Central Management of 300 Firewalls and Access-Lists Fabian Mauchle TNC 2012 Reykjavík, 21-May-2012.

Presentation transcript:

© 2012 SWITCH
Outline
WHY
– Router Access Lists versus Stateful Firewalls
– The Judgment of Solomon
HOW
– Basic Concept
– Pitfalls of Local Firewalls
– Building Blocks
– Experiences

Access Lists vs. Stateful Firewalls
How to protect SWITCH’s IT infrastructure from attacks from the Internet?
– Are static IP access lists in the routers good enough?
– Are stateful firewalls needed?

Access Lists
Until recently SWITCH only used static router ACLs:
– stateless
– outgoing connections generally open
– incoming TCP connections forbidden, except what is explicitly needed
– incoming UDP connections: a few well-known ports open where required
– incoming UDP packets to ports ≥ 1024 allowed
Features:
– simple, but limited in its capabilities
– excellent performance and stability
– IPv6 support

Access Lists (diagram)

Firewalls can do better
Stateful firewalls dynamically open and close ports based on the state of each TCP connection or UDP conversation:
– not all UDP high ports need to be permanently open
Features:
– better (stateful) handling of UDP traffic
– better control in case of fragmented packets
– sophisticated logging
– deep packet inspection
But also:
– potential bottleneck
– single point of failure
– … and redundancy is hard to configure and maintain

Network Security ;-)
Network people and PERT staff hate firewalls:
– can introduce hard-to-diagnose problems: IP multicast, IP fragments, path MTU discovery; still buggy IPv6 support
– difficult to deploy in a redundant configuration
– performance issues
Security people love them:
– state-of-the-art protection
– central point to monitor and log traffic
– ability to filter on payload
– independence (separation of power)

Judgment of Solomon
protection of the office:
– wide range of equipment
– every employee can have root access on his computer
– guidelines for the employees (patched, disk encryption)
protection of the servers:
– well managed (patched, software only installed when needed)
– only few people have root access
– goal: maximum availability and performance

Judgment of Solomon
protection of the office:
=> a central, stateful, redundant firewall, state-of-the-art
=> separate IP subnets for the different departments and teams
protection of the servers:
=> static access lists in the routers
=> plus a stateful firewall on every server, but no firewall in the network

Outline
WHY
– Router Access Lists versus Stateful Firewalls
– The Judgment of Solomon
HOW
– Basic Concept
– Pitfalls of Local Firewalls
– Building Blocks
– Experiences

Basic Concept for Server Security (diagram)

Basic Concept for Server Security
– reinforce every host (local firewall)
– reduce resources on router

High Level View (diagram labels: Internet, ACLs, Server or VM)

Advantages
– Stateful firewall
– Protection within subnet
– 2nd line of defense
– High scalability: virtually no performance impact; scales with number of hosts; no central performance bottleneck; no bandwidth limitation
– No state synchronization required: multipathing and asymmetric traffic possible

Performance of Local Firewall
Graph: CPU and Network load, firewall activated on Aug
Example: dione.switch.ch aka switch.dl.sourceforge.net

Pitfalls of a Local Firewall
– Requires rules on router and local firewall
– Local connections (localhost)
– Connections between hosts (on the same subnet), especially seldom used connections
– Heterogeneous environments (different firewall implementations)

Cavari
How to manage 300+ firewalls?
– Web interface
– Full IPv6 capable
– Use existing information (DNS, Server Management)
– Request based policy management
– Simple rollback
– Platform support for Cisco IOS ACL, Linux iptables, Solaris ipfilter

Building Blocks (diagram)
Components: FirewallBuilder Compilers, Cavari Web Application, Install Scripts, DNS, Host DB
Legend: New Tool (SWITCH), Existing Open Source, Existing Tool (SWITCH)

Mechanics
– Define allowed connections: source, destination, service (protocol, port)
– Use network topology to determine firewall rules
– Optimize rules on each firewall: remove duplicate entries and redundant more specifics
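The mechanics slide above and the pitfalls slide before it, shown as a small rule compiler. This is an added example, not Cavari's or SWITCH's code: the policy, the topology and the RFC 5737 addresses are constructed, and the iptables rendering (including the loopback and ESTABLISHED rules for the "local connections" pitfall) is one possible output format.

```python
import ipaddress

# Constructed example policy (not SWITCH's data): allowed connections as
# (source network, destination host, protocol, port), using RFC 5737 test addresses.
POLICY = [
    ("0.0.0.0/0",       "192.0.2.10", "tcp", 443),
    ("198.51.100.0/24", "192.0.2.10", "tcp", 443),  # redundant more specific of the /0 rule
    ("198.51.100.0/24", "192.0.2.10", "tcp", 22),
    ("198.51.100.0/24", "192.0.2.10", "tcp", 22),   # exact duplicate
    ("198.51.100.5/32", "192.0.2.11", "udp", 161),  # redundant more specific of the /24 rule
    ("198.51.100.0/24", "192.0.2.11", "udp", 161),
]
# Constructed topology: server subnet behind the router -> hosts running a local firewall.
TOPOLOGY = {"192.0.2.0/24": ["192.0.2.10", "192.0.2.11"]}


def parse(policy):
    return [(ipaddress.ip_network(s), ipaddress.ip_address(d), p, port)
            for s, d, p, port in policy]


def optimize(rules):
    """Remove exact duplicates, then drop any rule whose source is a strict subset of
    another rule's source with the same destination and service."""
    uniq = list(dict.fromkeys(rules))  # dedupe, keep first-seen order
    return [r for r in uniq if not any(
        o[1:] == r[1:] and o[0] != r[0] and o[0].version == r[0].version
        and r[0].subnet_of(o[0]) for o in uniq)]


def compile_rules(policy, topology):
    """Per-firewall rule sets: one ACL per router-facing subnet, one set per host."""
    rules, out = parse(policy), {}
    for subnet, hosts in topology.items():
        net = ipaddress.ip_network(subnet)
        out["router-acl:" + subnet] = optimize([r for r in rules if r[1] in net])
        for h in hosts:
            hip = ipaddress.ip_address(h)
            out[h] = optimize([r for r in rules if r[1] == hip])
    return out


def to_iptables(rules):
    """Render a host's rule set as iptables INPUT rules. The loopback and
    ESTABLISHED rules cover the 'local connections' pitfall from the slides."""
    lines = ["-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for s, d, p, port in rules:
        lines.append(f"-A INPUT -p {p} -s {s} -d {d} --dport {port} -j ACCEPT")
    return lines + ["-A INPUT -j DROP"]


if __name__ == "__main__":
    for fw, rules in compile_rules(POLICY, TOPOLOGY).items():
        if not fw.startswith("router-acl:"):
            print(fw, *to_iptables(rules), sep="\n  ")
```

The router ACL for the subnet keeps three rules out of six, and each host only receives the rules whose destination it is.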

Experiences
– Stable operation since end of 2011
– Good user acceptance: let users (admins) view actual rules!
– Updating IP addresses from DNS is very useful
– Migration takes time: start with logging to find unknown communication
– Central logging facility is crucial
– Hosts without firewall: extended set of rules on the router (as before)

Future Work
– Add support for Mac OS X, maybe Windows …
– Audit procedure

Questions