draft-baker-opsawg-firewalls

Slides:



Advertisements
Similar presentations
Guide to Network Defense and Countermeasures Second Edition
Advertisements

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Personal Info 1 Prepared by: Mr. NHEAN Sophan  Presenter: Mr. NHEAN Sophan  Position: Desktop Support  Company: Khalibre Co,. Ltd 
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Department Of Computer Engineering
Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Agenda Review route summarization Cisco acquire Sourcefire Review Final Exam.
P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.
Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke Mark Townsley
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.
Chapter 4: Implementing Firewall Technologies
Analysis and recommendation for the ULA usage draft-liu-v6ops-ula-usage-analysis-00 draft-liu-v6ops-ula-usage-analysis-00 Bing Liu(speaker), Sheng Jiang.
FORESEC Academy FORESEC Academy Security Essentials (III)
Role Of Network IDS in Network Perimeter Defense.
Security “Automatic Border Detection” is essential – For service discovery scope – For prefix assignment and routing – For security Default filters (ULAs?)
What's a Firewall? A security system that acts as a protective boundary between a network and the outside world Isolates computer from the internet using.
Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
On Firewalls Fred Baker and Paul Hoffman draft-ietf-opsawg-firewalls-01.txt.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Central Management of 300 Firewalls and Access-Lists Fabian Mauchle TNC 2012 Reykjavík, 21-May-2012.
HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,
Security fundamentals
BGPSEC Protocol (From -01 to -02 and on to -03) Matt Lepinski.
CompTIA Security+ Study Guide (SY0-401)
Security Implications of IPv6 on IPv4 Networks
Intro to Networks (part 1)
SECURITY ZONES.
100% Exam Passing Guarantee & Money Back Assurance
Managing Secure Network Systems
Instructor Materials Chapter 8: Subnetting IP Networks
Network Security Marshall Leitem 11/30/04
Chapter 8: Subnetting IP Networks
How a Stateful Firewall Works
PROJECT PRESENTATION ON INTERNET FIREWALLS PRESENTED BY THE GUARDS
Introduction to Networking
Stateless Source Address Mapping for ICMPv6 Packets
Optical Networks & Smart Grid Lab.
CompTIA Security+ Study Guide (SY0-401)
Firewalls at UNM 11/8/2018 Chad VanPelt Sean Taylor.
IPv6-only in an Enterprise Network
Chapter 8: Subnetting IP Networks
Network Security: IP Spoofing and Firewall
Practical IPv6 Filtering
draft-ipdvb-sec-01.txt ULE Security Requirements
FIREWALL By Abhishar Baloni I.D
IP-Spoofing and Source Routing Connections
Firewalls Jiang Long Spring 2002.
How to Mitigate the Consequences What are the Countermeasures?
How to Detect Attacks and Supervise Rail Systems?
Network hardening Chapter 14.
Chapter 11: Network Address Translation for IPv4
Intrusion-Detection Systems
Session 20 INST 346 Technologies, Infrastructure and Architecture
Implementing Firewalls
BPSec: AD Review Comments and Responses
Outline The concept of perimeter defense and networks Firewalls.
M. Boucadair, J. Touch, P. Levis and R. Penno
Presentation transcript:

draft-baker-opsawg-firewalls Fred Baker

Purpose of this draft We have had discussions in v6ops and (now) in Homenet regarding firewalls RFC 6092 “Simple Security” draft-vyncke-advanced-ipv6-security I personally don’t think they have been very productive, and think the community needs to have a less emotional discussion on the topic Firewalls are a market requirement, but for bad reasons There are strong feelings about firewalls pro and con, and the discussions tend to not be helpful.

Draft discussion Introduction Common kinds of firewalls Perimeter security: Protection from aliens and intruders Pervasive access control Intrusion Management: Contract and Reputation filters Reasoning about Firewalls The End-to-End Principle Building a communication The middle way Recommendations

Perimeter security: Protection from aliens and intruders In Cisco equipment, we call this a “context-based” or “zone-based” defense. There is a “protected region” and “everywhere else” Sessions may originate from the “protected” region No sessions, or only certain sessions, may originate from “outside” Primary comment: “I want my NAT for security” presumes this model It’s actually a weak defense model, and disrupts certain service models PCP and UPnP are protocol models for allowing sessions into the domain for services

Pervasive access control So-called “role-based” access control Systems organized into groups for security management Policy applied in network that Permits communication within a group Permits communication between stated pairs of groups Excludes or limits all else One group is “everyone else” More flexible, but still has impact on service deployment Requires an IT department to manage

Intrusion Management: Contract and Reputation filters Generally implemented as Access control lists, Anomaly-based intrusion management, Signature-based intrusion management, or Reputation-based systems Basic policy: allow communication barring a specific reason not to Weakness: That’s not how we raise our children People often fail to maintain such software on hosts…

Reasoning about firewalls, part 1 I conclude that a firewall protects two things Protection against some forms of infrastructure attacks Second layer of defense for attacks on hosts Hosts still must be their own primary defense There may be better approaches to infrastructure defense Passive IP Addresses, for example

Reasoning about firewalls, part 2 Poorly-implemented firewalls make it difficult to deploy new technologies or services Explicit Congestion Notification SCTP …

Recommendations: ZBAC IF someone implements zone-based access control It SHOULD be possible for a host to assert that it is willing to field incoming traffic for a class of application Firewall SHOULD exclude traffic that nobody explicitly wants

Recommendations: RBAC Observation: this requires active policy management anyway It’s better to implement using the control plane (routing) than the data plane (filtering) Make the policy systemic if possible – if Alice should not talk with Bob, Alice should not have a route to Bob.

Recommendations: Active policy algorithms Reputation, Anomaly, and Signature models require regular and frequent updates Do so (duh) May not fit residential market

General observations Middleware should not prevent innovation Prevent what is known to be bad Don’t prevent the unknown; it might be good Making assumptions about address spaces is also less than useful In IPv4, we have a lot of experience with the evils of NAT In IPv6, there can also be issues in coupling between address domains. So don’t make assumptions you can’t immediately justify

Way forward this draft What I have said in this draft… Seems patently obvious to me. Seems controversial to others; we spend a lot of time, and waste energy, debating it. Is it useful to say? Would folks like to debate?