Firewalls at UNM, 11/8/2018. Chad VanPelt, Sean Taylor.

Presentation transcript:


Migrating from Cisco FWSM to Palo Alto NGFW
What are we changing, and why?
- A standard firewall filters on source IP and port / destination IP and port.
- An NGFW is a standard firewall that also includes next-generation features such as:
  - Application-based controls
  - User-ID
  - Stream-based inspection (Single Pass Parallel Processing, SP3)
  - IPS
  - Malware protection
  - Superior visibility

Impact: Hardware

Model    Qty  Role                         Max sessions  FW throughput
PA-5060   2   Perimeter and distribution   4,194,302     10G
PA-5050   2   Datacenter                   2,097,150     5G
PA-3020   2   Gallup (branch campus)       250,000       2G

Deployment Phases
- Perimeter
- Datacenter
- Datacenter NSX pilot
- Perimeter distribution
- NAT, IPS, zone protection
- Branch campus

Perimeter
- The Palo Alto 5060s were the first firewalls ever placed at the UNM perimeter; others had tried but failed.
- Virtual wire (vwire) deployment, i.e. transparent mode:
  - Binds two network ports together; no routing or switching is performed.
  - Very simple configuration; requires no changes to surrounding or adjacent network devices.

Datacenter
- Layer 3 (routed mode) deployment
- High availability: active/passive
- A security incident was the catalyst for replacing the legacy firewalls.
- The firewall handles routing ("on a stick"): it routes traffic in and out of the datacenter and between datacenter zones.

Datacenter NSX
- Not really a phase, but an interesting test: VMware NSX integration with Palo Alto.
- Purpose: send interesting traffic from the virtual environment to the Palo Alto for inspection and posturing.
- Dynamic address groups and automation: add an IP address to a group in NSX and it is automatically added to inspection on the Palo Alto.

[Diagram: "Security Policy above the Forwarding Plane". The NSX Distributed Firewall sits in the hypervisor's virtual switch forwarding plane between the Web, App and DB workloads; the NetX API redirects data flows to the Palo Alto for inspection.]

Distribution
- The Palo Alto 5060s at the perimeter also function as distribution firewalls.
- Layer 3 deployment using the same model as the datacenter: all zones are routed at the Palo Altos.
- Currently migrating legacy firewall customers.
- A general zone holds all customers that do not have a configured firewall zone.
- During this phase high availability was added to the perimeter boxes; they are now active/passive.

NAT
- Currently using source NAT and bidirectional NAT through the Palo Alto.
- Source NAT: customers that need only outbound communication.
- Bidirectional NAT: customers that need to access resources off campus and on campus and be reachable in return (the static translation also admits connections initiated from outside).
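The difference between the two NAT types on this slide is what the translation table does with a packet that arrives from outside without a matching session. The following model, an added example written for this page rather than Palo Alto code, keeps a session table for hide (source) NAT and a one-to-one map for bidirectional static NAT; all addresses are constructed from the RFC 5737 documentation ranges and the PAT port pool start is an assumption.

```python
"""Source NAT versus bidirectional static NAT, modelled as a session table.
Added illustration written for this page, not Palo Alto code; all addresses
are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    def __init__(self, hide_ip, bidirectional=None):
        self.hide_ip = hide_ip                      # shared public IP for outbound-only customers
        self.static = dict(bidirectional or {})     # inside IP -> public IP, translated both ways
        self.reverse_static = {pub: inside for inside, pub in self.static.items()}
        self.sessions = {}                          # (pub_ip, pub_port, dst, dport) -> (inside_ip, inside_port)
        self.next_port = 10000                      # assumption: PAT port pool starts here

    def outbound(self, flow):
        """Inside -> outside: translate the source and record the session."""
        if flow.src in self.static:
            pub_ip, pub_port = self.static[flow.src], flow.sport   # 1:1 static, port preserved
        else:
            pub_ip, pub_port = self.hide_ip, self.next_port        # many-to-one with port translation
            self.next_port += 1
        self.sessions[(pub_ip, pub_port, flow.dst, flow.dport)] = (flow.src, flow.sport)
        return Flow(pub_ip, pub_port, flow.dst, flow.dport)

    def inbound(self, flow):
        """Outside -> inside: return the translated flow, or None if the packet is dropped."""
        reply_key = (flow.dst, flow.dport, flow.src, flow.sport)
        if reply_key in self.sessions:                       # reply to an existing session
            inside_ip, inside_port = self.sessions[reply_key]
            return Flow(flow.src, flow.sport, inside_ip, inside_port)
        if flow.dst in self.reverse_static:                  # unsolicited, but a bidirectional mapping exists
            return Flow(flow.src, flow.sport, self.reverse_static[flow.dst], flow.dport)
        return None                                          # unsolicited inbound to the hide address: dropped


def demo():
    """Constructed traffic for an outbound-only customer and a bidirectional one."""
    nat = NatTable(hide_ip="203.0.113.1", bidirectional={"10.2.2.10": "203.0.113.50"})
    # Outbound-only customer: the web request goes out translated and the reply comes back,
    # but an unsolicited SSH attempt at the hide address is dropped.
    out = nat.outbound(Flow("10.1.1.5", 51515, "198.51.100.80", 443))
    reply = nat.inbound(Flow("198.51.100.80", 443, out.src, out.sport))
    unsolicited = nat.inbound(Flow("198.51.100.99", 40000, "203.0.113.1", 22))
    # Bidirectional customer: the same unsolicited SSH attempt reaches the inside host.
    reachable = nat.inbound(Flow("198.51.100.99", 40000, "203.0.113.50", 22))
    return out, reply, unsolicited, reachable
```

The last line of demo() is the security-relevant point: a bidirectional mapping makes the inside host reachable for any port, so it only belongs behind a security policy that restricts inbound traffic to the specific services the customer intends to expose.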

Zone Protection
Flood, reconnaissance and packet-based attack protection:
- Flood protection: SYN, ICMP, UDP and PPS, each with Alert, Activate and Maximum thresholds.
- Reconnaissance protection: host sweep, TCP port scan, UDP port scan; actions Allow, Alert or Block; interval/threshold of 100 events per 10 seconds.
- Packet-based attack protection: spoofed IP addresses, fragmented traffic.
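The reconnaissance settings on this slide amount to a sliding-window counter per source with a per-scan-type action. The detector below is an added example written for this page, not Palo Alto code; it uses the slide's 10-second interval and 100-event threshold, treats a host sweep as one source reaching many hosts and a port scan as one source reaching many ports on one host, and the block duration and the flow records in run_demo() are assumptions and constructed data.

```python
"""Sliding-window reconnaissance detection with the zone-protection knobs
listed above (interval, threshold, allow / alert / block per scan type).
Added illustration written for this page, not Palo Alto code; the flow
records in run_demo() are constructed."""
from collections import defaultdict, deque

INTERVAL = 10          # seconds, from the slide
THRESHOLD = 100        # events per interval, from the slide
BLOCK_DURATION = 3600  # seconds; assumption for how long a 'block' verdict lasts


class ReconDetector:
    """Tracks each source's recent flows and classifies them as a host sweep
    (one source, many hosts) or a port scan (one source, many ports on one host)."""

    def __init__(self, actions, interval=INTERVAL, threshold=THRESHOLD,
                 block_duration=BLOCK_DURATION):
        self.actions = actions              # e.g. {"tcp-port-scan": "block", "host-sweep": "alert"}
        self.interval = interval
        self.threshold = threshold
        self.block_duration = block_duration
        self.events = defaultdict(deque)    # src -> deque of (ts, dst, dport, proto)
        self.blocked_until = {}             # src -> timestamp the block expires
        self.last_logged = {}               # (src, kind) -> ts of the last log entry
        self.alerts = []                    # (ts, src, kind, action)

    def observe(self, ts, src, dst, dport, proto):
        """Return the verdict for one flow: 'allow', 'alert' or 'block'."""
        if self.blocked_until.get(src, 0) > ts:
            return "block"                  # source is still under a block verdict
        win = self.events[src]
        win.append((ts, dst, dport, proto))
        while win and ts - win[0][0] > self.interval:
            win.popleft()                   # slide the window forward
        kind = self._classify(win)
        if kind is None:
            return "allow"
        action = self.actions.get(kind, "allow")
        if action != "allow":
            # log once per interval per (source, scan type) so the log is not flooded
            if ts - self.last_logged.get((src, kind), float("-inf")) >= self.interval:
                self.alerts.append((ts, src, kind, action))
                self.last_logged[(src, kind)] = ts
        if action == "block":
            self.blocked_until[src] = ts + self.block_duration
            win.clear()
        return action

    def _classify(self, win):
        hosts = {dst for _, dst, _, _ in win}
        if len(hosts) >= self.threshold:
            return "host-sweep"
        for proto in ("tcp", "udp"):
            ports_per_host = defaultdict(set)
            for _, dst, dport, pr in win:
                if pr == proto:
                    ports_per_host[dst].add(dport)
            if any(len(ports) >= self.threshold for ports in ports_per_host.values()):
                return f"{proto}-port-scan"
        return None


def run_demo():
    """Constructed traffic: a TCP port scanner, a normal client and an ICMP host sweep."""
    det = ReconDetector({"tcp-port-scan": "block", "udp-port-scan": "block",
                         "host-sweep": "alert"})
    # 150 ports on one host within ~4.5 s: blocked once the 100th port is seen
    scan = [det.observe(100 + i * 0.03, "198.51.100.7", "192.0.2.10", 1 + i, "tcp")
            for i in range(150)]
    later = det.observe(160, "198.51.100.7", "192.0.2.11", 443, "tcp")   # still blocked
    normal = [det.observe(100 + i, "203.0.113.5", "192.0.2.10", 443, "tcp")
              for i in range(5)]
    # 120 distinct hosts within ~6 s: alerted, not blocked
    sweep = [det.observe(200 + i * 0.05, "198.51.100.9", f"192.0.2.{i + 1}", 0, "icmp")
             for i in range(120)]
    return scan, later, normal, sweep, det
```

Two practical points follow from the model: a block verdict applies to the whole source for its duration, so a shared NAT address or a proxy behind the zone can be blocked by one noisy host behind it, and authorized scanners (vulnerability management, IT Security) need to be excluded from the reconnaissance counters or they will trip the threshold on every run.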

Intrusion Prevention
- Technology that examines network traffic flows to detect and prevent vulnerability exploits.
- Secondary inline IPS at the perimeter: the TippingPoint IPS does the heavy lifting at the perimeter (defense in depth).
- Ability to activate IPS policies on a per-zone basis.
- Single Pass Architecture: dedicated processing, stateful pattern matching.

What does this mean for your department?

- All departments will receive a basic level of firewall service under the new architecture.
- Enhanced, customized firewall services are available for a small monthly fee.

University-specific risks
- The nature of University traffic requires a very liberal default security posture compared to secured corporate networks.
- The majority of the University is still on public IP addresses.
- Research universities are often a target of intellectual-property theft attempts.
- Attacks that we see often range from millions to tens of millions of hits per second.

LoboZone
- Minimal set of policies and inspections to block the worst of the worst.
- Policies determined by IT Security and the Data Network Group.
- No customization allowed.
- Not protected from any other department in LoboZone.

Department Specific Zones
- Dedicated security zone with rules and inspections set by local department IT administrators in consultation with UNM IT Security.
- Cost: $75/month

Department Specific Zones: possible options
- Block all inbound traffic except specific traffic to specific servers.
- Block access to certain categories of URLs from your department's computers.
- Block specific attacks that have been directed at your department, such as SSH brute force.

Other possibilities
- Dedicated firewall contexts for areas that manage a large number of departments.
- Dedicated physical firewalls for high-security environments that require physical separation.
- Costs and design negotiated on a case-by-case basis.

Questions?