Application-layer firewalling: Raise your perimeter IQ Joel Snyder Opus One.

Acknowledgements
- Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, WatchGuard
- Support from Andy Briney and Neil Roiter at Information Security

Firewalls have been around for a very long time
"[AT&T's gateway creates] a sort of crunchy shell around a soft, chewy center." (Bill Cheswick, Design of a Secure Internet Gateway, April 1990)
- First firewalls deployed in Internet-connected organizations
- "Firewalls and Internet Security" published
- TIS toolkit commonly available
- Cisco buys PIX (Network Translation)
- Check Point revenues cross $100m
- WatchGuard introduces the first firewall appliance

Surely firewall makers have been busy since 1999?
Clear market trends:
- Faster, cheaper, smaller
  - New guard: NetScreen (Juniper), WatchGuard, SonicWALL
  - Old guard: Cisco, Check Point
Clear product trends:
- Add VPN features
  - Site-to-site
  - Remote access (?)
- Add policy-based URL control (Websense-type)
- Add interfaces: no longer just inside, outside, DMZ

Shirley firewall makers have been busy since 1999? (the previous slide again; the title is the joke)

Incremental improvements are not very exciting
- Smaller, cheaper, faster: that's great
- VPNs, more interfaces: that's great
- But what have you done for me lately?
To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!

Arguments between proxy and stateful packet filter continued
Proxy:
- More secure because you can look at the application data stream
- More secure because you have independent TCP stacks (the client's connection terminates on the firewall, which opens a second connection to the server, so malformed segments never reach the protected host)
Stateful packet filter:
- Faster to write
- Faster to adapt
- Faster to run
- Faster also means cheaper

Proxy-based firewalls aren't dead… just slow!
[Diagram: data path through a proxy versus a packet filter. Proxy: the client connection is terminated in user process space and a separate connection, with its own Src/Dst pair, is opened to the server. Packet filtering: the packet is forwarded by the kernel TCP/IP stack between the inside network and the outside network.]

Firewall landscape: five years ago
IBM eNetwork, Secure Computing, AltaVista Firewall, TIS Gauntlet, Raptor Eagle, Elron, Cyberguard, Ukiah Software, NetGuard, WatchGuard, SonicWALL, Check Point, Livermore Software, Milkyway, Borderware, Global Internet

Stateful packet filtering dominates the market
- Stateful packet filtering in the IP kernel: Check Point, Cisco, NetScreen, SonicWALL
- Freeware-based products: ipchains, IPF, iptables, IPFW
- Firewall newcomers: Fortinet, Toshiba, Ingate, Enterasys, many others

But… the core argument was never disputed
- Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information
- The reality is that proxy-based firewalls rarely went very far down that path
- Why? Market demand, obviously…
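The difference the slide is talking about, as an added example that is not code from the presentation or from any of the products it names: a stateful packet filter keeps only a table of 5-tuples and decides on headers, while a proxy keeps the reassembled application stream per connection and can refuse anything on TCP/80 that is not HTTP. The addresses, ports and packet contents are constructed and nothing touches a real network; the inside prefix and the set of accepted methods are assumptions of the example.

```python
"""Stateful packet filter versus application-layer proxy, simulated.
Added example: not code from the presentation or any vendor product.
Addresses, ports and packet contents below are constructed; nothing
touches a real network."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumed inside address prefix (illustrative)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK
    payload: bytes = b""


class StatefulPacketFilter:
    """Allows inside hosts to open TCP/80 outbound and admits return traffic
    only for connections it has seen start. It decides on headers alone and
    never looks at the payload, so it has no idea what protocol is inside."""

    def __init__(self):
        self.table = set()   # (src, sport, dst, dport) of permitted outbound flows

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        if p.src.startswith(INSIDE_NET) and p.dport == 80:
            if p.flags == "S":          # new outbound connection: create state
                self.table.add(fwd)
            return "ALLOW" if fwd in self.table else "DROP"
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ALLOW" if rev in self.table else "DROP"   # replies to known flows only


class HttpProxy:
    """Terminates the client connection, reassembles the byte stream and only
    relays to the server once a well-formed HTTP request line has arrived.
    The per-connection buffer is the application-layer state the slide means."""
    METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}   # assumed policy

    def __init__(self):
        self.streams = {}    # (client addr, client port) -> bytes seen so far

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport)
        buf = self.streams.get(key, b"") + p.payload
        self.streams[key] = buf
        if b"\r\n" not in buf:
            return "HOLD"    # request line incomplete: keep buffering, relay nothing yet
        method, _, rest = buf.split(b"\r\n", 1)[0].partition(b" ")
        target, _, version = rest.partition(b" ")
        if method in self.METHODS and target and version.startswith(b"HTTP/1."):
            return "ALLOW"
        return "DENY"        # not HTTP (or not a permitted method) on an HTTP port


def run_scenario():
    """Feed the same constructed packets to both devices and collect the verdicts."""
    pf, proxy = StatefulPacketFilter(), HttpProxy()
    client, server = "10.0.0.5", "203.0.113.10"     # constructed addresses (TEST-NET)
    flows = {
        # well-formed HTTP, request line split across two segments
        "http": [Packet(client, 40001, server, 80, "S"),
                 Packet(server, 80, client, 40001, "SA"),
                 Packet(client, 40001, server, 80, "A", b"GET /index.html "),
                 Packet(client, 40001, server, 80, "A", b"HTTP/1.1\r\nHost: x\r\n\r\n")],
        # SSH tunnelled over the allowed port: same 5-tuple shape, wrong protocol
        "ssh_on_80": [Packet(client, 40002, server, 80, "S"),
                      Packet(server, 80, client, 40002, "SA"),
                      Packet(client, 40002, server, 80, "A", b"SSH-2.0-OpenSSH_8.9\r\n")],
        # unsolicited inbound SYN to an inside host: no state, so dropped
        "inbound_syn": [Packet(server, 5555, client, 80, "S")],
    }
    results = {}
    for name, pkts in flows.items():
        pf_verdicts = [pf.decide(p) for p in pkts]
        proxy_verdicts = [proxy.decide(p) for p in pkts if p.payload]   # proxy sees data only
        results[name] = (pf_verdicts, proxy_verdicts)
    return results


if __name__ == "__main__":
    for name, (pf_v, px_v) in run_scenario().items():
        print(f"{name:12s} packet filter={pf_v}  proxy={px_v}")
```

The packet filter passes the SSH-over-80 flow because nothing in the headers distinguishes it from a web session; the proxy denies it because the first line is not an HTTP request line. The proxy's HOLD verdict on the first data segment is the other side of the same coin: it must buffer and parse before it can relay, which is the "just slow" of the next slide.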

Firewall evolution: what we hoped for…
- Additional granular controls on a wide variety of applications
- Intrusion detection and prevention functionality
- Vastly improved centralized management systems
- More flexible deployment options

Firewall evolution: what we found…
- Additional granular controls on some applications (not "a wide variety")
- Limited intrusion detection and prevention functionality
- Vastly improved centralized management systems
- More flexible deployment options
- Why? Market demand, obviously…

Additional granular controls focused on a few applications
- Everybody loves HTTP management
  - Header filtering
  - File type and MIME type blocking
  - Embedded data blocking (JavaScript)
  - Virus scanning, URL filtering
- Other applications are piecemeal
  - FTP
  - SMTP
  - VoIP
  - File sharing
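What those HTTP controls look like when written down, as an added example that is not code from the presentation or from any vendor's product: a request check (method, header filtering, URL block list) and a response check (MIME type, file type by leading bytes, embedded script). The policy values, header names and sample messages are constructed for illustration.

```python
"""Application-layer HTTP controls: header filtering, URL filtering, MIME and
file type blocking, embedded script blocking. Added example, not the
presentation's or any product's code; the policy and messages are constructed."""
import re

# Policy, constructed for this example (a product would load it from configuration)
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
BLOCKED_REQUEST_HEADERS = {"x-debug-mode"}                                   # header filtering
BLOCKED_URLS = {("ads.example.net", "/"), ("example.org", "/downloads/")}    # (host, path prefix)
BLOCKED_MIME = {"application/x-msdownload", "application/x-msdos-program",
                "application/java-archive"}
MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
BLOCKED_FILE_TYPES = {"exe", "elf"}
BLOCK_SCRIPTS = True


def parse_http(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return lines[0], headers, body


def sniff_file_type(body: bytes):
    """Identify the file type from its leading bytes; the declared type is untrusted."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def check_request(raw: bytes) -> list:
    """Return the policy violations found in a client request (empty list = allowed)."""
    line, headers, _ = parse_http(raw)
    method, _, rest = line.partition(b" ")
    path = rest.partition(b" ")[0].decode(errors="replace")
    hits = []
    if method not in ALLOWED_METHODS:
        hits.append("method")
    hits.extend("header:" + h for h in sorted(BLOCKED_REQUEST_HEADERS.intersection(headers)))
    host = headers.get("host", "").lower()
    if any(host == bhost and path.startswith(prefix) for bhost, prefix in BLOCKED_URLS):
        hits.append("url")
    return hits


def check_response(raw: bytes) -> list:
    """Return the policy violations found in a server response (empty list = allowed)."""
    _, headers, body = parse_http(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    hits = []
    if ctype in BLOCKED_MIME:
        hits.append("mime")
    kind = sniff_file_type(body)
    if kind in BLOCKED_FILE_TYPES:
        hits.append("filetype:" + kind)
    if BLOCK_SCRIPTS and ctype == "text/html" and re.search(rb"<script\b", body, re.IGNORECASE):
        hits.append("script")
    return hits


def run_samples():
    """Constructed requests and responses run through the two checks."""
    req_ok = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    req_blocked_url = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: example.org\r\n\r\n"
    req_bad_method = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
    req_bad_header = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Debug-Mode: 1\r\n\r\n"
    # an executable served with a harmless-looking Content-Type
    resp_exe_as_text = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8)
    resp_html_script = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                        b"<html><body><SCRIPT>alert(1)</SCRIPT></body></html>")
    resp_pdf = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4 ..."
    return {
        "req_ok": check_request(req_ok),
        "req_blocked_url": check_request(req_blocked_url),
        "req_bad_method": check_request(req_bad_method),
        "req_bad_header": check_request(req_bad_header),
        "resp_exe_as_text": check_response(resp_exe_as_text),
        "resp_html_script": check_response(resp_html_script),
        "resp_pdf": check_response(resp_pdf),
    }


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:18s} {'ALLOW' if not hits else 'BLOCK ' + ','.join(hits)}")
```

Two points a practitioner would want: the Content-Type header and the file extension both come from the server and are attacker-controlled, so a type-blocking feature that does not sniff the content (the MZ-as-text/plain sample) is a checkbox rather than a control; and matching `<script` with a pattern is the weakest form of "embedded data blocking", since event-handler attributes and encoded markup slip past it. The slides' HTTP features vary in exactly these details from product to product.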

HTTP-oriented features served “pressure points”

Advanced controls are diverse across products
- Differentiating between "advanced" controls and "basic" controls was easy to do.
- Proxy-based firewalls proved to be almost indistinguishable from their "insecure" stateful packet filtering brethren.
- Vendors appear to be reactive, not proactive.

Virus scans and policy controls are simple, right?
- No! Some firewalls insisted on having virus and/or URL scanning happen "off box"
- No! Some firewalls can't configure where you scan for viruses
- No! Some devices don't have virus scanning
- No! Some firewalls don't support a local list of blocked URLs
Conclusion: it's not simple

We've learned how to write good GUIs, haven't we?
- Not in the firewall business, we haven't
- Additional granularity means additional thinking about resources
- Products are … disappointing
- The firewall people have a lot to learn from the SSL VPN people

Centralized management has improved a bit
- Folks who had it are doing slightly better than they were
- Folks who didn't have it now generally have something
- We're still missing a general policy management system for firewalls
- Many of the centralized management tools have very rough edges

"Intrusion" is the new buzzword in security
- Rate-based IPS technology
  - In firewalls, means "SYN flood protection"
  - May be smart (NetScreen)
  - May include shunning (Secure Computing, WatchGuard, Check Point)
- Content-based IPS technology
  - Based on IDS-style thinking
  - May have a small signature base (NetScreen, Check Point)
  - May be an "IDS with the IPS bit on" (Symantec)
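The two IPS styles on the slide, as an added example that is not code from the presentation or from NetScreen, Secure Computing, WatchGuard, Check Point or Symantec: a rate-based check that counts SYNs per source in a sliding window and shuns a source that exceeds the threshold, and a content-based check that matches a couple of signatures. The threshold, window, shun duration, addresses, timestamps and the two signature patterns are constructed for illustration; the first pattern has the shape of the old IIS overlong-UTF-8 traversal, used here only as a recognisable signature.

```python
"""Rate-based (SYN flood with shunning) and content-based (signature) IPS
checks, simulated. Added example, not the presentation's or any vendor's code;
thresholds, traffic and signatures are constructed for illustration."""
import re
from collections import defaultdict, deque

SYN_THRESHOLD = 5      # assumed policy: more than this many SYNs per source per window
WINDOW = 1.0           # seconds
SHUN_SECONDS = 60.0    # how long a shunned source stays blocked


class RateBasedIps:
    """SYN-flood protection with shunning: count SYNs per source address in a
    sliding window; a source that exceeds the threshold is shunned, i.e. every
    packet from it is dropped until the shun entry expires."""

    def __init__(self):
        self.syns = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.shunned = {}                # src -> time at which the shun expires

    def decide(self, ts: float, src: str, flags: str) -> str:
        expiry = self.shunned.get(src)
        if expiry is not None:
            if ts < expiry:
                return "DROP:shunned"
            del self.shunned[src]            # shun expired: start counting again
        if flags == "S":
            q = self.syns[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # forget SYNs that fell out of the window
                q.popleft()
            if len(q) > SYN_THRESHOLD:
                self.shunned[src] = ts + SHUN_SECONDS
                q.clear()
                return "DROP:shun-start"
        return "ALLOW"


# Content-based IPS: a tiny signature base. The first pattern is the shape of
# the old IIS overlong-UTF-8 directory traversal (%c0%af is an overlong "/",
# %c1%9c an overlong "\"); the second flags cmd.exe in a request line.
# Illustrative only, not a real ruleset.
SIGNATURES = {
    "iis-unicode-traversal": rb"%c0%af|%c1%9c",
    "cmd-exe-request": rb"cmd\.exe",
}


def content_match(payload: bytes) -> list:
    """Names of the signatures that match the payload, in ruleset order."""
    return [name for name, pat in SIGNATURES.items()
            if re.search(pat, payload, re.IGNORECASE)]


def run_ips_scenario():
    """Constructed traffic: one flooding source, one normal client, one exploit request."""
    ips = RateBasedIps()
    flood = [ips.decide(0.1 * i, "198.51.100.7", "S") for i in range(8)]   # 8 SYNs in 0.7 s
    legit = [ips.decide(t, "10.0.0.5", "S") for t in (0.0, 1.5, 3.0)]       # 3 SYNs in 3 s
    after_expiry = ips.decide(61.0, "198.51.100.7", "S")                    # shun has lapsed
    exploit = content_match(b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n")
    clean = content_match(b"GET /index.html HTTP/1.0\r\n")
    return {"flood": flood, "legit": legit, "after_expiry": after_expiry,
            "exploit": exploit, "clean": clean}


if __name__ == "__main__":
    for name, verdict in run_ips_scenario().items():
        print(f"{name:13s} {verdict}")
</```

The caveat on shunning: SYN floods are routinely sent with spoofed source addresses, so a device that blocks by source can be made to shun whichever address the attacker chooses to spoof, including a business partner's. That is why "SYN flood protection" that completes or proxies the handshake itself (SYN cookies, handshake proxying) is the safer form, and why the slide's distinction between "smart" rate-based IPS and plain shunning matters when you evaluate a product.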

So what's going on in the firewall business?
- Products are diverging, not converging
- Personalities of products are distinct
- IPS is a step forward, but not challenging the world of standalone products
- Rate of change of established products is slow compared to new entries

What does this mean for me and my firewall?
- Products are diverging and personalities are distinct: matching a firewall to your policy is hard, and a change in application or policy may mean changing product!
- IPS is weaker than standalone products and the change rate is slow: aggressive adoption of new features is unlikely in popular products; you need new blood to overcome product inertia

Application-layer firewalling
Joel Snyder, Opus One; member, Information Security Magazine test alliance


Thank you for participating in this SearchSecurity webcast.