Methods to overcome corporate firewall restrictions

Presentation on theme: "Methods to overcome corporate firewall restrictions"— Presentation transcript:

1 Methods to overcome corporate firewall restrictions
E. Prokhorenko, RAU, 16/04/07, Yerevan

2 Introduction
Here we will deal with the following idealized network configuration:
- LAN with Windows-based PCs and personal firewalls
- Corporate firewall that provides Internet access to the LAN and defends it

3 Main firewall settings
- The firewall does NAT for LAN requests (some networks may be filtered, others are traffic-limited)
- Some ports on the firewall are closed for security reasons
- Some services on the LAN (WWW, FTP, etc.) are made visible to the Internet through holes in the firewall
- There is a corporate proxy for the HTTP, FTP, HTTPS, GOPHER, WAIS and WHOIS protocols (it may be transparent)
- Traffic is logged for billing and security purposes

4 Additional services for LAN
- SMTP, POP3, POP3S, IMAP and IMAPS are allowed, or the firewall itself runs the service
- SSH is allowed (possibly for some people only, incoming and outgoing)
- VPN is allowed
- TELNET is not allowed
- X Window is not allowed

5 All that is not enough!
After some time in operation, users find out that this ideal configuration lacks support for many applications they need to run to increase their productivity. Here is a partial list of protocols that need support: RealAudio, ICQ, IMs, IRC, eDonkey, Kazaa, Skype, NetMeeting and other video/audio conferencing tools.

6 Standard actions to implement add-ons
- For each protocol, the needed ports must be found and opened on the firewall
- Tests must be run to prove the configuration is correct
- Logging of the usage of those protocols must be turned on and inspected regularly
- All changes on the firewall must be documented

7 Problems of realization
- It's hard to decide which applications must be allowed (consult the boss to decide)
- Many applications don't work with NAT (this can be solved on a Linux router with helper modules in netfilter; alternatively a SOCKS proxy can be used)
- It's hard to find the needed ports for some applications (traffic capturing tools must be used)
- Sometimes access to prohibited networks must be granted for some applications

8 Proposed methods for solution
- Tunnels are the universal solution (VPN was already mentioned)
- A group of tunnels (an application pattern) must be created for each application
- The tunnel software must not work through the firewall but must have full access to the outside with its own access list (rinetd is a good candidate!)
- To access prohibited networks, dedicated computers outside the LAN must be used to create the tunnels

9 Additional activity
- Authors of poorly written programs must be informed and asked to provide a solution for firewall usage in newer versions
- Application templates must be activated on request of top management for clearly defined time periods
- In emergency situations all patterns must be switched off with a one-button script
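As an added example (not the author's code and not part of rinetd), the "application pattern" of slide 8 and the one-button switch of slide 9 rendered into an rinetd.conf: each pattern is a group of tunnels with its own allow/deny list, bind ports are checked for collisions across patterns, and emergency_off() disables every pattern at once. The addresses, port and pattern name are constructed sample values; the rinetd.conf line format and the fact that allow/deny lines placed after a forwarding rule apply only to that rule are rinetd's documented behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Tunnel:
    bind_addr: str      # LAN-side address rinetd listens on
    bind_port: int
    connect_addr: str   # outside host the connection is relayed to
    connect_port: int

@dataclass
class Pattern:
    """One 'application pattern': the tunnels an application needs
    plus its own access list (rinetd allow/deny host masks)."""
    tunnels: List[Tunnel]
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)
    enabled: bool = True

def render(patterns: Dict[str, Pattern], logfile: str = "/var/log/rinetd.log") -> str:
    """Emit rinetd.conf text. allow/deny lines that follow a forwarding rule
    apply only to that rule, so each tunnel carries its pattern's access list.
    bind address:port pairs must be unique across all patterns, enabled or
    not, so a disabled pattern keeps its ports reserved for re-enabling."""
    seen: Dict[tuple, str] = {}
    lines = [f"logfile {logfile}", "logcommon", ""]
    for name, pat in patterns.items():
        lines.append(f"# pattern: {name}" + ("" if pat.enabled else " (disabled)"))
        for t in pat.tunnels:
            key = (t.bind_addr, t.bind_port)
            if key in seen:
                raise ValueError(f"{name}: {t.bind_addr}:{t.bind_port} already used by {seen[key]}")
            seen[key] = name
            if pat.enabled:
                lines.append(f"{t.bind_addr} {t.bind_port} {t.connect_addr} {t.connect_port}")
                lines += [f"allow {a}" for a in pat.allow] + [f"deny {d}" for d in pat.deny]
        lines.append("")
    return "\n".join(lines)

def emergency_off(patterns: Dict[str, Pattern]) -> str:
    """The 'one button': disable every pattern; the returned config has no forwarding rules."""
    for pat in patterns.values():
        pat.enabled = False
    return render(patterns)

# Constructed sample: one IM pattern, LAN 10.0.0.0/24, outside relay in the
# documentation range 203.0.113.0/24; 5190 is ICQ/AIM's traditional port.
SAMPLE = {"icq": Pattern([Tunnel("10.0.0.1", 5190, "203.0.113.5", 5190)],
                         allow=["10.0.0.*"], deny=["10.0.0.25"])}
```

Write the returned text to rinetd.conf and send rinetd a SIGHUP so it re-reads the file.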

10 To the future
- Compared to current firewall solutions (hardware routers with 2-3 predefined application patterns), a serious solution must include an authorization service and a list of patterns that a defined group of users is allowed to manage
- Reports for users must show the resources they used
- To link different branches, VPNs must be used with LAN-oriented applications

