Published by Suharto Dharmawijaya. Modified over 6 years ago.
1
Firewalls at UNM
11/8/2018
Chad VanPelt, Sean Taylor
2
Migrating from Cisco FWSM to Palo Alto NGFW
What are we changing? Migrating from Cisco FWSM to Palo Alto NGFW.
Why are we changing? A standard firewall can block by source IP and port and by destination IP and port. An NGFW is a standard firewall that also includes next-generation features such as:
3
NGFW features:
- Application based controls
- User-ID
- Stream based inspection (SP3)
- IPS
- Malware protection
- Superior visibility
4
Impact:
5
Hardware
- Two 5060s for perimeter and distribution (10G FW throughput)
- Two 5050s for Datacenter (5G FW throughput)
- Two 3020s for Gallup (250000; 2G FW throughput)
6
Deployment Phases
- Perimeter
- Datacenter
- Datacenter NSX Pilot
- Perimeter Distribution
- NATing, IPS, Zone Protection
- Branch Campus
7
Perimeter
- Palo Alto 5060s were the first firewalls at the UNM perimeter; others had tried but failed.
- Vwire deployment (transparent mode): two network ports are bound together and no routing or switching is performed.
- Very simple configuration; does not require any changes to surrounding or adjacent network devices.
9
Datacenter: Layer 3 Deployment
- Routed mode
- High availability: Active/Passive
- A security incident was the catalyst for replacing the legacy firewalls
- The firewall handles routing responsibilities "on a stick": it routes in and out of the datacenter and between datacenter zones
12
Datacenter NSX: not really a phase, but an interesting test.
VMware NSX integration with Palo Alto
- Purpose: send interesting traffic from the virtual environment to the Palo Alto for inspection and posturing
- Dynamic address groups and automation: add an IP address to a group on NSX and it is automatically added to inspection on the Palo Alto
13
Security Policy above the Forwarding Plane: NSX Distributed Firewall
[Diagram: Web, App and DB VMs sit on the hypervisor's virtual switch forwarding plane; the NSX Distributed Firewall applies policy above it, and the NetX API redirects data flows to the Palo Alto.]
14
Distribution
- Palo Alto 5060s at the perimeter are also functioning as distribution firewalls
- Layer 3 deployment, using the same model as the datacenter: all zones get routed at the Palo Altos
- Currently migrating legacy firewall customers
- We have a general zone for all customers that do not have a configured firewall zone
- During this phase we added High Availability to our perimeter boxes; they are now Active/Passive
16
NATing: currently using bidirectional and source NAT through Palo Alto
- Source NAT: customers that need only outbound communication
- Bidirectional NAT: customers that need to access resources off campus and on campus
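The difference between the two NAT styles on this slide is easiest to see in the translation tables they produce. The following Python model is an added example, not UNM's rulebase or any PAN-OS code: it keeps a session table for source NAT (dynamic IP and port, outbound only) and a one-to-one map for bidirectional static NAT, then shows what happens to an unsolicited inbound connection under each. The public pool address, the campus subnets and the static mapping are constructed documentation-range values (RFC 5737 for the public side, RFC 1918 for campus).

```python
"""Model of source NAT versus bidirectional static NAT.
Added example for illustration; not UNM's configuration or PAN-OS code.
Addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges; 10.x.x.x is made-up campus space)."""
import itertools
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class NatModel:
    def __init__(self, pool_ip, source_nat_subnets, static_map):
        self.pool_ip = pool_ip                                   # public address used for source NAT
        self.source_nat_subnets = [ip_network(n) for n in source_nat_subnets]
        self.static = dict(static_map)                           # private -> public, one-to-one
        self.reverse_static = {v: k for k, v in self.static.items()}
        self.sessions = {}                                       # (pool_ip, port) -> (private, sport)
        self._ports = itertools.count(20000)                     # next translated source port

    def outbound(self, flow):
        """Campus-to-Internet flow. Returns (translated flow, rule name) or (None, 'no-match')."""
        if flow.src in self.static:
            # Static rule: port preserved, and the same mapping serves inbound traffic
            return Flow(self.static[flow.src], flow.sport, flow.dst, flow.dport), "static-bidirectional"
        if any(ip_address(flow.src) in net for net in self.source_nat_subnets):
            port = next(self._ports)
            self.sessions[(self.pool_ip, port)] = (flow.src, flow.sport)
            return Flow(self.pool_ip, port, flow.dst, flow.dport), "source-nat"
        return None, "no-match"

    def inbound(self, flow):
        """Internet-to-campus flow. Only a static rule or an existing session admits it."""
        if flow.dst in self.reverse_static:
            return Flow(flow.src, flow.sport, self.reverse_static[flow.dst], flow.dport), "static-bidirectional"
        key = (flow.dst, flow.dport)
        if key in self.sessions:                                 # reply to a source-NAT session
            private, sport = self.sessions[key]
            return Flow(flow.src, flow.sport, private, sport), "session-reply"
        return None, "dropped"                                   # unsolicited, no translation exists


def demo():
    """Walk both customer types through outbound, reply and unsolicited inbound traffic."""
    nat = NatModel(pool_ip="203.0.113.1",
                   source_nat_subnets=["10.20.0.0/24"],
                   static_map={"10.30.0.10": "203.0.113.10"})
    results = {}
    out, results["outbound"] = nat.outbound(Flow("10.20.0.5", 51000, "198.51.100.80", 443))
    # The server's reply comes back to the translated address and port
    _, results["reply"] = nat.inbound(Flow("198.51.100.80", 443, out.src, out.sport))
    # Nobody on the Internet can open a connection to a source-NAT-only host
    _, results["unsolicited_to_pool"] = nat.inbound(Flow("198.51.100.80", 40000, "203.0.113.1", 22))
    # The bidirectional customer is reachable on its static public address
    translated, results["unsolicited_to_static"] = nat.inbound(Flow("198.51.100.80", 40000, "203.0.113.10", 22))
    results["static_private_dst"] = translated.dst
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model deliberately has no security policy layer: in a real deployment the static mapping only makes the host reachable, and a separate security rule still decides which inbound ports are permitted.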
17
Zone Protection: flood, reconnaissance, and packet-based attack protection
- Flood Protection: SYN, ICMP, UDP, and PPS (Alert, Activate, Maximum thresholds)
- Reconnaissance Protection: Host Sweep, TCP Port Scan, UDP Port Scan (Allow, Alert, Block); Interval / Threshold: 10 sec per 100 events
- Packet-based attack protection: spoofed IP address, fragmented traffic
18
Intrusion Prevention: technology that examines network traffic flows to detect and prevent vulnerability exploits.
- Secondary inline at the perimeter: the TippingPoint IPS does the heavy lifting at the perimeter (defense in depth)
- Ability to activate IPS policies on a per-zone basis
- Single Pass Architecture: dedicated processing, stateful pattern matching
20
What does this mean for your department?
21
All departments will be receiving a basic level of firewall service under new architecture.
Enhanced, customized firewall services are available for a small monthly fee.
22
University specific risks
- The nature of University traffic requires a very liberal default security posture compared to secured corporate networks, etc.
- The majority of the University is still on public IP addresses
- Research universities are often a target of intellectual property theft attempts
- Attacks that we see often range in the millions to tens of millions of hits per second
23
LoboZone: minimal set of policies and inspections to block the worst of the worst.
- Policies determined by IT Security and the Data Network Group
- No customization allowed
- Not protected from any other departments in LoboZone
24
Department Specific Zones: dedicated security zone with rules and inspections set by local department IT administrators in consultation with UNM IT Security. Cost: $75/month
26
Department Specific Zones: possible options:
- Block all inbound traffic except for specific traffic to specific servers
- Block access to certain categories of URLs from your department computers
- Block specific attacks that have been directed at your department, such as SSH brute force, etc.
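The first option above (block all inbound traffic except specific traffic to specific servers) and the earlier NSX point about dynamic address groups (an IP tagged on NSX is picked up for inspection without editing the firewall rule) are two sides of the same mechanism: rules reference groups, and group membership is resolved from tags at evaluation time. The Python below is an added example, not UNM's policy or PAN-OS code; the zone names, tags, addresses and rule set are constructed, and the tag match is simplified to "all listed tags present".

```python
"""Zone policy evaluator with tag-driven dynamic address groups.
Added example, not UNM's policy or PAN-OS code; zones, tags, addresses
and rules below are constructed for illustration."""
from dataclasses import dataclass, field


class TagRegistry:
    """IP -> set of tags, as a VM orchestration system would register them."""

    def __init__(self):
        self._tags = {}

    def register(self, ip, *tags):
        self._tags.setdefault(ip, set()).update(tags)

    def unregister(self, ip):
        self._tags.pop(ip, None)

    def members(self, required_tags):
        """Dynamic address group: every IP carrying all of the required tags (AND match)."""
        req = set(required_tags)
        return {ip for ip, tags in self._tags.items() if req <= tags}


@dataclass
class Rule:
    name: str
    from_zone: str                 # zone name or "any"
    to_zone: str
    action: str                    # "allow" or "deny"
    dst_tags: tuple = ()           # empty = any destination; else a dynamic group match
    dports: tuple = ()             # empty = any port


@dataclass
class ZonePolicy:
    registry: TagRegistry
    rules: list = field(default_factory=list)

    def evaluate(self, from_zone, to_zone, dst_ip, dport):
        """First matching rule wins; anything unmatched falls through to deny."""
        for r in self.rules:
            if r.from_zone not in (from_zone, "any") or r.to_zone not in (to_zone, "any"):
                continue
            if r.dst_tags and dst_ip not in self.registry.members(r.dst_tags):
                continue                                   # membership resolved at evaluation time
            if r.dports and dport not in r.dports:
                continue
            return r.action, r.name
        return "deny", "default-deny"


def build_demo():
    """A department zone that admits only HTTPS from outside and SSH from campus,
    both only to servers tagged dept-web + prod, and blocks every other inbound flow."""
    reg = TagRegistry()
    reg.register("10.40.0.10", "dept-web", "prod")         # constructed server address
    policy = ZonePolicy(reg, [
        Rule("inbound-web", "untrust", "dept-zone", "allow", ("dept-web", "prod"), (443,)),
        Rule("inbound-ssh-from-campus", "campus", "dept-zone", "allow", ("dept-web", "prod"), (22,)),
        Rule("block-inbound", "any", "dept-zone", "deny"),
        Rule("outbound", "dept-zone", "untrust", "allow"),
    ])
    return reg, policy


if __name__ == "__main__":
    reg, policy = build_demo()
    print(policy.evaluate("untrust", "dept-zone", "10.40.0.11", 443))   # deny: not yet tagged
    reg.register("10.40.0.11", "dept-web", "prod")                       # new VM registered
    print(policy.evaluate("untrust", "dept-zone", "10.40.0.11", 443))   # allow: rule unchanged
```

Because membership is resolved when the rule is evaluated, a host that loses its tags (or never had the full set, such as a test VM tagged dept-web but not prod) drops back under the block-inbound rule automatically; the control that matters is therefore who is allowed to assign tags.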
27
Other possibilities:
- Dedicated firewall contexts for areas that manage a large number of departments
- Possibility of dedicated physical firewalls for high-security environments that require physical separation
- Costs and design would be negotiated on a case by case basis
28
Questions?