University of Utah WAN Firewall Presenta6on

Transcription

1 University of Utah WAN Firewall Presenta6on Raising Awareness of our WAN Firewall Issues This document is for internal University of Utah use only.

2 4 Key Internet Firewall Ques6ons Who do we serve and what do they want? Campus and HSC Networks who want to get to/from the Internet (note: This does not include High Performance networking needs) What services do we provide? Internet access with the best security and bandwidth economically feasible How do we know we are doing a good job? Provide uninterrupted access, securely; quickly provide change requests with few or no dropped packets What is the best way to provide this service? Provide an enterprise- wide, centrally managed security solu6on

3 FW1- WAN U6liza6on Sample Snapshot 60,000 network hosts through one Internet portal What we adver6se: 10 Gig pipes to Internet What we provide: 2,532,329Kbps = 2.5 Gig 9/21/2011

4 Benefits of FW- WAN Replacement Provide immediate increased throughput to the en6re University Eliminate con6nual packet drops (~10,000 packets dropped per hour) Implement Logging Quicker Response to Tickets Our first tool for troubleshoo6ng connec6vity issues is turned off due to load on firewall Ability to quickly locate firewall rule from log Logging done on session start and close, gives granular logging for inves6ga6ons Centralized Management Saves Time A less complicated view leads to a more secure policy Global groups of objects/protocols enables standards & increased security across enterprise Create rules based on Ac6ve Directory creden6als Saves Time, Reduces Complaints Allow users to traverse the network and have same Firewall policy E.g. Desktop people go to many areas needing to download drivers. We have tradi6onally opened up firewall rules (and ACLs) allowing en6re networks out to those sites. Create rules based on FQDN E.g. jp.hp.com, windowsupdate.microsoj.com Next Genera6on func6onality Increased Security Intrusion Detec6on Applica6on Tracking; monitor what is inside the packet, not just the port number

5 Crea6ng Rules Based on FQDN Example: A rule allows access outbound on FTP Current Procedures: Because IP addresses change, IPs are con6nually added to the FTP group See diagram to the right (screenshot of FTP group members) Best Prac6ces More secure and enables documenta6on by allowing access to jp.hp.com, for example, rather than a host of addresses Wouldn t we rather allow the Desktop Group access to jp.hp.com rather than allow everyone access to en6re subnets?

6 Firewall Rules Make Sense Firewall rules are much simpler to: Manage iden6fy groups, filter permit or deny rules, modify comments Change insert /move rules, point and click, add rules now push rules tonight Navigate through policy logically arrange common rules Troubleshoot simple interface to manage Display and explain to network administrators and data managers

7 ACLs Do Not Scale Well ACLs are not easy to manage. An ACL solu6on is not scalable across the enterprise. ACL changes can easily break exis6ng policy. Copy/paste breaks, miss deny at end, PC locks up while pushing, complicated changes ajer hours rather than a simple rule push. Deciphering logs and loca6ng the actual rule is complicated. When we need to troubleshoot issues quickly, we need simplicity. ACLs are not stateful: only security is L3/L4 port info and no advanced checking. Can lead to directed anacks without proper session being built. For an ACL change, you need to know: Where in the list the ACL is going to go? What interface to apply it to? What direc6on the traffic is going (it s not enough to know source/ des6na6on IP)?

8 Recommenda6on for FW- WAN Implement a firewall with the following features: Immediately provide 400% increase in available throughput Ini6ally implement same rule set Implement plan to block unsecure inbound ports Implement plan to clean up exis6ng rules Turn on logging immediately Implement FQDN and Ac6ve Directory Rules where they apply Review IDS abili6es as 6me permits

9 What is the current firewall providing the University? Think the fw1- wan doesn t do much? In reality, it blocks traffic all day long. Below is a screen shot of the number of packets it has blocked ajer 36 days over specific ports from any source on the Internet.

10 What FW1- WAN Allows Through In researching a demonstra6on of what fw1- wan allows (that should be blocked), I came across an example of great logging. This screen shot is taken from an internal firewall log indica6ng all of the extraneous traffic going across our network, that FW1- WAN is maintaining state for, that is being dropped internally.

11 What FW1- WAN Allows Through cont d There is garbage hiqng fw- hosp all day long. There is an equal amount of traffic (dropped or allowed) hiqng all firewalls and devices.