Who Moved My Firewall. Clinton Thomson Derivco (PTY) Ltd



Similar documents
Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

INTRODUCTION TO FIREWALL SECURITY

Gateway Security at Stateful Inspection/Application Proxy

Networking for Caribbean Development

Firewall Environments. Name

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Security Technology: Firewalls and VPNs

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 11 Cloud Application Development

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

SIP Security Controllers. Product Overview

Cisco PIX vs. Checkpoint Firewall

VPN Lesson 2: VPN Implementation. Summary

CMPT 471 Networking II

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Cornerstones of Security

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

IPCOM S Series Functions Overview

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Firewalls. Chapter 3

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

Chapter 9 Firewalls and Intrusion Prevention Systems

CSCE 465 Computer & Network Security

Overview. Firewall Security. Perimeter Security Devices. Routers

Firewall Security. Presented by: Daminda Perera

Next Generation Network Firewall

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Guideline on Firewall

8. Firewall Design & Implementation

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Stateful Inspection Technology

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Polycom. RealPresence Ready Firewall Traversal Tips

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

SonicWALL Unified Threat Management. Alvin Mann April 2009

Chapter 3 Security and Firewall Protection

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Customer Service Description Next Generation Network Firewall

Total Cost of Ownership: Benefits of Comprehensive, Real-Time Gateway Security

Computer Networks. Secure Systems

May Palo Alto Networks 232 E. Java Drive Sunnyvale, CA

CSE543 - Computer and Network Security Module: Firewalls

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CTS2134 Introduction to Networking. Module Network Security

Fortigate Features & Demo

Firewall Defaults and Some Basic Rules

SIP Trunking with Microsoft Office Communication Server 2007 R2

Source-Connect Network Configuration Last updated May 2009

CSC574 - Computer and Network Security Module: Firewalls

Internet Security Firewalls

Gigabit SSL VPN Security Router

Astaro Gateway Software Applications

Cisco IOS Advanced Firewall

NETASQ MIGRATING FROM V8 TO V9

Using Skybox Solutions to Achieve PCI Compliance

Achieving PCI Compliance Using F5 Products

Unified Threat Management, Managed Security, and the Cloud Services Model

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

allow all such packets? While outgoing communications request information from a

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Assuring Your Business Continuity

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Recommended IP Telephony Architecture

Firewall Firewall August, 2003

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Securing Networks with PIX and ASA

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Figure 41-1 IP Filter Rules

Firewalls. Ahmad Almulhem March 10, 2012

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

U06 IT Infrastructure Policy

Network Access Security. Lesson 10

SIP Trunking Configuration with

Network Defense Tools

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Network Security Topologies. Chapter 11

Transcription:

Who Moved My Firewall Clinton Thomson Derivco (PTY) Ltd 1

Agenda Introduction to Derivco (Pty) Ltd Efficacy of Firewalls Firewall Roles Threat Landscape De-perimeterisation Q & A 2

Derivco as a company Leading developer of online gaming software ICT Company of the year 2007 (KZN) Management of IT Services in online gaming 3

Efficacy of Firewalls Traditional Layer 3 and 4 (Noise Filter) Ephemeral Ports and RPC Services Layer 7 Inspection (Deep Packet Inspection) Dealing with encrypted protocols Packet structures (Large vs. Small) The Commodity Race One of the few things from the 80 s that may not make us blush! L3\4 Effective for publishing services to restricted locations Stateful packet inspection the defacto standard today. Primarily noise filter. Limited value in logging unless you have the resources to manage and report. Nice for mngmt stats. Still not entirely effective for ephemeral ports such and RPC\DCOM based services. Ability to use GUIDs with packet inspection helps but not everything is fully documented and supported. Results in hack jobs and registry settings to limit ports or alternatively some IPSec L7 nice for packet sanity. Good for clear text protocols such as FTP, HTTP, Telnet, SQL. More control at application level, limit commands that pose risk. Big perf penalties. Encrypted protocols no L7 insp which makes most FWs a L4 device. This makes attacks private too. Anything worthwhile on the web today needs protection, SSL and TLS more and more pervasive. Even SMTP will negotiate TLS. Can use SSL termination at firewall or edge device, results in performance hit. Pckt structures Large vs. Small NAT big penalties. Relationship between CPU and throughput not linear. DDoS mitigation not effective on large capacity networks, works in SA market. This is specific noted in a routed FW environment. Eg MPP packets and large number of players. Commodity Race, stateful pckt insp, everyone s doing it. QOS, IPS, IPsec and SSL VPN. FW vendors adding as much as possible to offering to be competitive, enter UTM. Is this sustainable and is it exclusive to firewalls? 4

Firewall Roles Perimeter and DMZ (Physical and Logical) Remote Access Internal at Layer 7 Inside Out The Host Load Balancer Perimeter and DMZ, typical model and not much has changed or is it changing? MS example of Server Isolation and will talk on this further under load balancer. Remote Access for SSL VPN, Extranets etc Move load away from business as usual firewalls. Provides for different function vies a vie encryption and user based access. L7 FW becomes more interesting internally, possibly less encryption. Monitor traffic to\from hosts, possible location for virtual patching, post SSL decryption (clear), isolation servers in the traditional sense and include application level checks. Too externally focused, require firewall for all outbound pckts including L7 filtering on clear text protocols. Most web filtering vendors will provide SSL proxy and strip SSL, filter and establish SSL session. Required due to possible payload delivery and covert channels. Trusting servers over desktops not wise, server exploit exacerbated by allowing ANY outbound access incl DNS, NTP etc. Explain concept of tunneling data over DNS. Host FW becoming increasingly important and essential even internally for all hosts. XP and 2003 FW, to include outbound as well as inbound. Last line of FW defense for host, reduces reliance on the absolute perimeter firewall, may be effective mitigation against non patched systems and systems running unapproved services.. Effective when used with GPO. Load Balancers now provide Stateful Inspection, means to publish L4 to L7 services with inspection\action, Log and NAT connections, SSL offload etc. Relook at throughput issues of firewalls this becomes an interesting contender to remove traffic from FW. These devices can sit alongside a firewall and provide the very same services at a potentially better price\performance ratio. 5

Threat Landscape Zero Day Attacks Web Applications Skills and GUIs Moving Target (Office, VOIP and IM) Laptops and Tapes ipods, Cameras and Phones Social Attacks Information Leaks Zero day attacks and variants are overwhelming today, compared to recent past there was much less activity in this space. Threats and attacks less visible, targeted, do more damage over time and are much more difficult to detect and remove. Behaviour based IPS and AV requirement. Patching needs to happen immediately and companies need to have the agility to do so. Web applications feature rich with more functionality for the user. Risks now almost exclusively around applications. Systems are not developed with security in mind, junior developers do not possess knowledge and skill to develop secure solutions. Focus is on delivery to market and is time sensitive. GUIs becoming richer for FW, Router and SYSAdmin while skills are spread wide from low to high with many in low area. Companies forced to take lower skills and assume the risks of human error and lack of experience. GUIs are great and believe they provide great value, dependant on the skill using the product. Attacks on web systems reduced through effective patching and vendor practices. Attacks now more prevalent on user based services such as IM, VOIP and office arena. Laptops and tapes seem to be the emerging way to lose lost of data in a very short space of time. More and more data loses now being attributed to loss of laptops and tapes. Good top see technology such as LTO 4 adding encryption, laptops need to be encrypted. These nullify protection mechanisms from firewall to host, but possibly not data will talk more on this shortly. 6

De-perimeterisation Perimeters are bonnox fences at best Tunneling Applications Security at the host and data Pervasive Unobtrusive Defense in depth Data Application Host Internal Network Perimeter Physical Security Policies, Procedures, & Awareness 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information