Firewalls: The Next Generation
Rick Coloccia, Network Manager
coloccia@geneseo.edu
Session Overview
- Evolution of the Firewall
  - Packet Filters
  - Stateful Firewalls
  - Application Firewalls
- Single Appliance No More
- Today
- Next Generation Firewalls
- Buyer's Questions
- All-in-One Devices
- At Geneseo
- Elsewhere?
- Q & A
Evolution of the Firewall
- Firewalls were born in roughly 1990
- Both hardware- and software-based firewalls exist
- We are focusing on the hardware devices only
Packet Filters
- The most basic firewall option
- Compare incoming and outgoing packets to lists of source and destination addresses and ports, then take one action:
  - drop (discard the packet silently)
  - reject (discard the packet and send a notice of denial back to the sender)
  - permit
- Environment: T1s, 10 Mbps LANs
Stateful Firewalls
- Packet filters plus connection tracking
- Add a unique rule to the control list: packets matching a known active connection are allowed by the firewall; others are rejected
- In other words: if a host on the inside asked for it, let it in
- Environment: T3s, dawning of metro-Ethernet, 100 and 1000 Mbps LANs
- Administration remains within the realm of the network administrators
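To make the difference between the two previous slides concrete, here is an added example (not code from the slides or from any product mentioned in them): a first-match packet filter with the three actions above, and the same filter wrapped in a connection tracker. The rule format, the 10.0.0.0/8 campus range, the web server at 10.0.0.80 and the packets are all constructed for the illustration.

```python
# Added illustration (not from the slides): a first-match packet filter and the
# same filter with connection tracking. Rule fields, addresses and packets are
# all constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    # "permit": forward; "drop": discard silently; "reject": discard and tell the sender
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


def packet_filter(rules: List[Rule], p: Packet, default: str = "reject") -> str:
    """Stateless packet filter: the first matching rule decides, else the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Packet filter plus connection tracking. Every permitted packet records its
    5-tuple; a later packet whose reversed 5-tuple is known is a reply to an
    established connection and is allowed without consulting the rule list."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conns: Set[Tuple[str, str, int, int, str]] = set()

    def evaluate(self, p: Packet) -> str:
        if (p.dst, p.src, p.dport, p.sport, p.proto) in self.conns:
            return "permit"  # matches a known active connection
        action = packet_filter(self.rules, p)
        if action == "permit":
            self.conns.add((p.src, p.dst, p.sport, p.dport, p.proto))
        return action


# Constructed rule list: 10.0.0.0/8 is the campus, 10.0.0.80 a public web server.
RULES = [
    Rule("permit", src="10.0.0.0/8"),                           # inside hosts may go anywhere
    Rule("permit", dst="10.0.0.80/32", dport=80, proto="tcp"),  # anyone may reach the web server
    Rule("drop", dst="10.0.0.0/8", dport=22, proto="tcp"),      # SSH probes: drop, give no hint
    Rule("reject"),                                             # everything else: deny with notice
]


def demo() -> Tuple[str, str, str]:
    """An inside host talks to an outside HTTPS server; compare how the stateless
    filter and the stateful firewall treat the server's reply."""
    fw = StatefulFirewall(RULES)
    outbound = Packet("10.0.0.7", "203.0.113.5", 51000, 443)
    reply = Packet("203.0.113.5", "10.0.0.7", 443, 51000)
    first = fw.evaluate(outbound)              # "permit", and creates connection state
    stateless = packet_filter(RULES, reply)    # "reject": no rule allows inbound port 51000
    stateful = fw.evaluate(reply)              # "permit": the reverse 5-tuple is known
    return first, stateless, stateful


if __name__ == "__main__":
    print(demo())
```

The stateless filter has no way to admit the server's reply without a permanent hole for high ports, which is exactly what connection tracking removes. A production implementation also ages entries out, checks TCP flags and sequence numbers, and handles protocols such as FTP that open secondary connections; none of that is shown here.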
Application Firewalls
- Understand various network applications and can react in ways unique and specific to each application
- Examples:
  - Web application firewalls
  - Spam firewalls
  - Proxy servers
  - Bandwidth management devices
  - P2P management devices
  - Intrusion detection/prevention systems
Application Firewalls
- Environment:
  - Metro-Ethernet connections of 500 Mbps or more to campuses
  - 1 and 10 Gbps connections within campus networks
  - The cloud is here to stay: huge bandwidth needs
  - Home users have 10-50 Mbps connections and demand high-speed connections to campus
  - High-speed network connectivity is a must!
  - Hosts have up to 128 GB of RAM and tremendous processing power
Single Appliance No More
- The single firewall appliance is no longer sufficient
- Web administrators, mail administrators, security compliance officers, and network administrators all have a role in managing campus security
- What was once a part-time role held by one person has evolved into a complicated web of security systems
- Campus security relies on layers. Like an onion.
Today
- Security is now designed in a layered fashion in many environments
- Basic stateful firewalling remains in use
- Web application firewalls focus their protection on your web sites and on your home-grown web software
- Proxy servers minimize bandwidth consumption by caching content locally
Today
- Intrusion prevention systems protect networks by dropping packets that match complex signatures, written either for specific exploits or for the more general vulnerabilities those exploits target
- Spam filters control inbound and outbound mail delivery by checking messages against white lists and black lists, signatures, and message content
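The slide's distinction between exploit-specific and vulnerability-based IPS signatures is the one that matters most when buying, so here is an added example (not from the slides, and not describing any real product or bug). It uses a constructed toy protocol, `CMD <name>\r\n`, for which we assume, hypothetically, that the server's parser has room for only 64 bytes of `<name>`; the exploit bytes and the traffic samples are constructed too.

```python
# Added illustration (not from the slides) of the two kinds of IPS signature the
# slide mentions. The protocol, its 64-byte field limit and the payloads are all
# constructed for this example; no real product or bug is described.
import re
from typing import List, Tuple

NAME_LIMIT = 64  # hypothetical: the server's parser only has room for 64 bytes of <name>
REQUEST = re.compile(rb"CMD ([^\r\n]*)\r\n")  # toy protocol: "CMD <name>\r\n"

# Exploit-specific signature: the exact bytes of one known (constructed) exploit.
EXPLOIT_SIG = re.compile(rb"CMD A{64}\x90\x90\x90\x90\x31\xc0")


def vuln_sig(packet: bytes) -> bool:
    """Vulnerability-based signature: any <name> longer than the parser can hold
    triggers the bug, whatever bytes it is made of."""
    m = REQUEST.match(packet)
    return m is not None and len(m.group(1)) > NAME_LIMIT


def inspect(packet: bytes) -> Tuple[str, List[str]]:
    """Return the IPS verdict ("forward" or "drop") and the signatures that fired."""
    hits: List[str] = []
    if EXPLOIT_SIG.search(packet):
        hits.append("exploit:cmd-overflow-v1")
    if vuln_sig(packet):
        hits.append("vuln:cmd-name-oversize")
    return ("drop" if hits else "forward", hits)


# Constructed traffic samples.
BENIGN = b"CMD list\r\n"
KNOWN_EXPLOIT = b"CMD " + b"A" * 64 + b"\x90\x90\x90\x90\x31\xc0" + b"\r\n"
VARIANT = b"CMD " + b"B" * 80 + b"\xcc" * 8 + b"\r\n"  # same bug, different bytes


if __name__ == "__main__":
    for sample in (BENIGN, KNOWN_EXPLOIT, VARIANT):
        print(inspect(sample))
```

The variant payload slips past the exploit signature by changing a few bytes but is still caught by the vulnerability signature, which is why IPS vendors' coverage of vulnerabilities (rather than of individual exploit samples) is worth asking about. The price is that vulnerability signatures require the IPS to parse the protocol, which is more work per packet and a source of false positives when the parser and the real server disagree.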
Today
- Multiple administrators are typically used to address several issues:
  - cross-training
  - areas of expertise
  - legal issues: maintaining some separation between security personnel and system administrators
Next Generation Firewalls
- Next-generation firewalls expand upon traditional firewall behavior by adding elements beyond addresses and ports to each firewall rule, including application, user identity, and reputation
- Vendors include Check Point, Palo Alto, SonicWall, Fortinet, Barracuda, Stonesoft, Sentinel IPS, TippingPoint, and more
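What those three extra rule elements buy you is easiest to see in code, so here is an added example; it is not from the slides and does not reproduce any vendor's rule language. The application signatures, the IP-to-user mapping, the group membership and the reputation feed are constructed stand-ins for the engines a real NGFW feeds its rules from.

```python
# Added illustration (not from the slides, nor any vendor's rule language) of
# what "application, user identity and reputation" add to a firewall rule.
# The app signatures, IP-to-user mapping and reputation feed are constructed
# stand-ins for an NGFW's own engines.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# App identification by payload, not by port (constructed signatures).
APP_SIGS = {
    b"\x16\x03\x01": "ssl",                   # TLS record header of a ClientHello
    b"GET ": "web-browsing",
    b"\x13BitTorrent protocol": "bittorrent",
}
USER_ID: Dict[str, str] = {"10.0.0.7": "alice", "10.0.0.8": "bob"}  # from directory/captive portal
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"staff"}, "bob": {"students"}}
REPUTATION: Dict[str, str] = {"203.0.113.5": "good", "198.51.100.9": "malicious"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int      # kept to show the port alone no longer decides the verdict
    payload: bytes


def identify_app(flow: Flow) -> str:
    for prefix, app in APP_SIGS.items():
        if flow.payload.startswith(prefix):
            return app
    return "unknown"


@dataclass
class NgfwRule:
    name: str
    action: str
    app: Optional[str] = None         # identified application
    group: Optional[str] = None       # user group from the identity mapping
    reputation: Optional[str] = None  # destination reputation verdict

    def matches(self, app: str, groups: Set[str], rep: str) -> bool:
        return ((self.app is None or self.app == app)
                and (self.group is None or self.group in groups)
                and (self.reputation is None or self.reputation == rep))


RULES = [
    NgfwRule("block-bad-reputation", "drop", reputation="malicious"),
    NgfwRule("no-p2p-for-students", "drop", app="bittorrent", group="students"),
    NgfwRule("web-for-all", "permit", app="web-browsing"),
    NgfwRule("ssl-for-all", "permit", app="ssl"),
    NgfwRule("staff-any-app", "permit", group="staff"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; unmatched flows are dropped. Returns (rule, action)."""
    app = identify_app(flow)
    user = USER_ID.get(flow.src, "unknown")
    groups = USER_GROUPS.get(user, set())
    rep = REPUTATION.get(flow.dst, "unknown")
    for r in RULES:
        if r.matches(app, groups, rep):
            return r.name, r.action
    return "default", "drop"


if __name__ == "__main__":
    # bob (a student) runs BitTorrent over port 80: a port rule sees "web",
    # the application rule sees P2P and drops it.
    print(evaluate(Flow("10.0.0.8", "203.0.113.5", 80, b"\x13BitTorrent protocol")))
```

Two practical notes: the user-identity dimension is only as good as the IP-to-user mapping (shared NAT addresses or stale mappings break it), and the application dimension usually needs the first few packets of a flow before it can classify, so many products admit those packets provisionally. Both are worth raising in the buyer's questions that follow.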
Buyer's Questions
- First determine your security posture! What would you want a firewall to do? Know this before talking to a vendor!
- Network design considerations:
  - How is your network built?
  - Are there multiple points of entry?
  - What protocols are in play? IPv4, IPv6? Multicast? Any experimental protocols?
Buyer's Questions
- How much staff time can you commit to deployment and maintenance of a security appliance?
- What is your budget?
- How concerned are you about diversifying security vendors?
  - All your eggs in the same basket, or
  - Best of breed
All-in-One Devices
- They are not without their application:
  - Sites small in size
  - Sites with limited personnel
  - Sites where layered security is less important because of the types and classes of data being protected
  - Sites where network designs would be negatively impacted by multiple security devices
At Geneseo, What & Why
- HP TippingPoint (IPS, copyright compliance)
- Cisco ASR 1000 Series Aggregation Services Router (access control lists)
- Cisco ASA 5500 Series Adaptive Security Appliance (stateful firewall)
- Cisco ASA 5500 Series Adaptive Security Appliance (VPN)
- Blue Coat PacketShaper (bandwidth management)
- IronPort spam firewalls (email filtering)
Elsewhere? What are you doing? Why?
Questions?
Rick Coloccia, Network Manager, SUNY Geneseo
585-245-5577
coloccia@geneseo.edu