Centralized Cloud Firewall
Ivan Ivanovic, BUCC/AMRES
Tbilisi, December 2013
AMRES NREN
- 172 institutions
- ~2200 km of dark fiber links, 22 cities
- 3 cross-border optical links
- Redundant GEANT internet links: 1 Gbps (Hungarnet), 10 Gbps (DANTE)
- 4 service centers (universities): Beograd (BUCC, 44+80), Novi Sad (ARMUNS), Nis (JUNIS), Kragujevac (ARMUK)
- AMRES NREN was established as a legal entity on 19 May 2011
- Free-of-charge services
Security
Until recently AMRES used only simple filtering mechanisms:
- Cisco ACLs (standard, extended...)
- iptables on Linux servers
- Antivirus protection on desktop PCs and servers
Digital divide (funding problem):
- Rich AMRES institutions have purchased their own firewalls
- Poor institutions rely on AMRES
Problems:
- Over the years the ACLs keep getting longer (maintenance problem)
- Filtering only up to layer 4 of the OSI model
- Information about traffic content is missing
- The network is closed
Acquisition of IronPort proxy servers
- Connecting schools project: more than 2000 primary and secondary schools, safe Internet for kids, government reaction!
- 6 IronPort S670 Web Security Appliances
- 2 IronPort C370 Email Security Appliances
- 1 IronPort M160 Management Appliance
- Additional equipment (servers, UPS, rack)
- First firewall devices in BUCC/AMRES
- The project was delayed
- The equipment has been purchased
Benefits
- Increased security and control
- Web reputation filtering
- Malware filtering (Webroot)
- URL filtering
- Traffic control
- Protocol and user agent filtering
- Application filtering
- Object filtering (MIME types)
- Many, many more
- Cloud service for our end users!
System location
IronPort Cloud service: how does it work?
- Centralized management through web access.
- LDAP is used for authentication and authorization.
- End users can log in to the management appliance and configure their own access policies.
Web Security - Policies
- Custom configuration: configured by end users
- Global configuration: configured by AMRES
Web Security - Global Policy: Protocols and user agents
- Allowed: FTP over HTTP, HTTP, HTTPS, native FTP
- Allowed HTTP CONNECT ports: 20, 21, 443, 2083, 4443, 563, 2096, 8443, 8080
- Custom user agents: everything allowed (web browsers)
Web Security - Global Policy: URL filtering
- URL categories denied: Child Porn, Filter Avoidance, Gambling, Hate Speech, Illegal Drugs, Porn
- More than 60 other categories are allowed
- Custom URL category filtering: "Eksplicitno pusteni sajtovi" (explicitly allowed sites), CabFiles (Windows Update cabinet files)
- Every category can be managed differently: Block, Monitor, Redirect, Warn, Allow, Time-based
Web Security - Global Policy: Application Visibility and Control
- Default action for all application types is Monitor
Web Security - Global Policy: Objects
- Allow everything: web page content, Flash, JavaScript, all images, miscellaneous, calendar data
Web Security - Global Policy: Reputation and Anti-Malware Settings
- Anti-Malware (Webroot), denied: Dialer, Hijacker, Phishing URL, Trojan Downloader, Trojan Horse, Trojan Phisher, Worm, Other Malware
- WBRS (Web-Based Reputation Score)
Problems
- How to redirect end-user web traffic toward the centralized firewall? A matter of choice.
- How to spread the web traffic load equally across all firewall devices?
Redirection of web traffic
- Manual configuration: proxy.amres.ac.rs:8080 (round-robin DNS resolution of the name)
- Auto-detect proxy settings: WPAD (Web Proxy Autodiscovery Protocol), http://wpad.ac.rs/wpad.dat
- Automatic configuration URL: location of the PAC file
- Traffic control - transparent proxy: WCCP (Web Cache Communication Protocol), PBR (Policy Based Routing)
Web Proxy Autodiscovery Protocol (WPAD)
The WPAD PAC script (wpad.dat):

```javascript
function FindProxyForURL(url, host) {
    // If the URL has no dots in the host name, send the traffic direct.
    if (isPlainHostName(host))
        return "DIRECT";

    // If the IP address is internal or the hostname resolves to an internal IP, send direct.
    var resolved_ip = dnsResolve(host);
    if (isInNet(resolved_ip, "147.91.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "160.99.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "91.187.128.0", "255.255.224.0") ||
        isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // All other traffic uses the proxies below, in fail-over order.
    return "PROXY proxy.amres.ac.rs:8080; PROXY 147.91.1.41:8080; PROXY 147.91.1.42:8080; PROXY 147.91.1.43:8080; DIRECT";
}
```

Workstations must have the correct domain configuration: WPAD uses DNS queries to find the JavaScript wpad.dat file, walking up the domain hierarchy:
- wpad.rcub.bg.ac.rs
- wpad.bg.ac.rs
- wpad.ac.rs
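An offline tester for the decision logic of this PAC script, added here as an example (not AMRES code): it re-implements the browser's PAC helper functions, answers dnsResolve() from a constructed lookup table instead of real DNS, and reports which route the script picks for plain, internal, loopback, external and unresolvable hosts, so the file can be checked before it is published under wpad.ac.rs.

```javascript
// Offline tester for the wpad.dat decision logic. Added example, not AMRES code:
// the browser's PAC helpers are re-implemented here and dnsResolve() answers
// from a constructed lookup table instead of real DNS.
const FAKE_DNS = {                          // constructed answers for the test
  "www.rcub.bg.ac.rs": "147.91.1.10",       // inside 147.91.0.0/16
  "www.example.org": "93.184.216.34",       // outside every internal range
  "printer.lab.example": "192.168.5.7",     // RFC 1918 address
};
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + (parseInt(o, 10) & 255)) >>> 0, 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // a literal IPv4 resolves to itself
  return FAKE_DNS[host] || null;                         // null = unresolvable, as in browsers
}
function isInNet(ip, pattern, mask) {
  if (!ip) return false;                                 // unresolvable host never matches
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}
// The PAC script under test: the same FindProxyForURL as in wpad.dat.
const PAC_SCRIPT = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  var resolved_ip = dnsResolve(host);
  if (isInNet(resolved_ip, "147.91.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "160.99.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "91.187.128.0", "255.255.224.0") ||
      isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) return "DIRECT";
  return "PROXY proxy.amres.ac.rs:8080; PROXY 147.91.1.41:8080; PROXY 147.91.1.42:8080; PROXY 147.91.1.43:8080; DIRECT";
}`;
// Compile the PAC text with the helpers injected, as a browser would.
const findProxyForURL = new Function("isPlainHostName", "dnsResolve", "isInNet",
  PAC_SCRIPT + "\nreturn FindProxyForURL;")(isPlainHostName, dnsResolve, isInNet);
// Full fail-over list, and the first hop (the one clients try first).
function decide(host) { return findProxyForURL("http://" + host + "/", host); }
function firstHop(host) { return decide(host).split(";")[0].trim(); }

for (const h of ["intranet", "www.rcub.bg.ac.rs", "127.0.0.1", "91.187.160.1",
                 "www.example.org", "unknown.example.net"]) {
  console.log(h.padEnd(22), "->", firstHop(h));
}
```

Unresolvable names are sent to the proxy rather than direct, which is the desired outcome since the proxy does its own resolution.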
DNS resolving: DNS round-robin resolving method
IronPort Monitoring
- System monitoring (http://netiis.rcub.bg.ac.rs)
- Proxy functionality (Nagios check_http plugin): a minimum of two web sites
- CPU and memory
- Alert: email notification
- IronPort custom alerting system
Monitoring NetFlow http://netflow.rcub.bg.ac.rs
Monitoring - SNMP
Log Analysis
- Squid format; an additional field is required (timestamp format)
- IronPort devices keep logs for the last 10 days
- Log analysis options:
  - IronPort management centralized log system (Splunk engine, additional license)
  - Local log system on every IronPort device
  - Export to an external device (Sawmill for IronPort)
Sample access log line (Squid format):

```
1335097134.337 32 147.91.xy.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup <IW_news,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"Unknown","- ","Unknown","Unknown","-","-",173.75,0,-,"-","-"> -)
```
IronPort Log Analysis - Sawmill
Chart: log volume in gigabytes per hour, hourly ticks starting 4/10/12 19:00 over three days; Raw logs 391.3 GB, Zip 46.2 GB.
IronPort Log Analysis - Flaws
IronPort flaws:
- Lack of a scheduling mechanism (cron function): the administrator must manually start the sync mechanism of the SCP backup
Sawmill flaws:
- Slow performance
- Sawmill is unavailable during log file processing (x.05h to x.30h)
uTorrent problem
- Mozilla Firefox plugin
- Requests for 127.0.0.1 were sent to the proxy server
- Increased log file size (30%)
- Increased CPU and memory usage
- Users were hidden behind NAT
Chart: share of requests per client IP (anonymised): OTHERS, 147.91.x6.35, 147.91.xx9.1, 147.91.x2.52, 147.91.xx5.223, 160.99.x5.171, 147.91.x6.2, 91.187.xx6.2, 91.187.xx4.125
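A parser for the Squid-format access log line shown on the Log Analysis slide, with a count of requests aimed at 127.0.0.1 as a way to spot the uTorrent plugin symptom described above in the logs. Added example, not AMRES code: apart from the slide's own line, the sample entries are constructed and use 192.0.2.0/24 documentation addresses in place of real clients.

```javascript
// Parser for IronPort access logs in Squid format and a check for the
// 127.0.0.1 request flood from the uTorrent slide. Added example, not AMRES
// code: the first line is the one from the slide, the rest are constructed.
const SAMPLE_LOG = [
  '1335097134.337 32 147.91.xy.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup <IW_news,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"Unknown","- ","Unknown","Unknown","-","-",173.75,0,-,"-","-"> -',
  '1335097136.001 4 192.0.2.35 TCP_MISS/504 0 GET http://127.0.0.1:10000/gui/ - NONE/- - DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup <-,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,-,-,"Unknown","-","Unknown","Unknown","-","-",0,0,-,"-","-"> -',
  '1335097136.250 3 192.0.2.35 TCP_MISS/504 0 GET http://127.0.0.1:10000/gui/token.html - NONE/- - DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup <-,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,-,-,"Unknown","-","Unknown","Unknown","-","-",0,0,-,"-","-"> -',
  '1335097140.500 210 192.0.2.36 TCP_MISS/200 1200 GET http://www.smedia.rs/ - DIRECT/www.smedia.rs text/html DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup <IW_news,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"Unknown","-","Unknown","Unknown","-","-",200.0,0,-,"-","-"> -',
  'garbage line that must be counted, not silently dropped',
];

// Squid native fields, then the IronPort extras: the access-policy tag, the
// <...> verdict block (its first entry is the URL category) and a trailing field.
const LINE_RE = /^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)\/(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\/(\S+)\s+(\S+)\s+(\S+)\s+<([^>]*)>\s+(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    time: new Date(Number(m[1]) * 1000), elapsedMs: Number(m[2]), client: m[3],
    result: m[4], status: Number(m[5]), bytes: Number(m[6]), method: m[7], url: m[8],
    user: m[9], hierarchy: m[10], peer: m[11], mime: m[12], policy: m[13],
    category: m[14].split(",")[0], trailer: m[15],
  };
}

// True when the request targets the client's own loopback address (plain or
// CONNECT host:port form); such requests should never reach a central proxy.
function targetsLoopback(url) {
  return /^(?:[a-z]+:\/\/)?127\.0\.0\.1(?::\d+)?(?:\/|$)/i.test(url);
}

function summarize(lines) {
  const s = { total: 0, unparsed: 0, loopback: 0, bytesPerClient: {}, loopbackClients: {} };
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) { s.unparsed++; continue; }      // surface format drift instead of hiding it
    s.total++;
    s.bytesPerClient[r.client] = (s.bytesPerClient[r.client] || 0) + r.bytes;
    if (targetsLoopback(r.url)) {
      s.loopback++;
      s.loopbackClients[r.client] = (s.loopbackClients[r.client] || 0) + 1;
    }
  }
  s.loopbackShare = s.total ? s.loopback / s.total : 0;
  return s;
}
console.log(JSON.stringify(summarize(SAMPLE_LOG), null, 2));
```

The loopbackClients map points at the workstations running the plugin, which is the information needed to follow up with users hidden behind NAT.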
Questions? ivan.ivanovic@rcub.bg.ac.rs
Thank you for your time and attention! THE END