Centralized Cloud Firewall. Ivan Ivanovic BUCC/AMRES Tbilisi, December 2013.


AMRES NREN
- 172 institutions
- ~2200 km of dark fiber links
- 22 cities
- 3 cross-border optical links
- Redundant GEANT internet links: 1 Gbps Hungarnet, 10 Gbps DANTE
- 4 service centers (universities): Beograd (BUCC, 44+80), Novi Sad (ARMUNS), Nis (JUNIS), Kragujevac (ARMUK)
- AMRES NREN was established as a legal entity on 19 May 2011.
- Free-of-charge services

Security
Until recently AMRES used only simple filtering mechanisms:
- Cisco ACLs (standard, extended, ...)
- iptables on Linux servers
- Antivirus protection on desktop PCs and servers
Digital divide (funding problem):
- Rich AMRES institutions have purchased their own firewalls
- Poor institutions are relying on AMRES
Problems:
- Over the years the ACLs are getting longer (maintenance problem)
- Filtering only up to layer 4 of the OSI model
- Traffic content information is missing
- Network is closed

Acquisition of IronPort proxy servers
- "Connecting schools" project: more than 2000 primary and secondary schools
- Safe Internet for kids (government reaction!)
- 6 IronPort S670 Web Security Appliances
- 2 IronPort C370 Email Security Appliances
- 1 IronPort M160 Management Appliance
- Additional equipment (servers, UPS, racks)
- First firewall devices in BUCC/AMRES
- Project was delayed
- Equipment has been purchased

Benefits
- Increased security and control
- Web reputation filtering
- Malware filtering (Webroot)
- URL filtering
- Traffic control
- Protocol and user agent filtering
- Application filtering
- Object filtering (MIME types)
- Many, many more
- Cloud service for our end users!

System location

IronPort Cloud service. How does it work?!
- Centralized management through web access.
- LDAP is used for authentication and authorization.
- End users can log in to the management appliance and configure their access policies.

Web Security - Policies
- Custom configuration: configured by end users
- Global configuration: configured by AMRES

Web Security - Global Policy: Protocol and user agents
- Allowed: FTP over HTTP, HTTP, HTTPS, Native FTP
- Allowed HTTP CONNECT ports: 20, 21, 443, 2083, 4443, 563, 2096, 8443, 8080
- Custom User Agents: everything allowed (web browsers)

Web Security - Global Policy: URL filtering
- URL categories denied: Child Porn, Filter Avoidance, Gambling, Hate Speech, Illegal Drugs, Porn
- More than 60 other categories are allowed
- Custom URL category filtering: "Eksplicitno pusteni sajtovi" (explicitly allowed sites), CabFiles (Windows Update cabinet files)
- Every category can be managed differently: Block, Monitor, Redirect, Warn, Allow, Time-based

Web Security - Global Policy: Application Visibility and Control
- Default action for all application types is Monitor

Web Security - Global Policy: Objects
- Allow everything: Web page content, Flash, JavaScript, all images, miscellaneous, calendar data

Web Security - Global Policy: Reputation and Anti-Malware Settings
- Anti-Malware settings, Webroot (denied): Dialer, Hijacker, Phishing URL, Trojan Downloader, Trojan Horse, Trojan Phisher, Worm, Other Malware
- WBRS (Web Based Reputation Score)

Problems
- How to redirect end user web traffic toward the centralized firewall? A matter of choice.
- How to achieve equal distribution of web traffic across all firewall devices? How to spread the load equally over all firewall devices?

Redirection of web traffic
- Manual configuration: proxy.amres.ac.rs:8080 (round-robin resolving of the DNS name)
- Auto-detect proxy settings: WPAD (Web Proxy Autodiscovery Protocol), http://wpad.ac.rs/wpad.dat
- Automatic configuration URL: location of the PAC file
- Transparent proxy: WCCP (Web Cache Communication Protocol), PBR (Policy Based Routing)


Web Proxy Autodiscovery Protocol (WPAD protocol)

    function FindProxyForURL(url, host) {
        // If URL has no dots in host name, send traffic direct.
        if (isPlainHostName(host))
            return "DIRECT";
        // If IP address is internal or hostname resolves to internal IP, send direct.
        var resolved_ip = dnsResolve(host);
        if (isInNet(resolved_ip, "147.91.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "160.99.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "91.187.128.0", "255.255.224.0") ||
            isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        // All other traffic uses the proxies below, in fail-over order.
        return "PROXY proxy.amres.ac.rs:8080; PROXY 147.91.1.41:8080; PROXY 147.91.1.42:8080; PROXY 147.91.1.43:8080; DIRECT";
    }

Workstations must have correct domain configuration. WPAD uses DNS queries in order to find the JavaScript wpad.dat file:
- wpad.rcub.bg.ac.rs
- wpad.bg.ac.rs
- wpad.ac.rs
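The DNS walk described above (wpad.rcub.bg.ac.rs, then wpad.bg.ac.rs, then wpad.ac.rs), as an added example that is not part of the presentation: it builds the candidate list a client would query and stops at an organisational boundary, so a misconfigured workstation never looks for wpad.dat above the organisation's domain. The resolver stand-in FAKE_DNS and its address are constructed placeholders.

```python
# Added example (not from the presentation): WPAD DNS devolution as a client in
# the AMRES tree performs it, with a boundary so the walk never leaves the
# organisation's domain. FAKE_DNS and its address are constructed placeholders.
from typing import Callable, List, Optional

def wpad_candidates(client_fqdn: str, boundary: str) -> List[str]:
    """Ordered wpad.<suffix> names from the client's own domain down to boundary.

    Stopping at the boundary (ac.rs here) means wpad.rs is never queried: that
    name lies above the organisation and is controlled by someone else.
    """
    labels = client_fqdn.lower().rstrip(".").split(".")
    stop = boundary.lower().rstrip(".").split(".")
    if len(labels) <= len(stop) or labels[-len(stop):] != stop:
        # A workstation with a wrong or missing domain must not guess outside it.
        raise ValueError(f"{client_fqdn!r} is not inside boundary {boundary!r}")
    domain = labels[1:]  # drop the host label, keep the domain part
    names = []
    while len(domain) >= len(stop):
        names.append("wpad." + ".".join(domain))
        domain = domain[1:]  # devolve: strip the leftmost label
    return names

def locate_pac(client_fqdn: str, boundary: str,
               resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Try the candidates in order; return the URL of the first wpad.dat found."""
    for name in wpad_candidates(client_fqdn, boundary):
        if resolve(name):
            return f"http://{name}/wpad.dat"
    return None

# Constructed stand-in for DNS: only the NREN-wide name exists, as on the slide.
FAKE_DNS = {"wpad.ac.rs": "192.0.2.10"}  # placeholder address from TEST-NET-1

if __name__ == "__main__":
    print(wpad_candidates("pc1.rcub.bg.ac.rs", "ac.rs"))
    print(locate_pac("pc1.rcub.bg.ac.rs", "ac.rs", FAKE_DNS.get))
```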



DNS resolving: DNS round-robin resolving method

IronPort Monitoring
- System monitoring (http://netiis.rcub.bg.ac.rs)
- Proxy functionality (Nagios check_http plugin), minimum two web sites
- CPU and memory
- Alert: email notification
- IronPort custom alerting system

Monitoring - NetFlow: http://netflow.rcub.bg.ac.rs

Monitoring - SNMP

Log Analysis
- Squid format; additional field required (timestamp format)
- IronPort devices collect logs for the last 10 days
- Log analysis options:
  - IronPort management centralized log system (Splunk engine), additional license
  - Local log system on every IronPort device
  - Export to an external device (Sawmill for IronPort)
Sample log line:

    1335097134.337 32 147.91.xy.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup <IW_news,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"Unknown","- ","Unknown","Unknown","-","-",173.75,0,-,"-","-"> -

[Chart: IronPort Log Analysis (Sawmill), Gigabytes/h over the course of 4/10/12; Raw (391.3GB) vs Zip (46.2GB)]

IronPort Log Analysis Flaws
IronPort flaws:
- Lack of a scheduling mechanism (cron function)
- Administrator must manually start the sync mechanism of the SCP backup
Sawmill flaws:
- Slow performance
- Sawmill is unavailable during log file processing (between x.05h and x.30h)

uTorrent problem
- Mozilla Firefox plugin
- Requests for 127.0.0.1 were sent to the proxy server
- Increased log file size (30%)
- Increased CPU and memory usage
- Users were hidden behind NAT
[Chart: share of requests per client address (addresses masked), plus OTHERS]
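The log layout from the Log Analysis slide and the uTorrent symptom above, as an added example that is not part of the presentation: a parser for the Squid-format line with the IronPort decision tag and verdict, plus a per-client count of requests aimed at 127.0.0.1, which is how the plugin traffic that inflated the logs would show up. The sample lines, client addresses and the IW_edu category are constructed; the regex and the field positions are assumptions taken from the single line on the slide.

```python
# Added example (not from the presentation): parse the Squid-format IronPort
# access log shown on the slide and find clients whose requests go to 127.0.0.1,
# the uTorrent/Firefox plugin symptom described above. Sample lines are constructed.
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native fields, then the IronPort ACL decision tag and the <...> verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s+"
    r"(?P<tag>\S+)\s+<(?P<verdict>[^>]*)>"
)

def parse_line(line):
    """Return a dict of the line's fields, or None if it is not in this layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("elapsed", "status", "bytes"):
        rec[k] = int(rec[k])
    rec["url_category"] = rec["verdict"].split(",")[0]  # e.g. IW_news
    rec["access_policy"] = rec["tag"].split("-")[1]     # 2nd dash field on the slide
    return rec

def target_host(url):
    """Host part of a logged URL; CONNECT requests are logged as host:port."""
    return urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]

def loopback_share(lines, min_share=0.2):
    """Fraction of each client's requests aimed at 127.0.0.0/8 or localhost;
    only clients at or above min_share are returned."""
    total, loop = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        total[rec["client"]] += 1
        host = target_host(rec["url"]) or ""
        if host == "localhost" or host.startswith("127."):
            loop[rec["client"]] += 1
    return {c: loop[c] / total[c] for c in total if loop[c] / total[c] >= min_share}

TAG = "DEFAULT_CASE_11-AMRES_all_to_Internet-AMRES_all-NONE-NONE-NONE-DefaultGroup"
SAMPLE_LINES = [  # constructed; client addresses are private placeholders
    f'1335097134.337 32 10.1.2.35 TCP_REFRESH_HIT/200 695 GET http://www.smedia.rs/img/btnminus.gif - DIRECT/www.smedia.rs image/gif {TAG} <IW_news,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"Unknown","-","Unknown","Unknown","-","-",173.75,0,-,"-","-"> -',
    f'1335097135.001 1 10.1.2.35 TCP_MISS/502 0 GET http://127.0.0.1:10000/gui/ - NONE/- - {TAG} <-,-> -',
    f'1335097135.402 1 10.1.2.35 TCP_MISS/502 0 GET http://127.0.0.1:10000/gui/token.html - NONE/- - {TAG} <-,-> -',
    f'1335097136.120 48 10.1.2.77 TCP_MISS/200 2210 GET http://www.amres.ac.rs/ - DIRECT/www.amres.ac.rs text/html {TAG} <IW_edu,-> -',
]
```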

Questions? ivan.ivanovic@rcub.bg.ac.rs

Thank you for your time and attention! THE END