Evaluating IPv6 Firewalls & Verifying Firewall Security Performance




Next Generation IPv6 Network Security
IPv6 Summit, Bonn, 30th June 2004
Evaluating IPv6 Firewalls & Verifying Firewall Security Performance
[Vital questions to ask your firewall vendor]
Yvon Rouault, Agilent Technologies, yvon_rouault@agilent.com

Objectives
- Appreciation for the complexities of evaluating IPv6-capable network security devices (such as firewalls) and testing performance under realistic conditions.
- Realistic conditions = real, stateful application traffic using the same mix of application protocols as encountered (or expected to be encountered) within the network for which the firewall is intended.
Page 2

Agenda
- Alarming trends!
- Market and technology future directions
- The new breed of IPv6-capable session- and content-aware devices and their complexities
- Scenarios for testing IPv6-capable network security devices
- Firewall test plan and testbed considerations
- Conclusion: setting up your test lab and test network
Page 3

Reminder: What do firewalls do?
- Protect the private network from the public network
- Block incoming connection attempts, except to offered services
- Thwart Denial of Service attacks and protect hosts from exploits
- Perform deep packet inspection, application awareness
- Allow outgoing connections
- Prevent attacks from within (Trojans and file/print sharing exploits)
- Block prohibited sites and applications
[Diagram: Internet and Enterprise Network separated by the firewall; positive traffic (HTTP, FTP) passes in both directions, negative traffic is prohibited in both directions, attack traffic (DoS attacks) from the Internet and Trojan attacks from inside are blocked]
Page 4

Alarming trends
Denial of Service (DoS) attacks are rising
- 1/2 of UK businesses suffered a virus or DoS attack in 2003 (25% more than 2002)
- 1/3 of companies are at risk of DoS attacks
Attacks are costly
- 3 financial institutions lost over $30M each
- DoS attacks cost the UK 54M in 2002, rising to 270M by 2005
- DoS attacks were a major factor in the Cloud Nine ISP failure, 2002
- Slammer worm disrupted bank ATM networks, 911 service, and crashed routers
Firewalls?
- 98% use firewalls, but 56% reported unauthorized network access (FBI report)
- Witty Worm exploited an ISS firewall vulnerability, destroying 1000s of hard drives
- 84% of firewalls required critical patches in the last year
[Chart: CERT Coordination Center reported incidents, 1997-2003, y-axis 0 to 150,000; source http://www.cert.org/stats/cert_stats.html]
Page 5

Firewall performance: What do I measure?
[Diagram: timeline of one TCP session: SYN, SYN ACK, ACK (connection set up time), HTTP GET, HTTP response (application transfer time), FIN, FIN ACK, ACK (disconnection time); connection set up rate in TCP sessions/sec and max concurrent sessions plotted over time; application transfer rate in transfers/sec for HTTP and FTP plotted over time]
- Basic TCP processing rate: IPv4 only, IPv6 only, mixed and tunneled v4/v6 combinations
- Concurrent TCP connections
- Application transfer rate and throughput (Mb/s)
- DoS attack vulnerability: ability to block or limit the impact of attacks, and performance while under attack with existing IPv4 attacks and any new IPv6 DoS attacks
- Performance impact of URL/content filters
Functional tests prove that the device can forward IPv6 packets but do not tell how the device will act under stress!
- Allow IPv6 packets to pass, block IPv6 packets, e.g. ICMPv6
- Block out-of-state TCPv6 sessions, establish TCPv6 sessions
- Filter L7 transactions over IPv6, server responds to requests
Page 6
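To make the metrics on this slide concrete, here is an added example (not code from the slides or from Agilent) that computes connection set-up time, session rate, peak concurrent sessions and application throughput from constructed per-session timestamps of the kind a load generator logs for each emulated TCP/HTTP session:

```python
# Added example (not from the Agilent slides): firewall performance metrics
# computed from per-session timestamps (seconds) logged by an emulated client.
from dataclasses import dataclass

@dataclass
class Session:
    syn_sent: float    # client sends SYN
    ack_done: float    # 3-way handshake complete (client's final ACK)
    resp_done: float   # last byte of the application response received
    fin_done: float    # teardown complete (last ACK of the FIN exchange)
    resp_bytes: int    # application bytes transferred

def connection_setup_times(sessions):
    """Per-session handshake latency: the 'connection set up time' metric."""
    return [s.ack_done - s.syn_sent for s in sessions]

def session_rate(sessions):
    """Completed TCP sessions per second over the whole run."""
    start = min(s.syn_sent for s in sessions)
    end = max(s.fin_done for s in sessions)
    return len(sessions) / (end - start)

def max_concurrent(sessions):
    """Peak number of simultaneously open sessions (open = SYN to teardown).
    Sweep sorted open/close events; a close (-1) sorts before an open (+1)
    at the same instant, so back-to-back sessions are not double counted."""
    events = []
    for s in sessions:
        events += [(s.syn_sent, 1), (s.fin_done, -1)]
    events.sort()
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak

def app_throughput_mbps(sessions):
    """Application-layer throughput in Mb/s over the run."""
    start = min(s.syn_sent for s in sessions)
    end = max(s.resp_done for s in sessions)
    return sum(s.resp_bytes for s in sessions) * 8 / (end - start) / 1e6

# Constructed sample: four HTTP/1.0 sessions with overlapping lifetimes.
SAMPLE = [
    Session(0.00, 0.02, 0.10, 0.12, 50_000),
    Session(0.05, 0.06, 0.20, 0.22, 100_000),
    Session(0.10, 0.13, 0.30, 0.32, 75_000),
    Session(0.30, 0.31, 0.40, 0.50, 25_000),
]
```

Running the same functions on a baseline run and on a run with negative and attack traffic added gives the "does good traffic performance suffer?" comparison directly.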

Testing IPv6 network security device performance
[Diagram: emulated clients on one side and emulated servers (FTP, HTTP) on the other, with positive traffic (HTTP, FTP), negative traffic (unwanted FTP, undesirable HTTP) and attack traffic (DoS attacks, including DoS attacks from inside) crossing the device under test]
- Combine HTTP, FTP, SMTP, POP3 etc. transactions (realistic conditions)
- Simulate positive traffic and measure performance
- Add negative and attack traffic. Does good traffic performance suffer?
- Scalability: how many sessions, clients, or servers can be supported with reasonable performance?
- How does device/network performance vary with combinations of IPv4 and IPv6?
- Performance over access protocols used for tunneling and security: DHCP, PPPoE, 802.1x and IPsec (especially IPsec encryption and authentication)
Page 7

Limitations of layer 3-4 packet inspection (Why deep packet inspection at L7?)
- Applications like HTTP follow this simple session model:
[Diagram: client (TCP port x) and server (TCP port 80) timeline: SYN, SYN ACK, ACK form the TCP connection set up from client to server; HTTP GET and HTTP response are 2-way application traffic on the single TCP connection; stack shown as HTTP (layer 7), TCP (layer 4), IP (layer 3)]
- Some applications use server-initiated sessions and dynamic port allocation: SPI is insufficient!
- Application-aware firewalls use deep packet inspection (layer 7)
Page 8
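As an added illustration (not from the slides and not any vendor's implementation), the following toy simulation shows why a layer-4 stateful filter drops the server-initiated data connection of active-mode FTP, and how an application-aware inspector that parses the EPRT command on the control channel opens the required pinhole; the addresses, ports and packet trace are constructed values.

```python
# Added example (not from the Agilent slides): why a layer-4 stateful packet
# inspector (SPI) breaks active-mode FTP, and what application awareness adds.
import re

INSIDE = "2001:db8:1::10"   # emulated client behind the firewall (doc prefix)
OUTSIDE = "2001:db8:2::80"  # emulated FTP server on the public side

def pkt(src, sport, dst, dport, syn=False, payload=b""):
    return dict(src=src, sport=sport, dst=dst, dport=dport, syn=syn, payload=payload)

class L4StatefulFilter:
    """Permits connections initiated from the inside, and their replies, only."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, p):
        if p["src"] == INSIDE and p["syn"]:
            self.flows.add((p["src"], p["sport"], p["dst"], p["dport"]))
            return True
        return ((p["src"], p["sport"], p["dst"], p["dport"]) in self.flows or
                (p["dst"], p["dport"], p["src"], p["sport"]) in self.flows)

class AppAwareFilter(L4StatefulFilter):
    """Adds FTP inspection: an EPRT command (RFC 2428) seen on the control
    channel opens a one-shot pinhole for the server-initiated data connection."""
    EPRT = re.compile(rb"EPRT \|2\|([0-9a-fA-F:]+)\|(\d+)\|")

    def __init__(self):
        super().__init__()
        self.pinholes = set()  # (server_ip, client_ip, client_data_port)

    def allow(self, p):
        ok = super().allow(p)
        if ok and p["src"] == INSIDE and p["dport"] == 21:
            m = self.EPRT.search(p["payload"])
            if m:
                self.pinholes.add((p["dst"], m.group(1).decode(), int(m.group(2))))
        elif not ok and p["syn"] and (p["src"], p["dst"], p["dport"]) in self.pinholes:
            self.pinholes.discard((p["src"], p["dst"], p["dport"]))   # one-shot
            self.flows.add((p["dst"], p["dport"], p["src"], p["sport"]))
            return True
        return ok

# Constructed trace of one active-mode FTP transfer over IPv6.
TRACE = [
    pkt(INSIDE, 49152, OUTSIDE, 21, syn=True),                      # control SYN
    pkt(OUTSIDE, 21, INSIDE, 49152, payload=b"220 ready\r\n"),      # banner
    pkt(INSIDE, 49152, OUTSIDE, 21, payload=b"EPRT |2|2001:db8:1::10|49153|\r\n"),
    pkt(OUTSIDE, 20, INSIDE, 49153, syn=True),                      # server opens data conn
    pkt(INSIDE, 49153, OUTSIDE, 20),                                # client replies
]
```

Feeding TRACE through L4StatefulFilter yields verdicts [True, True, True, False, False] (the data connection is dropped), while AppAwareFilter forwards all five packets.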

Firewall test examples
[Chart: application transfers/sec (0 to 7000) by protocol: Telnet, RTSP, DNS, FTP active, FTP passive, HTTP 1.0, SMTP, POP3, HTTP 1.1]
Page 9

Firewall test plan design and tools (1)
- Client and server emulation of a broad range of protocols: application-aware firewalls must be tested with stateful application traffic
- Ability to mix protocols on a single port: measure the firewall's ability to cope with realistic, mixed traffic representative of network traffic; a vendor's specifications won't reveal this
- Integrated access protocols (DHCP, IPsec, 802.1x, PPPoE) and VLAN support: realistic testing requires emulation of both network access and stateful traffic
- Flexibility to create any test scenario rapidly, without scripting: firewall test scenarios can be complex
Page 10

Firewall test plan design and tools (2)
- Layer 4-7 stateful application traffic: full TCP emulation, not a packet blaster. Firewalls implement real TCP and perform packet inspection, which requires real traffic
- High performance and rapid configuration: a single application (versus a "wall of PCs")
- Scalability: the ability to scale the test up easily to reach the limits of the firewall
- Realism: the ability to vary the test; randomize and cycle through parameters such as URLs and address ranges; change parameters while the test is running
Page 11

Agilent L2-7 testing at Moonv6 phase II (Mar 04)
[Topology diagram: OSPF areas 0.0.0.0, 0.0.0.1 and 0.0.0.2, interconnected by I-BGP and OSPF with Internet2, populated with routers and firewalls from 6Wind, Cisco, CheckPoint, Extreme, Foundry, Fujitsu, Hitachi, NEC, Netscreen, Nokia and Procket, with Agilent N2X and NetworkTester systems attached to each area]
- OSPFv3 and BGP4+ functional and convergence testing [Agilent N2X]
- Simultaneous IPv4/IPv6 traffic generation, routing and analysis to verify dual-stack routers [Agilent N2X]
- Real-time, per-stream throughput, latency and packet loss statistics to measure router performance [Agilent N2X]
- Firewall testing: security policy and packet filtering, stateful packet inspection, application traffic performance [NetworkTester]
Page 12

Conclusion
- IPv6 adds new complexity to L4-7 security devices: IPv4 and IPv6 packets must be reassembled up to L7 so that the contents of packets can be examined
- Almost everyone has a firewall, but not all firewalls are created equal; they are becoming increasingly sophisticated and complex to characterize: performance is highly dependent on the traffic profiles and configuration
- If you enable all of the firewall capabilities, set up dozens of filter rules, your traffic uses many TCP and UDP sessions, and you are prone to DoS and Trojan attacks, then you can expect your firewall's performance to be substantially less than advertised
- You must test using your own configuration and expected traffic profiles, or those of your users
- Consider network design questions based on the performance limits of the new IPv6-capable firewalls: more devices to support the same level of traffic?
- It is business critical to understand and test the security of your IPv6 networks and the performance of your firewalls
Page 13

Additional information
For more information about Agilent testers:
- http://www.agilent.com/comms/networktester
- http://www.agilent.com/comms/n2x
Moonv6 Phase II test report: http://advanced.comms.agilent.com/networktester/moonv6.htm
Local contact: Enrique Labarta, Boeblingen, Germany, tel. +49 7031 464 1434, enrique_labarta@agilent.com
http://moonv6.sr.unh.edu/
Page 14

Agilent NetworkTester firewall performance test capabilities
- Broad range of protocol bricks: web, email, news, file transfer/sharing, instant messaging, streaming; mix multiple protocols on a single port to create realistic and complex tests
- Client and server emulation, one system, one user interface: simulate millions of real users and services
- Powerful "Test Plan" design and management environment: set up tests in minutes; no need for scripting!
- Scalability: scale the test up easily to reach the limits of the firewall
- Stateful traffic over integrated IPsec, PPPoE, DHCP and 802.1x: integrated access protocols for faster and easier test set-up
- Integrated VLAN support: rapidly test VLAN-capable devices and virtual firewalls
- Transaction variability and real-time control: randomize and cycle parameters such as address lists, and attach real files; dynamically change parameters while the test is running
Page 15