Post on 16-Dec-2015
Access segregation in a corporate network: Let's go DPIeeper
Igor Bulatenko, QIWI
OK, glass, segregate enterprise network
- (Large) Enterprise: 1000+ users vs 1000+ servers;
- Thousands of access rules on hundreds of devices;
- Inefficient restrictions of classic IP ACL;
- Access rules management simplification.
Oldies but goldies: IP Access control list
- Most positive news: everybody knows them;
- Source, destination, protocol, port. And what about user and application? Nothing;
- Who do you want to cheat? $ ssh -p 443;
- PAM with CBAC has too few protocols.
L7 way to heaven
- No bullshit: everybody knows about “next generation firewalls”;
- In case you forgot:
  - Application identity;
  - User identity;
  - IPS;
  - Directory-based policy;
  - Making coffee and doing other pretty things.
- OpenAppID & Snort;
- $10 for each reference:
  - Palo Alto, IBM, Check Point, McAfee, and so on.
Talking about the hosts and ports
Talking about the apps: feel the difference
1 Rule!!!
“Allow Jon Snow, DBA, access to the LAN”
How we do it: managing user access
- IBM XGS5100 as NGFW device;
- Active Directory login event: pairing user with IP address;
- MacOS/*nix goes web-auth/kerberos way;
- No auth, no party;
- Network access based on “memberOf”:
  - Each rule equals one user group in domain;
  - Fast access granting: no need to change device config;
  - Easy access recertification;
- Managing NGFW devices using handmade python API;
- Collecting logs in one place;
- Reading and analyzing FW rules the same way device does.
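A toy policy evaluator that models the scheme on this slide: IPs are paired with users from AD login events, every rule is keyed by one AD group, an unauthenticated source is denied, and the decision depends on the application identity the DPI engine reports rather than on the port. This is an added illustration, not QIWI's python API or the XGS5100's rule format; the rule and event layouts, the user names, groups and networks are all constructed here.

```python
import ipaddress
from dataclasses import dataclass

# Assumed rule format (not from the talk): one AD group per rule, as the slide describes.
@dataclass(frozen=True)
class Rule:
    group: str          # AD group from the user's memberOf attribute
    dst_net: str        # destination prefix the group may reach
    apps: frozenset     # application identities reported by the DPI engine

def build_user_map(login_events):
    """Pair IPs with users from AD login events; the newest login for an IP wins."""
    user_map = {}
    for ev in login_events:
        user_map[ev["ip"]] = ev["user"]
    return user_map

def decide(flow, user_map, directory, rules, fail_closed=True):
    """Return 'allow' or 'deny' for one flow {'src', 'dst', 'app'}; app is None
    when the DPI engine could not identify it ('fail drop or fail pass?')."""
    user = user_map.get(flow["src"])
    if user is None:
        return "deny"                      # no auth, no party
    groups = directory.get(user, set())
    dst = ipaddress.ip_address(flow["dst"])
    for rule in rules:
        if rule.group not in groups or dst not in ipaddress.ip_network(rule.dst_net):
            continue
        # Unidentified application only passes when the engine is configured fail-open.
        app_ok = flow["app"] in rule.apps or (flow["app"] is None and not fail_closed)
        if app_ok:
            return "allow"
    return "deny"                          # no rule for any of the user's groups

# Constructed sample data (not real users, groups or networks).
LOGIN_EVENTS = [{"user": "jon.snow", "ip": "10.1.1.10"},
                {"user": "arya.stark", "ip": "10.1.1.11"}]
DIRECTORY = {"jon.snow": {"DBA", "Staff"}, "arya.stark": {"Staff"}}
RULES = [Rule("DBA", "10.20.0.0/16", frozenset({"mysql", "ssh"})),
         Rule("Staff", "10.30.0.0/16", frozenset({"https"}))]
USER_MAP = build_user_map(LOGIN_EVENTS)

if __name__ == "__main__":
    # ssh tunnelled over port 443 is still identified as ssh, so the https rule does not match
    print(decide({"src": "10.1.1.11", "dst": "10.30.1.1", "app": "ssh"},
                 USER_MAP, DIRECTORY, RULES))
```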
How we do it: user web interface
Lookup what you can do. And why you can do so.
Suggest, what user wants else!
How we do it: more features
Pros, cons, pitfalls
- Easy to manage access segregation solution;
- Little bit more secure than IP ACL;
- Damn flexible rules;
- You had a billion ACLs. Now you have a billion AD groups;
- DPI engine imperfection:
  - Some protocols are hard to detect;
  - High load issues;
  - Fail drop or fail pass?
- Do you have your own programmers?
- Making a brand-new set of network rules is painful.
Mailto: videns@qiwi.com