How to Create Firewall Service on the Cheap
Daniel Adinolfi, CISSP
Senior Security Engineer
Cornell University
March 12, 2004
Objectives
• Outline the Cornell IT environment
• Describe the ACL deployment architecture, processes, and details
• Discuss the costs of program design, roll-out, and up-keep
Cornell Environment
• 40,000 nodes
• Three Class B networks with about 750 subnets
• 110 residential networks with about 6500 nodes
• Each subnet is a unique VLAN and isolated to a single router interface
• Diverse user base: students, faculty, staff, researchers, public library users, visitors, etc.
Cornell Network
Network Administration
• Local (departmental and program-wide) support providers administer the majority of campus subnets
– Varying degrees of technical skills
– Some small departments (a few systems), some large departments (hundreds of systems)
• Few departments run own network infrastructure
• Handful of firewalls deployed by departments
Security Challenges
• Around 40,000 components on the network
– Infrastructure components
– Faculty, staff, student, and public systems
– Any and every type of OS imaginable
– Some systems supported better than others
• Most common vulnerabilities
– Weak or no account passwords
– Un-patched and exploitable systems
– Open file sharing
– Virus infection
Security Challenges, cont.
• Daily observances
– Several virus infections
– Several compromised systems (mostly used for file sharing, spamming, or scanning)
– Abuse cases (spam, harassment, etc.)
– Hundreds of (observed) scans from off-campus
– On-campus scans? Dunno.
ACL Deployment Architecture
• Use of existing packet filtering capabilities in routers
• Homegrown scripts to automate implementation
• Complement to other hardware or software firewall implementations
• Does not interfere with existing anti-spoofing, routing, and multicast ACL rules
• No special budget allocated for this project.
Program Traits
• Not for ad hoc blocks
– Intended for static environments
– Not intended for incident response
– One to two business day turn around
• Limited filtering
– IP, TCP/UDP port, ICMP message type
– More complex rules discouraged and rare
Scripts
• One script to generate “database”
• Additional script to upload configuration to router
– ACLs created by hand in a text file in standard IOS format
– Separate configuration file that tells the script which router, VLAN, and ACL files (configlets) to use
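The two-script model above (a mapping "database" of router, VLAN and configlet, plus hand-written configlets in IOS format) and the "limited filtering" rule from the Program Traits slide, worked through as an added Python illustration. This is not Cornell's script; the mapping-file columns, the `$SUBNET`/`$WILDCARD` placeholders, the `EDGE-VLANnnn` naming, and the rule that port qualifiers attach to the destination are this example's assumptions, and the sample configlet is a constructed version of the "block Windows Networking from off-campus" request the Census slide names. The validator rejects anything outside IP, TCP/UDP port and ICMP type (`established`, `log`, other protocols), which is the mechanical form of "more complex rules discouraged".

```python
"""Generate per-router IOS ACL configuration from a small mapping "database" and
hand-written configlets, enforcing the service's "limited filtering" rule.
Added illustration, not Cornell's scripts; file formats and naming are assumed."""
import ipaddress

ALLOWED_PROTOS = {"ip", "tcp", "udp", "icmp"}

# Constructed sample mapping "database" (assumed columns):
#   router  vlan  subnet  configlet  direction
MAPPING_DB = """\
# router    vlan  subnet        configlet   direction
rtr-core1   101   10.1.2.0/24   win-block   out
rtr-core1   102   10.1.3.0/25   win-block   out
rtr-core2   310   10.7.0.0/22   win-block   out
"""

# Constructed configlets in standard IOS extended-ACL syntax. $SUBNET and
# $WILDCARD are this example's placeholders (assumed), filled in per VLAN.
CONFIGLETS = {
    "win-block": """\
! Block Windows networking (RPC/NetBIOS/SMB) from off-campus toward the subnet,
! the most common request in the census; everything else still passes.
deny tcp any $SUBNET $WILDCARD eq 135
deny tcp any $SUBNET $WILDCARD eq 139
deny tcp any $SUBNET $WILDCARD eq 445
deny udp any $SUBNET $WILDCARD range 137 138
deny icmp any $SUBNET $WILDCARD redirect
permit ip any any
""",
}


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("host needs an address")
        ipaddress.ip_address(tokens[1])  # raises ValueError on garbage
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) < 2:
        raise ValueError("address needs a wildcard mask")
    ipaddress.ip_address(tokens[0])
    ipaddress.ip_address(tokens[1])
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl_line(line):
    """Parse one ACL entry, allowing only what the service filters on:
    IP, TCP/UDP destination port (eq/range) and ICMP message type."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad action: {line!r}")
    action, proto = tokens[0], tokens[1]
    if proto not in ALLOWED_PROTOS:
        raise ValueError(f"protocol not offered: {proto}")
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    qual = None
    if proto in ("tcp", "udp") and rest and rest[0] in ("eq", "range"):
        n = 2 if rest[0] == "eq" else 3
        ports = rest[1:n]
        if len(ports) != n - 1 or not all(p.isdigit() and int(p) <= 65535 for p in ports):
            raise ValueError(f"bad port spec: {line!r}")
        qual, rest = " ".join(rest[:n]), rest[n:]
    elif proto == "icmp" and rest and rest[0].replace("-", "").isalpha():
        qual, rest = rest[0], rest[1:]
    if rest:  # 'established', 'log', time ranges, etc. are the discouraged "complex rules"
        raise ValueError(f"unsupported qualifier {rest[0]!r} in {line!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual}


def is_offered(line):
    """True when the entry stays within what the service filters on."""
    try:
        parse_acl_line(line)
        return True
    except ValueError:
        return False


def render_configlet(name, network):
    """Expand a configlet for one subnet; every entry is validated before it is emitted."""
    net = ipaddress.ip_network(network, strict=True)
    lines = []
    for raw in CONFIGLETS[name].splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank line or IOS comment
        line = raw.replace("$SUBNET", str(net.network_address)).replace("$WILDCARD", str(net.hostmask))
        parse_acl_line(line)  # raises ValueError on anything outside the offering
        lines.append(line)
    return lines


def build_router_configs(db_text=MAPPING_DB):
    """Turn the mapping database into per-router IOS configuration snippets."""
    configs = {}
    for raw in db_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        router, vlan, subnet, configlet, direction = raw.split()
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction {direction!r} for VLAN {vlan}")
        acl_name = f"EDGE-VLAN{vlan}"  # assumed naming convention
        out = configs.setdefault(router, [])
        out.append(f"no ip access-list extended {acl_name}")  # replace, don't append to, the old list
        out.append(f"ip access-list extended {acl_name}")
        out.extend(f" {entry}" for entry in render_configlet(configlet, subnet))
        out.append(f"interface Vlan{vlan}")
        out.append(f" ip access-group {acl_name} {direction}")
    return configs


if __name__ == "__main__":
    for router, lines in build_router_configs().items():
        print(f"! ---- {router} ----")
        print("\n".join(lines))
```

The upload step (copying the generated lines to each router) is left out; what matters for the service is that every change flows through the same mapping file and the same validator, so a request outside the offering fails before it reaches a router. The `direction` column is explicit because the deck's filters are applied in one direction only.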
How an ACL is made
1. Initial query by registered net admin
2. Consultation with technical staff, in person, preferably (very important!)
3. ACL design
4. Implement, test, and document
5. Follow-up with customer
Issues
• No logging available to customers
• Does not scale when changes need to be instantaneous or frequent
• “Outbound” filters only
• UDP protocols can be tricky
Census
• Approx. 275 subnets with Edge ACLs
• 45 campus departments plus ResNet
• Majority are blocking Windows Networking from off-campus
• Less than 10% involve complex requirements
Futures
• Higher percentage of networks with Edge ACLs (GLBA audits, other regulations, wider acceptance of best practices)
• Web-based interface for net admins
– Access limited to net admins and only for their own subnets
– Template-based configurations
– Queries for existing ACLs
• Access to router logs (?)
– syslog and ACL “hits”
Costs
• Development Time
– One week for script development and database population
– One day for testing and staff training
– One day for documentation and marketing
• On-going Costs
– Consumed staff time
– Existing router maintenance costs
– No significant financial impact on infrastructure
• We offer this for free! No cost recovery.
For more information
• http://www.cit.cornell.edu/computer/security/edgeacls/
• Email: [email protected]
Thank You