firewall on demand
play

Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February - PowerPoint PPT Presentation

Nov 07, 2022 •208 likes •470 views

GRNET Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Contents 2 Firewall-On-Demand Motivation & Technology background Implementation Future plans &

  1. GRNET Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia

  2. Contents 2  Firewall-On-Demand  Motivation & Technology background  Implementation  Future plans & synergies 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  3. MOTIVATION & TECHNOLOGY 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  4. DDoS illustated 4 Attackers use zombies 1 zombie: Relative easy to handle army of zombies: big problem…: @ 1Meg: 100 = 200Meg • 500 = 500Meg • 2,000 = 2Gig • 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  5. Motivation 5  Need for better tools to mitigate transient attacks and anomalies  eg DDOS, spambots, viruses, scans, …  “ Better ” in terms of  Granularity : Per-flow level  Source/Dest IP/Ports, protocol type, DSCP, TCP flag, fragment encoding …  Action : Drop, rate-limit, redirect  Speed : 1-2 orders of magnitude quicker  (seconds/minutes rather than hours/days)  Efficiency : closer to the source, multidomain  Automation : integration with other systems (eg IDS/IPS, log analyzers,…)  Manageability 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  6. BGP FlowSpec 6 RFC 5575, August 2009 “Dissemination of flow specification rules with BGP”  Allows BGP to propagate an n-tuple filter with flow matching criteria and actions  matching criteria: a combination of source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flag, fragment encoding, etc…, E.g.:  all packets to 10.0.1/24 and TCP port 25  all packets to 10.0.1/24 from 192.0.0.0/8 and destination port {range [137, 139] or 8080  Filtering actions: accept, discard, rate-limit, sample, redirect, etc...  Information independent of unicast routing (different NLRI).  …But it is automatically validated against unicast routing. 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  7. Advantages of signaling via BGP 7  An incremental addition to deployed mechanisms  Complexity/scalability issues already solved, proven scalability and flexibility of BGP in adding new services  Multicast, IPv6, L3 VPN, L2 VPN, VPLS  Reuse of:  internal route distribution infrastructure (e.g.: route reflector or confederation design)  existing external relationships (e.g.: inter-domain BGP sessions to a customer network)  A trust model already in place  normally follows (the well-established trust of) unicast routing  Accept filter when advertised by next-hop for the destination prefix (compare destination address of traffic filtering rule with best match unicast route for this prefix)  Originator of filter and unicast route must be same.  No more specifics from a different AS.  Can be overridden 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  8. Comparing BGP flowspec with… 8 Traditional Firewalls, ACLs BGP blackhole routing (Complementary technologies, Flowspec can be considered as rather than competitive) an enhancement of BGP  No need for expensive, blackhole routing: dedicated hardware  Distributed across the network,  Less coarse applied as soon as traffic enters  More actions the network  Separate NLRI  Actions closer to the source (no capacity wasting)  Adequately fine-grained, even on core/backbone networks  Multidomain – easy propagation towards the upstream  Easy automation & integration 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  9. BGP FlowSpec Status 9  RFC 5575, August 2009  Vendor support:  Juniper : Supported in JUNOS since 7.3 !!!!  Cisco : Not supported, no official plan…   But participates in the RFC  Other big vendors: No  But: Supported by Quagga, ExaBGP and some other routing daemons  IPv6 support: No 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  10. GRNET FoD Implementation 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  11. Design Principles (1) 11  Goal: A service that will allow GRNET customers to mitigate transient attacks & anomalies at their upstream (GRNET) level  NOT a permanent firewalling service. Rules should be removed at the end of the attack (otherwise auto-expire).  Target audience: GRNET customers (NOCs)  Target network: GRNET  Web-based tool, shibboleth authentication of the users  Customers can control which of their users have access to the tool through appropriate “Entitlement” 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  12. Design Principles (2) 12  Functionality  Implementation of transient firewall filters across all GRNET routers  empowered by BGP flowspec  Flow granularity:  Source/Destination IPs  Source/Destination ports  More to be added in later versions (eg TCP flags)  Flow Manipulation:  Drop  Rate limit to three predefined values: 10Mbps. 1Mbps, 100Kbps  More actions may be allowed in later versions, eg redirect  Authorization & Security  Customers should only not be able to affect traffic destined to themselves  GRNET core network must be immune to the tool (in case of bug, misbehavior, compromise) 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  13. Design Principles (3) 13  Programmatic API  REST API to be added in future versions, in order to allow integration with other tools  Coding:  Secure  Based on modern technologies  Open: Open-source license, well-documented, no GRNET- specifics or hardwired stuff  Synergies:  Customers  GEANT & NRENs  GRNET or 3rd party security tools. CERT/CIRTs, IPS/IDS,… 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  14. FoD Operation Overview 14 GEANT IX Customer’s NOC representative  logs into a web tool (shibboleth) and describes flows and actions Flow destination is validated  against the customer’s IP space A dedicated router is configured  (netconf) to advertise the route via BGP flowspec eBGP sessions propagate the n-  FoD tuple to GRNET router(s). iBGP further propages the tuples to all GRNET routers. FoD router Dynamic firewall filters are  implemented on all routers Attack is mitigated (dropped,  GRNET rated-limited) upon entrance FoD Customer UI End of attack: Removal via the  tool, or auto-expire Customer 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  15. User Interface (1) 15 Firewall-On-Demand 15 February 2012, APM meeting, Dubrovnik

  16. User Interface (2) 16 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  17. Demo (iperf simulated attack) 17 A 100Mbps attack Typically less than 15 seconds Flow limited to 100Kbps

  18. Implementation - Architecture 18

  19. Implementation - Technologies 19  Open Source project  Python Django ORM & jQuery Javascript lib  Multilayered architecture  Shibboleth: User authentication based on special attrib  Django: UI rendering & db modeling  Long polling: fetch updates without reloading  Celery/beanstalk: apply configuration without locks  nxpy: Network XML to python classes proxy  Ncclient: python netconf client (ncclient)  Caching, cron jobs, REST API (next release), mobile interface (future release) 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  20. Information Flow 20 • User login • Rule management • Creation, modification, removal UI • Notifications, status • Transform rules to python objects • DB operations • Transform python objects to netconf XML configuration Middleware • Apply XML configuration via XML RPC to device • Save received configuration to device (switch) • Propagate rule via eBGP to peer routers • Rule filters and acts on matching flows Network 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  21. Status 21  Alpha version of the service already running http://fod.grnet.gr/  Pre-production (beta) within February  Source code soon to be released: http://code.grnet.gr/ 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  22. Future & Synergies 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  23. Expanding the service to the GEANT community 23  Phase 1: GEANT participation  Configure routers to accept BGP flowspec NLRI  Establish BGP peerings with GRNET  Peerings are protected by route-maps  GRNET customers’ filters are applied at GEANT level PARTICIPATING GEANT NREN  Phase 2: NREN participation  Juniper equipment is required  GRNET  Also, NREN Customers could propagate their filters through their bgp peerings instead of using the UI Customer FoD 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  24. Synergies with security teams 24  Connect to the domain’s IPS/IDS, honeypots, …  Connect to GEANT anomaly detection tool  Connect to any CERT/CIRT team that we trust  “Soft” actions can make adoption easier  Rate-limit instead of drop 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

Recommend

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and Exploitation Wojciech Mostowski and Erik Poll Digital Security Radboud University Nijmegen The Netherlands http://www.cs.ru.nl/~{woj,erikpoll}/

818 views • 42 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

533 views • 25 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of firewall configuration complexity leads to errors coordinated changes on many devices are hard multi-vendor environments make the job even

314 views • 28 slides
1 Four general techniques: Design goals: All traffic from inside to outside must pass

1 Four general techniques: Design goals: All traffic from inside to outside must pass

Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides . Fall 2008 CS 334: Computer Security 1

546 views • 5 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi

Cryptographic Reverse Firewall via Malleable Smooth Projective Hash Functions Rongmao Chen, Yi Mu, Guomin Yang , Willy Susilo, Fuchun Guo and Mingwu Zhang Asiacrypt 2016, Hanoi Outline n Background n Cryptographic Reverse Firewall n Part

639 views • 52 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
On-Demand On-Demand Management insight when you need it! On-Demand Advisory and Support for

On-Demand On-Demand Management insight when you need it! On-Demand Advisory and Support for

On-Demand On-Demand Management insight when you need it! On-Demand Advisory and Support for Service Leaders and their Teams 1 Whats the best Should we become What are my How to price to How can I design way forward to do a servitized

398 views • 11 slides
RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

https://res212.telecom-paristech.fr TP02v1 2018/05/31 RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted with the design, configuration and testing of firewalls. Given the limited amount of time,

736 views • 14 slides
Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24 1.1.1.0/24 Rd .1 Ra .4.1 .4.4 1.1.0.0/16 Rc 2.2.2.0/24 .1 .4.2 .1 .23 Rb .47 Re .15.6 .99 1.1.2.0/24 4.4.4.0/24 .24 2 Firewall

708 views • 13 slides
Travel Demand Management Travel Demand Management Travel demand management balances the

Travel Demand Management Travel Demand Management Travel demand management balances the

Travel Demand Management Travel Demand Management Travel demand management balances the transport network by first understanding where there are current and forecast pressures, and then working out where there is spare capacity for these to

239 views • 21 slides
Chapter 4 - Demand Maybach Exelero Section 1 Understanding Demand Demand The desire to

Chapter 4 - Demand Maybach Exelero Section 1 Understanding Demand Demand The desire to

Chapter 4 - Demand Maybach Exelero Section 1 Understanding Demand Demand The desire to own something and the ability to pay for it. Law of Demand consumers buy more of a good when its price decreases and less when its price

783 views • 63 slides
You can keep your firewall (if you want to ) Practical, simple and cost saving applications

You can keep your firewall (if you want to ) Practical, simple and cost saving applications

You can keep your firewall (if you want to ) Practical, simple and cost saving applications of OpenDaylight you can implement today John Sobanski, Engineer, Solers Inc. July 2015 @OpenDaylightSDN #OpenSDN What You Will Learn today (By

872 views • 66 slides

More recommend