Active Firewall
description
Transcript of Active Firewall
![Page 1: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/1.jpg)
Active Firewall
Use Port 23457
OK
![Page 2: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/2.jpg)
Active FTP with Firewall
![Page 3: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/3.jpg)
Passive FTP
Use Port 65432
![Page 4: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/4.jpg)
FTP
•Pros• Ubiquitous• Common knowledge• Included in base OS
•Cons• Very little security• Not firewall friendly• No native compression• Lacks integrity validation
![Page 5: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/5.jpg)
FTP
Common uses Public information Intranet transfers (careful, not everyone on the intranet is safe) Far too many things that should really use something better
![Page 6: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/6.jpg)
FTP over SSL (FTPS)
Pros Same FTP familiarity
![Page 7: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/7.jpg)
FTP over SSL (FTPS)
Pros Same FTP familiarity Included in base z/OS Supports X.509 certificates
(trusted authority) and keberos
RACF keyrings supported
Cons Not firewall friendly (even
worse than straight FTP) Can’t assume it’s available
on the other end
![Page 8: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/8.jpg)
FTP over SSL (FTPS)
Common Uses z/OS to z/OS z/OS to i/Series Servers and clients available on platforms
![Page 9: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/9.jpg)
FTP over SSH Tunnel
Pros Same FTP familiarity Firewall friendly Compression of data Good checksums of data, at least
for the internet piece
Cons More parts need to be
choreographed Requires SSH and FTP on both
ends
![Page 10: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/10.jpg)
FTP over SSH Tunnel
Common uses Sites that have a significant reliance on FTP already in place that need
to implement SSH encryption for transit
![Page 11: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/11.jpg)
Secure FTP (SFTP)
Pros Point to point encryption Compression and Integrity built-
in Already ready to go on
Unix/Linux servers
Cons Not part of base on z/OS or
windows May not be as familiar to users Only protects data in transit
![Page 12: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/12.jpg)
Secure FTP (SFTP)
Common uses Easy access for distribution to Unix/Linux farms
![Page 13: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/13.jpg)
FTP to SFTP Conversion (Vendor Solution)
Pros Satisfies SFTP requirement Can still use the FTP client
on the z/OS side
Cons Not a perfect match of
functions
![Page 14: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/14.jpg)
FTP to SFTP Conversion (Vendor Solution)
Common uses Leveraging FTP already in place, but transitioning it to your
SFTP knowledgeable partners
![Page 15: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/15.jpg)
PGP (Data at Rest)
Pros Full control of sensitive data Transport is not important Compression and Integrity Not just for transfers
Cons Requires staging of data
![Page 16: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/16.jpg)
PGP (Data at Rest)
Common uses Sensitive data that needs protection at destination as well as in
transit When Cloud component is not managed by interested parties
![Page 17: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/17.jpg)
FTP – All The Options
Common uses Mixed requirements – unfortunately, one size rarely fits all
properly
![Page 18: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/18.jpg)
Provisioning Identities
• Provisioning store• LDAP• DAP• Who has access?• What tools are
going to be used?• Centralized or
decentralized Administration?
![Page 19: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/19.jpg)
Federation and Identities
• Kantara Initiative (formerly Liberty Alliance)
http://kantarainitiative.org• Uses SAML via
SOAP message to deliver user credentials to internal and external partners
![Page 20: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/20.jpg)
Key Management issues
• Problem: Most large enterprise cannot manage Key infrastructure for FTPs or SFTP environments
• Thousands of machines and people exchanging data with no controls on Key infrastructure
• Every LINUX/Unix Machine has a OpenSSH server out of the box
![Page 21: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/21.jpg)
Universal Key Managers
• Problem: Most large enterprise cannot manage Key infrastructure for FTPs or SFTP environments
• Thousands of machines and people exchanging data with no controls on Key infrastructure
![Page 22: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/22.jpg)
How to mitigate Cloud Risk
• Cloud Security Polices Example is RHOST
allowed on your virtual LINUX and UNIX servers
• Do you conduct reviews of Cloud System security?
• Have you run background checks on the parties that administer your applications?
• Do you audit traffic?
![Page 23: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/23.jpg)
What to Audit
• Most Cant possibly capture all traffic
• Identify what is important to your organization
• Look for unusual patterns of traffic
• Have a way of reporting a incident in a timely fashion
![Page 24: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/24.jpg)
Encrypted or not you need to know
• Do you know what is leaving your shop?
• Yes you can Monitor encrypted traffic
• Can you prove the chain of custody of your Audit data?
• What do you do if you discover a breach?
![Page 25: Active Firewall](https://reader036.fdocuments.us/reader036/viewer/2022062305/5681637d550346895dd45d25/html5/thumbnails/25.jpg)
Cloud Security Summary
• Virtualization can repeat exposures• Just because your provider says its
secure don’t believe them - Audit• Data and Transactions on The
Mainframe – Mostly secure – Once data is in transit not so much
• Now how to Manage User Identity and how distributed cloud systems are provisioned
• Universal Key Management and how are users being Authenticated?
• Can you audit your environment so you can control of your data
• What is going out your door encrypted?