Oregon State University Enterprise Firewall Evolution

Network Engineering. Chris Giem – Senior Network Engineer; Bill Myers. Project website: http://oregonstate.edu/net/firewall/

Transcript of Oregon State University Enterprise Firewall Evolution

Page 1: Oregon State University Enterprise Firewall Evolution

Oregon State University Enterprise Firewall Evolution

Network Engineering
Chris Giem – Senior Network Engineer

Bill Myers

Project Website: http://oregonstate.edu/net/firewall/

Page 2: Oregon State University Enterprise Firewall Evolution


Viruses and worms do not play favorites. They are just as happy to run wild on campus as in major corporations.

Enterprise Firewall Evolution: Oregon State University network security must evolve to meet current and future needs.

Page 3: Oregon State University Enterprise Firewall Evolution


The OSU network is extremely accessible from the Internet.

Many at OSU view the services they provide as a greater good and a public asset that should be freely available.

Users want to provide access to their work and to freely collaborate with their peers.

They don't want barriers.

Page 4: Oregon State University Enterprise Firewall Evolution


Security is about preserving use of the network rather than creating barriers.

One infected host can bring the entire OSU network down.

Unprotected files can be destroyed and important services severely impaired.

Page 5: Oregon State University Enterprise Firewall Evolution


Agenda
– Why are we changing
– Current Firewall Architecture
– New Firewall Architecture
– The impact to campus
– Timeline

Page 6: Oregon State University Enterprise Firewall Evolution

Why are we changing

Lessons learned
– Client requirements
– Operational requirements
– Scalability factors

New technology
– Virtual firewall: a software feature of the Cisco Firewall Service Module; one module hosts many independently configured firewalls
– Transparent firewall: acts as a "bump in the wire" that inspects packets at layer 2 without routing or NAT, so it allows multicast traffic

Page 7: Oregon State University Enterprise Firewall Evolution

Current Firewall Architecture

(Diagram: Internet -> Router -> OSU Network / Firewall -> Router -> Trusted Subnets and Services Subnets)

Page 8: Oregon State University Enterprise Firewall Evolution

Current Firewall Architecture

Consequences
– Network Address Translation: difficult to implement for on-campus communication
– Does not allow multicast
– Windows services: experienced difficulties with Windows 9X
– Most of campus is unprotected from the Internet
– One size does not fit all: policies are large and full of exceptions

Page 9: Oregon State University Enterprise Firewall Evolution

Current Firewall Architecture

Current groups behind the firewall
– Network Engineering
– Athletics
– Registration and Enrollment
– Milne Computing Center
– Numerous services, including Banner, parts of Exchange, parts of ONID and many others

Page 10: Oregon State University Enterprise Firewall Evolution

New Firewall Architecture

(Diagram: Internet -> Campus Firewall -> OSU Network; the campus firewall is shown holding virtual firewalls such as ResNet VF and Other, plus an example VF with an example DMZ labeled SHS)

Page 11: Oregon State University Enterprise Firewall Evolution

New Firewall Architecture

Features
– Virtual firewalls
– Transparent firewall
– Firewall resource allocation

Capacity
– Nominal throughput is 5 Gigabit and is expandable
– 50 virtual firewalls per Firewall Service Module, expandable to 100 virtual firewalls per FSM

(Diagram: Internet -> OSU Network, with virtual firewalls for COB Services, Athletics, COS Services, Inside Services, Exchange Services, Banner Services, COE Services, COF Services, IS Services and ResNet)

Page 12: Oregon State University Enterprise Firewall Evolution

Impact to Campus

What it means to campus
– No inbound connections: devices not in a DMZ must be reached through an approved gateway (for example VPN or Terminal Server)
– Server consolidation: all services accessed from the Internet must be placed in a DMZ
– Understanding applications' communications: knowing the TCP / UDP ports needed to create rules for the firewall
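The three points above are one migration procedure: find the Internet-facing services, move them into a DMZ, and write a permit for each TCP/UDP port they actually use. The script below is an added example and is not code from the OSU presentation or the project website. It reads a constructed list of observed connection attempts, decides which ones the new policy still allows (Internet to a host in a DMZ) and which it will drop (Internet to a non-DMZ host, which must move to a DMZ or be reached via VPN / terminal server), and renders the permits as FWSM/ASA extended access-list lines. The campus address plan, the group-to-DMZ mapping and the flow records are all constructed for the example from the RFC 5737 documentation ranges; the slides give none of them.

```python
# Added example (not from the OSU slides): check observed connection attempts against the
# new "no inbound connections unless the target is in a DMZ" policy and turn the
# legitimate ones into per-virtual-firewall permit rules.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan. The slides name groups (SHS, Athletics, ...) but give no
# subnets, so these are placeholders from the RFC 5737 documentation ranges.
CAMPUS = ip_network("192.0.2.0/24")          # stands in for the whole OSU address space
VIRTUAL_FIREWALLS = {                        # one transparent context per campus group
    "SHS":       {"dmz": ip_network("192.0.2.0/28"),  "inside": ip_network("192.0.2.16/28")},
    "Athletics": {"dmz": ip_network("192.0.2.32/28"), "inside": ip_network("192.0.2.48/28")},
}

# Constructed flow log: connection initiations as "src dst proto dport", one per line.
SAMPLE_FLOWS = """\
203.0.113.7   192.0.2.3    tcp 443
203.0.113.9   192.0.2.3    tcp 443
203.0.113.9   192.0.2.3    tcp 22
203.0.113.5   192.0.2.35   tcp 80
203.0.113.12  192.0.2.20   tcp 3389
203.0.113.12  192.0.2.50   udp 161
203.0.113.40  192.0.2.100  tcp 25
192.0.2.20    192.0.2.34   tcp 1433
192.0.2.21    203.0.113.80 tcp 80
"""


def locate(addr):
    """Return (virtual firewall name, zone) for a campus address, or (None, None)."""
    for name, zones in VIRTUAL_FIREWALLS.items():
        for zone, net in zones.items():
            if addr in net:
                return name, zone
    return None, None


def build_policy(flow_text):
    """Classify each flow under the new architecture.

    Returns a dict with:
      rules      - {vf: set of (proto, dst, dport)} Internet -> DMZ services that need a permit
      blocked    - Internet -> non-DMZ attempts the campus firewall will now drop
      unaffected - flows the inbound rule does not cover (campus-sourced)
    """
    rules, blocked, unaffected = defaultdict(set), [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        src, dst, dport = ip_address(src), ip_address(dst), int(dport)
        if src in CAMPUS or dst not in CAMPUS:
            # Outbound and on-campus traffic is not subject to "no inbound connections".
            unaffected.append((str(src), str(dst), proto, dport))
            continue
        vf, zone = locate(dst)
        if zone == "dmz":
            rules[vf].add((proto, str(dst), dport))
        else:
            # Inside host (or a subnet not yet behind a VF): must move to a DMZ or be
            # reached through an approved gateway such as VPN or a terminal server.
            blocked.append({"src": str(src), "dst": str(dst), "proto": proto,
                            "dport": dport, "vf": vf or "campus default"})
    return {"rules": dict(rules), "blocked": blocked, "unaffected": unaffected}


def render_rules(policy):
    """Render the permits as FWSM/ASA extended ACL lines, one list per virtual firewall."""
    out = {}
    for vf, entries in policy["rules"].items():
        acl = f"{vf}_outside_in"          # hypothetical ACL name, one per context
        out[vf] = [f"access-list {acl} extended permit {proto} any host {dst} eq {port}"
                   for proto, dst, port in sorted(entries)]
    return out


if __name__ == "__main__":
    policy = build_policy(SAMPLE_FLOWS)
    for vf, lines in render_rules(policy).items():
        print(f"# {vf}")
        print("\n".join(lines))
    for b in policy["blocked"]:
        print(f"BLOCKED {b['src']} -> {b['dst']} {b['proto']}/{b['dport']} ({b['vf']}): "
              "move the service to a DMZ or reach it via VPN / terminal server")
```

Run against real data, the flow log would come from the "Installation, Monitoring, and Analysis" phase on the timeline: a few weeks of observed inbound flows, fed through this kind of check, tell each department which servers need to move into a DMZ and exactly which ports their rules must open before the go-live date.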

Page 13: Oregon State University Enterprise Firewall Evolution

Impact to Campus

What it means to campus (cont.)
– Better protection from the Internet: fewer scans, hackers and viruses. Just ask the groups already behind the firewall.

Page 14: Oregon State University Enterprise Firewall Evolution

Timeline

When?
– Meeting with colleges / departments to determine their networking requirements: April 1st to June 9th
– Installation, monitoring and analysis: June 15th
– Proposed date for going live: September 7th

Page 15: Oregon State University Enterprise Firewall Evolution

Conclusion
– The new firewall architecture is not a replacement for patching and virus protection
– It will remove most of OSU's exposure from the Internet

Email: [email protected]