Transcript of Oregon State University Enterprise Firewall Evolution

Oregon State University Enterprise Firewall Evolution
Network Engineering
Chris Giem – Senior Network Engineer
Bill Myers
Project Website: http://oregonstate.edu/net/firewall/
Enterprise Firewall Evolution
Viruses and worms do not play favorites. They are just as happy to run wild on campus as in major corporations.
Oregon State University network security must evolve to meet current and future needs.
Enterprise Firewall Evolution
The OSU network is extremely accessible from the Internet.
Many at OSU view the services they provide as a greater good and a public asset that should be freely available.
Users want to provide access to their work and to freely collaborate with their peers.
They don't want barriers.
Enterprise Firewall Evolution
Security is about preserving use of the network rather than creating barriers.
One infected host can bring the entire OSU network down.
Unprotected files can be destroyed and important services severely impaired.
Enterprise Firewall Evolution
Why are we changing
Current Firewall Architecture
New Firewall Architecture
The Impact to Campus
Timeline
Why are we changing
Lessons learned
– Client requirements
– Operational requirements
– Scalability factors
New technology
– Virtual firewall: a software feature of the Cisco Firewall Services Module (FWSM); one module hosts many independent firewall contexts, each with its own policy
– Transparent firewall: acts as a "bump in the wire" that does packet inspection at Layer 2 without routing or address translation; allows multicast traffic
Current Firewall Architecture
[Diagram: Internet – Router – OSU Network – Firewall – Router – Trusted Subnets / Services Subnets]
Current Firewall Architecture
Consequences
– Network Address Translation
  Difficult to implement for on-campus communication
– Does not allow multicast
– Windows services
  Experienced difficulties with Windows 9X
– Most of campus is unprotected from the Internet
– One size does not fit all
  Policies are large and full of exceptions
[Diagram: Internet – OSU Network – Services Subnets / Trusted Subnets]
Current Firewall Architecture
Current groups behind the firewall
– Network Engineering
– Athletics
– Registration and Enrollment
– Milne Computing Center
– Numerous services, including Banner, parts of Exchange, parts of ONID, and many others
[Diagram: Internet – OSU Network – Services Subnets / Trusted Subnets]
New Firewall Architecture
[Diagram: Internet – Campus Firewall – OSU Network, with separate virtual firewalls (VFs) for ResNet, Other ResNet, SHS, an example VF and an example DMZ]
New Firewall Architecture
Features
– Virtual firewalls
– Transparent firewall
– Firewall resource allocation
Capacity
– Nominal throughput is 5 Gigabit/s and is expandable
– 50 virtual firewalls per Firewall Services Module, expandable to 100 virtual firewalls per FSM
[Diagram: Internet – OSU Network, with separate virtual firewalls for COB Services, Athletics, COS Services, Inside Services, Exchange Services, Banner Services, COE Services, COF Services, IS Services and ResNet]
Impact to Campus
What it means to campus
– No inbound connections
  Must use an approved gateway (for example VPN or Terminal Server) to reach devices not in a DMZ
– Server consolidation
  All services accessed from the Internet must be placed in a DMZ
– Understanding applications' communications
  Knowing the TCP / UDP ports each application needs in order to create rules for the firewall
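The three points above combine into one rule-building discipline: inventory each Internet-facing service with its host and TCP/UDP port, permit only those, and refuse inbound permits for anything outside a DMZ. The script below is an added example (not OSU's tooling and not part of the original deck) that applies that policy to a constructed inventory and emits FWSM/ASA-style access-list lines; the hosts (RFC 5737 documentation addresses), the ACL name `dmz_in`, the interface name `outside` and the list of Windows service ports are assumptions for illustration. It also includes a first-match evaluator so the generated policy can be checked against sample flows before it is deployed.

```python
"""Build a default-deny inbound access-list from a service inventory.

Added example, not OSU's code. Policy encoded (from the deck): no inbound
connections from the Internet except to hosts in a DMZ, and only on the
TCP/UDP ports each application is known to need.
"""
from dataclasses import dataclass

# Windows file/RPC service ports; the deck reports trouble with Windows
# services behind the old firewall, so inbound permits to these are refused.
# Assumed list for illustration.
WINDOWS_SERVICE_PORTS = {("tcp", 135), ("tcp", 139), ("tcp", 445),
                         ("udp", 137), ("udp", 138)}


@dataclass
class Service:
    host: str      # IPv4 address of the server (constructed, RFC 5737 range)
    proto: str     # "tcp" or "udp"
    port: int
    in_dmz: bool   # True if the host lives in a DMZ context
    name: str = ""


def acl_line(acl: str, svc: Service) -> str:
    """One permit line in FWSM/ASA extended ACL syntax (assumed syntax)."""
    return f"access-list {acl} extended permit {svc.proto} any host {svc.host} eq {svc.port}"


def build_inbound_policy(acl: str, services):
    """Return (lines, rejected).

    lines: permit lines for DMZ services, an explicit deny-all so the
           default deny is visible in the config, and the access-group
           binding to the Internet-facing interface.
    rejected: (service, reason) pairs that violate the campus policy.
    """
    lines, rejected, seen = [], [], set()
    for svc in services:
        if svc.proto not in ("tcp", "udp") or not 1 <= svc.port <= 65535:
            rejected.append((svc, "invalid protocol or port"))
            continue
        if not svc.in_dmz:
            rejected.append((svc, "host not in a DMZ; reach it through the VPN/terminal-server gateway"))
            continue
        if (svc.proto, svc.port) in WINDOWS_SERVICE_PORTS:
            rejected.append((svc, "Windows file/RPC service must not be exposed to the Internet"))
            continue
        key = (svc.proto, svc.host, svc.port)
        if key in seen:
            continue  # duplicate inventory entry, emit the rule once
        seen.add(key)
        lines.append(acl_line(acl, svc))
    lines.append(f"access-list {acl} extended deny ip any any")
    lines.append(f"access-group {acl} in interface outside")  # interface name assumed
    return lines, rejected


def is_permitted(lines, proto: str, dst: str, port: int) -> bool:
    """First-match evaluation, as the firewall applies an ACL; implicit deny at end."""
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            continue
        action, acl_proto = tok[3], tok[4]
        if acl_proto == "ip" and tok[5:7] == ["any", "any"]:
            return action == "permit"
        if (len(tok) >= 10 and acl_proto == proto and tok[6] == "host"
                and tok[7] == dst and tok[8] == "eq" and int(tok[9]) == port):
            return action == "permit"
    return False


# Constructed inventory; names loosely follow services named in the deck.
INVENTORY = [
    Service("192.0.2.10", "tcp", 443, True, "Banner web front end"),
    Service("192.0.2.11", "tcp", 25, True, "Exchange inbound SMTP"),
    Service("192.0.2.11", "tcp", 25, True, "Exchange inbound SMTP (duplicate entry)"),
    Service("192.0.2.12", "tcp", 445, True, "departmental file share"),   # refused
    Service("192.0.2.50", "tcp", 3389, False, "lab desktop, not in a DMZ"),  # refused
    Service("192.0.2.13", "udp", 53, True, "authoritative DNS"),
]

if __name__ == "__main__":
    rules, refused = build_inbound_policy("dmz_in", INVENTORY)
    print("\n".join(rules))
    for svc, why in refused:
        print(f"! refused {svc.name} ({svc.proto}/{svc.port} -> {svc.host}): {why}")
    print("3389 to lab desktop permitted?", is_permitted(rules, "tcp", "192.0.2.50", 3389))
```

Running it prints three permit lines, the deny-all, the access-group binding, and two refusals; the evaluator confirms that RDP to the non-DMZ desktop is blocked, which is exactly the case the deck says must go through an approved gateway instead.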
Impact to Campus
What it means to campus (cont.)
– Better protection from the Internet
  Fewer scans, hackers, and viruses. Just ask the groups already behind the firewall.
Timeline
When?
– Meeting with colleges / departments to determine their networking requirements: April 1st to June 9th
– Installation, monitoring, and analysis: June 15th
– Proposed date for going live: September 7th
Enterprise Firewall Evolution
Conclusion
– The new firewall architecture is not a replacement for patching and virus protection
– It will remove most of OSU's exposure from the Internet
Email: [email protected]