Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President...
![Page 1: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/1.jpg)
Use of a Third-Generation Firewall at a Small College
May 16, 2005
Christopher Rhoda, Vice President Information Services
Thomas College, Waterville, Maine
Copyright Christopher Rhoda 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
![Page 2: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/2.jpg)
Overview
1. Thomas College background
2. What are the three generations of firewalls?
3. Why use a third generation firewall?
4. See how a small college configured and uses Microsoft Internet Security and Acceleration (ISA) Server 2004.
5. Areas to be discussed include stateful packet filtering, intrusion detection, caching, Web proxy, logging, reporting, and comparisons among five of the most popular application-level firewalls.
![Page 3: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/3.jpg)
About Thomas College
- Private college in Maine
- 610 full-time / 1,100 total students
- Associate, bachelor and masters degrees
- Degree programs in the areas of business, technology, education, political science, and psychology.
![Page 4: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/4.jpg)
Thomas College IT Services
200 College PCs and thin-clients, 11 servers, 1Gb network backbone
Residence halls: Over 400 student-owned computers on 10/100Mb ports and wireless capabilities
Staffing: 2 full-time and 12 part-time students
![Page 5: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/5.jpg)
Thomas College Network History
- 1993 – 1st Generation Firewall: NSF grant, dedicated 56K line to the Internet
- 1995 – 2002 – 1st Generation Firewall: partnership with Maine Internetworks; 30+ T1s, cable modems, various local dial-ups; purchased by Adelphia Communications in 2001
- 2002 – present – 2nd & 3rd Generation Firewalls: Mid-Maine Communications; 3 T1s (6Mb fractional T3 in June 2005); state-wide dial-up via 500 number service; increasing bandwidth prioritization and security needs; increasing residential uses of audio and video (examples: Bearshare, Cdigix)
![Page 6: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/6.jpg)
The Three Generations of Firewalls
- 1st Generation – packet-filtering (examples: by IP or port)
- 2nd Generation – application-level (examples: proxies, client apps)
- 3rd Generation – stateful packet-filtering (example: only opening ports when needed, network-based attacks stopped)
![Page 7: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/7.jpg)
…but College networks don’t need to be secure.
Yes they do, because…
- Private information: administrative systems, intranets, extranets, personal student and employee info, “institution knowledge”
- It’s important to our students
![Page 8: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/8.jpg)
Why Use a Third Generation Firewall?
- Inspects traffic at the application level
- Supports multiple application proxies
- Performs deep-packet stateful inspection to stop today’s attacks using many protocols: HTTP, HTTPS, SMTP, POP3, IMAP, DNS, FTP, RPC, H.323, IM, VoIP, videoconferencing
![Page 9: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/9.jpg)
Stateful Packet-Filtering
At the packet level, a third generation firewall inspects the source and destination of the traffic indicated in the IP header, and the port in the TCP or UDP header identifying the network service or application used.
Dynamic packet filters enable opening a port only in response to a user's request and only for the duration required to satisfy that request, reducing the vulnerability associated with open ports.
A third generation firewall lets you dynamically determine which packets can be passed through to the internal network's circuit and application layer services.
You can configure access policy rules that open ports automatically only as allowed, and then close the ports when the communication ends.
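The slide describes the mechanism in words; the following is an added example (not from the presentation and not ISA Server code) that models it as a small connection-tracking filter. An outbound request from the internal network opens a return path for that one flow; inbound packets are admitted only when they match a tracked flow; the entry is removed when the connection ends or goes idle. The `10.10.` campus prefix, the 60-second idle timeout, the allowed port list and all addresses in the packet sequence are constructed for illustration.

```python
# Added example (not from the presentation): a minimal stateful packet filter
# that models the behaviour described above. An outbound request from the
# internal network creates a tracked flow; inbound packets are admitted only
# when they match a tracked flow; the entry is removed when the connection
# ends (FIN/RST) or idles out. Addresses, ports and the timeout are constructed.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.10."  # constructed: campus prefix, matches the deck's 10.10.x.x addresses
IDLE_TIMEOUT = 60.0         # seconds; assumed value, real firewalls use per-protocol timers


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    ts: float           # seconds since start of capture
    fin: bool = False   # TCP teardown (FIN/RST); marks the end of the flow


class StatefulFilter:
    """Tracks flows keyed by (internal ip, internal port, external ip, external port, proto)."""

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table = {}  # flow key -> timestamp of the last packet seen

    def _expire(self, now):
        stale = [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]  # close the port when the flow goes quiet

    def filter(self, pkt):
        self._expire(pkt.ts)
        if pkt.src.startswith(INTERNAL_PREFIX):
            # Outbound: policy decides which destination ports may be opened.
            if pkt.dport not in self.allowed:
                return "DROPPED"
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if pkt.fin:
                self.table.pop(key, None)  # communication ended: close the return path
            else:
                self.table[key] = pkt.ts   # open the return path for this flow only
            return "ALLOWED"
        # Inbound: the packet must be the reply direction of a tracked flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key not in self.table:
            return "DROPPED"  # unsolicited inbound packet, no port is open for it
        if pkt.fin:
            del self.table[key]
        else:
            self.table[key] = pkt.ts
        return "ALLOWED"


def demo():
    """Runs a constructed packet sequence through the filter and returns the verdicts."""
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    packets = [
        Packet("10.10.6.96", 3421, "203.0.113.5", 80, "tcp", 0.0),     # client opens a web connection
        Packet("203.0.113.5", 80, "10.10.6.96", 3421, "tcp", 0.1),     # server reply matches the tracked flow
        Packet("66.252.1.100", 1026, "10.10.7.255", 137, "udp", 1.0),  # unsolicited inbound NetBIOS packet
        Packet("10.10.5.82", 4412, "198.51.100.9", 6346, "tcp", 1.5),  # outbound to a port policy does not allow
        Packet("10.10.6.96", 3421, "203.0.113.5", 80, "tcp", 2.0, fin=True),  # client closes the connection
        Packet("203.0.113.5", 80, "10.10.6.96", 3421, "tcp", 3.0),     # late packet after the close
        Packet("10.10.6.75", 4000, "203.0.113.5", 443, "tcp", 10.0),   # new HTTPS flow
        Packet("203.0.113.5", 443, "10.10.6.75", 4000, "tcp", 100.0),  # reply after the idle timeout
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sequence in `demo()` exercises each rule on the slide: the web reply is admitted only because the client opened the flow first, the inbound NetBIOS packet has no matching entry and is dropped, and packets arriving after the close or after the idle timeout are dropped because the return path has already been shut.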
![Page 10: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/10.jpg)
Intrusion Detection
- All Ports Scan Attack
- Enumerated Port Scan Attack
- IP Half Scan Attack
- Land Attack
- Ping of Death Attack
- UDP Bomb Attack
- Windows Out of Band Attack
- DNS Hostname Overflow
- DNS Length Overflow
- DNS Zone Transfer from Privileged Ports (1-1024)
- DNS Zone Transfer from High Ports (above 1024)
- POP Buffer Overflow
![Page 11: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/11.jpg)
Intrusion Prevention
- Pro-active identification
- Ability to “sand-box” or disconnect attacks
- Ability to protect against threats from inside the organization (student and faculty computers)
![Page 12: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/12.jpg)
Caching
For a better end-user experience. HTTP, HTTPS, and FTP:
- Caching for outgoing requests to the Internet
- Reverse caching for incoming requests to our web/ftp servers
![Page 13: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/13.jpg)
Why Use Internet Security and Acceleration (ISA) Server?
For Thomas College in 2001 the choice for ISA Server 2000 was easy:
- Limited selection available
- Best academic price
- Ran on Windows 2000/2003 servers
- Integrated well with a campus with 95% Windows computers or thin-clients
- Fast HTTP Proxy – 80% of our traffic
- Support options were a good fit
![Page 14: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/14.jpg)
Why Stay with ISA 2004
The value in upgrading vs. replacing:
- New, easier to use interface
- Better throughput
- Better logging and tracking
![Page 15: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/15.jpg)
Management Console
![Page 16: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/16.jpg)
VPN
- IPSEC, L2TP, and PPTP
- Remote clients
- Site-to-site
![Page 17: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/17.jpg)
Logging
- Defaults to SQL Server (MSDE)
- Query interface built into Management Console

Packet filters:
```text
2004-02-28 00:00:00 10.10.5.122 255.255.255.255 Udp 4412 7100 DROPPED -
2004-02-28 00:00:00 66.252.1.100 10.10.7.255 Udp 1026 137 BLOCKED -
```

Firewall Service:
```text
10.10.5.82 Drew BearShare.exe:3:5.1 2004-03-06 00:00:04 TERRIER7 private1.bearshare.net - - - - - - - GHBN 13301 24057 0
10.10.6.84 bonangj aim.exe:3:5.1 2004-03-06 00:00:04 TERRIER7 ar.atwola.com - - - - - - - GHBN 13301 530940
```

Web Proxy Service:
```text
10.10.6.96 thomas.edu\owensj Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) 2004-03-06 00:00:13 TERRIER7 - image.weather.com - 80 -612 189 http GET http://image.weather.com/web/newscenter/stormstories/promo/tw_promo.jpg NotModified 0
10.10.6.75 THOMAS.EDU\johnstonk Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) 2004-03-06 00:00:13 TERRIER7 - us.i1.yimg.com - 80 -390 151 http GET http://us.i1.yimg.com/us.yimg.com/i/mc/mc2.js NotModified 0
```
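The packet-filter log above is plain whitespace-separated text, which makes it easy to mine outside the built-in query interface. The following is an added example (not from the presentation and not an ISA Server tool) that parses lines in that format, counts DROPPED and BLOCKED events per source address and destination port, and lists external addresses that hit Windows networking ports on campus hosts. The first two sample lines are the deck's own; the remaining lines, the `10.10.0.0/16` campus range, the watched port set and the `ALLOWED` action value are constructed assumptions.

```python
# Added example (not from the presentation): a parser for the packet-filter
# log format shown above (date time src dst proto sport dport action -) that
# summarises DROPPED/BLOCKED events per source and flags external addresses
# probing Windows networking ports. The first two sample lines are the deck's
# own; the rest are constructed in the same format, and the campus range,
# watched ports and the "ALLOWED" action value are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

CAMPUS = ipaddress.ip_network("10.10.0.0/16")  # assumed internal range
WATCH_PORTS = {135, 137, 138, 139, 445}        # RPC / NetBIOS / SMB, commonly probed

SAMPLE_LOG = """\
2004-02-28 00:00:00 10.10.5.122 255.255.255.255 Udp 4412 7100 DROPPED -
2004-02-28 00:00:00 66.252.1.100 10.10.7.255 Udp 1026 137 BLOCKED -
2004-02-28 00:00:02 66.252.1.100 10.10.7.255 Udp 1026 137 BLOCKED -
2004-02-28 00:00:03 203.0.113.7 10.10.6.96 Tcp 3345 445 BLOCKED -
2004-02-28 00:00:05 10.10.6.84 203.0.113.9 Tcp 1044 80 ALLOWED -
malformed line
"""


@dataclass
class FilterEvent:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    action: str


def parse_line(line):
    """Returns a FilterEvent for a well-formed packet-filter line, else None."""
    f = line.split()
    if len(f) < 8:
        return None
    try:
        return FilterEvent(
            ts=f"{f[0]} {f[1]}",
            src=ipaddress.ip_address(f[2]),
            dst=ipaddress.ip_address(f[3]),
            proto=f[4].lower(),
            sport=int(f[5]),
            dport=int(f[6]),
            action=f[7].upper(),
        )
    except ValueError:  # bad address or non-numeric port
        return None


def summarise(lines):
    """Counts denied events per source and per (source, dest port); lists external probes of watched ports."""
    denied_by_src = Counter()
    ports_by_src = defaultdict(Counter)
    external_probes = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action not in {"DROPPED", "BLOCKED"}:
            continue
        src = str(ev.src)
        denied_by_src[src] += 1
        ports_by_src[src][ev.dport] += 1
        if ev.src not in CAMPUS and ev.dport in WATCH_PORTS:
            external_probes.append((ev.ts, src, str(ev.dst), ev.dport))
    return denied_by_src, ports_by_src, external_probes


if __name__ == "__main__":
    by_src, ports, probes = summarise(SAMPLE_LOG.splitlines())
    for src, n in by_src.most_common():
        print(f"{src:16} {n:4} denied, ports {dict(ports[src])}")
    for ts, src, dst, dport in probes:
        print(f"external probe {ts} {src} -> {dst}:{dport}")
```

Two details matter for real logs: malformed lines are skipped rather than aborting the run, and the campus-range check separates inbound probes (worth watching over time) from internal hosts' own broadcast noise such as the first line, which is dropped but is not an external attack.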
![Page 18: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/18.jpg)
Reporting
Daily, Weekly, Monthly, Annually, On-Demand
Web-based
![Page 19: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/19.jpg)
Reporting – Summary – Protocols
Protocols: The following communication protocols were used to carry network traffic through ISA Server during the report period. Protocols that have generated the most traffic are listed first.

| Protocol | Requests | % of Total Requests |
|---|---|---|
| UNKNOWN | 22123198 | 45.1 % |
| HTTP | 13410830 | 27.4 % |
| Gnutella/Bearshare OUT | 9725296 | 19.8 % |
| DNS Query | 1796926 | 3.7 % |
| HTTP - IN | 598232 | 1.2 % |
| SMTP Server | 310206 | 0.6 % |
![Page 20: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/20.jpg)
Reporting – Summary – Users
Top Users: The following users have generated the largest amounts of network traffic through ISA Server during the report period. Users that have generated more traffic are listed first. Network addresses are presented when user names are unknown to ISA Server.
![Page 21: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/21.jpg)
Reporting – Summary – Top Web Sites
![Page 22: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/22.jpg)
Reporting – Summary – Traffic
![Page 23: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/23.jpg)
Reporting – Summary – Daily Traffic
![Page 24: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/24.jpg)
Reporting – Web – Object Types
![Page 25: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/25.jpg)
Reporting – Web – Browsers
![Page 26: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/26.jpg)
Reporting – Web – OSs
![Page 27: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/27.jpg)
Reporting – Applications – Top Applications
![Page 28: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/28.jpg)
Reporting – Applications – Top Destinations

| No | Destination IP | Unique Users | Requests | % of Total Requests | Bytes In | % of Total Bytes In | Bytes Out | % of Total Bytes Out | Total Bytes | % of Total Bytes |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 216.220.231.72 | 989 | 381297 | 1.0 % | 7.2 GB | 2.3 % | 169.2 MB | 0.6 % | 7.4 GB | 2.1 % |
| 2 | 64.236.34.97 | 8 | 59 | 0.0 % | 6.9 GB | 2.2 % | 7.0 KB | 0.0 % | 6.9 GB | 2.0 % |
| 3 | 216.220.231.71 | 794 | 276817 | 0.7 % | 5.9 GB | 1.9 % | 111.8 MB | 0.4 % | 6.0 GB | 1.7 % |
| 4 | 203.250.58.177 | 1 | 2 | 0.0 % | 2.9 GB | 0.9 % | 7.2 MB | 0.0 % | 2.9 GB | 0.8 % |
| 5 | 165.123.99.58 | 1 | 4 | 0.0 % | 1.9 GB | 0.6 % | 1.8 MB | 0.0 % | 1.9 GB | 0.6 % |
![Page 29: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/29.jpg)
Reporting – Security – Authorization Failures

| No | User | Authorization Failures | % of Total Authorization Failures |
|---|---|---|---|
| 1 | thomas.edu\couturej | 6914.0 | 23.5 % |
| 2 | THOMAS.EDU\damonj | 6536.0 | 22.2 % |
| 3 | thomas.edu\greenej | 2348.0 | 8.0 % |
| 4 | THOMAS.EDU\beaudoink | 2290.0 | 7.8 % |
| 5 | THOMAS.EDU\turcottesh | 2141.0 | 7.3 % |
| 6 | thomas.edu\owensj | 1344.0 | 4.6 % |
| 7 | THOMAS.EDU\cormierc | 1213.0 | 4.1 % |
![Page 30: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/30.jpg)
3rd-Party Add-ons
- Real-time viewing
- User quotas
- Anti-virus
![Page 31: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/31.jpg)
Scalability
- Use arrays for fault-tolerance
- Behind or in front of other firewalls
![Page 32: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/32.jpg)
ISA Server 2004 vs. 2000

| Feature | ISA Server 2004 | ISA Server 2000 |
|---|---|---|
| Network topologies | Unlimited multiple networks and types (internal, external, VPN, DMZ) | Single internal network, external network, and DMZ |
| Security policy | Per-network policy | One security policy |
| Layer 1 through 4 support | Stateful inspection on all network traffic | Stateful inspection only on traffic from/to LAT |
| Network routing | NAT or Route relationship | Always NAT from LAT |
| Content inspection | Complete stateful inspection on traffic to/from firewall | Traffic to/from firewall protected by static filters |
| VPN filtering | VPN natively supported through VPN network type | No stateful filtering on VPN traffic |
| Architecture | Performance-optimized multilayered filtering engine | Parallel Web Proxy and Firewall services |
| Management | All-new user interface | Standard MMC plug-in |
| VPN support | Adds IPSec Tunnel Mode | PPTP, L2TP IPSec |
![Page 33: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/33.jpg)
Other Firewall Products
- Check Point FireWall-1 (or Nokia 650)
- Secure Computing Sidewinder G2
- Symantec Enterprise Firewall with VPN 7.0
- WatchGuard Technologies Firebox 4500
- Cisco PIX Firewall 535
- Sonicwall
![Page 34: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/34.jpg)
3rd Generation Firewall Comparisons

| | Check Point Firewall-1 | Microsoft ISA 2004 | Secure Sidewinder G2 | Symantec Enterprise | WatchGuard Firebox 4500 |
|---|---|---|---|---|---|
| OS | Windows, Solaris, Linux, Nokia IPSO | Windows | SecureOS Unix | Windows, Solaris, Linux | N/A |
| Interfaces | 1,024 | Unlimited | 10 | Unlimited | 3 |
| Stateful Packet Filtering | Y | Y | Y | Y | Y |
| Alerts | logs, e-mail, pager, SMS, SNMP | logs, e-mail, pager, SMS, run script | logs, e-mail, pager, SNMP, Tivoli | logs, e-mail, pager, SNMP | logs, e-mail, pager, run script |
| Software price | $ 19,000 | $ 6,381 | included | $ 19,995 | n/a |
| Hardware price | $ 4,200 | $ 2,508 | $ 34,900 | $ 6,295 | $ 9,990 |
![Page 35: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/35.jpg)
3rd Generation Firewall Comparisons
Network Computing Report Card, 3/21/03 issue, page 60

| | Check Point Firewall-1 | Microsoft ISA 2000 | Secure Sidewinder G2 | Symantec Enterprise | WatchGuard Firebox 4500 |
|---|---|---|---|---|---|
| Protection (50%) | 4.75 | 4 | 4 | 3 | 2 |
| Performance (20%) | 4 | 4 | 3 | 4.5 | 3 |
| Management (15%) | 4.5 | 4.5 | 5 | 4 | 3 |
| Reporting (10%) | 2 | 4 | 4.5 | 3 | 3 |
| Price (5%) | 2 | 3 | 3 | 5 | 4 |
| Total Score (100%) | 4.15 | 4.03 | 3.95 | 3.55 | 2.55 |
| Grade | B+ | B+ | B | B- | C- |
![Page 36: Use of a Third-Generation Firewall at a Small College May 16, 2005 Christopher Rhoda, Vice President Information Services Thomas College, Waterville, Maine.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649d875503460f94a6be3a/html5/thumbnails/36.jpg)
For More Information
Presenter: Christopher (Chris) Rhoda, Vice President for Information Services, Thomas College, Waterville, Maine
http://www.thomas.edu/chris/cumrec.ppt
[email protected]
Comparison information courtesy of: Mike Fratto, Senior Technology Editor, Network Computing; Executive Editor, Secure Enterprise
[email protected]