Firewalls and vpns at stanford august 22 2003
Download
1 / 29

Firewalls and VPNs at Stanford: August 22, 2003 - PowerPoint PPT Presentation


  • 145 Views
  • Uploaded on
  • Presentation posted in: General

Firewalls and VPNs at Stanford: August 22, 2003. Steve Tingley & Sunia Yang tingley@networking, sunia@networking Networking Systems. Topics. Changing how we look at networking Security by protocol stack Why protect the network Costs Specific pros & cons of firewalls

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

Firewalls and VPNs at Stanford: August 22, 2003

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Firewalls and VPNs at Stanford: August 22, 2003

Steve Tingley & Sunia Yang

tingley@networking, sunia@networking

Networking Systems


Topics

  • Changing how we look at networking

  • Security by protocol stack

  • Why protect the network

  • Costs

  • Specific pros & cons of firewalls

  • Specific pros & cons of VPNs


"Old" Way of Looking at Networks

  • Open access

  • Get all bits from here to anywhere ASAP

  • Packet loss is bad in all cases


"New" Way of Looking at Networks

  • Only let in/out "good" known traffic

  • Block all bad traffic

  • Use network device (firewalls/vpns) to make up for insecure transports, insecure applications, unpatched systems

  • Use network to partially centralize IT admin in distributed environment


Security by Protocol Stack

  • Firewalls and VPNs are just part of a total security approach

    • Firewall would not have caught bugbear-b virus

    • Firewall at Stanford border would not have prevented Windows RPC exploits


Physical Layer Security (Fences)

  • "If you can touch it, you can hack it"

    • Lock up servers, network closets

  • Wireless-

    • firewall defeated if wireless behind firewall

    • allowing unencrypted wireless session through firewall defeats data security


Data layer (bus vs star topology)

  • Switches as security device

    • isolates conversations- sniffer protection

      • may misbehave and "leak"

    • block by hardware address

      • not possible in all switches

    • hardcode hw address to port- tedious, unscalable


Network/Transport Layers (Guardposts checking license plates)

  • Filter traffic by IP addresses and ports

    • Router ACLs (may be leaky)

    • Firewalls

  • Require secure protocols or vpn

    • data encrypted (ssl, ssh)

    • encrypted data could still be virus or worm


Application Layer (Stuff inside car)

  • Design in security

    • good architecture- 3 tier

    • no clear text passwords

    • secure transports

  • Proxy "firewalls"

    • screens traffic at app layer before passing to real application

  • Good sys admins

    • patch, antivirus-software

    • turnoff unused services


Why implement security?

  • Financial risks

    • loss of data and reputation

    • cost of cleaning hacked machines

  • Legal risks

    • Hipaa (medical data), Ferpa (student records)

    • lawsuits


Why firewalls/vpns?

  • Physical and data layer security is critical

    • mostly implemented already (except wireless)

  • Too many badly architected apps on market

  • Often best return of security for given staff, time and money


Costs

  • re-educate users accustomed to open net

  • training on protocols, apps, security

  • staff time

    • monitor vulnerabilities in firewalls/vpns

    • monitor traffic for break-ins

    • troubleshooting - good tight rules can break app if new revision, etc.

  • equipment- hardware and software

    • firewall, vpn concentrator, vpn client

    • traffic analysis tools, monitoring/log servers


Firewall Specifics

  • Most common security deployed at network/transport layer

  • Helps restrict who talks to who


Firewall Pros

  • For limited staff time and money, may get most amount of security

    • if firewall placed properly

    • if staff actively watching network

  • Ex.- slammer worm targets port 1434.

    • adding firewall or router rule to block 1434 is much faster than patching all machines


Firewall Cons- #1

  • Inconvenience to users

    • re-educate users

    • good rules > minor changes may break app

    • need good communication, docs and response

    • protective rules constrain traffic

      • ex. protecting workstations by denying incoming connections may break peering apps


Firewall Cons- #2

  • Incomplete security

    • Firewall does not protect needed server ports

      • e.g., if running IIS server, need to open hole for http. IIS vulnerability still must be patched. But may prevent hacker from reaching backdoor

    • Does not protect against email viruses/worms

    • May lead to complacency in Sys Admins, app developers, users


Firewall Costs- #1

  • Software & Hardware costs

    • firewalls, maintenance, support, spares

    • network analyzer

    • management/log/monitoring tools

    • management/log/monitoring servers


Firewall Costs- #2

  • Staff costs

    • Training

    • Traffic analysis and rule development

    • Monitoring traffic, vulnerabilities, breakins

    • Rule changes- proactive or reactive?

    • Meetings and politics

    • Documentation, rule change processes


Firewall Technical Issues

  • Manageable rule set vs. many exceptions

  • False positives

    • ex. Monitoring pings might look like icmp attack

  • Hard to secure port-hopping apps- VPN?

  • Session timeout limits

  • Server initiates new session to client (AFS)

  • Reply to client from different IP


VPN Specifics

  • Common way to deal with application data transparency by encrypting

  • Another layer of authentication and authorization


VPN Pros

  • With limited staff time and money, may get most application layer security

  • Sometimes can be used to enforce patch level of client operating systems


VPN Cons- #1

  • Inconvenience

    • not all VPN clients compatible or can co-exist

    • VPN clients fiddle with host's tcp/ip stack

      • may break some apps

    • may break IP dependent services

    • split tunnel issues- discussed later


VPN Cons- #2

  • Incomplete security

    • Does not protect if client machine hacked

      • in fact, provides encrypted tunnel for hacker

    • May lead to complacency in users, Sys Admins, app developers


VPN Costs- #1

  • Software & Hardware costs

    • VPN concentrator, maintenance/support, spares

    • VPN clients, maintenance, support

    • management/log/monitoring tools

    • management/log/monitoring servers


VPN Costs- #2

  • Staff costs

    • Training

    • Monitoring traffic, vulnerabilities, breakins

    • VPN client support/upgrades

    • VPN user administration

    • Meetings and politics

    • Documentation, rule change processes


VPN Technical Issues- #1

  • Scalability issues

  • Encryption overhead affects throughput

  • VPN client picks up new IP

  • Software vs hardware VPN clients

    • cost vs convenience vs compatibility


VPN Technical Issues- #2Split Tunnel

  • only traffic to specific servers is encrypted

  • pros- performance

    • less encryption overhead

    • less traffic to central VPN concentrator

  • cons- security

    • if client host is hacked, hacker can control VPN session


Stanford VPN Beta

  • URL:

  • No free client for Mac OS 8 or 9

  • Hostname: su-vpn.stanford.edu

  • Group Access Information

    • Group: Stanford

    • Password: Stanford

      Use SUNet ID and password when prompted


Questions and Feedback

  • Thanks to Information Security Services for reviewing technical accuracy and completeness.


ad
  • Login