Firewalls and vpns at stanford august 22 2003
This presentation is the property of its rightful owner.
Sponsored Links
1 / 29

Firewalls and VPNs at Stanford: August 22, 2003 PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Firewalls and VPNs at Stanford: August 22, 2003. Steve Tingley & Sunia Yang [email protected], [email protected] Networking Systems. Topics. Changing how we look at networking Security by protocol stack Why protect the network Costs Specific pros & cons of firewalls

Download Presentation

Firewalls and VPNs at Stanford: August 22, 2003

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Firewalls and vpns at stanford august 22 2003

Firewalls and VPNs at Stanford: August 22, 2003

Steve Tingley & Sunia Yang

[email protected], [email protected]

Networking Systems



  • Changing how we look at networking

  • Security by protocol stack

  • Why protect the network

  • Costs

  • Specific pros & cons of firewalls

  • Specific pros & cons of VPNs

Old way of looking at networks

"Old" Way of Looking at Networks

  • Open access

  • Get all bits from here to anywhere ASAP

  • Packet loss is bad in all cases

New way of looking at networks

"New" Way of Looking at Networks

  • Only let in/out "good" known traffic

  • Block all bad traffic

  • Use network device (firewalls/vpns) to make up for insecure transports, insecure applications, unpatched systems

  • Use network to partially centralize IT admin in distributed environment

Security by protocol stack

Security by Protocol Stack

  • Firewalls and VPNs are just part of a total security approach

    • Firewall would not have caught bugbear-b virus

    • Firewall at Stanford border would not have prevented Windows RPC exploits

Physical layer security fences

Physical Layer Security (Fences)

  • "If you can touch it, you can hack it"

    • Lock up servers, network closets

  • Wireless-

    • firewall defeated if wireless behind firewall

    • allowing unencrypted wireless session through firewall defeats data security

Data layer bus vs star topology

Data layer (bus vs star topology)

  • Switches as security device

    • isolates conversations- sniffer protection

      • may misbehave and "leak"

    • block by hardware address

      • not possible in all switches

    • hardcode hw address to port- tedious, unscalable

Network transport layers guardposts checking license plates

Network/Transport Layers (Guardposts checking license plates)

  • Filter traffic by IP addresses and ports

    • Router ACLs (may be leaky)

    • Firewalls

  • Require secure protocols or vpn

    • data encrypted (ssl, ssh)

    • encrypted data could still be virus or worm

Application layer stuff inside car

Application Layer (Stuff inside car)

  • Design in security

    • good architecture- 3 tier

    • no clear text passwords

    • secure transports

  • Proxy "firewalls"

    • screens traffic at app layer before passing to real application

  • Good sys admins

    • patch, antivirus-software

    • turnoff unused services

Why implement security

Why implement security?

  • Financial risks

    • loss of data and reputation

    • cost of cleaning hacked machines

  • Legal risks

    • Hipaa (medical data), Ferpa (student records)

    • lawsuits

Why firewalls vpns

Why firewalls/vpns?

  • Physical and data layer security is critical

    • mostly implemented already (except wireless)

  • Too many badly architected apps on market

  • Often best return of security for given staff, time and money



  • re-educate users accustomed to open net

  • training on protocols, apps, security

  • staff time

    • monitor vulnerabilities in firewalls/vpns

    • monitor traffic for break-ins

    • troubleshooting - good tight rules can break app if new revision, etc.

  • equipment- hardware and software

    • firewall, vpn concentrator, vpn client

    • traffic analysis tools, monitoring/log servers

Firewall specifics

Firewall Specifics

  • Most common security deployed at network/transport layer

  • Helps restrict who talks to who

Firewall pros

Firewall Pros

  • For limited staff time and money, may get most amount of security

    • if firewall placed properly

    • if staff actively watching network

  • Ex.- slammer worm targets port 1434.

    • adding firewall or router rule to block 1434 is much faster than patching all machines

Firewall cons 1

Firewall Cons- #1

  • Inconvenience to users

    • re-educate users

    • good rules > minor changes may break app

    • need good communication, docs and response

    • protective rules constrain traffic

      • ex. protecting workstations by denying incoming connections may break peering apps

Firewall cons 2

Firewall Cons- #2

  • Incomplete security

    • Firewall does not protect needed server ports

      • e.g., if running IIS server, need to open hole for http. IIS vulnerability still must be patched. But may prevent hacker from reaching backdoor

    • Does not protect against email viruses/worms

    • May lead to complacency in Sys Admins, app developers, users

Firewall costs 1

Firewall Costs- #1

  • Software & Hardware costs

    • firewalls, maintenance, support, spares

    • network analyzer

    • management/log/monitoring tools

    • management/log/monitoring servers

Firewall costs 2

Firewall Costs- #2

  • Staff costs

    • Training

    • Traffic analysis and rule development

    • Monitoring traffic, vulnerabilities, breakins

    • Rule changes- proactive or reactive?

    • Meetings and politics

    • Documentation, rule change processes

Firewall technical issues

Firewall Technical Issues

  • Manageable rule set vs. many exceptions

  • False positives

    • ex. Monitoring pings might look like icmp attack

  • Hard to secure port-hopping apps- VPN?

  • Session timeout limits

  • Server initiates new session to client (AFS)

  • Reply to client from different IP

Vpn specifics

VPN Specifics

  • Common way to deal with application data transparency by encrypting

  • Another layer of authentication and authorization

Vpn pros

VPN Pros

  • With limited staff time and money, may get most application layer security

  • Sometimes can be used to enforce patch level of client operating systems

Vpn cons 1

VPN Cons- #1

  • Inconvenience

    • not all VPN clients compatible or can co-exist

    • VPN clients fiddle with host's tcp/ip stack

      • may break some apps

    • may break IP dependent services

    • split tunnel issues- discussed later

Vpn cons 2

VPN Cons- #2

  • Incomplete security

    • Does not protect if client machine hacked

      • in fact, provides encrypted tunnel for hacker

    • May lead to complacency in users, Sys Admins, app developers

Vpn costs 1

VPN Costs- #1

  • Software & Hardware costs

    • VPN concentrator, maintenance/support, spares

    • VPN clients, maintenance, support

    • management/log/monitoring tools

    • management/log/monitoring servers

Vpn costs 2

VPN Costs- #2

  • Staff costs

    • Training

    • Monitoring traffic, vulnerabilities, breakins

    • VPN client support/upgrades

    • VPN user administration

    • Meetings and politics

    • Documentation, rule change processes

Vpn technical issues 1

VPN Technical Issues- #1

  • Scalability issues

  • Encryption overhead affects throughput

  • VPN client picks up new IP

  • Software vs hardware VPN clients

    • cost vs convenience vs compatibility

Vpn technical issues 2 split tunnel

VPN Technical Issues- #2Split Tunnel

  • only traffic to specific servers is encrypted

  • pros- performance

    • less encryption overhead

    • less traffic to central VPN concentrator

  • cons- security

    • if client host is hacked, hacker can control VPN session

Stanford vpn beta

Stanford VPN Beta

  • URL:

  • No free client for Mac OS 8 or 9

  • Hostname:

  • Group Access Information

    • Group: Stanford

    • Password: Stanford

      Use SUNet ID and password when prompted

Questions and feedback

Questions and Feedback

  • Thanks to Information Security Services for reviewing technical accuracy and completeness.

  • Login