Presentation Outline

Access Technology
(Firewall/VPN)
Selection & Deployment
Terry L Davis, P.E.
Associate Technical Fellow
Senior Security Architect
Boeing Shared Services Group
Bellevue, Washington
C19 - Terry L Davis
1
Overview of Boeing Global Communications
Operations Scope
• Approaching 250,000 IP addresses
• Major operations in 30+ states
• 12+ foreign countries
• 4000+ subnets
• 750 routers
• 3000 switches
• 3 major communication hub sites
• Aggregate communication bandwidth to our
customers/partners exceeding 1 Gigabit
Access Technology Selection
Classical Firewalls
Services:
Internet/ISP access, Proxy services, and Standard Internet
Applications
Deployments:
Secure sites
Considerations:
Manpower, Throughput, Support (Help desk)
VPNs
Services:
Location transparency, and Network extension
Deployments:
Within a semi-trusted environment, national deployments,
and Work-at-home over switched networks
Considerations:
The support personnel, and Site security
Access Technology Selection (cont)
Router-to-router tunnels
Services:
Location transparency and Network extension
Deployment:
Secure sites, Insecure environments, and International deployments
Considerations:
Manpower, Government restrictions, and Throughput
Client-to-router/server tunnels
Services:
Secure communications and Location transparency
Deployments:
Insecure sites, Road warriors, Executive dial-in services, and Work at
home on shared media networks
Considerations:
Personnel (technical or non-technical), Work at home shared systems,
Performance, and Support (Help desk)
Implications of the Technology Selections
• Security
• Application access
• Network services (DNS/DHCP)
• Router/server loading due to encryption
• Authentication services
• Operations support
• Business processes
Access Service Layers
(Diagram; recoverable labels only, listed from the outside in.)
• External
• External Routing & Redundancy
• Intrusion Detection & Audit
• Access Control
• Access services, side by side:
– Existing Legacy Access Services
– Internet Access Services (IP only; encryption access control required)
– VPN Access Services
• Routing & Control Protocols; Path Control
• Intrusion Detection & Audit
• Internal Routing & Redundancy
• Internal
Access Services - Traditional Deployment
(Diagram; recoverable labels only, listed from the outside in.)
• INTERNET / WWW
• External Routers
• Security Perimeter: Access Control & Intrusion Detection
• Outer LAN:
– Customer VPN & Access Tunnel
– Data Services (Share, Data Xfer)
– Design Systems
– Interactive WEB Access
• Classical Firewalls
• Security Cells
• Inner LAN: Access Control & Intrusion Detection
• Internal Routers
• Internal Networks
Access Services - Strategic Architecture
(Diagram; recoverable labels only, listed from the outside in.)
• INTERNET/GlobalComm
• External Routers
• Security Perimeter
• Intelligent Access Services
• Shared (DMZ) LAN:
– Email
– Secure Data Drops
– Data Sharing
– Security Cells
– Shared Design Systems
– Special Contracts
• Internal Routers
• Internal Networks
Intelligent Services:
– Network Extension
– User transparent
– Secure Authentication
– Path Authorization
– Encryption
– Audit & Accounting
– Event Alarming
– Intrusion Detection
– Shunning
– Redundant Pathing
Access Services - Mixed Deployments
(Diagram; recoverable labels only, listed from the outside in.)
• INTERNET / WWW / GlobalComm
• External Routers
• Internet Hardened Infrastructure:
– Intrusion Detection, Audit & Shunning
– VPN Access
– Internet Hardened Servers & Workstations
• Legacy Security Perimeter:
– Access Control & Intrusion Detection
– Outer LAN
– Existing Security Cells
– Inner LAN
– Access Control & Intrusion Detection
• Legacy Networks & Systems
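The layered deployments on the preceding slides (external perimeter, outer LAN, security cells behind classical firewalls, inner LAN, internal networks) imply two checks a reviewer of an access policy would want: no single permit may jump a layer, and no service may chain permit-by-permit from the Internet into a protected zone (the "rat run" the later definitions slide jokes about). The following checker is an added example, not code from the presentation or from Boeing; the zone names, the `permit <service> from <zone> to <zone>` rule syntax and the sample policy are constructed assumptions for illustration only.

```python
"""Toy checker for a layered access policy.

Constructed example: zone names, rule syntax and the sample policy are
assumptions for illustration, not Boeing's architecture or any product's
configuration language.
"""
from collections import deque
from dataclasses import dataclass

# Layers from the Internet inward, following the traditional-deployment slide.
LAYERS = ["internet", "outer_lan", "security_cell", "inner_lan", "internal"]
DEPTH = {zone: i for i, zone in enumerate(LAYERS)}
PROTECTED = {"inner_lan", "internal"}


@dataclass(frozen=True)
class Rule:
    src: str      # zone the flow originates in
    dst: str      # zone the flow is admitted to
    service: str  # service label the permit applies to


def parse_rules(text):
    """Parse 'permit <service> from <src> to <dst>' lines; blank and '#' lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if len(tok) != 6 or tok[0] != "permit" or tok[2] != "from" or tok[4] != "to":
            raise ValueError(f"unparseable rule: {line!r}")
        for zone in (tok[3], tok[5]):
            if zone not in DEPTH:
                raise ValueError(f"unknown zone {zone!r} in {line!r}")
        rules.append(Rule(src=tok[3], dst=tok[5], service=tok[1]))
    return rules


def layer_skips(rules):
    """Rules that cross more than one layer boundary in a single permit,
    i.e. bypass a perimeter control point (e.g. internet straight to internal)."""
    return [r for r in rules if abs(DEPTH[r.dst] - DEPTH[r.src]) > 1]


def service_reach(rules, service, start="internet"):
    """Zones a service can reach from `start` by chaining permits for that
    same service (breadth-first closure over the rule graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.service == service and r.src == zone and r.dst not in seen:
                seen.add(r.dst)
                queue.append(r.dst)
    return seen


def internal_exposures(rules):
    """Services that, starting from the Internet, chain into a protected zone.
    Returns {service: sorted list of protected zones reached}."""
    exposures = {}
    for service in sorted({r.service for r in rules}):
        hit = service_reach(rules, service) & PROTECTED
        if hit:
            exposures[service] = sorted(hit)
    return exposures


# Constructed sample policy (assumption for illustration only).
SAMPLE_POLICY = """
# interactive web access and the customer VPN terminate on the outer LAN
permit http  from internet      to outer_lan
permit ipsec from internet      to outer_lan
# web front end in a security cell, its database on the inner LAN
permit http  from outer_lan     to security_cell
permit sql   from security_cell to inner_lan
# a file share chained hop by hop all the way in: a "rat run" from the Internet
permit smb   from internet      to outer_lan
permit smb   from outer_lan     to security_cell
permit smb   from security_cell to inner_lan
# legacy hole that skips every control point
permit telnet from internet     to internal
"""


def audit(policy_text=SAMPLE_POLICY):
    """Run both checks over a policy and return the findings."""
    rules = parse_rules(policy_text)
    return {
        "layer_skips": [(r.service, r.src, r.dst) for r in layer_skips(rules)],
        "internal_exposures": internal_exposures(rules),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Run stand-alone it reports the single layer-skipping permit (telnet) and the two services that reach a protected zone from the Internet (smb by chaining through every layer, telnet directly); http stops at the security cell because the only inward permit from there is for a different service.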
VPN Deployment
Typical RFP Issues:
• Looking for a single solution
• No architecture
• No definition of a VPN
• Requirements for everything
Need to:
• Define your architecture
• Define VPN
• Define your deployment Framework
VPN Deployment
VPN Service
• An overlay to your existing infrastructure to
enable the delivery of a specific set of services to
a sub-set of your users.
Perimeter/Firewall Service
• An access service to a specific intranet or
extranet resource.
VPN Deployment
VPN Architecture
• Access
• Extranet
• Intranet
• Routed
• Integrated Operations
• others
– Private Video Conference
– etc.
VPN Deployment
IPSEC VPN Framework
• Ability to deploy tactical solutions that don’t fully
conform or interoperate with IPSEC
• Strategic plan to bring conforming IPSEC
services into the deployment from all your
tactical and strategic vendors.
– An interoperability matrix to guide deployment
plans
– A certification process to populate this matrix.
Next Generation Technology (Wish List)
• Lightweight authentication
• Authenticated connections
• Multi-gigabit link encryption
• Gigabit security
• Connection/Flow/Stream security management
• Questions on "packet examination" scaling
Favorite Security Technology Definitions
Firewalls: A technology to
keep customers out
provide nefarious types with standard accesses to your network
protect the rest of the Internet from your employees
provide a black hole for dollars and man-hours
Perimeter:
What you have when you find that mapping all major accesses
into your corporation is a major project and the milestones
keep slipping.
What you have when it takes a full size database to track your
installed "firewalls", their versions, what they do, and who
they support.
Favorite Security Technology Definitions (cont)
VPN:
A "sort of" private network
A highly interoperable solution if the vendor and the exact release
are the same at both ends
Encrypted tunnel:
A possibly secure communication link
A nice secure path for the "rats" to run in between your networks.
Authentication services:
A technology to broadcast your account and password to the
world
A set of non-interoperable technologies
Provide a fairly good chance that the user is who they claim to be
White hats
• Provide a manageable set of flexible services
• Engineer the solution; use appropriate
technology
• Be ahead of your customers
• Avoid scare tactics
• Simplify
• Enable business
Wear the white hats!