Third-Generation Firewalls at a Small College


Use of a Third-Generation Firewall at a Small College
May 16, 2005
Christopher Rhoda, Vice President Information Services
Thomas College, Waterville, Maine
[email protected]
Copyright Christopher Rhoda 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
1. Thomas College background
2. What are the three generations of firewalls?
3. Why use a third generation firewall?
4. See how a small college configured and uses Microsoft Internet Security and Acceleration (ISA) Server 2004.
5. Areas to be discussed include stateful packet filtering, intrusion detection, caching, Web proxy, logging, reporting, and comparisons among five of the most popular application-level firewalls.
About Thomas College
- Private college in Maine
- 610 full-time / 1,100 total students
- Associate, bachelor and masters degrees
- Degree programs in the areas of business, technology, education, political science, and psychology.
Thomas College IT Services
- 200 College PCs and thin-clients, 11 servers, 1Gb network backbone
- Residence halls: Over 400 student-owned computers on 10/100Mb ports and wireless capabilities
- Staffing: 2 full-time and 12 part-time students
Thomas College Network History
- 1993 – 1st Generation Firewall
  - NSF grant
  - dedicated 56K line to the Internet
- 1995 – 2002 – 1st Generation Firewall
  - Partnership with the Maine Internetworks
  - 30+ T1s, Cable Modems, Various Local Dial-ups
  - Purchased by Adelphia Communications in 2001
- 2002-present – 2nd & 3rd Generation Firewalls
  - Mid-Maine Communications
  - 3 T1s (6Mb fractional T3 in June 2005)
  - State-wide dial-up via 500 number service
  - Increasing bandwidth prioritization and security needs
  - Increasing residential uses of audio and video (examples: Bearshare, Cdigix)
The Three Generations of Firewalls
- 1st Generation – packet-filtering (examples: by IP or port)
- 2nd Generation – application-level (examples: proxies, client apps)
- 3rd Generation – stateful packet-filtering (example: only opening ports when needed, network-based attacks stopped)

…but College networks don’t need to be secure.
- Yes they do, because…
- Private Information
  - Administrative Systems
  - Intranets, Extranets
  - Personal Student and Employee Info.
  - “Institution Knowledge”
  - It’s important to our students
Why Use a Third Generation Firewall?
- Inspects traffic at the application level
- Supports multiple application proxies
- Performs deep-packet stateful inspection to stop today’s attacks using many protocols: HTTP, HTTPS, SMTP, POP3, IMAP, DNS, FTP, RPC, H.323, IM, VoIP, Videoconferencing
Stateful Packet-Filtering
- At the packet level, a third generation firewall inspects the source and destination of the traffic indicated in the IP header, and the port in the TCP or UDP header identifying the network service or application used.
- Dynamic packet filters enable opening a port only in response to a user's request and only for the duration required to satisfy that request, reducing the vulnerability associated with open ports.
- A third generation firewall lets you dynamically determine which packets can be passed through to the internal network's circuit and application layer services.
- You can configure access policy rules that open ports automatically only as allowed, and then close the ports when the communication ends.
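As an added illustration of the dynamic-port behaviour described above (example code written for this page, not part of the presentation and not ISA Server's own code): a small stateful filter that opens the return path only for flows an internal client started under an access rule, and closes it again when the flow ends. The 10.10.0.0/16 internal range, the rule set and the packet sequence are assumptions for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.0.0/16")  # assumed internal (LAT) range for the example
Packet = namedtuple("Packet", "src sport dst dport proto flags", defaults=[""])  # flags: TCP letters

class StatefulFilter:
    """Rules allow outbound requests to listed ports; the reply path is opened
    only while the matching flow exists and is closed again when the flow ends."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.flows = {}  # (proto, int ip, int port, ext ip, ext port) -> sides that sent FIN

    def process(self, p):
        src_int, dst_int = ip_address(p.src) in INTERNAL, ip_address(p.dst) in INTERNAL
        if src_int == dst_int:
            return "DROP"  # only internal <-> external traffic is handled here
        key = (p.proto, p.src, p.sport, p.dst, p.dport) if src_int else (
            p.proto, p.dst, p.dport, p.src, p.sport)
        fins = self.flows.get(key)
        if fins is None:  # no state: only an internal host may open a flow, to a permitted port, via a bare SYN
            if not src_int or p.dport not in self.allowed_dports or (
                    p.proto == "tcp" and p.flags != "S"):
                return "DROP"
            self.flows[key] = set()
            return "ALLOW"
        if p.proto == "tcp":  # RST, or FIN from both sides, closes the port again
            if "R" in p.flags:
                del self.flows[key]
            elif "F" in p.flags:
                fins.add("int" if src_int else "ext")
                if len(fins) == 2:
                    del self.flows[key]
        return "ALLOW"  # UDP state would instead expire by idle timeout in a real firewall

def demo():
    """Replays a constructed packet sequence and returns the verdict for each."""
    fw = StatefulFilter(allowed_dports={53, 80, 443})
    seq = [
        Packet("10.10.5.82", 3456, "198.51.100.7", 80, "tcp", "S"),    # client opens flow
        Packet("198.51.100.7", 80, "10.10.5.82", 3456, "tcp", "SA"),   # reply matches state
        Packet("198.51.100.7", 80, "10.10.5.82", 4000, "tcp", "S"),    # unsolicited inbound
        Packet("10.10.5.82", 3457, "198.51.100.7", 6346, "tcp", "S"),  # no rule for this port
        Packet("10.10.5.82", 3456, "198.51.100.7", 80, "tcp", "FA"),   # client starts close
        Packet("198.51.100.7", 80, "10.10.5.82", 3456, "tcp", "FA"),   # server finishes close
        Packet("198.51.100.7", 80, "10.10.5.82", 3456, "tcp", "A"),    # port is closed again
    ]
    return [fw.process(p) for p in seq]
```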
Intrusion Detection
- All Ports Scan Attack
- Enumerated Port Scan Attack
- IP Half Scan Attack
- Land Attack
- Ping of Death Attack
- UDP Bomb Attack
- Windows Out of Band Attack
- DNS Hostname Overflow
- DNS Length Overflow
- DNS Zone Transfer from Privileged Ports (1-1024)
- DNS Zone Transfer from High Ports (above 1024)
- POP Buffer Overflow
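Added example, not from the presentation and not ISA Server's detection code: how three of the signatures above (Land, Ping of Death, port scan) can be recognised from packet headers alone. The packet record shape, addresses, fragment sizes and the scan threshold are constructed for the example.

```python
from collections import defaultdict, namedtuple

# Constructed packet record: length is the IP total length of this fragment and
# frag_off its fragment offset in bytes (both 0 for unfragmented packets).
Pkt = namedtuple("Pkt", "src sport dst dport proto flags ip_id frag_off length",
                 defaults=["", 0, 0, 0])
MAX_DATAGRAM = 65535  # largest legal IP datagram, header included

class SignatureDetector:
    """Flags three of the network-level attacks listed above: Land, Ping of
    Death and port scans. The scan threshold is an assumption for the example."""

    def __init__(self, scan_threshold=20):
        self.scan_threshold = scan_threshold
        self.ports = defaultdict(set)     # (src, dst) -> distinct ports probed
        self.frag_end = defaultdict(int)  # (src, dst, ip_id) -> highest data byte seen
        self.scan_alerted = set()

    def inspect(self, p):
        alerts = []
        # Land: identical source and destination address and port, so the
        # victim answers itself.
        if p.src == p.dst and p.sport == p.dport:
            alerts.append("Land Attack")
        # Ping of Death: ICMP fragments whose reassembled datagram would exceed
        # the maximum IP size; alert once, when the limit is first crossed.
        if p.proto == "icmp":
            k = (p.src, p.dst, p.ip_id)
            before = self.frag_end[k]
            self.frag_end[k] = max(before, p.frag_off + p.length - 20)
            if before + 20 <= MAX_DATAGRAM < self.frag_end[k] + 20:
                alerts.append("Ping of Death Attack")
        # Port scan: one source probing many distinct ports on one host.
        if p.proto in ("tcp", "udp"):
            k = (p.src, p.dst)
            self.ports[k].add(p.dport)
            if len(self.ports[k]) >= self.scan_threshold and k not in self.scan_alerted:
                self.scan_alerted.add(k)
                alerts.append("Port Scan Attack")
        return alerts

def demo():
    det = SignatureDetector(scan_threshold=10)
    traffic = [Pkt("10.10.6.84", 139, "10.10.6.84", 139, "tcp", "S")]  # Land
    traffic += [Pkt("203.0.113.9", 0, "10.10.5.1", 0, "icmp", "", 7, 1480 * i, 1500)
                for i in range(50)]                 # one ping in 50 oversized fragments
    traffic += [Pkt("203.0.113.9", 40000, "10.10.5.1", port, "tcp", "S")
                for port in range(1, 13)]           # 12 ports probed on one host
    return [a for p in traffic for a in det.inspect(p)]
```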
Intrusion Prevention
- Pro-active identification
- Ability to “sand-box” or disconnect attacks
- Ability to protect against threats from inside the organization (student and faculty computers)
Caching
- For a better end-user experience
- HTTP, HTTPS, and FTP:
  - Caching for outgoing requests to the Internet
  - Reverse caching, for incoming requests to our web/ftp servers.
Why Use Internet Security and Acceleration (ISA) Server?
For Thomas College in 2001 the choice for ISA Server 2000 was easy:
- Limited selection available
- Best academic price
- Ran on Windows 2000/2003 servers
- Integrated well with a campus with 95% Windows computers or thin-clients
- Fast HTTP Proxy – 80% of our traffic
- Support options were a good fit
Why Stay with ISA 2004
- The value in upgrading vs. replacing
- New, easier to use interface
- Better throughput
- Better logging and tracking

Management Console

VPN
- IPSEC, L2TP, and PPTP
- Remote clients
- Site-to-site
Logging
- Defaults to SQL Server (MSDE)
- Query interface built into Management Console
- Three logs: Packet filters, Firewall Service, Web Proxy Service

Firewall Service
[Slide shows sample Firewall Service log rows: date and time, client IP and user name, destination host and port, protocol, client application (for example BearShare.exe, aim.exe), and result such as DROPPED or BLOCKED]

Web Proxy Service
[Slide shows sample Web Proxy Service log rows: client IP and user name, destination host and port, HTTP method and URL, cache status such as NotModified, bytes transferred, processing time, and browser user agent]
Reporting
- Daily, Weekly, Monthly, Annually, On-Demand
- Web-based

Reporting – Summary – Protocols
Protocols
The following communication protocols were used to carry network traffic through ISA Server during the report period. Protocols that have generated the most traffic are listed first.

Protocol               | Requests | % of Total Requests
UNKNOWN                | 22123198 | 45.1 %
HTTP                   | 13410830 | 27.4 %
Gnutella/Bearshare OUT | 9725296  | 19.8 %
DNS Query              | 1796926  | 3.7 %
HTTP - IN              | 598232   | 1.2 %
SMTP Server            | 310206   | 0.6 %
Reporting – Summary – Users
Top Users
The following users have generated the largest amounts of network traffic through ISA Server during the report period. Users that have generated more traffic are listed first. Network addresses are presented when user names are unknown to ISA Server.
Reporting – Summary – Top Web Sites
Reporting – Summary – Traffic
Reporting – Summary – Daily Traffic
Reporting – Web – Object Types
Reporting – Web – Browsers
Reporting – Web – OSs
Reporting – Applications – Top Applications
Reporting – Applications – Top Destinations
No | Destination IP | Unique Users | Requests | % of Total Requests | Bytes Out | % of Total Bytes Out | Bytes In | % of Total Bytes In | Total Bytes | % of Total Bytes
1 | 216.220.231.72 | 989 | 381297 | 1.0 % | 7.2 GB | 2.3 % | 169.2 MB | 0.6 % | 7.4 GB | 2.1 %
2 | 64.236.34.97 | 8 | 59 | 0.0 % | 6.9 GB | 2.2 % | 7.0 KB | 0.0 % | 6.9 GB | 2.0 %
3 | 216.220.231.71 | 794 | 276817 | 0.7 % | 5.9 GB | 1.9 % | 111.8 MB | 0.4 % | 6.0 GB | 1.7 %
4 | 203.250.58.177 | 1 | 2 | 0.0 % | 2.9 GB | 0.9 % | 7.2 MB | 0.0 % | 2.9 GB | 0.8 %
5 | 165.123.99.58 | 1 | 4 | 0.0 % | 1.9 GB | 0.6 % | 1.8 MB | 0.0 % | 1.9 GB | 0.6 %
Reporting – Security – Authorization Failures
No | User | Authorization Failures | % of Total Authorization Failures
1 | thomas.edu\couturej | 6914.0 | 23.5 %
2 | THOMAS.EDU\damonj | 6536.0 | 22.2 %
3 | thomas.edu\greenej | 2348.0 | 8.0 %
4 | THOMAS.EDU\beaudoink | 2290.0 | 7.8 %
5 | THOMAS.EDU\turcottesh | 2141.0 | 7.3 %
6 | thomas.edu\owensj | 1344.0 | 4.6 %
7 | THOMAS.EDU\cormierc | 1213.0 | 4.1 %
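An added example (not from the presentation and not ISA Server's reporting engine) showing the logic behind three of these summaries: requests per protocol, top users with the client address standing in for unknown names, and authorization failures per user. The log records, user names and the simplified record shape are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed records in a simplified shape (not ISA Server's own log schema):
# (client ip, user or "-" when the request was not authenticated, protocol,
#  bytes transferred, result). Users and addresses are made up for the example.
LOG = [
    ("10.10.5.82", "thomas.edu\\usera", "HTTP", 4412, "OK"),
    ("10.10.5.82", "thomas.edu\\usera", "HTTP", 612, "OK"),
    ("10.10.6.84", "-", "Gnutella/Bearshare OUT", 24057, "BLOCKED"),
    ("10.10.6.84", "-", "DNS Query", 64, "OK"),
    ("10.10.6.96", "thomas.edu\\userb", "HTTP", 0, "AUTH_FAILED"),
    ("10.10.6.96", "thomas.edu\\userb", "HTTP", 0, "AUTH_FAILED"),
    ("10.10.6.96", "thomas.edu\\userb", "HTTP", 390, "OK"),
    ("10.10.6.75", "thomas.edu\\userc", "HTTP", 0, "AUTH_FAILED"),
]

def protocol_summary(records=LOG):
    """Requests per protocol with share of the total, busiest protocol first."""
    counts = Counter(r[2] for r in records)
    total = sum(counts.values()) or 1
    return [(proto, n, round(100.0 * n / total, 1)) for proto, n in counts.most_common()]

def top_users(records=LOG):
    """Bytes per user, heaviest first; the client address stands in for the
    user name when the firewall did not authenticate the request."""
    by_user = defaultdict(int)
    for ip, user, _proto, nbytes, _result in records:
        by_user[user if user != "-" else ip] += nbytes
    return sorted(by_user.items(), key=lambda kv: kv[1], reverse=True)

def authorization_failures(records=LOG):
    """Failed authorizations per user with share of all failures, worst first.
    One account dominating this report deserves a look: a stale saved password
    on a client, or repeated attempts to use that account from the network."""
    fails = Counter(r[1] for r in records if r[4] == "AUTH_FAILED")
    total = sum(fails.values()) or 1
    return [(user, n, round(100.0 * n / total, 1)) for user, n in fails.most_common()]
```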
3rd-Party Add-ons
- Real-time viewing
- User quotas
- Anti-virus
Scalability
- Use arrays for fault-tolerance
- Behind or in front of other firewalls
ISA Server 2004 vs. 2000
Feature | ISA Server 2004 | ISA Server 2000
Network topologies | Unlimited multiple networks and types (internal, external, VPN, DMZ) | Single internal network, external network, and DMZ
Security policy | Per-network policy | One security policy
Layer 1 through 4 support | Stateful inspection on all network traffic | Stateful inspection only on traffic from/to LAT
Network routing | NAT or Route relationship | Always NAT from LAT
Content inspection | Complete stateful inspection on traffic to/from firewall | Traffic to/from firewall protected by static filters
VPN filtering | VPN natively supported through VPN network type | No stateful filtering on VPN traffic
Architecture | Performance-optimized multilayered filtering engine | Parallel Web Proxy and Firewall services
Management | All-new user interface | Standard MMC plug-in
VPN support | Adds IPSec Tunnel Mode | PPTP, L2TP IPSec
Other Firewall Products
- Check Point FireWall-1 (or Nokia 650)
- Secure Computing Sidewinder G2
- Symantec Enterprise Firewall with VPN 7.0
- WatchGuard Technologies Firebox 4500
- Cisco PIX Firewall 535
- Sonicwall
3rd Generation Firewall Comparisons
Product | Check Point Firewall-1 | Microsoft ISA 2004 | Secure Computing SidewinderG2 | Symantec Enterprise | WatchGuard Firebox4500
OS | Windows, Solaris, Linux, Nokia IPSO | Windows | SecureOS Unix | Windows, Solaris, Linux | N/A
Interfaces | 1,024 | Unlimited | 10 | Unlimited | 3
Stateful Packet Filtering | Y | Y | Y | Y | Y
Alerts | logs, e-mail, pager on all five products; SMS, SNMP, run script and Tivoli on some of them
Software price | $19,000 | $6,381 | included | $19,995 | n/a
Hardware price | $4,200 | $2,508 | $34,900 | $6,295 | $9,990
3rd Generation Firewall Comparisons
Network Computing Report Card (3/21/03 issue, page 60)
Category | Check Point Firewall-1 | Microsoft ISA 2000 | Secure Computing SidewinderG2 | Symantec Enterprise | WatchGuard Firebox4500
Protection (50%) | 4.75 | 4 | 4 | 3 | 2
Performance (20%) | 4 | 4 | 3 | 4.5 | 3
Management (15%) | 4.5 | 4.5 | 5 | 4 | 3
Reporting (10%) | 2 | 4 | 4.5 | 3 | 3
Price (5%) | 2 | 3 | 3 | 5 | 4
Total Score (100%) | 4.15 (B+) | 4.03 (B+) | 3.95 (B) | 3.55 (B-) | 2.55 (C-)
For More Information
Presenter
- Christopher (Chris) Rhoda
- Vice President for Information Services
- Thomas College, Waterville, Maine
- http://www.thomas.edu/chris/cumrec.ppt
- [email protected]
Comparison information courtesy of:
- Mike Fratto, Senior Technology Editor, Network Computing
- Executive Editor, Secure Enterprise
- [email protected]