firewall on demand
play

Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February - PowerPoint PPT Presentation

Nov 07, 2022 •208 likes •470 views

GRNET Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Contents 2 Firewall-On-Demand Motivation & Technology background Implementation Future plans &

  1. GRNET Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia

  2. Contents 2  Firewall-On-Demand  Motivation & Technology background  Implementation  Future plans & synergies 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  3. MOTIVATION & TECHNOLOGY 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  4. DDoS illustated 4 Attackers use zombies 1 zombie: Relative easy to handle army of zombies: big problem…: @ 1Meg: 100 = 200Meg • 500 = 500Meg • 2,000 = 2Gig • 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  5. Motivation 5  Need for better tools to mitigate transient attacks and anomalies  eg DDOS, spambots, viruses, scans, …  “ Better ” in terms of  Granularity : Per-flow level  Source/Dest IP/Ports, protocol type, DSCP, TCP flag, fragment encoding …  Action : Drop, rate-limit, redirect  Speed : 1-2 orders of magnitude quicker  (seconds/minutes rather than hours/days)  Efficiency : closer to the source, multidomain  Automation : integration with other systems (eg IDS/IPS, log analyzers,…)  Manageability 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  6. BGP FlowSpec 6 RFC 5575, August 2009 “Dissemination of flow specification rules with BGP”  Allows BGP to propagate an n-tuple filter with flow matching criteria and actions  matching criteria: a combination of source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flag, fragment encoding, etc…, E.g.:  all packets to 10.0.1/24 and TCP port 25  all packets to 10.0.1/24 from 192.0.0.0/8 and destination port {range [137, 139] or 8080  Filtering actions: accept, discard, rate-limit, sample, redirect, etc...  Information independent of unicast routing (different NLRI).  …But it is automatically validated against unicast routing. 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  7. Advantages of signaling via BGP 7  An incremental addition to deployed mechanisms  Complexity/scalability issues already solved, proven scalability and flexibility of BGP in adding new services  Multicast, IPv6, L3 VPN, L2 VPN, VPLS  Reuse of:  internal route distribution infrastructure (e.g.: route reflector or confederation design)  existing external relationships (e.g.: inter-domain BGP sessions to a customer network)  A trust model already in place  normally follows (the well-established trust of) unicast routing  Accept filter when advertised by next-hop for the destination prefix (compare destination address of traffic filtering rule with best match unicast route for this prefix)  Originator of filter and unicast route must be same.  No more specifics from a different AS.  Can be overridden 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  8. Comparing BGP flowspec with… 8 Traditional Firewalls, ACLs BGP blackhole routing (Complementary technologies, Flowspec can be considered as rather than competitive) an enhancement of BGP  No need for expensive, blackhole routing: dedicated hardware  Distributed across the network,  Less coarse applied as soon as traffic enters  More actions the network  Separate NLRI  Actions closer to the source (no capacity wasting)  Adequately fine-grained, even on core/backbone networks  Multidomain – easy propagation towards the upstream  Easy automation & integration 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  9. BGP FlowSpec Status 9  RFC 5575, August 2009  Vendor support:  Juniper : Supported in JUNOS since 7.3 !!!!  Cisco : Not supported, no official plan…   But participates in the RFC  Other big vendors: No  But: Supported by Quagga, ExaBGP and some other routing daemons  IPv6 support: No 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  10. GRNET FoD Implementation 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  11. Design Principles (1) 11  Goal: A service that will allow GRNET customers to mitigate transient attacks & anomalies at their upstream (GRNET) level  NOT a permanent firewalling service. Rules should be removed at the end of the attack (otherwise auto-expire).  Target audience: GRNET customers (NOCs)  Target network: GRNET  Web-based tool, shibboleth authentication of the users  Customers can control which of their users have access to the tool through appropriate “Entitlement” 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  12. Design Principles (2) 12  Functionality  Implementation of transient firewall filters across all GRNET routers  empowered by BGP flowspec  Flow granularity:  Source/Destination IPs  Source/Destination ports  More to be added in later versions (eg TCP flags)  Flow Manipulation:  Drop  Rate limit to three predefined values: 10Mbps. 1Mbps, 100Kbps  More actions may be allowed in later versions, eg redirect  Authorization & Security  Customers should only not be able to affect traffic destined to themselves  GRNET core network must be immune to the tool (in case of bug, misbehavior, compromise) 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  13. Design Principles (3) 13  Programmatic API  REST API to be added in future versions, in order to allow integration with other tools  Coding:  Secure  Based on modern technologies  Open: Open-source license, well-documented, no GRNET- specifics or hardwired stuff  Synergies:  Customers  GEANT & NRENs  GRNET or 3rd party security tools. CERT/CIRTs, IPS/IDS,… 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  14. FoD Operation Overview 14 GEANT IX Customer’s NOC representative  logs into a web tool (shibboleth) and describes flows and actions Flow destination is validated  against the customer’s IP space A dedicated router is configured  (netconf) to advertise the route via BGP flowspec eBGP sessions propagate the n-  FoD tuple to GRNET router(s). iBGP further propages the tuples to all GRNET routers. FoD router Dynamic firewall filters are  implemented on all routers Attack is mitigated (dropped,  GRNET rated-limited) upon entrance FoD Customer UI End of attack: Removal via the  tool, or auto-expire Customer 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  15. User Interface (1) 15 Firewall-On-Demand 15 February 2012, APM meeting, Dubrovnik

  16. User Interface (2) 16 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  17. Demo (iperf simulated attack) 17 A 100Mbps attack Typically less than 15 seconds Flow limited to 100Kbps

  18. Implementation - Architecture 18

  19. Implementation - Technologies 19  Open Source project  Python Django ORM & jQuery Javascript lib  Multilayered architecture  Shibboleth: User authentication based on special attrib  Django: UI rendering & db modeling  Long polling: fetch updates without reloading  Celery/beanstalk: apply configuration without locks  nxpy: Network XML to python classes proxy  Ncclient: python netconf client (ncclient)  Caching, cron jobs, REST API (next release), mobile interface (future release) 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  20. Information Flow 20 • User login • Rule management • Creation, modification, removal UI • Notifications, status • Transform rules to python objects • DB operations • Transform python objects to netconf XML configuration Middleware • Apply XML configuration via XML RPC to device • Save received configuration to device (switch) • Propagate rule via eBGP to peer routers • Rule filters and acts on matching flows Network 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  21. Status 21  Alpha version of the service already running http://fod.grnet.gr/  Pre-production (beta) within February  Source code soon to be released: http://code.grnet.gr/ 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  22. Future & Synergies 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  23. Expanding the service to the GEANT community 23  Phase 1: GEANT participation  Configure routers to accept BGP flowspec NLRI  Establish BGP peerings with GRNET  Peerings are protected by route-maps  GRNET customers’ filters are applied at GEANT level PARTICIPATING GEANT NREN  Phase 2: NREN participation  Juniper equipment is required  GRNET  Also, NREN Customers could propagate their filters through their bgp peerings instead of using the UI Customer FoD 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

  24. Synergies with security teams 24  Connect to the domain’s IPS/IDS, honeypots, …  Connect to GEANT anomaly detection tool  Connect to any CERT/CIRT team that we trust  “Soft” actions can make adoption easier  Rate-limit instead of drop 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Firewall-On-Demand

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and Exploitation Wojciech Mostowski and Erik Poll Digital Security Radboud University Nijmegen The Netherlands http://www.cs.ru.nl/~{woj,erikpoll}/

818 views • 42 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

533 views • 25 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of firewall configuration complexity leads to errors coordinated changes on many devices are hard multi-vendor environments make the job even

314 views • 28 slides
1 Four general techniques: Design goals: All traffic from inside to outside must pass

1 Four general techniques: Design goals: All traffic from inside to outside must pass

Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides . Fall 2008 CS 334: Computer Security 1

546 views • 5 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh Shanmugasundaram, Herve Bronnimann, Nasir Memon 600.624 - Advanced Network Security version 3 Overview Questions Collaborative Intrusion Detection

1.29k views • 58 slides
Chapter 4: Manipulating Routing Updates CCNP-RS ROUTE Ali Aydemir Chapter 4 Objectives

Chapter 4: Manipulating Routing Updates CCNP-RS ROUTE Ali Aydemir Chapter 4 Objectives

Chapter 4: Manipulating Routing Updates CCNP-RS ROUTE Ali Aydemir Chapter 4 Objectives Describe network performance issues and ways to control routing updates and traffic. Describe the purpose of and considerations for using

1.49k views • 105 slides
Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering Rate limits Protection against traffic analysis Padding Routing control Lecture 9 Page 1 CS 236 Online Source Address Filtering

366 views • 11 slides
Generic Router Assist Presenter: Tony Speakman Co-authors: Brad Cain Ken Calvert Christos

Generic Router Assist Presenter: Tony Speakman Co-authors: Brad Cain Ken Calvert Christos

51st IETF 6 August 2001 Generic Router Assist Presenter: Tony Speakman Co-authors: Brad Cain Ken Calvert Christos Papadopoulos Don Towsley Swapna Yelamanchi 51st IETF 6 August 2001 Page 1 Outline Model of Operation Filter

245 views • 13 slides
Agenda Topology Discovery Background Limitations using mrinfo-rec A new probing tool:

Agenda Topology Discovery Background Limitations using mrinfo-rec A new probing tool:

MERLIN Measure the Router Level of the INternet Pascal Mrindol, Benoit Donnet, Jean-Jacques Pansiot, Matthew Luckie, Young Hyun Kaiserslautern - June 2011 Next Generation Internet 2011 Agenda Topology Discovery Background Limitations

414 views • 9 slides
Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich

Perfect Imitation and Secure Asymmetry for Decoy Routing Systems with Slitheen Cecylia Bocovich Ian Goldberg 20 June 2017 EPFL Summer Research Institute Censorship Censors may monitor, alter or block traffic that enters or leaves their area

909 views • 53 slides
Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Whlisch PEERING The BGP Testbed The BGP

1.56k views • 52 slides
Jobber Automating Inter-Tenant Trust in The Cloud Andy Sayler Eric Keller Dirk Grunwald How

Jobber Automating Inter-Tenant Trust in The Cloud Andy Sayler Eric Keller Dirk Grunwald How

Jobber Automating Inter-Tenant Trust in The Cloud Andy Sayler Eric Keller Dirk Grunwald How can we make the Data Center... more efficient? more secure? more manageable? Over 50% Enterprise Companies Use Cloud Infrastructure* * Cohen,

1k views • 59 slides

More recommend