ohne kopfschmerzen
play

OHNE KOPFSCHMERZEN CC-BY-SA Anders Henke Topics (My) Situation - PowerPoint PPT Presentation

May 21, 2023 •111 likes •520 views

GUUG Frhjahrsfachgesprch 2015 FIREWALLMANAGEMENT OHNE KOPFSCHMERZEN CC-BY-SA Anders Henke Topics (My) Situation Rock-Solid Technology Approach Data Model 2 25.03.2015 1&1 Internet AG (My) Situation

  1. GUUG Frühjahrsfachgespräch 2015 FIREWALLMANAGEMENT OHNE KOPFSCHMERZEN CC-BY-SA Anders Henke

  2. Topics  (My) Situation  Rock-Solid Technology  Approach  Data Model 2 25.03.2015 1&1 Internet AG

  3. (My) Situation  Internet Service Provider (Hosting, Access, …)  Hundreds of public services  Thousands of non-public services  Service-Oriented Architecture (SOA)  No constraints on technology  ~ 1200 developers, ~ 200 sysadmins, ~20 network engineers  There’s more than one way to do it!  Traditional Software development, Systems Operations, Applications Operations  DevOps(ish)  OpsDev(ish)  … and more.  Multi-layered defense in Depth  Using proven, rock-solid technology 3 25.03.2015 1&1 Internet AG

  4. Rock-Solid Technology “Roadblock in Palestine” by Harry Pockets, CC -BY-SA 3.0 4 25.03.2015 1&1 Internet AG

  5. Firewall Technology  Stateless Packetfilters  Simple, robust technology  Avoid Stateful Packetfilters  Easier to break than stateless packetfilters  Cool for egress traffic, not for ingress traffic  →little/no benefit to us and avoided, if possible “Roadblock in Palestine” by Harry Pockets, CC -BY-SA 3.0  No “Next -Generation Firewalls ”  Adds features we have no use for  Adds caveats we don’t want to have  →no benefits to us 5 25.03.2015 1&1 Internet AG

  6. Traditional Firewall 6 25.03.2015 1&1 Internet AG

  7. Traditional Firewall  Roadblock strictly separating any networks  Internet from internal networks  Internal networks from each other  Internal networks from Internet 7 25.03.2015 1&1 Internet AG

  8. Traditional Firewall Management  Lost in Translation  Dev gives connection requirements to Ops, Ops gives translates requirements to sysadmin, sysadmin translates to network-speak, firewall engineer translates to management software, firewall software translates to Cisco/Juniper/…  Consequences  Many Firewall tickets require “rework”  Getting firewall rules done right may take weeks. 8 25.03.2015 1&1 Internet AG

  9. Scalability  High demand of fine-granular internal firewall rules  More services, more hosts, more firewall rules  “We’re really secure, we do have tons of firewall rules”  Adding a single node to a cluster: up to 100 extra rules Adding “infrastructure” nodes: extra rules for every network   Exponential growth of fine-granular rules  Exceeding growth of customers  Exceeding growth of applications  Exceeding Moore’s law 9 25.03.2015 1&1 Internet AG

  10. Restart  Restart 10 25.03.2015 1&1 Internet AG

  11. New Network Firewalling Concept  Network Firewalling Zones  Fine-granular ACLs for public services  Subnet-granular ACLs from DMZ to internal networks  No network ACLs between internal networks  No network ACLs from internal networks to DMZ Public DMZ Internal 11 25.03.2015 1&1 Internet AG

  12. New Firewalling Concept  Network Firewalling Zones  Fine-granular ACLs for public services  Subnet-granular ACLs from DMZ to internal networks  No network ACLs between internal networks  No network ACLs from internal networks to DMZ  Host Firewall Public  Fine-granular netfilter ACLs on every host  Also secures access within the same subnet  Every host only has its own set of ACLs: O(1)  Application DMZ  Enforce Authentication / Authorization Internal 12 25.03.2015 1&1 Internet AG

  13. How to manage netfilter?  Custom scripting  Shell script, macro processor  Works well for very specific environments  You need to know what you’re doing.  Off-the-shelf software  Typically: one admin to rule them all  Does not fit our environment  Custom Management Software  Multi-user-aware  Tight integration with corporate Intranet, processes and tooling 13 25.03.2015 1&1 Internet AG

  14. Firewall Rule Management Software  Approach  Changes do typically affect a fraction of hosts  Diff is centrally calculated, a change notification broadcasted to affected hosts  On notification or agent restart, agents do poll new netfilter configuration  Netfilter configuration is cached locally and applied on agent restart. 14 25.03.2015 1&1 Internet AG

  15. Firewall Rule Management Software  No spreadsheet, no scripting language, no macro processor, no security groups  Sysadmins do know about IP addresses, ports and protocols  … Application Owners, Developers and Management don’t necessarily do.  Use a data model everyone understands!  Everyone should be able to read firewall rules!  Everyone should be able to write correct firewall rules!  Everyone should be able to approve/deploy their firewall rules! 15 25.03.2015 1&1 Internet AG

  16. Systems Architecture 16 25.03.2015 1&1 Internet AG

  17. Systems Architecture, Excerpt Application, Service, Consumer, Provider, Client Server … … 17 25.03.2015 1&1 Internet AG

  18. Firewall Management Data Model  Remember your average Monitoring system?  A cluster of hosts is running service “A”  Every object does have a distinct name and responsible team  Apply the same principles to firewalling. A 18 25.03.2015 1&1 Internet AG

  19. Firewall Management Data Model  Service A does access Service B. A B 19 25.03.2015 1&1 Internet AG

  20. Treat everything as a graph of linked nodes  Follow from service A (source) to its hosts A B  Destination = Definition of B  Consult source hosts for “ ip route get $destination ” • (Cache result as a fallback)  Deploy rule on hosts running service B  Create/Replace custom chain for service B  Fill in pre-calculated, ordered rules  Link custom chain to INPUT chain  Done!  Optionally: deploy on hosts running service A as an egress filter 20 25.03.2015 1&1 Internet AG

  21. Legacy and Management  Networks  CIDR-style networks do exist to integrate legacy sources  Groups  One can create and manage groups  Groups can contain any other objects A B 21 25.03.2015 1&1 Internet AG

  22. Spot the error! D A C B 22 25.03.2015 1&1 Internet AG

  23. Default Policies  Every service does have its own default policy  Restricted Service: default policy “reject”  Unrestricted Service: default policy “accept”  Host default policy = catch- all for “unknown”  If you’d like to access all services, create a rule involving all services.  If you need “access all areas”, create a rule involving all services AND the host. 23 25.03.2015 1&1 Internet AG

  24. Responsibilities  Responsibilities A B  Services running on a host are owned by the team running the host.  The team running the host may assign approval permissions for specific services to other teams.  Approvals  The requesting team has to be responsible for source or destination (host/service).  If the requesting team is responsible for destination, we’ll assume their approval; otherwise, we’ll request their approval.  Changes  Changing anything which results in re-deployment requires re-approval.  Until re-approval, the last approved stated is deployed. 24 25.03.2015 1&1 Internet AG

  25. Stories solved  Distributed authoring, approval and deployment of firewall rules  Simple data model, simple rules, simple auditing  “Workstations of Team Y and Jenkins may access Tomcat Admin Consoles of Team Y”  “Do what I mean” for IPv4/IPv6, incl. Default Address Selection A C B 25 25.03.2015 1&1 Internet AG

  26. Stories solved (2)  Rules may become more static  Clients do have less (recognizable) rules: more auditable • At best, every client only has a single rule with all destination services  When endpoints change: change the rule, don’t create additional rules A C B 26 25.03.2015 1&1 Internet AG

  27. Images  “Roadblock in Palestine” by Harry Pockets – Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons https://commons.wikimedia.org/wiki/File:Roadblock_in_Palestine.jpg 27 25.03.2015 1&1 Internet AG

  28. BACKUP 25.03.2015 1&1 Internet AG 28

  29. Firewall Management Data Model  How does this work? 29 25.03.2015 1&1 Internet AG

  30. Firewall Management Data Model  How does this work? 30 25.03.2015 1&1 Internet AG

  31. Services may be hosted on groups D A C B 31 25.03.2015 1&1 Internet AG

  32. Services are not limited to a single cluster. A C D B 32 25.03.2015 1&1 Internet AG

  33. Not yet implemented…  Calculate & Request Network-ACLs  Graphical Audit 33 25.03.2015 1&1 Internet AG

  34. Transformation of System Architecture to Firewall Rules Application Service 34 25.03.2015 1&1 Internet AG

  35. Transformation of System Architecture to Firewall Rules 35 25.03.2015 1&1 Internet AG

  36. Transformation of System Architecture to Firewall Rules 36 25.03.2015 1&1 Internet AG

  37. Transformation of System Architecture to Firewall Rules 37 25.03.2015 1&1 Internet AG

  38. Transformation of System Architecture to Firewall Rules 38 25.03.2015 1&1 Internet AG

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Ohne Genericity Ohne Genericity 7 8 class METRO_LINE feature class ROUTE feature start is do

1 Ohne Genericity Ohne Genericity 7 8 class METRO_LINE feature class ROUTE feature start is do

1 2 Einfhrung in die Programmierung Vorlesung 13: Container-Datenstrukturen Bertrand Meyer Letzte Bearbeitung 1. Dezember 2003 Chair of Software Engineering Introduction to Programming Lecture 13 Chair of Software Engineering

87 views • 7 slides
Evolution ohne zellulre Strukturen Szenen aus einer RNA-Welt Peter Schuster Institut fr

Evolution ohne zellulre Strukturen Szenen aus einer RNA-Welt Peter Schuster Institut fr

Evolution ohne zellulre Strukturen Szenen aus einer RNA-Welt Peter Schuster Institut fr Theoretische Chemie, Universitt Wien, sterreich und The Santa Fe Institute, Santa Fe, New Mexico, USA Seminar: Evolution Im Mittelpukt der

1.25k views • 94 slides
SMDG recommendation #2 Non-ISO container identifiers 63 rd SMDG MEETING, DUBAI Popular dummy

SMDG recommendation #2 Non-ISO container identifiers 63 rd SMDG MEETING, DUBAI Popular dummy

SMDG recommendation #2 Non-ISO container identifiers 63 rd SMDG MEETING, DUBAI Popular dummy prefixes in use Dummy prefix Remarks OHNE german (means 'without') NONE descriptive NONU Officially registered BIC-Code (Schenker Italiana).

531 views • 12 slides
Mike Dietrich BU Database Technologies ORACLE Deutschland GmbH Page 1 www.decus.de 1

Mike Dietrich BU Database Technologies ORACLE Deutschland GmbH Page 1 www.decus.de 1

IT-Symposium 2005 Mike Dietrich BU Database Technologies ORACLE Deutschland GmbH Page 1 www.decus.de 1 IT-Symposium 2005 Total synchron Daten retten ohne Downtime ?! Oracle DataGuard und Flashback Agenda Oracle Oracle DataGuard

400 views • 18 slides
Parallel Linux Clusters prof. Ing. Pavel Tvrdk CSc. Katedra potaovch systm Fakulta

Parallel Linux Clusters prof. Ing. Pavel Tvrdk CSc. Katedra potaovch systm Fakulta

Parallel Linux Clusters prof. Ing. Pavel Tvrdk CSc. Katedra potaovch systm Fakulta informanch technologi esk vysok uen technick v Praze Pavel Tvrdk, 2011 c InstallFest, 5.3.2011, VUT prof. Pavel Tvrdk

384 views • 34 slides
Big Data on Google Cloud Using Cloud Dataflow, BigQuery, and friends to process data the Cloud

Big Data on Google Cloud Using Cloud Dataflow, BigQuery, and friends to process data the Cloud

Big Data on Google Cloud Using Cloud Dataflow, BigQuery, and friends to process data the Cloud way William Vambenepe, Lead Product Manager for Big Data, Google Cloud Platform @vambenepe / vbp@google.com Agenda 1 Big Data at Google 2

969 views • 38 slides
Sicherheit in Wireless LANs VS-Seminar Wintersemester 2002/2003 Betreuer: Stefan Schmidt

Sicherheit in Wireless LANs VS-Seminar Wintersemester 2002/2003 Betreuer: Stefan Schmidt

Sicherheit in Wireless LANs VS-Seminar Wintersemester 2002/2003 Betreuer: Stefan Schmidt TECHNISCHE UNIVERSITT CAROLO-WILHELMINA 1 Praesentation.ppt ZU BRAUNSCHWEIG Florian Mller I nstitut fr B etriebssysteme und R echnerverbund

1.25k views • 78 slides
How to Drive More Traffic to Your Event Website Matt Clymer Online Marketing Specialist December

How to Drive More Traffic to Your Event Website Matt Clymer Online Marketing Specialist December

Event Directors Best Practices Webinar Series Presents How to Drive More Traffic to Your Event Website Matt Clymer Online Marketing Specialist December 16 th 2010 Todays Speakers Guest Speaker Moderator Ana Jesus Matt Clymer

1.09k views • 84 slides
Programmiertechnik Klassenmethoden Prof. Dr. Oliver Haase Oliver Haase Hochschule Konstanz 1

Programmiertechnik Klassenmethoden Prof. Dr. Oliver Haase Oliver Haase Hochschule Konstanz 1

Programmiertechnik Klassenmethoden Prof. Dr. Oliver Haase Oliver Haase Hochschule Konstanz 1 Motivation Programm zur Berechung von public class Eval1 { public static void main(String[] args) { java.util.Scanner scanner = new

751 views • 27 slides
EBEEOFFICE A PRODUCT BASED ON DIGITAL TRUST

EBEEOFFICE A PRODUCT BASED ON DIGITAL TRUST

STATE OF THE ART LARGE-SCALE CONCEPT SECURITY NOTIONS Proprit dalmerys, filiale de France tlcom - Orange document valeur non

731 views • 52 slides
The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael OKeeffe The College of New Jersey Mathematics Department April 18, 2008 A BSTRACT So long as there are secrets, there is a need for encryption

357 views • 16 slides
Redes de Computadores Adriano Mauro Cansian adriano@acmesecurity.org Captulo 1 Introduo

Redes de Computadores Adriano Mauro Cansian adriano@acmesecurity.org Captulo 1 Introduo

unesp - IBILCE - SJRP Curso de Redes de Computadores Adriano Mauro Cansian adriano@acmesecurity.org Captulo 1 Introduo unesp - IBILCE - SJRP Metas Veremos os contextos principais. Com uma viso geral e intuitiva de redes.

1.2k views • 103 slides
1. Interaction between convection and large-scale tropical circulations 2. Modern theories of

1. Interaction between convection and large-scale tropical circulations 2. Modern theories of

1. Interaction between convection and large-scale tropical circulations 2. Modern theories of monsoons 3. Tipping points in monsoons? Simona Bordoni Environmental Science and Engineering California Institute of Technology ICTP Summer School

730 views • 56 slides
Disclosures No financial relationships Updates and Controversies in with industry

Disclosures No financial relationships Updates and Controversies in with industry

Disclosures No financial relationships Updates and Controversies in with industry Perioperative Medicine No discussion of unapproved medications, but non-FDA approved indications will be presented Hugo Quinny Cheng, MD Division of

446 views • 10 slides
Hydrogen Redistribution and Surface Effects in Silicon Solar Cells Dr. Phillip Hamer, ACAP

Hydrogen Redistribution and Surface Effects in Silicon Solar Cells Dr. Phillip Hamer, ACAP

Faculty of Engineering School of Photovoltaic and Renewable Energy Engineering Hydrogen Redistribution and Surface Effects in Silicon Solar Cells Dr. Phillip Hamer, ACAP Postdoctoral Fellow 27 th March 2019 Outline Shameless Self

493 views • 46 slides
Jason Roberts, October 2015 Topics for this session Why use covariates other than x and y?

Jason Roberts, October 2015 Topics for this session Why use covariates other than x and y?

Jason Roberts, October 2015 Topics for this session Why use covariates other than x and y? What other covariates are there? Dynamic spatial covariates: how hard can it be? Covariates for our sperm whale model Man any im images s

1.29k views • 89 slides
Statistical inference in transport-fragmentation Hoffmann models Genealogical versus temporal

Statistical inference in transport-fragmentation Hoffmann models Genealogical versus temporal

Statistical inference in transport- fragmentation models Marc Statistical inference in transport-fragmentation Hoffmann models Genealogical versus temporal data The size Marc Hoffmann dependent division rate model Paris-Dauphine

859 views • 68 slides
Novit terapeu-che nelle mala3e mieloprolifera-ve croniche Ph nega-ve Francesco Passamon-

Novit terapeu-che nelle mala3e mieloprolifera-ve croniche Ph nega-ve Francesco Passamon-

Novit terapeu-che nelle mala3e mieloprolifera-ve croniche Ph nega-ve Francesco Passamon- Universit dellInsubria Varese - Italy ESMO Guidelines for PV Vannucchi et al, Ann Oncol. 2015 Sep;26 Suppl 5:v85-99 PROUD-PV, a randomized

717 views • 43 slides
Advanced micromagnetics and atomistic simulations of magnets Richard F L Evans ESM 2018 Overview

Advanced micromagnetics and atomistic simulations of magnets Richard F L Evans ESM 2018 Overview

Advanced micromagnetics and atomistic simulations of magnets Richard F L Evans ESM 2018 Overview Micromagnetics Formulation and approximations Energetic terms and magnetostatics Magnetisation dynamics Atomistic spin

555 views • 53 slides
An Enhanced Hail Detection Algorithm for the WSR-88D A RTHUR W ITT , M ICHAEL D. E ILTS , G REGORY

An Enhanced Hail Detection Algorithm for the WSR-88D A RTHUR W ITT , M ICHAEL D. E ILTS , G REGORY

286 W E A T H E R A N D F O R E C A S T I N G V OLUME 13 An Enhanced Hail Detection Algorithm for the WSR-88D A RTHUR W ITT , M ICHAEL D. E ILTS , G REGORY J. S TUMPF ,* J. T. J OHNSON , E. D E W AYNE M ITCHELL ,* AND K EVIN W. T HOMAS *

493 views • 18 slides
Regenerate Failing Hearts! Results from the MSC-HF Trial Anders Bruun Mathiasen, M.D.

Regenerate Failing Hearts! Results from the MSC-HF Trial Anders Bruun Mathiasen, M.D.

Stem Cells Regenerate Failing Hearts! Results from the MSC-HF Trial Anders Bruun Mathiasen, M.D. Rigshospitalet, Copenhagen University Hospital Copenhagen, Denmark What we found Stem cell treatment in severe heart failure Treatment safe

317 views • 6 slides
CEE 370 Environmental Engineering Principles Lecture #32 Wastewater Treatment III: Process

CEE 370 Environmental Engineering Principles Lecture #32 Wastewater Treatment III: Process

Print version Updated: 26 November 2019 CEE 370 Environmental Engineering Principles Lecture #32 Wastewater Treatment III: Process Modeling & Residuals Reading M&Z: Chapter 9 Reading: Davis & Cornwall, Chapt 6-1 to 6-8 Reading:

722 views • 37 slides
Vitess on Kubernetes followed by a demo of VReplication Jiten Vaidya jiten@planetscale.com A

Vitess on Kubernetes followed by a demo of VReplication Jiten Vaidya jiten@planetscale.com A

Vitess on Kubernetes followed by a demo of VReplication Jiten Vaidya jiten@planetscale.com A word about me ... Jiten Vaidya - Managed teams that operationalized Vitess at Youtube CEO at PlanetScale Founded in early 2018 to help

802 views • 22 slides
NEAREST NEIGHBOR RULE Jeff Robble, Brian Renzenbrink, Doug Roberts Nearest Neighbor Rule

NEAREST NEIGHBOR RULE Jeff Robble, Brian Renzenbrink, Doug Roberts Nearest Neighbor Rule

NEAREST NEIGHBOR RULE Jeff Robble, Brian Renzenbrink, Doug Roberts Nearest Neighbor Rule Consider a test point x. x is the closest point to x out of the rest of the test points. Nearest Neighbor Rule selects the class for x with the

573 views • 33 slides

More recommend