purpose present drivers and context for firewalls define firewall technology present examples of...

Upload: howard-blankenship

Post on 06-Jan-2018

Page 1: Purpose Present Drivers and Context for Firewalls Define Firewall Technology Present examples of Firewall Technology Discuss Design Issues Discuss Service

Purpose

• Present Drivers and Context for Firewalls
• Define Firewall Technology
• Present examples of Firewall Technology
• Discuss Design Issues
• Discuss Service and Support Issues
• Exchange Ideas and Concerns about Risk, Security and Firewalls

NOT

• An unveiling of a firewall service at SU
• A definition of a firewall service
• A forum for final decisions
• An exhaustive technical presentation
• A specific review of SU implementations

Data

Category A

Client

Access

Security

S = 1/A

Remote

Wireless

Risk

Mitigation

Affiliation

Authentication

Authorization

Host

Firewall

Balance

Packet

Header

Source

Destination

Port

Firewall

Router

Classic

[Figure: Classic DMZ Firewall Architecture (labels: Internet, Enterprise)]

Rules

Permit

Deny

Established

Tiers

TYPICAL FIREWALL DESIGN WITH MULTIPLE TIERS

Internet/SUNet

• Web Tier (Presentation Layer): Web pages, presentation, no direct access to data layer
• Application Tier (Middleware Layer, Business Logic Layer, Report Query Layer): Systems with access to data layer. Possible location for data that is not highly sensitive
• Data Layer (Data Base Layer, Data Warehouse Layer): Sensitive Data. Highest Risk if compromised

Network communications between tiers are controlled and restricted by the firewalls
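
A sketch of the tiered policy in the diagram above, as an added example that is not part of the original slides: a first-match rule set with default deny, return traffic allowed only for tracked connections, and an audit for permit rules that skip a tier. The zone identifiers follow the slide; the port numbers, rule contents and all function and class names are assumptions.

```python
from dataclasses import dataclass

ZONES = ["internet", "web", "app", "data"]  # outermost to innermost tier

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source zone, or "any"
    dst: str     # destination zone, or "any"
    port: int    # destination TCP port, 0 = any

# Constructed rule set (ports are assumed): each tier may only open
# connections to the next tier inward.
RULES = [
    Rule("permit", "internet", "web", 443),
    Rule("permit", "web", "app", 8443),
    Rule("permit", "app", "data", 5432),
    Rule("deny", "any", "any", 0),  # explicit default deny
]

def evaluate(rules, src, dst, port):
    """First matching rule wins; no match fails closed."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, 0):
            return r.action
    return "deny"

class Firewall:
    """Simplified stateful filter: remembers permitted connections."""
    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()

    def connect(self, src, dst, port):
        action = evaluate(self.rules, src, dst, port)
        if action == "permit":
            self.tracked.add((src, dst, port))
        return action

    def reply(self, src, dst, port):
        """Return traffic passes only if dst opened the connection to src."""
        return "permit" if (dst, src, port) in self.tracked else "deny"

def tier_skipping_permits(rules):
    """Audit: permit rules that reach a zone more than one tier inward."""
    def span(zone):
        return ZONES if zone == "any" else [zone]
    return [r for r in rules if r.action == "permit" and any(
        ZONES.index(d) - ZONES.index(s) > 1 for s in span(r.src) for d in span(r.dst))]
```

Running the audit before a rule set is approved catches a permit such as web to data, which would give the presentation tier the direct data-layer access the design rules out.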

Layers

Zones

Vulnerabilities

Horizontal

Vertical

Development

Production

NOT

• An unveiling of a firewall service at SU
• A definition of a firewall service
• A forum for final decisions
• An exhaustive technical presentation
• A specific review of SU implementations

Service

ITSS Firewall Service Typical Workflow

[Figure labels: WORP ISO App Support; Clients, Users, Customers, Architects; Ethernet; Data; Server (x4)]

Roles shown: ITSS SPOC, Security Person, Network Person, Application Person, TSS Systems Person, Auditor

Workflow, in order:

• Client Requests, Application Planning, Auditor Mandate
• Submit a HelpSU for Review and Architecture
• Create a Cross Functional Team
• Review the Application, Draw the dependencies
• Fill out Application Questionnaire
• Design the network infrastructure
• Create a Rule Set, Get Security Approval
• Install the firewall infrastructure or Install the hosts in an existing infrastructure
• Test, Accept, Go Live
• Monitor for operations, Monitor for effectiveness

SPOC

Inventory

Questions

APPLICATION INVENTORY FOR FIREWALL

1. What is the name of the application?
2. What are the names, locations, OS types, and IP addresses of the computers that host the application? Include the TCP ports that the application uses.
3. Are there unique development and/or testing environments?
4. If yes to #3, will the application use http or https or both?
5. What measures of usage do you have? Are there peak periods of usage?
6. Is there a web server component to the application? If yes, on which computer will it be installed?
7. Is there a database component to the application? If yes, on which computer(s) will it be installed?
8. If yes to #7, is the data sensitive University data – data that is protected by one of the Federal Privacy Acts?
9. Is there a unique application layer that mediates between the web services and the database services? If yes, on which computer(s) will it be installed?
10. Who will install, upgrade and maintain the application? These are the application supporters.
11. Will the application supporters need direct access to the web, application and/or database server? Will Firewall Exceptions rules be needed to grant this access?
12. Are the application supporters Stanford employees or outside vendors/contractors?
13. How is change managed in the application? What are the maintenance windows?
14. Will the servers need AFS access?
15. Will the servers need NFS access?
16. Will the servers need Kerberos access?
17. How will the servers be backed up?
18. Will the servers need NTP access?
19. What Windows domain will the servers be using?
20. What type of ongoing service monitoring will be in place?
21. Who is the appropriate person to make Security decisions about the application?
22. How many users do you expect to be using the application?
23. What is the user authentication that will be used for the application?

Pictures

Rules

Risk

Escalation

Moves

Acceptance

Troubleshooting

VPN

Secure Application Access via VPN Technology

Internet/SUNet

• VPN Client
• VPN Concentrator: AUTHN Challenge. Yes or No? Get an IP
• AUTHN Challenge: What groups are you in? AUTHZ set
• Directory Services, Workgroup Services, AFS Flat Files, Radius Service
• AUTHN and AUTHZ scripts
• VPN Firewall
• Secured SU resources: Axess, Delphi, etc.
• Connections via direct tunnels or via forsythemrgw
• Secure transport via encryption. No split tunnels

Monitoring

Audit

Costs

Numerator

Denominator

Risk Costs