290 likes | 488 Views
Firewalls and VPNs at Stanford: August 22, 2003. Steve Tingley & Sunia Yang tingley@networking, sunia@networking Networking Systems. Topics. Changing how we look at networking Security by protocol stack Why protect the network Costs Specific pros & cons of firewalls
E N D
Firewalls and VPNs at Stanford: August 22, 2003 Steve Tingley & Sunia Yang tingley@networking, sunia@networking Networking Systems
Topics • Changing how we look at networking • Security by protocol stack • Why protect the network • Costs • Specific pros & cons of firewalls • Specific pros & cons of VPNs
"Old" Way of Looking at Networks • Open access • Get all bits from here to anywhere ASAP • Packet loss is bad in all cases
"New" Way of Looking at Networks • Only let in/out "good" known traffic • Block all bad traffic • Use network device (firewalls/vpns) to make up for insecure transports, insecure applications, unpatched systems • Use network to partially centralize IT admin in distributed environment
Security by Protocol Stack • Firewalls and VPNs are just part of a total security approach • Firewall would not have caught bugbear-b virus • Firewall at Stanford border would not have prevented Windows RPC exploits
Physical Layer Security (Fences) • "If you can touch it, you can hack it" • Lock up servers, network closets • Wireless- • firewall defeated if wireless behind firewall • allowing unencrypted wireless session through firewall defeats data security
Data layer (bus vs star topology) • Switches as security device • isolates conversations- sniffer protection • may misbehave and "leak" • block by hardware address • not possible in all switches • hardcode hw address to port- tedious, unscalable
Network/Transport Layers (Guardposts checking license plates) • Filter traffic by IP addresses and ports • Router ACLs (may be leaky) • Firewalls • Require secure protocols or vpn • data encrypted (ssl, ssh) • encrypted data could still be virus or worm
Application Layer (Stuff inside car) • Design in security • good architecture- 3 tier • no clear text passwords • secure transports • Proxy "firewalls" • screens traffic at app layer before passing to real application • Good sys admins • patch, antivirus-software • turnoff unused services
Why implement security? • Financial risks • loss of data and reputation • cost of cleaning hacked machines • Legal risks • Hipaa (medical data), Ferpa (student records) • lawsuits
Why firewalls/vpns? • Physical and data layer security is critical • mostly implemented already (except wireless) • Too many badly architected apps on market • Often best return of security for given staff, time and money
Costs • re-educate users accustomed to open net • training on protocols, apps, security • staff time • monitor vulnerabilities in firewalls/vpns • monitor traffic for break-ins • troubleshooting - good tight rules can break app if new revision, etc. • equipment- hardware and software • firewall, vpn concentrator, vpn client • traffic analysis tools, monitoring/log servers
Firewall Specifics • Most common security deployed at network/transport layer • Helps restrict who talks to who
Firewall Pros • For limited staff time and money, may get most amount of security • if firewall placed properly • if staff actively watching network • Ex.- slammer worm targets port 1434. • adding firewall or router rule to block 1434 is much faster than patching all machines
Firewall Cons- #1 • Inconvenience to users • re-educate users • good rules > minor changes may break app • need good communication, docs and response • protective rules constrain traffic • ex. protecting workstations by denying incoming connections may break peering apps
Firewall Cons- #2 • Incomplete security • Firewall does not protect needed server ports • e.g., if running IIS server, need to open hole for http. IIS vulnerability still must be patched. But may prevent hacker from reaching backdoor • Does not protect against email viruses/worms • May lead to complacency in Sys Admins, app developers, users
Firewall Costs- #1 • Software & Hardware costs • firewalls, maintenance, support, spares • network analyzer • management/log/monitoring tools • management/log/monitoring servers
Firewall Costs- #2 • Staff costs • Training • Traffic analysis and rule development • Monitoring traffic, vulnerabilities, breakins • Rule changes- proactive or reactive? • Meetings and politics • Documentation, rule change processes
Firewall Technical Issues • Manageable rule set vs. many exceptions • False positives • ex. Monitoring pings might look like icmp attack • Hard to secure port-hopping apps- VPN? • Session timeout limits • Server initiates new session to client (AFS) • Reply to client from different IP
VPN Specifics • Common way to deal with application data transparency by encrypting • Another layer of authentication and authorization
VPN Pros • With limited staff time and money, may get most application layer security • Sometimes can be used to enforce patch level of client operating systems
VPN Cons- #1 • Inconvenience • not all VPN clients compatible or can co-exist • VPN clients fiddle with host's tcp/ip stack • may break some apps • may break IP dependent services • split tunnel issues- discussed later
VPN Cons- #2 • Incomplete security • Does not protect if client machine hacked • in fact, provides encrypted tunnel for hacker • May lead to complacency in users, Sys Admins, app developers
VPN Costs- #1 • Software & Hardware costs • VPN concentrator, maintenance/support, spares • VPN clients, maintenance, support • management/log/monitoring tools • management/log/monitoring servers
VPN Costs- #2 • Staff costs • Training • Monitoring traffic, vulnerabilities, breakins • VPN client support/upgrades • VPN user administration • Meetings and politics • Documentation, rule change processes
VPN Technical Issues- #1 • Scalability issues • Encryption overhead affects throughput • VPN client picks up new IP • Software vs hardware VPN clients • cost vs convenience vs compatibility
VPN Technical Issues- #2Split Tunnel • only traffic to specific servers is encrypted • pros- performance • less encryption overhead • less traffic to central VPN concentrator • cons- security • if client host is hacked, hacker can control VPN session
Stanford VPN Beta • URL: • No free client for Mac OS 8 or 9 • Hostname: su-vpn.stanford.edu • Group Access Information • Group: Stanford • Password: Stanford Use SUNet ID and password when prompted
Questions and Feedback • Thanks to Information Security Services for reviewing technical accuracy and completeness.