Firewall Flameout

1
Firewall Flame-out

• Frank Crawford
• ANSTO
• ltfrank_at_ansto.gov.augt

2
Introduction

• Background
• Firewall Selection
• Installation
• Experiences
• Extensions
• War Stories
• Future

3
Background - ANSTO

• Scientific Research Centre
• More controlled than a university
• Less controlled than a business
• Long term usage of Internet
• Lots of different usage patterns and requirements

4
Background - Network

• 100 Workstations servers
• 600 PCs
• FDDI backbone
• 10/100 Mbit Ethernet connections
• 2Mb Microwave link to NSWRNO
• Unix, Unix Unix
• also some NT, Novell, OS/2, ...

5
Background - Scientists

• Access external research sites
• Access from external research sites
• Accessing ANSTO from other places
• e.g. middle of Hong Kong Harbour, Sri Lanka,
  Northern Territory
• Visiting scientists
• always want to go back home!
• External collaborators

6
Firewall Selection

• Government requirements - DSD
• E3 certified
• 1 and 2 1/2 choices
• Draft IM Security Policy
• Lots of preliminary study
• Firewalls mailing list
• Planned for a long time
• Study by consultant (Softway)

7
Firewall Selection (cont.)

• Limited tender
• Selected one that best suited environment
• Not cheapest, not most expensive
• Gauntlet V3.2
• runs on BSD/OS 2.1
• Local distributor - Softway
• PC platform
• Included installation by Softway

8
Installation - Design
9
Installation - Design - Outbound

• allow telnet, web, FTP, mail, news, ssh and
  system services
• web only through Squid cache
• no authentication required
• everything logged

10
Installation - Design - Inbound

• allow telnet, FTP, mail, news, ssh and system
  services
• access to external service network
• web and anonymous FTP
• require authentication
• currently using One-Time Password (S-Key)
• everything logged

11
Installation - Design - Modem

• allow web, FTP, mail, news, ssh and system
  services
• more restricted than outbound, less than inbound
• generally no authentication
• everything logged

12
Installation - Issues

• PC hardware is limited
• not enough slots, mixture of interfaces
• Firewall software is always behind
• Reports, reports and more reports
• Security manager
• busy
• Need knowledge of basic O/S

13
Installation - Highlights

• Installation downtime
• short (lt 1/2 day)
• 2nd router interface helped
• Smooth cutover
• Few changes needed
• Transparent proxies
• Packet filtering

14
Experiences

• However
• some extensions were needed
• System services
• need tightening up
• Users want more
• No more ping, traceroute, SNMP, ...

15
Extensions

• No proxies for UDP
• TFTP is messy
• needed for CISCO downloads
• need to use packet filter
• NTP is important
• run it on the firewall
• others sync to firewall
• DNS
• heaps and heap

16
More Extensions

• ssh
• very useful
• port on server tunnel
• Administration systems
• can do lots
• POP
• outbound - okay (I didnt say good)
• inbound - bad
• modem - so-so

17
War Stories (1)

• A continuing battle inwards and outwards
• Lots of messages - 16K lines/hour
• pings from inside, pings from outside
• Seems to attract attention
• Badly configured DNS
• Fast-scans
• Slow-scans
• Broadcast attacks

18
War Stories (2)

• Internal users even worse
• The firewall broke it!
• Netbank
• Library users
• specialised protocols
• Voyager (6000-6070)
• Z39.50
• Chat users
• port 6000 - same as Voyager!

19
War Stories (3)

• ActiveX
• Mail relaying
• Dorkslayers
• panic stations
• simple minded old proxy
• pick up FWTK proxy and merge in
• Total time from block to fix 36hrs
• time from warning to block 3 months!!

20
Future

• Keeping up with attacks
• More proxies
• Z39.50
• LDAP, IMAP4
• Keeping up-to-date
• O/S now unsupported
• Gauntlet fixes difficult
• VPN