Firewall Implementation

1
Firewall Implementation

• UCET 2003

2
Objective of this course

• Provide basic information about installing and
  configuring Network Firewalls for use within the
  UEN Network
• Demonstrate current accepted methods of
  implementing firewalls
• NAT/PAT vs. Public Addresses
• Provide direction on firewall rule sets
• Lots of time for QA
• Get you out of here in a reasonable time

3
Types of Firewall Implementation
4
Basic Types of Firewall Implementation

• There are 3 types of basic firewall
  implementation
• Transparent / Bridging Firewalls
• The Sandwich Firewall
• VLAN Switch Implementation

5
Types of Firewall Implementation

• Transparent / Bridging Firewall
• Pros
• It is Transparent to the Traffic crossing the
  network
• It is a very fast firewall capable of High
  Bandwidth Monitoring
• Easy to Implement in most scenarios
• Cons
• Bridging firewalls are usually very expensive
• NAT/PAT Options are not available on the Firewall
• VPN and other features are not on the Firewall
• Does not allow for DMZs on the same Firewall

Traffic from the outside router is routed
directly to the inside router without a decision
being made on the Firewall
6
Types of Firewall Implementation

• The Sandwich Firewall Implementation
• Pros
• Many inexpensive models are available
• NAT/PAT/VPN Options available on many models
• Capable of DMZ implementation
• Cons
• Slightly more difficult to implement
• May require the purchase of additional equipment
  to implement (eg Router)

Traffic from the outside router is statically
routed to the outside of the firewall and then
once through the firewall is statically routed to
the inside router
7
Types of Firewall Implementation

• Firewall VLAN Implementation
• Pros
• Can be done without additional equipment
• NAT/PAT/VPN Options available
• Capable of DMZ implementation
• Cons
• Relies on VLANs for Security
• Not a highly recommended solution by security
  experts But it will work

Protected LAN
8
NAT and PATvsPublic Addressing
9
NAT/PAT vs. Public Addressing

• PROS
• NAT/PAT adds a layer of security to Hide
  devices within your network.
• NAT/PAT saves address space.
• CONS
• NAT/PAT makes implementation more complicated.
• NAT/PAT alone do not provide sufficient security.
• NAT/PAT does not work well with a variety of
  applications.
• NAT/PAT makes it more difficult to provide
  services to the Public network effectively.

10
NAT/PAT vs. Public Addressing

• PROS
• Public Addressing is generally easier to
  implement on firewalls
• Easier to provide public accessible services on
  your network.
• CONS
• Public Addressing consumes more address space
• Public Addressing facilitates more exposure to
  your internal networks

11
Firewall Ruleset Implementation
12
Firewalling Rulesets

• There are 2 Basic approaches to implementing
  rulesets on your firewall
• Block all and Allow
• Allow all and Block
• Each have their Pros and Cons

13
Block all and Allow

• This method is generally the most secure
  implementation of a firewall ruleset.
• But, this method tends to have the higher
  implementation headache because of its closed
  nature
• Unknown applications on the network which use odd
  ports and need access through the firewall.
• Common applications which and not completely
  secure needing access through the firewall.
• Instant Messengers etc
• This method should be done after close monitoring
  of traffic across the network for a long period
  of time using network sniffers or other monitors
  to try and map the legitimate services on your
  network needing access through the firewall
• It is recommended that you use a DMZ for all
  general services which provide public
  information, or in other words, anything that
  needs to be accessed by the public internet
  SHOULD be placed in the DMZ
• This should be the first method considered when
  implementing rulesets on your firewall if
  possible to implement

14
Allow and Block

• Allow and Block is basically the opposite.
  Although it is capable of adding security to a
  network, it is a less secure implementation based
  on the fact that you will continue to allow some
  malicious traffic enter the network.
• This method is much easier to implement, and
  allows for a slower more methodical approach for
  implementation.
• This method does not generally effect the
  Unknown Application problem thereby making
  implementation go much smoother
• This approach is basically an attempt to remove
  the Critical Security Concerns on the network
  first, and slowly implement a more closed network
  posture.
• This solution should only be considered if a
  Block all and Allow solution is not possible.

15
OK I have a Firewall, What Next
16
Implementation RecommendationsNext Steps

• If you are currently stuck on how or where to put
  your firewall, let us recommend some next steps.
• Leverage the UEN Engineering and Security
  Departments to help with your implementation
• Help is available in network design and ruleset
  design.
• Outsource the implementation project
• We have heard a lot of great things from some
  districts who have had outsourced the
  implementation project.
• Cost would be a factor in this decision.
• Begin systematically monitoring network traffic
  entering your network and mapping that traffic to
  generate a ruleset
• Its recommended that you use a sniffer like
  eeyes IRIS which helps determine which protocols
  and types of traffic you have on your network
• Leverage the UEN Network Operations Center for
  support on basic firewall configuration for Cisco
  PIX and some other supported devices.
• The UEN NOC does have some great experience in
  support and configuration of firewall devices.
• Begin by firewalling smaller portions of your
  network at first and slowly moving other networks
  over behind the firewall.
• Firewall Training
• We recommend that you get training on your
  specific firewall solution.
• UEN May provide some training in the future for
  various firewall platforms

17
The UEN Firewall Recommendation

• One Year Later

18
The UEN Firewall Recommendation

• In October 2001, UEN released its Firewall
  Recommendation for all stakeholders.
• One Year later, 17 separate entities on the UEN
  Network have implemented a firewall solution on
  their networks
• This represents nearly 24 of all UEN routed
  networks which are currently behind some sort of
  firewall.
• Plans have been communicated by stakeholders
  showing that many more entities are planning
  implementations within the next 6 to 8 months

19
Questions and Answers

• Ask Me ANYTHING
• Within reason

20
Thanks for Coming

• UCET 2003