  1. Firewall Implementation, UCET 2003
  2. Objective of this course
     - Provide basic information about installing and configuring network firewalls for use within the UEN Network
       - Demonstrate currently accepted methods of implementing firewalls
       - NAT/PAT vs. public addresses
       - Provide direction on firewall rule sets
     - Lots of time for Q&A
     - Get you out of here in a reasonable time
  3. Types of Firewall Implementation
  4. Basic Types of Firewall Implementation
     - There are 3 basic types of firewall implementation:
       - Transparent / bridging firewalls
       - The sandwich firewall
       - VLAN switch implementation
  5. Types of Firewall Implementation: Transparent / Bridging Firewall
     - Pros
       - It is transparent to the traffic crossing the network
       - It is a very fast firewall capable of high-bandwidth monitoring
       - Easy to implement in most scenarios
     - Cons
       - Bridging firewalls are usually very expensive
       - NAT/PAT options are not available on the firewall
       - VPN and other features are not on the firewall
       - Does not allow for DMZs on the same firewall
     Diagram: traffic from the outside router is routed directly to the inside router without a routing decision being made on the firewall.
  6. Types of Firewall Implementation: The Sandwich Firewall
     - Pros
       - Many inexpensive models are available
       - NAT/PAT/VPN options are available on many models
       - Capable of DMZ implementation
     - Cons
       - Slightly more difficult to implement
       - May require the purchase of additional equipment to implement (e.g. a router)
     Diagram: traffic from the outside router is statically routed to the outside interface of the firewall; once through the firewall, it is statically routed to the inside router.
  7. Types of Firewall Implementation: Firewall VLAN Implementation
     - Pros
       - Can be done without additional equipment
       - NAT/PAT/VPN options are available
       - Capable of DMZ implementation
     - Cons
       - Relies on VLANs for security
       - Not a highly recommended solution by security experts, but it will work
     Diagram label: Protected LAN
  8. NAT and PAT vs. Public Addressing
  9. NAT/PAT vs. Public Addressing: NAT/PAT
     - Pros:
       - NAT/PAT adds a layer of security by "hiding" devices within your network.
       - NAT/PAT saves address space.
     - Cons:
       - NAT/PAT makes implementation more complicated.
       - NAT/PAT alone does not provide sufficient security.
       - NAT/PAT does not work well with a variety of applications.
       - NAT/PAT makes it more difficult to provide services to the public network effectively.
  10. NAT/PAT vs. Public Addressing: Public Addressing
     - Pros:
       - Public addressing is generally easier to implement on firewalls.
       - Easier to provide publicly accessible services on your network.
     - Cons:
       - Public addressing consumes more address space.
       - Public addressing exposes more of your internal networks.
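The "hiding" effect of PAT and the difficulty of publishing services behind it (slides 9 and 10), as an added Python example that is not part of the presentation. It models a single-public-address PAT table with constructed addresses and ports; inside hosts get a public port per outbound flow, unsolicited inbound packets find no entry and are dropped, and a DMZ server becomes reachable only through an explicit static mapping. For brevity the inbound lookup matches on the public port only, whereas a real PAT entry also checks the remote address and port.

```python
# Added example (not from the slides): a minimal port address translation
# (PAT) table. It shows why PAT "hides" inside hosts from unsolicited
# inbound traffic and why a published service needs an explicit static
# mapping. All addresses and ports are constructed sample values.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed: the firewall's single public address


@dataclass
class Pat:
    next_port: int = 40000
    flows: dict = field(default_factory=dict)    # (src, sport, dst, dport) -> public port
    dynamic: dict = field(default_factory=dict)  # public port -> (inside ip, inside port)
    static: dict = field(default_factory=dict)   # public port -> (dmz ip, port), configured

    def publish(self, public_port, inside_ip, inside_port):
        """Static mapping: the only way the public can reach an inside service."""
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet, allocating one public port per flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.dynamic[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return (PUBLIC_IP, self.flows[key], dst_ip, dst_port)

    def inbound(self, dst_port):
        """Translate an outside->inside packet; None means no entry, so it is dropped.
        Simplification: a real PAT entry also checks the remote address and port."""
        return self.static.get(dst_port) or self.dynamic.get(dst_port)


def demo():
    """Two inside hosts share PUBLIC_IP; an unsolicited inbound packet is dropped
    until a DMZ server is published on port 80."""
    pat = Pat()
    a = pat.outbound("10.0.0.5", 51000, "198.51.100.7", 80)  # both hosts use the
    b = pat.outbound("10.0.0.6", 51000, "198.51.100.7", 80)  # same source port
    reply_a = pat.inbound(a[1])        # the server's reply to host a is translated back
    cold = pat.inbound(80)             # unsolicited inbound: no entry, dropped
    pat.publish(80, "10.0.1.20", 80)   # constructed DMZ web server, static mapping
    published = pat.inbound(80)        # now reachable from the public network
    return a, b, reply_a, cold, published


if __name__ == "__main__":
    print(demo())
```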
  11. Firewall Ruleset Implementation
  12. Firewalling Rulesets
     - There are 2 basic approaches to implementing rulesets on your firewall:
       - Block all and allow
       - Allow all and block
     - Each has its pros and cons
  13. Block All and Allow
     - This method is generally the most secure implementation of a firewall ruleset.
     - But this method tends to be the bigger implementation headache because of its closed nature:
       - Unknown applications on the network which use odd ports and need access through the firewall.
       - Common applications which are not completely secure but need access through the firewall.
         - Instant messengers, etc.
     - This method should be implemented only after closely monitoring traffic across the network for a long period of time, using network sniffers or other monitors, to map the legitimate services on your network that need access through the firewall.
     - It is recommended that you use a DMZ for all general services which provide public information; in other words, anything that needs to be accessed from the public Internet SHOULD be placed in the DMZ.
     - This should be the first method considered when implementing rulesets on your firewall, if it is possible to implement.
  14. Allow and Block
     - Allow and block is basically the opposite. Although it is capable of adding security to a network, it is a less secure implementation because you will continue to allow some malicious traffic to enter the network.
     - This method is much easier to implement, and allows for a slower, more methodical approach to implementation.
     - This method is generally not affected by the "unknown application" problem, which makes implementation go much more smoothly.
     - This approach is basically an attempt to remove the "critical security concerns" on the network first, and then slowly move to a more closed network posture.
     - This solution should only be considered if a block all and allow solution is not possible.
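The two ruleset approaches from slides 13 and 14 side by side, as an added Python example that is not part of the presentation. It is a first-match rule evaluator run over constructed traffic: a public DMZ range, an internal range, and an "unknown application" on an odd port; the verdicts show why block-all-and-allow is the more secure posture and why allow-all-and-block sidesteps the unknown-application headache at the cost of letting unmapped traffic in. Network ranges, ports and addresses are constructed sample values.

```python
# Added example (not from the slides): a first-match rule evaluator used to
# compare "block all and allow" with "allow all and block" on the same
# constructed traffic. Ranges, ports and addresses are sample values.
from ipaddress import ip_address, ip_network

DMZ = ip_network("203.0.113.0/28")   # constructed public DMZ range
INSIDE = ip_network("10.0.0.0/16")   # constructed internal range
ANY = ip_network("0.0.0.0/0")


def rule(action, src, dst, ports=None):
    """A rule: action, source net, destination net, destination ports (None = any)."""
    return (action, src, dst, ports)


def evaluate(rules, default, src_ip, dst_ip, dst_port):
    """First matching rule wins; otherwise the approach's default action applies."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for action, s_net, d_net, ports in rules:
        if src in s_net and dst in d_net and (ports is None or dst_port in ports):
            return action
    return default


# "Block all and allow": only the mapped legitimate services are opened;
# everything offered to the public lives in the DMZ.
BLOCK_ALL_AND_ALLOW = ([rule("allow", ANY, DMZ, {25, 80, 443}),
                        rule("allow", INSIDE, ANY)],           # inside hosts may go out
                       "deny")

# "Allow all and block": only the known critical concerns are closed.
ALLOW_ALL_AND_BLOCK = ([rule("deny", ANY, INSIDE, {135, 139, 445}),  # Windows RPC/SMB
                        rule("deny", ANY, INSIDE, {23})],            # telnet
                       "allow")

SAMPLE_TRAFFIC = {   # constructed flows: (source, destination, destination port)
    "public -> DMZ web":         ("198.51.100.9", "203.0.113.5", 80),
    "public -> inside SMB":      ("198.51.100.9", "10.0.3.7", 445),
    "public -> inside odd port": ("198.51.100.9", "10.0.3.7", 6891),  # unknown app
    "inside -> Internet":        ("10.0.3.7", "198.51.100.9", 443),
}


def compare(src_ip, dst_ip, dst_port):
    """Verdict of each approach as (block_all_and_allow, allow_all_and_block)."""
    return (evaluate(*BLOCK_ALL_AND_ALLOW, src_ip, dst_ip, dst_port),
            evaluate(*ALLOW_ALL_AND_BLOCK, src_ip, dst_ip, dst_port))


if __name__ == "__main__":
    for name, flow in SAMPLE_TRAFFIC.items():
        print(f"{name:28} block-all/allow={compare(*flow)[0]:5} allow-all/block={compare(*flow)[1]}")
```

The odd-port flow is the trade-off in one line: it is denied by default under block-all-and-allow (and has to be mapped and opened deliberately) but slips through under allow-all-and-block because nobody wrote a rule for it.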
  15. OK… I have a firewall. What next?
  16. Implementation Recommendations: Next Steps
     - If you are currently stuck on how or where to put your firewall, let us recommend some next steps.
       - Leverage the UEN Engineering and Security Departments to help with your implementation.
         - Help is available in network design and ruleset design.
       - Outsource the implementation project.
         - We have heard a lot of great things from some districts who have outsourced the implementation project.
         - Cost would be a factor in this decision.
       - Begin systematically monitoring network traffic entering your network and mapping that traffic to generate a ruleset.
         - It's recommended that you use a sniffer like eEye's Iris, which helps determine which protocols and types of traffic you have on your network.
       - Leverage the UEN Network Operations Center for support on basic firewall configuration for Cisco PIX and some other supported devices.
         - The UEN NOC has some great experience in support and configuration of firewall devices.
       - Begin by firewalling smaller portions of your network at first, and slowly move other networks behind the firewall.
       - Firewall training
         - We recommend that you get training on your specific firewall solution.
         - UEN may provide some training in the future for various firewall platforms.
  17. The UEN Firewall Recommendation: One Year Later
  18. The UEN Firewall Recommendation
     - In October 2001, UEN released its Firewall Recommendation for all stakeholders.
     - One year later, 17 separate entities on the UEN Network have implemented a firewall solution on their networks.
     - This means nearly 24% of all UEN routed networks are currently behind some sort of firewall.
     - Stakeholders have communicated plans showing that many more entities are planning implementations within the next 6 to 8 months.
  19. Questions and Answers: Ask me ANYTHING (within reason)
  20. Thanks for Coming, UCET 2003