Tracy Ashton Senior Systems Engineer Juniper Networks

1. Next-Generation Firewall Security
Updated for 2015
Tracy Ashton
Juniper Networks
tashton@juniper.net

2. Agenda
– Next-generation firewall policies (RBAC)
– Suite B and new IPSec protocols
– Commercial Solutions for Classified (CSfC)
– Real-time reputation-based threat blocking
9/3/2015

3. Typical stateful firewall policy
• Source and Destination are IP addresses or networks
– can be named, but names are usually local
• Service usually maps to a TCP or UDP port number
– some protocols are more sophisticated and use ALGs
9/3/2015

4. Source and Destination
• We need a way to replace addresses with a
standardized, organization-wide naming scheme
• DNS names can be difficult to use in firewall policies
– need to iterate through multiple addresses per name
– reverse lookup often fails
• User’s addresses change constantly
• VM-based server addresses can change too
– different techniques for users and servers
9/3/2015

5. Users
• Firewall polls the domain controller: “best effort”
– not an option for complex domain schemes
• Complete internal security: 802.1x
– local access requires the same security standards as
remote access
– must be implemented on all internal switches and APs
– 802.1x controller can also populate user lists on next-
generation firewalls
– no more “hard on the outside, soft on the inside”
9/3/2015

6. 802.1x
802.1x looks very complex, but it’s easy to understand if you go
step by step, and everyone will be using it soon...
9/3/2015
AD/LDAP/PKI/RSA
Tablet/Notebook/Laptop
Domain A
Domain B
Tablet/Notebook/Laptop
Switches and APs
Network Access Controller
Protected
Resource

7. 802.1x and dynamic firewall policies
• Network access controller can add an authorized
user to one or more firewall rules
• Can be based on AD group membership
• Control user access by adding and removing from AD
groups, not by writing firewall policy per user
• Controller to firewall communication is an emerging
standard, so early implementations are proprietary
9/3/2015

8. Server movement
• Modern datacenters use virtual machines
• VM controllers move VMs during operation
• Solution: VM controllers must provide an interface
for firewall queries
• Emerging standards, mostly proprietary today
• Using DNS to define internet-based servers is difficult
– but internal DNS is easier to control, and may be an option
9/3/2015

9. Source and Destination are no longer static, local
objects:
But what about the protocols?
How do we know that TCP port 80 is carrying legitimate
HTTP, not hidden P2P traffic... or worse?
9/3/2015

10. Track state at all protocol levels
(courtesy of w3.org)
9/3/2015

11. Firewall plus intrusion detection and prevention
• Advanced intrusion prevention techniques use protocol-
specific state engines
• Every communication between client and server is
carefully matched against expected behavior
• This allows for reliable identification of protocols,
regardless of port number
• We can also prevent the majority of zero-day attacks by
imposing common-sense limits on communication
• Intrusion detection signatures are integrated with state
engines to reduce or eliminate false positives
9/3/2015

12. Next-generation firewalls:
• Provide multiple methods for replacing static,
address-based policies with dynamic, up-to-date lists
of users and servers
• Examine packets more thoroughly to guarantee that
protocols are not being misused
• Support scripting languages and provide an API for
customization and integration with mgmt systems
• Support advanced VPN features...
9/3/2015

13. Suite B – new algorithms for IPSec
• NSA’s latest set of cryptographic algorithms:
– 3DES replaced with AES-128, AES-256
– MD5 and SHA1 replaced with SHA-256, SHA-384
– RSA replaced with ECDSA, DH replaced with ECDH
• The NSA never attempted to push weak
algorithms; this was an over-interpretation of
an EC-RNG error that the NSA later corrected
9/3/2015

14. Commercial Solutions for Classified
http://www.nsa.gov/ia/programs/csfc_program/
If you select FW/VPN products from the NSA’s list...
And layer one IPSec tunnel inside another...
You can carry classified information on commonly
available, off-the-shelf hardware
9/3/2015

15. Botnets, DDoS, and CnC hosts
• User clicks on something, installs malware
• User’s machine is now a ‘bot
• Malware is quiet, evades detection, occasionally
contacts internet-based Command and Control host
• CnC operator waits for enough hosts to become bots,
then issues attack command
• Bots begin a Distributed Denial of Service attack
against the CnC operator’s target
9/3/2015

16. Real-time reputation-based threat intelligence
• For many years, DISA has provided a daily list of IP
addresses that were involved in malicious activity
• Service providers and major corporations are now joining
together to produce similar intelligence
• Addresses involved in attacks are uploaded to a
community operated cloud service
• Next-generation firewalls can subscribe to the service,
and dynamically block known baddies
• Still in development, but represents a fundamental
advance in security techniques and capabilities
9/3/2015

17. Thank you for listening!
Feel free to contact me with
questions: tashton@juniper.net
9/3/2015