
Open Source Firewall


Academic year: 2021


(1)

Open Source Firewall

Dream or reality ?

(2)

Open Source Firewall: dream or reality?

Introduction

Firewalls

Situation K.U.Leuven

Open Source implementation

Open Source alternatives

(3)

Open Source Firewall: dream or reality?

flexibility

bandwidth

modifiable

price/licenses

scalability

documentation

high availability

expertise

More or less independent of firewall

(4)

Firewalls

• packet filter

– performance

low security

– application independent

no screening above network layer

• application proxy/gateway

– security

performance

– full application awareness dedicated

• stateful packet inspection

– network layer inspection

– performance

(7)

[Network diagram, situation 2000: KotNet, Internet, KULnet; FW/NAT, web cache, web cache; 25Mbps; CheckPoint, Cisco]

(8)

[Network diagram, situation 2001: KotNet, Internet, KULnet; FW/NAT, web cache, NAT, web cache; 80Mbps; Linux, CheckPoint]

(9)

[Network diagram, situation 2003: KotNet, Internet, KULnet; Firewall, web cache, NAT, NAT, web cache, VPN; link loads 36 Mbps, 34 Mbps, 0.6 Mbps, 6 Mbps, avg 86Mbps; Nortel, Linux, CheckPoint]

(10)

[Network diagram, situation 2005: KotNet, Internet, KULnet; Firewall, web cache, NAT, NAT, web cache, VPN; link loads 39 Mbps, 36 Mbps, 6 Mbps, 8 Mbps, 10 Mbps, avg 100Mbps; Cisco, Linux, Linux, Linux, Cisco]

(11)

[Charts: Internet bandwidth usage; KotNet bandwidth usage]

(12)

K.U.Leuven network

[Network diagram: KotNet, Internet, KULeuven, Firewall]

• central firewall: filtering only between 3 zones

• within K.U.Leuven limited inter-subnet filtering via Cisco ACLs

• autoblock

• smtp-block or smtp traffic limited to CAV

• ACL towards subnet of DMZs, departments, units, …

• Domino-effect if 1 machine is hacked

(13)

DMZs

Eliminate Domino-effect between servers

• group servers in functional DMZs (dedicated intrusion detection and prevention, …)

• security measures on servers: filters on each server

(14)

Functional DMZs

[Diagram: Firewall with functional DMZs WWW, CAV, pop/imap, samba, ldap, DB, dns/dhcp, SAP, dmz-X]

(15)

Data streams

[Diagram: KotNet, Internet, KULnet, Firewall, DMZs; service requests, inter DMZ traffic, web cache, NAT, outgoing Internet requests (web requests, non-web requests)]

Load implications

• Firewall: only KUL services

• NAT: only KUL non-web Internet requests

• web caches: only KUL web requests

(16)

[Network diagram, situation 2006: KotNet, Internet, KULnet; Firewall, web cache, NAT, NAT, web cache, DMZs]

(17)

Firewalls

• CheckPoint/Nokia

– central management

documentation/support

– GUI

licenses/price

– multi OS/HW

• Cisco PIX

– out-of-box

flexible

– hardened purpose built RT OS

– price

• ASIC based (Juniper Netscreen ISG-2000 or Fortinet Fortigate-3600)

– dedicated HW

price

– high bandwidth performance

performance under DDoS < open source

within specs

– hardened purpose built RT OS

• Open Source

– flexible (P2P)

state replication (almost stable)

– modifiable (BCrouter)

complex protocols (experimental modules)

(18)

Firewalls

                      vendor                                Open Source
OS                    security specific RT OS (hardened)    multipurpose OS
HW                    ASIC                                  “open” HW
packaging             all in one                            components based

(19)

design criteria

• high availability

• redundancy

• scalability

• secure setup

• flexibility (adjustable/modifiable)

(20)

Open Source implementation

• NAT/Filtering: iptables/nf-hipac

• High Availability: VRRP

• Multiple DMZs: 802.1q/vlan

• Logging: remote syslog/ulog

(21)

Filtering/NAT

• netfilter

kernel framework

• iptables

userspace program

iptables <command> [<match>]+ <target>

• nf-hipac

high performance packet classification

(31)

Complex protocols

• ftp (active)

• conntrack helper

(PORT 134,58,10,1,4,1 aka 134.58.10.1:1025)
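As an added example, not part of the original slides: the decoding step a conntrack helper performs on the PORT line quoted above, written in Python for illustration (the real helper for netfilter is the kernel's FTP conntrack module, not this code). `parse_port_command` turns the six byte values into the advertised address and port (4*256+1 = 1025), and `expected_data_connection` derives the server-to-client data flow the firewall must then admit, refusing a PORT command that advertises an address other than the client's own; the `loose` flag and the server address 10.0.0.5 are this example's own constructions.

```python
import ipaddress
import re

# Constructed sample input: the PORT command quoted on the slide, as an
# active-mode FTP client sends it over the control connection.
SAMPLE_PORT_LINE = "PORT 134,58,10,1,4,1\r\n"

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 (six decimal byte values)
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})$")


def parse_port_command(line):
    """Decode a PORT line into (ip, port); None if it is malformed."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2  # p1 is the high byte: 4*256 + 1 = 1025
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def expected_data_connection(ctrl_src_ip, ctrl_dst_ip, line, loose=False):
    """Derive the data connection a helper should expect after this PORT line.

    ctrl_src_ip / ctrl_dst_ip are the client and server ends of the control
    connection. The server connects from TCP port 20 to the advertised
    address, so that is the flow the filter has to let through. With
    loose=False (this example's own strict setting, modelled on the kernel
    helper's parameter of the same name) the advertised address must be the
    client's own, so a PORT command pointing at a third party does not open
    a hole in the filter.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if not loose and ipaddress.ip_address(ip) != ipaddress.ip_address(ctrl_src_ip):
        return None
    return {"proto": "tcp", "src": ctrl_dst_ip, "sport": 20, "dst": ip, "dport": port}


if __name__ == "__main__":
    print(parse_port_command(SAMPLE_PORT_LINE))
    print(expected_data_connection("134.58.10.1", "10.0.0.5", SAMPLE_PORT_LINE))
```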

(32)

Open Source

• Complete solution

– Hardened OS

– GUI

Smoothwall, IPCop et al.

• FW GUI/script generators

fwbuilder, firestarter et al.

• OS hardening projects

openwall

• Commercial linux based FW (all-in-one)

(33)

Future

• GUI/complete solutions

• central management/logging

• enhanced conntrack helpers (SIP, …)

• additional matches & targets

(34)

Questions & Answers

URLs

iptables/ulog:

http://www.be.iptables.org

nf-hipac:

http://www.hipac.org

VRRP:

http://www.keepalived.org

syslog-ng:

http://www.ballabit.com

Debian GNU/Linux:

http://www.debian.org

Complete solution: http://smoothwall.org

GUIs:

http://phpfwgen.sourceforge.net

http://fwbuilder.org

http://firestarter.sourceforge.net

http://shorewall.net

Hardened Linux: http://openwall.com

Commercial open source based:
