Firewall Flameout - PowerPoint PPT Presentation

1
Firewall Flame-out
  • Frank Crawford
  • ANSTO
  • <frank@ansto.gov.au>

2
Introduction
  • Background
  • Firewall Selection
  • Installation
  • Experiences
  • Extensions
  • War Stories
  • Future

3
Background - ANSTO
  • Scientific Research Centre
  • More controlled than a university
  • Less controlled than a business
  • Long term usage of Internet
  • Lots of different usage patterns and requirements

4
Background - Network
  • 100 Workstations & servers
  • 600 PCs
  • FDDI backbone
  • 10/100 Mbit Ethernet connections
  • 2Mb Microwave link to NSWRNO
  • Unix, Unix & Unix
    • also some NT, Novell, OS/2, ...

5
Background - Scientists
  • Access external research sites
  • Access from external research sites
  • Accessing ANSTO from other places
    • e.g. middle of Hong Kong Harbour, Sri Lanka, Northern Territory
  • Visiting scientists
    • always want to go back home!
  • External collaborators

6
Firewall Selection
  • Government requirements - DSD
    • E3 certified
    • 1 and 2 1/2 choices
  • Draft IM Security Policy
  • Lots of preliminary study
    • Firewalls mailing list
    • Planned for a long time
    • Study by consultant (Softway)

7
Firewall Selection (cont.)
  • Limited tender
    • Selected one that best suited environment
    • Not cheapest, not most expensive
  • Gauntlet V3.2
    • runs on BSD/OS 2.1
    • Local distributor - Softway
    • PC platform
    • Included installation by Softway

8
Installation - Design

9
Installation - Design - Outbound
  • allow telnet, web, FTP, mail, news, ssh and system services
    • web only through Squid cache
  • no authentication required
  • everything logged

10
Installation - Design - Inbound
  • allow telnet, FTP, mail, news, ssh and system services
  • access to external service network
    • web and anonymous FTP
  • require authentication
    • currently using One-Time Password (S/Key)
  • everything logged

11
Installation - Design - Modem
  • allow web, FTP, mail, news, ssh and system services
  • more restricted than outbound, less than inbound
  • generally no authentication
  • everything logged
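The three zone designs above (outbound, inbound, modem), written out as a small policy-decision function so the differences between them can be checked mechanically. This is an added example for this page, not Gauntlet configuration or the author's code; the service names, the Squid host name and the reading of "system services" as DNS and NTP are assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Assumption: "system services" on the slides means DNS and NTP.
SYSTEM_SERVICES = {"dns", "ntp"}

# Services each zone may use, one set per design slide. Anything else
# (ping, traceroute, SNMP, TFTP, ...) has no proxy and is refused.
POLICY = {
    "outbound": {"telnet", "web", "ftp", "mail", "news", "ssh"} | SYSTEM_SERVICES,
    "inbound":  {"telnet", "ftp", "mail", "news", "ssh"} | SYSTEM_SERVICES,
    "modem":    {"web", "ftp", "mail", "news", "ssh"} | SYSTEM_SERVICES,
}

AUTH_REQUIRED = {"inbound"}            # one-time password (S/Key) on inbound only
SQUID_CACHE = "squid.internal.example"  # hypothetical name of the Squid cache host


@dataclass
class Request:
    zone: str            # "outbound", "inbound" or "modem"
    service: str         # e.g. "web", "ssh", "ping"
    src_host: str        # where the connection comes from
    authenticated: bool = False  # did the user pass the one-time password?


def decide(req: Request) -> Tuple[str, str]:
    """Return (verdict, reason) for one connection attempt."""
    allowed = POLICY.get(req.zone)
    if allowed is None:
        return "deny", "unknown zone"
    if req.service not in allowed:
        return "deny", f"no proxy for {req.service} in {req.zone}"
    # Outbound web is only accepted from the Squid cache, not from desktops.
    if req.zone == "outbound" and req.service == "web" and req.src_host != SQUID_CACHE:
        return "deny", "web must go through the Squid cache"
    if req.zone in AUTH_REQUIRED and not req.authenticated:
        return "deny", "one-time password required"
    return "allow", "permitted by zone policy"


def log_line(req: Request, verdict: str, reason: str) -> str:
    """'Everything logged': one line per decision, allow or deny alike."""
    return (f"zone={req.zone} svc={req.service} src={req.src_host} "
            f"auth={int(req.authenticated)} verdict={verdict} reason={reason!r}")


if __name__ == "__main__":
    # Constructed sample requests, one per interesting case.
    for r in (Request("outbound", "web", "pc17.internal.example"),
              Request("outbound", "web", SQUID_CACHE),
              Request("inbound", "ssh", "host.example.org"),
              Request("inbound", "ssh", "host.example.org", authenticated=True),
              Request("modem", "telnet", "dialup-3"),
              Request("outbound", "ping", "pc17.internal.example")):
        print(log_line(r, *decide(r)))
```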

12
Installation - Issues
  • PC hardware is limited
    • not enough slots, mixture of interfaces
  • Firewall software is always behind
  • Reports, reports and more reports
  • Security manager
    • busy
  • Need knowledge of basic O/S

13
Installation - Highlights
  • Installation downtime
    • short (< 1/2 day)
    • 2nd router interface helped
  • Smooth cutover
    • Few changes needed
    • Transparent proxies
    • Packet filtering

14
Experiences
  • However
    • some extensions were needed
  • System services
    • need tightening up
  • Users want more
    • No more ping, traceroute, SNMP, ...

15
Extensions
  • No proxies for UDP
    • TFTP is messy
      • needed for CISCO downloads
      • need to use packet filter
  • NTP is important
    • run it on the firewall
    • others sync to firewall
  • DNS
    • heaps and heaps

16
More Extensions
  • ssh
    • very useful
    • port on server tunnel
  • Administration systems
    • can do lots
  • POP
    • outbound - okay (I didn't say good)
    • inbound - bad
    • modem - so-so

17
War Stories (1)
  • A continuing battle inwards and outwards
  • Lots of messages - 16K lines/hour
    • pings from inside, pings from outside
  • Seems to attract attention
    • Badly configured DNS
    • Fast-scans
    • Slow-scans
    • Broadcast attacks

18
War Stories (2)
  • Internal users even worse
    • The firewall broke it!
  • Netbank
  • Library users
    • specialised protocols
      • Voyager (6000-6070)
      • Z39.50
  • Chat users
    • port 6000 - same as Voyager!

19
War Stories (3)
  • ActiveX
  • Mail relaying
    • Dorkslayers
    • panic stations
    • simple minded old proxy
    • pick up FWTK proxy and merge in
    • Total time from block to fix 36hrs
    • time from warning to block 3 months!!

20
Future
  • Keeping up with attacks
  • More proxies
    • Z39.50
    • LDAP, IMAP4
  • Keeping up-to-date
    • O/S now unsupported
    • Gauntlet fixes difficult
  • VPN