Access Technology (Firewall/VPN) Selection

1
Access Technology(Firewall/VPN)Selection
Deployment

• Terry L Davis, P.E.
• Associate Technical Fellow
• Senior Security Architect
• Boeing Shared Services Group
• Bellevue, Washington

2
Overview of Boeing Global Communications

• Operations Scope
• Approaching 250,000 IP addresses
• Major operations in 30 states
• 12 foreign countries
• 4000 subnets
• 750 routers
• 3000 switches
• 3 major communication hub sites
• Aggregate communication bandwidth to our
  customers/partners exceeding 1 Gigabit

3
Access Technology Selection

• Classical Firewalls
• Services
• Internet/ISP access, Proxy services, and Standard
  Internet Applications
• DeploymentsSecure sites
• ConsiderationsManpower, Throughput, Support
  (Help desk)
• VPNs
• ServicesLocation transparency, and Network
  extension
• DeploymentsWithin a semi-trusted environment,
  national deployments, and Work-at-home over
  switched networks
• ConsiderationsThe support personnel, and Site
  security

4
Access Technology Selection (cont)
Router-to-router tunnels ServicesLocation
transparency and Network extension DeploymentSec
ure sites, Insecure environments, and
International deployments ConsiderationsManpower
, Government restrictions, and Throughput Client-t
o-router/server tunnels ServicesSecure
communications and Location transparency Deploymen
tsInsecure sites, Road warriors, Executive
dial-in services, and Work at home on shared
media networks ConsiderationsPersonnel
(technical or non-technical), Work at home shared
systems, Performance, and Support (Help desk)
5
Implications of the Technology Selections

• Security
• Application access
• Network services (DNS/DHCP)
• Router/server loading due to encryption
• Authentication services
• Operations support
• Business processes

6
Access Service Layers
External
External Routing Redundancy
Intrusion Detection, Audit
VPN Access Services
Access Control
Path Control
Existing Legacy Access Services
Internet Access Services (IP Only
Encryption Required)
Routing Control Protocols
Access Control
Intrusion Detection, Audit
Internal Routing Redundancy
Internal
7
Access Services - Traditional Deployment
External Routers
INTERNET / WWW
Access Control Intrusion Detection
Outer LAN
Customer Access
Design Systems
Data Xfer
Interactive Access
VPN Tunnel Services
Classical Firewalls
Security Perimeter
WEB Access
Data Share
Security Cells
Inner LAN
Access Control Intrusion Detection
Internal Networks
Internal Routers
8
Access Services - Strategic Architecture
INTERNET/GlobalComm
External Routers
Shared Design Systems
Intelligent Services -Network Extension -User
transparent -Secure Authentication -Path
Authorization -Encryption -Audit
Accounting -Event Alarming -Intrusion
Detection -Shunning -Redundant Pathing
Email
Security Perimeter
Shared (DMZ) LAN
Security Cells
Intelligent Access Services
Secure Data Drops
Data Sharing
Special Contracts
Internal Networks
Internal Routers
9
Access Services - Mixed Deployments
INTERNET / WWW/GlobalComm
External Routers
Intrusion Detection, Audit, Shunning
Access Control Intrusion Detection
Outer LAN
Internet Hardened Infrastructure
VPN Access
Existing Security Cells
Legacy Security Perimeter
Inner LAN
Intrusion Detection, Audit, Shunning
Access Control Intrusion Detection
Internet Hardened Servers Workstations
Legacy Networks Systems
10
VPN Deployment

• Typical RFP Issues
• Looking for a single solution
• No architecture
• Not definition of a VPN
• Requirements for everything
• Need to
• Define your architecture
• Define VPN
• Define your deployment Framework

11
VPN Deployment

• VPN Service
• An overlay to your existing infrastructure to
  enable the delivery of a specific set of services
  to a sub-set of your users.
• Perimeter/Firewall Service
• An access service to a specific intranet or
  extranet resource.

12
VPN Deployment

• VPN Architecture
• Access
• Extranet
• Intranet
• Routed
• Integrated Operations
• others
• Private Video Conference
• etc.

13
VPN Deployment

• IPSEC VPN Framework
• Ability to deploy tactical solutions that dont
  fully conform or interoperate with IPSEC
• Strategic plan to bring conforming IPSEC services
  into the deployment from all your tactical and
  strategic vendors.
• An interoperability matrix to guide deployment
  plans
• A certification process to populate this matrix.

14
Next Generation Technology(Wish List)

• Light weight authentication
• Authenticated connections
• Multi-gigabit link encryption
• Gigabit security
• Connection/Flow/Stream security management
• Questions on "packet examination" scaling

15
Favorite Security Technology Definitions

• Firewalls A technology to
• keep customers out
• provide nefarious types with standard accesses to
  your network
• protect the rest of the Internet from your
  employees
• provide a black hole for dollars and man-hours
• Perimeter
• What you have when you find that mapping all
  major accesses into your corporation is a major
  project and the milestones keep slipping.
• What you have when it takes a full size database
  to track your installed "firewalls", their
  versions, what they do, and who they support.

16
Favorite Security Technology Definitions (cont)
VPNA "sort of" private networkA highly
interoperable solution if the vendor and the
exact release are the same at both
ends Encrypted tunnelA possibly secure
communication linkA nice secure path for the
"rats" to run in between your networks. Authentic
ation services A technology to broadcast your
account and password to the worldA set of
non-interoperable technologiesProvide a fairly
good chance that the user is who they claim to be
17
White hats

• Provide a manageable set of flexible services
• Engineer the solution use appropriate technology
• Be ahead of your customers
• Avoid scare tactics
• Simplify
• Enable business
• Wear the white hats!