
Third-Generation Firewalls at a Small College


Page 1: Third-Generation Firewalls at a Small College

Use of a Third-Generation Firewall at a Small College

May 16, 2005
Christopher Rhoda, Vice President, Information Services
Thomas College, Waterville, Maine
[email protected]

Copyright Christopher Rhoda 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Third-Generation Firewalls at a Small College

Overview

1. Thomas College background
2. What are the three generations of firewalls?
3. Why use a third-generation firewall?
4. See how a small college configured and uses Microsoft Internet Security and Acceleration (ISA) Server 2004.
5. Areas to be discussed include stateful packet filtering, intrusion detection, caching, Web proxy, logging, reporting, and comparisons among five of the most popular application-level firewalls.

Page 3: Third-Generation Firewalls at a Small College

About Thomas College

- Private college in Maine
- 610 full-time / 1,100 total students
- Associate, bachelor's and master's degrees
- Degree programs in the areas of business, technology, education, political science, and psychology.

Page 4: Third-Generation Firewalls at a Small College

Thomas College IT Services

- 200 College PCs and thin-clients, 11 servers, 1Gb network backbone
- Residence halls: over 400 student-owned computers on 10/100Mb ports and wireless capabilities
- Staffing: 2 full-time and 12 part-time students

Page 5: Third-Generation Firewalls at a Small College

Thomas College Network History

- 1993 – 1st Generation Firewall
  - NSF grant: dedicated 56K line to the Internet
- 1995 – 2002 – 1st Generation Firewall
  - Partnership with Maine Internetworks: 30+ T1s, cable modems, various local dial-ups
  - Purchased by Adelphia Communications in 2001
- 2002 – present – 2nd & 3rd Generation Firewalls
  - Mid-Maine Communications: 3 T1s (6Mb fractional T3 in June 2005)
  - State-wide dial-up via 500 number service
  - Increasing bandwidth prioritization and security needs
  - Increasing residential uses of audio and video (examples: BearShare, Cdigix)

Page 6: Third-Generation Firewalls at a Small College

The Three Generations of Firewalls

- 1st Generation – packet-filtering (examples: by IP or port)
- 2nd Generation – application-level (examples: proxies, client apps)
- 3rd Generation – stateful packet-filtering (examples: only opening ports when needed, network-based attacks stopped)

Page 7: Third-Generation Firewalls at a Small College

…but College networks don’t need to be secure.

Yes they do, because…

- Private information: administrative systems; intranets, extranets; personal student and employee info.; “Institution Knowledge”
- It’s important to our students

Page 8: Third-Generation Firewalls at a Small College

Why Use a Third-Generation Firewall?

- Inspects traffic at the application level
- Supports multiple application proxies
- Performs deep-packet stateful inspection to stop today’s attacks using many protocols: HTTP, HTTPS, SMTP, POP3, IMAP, DNS, FTP, RPC, H.323, IM, VoIP, videoconferencing

Page 9: Third-Generation Firewalls at a Small College

Stateful Packet-Filtering

At the packet level, a third-generation firewall inspects the source and destination of the traffic indicated in the IP header, and the port in the TCP or UDP header identifying the network service or application used.

Dynamic packet filters open a port only in response to a user's request and only for the duration required to satisfy that request, reducing the vulnerability associated with open ports.

A third-generation firewall lets you dynamically determine which packets can be passed through to the internal network's circuit-layer and application-layer services.

You can configure access policy rules that open ports automatically only as allowed, and then close the ports when the communication ends.
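The dynamic port behaviour described on this slide, as an added example that is not part of the original presentation and not ISA Server code: a toy stateful filter in Python. The internal prefix 10.10., the set of allowed outbound ports and the packet trace are constructed assumptions. Reply traffic is admitted only while a matching outbound session is open, and the pinhole closes once the client ends the conversation.

```python
"""Toy stateful packet filter (added example, not ISA Server code).

An outbound request from an internal host opens a matching return path for
that session only; the return path closes when the communication ends.
Constructed packet records stand in for real traffic."""
from dataclasses import dataclass

INTERNAL_NET = "10.10."   # constructed: the college's internal address prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    fin: bool = False      # True marks the end of the conversation


class StatefulFilter:
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        # live sessions keyed by (internal_ip, internal_port, remote_ip, remote_port, proto)
        self.sessions = set()

    @staticmethod
    def _is_internal(ip):
        return ip.startswith(INTERNAL_NET)

    def handle(self, pkt):
        """Return 'ALLOWED' or 'DROPPED' for one packet, updating session state."""
        if self._is_internal(pkt.src_ip) and not self._is_internal(pkt.dst_ip):
            # Outbound: only policy-approved destination ports may open a session.
            if pkt.dst_port not in self.allowed:
                return "DROPPED"
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if pkt.fin:
                self.sessions.discard(key)   # communication ended: close the port
            else:
                self.sessions.add(key)
            return "ALLOWED"
        if not self._is_internal(pkt.src_ip) and self._is_internal(pkt.dst_ip):
            # Inbound: admitted only as the reply to a session we opened.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if key in self.sessions:
                if pkt.fin:
                    self.sessions.discard(key)
                return "ALLOWED"
            return "DROPPED"
        return "DROPPED"   # no internal endpoint: not traffic this filter carries


def run_demo():
    """Constructed trace; returns one verdict per packet, in order."""
    fw = StatefulFilter(allowed_outbound_ports={80, 443, 53})
    client = "10.10.6.96"          # internal client (same range as the slide's logs)
    server = "198.51.100.20"       # constructed external web server
    other = "203.0.113.7"          # constructed unrelated external host
    trace = [
        Packet(client, 4412, server, 80),             # outbound HTTP request
        Packet(server, 80, client, 4412),             # reply: matches the open session
        Packet(other, 80, client, 4412),              # unsolicited: different remote host
        Packet(server, 80, client, 4413),             # unsolicited: no such session
        Packet(client, 4412, server, 80, fin=True),   # client closes the conversation
        Packet(server, 80, client, 4412),             # late packet: the pinhole is gone
        Packet(client, 5000, server, 6667),           # outbound to a port policy does not allow
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The session key carries both endpoints and both ports, so a reply from a different host, or to a different client port, is dropped even though destination port 80 is otherwise allowed; that is the difference between this and a static rule that leaves port 80 open inbound.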

Page 10: Third-Generation Firewalls at a Small College

Intrusion Detection

- All Ports Scan Attack
- Enumerated Port Scan Attack
- IP Half Scan Attack
- Land Attack
- Ping of Death Attack
- UDP Bomb Attack
- Windows Out of Band Attack
- DNS Hostname Overflow
- DNS Length Overflow
- DNS Zone Transfer from Privileged Ports (1-1024)
- DNS Zone Transfer from High Ports (above 1024)
- POP Buffer Overflow
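Two of the signatures on this slide, the Land Attack and the Enumerated Port Scan, turned into detection logic as an added example that is not ISA Server's own engine and not part of the presentation. Packets are constructed (timestamp, src_ip, src_port, dst_ip, dst_port) tuples; the Land check matches a packet addressed to itself, and the scan check keeps a sliding-window count of distinct destination ports per source/destination pair. The thresholds and the sample traffic are assumptions.

```python
"""Detect two of the slide's signatures in a constructed packet stream.
Added example, not ISA Server's detector.  Each record is
(timestamp_seconds, src_ip, src_port, dst_ip, dst_port)."""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 20     # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 10     # ... within this many seconds (constructed thresholds)


def is_land_attack(pkt):
    """Land: a forged packet whose source equals its destination (IP and port)."""
    _, src_ip, src_port, dst_ip, dst_port = pkt
    return src_ip == dst_ip and src_port == dst_port


class PortScanDetector:
    """Flags a source that touches many distinct ports on one host in a short window."""

    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(list)   # (src_ip, dst_ip) -> [(ts, dst_port), ...]
        self.alerted = set()            # pairs already reported, to alert once

    def observe(self, pkt):
        """Return an alert string when the threshold is crossed, else None."""
        ts, src_ip, _, dst_ip, dst_port = pkt
        key = (src_ip, dst_ip)
        hist = self.seen[key]
        hist.append((ts, dst_port))
        # keep only events that fall inside the sliding window
        self.seen[key] = hist = [(t, p) for t, p in hist if ts - t <= self.window]
        distinct = {p for _, p in hist}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"Enumerated Port Scan: {src_ip} -> {dst_ip} ({len(distinct)} ports)"
        return None


def analyse(packets):
    """Run both checks over a packet list; return the alerts in order of detection."""
    alerts = []
    scanner = PortScanDetector()
    for pkt in packets:
        if is_land_attack(pkt):
            alerts.append(f"Land Attack: {pkt[1]}:{pkt[2]} to itself")
        alert = scanner.observe(pkt)
        if alert:
            alerts.append(alert)
    return alerts


def sample_packets():
    """Constructed traffic: a normal browsing session, one Land packet, one port sweep."""
    pkts = [(0.0, "10.10.6.96", 4412, "198.51.100.20", 80),
            (0.5, "10.10.6.96", 4413, "198.51.100.20", 443),
            (1.0, "10.10.5.82", 139, "10.10.5.82", 139)]           # Land: src == dst
    pkts += [(2.0 + i * 0.1, "203.0.113.7", 40000 + i, "10.10.7.10", 1 + i)
             for i in range(25)]                                    # sweep of ports 1-25
    pkts += [(200.0, "203.0.113.7", 50000, "10.10.7.10", 8080)]      # long after the window
    return pkts


if __name__ == "__main__":
    for line in analyse(sample_packets()):
        print(line)
```

The window keeps the detector from alerting on a busy but legitimate client that happens to use many ports over a whole day, and the alerted set keeps one sweep from producing one alert per packet once the threshold is crossed.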

Page 11: Third-Generation Firewalls at a Small College

Intrusion Prevention

- Pro-active identification
- Ability to “sand-box” or disconnect attacks
- Ability to protect against threats from inside the organization (student and faculty computers)

Page 12: Third-Generation Firewalls at a Small College

Caching

- For a better end-user experience
- HTTP, HTTPS, and FTP: caching for outgoing requests to the Internet; reverse caching for incoming requests to our web/ftp servers.

Page 13: Third-Generation Firewalls at a Small College

Why Use Internet Security and Acceleration (ISA) Server?

For Thomas College in 2001 the choice of ISA Server 2000 was easy:

- Limited selection available
- Best academic price
- Ran on Windows 2000/2003 servers
- Integrated well with a campus with 95% Windows computers or thin-clients
- Fast HTTP proxy – 80% of our traffic
- Support options were a good fit

Page 14: Third-Generation Firewalls at a Small College

Why Stay with ISA 2004

- The value in upgrading vs. replacing
- New, easier-to-use interface
- Better throughput
- Better logging and tracking

Page 15: Third-Generation Firewalls at a Small College

Management Console

Page 16: Third-Generation Firewalls at a Small College

VPN

- IPSEC, L2TP, and PPTP
- Remote clients
- Site-to-site

Page 17: Third-Generation Firewalls at a Small College

Logging

- Defaults to SQL Server (MSDE)
- Query interface built into Management Console

Packet filters:

2004-02-28 00:00:00 10.10.5.122 255.255.255.255 Udp 4412 7100 DROPPED -
2004-02-28 00:00:00 66.252.1.100 10.10.7.255 Udp 1026 137 BLOCKED -

Firewall Service:

10.10.5.82 Drew BearShare.exe:3:5.1 2004-03-06 00:00:04 TERRIER7 private1.bearshare.net - - - - - - - GHBN 13301 24057 0
10.10.6.84 bonangj aim.exe:3:5.1 2004-03-06 00:00:04 TERRIER7 ar.atwola.com - - - - - - - GHBN 13301 530940

Web Proxy Service:

10.10.6.96 thomas.edu\owensj Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) 2004-03-06 00:00:13 TERRIER7 - image.weather.com - 80 -612 189 http GET http://image.weather.com/web/newscenter/stormstories/promo/tw_promo.jpg NotModified 0
10.10.6.75 THOMAS.EDU\johnstonk Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) 2004-03-06 00:00:13 TERRIER7 - us.i1.yimg.com - 80 -390 151 http GET http://us.i1.yimg.com/us.yimg.com/i/mc/mc2.js NotModified 0
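The packet-filter and Web Proxy lines on this slide, parsed and summarised in Python as an added example that is not part of the presentation and not ISA Server's own tooling. The sample records are the slide's own lines; the field layout is inferred from those lines alone, and the Firewall Service records are left out because their layout is only partly legible on the slide. The summary counts the same kinds of figures the reporting slides show later (actions, blocked sources, requests per destination host and per user).

```python
"""Parse the ISA packet-filter and Web Proxy log lines shown on the slide and
build a small per-action / per-destination summary.  Added example, not ISA
Server code; the field layout is inferred from the slide's sample lines."""
import re
from collections import Counter

# Sample input: the two packet-filter records from the slide.
PACKET_FILTER_LOG = """\
2004-02-28 00:00:00 10.10.5.122 255.255.255.255 Udp 4412 7100 DROPPED -
2004-02-28 00:00:00 66.252.1.100 10.10.7.255 Udp 1026 137 BLOCKED -
"""

# Sample input: the two Web Proxy records from the slide
# (raw string, because the usernames contain backslashes).
WEB_PROXY_LOG = r"""
10.10.6.96 thomas.edu\owensj Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) 2004-03-06 00:00:13 TERRIER7 - image.weather.com - 80 -612 189 http GET http://image.weather.com/web/newscenter/stormstories/promo/tw_promo.jpg NotModified 0
10.10.6.75 THOMAS.EDU\johnstonk Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) 2004-03-06 00:00:13 TERRIER7 - us.i1.yimg.com - 80 -390 151 http GET http://us.i1.yimg.com/us.yimg.com/i/mc/mc2.js NotModified 0
""".strip()


def parse_packet_filter(text):
    """Packet-filter records: date time src dst proto src_port dst_port action ..."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue          # tolerate short or garbled lines instead of crashing
        records.append({"date": f[0], "time": f[1], "src": f[2], "dst": f[3],
                        "proto": f[4], "src_port": int(f[5]), "dst_port": int(f[6]),
                        "action": f[7]})
    return records


# client, user, then a user agent that contains spaces, then the date and 13
# further whitespace-free fields (time, server, referrer, host, ip, port, two
# size/time fields, protocol, operation, URI, result, status) as on the slide.
_PROXY_RE = re.compile(r"^(\S+) (\S+) (.+?) (\d{4}-\d\d-\d\d)" + r" (\S+)" * 13 + r"$")


def parse_web_proxy(text):
    """Web Proxy records; returns only the fields the summary needs."""
    records = []
    for line in text.splitlines():
        m = _PROXY_RE.match(line)
        if not m:
            continue
        g = m.groups()
        records.append({"client": g[0],
                        "user": g[1].lower(),   # thomas.edu\x and THOMAS.EDU\x are one account
                        "agent": g[2], "date": g[3], "time": g[4], "server": g[5],
                        "host": g[7], "port": int(g[9]), "protocol": g[12],
                        "method": g[13], "url": g[14], "result": g[15]})
    return records


def summarise(pf_records, proxy_records):
    """Report-style counters over parsed records."""
    return {
        "actions": Counter(r["action"] for r in pf_records),
        "blocked_sources": Counter(r["src"] for r in pf_records
                                   if r["action"] in ("DROPPED", "BLOCKED")),
        "hosts": Counter(r["host"] for r in proxy_records),
        "users": Counter(r["user"] for r in proxy_records),
    }


if __name__ == "__main__":
    summary = summarise(parse_packet_filter(PACKET_FILTER_LOG),
                        parse_web_proxy(WEB_PROXY_LOG))
    for section, counter in summary.items():
        print(section)
        for key, n in counter.most_common():
            print(f"  {key}: {n}")
```

Usernames are lower-cased before counting: the slide's own records show the same domain as both thomas.edu and THOMAS.EDU, and without that normalisation a per-user report counts one person under two names.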

Page 18: Third-Generation Firewalls at a Small College

Reporting

- Daily, weekly, monthly, annually, on-demand
- Web-based

Page 19: Third-Generation Firewalls at a Small College

Reporting – Summary – Protocols

Protocols: The following communication protocols were used to carry network traffic through ISA Server during the report period. Protocols that have generated the most traffic are listed first.

Protocol                  Requests    % of Total Requests
UNKNOWN                   22123198    45.1 %
HTTP                      13410830    27.4 %
Gnutella/Bearshare OUT     9725296    19.8 %
DNS Query                  1796926     3.7 %
HTTP - IN                   598232     1.2 %
SMTP Server                 310206     0.6 %

Page 20: Third-Generation Firewalls at a Small College

Reporting – Summary – Users

Top Users

The following users have generated the largest amounts of network traffic through ISA Server during the report period. Users that have generated more traffic are listed first. Network addresses are presented when user names are unknown to ISA Server.

Page 21: Third-Generation Firewalls at a Small College

Reporting – Summary – Top Web Sites

Page 22: Third-Generation Firewalls at a Small College

Reporting – Summary – Traffic

Page 23: Third-Generation Firewalls at a Small College

Reporting – Summary – Daily Traffic

Page 24: Third-Generation Firewalls at a Small College

Reporting – Web – Object Types

Page 25: Third-Generation Firewalls at a Small College

Reporting – Web – Browsers

Page 26: Third-Generation Firewalls at a Small College

Reporting – Web – OSs

Page 27: Third-Generation Firewalls at a Small College

Reporting – Applications – Top Applications

Page 28: Third-Generation Firewalls at a Small College

Reporting – Applications – Top Destinations

No  Destination IP   Unique Users  Requests  % of Total Requests  Bytes In  % of Total Bytes In  Bytes Out  % of Total Bytes Out  Total Bytes  % of Total Bytes
1   216.220.231.72   989           381297    1.0 %                7.2 GB    2.3 %                169.2 MB   0.6 %                 7.4 GB       2.1 %
2   64.236.34.97     8             59        0.0 %                6.9 GB    2.2 %                7.0 KB     0.0 %                 6.9 GB       2.0 %
3   216.220.231.71   794           276817    0.7 %                5.9 GB    1.9 %                111.8 MB   0.4 %                 6.0 GB       1.7 %
4   203.250.58.177   1             2         0.0 %                2.9 GB    0.9 %                7.2 MB     0.0 %                 2.9 GB       0.8 %
5   165.123.99.58    1             4         0.0 %                1.9 GB    0.6 %                1.8 MB     0.0 %                 1.9 GB       0.6 %

Page 29: Third-Generation Firewalls at a Small College

Reporting – Security – Authorization Failures

No  User                    Authorization Failures  % of Total Authorization Failures
1   thomas.edu\couturej     6914.0                  23.5 %
2   THOMAS.EDU\damonj       6536.0                  22.2 %
3   thomas.edu\greenej      2348.0                   8.0 %
4   THOMAS.EDU\beaudoink    2290.0                   7.8 %
5   THOMAS.EDU\turcottesh   2141.0                   7.3 %
6   thomas.edu\owensj       1344.0                   4.6 %
7   THOMAS.EDU\cormierc     1213.0                   4.1 %

Page 30: Third-Generation Firewalls at a Small College

3rd-Party Add-ons

- Real-time viewing
- User quotas
- Anti-virus

Page 31: Third-Generation Firewalls at a Small College

Scalability

- Use arrays for fault-tolerance
- Behind or in front of other firewalls

Page 32: Third-Generation Firewalls at a Small College

ISA Server 2004 vs. 2000

Network topologies
  ISA Server 2004: Unlimited multiple networks and types (internal, external, VPN, DMZ)
  ISA Server 2000: Single internal network, external network, and DMZ

Security policy
  ISA Server 2004: Per-network policy
  ISA Server 2000: One security policy

Layer 1 through 4 support
  ISA Server 2004: Stateful inspection on all network traffic
  ISA Server 2000: Stateful inspection only on traffic from/to LAT

Network routing
  ISA Server 2004: NAT or Route relationship
  ISA Server 2000: Always NAT from LAT

Content inspection
  ISA Server 2004: Complete stateful inspection on traffic to/from firewall
  ISA Server 2000: Traffic to/from firewall protected by static filters

VPN filtering
  ISA Server 2004: VPN natively supported through VPN network type
  ISA Server 2000: No stateful filtering on VPN traffic

Architecture
  ISA Server 2004: Performance-optimized multilayered filtering engine
  ISA Server 2000: Parallel Web Proxy and Firewall services

Management
  ISA Server 2004: All-new user interface
  ISA Server 2000: Standard MMC plug-in

VPN support
  ISA Server 2004: Adds IPSec Tunnel Mode
  ISA Server 2000: PPTP, L2TP IPSec

Page 33: Third-Generation Firewalls at a Small College

Other Firewall Products

- Check Point FireWall-1 (or Nokia 650)
- Secure Computing Sidewinder G2
- Symantec Enterprise Firewall with VPN 7.0
- WatchGuard Technologies Firebox 4500
- Cisco PIX Firewall 535
- Sonicwall

Page 34: Third-Generation Firewalls at a Small College

3rd Generation Firewall Comparisons

Check Point FireWall-1
  OS: Windows, Solaris, Linux, Nokia IPSO
  Interfaces: 1,024
  Stateful packet filtering: Y
  Alerts: logs, e-mail, pager, SMS, SNMP
  Software price: $19,000
  Hardware price: $4,200

Microsoft ISA 2004
  OS: Windows
  Interfaces: Unlimited
  Stateful packet filtering: Y
  Alerts: logs, e-mail, pager, SMS, run script
  Software price: $6,381
  Hardware price: $2,508

Secure Computing Sidewinder G2
  OS: SecureOS Unix
  Interfaces: 10
  Stateful packet filtering: Y
  Alerts: logs, e-mail, pager, SNMP, Tivoli
  Software price: included
  Hardware price: $34,900

Symantec Enterprise Firewall
  OS: Windows, Solaris, Linux
  Interfaces: Unlimited
  Stateful packet filtering: Y
  Alerts: logs, e-mail, pager, SNMP
  Software price: $19,995
  Hardware price: $6,295

WatchGuard Firebox 4500
  OS: N/A
  Interfaces: 3
  Stateful packet filtering: Y
  Alerts: logs, e-mail, pager, run script
  Software price: n/a
  Hardware price: $9,990

Page 35: Third-Generation Firewalls at a Small College

3rd Generation Firewall Comparisons

Network Computing Report Card, 3/21/03 issue, page 60. Columns: Check Point Firewall-1, Microsoft ISA 2000, Secure Computing Sidewinder G2, Symantec Enterprise, WatchGuard Firebox 4500.

Category (weight)     Check Point  ISA 2000  Sidewinder G2  Symantec  Firebox 4500
Protection (50%)      4.75         4         4              3         2
Performance (20%)     4            4         3              4.5       3
Management (15%)      4.5          4.5       5              4         3
Reporting (10%)       2            4         4.5            3         3
Price (5%)            2            3         3              5         4
Total Score (100%)    4.15         4.03      3.95           3.55      2.55
Grade                 B+           B+        B              B-        C-

Page 36: Third-Generation Firewalls at a Small College

For More Information

Presenter:
Christopher (Chris) Rhoda
Vice President for Information Services
Thomas College, Waterville, Maine
http://www.thomas.edu/chris/cumrec.ppt
[email protected]

Comparison information courtesy of:
Mike Fratto, Senior Technology Editor, Network Computing; Executive Editor, Secure Enterprise
[email protected]