Piotr Wojciechowski - VeriFone
Language: English
The role of firewalls in the modern data center and at the edge of the enterprise network. Standard ACLs or a simple IPS are not sufficient protection: we have to look deeper inside the packets and face the challenges of virtualization and the deployment of cloud-based services. The session will show how to use products from different vendors to create comprehensive network protection, how to fulfil the requirements of a modern data center, and when virtualization is better than physical hardware.
Register to the next PLNOG edition today: krakow.plnog.pl
2. ABOUT ME
¢ Senior Network Engineer MSO at VeriFone Inc.
¢ Previously Network Solutions Architect at one of the top Polish IT integrators
¢ CCIE #25543 (Routing & Switching)
¢ Blogger – http://ccieplayground.wordpress.com
¢ Administrator of CCIE.PL board
— The biggest Cisco community in Europe
— About 7800 users
— 3 admins, 3 moderators
— Over 60 Polish CCIEs as members, 20 of them actively posting
— About 100 new topics per month
— About 800 posts per month
— English section available
3. AGENDA
¢ Facts about the firewall market and its evolution
¢ Security challenges
¢ Next Generation Firewalls
¢ NGIPS
¢ Data Center Security Future
5. FACTS ABOUT FIREWALLS MARKET
¢ Virtualized versions of enterprise network
safeguards will not exceed 10% of unit sales by year-
end 2016
¢ Through 2018, more than 75% of enterprises will
continue to seek network security from a different
vendor than their network infrastructure vendor
Source: Magic Quadrant for Enterprise Network Firewalls,
Gartner, 14 April 2014
6. FACTS ABOUT FIREWALLS MARKET
¢ Less than 20% of enterprise Internet connections
today are secured using next-generation firewalls
(NGFWs)
¢ By year-end 2014, this will rise to 35% of the
installed base, with 70% of new enterprise edge
purchases being NGFWs
¢ Fewer than 5% of enterprises will deploy all-virtual
firewalls in data centers through 2016
Source: Magic Quadrant for Enterprise Network Firewalls,
Gartner, 14 April 2014
7. FACTS ABOUT FIREWALLS MARKET
¢ Fewer than 2% of deployed enterprise firewalls will
have Web antivirus actively enabled on them
through 2016
Source: Magic Quadrant for Enterprise Network Firewalls,
Gartner, 14 April 2014
8. APPLICATIONS HAVE CHANGED – FIREWALLS HAVE NOT
¢ The gateway at the trust border is the right place to enforce policy control
— Sees all traffic
— Defines trust boundary
¢ But applications have changed
— Ports ≠ Applications
— IP addresses ≠ Users
— Headers ≠ Content
Figure: application categories shown on the slide (Collaboration / Media, SaaS, Personal)
Source: PaloAlto, Palo Alto Networks Product Overview
16. INFRASTRUCTURE AS A SERVICE (IAAS)
¢ Set of modular building blocks of underlying resources
¢ Services may be introduced either through dedicated appliances or
through virtual appliance implementations
¢ Cost-effective use of capital IT resources through co-hosting
¢ Better service quality through virtualization features
¢ Increased operation efficiency and agility through automation
17. SECURITY CHALLENGES IN DC
¢ Balancing business value against the protection of these highly prized targets is a
challenge
Source: Infonetics Research Report Experts: Data Center Security Strategies and Vendor
18. REQUIREMENTS FOR DC FIREWALLS
¢ Threat Prevention
— Protect against external attacks – including those routed through internal
“secure” clients
¢ Data Leakage Prevention
— Prevent confidential or unauthorized content from leaving the network
¢ Access Control
— Control access – by user or groups of users – to specific applications and
content
¢ Performance
— Minimize latency and maximize throughput to ensure business performance
is not compromised
Source: PaloAlto, Palo Alto Networks Product Overview
27. URL FILTERING
¢ Block sites based on category or reputation
¢ Based on user or user group
¢ Allow administrators to block websites hosting potentially harmful objects
¢ Allow blocking of non-business-related sites
¢ Bandwidth control for designated categories
¢ Enforcing safe search
¢ Prevent file download/upload
28. APPLICATION VISIBILITY
¢ Identification of applications using multiple factors, not only port or IP
classification
¢ Allows administrators to deploy comprehensive application usage
control policies for both inbound and outbound network traffic
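To make the "Ports ≠ Applications" point concrete, here is an added example (not code from the presentation or from any vendor product) that classifies three constructed flows twice: once by destination port alone and once by looking into the payload. The TLS ClientHello builder, the SNI parser and the SNI-to-application map are all assumptions made for the example; a real NGFW keeps a much larger signature database, but the principle of identifying the application from content before falling back to the port is the same.

```python
import struct

# --- constructed sample data: nothing here was captured from a real network ---

def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Used only to construct sample traffic for this example."""
    host = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    name_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list     # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32                               # client_version, random
            + b"\x00"                                                # session_id length 0
            + b"\x00\x02\x13\x01"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello, or None for anything else.
    Bounds errors on malformed input are treated as 'not a ClientHello'."""
    try:
        if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                     # 5 record + 4 handshake + 2 version + 32 random
        pos += 1 + payload[pos]                      # skip session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + payload[pos]                      # skip compression_methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:                           # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


# Hypothetical SNI-to-application map; a vendor product keeps a signature database here.
SNI_APPS = {"files.personal-storage.example": "personal-file-sharing",
            "meet.collab-media.example": "collaboration-video"}
PORT_APPS = {22: "ssh", 80: "web-browsing", 443: "ssl"}


def port_only(dst_port: int) -> str:
    """Classic L4 classification: the port is assumed to be the application."""
    return PORT_APPS.get(dst_port, "unknown")


def identify_application(dst_port: int, payload: bytes) -> str:
    """NGFW-style classification: inspect the payload first, fall back to the port."""
    sni = tls_sni(payload)
    if sni is not None:
        return SNI_APPS.get(sni, "ssl")              # TLS, refined further when the SNI is known
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return port_only(dst_port)


# Constructed flows: (destination port, first payload bytes the firewall sees)
SAMPLE_FLOWS = [
    (443, build_client_hello("files.personal-storage.example")),   # SaaS hidden inside "ssl"
    (8080, b"SSH-2.0-OpenSSH_9.3\r\n"),                             # ssh on a non-standard port
    (443, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),             # cleartext HTTP on 443
]


def classify_flows(flows):
    """Return (port-based verdict, payload-based verdict) for each flow."""
    return [(port_only(port), identify_application(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for (port, _), verdicts in zip(SAMPLE_FLOWS, classify_flows(SAMPLE_FLOWS)):
        print(f"dst port {port}: port says {verdicts[0]!r}, payload says {verdicts[1]!r}")
```

Each of the three flows is misjudged by the port-only view: a personal file-sharing service looks like generic SSL, SSH on 8080 is "unknown", and cleartext HTTP on 443 is reported as SSL. A port-based rule that permits 443 therefore permits all three.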
29. USER VISIBILITY
¢ Seamless integration with enterprise directory services
such as Active Directory, LDAP etc.
¢ Enables administrators to view and control application
usage based on individual users and groups of users, as
opposed to just IP addresses
¢ User information is pervasive across all features
including application and threat visibility, policy
creation, forensic investigation, and reporting
30. CONTENT VISIBILITY
¢ A scanning engine using a uniform threat signature
format detects and blocks a wide range of threats and
limits unauthorized transfer of files and sensitive data
¢ Comprehensive URL database controls non-work related
web surfing
¢ IT departments can regain control over application and
related threat traffic
33. FAILOVER – REPLICATED STATES
¢ Which features and states are replicated depends on the vendor, firmware and hardware –
check the release notes for the full list
¢ New features added with every release
34. MULTI-CONTEXT
¢ Increasingly required for regulatory compliance
¢ Each context has a separate control plane and data plane, interfaces and config memory
¢ Some features are not supported in multi-context mode
36. CLUSTERING
¢ With the new approach it is crucial to understand the data flow within the cluster in every scenario
¢ Lack of a proper data and control plane can do more harm than lack of clustering
37. TRUSTSEC
¢ Provides the ability to create policies that map end users (consumers) to data center assets (servers and applications)
¢ AAA services for a variety of external actors
38. TRUSTSEC
¢ Policy in the firewall has been expanded to include source and destination security groups that are downloaded from the ISE
40. NGIPS
Source: Gartner’s Magic Quadrant for Intrusion Prevention Systems
Adam Hils, Greg Young, Jeremy D’Hoinne , 29 December 2014
41. NGIPS
¢ Some things remain unchanged:
— Tuning is the process of ‘defining’ protections that match the environment
— Although most networks provide standard services, each implementation creates its own
challenges
— Failure to tune = failure to protect
42. NGIPS
¢ IPSs are increasingly context-aware
¢ Signatures alone are not the basis for event correlation
¢ Event correlation happens on advanced monitoring systems – the IPS
itself cannot perform it
43. NGIPS
¢ Many organizations have relied solely on access control lists and
enforcement as the only method of protecting the data center.
¢ A primary assumption is that the “authorized” user is really who they
say they are, or that the authorized user is in control of their device
that is accessing the data center
44. NGIPS
¢ One of the easiest ways for a cyber attacker to get a foothold into an
enterprise organization’s network is by installing a rootkit onto a
user’s end device.
¢ Security access control lists will allow the malware to traverse the
network into the data center
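The user-visibility slide (29), the TrustSec security-group policy slide (38) and the two NGIPS slides above make one combined point: an IP-only ACL permits whatever sits behind an "authorized" address, while a policy bound to the user or security group follows the identity. The following added example (not code from the presentation, Cisco or Palo Alto) models that with a constructed directory, an IP-to-user mapping as a firewall learns it from logon events, and invented SGT numbers of the kind a policy server such as ISE would push; all names, addresses and tag values are assumptions.

```python
import ipaddress

# Constructed directory data standing in for AD/LDAP group membership (hypothetical users).
DIRECTORY_GROUPS = {"alice": "Developers", "bob": "Finance", "svc-backup": "Backup"}

# Hypothetical Security Group Tag (SGT) numbers; in a TrustSec deployment the policy server
# (ISE) would supply them. The values and server roles here are invented for the example.
GROUP_SGT = {"Developers": 10, "Finance": 20, "Backup": 30}
SERVER_SGT = {"10.9.0.5": 100,    # 100 = DevServers   (constructed)
              "10.9.0.6": 200}    # 200 = FinanceDB    (constructed)
UNKNOWN_SGT = 0

# Policy matrix keyed on (source SGT, destination SGT) -> allowed applications.
SGT_POLICY = {
    (10, 100): {"ssh", "web-browsing"},
    (20, 200): {"mssql-db"},
    (30, 100): {"ssh"},
    (30, 200): {"ssh"},
}

# IP-only ACL for comparison: the workstation subnet may reach the server subnet.
IP_ACL = [(ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.9.0.0/24"))]


def ip_acl_allows(src_ip: str, dst_ip: str) -> bool:
    """Traditional ACL: the verdict depends only on addresses, never on who is logged in."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in IP_ACL)


class UserAwareFirewall:
    """Holds the IP-to-user mapping learned from directory logon events and evaluates
    policy on security groups rather than on addresses."""

    def __init__(self):
        self.ip_to_user = {}

    def learn_user(self, ip: str, user: str) -> None:
        """Record a logon event: `ip` is now used by `user` (replaces any older mapping)."""
        self.ip_to_user[ip] = user

    def forget_user(self, ip: str) -> None:
        """Record a logoff event: the address no longer has a known user."""
        self.ip_to_user.pop(ip, None)

    def source_sgt(self, ip: str) -> int:
        user = self.ip_to_user.get(ip)
        return GROUP_SGT.get(DIRECTORY_GROUPS.get(user), UNKNOWN_SGT)

    def evaluate(self, src_ip: str, dst_ip: str, app: str) -> str:
        """Return 'allow' or 'deny (<reason>)' for a flow identified by user, server and app."""
        src_sgt = self.source_sgt(src_ip)
        dst_sgt = SERVER_SGT.get(dst_ip, UNKNOWN_SGT)
        if src_sgt == UNKNOWN_SGT:
            return "deny (no user mapping for source)"
        if app in SGT_POLICY.get((src_sgt, dst_sgt), set()):
            return "allow"
        return f"deny (sgt {src_sgt}->{dst_sgt} does not permit {app})"


def scenario():
    """Same source IP, different logged-in user: the SGT policy follows the user, the ACL does not."""
    fw = UserAwareFirewall()
    fw.learn_user("10.1.1.10", "alice")
    results = {"alice_ssh_devserver": fw.evaluate("10.1.1.10", "10.9.0.5", "ssh")}
    fw.learn_user("10.1.1.10", "bob")             # bob logs on to the same workstation
    results["bob_ssh_devserver"] = fw.evaluate("10.1.1.10", "10.9.0.5", "ssh")
    results["bob_db_financedb"] = fw.evaluate("10.1.1.10", "10.9.0.6", "mssql-db")
    fw.forget_user("10.1.1.10")                    # logoff: the address is now anonymous
    results["nobody_ssh_devserver"] = fw.evaluate("10.1.1.10", "10.9.0.5", "ssh")
    results["acl_always"] = ip_acl_allows("10.1.1.10", "10.9.0.5")
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:24s} {verdict}")
```

The ACL answer is the same in every case because it cannot distinguish alice, bob, or nobody at 10.1.1.10; the group-based policy changes its answer as the mapping changes, and denies by default when no user is known for the address. The same structure is what lets the firewall report and investigate by user name rather than by IP.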
45. NGIPS
¢ NGIPS requirements and imperatives:
— High Availability
— Zero Downtime
— Flow survivability
— Hardware and link redundancy
— Asymmetric packet flows expected and properly handled
— Elastic scaling
— Low latency
— Manageability/visibility/orchestration
— Security and regulatory compliance
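Slide 36 warns that a cluster without a proper data and control plane can do more harm than no clustering, and the list above requires asymmetric flows to be handled. The added example below (a simplified model written for this page, not the design of any vendor's cluster) shows why: a SYN leaves through node A and the SYN/ACK comes back through node B. Whether node B can accept that mid-flow packet depends entirely on whether connection state is replicated between nodes. The zones, addresses and the state-replication mechanism (direct copying into the peer's table) are assumptions; real products use dedicated cluster control links and may redirect the packet to the owner node instead.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed: trusted side that may open connections


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def flow_key(p: Packet):
    """Direction-independent 4-tuple so a reply maps to the same entry as its request."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Cluster:
    def __init__(self, sync_states: bool):
        self.sync_states = sync_states    # whether nodes replicate connection state to peers
        self.nodes = []

    @staticmethod
    def policy_allows(p: Packet) -> bool:
        """Only flows initiated from the inside network may be opened."""
        return ipaddress.ip_address(p.src) in INSIDE


class ClusterNode:
    def __init__(self, name: str, cluster: Cluster):
        self.name = name
        self.cluster = cluster
        self.table = {}                   # flow_key -> connection state
        cluster.nodes.append(self)

    def handle(self, p: Packet) -> str:
        key = flow_key(p)
        if p.syn and not p.ack:           # connection attempt: consult policy, create state
            if not self.cluster.policy_allows(p):
                return f"{self.name}: deny (policy)"
            self.table[key] = "SYN_SENT"
            if self.cluster.sync_states:  # replicate the new entry to every peer
                for peer in self.cluster.nodes:
                    if peer is not self:
                        peer.table[key] = "SYN_SENT (synced)"
            return f"{self.name}: allow (new flow)"
        if key in self.table:             # mid-flow packet that matches known state
            if p.ack:
                self.table[key] = "ESTABLISHED"
            return f"{self.name}: allow (existing flow)"
        # Stateful inspection must not accept a packet for a connection it never saw opened.
        return f"{self.name}: drop (no state for mid-flow packet)"


def asymmetric_scenario(sync_states: bool):
    """SYN leaves through node A, the SYN/ACK returns through node B."""
    cluster = Cluster(sync_states)
    node_a, node_b = ClusterNode("A", cluster), ClusterNode("B", cluster)
    syn = Packet("10.1.1.10", 51000, "198.51.100.20", 443, syn=True)
    syn_ack = Packet("198.51.100.20", 443, "10.1.1.10", 51000, syn=True, ack=True)
    return [node_a.handle(syn), node_b.handle(syn_ack)]


if __name__ == "__main__":
    print("without state sync:", asymmetric_scenario(False))
    print("with state sync:   ", asymmetric_scenario(True))
```

Without replication the second node has to drop the reply, so every asymmetrically routed connection silently fails, which is the "more harm than no clustering" case: a single firewall would have seen both directions. With replication the reply matches state and the connection completes. The same model also shows why the control plane matters: if the replication link is lost, the cluster degrades to the first behaviour.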
54. FOCUS OF FUTURE
¢ Specific cloud service requirements and technical specifications
¢ Cloud service requirements in specific market area
¢ Cloud networking
¢ Security requirements
¢ Cloud SLA
¢ Operation and maintenance