Agenda WIN/IP-Forum
Wednesday, 19 October 2005, 9:00 – 11:00
9:00 - 9:15
Report from the WiN-Labor: Verena Venus, WiN-Labor RRZE Erlangen
9:15 - 9:30
Customer Network Management for the G-WiN, X-WiN and GEANT: Andreas Hanemann, CNM-Team LRZ München
9:30 - 10:00
StoneGate Security Platform Technical Overview: Tuukka Helander, Stonesoft Germany GmbH
10:00 - 10:30
Network security in wired and wireless environments (using HP ProCurve components as an example): Frank Eckenfels, HP Deutschland
10:30 – 11:00
Customer routers in the X-WiN: optimal use of the new offerings and more security for the access router: Henning Irgens, Dimension Data Berlin; Steffen Göpel, Dimension Data München
StoneGate Security Platform: Technical Overview
43. DFN-Betriebstagung
Tuukka Helander, Network Security Specialist
Slide 2 Copyright © 2001-2005 Stonesoft Corp. All rights reserved.
About Stonesoft
- Sound business practices
  - Established 1990
  - Listed on Helsinki Stock Exchange (HEX) since 1999
  - Debt free, strong cash position
- Recognized in Security and Business Continuity
- About 270 employees
- 22 locations in 17 countries
- Solutions sold on all the continents
Slide 3
StoneGate Security Platform
Slide 4
Traditional Network Topology
Slide 5
The Problem
Slide 6
StoneGate With High Availability
Slide 7
…Links Remain Active
Slide 8
StoneGate Architecture
- Firewall Engines: implement access control, multi-layer inspection, NAT, VPN, authentication, monitoring and logging
- StoneGate Management Center: unified concepts and notifications (Management Server, Log Server, Alert Server)
- GUI Clients: administrators use GUI clients to configure, monitor and manage the system
- IPS Analyzer: receives events (from sensors or other sources), combines the events and performs further analysis
- IPS Sensors: a sensor captures the network traffic and analyzes it
- VPN Engines: implement Multi-Link VPN, authentication, monitoring and logging
Slide 9
Supported Platforms
- Firewall/VPN gateway
  - Intel® i386, i486, i586, i686 or compatible
  - IBM® eServer zSeries™ and iSeries™
- Java-based management system
  - Microsoft® Windows® 2000, XP
  - Red Hat® Linux® Enterprise 3
  - Fedora Core 3
  - Solaris™ 8 and 9
- VPN Client
  - Microsoft® Windows® operating systems
Slide 10
Multi-Layer Inspection
- Combines three firewall technologies:
  - packet filtering
  - stateful inspection
  - application layer inspection
- Application layer security with Protocol Agents
- Security level can be chosen for each rule
- Adjustable timeouts for connections and different TCP states
Slide 11
Protocol Agent
- Handles complex protocols (e.g. FTP, Oracle, H.323), including NAT at layer 7
- Enforces protocol standards
- Redirects connections to Content Inspection Server
- Flexible and configurable
- No performance penalty like in proxy firewalls
- Independent processes, doesn't burden fwd
Slide 12
Integrated Operating System
- Operating system designed for firewall and VPN use
  - Includes only modules needed by StoneGate
  - e.g. sshd included in the standard installation, no telnetd
  - Read-only file system for critical HD areas
- No additional security patches needed
  - Patches included in StoneGate releases
- Firewalls remotely upgradeable from centralized management server
Slide 13
IPsec Compliant VPN
- Supported algorithms:
  - Cipher: AES-128, AES-256, DES, 3DES, Blowfish, Twofish, CAST-128 and NULL
  - Message Digest: MD5 and SHA-1
- Supported user authentication methods:
  - RADIUS, TACACS+ or LDAP(S) back-end protocols
  - Client certificates
  - Smart Cards (PKCS#11, PKCS#15, Microsoft CAPI)
  - USB tokens
- Built-in active traffic filter on VPN Client
  - Includes Application Security
Slide 14
Firewall/VPN Gateway Clustering
- Built-in high availability and load balancing within 2 to 16 gateways
- Evolved from StoneBeat FullCluster, which has over 8 000 installations
- Managed as a single firewall/VPN gateway
  - Configuration across a cluster is always unified
- Fully transparent to the users
Slide 15
Unicast and Multicast CVI Mode
- All nodes share the same (unicast or multicast) MAC address
  - Multicast mode can be used with IGMP
- All nodes receive all packets, but each connection is handled by one node only
- Nodes communicate over a heartbeat link
Slide 16
Dispatcher CVI Mode
- One of the nodes works as a dispatcher:
  - has the cluster MAC address
  - distributes the packets
  - can also process the packets
- A dispatcher change is announced with gratuitous ARP
- No need for switch configuration
Slide 17
Outbound ISP Load Balancing (1/3)
(Figure: client on the LAN, StoneGate, several ISPs, server on the Internet; packets shown: SYN, SYN-ACK, RST)
- The SYN packet from the client reaches StoneGate
- StoneGate replicates the SYN packet through all ISPs with different source NAT
- The server replies to all SYN packets with a SYN-ACK
- The ISP that delivers the SYN-ACK packet fastest will be used for the connection
- RST will be sent through the other ISPs
Slide 18
Outbound ISP Load Balancing (2/3)
(Figure: client on the LAN, StoneGate, several ISPs, server on the Internet)
- The fastest ISP for that destination is cached after the probing
- When a new connection to the same destination is established, the cached ISP will be used
Slide 19
Outbound ISP Load Balancing (3/3)
(Figure: client on the LAN, StoneGate, several ISPs, server on the Internet; packets shown: SYN, timeout, SYN)
- The first SYN packet is sent through the cached ISP
- If the connection times out, the client resends the SYN packet
- If the connection cannot be established through the cached ISP, the probing is done again
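The three outbound slides describe one procedure: probe every ISP with a replicated SYN, keep the fastest, reset the others, cache the result, and re-probe when the cached ISP stops answering. The following simulation is an added example, not Stonesoft code; the ISP names, NAT source addresses and round-trip times are constructed, and the server's SYN-ACK is modelled by a lookup instead of real packets.

```python
from dataclasses import dataclass, field


@dataclass
class ISP:
    name: str
    nat_source: str  # public source address used when the SYN leaves via this ISP
    rtt_ms: dict     # constructed: destination -> SYN-ACK round trip in ms, None = unreachable


@dataclass
class OutboundBalancer:
    isps: list
    cache: dict = field(default_factory=dict)  # destination -> name of the fastest ISP
    trace: list = field(default_factory=list)  # (packet, isp, source, destination) as "sent"

    def _probe(self, dst):
        """Replicate the client's SYN through every ISP, each with its own source NAT."""
        replies = []
        for isp in self.isps:
            self.trace.append(("SYN", isp.name, isp.nat_source, dst))
            rtt = isp.rtt_ms.get(dst)
            if rtt is not None:  # the server answers each SYN it receives with a SYN-ACK
                replies.append((rtt, isp))
        if not replies:
            return None
        replies.sort(key=lambda r: r[0])
        winner = replies[0][1]
        for _, loser in replies[1:]:  # tear down the surplus half-open connections
            self.trace.append(("RST", loser.name, loser.nat_source, dst))
        self.cache[dst] = winner.name  # remember the fastest ISP for this destination
        return winner.name

    def connect(self, dst):
        """Return the name of the ISP carrying a new connection to dst (None if none works)."""
        cached = self.cache.get(dst)
        if cached is not None:
            isp = next(i for i in self.isps if i.name == cached)
            self.trace.append(("SYN", isp.name, isp.nat_source, dst))
            if isp.rtt_ms.get(dst) is not None:
                return isp.name
            # No SYN-ACK: the client's retransmitted SYN triggers a fresh probe
            self.trace.append(("timeout", isp.name, isp.nat_source, dst))
            del self.cache[dst]
        return self._probe(dst)
```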
Slide 20
Inbound ISP Load Balancing (1/3)
(Figure: client on the Internet, DNS server, StoneGate, server in the DMZ)
- Client performs a DNS lookup
- DNS server returns multiple IP addresses, one for each ISP
- The client connects to the server by using one of the given IP addresses
- StoneGate translates the IP address to the private address of the server
- Return packets are routed via the same ISP
Slide 21
Inbound ISP Load Balancing (2/3)
(Figure: client on the Internet, DNS server, StoneGate, server in the DMZ)
- Typically the client can use another one of the given IP addresses if the connection cannot be established using the first one
Slide 22
Inbound ISP Load Balancing (3/3)
(Figure: StoneGate pinging through each ISP, DDNS update to the DNS server, server in the DMZ)
- StoneGate probes all ISPs periodically to ensure connectivity
- Probing is done by pinging defined IP addresses
- If ping fails, the ISP is considered to be down, and StoneGate sends a DDNS update to remove the corresponding IP address(es)
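The three inbound slides combine one public address per ISP, translation to the server's private address with replies leaving via the ISP they arrived on, and periodic ping probing that withdraws an ISP's record through DDNS. This is an added example rather than Stonesoft code: the ISP names, addresses and probe targets are constructed, the ping is an injected callable so it runs offline, and re-adding a record once the ping succeeds again is an assumption the slides do not state.

```python
from dataclasses import dataclass


@dataclass
class InboundLink:
    isp: str
    public_ip: str     # address published in DNS for the server via this ISP
    probe_target: str  # constructed: address that is pinged to verify the ISP is reachable


class InboundBalancer:
    def __init__(self, links, server_private_ip, ping):
        self.links = links
        self.server = server_private_ip
        self.ping = ping                # callable(address) -> bool, injected so this runs offline
        self.dns_records = {l.public_ip for l in links}  # what the DNS server currently answers
        self.connections = {}           # (client, public_ip) -> ISP, so replies use the same ISP

    def probe(self):
        """Periodic probe: withdraw the record of an ISP whose ping fails (DDNS update).
        Restoring the record when the ping succeeds again is an assumption of this example."""
        updates = []
        for link in self.links:
            reachable = self.ping(link.probe_target)
            if not reachable and link.public_ip in self.dns_records:
                self.dns_records.discard(link.public_ip)
                updates.append(("remove", link.public_ip))
            elif reachable and link.public_ip not in self.dns_records:
                self.dns_records.add(link.public_ip)
                updates.append(("add", link.public_ip))
        return updates

    def inbound(self, client, dst_public):
        """Translate the public address the client picked to the server's private address
        and remember which ISP the connection arrived on."""
        link = next((l for l in self.links if l.public_ip == dst_public), None)
        if link is None:
            return None
        self.connections[(client, dst_public)] = link.isp
        return self.server, link.isp

    def reply_isp(self, client, dst_public):
        """Return packets are routed via the ISP the connection came in on."""
        return self.connections.get((client, dst_public))
```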
Slide 23
Server Load Balancing
(Figure: firewall monitoring servers with Ping and the Monitoring Agent protocol)
- Connections are balanced based on server availability
- Firewall monitors servers using Ping or Monitoring Agent
- Can be used with Multi-Linking
Slide 24
Multi-Link VPN (1/2)
(Figure: Site A with ISP A, ISP B, ISP C; Site B with ISP X, ISP Y; tunnels across the Internet)
- Multi-Link VPN creates subtunnels using each possible combination of end-point IP addresses
- Multi-Link monitors the status and performance of all subtunnels and allocates traffic based on that
- If a subtunnel fails, traffic will be failed over to other subtunnels
Slide 25
Multi-Link VPN (2/2)
(Figure: Site A with ISP A, ISP B, ISP C; Site B with ISP X, ISP Y; Internet and a leased line between the sites)
- Also IP based private links can be used as a part of the Multi-Link VPN
- Links can be defined as backup links
  - Also applies to ISPs
- Backup links will be used only if all primary links fail
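The two Multi-Link VPN slides together describe subtunnels built from every combination of end-point addresses, allocation by measured status and performance, failover between subtunnels, and backup links (including a leased line) that carry traffic only when all primary links fail. The code below is an added example and not Stonesoft code; the site addresses and round-trip measurements are constructed, and using the lowest measured RTT as the "performance" metric is an assumption, since the slides do not name the metric.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Subtunnel:
    local: str    # end-point address at the local site
    remote: str   # end-point address at the remote site
    backup: bool  # True when either end uses a link defined as backup


def build_subtunnels(local_endpoints, remote_endpoints):
    """One subtunnel per combination of local and remote end-point addresses.
    Each end-point is (address, is_backup_link)."""
    return [Subtunnel(l, r, lb or rb)
            for (l, lb), (r, rb) in product(local_endpoints, remote_endpoints)]


def usable_subtunnels(subtunnels, measured):
    """measured maps (local, remote) -> measured round trip in ms, None when the
    subtunnel is down. Backup subtunnels are offered only if every primary one has failed."""
    up = [t for t in subtunnels if measured.get((t.local, t.remote)) is not None]
    primaries = [t for t in up if not t.backup]
    return primaries if primaries else [t for t in up if t.backup]


def pick_subtunnel(subtunnels, measured):
    """Allocate a new flow to the best performing usable subtunnel (lowest RTT is an
    assumption of this example; the slides only say status and performance are used)."""
    usable = usable_subtunnels(subtunnels, measured)
    if not usable:
        return None
    return min(usable, key=lambda t: measured[(t.local, t.remote)])
```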
Slide 26
Hassle-free Engine Installation
- 5 minute installation
  - StoneGate installed as a single package
- No need to separately install and harden the OS
- No need to install an add-on HA solution
- Turns a standard server into a firewall/VPN appliance after a short installation wizard
Slide 27
Automating Alert Escalation
- Alert Center allows defining with a rule base how alerts are forwarded, escalated and acknowledged
Slide 28
Reporting
Slide 29
Remote Upgrade
- Upgrade through GUI
  - No local physical action needed
- Only delta is sent
  - Secured through TLS connection and checksum
- Old version operative until new one ready
  - Version roll-back possible
Slide 30
Remote OS Management
- Interface configuration
  - VLAN tagging (IEEE 802.1q)
  - Dynamic IP
  - DHCP Relay
- Static routes
  - IP multicast and policy routing supported
- ARP entries
  - Automatically generated for NAT
- Syslog comes into the firewall log
Slide 31
Routing and Anti-spoofing
- Drag and drop static routes, and anti-spoofing rules will be automatically generated
Slide 32
Rule Base Templates
- Security policies are based on templates
  - Inherited rules cannot be modified in the policies
  - Policies follow the template changes automatically
Slide 33
Sub Rule Bases
- Set of rules which share some common component
  - skip all sub-rules if the Jump rule does not match
  - e.g. all HTTP related rules in one sub-rule base
Slide 34
Logging
- Log data sent to the Log Server
  - Stored locally on the firewall if the log server cannot be connected
- Informative and user friendly log browsing
- Powerful log data management tools
Slide 35
Reference: RWTH Aachen
- Dynamic Load Balancing
- Scalability
- Transparent Failover
- Convenient Management
- Software solution upgradeable to 10Gbps environment
Slide 36
Office Central Region
Stonesoft Germany GmbH
Lyoner Str. 15
60528 Frankfurt am Main
Tel: +49-69-4272968-0
Fax: +49-69-4272968-99
E-mail: info.germany@stonesoft.com
Website: www.stonesoft.com