purpose present drivers and context for firewalls define firewall technology present examples of...

Purpose

• Present Drivers and Context for Firewalls• Define Firewall Technology• Present examples of Firewall Technology• Discuss Design Issues• Discuss Service and Support Issues• Exchange Ideas and Concerns about Risk,

Security and Firewalls

NOT

• An unveiling of a firewall service at SU• A definition of a firewall service• A forum for final decisions• An exhaustive technical presentation• A specific review of SU implementations

Data

Category A

Client

Access

Security

S = 1/A

Remote

Wireless

Risk

Mitigation

Affiliation

Authentication

Authorization

Host

Firewall

Balance

Packet

Header

Source

Destination

Port

Firewall

Router

Classic

Internet

Classic DMZ Firewall Architecture

Enterprise

Rules

Permit

Deny

Established

Tiers

Web Tier(Presentation Layer)

Application Tier(Middleware Layer,

Business Logic Layer,Report Query Layer)

Internet/SUNet

Data Layer(Data Base Layer,

Data Warehouse Layer)

Sensitive DataHighest Risk if compromised

Systems with access to data layerPossible location for data that is not

highly sensitive

Web pages, presentation, no directaccess to data layer

Network Communications between tiers iscontrolled and restricted by the firewalls

TYPICAL FIREWALL DESIGN WITH MULTIPLE TIERS

Layers

Zones

Vulnerabilities

Horizontal

Vertical

Development

Production

NOT

• An unveiling of a firewall service at SU• A definition of a firewall service• A forum for final decisions• An exhaustive technical presentation• A specific review of SU implementations

Service

WORP ISOApp Support

Clients, Users, Customers, Architects

Ethernet

Data

ITSS SPOC Security Person Network Person Application Person TSS Systems Person Auditor

Server Server Server Server

Client Requests, Application Planning,Auditor Mandate

Submit a HelpSU for Review andArchitecture

Create a Cross Functional Team

Review the Application,Draw the dependencies

Fill out Application Questionnaire

Design the network infrastructure

Create a Rule SetGet Security Approval

Install the firewall infrastructureor

Install the hosts in an existing infrastructure

TestAcceptGo Live

Monitor for operationsMonitor for effectiveness

ITSS Firewall Service TypicalWorkflow

SPOC

Inventory

Questions• APPLICATION INVENTORY FOR FIREWALL• What is the name of the application?• What are the names, locations, OS types, and IP addresses of the computers that host the application? Include the TCP ports that the

application uses.• Are there unique development and/or testing environments?• If yes to #3, will the application use http or https or both?• What measures of usage do you have? Are there peak periods of usage?• Is there a web server component to the application? If yes, on which computer will it be installed?• Is there a database component to the application? If yes, on which computer(s) will it be installed?• If yes to #7, is the data sensitive University data – data that is protected by one of the Federal Privacy Acts?• If there a unique application layer that mediates between the web services and the database services? If yes, on which computer(s) will it

be installed?• Who will install, upgrade and maintain the application? These are the application supporters. • Will the application supporters need direct access to the web, application and/or database server? Will Firewall Exceptions rules be

needed to grant this access?• Are the application supporters Stanford employees or outside vendors/contractors?• How is change managed in the application? What are the maintenance windows?• Will the servers need AFS access?• Will the servers need NFS access?• Will the servers need Kerberos access?• How will the servers be backed up?• Will the servers need NTP access?• What Windows domain will the servers be using?• What type of ongoing service monitoring will be in place? • Who is the appropriate person to make Security decisions about the application?• How many users do you expect to be using the application?• What is the user authentication that will be used for the application?

Pictures

Rules

Risk

Escalation

Moves

Acceptance

Troubleshooting

VPN

Internet/SUNet

Secure Application Access via VPN Technology

VPN Client

CISC OSYST EM S

VPN ConcentratorAUTHN Challenge

Yes or No?Get an IP

H EWLE TTPACKARD

AUTHN ChallengeWhat groups are you in?

AUTHZ set

UNIVERSITY

Directory ServicesWorklgroup Services

AFS Flat Files

Radius Service

Secured SU resourcesAxess, Delphi, etc.

AUTHN andAUTHZ scripts

VPN Firewall

Connections via direct tunnelsor

via forsythemrgw

Secure transport via encryptionNo split tunnels

Monitoring

Audit

Costs

Numerator

Denominator

Risk Costs