
Agenda WIN/IP-Forum - DFN · 2005-10-21 · Tuukka Helander, Stonesoft Germany GmbH 10:00 - 10:30 Network Security in wired and wireless environments (using HP ProCurve


Agenda WIN/IP-Forum

Wednesday 19.10.2005, 9:00 - 11:00

9:00 - 9:15: Report of the WiN-Labor
Verena Venus, WiN-Labor RRZE Erlangen

9:15 - 9:30: Customer Network Management for G-WiN, X-WiN and GEANT
Andreas Hanemann, CNM-Team LRZ München

9:30 - 10:00: StoneGate Security Platform Technical Overview
Tuukka Helander, Stonesoft Germany GmbH

10:00 - 10:30: Network Security in wired and wireless environments (using HP ProCurve components as an example)
Frank Eckenfels, HP Deutschland

10:30 - 11:00: Customer routers in the X-WiN - optimal use of the new offerings and more security for the access router
Henning Irgens, Dimension Data Berlin
Steffen Göpel, Dimension Data München

Slide 1: StoneGate Security Platform Technical Overview

43rd DFN-Betriebstagung
Tuukka Helander, Network Security Specialist

Slide 2 Copyright © 2001-2005 Stonesoft Corp. All rights reserved.

About Stonesoft

- Sound business practices
- Established 1990
- Listed on the Helsinki Stock Exchange (HEX) since 1999
- Debt free, strong cash position
- Recognized in Security and Business Continuity
- About 270 employees
- 22 locations in 17 countries
- Solutions sold on all the continents

Slide 3: StoneGate Security Platform

Slide 4: Traditional Network Topology

Slide 5: The Problem

Slide 6: StoneGate With High Availability

Slide 7: …Links Remain Active

Slide 8: StoneGate Architecture

- Firewall Engines: implement access control, multi-layer inspection, NAT, VPN, authentication, monitoring and logging
- StoneGate Management Center: unified concepts and notifications
- Management Server, Log Server, Alert Server
- GUI Clients: administrators use GUI clients to configure, monitor and manage the system
- IPS Analyzer: receives events (from sensors or other sources), combines the events and makes further analysis
- IPS Sensors: a sensor captures the network traffic and analyzes it
- VPN Engines: implement Multi-Link VPN, authentication, monitoring and logging

Slide 9: Supported Platforms

- Firewall/VPN gateway: Intel® i386, i486, i586, i686 or compatible; IBM® eServer zSeries™ and iSeries™
- Java-based management system: Microsoft® Windows® 2000, XP; Red Hat® Linux® Enterprise 3; Fedora Core 3; Solaris™ 8 and 9
- VPN Client: Microsoft® Windows® operating systems

Slide 10: Multi-Layer Inspection

- Combines three firewall technologies: packet filtering, stateful inspection and application layer inspection
- Application layer security with Protocol Agents
- Security level can be chosen for each rule
- Adjustable timeouts for connections and for the different TCP states

Slide 11: Protocol Agent

- Handles complex protocols (e.g. FTP, Oracle, H.323), including NAT at layer 7
- Enforces protocol standards
- Redirects connections to a Content Inspection Server
- Flexible and configurable
- No performance penalty like in proxy firewalls
- Independent processes, so they do not burden fwd

Slide 12: Integrated Operating System

- Operating system designed for firewall and VPN use
- Includes only modules needed by StoneGate; e.g. sshd is included in the standard installation, telnetd is not
- Read-only file system for critical HD areas
- No additional security patches needed: patches are included in StoneGate releases
- Firewalls remotely upgradeable from the centralized management server

Slide 13: IPsec Compliant VPN

- Supported algorithms:
  - Cipher: AES-128, AES-256, DES, 3DES, Blowfish, Twofish, CAST-128 and NULL
  - Message digest: MD5 and SHA-1
- Supported user authentication methods:
  - RADIUS, TACACS+ or LDAP(S) back-end protocols
  - Client certificates
  - Smart cards (PKCS#11, PKCS#15, Microsoft CAPI)
  - USB tokens
- Built-in active traffic filter on the VPN Client
- Includes Application Security

Slide 14: Firewall/VPN Gateway Clustering

- Built-in high availability and load balancing within 2 to 16 gateways
- Evolved from StoneBeat FullCluster, which has over 8 000 installations
- Managed as a single firewall/VPN gateway
- Configuration across a cluster is always unified
- Fully transparent to the users

Slide 15: Unicast and Multicast CVI Mode

- All nodes share the same (unicast or multicast) MAC address
- Multicast mode can be used with IGMP
- All nodes receive all packets, but each connection is handled by one node only
- Nodes communicate over a heartbeat link

Slide 16: Dispatcher CVI Mode

- One of the nodes works as a dispatcher: it has the cluster MAC address, distributes the packets, and can also process the packets
- A dispatcher change is announced with gratuitous ARP
- No need for switch configuration

Slide 17: Outbound ISP Load Balancing (1/3)

(Diagram: Client on the LAN, StoneGate with several ISP links to the Internet, Server; packets labelled SYN, SYN-ACK and RST)

- The SYN packet from the client reaches StoneGate
- StoneGate replicates the SYN packet through all ISPs with different source NAT
- The server replies to all SYN packets with a SYN-ACK
- The ISP that delivers the SYN-ACK packet fastest will be used for the connection
- RST will be sent through the other ISPs

Slide 18: Outbound ISP Load Balancing (2/3)

(Diagram: Client on the LAN, StoneGate, Internet, Server)

- The fastest ISP for that destination is cached after the probing
- When a new connection to the same destination is established, the cached ISP will be used

Slide 19: Outbound ISP Load Balancing (3/3)

(Diagram: Client on the LAN, StoneGate, Internet, Server; the first SYN times out and the client resends it)

- The first SYN packet is sent through the cached ISP
- If the connection times out, the client resends the SYN packet
- If the connection cannot be established through the cached ISP, the probing is done again
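The three outbound slides describe one algorithm: probe a new destination through every ISP, cache the winner, and re-probe when the cached ISP stops delivering. The following simulation is an added example and not Stonesoft code; the ISP names, NAT addresses and latencies are constructed, and "sending" a packet only appends to an audit list.

```python
"""Simulation of the outbound ISP load balancing described on slides 17-19.

Every new destination is probed by replicating the client's SYN through all
ISPs, each with its own source NAT address; the ISP whose SYN-ACK arrives
first is cached for that destination and the other half-open attempts are
reset.  A later connection that times out through the cached ISP triggers a
fresh probe.  All latencies below are constructed values, not measurements.
"""
from dataclasses import dataclass, field


@dataclass
class Isp:
    name: str
    nat_source: str                              # public address used for source NAT
    rtt_ms: dict = field(default_factory=dict)   # dest -> SYN-ACK delay, None = no reply

    def syn_ack_delay(self, dest):
        return self.rtt_ms.get(dest)


@dataclass
class OutboundBalancer:
    isps: list
    cache: dict = field(default_factory=dict)    # dest -> name of fastest ISP
    events: list = field(default_factory=list)   # audit trail of packets sent

    def probe(self, dest):
        """Replicate the SYN through every ISP; the fastest SYN-ACK wins."""
        replies = {}
        for isp in self.isps:
            self.events.append(f"SYN {isp.nat_source}->{dest} via {isp.name}")
            delay = isp.syn_ack_delay(dest)
            if delay is not None:
                replies[isp.name] = delay
        if not replies:
            raise ConnectionError(f"no ISP can reach {dest}")
        best = min(replies, key=replies.get)
        for name in replies:
            if name != best:           # tear down the losing half-open connections
                self.events.append(f"RST {dest} via {name}")
        self.cache[dest] = best
        return best

    def connect(self, dest):
        """Use the cached ISP if there is one; re-probe when it times out."""
        cached = self.cache.get(dest)
        if cached is None:
            return self.probe(dest)
        isp = next(i for i in self.isps if i.name == cached)
        self.events.append(f"SYN {isp.nat_source}->{dest} via {isp.name}")
        if isp.syn_ack_delay(dest) is not None:
            return cached
        self.events.append(f"timeout {dest} via {cached}, client resends SYN")
        return self.probe(dest)


def demo():
    """Constructed scenario: three ISPs, one destination; ISP B is fastest, then fails."""
    server = "198.51.100.80"
    isp_a = Isp("ISP A", "203.0.113.1", {server: 30})
    isp_b = Isp("ISP B", "203.0.113.65", {server: 12})
    isp_c = Isp("ISP C", "203.0.113.129", {server: None})   # ISP C cannot reach it
    lb = OutboundBalancer([isp_a, isp_b, isp_c])
    first = lb.connect(server)        # probes all three, caches ISP B
    second = lb.connect(server)       # cache hit, no probe
    isp_b.rtt_ms[server] = None       # ISP B link goes down
    third = lb.connect(server)        # timeout -> re-probe -> ISP A
    return first, second, third, lb


if __name__ == "__main__":
    f, s, t, lb = demo()
    print(f, s, t)
    print("\n".join(lb.events))
```

The audit list makes the cost of the scheme visible: every first contact with a destination costs one SYN per ISP plus an RST per losing ISP, which is what a defender would expect to see as short-lived half-open connections in the server's logs, and why the per-destination cache matters.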

Slide 20: Inbound ISP Load Balancing (1/3)

(Diagram: Client on the Internet, DNS Server, StoneGate with several ISP links, Server in the DMZ)

- Client performs a DNS lookup
- DNS server returns multiple IP addresses, one for each ISP
- The client connects to the server by using one of the given IP addresses
- StoneGate translates the IP address to the private address of the server
- Return packets are routed via the same ISP

Slide 21: Inbound ISP Load Balancing (2/3)

(Diagram: Client on the Internet, DNS Server, StoneGate, Server in the DMZ)

- Typically the client can use another one of the given IP addresses if the connection cannot be established using the first one

Slide 22: Inbound ISP Load Balancing (3/3)

(Diagram: StoneGate pings through each ISP towards the Internet and sends DDNS updates to the DNS Server; Server in the DMZ)

- StoneGate probes all ISPs periodically to ensure connectivity
- Probing is done by pinging defined IP addresses
- If the ping fails, the ISP is considered to be down, and StoneGate sends a DDNS update to remove the corresponding IP address(es)
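The inbound mechanism on slides 20 to 22 combines three pieces: one published address per ISP, destination NAT to the private server with replies pinned to the same ISP, and a ping-driven DDNS update that withdraws the address of a failed ISP. The simulation below is an added example, not Stonesoft code; the DNS zone is a dictionary, the ping result is a flag, and all addresses and the hostname are constructed.

```python
"""Simulation of inbound ISP load balancing as described on slides 20-22.

The DNS server publishes one public address for the service per ISP, the
firewall translates whichever public address the client picked to the server's
private address and routes the reply via the same ISP, and a periodic probe
removes the address of an ISP whose ping target stops answering by sending a
DDNS update (and adds it back once the ISP recovers).  The DNS zone and the
ping results are constructed stand-ins, not a real resolver or ICMP.
"""
from dataclasses import dataclass, field


@dataclass
class IspLink:
    name: str
    public_ip: str           # address published in DNS for this ISP
    probe_target: str        # defined IP address that is pinged to test the ISP
    reachable: bool = True   # constructed stand-in for the ping result


@dataclass
class InboundBalancer:
    hostname: str
    server_private_ip: str
    links: list
    zone: dict = field(default_factory=dict)          # hostname -> set of A records
    ddns_updates: list = field(default_factory=list)  # updates sent to the DNS server
    probe_log: list = field(default_factory=list)

    def __post_init__(self):
        # Initially every ISP's public address is published for the service.
        self.zone[self.hostname] = {link.public_ip for link in self.links}

    def ping(self, link):
        result = "ok" if link.reachable else "fail"
        self.probe_log.append(f"ping {link.probe_target} via {link.name}: {result}")
        return link.reachable

    def probe_all(self):
        """Periodic connectivity check; reconcile DNS with the ISPs that answer."""
        records = self.zone[self.hostname]
        for link in self.links:
            if self.ping(link):
                if link.public_ip not in records:
                    records.add(link.public_ip)
                    self.ddns_updates.append(("add", self.hostname, link.public_ip))
            elif link.public_ip in records:
                records.discard(link.public_ip)
                self.ddns_updates.append(("delete", self.hostname, link.public_ip))
        return sorted(records)

    def resolve(self):
        """What a client's DNS lookup returns: one address per healthy ISP."""
        return sorted(self.zone[self.hostname])

    def translate(self, dest_public_ip):
        """Destination NAT for an inbound connection: (private server, ISP used for replies)."""
        for link in self.links:
            if link.public_ip == dest_public_ip:
                return self.server_private_ip, link.name
        raise KeyError(f"{dest_public_ip} is not a published address")


def demo():
    links = [
        IspLink("ISP A", "203.0.113.10", "203.0.113.1"),
        IspLink("ISP B", "198.51.100.10", "198.51.100.1"),
        IspLink("ISP C", "192.0.2.10", "192.0.2.1"),
    ]
    lb = InboundBalancer("www.example.org", "10.10.0.5", links)
    before = lb.resolve()
    links[1].reachable = False           # ISP B's ping target stops answering
    after = lb.probe_all()
    links[1].reachable = True            # ISP B recovers
    recovered = lb.probe_all()
    return before, after, recovered, lb


if __name__ == "__main__":
    before, after, recovered, lb = demo()
    print(before, after, recovered, lb.ddns_updates, sep="\n")
```

A practical caveat the simulation makes obvious: withdrawing a record only helps clients whose resolvers have not cached the old answer, so the TTL on these records bounds how long clients keep trying the dead ISP, and the DDNS update channel itself needs authentication (TSIG or equivalent) so that only the firewall can rewrite the zone.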

Slide 23: Server Load Balancing

(Diagram: firewall monitoring the servers via Ping and the Monitoring Agent protocol)

- Connections are balanced based on server availability
- Firewall monitors servers using Ping or Monitoring Agent
- Can be used with Multi-Linking

Slide 24: Multi-Link VPN (1/2)

(Diagram: Site A with ISP A, ISP B and ISP C; Site B with ISP X and ISP Y; Internet between them)

- Multi-Link VPN creates subtunnels using each possible combination of end-point IP addresses
- Multi-Link monitors the status and performance of all subtunnels and allocates traffic based on that
- If a subtunnel fails, traffic will be failed over to other subtunnels

Slide 25: Multi-Link VPN (2/2)

(Diagram: Site A with ISP A, ISP B and ISP C; Site B with ISP X and ISP Y; a leased line between the sites in addition to the Internet)

- Also IP-based private links can be used as a part of the Multi-Link VPN
- Links can be defined as backup links; this also applies to ISPs
- Backup links will be used only if all primary links fail
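Slides 24 and 25 together define a selection rule: enumerate every end-point combination as a subtunnel, monitor them, send traffic over the best one that is up, and touch backup links only when no primary subtunnel is left. The code below is an added example and not Stonesoft's implementation; site addresses, the leased-line addresses and the latency table are constructed, and the "probe" just reads that table.

```python
"""Simulation of Multi-Link VPN subtunnel selection (slides 24-25).

A subtunnel exists for every combination of Site A and Site B end-point
addresses; a monitor records each subtunnel's status and measured latency and
traffic goes to the best subtunnel that is up.  Links marked as backup (the
leased line here) are only used once every primary subtunnel has failed.
Endpoint addresses and latencies are constructed for the example.
"""
from itertools import product


def build_subtunnels(site_a_endpoints, site_b_endpoints):
    """One subtunnel per (A endpoint, B endpoint) pair."""
    return list(product(site_a_endpoints, site_b_endpoints))


def monitor(subtunnels, probe):
    """probe(subtunnel) returns measured latency in ms, or None if the subtunnel is down."""
    return {tunnel: probe(tunnel) for tunnel in subtunnels}


def choose_subtunnel(status, backup_endpoints):
    """Best primary subtunnel that is up; fall back to backup subtunnels only if none is."""
    up = [t for t, latency in status.items() if latency is not None]
    primary = [t for t in up if t[0] not in backup_endpoints and t[1] not in backup_endpoints]
    candidates = primary or up          # backups considered only when no primary is usable
    if not candidates:
        return None
    return min(candidates, key=lambda t: status[t])


def demo():
    site_a = {"ISP A": "203.0.113.10", "ISP B": "198.51.100.10", "leased": "10.255.0.1"}
    site_b = {"ISP X": "192.0.2.10", "ISP Y": "192.0.2.74", "leased": "10.255.0.2"}
    backup = {site_a["leased"], site_b["leased"]}
    tunnels = build_subtunnels(site_a.values(), site_b.values())

    # Constructed link state: ISP end-points reach each other over the Internet,
    # the leased line only reaches its own far end; other combinations have no route.
    latency = {
        ("203.0.113.10", "192.0.2.10"): 25, ("203.0.113.10", "192.0.2.74"): 40,
        ("198.51.100.10", "192.0.2.10"): 18, ("198.51.100.10", "192.0.2.74"): 33,
        ("10.255.0.1", "10.255.0.2"): 5,
    }
    down = set()

    def probe(tunnel):
        if tunnel[0] in down or tunnel[1] in down:
            return None
        return latency.get(tunnel)      # unroutable combinations show up as down

    best_all_up = choose_subtunnel(monitor(tunnels, probe), backup)
    down.add("198.51.100.10")           # ISP B fails: traffic fails over to ISP A
    best_after_failover = choose_subtunnel(monitor(tunnels, probe), backup)
    down.add("203.0.113.10")            # all primary links down: leased line is used
    best_on_backup = choose_subtunnel(monitor(tunnels, probe), backup)
    return len(tunnels), best_all_up, best_after_failover, best_on_backup


if __name__ == "__main__":
    print(demo())
```

Note that the leased line has the lowest latency in the table yet is never chosen while any Internet subtunnel is up, which is exactly the "backup links only if all primary links fail" rule; a performance-based allocator would have to be told explicitly about the backup flag, as this one is.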

Slide 26: Hassle-free Engine Installation

- 5 minute installation
- StoneGate installed as a single package
- No need to separately install and harden the OS
- No need to install an add-on HA solution
- Turns a standard server into a firewall/VPN appliance after a short installation wizard

Slide 27: Automating Alert Escalation

- Alert Center allows defining with a rule base how alerts are forwarded, escalated and acknowledged

Slide 28: Reporting

Slide 29: Remote Upgrade

- Upgrade through the GUI; no local physical action needed
- Only the delta is sent
- Secured through a TLS connection and checksum
- Old version operative until the new one is ready
- Version roll-back possible

Slide 30: Remote OS Management

- Interface configuration: VLAN tagging (IEEE 802.1q), dynamic IP, DHCP relay
- Static routes; IP multicast and policy routing supported
- ARP entries, automatically generated for NAT
- Syslog comes into the firewall log

Slide 31: Routing and Anti-spoofing

- Drag and drop static routes, and anti-spoofing rules will be automatically generated
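Deriving anti-spoofing rules from the routing table works because the routing table already says which interface each prefix lives behind: a packet whose source address would be routed out of a different interface than the one it arrived on cannot be genuine. The following is an added example of that reverse-path check, not Stonesoft's rule generator; the routes, interface names and packets are constructed.

```python
"""Reverse-path anti-spoofing rules derived from a static routing table, the
idea shown on slide 31.  The interface the firewall would use to reach an
address is the only interface that may legitimately carry packets from that
address; a packet arriving elsewhere has a spoofed source and is dropped.
Routes and packets below are constructed for the example.
"""
import ipaddress


def generate_anti_spoofing_rules(routes):
    """routes: iterable of (prefix, interface).  Returns {interface: [networks]},
    the source prefixes each interface is allowed to carry (display form; the
    enforcement below uses longest-prefix matching so overlaps resolve correctly)."""
    allowed = {}
    for prefix, iface in routes:
        allowed.setdefault(iface, []).append(ipaddress.ip_network(prefix))
    return allowed


def render_rules(routes):
    """Human-readable rule list, one line per (interface, prefix)."""
    return [f"allow source {net} on {iface}"
            for iface, nets in sorted(generate_anti_spoofing_rules(routes).items())
            for net in nets]


def best_route(routes, address):
    """Longest-prefix match, the same lookup forwarding uses."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes]
    matches = [(net, iface) for net, iface in matches if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def check_source(routes, ingress_iface, src_ip):
    """Accept the packet only if its source would be routed back out of the
    interface it arrived on."""
    route = best_route(routes, src_ip)
    if route is None:
        return "drop: no route for source"
    _, iface = route
    if iface != ingress_iface:
        return f"drop: spoofed source {src_ip} on {ingress_iface} (belongs to {iface})"
    return "accept"


# Constructed routing table: default route to the Internet, LAN, DMZ, and one
# more specific LAN subnet that is actually reached through the DMZ interface.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.1.0.0/16", "eth1"),
    ("192.168.5.0/24", "eth2"),
    ("10.1.99.0/24", "eth2"),
]


if __name__ == "__main__":
    print("\n".join(render_rules(ROUTES)))
    for iface, src in [("eth0", "10.1.2.3"), ("eth1", "10.1.2.3"),
                       ("eth1", "10.1.99.7"), ("eth0", "8.8.8.8")]:
        print(iface, src, "->", check_source(ROUTES, iface, src))
```

The last two packets show why longest-prefix matching matters: 10.1.99.7 is inside the LAN's /16, but the /24 route says it lives behind the DMZ interface, so a packet with that source arriving on the LAN interface is still rejected. Any time a static route is added or moved, the anti-spoofing rules have to be regenerated from the new table, which is the point of deriving them automatically.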

Slide 32: Rule Base Templates

- Security policies are based on templates
- Inherited rules cannot be modified in the policies
- Policies follow the template changes automatically

Slide 33: Sub Rule Bases

- A set of rules which share some common component, e.g. all HTTP related rules in one sub rule base
- All sub-rules are skipped if the Jump rule does not match
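Slides 32 and 33 describe two structural features of the rule base: rules inherited from a template that a policy cannot edit, and Jump rules whose sub rule base is only examined when the Jump rule matches. The evaluator below is an added example, not StoneGate's policy engine; the rules, addresses and services are constructed, and the choice to continue with the next main rule when nothing in a sub rule base matches is an assumption of this example.

```python
"""A small rule base evaluator illustrating slides 32-33: a policy inherits
locked rules from a template, and a Jump rule leads into a sub rule base that
is skipped entirely when the Jump rule itself does not match.  Continuing
with the next main rule when nothing in the sub rule base matches is an
assumption of this example.  Rules and packets are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    service: str             # e.g. "tcp/80" or "any"
    action: str              # "allow", "discard" or "jump"
    sub_rules: tuple = ()    # the sub rule base, used only with action "jump"
    inherited: bool = False  # True for rules that came from the template

    def matches(self, pkt):
        def in_net(spec, ip):
            return spec == "any" or ip_address(ip) in ip_network(spec)
        return (in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])
                and self.service in ("any", pkt["service"]))


def policy_from_template(template_rules, own_rules):
    """Inherited rules come first and are marked so they cannot be edited."""
    return [replace(r, inherited=True) for r in template_rules] + list(own_rules)


def edit_rule(policy, index, new_rule):
    if policy[index].inherited:
        raise PermissionError("inherited rules cannot be modified in the policy")
    policy[index] = new_rule


def evaluate(rules, pkt, trace=None):
    """First matching rule decides.  Returns (action, list of rules examined)."""
    trace = [] if trace is None else trace
    for rule in rules:
        trace.append(rule)
        if not rule.matches(pkt):
            continue                    # a non-matching Jump skips its whole sub rule base
        if rule.action != "jump":
            return rule.action, trace
        action, _ = evaluate(rule.sub_rules, pkt, trace)
        if action is not None:
            return action, trace
    return None, trace


HTTP_SUB_RULES = (
    Rule("any", "10.0.1.0/24", "tcp/80", "allow"),     # web servers in the DMZ
    Rule("any", "any", "tcp/80", "discard"),            # HTTP to anything else
)
TEMPLATE = (Rule("any", "10.0.0.1/32", "tcp/22", "discard"),)   # protect the management address
POLICY = policy_from_template(TEMPLATE, [
    Rule("any", "any", "tcp/80", "jump", HTTP_SUB_RULES),
    Rule("10.0.2.0/24", "any", "any", "allow"),         # LAN may go anywhere else
    Rule("any", "any", "any", "discard"),
])


def decide(src, dst, service):
    """Returns (action, number of rules examined) for one packet."""
    action, trace = evaluate(POLICY, {"src": src, "dst": dst, "service": service})
    return action, len(trace)


if __name__ == "__main__":
    print(decide("198.51.100.7", "10.0.1.10", "tcp/80"))   # allowed inside the sub rule base
    print(decide("198.51.100.7", "10.0.1.10", "tcp/25"))   # Jump misses, sub rules never examined
    try:
        edit_rule(POLICY, 0, Rule("any", "any", "tcp/22", "allow"))
    except PermissionError as e:
        print("edit refused:", e)
```

The examined-rule count shows the Jump rule doing its job: the SMTP packet is decided after four rule checks and never enters the HTTP sub rule base, while an HTTP packet is decided inside it. The locked template rule sits above the policy's own LAN allow rule, so a policy author cannot accidentally open the management address.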

Slide 34: Logging

- Log data is sent to the Log Server
- Stored locally on the firewall if the Log Server cannot be connected
- Informative and user-friendly log browsing
- Powerful log data management tools

Slide 35: Reference: RWTH Aachen

- Dynamic load balancing
- Scalability
- Transparent failover
- Convenient management
- Software solution upgradeable to a 10Gbps environment

Slide 36: Office Central Region

Stonesoft Germany GmbH
Lyoner Str. 15
60528 Frankfurt am Main

Tel: +49-69-4272968-0
Fax: +49-69-4272968-99
E-mail [email protected]
www.stonesoft.com