MULTI 100GB CAMPUS NGFW: WHEN IPTABLES ISN'T ENOUGH
INTRO
Jason Sullivan
Network Security Architect @ UITS
CCIE #60763
CCDP
CCNP x2
AWS Network Specialist
AWS Associate Architect
AGENDA
o Network Firewall Evolution
o Design Considerations
o Scaling/Fault-Tolerance
o Campus Architectures
o UTM (Unified Threat Management)
o Performance Degradation
o Netops vs. Secops
o IDS
FIREWALL/ROUTER POLICY EVOLUTION
MOST BASIC IMPLEMENTATIONS OF PACKET FILTERING
NEXT-GENERATION FIREWALL TECHNOLOGIES
ESTABLISHED REFLEXIVE CBAC ZBF
• Completely stateless filters (unidirectional ACLs)
• ACLs supporting the 'established' argument permit some return traffic (TCP)
• 'Reflection' of egress (out) connection information to the ingress interface, permitting return traffic (TCP/UDP)
• 'Inspection' of protocol data (~175 protocols/services)
• MQC (Modular QoS CLI) enabled policy via 'Zoning' (Zone Based Firewalls)
[Diagram: ZBF example. OUTSIDE-HOST 200.1.1.1 (OUT) sending ICMP ECHO to 100.1.1.2 (IN); server return traffic dropped]
SECURITY APPLIANCE EVOLUTION
§ Connection maintenance (state table)
§ protocol inspections (http/ftp/dns)
§ Basic ALG (fixup) support
§ Deep Packet Inspection (fixed/module)
§ Application Identification (AppID/ODP)
§ IPS
§ Malware (security intelligence)
§ Local and off-box analysis
NGFW DETECTION
FIREWALL SCALING AND DESIGN CONSIDERATIONS
ROUTED/TRANSPARENT
CONTROL-PLANE ENHANCEMENTS
CAMPUS DEPLOYMENTS
RTR VS. FIREWALL
Router
¡ Forwarding latency measured in milliseconds
¡ Basic Policy via TCAM
¡ Optimized line cards forward via hardware
¡ Cheap(er)
NGFW
¡ Stateful
¡ Rich policy enforcement via Application Identification
¡ Deep packet analysis
¡ Identity Based Access
¡ Logging
¡ Event Correlation
RTR OR TRANSPARENT FIREWALL (...INLINE-SET?)
Routed / Transparent (bridge) / InlineSet
[Diagram: Routed mode. INSIDE (Eth0/0) 10.1.1.0/24 and OUTSIDE (Eth0/1) 200.1.1.0/24 with transit links x.x.x.0/30 and x.x.y.0/30; FW's RIB: 10.1.1.0/24 via Eth0/0, 20.1.1.0/24 via Eth0/1]
[Diagram: Transparent (bridge) mode. INSIDE (vl50) and OUTSIDE (vl55) share 5.5.5.0/24; L3 IFC on vl55 5.5.5.1/24]
[Diagram: InlineSet/Bump-on-Wire (true pass-through) between Eth0/0 and Eth0/1]
Spanned-EtherChannel via cLACP requires a shared forwarding plane (VSS/vPC)
Individual interface mode can create asymmetric conditions – group into the same security zone
[Diagram: Internet Edge / Campus Edge. EDGE-A and EDGE-B (SUP/NetMods), each peering with BGP Peer-A and BGP Peer-B; Po10 nameif Outside, sec-level 0; Po20 nameif Inside, sec-level 100; no encap]
Dynamic Routing Protocols (via FW): x86 – OK; memory – sure; code optimization – meh
[Figure: ECMP; 54MB; installed routes]
BORDER NAT DEVICE (FIREWALL)
Each NAT translation (XLATE) consumes ~312 bytes of DRAM, so 10,000 translations consume about 3 MB. Firewalls fundamentally have significantly more DRAM than routers.
...Hardware assisted NAT is a thing
[Figure: Intel 8175M specs (1.47TB)]
ROUTED AND BRIDGED FIREWALL @ UA
[Diagram: edge elements cPE (XR), EDGE FW (FTD), DMZ (NX), Fusion (NX); ISP-A / ISP-B upstream; IPsec/ESP; L3/Routed and L2/Transparent segments]
Per VRF eBGP (L3): BGP PeerA vl10, PeerB vl20, PeerC vl30, PeerD vl40 (inside); BGP PeerA vl501, PeerB vl502, PeerC vl503, PeerD vl504 (outside)
VIP 172.16.1.1 / VIP 172.16.1.2
(S) 128.196.0.0/16 -> 172.16.1.2/29; (S) 150.135.0.0/16 -> 172.16.1.2/29; (S) 0.0.0.0/0 -> 172.16.1.1/29
XLATE: /24 public pool; PAT (overloading); Static (private -> public); Policy (src/dst)
[Diagram: Sites A-I over the L3 core (aggregation) with LDP/IGP/BFD; Inter-VRF FW (L2) on the cPE]
Firewall on a stick: Po1.x sub-interfaces, (IN) vl-x, 10.1.1.1/29, 10.1.1.2/29, 10.1.1.3/29
Both control-plane and data-plane traffic are processed via the firewall bridge
Po1.10 (IN) VRF-A / Po1.501 (OUT) VRF-A; Po1.20 (IN) VRF-B / Po1.502 (OUT) VRF-B; Po1.30 (IN) VRF-C / Po1.503 (OUT) VRF-C
UNIFIED THREAT MANAGEMENT
SECURITY INTELLIGENCE
MALWARE
IPS
THREAT INTELLIGENCE VIA SUBSCRIPTION
THREAT INTELLIGENCE VIA SUBSCRIPTION (VENDOR)
SECURITY INTELLIGENCE (BLACKLIST)
Application Permit vs. port/protocol
Event Correlation/Remediation
PERFORMANCE DEGRADATION
SECURITY POSTURE IMPACTING PERFORMANCE
CORES AND CLOCK
§ Total number of cores
§ Frequency of cores
Aggregate throughput scales with the total number of CPU cores and their clock speed, while single-flow performance is limited to an individual thread.
4-5Gbps of TCP single-flow throughput via 4100/9300 (stateful)
7-8Gbps of UDP single-flow throughput via 4100/9300 (stateful)
[Figure: core allocation across Control, Data and Snort]
29 Gbps / 36 Snort cores = ~800 Mbps of IPS per Snort core
Up to 40Gbps of single-flow UDP with 1500-byte pkts
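The per-core arithmetic above, as an added Python model (not from the deck): each flow is pinned to one Snort core by a constructed 5-tuple hash, so a single elephant flow can oversubscribe one core while the aggregate stays well under 29 Gbps. The deck's 29 Gbps / 36 cores and single-flow figures are the only inputs taken from the slides; flows, addresses and the hash are assumptions.

```python
"""Per-core Snort inspection budget model (added example, not from the deck).
Constants are the deck's figures (29 Gbps / 36 Snort cores, single-flow caps);
flows, addresses and the core hash are constructed for illustration."""
import zlib
from collections import defaultdict

AGGREGATE_SNORT_GBPS = 29.0
SNORT_CORES = 36
SINGLE_FLOW_CAP_GBPS = {"tcp": 4.0, "udp": 7.0}  # deck's lower bounds (4100/9300)


def per_core_budget_mbps(aggregate_gbps=AGGREGATE_SNORT_GBPS, cores=SNORT_CORES):
    """Inspection budget one Snort core sustains (the deck's ~800 Mbps)."""
    return aggregate_gbps * 1000.0 / cores


def core_for_flow(flow, cores=SNORT_CORES):
    """Deterministic 5-tuple -> core mapping; a stand-in for the real balancer hash."""
    key = "{src}:{sport}-{dst}:{dport}/{proto}".format(**flow).encode()
    return zlib.crc32(key) % cores


def plan_inspection(flows, cores=SNORT_CORES, budget_mbps=None, core_of=core_for_flow):
    """Pin each flow to one core; report per-core load, oversubscribed cores and
    flows that alone exceed the single-flow ceiling for their protocol."""
    if budget_mbps is None:
        budget_mbps = per_core_budget_mbps(cores=cores)
    load = defaultdict(float)
    for f in flows:
        load[core_of(f, cores)] += f["mbps"]
    over = [(c, l) for c, l in sorted(load.items()) if l > budget_mbps]
    capped = [f for f in flows if f["mbps"] > SINGLE_FLOW_CAP_GBPS[f["proto"]] * 1000.0]
    return dict(load), over, capped


def main():
    # Constructed profile: 200 small HTTPS sessions plus one elephant flow (a backup job).
    flows = [{"src": "10.1.1.%d" % i, "sport": 40000 + i, "dst": "198.51.100.10",
              "dport": 443, "proto": "tcp", "mbps": 50.0} for i in range(200)]
    flows.append({"src": "10.1.1.250", "sport": 5201, "dst": "203.0.113.20",
                  "dport": 5201, "proto": "tcp", "mbps": 4500.0})
    load, over, capped = plan_inspection(flows)
    print("aggregate %.0f Mbps of %.0f" % (sum(load.values()), AGGREGATE_SNORT_GBPS * 1000))
    print("oversubscribed cores:", over, "| above single-flow cap:", [f["src"] for f in capped])


if __name__ == "__main__":
    main()
```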
TRAFFIC PROFILES AND INSPECTION DEPTH
Security vs. Connectivity;
All network threats blocked (55k signatures/Application identification)
All files and archives scanned for malware (cache flow until analysis is done prior to release)
Large packet size/continuous flows cause performance issues
FLOW GENERATION (SEND ME YOUR OLD IXIA!)
NETOPS VS. SECOPS
TLS
FLOW COLLECTION
FIREWALL POLICY
SSL/TLS PROXY
¡ Why are you doing this?
¡ Untrusted PKI?
¡ Compliance?
§ Decrypt Re-Sign
§ Decrypt via known key
§ DnD (do not decrypt)
TAP-AGG
[Diagram: Sites A-I connected over an L3 MPLS fabric; Inter-VRF Fusion FW]
SNEL (NetFlow) Flow Data
NFDUMP/NFSEN
ASCII VS. BINARY
IDS
BRO/ZEEK
SNORT
[Diagram: EDGE FW (FTD) with ISP-A / ISP-B upstream; Po1.50 (IN) vl50, Po1.75 (OUT) vl75; Bundle-Eth100.75 encap dot1q 75; raw packet data (4) from the L2/L3 TAP-AGG fed to Bro, Snort and FireEye]
BRO/ZEEK STORAGE CONSIDERATION
62PB
SNORT INLINE
BUILDING SNORT V3
• Hyperscan requires Ragel and the Boost headers
• Use the latest version of Ragel and the Boost headers
• PCRE (Perl Compatible Regular Expressions): high CPU cost
• Core capability of Snort (regex pattern matching)
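Why the PCRE cost above is survivable at campus rates, as an added example (not Snort's own code): a simplified Python model of Snort's fast-pattern stage, where a rule's regex is only evaluated after its literal fast pattern is found in the payload. The rules, SIDs and HTTP payloads are constructed for illustration.

```python
"""Two-stage rule matching: literal prefilter, then PCRE (added example, not Snort code).
Simplified model of Snort's fast-pattern stage: a rule's regex runs only after its
literal 'fast pattern' is found in the payload. Rules, SIDs and traffic are constructed."""
import re

RULES = [  # (sid, fast-pattern literal, compiled PCRE); constructed, not real signatures
    (1, b"evilbot", re.compile(rb"User-Agent: evilbot/\d+\.\d+")),
    (2, b"X-Scan-Id", re.compile(rb"X-Scan-Id: [0-9a-f]{8}\r\n")),
    (3, b"beacon", re.compile(rb"GET /beacon\?id=[0-9a-f]{16} ")),
]


def match_pcre_only(payload, rules=RULES):
    """Baseline: evaluate every rule's PCRE. Returns (matched_sids, pcre_evaluations)."""
    hits = [sid for sid, _, pat in rules if pat.search(payload)]
    return hits, len(rules)


def match_prefiltered(payload, rules=RULES):
    """Evaluate a rule's PCRE only when its fast pattern appears in the payload."""
    hits, evals = [], 0
    for sid, literal, pat in rules:
        if literal not in payload:   # cheap substring test stands in for the MPSE
            continue
        evals += 1                   # regex cost is paid only here
        if pat.search(payload):
            hits.append(sid)
    return hits, evals


def compare(payloads, rules=RULES):
    """Total PCRE evaluations with and without the prefilter; hit sets must agree."""
    base_evals = pre_evals = 0
    for p in payloads:
        b_hits, b_n = match_pcre_only(p, rules)
        p_hits, p_n = match_prefiltered(p, rules)
        assert b_hits == p_hits, "prefilter changed the verdict"
        base_evals += b_n
        pre_evals += p_n
    return base_evals, pre_evals


SAMPLE_PAYLOADS = [  # constructed HTTP requests: three benign, one true hit, one prefilter false alarm
    b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /static/app.js HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"GET /search?q=campus+ngfw HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nUser-Agent: evilbot/1.2\r\n\r\n",
    b"GET /evilbot-faq.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    print("PCRE evaluations (baseline, prefiltered):", compare(SAMPLE_PAYLOADS))
```

The fifth payload shows the prefilter's limit: the literal hits, the regex still runs and correctly rejects it, so the prefilter saves work without changing verdicts.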
SNORT FREEBIES
THANK YOU