www-tus.csx.cam.ac.uk/techlink/workshops/2003-05-2...


Jesus College IT Department
TechLink Seminar 21-05-03

Jesus College Firewall - Benefits and Overheads

Presented by Ashley Meggitt (IT Manager) and Damian Kramer (Unix and Network Administrator)

Background

- Some experience of firewall management
- Used primarily as a security device
- Precinct wide firewall plan in place
- Computer Services white paper
- Skill set

Q. Why did we decide to implement a precinct wide firewall?

A. Management

The firewall offers us a tool for management of:
- Security
- Network monitoring and low level management
- User administration
- Additional services

Security

- First line of defence from external attacks
- Defence against attacks across our own network
- A point of control between networks

Network monitoring and low level management

- Monitor bandwidth across all external interfaces
- Individual bandwidth monitoring
- Monitor types of traffic
  - port management
  - protocol management (potential)
- Adjust to pressure on the bandwidth (QoS)
- Create and manage private subnets

User Administration

- Simple connection to the network
- Easy registration
- Implementation of policies
- Potential for individual charging
- Easy disconnection

Key components - NAT and DHCP

Additional Services

- In conjunction with other aspects of the network
- VLANs
- CCTV over IP
- Access Control
- Future developments

Network Layout

[Diagram; labels only: Firewall 1, CUDN PoP, Management, CCTV, DMZ, Catering, Management, Admin, Academic, Firewall 2, Logging]

System / Services

- Runs Devil Linux 0.5
- Uses iptables
- DNS
- DHCP
- NAT
- Argus

Rules

- Default to all traffic blocked
- Allow outgoing connections
- No new connections allowed from DMZ to rest of network
- Special exceptions (Earth Sciences, Engineering)
- User exceptions (port redirecting)
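The ruleset below is an added example, not the College's own configuration: it shows how the five rules on this slide map onto iptables, the tool the previous slide names. The interface names, address ranges, the department subnet and the two hosts in the exception rules are assumed placeholders.

```shell
# Added example (not the College's own configuration): an iptables ruleset for the
# policy on the Rules slide. Interfaces, subnets and the hosts in the exception
# rules are assumed placeholders. Dry run by default; run with IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

EXT=eth0                # assumed: CUDN-facing interface
DMZ_IF=eth1             # assumed: DMZ interface
INT_IF=eth2             # assumed: internal subnets (Admin, Academic, ...)
INT_NET=10.10.0.0/16    # assumed: internal private range, NATed on the way out
DMZ_NET=192.0.2.0/24    # assumed: DMZ range
EXC_NET=203.0.113.0/24  # assumed: one department's subnet for the special exception

build_rules() {
    # Default to all traffic blocked: DROP policies on emptied chains. The firewall's
    # own outbound traffic (it also runs DNS, DHCP and Argus) is left open.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Replies to already-accepted connections pass; the internal side may reach the
    # firewall's own DNS and DHCP services.
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    # No new connections from the DMZ to the rest of the network. Placed before every
    # ACCEPT so that no later exception can override it.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m state --state NEW -j DROP
    # Allow outgoing connections to the CUDN (and internal -> DMZ); NAT the internal range.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT" -s "$INT_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT" -s "$DMZ_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$INT_NET" -j MASQUERADE
    # Special exception: one external department subnet may reach one DMZ service.
    $IPT -A FORWARD -i "$EXT" -o "$DMZ_IF" -s "$EXC_NET" -d 192.0.2.10 \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # User exception (port redirecting): inbound TCP 8080 is DNATed to one internal
    # host, and only that redirected flow is then accepted through FORWARD.
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport 8080 -j DNAT --to-destination 10.10.5.20:8080
    $IPT -A FORWARD -i "$EXT" -o "$INT_IF" -d 10.10.5.20 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
    # Record (rate-limited) what the default policy is about to drop, for the logging host.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}
build_rules
```

Because the DMZ-to-internal DROP precedes every ACCEPT, a later user or department exception cannot accidentally reopen that path; the rate-limited LOG line gives the nightly summarisation something to look at beyond Argus flow records.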

Management

- Linux server
- MySQL database backend
- Web frontend
- Custom file packaging for transferring configuration to the running firewall
Logging

- Linux server
- PostgreSQL backend
- Apache & EmbPerl web frontend
- Custom Argus collection scripts
- Summarisation and analysis on a nightly basis
Logging Screenshot 1

Logging Screenshot 2

Management Screenshot 1

Management Screenshot 2

Overheads to Consider

- Specialist CO
- Well organised network
- Rule consideration
- Dealing with people
- Launch logistics
- Extra hardware
- Reliance on a key networking component
- Responsibility