multi 100gb campus ngfw - internet2

Post on 28-Dec-2021


MULTI 100GB CAMPUS NGFW: WHEN IPTABLES ISN'T ENOUGH

INTRO

Jason Sullivan, Network Security Architect @ UITS

CCIE #60763, CCDP, CCNP x2, AWS Network Specialist, AWS Associate Architect

AGENDA

o Network Firewall Evolution

o Design Considerations

o Scaling/Fault-Tolerance

o Campus Architectures

o UTM (Unified Threat Management)

o Performance Degradation

o Netops vs. Secops

o IDS

FIREWALL/ROUTER POLICY EVOLUTION: MOST BASIC IMPLEMENTATIONS OF PACKET FILTERING

NEXT-GENERATION FIREWALL TECHNOLOGIES

Stateless -> ESTABLISHED -> REFLEXIVE -> CBAC -> ZBF

• Stateless: completely stateless filters (unidirectional ACLs)

• ESTABLISHED: ACLs supporting the 'established' argument permit some return traffic (TCP only)

• REFLEXIVE: 'reflection' of egress (out) connection information onto the ingress interface, permitting return traffic (TCP/UDP)

• CBAC: 'inspection' of protocol data (~175 protocols/services)

• ZBF: MQC (Modular QoS CLI) enabled policy via 'zoning' (Zone Based Firewalls)

Diagram (ZBF): inside host 100.1.1.2 (IN), outside host 200.1.1.1 (OUT); OUTSIDE-HOST sending ICMP ECHO; server return traffic dropped.
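To make the first three generations on the slide concrete, here is an added toy model (not from the deck) that applies a stateless ACL, an ACL with the 'established' keyword, and a reflexive ACL to constructed DNS and TCP flows, using the page's 10.1.1.0/24 inside and 200.1.1.1 outside addresses; `Pkt`, `run` and the flows are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out" = inside -> outside, "in" = outside -> inside
    ack: bool = False  # TCP ACK/RST bit, the only thing 'established' checks

INSIDE_NET = "10.1.1."  # constructed inside prefix for this example

def stateless_acl(pkt, state):
    """Gen 1: unidirectional ACL; permits inside-originated egress only."""
    return pkt.direction == "out" and pkt.src.startswith(INSIDE_NET)

def established_acl(pkt, state):
    """Gen 2: ingress ACL with 'established'; lets in TCP with ACK/RST set.
    No UDP/ICMP return traffic, and any ACK-bearing segment is accepted."""
    if pkt.direction == "out":
        return pkt.src.startswith(INSIDE_NET)
    return pkt.proto == "tcp" and pkt.ack

def reflexive_acl(pkt, state):
    """Gen 3: egress TCP/UDP connections are 'reflected' into a temporary
    ingress entry (mirrored 5-tuple) so only their replies are permitted."""
    if pkt.direction == "out":
        if not pkt.src.startswith(INSIDE_NET):
            return False
        if pkt.proto in ("tcp", "udp"):
            state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in state

def run(policy, flow):
    """Apply one policy to a packet sequence; returns per-packet verdicts."""
    state = set()
    return [policy(p, state) for p in flow]

# Constructed sample flows (not from the slides).
DNS_FLOW = [Pkt("udp", "10.1.1.5", 40001, "200.1.1.1", 53, "out"),
            Pkt("udp", "200.1.1.1", 53, "10.1.1.5", 40001, "in")]
TCP_FLOW = [Pkt("tcp", "10.1.1.5", 50000, "200.1.1.1", 443, "out"),
            Pkt("tcp", "200.1.1.1", 443, "10.1.1.5", 50000, "in", ack=True)]
# Unsolicited inbound segment with ACK set: 'established' alone lets it through.
UNSOLICITED = [Pkt("tcp", "198.51.100.9", 443, "10.1.1.5", 50000, "in", ack=True)]

if __name__ == "__main__":
    for name, pol in (("stateless", stateless_acl), ("established", established_acl), ("reflexive", reflexive_acl)):
        print(f"{name:12s} dns={run(pol, DNS_FLOW)} tcp={run(pol, TCP_FLOW)} unsolicited={run(pol, UNSOLICITED)}")
```

The UDP reply only gets through once the filter keeps per-connection state, which is the gap the later CBAC/ZBF generations close for many more protocols.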

SECURITY APPLIANCE EVOLUTION

§ Connection maintenance (state table)

§ protocol inspections (http/ftp/dns)

§ Basic ALG (fixup) support

§ Deep Packet Inspection (fixed/module)

§ Application Identification (AppID/ODP)

§ IPS

§ Malware (security intelligence)

§ Local and off-box analysis

NGFW DETECTION

FIREWALL SCALING AND DESIGN CONSIDERATIONS: ROUTED/TRANSPARENT

CONTROL-PLANE ENHANCEMENTS

CAMPUS DEPLOYMENTS

RTR VS. FIREWALL

Router

¡ Forwarding latency measured in milliseconds

¡ Basic Policy via TCAM

¡ Optimized line cards forward via hardware

¡ Cheap(er)

NGFW

¡ Stateful

¡ Rich policy enforcement via Application Identification

¡ Deep packet analysis

¡ Identity Based Access

¡ Logging

¡ Event Correlation

RTR OR TRANSPARENT FIREWALL (...INLINE-SET?)

Diagram (Routed vs. Transparent (bridge) vs. InlineSet):

- Routed: INSIDE (Eth0/0) 10.1.1.0/24, OUTSIDE (Eth0/1) 200.1.1.0/24, point-to-point links x.x.x.0/30 and x.x.y.0/30; FW's RIB: 10.1.1.0/24 via Eth0/0, 20.1.1.0/24 via Eth0/1
- Transparent (bridge): INSIDE (vl50) and OUTSIDE (vl55) bridged within 5.5.5.0/24; L3 IFC vl55 5.5.5.1/24
- InlineSet/Bump-on-Wire (true pass-through): Eth0/0 <-> Eth0/1

Diagram (clustered chassis: SUP/NetMods x3):

- Spanned-EtherChannel via cLACP requires a shared forwarding plane (VSS/vPC)
- Individual interface mode can create asymmetric conditions; group into the same security-zone

Diagram (Internet Edge / Campus Edge): EDGE-A and EDGE-B, each with BGP Peer-A and BGP Peer-B; Po10 nameif Outside sec-level 0; Po20 nameif Inside sec-level 100; no encap; ECMP.

Dynamic routing protocols (via FW): x86 – OK; memory – sure; code optimization – meh. 54MB installed routes.

BORDER NAT DEVICE (FIREWALL)

NAT translation ~312 bytes in DRAM per XLATE. 10,000 translations consume about 3 MB. Firewalls fundamentally have significantly more DRAM than routers

...Hardware assisted NAT is a thing

(Slide shows Intel 8175M specs; 1.47TB.)

ROUTED AND BRIDGED FIREWALL @ UA

Diagram (routed and bridged firewall @ UA):

- Edge: cPE (XR) with VIP 172.16.1.2; DMZ (NX) with VIP 172.16.1.1; EDGE FW (FTD), L3/Routed; Fusion (NX); ISP-A / ISP-B with IPsec/ESP; L2 links
- Static routes: (S) 128.196.0.0/16 172.16.1.2/29; (S) 150.135.0.0/16 172.16.1.2/29; (S) 0.0.0.0/0 172.16.1.1/29
- XLATE (/24 pub): PAT (overloading); Static (private -> public); Policy (src/dst)
- Core (Aggregation): L3 LDP/IGP/BFD fabric across SiteA .. SiteI
- Inter-VRF FW (L2/Transparent) with per-VRF eBGP (L3): BGP PeerA vl10, PeerB vl20, PeerC vl30, PeerD vl40 on the inside; vl501, vl502, vl503, vl504 on the outside
- Firewall on a stick: Po1.x subinterfaces, Po1.10 (IN) VRF-A / Po1.501 (OUT) VRF-A, Po1.20 (IN) VRF-B / Po1.502 (OUT) VRF-B, Po1.30 (IN) VRF-C / Po1.503 (OUT) VRF-C; (IN) vl-x addresses 10.1.1.1/29, 10.1.1.2/29, 10.1.1.3/29

Both control-plane and data-plane traffic are processed via the firewall bridge.

UNIFIED THREAT MANAGEMENT: SECURITY INTELLIGENCE

MALWARE

IPS

THREAT INTELLIGENCE VIA SUBSCRIPTION

THREAT INTELLIGENCE VIA SUBSCRIPTION (VENDOR)

SECURITY INTELLIGENCE (BLACKLIST)

Application Permit vs. port/protocol

Event Correlation/Remediation

PERFORMANCE DEGRADATION: SECURITY POSTURE IMPACTING PERFORMANCE

CORES AND CLOCK

§ Total number of cores

§ Frequency of cores

Aggregate throughput scales with CPU core count and clock speed, while single-flow performance is bound by one thread.

4-5Gbps of TCP single-flow throughput via 4100/9300 (stateful)

7-8Gbps of UDP single-flow throughput via 4100/9300 (stateful)

(Core allocation: Control / Data / Snort)

29 Gbps / 36 Snort cores = 800 Mbps IPS per Snort core

Up to 40Gbps of single-flow UDP with 1500-byte pkts

TRAFFIC PROFILES AND INSPECTION DEPTH

Security vs. Connectivity;

All network threats blocked (55k signatures / application identification)

All files and archives scanned for malware (flow cached until analysis is done, prior to release)

Large packet size/continuous flows cause performance issues

FLOW GENERATION (SEND ME YOUR OLD IXIA!)

NETOPS VS SECOPS

TLS

FLOW COLLECTION

FIREWALL POLICY

SSL/TLS PROXY

¡ Why are you doing this?

¡ Untrusted PKI?

¡ Compliance?

§ Decrypt Re-Sign

§ Decrypt via known key

§ DnD

TAP-AGG

Diagram: MPLS fabric (L3) across SiteA .. SiteI with the INTER-VRF Fusion FW; SNEL (NetFlow) flow data collected into NFDUMP/NFSEN.

ASCII VS. BINARY

IDS: BRO/ZEEK

SNORT

IDS

Diagram: EDGE FW (FTD) between ISP-A / ISP-B; Po1.50 (IN) vl50, Po1.75 (OUT) vl75; Bundle-Eth100.75 encap dot1q 75; (4) RAW packet data from the L2/L3 TAP-AGG to BRO, SNORT and FireEYE.

BRO/ZEEK STORAGE CONSIDERATION

62PB

SNORT INLINE

BUILDING SNORT V3

• Hyperscan requires Ragel and the Boost headers

• Use the latest version of Ragel and the Boost headers

• PCRE (Perl Compatible Regular Expressions): high cost (CPU)

• Core capability of Snort (regex pattern matching)

SNORT FREEBIES

THANK YOU

JSULLIVAN@ARIZONA.EDU