internet firewall - university at buffalo › content › dam › www › ubit › docs... · 3 •...

Posted 06-Jul-2020

INTERNET FIREWALL

Overview & Q&A Session

Brad Hilimon ([email protected]), Network Engineer / NCS

Some background / history…

• The firewalls used on the network today generally only protect individual networks and have been installed over the years as requested.
  • 9 clusters protecting machine room networks.
  • 2 clusters hosting ~30 virtualized department firewalls.
  • 5 clusters for the new “protected” networks.
• Today we use traditional IP & port based policies. We don’t look at any of the traffic to determine if it’s good, bad or what it is.
• UB has never had a campus-wide firewall at the Internet edge. Most wired networks use public IP addresses, open to the Internet.
• We have a few ACLs to block various ports both inbound and outbound. Most of these are in place due to previous malware/attacks over the years.
• ISO office receives a copy of the Internet traffic to look for threats.
• Everything we block is a manual process today.

What are we doing?

• We are installing a firewall at the Internet edge / border.
• All traffic flowing in and out of UB will go through the firewall.
• Full layer 7 “next gen” feature set: monitoring & inspection of traffic to identify and prevent malware, viruses, botnet connections, automated URL blocking of malicious websites, and more…
• Subscription to vendor security service to provide real-time signature and database updates.
• Slight changes to routing architecture so we’re not firewalling peer Internet traffic (other schools, hospitals, etc…).

What did we buy?

• Fortinet FortiGate 7030E (two)
  • 100Gb/s interfaces for connectivity to current and future backbone.
  • Connected today via 40Gb/s optics broken out into 10Gb/s interfaces.
  • Capable of approximately 35Gb/s of fully inspected traffic. Higher throughput expected by not inspecting some traffic, such as Netflix.
  • UB’s combined Internet traffic in and out is ~12.5Gb/s.
  • Deployed in an active/passive design, in two separate locations for redundancy.
• Fortinet FortiGate 501E
  • Smaller unit for testing.

What did we buy?

• Fortinet FortiSandbox
  • On-site appliance that scans files submitted to it.
  • Runs each file in a virtual machine (Windows / Mac) and attempts to determine if the file is malicious by looking for:
    • Network behaviors / connections.
    • Registry changes.
    • Files that are added, removed, changed, etc...
  • Firewall automatically sends files it doesn’t have signatures for.
  • Can manually submit files by uploading or by URL submission.
  • Can scan network shares.
  • Creates new signatures for the firewall to prevent duplicate scanning.
  • Signatures can (and should) be shared with Fortinet (FortiGuard) to benefit other customers.
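The slide above describes a feedback loop: the firewall forwards files it has no signature for, the sandbox detonates them and records network, registry and file-system behaviour, and the resulting verdict comes back as a signature so the same file is never scanned twice. The following is an added example, not code from the UB slides or from Fortinet, that models that loop with a simulated sandbox. The sample files, the behaviour table, the 203.0.113.x address (an RFC 5737 documentation range) and the scoring rule in `sandbox_verdict` are all constructed assumptions for illustration.

```python
"""Added example (not from the UB slides or from Fortinet): a toy model of the
firewall-to-sandbox workflow.  The firewall hashes every file it extracts; a
hash with a stored verdict is handled from the signature database, an unknown
hash is detonated in a simulated sandbox and the verdict is stored as a new
signature, so the same file is never scanned twice."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SandboxReport:
    """Behaviours observed during detonation, mirroring the slide's list."""
    network_connections: tuple[str, ...]
    registry_changes: tuple[str, ...]
    file_changes: tuple[str, ...]


def sandbox_verdict(report: SandboxReport) -> str:
    """Hypothetical scoring rule (an assumption, not Fortinet's logic):
    a Run-key persistence entry plus outbound connections is 'malicious',
    a dropped executable plus outbound connections is 'suspicious'."""
    run_key = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
    persistence = any(k.lower().startswith(run_key) for k in report.registry_changes)
    beacons = bool(report.network_connections)
    dropped_exe = any(p.lower().endswith((".exe", ".dll")) for p in report.file_changes)
    if persistence and beacons:
        return "malicious"
    if dropped_exe and beacons:
        return "suspicious"
    return "clean"


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed sample files and the behaviour the simulated sandbox records for them.
BENIGN_DOC = b"constructed benign document"
DROPPER = b"constructed dropper sample"
_DETONATION_TABLE: dict[str, SandboxReport] = {
    sha256_hex(BENIGN_DOC): SandboxReport((), (), ("C:\\Users\\Public\\readme.txt",)),
    sha256_hex(DROPPER): SandboxReport(
        ("203.0.113.7:443",),  # constructed TEST-NET-3 address
        ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",),
        ("C:\\Users\\Public\\updater.exe",),
    ),
}


@dataclass
class SimulatedSandbox:
    """Stands in for the sandbox appliance: 'runs' a file and returns a report.
    Counts detonations so the caller can verify duplicate scans are avoided."""
    runs: int = 0

    def detonate(self, content: bytes) -> SandboxReport:
        self.runs += 1
        # Content outside the constructed table shows no behaviour at all.
        return _DETONATION_TABLE.get(sha256_hex(content), SandboxReport((), (), ()))


@dataclass
class EdgeFirewall:
    """Holds the local signature database the sandbox feeds back to the firewall."""
    sandbox: SimulatedSandbox
    signatures: dict[str, str] = field(default_factory=dict)

    def inspect_file(self, content: bytes) -> tuple[str, str]:
        """Return (verdict, source); source is 'signature' when the hash was
        already known and 'sandbox' when the file had to be detonated."""
        digest = sha256_hex(content)
        if digest in self.signatures:
            return self.signatures[digest], "signature"
        verdict = sandbox_verdict(self.sandbox.detonate(content))
        self.signatures[digest] = verdict  # new signature: no second scan for this hash
        return verdict, "sandbox"


def run_demo() -> tuple[list[tuple[str, str]], int]:
    """Pass the same two files through twice; the second pass must be served
    from the signature database without any further sandbox runs."""
    fw = EdgeFirewall(SimulatedSandbox())
    decisions = [fw.inspect_file(f) for f in (BENIGN_DOC, DROPPER, DROPPER, BENIGN_DOC)]
    return decisions, fw.sandbox.runs


if __name__ == "__main__":
    for verdict, source in run_demo()[0]:
        print(f"{verdict:<10} via {source}")
```

Keying the cache on the SHA-256 of the content rather than on a filename is what makes the "no duplicate scanning" property hold: a renamed copy of an already-detonated file still hits the stored verdict, and a single changed byte forces a fresh detonation.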

What did we buy?

• Fortinet FortiAnalyzer
  • Collects logs.
  • Crunches data.
  • Displays current and historical information about threats, malware, traffic, etc…
  • Reporting.

Initial Goals / Features

• Move existing URL blocking functionality. URL blocking today is being done on EOL hardware.
• Move existing router ACLs to the firewalls for ease of management.
• Move existing P2P rate-limiting to the firewalls. Rate-limiting today is being done on EOL hardware.
• Enable automatic URL blocking (FortiGuard Security Category).
  • We can still manually blacklist/whitelist URLs.
  • New custom UB branded URL block pages.
  • Procedure to request a false-positive URL be unblocked.

FortiGuard

• FortiGuard is Fortinet’s security subscription service. It’s the source of all information about threats that the various components use. All of the Fortinet hardware constantly receives updates, as often as every minute. More info at fortiguard.com
  • Malware / virus signatures
  • Botnet information (IP / URLs)
  • Malicious URLs
  • Application signatures
  • IPS signatures
  • Domain / URL reputation
  • Community / customer signature submissions to improve service for everyone.

Initial Goals / Features (cont…)

• Inspection and Sandboxing of email attachments. Done out-of-band, no interruption of email flow. We’ve already been doing this all summer, building our malware database.
• No blocking or scanning of incoming traffic on day one. You should not notice any different behavior.
• No additional traffic inspection on day one. Rollout of features will happen over time.
• Initial deployment scheduled for October 10th @ 4:30am.

Short Term Goals

• Possible sandboxing of other traffic if physical resources allow. We only have 1 Sandbox server, built as a cluster so more can be added if needed.
• Inspection of all outbound and return traffic (user generated traffic). Minimal blocking of malicious traffic, such as botnet connections, malicious URLs, etc…
• Inspection of non-UB initiated inbound traffic (non user generated traffic), such as requests to web servers.

Long Term Goals

• Default blocking of all unsolicited inbound connections.
• Rollout over time. Exact plan TBD by the ISO. We have a mix of dedicated and shared networks to coordinate with departments.
• Rules will allow inbound connections to other firewalled & server networks.

Future…

• Looking into offering access for IT staff to upload files or submit URLs to the Sandbox for inspection. Working through some privacy issues related to reporting before we can offer this.
• Looking into offering access for IT staff to scan network shares using the Sandbox. User permissions are currently not granular enough.

Existing Firewalled Networks

• Networks with firewalls elsewhere on campus will be whitelisted but will possibly still be inspected for malware, malicious traffic, etc…
• You will continue to maintain your policies through Space.
• Future plans for machine room or department firewalls are TBD. Most of them are EOS in 2020. Replacement discussions expected to start in the summer of 2019.

What are we not doing?

• The Internet firewall is meant to enforce basic policies at the campus level.
• The Internet firewall is not intended to be a department firewall.
• We have no plans to maintain per-IP policies.
• Departments still running their own servers should look into our virtualized firewall offering if they wish to maintain per-IP policies for their department/servers.
• The new firewall is only for Internet traffic. Traffic between UB networks will never reach the firewall.
• Internet traffic for directly connected 3rd party entities like schools, hospitals and other sites will not go through the firewall.
• Traffic to the Syracuse DR site will not go through the new firewall.
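Taken together, the "Short Term Goals", "Long Term Goals" and "What we are not doing" slides define a small decision procedure for a flow arriving at the campus edge: campus-to-campus and peer-site traffic is routed around the firewall entirely, return traffic for a session the campus opened is allowed, user-generated outbound traffic is allowed unless it matches a threat-feed entry such as a botnet host, and unsolicited inbound traffic is blocked by default except toward the server networks. The following is an added example, not code from the UB slides or from Fortinet, that implements that procedure as a toy stateful policy engine and runs a few constructed flows through it. The prefixes (RFC 5737 documentation ranges standing in for UB's, peer and server address space), the botnet entry and the flows are all constructed assumptions; a real edge firewall also inspects the allowed traffic, which this model only labels.

```python
"""Added example (not from the UB slides or from Fortinet): a toy stateful
policy engine for the campus-edge design.  All prefixes, addresses and flows
are constructed stand-ins from the RFC 5737 documentation ranges."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

CAMPUS = [ipaddress.ip_network("192.0.2.0/24")]         # stand-in for UB's public address space
SERVER_NETS = [ipaddress.ip_network("192.0.2.128/25")]  # stand-in for firewalled / server networks
PEERS = [ipaddress.ip_network("198.51.100.0/24")]       # stand-in for directly connected schools / hospitals
BOTNET_C2 = {"203.0.113.66"}                            # stand-in for one threat-feed botnet entry


def in_any(addr: ipaddress.IPv4Address, nets: list) -> bool:
    return any(addr in n for n in nets)


@dataclass(frozen=True)
class Flow:
    """One packet's 4-tuple as seen at the edge."""
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class EdgePolicy:
    # Sessions opened from the campus side, keyed (src, sport, dst, dport).
    sessions: set[tuple[str, int, str, int]] = field(default_factory=set)

    def decide(self, f: Flow) -> str:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        # 1. Routing, not policy: campus-to-campus and peer traffic never reaches the firewall.
        if in_any(src, CAMPUS) and in_any(dst, CAMPUS):
            return "bypass-internal"
        if in_any(src, PEERS) or in_any(dst, PEERS):
            return "bypass-peer"
        # 2. Stateful: return traffic for a session the campus opened is allowed (and inspected).
        if (f.dst, f.dport, f.src, f.sport) in self.sessions:
            return "allow-return"
        # 3. User-generated outbound: allowed unless the destination is a listed botnet host.
        if in_any(src, CAMPUS):
            if f.dst in BOTNET_C2:
                return "block-botnet"
            self.sessions.add((f.src, f.sport, f.dst, f.dport))
            return "allow-outbound"
        # 4. Unsolicited inbound: default block, except toward the server networks.
        if in_any(dst, SERVER_NETS):
            return "allow-inbound-server"
        return "block-unsolicited"


# Constructed flows, in arrival order (the reply in flow 2 depends on flow 1 having been seen).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.10", 51000, 443),   # workstation browsing an Internet site
    Flow("203.0.113.10", "192.0.2.10", 443, 51000),   # that site's reply
    Flow("203.0.113.50", "192.0.2.10", 40000, 22),    # Internet host probing the workstation's SSH
    Flow("203.0.113.50", "192.0.2.200", 40001, 443),  # Internet client reaching a campus web server
    Flow("192.0.2.10", "203.0.113.66", 51001, 8080),  # workstation contacting the listed botnet host
    Flow("192.0.2.10", "192.0.2.200", 51002, 445),    # campus-to-campus: never reaches the firewall
    Flow("198.51.100.5", "192.0.2.10", 51003, 3389),  # peer-site traffic: routed around the firewall
]


def run_demo() -> list[str]:
    policy = EdgePolicy()
    return [policy.decide(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {decision}")
```

Two details of the ordering matter for the design on the slides. The bypass checks come first because they model a routing decision rather than a rule, which is why the slides can promise that internal and peer traffic "will never reach the firewall". The botnet check comes before the session is recorded, so a blocked outbound connection never creates state that would let a reply through.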

QUESTIONS?

Brad Hilimon ([email protected]), Network Engineer / NCS