multi 100gb campusngfw - internet2

MULTI 100GB CAMPUS NGFWWHEN IPTABLES ISN'T ENOUGH

INTRO

Jason SullivanNetwork Security Architect @ UITS

CCIE #60763

CCDPCCNP x2AWS Network SpecialistAWS Associate Architect

AGENDA

o Network Firewall Evolution

o Design Considerations

o Scaling/Fault-Tolerance

o Campus Architectures

o UTM (Unified Threat Management)

o Performance Degradation

o Netops vs. Secops

o IDS

FIREWALL/ROUTER POLICY EVOLUTIONMOST BASIC IMPLEMENTATIONS OF PACKET FILTERING

NEXT-GENERATION FIREWALL TECHNOLOGIES

ESTABLISHED REFLEXIVE CBAC ZBF

• Completely Stateless filters (unidirectional ACL's)

• ACL's supporting 'established' argument permit some return traffic (TCP)

• 'Reflection' of egress (out) connections information to ingress interface permitting return traffic (TCP/UDP)

• 'Inspection' of protocol data (~175 protocols/services)

• MQC (Module QoS CLI) enabled policy via 'Zoning' (Zone Based Firewalls)

Server return traffic dropped

ZBF

100.1.1.2(IN)

200.1.1.1(OUT)

OUTSIDE-HOST sending ICMP ECHO

(IN) (OUT)

SECURITY APPLICANCE EVOLUTION§ Connection maintenance (state table)

§ protocol inspections (http/ftp/dns)

§ Basic ALG (fixup) support

§ Deep Packet Inspection (fixed/module)

§ Application Identification (AppID/ODP)

§ IPS

§ Malware (security intelligence)

§ Local and off-box analysis

NGFW DETECTION

FIREWALL SCALING AND DESIGN CONSIDERATIONSROUTED/TRANSPARENT

CONTROL-PLANE ENHANCEMENTS

CAMPUS DEPLOYMENTS

RTR VS. FIREWALL

Router

¡ Forwarding latency measured in milliseconds

¡ Basic Policy via TCAM

¡ Optimized line cards forward via hardware

¡ Forwarding latency measured in milliseconds

¡ Cheap(er)

NGFW

¡ Stateful

¡ Rich policy enforcement via Application Identification

¡ Deep packet analysis

¡ Identity Based Access

¡ Logging

¡ Event Correlation

RTR OR TRANSPARENT FIREWALL (...INLINE-SET?)

Routed Transparent (bridge)

INSIDE (vl50)OUTSIDE (vl55)

L3 IFC vl55 5.5.5.1/24

5.5.5.0/24

5.5.5.0/24

5.5.5.0/24

INSIDE (Eth0/0)

OUTSIDE (Eth0/1)

x.x.y.0/30

x.x.x.0/30

10.1.1.0/24

200.1.1.0/24

FW's RIB;10.1.1.0/24 via Eth0/020.1.1.0/24 via Eth0/1

InlineSet/Bump-on-Wire (True Pass-Through)

Eth0/0 Eth0/1

SUP/NetModsSUP/NetMods SUP/NetMods

Spanned-EtherChannel via (cLACP)Required a shared forwarding plane (VSS/VPC)

Individual interface mode can create asymmetric conditions –group into same security-zone

SUP/NetModsSUP/NetMods SUP/NetMods

Internet Edge

Campus Edge

Po10Nameif OutsideSec-Level 0

Po20Nameif InsideSec-Level 100

NO Encap

EDGE-A

BGP Peer-ABGP Peer-B

EDGE-B

BGP Peer-ABGP Peer-B

Dynamic Routing Protocols (via FW);X86 –OKMemory –SureCode optimization –meh

ECMP

54MB

Installed Routes

BORDER NAT DEVICE (FIREWALL)

NAT translation ~312 bytes in DRAM per XLATE. 10,000 translations consume about 3 MB. Firewalls fundamentally have significantly more DRAM than routers

...Hardware assisted NAT is a thing

1.47TB

Intel 8175M Specs

ROUTED AND BRIDGED FIREWALL @ UA

Per VRF eBGP (L3)

BGP PeerA vl10BGP PeerB vl20BGP PeerC vl30BGP PeerD vl40


L2/Transparent

L3/Routed

cPE (XR)

VIP 172.16.1.2

DMZ (NX)

VIP 172.16.1.1(S) 128.196.0.0/16 172.16.1.2/29(S) 150.135.0.0/16 172.16.1.2/29

(S) 0.0.0.0/0 172.16.1.1/29

EDGE FW (FTD)

Fusion (NX)

XLATE (/24 pub)-PAT (overloading)-Static (private -> public)-Policy (src/dst)

L3

SiteA

SiteB

SiteC

L3SiteD

SiteE

SiteF

L3L3

SiteG SiteI

L3SiteH

L3 L3

L3LDP/IGP/BFD

Inter-VRF FW (L2)

cPE

Core (Aggregation)

Per VRF eBGP (L3)



Firewall on StickPo1.x Po1.x

(IN) vl-x

10.1.1.1/29

10.1.1.2/29

10.1.1.3/29

Both control-plane and data plane traffic are processed via the firewall bridge

Po1.10 (IN) VRF-APo1.501 (OUT) VRF-APo1.20 (IN) VRF-BPo1.502 (OUT) VRF-B

Po1.30 (IN) VRF-CPo1.503 (OUT) VRF-C

EDGE FW (FTD)

ISP-A ISP-B

IPsec/ESP IPsec/ESP

L2 L2

UNIFIED THREAT MANAGEMENTSECURITY INTELLIGENCE

MALWARE

IPS

THREAT INTELLIGENCE VIA SUBSCRIPTION

THREAT INTELLIGENCE VIA SUBSCRIPTION (VENDOR)

SECURITY INTELLIGENCE (BLACKLIST)

Application Permit vs. port/protocol

Event Correlation/Remediation

PERFORMANCE DEGRADATIONSECURITY POSTURE IMPACTING PERFORMANCE

CORES AND CLOCK

§ Total number of cores

§ Frequency of cores

Throughput is proportional to CPU core count and clockspeed. While single flow performance is limited to an individual thread.

4-5Gbps of TCP single-flow throughput via 4100/9300 (stateful)

7-8Gbps of UDP single-flow throughput via 4100/9300 (stateful)

ControlDataSnort

29Gbs/36 (snort cores) = 800Mbs IPSPer Snort Core

Up to 40Gbps of single-flow UDP with 1500-byte pkts

TRAFFIC PROFILES AND INSPECTION DEPTH

Security vs. Connectivity;

All network threats blocked (55k signatures/Application identification)All files and archives scanned for malware (cache flow until analysis is done prior to release)

Large packet size/continuous flows cause performance issues

FLOW GENERATION (SEND ME YOUR OLD IXIA!)

NETOPS VS SECOPSTLS

FLOW COLLECTION

FIREWALL POLICY

SSL/TLS PROXY

¡ Why are you doing this?

¡ Untrusted PKI?

¡ Compliance?

§ Decrypt Re-Sign

§ Decrypt via known key

§ DnD

TAP-AGG

SiteA

SiteB

SiteC

L3SiteD

SiteE

SiteF

L3L3

SiteG SiteI

L3SiteH

L3 L3

MPLS FABRIC

SNEL (NetFLow) Flow Data

NFDUMP/NFSEN

INTER-VRF Fusion FW

ASCI VS. BINARY

IDSBRO/ZEEK

SNORT

IDS

EDGE FW (FTD)

ISP-A ISP-BPo1.50 (IN) vl50Po1.75 (OUT) vl75

Bundle-Eth100.75Encap dot1q 75

Bundle-Eth100.75Encap dot1q 75

(4)

RAW Pkt Data

BROSNORTFireEYE

L2

L3 TAP-AGG

BRO/ZEEK STORAGE CONSIDERATION

62PB

SNORT INLINE

BUILDING SNORT V3

• Hyperscan requires Ragel and the Boost headers• Use latest version of Ragel and Boost header

• PCRE - Perl Compatible Regular Expressions High Cost (CPU)• Core capability of Snort (regex pattern matching)

SNORT FREEBIES

THANK [email protected]

multi 100gb campusngfw - internet2

Documents