Architecture of the perimeter - PowerPoint PPT Presentation

Slides: 30
Provided by: gord120

Transcript and Presenter's Notes


1
Architecture of the perimeter
Wouter Avondstondt Technical Director EMEA
2
Who are we ?
  • Wouter Avondstondt, manager support EMEA
  • Resilience, California, est. 1995
  • original product: triple modular systems
  • applied that technology to firewalls and other
    applications

3
Intro
  • Security?
  • CIA
  • confidentiality
  • integrity
  • availability
  • Availability is often forgotten in the design.

4
Overview
  • HA architecture of systems (Resilience)
  • (Over)designing the perimeter
  • Losing the perimeter

5
1. Resilience system architecture
  • focus on High Availability
  • for best of breed applications
  • Check Point VPN-1
  • Websense
  • Sophos PureMessage
  • Insightix

6
typical HA technology
Administration/Configuration
Application
HA Software
Operating System
I/O Drivers
HW
7
iHA technology
8
Resilience iHA technology
9
Resilience technologies
  • iHA: 99.999% uptime (5 nines)
  • 5 minutes of (planned) downtime a year
  • Full integration between modules
  • automatic failover
  • automatic learning between systems

10
CSO investment protection
  • CSO: continuous secured ownership
  • 24/7 support
  • full maintenance and upgrades
  • no End Of Life
  • upgrades with up to 100 money back
  • All of this for 40 per 3 year contract
  • Advantages
  • to our software partners: the client doesn't have
    to consider what software to buy after the
    hardware runs out. If the hardware stays, the
    application stays too
  • to the resellers: you keep the client, who
    doesn't go shopping every 3 years or so when they
    need hardware replacement

11
Firewall replacement program!
  • hand in ANY firewall
  • get 33 off of list price per for a new
    Resilience unit!!
  • until end of November..

12
2. Designing the perimeter
  • Secure the network with a firewall infrastructure
  • High availability is a MUST
  • There are several options available
  • each has strengths and weaknesses

13
  • Choice 1
  • a pair of firewalls
  • 1 internal switch
  • 1 external router

14
  • Choice 2
  • a pair of firewalls
  • 1 internal switch
  • 2 external routers

15
  • Choice 3
  • 2 firewalls
  • 2 routers
  • 2 switches

16
  • Choice 4
  • 2 firewalls
  • 2 routers
  • 2 internal switches
  • 2 external switches

17
  • Choice 5
  • added meshed network to the external side
  • System is proofed against failure of 2 devices or
    links: extreme high availability setup

18
  • Choice 6
  • meshed on all sides

19
pros and cons
  • a lot of choices
  • every level gets a lot harder to manage
  • troubleshooting becomes a nightmare
  • look for the right balance of HA and complexity
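
An added example, not part of the original slides: a small failure analysis of Choices 1 to 3. The slide diagrams are not in this transcript, so the wiring below (each firewall cabled to one router and one switch where there are two) and the device names are assumptions.

```python
from itertools import combinations

# Assumed wiring; "inside" and "outside" are endpoints, the rest are devices.
TOPOLOGIES = {
    "choice 1": [("inside", "sw"), ("sw", "fw1"), ("sw", "fw2"),
                 ("fw1", "rtr"), ("fw2", "rtr"), ("rtr", "outside")],
    "choice 2": [("inside", "sw"), ("sw", "fw1"), ("sw", "fw2"),
                 ("fw1", "rtr1"), ("fw2", "rtr2"),
                 ("rtr1", "outside"), ("rtr2", "outside")],
    "choice 3": [("inside", "sw1"), ("inside", "sw2"),
                 ("sw1", "fw1"), ("sw2", "fw2"),
                 ("fw1", "rtr1"), ("fw2", "rtr2"),
                 ("rtr1", "outside"), ("rtr2", "outside")],
}

def devices(links):
    """All nodes that can fail, i.e. everything except the two endpoints."""
    return sorted({n for link in links for n in link} - {"inside", "outside"})

def connected(links, failed):
    """True if inside still reaches outside with the failed devices removed."""
    seen, stack = {"inside"}, ["inside"]
    while stack:
        node = stack.pop()
        for a, b in links:
            for src, dst in ((a, b), (b, a)):
                if src == node and dst not in seen and dst not in failed:
                    seen.add(dst)
                    stack.append(dst)
    return "outside" in seen

def single_points_of_failure(links):
    """Devices whose failure alone cuts inside off from outside."""
    return [d for d in devices(links) if not connected(links, {d})]

def failures_to_outage(links):
    """Smallest number of simultaneous device failures that cuts the path."""
    devs = devices(links)
    for k in range(1, len(devs) + 1):
        if any(not connected(links, set(c)) for c in combinations(devs, k)):
            return k
    return None

if __name__ == "__main__":
    for name, links in TOPOLOGIES.items():
        print(name, len(devices(links)), "devices, SPOF:",
              single_points_of_failure(links),
              "min failures to outage:", failures_to_outage(links))
```

Under this wiring the device count grows from 4 to 6 while the single points of failure drop from two to none, which is the HA-versus-complexity trade-off the slide describes.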

20
  • Choice 4 seems reasonable

21
Conclusion: HA design
  • built a robust network
  • a secure network
  • an easy to manage network

22
3. The future: some thoughts
  • statement
  • there are so many entry-points into our network
    that there is really no longer a perimeter, so do
    we still need a firewall?

23
The network outsourced
  • Outsource the whole network, it is unsafe anyway
  • do the security yourself, on a user and system
    basis

24
3. The lost perimeter
25
Problems
  • the perimeter is there, but it is bypassed by
    everyone
  • remote hosts have full access to the networked
    services via dialup, VPN etc., usually without
    real control over the protocols (they are often
    encrypted so can't be looked at)

26
The open network
  • the network can be outsourced.
  • the security is done in-house
    - OS hardening
    - antivirus and IDS
    - desktop/server firewall
    - VPN connectivity with user authentication
  • all of these integrated with each other

27
In reality
  • More likely scenario
  • servers separately firewalled
  • central firewall is an internal network
    separator, covering the real assets

28
New trend: the Jericho Forum
  • group of industry IT leaders
  • bringing the firewall down
  • Security should be done with
  • inherently secure servers
  • inherently secure protocols
  • there may be no firewall in the classical sense
    anymore, but a traffic manager that knows the
    protocols and connects safe protocols through to
    the right services.

29
  • Thanks!
  • Q&A