Jesus College Firewall Benefits and Overheads

1
Jesus College Firewall - Benefits and Overheads
Jesus College IT Department
TechLink Seminar
Presented by
Ashley Meggitt (IT Manager) and Damian Kramer
(Unix and Network Administrator)
TechLink Seminar 21-05-03
2
Background
Jesus College IT Department

• Some experience of firewall management
• Used primarily as a security device
• Precinct wide firewall plan in place
• Computer Services white paper
• Skill set

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
3
Jesus College IT Department
Q. Why did we decide to implement a precinct wide
firewall?
A. Management

• The firewall offers us a tool for management of
• Security
• Network monitoring and low level management
• User administration
• Additional services

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
4
Security
Jesus College IT Department

• First Line of defence from external attacks
• Defence against attacks across our own network
• A point of control between networks

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
5
Network monitoring and low level management
Jesus College IT Department

• Monitor bandwidth across all external interfaces
  
• Individual bandwidth monitoring
• Monitor types of traffic
• port management
• protocol management - potential
• Adjust to pressure on the bandwidth - QOS
• Create and manage private subnets

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
6
User Administration
Jesus College IT Department
- NAT and DHCP Key components

• Simple connection to the network
• Easy registration
• Implementation of policies
• Potential for individual charging
• Easy disconnection

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
7
Additional Services
Jesus College IT Department

• In conjunction with other aspects of the network
  VLANS
• CCTV over IP
• Access Control
• Future developments

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
8
Network Layout
Jesus College IT Department
CUDN PoP
Logging
Firewall 1
Firewall 2
Management
CCTV
Admin
Catering
Management
DMZ
Academic
Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
9
System / Services
Jesus College IT Department

• Runs Devil Linux 0.5
• Uses iptables
• DNS
• DHCP
• NAT
• Argus

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
10
Rules
Jesus College IT Department

• Default to all traffic blocked
• Allow outgoing connections
• No new connections allowed from DMZ to rest of
  network
• Special exceptions (Earth Sciences, Engineering)
• User exceptions (port redirecting)

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
11
Management
Jesus College IT Department

• Linux server
• MySQL Database backend
• Web frontend
• Custom file packaging for transferring
  configuration to running firewall

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
12
Logging
Jesus College IT Department

• Linux server
• PostgreSQL backend
• Apache EmbPerl Web frontend
• Custom argus collection scripts
• Summarisation and analysis on nightly basis

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
13
Logging Screenshot 1
Jesus College IT Department
Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
14
Logging Screenshot 2
Jesus College IT Department
Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
15
Management Screenshot 1
Jesus College IT Department
Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
16
Management Screenshot 2
Jesus College IT Department
Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03
17
Overheads to Consider
Jesus College IT Department

• Specialist CO
• Well organised network
• Rule consideration
• Dealing with people
• Launch logistics
• Extra hardware
• Reliance a key networking component
• Responsibility

Ashley Meggitt and Damian Kramer
TechLink Seminar 21-05-03