BSD Firewall by frt17672


									                                  BSD Firewall

              R. Les Cottrell
Stanford Linear Accelerator Center (SLAC)
      Presented at SCS Technical Coordination Meeting July 22, 1998

8/4/2010           1
 Securing          BSD SLAC is a requirement from Richter
  – Protect BSD without destroying open collaborative
    environment for most of SLAC
 This   meetings goals:
      explain  the current understanding & improve it
      put forward some first steps

      raise questions / concerns

      prioritize and assign resources to address as appropriate

         8/4/2010   2
               Possible Concept

                   BSD ~200 hosts
              ISDN Purch
          NTFS’        Plan       Dev Web
          DNS’ NTP’ BSD             PS
             DHCP              Sage
web-proxy             Firewall            ADSM
                                ssh ssh Unix-admins
    8/4/2010   3
   Sage (Sun): Oracle server for BSD
   Parsley (Sun): Oracle server for SLAC (e.g. CANDO)
   Web-proxy (Sun or NT?): allows BSD folks to have a single way of
    getting to outside BSD web pages & thus allows blocking of most
    Web access.
   ssh (Sun): allows single point of access to BSD for Unix logon thus
    allowing blocking of most ssh logons
   DHCP (Sun): dynamic host configuration server needed if DHCP
   PS (NT): PeopleSoft server for BSD
   SMS’ (NT), NTFS’ (NT): provides support for separate BSD NT
   ISDN (Cisco): allows dialin access to BSD from home
          8/4/2010   4
   Allow:                                         Block
    –   time, smtp, http out, dns                    –   no mail gateways
    –   POP/IMAP                                     –   http in
    –   telnet out of BSD                            –   telnet into BSD
    –   ftp out of BSD [s]                           –   ftp into BSD
    –   afs & Kerberos                               –   nfs, nis, tftp, bootp?
    –   VPN?                                         –   r*
    –   print                                        –   NT network (135-139)
    –   adsm                                         –   hydra?
    –   sql*net between PS & DW [s]                  –   X11 & XDMCP, finger
    –   snmp (need for monitoring) [s]               –   DECnet, AppleTalk,
    –   Deny all others                                  NetWare

           8/4/2010         5
                  Firewall Requirements
 Some  of the services/protocols can be blocked with
 existing router ACLs, e.g.
  – nfs, r*, NT networking, telnet into BSD
 Toallow some services/protocols (ftp, sql*net)
 requires statefulness
  – i.e. open connection on well know port, then data flows
    on ephemeral ports, so when see well known port open
    up ephermeral ports for duration of session
  – we do not currently have a device that can do this

       8/4/2010   6
 Move  ~50 purchasers & planners into BSD, ~ $12K
 Provide a router with ACLs (cannot be stateful) for
  BSD to block:
  – telnet in to BSD, r*, ftp in to BSD, NIS (via portmapper)
  – DECnet, IPX (does Flex server use this?), AppleTalk
    (only IP printers in BSD)
  – NT networking, ie.135-139
 Buy  a firewall which supports stateful blocking [s] ~
 Put all BSD on switches (avoid sniffing, can block
  snmp), cost ~ $45K
        8/4/2010   7
                   Questions - Services
 How many BSD insiders need to telnet/ssh out?
 How many BSD insiders need to ftp out
 Can BSD insiders use afs instead of ftp?
 Can we allow all simple TCP outbound access
  – simple means non stateful protocols
  – if so, then we may not need a Web proxy
 Can   all BSD insiders use an ssh IMAP/POP client?
  – Protect passwords in clear

        8/4/2010   8
                  Questions - BSD
 Printers
  – Do printers inside need to be accessed from outside?
  – Do printers outside need to be accessed from inside?
  – How does NT print, is there an NT print server inside?
 Where does Flex server go?
 Do we have to block DHCP/BootP?
 Do we need ISDN, if so how many?
  – Costly ($700/mo, $12K one time) if > than say 4 users
  – What about host stored passwords in shared homes?
  – Do these users already have ISDN?
       8/4/2010   9
 Questions - BSD Policies/assumptions
 Users do not install software (esp. off net or floppy)
 Users do not accept Excel/Word enclosures with
  macros or:
  – is McAfee VirusScan good enough
  – do we need to check all mail at gateway ($20K)
 No unregistered Web servers off port 80
 Assumptions, inside BSD:
  – no NCDs
  – no AppleTalk printers (laserwriters)
  – NIS turned off on all hosts in BSD
       8/4/2010   10
             Questions - initial testing
 Need  to precisely define what protocols/services to
  block, in which direction and to & from where (IP
  – who decides & works with John Halperin?
 Need to identify more precisely the impacts of
 Who works with users to notify, educate, provide
  documentation & FAQs, consult, trouble-shoot,
  coordinate, schedule outages

       8/4/2010   11
           Questions - What about NT
 What    are the plans & schedule for:
  –   splitting the BSD domain off from the rest of SLAC
  –   providing NTFS’
  –   the contacts are Andrea, Patrick, Jeff, Bill Johnson
  –   etc.?
 Do  NT afs clients need ephermeral ports?
 How does NT print, is there an NT print server

        8/4/2010   12
 Questions - NT & App admin access
 Do Ian, Freddie, Frank, George etc. need to be
 inside firewall or outside or both
  – How many such people are there?
  – How do we identify them, & who is responsible for
    identifying them?
  – What are the possible solutions?

       8/4/2010   13
               Questions - Web Servers
 What     are the plans for proxy
  –    What is needed?
  –    What is available?
  –    Is it NT or Unix?
  –    Is it a separate server & if so where?
  –    When will it be ready?
  –    Who is the contact person?
 Isa separate server needed inside firewall to access

         8/4/2010   14
                 Questions - Databases
 What   are plans for Parsley
  – When does it get installed?
  – What has to get moved to it etc.?
  – Ian reconfigures Sage
 Database       group is responsible for Development Web
 Who is responsible for Web-proxy server?

      8/4/2010   15
                   Questions - Unix
 When  will Parsley be ready for Ian?
 Who is responsible for the ssh server (do we need
 ADSM issues:
  – do Parsley & Sage backup to ADSM?
  – what protocols does it use?
 Arethere issues with administering Sage, DHCP,
  web-proxy with NFS, NIS etc. blocked?
  – How are inside accounts administered?

        8/4/2010   16
 Get ssh ftp for evaluation
 Get questions answered
 Assign group to define initial simple blocks

        8/4/2010   17

To top