Access segregation in a corporate network: Let's go DPIeeper
Igor Bulatenko, QIWI

OK, glass, segregate enterprise network
- (Large) Enterprise: 1000+ users vs 1000+ servers;
- Thousands of access rules on hundreds of devices;
- Inefficient restrictions of classic IP ACLs;
- Access rules management simplification.

Oldies but goldies: IP access control lists
- Most positive news: everybody knows them;
- Source, destination, protocol, port. And what about user and application? Nothing;
- Who do you want to cheat? $ ssh -p 443;
- PAM with CBAC has too few protocols.

L7 way to heaven
- No bullshit: everybody knows about "next generation firewalls";
- In case you forgot:
  - Application identity; user identity; IPS; directory-based policy; making coffee and doing other pretty things.
- OpenAppID & Snort;
- $10 for each reference:
  - Palo Alto, IBM, Check Point, McAfee, and so on.

Talking about the hosts and ports
Talking about the apps: feel the difference
1 rule!!! "Allow Jon Snow DBA access to the LAN"

How we do it: managing user access
- IBM XGS5100 as the NGFW device;
  - Active Directory login event pairs a user with an IP address;
  - MacOS/*nix goes the web-auth/Kerberos way;
  - No auth, no party;
- Network access based on "memberOf":
  - Each rule equals one user group in the domain;
  - Fast access granting: no need to change the device config;
  - Easy access recertification;
- Managing NGFW devices using a handmade Python API;
- Collecting logs in one place;
- Reading and analyzing FW rules the same way the device does.

How we do it: user web interface
- Look up what you can do, and why you can do so;
- Suggest what else the user wants!

How we do it: more features
- Use the force stats, Luke:
  - Profiling user activity;
  - Automatic access group suggestions (Magic! Magic!);
  - Elasticsearch? Analyze it all!
- Emergency "allow all" button:
  - Grants you unlimited access to the internal resources;
  - Alerts the security team;
- Feedback on IPS events:
  - Block user access;
  - Kill user session.

Pros, cons, pitfalls
- Easy-to-manage access segregation solution;
- A little bit more secure than IP ACLs;
- Damn flexible rules;
- You had a billion ACLs. Now you have a billion AD groups;
- DPI engine imperfection:
  - Some protocols are hard to detect;
  - High load issues;
  - Fail drop or fail pass?
- Do you have your own programmers?
- Making a brand-new set of network rules is painful.

Mailto: videns@qiwi.com
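The identity-based policy the talk describes, as an added example that is not from the talk or from QIWI's tooling: constructed AD logon events pair users with IP addresses, each rule equals one AD group plus an application, an IP with no paired user is denied ("no auth, no party"), and a flow whose application the DPI engine could not identify is resolved by a fail-closed/fail-open switch (the "fail drop or fail pass?" pitfall). All users, groups, applications and addresses are made up for the example.

```python
# Added example: minimal model of user-identity (memberOf) based access
# control as done on an NGFW fed with AD logon events. Not the talk's code.

# Constructed directory: user -> AD groups the user is memberOf
DIRECTORY = {
    "jsnow": {"DBA", "Domain Users"},
    "asnow": {"Domain Users"},
}

# Constructed rules: one AD group per rule, plus the allowed application
RULES = [
    ("DBA", "mysql", "allow"),
    ("DBA", "ssh", "allow"),
    ("Domain Users", "http", "allow"),
]

# Constructed AD logon events as the device would receive them: (user, ip)
LOGON_EVENTS = [
    ("jsnow", "10.0.1.15"),
    ("asnow", "10.0.1.20"),
    ("jsnow", "10.0.1.30"),   # same user logging on from a second host
]


def build_user_map(events):
    """Pair each IP with the user most recently seen logging on from it."""
    mapping = {}
    for user, ip in events:
        mapping[ip] = user    # a later logon on the same IP replaces the earlier one
    return mapping


def evaluate(src_ip, app, user_map, fail_closed=True):
    """Decide a flow the way the device would: resolve IP -> user, then
    match the user's groups against group-based rules for the application.
    app is None when DPI could not identify the protocol."""
    user = user_map.get(src_ip)
    if user is None:
        return "deny", "unauthenticated source"
    if app is None:
        return ("deny" if fail_closed else "allow"), "unidentified application"
    groups = DIRECTORY.get(user, set())
    for group, rule_app, action in RULES:
        if group in groups and rule_app == app:
            return action, f"{group}:{rule_app}"
    return "deny", "no matching rule"


def effective_access(user):
    """What the user web interface shows: every app the user's groups allow."""
    groups = DIRECTORY.get(user, set())
    return {app for group, app, action in RULES if group in groups and action == "allow"}
```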