DPI as a means of access segregation in a corporate

Access segregation in a corporate network: Let's go DPIeeper
Igor Bulatenko, QIWI
OK, glass, segregate enterprise network
- (Large) enterprise: 1000+ users vs 1000+ servers;
- Thousands of access rules on hundreds of devices;
- Inefficient restrictions of a classic IP ACL;
- Simplification of access rule management.
Oldies but goldies: IP Access control list
- Most positive news: everybody knows them;
- Source, destination, protocol, port. And what about user and application? Nothing;
- Who do you want to cheat? $ ssh -p 443;
- PAM with CBAC has too few protocols.
L7 way to heaven
- No bullshit: everybody knows about “next generation firewalls”;
- In case you forgot:
  Application identity;
  User identity;
  Directory-based policy;
  Making coffee and doing other pretty things.
- OpenAppID & Snort;
- $10 for each reference:
  Palo Alto, IBM, Check Point, McAfee, and so on.
Talking about the hosts and ports
Talking about the apps: feel the difference
1 Rule!!!
“Allow Jon Snow
DBA Access to the
How we do it: managing user access
- IBM XGS5100 as NGFW device;
- Active Directory login event – pairing user with IP address;
- MacOS/*nix goes the web-auth/Kerberos way;
- No auth – no party;
- Network access based on “memberOf”:
  Each rule equals one user group in the domain;
  Fast access granting – no need to change device config;
  Easy access recertification;
- Managing NGFW devices using a handmade Python API;
- Collecting logs in one place;
- Reading and analyzing FW rules the same way the device does.
How we do it: user web interface
And why you can do so
Look up what you can do
Suggest what else the user wants!
How we do it: more features
- Use the Force stats, Luke:
  Profiling user activity;
  Automatic access group suggestions (Magic! Magic!);
  Elasticsearch? Analyze it all!
- Emergency “allow all” button:
  Grants you unlimited access to the internal resources;
  Alerts the security team.
- Feedback on IPS events:
  Block user access;
  Kill user session.
Pros, cons, pitfalls
- Easy-to-manage access segregation solution;
- A little bit more secure than an IP ACL;
- Damn flexible rules;
- You had a billion ACLs. Now you have a billion AD groups;
- DPI engine imperfection:
  Some protocols are hard to detect;
  High load issues;
  Fail drop or fail pass?
- Do you have your own programmers?
- Making a brand-new set of network rules is painful.
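The access model these slides describe (user paired with an IP from a directory login event, one rule per AD group keyed on application identity rather than port, and the "fail drop or fail pass" choice for undetected traffic), written out as a small Python model. This is an added example, not QIWI's code or the XGS5100 API; every user, group, IP and rule below is constructed for illustration.

```python
"""Toy model of NGFW access rules keyed on AD group + application identity,
contrasted with a port-based IP ACL. All data here is constructed."""
from dataclasses import dataclass


@dataclass
class Rule:
    group: str   # each rule equals one AD group (the slides' memberOf model)
    app: str     # application identity detected by DPI, not a port number
    dst: str     # destination zone label


# Constructed inputs: AD login events pair a user with a source IP,
# and memberOf comes from the directory.
LOGIN_EVENTS = [("10.0.1.15", "jon.snow"), ("10.0.1.16", "sam.tarly")]
MEMBER_OF = {"jon.snow": {"dba-prod"}, "sam.tarly": {"helpdesk"}}
RULES = [Rule("dba-prod", "ssh", "db-servers"),
         Rule("helpdesk", "rdp", "workstations")]


def user_for_ip(src_ip, events=LOGIN_EVENTS):
    """Latest login event for the IP wins; None means "no auth - no party"."""
    user = None
    for event_ip, event_user in events:
        if event_ip == src_ip:
            user = event_user
    return user


def ip_acl_allows(src_ip, dst_port):
    """Classic IP ACL: only the 5-tuple is visible. Port 443 is open for
    everyone, so 'ssh -p 443' from any host is indistinguishable from HTTPS."""
    return dst_port == 443 or (src_ip == "10.0.1.15" and dst_port == 22)


def ngfw_decision(src_ip, detected_app, dst, fail_open=False):
    """Identity- and application-aware rule. An undetected application is
    dropped unless the device is configured to fail pass."""
    user = user_for_ip(src_ip)
    if user is None:
        return "deny: unauthenticated source"
    if detected_app is None:
        return "allow: fail pass" if fail_open else "deny: fail drop"
    for rule in RULES:
        if (rule.group in MEMBER_OF.get(user, set())
                and rule.app == detected_app and rule.dst == dst):
            return f"allow: {user} via group {rule.group}"
    return f"deny: {user} has no group granting {detected_app} to {dst}"
```

The same "ssh on port 443" session that `ip_acl_allows` lets through is denied by `ngfw_decision` for a user outside the DBA group, and an unknown protocol shows the fail-drop/fail-pass trade-off explicitly.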
Mailto: videns@qiwi.com