Presentation on theme: "Access segregation in a corporate network: Lets go D PI eeper Igor Bulatenko, QIWI."— Presentation transcript:
Access segregation in a corporate network: Lets go D PI eeper Igor Bulatenko, QIWI
OK, glass, segregate enterprise network -(Large) Enterprise: of users vs of servers; -Thousands of access rules on hundreds of devices; -Inefficient restrictions of classic IP ACL; -Access rules management simplification.
Oldies but goldies: IP Access control list -Most positive news: everybody knows them; -Source, destination, protocol, port. And what about user and application? Nothing; -Who do you want to cheat? $ssh –p 443; -PAM with CBAC has too few protocols.
L7 way to heaven -No bullshit: everybody knows about “next generation firewalls”; -It case you forgot: -Application identity; -User identity; -IPS; -Directory-based policy; -Making coffee and doing other pretty things. -OpenAppID & Snort; -$10 for each reference: -Palo Alto, IBM, Check Point, McAfee, and so on.
Talking about the hosts and ports
Talking about the apps: feel the difference 1 Rule!!! “Allow Jon Snow DBA Access to the LAN”
How we do it: managing user access -IBM XGS5100 as NGFW device; -Active Directory login event – pairing user with IP address; -MacOS/*nix goes web-auth/kerberos way; -No auth – no party; -Network access based on “memberOf”: -Each rule equals one user group in domain; -Fast access granting – no need to change device config; -Easy access recertification; -Managing NGFW devices using handmade python API; -Collecting logs in one place; -Reading and analyzing FW rules the same way device does.
How we do it: user web interface Lookup what you can do And why you can do so Suggest, what user wants else!
How we do it: more features -Use the force stats, Luke: -Profiling users activity; -Automatic access group suggestions (Magic! Magic!); -Elasticsearch? Analyze it all! -Emergency “allow all” button: -Grants you unlimited access to the internal resources; -Alerts the security team -Feedback on IPS events: -Block user access; -Kill user session;
Pros, cons, pitfalls -Easy to manage access segregation solution; -Little bit more secure than IP ACL; -Damn flexible rules; -You had billion of ACLs. Now you have billion of AD groups; -DPI engine imperfection: -Some protocols are hard to detect; -High load issues; -Fail drop or fail pass? -Do you have your own programmers? -Making brand-new set of network rules is painful.