NGF03 NextGen Firewall Features Slide Deck FW7.1.1
Features ‐ Instructor Slides
Advanced Firewall Policies
Barracuda NextGen Firewall F
Dynamic Rules
Used to grant temporary access without editing the firewall ruleset
• Inactive by default
• Enabled with a duration
Bidirectional Access Rules
Barracuda NextGen Firewall F ‐ NextGen
Features ‐ Instructor Slides
Schedule Objects
• Restrict rules to specific times and intervals
• Used as additional matching criteria
Hostname Network Objects
• Network objects in which the IP addresses are determined by DNS resolution
• DNS‐resolvable hostname limited to 24 IPv4 and 17 IPv6 addresses
• The firewall must be able to resolve the DNS entries
Proxy ARP
• Configuration via proxy ARP objects
• Can be regarded as additional IP addresses
• Firewall responds to ARP requests for these IP addresses
Named Networks
Transfer the network structure information to the firewall configuration
• Use human‐readable names
• Can be used for both ruleset evaluation and visualization
Named Network Structure
• Describes networks in a top‐down approach
• Splits the 32 bits of the IPv4 address into multiple, sequential bit ranges called network tree nodes
Named Network Value
The Named Network values are added to the most granular layer of the group hierarchy.
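The following is an added example, not Barracuda's implementation, that models the Named Network structure and value layers described above: a tree of sequential bit ranges with a name table per node level. The tree layout (Company / Site / Segment / Host) and all names are assumptions.

```python
from ipaddress import IPv4Address

# Constructed example, not Barracuda's implementation: models the Named Network
# structure described above. The 32 address bits are split into sequential bit
# ranges (network tree nodes); each level carries human-readable names, and an
# address resolves to a path of names. The tree layout and names are invented.

# (node, bit width) from the most significant bits downwards; the widths must
# cover all 32 bits. ASSUMPTION: a 10.0.0.0/8 deployment, one /16 per site.
TREE = [("Company", 8), ("Site", 8), ("Segment", 8), ("Host", 8)]

# Named Network values for each level (the most granular named layer here is
# Segment; hosts keep their numeric value)
NAMES = {
    "Company": {10: "Corp"},
    "Site": {0: "HQ"},
    "Segment": {8: "Clients", 9: "Servers"},
}

def split_address(addr, tree=TREE):
    """Split an IPv4 address into (node, value) pairs along the tree."""
    if sum(width for _, width in tree) != 32:
        raise ValueError("node widths must sum to 32 bits")
    bits, shift, parts = int(IPv4Address(addr)), 32, []
    for node, width in tree:
        shift -= width
        parts.append((node, (bits >> shift) & ((1 << width) - 1)))
    return parts

def resolve_names(addr, tree=TREE, names=NAMES):
    """Map an address to the readable path used in rule evaluation and views;
    unnamed values fall back to node=number so nothing is silently hidden."""
    path = []
    for node, value in split_address(addr, tree):
        label = names.get(node, {}).get(value)
        path.append(label if label is not None else f"{node}={value}")
    return "/".join(path)
```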
Firewall Settings
• General Firewall configuration
• Settings that affect Host Firewall and Forwarding Firewall
• Forwarding settings
• Settings that affect only forwarding operations
Changing parameters may require a reboot of the firewall.
Make sure you know what you are doing!
Advanced Rule Parameters
• Rule Mismatch policy
• TCP SYN Flood Protection
• Generic TCP Proxy
• Interface Mismatch policy
• Additional access rule parameters
Rule Mismatch Policy
• Access rule is executed if source, destination, service, and user conditions match – otherwise, the next rule is evaluated
• Set the Rule Mismatch policy
• CONTINUE on Mismatch (default)
• BLOCK on Mismatch
• DENY on Mismatch
TCP SYN Flood Protection
• Outbound Mode (default)
• Inbound Mode
[Diagram: SYN / SYN‐ACK / ACK exchange shown for both modes]
Transparent Redirect
HTTP and HTTPS forwarded to devices such as the Web Security Gateway without rewriting the original source/destination IP
Interface Mismatch Policy
[Diagram: host 10.0.8.95 in HQ network 10.0.8.0/24, a second HQ network 10.0.9.0/24, interfaces eth0, eth1 and eth3 (transfer net to the Internet); illustrates reverse routing and interface mismatch]
Additional Access Rule Parameters
• Resource Protection
• Rule Event
• Application Logging
• Transparent Failover State Sync
• Block Page for TCP 80
DNS Caching and DNS Interception
Caching DNS
[Diagram slides: Caching DNS; Caching DNS using a remote management tunnel]
DNS Interception
Firewall User Awareness
Authentication Schemes
• Local and external authentication schemes
• User‐ and group‐based authentication policies
• Group information dependent on authentication protocol
User‐Aware Firewall Systems
[Diagram: authentication sources feeding the firewall authentication database ‐ SMS Passcode, LDAP/S, VPN, NTLM, Local, DC Agent, TS Agent, Wi‐Fi Controllers]
User Objects
• Restrict access rules to specific users and user groups
• Used as an additional matching criterion
• User conditions consist of:
• Login name
• Group
• Policy roles
• X509 certificate
• VPN user
• Authentication method
Access Rule Matching Conditions
• Mandatory rule matching conditions
• Source, destination, service
• Optional rule matching conditions
• User, schedule
• A connection request matches if all configured rule conditions match.
• User is identified according to the source IP address
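An added example, not Barracuda code, that models the Rule Mismatch policy slide together with the matching conditions above: source, destination and service are mandatory, user and schedule are optional, and a ruleset is walked top‐down. It assumes that the mismatch policy applies when the mandatory conditions match but an optional one does not; the rule names, networks and users are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example, not Barracuda code: a toy evaluator for the matching logic on
# the slides. Source, destination and service are mandatory conditions; user and
# schedule are optional. ASSUMPTION: the Rule Mismatch policy decides the outcome when
# the mandatory conditions match but an optional one does not. All values are invented.

@dataclass
class Rule:
    name: str
    source: str                    # CIDR
    destination: str               # CIDR
    service: str                   # e.g. "tcp/22"
    action: str                    # verdict when all conditions match
    users: Optional[set] = None    # None = no user condition
    hours: Optional[range] = None  # None = no schedule condition
    mismatch: str = "CONTINUE"     # CONTINUE (default) | BLOCK | DENY

def mandatory_match(rule, src, dst, service):
    return (ip_address(src) in ip_network(rule.source)
            and ip_address(dst) in ip_network(rule.destination)
            and service == rule.service)

def optional_match(rule, user, hour):
    if rule.users is not None and user not in rule.users:
        return False
    return rule.hours is None or hour in rule.hours

def evaluate(ruleset, src, dst, service, user=None, hour=0):
    """Walk the ruleset top-down; user is the identity tied to the source IP
    (None if unknown), hour the current hour for schedule conditions."""
    for rule in ruleset:
        if not mandatory_match(rule, src, dst, service):
            continue                              # next rule is evaluated
        if optional_match(rule, user, hour):
            return f"{rule.action} ({rule.name})"
        if rule.mismatch in ("BLOCK", "DENY"):    # stop here: drop or reject
            return f"{rule.mismatch} (mismatch policy of {rule.name})"
        # CONTINUE: treated as no match, evaluation goes on with the next rule
    return "BLOCK (no matching rule)"

RULESET = [
    Rule("ADMIN-SSH", "10.0.8.0/24", "10.0.9.10/32", "tcp/22", "PASS",
         users={"alice"}, hours=range(8, 18), mismatch="DENY"),
    Rule("LAN-WEB", "10.0.8.0/24", "0.0.0.0/0", "tcp/443", "PASS"),
]
```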
Barracuda Authentication Tools
• Barracuda DC Agent
• Barracuda TS Agent
• Wi‐Fi AP authentication
• Sync authentication to trustzone
Barracuda DC Agent
• Install either on the domain controller or dedicated Windows PC
• Checks the domain controller for login events
• Obtains the records of authenticated users
• Allows true single sign‐on capabilities
Barracuda DC Client
• Located on the firewall
• Checks for user authentication information from the Barracuda DC Agent
• Received usernames and IP addresses stored in user database
• Information is available to all services supporting DC Client authentication
Barracuda Terminal Server Agent
• Enables transparent monitoring of users on a Microsoft Terminal Server
• Assigns a port range to each user
• Source IP is the same for all users coming from the Terminal Server
• User / port range mapping sent to the firewall
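An added example, not the Barracuda TS Agent's code, showing how a firewall can attribute a terminal server connection to a user once the agent has reported a per‐user source‐port range: identity is keyed on (source IP, source port) instead of the IP alone, overlapping ranges are rejected, and a logout releases the range. The terminal server IP, port ranges and user names are assumptions.

```python
from bisect import bisect_right

# Constructed example, not Barracuda TS Agent code: models how a firewall can
# attribute a connection from a terminal server to a user although every
# session shares one source IP. The agent reserves a source-port range per
# user and reports the mapping; the firewall keys on (source IP, source port).
# The terminal server IP, port ranges and user names are invented.

TS_IP = "10.0.8.50"            # the single source IP shared by all TS users

class PortRangeMap:
    """User/port-range mapping reported by the agent for one terminal server."""

    def __init__(self):
        self._starts = []      # sorted range starts, for bisect lookups
        self._ranges = []      # (start, end, user), parallel to _starts

    def assign(self, user, start, end):
        # reject overlapping ranges: an overlap would attribute one user's
        # traffic to another, which defeats user-based access rules
        for s, e, u in self._ranges:
            if start <= e and end >= s:
                raise ValueError(f"{start}-{end} overlaps {u} ({s}-{e})")
        idx = bisect_right(self._starts, start)
        self._starts.insert(idx, start)
        self._ranges.insert(idx, (start, end, user))

    def release(self, user):
        # on logout drop the range, so ports reused by a later session are
        # not still attributed to the previous user
        self._ranges = [r for r in self._ranges if r[2] != user]
        self._starts = [r[0] for r in self._ranges]

    def lookup(self, port):
        idx = bisect_right(self._starts, port) - 1
        if idx >= 0:
            start, end, user = self._ranges[idx]
            if start <= port <= end:
                return user
        return None

def identify(mapping, src_ip, src_port):
    """Return the user behind a connection, or None if it cannot be attributed
    (unknown port, or not coming from the terminal server at all)."""
    if src_ip != TS_IP:
        return None            # non-TS source: identity comes from the IP alone
    return mapping.lookup(src_port)
```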
Wi‐Fi AP Authentication
• Firewall monitors syslog files sent by Wi‐Fi access points to identify login and logout events.
• Supported Wi‐Fi access points:
• Aerohive (login only)
• Ruckus (login and logout)
• Aruba (login only)
• Aruba Instant (login only)
Firewall Authentication
• Inline firewall authentication
• Offline firewall authentication
• Guest access
Firewall Authentication Daemon
• Web server used for firewall user authentication (fwauthd)
• Runs on loopback interface (127.0.0.1)
• Listens on ports 80, 443‐447 depending on authentication type
• Supported authentication sources:
• External authentication servers (LDAP, RADIUS, Active Directory, etc.)
• Firewall local user database (NGF Local)
• External signed x.509 certificates
Inline Firewall Authentication
• HTTP/S connection request – authentication required [diagram: fwauthd, HTTP+S]
• Authentication data OK – connection is established [diagram: HTTP+S]
Offline Firewall Authentication
• Connection request ‐ redirection to authentication page [diagram: browser, fwauthd]
• Authentication data OK – connection established [diagram: SSH]
Firewall Auth‐Daemon Listening Ports
• User authentication through username / password:
• TCP 80 (plaintext)
• TCP 443 (SSL encrypted)
• TCP 448 (SSL encrypted with automatic redirection)
• User authentication through x.509 certificate:
• TCP 444
• User authentication through x.509 certificate and username / password:
• TCP 445
• Guest access confirmation page:
• TCP 446
• Guest access with ticketing:
• TCP 447
Firewall Authentication Client
• Automates login through offline firewall authentication on startup
• URL for offline firewall authentication must be configured.
Guest Access / Ticketing
• Login or ticketing system to temporarily grant access to guest users.
• Acts as captive portal to enforce user authentication
• Confirmation page, login portal, or guest ticketing
• Ticketing administrator
• URL: https://<firewall IP address>/lp/cgi‐bin/ticketing
• Only one ticketing administrator user
• Time‐based access
Remote Procedure Calls
• ONC‐RPC (Unix / SUNRPC) Portmapper UDP 111
• DCE‐RPC (Microsoft Windows) Endpoint‐Mapper TCP 135
[Diagram: the client asks the Portmapper (UDP 111) for the NFS port, is told NFS is on UDP 4095, and then exchanges NFS data with the NFS server on UDP 4095]
Passive RPC
• RPC service information is extracted from Portmapper / Endpointmapper connections by the firewall dcerpc/oncrpc plugins.
• Plugin is configured in the service object.
[Diagram: the plugin watches the client's "NFS Port?" request to the Portmapper (UDP 111) and the "NFS is on UDP4095" reply, and opens the learned service port NFS UDP4095 for the NFS data]
Active RPC
• Firewall continuously queries RPC server for offered RPC services.
• All servers offering RPC services are entered in the Firewall Forwarding settings.
[Diagram: the firewall asks the Portmapper (UDP 111) "Which RPC services?" and learns NFS: UDP4095, Mountd: UDP42365, NIS: TCP2357; the client's NFS request is then matched against the learned service ports]
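An added example, not the firewall's oncrpc plugin, of the passive RPC idea above: a minimal parser for ONC‐RPC portmapper GETPORT calls and replies that pairs them by transaction id and returns the dynamically assigned service ports a firewall would open. The packet builders and all program numbers, ports and xids in the sample traffic are constructed for illustration.

```python
import struct
# Constructed example, not the firewall's oncrpc plugin: a minimal passive parser
# for ONC-RPC portmapper GETPORT exchanges (RFC 5531 / portmapper v2). Pairing a
# client's question ("which port is NFS on?") with the server's answer is what
# lets a firewall open only the dynamically assigned port. Packets are constructed.

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MSG_CALL, MSG_REPLY, RPC_VERSION = 0, 1, 2
GETPORT_HEADER = (MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)

def _skip_auth(buf, off):
    # opaque_auth = flavor + length + body, body padded to a 4-byte boundary
    _flavor, length = struct.unpack_from("!II", buf, off)
    return off + 8 + ((length + 3) & ~3)

def parse_getport_call(buf):     # -> (xid, prog, vers, prot) or None
    xid, *header = struct.unpack_from("!6I", buf, 0)
    if tuple(header) != GETPORT_HEADER:
        return None
    off = _skip_auth(buf, _skip_auth(buf, 24))          # credentials, then verifier
    prog, vers, prot, _port = struct.unpack_from("!4I", buf, off)
    return xid, prog, vers, prot

def parse_getport_reply(buf):    # -> (xid, port) for an accepted reply, else None
    xid, mtype, reply_stat = struct.unpack_from("!3I", buf, 0)
    if mtype != MSG_REPLY or reply_stat != 0:            # MSG_ACCEPTED only
        return None
    accept_stat, port = struct.unpack_from("!2I", buf, _skip_auth(buf, 12))
    return (xid, port) if accept_stat == 0 else None     # SUCCESS only

def learn_service_ports(packets):
    """Pair calls and replies by xid; return (prog, vers, prot, port) to allow."""
    pending, learned = {}, []
    for buf in packets:
        try:
            call, reply = parse_getport_call(buf), parse_getport_reply(buf)
        except struct.error:                             # truncated message
            continue
        if call:
            pending[call[0]] = call[1:]
        elif reply and reply[0] in pending:
            prog, vers, prot = pending.pop(reply[0])
            if reply[1] != 0:                            # port 0 = not registered
                learned.append((prog, vers, prot, reply[1]))
    return learned

def build_call(xid, prog, vers, prot):        # constructed client packet, AUTH_NULL
    return (struct.pack("!6I", xid, MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS,
                        PMAPPROC_GETPORT) + bytes(16) + struct.pack("!4I", prog, vers, prot, 0))
def build_reply(xid, port):                   # constructed portmapper answer
    return struct.pack("!3I", xid, MSG_REPLY, 0) + bytes(8) + struct.pack("!2I", 0, port)
```

Unsolicited replies (no pending call with that xid), replies with port 0 and truncated messages are ignored, which is the behaviour a firewall needs so that only ports the portmapper actually announced get opened.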
Application Control
The Application Challenge
Application Control
• Dedicated ruleset to allow, deny, and prioritize app traffic
• Application pattern database updated regularly
Application Control Features
• SSL Interception
• URL Filtering
• Virus Scanning and Advanced Threat Protection
• File Content and User Agent Filtering
• Mail DNSBL Check and Link Protection
• SafeSearch and Google Accounts
SSL Interception
• Decrypts SSL‐encrypted traffic to inspect content
• Root certificate required on all clients to avoid browser certificate errors
Application Objects
• Reusable combinations of predefined and custom applications
• Let you create your own set of applications
• Available types of application objects:
• Application Object
• Custom Application Object
• Protocol Object
• Application Filter Object
URL Filtering in the Firewall
• Offers real‐time URL filtering for web traffic
• URL Filter policy object
• Policies for every URL category
• Custom URL allow and block lists
• URL Filter match object
• Used as an additional application rule matching criterion
URL Filter Policy Objects
Determine how a website of the URL category is handled
• Allow
• Block
• Alert
• Warn and Continue
• Override
Virus Scanning in the Firewall
Transparent, per‐access‐rule scanning of HTTP(S), FTP(S), and SMTP(S) traffic for malware.
• Supports granular configuration
• Large file policy
• Archive scanning
• Data trickling
• HTTP‐chunked encoding
• Quarantine folder (SMTP/SMTPS)
• Two virus scanning engines available
• Avira
• ClamAV
Advanced Threat Protection (ATP)
• Detects and protects against advanced malware, zero‐day exploits, and targeted attacks.
• Analyzes files in the Barracuda ATP cloud
• Assigns a risk score and offers a report for analyzed files
• Supports HTTP(S), FTP(S), and SMTP(S) traffic
• Provides automatic local blacklisting
ATP File Scanning
ATP Policy – Deliver first, then scan
ATP Policy – Scan first, then deliver
File Content Filtering in the Firewall
Real‐time file content filtering for HTTP(S), FTP and SMTP(S).
File Content Policy Objects
• Contain a list of policy rules for the file transfer
• Allow
• Alert
• Block
• Do not log
• Change the QoS band of the file transfers
User Agent Filtering in the Firewall
• Controls access to web‐based resources based on the user agent string
• User agent strings can be overridden on the client
• Definitions are updated via Energize Updates
Mail Security in the Firewall
Transparently scans incoming and outgoing SMTP connections for malware and known‐bad sender IP addresses
Link Protection for Mail Security in the Firewall
• Protects users from fraudulent links inside emails
• URL links get checked and rewritten when fraudulence is suspected
SafeSearch
• Protects against undesired content in search results
• No client configuration required
• Enforced on Google, YouTube, Bing, and Yahoo
• Custom search applications
• Block search terms using custom application objects
• Does not override SafeSearch settings
Google Accounts Filtering
Filters traffic to Google services based on the domain attached to the Google Apps account
Custom Block Pages
Fully customizable, unbranded block pages
Firewall Monitor and Threat Scan
[Diagram slides: Firewall Monitor; Threat Scan]
Intrusion Prevention System
• Monitors local and forwarding traffic for malicious activities
• Compares the bitstream with its internal signatures database for malicious code patterns
Intrusion Prevention System Features
• TCP stream reassembly
• Firewall engine receives the segments in a TCP conversation, buffers them, and reassembles the segments into a correct stream
• URL obfuscation
• Provides various countermeasures to avert attacks
• Based on URL encoding techniques
• TCP split handshake (RFC793)
• Blocks the usage of TCP split handshake attacks
• Used by hackers to execute various network attacks
Intrusion Prevention System Guidelines
• Enable IPS with Report only
• Track false positives and define exceptions
• Disable Report only
• Avoid full database scan on all access rules
• Default IPS policy used on all new access rules per default
Network Bridging
Bridging for Physical Segmentation
[Diagram: one logical network 10.0.8.0/24 bridged across physical segments]
[Diagram slides: Default Network Bridge; Routed Bridge; VLAN Limitations of Layer 2 Bridges]
Limitations
• IPv4 only
• Most Application Control features require default route to the bridge interface
• Full support on routed layer 2 and 3 bridges
• Not supported on transparent layer 2 bridges, except URL, File Content, and User Agent filtering
• VMware ESXi server requires promiscuous mode on vSwitch for transparent layer 2 bridges
Spyware and Botnet Protection
Spyware and Botnet Protection
• Firewall denies bots and malware access to control servers
• DNS sinkhole
• ATP subscription required
• For all protocols
• Malicious Sites URL Filter category
• EU subscription required
• Only for HTTP and HTTPS traffic
[Diagram slides: DNS Sinkhole; Spyware & Botnet Protection for HTTP]