NextGen Firewall F Foundation Complete

Transcription

1 Introducing the Barracuda NextGen Firewall F Barracuda NextGen Firewall F Supported Platforms The Barracuda NextGen Firewall F and NextGen Control Center are available as: Hardware appliances Virtual systems Public cloud deployments System Architecture 1

2 F Series Firewall Services License Overview Energize Updates Malware Protection Advanced Threat Protection Advanced Remote Access Barracuda NG Web Filter Instant Replacement Warranty Extension Premium Support Base License Hardware Licensing Firewall bound to a license upon activation No artificial limits: hardware performance is the sole restriction Cold standby licensing Firewall is purchased without licenses. If the firewall fails, Barracuda Networks Technical Support transfers the license to the cold standby. 2

3 Virtual Licensing License token entered manually MAC transferred to Barracuda Activation Server Serial number issued to the virtual firewall Capacity number Sizing recommendation Defined number of protected IPs on VF10 VF500 Maximum number of CPU cores defined per model Optional Subscription Licenses Subscription period starts when license is activated Subscription licenses available for 1, 3, or 5 years Barracuda Energize Updates 24x7 and 24x5 phone support Application Control and File content definition updates Firmware updates IPS/IDS engine and signature updates Barracuda URL Filter SSL VPN Web App template updates Optional Subscription Licenses Malware Protection Enables the Virus Scanner service Available for all models except F10 and VF10 Advanced Threat Protection (ATP) A Malware Protection subscription is required Barracuda NG Web Filter Barracuda NG Web Security Combines Malware Protection and NG Web Filter license 3

4 Optional Subscription Licenses Barracuda Web Security Service Instant Replacement Service Replacement shipped next business day 24x7 and phone support Hardware refresh every four years Barracuda Advanced Remote Access SSL VPN service and NAC support Available for all Vxmodels and F18 or higher Unlimited parallel client to site VPN and CudaLaunch sessions NextGen Admin Support for all features and available services.net Framework 4.0 or higher Portable binary Windows only Web Interface Alternative configuration management tool Subset of features and services available NextGen Admin used in monitoring mode 4

5 Topics Covered Introducing the NextGen Firewall Supported platforms Firewall services System architecture Management Interfaces Licensing On premises Deployment Barracuda NextGen Firewall F Overview of License States Demo mode Only weak encryption ciphers (DES, RSA512) Root password always ngf1r3wall ACLs are ignored Normal operation Grace mode Initial three day grace period for unlicensed boxes 5

6 The License Activation Process Purpose of online activation Requirements From to 7.0 NextGen Admin client with access to theactivation server As of 7.1 NextGen Firewall F and NextGen Admin with access to the activation server Deploying Hardware Systems Management access Management IP: Username: root Password: ngf1r3wall Activating Hardware Systems Online activation without license token Activation process The system s serial number is sent to Barracuda Networks. Enter your registration details and accept EULA. The license is issued and retrieved by the firewall. 6

7 Deploying Virtual Systems Download the image from the Barracuda Download Portal Deploy the image to a supported hypervisor Management access Management IP is set via hypervisor console Username: root Password: ngf1r3wall Activating Virtual Systems Prerequisite License token from Barracuda Customer Services Activation process Enter the license token. The hardware ID and serial number are sent to Barracuda Networks. Register your system and accept EULA. The license is issued and transferred to the firewall. Topics Covered Hardware deployments Virtual deployments License activation 7

8 Basic Configuration Tasks Barracuda NextGen Firewall F Barracuda NextGen Admin Dashboard Service bar Ribbon bar NextGen Admin options Barracuda activation Configuration Tab Configuration lock Configuration changes Discarding or undoing configuration changes Import/Export configurations Revision Control System (RCS) Basic or Advanced view 8

9 Administration Settings System access Root password Management ACLs DNS settings Time settings / NTP notification Telemetry data Routing Architecture HQ /24 Direct Route HQ Direct Route ISP Internet /0 eth0 eth1 ISP Gateway Route Internet Network Connections Interfaces Management Routed Virtual LANs Wi Fi Ethernet bundles Integrated switch 9

10 Dynamic Network Connections xdsl connections PPPoE, PPPoA, and PPTP supported Up to 4 xdsl links DHCP client connections Up to 12 DHCP links WWAN connections External WWAN modem required SMS/Text message support Viewing Network Information Interface details IP addresses ARP table Routing table Attaching Networks to the Firewall /24 eth0 eth0: /24 eth3 Interface IP? /24 10

11 Adding Default/Gateway Routes Next Hop eth1 Interface IP? / Deploying Network Changes Send changes and activate Activate network changes Failsafe Force Soft Activate Now Understanding Routing Tables Processed from top to bottom Decisions based on: Source based routing Route status Prefix lengths Preference (Metric) 11

12 Virtual Servers and Services Proxy Service Listening Socket 3128 VPN Service Listening Socket 443 Virtual Server: S IP Pool : : /24 Box Layer eth0 eth /24 Deploying Virtual Servers and Services Virtual server Preconfigured virtual server S1 Naming guidelines Product type Virtual service Limitations Naming guidelines IP address assignment Controlling Virtual Servers and Services State can be controlled Start Restart Stop Block Default servers and services introduced according to model type 12

13 Topics Covered NextGen Admin Configuration tab and example configuration change Administration settings Network configuration Routing Dynamic network connections Activating network configuration changes Virtual servers and services Firewall Policies Barracuda NextGen Firewall F Firewall Layout Dest. IP Address Dest. Port Forwarding Firewall Ruleset Forwarding Traffic Incoming Traffic Host Ruleset (inbound) F Series Firewall Host Ruleset (outbound) Outgoing Traffic Dest. IP Address Dest. Port Dest. IP Address Dest. Port Dest. IP Address Dest. Port

14 Ruleset Behavior IP Packet 1 NO MATCH! Pass Rule1 Source: Destination: Source: /8 Service: HTTP Destination: Port: 2048 Port: 80 NO MATCH! Pass Rule2 Source: /16 Service: HTTP Destination: MATCH! Pass Rule3 Source: /24 Service: HTTP Destination: Block by no rule match! Intranet Server Traffic Flow Firewall Live and Firewall History Firewall Live for real time session information Firewall History for all sessions after the session slot ends Use Filters to show only sessions matching filter criteria Traffic Meter shows real time traffic in Bits/sec, Bytes/sec or Packets/sec 14

15 Access Rules Traffic is blocked Traffic is allowed Destination NAT Firewall Objects Network objects Service objects Connection objects Pass Access Rule Action Connection Pass Original Source IP HQ /24 Source SRC NAT No SRC NAT DMZ /24 Destination DST NAT No DST NAT eth0 eth

16 Block or Deny HQ /24 Source IP :1024 Destination IP :80 Access Rule Action Connection Block Not Applicable DMZ /24 eth0 eth Static Source NAT (1:1) HQ /24 Source :1024 Destination :22 1:1 NAT Source :1024 Destination : eth0 Access Rule Action Pass eth1 ISP / Internet /0 Connection Explicit SNAT to PAT or Hiding NAT (n:1) HQ /24 Source : :1024 Destination :80 n:1 NAT Source : :2041 Destination : eth0 Access Rule Action Pass eth1 ISP / Internet /0 Connection 1st or 2nd Server IP Dynamic NAT ISDN, xdsl, DHCP,UMTS Explicit 16

17 Destination NAT Access Rule Action Connection Dst NAT Original Source IP Source Destination :80 Source Destination :80 DMZ /24 Client ISP /24 eth eth Web Server Application Redirect Access Rule Action Connection App Redirect Original Source IP Source Destination Vpn.com:691 Source Destination :691 Client ISP /24 dhcp Dynamic IP VPN Service :691 Topics Covered Firewall Service Overview Firewall Rulesets Access Rules Firewall Objects Access Rules Examples Network Address Translation (NAT) NextGen Admin Firewall Live and Firewall History Cascade Access Rules 17

18 Introduction to Next Generation Firewall F Features Barracuda NextGen Firewall F Application Control Application Control Features SSL Interception URL Filtering Virus Scanning and Advanced Threat Protection File Content and User Agent Filtering Mail DNSBL Check and Link Protection SafeSearch and Google Accounts 18

19 Intrusion Prevention System (IPS) Monitors local and forwarding traffic for malicious activities Compares bitstream to IPS pattern database User Aware Firewall Systems RADIUS RSA Secure ID X509 TACACS+ LDAP/S SMS Passcode (VPN) NTLM DC Agent TS Agent Wi Fi Controllers Local Authentication Database Active Directory Citrix TS Microsoft TS Barracuda DC and TS Agent DC Agent for Microsoft Active Directory servers TS Agent for Microsoft Terminal servers Allow true single sign on capabilities 19

20 User Objects Restrict access rules to specific users and user groups Used as an additional matching criteria Quality of Service Prioritizes traffic to optimize bandwidth utilization Avoids use of routers queue Traffic Classification Forwarding Traffic >50 MBit Virtual Interface CLASS1 10 (~76%) Virtual Interface: root CLASS2 2 (~16%) CLASS3 1 (~8%) Virtual Interface Queue 50 Mbit/s Physical Interface 20

21 Traffic Prioritization (No Delay) Forwarding Traffic Virtual Interface CLASS1 10 (~76%) Virtual Interface: root CLASS2 2 (~16%) CLASS3 1 (~8%) Queue Virtual Interface No Delay (Prioritized Traffic) 50 Mbit/s Unlimited! Physical Interface QoS Bands Business Internet Background VoIP Virtual Interface CLASS1 10 (~76%) Virtual Interface: root CLASS2 2 (~16%) CLASS3 1 (~8%) Queue Virtual Interface No Delay (Prioritized Traffic) 50 Mbit/s Unlimited! Physical Interface Topics Covered Application Control Intrusion Prevention System (IPS) User Awareness Traffic Shaping (QoS) 21

22 NextGen Control Center Barracuda NextGen Firewall F Barracuda NextGen Control Center Central administration appliance Manages and monitors a large number of F and S Series Firewalls Box layer identical to F Series Firewall Control Center Models and Platforms Hardware C400 Standard Edition C610 Enterprise Edition Public Cloud VCC410 Standard Edition VCC610 Enterprise Edition Virtual VC400 Standard Edition VC610 Enterprise Edition VC820 Global Edition 22

23 Control Center Features Central Management Multi Admin Support and Role Based Administration Central Eventing and Log Collection Revision Control System (RCS) Central Statistics Graphical VPN Configuration Interface (GTI Editor) Shared Services FW Audit Barracuda Earth Public Key Infrastructure (PKI) Control Center System Architecture Control Center Deployment Deployment and activation identical to the firewall Initial setup with the Control Center Wizard 23

24 Control Center Communication Hierarchical Levels Hierarchical Levels Use Case 24

25 Adding Firewalls to the Control Center Create a new firewall configuration directly on the Control Center New firewalls clone the cluster default box configuration Adding Firewalls to the Control Center Import PAR file from an existing firewall Major firmware version of the firewall and cluster must match The virtual server name must be unique in the cluster Control Center Status Map Shows status information for all managed firewalls Filter and sort the list Log into the managed firewalls fromthestatusmap 25

26 Control Center Configuration Update Configuration sync status for all managed firewalls Control Center Firmware Update Firmware updates handled by the Control Center Download directly or upload manually to Control Center Control Center must be updated first Barracuda Activation Unlicensed Licensed Firewalls 1st MAC Serial No. Internet Connection 1st MAC Serial No. 1st MAC Serial No. 1st MAC Serial No. NextGen Control Center Internet Barracuda Online Activation Server 26

27 Barracuda Activation Handles licensing for all managed firewalls Firewalls can use either single licenses or bulk licensing through pool licenses Control Center Repositories Powerful tool for administrators to use configurations in multiple firewalls Create repository entries for configurations used more than once Repository types General repository Range repository Cluster repository Global Firewall Objects Enter network addresses one time for all the networks, public IP addresses, and special servers and reuse them. 27

28 Global Firewall Objects Objects can be created on different levels Global, range, cluster, and firewall Lower level objects can override higher level objects Allows you to enforce the same objects names, but with different values Allows you to use repositories more widely Objects with special usage Site specific network objects Named Networks Remote Management Tunnel Secures management traffic between a remote firewall and the Control Center TINA client to site VPN (TCP/UDP 692) Box layer service independent of virtual server state Multiple IPv4 and IPv6 addresses as VPN point of entry are possible Remote Management Tunnel Forward traffic to the Control Center if the master VPN service is not assigned a public IP address 28

29 VIP Network Dedicated network for communication between remote firewalls and the Control Center Used to access remote managed firewalls via NextGen Admin Adding Firewalls Create a new firewall on the Control Center Configure the remote management tunnel VIP address VPN point of entry Remote network Reachable IPs Deploy PAR file to remote firewall Topics Covered Control Center Overview Central Management Adding Firewalls to the Control Center Remote Management Tunnels and VIP Networks Licensing on the Control Center Global Firewall Objects Control Center Repository Control Center Deployment 29

30 Virtual Private Networks Barracuda NextGen Firewall F Virtual Private Networks Connect remote networks and users to the corporate network Three types of VPN services Client to site VPN Site to site VPN SSL VPN Virtual Private Network Overview 30

31 IPsec VPN Industry standard VPN protocol Connect to any standard compliant third party VPN gateway IKEv1 and IKEv2 site to site and client to site VPNs TINA VPN Proprietary extension of the IPsec protocol Improved connectivity and availability over the standard IPsec F Series Firewalls only TINA VPN Features Multiple encapsulation transports for reliable transport and greater flexibility Traffic Intelligence Multiple transports and heartbeat monitoring for transparent failover Continual bandwidth and throughput evaluation (QoS) Immunity to NAT devices and proxies (Ports 691/443) Optional WAN Optimization 31

32 TINA Transport Modes ESP Native IPsec protocol and best performance UDP Low overhead, reduced latency and NAT traversal capabilities TCP Transport reliability and NAT traversal capabilities Hybrid (TCP and UDP) Routing ESP Transport Mode The VPN tunnel status is up, but no data is delivered because the router filters ESP packets. ESP packets may be filtered here Transport mode ESP UDP session used for keepalives TCP or UDP Transport Mode TCP on port 691/443 for low quality lines or via HTTP proxies UDP 691 for response optimized tunnels TCP/UDP ESP TCP or UDP:

33 Barracuda VPN Concept Site 1 Routing VPN Forwarding Firewall Host Firewall VPN Tunnel Protocol:Port TCP/UDP:691 Host Firewall Site 2 VPN Forwarding Firewall Routing Client ( ) Server ( ) VPN Tunnel Settings Local and remote network Local and destination peer Call direction and transport mode (TINA only) Encryption and authentication Tunnel probing and timeout Site to Site VPN Authentication Multiple authentication options Pre shared RSA public key Pre shared passphrase (IPsec only) External root signed x.509 certificate Explicit x.509 certificate Hashing algorithm for the VPN tunnel MD5, SHA, and NOHASH High performance, but theoretically vulnerable SHA256 and RIPEMD160 Recommended SHA512 and GCM 33

34 Configuring IPsec VPN Tunnels Aggressive or Main mode Key lifetimes Supernetting Dead Peer Detection Perfect Forward Secrecy Use IPsec Dynamic IPs NextGen Admin: Tunnel Monitoring VPN Dashboard Provides a continuously updated overview of all VPN information VPN Tab Provides information on all VPN connections that are configured on the firewall Graphical Tunnel Interface Editor Graphical interface to create and manage TINA and IPsec VPN tunnels Eliminates redundant configuration steps Configure VPN tunnels quickly Less error prone Available on the Control Center 34

35 Topics Covered VPN Service Overview VPN Protocols Site to Site VPN VPN Tunnel Settings Site to Site VPN Authentication Configuring a TINA Site to Site Tunnel Configure IPsec Site to Site VPN NextGen Admin Tunnel Monitoring GTI Editor The Graphical Tunnel Interface Introduction to Traffic Intelligence Barracuda NextGen Firewall F Introduction to Traffic Intelligence 35

36 Multi Transport VPN Multi transport VPN instead of multiple VPN tunnels Traffic Intelligence Example xdsl Link Bulk 0 Headquarters MPLS Line VPN Tunnel Quality 1 Branch Office WWAN Link On Demand Fallback 2 TI PolicyTI for Policy Mail for Citrix Preferred Transport Class Quality 1 Second Try Transport Class Bulk 0 Further Tries Policy Stay First on try transport Cheaper then try Expensive Explicit Transport Selection Preferred and Second Try transport class Further Tries transport selection policy 36

37 Dynamic Transport Selection Dynamic Bandwidth and Latency Detection Performance Based Transport Selection Adaptive Bandwidth Protection Traffic Duplication Session Balancing Static Session Balancing Distributes sessions via round robin over selected transports Packet Balancing Traffic is balanced with a round robin balancing policy on a per packet basis Adaptive Session Balancing Uses link quality metrics collected by Dynamic Bandwidth and Latency Detection Introduction to Remote Access Barracuda NextGen Firewall F 37

38 Remote Access Clients Available as: Hardware appliance Virtual appliance Cloud service Barracuda SSL VPN Secure access via HTTPS Responsive web portal for seamless integration CudaLaunch allows native app and tunnel support Advanced Remote Access subscription required CudaLaunch SSL VPN Client CudaLaunch for Windows and macos Native app and SSL tunnel support Barracuda VPN Client integration CudaLaunch for ios and Android Native app and SSL tunnel support Full device VPN via client to site VPN group policies 38

39 Client to Site VPN Protocols Barracuda TINA IPsec IKEv1 and IKEv2 L2TP/IPsec Layer 2 protocol using IPsec for authentication and security PPTP Vulnerable Point to Point Tunneling Protocol The Barracuda Network Access Client Barracuda VPN Client and Network Access Client Secures connections to the corporate LAN Supported on Windows, macos, Linux, and FreeBSD Topics Covered Remote Access Overview Remote Access Clients 39

40 Logging, Reporting, Statistics Barracuda NextGen Firewall F Events Keep track of incidents and system access on all levels of the operating system Event based notification model Classified according to severity and notification type Support server and client notifications Mail, SNMP, program execution, Apple push notifications Audio alert, pop ups Event Severity Notification Logging Generated by services on the box and virtual server Stored in plain text In /var/phion/logs External USB storage Forwarded via syslog streaming Automatic log cycling preserves disk space Can be viewed and filtered in the LOGS tab 40

41 Statistics Generated for most configured services Stored in a database in /phion0 Separate from log files Two types Top statistics Time statistics Automatic statistics cooking preserves disk space Barracuda NextGen Report Creator Creates customized and fully configurable reports User reports Address activity URL category Application category reports Applications reports Security reports VPN accounting Supports NextGen Firewalls F and X Topics Covered Logging Events Statistics Report Creator 41

42 System Maintenance Barracuda NextGen Firewall F Backup Single backup file PAR, PGZ, or PCA No logs, statistics, events, Spam Filter learning database or Mail Gateway queue data Multiple options for creating a box.par Manually via NextGen Admin Manually or automated via CLI using phionar Backing Up the Control Center Two PAR files required box.par includes the box layer configuration archive.par contains the service configuration archive.par contains Configuration of all managed firewalls Settings such as VIP ranges, admins, licenses, and repositories 42

43 Restore NextGen Admin Using F Series Install Command Line interface Copy box.par to /opt/phion/update and reboot Retrieve directly from Control Center with getpar Restoring the Control Center Prepare a fresh Control Center On the box layer restore the box.par file On the service layer restore the archive.par file Apply a complete update to all managed firewalls F Series Install Reimage via bootable USB stick Applies hotfixes Filename of hotfix determines the installation order Restores the configuration PAR / PCA files 43

44 Firmware Update Element Download and install updates/hotfixes via NextGen Admin Firmware update notification configuration must be enabled UPDATES element must be visible on the dashboard Control Center handles updatesformanagedfirewalls Topics Covered Backup and Restore Updating Firewalls and Control Centers Recovery via F Series Install High Availability Barracuda NextGen Firewall F 44

45 High Availability (HA) Services on the virtual server are always available, even if one firewall fails. HA cluster contains two stand alone or managed firewalls. Active passive configuration Continuous monitoring of the partner High Availability Concept Running on Firewall1 Running Standby on Firewall2 Firewall VPN Firewall VPN Server: S1 Primary Box Layer HA Sync Server: S1 Backup Box Layer Stand Alone High Availability Cluster Primary firewall downloads licenses for both firewalls. Primary firewall is the configuration master. Firewall specific configurations: Network and Box properties Configuration Sync Configuration Firewall 1 Session Sync Firewall 2 45

46 Managed High Availability Cluster Both firewalls must be in the same cluster. Configuration received from the Control Center Shares the same virtual server configuration Box layer configured individually Configuration SYNC Configuration Control Center Session SYNC Firewall 1 Firewall 2 High Availability Cluster Status Default state Statusof primary firewall isprimary Status of secondary firewall is standby High Availability Cluster Requirements Both firewalls must use same platform and be same model Different revisions of same hardware appliance allowed Less than 80ms latency on the HA sync connection ARP cache time or ARP timeout set between 30 and 60 seconds on switch 46

47 Private Uplinks for HA Sync Default: HA sync between primary management IPs Private uplinks are additional connections for HA sync. Access Rule Design for High Availability Session sync only for sessions using server layer IP addresses Use custom connection objects instead of Dynamic NAT Box layer IP addresses are introduced before virtual server IP addresses. Dynamic NAT may resolve to the IP introduced first on the interface. NGF1: Box Layer IP Virtual Server IP Local LAN Dynamic NAT NGF2: Box Layer IP Internet Topics Covered High Availability Overview Standalone High Availability Cluster Managed High Availability Cluster High Availability Cluster Status and Manual Failover 47

48 IPv6 Configuration Barracuda NextGen Firewall F IPv6 2001:0db8:85a3:0042:1000:8a2e:0370: bit address space True end to end connectivity (no NAT) Simplified network configuration More efficient packet processing and routing Services IPv6 Support The following services offer support for IPv6: Firewall Service VPN Service (envelope only) Virus Scanner (not in combination with Application Control) DNS Service DHCP Service DHCP Relay Dynamic Routing: OSPF/RIP/BGP SNMP Service Mail Gateway NextGen Firewall F Series Management Sync of IPv6 session information in High Availability Clusters 48

49 VPN Service VPN envelope only Only IPv4 traffic through the tunnel VPN Service Supported: Client to site Site to site Remote management tunnels Not supported: Dynamic mesh L2TP / PPTP SSL VPN WAN Optimization Firewall Service IPv6 only network objects Single IPv6 address / network List of IPv6 addresses / networks Mixed IPv4 / IPv6 network objects Hostname (DNS resolved) Custom external network objects IPv6 Access Rules support Pass and Cascade Deny and Block 49

50 Firewall Service Application Control Detect only for IPv6 traffic No other features, such as SSL Interception or URL Filtering, are supported Intrusion Prevention System IPv6 traffic is scanned and, depending on the mode, blocked or reported Network Configuration IPv6 must be enabled separately Dual stack configuration IPv6 used alongside IPv4 At least one IPv4 address must be configured Use a loopback IPv4 address to expose only IPv6 addresses Not possible to configure a high availability cluster using IPv6 management IP addresses only Soft network activation for IPv6 network configurations IPv6 routes are added or removed without service interruption IPv6 WAN Connections Static Box layer or service layer IPv6 addresses Direct attached IPv6 routes IPv6 gateway routes Dynamic Prefix delegation Stateless and statefulautoconfiguration 50

51 Dynamic IPv6 WAN Connections Stateful IPv6 address assigned via DHCPv6 Stateful and prefix delegation IPv6 address and a network address prefix assigned via DHCPv6 Prefix delegation Network address prefix assigned by the ISP Stateless 64 bit prefix assigned Host address determined with the EUI 64 process Dynamic IPv6 WAN Connections Limitations Using the provided DNS servers may overwrite DNS servers received from the provider via DHCPv4 All routes for dynamic IPv6 interfaces are added to the main routing table Fully transparent fail overs for high availability clusters are not possible Stateless Autoconfiguration Client sends router solicitation request Firewall answers with router advertisement (RA): IPv6 prefix Next hop / default gateway (optional) DNS server, search domain Client configures itself with globally unique IPv6 address Address combines IPv6 prefix and device identifier 51

52 Stateful Autoconfiguration Router advertisement Gateway IPv6 prefix Client receives network information from DHCPv6 server Use prefix from the IPv6 WAN interface if IPv6 networks are received via prefix delegation Topics Covered Services IPv6 Support Network Configuration Dynamic IPv6 WAN Connections Stateless Autoconfiguration 52