introduction to firewall technology_ lecture 5-12-03x

Upload: chris-p-okumu

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 Introduction to Firewall Technology_ Lecture 5-12-03x

    1/33


    4/17/12

    Introduction to Firewall Technology

    Lecture 5, 12th March 2012

    2/33

    Outline

    What is a firewall

    Why an organization needs a firewall

    Types of firewalls and technologies

    Deploying a firewall

    DMZ

    VPN


    3/33

    What is a Firewall?

    A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.

    By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a

    4/33

    Acts as a security gateway between two networks

    Usually between trusted and untrusted networks (such as between a corporate network and the Internet)

    Tracks and controls network communications

    Decides whether to pass, reject, encrypt, or log communications (Access Control)

    Figure: corporate site, corporate network gateway, Internet

    5/33

    Firewall Rules

    Allow: traffic that flows automatically because it has been deemed safe (e.g. Meeting Maker, Eudora, etc.)

    Block: traffic that is blocked because it has been deemed dangerous to your computer

    Ask: asks the user whether or not the traffic is allowed to pass through

    6/33

    Hardware vs. Software Firewalls

    Hardware Firewalls

    Protect an entire network

    Implemented at the router level

    Usually more expensive, harder to configure

    Software Firewalls

    Protect a single computer

    Usually less expensive, easier to configure

    7/33

    Figure: Internet, firewall, protected network. Rules determine who, when, what, and how.

    8/33

    Firewall goals

    All traffic from outside to inside and vice versa passes through the firewall

    Only authorized traffic, as defined by local security policy, will be allowed to pass

    The firewall itself is immune to penetration

    9/33

    Why an organization needs a firewall

    Protection from vulnerable services

    Controlled access to site systems

    Concentrated security

    Enhanced privacy

    Logging and statistics on network use and misuse

    Policy enforcement

    10/33

    Protection Methods

    Packet Filtering

    Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts

    Network Address Translation (NAT)

    Translates the addresses of internal hosts so as to hide them from the outside world

    Also known as IP masquerading

    Proxy Services

    Makes high-level (application-level) connections to external hosts on behalf of internal hosts, completely breaking the network connection between internal and external hosts

    11/33

    Other common Firewall Services

    Encrypted Authentication

    Users on the external network are authenticated by the firewall to gain access to the private network

    Virtual Private Networking

    Establishes a secure connection between two private networks over a public network

    This allows the use of the Internet as a connection medium rather than the use of an expensive leased line

    12/33

    Additional services sometimes provided

    Virus Scanning

    Searches incoming data streams for virus signatures so they may be blocked

    Done by subscription to stay current

    McAfee / Norton

    Content Filtering

    Allows the blocking of internal users from certain types of content.

    Usually an add-on to a proxy server

    Usually a separate subscription service

    13/33

    NAT

    Network Address Translation (NAT) is simply that: it takes a network address and translates it to another network address

    The image (next slide) shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT
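As an added example (not from the lecture), the following Python models the port-address-translation table that such a NAT router keeps so that several internal hosts can share one address. The public address, the three internal hosts, the server address and the port range are constructed for illustration, and packets are plain tuples rather than real IP datagrams.

```python
"""Toy NAPT (port address translation, a.k.a. IP masquerading) table.

Added example, not part of the lecture. Three constructed internal hosts share
one constructed public address. Packets are (src_ip, src_port, dst_ip, dst_port)
tuples; no real traffic is generated.
"""
from itertools import count
from typing import Dict, Optional, Tuple

Packet = Tuple[str, int, str, int]
Flow = Tuple[str, int, str, int]      # (internal ip, internal port, external ip, external port)

PUBLIC_IP = "203.0.113.5"             # constructed: the router's single Internet-facing address


class Napt:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.by_flow: Dict[Flow, int] = {}     # internal flow -> allocated public port
        self.by_port: Dict[int, Flow] = {}     # allocated public port -> internal flow

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an outbound packet so it appears to come from the public IP.

        The same internal flow always gets the same public port, so the peer
        sees one consistent (address, port) for the lifetime of the flow.
        """
        src_ip, src_port, dst_ip, dst_port = pkt
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = next(self._next_port)
            self.by_flow[flow] = pub_port
            self.by_port[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map an inbound packet back to the internal host, or None to drop it.

        Anything that does not match a flow an internal host opened is dropped:
        this is what hides internal hosts from the outside world.
        """
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        flow = self.by_port.get(dst_port)
        if flow is None:
            return None                                   # nobody asked for this
        int_ip, int_port, ext_ip, ext_port = flow
        if (src_ip, src_port) != (ext_ip, ext_port):
            return None                                   # wrong peer for this mapping
        return (src_ip, src_port, int_ip, int_port)


def demo() -> dict:
    """Three internal users, same source port, one public IP (constructed data)."""
    nat = Napt()
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    server = ("198.51.100.80", 80)
    outbound = [nat.translate_out((h, 50000, *server)) for h in hosts]
    replies = [nat.translate_in((*server, pub_ip, pub_port))
               for (pub_ip, pub_port, _, _) in outbound]
    return {
        "outbound": outbound,
        "replies": replies,
        "same_flow_again": nat.translate_out((hosts[0], 50000, *server)),
        "unknown_port": nat.translate_in((*server, PUBLIC_IP, 45000)),
        "wrong_peer": nat.translate_in(("198.51.100.9", 4444, PUBLIC_IP, 40001)),
    }
```

All three hosts use the same local source port, which is why the router must translate ports as well as addresses. Real NAT devices also age mappings out and need explicit port forwarding for any host that must be reachable from outside; the dropping of unsolicited inbound packets here is the hiding effect described under protection methods, not a replacement for a filtering policy.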

    14/33

    Figure: three users reaching the Internet through one NAT-capable router with a single IP address

    15/33

    Types of Firewalls

    Figure: stages of evolution. Packet filters, circuit gateways, stateful inspection, application gateways

    16/33

    Packet Filters

    Packets examined at the network layer

    Useful first line of defense; commonly deployed on routers

    Simple accept or reject decision model

    No awareness of higher protocol layers

    17/33

    Figure: OSI stacks of two end hosts (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) with a packet filter between them that examines traffic only up to the Network layer


    19/33

    Packet filters usually permit or deny network traffic based on:

    Source and destination IP addresses

    Protocol, such as TCP, UDP, or ICMP

    Source and destination ports and ICMP types and codes

    Flags in the TCP header, such as whether the packet is a connect request

    Direction (inbound or outbound)
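As an added example that is not part of the lecture, here is a small Python packet filter that decides on exactly the fields listed above: addresses, protocol, ports, ICMP type, the TCP connection-request flag and direction. The protected network, the rule set and the packets are constructed for illustration; the last packet in the demo shows what deciding from the SYN flag alone cannot catch.

```python
"""Toy stateless packet filter using the criteria on the slide.

Added example, not part of the lecture. Addresses, rules and packets are
constructed. First matching rule wins; no match means deny (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (from the Internet) or "out" (to the Internet)
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0            # 0 for ICMP
    dport: int = 0
    syn: bool = False         # TCP flags
    ack: bool = False
    icmp_type: int = -1       # -1 when not ICMP


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    direction: Optional[str] = None          # None matches anything
    proto: Optional[str] = None
    src: Optional[str] = None                # CIDR
    dst: Optional[str] = None
    dport: Optional[int] = None
    connect_request: Optional[bool] = None   # True: match only SYN-without-ACK segments
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.connect_request is not None:
            is_connect = p.proto == "tcp" and p.syn and not p.ack
            if self.connect_request != is_connect:
                return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


INTERNAL = "10.0.0.0/8"      # constructed protected network

# Constructed policy: internal hosts may browse the web and ping out; replies
# may come back; nobody outside may open a connection inward.
RULES: List[Rule] = [
    Rule("allow", direction="out", proto="tcp", src=INTERNAL, dport=80),
    Rule("allow", direction="out", proto="tcp", src=INTERNAL, dport=443),
    Rule("deny",  direction="in",  proto="tcp", connect_request=True),
    # Stateless "established" approximation: any inbound TCP segment that is
    # not a connection request is assumed to be a reply.
    Rule("allow", direction="in",  proto="tcp", dst=INTERNAL, connect_request=False),
    Rule("allow", direction="out", proto="icmp", src=INTERNAL, icmp_type=8),  # echo request
    Rule("allow", direction="in",  proto="icmp", dst=INTERNAL, icmp_type=0),  # echo reply
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo() -> dict:
    """Run constructed packets through the policy."""
    client, server, attacker = "10.1.2.3", "203.0.113.10", "198.51.100.7"
    packets = {
        "web_request": Packet("out", "tcp", client, server, 51000, 443, syn=True),
        "web_reply":   Packet("in",  "tcp", server, client, 443, 51000, syn=True, ack=True),
        "ping_reply":  Packet("in",  "icmp", server, client, icmp_type=0),
        "ssh_probe":   Packet("in",  "tcp", attacker, client, 40000, 22, syn=True),
        "dns_in":      Packet("in",  "udp", attacker, client, 53, 53),
        # ACK-only probe (an ACK scan) with no connection behind it: a stateless
        # filter cannot know that, so the SYN-flag rule lets it through.
        "ack_probe":   Packet("in",  "tcp", attacker, client, 40000, 3389, ack=True),
    }
    return {name: filter_packet(p) for name, p in packets.items()}
```

The ack_probe result is the weakness the later stateful-inspection slides address: without a record of which connections exist, the filter has to treat every inbound non-SYN segment as a reply. On Linux the same flag test is what `iptables -p tcp ! --syn` expresses.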

    20/33

    Work at the network level.

    A data packet is compared to a set of criteria before it is forwarded

    Advantages: low cost, low impact on network performance

    Disadvantages: does not

    21/33

    Limitations of Packet Filters

    IP addresses of hosts on the protected side of the filter can be readily determined by observing the packet traffic on the unprotected side of the filter

    Filters cannot check all of the fragments of higher-level protocols (like TCP), as the TCP header information is only available in the first fragment. Modern firewalls reconstruct fragments and then check them

    Filters are not sophisticated enough to check the validity of the application-level protocols embedded in the TCP packets

    22/33

    Circuit-level Gateways

    23/33

    Work at the session layer

    Monitor TCP handshaking between packets to determine whether a requested session is legitimate

    Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway

    Advantages: relatively inexpensive, hiding information about the private

    24/33

    Application Gateway or Proxy

    Packets examined at the application layer

    Application/content filtering possible: prevent FTP put commands, for example

    Modest performance

    Scalability limited

    25/33

    Packets examined at Application Layer

    Figure: OSI stacks of two end hosts with an application gateway between them that runs the full seven-layer stack, so traffic is examined up to the Applications layer

    26/33

    Application Gateway or Proxy

    27/33

    Work at the application layer

    Incoming or outgoing packets cannot access services for which there is no proxy

    Filter application-specific commands

    Can also be used to log user activity and logins.

    Advantages: a high level of security

    Disadvantages: having a significant

    28/33

    Advantages and disadvantages of proxy gateways

    Advantages

    Proxy GWs can log all connections, and activity in connections

    Proxy GWs can provide caching

    Proxy GWs can do intelligent filtering based on content

    Proxy GWs can perform user-level authentication

    Disadvantages

    Not all services have proxied versions

    May need a different proxy server for each service

    Requires modification of the client

    Performance may be compromised
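The following Python, added here and not part of the lecture, shows the application-layer filtering, user-level authentication and logging that the last few slides describe, applied to an FTP control channel: the proxy parses each client command, admits only users it knows, blocks the upload commands (the FTP "put" operations STOR, STOU and APPE) and logs logins and activity without recording passwords. The allowed-user set and the session transcript are constructed; nothing touches the network.

```python
"""Toy application-gateway filter for the FTP control channel.

Added example, not part of the lecture. Commands are parsed as an FTP proxy
would see them; the allowed-user set and the client session are constructed.
"""
from typing import List, Tuple

UPLOAD_CMDS = {"STOR", "STOU", "APPE"}     # FTP commands that write data to the server
PROXY_USERS = {"alice"}                    # constructed: users the proxy itself admits


class FtpProxyFilter:
    """Decides, per control-channel line, whether to forward it to the real server."""

    def __init__(self, allowed_users=PROXY_USERS) -> None:
        self.allowed_users = set(allowed_users)
        self.user = None                   # set once USER is accepted (user-level authentication)
        self.log: List[str] = []           # activity log, one entry per command

    def handle(self, line: str) -> Tuple[str, str]:
        """Return ("forward", line) or ("reject", reply to send to the client)."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            if arg not in self.allowed_users:
                self.log.append(f"login denied: user={arg!r}")
                return ("reject", "530 Not logged in.")
            self.user = arg
            self.log.append(f"login: user={arg!r}")
            return ("forward", line)
        if self.user is None:
            # No proxied service without authenticating to the proxy first.
            return ("reject", "530 Please login with USER and PASS.")
        if cmd == "PASS":
            self.log.append(f"forward: user={self.user!r} cmd=PASS")   # never log the secret
            return ("forward", line)
        if cmd in UPLOAD_CMDS:
            self.log.append(f"blocked: user={self.user!r} cmd={cmd} arg={arg!r}")
            return ("reject", "550 Uploads are not permitted by proxy policy.")
        self.log.append(f"forward: user={self.user!r} cmd={cmd} arg={arg!r}")
        return ("forward", line)


SESSION = [                                # constructed client commands, in order
    "USER alice",
    "PASS hunter2",
    "LIST /pub",
    "RETR /pub/report.pdf",
    "STOR /pub/backdoor.php",
    "QUIT",
]


def run(session: List[str] = SESSION) -> Tuple[List[str], List[str]]:
    """Return the verdict for each line and the proxy's log."""
    proxy = FtpProxyFilter()
    verdicts = [proxy.handle(line)[0] for line in session]
    return verdicts, proxy.log
```

A real FTP proxy also has to parse PORT and PASV to relay the data connection, which is why, as the slide says, each service tends to need its own proxy: a generic TCP relay could not block STOR because it does not understand the protocol.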

    29/33

    Stateful Inspection

    Packets inspected between the data link layer and the network layer in the OS kernel

    State tables are created to maintain connection context

    Invented by Check Point

    30/33

    Figure: OSI stacks of two end hosts with the firewall between them; the INSPECT Engine sits between the Data Link and Network layers and consults Dynamic State Tables

    31/33

    Stateful Filtering


    32/33

    Stateful Inspection


    33/33

    Stateful Inspection

    Stateful (multilayer) inspection firewalls work at the application, session, and network layers

    They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer

    They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application-level gateways; they can also be used to log user activity and logins

    They rely on algorithms to recognize and process application layer data instead of
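As an added example that is not part of the lecture, the Python below keeps the kind of state table the stateful-inspection slides refer to: it follows the TCP three-way handshake for connections opened from the protected side, admits inbound segments only when they belong to a tracked connection, and ages entries out. The segments, addresses and timeout values are constructed.

```python
"""Toy TCP connection tracker (stateful inspection state table).

Added example, not part of the lecture. Segments are constructed; only the
fields the tracker needs are modelled. Timeouts are illustrative values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IDLE_TIMEOUT = 300.0        # seconds before an idle entry is dropped (constructed)
TIME_WAIT_TIMEOUT = 60.0    # seconds an entry lingers after both FINs (constructed)

Key = Tuple[str, int, str, int]   # (internal ip, internal port, external ip, external port)


@dataclass
class Seg:
    direction: str          # "out": from the protected network; "in": from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    t: float = 0.0          # arrival time in seconds


class ConnTracker:
    def __init__(self) -> None:
        self.table: Dict[Key, dict] = {}

    @staticmethod
    def _key(s: Seg) -> Key:
        # Both directions of one connection map to the same key.
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items()
                 if now - e["last"] > (TIME_WAIT_TIMEOUT if e["state"] == "TIME_WAIT"
                                       else IDLE_TIMEOUT)]
        for k in stale:
            del self.table[k]

    def inspect(self, s: Seg) -> str:
        """Return 'allow' or 'drop' and update the state table."""
        self._expire(s.t)
        k = self._key(s)
        e = self.table.get(k)
        if e is None:
            # Only the protected side may open connections: outbound SYN without ACK.
            if s.direction == "out" and s.syn and not s.ack:
                self.table[k] = {"state": "SYN_SENT", "last": s.t, "fins": set()}
                return "allow"
            return "drop"          # inbound SYN, stray ACK, anything unsolicited
        e["last"] = s.t
        if s.rst:
            del self.table[k]      # either side may abort; nothing further is accepted
            return "allow"
        state = e["state"]
        if state == "SYN_SENT":
            if s.direction == "in" and s.syn and s.ack:
                e["state"] = "SYN_RECV"
                return "allow"
            return "drop"
        if state == "SYN_RECV":
            if s.direction == "out" and s.ack and not s.syn:
                e["state"] = "ESTABLISHED"
                return "allow"
            return "drop"
        if state == "TIME_WAIT":
            return "drop" if s.syn else "allow"   # closing ACKs pass; no reopening
        # ESTABLISHED: data flows both ways; a FIN from each side ends the connection.
        if s.syn:
            return "drop"
        if s.fin:
            e["fins"].add(s.direction)
            if e["fins"] == {"in", "out"}:
                e["state"] = "TIME_WAIT"
        return "allow"


def demo() -> Tuple[List[str], int]:
    """A full client connection plus two unsolicited probes (constructed)."""
    ct = ConnTracker()
    c, s = ("10.1.2.3", 51000), ("203.0.113.10", 443)
    segs = [
        Seg("out", *c, *s, syn=True, t=0.0),                            # client SYN
        Seg("in", *s, *c, syn=True, ack=True, t=0.1),                   # server SYN/ACK
        Seg("out", *c, *s, ack=True, t=0.2),                            # client ACK: established
        Seg("in", *s, *c, ack=True, t=1.0),                             # server data
        Seg("in", "198.51.100.7", 40000, c[0], 3389, ack=True, t=1.5),  # ACK scan probe
        Seg("in", "198.51.100.7", 40001, c[0], 22, syn=True, t=1.6),    # unsolicited SYN
        Seg("out", *c, *s, fin=True, ack=True, t=2.0),                  # client closes
        Seg("in", *s, *c, fin=True, ack=True, t=2.1),                   # server closes
        Seg("out", *c, *s, ack=True, t=2.2),                            # final ACK
        Seg("in", *s, *c, ack=True, t=400.0),                           # late segment: entry expired
    ]
    return [ct.inspect(x) for x in segs], len(ct.table)
```

The stray ACK in the fifth segment is exactly the packet a stateless SYN-flag check would admit as a reply; here it is dropped because no table entry exists for it. On Linux this is what `-m conntrack --ctstate ESTABLISHED,RELATED` selects in iptables, with the kernel's conntrack table playing the role of `ConnTracker.table`.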