Introduction to Firewall Technology: Lecture 5-12-03x
TRANSCRIPT
-
8/2/2019 Introduction to Firewall Technology_ Lecture 5-12-03x
1/33
4/17/12
Introduction to Firewall Technology
Lecture 5, 12th March 2012
-
Outline
What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
DMZ
VPN
-
What is a Firewall?
A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a
-
Acts as a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
Tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control)
[Diagram: Corporate Site, with a Corporate Network Gateway connecting it to the Internet]
-
Firewall Rules
Allow: traffic that flows automatically because it has been deemed as safe (Ex. Meeting Maker, Eudora, etc.)
Block: traffic that is blocked because it has been deemed dangerous to your computer
Ask: asks the user whether or not the traffic is allowed to pass through
-
Hardware vs. Software Firewalls
Hardware Firewalls
Protect an entire network
Implemented at the router level
Usually more expensive, harder to configure
Software Firewalls
Protect a single computer
Usually less expensive, easier to configure
-
[Diagram: Internet, Firewall, Protected Network; the rules determine WHO? WHEN? WHAT? HOW?]
-
Firewall goals
All traffic from outside to inside and vice-versa passes through the firewall
Only authorized traffic, as defined by local security policy, will be allowed to pass
The firewall itself is immune to penetration
-
Why an organization needs a firewall
Protection from vulnerable Services
Controlled Access to Site Systems
Concentrated Security
Enhanced Privacy
Logging and Statistics on Network Use, Misuse
Policy Enforcement
-
Protection Methods
Packet Filtering
Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
Network Address Translation (NAT)
Translates the addresses of internal hosts so as to hide them from the outside world
Also known as IP masquerading
Proxy Services
Makes high level application level connections to external hosts on behalf of internal hosts to completely break the network connection between internal and external hosts
-
Other common Firewall Services
Encrypted Authentication
Users on the external network are authenticated by the Firewall to gain access to the private network
Virtual Private Networking
Establishes a secure connection between two private networks over a public network
This allows the use of the Internet as a connection medium rather than the use of an expensive leased line
-
Additional services sometimes provided
Virus Scanning
Searches incoming data streams for virus signatures so they may be blocked
Done by subscription to stay current
McAfee / Norton
Content Filtering
Allows the blocking of internal users from certain types of content.
Usually an add-on to a proxy server
Usually a separate subscription service
-
NAT
Network Address Translation (NAT) is simply that it takes a network address, and translates it to another network address
The image (Next slide) shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT
-
[Diagram: three users communicating on the Internet through one NAT-capable router with a single IP address]
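The NAT/IP-masquerading behaviour from the previous slide, as an added example that is not from the lecture: three internal hosts share one public address, each outbound connection gets its own public port, replies are mapped back to the right host, and an inbound packet that matches no mapping is dropped, which is what hides the internal hosts from the outside world. All addresses and ports are constructed sample values.

```python
# Minimal source-NAT (IP masquerading) table; constructed example, not lecture code.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerader:
    """Source NAT: many private hosts share one public IP address."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Rewrite the internal source to the public address and a fresh port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt):
        """Map a reply back to the internal host; None means drop (no mapping)."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.back:
            return None
        priv_ip, priv_port = self.back[key]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

def demo():
    """Three internal hosts reach one web server through a single public IP."""
    nat = Masquerader("203.0.113.5")            # constructed public address
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    sent = [nat.outbound(Packet(h, 50000, "198.51.100.7", 80)) for h in hosts]
    replies = [nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", p.src_port))
               for p in sent]
    # Unsolicited inbound packet with no mapping: dropped.
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))
    return sent, replies, stray
```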
-
Types of Firewalls
[Diagram: stage of evolution]
Packet Filter
Circuit Gateways
Stateful Inspection
Application Gateways
-
Packet Filters
Packets examined at the network layer
Useful first line of defense - commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers
-
[Diagram: OSI layer stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) for the two end hosts, with the packet filter between them implementing only the Network, Data Link and Physical layers]
-
Packet filters usually permit or deny network traffic based on:
Source and destination IP addresses
Protocol, such as TCP, UDP, or ICMP
Source and destination ports and ICMP types and codes
Flags in the TCP header, such as whether the packet is a connect request
Direction (inbound or outbound)
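An added example (not from the lecture) of a stateless packet filter that decides on exactly the criteria listed above: source and destination address, protocol, destination port, whether the TCP flags mark a connect request (SYN without ACK), and direction. Rules are evaluated first-match with an implicit final deny; the policy and addresses are constructed (10.0.0.0/24 is the protected network and 10.0.0.5 a web server).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    direction: str      # "in" (toward the protected network) or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False   # TCP flags: SYN without ACK is a connect request
    ack: bool = False

@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"                   # CIDR prefixes
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None              # None = any port
    connect_request: Optional[bool] = None   # True: only connect requests
    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction) or self.proto not in ("any", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src) \
                or ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.connect_request is not None:
            is_connect = p.proto == "tcp" and p.syn and not p.ack
            if is_connect != self.connect_request:
                return False
        return True

def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; traffic matching no rule is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed policy for the protected network 10.0.0.0/24.
RULES = [
    Rule("permit", "in", "tcp", dst="10.0.0.5/32", dport=80),              # public web server
    Rule("deny", "in", "tcp", dst="10.0.0.0/24", connect_request=True),    # no other inbound connects
    Rule("permit", "in", "tcp", dst="10.0.0.0/24", connect_request=False), # replies to inside hosts
    Rule("permit", "out", src="10.0.0.0/24"),                              # inside may go out
]
```

Because the filter keeps no state, the third rule must admit every inbound TCP segment that is not a connect request; that is the limitation the later slides on stateful inspection address.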
-
Work at the network level.
A data packet is compared to a set of criteria before it is forwarded
Advantages: low cost, low impact on network performance
Disadvantages: does not
-
Limitations of Packet Filters
IP addresses of hosts on the protected side of the filter can be readily determined by observing the packet traffic on the unprotected side of the filter
Filters cannot check all of the fragments of higher level protocols (like TCP) as the TCP header information is only available in the first fragment.
Modern firewalls reconstruct fragments, then check them
Filters are not sophisticated enough to check the validity of the application level protocols embedded in the TCP packets
-
Circuit level Gateways
-
Work at the session layer
Monitor TCP handshaking between packets to determine whether a requested session is legitimate
Information passed to remote computer through a circuit level gateway appears to have originated from the gateway
Advantages: relatively inexpensive, hiding information about the private
-
Application Gateway or Proxy
Packets examined at the application layer
Application/Content filtering possible - prevent FTP put commands, for example
Modest performance
Scalability limited
-
Packets examined at Application Layer
[Diagram: OSI layer stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) for the two end hosts, with the application gateway between them implementing the full seven-layer stack]
-
Application Gateway or Proxy
-
Work at the application layer
Incoming or outgoing packets cannot access services for which there is no proxy
Filter application specific commands
Can also be used to log user activity and logins.
Advantages: a high level of security
Disadvantages: having a significant
-
Advantages and disadvantages of proxy gateways
Advantages
Proxy GWs can log all connections, activity in connections
Proxy GWs can provide caching
Proxy GWs can do intelligent filtering based on content
Proxy GWs can perform user-level authentication
Disadvantages
Not all services have proxied versions
May need different proxy server for each service
Requires modification of client
Performance may be compromised
-
Stateful Inspection
Packets inspected between data link layer and network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
-
[Diagram: OSI layer stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) for the two end hosts, with the stateful inspection firewall between them; its INSPECT Engine sits between the Data Link and Network layers and consults Dynamic State Tables]
-
Stateful Filtering
-
Stateful Inspection
-
Stateful Inspection
Stateful (multilayer) inspection firewalls work at the application, session, network layer
They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer
They allow direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways -- can also be used to log user activity and logins
They rely on algorithms to recognize and process application layer data instead of
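An added example (not from the lecture) of the connection-context tracking that the circuit-level gateway slide (monitoring the TCP handshake to judge whether a session is legitimate) and the stateful inspection slides (a dynamic state table per connection) both describe. The protected side may open connections; the outside may only send segments that belong to an entry already in the state table, and the handshake must arrive in order. Addresses and ports are constructed sample values.

```python
# Simplified stateful TCP inspector; constructed example, not lecture or vendor code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    direction: str   # "out" = sent by the protected side, "in" = from outside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

class StatefulInspector:
    """Tracks each connection's TCP handshake in a dynamic state table."""
    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    @staticmethod
    def key(seg):
        # Normalise so both directions of one connection hit the same entry.
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def inspect(self, seg) -> str:
        k = self.key(seg)
        state = self.table.get(k)
        if state is None:
            # Only the protected side may open a connection, and only with a SYN.
            if seg.direction == "out" and seg.syn and not seg.ack:
                self.table[k] = "SYN_SENT"
                return "permit"
            return "deny"          # unsolicited traffic with no connection context
        if state == "SYN_SENT" and seg.direction == "in" and seg.syn and seg.ack:
            self.table[k] = "SYN_RECEIVED"
            return "permit"
        if state == "SYN_RECEIVED" and seg.direction == "out" and seg.ack and not seg.syn:
            self.table[k] = "ESTABLISHED"
            return "permit"
        if state == "ESTABLISHED" and not seg.syn:
            if seg.fin:            # simplified teardown on the first FIN
                del self.table[k]
            return "permit"
        return "deny"              # flags out of order for this connection's state
```

Compared with the stateless filter on the earlier slides, no rule has to admit all inbound non-SYN segments: an inbound segment is accepted only because the table says a matching session was opened from inside.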