2 DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or more firewalls exist in an environment, the networks connecting the firewalls can be DMZ networks
3 DMZ Networks DMZ networks serve as attachment points for computer systems and resources that need to be accessible either externally or internally, but that should not be placed on internal protected networks. For example, an organization could employ a boundary router firewall and two internal firewalls, and place all externally accessible servers on the outer, or external DMZ between the router and the first firewall. The boundary router would filter packets and provide protection for the servers, and the first firewall would provide access control and protection from the servers in case they were attacked. The organization could locate other internally accessible servers on the internal DMZ located between the two internal firewalls; the firewalls could provide protection and access control for the servers, protecting them both from external and internal attack.
4 Virtual Private Networks A virtual private network is constructed on top of existing network media and protocols by using additional protocols and usually, encryption. If the VPN is encrypted, it can be used as an extension of the inner, protected network. In most cases, virtual private networks are used to provide secure network links across networks that are not trusted. For example, virtual private network technology is increasingly used in the area of providing remote user access to organizational networks via the global Internet.
5 Placement of VPN Servers In most cases, placing the VPN server at the firewall is the best location for this function. Placing it behind the firewall would require that VPN traffic be passed outbound through the firewall encrypted and the firewall is then unable to inspect the traffic, inbound or outbound, and perform access control, logging, or scanning for viruses, etc. Advanced virtual private network functionality comes with a price, however. For example, if VPN traffic is encrypted, there will be a decrease in performance commensurate with (a) the amount of traffic flowing across the virtual private network, and (b) the type/length of encryption being used. Performing encryption in hardware will significantly increase performance, however. For some DMZ environments, the added traffic associated with virtual private networks might require additional capacity planning and resources.
6 Intranets An intranet is a network that employs the same types of services, applications, and protocols present in an Internet implementation, without involving external connectivity. For example, an enterprise network employing the TCP/IP protocol suite, along with HTTP for information dissemination would be considered an Intranet. Most organizations currently employ some type of intranet, although they may not refer to the network as such. Within the internal network (intranet), many smaller intranets can be created by the use of internal firewalls. As an example, an organization may protect its personnel network with an internal firewall, and the resultant protected network may be referred to as the personnel intranet.
7 Extranets Extranets form the third piece of the modern enterprise connectivity picture. An extranet is usually a business-to-business intranet; that is, two intranets are joined via the Internet. The extranet allows limited, controlled access to remote users via some form of authentication and encryption such as provided by a VPN. Extranets share nearly all of the characteristics of intranets, except that extranets are designed to exist outside a firewall environment. By definition, the purpose of an extranet is to provide access to potentially sensitive information to specific remote users or organizations, but at the same time denying access to general external users and systems. Extranets employ TCP/IP protocols, along with the same standard applications and services. Many organizations and agencies currently employ extranets to communicate with clients and customers. Within an extranet, options are available to enforce varying degrees of authentication, logging, and encryption.
8 Infrastructure Components: Hubs and Switches There are numerous weaknesses associated with network hubs. First and foremost, network hubs allow any device connected to them to see the network traffic destined for, or originating from, any other device connected to that same network hub. For this reason, network hubs should not be used to build DMZ networks or firewall environments. A more advanced infrastructure device is the network switch. Network switches are Layer 2 devices, which means that they actually employ basic intelligence in providing attachment points for networked systems or components. Network switches are essentially multiport bridges, so they are also capable of delivering the full network bandwidth to each physical port. Another side effect of the bridging nature of switches is that systems connected to a switch cannot eavesdrop on each other. These anti-eavesdrop capabilities inherent in network switches make them useful for implementing DMZ networks and firewall environments.
9 Intrusion Detection Systems Intrusion Detection Systems (IDS) are designed to notify and in some cases prevent unauthorized access to a networked system or resource. Many intrusion detection systems are also capable of interacting with firewalls in order to bring a reactive element to the provision of network security services. Firewalls that interact with intrusion detection systems are capable of responding to perceived remote threats automatically, without the delays associated with a human response. For example, if an intrusion detection system detects a denial-of-service attack in progress, it can instruct certain firewalls to automatically block the source of the attack (albeit, false positives responses can occur).
10 Placement of Servers in Firewall Environments Where to place servers in a firewall environment depends on many factors, including the number of DMZs, the external and internal access required for the servers located on the DMZ, the amount of traffic, and the sensitivity of the data served. It is not possible to proscribe a one size fits all recommendation for server location, but several guidelines can be used to make the determination, including the following: Protect external servers with a Boundary Router/Packet Filter. Do not place externally accessible servers on the protected network. Place internal servers behind internal firewalls as their sensitivity and access require. Isolate servers such that attacks on the servers do not impair the rest of the network.
11 Firewall Implementation Keep It Simple The KISS principle is something that should be first and foremost in the mind of a firewall environment designer. Essentially, the more simple the firewall solution, the more secure it likely will be and the easier it will be to manage. Complexity in design and function often leads to errors in configuration.
12 Firewall Implementation Use Devices as They Were Intended to Be Used Using network devices as they were primarily intended in this context means do not make firewalls out of equipment not meant for firewall use. For example, routers are meant for routing; their packet filtering capability is not their primary purpose, and the distinction should never be lost on those designing a firewall implementation. Depending on routers alone to provide firewall capability is dangerous; they can be misconfigured too easily. Network switches are another example (see Section 3.6); when used to switch firewall traffic outside of a firewall environment, they are susceptible to attacks that could impede switch functionality. In many cases, hybrid firewalls and firewall appliances are better choices simply because they are optimized to be firewalls first and foremost
13 Firewall Implementation Create Defense in Depth Defense in depth involves creating layers of security as opposed to one layer. The infamous Maginot line is, in hindsight, an excellent example of what not to do in firewall environments: place all your protection at the firewall. Where several firewalls can be used, they should be used. Where routers can be configured to provide some access control or filtering, they should be. If a server s operating system can provide some firewall capability, use it.
14 Firewall Implementation Pay Attention to Internal Threats Lastly, attention to external threats to the exclusion of internal threats leaves the network wide open to attack from the inside. While it may be difficult to think of your work colleagues as posing a potential threat, consider that an intruder who gets past the firewall somehow could now have free reign to attack internal or external systems. Therefore, important systems such as internal web and servers or financial systems should be placed behind internal firewalls or DMZ environments.
15 8. Firewall Policy Firewall Policy A firewall policy dictates how the firewall should handle applications traffic such as web, , or telnet. The policy should describe how the firewall is to be managed and updated. The steps involved in creating a firewall policy are as follows: Identification of network applications deemed necessary, Identification of vulnerabilities associated with applications, Cost-benefits analysis of methods for securing the applications, Creation of applications traffic matrix showing protection method, and Creation of firewall rulesets based on applications traffic matrix.
16 8. Firewall Policy Applications traffic matrix
17 8. Firewall Policy Implementing a Firewall Ruleset Most of firewall platforms utilize rulesets ad their mechanism for implementing security controls. The contents of these rulesets determine the actual functionality of a firewall. Depending on the firewall platform architecture, firewall rulesets can contain various pieces of information. Nearly all rulesets, however, will contain the following fields, as minumum: The source address of packet. The destination address of packets. Possibly some characteristics of the Layer 4 communication sessions. Sometimes information pertaining to which interface of the router the packet came from and which interface of the router the packet is destined for. An action, such as Deny or Permit the packet, or Drop the packet.
18 8. Firewall Policy Implementing a Firewall Ruleset The firewall rulesets should always block the following types of traffic: Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself. Inbound traffic with a source address indicating that the packet originated on a network behind the firewall. This type of packet likely represents some type of spoofing attack. Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic. These packets can be an indicator that an intruder is probing a network, but there are few reasons an organization or agency might want to allow inbound SNMP traffic, and it should be blocked in the vast majority of circumstances. Inbound or Outbound network traffic containing a source or destination address of (localhost). Such traffic is usually some type of attack against the firewall system itself.
19 8. Firewall Policy Testing Firewall Policy In many cases, firewall policy can be verified using one of two methodologies. The first methodology, and by far the easiest, is Obtain hardcopies of the firewall configurations and compare these hardcopies against the expected configuration based on defined policy. All organizations, at a minimum, should utilize this type of review. in-place configuration testing. In this methodology, the organization utilizes tools that assess the configuration of a device by attempting to perform operations that should be prohibited. Although these reviews can be completed with public domain tools, many organizations, especially those subject to regulatory requirements, will choose to employ commercial tools.
22 8. Firewall Policy Implementing a Firewall Rulesets Symantec
23 8. Firewall Policy Implementing a Firewall Rulesets Firewall Builder
24 8. Firewall Policy
25 8. Firewall Policy Firewall Policy 1. Allow Web traffic (TCP 80/443) from any external address to internal web server 2. Allow DNS (UDP 53) from any external address to internal DNS server 3. Allow SMTP (TCP 25) from any external address to internal POP server 4. Allow Oracle (TCP 1521) from Accounting Dept. to internal DB server 5. Allow Web traffic (TCP 80/443) from Sales Dept. to any address. 6. Allow Web traffic (TCP 80/443) from Marketing Dept. to any address 7. DROP Firewall Rule Sets Source Src Port Destination Dst Port Protocol Action
Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
Cisco Secure PIX Firewall with Two Routers Configuration Example Document ID: 15244 Interactive: This document offers customized analysis of your Cisco device. Contents Introduction Prerequisites Requirements
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds firstname.lastname@example.org What is Firewall? A firewall
FIREWALLS & CBAC email@example.com Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand
2011, TextRoad Publication ISSN 2090-424X Journal of Basic and Applied Scientific Research www.textroad.com A Model Design of Network Security for Private and Public Data Transmission Farhan Pervez, Ali
Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region
IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
Cisco PIX vs. Checkpoint Firewall Introduction Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.
Firewall, VPN, IDS/IPS Ahmet Burak Can Hacettepe University firstname.lastname@example.org What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
Access control policy: Role-based access As subjects (a person or automated agent) often change roles within an organization, it is best to define an access control policy based on the roles they play.
Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet
Maruleng Local Municipality. 22 November 2011 1 Version Control Version Date Author(s) Details 1.1 23/03/2012 Masilo Modiba New Policy 2 Contents ICT Firewall Policy 1 Version Control.2 1. Introduction.....4
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
SECURITY via FIREWALLS 1. Introduction Firewall technology has matured to the extent that today s firewalls can coordinate security with other firewalls and intrusion detection systems. They can scan for
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality
CCNA Security 1.1 Instructional Resource Chapter 4 Implementing Firewall Technologies 2012 Cisco and/or its affiliates. All rights reserved. 1 Describe numbered, named, standard and extended IP ACLs. Configure
Firewall and Router Policy Approved By: \S\ James Palmer CSC Loss Prevention Director PCI Policy # 1600 Version # 1.1 Effective Date: 12/31/2011 Revision Date: 12/31/2014 December 31, 2011 Date 1.0 Purpose:
Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline
CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University email@example.com
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
NETWORK SECURITY Ch. 8: Defense Mechanism - Firewall Firewall A firewall is a hardware, software, or a combination of both that monitors and filters traffic packets that attempt to either enter or leave
Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context
Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network
ICAB5238B Build a highly secure firewall Release: 1 ICAB5238B Build a highly secure firewall Modification History Not Applicable Unit Descriptor Unit descriptor This unit defines the competency required
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
Load Balance Router R258V Specification Hardware Interface WAN - 5 * 10/100M bps Ethernet LAN - 8 * 10/100M bps Switch Reset Switch LED Indicator Power - Push to load factory default value or back to latest
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
The Bomgar Appliance in the Network The architecture of the Bomgar application environment relies on the Bomgar Appliance as a centralized routing point for all communications between application components.
Ethical Hacking and Countermeasures Version 6 Module LX Firewall Technologies News Source: http://www.internetnews.com/ Module Objective This module will familiarize i you with: Firewalls Hardware Firewalls
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
CHAPTER 9 Firewalls and Virtual Private Networks Introduction In Chapter 8, we discussed the issue of security in remote access networks. In this chapter we will consider how security is applied in remote
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
Securing Enclave Lecture 6 Urban Bilstrup Urban.Bilstrup@hh.se Perimeter Defense Once an enclave is identified, it must be mapped to the network so that clear electronic perimeters can be defined. It is
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of
OLD DOMINION UNIVERSITY 188.8.131.52 - Router-Switch Best Practices (last updated: 20080303) Introduction One of the information techlogy priorities for Old Dominion University (ODU) is to provide and maintain
RimApp RoadBLOCK goes beyond simple filtering! Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes. However, traditional
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
Lesson 5: Network perimeter security Alejandro Ramos Fraile firstname.lastname@example.org Tiger Team Manager (SIA company) Security Consulting (CISSP, CISA) Perimeter Security The architecture and elements that provide
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security