A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Transcription

1 A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based firewall is installed on the edge of a private network or network segment. o Most network-based firewalls are considered hardware firewalls, even though they use a combination of hardware and software to protect the network from Internet attacks. o Network-based firewalls are more expensive and require more configuration than other types of firewalls, but they are much more robust and secure. A host-based firewall is installed on a single computer in a network. o Almost all host-based firewalls are software firewalls. o A host-based firewall can be used to protect a computer when no network-based firewall exists (e.g., when connected to a public network). o Host-based firewalls are less expensive and easier to use than network-based firewalls, but they don't offer the same level of protection or customization. A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. Firewalls use filtering rules, sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies characteristics of the traffic: o The interface the rule applies to o The direction of traffic (inbound or outbound) o Packet information such as the source or destination IP address or port number o The action to take when the traffic matches the filter criteria Each ACL has an implicit deny. This is a line at the end of the ACL stating that if a packet doesn't match any of the defined rules, then it will be dropped. Firewalls do not offer protection against all attacks (e.g., spoofing). The following table describes different firewall types: Firewall Type Characteristics A packet filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header such as source and destination addresses, ports, and service protocols. A packet filtering firewall: Packet filtering firewall Uses ACLs or filter rules to control traffic. Operates at OSI Layer 3 (Network layer). Offers high performance because it examines only the addressing information in the packet header. Can be implemented using features that are included in most routers. Is a popular solution because it is easy to implement and maintain, has a minimal impact on system performance, and is fairly inexpensive. A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject it, without considering whether the packet is part of a valid and active session. Circuit-level A circuit-level proxy or gateway makes decisions about which traffic to allow based

2 proxy on virtual circuits or sessions. A circuit-level gateway: Operates at OSI Layer 5 (Session layer). Keeps a table of known connections and sessions. Packets directed to known sessions are accepted. Verifies that packets are properly sequenced. Ensures that the TCP three-way handshake process occurs only when appropriate. Does not filter packets. Instead, it allows or denies sessions. A circuit-level proxy is considered a stateful firewall because it keeps track of the state of a session. A circuit-level proxy can filter traffic that uses dynamic ports, because the firewall matches the session information for filtering and not the port numbers. In general, circuit-level proxies are slower than packet filtering firewalls. However, if only the session state is being used for filtering, a circuit-level gateway can be faster after the initial session information has been identified. An application-level gateway is capable of filtering based on information contained within the data portion of a packet. An application-level gateway: Examines the entirety of the content being transferred (not just individual packets). Operates at OSI Layer 7 (Application layer). Understands, or interfaces with, the application-layer protocol. Can filter based on user, group, and data (e.g., URLs within an HTTP request). Is the slowest form of firewall because entire messages are reassembled at the Application layer. Application-level gateway One example of an application-level gateway is a proxy server. A proxy server is a device that stands as an intermediary between a secure private network and the public. Proxies can be configured to: Control both inbound and outbound traffic. Increase performance by caching frequently accessed content. Content is retrieved from the proxy cache instead of the original server. Filter content and restrict access depending on the user or specific website. Shield or hide a private network. There are two different types of proxy servers: A forward proxy server handles requests from inside a private network out to the Internet. A reverse proxy server handles requests from the Internet to a server located inside a private network. A reverse proxy can perform load balancing, authentication, and caching. Oftentimes, reverse proxies work transparently, meaning that clients requesting specific resources don't know they are using a reverse proxy to access a server. Unified threat management A unified threat management device combines multiple security features into a single network appliance. A single UTM device can provide several security features:

3 (UTM) device Firewall VPN Ant-spam Antivirus Load balancing By combining several services into one appliance, UTM devices make managing network security much easier. However, they also introduce a single point of failure if the UTM fails, network security is lost. Additionally, UTM devices aren't as robust as other devices made for a specific use. Because of this, UTM devices are best suited for: Offices where space limits don't allow for multiple security appliances. Satellite offices that need to be managed remotely. Configuration changes need to be made on only one device, rather than multiple devices. Smaller businesses that wouldn't benefit from the robust features provided by specific security appliances. A common method of using firewalls is to define various network zones. Each zone identifies a collection of users who have similar access needs. Firewalls are configured at the edge of these zones to filter incoming and outbound traffic. For example, you can define a zone that includes all hosts on your private network protected from the Internet, and you can define another zone within your network for controlled access to specific servers that hold sensitive information. Network ports are logical connections, provided by the TCP or UDP protocols at the Transport layer, to be used by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers to determine what protocol incoming traffic should be directed to. Some characteristics of ports are listed below: Ports allow a single host with a single IP address to run network services. Each port number identifies a distinct service. Each host can have over 65,000 ports per IP address. Port use is regulated by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN specifies the following three categories for ports: Well known ports range from 0 to 1023 and are assigned to common protocols and services. Registered ports range from 1024 to and are assigned by ICANN to a specific service. Dynamic (also called private or high) ports range from to and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and ports are released when the session ends. The following table lists the well-known ports that correspond to common Internet services: Port(s) Service 20 TCP and UDP File Transfer Protocol (FTP)

4 21 TCP and UDP 22 TCP and UDP Secure Shell (SSH) 23 TCP Telnet 25 TCP and UDP Simple Mail Transfer Protocol (SMTP) 53 TCP and UDP Domain Name Server (DNS) 67 TCP and UDP 68 TCP and UDP Dynamic Host Configuration Protocol (DHCP) 69 TCP and UDP Trivial File Transfer Protocol (TFTP) 80 TCP and UDP Hypertext Transfer Protocol (HTTP) 110 TCP Post Office Protocol (POP3) 119 TCP Network News Transport Protocol (NNTP) 123 TCP and UDP Network Time Protocol (NTP) 137 TCP and UDP 138 TCP and UDP 139 TCP and UDP NetBIOS Name Service NetBIOS Datagram Service NetBIOS Session Service 143 TCP Internet Message Access Protocol (IMAP4) 161 UDP 162 TCP and UDP Simple Network Management Protocol (SNMP) 389 TCP and UDP Lightweight Directory Access Protocol (LDAP) 443 TCP and UDP HTTP over Secure Sockets Layer (HTTPS) 445 TCP Microsoft Server Message Block (SMB) File Sharing

5 1720 TCP H.323 Call Signaling 2427 UDP Cisco Media Gateway Control Protocol (MGCP) 3389 TCP and UDP Remote Desktop Protocol (RDP) 5004 TCP and UDP 5005 TCP and UDP Real-time Transport Protocol (RTP) Data Real-time Transport Protocol (RTP) Control 5060 TCP and UDP 5061 TCP Session Initiation Protocol (SIP) Session Initiation Protocol (SIP) over TLS To protect a server, ensure that only the necessary ports are open. For example, if the server is being used only for , then shut down ports that correspond to FTP, DNS, HTTP, etc. All-in-one security appliances combine many security functions into a single device. These appliances are also known asunified threat security devices or web security gateways. These types of devices may be the best choice for: A small company without the budget to buy individual components. A small office without the physical space for individual components. A remote office without a technician to manage individual security components. An all-in-one security appliance can include the following security functions: Spam filter URL filter Web content filter Malware inspection Intrusion detection system All-in-one security appliances can also include the following: Network switch Router Firewall TX uplink (integrated CSU/DSU) Bandwidth shaping A demilitarized zone (DMZ), also called a screened subnet, is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the Internet). The DMZ is created using the following configurations: o Configure two firewall devices: one connected to the public network and one connected to the private network. o Configure a single device with three network cards: one connected to the public network, one connected to the private network, and one connected to the screened subnet.

6 o Configure a single device with two network cards: one connected to the public network and another connected to a private subnet containing hosts that are accessible from the private network. Configure proxy ARP so the public interface of the firewall device responds to ARP requests for the public IP address of the device. Publicly accessible resources (servers) are placed inside the screened subnet. Examples of publicly accessible resources include web, FTP, or servers. Packet filters on the outer firewall allow traffic directed to the public resources inside the DMZ. Packet filters on the inner firewall prevent unauthorized traffic from reaching the private network. If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise. The LAN is protected by default. When designing the outer firewall packet filters, a common practice is to close all ports and open only those ports necessary for accessing the public resources inside the DMZ. Typically, firewalls allow traffic originating in the secured internal network into the DMZ and through to the Internet. Traffic that originates in the DMZ (low security area) or the Internet (no security area) should not be allowed access to the intranet (high security area). Do not place any server in the DMZ that doesn't have to be there. There are two types of firewalls that you can implement: A routed firewall, is also a Layer 3 router. In fact, many hardware routers include firewall functionality. Transmitting data through this type of firewall counts as a router hop. A routed firewall usually supports multiple interfaces, each connected to a different network segment. A transparent firewall, also called a virtual firewall, operates at Layer 2 and is not seen as a router hop by connected devices. Both the internal and external interfaces on a transparent firewall connect to the same network segment. Because it is not a router, you can easily introduce a transparent firewall into an existing network. Firewalls use access control lists (ACLs) to manage incoming or outgoing traffic. You should be familiar with the following characteristics of an ACL: ACLs describe the traffic type that will be controlled. ACL entries: o Describe traffic characteristics. o Identify permitted and denied traffic. o Can describe a specific traffic type, or allow or restrict all traffic. When created, an ACL usually contains an implicit deny any entry at the end of the list. Each ACL applies only to a specific protocol. Each router interface can have up to two ACLs for each protocol: one for incoming traffic and one for outgoing traffic. When an ACL is applied to an interface, it identifies whether the list restricts incoming or outgoing traffic. Each ACL can be applied to more than one interface. However, each interface can have only one incoming and one outgoing list. ACLs can be used to log traffic that matches the list statements. Many hardware routers, such as those from Cisco, also provide a packet filtering firewall. These devices are frequently used to fill both network roles (router and firewall) at the same time. When you create an ACL on a Cisco device, a deny any statement is automatically added at the end of the list (this statement does not appear in the list itself). For a list to allow any traffic, it must have at least one permit statement that either permits a specific traffic type or permits all traffic not specifically restricted.

7 There are two general types of access lists used on Cisco devices: Access List Type Characteristics Standard ACLs: Standard ACL Can filter only on source hostname or host IP address. Should be placed as close to the destination as possible. Use the following number ranges: o 1 99 o Extended ACLs: Extended ACL Can filter by: o Source IP protocol (IP, TCP, UDP, etc.) o Source hostname or host IP address o Source or destination socket number o Destination hostname or host IP address o Precedence or TOS values Should be placed as close to the source as possible. Use the following number ranges: o o