INTRODUCTION TO FIREWALL SECURITY



Similar documents
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Securing Networks with PIX and ASA

Firewalls. Chapter 3

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Cisco PIX vs. Checkpoint Firewall

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security Technology: Firewalls and VPNs

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 9 Firewalls and Intrusion Prevention Systems

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls, IDS and IPS

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls. Ahmad Almulhem March 10, 2012

CMPT 471 Networking II

FIREWALL AND NAT Lecture 7a

Introduction of Intrusion Detection Systems

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Stateful Firewalls. Hank and Foo

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Chapter 15. Firewalls, IDS and IPS

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

DMZ Network Visibility with Wireshark June 15, 2010

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

12. Firewalls Content

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

CTS2134 Introduction to Networking. Module Network Security

Cisco Firewall Technology

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Guideline for setting up a functional VPN

SonicOS 5.9 One Touch Configuration Guide

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Lecture 23: Firewalls

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Chapter 8 Security Pt 2

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

FIREWALLS & CBAC. philip.heimer@hh.se

TABLE OF CONTENTS NETWORK SECURITY 2...1

Configuring the Transparent or Routed Firewall

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Cisco AnyConnect Secure Mobility Solution Guide

SonicWALL PCI 1.1 Implementation Guide

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Stateful Inspection Technology

How To Protect Your Network From Attack

Networking for Caribbean Development

Internet Security Firewalls

VPN Lesson 2: VPN Implementation. Summary

CSCE 465 Computer & Network Security

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

A Model Design of Network Security for Private and Public Data Transmission

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Cisco ASA, PIX, and FWSM Firewall Handbook

Firewalls and System Protection

Cisco Secure PIX Firewall with Two Routers Configuration Example

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls, Tunnels, and Network Intrusion Detection

2. Are explicit proxy connections also affected by the ARM config?

Chapter 11 Cloud Application Development

8. Firewall Design & Implementation

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Training Course on Network Administration

Firewalls. Network Security. Firewalls Defined. Firewalls

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

- Introduction to PIX/ASA Firewalls -

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Transcription:

INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA.

What Is a Firewall DMZ Network Internet Outside Network Inside Network A firewall is an access control device that looks at the IP packet, compares with policy rules and decides whether to allow, deny or take some other action on the packet 3 A Simple Analogy The Firewall as the Premise Guard 4 Printed in USA.

Guard Responsibility You Are Mr. John and You Want to Meet Mr. Fred Should I Allow? Let Me Check My Rules Book I Will Allow You to Come in, Provided You Prove Your Identity Authenticate Yourself I Am Supposed to Log All the Information Name, Address, Time, etc. 5 Key Access Control Parameters 7 6 5 4 3 2 1 Application Presentation Session Transport Network Data Link Physical HTTP Data Kaaza, FTP abc TCP and UDP Port Numbers IP Addresses, Protocol, Flags MAC Addresses Policy database collection of access control rules based on the above parameters Other names rules table, access control lists, firewall policies 6 Printed in USA.

Examples DATA LINK LAYER Deny all packets from MAC address 00-1b-ef-01-01-01 Do not prompt for authentication if MAC address is 00-1b-15-01-02-03 (IP phone) NETWORK LAYER Deny everything except outbound packets from 10.10.0.0 255.255.0.0 subnet Permit only GRE traffic Deny everything except IP traffic from network 192.168.1.0 to network 171.69.231.0 7 Examples TRANSPORT LAYER Allow web traffic from anybody (Internet) provided the destination address is my web server (10.10.10.1) Allow FTP traffic from anybody (Internet) to my FTP server (10.10.10.2) but only after successful authentication Deny all UDP traffic APPLICATION LAYER Deny all peer-to-peer networks Do not allow HTTP headers with POST subcommand Do not allow DEBUG option in SMTP (MAIL) commands 8 Printed in USA.

Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 9 Firewall Technologies Packet filtering gateways Cisco routers with simple ACLs Stateful inspection firewalls Cisco PIX, Cisco routers with firewall feature set, check point Proxy firewalls Gauntlet, Sidewinder Personal firewalls Cisco CSA, Check Point Zone, Sygate NAT firewalls Cisco Linksys, Netgear 10 Printed in USA.

Packet Filtering Gateways Drop/allow packets based on source or destination addresses or ports (some exceptions) No state information is maintained; decisions are made only from the content of the current packet Integrated feature in routers and switches High performance Fragmentation may cause a problem 11 Packet Filtering Gateways www.yahoo.com Internet Outside Get Sports Page (Request) Inside 10.0.0.15 Sports Page (Reply) Stateless Two Separate ACLs Are Required 1. Permit HTTP traffic from 10.0.0.0 to www.yahoo.com 2. Permit HTTP traffic from www.yahoo.com to 10.0.0.0 12 Printed in USA.

Stateful Inspection Firewalls Packet filtering gateways plus Maintaining state Stateful firewalls inspect and maintain a record (a state table) of the state of each connection that passes through the firewall To adequately maintain the state of a connection the firewall needs to inspect every packet But short cuts can be made once a packet is identified as being part of an established connection Different vendors record slightly different information about the state of a connection High performance and most popular 13 Example: Stateful Inspection of a TCP Connection (A Connection-Oriented Reliable Protocol) Source Addr Destination Addr Source Port Destination Port Initial Sequence # Ack Flag 192.168.0.10 # 1 IP Header TCP Header Private Network 192.168.0.10 198.133.219.25 1026 23 49091 Syn No Data Checks for a Translation Slot Is It Part of an Existing Connection 1. Check for: (Src IP, Src Port, Dest IP, Dest Port) 2. Check Sequence Number 3. Check Flags If the Code Bit Is Not syn-ack, Drop the Packet Public Network 192.168.0.10 198.133.219.25 1026 23 49769 Syn 198.133.219.25 198.133.219.25 198.133.219.25 192.168.0.10 192.168.0.10 # 4 # 3 23 23 1026 1026 92513 49092 Syn-Ack 92513 49770 Syn-Ack # 2 14 Printed in USA.

Example: Stateful Inspection of a TCP Connection (Cont.) # 5 Private Network 192.168.0.10 198.133.219.25 1026 23 49092 92514 Ack Data Flows Checks for a Translation Slot If Not, It Creates One After Verifying NAT, Global, Access Control, and Authentication or Authorization, if Any; if OK, a Connection Is Created Public Network 198.168.0.10 198.133.219.25 1026 23 49770 92514 Ack 10.0.0.3 198.133.219.25 IP Header TCP Header 15 Example: Stateful Inspection of a UDP Connection (A Connectionless Unreliable Protocol) Source Addr Destination Addr Source Port Destination Port # 1 10.0.0.3 IP Header TCP Header Private Network 10.0.0.3 172.30.0.50 1028 53 The Firewall Checks for a Translation Slot; if Not, It Creates One After Verifying NAT, Global, Access Control, and Authentication or Authorization, if Any; if OK, a Connection Is Created SIF Firewall All UDP Responses Arrive from Outside Public Network 192.168.0.10 172.30.0.50 1028 53 # 2 172.30.0.50 172.30.0.50 172.30.0.50 10.0.0.3 and within UDP User- 192.168.0.10 # 4 Configurable Timeout # 3 53 53 1028 1028 (Src IP, Src Port, Dest IP, Dest Port) Check Translation check 16 Printed in USA.

Stateful Inspection Firewalls www.yahoo.com Internet Outside Get Sports Page (Request) Inside 10.0.0.15 Sports Page (Reply) Stateful Only One ACL Is Required 1. Permit HTTP traffic from 10.0.0.0 to www.yahoo.com 17 Proxy Firewalls Proxy Server Internet Outside Network Inside Network All requests and replies pass though a proxy server; no direct connection between a client and the server; everything is proxied thus the name 18 Printed in USA.

Proxy Firewalls Proxy Server 2 Get Sports Page (Request) 1 www.yahoo.com Internet 3 Sports Page (Reply) 4 Inside Network Two Separate TCP Connections Client to proxy firewall Proxy firewall to www.yahoo.com 19 How a Proxy Service Works external.foobar.com 193.33.22.1 User Request to Gateway Server ftp gw.foobar.com Gatekeeper Router Data Transfer Authentication by Gateway Server DNS Lookup gw.foobar.com Internal.foobar.com Re-Routing to Application Server internal.foobar.com 20 Printed in USA.

Proxy Firewalls Proxy firewalls permit no traffic to pass directly between networks Provide intermediary style connections between the client on one network and the server on the other Addition of new applications require proxy development on server and client For HTTP (application specific) proxies all web browsers must be configured to point at proxy server 21 Personal Firewalls LITE version of network firewalls for laptops and desktops Disallow inbound connections unless explicitly allowed Watches inbound/outbound traffic Protect laptops and desktops from attacks Host Intrusion Prevention Systems (HIPS) integrated with a distributed firewall is a much better solution provides zero day protection against worms and viruses 22 Printed in USA.

NAT/PAT Firewalls: Concept Internet NAT Global pool 192.168.0.17-30 192.168.0.0 Global pool 192.168.0.3-14 10.0.0.0/24 10.2.0.0 /24 Internet PAT 192.168.0.20 Port 2000 192.168.0.20 Port 2001 10.0.0.11 10.0.0.4 10.0.0.11 10.0.0.4 23 NAT Firewalls NAT Firewalls hide all internal addresses thus protect small networks from external attacks as internal addresses are not exposed May offer minimal stateful inspection and basic VPN A full fledged stateful firewall is much powerful then basic NAT firewalls 24 Printed in USA.

Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 25 Form Factors Dedicated Appliances Software (Network and Personal) Firewall Switch Module Integrated in Router Software Specialized and secure OS Ease of management Many price/performance levels Runs on general purpose OS Multi-purpose server Light version personal FW Very high performance Leverages existing infrastructure saves rack space Investment protection WAN connections Performance considerations 26 Printed in USA.

Firewall Deployment Small Business/ Branch Office Internet Service Provider Corp HQ Perimeter Telecommuter Regional Office Data Center and Internal Firewalls ASP 27 Firewall Modes Virtual firewall mode Transparent firewall mode 28 Printed in USA.

Virtual Firewalls Logical partitioning of a single firewall into multiple logical firewalls, each with its own unique policies and administration Each virtual firewall provides the same firewall features provided by a standalone firewall Provides method to consolidate multiple firewalls into a single appliance, thus reducing overall management and operational overhead SP SP 29 Transparent Firewall Provides ability to easily drop in a firewall into existing networks without requiring any addressing changes Simplifies deployment, providing an ideal solution for small and medium businesses with limited IT resources Transparent Firewall Router 10.30.1.0/24 10.30.1.0/24 Router SAME Subnet 30 Printed in USA.

Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 31 Key Features to Look for in a Firewall Performance Throughput (real world vs. best case) Scalability investment protection ASIC vs. NP vs. general purpose CPU Resiliency Active passive Active active Asymmetric routing 32 Printed in USA.

Key Features to Look for in a Firewall ACL management Performance Debugging Insertion/enabling Integration with AAA Dynamic protocols Multimedia applications FTP 33 Key Features to Look for in a Firewall Content filtering ActiveX/JAVA URL filtering Virus scanning VPN Site-to-site VPN Remote access VPN SSL VPN 34 Printed in USA.

Key Features to Look for in a Firewall Integration with the existing infrastructure Integration with AAA servers Integration with PKI servers Centralized ACLs Integration with VoIP protocols Management Device managers Multi-device managers Logging and reporting SOHO devices with dynamic IP addresses 35 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 36 Printed in USA.

Emerging Trends Application inspection and WEB ACLs Application firewalls Instant messenger firewalls Email firewalls Web firewalls Integration with In-line IDS Integration with antivirus 37 Application Firewall: Many Definitions Application layer ACLs Filtering based on normal application traffic (port 80 misuse and others) Protection against known vulnerabilities signatures Protocol anomalies User defined filters (Layer 7 filtering) Patterns (streams and context-based) Old proxy firewalls with enhanced speeds 38 Printed in USA.

Integration with Inline IDS Mixed opinion supporters in both camps Direction firewall vendors adding IDS and IDS vendors adding firewall features Key Issues False positives good traffic may be dropped Performance Regex, a taxing operation Failover No complete solution today by anybody 39 Integration with Antivirus Integrated vs. stand-alone Some firewall vendors are integrating anti-virus software in low end boxes all in one solution Key issue Performance 40 Printed in USA.

THANK YOU 41 42 Printed in USA.