FIREWALL ARCHITECTURES



Similar documents
Firewalls and VPNs. Principles of Information Security, 5th Edition 1

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Security Technology: Firewalls and VPNs

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Network Security Topologies. Chapter 11

Internet Security Firewalls

CMPT 471 Networking II

Proxy Server, Network Address Translator, Firewall. Proxy Server

Overview. Firewall Security. Perimeter Security Devices. Routers

Internet Security Firewalls

Firewall Security. Presented by: Daminda Perera

Guideline on Firewall

12. Firewalls Content

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls and System Protection

Internet infrastructure. Prof. dr. ir. André Mariën

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 11 Cloud Application Development

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

allow all such packets? While outgoing communications request information from a

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

FIREWALLS & CBAC. philip.heimer@hh.se

What would you like to protect?

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Cornerstones of Security

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Chapter 15. Firewalls, IDS and IPS

- Introduction to Firewalls -

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Packet filtering and other firewall functions

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Intranet, Extranet, Firewall

How To Protect Your Network From Attack

NAT (Network Address Translation)

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

CSCE 465 Computer & Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Chapter 3

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Laboratory Exercises VII: Network Firewalls

Owner of the content within this article is Written by Marc Grote

Firewalls and Virtual Private Networks

ABSTRACT CHAPTER I. Preliminary Background

Firewalls. Mahalingam Ramkumar

Firewall Environments. Name

Firewalls, IDS and IPS

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Document No. FO1101 Issue Date: Work Group: FibreOP Technical Team October 31, 2013 FINAL:

Nuclear Plant Information Security A Management Overview

Security threats and network. Software firewall. Hardware firewall. Firewalls

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Vocia MS-1 Network Considerations for VoIP. Vocia MS-1 and Network Port Configuration. VoIP Network Switch. Control Network Switch

Technical Support Information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Multi-Homing Dual WAN Firewall Router

Network Address Translation (NAT)

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Chapter 4 Customizing Your Network Settings

Source-Connect Network Configuration Last updated May 2009

Basics of Internet Security

ΕΠΛ 674: Εργαστήριο 5 Firewalls

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Post-Class Quiz: Telecommunication & Network Security Domain

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

UPPER LAYER SWITCHING

CAP, EAS AND IPAWS: INTRODUCING A DEFENSE-IN-DEPTH SECURITY STRATEGY FOR BROADCASTERS

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Fig : Packet Filtering

Compter Networks Chapter 9: Network Security

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Firewalls. Ahmad Almulhem March 10, 2012

CIS 433/533 - Computer and Network Security Firewalls

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Tutorial 3. June 8, 2015

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

INTRUSION DETECTION SYSTEMS and Network Security

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Firewall Architecture

Transcription:

FIREWALL ARCHITECTURES The configuration that works best for a particular organization depends on three factors: The objectives of the network, the organization s ability to develop and implement the architectures, and the budget available for the function. There are FOUR common architectural implementations of firewalls.these implementations are packet filtering routers, screened host firewalls, dual-homed firewalls,a nd screened subnet firewalls. I. Packet Filtering Routers Most organizations with a n Internet connections have some form of a router as the interface to the Internet at the perimeter between the organization s internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not allow into the network. This is a simple but effective way to lower the organization s risk from external attack. The drawbacks to this type of system include a lack of auditing and strong authentication. Also, the complexity of the access control lists used to filter the packets can grow and degrade network performance. Fig

6-4 is an example of this type of architecture. II. Screened Host Firewalls This architecture combines the packet filtering router with a separate, dedicated firewall, such as an application proxy server. This approach allows the router to pre-screen packets to minimize the network traffic and loads on the internal proxy.the application proxy examines an application layer protocol, such as HTTP, and perform the proxy services. This separate host is often referred to as a bastion host; it can be a rich target for external attacks, and should be very thoroughly secured.evn though the bastion host/application proxy actually contains only cached copies of the internal Web documents, it can still present a promising target, because compromise of the bastion host can disclose the configuration of internal networks and possibly provide external sources with internal information. Since the bastion host stands as a sloe defender on the network perimeter, it is also commonly referred to as the Sacrificial Host. To its advantage, this configuration requires the external attack to compromise two separate systems, before the attack can access internal data. Inthis way, the bastion host protects the data more fully than the router alone. Fig 6-11 shows a typical configuration of a screened host architectural approach.

III. Dual-Homed Host Firewalls The next step up in firewall architectural complexity is the dual-homed host. When this architectural approach is used, the bastion host contains two NICs (Network Interface Cards) rather than one, as in the bastion host configuration. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With TWO NICs, all traffic must physically go through the firewall to move between the internal and external networks. Implementation of this architecture often makes use of NATs. NAT is a method of mapping real, valid, external IP addresses to special ranges of non-routable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers. The internal addresses used by NAT consist of three different ranges. Organizations that need Class A addresses can use the 10.x.x.x range, which has over 16.5 million usable addresses. Organization s that need Class B addresses can use the 192.168.x.x range, which has over 65,500 addresses. Finally, organiazations with smaller needs, such as those needing onlya few Class C addresses, can use the c172.16.0.0 to 172.16.15.0 range, which hs over 16 Class C addresses or about 4000 usable addresses. See table 6-4 for a recap of the IP address ranges reseved fro non-public networks. Messages sent with internal addresses within these three internal use addresses is directly connected to the external network, and avoids the NAT server, its traffic cannot be routed on the public network. Taking advantage of this, NAT prevents external attacks from reaching internal machines with addresses in specified ranges.if the NAT server is a multi-homed bastion host, it translates between the true, external IP addresses assigned to the organization by public network naming authorities ansd the internally assigned, nonroutable IP addresses. NAT translates by dynamically assigning addresses to internal communications and tracking the conversions with sessions to determine which incoming message is a response to which outgoing traffic. Fig 6-12 shows a typical configuration of a dual homed host firewall that uses NAT and proxy access to protect the internal network.

Another benefit of a dual-homed host is its ability to translate between many different protocols at their respective data link layers, including Ethernet, Token Ring, Fiber Distributed Data interface (FDDI), and Asynchronous Transfer Method (ATM). On the downside, if this dual-homed host is compromised, it can disable the connection to the external network, and as traffic volume increases, it can become overloaded. Compared to more complex solutions, however, this architecture provides strong overall protection with minimal expense. IV. Screened Subnet Firewalls (with DMZ) The dominant architecture used today is the screened subnet firewall. The architecture of a screened subnet firewall provides a DMZ. The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet, as shown in Fig 6-13. Until recently, servers providing services through an untrusted network were commonly placed in the DMZ. Examples of these include Web servers, file transfer protocol (FTP) servers, and certain database servers. More recent strategies using proxy servers have provided much more secure solutions.

A common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network. There are many variants of the screened subnet architecture. The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them. In the second general model, as illustrated in Fig 6-13, the connections are routed as follows: 1. Connections from the outside or un trusted network are routed through an external filtering router. 2. Connections from the outside or un trusted network are routed into-and then out of a routing firewall to the separate network segment known as the DMZ. 3. Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

The screened subnet is an entire network segment that performs two functions: it protects the DMZs systems and information from outside threats by providing a network of intermediate security; and it protects the internal networks by limiting how external connections can gain access to internal systems. Although extremely secure, the screened subnet can be expensive to implement and complex to configure and manage. The value of the information it protects must justify the cost. Another facet of the DMZ is the creation of an area of known as an extranet. AN extranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public. An example would be an online retailer that allows anyone to browse the product catalog and place items into a shopping cart, but will require extra authentication and authorization when the customer is ready to check out and place an order.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information