Firewalls
By: Arash Habibi Lashkari, July 2010

Outline:
- What is a firewall
- Why an organization needs a firewall
- Types of firewalls and technologies
- Deploying a firewall
- What is a VPN
Introduction
- Computer viruses have become today's headline news
- With the increasing use of the Internet, it has become easier for viruses to spread
- Viruses show us loopholes in software
- Most viruses are targeted at the MS Windows OS
What is a Firewall?
A firewall:
- Acts as a security gateway between two networks, usually between trusted and untrusted networks (such as between a corporate network and the Internet)
- Tracks and controls network communications
- Decides whether to pass, reject, encrypt, or log communications (access control)
(Diagram: Internet -> Corporate Network Gateway -> Corporate Site)
Why Firewalls are Needed
- Prevent attacks from untrusted networks
- Protect data integrity of critical information
- Preserve customer and partner confidence
Evolution of Firewalls
(Chart: stage of evolution, earliest to latest: Packet Filter -> Application Proxy -> Stateful Inspection)
Packet Filter
- Packets examined at the network layer
- Useful first line of defense; commonly deployed on routers
- Simple accept-or-reject decision model
- No awareness of higher protocol layers
(Diagram: OSI layer stacks, Physical through Applications, for the two endpoints and the packet filter)
Application Gateway or Proxy
- Packets examined at the application layer
- Application/content filtering possible (prevent FTP put commands, for example)
- Modest performance
- Scalability limited
(Diagram: OSI layer stacks, Physical through Applications, for the two endpoints and the proxy)
Stateful Inspection
- Packets inspected between the data link layer and the network layer in the OS kernel
- State tables are created to maintain connection context
- Invented by Check Point
(Diagram: OSI layer stacks for the two endpoints and the firewall, with the INSPECT engine and its dynamic state tables sitting between Data Link and Network)
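The difference between the packet filter and stateful inspection slides is easiest to see with a small model of both. The following is an added example, not code from the slides or from any vendor: it applies a stateless rule list and a state-table engine to the same constructed packets (RFC 5737 documentation addresses, hypothetical rules) and shows why the stateless filter has to carry a permissive "anything from source port 80" rule that the stateful engine does not need.

```python
"""Stateless packet filtering vs stateful inspection, modelled on 5-tuples.

Constructed example: addresses are documentation ranges, rules are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = corporate LAN to Internet, "in" = Internet to LAN


@dataclass(frozen=True)
class Rule:
    direction: str
    src_port: str  # "any", "high" (>= 1024) or a single port number as text
    dst_port: str
    action: str    # "accept" or "reject"


def port_matches(port: int, pattern: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "high":
        return port >= 1024
    return port == int(pattern)


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """Packet filter: first matching rule wins, implicit final rule rejects."""
    for rule in rules:
        if (rule.direction == pkt.direction
                and port_matches(pkt.src_port, rule.src_port)
                and port_matches(pkt.dst_port, rule.dst_port)):
            return rule.action
    return "reject"


class StatefulInspector:
    """Records connections opened from the inside in a state table and admits
    an inbound packet only if it is the reverse of a recorded connection."""

    def __init__(self, outbound_rules: List[Rule]) -> None:
        self.outbound_rules = outbound_rules
        self.state: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            action = stateless_decide(self.outbound_rules, pkt)
            if action == "accept":
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return action
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "accept" if reverse in self.state else "reject"


# A stateless filter cannot tell a web reply from anything else arriving with
# source port 80, so letting replies in requires this permissive second rule.
STATELESS_RULES = [
    Rule("out", "any", "80", "accept"),
    Rule("in", "80", "high", "accept"),
]
# The stateful engine needs only the outbound rule; replies come from the table.
STATEFUL_OUTBOUND_RULES = [Rule("out", "any", "80", "accept")]

# Constructed traffic sample (RFC 5737 documentation addresses).
SAMPLE = [
    ("client opens web connection", Packet("10.1.1.5", 49152, "203.0.113.10", 80, "out")),
    ("web server reply", Packet("203.0.113.10", 80, "10.1.1.5", 49152, "in")),
    ("unsolicited packet with source port 80", Packet("198.51.100.9", 80, "10.1.1.7", 49200, "in")),
    ("unsolicited connection to telnet", Packet("198.51.100.9", 40000, "10.1.1.7", 23, "in")),
]


def compare(packets=SAMPLE):
    """Returns (label, stateless decision, stateful decision) per packet."""
    inspector = StatefulInspector(STATEFUL_OUTBOUND_RULES)
    return [(label, stateless_decide(STATELESS_RULES, p), inspector.decide(p))
            for label, p in packets]


if __name__ == "__main__":
    for label, stateless, stateful in compare():
        print(f"{label:40s} stateless={stateless:7s} stateful={stateful}")
```

The third packet is the point of the slide: it matches the reply rule of the stateless filter and is accepted, while the stateful engine rejects it because no inside host opened a connection to that peer.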
Network Address Translation (NAT)
- Converts a network's illegal IP addresses to legal or public IP addresses
- Hides the true addresses of individual hosts, protecting them from attack
- Allows more devices to be connected to the network
(Diagram: internal IP addresses 192.172.1.1-192.172.1.254 on the corporate LAN; public IP address 219.22.165.1 on the Internet side)
Port Address Translation (PAT)
(Diagram: PAT table. Inside local address:port -> Inside global address:port -> Outside address:port)
10.0.0.2:49090 -> 192.168.0.15:2000 -> 172.30.0.50:23
10.0.0.3:49090 -> 192.168.0.15:2001 -> 172.30.0.50:23
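The NAT and PAT slides describe a translation table; the following added example (not from the slides, written for this page) models that table with the slide's own addresses: two inside hosts that happen to use the same source port are rewritten to one global address with distinct global ports, a reply is mapped back to the right inside host, and inbound packets with no matching entry are dropped, which is the "hides the true addresses" property in code.

```python
"""Port Address Translation (PAT) modelled as a translation table.

Constructed example using the addresses shown on the slide.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


FourTuple = Tuple[str, int, str, int]  # inside IP, inside port, outside IP, outside port


class PatDevice:
    """Rewrites the source of outbound packets to one global address, using a
    distinct global port per inside connection, and undoes the rewrite for
    replies. Inbound packets with no table entry are dropped."""

    def __init__(self, global_ip: str, first_global_port: int = 2000) -> None:
        self.global_ip = global_ip
        self.next_port = first_global_port
        self.by_inside: Dict[FourTuple, int] = {}   # inside 4-tuple -> global port
        self.by_global: Dict[int, FourTuple] = {}   # global port -> inside 4-tuple

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self.by_inside.get(key)
        if gport is None:  # new connection: allocate the next free global port
            gport = self.next_port
            self.next_port += 1
            self.by_inside[key] = gport
            self.by_global[gport] = key
        return replace(pkt, src_ip=self.global_ip, src_port=gport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from outside; None means it is dropped."""
        if pkt.dst_ip != self.global_ip:
            return None
        entry = self.by_global.get(pkt.dst_port)
        if entry is None:
            return None  # nothing inside asked for this: unsolicited
        inside_ip, inside_port, outside_ip, outside_port = entry
        if (pkt.src_ip, pkt.src_port) != (outside_ip, outside_port):
            return None  # entry belongs to a different outside peer
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo() -> Dict[str, Optional[Packet]]:
    pat = PatDevice("192.168.0.15")
    out: Dict[str, Optional[Packet]] = {}
    # Two inside hosts happen to pick the same source port; PAT keeps them apart.
    out["host2_out"] = pat.outbound(Packet("10.0.0.2", 49090, "172.30.0.50", 23))
    out["host3_out"] = pat.outbound(Packet("10.0.0.3", 49090, "172.30.0.50", 23))
    # Reply to host 3 comes back to the global port it was allocated.
    out["reply_to_host3"] = pat.inbound(Packet("172.30.0.50", 23, "192.168.0.15", 2001))
    # Packet to a global port nobody mapped: dropped.
    out["unsolicited"] = pat.inbound(Packet("172.30.0.50", 23, "192.168.0.15", 2500))
    # Packet from a different outside host to a mapped port: dropped.
    out["wrong_peer"] = pat.inbound(Packet("172.30.0.99", 23, "192.168.0.15", 2000))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16s} -> {pkt if pkt else 'dropped'}")
```

Only the global address and port are ever visible to the outside host; the inside addresses exist solely in the device's table.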
Personal Firewalls
- Need arises from always-on connections
- Your PC is not protected enough by your OS
- Intrusion detection facilities
- Different levels of security
- Templates
Firewall Deployment: Corporate Network Gateway
- Protect internal network from attack
- Most common deployment point
(Diagram: Internet -> Corporate Network Gateway; Demilitarized Zone (DMZ) with public servers; Human Resources network inside the corporate site)
Firewall Deployment: Internal Segment Gateway
- Protect sensitive segments (Finance, HR, Product Development)
- Provide second layer of defense
- Ensure protection against internal attacks and misuse
(Diagram: Internet -> Corporate Network Gateway; DMZ with publicly-accessible servers; Internal Segment Gateway in front of the Human Resources network)
Firewall Deployment: Server-Based Firewall
- Protect individual application servers
- Protect files
(Diagram: Internet -> Corporate Network Gateway; DMZ with public servers; Internal Segment Gateway for the Human Resources network; server-based firewall on the SAP server)
Firewall Deployment: Platforms
Hardware appliance-based firewall
- Single platform, software pre-installed
- Can be used to support small organizations or branch offices with little IT support
Software-based firewall
- Flexible platform deployment options
- Can scale as the organization grows
Summary
- Firewalls are the foundation of an enterprise security policy
- Stateful Inspection is the leading firewall technology
What is a VPN?
- A VPN is a private connection over an open network
- A VPN includes authentication and encryption to protect data integrity and confidentiality
(Diagram: Acme Corp Site 1 <-> VPN over the Internet <-> Acme Corp Site 2)
Why Use Virtual Private Networks?
- More flexibility
  - Leverage ISP point of presence
  - Use multiple connection types (cable, DSL, T1, T3)
  - Most attacks originate within an organization
- More scalability
  - Add new sites and users quickly
  - Scale bandwidth to demand
- Lower costs
  - Reduced frame relay/leased line costs
  - Reduced long distance charges
  - Reduced equipment costs (modem banks, CSU/DSUs)
  - Reduced technical support
Types of VPNs
- Remote Access VPN
  - Provides access to the internal corporate network over the Internet
  - Reduces long distance, modem bank, and technical support costs
  - PAP, CHAP, RADIUS
  (Diagram: remote user -> Internet -> Corporate Site)
- Site-to-Site VPN
  - Connects multiple offices over the Internet
  - Reduces dependencies on frame relay and leased lines
  (Diagram: Branch Office <-> Internet <-> Corporate Site)
- Extranet VPN
  - Provides business partners access to critical information (leads, sales tools, etc.)
  - Reduces transaction and operational costs
  (Diagram: Corporate Site <-> Internet <-> Partner #1 and Partner #2 networks)
- Client/Server VPN
  - Protects sensitive internal communications
  (Diagram: LAN clients <-> database server with sensitive data)
Components of a VPN
- Encryption
- Key management
- Message authentication
- Entity authentication
Encryption
- Current standards: DES and Triple DES
  - Over 20 years in the field
- AES beginning deployment
  - New standard
  - More computationally efficient
  - Longer keys = more secure
(Diagram: traffic from Joe's PC to the HR Server is encrypted; all other traffic, such as Mary's PC and the e-mail server, is cleartext)
Key Management
- Public key cryptosystems enable secure exchange of private crypto keys across open networks
- Re-keying at appropriate intervals
- IKE = Internet Key Exchange protocols
  - Incorporates ISAKMP/Oakley
Authentication
- IPsec standards focus on authentication of two network devices to each other
  - IP address/preshared key
  - Digital certificates
- User authentication is added on top if required
  - RADIUS and TACACS+ are the standard protocols for authentication servers
  - XAUTH is being added to the standards to address user authentication
Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 remote access VPN distributed with the Windows product family
- Addition to Point-to-Point Protocol (PPP)
- Allows multiple Layer 3 protocols
- Uses proprietary authentication and encryption
- Limited user management and scalability
- Known security vulnerabilities
(Diagram: Remote PPTP client -> ISP remote access switch -> Internet -> PPTP RAS server on the corporate network)
Layer 2 Tunneling Protocol (L2TP)
- Layer 2 remote access VPN protocol
- Combines and extends PPTP and L2F (Cisco-supported protocol)
- Weak authentication and encryption
- Does not include packet authentication, data integrity, or key management
- Must be combined with IPSec for enterprise-level security
(Diagram: Remote L2TP client -> ISP L2TP concentrator -> Internet -> L2TP server on the corporate network)
Internet Protocol Security (IPSec)
- Layer 3 protocol for remote access, intranet, and extranet VPNs
- Internet standard for VPNs
- Provides flexible encryption and message authentication/integrity
- Includes key management
Components of an IPSec VPN
- Encryption: DES, 3DES, and more
- Message authentication: HMAC-MD5, HMAC-SHA-1, or others
- Entity authentication: digital certificates, shared secrets, hybrid mode IKE
- Key management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
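The message authentication component listed above (HMAC-MD5, HMAC-SHA-1) is the part of an IPsec VPN that lets a receiver detect a modified or replayed packet. The following is an added example, not the slides' or any implementation's code: it uses Python's standard hmac module to tag each message with HMAC-SHA-1 over a sequence number and payload, and shows a receiver rejecting a tampered payload, a replay, and a tag made under the wrong key. The key and messages are constructed; the framing is a simplified model, not the ESP or AH wire format.

```python
"""HMAC message authentication with a sequence number, as a simplified model
of the authentication/integrity component of an IPsec VPN.

Constructed example: the key and messages are made up; this is not the
ESP/AH wire format, only the check a receiver performs.
"""
import hashlib
import hmac
import struct
from typing import Callable, Dict


def make_tag(key: bytes, seq: int, payload: bytes,
             algo: Callable = hashlib.sha1) -> bytes:
    """HMAC over (sequence number || payload), HMAC-SHA-1 by default."""
    return hmac.new(key, struct.pack("!I", seq) + payload, algo).digest()


class Receiver:
    """Accepts a message only if its tag verifies under the shared key and
    its sequence number is newer than the last accepted one."""

    def __init__(self, key: bytes, algo: Callable = hashlib.sha1) -> None:
        self.key = key
        self.algo = algo
        self.last_seq = 0

    def accept(self, seq: int, payload: bytes, tag: bytes) -> bool:
        expected = make_tag(self.key, seq, payload, self.algo)
        # compare_digest runs in constant time, avoiding a timing side channel.
        if not hmac.compare_digest(expected, tag):
            return False
        if seq <= self.last_seq:
            return False  # replayed or out-of-order: rejected
        self.last_seq = seq
        return True


def demo() -> Dict[str, bool]:
    key = b"constructed-shared-secret"  # in IPsec this would come from IKE
    rx = Receiver(key)
    results: Dict[str, bool] = {}

    msg1 = b"transfer 100 to account 42"
    tag1 = make_tag(key, 1, msg1)
    results["genuine"] = rx.accept(1, msg1, tag1)

    # Payload altered in transit, original tag kept: integrity check fails.
    results["tampered"] = rx.accept(2, b"transfer 900 to account 42", tag1)

    # Same message and tag delivered again: replay check fails.
    results["replayed"] = rx.accept(1, msg1, tag1)

    # A party without the shared key cannot produce a valid tag.
    forged = make_tag(b"guessed-key", 2, msg1)
    results["wrong_key"] = rx.accept(2, msg1, forged)

    # Next genuine message with a fresh sequence number is accepted.
    msg2 = b"transfer 5 to account 7"
    results["next_genuine"] = rx.accept(2, msg2, make_tag(key, 2, msg2))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

Swapping hashlib.md5 for hashlib.sha1 in the algo parameter gives HMAC-MD5, the other algorithm the slide names; the verification logic does not change.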
Encryption Explained
- Used to convert data to a secret code for transmission over an untrusted network
(Diagram: clear text "The cow jumped over the moon" -> encryption algorithm -> encrypted text "4hsd4e3mjvd3sd a1d38esdf2w4d")
Symmetric Encryption
- Same key used to encrypt and decrypt the message
- Faster than asymmetric encryption
- Examples: DES, 3DES, RC5, Rijndael
(Diagram: one shared secret key on both sides)
Asymmetric Encryption
- Different keys used to encrypt and decrypt the message (one public, one private)
- Examples include RSA, DSA, SHA-1, MD5
(Diagram: Bob encrypts with Alice's public key; Alice decrypts with Alice's private key)
Secure Virtual Network Architecture
(Diagram: product-based reference architecture with these labelled components: Corporate Network, VPN-1/FireWall-1 Gateway with StoneBeat FullCluster, FireWall-1 with StoneBeat Security Cluster, VPN-1 Accelerator Card, FloodGate-1 QoS, ConnectControl Server Load Balancing, ISS RealSecure Intrusion Detection, RSA Advanced PKI, RSA ACE/Server, RSA ACE/Agent, LDAP Directory, Trend InterScan, WebManager and eManager, Enterprise Management Console with policy-based management, reporting and account management, Open Security Extension, Web Server Pool, Extranet Application Server, VPN-1 SecureServer, Extranet Partner Site with IPSec-compliant Gateway, Remote Users over dial-up and broadband with VPN-1 SecuRemote, VPN-1 SecureClient and RSA SecurID, Remote Office with a VPN-1/FireWall-1 Nokia Appliance, Router)
Questions

Lab 3: Install Kool Firewall, capture the packets, and kill the suspicious packets.