Ruhr-University Bochum, Department of Computer Science, Prof. Dr.-Ing. Dr. h.c. Wolfgang Weber
ICINAS-98, St. Petersburg, Russia, September 7-11, 1998
http://www.etdv.ruhr-uni-bochum.de/dv/publications/icinas98/
URL: http://www.etdv.ruhr-uni-bochum.de

Modern Firewalls - Security Management in Local Networks (LAN)

Th. Droste (a) and W. Weber (b)

(a) Dipl.-Ing. Thomas Droste, Senior Research Fellow, Department of Computer Science, Ruhr-University Bochum, Germany
(b) Prof. Dr.-Ing. Wolfgang Weber, Director of the named institute, Germany

Abstract

The worldwide spread of networking requires a secure mechanism to protect one's own local network. A direct Internet access and a permanent connection between the intranet and the Internet exhibit a security gap which must be eliminated. Depending on the security level there are different requirements to check. In this context the solution for this security problem is firewalls and cryptographic mechanisms. Beyond the packet filter function of earlier firewalls, the modern third generation firewalls have an extended functionality. These features reach from the packet filter function on the lower TCP/IP layers over transparent proxy servers and the construction of virtual private networks (VPN) to the support of the next generation Internet Protocol version 6 (IPv6). Beyond this, the firewall extends to a computer pool which replaces the classical dual-homed firewall as a single computer. The dataflow analysis between the internal and external network reaches from the network access layer up to the application layer in the TCP/IP protocol architecture. Various server applications are placed in an independent security server net (SSN) which can run on one or several hosts. So it is possible to obtain an extended analysis, for example a virus check on datagrams or the deactivation of programs in HTML pages (Java, ActiveX). The second advantage is the separation between the services offered, for example, for public access (WWW server, e-mail server, etc.) and the local network.
Because graphically based systems, especially Windows NT, are spreading more and more, and local networks have changed into intranets, modern firewalls are remotely administered from the intranet by means of a Graphical User Interface (GUI). The GUI is more convenient with regard to the connection of different intranets over the Internet as a VPN. Authentication and cryptographic methods warrant a secure tunnel between the different intranets. From outside the VPN, the direct connection to the intranet from any Internet access is realized via a dynamic VPN. The old IP stack is replaced with the new IPv6 to establish a temporary tunnel to the intranet. The implementation of and migration to IPv6 in the internal network for every host, together with the protocol conversion in the firewall for the Internet connection, allows the use of authentication and cryptographic mechanisms in the intranet.

1. INTRODUCTION

The aim of a firewall is to protect the internal network against unauthorized accesses without significant influence on the dataflow, but nevertheless with the utmost flexibility. Additionally, such a firewall implements the demanded security policy. Filtering and evaluation of packets is carried out on several layers. On the IP level the fixing and checking of IP addresses permits or restricts the dataflow. One layer above, on the TCP level, the filtering of Internet services is done by releasing port numbers. As a secondary condition further fields in the header are checked. The successive application of further rules ensures the selection of permitted or restricted accesses. The evaluation and indication of attacks, e.g. IP spoofing, is an additional function. The firewall has to detect the resulting IP storm.

To hide the structure of the Internet from unauthorized people, the use of proxy systems is a usual method. Such systems are normally started directly as a service on the firewall to handle the requests. Transparent proxy systems act in the background of the dataflow. There are two principles of proxy systems. A circuit level proxy has only a filter function based on the security policy of the firewall. Such generic proxies do not belong to an application protocol and therefore have no knowledge of that protocol. A new protocol can easily be supported here. Application level proxies are an advanced development. They have full knowledge of the related application protocol, i.e. each command can be analyzed and blocked where required.
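The layered filtering described in this section, as an added example that is not part of the paper: an ordered rule list decides on the IP level (addresses) and on the TCP/UDP level (port numbers), first match wins, and an anti-spoofing check rejects packets that arrive on the external interface with an internal source address. The network prefix, the server addresses, the policy and the sample packets are constructed for the example.

```python
"""Ordered packet-filter rules with an anti-spoofing check.

Added example, not code from the paper: a first-match rule evaluator
that decides at the IP level (addresses) and the TCP/UDP level (port
numbers), and rejects packets that claim an internal source address
while arriving on the external interface. Addresses and policy are
constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = ip_network("192.168.10.0/24")   # constructed intranet prefix
MAIL_SERVER = "192.168.10.25"                   # constructed SSN hosts
WEB_SERVER = "192.168.10.80"


@dataclass(frozen=True)
class Packet:
    iface: str      # "ext" (Internet side) or "int" (intranet side)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR the source address must lie in
    dst: str = "0.0.0.0/0"           # CIDR the destination address must lie in
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# Constructed security policy, evaluated top to bottom; first match wins.
POLICY = [
    Rule("permit", dst=MAIL_SERVER + "/32", proto="tcp", dport=25),   # SMTP to the SSN
    Rule("permit", dst=WEB_SERVER + "/32", proto="tcp", dport=80),    # HTTP to the SSN
    Rule("permit", src=str(INTERNAL_NET)),                            # intranet to anywhere
    Rule("deny"),                                                     # default deny
]


def anti_spoof(p: Packet) -> Optional[str]:
    """Return a reason if the source address is impossible for the arrival interface."""
    internal_src = ip_address(p.src) in INTERNAL_NET
    if p.iface == "ext" and internal_src:
        return "spoof: internal source address from the Internet"
    if p.iface == "int" and not internal_src:
        return "spoof: foreign source address from the intranet"
    return None


def decide(p: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason); the anti-spoofing check runs before any rule."""
    reason = anti_spoof(p)
    if reason:
        return ("deny", reason)
    for i, rule in enumerate(policy):
        if rule.matches(p):
            return (rule.action, f"rule {i}")
    return ("deny", "no rule matched")


def spoof_storm_sources(packets: List[Packet], threshold: int) -> List[str]:
    """Sources whose spoofed packets reach the threshold within one batch."""
    hits = Counter(p.src for p in packets if anti_spoof(p))
    return sorted(s for s, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    sample = [
        Packet("ext", "203.0.113.7", MAIL_SERVER, "tcp", 25),
        Packet("ext", "203.0.113.7", "192.168.10.50", "tcp", 23),
        Packet("int", "192.168.10.50", "198.51.100.9", "tcp", 443),
    ] + [Packet("ext", "192.168.10.1", WEB_SERVER, "tcp", 80)] * 5
    for p in sample[:4]:
        print(p.iface, p.src, "->", p.dst, p.dport, decide(p))
    print("spoof storm from:", spoof_storm_sources(sample, threshold=5))
```

The spoofing check is deliberately placed in front of the rule list: a permit rule for the SSN must never be reachable by a packet that forges an internal source, and counting such rejections per source is the simplest form of the "IP storm" detection the section asks for.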
Such dedicated proxy servers are bound to their respective application protocols.

2. EXTENDED FUNCTIONALITY

Beyond the security function against prohibited access, the construction of a VPN as a standard function is necessary. Thus it becomes possible to construct a quite secure connection among different intranets via the Internet. The normal communication takes place by constructing a tunnel among several intranets through the layering of one protocol over another. The Internet acts as a backbone for the VPN in the distributed host network. Additionally, different encryption methods can be applied; e-mails transferred via the VPN, for instance, are automatically encrypted by PGP (Pretty Good Privacy). The advantage of a VPN via the Internet is the lowering of costs, because no additionally installed lines between the intranets are required. Beyond this, all services of the Internet can be used permanently in the intranet.

Members of the intranet compound who are located outside the VPN can get access with special client software, realized by a dynamic VPN (DVPN). The construction of a temporary tunnel and the associated substitution of the IP stack by the new IPv6 realizes a registration in the intranet compound. For authentication different mechanisms are used, e.g. authentication via PIN codes. One advantage is the high security of the connection from any Internet access.

In the meantime, the integration of different communication partners has become a supplementary demand on the firewall. Scaling of connections over the WAN to single users, companies and computer pools is possible via the encryption and authentication defined by the IP Security (IPsec) Working Group. If both connected partners support IPsec independently of the firewall used, authenticated connections can be constructed.

Meanwhile, the firewall as a central node to the Internet does not only separate the intranet from the Internet but also, in part, the publicly accessible services via its SSN. An advantage of this separation is the increased security by duplicated protection. If an attack on the public part of the intranet happens, this does not directly imply a security loss for the internal network. A physical and logical separation by the firewall protects the other part.

These third generation firewalls allow further analysis functions on higher protocol levels. E.g. the check of SMTP commands in an e-mail can be realized by using the application level proxy. The transfer via the Content Vectoring Protocol (CVP) and a subsequent virus check applied to received e-mails by a virus scan server enables the system to investigate the content of an e-mail, including attached data files. A further way to directly influence the dataflow is the extension of the proxy, e.g. the HTTP proxy.
In such cases the dataflow must be specially observed. Extended options are e.g. the deactivation of JavaScript, Java and ActiveX, a virus check for downloaded files and the generation of log files for further analysis.

The administration and maintenance of these third generation firewalls is usually realized by remote administration via the internal network, to avoid security risks such as sniffer attacks. The basic configuration is done locally on the firewall host; everything further is achieved via secure connections. The administration is done with the help of the GUI. This guarantees a better visualization and excludes a wrong configuration to a high degree. The application translates the rules of the security policy. The user-defined administration is done e.g. by a browser over secure HTTPS via Java, or by an independent local application from any internal host. A further advantage is mainly connected with the VPN: the administrator of one connected internal network can also administer the other firewalls.

In case of a security violation the firewall must produce an alarm. This can be done in diverse ways and results in different actions, from alarms for simple access violations by prohibited use of a restricted service up to heavy security offences.
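The application level SMTP command check and the graded alarms described in this section, as an added example that is not code from the paper or from any firewall product: the proxy parses each command line of a session before relaying it to the internal mail server, refuses what the policy does not allow, drops malformed or oversized lines, and records a log entry whose level ranges from plain information to a heavy offence. The command policy, the recipient limit and the sample session are constructed.

```python
"""Application-level proxy check on SMTP commands with graded alarms.

Added example, not code from the paper or from any firewall product.
An application level proxy knows the protocol it relays, so it can parse
every command line before passing it to the internal mail server, refuse
what the policy does not allow, and raise an alarm whose level matches
the severity of the violation. Policy, limits and the sample session are
constructed for this example; only the command phase is handled.
"""
import re
from typing import List, Optional, Tuple

ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REFUSED = {"VRFY", "EXPN"}        # disclose mailbox information: blocked by policy
MAX_LINE = 512                    # SMTP command lines are limited to 512 bytes incl. CRLF
MAX_RCPT = 100                    # recipients per message this proxy accepts
COMMAND_RE = re.compile(rb"([A-Za-z]{4})(?: ([^\r\n]*))?\r\n")

# Alarm levels, from plain log entry to heavy security offence.
LEVELS = ("info", "violation", "offence")

Decision = Tuple[str, str, str]   # (action, level, message)


def parse_command(line: bytes) -> Optional[Tuple[str, str]]:
    """Return (VERB, argument) for a well-formed command line, else None."""
    if len(line) > MAX_LINE:
        return None
    m = COMMAND_RE.fullmatch(line)
    if not m:
        return None
    verb = m.group(1).decode("ascii").upper()
    arg = (m.group(2) or b"").decode("ascii", "replace")
    return verb, arg


class SmtpCommandFilter:
    """Per-session state for the command phase of one SMTP connection."""

    def __init__(self) -> None:
        self.rcpt_count = 0

    def check(self, line: bytes) -> Decision:
        parsed = parse_command(line)
        if parsed is None:
            # Oversized or malformed lines are dropped, never relayed.
            return ("drop", "offence", "malformed or oversized command line")
        verb, _arg = parsed
        if verb in REFUSED:
            return ("block", "violation", f"{verb} refused by policy")
        if verb not in ALLOWED:
            return ("block", "violation", f"{verb} not relayed by policy")
        if verb in ("MAIL", "RSET"):
            self.rcpt_count = 0            # a new envelope starts
        elif verb == "RCPT":
            self.rcpt_count += 1
            if self.rcpt_count > MAX_RCPT:
                return ("block", "offence", "recipient limit exceeded")
        return ("relay", "info", f"{verb} relayed")


def audit_session(lines: List[bytes]) -> List[Decision]:
    """Run every command line of one session through a fresh filter."""
    flt = SmtpCommandFilter()
    return [flt.check(line) for line in lines]


def highest_alarm(decisions: List[Decision]) -> str:
    """The most severe alarm level that occurred in a session."""
    return max((d[1] for d in decisions), key=LEVELS.index, default="info")


def log_lines(decisions: List[Decision]) -> List[str]:
    """Log file entries for later analysis, one per command."""
    return [f"{level.upper():9} {action:5} {msg}" for action, level, msg in decisions]


if __name__ == "__main__":
    # Constructed session: a client probing for mailboxes and sending an oversized line.
    session = [
        b"EHLO client.example\r\n",
        b"MAIL FROM:<alice@example.org>\r\n",
        b"VRFY postmaster\r\n",
        b"RCPT TO:<bob@example.com>\r\n",
        b"HELP\r\n",
        b"A" * 600 + b"\r\n",
        b"QUIT\r\n",
    ]
    decisions = audit_session(session)
    print("\n".join(log_lines(decisions)))
    print("alarm level:", highest_alarm(decisions))
```

The highest level reached in a session is what would select the delivery path of the alarm; a circuit level proxy could not make these distinctions, because it does not know which bytes form a command.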
The warning reactions and alarms can be displayed on a monitor or be transferred as an e-mail or via an SMS gateway to the administrator.

3. AUTHENTICATION AND CRYPTOGRAPHY

Authentication and cryptography on the packet level realize an unequivocal and secure identification, where the data can additionally be encrypted. Due to the generation of session keys it is nearly impossible to analyze the network traffic. A potential hacker cannot calculate the session key in real time and is prevented from influencing the established session. Using the new IPv6 or IPsec as the standardized protocol, the Authentication Header (AH) authenticates the sent data, whereas the Encapsulating Security Payload (ESP) encrypts the data of a datagram. The Data Encryption Standard (DES), triple DES (3DES), Diffie-Hellman and RSA are used as algorithms for the encryption. Hash functions (MD5, SHA-1) construct a digital fingerprint of the data before they are encrypted with the above mentioned algorithms. The receiver decrypts and checks the datagram and gets the original and authentic data.

The security of the firewall also depends on the protocol security of IPv6. The security mechanism on the protocol level lowers the chance of abuse. As a basic demand, a secure exchange of keys and identification must be given. Each encryption and authentication needs time for the decryption, followed by more communication data. If the general encryption and verification is done by the firewall, it is possible to transfer and automate these procedures via integrated hardware. Today the technology already offers fast ICs for the realization of the DES algorithm or IDEA in hardware and thus enables the system for a high data rate. High security and data rates can even be realized by duplicating the firewall. The disadvantage of such a solution results from the fact that now two hosts are directly connected with the Internet, offering two access points for unauthorized access attempts.
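The authentication side of this section (a hash-based fingerprint over the datagram that the receiver recomputes and checks), as an added example that is not code from the paper or from any IPsec implementation. It follows the layout of the Authentication Header with an SPI, a sequence number and an integrity check value computed with HMAC-SHA-1, and shows that a modified, replayed, truncated or foreign datagram is rejected. The shared key, the SPI and the payloads are constructed; real AH additionally covers the immutable fields of the IP header and uses a sliding anti-replay window rather than the strict "sequence number must increase" rule used here.

```python
"""Datagram authentication in the style of the IPsec Authentication Header (AH).

Added example, not code from the paper or from any IPsec implementation.
It shows the mechanism of this section: a keyed hash function (here
HMAC-SHA-1; the paper names MD5 and SHA-1) produces a fingerprint of the
datagram that the receiver recomputes, so a modified, replayed or
foreign datagram is rejected. The key, SPI and payloads are constructed.
Real AH also covers the immutable IP header fields and uses a sliding
anti-replay window instead of the strict "seq must increase" rule here.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ICV_LEN = 12                  # HMAC-SHA-1-96: the 20-byte digest truncated to 12 bytes
HDR = struct.Struct("!II")    # SPI and sequence number, network byte order


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend SPI, sequence number and ICV to the payload."""
    header = HDR.pack(spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + icv + payload


class Receiver:
    """Receiver side state for one security association (SPI + key)."""

    def __init__(self, key: bytes, spi: int) -> None:
        self.key = key
        self.spi = spi
        self.last_seq = 0          # highest sequence number accepted so far

    def verify(self, datagram: bytes) -> Tuple[Optional[bytes], str]:
        """Return (payload, 'ok') if authentic and fresh, else (None, reason)."""
        if len(datagram) < HDR.size + ICV_LEN:
            return None, "truncated"
        spi, seq = HDR.unpack_from(datagram)
        icv = datagram[HDR.size:HDR.size + ICV_LEN]
        payload = datagram[HDR.size + ICV_LEN:]
        if spi != self.spi:
            return None, "unknown SPI"
        if seq <= self.last_seq:
            return None, "replay"             # cheap check first, before the HMAC
        expected = hmac.new(self.key, datagram[:HDR.size] + payload,
                            hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"            # modified data or wrong key
        self.last_seq = seq                   # advance only after a successful check
        return payload, "ok"


if __name__ == "__main__":
    key = b"constructed shared key, not a real one"
    rx = Receiver(key, spi=0x1000)
    good = protect(key, 0x1000, 1, b"intranet data")
    print(rx.verify(good))
    print(rx.verify(good))                      # replay of the same datagram
    tampered = bytearray(protect(key, 0x1000, 2, b"intranet data"))
    tampered[-1] ^= 0x01                        # flip one payload bit
    print(rx.verify(bytes(tampered)))
    print(rx.verify(protect(b"other key", 0x1000, 3, b"x")))
```

The receiver records the sequence number only after the ICV has been verified, so a forged datagram with a high sequence number cannot push the window forward and lock out genuine traffic; the comparison of the ICV uses a constant-time function, as the check itself should not leak timing information about the key.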
When an intranet is split into two or more independent parts, it makes sense to construct a separate firewall for each part.

4. CONCEPT FOR A COMMUNICATION POOL

Besides the realization of the security concept it is desirable to develop a concept for the whole network topology which eases the internal data communication and administration. In the meantime, many different applications run on different systems. Therefore it is useful to have centralized basic structures. A central server in the protected intranet offers central services for security, virus scanning, installation and administration in a computer network. Beyond the security in the form of a firewall as the entrance to the Internet, the control of the network must be done inside the intranet. This is not only valid for the installation of software patches for different operating systems or centrally installed applications; a distributed firewall could also be developed as a security management.

On several hosts different services are active in parallel and controlled by a central server. This server should be included in the internal network and should not have any direct connection to the dedicated firewall host, so that it is protected against attacks from outside. The services running on the hosts inside the intranet use the information from the internal central server. Data transferred inside such an intranet are automatically virus-scanned whenever they are transferred among the hosts. The steady check of the internal network traffic detects restricted connections to the Internet, e.g. by prohibited modems. The homogeneity of the network brings the advantage of centralized data storage for services and configuration files.

A network is always only as secure as its weakest element. Thus an internal disturber or a forbidden connection from the Internet to the whole network can produce the same dangers as old-fashioned protocol implementations or bugs in the operating system. Of course, the central management and the distribution of services demand reliability and security of the single applications. The communication of these applications in the form of a standard mechanism is the common basis. The security against failures of the internal server is not problematic, because the firewall implements the main security concept. The distribution of applications to different hosts can also be realized in such a concept, where the central server is available as a recovery server logging and temporarily storing the data traffic and the transferred data. A central management should minimize the costs and optimize the security, whereby the single hosts should not suffer restrictions in their performance. The central management should not lower the speed of the network traffic.
A firewall can meet the demand for global support of IPv6 in an optimal manner, because the implementation of the protocol protects at least one's own intranet until the protocol is generally applied in the whole Internet.