How are they used? Where do firewalls live?
- On the borders of network segments
- Two-way static routes between mutually trusting subnets
- Interdepartmental routing within an organization
How are they used?
- NAT configuration for a private/business network
- Firewall interfaces: external (public presence) and internal (gateway address)
- whiteruby.rit.edu vs. whiteruby.tuesday.local
- Internal network addresses: *.tuesday.local
Software Firewalls
Pros
- Does not require additional hardware.
- Does not require additional network wiring.
- A good option for single computers.
- Very easy to configure.
Cons
- Since they run on your computer, they consume resources (CPU, memory and disk space) from your system.
- They can introduce incompatibilities into your operating system.
- One copy is typically required for each computer.
Hardware Firewalls
Pros
- They tend to provide more complete protection than software firewalls.
- A hardware firewall can protect more than one system at a time.
- They do not affect system performance, since they do not run on your system.
- They are independent of your operating system and applications.
Cons
- They tend to be expensive, although if you have a number of machines to protect, one hardware firewall can cost less than a number of copies of a software product.
- Since they do not run on your computer, they can be challenging to configure.
Choosing the right firewall:
- The size of your network
- The level of security you're looking for
- The amount of money you're willing to pay
- Compatibility and interoperability
Available Firewalls - Windows Built-in
Pros
- Available on every Windows computer by default as of SP2
- No configuration needed beyond enabling it
Cons
- Who will police the police?
- Outbound traffic is barely restricted, if at all
- Could create a false sense of security in ordinary users
Available Firewalls - ISA Server
- Useful for a large business network
- Based on a combination of application-layer and packet-filtering technology
- Allows restriction of outgoing access by user, program, destination, and other criteria
- Restricts incoming access as necessary
- VPN support
Scriptable Firewall Systems
- OpenBSD (pf): http://www.openbsd.org/faq/pf/
- FreeBSD (ipf, ipfw):
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
- Linux 2.4 and later (iptables): http://www.netfilter.org/
Getting Started with Firewalls
You need:
- One (1) computer with two (2) network interfaces
- Somebody else's network (read: the Internet)
- Several of your own computers
- A hub or a switch to connect your own computers together
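The two-interface gateway described in the slides above (external interface facing somebody else's network, internal interface facing your own hosts, NAT in between) comes down to a short, order-sensitive ruleset. The following is an added example, not part of the original slides or of any of the listed firewall products: it generates a default-deny iptables ruleset for such a gateway and audits it for the two invariants that matter most. Interface names (eth0/eth1), the internal subnet and the single inbound service are assumptions for illustration.

```python
"""Generate and audit a default-deny iptables ruleset for a two-NIC NAT gateway.

Added example, not from the original slides. Interface names, the LAN range
and the inbound admin service are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Gateway:
    ext_if: str = "eth0"           # external interface: the public presence (assumed name)
    int_if: str = "eth1"           # internal interface: the LAN's gateway address (assumed name)
    lan: str = "192.168.10.0/24"   # internal network, an assumed RFC 1918 range
    allowed_in: List[Tuple[str, int]] = field(default_factory=lambda: [("tcp", 22)])


def generate_rules(gw: Gateway) -> List[str]:
    """Return the iptables commands, in the order they must be applied."""
    rules = [
        # Default deny on the chains that see untrusted traffic.
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        # Loopback must always pass or local services on the gateway break.
        "iptables -A INPUT -i lo -j ACCEPT",
        # Stateful core: replies to tracked connections pass first, so every
        # later rule only has to reason about NEW connections.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Anti-spoofing: nothing arriving from the Internet may claim a LAN source.
        f"iptables -A INPUT -i {gw.ext_if} -s {gw.lan} -j DROP",
        f"iptables -A FORWARD -i {gw.ext_if} -s {gw.lan} -j DROP",
        # LAN hosts may initiate connections outward and talk to the gateway itself.
        f"iptables -A FORWARD -i {gw.int_if} -o {gw.ext_if} -s {gw.lan} "
        "-m conntrack --ctstate NEW -j ACCEPT",
        f"iptables -A INPUT -i {gw.int_if} -s {gw.lan} -j ACCEPT",
    ]
    # Services the gateway exposes on its public side (here only admin SSH).
    for proto, port in gw.allowed_in:
        rules.append(f"iptables -A INPUT -i {gw.ext_if} -p {proto} --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    # NAT: rewrite LAN sources to the external interface's address on the way out.
    rules.append(f"iptables -t nat -A POSTROUTING -o {gw.ext_if} -s {gw.lan} -j MASQUERADE")
    rules.append("sysctl -w net.ipv4.ip_forward=1")
    return rules


def audit(rules: List[str], ext_if: str) -> List[str]:
    """Return invariant violations: INPUT/FORWARD must default to DROP, and no
    FORWARD rule may ACCEPT fresh connections arriving on the external interface."""
    problems = []
    for chain in ("INPUT", "FORWARD"):
        if f"iptables -P {chain} DROP" not in rules:
            problems.append(f"{chain} policy is not DROP")
    for r in rules:
        if (" -A FORWARD " in r and f"-i {ext_if}" in r
                and "-j ACCEPT" in r and "ESTABLISHED" not in r):
            problems.append(f"external interface may open connections into the LAN: {r}")
    return problems


def render(rules: List[str]) -> str:
    """Emit the rules as a shell script body."""
    return "#!/bin/sh\nset -e\n" + "\n".join(rules) + "\n"


if __name__ == "__main__":
    gw = Gateway()
    rules = generate_rules(gw)
    assert audit(rules, gw.ext_if) == []
    print(render(rules))
```

Order is the point: the ESTABLISHED,RELATED rule sits above everything else so the remaining rules only describe who may open a new circuit, and the anti-spoofing drops sit above the LAN accepts so a forged LAN source on the external interface never matches them. The commands use legacy iptables syntax; on nftables-based distributions the iptables-nft shim accepts the same lines.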
Getting Started with Firewalls
Software firewalls:
- m0n0wall: http://m0n0.ch/wall/
- Smoothwall: http://smoothwall.net/ or http://smoothwall.org/ (Clever marketing! Check this out, it's two different websites)
What is Intrusion Detection?
- Host-based IDS: a single tapped network host
- Network-based IDS: one or more tapped network segments; tapped gateways or firewalls
Circuit-Level Firewalls
- TCP handshaking
- Authorized connections are counted
- New traffic is automatically allowed for open connections
- Every circuit acts as a data source for IDS-type analysis or logging
- "Intelligent" network switches
- Paranoia? Watch what you say!
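The slide above describes the core of a circuit-level filter: a circuit is created only by a proper TCP handshake, traffic belonging to an open circuit passes automatically, and every circuit is a logging source. The following is an added example, not code from the original slides or from any product they mention: a small connection tracker over TCP flags that implements that policy for an inside network allowed to initiate circuits and an outside network that is not. The packet model, the flag letters and the addresses are assumptions for illustration; real trackers also check sequence numbers and expire entries on timeouts, which are omitted here.

```python
"""Stateful circuit-level filtering driven by the TCP handshake.

Added example, not from the original slides. Packet model, flag letters and
the inside-may-initiate policy are assumptions for illustration; sequence
number checks and state timeouts of a real tracker are deliberately omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = sent from the inside network, "in" = from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST, e.g. "SA"


# A circuit is keyed from the inside host's point of view regardless of the
# packet's direction, so both halves of one conversation share a table entry.
Circuit = Tuple[str, int, str, int]


class CircuitFilter:
    def __init__(self) -> None:
        self.table: Dict[Circuit, str] = {}  # open circuits -> handshake state
        self.log: List[str] = []             # every verdict, for IDS-style review

    @staticmethod
    def _circuit(p: Packet) -> Circuit:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _decide(self, verdict: bool, why: str, c: Circuit, p: Packet) -> bool:
        self.log.append(f"{'PASS' if verdict else 'DROP'} {why} {c} flags={p.flags}")
        return verdict

    def filter(self, p: Packet) -> bool:
        c = self._circuit(p)
        state = self.table.get(c)

        # No circuit yet: only an inside-originated bare SYN may open one. An
        # unsolicited inbound SYN, or a stray ACK to an unknown tuple, is dropped.
        if state is None:
            if p.direction == "out" and p.flags == "S":
                self.table[c] = "SYN_SENT"
                return self._decide(True, "new circuit", c, p)
            return self._decide(False, "no circuit", c, p)

        # RST from either side tears the circuit down; the RST itself is forwarded.
        if "R" in p.flags:
            del self.table[c]
            return self._decide(True, "reset", c, p)

        if state == "SYN_SENT":
            if p.direction == "in" and p.flags == "SA":
                self.table[c] = "SYN_RECV"
                return self._decide(True, "syn-ack", c, p)
            return self._decide(False, "bad handshake", c, p)

        if state == "SYN_RECV":
            if p.direction == "out" and p.flags == "A":
                self.table[c] = "ESTABLISHED"
                return self._decide(True, "established", c, p)
            return self._decide(False, "bad handshake", c, p)

        # ESTABLISHED or half-closed: data flows both ways without further
        # checks; a FIN from each side closes the circuit.
        if "F" in p.flags:
            if state == "ESTABLISHED":
                self.table[c] = f"FIN_{p.direction}"      # first side has closed
            elif state != f"FIN_{p.direction}":
                del self.table[c]                          # second side has closed
                return self._decide(True, "closed", c, p)
        return self._decide(True, state.lower(), c, p)

    def open_circuits(self) -> int:
        return len(self.table)


def demo() -> Tuple[List[bool], int]:
    """Run a constructed packet sequence through the filter; return the
    per-packet verdicts and how many circuits remain open afterwards."""
    fw = CircuitFilter()
    inside, outside = "192.168.10.5", "203.0.113.80"  # constructed RFC 1918 / TEST-NET-3 hosts
    seq = [
        Packet("out", inside, 40000, outside, 80, "S"),       # client SYN opens a circuit
        Packet("in", outside, 80, inside, 40000, "SA"),       # server SYN/ACK
        Packet("out", inside, 40000, outside, 80, "A"),       # handshake complete
        Packet("in", outside, 80, inside, 40000, "A"),        # server data, allowed automatically
        Packet("in", "198.51.100.9", 5555, inside, 22, "S"),  # unsolicited inbound SYN: dropped
        Packet("in", outside, 80, inside, 40001, "A"),        # ACK to a tuple with no circuit: dropped
        Packet("out", inside, 40000, outside, 80, "FA"),      # client closes
        Packet("in", outside, 80, inside, 40000, "FA"),       # server closes, circuit removed
        Packet("in", outside, 80, inside, 40000, "A"),        # late packet after teardown: dropped
    ]
    verdicts = [fw.filter(p) for p in seq]
    return verdicts, fw.open_circuits()


if __name__ == "__main__":
    verdicts, still_open = demo()
    print(verdicts, still_open)
```

The log list is what the slide means by each circuit being an IDS data source: every open, drop and close is recorded with the tuple it concerns, so the same structure that enforces the policy also feeds later analysis.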
Big Brother IDS
- Snort: the de facto IDS, http://www.snort.org/docs/
- Monitor everything; log and classify
- Build signatures for: legitimate use patterns; attack patterns
- Tap placement is everything: http://www.snort.org/docs/iss-placement.pdf
Where to Tap?
- Network gateways: connections from users to the Internet
- Circuit-level tap: monitor connections between local network users
- Host-based IDS: system logs and user information; decrypted traffic
Conclusions
- Is there anybody left in the audience who wants to see a large-scale IDS implemented here at RIT? Definitely not me!
- Or across your ISP's network? Definitely not me!
- Questions?