Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 25: Firewalls Introduce several types of firewalls

Similar presentations

Presentation on theme: "Lecture 25: Firewalls Introduce several types of firewalls"— Presentation transcript:

1 Lecture 25: Firewalls Introduce several types of firewalls
Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP L25

2 What is a Firewall? A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. C. Ding -- COMP L25

3 In other words… “A data sentry at the gateway to your network, combining the power of multiple firewall technologies to deliver powerful perimeter security” C. Ding -- COMP L25

4 What a Firewall does Implement security policies at a single point
Monitor security-related events (audit, log) Provide strong authentication Allow virtual private networks C. Ding -- COMP L25

5 What a Firewall does not do
Protect against attacks that bypass the firewall Dial-out from internal host to an ISP Protect against internal threats disgruntled employee Insider cooperates with an external attacker Protect against the transfer of virus-infected programs or files C. Ding -- COMP L25

6 Firewall - Typical layout
A firewall denies or permits access based on policies and rules Protected Private Network Internet C. Ding -- COMP L25

7 Protected Private Network
Watching for attack Monitor Log Notify Protected Private Network Internet Attack C. Ding -- COMP L25

8 Firewall technologies
Common firewall technologies: They may be classified into four categories: Packet Filtering Firewalls Circuit Level Firewalls Application Gateway Firewalls (or proxy servers) Stateful Inspection Firewalls (dynamic packet filtering firewalls) These technologies operate at different levels of detail, providing varying degrees of network access protection. These technologies are not mutually exclusive as some firewall products may implement several of these technologies simultaneously. C. Ding -- COMP L25

9 The Internet protocol stack
Application Transport TCP, UDP . . . Network IP Data Link Physical Leased Line, ISDN, xDSL . . . LAN Interface Card Drivers, MAC Address PPP, Frame Relay . . . WAN LAN C. Ding -- COMP L25

10 Packet Filtering Firewalls
C. Ding -- COMP L25

11 Packet Filtering firewalls
The original firewall Works at the network level of the OSI model Applies packet filters based on access rules Source address Destination address Application or protocol Source port number Destination port number C. Ding -- COMP L25

12 Packet Filtering firewalls
C. Ding -- COMP L25

13 Packet Filtering firewalls
Packet Filtering is usually an integrated function of a router. Packet filtering relies on Network Layer and Transport Layer information contained in the headers of data packets to police traffic. This information includes source IP address and port number, destination IP address and port number, and protocol used (e.g., TCP, UDP, ICMP). This information is used as the criteria in network access rules. These rules are organized into several “filter sets” and each set handles traffic coming to the firewall over a specific interface. C. Ding -- COMP L25

14 Packet Filtering Policy Example
My host Other host action name port comments block * Block everything from MS allow My-gateway 25 Allow incoming mail C. Ding -- COMP L25

15 Packet Filtering Policy Example
Rule 1 2 3 4 5 6 7 8 Direction Out In In & Out Source Address * 10.56* 10.122* Destination * Protocol TCP # Source Port 23 (Telnet) # Destin. 25 (Mail) 513 (rlogin) 20 (FTP) Action Drop Pass Slide 16 C. Ding -- COMP L25

16 Web Access Through a Packet Filter Firewall
ACK: = positive acknowledgement message for the sender from the receiver. Typically just one bit. C. Ding -- COMP L25

17 Packet Filtering Firewalls
Firewall/Router Output Filter Access Rules Input Filter Access Rules Internal Network Router Network Network Data Link Data Link Internet Physical Physical C. Ding -- COMP L25

18 Packet Filtering Firewalls: pros and cons
Advantages: Simple, low cost, transparent to user Disadvantages: Hard to configure filtering rules Hard to test filtering rules Don’t hide network topology (due to transparency) May not be able to provide enough control over traffic C. Ding -- COMP L25

19 Circuit Level Firewalls (Circuit Level Gateways)
C. Ding -- COMP L25

20 Circuit Level Firewalls
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP Monitor TCP handshaking between packets to determine whether a requested session is legitimate. C. Ding -- COMP L25

21 Circuit Level Firewalls
C. Ding -- COMP L25

22 Application Gateway Firewalls (Proxy Firewalls)
C. Ding -- COMP L25

23 Application Gateway firewalls
Similar to circuit-level gateways except that they are application specific. Every connection between two networks is made via an application program called a proxy Proxies are application or protocol specific Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected. Gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through C. Ding -- COMP L25

24 Application Gateway Firewalls
Data Link Network Internet Physical Internal Router Transport Application Application Proxies C. Ding -- COMP L25

25 Application Gateway Firewalls
C. Ding -- COMP L25

26 Application Gateway Strengths
Very secure if used in conjunction with an intelligent packet filtering firewall Well designed proxies provide excellent security C. Ding -- COMP L25

27 Application Gateway weaknesses
Very CPU intensive Requires high performance host computer Host operating system liable to attack Many proxies are transparent to application Not transparent to users Expensive C. Ding -- COMP L25

28 Stateful Inspection Firewalls
C. Ding -- COMP L25

29 Stateful Inspection Firewalls
Third generation firewall technology, often referred to as dynamic packet filtering Understands data in packets from the network layer (IP headers) up to the Application Layer Tracks the state of communication sessions C. Ding -- COMP L25

30 Stateful Inspection Firewalls
Firewall/Router Router Network - Access Rules Transport - Access Rules Application - State Table Inspection Module Data Link Network Internal Physical Internet C. Ding -- COMP L25

31 Protected Private Network
Dynamic Filtering Stateful Inspection firewalls dynamically open and close ports (application specific connection points) based on access policies. Protected Private Network Firewall checks policies to validate sending computer and allows traffic to pass to Public network Internet User initiates web session Return traffic for validated web session is permitted and the state of the flow is monitored Other traffic from public network is blocked C. Ding -- COMP L25

32 Stateful Inspection Strengths
Monitors the state of all data flows Dynamically adapts filters based on defined policies and rules Easily adapted to new Internet applications Transparent to users Low CPU overheads C. Ding -- COMP L25

33 Stateful Inspection Weaknesses
Need to provide new client program Might have problems with the availability of source code for various platforms C. Ding -- COMP L25

34 Stateful Inspection Firewalls
These are among the most secure firewalls available today “fooling them can be a lot of work” Jon McCown, network security analyst for the - U.S. National Computer Security Agency (NCSA) C. Ding -- COMP L25

35 General Performance C. Ding -- COMP L25

36 Other Issues about Firewalls
C. Ding -- COMP L25

37 RADIUS Support Remote Authentication Dial-In User Services
A single, central security database for all system users Centralised management of access lists C. Ding -- COMP L25

38 Remote access security
Dial-in user authenticated Telephony Services Head office Firewall policy assigned to dial-in user before completing connection to network Remote Dial-in user C. Ding -- COMP L25

39 Stateful Inspection Implementation
Firewall checks policy rules to validate sender Return traffic for validated web session is permitted and the state of the flow is monitored Protected private network Internet User initiates web session Firewall opens required port and allows traffic to pass to public network C. Ding -- COMP L25

40 Network Address Translation
Firewall substitutes private address to public address and forwards to the Internet Protected private network Internet Firewall translates return flow from Public to Private address User communicates with Internet using a private IP address C. Ding -- COMP L25

41 Application Level Gateway Example
Gateway completes connection FTP Server If connection is valid the state table is updated and connection to FTP Server established FTP connection initiated from public network Access rules verified C. Ding -- COMP L25

42 Session Logging The firewall can be configured to log an extensive range of events Including: All denied packets All allowed packets Selected allowed and denied packet types Etc. C. Ding -- COMP L25

43 Notification SNMP/SMTP
sent to specified address Firewall detects attack (Port Scan) Protected private network Internet SNMP Trap message to management platform SNMP: simple network management protocol C. Ding -- COMP L25

44 Notification and Reconfiguration
Web Server DMZ Firewall detects attack (SYN Flood) Protected private network Internet sent to System Manager Firewall automatically reconfigured to deny all External access to WEB Server C. Ding -- COMP L25

45 Secure management Secure encrypted and authenticated remote management
Secure Shell “SSH” RSA encryption keys bits DES and Triple DES encryption for SSH sessions Can limit access to specific user addresses C. Ding -- COMP L25

46 Network configuration examples
C. Ding -- COMP L25

47 Protected private network
Allow all access from private network to the Internet Deny all access from the Internet to the private network Protected private network Internet C. Ding -- COMP L25

48 Semi-Militarised Zone
Protected private network All unauthorised traffic is blocked Private network for corporate servers and users Internet WEB Server SMZ Firewall policy limits incoming access to WEB and mail server from public network All other incoming traffic blocked SMZ Mail Server Semi Militarised Zone C. Ding -- COMP L25

49 Private LAN stays secure
Protected private network Internet WEB Server Login:hacker Password:please OK Then! SMZ Mail Server Semi-Militarised Zone C. Ding -- COMP L25

50 Protected private network
Demilitarised Zone Protected private network Open access between private LAN and DMZ Static filters between private LAN and DMZ used to control access Allow SMTP, From here to there only Internet WEB Server DMZ Mail Server Demilitarised Zone C. Ding -- COMP L25

51 Concluding Remarks All that a firewall can do it’s to control network activities between OSI levels 2 and 7. They cannot keep out data carried inside applications, such as viruses within messages: there are just too many way of encoding data to be able to filter out this kind of threat. Although Firewalls provide a high level of security in today's Private Networks to the outside world we still need the assistance of other related Security components in order to guarantee proper network security. C. Ding -- COMP L25

Download ppt "Lecture 25: Firewalls Introduce several types of firewalls"

Similar presentations

Ads by Google