Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Similar presentations

Presentation on theme: "Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)"— Presentation transcript:

1 Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

2 Firewalls are not just for companies any more: the changing home

3 High Speed Internet Connections Drive the importance of security

4 The home Network: always on the Net

5 Always on, all hackers all the time For me to attack your system, I must send packets to it With dial, you get a different IP address for each call and in relative terms that call is not long Big issue is that you will have the same IP address for a long time with persistent connections You may have the same IP address ALL the time. So plenty of time for someone to go after you Personal PCs have the standard OS vulnerabilities Private Web servers easy targets

6 Windows file sharing does not help Admin Shares –$c –On by default in Win 9* and older NT Browser Service –Network Neighborhood –Could see everyone else's PCs Hard to turn it off on Internet facing interfaces interfaces Who cares? QDATA.*

7 Multiple security problems Defense in Depth

8 The tradeoffs

9 Costs Dollars for the software Download of updates Customization –most software out of the box works fine –File and print sharing on your home LAN –special apps Checking logs

10 Example of customization

11 The firewall: The first line of defense

12 What a firewall does not do

13 Firewall technologies Network Address Translation

14 A digression, TCP/IP

15 Internet Protocol

16 TCP

17 TCP connection flow the syn is unique to session start

18 TCP Ports Identify the App

19 IP addresses

20 Private IP addresses Routable IP addresses are scarce Not every system in the world needs direct and always on access to the Internet Private addresses allows you to address many more systems than the public address space (public addresses can be routed over the internet For a private addressed system to access the internet it must be translated to a public address Private addresses are defined by RFC 1918 –10.*.*.*, 172.16.*.*-172.31.*.*, 192.168.*.*

21 Public IP address assignment If you are dialing up, you get one for the duration of the call and it will change If you are on a always on you MAY get a one –Providers charge for more than 1 permanent IP addresses –Some cable systems change your address so you cant host a server without them knowing (and of course you paying) To address multiple PCs and have them access the internet you must NAT

22 Network Address Translation

23 Enterprise NAT NAT is also used to hide addresses –Remote end can only see the NATed address not the real one Both ends use private addresses And will often have duplicates ( So will often dual nat that is translate both source and destination Can even map ports so 1 address, multiple servers – port 80; – port 25; – port 20:

24 Pat Port address translation Allows many stations to share 1 ip address Depends on keeping track what source port and IP address for each connection Then select a unique port to associate with the single public IP address

25 Packet Filtering the basis of a firewall

26 Packet Filtering Firewalls will trust inside addresses Spoofing: attacker makes their address look like an inside address Will rely on the TCP ACK bit to determine if a connection is inbound or outbound –will permit all outbound (you to the Inet) by default Can configure what inbound connections you want to allow (home web server) Does not work well with certain applications –FTP opens connections from the outside –Media and VOIP use dynamic ports

27 Stateful Inspection

28 Stateful inspection Look at outbound connection request to the Internet Remember the addresses and the ports Only permit traffic from the Internet if it saw that it was initiated from the inside network All modern firewalls work this way

29 Proxy Server

30 Since application is intercepted Can authenticate by user Can log content Can block content by looking at the URLs All web access is via proxy

31 Authentication w/o proxy Telnet or web to the firewall the login –then can access all other services Dedicated client –Firewall-1 has a custom client –Firewall contacts client code when user tries to access a service –ask for login and if ok grants it.

32 A firewall: Always does packet filters Always does stateful packet filtering Always logs May have a proxy May do authentication

33 Corporate Firewalls Appliance based –PIX, FW1 Nokia –more expensive –Dedicated OS –Harder to crack as fewer OS issues –Harder to scale (as based on specific hardware) Computer based –Runs on NT or Unix –Can leverage existing computers –Easier to learn at home

34 Home Firewalls Device Based –Part of your access box or can get a dedicated appliance –May be free with a box you are already getting –Does not touch your OS but then may need more configuration –Do not have to touch multiple computers –Does not impact inside the house OS based –Tied into the network stack –Can easily deal with custom apps –May need to modify for home access

35 Linksys Router (appliance)

36 Linksys Router Filtering

37 Linksys Router logs

38 Norton Personal Firewall (part of OS)

39 Application list

40 Summary If you access the internet at all get an OS based firewall If you have always on get an appliance based Or even better use both.

Download ppt "Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)"

Similar presentations

Ads by Google