
Firewalls : usage Data encryption Access control : usage restriction on some protocols/ports/services Authentication : only authorized users and hosts.


1 Firewalls : usage
– Data encryption
– Access control : usage restriction on some protocols/ports/services
– Authentication : only authorized users and hosts (machines)
– Monitoring for further auditing
– Packet filtering
– Compliance with the specified protocols
– Virus detection
– Isolation of the internal network from the Internet
– Connection proxies (masking of the internal network)
– Application proxies (masking of the « real » software)

2 Firewalls : basics
All packets exchanged between the internal and the external domains go through the FW, which acts as a gatekeeper
– external hosts « see » the FW only
– internal and external hosts do not communicate directly
– the FW can take very sophisticated decisions based on the protocol implemented by the messages
– the FW is the single access point => authentication + monitoring site
– an ordered set of "flow rules" determines the decision taken for each packet or connection
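The "flow rules" decision step, as an added example (not code from the presentation): an ordered first-match rule set for the three zones of the architecture slides (outside world, DMZ with the public servers, internal network), with an implicit default deny and one audit line per decision. Zones, addresses (RFC 5737 / RFC 1918 ranges) and the sample traffic are constructed for the example.

```python
"""Ordered first-match packet filter for an outside / DMZ / internal layout.
Added example; zones, addresses and sample traffic are constructed, not from the slides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_zone: str            # interface the packet arrived on: "outside", "dmz" or "internal"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    in_zone: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches every port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.in_zone in ("any", p.in_zone)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed addressing (hypothetical): internal network, DMZ and the two bastions in it.
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
WEB = "192.0.2.10/32"
MAIL = "192.0.2.25/32"

RULES: List[Rule] = [
    # Anti-spoofing: an internal source address may only enter on the internal interface.
    Rule("deny", in_zone="outside", src=INTERNAL, comment="spoofed internal source from outside"),
    Rule("deny", in_zone="dmz", src=INTERNAL, comment="spoofed internal source from DMZ"),
    # Public services in the DMZ: reachable from anywhere, on their service port only.
    Rule("allow", proto="tcp", dst=WEB, dport=80, comment="HTTP to DMZ web server"),
    Rule("allow", proto="tcp", dst=MAIL, dport=25, comment="SMTP to DMZ mail server"),
    # Internal hosts may open connections outwards (return traffic is left to stateful tracking).
    Rule("allow", in_zone="internal", src=INTERNAL, comment="internal to anywhere"),
    # A compromised bastion must not reach the internal network.
    Rule("deny", in_zone="dmz", dst=INTERNAL, comment="DMZ to internal"),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the implicit default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "default deny"


def audit_line(p: Packet) -> str:
    """Monitoring: one log line per decision, so the single access point can be audited later."""
    action, why = decide(p)
    port = "" if p.dport is None else f":{p.dport}"
    return f"{action.upper():5} {p.in_zone}:{p.proto} {p.src} -> {p.dst}{port} ({why})"


if __name__ == "__main__":
    samples = [  # constructed test traffic
        Packet("outside", "tcp", "203.0.113.7", "192.0.2.10", 80),   # allowed: public web server
        Packet("outside", "tcp", "203.0.113.7", "10.0.0.5", 22),     # no rule: default deny
        Packet("outside", "tcp", "10.1.1.1", "192.0.2.10", 80),      # spoofed internal source
        Packet("internal", "tcp", "10.1.1.1", "203.0.113.9", 443),   # outbound browsing
        Packet("dmz", "tcp", "192.0.2.10", "10.0.0.5", 445),         # bastion trying to pivot inside
    ]
    for s in samples:
        print(audit_line(s))
```

The order matters: the anti-spoofing denies sit before any allow, and the "internal to anywhere" allow is restricted by the ingress zone so that a DMZ host forging an internal source cannot use it.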

3 Firewalls : architecture (I)
(diagram) Outside world, Exterior router, Firewall, Interior router, Internal network; the servers are placed in the DMZ (DeMilitarized Zone)

4 Firewalls : architecture (II) : merging exterior and interior FW
(diagram) Outside world, a single Exterior/Interior Firewall, Internal network; the servers are placed in a DMZ attached to the firewall

5 Firewalls : architecture (III) : merging exterior FW and servers
(diagram) Outside world, External Firewall + servers, DMZ, Internal Firewall, Internal network. Meh…

6 Firewalls : architecture (IV) : managing multiple subnetworks
(diagram) Outside world, Exterior/Interior Firewall, servers in the DMZ, Backbone, Internal subnetwork A, Internal subnetwork B, an additional Firewall in front of one of the subnetworks

7 Firewalls : architecture (V) : managing multiple exterior FW
(diagram) Internet, Exterior Firewall A with Sub-DMZ A, Exterior Firewall B (e.g. supplier network) with Sub-DMZ B, servers, Interior Firewall, Internal network

8 Firewalls : architecture (VI) : managing multiple DMZ
(diagram) Internet, Exterior/Interior Firewall A with DMZ A (Servers A), Exterior/Interior Firewall B (e.g. supplier network) with DMZ B (Servers B), Internal network

9 Firewalls : architecture (VII) : internal FW
(diagram) Outside world, Exterior/Interior Firewall, servers in the DMZ, Internal network, Sensitive area Firewall, Sensitive area

10 Firewalls : some recommendations
Bastion hosts
– better to put the bastions in a DMZ than in the internal network
– disable non-required services
– do not allow user accounts
– apply all OS patches
– safeguard the logs (a compromised bastion must not be able to erase its own trail)
– run a security audit
– do secure backups
Avoid putting in the same zone entities that have very different security requirements

11 Using proxies (I)
Proxies can be used to « hide » the real servers
Interior => Exterior traffic
– Give the internal user the illusion that she/he accesses the exterior server
– But intercept the traffic to/from the server, analyze the packets (check compliance with the protocol, search for keywords, etc.), log the requests
Exterior => Interior traffic
– Give the external user the illusion that she/he accesses the interior server
– But intercept the traffic to the server, analyze the packets (check compliance with the protocol, search for keywords, etc.), log the requests

12 Using proxies (II)
Advantage
– knowledge of the service/protocol => efficiency and « intelligent » filtering
– Ex : session tracking, stateful connection
Disadvantages
– one proxy per service !
– may require modifications of the client
– do not exist for all services
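The inspection step of an application proxy, as an added example (not code from the presentation): it parses an HTTP/1.x request head, checks protocol compliance (request line shape, header syntax, the Host header HTTP/1.1 requires), applies a keyword search and produces a log line, which is the "analyze the packets, log the requests" part of slide 11. The allowed-method set, the keyword blocklist and the sample requests are constructed here; a real proxy would in addition terminate the client connection and re-issue the request to the server.

```python
"""HTTP request inspection as performed by an application proxy.
Added example; method set, blocklist and sample requests are constructed."""
import re
from typing import Dict, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}             # constructed policy
BLOCKED_KEYWORDS = ("/etc/passwd", "<script")         # constructed keyword blocklist
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")  # token ":" value


def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Return ("forward", summary) or ("block", reason) for one raw request head."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "block", "non-ASCII bytes in header section"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return "block", "header section not terminated by CRLF CRLF"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "block", "malformed request line"          # protocol compliance failure
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return "block", f"method {method} not allowed"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        h = HEADER.match(line)
        if not h:
            return "block", f"malformed header: {line!r}"  # also rejects obs-fold continuations
        headers[h.group(1).lower()] = h.group(2)
    if version == "1.1" and "host" not in headers:
        return "block", "HTTP/1.1 request without Host header"
    haystack = (target + " " + " ".join(headers.values())).lower()
    for kw in BLOCKED_KEYWORDS:
        if kw in haystack:
            return "block", f"keyword {kw!r} matched"
    return "forward", f"{method} {target} to {headers.get('host', '-')}"


def log_line(client: str, raw: bytes) -> str:
    """One audit line per request, whatever the decision."""
    decision, detail = inspect_request(raw)
    return f"{client} {decision} {detail}"


# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
TRAVERSAL = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GARBAGE = b"GET  /  HTTP/1.1\r\nHost: www.example.com\r\n\r\n"   # double spaces: not a request line

if __name__ == "__main__":
    for req in (GOOD, TRAVERSAL, NO_HOST, BAD_METHOD, GARBAGE):
        print(log_line("10.0.0.7", req))
```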

13 Static Network Address Translation (NAT) (I)
(diagram, from Arkoon Inc. tutorial) a host of the Internal network has address xxx.xxx.xxx.xxx; the outside sees it as yyy.yyy.yyy.yyy

14 Static Network Address Translation (NAT) (II)
(diagram) internal host xxx.xxx.xxx.xxx, FW, exterior host; on the outside the packets carry yyy.yyy.yyy.yyy
– The FW maintains an address translation table
– Outbound, the FW transforms address xxx.xxx.xxx.xxx into yyy.yyy.yyy.yyy in the « source address » field
– Inbound, the FW transforms address yyy.yyy.yyy.yyy into address xxx.xxx.xxx.xxx in the « destination address » field
– This operation is transparent for both the exterior and the interior hosts

15 Applications
– Non TCP/UDP based protocols (static NAT rewrites only IP addresses, so it does not need port numbers)
– Pre-defined partnership addresses
– Web server, mail… (traffic to Internet)
– Application server (hidden behind a FW)
– Host known/authenticated outside with a specific address
– …

16 PAT : Port Address Translation (I)
(diagram, from Arkoon Inc. tutorial) Port 80 on the FW side is mapped to Port 2033 on the Internal network side

17 PAT : Port Address Translation (II)
– Connections are opened from an exterior host
– Translation table
– Use of fewer public addresses
– Flexible management of server ports

18 PAT : Port Address Translation (III) (from Arkoon Inc. tutorial)
Setup: user @IP 'U'; FW @IP 'P'; on the Internal network, Web server @IP1 port 80 and Web server @IP2 port 80
Translation table on @IP « P »
– port 80 → @IP1 : port 80
– port 81 → @IP2 : port 80
Exchange 1: U → P:80 is rewritten to U → IP1:80; the reply IP1:80 → U is rewritten to P:80 → U
Exchange 2: U → P:81 is rewritten to U → IP2:80; the reply IP2:80 → U is rewritten to P:81 → U
The user only ever sees the single public address P; which internal server answers is decided by the destination port

19 Masking (I)
(diagram, from Arkoon Inc. tutorial) the Internal network behind the FW

20 Masking (II)
– Connections are opened by internal hosts
– Dynamic connection table (IP address + source port number)
– One single address is known outside (the FW address)
– Saves IP addresses

21 Masking (III) (from Arkoon Inc. tutorial)
Setup: internal hosts @IP1 and @IP2 on the Internal network; Arkoon FW @IP 'M'; Web servers @IP 'W' and @IP 'W2'
Translation table on @IP « M » (internal address:port (assigned FW port) -> destination)
– 1:1025 (10000) -> W
– 2:1025 (10001) -> W
– 2:1026 (10000) -> W2
Flows
– 1:1025 -> W leaves as M:10000 -> W; the reply W -> M:10000 is delivered as W -> 1:1025
– 2:1025 -> W leaves as M:10001 -> W; the reply W -> M:10001 is delivered as W -> 2:1025
– 2:1026 -> W2 leaves as M:10000 -> W2; the reply W2 -> M:10000 is delivered as W2 -> 2:1026
FW port 10000 is reused for the flow to W2: the table entry is keyed by the destination as well, so the replies W -> M:10000 and W2 -> M:10000 are not ambiguous
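The three translation mechanisms of slides 13 to 21 (static NAT, static PAT, masking), as one added example that is neither the presentation's nor Arkoon's code. Each class holds the translation table the slides describe and rewrites the address fields in both directions; the masking class replays the slide 21 trace, including the reuse of FW port 10000 for a different destination, and drops inbound packets for which no internal host opened a flow. Addresses are constructed from RFC 5737 / RFC 1918 ranges and stand in for the slides' xxx/yyy placeholders and for @IP 'P', @IP 'M', @IP 'W' and @IP 'W2'.

```python
"""Static NAT, static PAT and masking (dynamic NAPT) translation tables.
Added example; all addresses are constructed stand-ins for the slides' placeholders."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One-to-one table internal xxx <-> public yyy: source rewritten on the way out,
    destination on the way in.  Ports are untouched, so non-TCP/UDP protocols work too."""

    def __init__(self, mapping: Dict[str, str]):
        self.out = dict(mapping)                        # internal xxx -> public yyy
        self.inb = {v: k for k, v in mapping.items()}   # public yyy -> internal xxx

    def outbound(self, p: Pkt) -> Pkt:
        return replace(p, src=self.out.get(p.src, p.src))

    def inbound(self, p: Pkt) -> Pkt:
        return replace(p, dst=self.inb.get(p.dst, p.dst))


class StaticPat:
    """Connections opened from outside to FW port N are forwarded to (server, port)."""

    def __init__(self, public_ip: str, ports: Dict[int, Tuple[str, int]]):
        self.pub = public_ip
        self.fwd = dict(ports)                          # FW port -> (internal ip, port)
        self.rev = {v: k for k, v in ports.items()}     # (internal ip, port) -> FW port

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if p.dst != self.pub or p.dport not in self.fwd:
            return None                                 # no table entry: the FW drops it
        ip, port = self.fwd[p.dport]
        return replace(p, dst=ip, dport=port)

    def outbound(self, p: Pkt) -> Pkt:
        fw_port = self.rev.get((p.src, p.sport))
        return p if fw_port is None else replace(p, src=self.pub, sport=fw_port)


class Masking:
    """Connections opened by internal hosts; every flow is keyed by internal (address, source
    port) and its destination, and only the FW address M is visible outside.  An inbound packet
    with no matching entry was not solicited by anyone inside and is dropped."""

    def __init__(self, public_ip: str, first_port: int = 10000):
        self.m = public_ip
        self.first = first_port
        self.table: Dict[Tuple[str, int, str, int], int] = {}       # (src, sport, dst, dport) -> FW port
        self.rev: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (FW port, dst, dport) -> (src, sport)

    def outbound(self, p: Pkt) -> Pkt:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.table:
            # Lowest FW port not yet used towards this destination, so 10000 can serve both a
            # flow to W and a flow to W2, as in the slide 21 table.
            port = self.first
            while (port, p.dst, p.dport) in self.rev:
                port += 1
            self.table[key] = port
            self.rev[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.m, sport=self.table[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        entry = self.rev.get((p.dport, p.src, p.sport))
        if entry is None:
            return None
        src, sport = entry
        return replace(p, dst=src, dport=sport)


# Constructed stand-ins for the slide 21 names.
H1, H2 = "10.0.0.1", "10.0.0.2"          # internal hosts "1" and "2"
M = "198.51.100.1"                       # the FW, @IP 'M'
W, W2 = "203.0.113.80", "203.0.113.81"   # external web servers


def slide21_trace() -> Dict[str, int]:
    """Replay the three slide 21 flows; return the table as 'src:sport->dst': assigned FW port."""
    fw = Masking(M)
    for src, sport, dst in ((H1, 1025, W), (H2, 1025, W), (H2, 1026, W2)):
        fw.outbound(Pkt(src, sport, dst, 80))
    return {f"{s}:{sp}->{d}": port for (s, sp, d, _dp), port in fw.table.items()}


if __name__ == "__main__":
    for flow, port in slide21_trace().items():
        print(f"{flow} ({port})")
```

The security property worth noting is in `Masking.inbound`: with no static entries, nothing from outside can reach an internal host unless that host opened the flow first, which is why masking also serves as a crude inbound filter. Real implementations additionally age entries out and track TCP state.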




