Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Configuration Strategies

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewall Configuration Strategies"— Presentation transcript:

1 Firewall Configuration Strategies
Chapter 3

2 Learning Objectives Set up firewall rules that reflect an organization’s overall security approach Understand the goals that underlie a firewall’s configuration Identify and implement different firewall configuration strategies Employ methods of adding functionality to your firewall

3 Establishing Rules and Restrictions for Your Firewall
Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them All firewalls have a rules file—the most important configuration file on the firewall

4 The Role of the Rules File
Establishes the order the firewall should follow Tells the firewall which packets should be blocked and which should be allowed Requirements Need for scalability Importance of enabling productivity of end users while maintaining adequate security

5 Restrictive Firewalls
Block all access by default; permit only specific types of traffic to pass through

6 Strategies for Implementing a Security Policy
Follow the concept of least privilege Spell out services that employees cannot use Use and maintain passwords Choose an approach Open Optimistic Cautious Strict Paranoid

7 Connectivity-Based Firewalls
Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic

8 Overview to Firewall Configuration Strategies
Criteria Scalable Take communication needs of individual employees into account Deal with IP address needs of the organization

9 Scalability Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed

10 Productivity The stronger and more elaborate the firewall, the slower the data transmissions Important features of firewall: processing and memory resources available to the bastion host

11 Productivity

12 Dealing with IP Address Issues
If service network needs to be privately rather than publicly accessible, which DNS will its component systems use? If you mix public and private addresses, how will Web server and DNS servers communicate? Let the proxy server do the IP forwarding (it’s the security device)

13 Firewall Configuration Strategies

14 Firewall Configuration Strategies
Settle on general approaches; establish rules for them Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules Use security components to defend against common attacks

15 Using Security Components to Defend Against Attacks

16 Screening Router Filters traffic passing between one network and another Simple, minimally secure Two interfaces—external and internal—each with its own unique IP address Performs IP forwarding, based on an access control list (ACL)

17 Screening Router

18 Stateful Packet Filtering

19 Dual-Homed Host A workstation with an internal interface and an external interface to the Internet Disadvantage Host serves as a single point of entry to the organization

20 Screened Host Similar to dual-homed host, but the host is dedicated to performing security functions Sits exposed on the perimeter of the network rather than behind the firewall Requires two network connections Also called a dual-homed gateway or bastion host

21 Screened Host

22 Two Routers, One Firewall
Router positioned on the outside Performs initial, static packet filtering Router positioned just inside the network Routes traffic to appropriate computers in the LAN being protected Can do stateful packet filtering

23 Two Routers, One Firewall

24 DMZ Screened Subnet Screened subnet Three-pronged firewall
Network exposed to external network, but partially protected by a firewall Three-pronged firewall Three network interfaces connect it to: External network DMZ Protected LAN Service network Screened subnet that contains an organization’s publicly accessible server

25 DMZ Screened Subnet

26 Three-Pronged Firewall with Only One Firewall
Advantages Simplification Lower cost Disadvantages Complexity Vulnerability Performance

27 Common Service Network Systems
Those that contain Web and mail servers Those that contain DNS servers Those that contain tunneling servers

28 Multiple-Firewall DMZs
Achieve the most effective Defense in Depth Help achieve load distribution Added security offsets slowdown in performance Two or more firewalls can be used to protect Internal network One DMZ Two DMZs Branch offices that need to connect to main office’s internal network

29 Two Firewalls, One DMZ Two firewalls used to set up three separate networks (tri-homed firewall) Internal protected network (behind DMZ) External private network or service network (within DMZ) External network (outside DMZ) Advantage Enables control of traffic in the three networks

30 Two Firewalls, One DMZ

31 Two Firewalls, Two DMZs Setting up separate DMZs for different parts of the organization helps balance the traffic load between them

32 Two Firewalls, Two DMZs

33 Multiple Firewalls to Protect Branch Offices

34 Load Distribution Through Layering of Firewalls

35 Reverse Firewalls Inspect and monitor traffic going out of a network rather than trying to block what’s coming in Help block Distributed Denial of Service (DDoS) attacks

36 Specialty Firewalls Protect specific types of network communications (eg, , instant-messaging) Examples Mail Marshal and WebMarshal by Marshal Software OpenReach includes a small-scale packet-filtering firewall for its VPN VOISS Proxy Firewall (VF-1) by VocalData Speedware Corporation sells its own firewall software

37 Approaches That Add Functionality to a Firewall
Network Address Translation (NAT) Encryption Application proxies VPNs Intrusion detection systems (IDSs)

38 NAT Converts publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside

39 NAT

40 Encryption Takes a request, turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router Recipient decrypts the message and presents it to the end user in understandable form

41 Encryption

42 Application Proxies Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy) Can be set up with either a dual-homed host or a screened host system

43 Application Proxies Dual-homed setup Screened subnet system
Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected Screened subnet system Host that holds proxy server software has a single network interface Packet filters on either side of the host filter out all traffic except that destined for proxy server software

44 Application Proxies on a Dual-Homed Host

45 VPNs Connect internal hosts with specific clients in other organizations Connections are encrypted and limited only to machines with specific IP addresses VPN gateway can: Go on a DMZ Bypass the firewall and connect directly to the internal LAN

46 VPN Gateway Bypassing the Firewall

47 Intrusion Detection Systems
Can be installed in external and/or internal routers at the perimeter of the network Built into many popular firewall packages

48 IDS Integrated into Perimeter Routers

49 IDS Positioned Between Firewall and Internet

50 Chapter Summary How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components Rules and restrictions that influence configuration of a security perimeter Security configurations that either perform firewall functions or that use firewalls to create protected areas

Download ppt "Firewall Configuration Strategies"

Similar presentations

DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,
Working with Proxy Servers and Application-Level Firewalls Chapter 5.

Working with Proxy Servers and Application-Level Firewalls Chapter 5.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Chapter 8: Firewall Configuration and Administration

Chapter 8: Firewall Configuration and Administration

Similar presentations

Ads by Google