Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Similar presentations

Presentation on theme: "Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)"— Presentation transcript:

1 Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

2 Firewalls are not just for companies any more: the changing home

3 High Speed Internet Connections Drive the importance of security

4 The home Network: always on the Net

5 Always on, all hackers all the time
For me to attack your system, I must send packets to it With dial, you get a different IP address for each call and in relative terms that call is not long Big issue is that you will have the same IP address for a long time with persistent connections You may have the same IP address ALL the time. So plenty of time for someone to go after you Personal PCs have the standard OS vulnerabilities Private Web servers easy targets

6 Windows file sharing does not help
Admin Shares $c On by default in Win 9* and older NT Browser Service Network Neighborhood Could see everyone else's PCs Hard to turn it off on Internet facing interfaces interfaces Who cares? QDATA.*

7 Multiple security problems
Defense in Depth

8 The tradeoffs

9 Costs Dollars for the software Download of updates Customization
most software out of the box works fine File and print sharing on your home LAN special apps Checking logs

10 Example of customization

11 The firewall: The first line of defense

12 What a firewall does not do

13 Firewall technologies
Network Address Translation

14 A digression, TCP/IP

15 Internet Protocol

16 TCP

17 TCP connection flow the syn is unique to session start

18 TCP Ports Identify the App

19 IP addresses

20 ‘Private’ IP addresses
Routable IP addresses are scarce Not every system in the world needs direct and always on access to the Internet Private addresses allows you to address many more systems than the ‘public’ address space (public addresses can be routed over the internet For a private addressed system to access the internet it must be translated to a public address Private addresses are defined by RFC 1918 10.*.*.*, *.* *.*, *.*

21 Public IP address assignment
If you are dialing up, you get one for the duration of the call and it will change If you are on a ‘always on’ you MAY get a one Providers charge for more than 1 permanent IP addresses Some cable systems change your address so you cant host a server without them knowing (and of course you paying) To address multiple PCs and have them access the internet you must NAT

22 Network Address Translation

23 Enterprise NAT NAT is also used to ‘hide’ addresses
Remote end can only see the NATed address not the real one Both ends use private addresses And will often have duplicates ( ) So will often ‘dual nat’ that is translate both source and destination Can even map ports so 1 address, multiple servers port 80; port 25; port 20:

24 Pat Port address translation
Allows many stations to share 1 ip address Depends on keeping track what source port and IP address for each connection Then select a unique port to associate with the single public IP address

25 Packet Filtering the basis of a firewall

26 Packet Filtering Firewalls will trust inside addresses
Spoofing: attacker makes their address look like an inside address Will rely on the TCP ACK bit to determine if a connection is inbound or outbound will permit all outbound (you to the Inet) by default Can configure what inbound connections you want to allow (home web server) Does not work well with certain applications FTP opens connections from the outside Media and VOIP use dynamic ports

27 Stateful Inspection

28 Stateful inspection Look at outbound connection request to the Internet Remember the addresses and the ports Only permit traffic from the Internet if it saw that it was initiated from the inside network All modern firewalls work this way

29 Proxy Server

30 Proxy Server Since application is intercepted Can authenticate by user
Can log content Can block content by looking at the URLs All web access is via proxy

31 Authentication w/o proxy
Telnet or web to the firewall the login then can access all other services Dedicated client Firewall-1 has a custom client Firewall contacts client code when user tries to access a service ask for login and if ok grants it.

32 A firewall: Always does packet filters
Always does stateful packet filtering Always logs May have a proxy May do authentication

33 Corporate Firewalls Appliance based ‘Computer’ based PIX, FW1 Nokia
more expensive Dedicated OS Harder to crack as fewer OS issues Harder to scale (as based on specific hardware) ‘Computer’ based Runs on NT or Unix Can leverage existing computers Easier to learn at home

34 Home Firewalls Device Based OS based
Part of your access box or can get a dedicated appliance May be ‘free’ with a box you are already getting Does not touch your OS but then may need more configuration Do not have to touch multiple computers Does not impact ‘inside the house’ OS based Tied into the network stack Can easily deal with custom apps May need to modify for home access

35 Linksys Router (appliance)

36 Linksys Router Filtering

37 Linksys Router logs

38 Norton Personal Firewall (part of OS)

39 Application list

40 Summary If you access the internet at all get an OS based firewall
If you have always on get an appliance based Or even better use both.

Download ppt "Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)"

Similar presentations

Ads by Google