
Firewall Matthew Prestifilippo, Bill Kazmierski, Pat Sparrow.


1 Firewall Matthew Prestifilippo, Bill Kazmierski, Pat Sparrow

2 Basics
- Intended to stop unauthorized traffic from traveling from one network to another
- Set up between the router and the internal network

3 Basics
All data arriving at or leaving the network passes through the firewall, where it can be accepted or denied. A list of rules can be set, allowing the firewall to determine what types of data should not be allowed to pass through. These rules can give certain devices inside the network different privileges.

4 Filtering
- Packet filters
  - This job is done at the network and transport layers
  - Look at the packets to see if forbidden IPs are trying to come in
  - Not effective in the case of spoofing
- Stateful inspection
  - Uses the SYN and ACK packets for verification/correspondence
  - Keeps track of sessions
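The session tracking described on this slide, as an added example that is not part of the original presentation: a minimal stateful TCP filter that records sessions opened by an inside SYN, permits the matching SYN/ACK and later packets, and denies anything arriving on the outside interface that no inside host asked for. Addresses and ports are constructed sample values (the inside host is placed in the slides' 134.198.160.0/21 range).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})

class StatefulFilter:
    """Tracks TCP sessions opened from the inside; unsolicited inbound packets are denied."""

    def __init__(self):
        # session key: (inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def check(self, pkt):
        if pkt.iface == "inside":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add(key)      # inside host opens a new session
                return "permit"
            return "permit" if key in self.sessions else "deny"
        # Arriving on the outside: reverse the tuple and look for an existing session
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return "deny"                   # nobody inside asked for this; a bare inbound SYN lands here
        if pkt.flags & {"FIN", "RST"}:
            self.sessions.discard(key)      # remote side closed or reset: forget the session
        return "permit"

def demo():
    """Verdicts for a short constructed exchange (sample addresses, not taken from the slides)."""
    fw = StatefulFilter()
    inside, outside = "134.198.161.10", "198.51.100.7"
    return [
        fw.check(Packet("inside", inside, 51000, outside, 80, frozenset({"SYN"}))),
        fw.check(Packet("outside", outside, 80, inside, 51000, frozenset({"SYN", "ACK"}))),
        fw.check(Packet("inside", inside, 51000, outside, 80, frozenset({"ACK"}))),
        fw.check(Packet("outside", outside, 80, inside, 22, frozenset({"SYN"}))),        # unsolicited
        fw.check(Packet("outside", outside, 80, inside, 51000, frozenset({"FIN", "ACK"}))),
        fw.check(Packet("outside", outside, 80, inside, 51000, frozenset({"ACK"}))),     # after close
    ]
```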

5 Filtering
- Application proxies
  - Work at the application level
  - Extra processing power needed, but more security provided

6 Filtering
A firewall can filter packets based on:
- the source or destination IP address
- the destination port
- the protocol (UDP, TCP, IP ...)

7 Interfaces
3 basic interfaces:
1. Inside – trusted network
2. Outside – untrusted network
3. DMZ – demilitarized zone
   - Web server
   - Why a DMZ?

8 NAT
- Static: permanent inside local -> inside global mapping
- Dynamic: a pool of global addresses is defined; machines that make a request to the outside are assigned an address from the pool accordingly

9 NAT
- Overloading (PAT): when there are more nodes than global addresses available, use the port space to map the extra machines
- This means that one address can be used for multiple computers (hence the term overloading)
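The overloading described on these two NAT slides, as an added example that is not part of the original presentation: a PAT table that lets many inside hosts share one global address by handing each outgoing flow its own global port, maps replies back to the inside host, and refuses new flows once the port pool is used up. The global address is the outside address from the slides; the inside hosts and the tiny two-port pool are constructed so the exhaustion case is visible.

```python
class PatTable:
    """One global address shared by many inside hosts; each flow gets its own global port."""

    def __init__(self, global_ip, port_range=(1024, 65535)):
        self.global_ip = global_ip
        self.next_port, self.last_port = port_range
        self.outbound = {}   # (inside_ip, inside_port) -> global_port
        self.inbound = {}    # global_port -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port):
        """Rewrite an outgoing flow's source to (global_ip, global_port), allocating a port on first use."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted: no free global port")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.global_ip, self.outbound[key]

    def translate_inbound(self, global_port):
        """Map a reply's destination port back to the inside host, or None if no flow owns that port."""
        return self.inbound.get(global_port)

def demo():
    # Constructed: two inside hosts share the slides' outside address; pool of only two ports
    pat = PatTable("134.161.170.252", port_range=(40000, 40001))
    a = pat.translate_outbound("134.198.161.10", 51000)
    b = pat.translate_outbound("134.198.161.11", 51000)      # same inside port, different host
    again = pat.translate_outbound("134.198.161.10", 51000)  # existing flow reuses its port
    try:
        pat.translate_outbound("134.198.161.12", 51000)      # third host: no port left
        exhausted = False
    except RuntimeError:
        exhausted = True
    return a, b, again, pat.translate_inbound(40001), pat.translate_inbound(9999), exhausted
```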

10 PAT

11 URL Filtering
- Needs an N2H2 or Websense server
- In the filtering process the PIX relies on the server to determine whether or not a website is allowed
- Could also use the access-list command

12 Packet Inspection
- A firewall must inspect every packet traveling in and out of a network
- Too many rules can result in a bottleneck
- Looking up domain names while logging can slow performance
- Using VPN and other functions can slow performance

13 PIX 515e Firewall
- 433 MHz Intel Celeron processor
- 64 MB RAM
- 16 MB onboard flash memory
- 188 Mbps throughput
- Can handle more than 130,000 sessions
- Recommended for small to medium-sized business networks

14 Our Setup
- We reset the firewall with the inside IP address of 134.198.161.254 and a netmask of 255.255.248.0, which is the same as the inside address of the original network configuration.
- We set the outside IP address to 134.161.170.252, which is the same as the original network configuration.
- The PIX 515 has replaced the router.
- By default, the firewall allows outgoing traffic to any IP address.

15 Rules
- Source and destination IPs
- Source and destination interface
- Type of packet
- Default rule:
  - Source: 0.0.0.0 on inside interface
  - Destination: 0.0.0.0 on outside interface
  - Packet type: IP
  - Action: Permit

16 Our Rules
- Allow all traffic to enter the network
  - Source: 0.0.0.0 on the outside
  - Destination: 0.0.0.0 on the inside
  - Packet type: IP
  - Action: Permit
- Prevent hosts from accessing Playboy.com
  - Source: 216.163.137.3 on the outside
  - Destination: 0.0.0.0 on the inside
  - Packet type: IP
  - Action: Deny
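A rule evaluator built from the fields the Rules slides list (source and destination address, source and destination interface, packet type, action), as an added example that is not part of the original presentation. It assumes first-match evaluation with an implicit deny at the end, which is how Cisco access lists are processed, and transcribes the default rule and the two "Our Rules" entries; the sample packets are constructed. It shows two things worth checking before trusting a rule set: the deny rule is shadowed when the allow-all-inbound rule is listed before it, and, written with the blocked site as the source on the outside interface, it only affects packets coming from that address, not requests going to it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str        # CIDR; "0.0.0.0/0" is the slides' "0.0.0.0", meaning any address
    src_iface: str
    dst: str
    dst_iface: str
    proto: str      # "ip" matches every protocol, as on the slides
    action: str     # "permit" or "deny"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and pkt["in_iface"] == self.src_iface
                and pkt["out_iface"] == self.dst_iface
                and self.proto in ("ip", pkt["proto"]))

def decide(rules, pkt):
    """First matching rule wins; a packet matching no rule is dropped (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The slides' rules, transcribed
DEFAULT_OUT  = Rule("0.0.0.0/0", "inside", "0.0.0.0/0", "outside", "ip", "permit")
ALLOW_ALL_IN = Rule("0.0.0.0/0", "outside", "0.0.0.0/0", "inside", "ip", "permit")
DENY_SITE_IN = Rule("216.163.137.3/32", "outside", "0.0.0.0/0", "inside", "ip", "deny")

def demo():
    # Constructed packets: a reply arriving from the blocked address, and a request going to it
    inbound = {"src": "216.163.137.3", "dst": "134.198.161.10",
               "in_iface": "outside", "out_iface": "inside", "proto": "tcp"}
    outbound = {"src": "134.198.161.10", "dst": "216.163.137.3",
                "in_iface": "inside", "out_iface": "outside", "proto": "tcp"}
    slide_order = [DEFAULT_OUT, ALLOW_ALL_IN, DENY_SITE_IN]
    deny_first = [DEFAULT_OUT, DENY_SITE_IN, ALLOW_ALL_IN]
    return {
        "inbound, slide order": decide(slide_order, inbound),    # deny rule shadowed by allow-all
        "inbound, deny first": decide(deny_first, inbound),
        "outbound, either order": decide(deny_first, outbound),  # deny rule never matches outbound
    }
```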

17 Work With IDS
- View IDS logs to find any bad IPs and add rules to prevent them from sending packets to the network

