
Firewall

[Illustration: a security guard post (pos satpam), labelled "Firewall"]

What is a firewall
A firewall is a mechanism by which a client from outside is denied/allowed access into the network (or a client inside is denied/allowed access out of the network) according to a set of defined rules.
Like a security guard post at an institution/housing estate.
Works at layers 3 and 4 (even 5) of the TCP/IP model.

Terminology
Masquerading
Allows many machines to appear to come from the same IP address.
Connections can only be initiated by an internal host.

NAT - Network Address Translation
The term NAT can mean many different things, see RFC 2663 for details.
Generally some router-level mapping and conversion between a set of private IP addresses and a single public IP address (IP Masq) or a set of public IP addresses.

Why do we need one

To implement your policy!
To manage the risks of providing your services.
To segregate networks with different policies.
To provide accountability of network resources.

Firewalls mitigate/reduce risk
Blocking MOST threats
They have vulnerabilities as well
Improper configuration is the largest threat

How it works
By inspecting the packets that pass through the firewall and matching them against the list of rules it has been given.
Firewalls block certain traffic, while allowing other traffic to pass.
Different types of firewalls pass traffic using different methods:
Packet Filtering
Proxy
Connection State Analysis

[Cartoon at the guard post labelled "Firewall". Visitor: "May I go through, miss? Here are my papers." Guard: "Children aren't allowed out.. it's already late."]

There are two main types
Firewall rules are created to match policy
Rules are based on:
Routing-based filters (Who)
Sender and Destination
Where does it come from?
Where is it going?
Does not care what it wants to do there

Content-based filters (What)
TCP/IP port numbers and services
What are you going to do there?
Not as easy as the first type, because a client can sometimes fool it

Two rule approaches
Default allow
Allow everything through except what is listed
Place roadblocks/watch gates along a wide open road.

Default deny
Block everything except what is listed
Build a wall and carve paths for everyone you like.

Packet Filtering
Simplest form of firewalling
Can often be implemented on network equipment (routers, switches)
Blocks certain TCP/IP ports, protocols, and/or addresses.
Rules are applied to the headers of the packets
Example: iptables, ipchains (Linux)

Packet Filtering
Advantages of Packet Filtering
High performance
Can usually be applied to current routers/switches (no additional equipment!)
Effective

Disadvantages of Packet Filtering
Can quickly become a very complex configuration
Easy to misconfigure
Difficult to configure for dynamic protocols (like DHCP/FTP)
Can't do any content-based filtering (remove email attachments, JavaScript, ActiveX)
Processing power

Packet Filtering Example
An abbreviated packet:
Source          Src Port   Destination      Dest Port
204.210.251.1   8104       128.146.2.205    31337

A Cisco packet filter (denies TCP to any port above 1023 on the 128.146.2.0/24 network, so the packet above is dropped):
access-list 2640 deny tcp any 128.146.2.0 0.0.0.255 gt 1023
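To make the "default allow" versus "default deny" slide and the packet-filter example concrete, here is an added Python evaluator (not code from the slides) that applies rules the way the access list above does: header fields only, first match wins, a default policy when nothing matches. The packet and the deny rule are the ones on the slide; the permit rule for HTTP and the second packet are constructed.

```python
"""Packet-filter rule evaluation in the style of a Cisco access list.

Added example, not code from the slides. The packet and the deny rule are the
ones on the slide; the permit rule and the HTTP packet are constructed to show
the difference between a default-allow and a default-deny policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (ip = any protocol)
    src: str                         # "any" or "address wildcard-mask"
    dst: str
    dport_eq: Optional[int] = None   # Cisco "eq N"
    dport_gt: Optional[int] = None   # Cisco "gt N": matches when dport > N


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def rule_matches(rule: Rule, p: Packet) -> bool:
    """Header-only comparison: a packet filter never looks at the payload."""
    if rule.proto != "ip" and rule.proto != p.proto:
        return False
    if not (addr_matches(rule.src, p.src) and addr_matches(rule.dst, p.dst)):
        return False
    if rule.dport_eq is not None and p.dport != rule.dport_eq:
        return False
    if rule.dport_gt is not None and p.dport <= rule.dport_gt:
        return False
    return True


def evaluate(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; 'default' decides when no rule matches."""
    for r in rules:
        if rule_matches(r, p):
            return r.action
    return default


# The filter on the slide: access-list 2640 deny tcp any 128.146.2.0 0.0.0.255 gt 1023
SLIDE_RULE = Rule("deny", "tcp", "any", "128.146.2.0 0.0.0.255", dport_gt=1023)
# Constructed: explicitly permit HTTP to the same subnet
WEB_RULE = Rule("permit", "tcp", "any", "128.146.2.0 0.0.0.255", dport_eq=80)

SLIDE_PACKET = Packet("tcp", "204.210.251.1", 8104, "128.146.2.205", 31337)
WEB_PACKET = Packet("tcp", "204.210.251.1", 8105, "128.146.2.205", 80)   # constructed


def demo() -> Dict[str, str]:
    """The same rule set under both default policies."""
    return {
        "slide packet, default allow": evaluate([SLIDE_RULE], SLIDE_PACKET, "permit"),
        "slide packet, default deny": evaluate([SLIDE_RULE], SLIDE_PACKET, "deny"),
        # default allow: anything not listed passes, so HTTP gets through for free
        "web packet, default allow": evaluate([SLIDE_RULE], WEB_PACKET, "permit"),
        # default deny: HTTP is blocked until a path is carved for it
        "web packet, default deny": evaluate([SLIDE_RULE], WEB_PACKET, "deny"),
        "web packet, default deny + permit rule":
            evaluate([SLIDE_RULE, WEB_RULE], WEB_PACKET, "deny"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")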

Proxy
The firewall accepts requests and executes them on behalf of the user
"I want to see http://www.osu.edu"
Firewall gets the http://www.osu.edu content
Firewall sends the content to the requester

Example: Squid

Proxy
Advantages of Proxy Firewall
They don't allow direct connections between internal and external hosts
Can support authentication, classes of users
Can allow/deny access based on content
Can keep very detailed logs of activity (including the data portions of packets)
Caching/effective bandwidth

Proxy
Disadvantages of Proxy Firewall
Slower than packet filter firewalls
Require additional hardware
more hardware for more users
slow hardware = slow service

Some firewalls require special client configurations on the workstations.
Some protocols may not be supported (AIM, RealAudio, Napster, H.323). Varies by vendor.
Configuration can be complex
Must configure a proxy for each protocol

Connection State Analysis
Similar to packet filtering, but analyzes packets to make sure connection requests occur in the proper sequence.
Example:
ICMP Echo Replies are not accepted through the firewall unless there is an outstanding ICMP Echo Request.
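The ICMP Echo example is the simplest case of "proper sequence": the firewall remembers which requests went out and lets in only the replies that answer them. The Python below is an added example, not from the slides; the packet sequence is constructed and the direction field stands in for the interface a packet arrived on.

```python
"""Stateful check for ICMP Echo: a reply passes only if it answers a request
that went out earlier.

Added example, not from the slides. The packet sequence is constructed; the
'direction' field stands in for the interface the packet arrived on.
"""
from dataclasses import dataclass
from typing import List

ECHO_REPLY, ECHO_REQUEST = 0, 8      # ICMP type numbers


@dataclass(frozen=True)
class Icmp:
    direction: str   # "out" = inside -> Internet, "in" = Internet -> inside
    type: int
    src: str
    dst: str
    ident: int       # identifier and sequence are copied into the reply,
    seq: int         # which is what lets the firewall pair the two packets


class EchoStateTable:
    def __init__(self) -> None:
        # outstanding requests: (inside host, outside host, ident, seq)
        self.pending: set = set()

    def filter(self, p: Icmp) -> str:
        if p.direction == "out" and p.type == ECHO_REQUEST:
            self.pending.add((p.src, p.dst, p.ident, p.seq))
            return "accept"
        if p.direction == "in" and p.type == ECHO_REPLY:
            # the reply flows the other way, so swap the addresses for the lookup
            key = (p.dst, p.src, p.ident, p.seq)
            if key in self.pending:
                self.pending.discard(key)   # consumed: a duplicate reply is dropped
                return "accept"
            return "drop"                   # no matching request outstanding
        return "drop"   # inbound requests and anything else are not allowed through


def run(packets: List[Icmp]) -> List[str]:
    table = EchoStateTable()
    return [table.filter(p) for p in packets]


INSIDE, OUTSIDE, STRANGER = "10.0.0.5", "198.51.100.5", "203.0.113.9"   # constructed
SEQUENCE: List[Icmp] = [
    Icmp("out", ECHO_REQUEST, INSIDE, OUTSIDE, ident=1, seq=1),   # our ping goes out
    Icmp("in", ECHO_REPLY, OUTSIDE, INSIDE, ident=1, seq=1),      # the answer comes back
    Icmp("in", ECHO_REPLY, OUTSIDE, INSIDE, ident=1, seq=1),      # the same reply again
    Icmp("in", ECHO_REPLY, STRANGER, INSIDE, ident=7, seq=1),     # nobody asked this host
    Icmp("in", ECHO_REQUEST, STRANGER, INSIDE, ident=7, seq=2),   # inbound ping
]

if __name__ == "__main__":
    for p, verdict in zip(SEQUENCE, run(SEQUENCE)):
        print(f"{p.direction:>3} type={p.type} {p.src} -> {p.dst}: {verdict}")
```

A plain packet filter that wanted ping to work would have had to accept every inbound Echo Reply; the state table accepts exactly one, the one that was asked for.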

Connection State Analysis
Advantages
Caching
Content monitoring

Disadvantages
Performance
Overhead requires a more expensive system

Topology
Bridge-type firewall
Invisible to users
Easy to install for already existing networks

Router-type firewalls
Has an IP address, visible to users

Topology
Advantages of bridge-type firewall:
Invisible to users
Easy to install for already existing networks

Disadvantages of bridge-type firewall:
Requires more equipment than packet filtering
Rules may be more confusing to configure

Advantages of router-type firewall:
Rule configuration slightly better than bridge

Disadvantages of router-type firewall:
System is visible to users and outsiders

Problems
Firewalls as filters can be considered for the most part to be infallible... but as a security measure? They can only enforce rules (generally static).

[Diagram: internet - Firewall - our network]

Problems
"Crunchy on the outside, but soft and chewy on the inside."

[Diagram: internet - Firewall - our network (the "trusted network")]

Setting up the firewall
Using the DMZ (DeMilitarized Zone) to your advantage
Firewalls as intrusion detection devices
Configure VPNs for management

DMZ Configuration
Separate area off the firewall
Different network segments may have different policies

Departments
Service areas
Public services
Internal services

Usually a different subnet
Commonly used to house Internet-facing machines (i.e. web servers)
Has its own firewall policy

DMZ Configuration
Place web servers in the DMZ network
Only allow web ports (TCP ports 80 and 443)

[Diagram: internet - Firewall - Web Server]

DMZ Configuration
Don't allow web servers access to your network
Allow the local network to manage web servers (SSH)
Don't allow servers to connect to the Internet
Patching is not convenient

[Cartoon: the guard post labelled "Firewall" stands between the Web Server and the internet. Guard: "Sir.. the red ones aren't allowed through, you know."]

DMZ Configuration
Local network:
Everyone may contact the web server (port 80/443)
Certain PCs may contact the server via SSH (port 22)
The server may not contact the local network

[Diagram: Local network - Firewall - Web Server - Internet]

Internet:
Everyone may contact the web server (port 80/443)
Anything other than the web service is not permitted
The server may not wander around the Internet
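The three DMZ slides above describe one policy with three zones (local network, DMZ, Internet). As an added example, not code from the slides, here it is written as a default-deny check in Python; the subnets, the web server address and the set of administrator PCs are constructed, and the flows in demo() are the ones the slides mention.

```python
"""The DMZ policy from the slides as a zone-based rule check.

Added example, not from the slides. The subnets, the web server address and
the set of administrator PCs are constructed; the policy is default deny.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

LOCAL = ip_network("192.168.10.0/24")          # assumed local network
DMZ = ip_network("192.168.20.0/24")            # assumed DMZ subnet
WEB_SERVER = "192.168.20.10"                   # assumed web server in the DMZ
ADMIN_PCS = {"192.168.10.5", "192.168.10.6"}   # assumed "certain PCs"


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in LOCAL:
        return "local"
    if addr in DMZ:
        return "dmz"
    return "internet"


def allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Default deny: only the flows listed on the slides return True."""
    src_zone = zone_of(src)
    web = proto == "tcp" and dport in (80, 443)
    ssh = proto == "tcp" and dport == 22
    if dst == WEB_SERVER and web:
        return True   # local network and Internet may both reach the web service
    if src_zone == "local" and src in ADMIN_PCS and dst == WEB_SERVER and ssh:
        return True   # only the listed PCs may manage the server over SSH
    # everything else is denied: the server may not contact the local network,
    # may not wander the Internet, and no other service on it is exposed
    return False


Flow = Tuple[str, str, str, int]


def demo() -> Dict[Flow, bool]:
    flows = [
        ("203.0.113.50", WEB_SERVER, "tcp", 443),    # Internet user -> web
        ("203.0.113.50", WEB_SERVER, "tcp", 22),     # Internet user -> SSH
        ("192.168.10.5", WEB_SERVER, "tcp", 22),     # admin PC -> SSH
        ("192.168.10.77", WEB_SERVER, "tcp", 22),    # ordinary local PC -> SSH
        ("192.168.10.77", WEB_SERVER, "tcp", 80),    # ordinary local PC -> web
        (WEB_SERVER, "192.168.10.77", "tcp", 445),   # server -> local network
        (WEB_SERVER, "203.0.113.80", "tcp", 80),     # server -> Internet (patching)
    ]
    return {f: allowed(*f) for f in flows}


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {'allow' if verdict else 'deny'}")
```

Because the check is default deny, the two "server may not" rules on the slides need no code of their own: they are simply the absence of a permit, which is the point of the "build a wall and carve paths" approach.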

Firewall as IDS

IDS = Intrusion Detection System
Collect log information from the deny rules
Find port scanning, hacking attempts, etc.
Isolating traffic with deny rules helps cut down the information overload

Firewall as IDS
What to do with ALL that data.. Graph it!
Shows trends, what people are looking for
Helps prioritize security tasks

Occasionally you may want to block port scans

Firewall as IDS

Pay close attention to traffic leaving the DMZ
Often the first sign of a compromise
Low-traffic rules, so logs aren't as enormous
Email is nice, provided you're the only one reading it
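The three "Firewall as IDS" slides amount to a small log-mining job: read the deny log, find sources that touched many ports, and single out anything that originated inside the DMZ. The Python below is an added example, not from the slides. The log lines are constructed in the style of iptables LOG output with a "DENY" prefix, and the DMZ subnet is assumed.

```python
"""Mining firewall deny logs: port scans and traffic leaving the DMZ.

Added example, not from the slides. The log lines are constructed in the
style of iptables LOG output with a "DENY" prefix; the DMZ subnet is assumed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

DMZ = ip_network("192.168.20.0/24")   # assumed DMZ subnet
SCAN_THRESHOLD = 5                     # distinct denied ports from one source

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
                    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

# Constructed sample log: one outside host walks several ports on the web
# server, another only knocks once, and the web server itself tries to get out.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.20.10 PROTO=TCP SPT=40001 DPT=21
Mar  3 10:00:01 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.20.10 PROTO=TCP SPT=40002 DPT=22
Mar  3 10:00:02 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.20.10 PROTO=TCP SPT=40003 DPT=23
Mar  3 10:00:02 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.20.10 PROTO=TCP SPT=40004 DPT=25
Mar  3 10:00:03 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.20.10 PROTO=TCP SPT=40005 DPT=110
Mar  3 10:00:03 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.20.10 PROTO=TCP SPT=40006 DPT=3306
Mar  3 10:00:09 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.8 DST=192.168.20.10 PROTO=TCP SPT=51000 DPT=8080
Mar  3 10:01:30 fw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.20.10 DST=198.51.100.99 PROTO=TCP SPT=33000 DPT=80
Mar  3 10:01:31 fw kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.20.10 PROTO=ICMP
"""


def parse(lines: Iterable[str]) -> List[Dict]:
    """Pull source, destination, protocol and destination port out of each deny line."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue          # not a firewall deny line
        events.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "dport": int(m["dpt"]) if m["dpt"] else None})
    return events


def port_scanners(events: List[Dict], threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Sources denied on at least 'threshold' distinct destination ports."""
    ports: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["dport"] is not None:
            ports[e["src"]].add(e["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}


def dmz_egress(events: List[Dict]) -> List[Dict]:
    """Denied packets that originated in the DMZ: worth a close look every time."""
    return [e for e in events
            if ip_address(e["src"]) in DMZ and ip_address(e["dst"]) not in DMZ]


def analyse(text: str = SAMPLE_LOG) -> Tuple[Dict[str, int], List[Dict]]:
    events = parse(text.splitlines())
    return port_scanners(events), dmz_egress(events)


if __name__ == "__main__":
    scanners, egress = analyse()
    print("port scanners:", scanners)
    for e in egress:
        print("DMZ host trying to leave:", e["src"], "->", e["dst"], "port", e["dport"])
```

The scan detector is deliberately crude (a count of distinct ports with no time window), which is enough to show the trend the slide wants graphed; the egress list is the low-volume, high-value rule the last slide refers to, and it is the one worth emailing.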

VPN
VPN = Virtual Private Network
VPN is far more secure than other management methods:
SSL and SSH are vulnerable to Man-In-The-Middle attacks
Telnet and SNMP are cleartext
There are no known MIM attacks against IPSEC (Yet)

VPN

VPN clients are supported on most platforms
Most firewalls will work with most clients
Netscreen now officially supports FreeS/WAN
Mac OS X is now supporting VPN

Conclusions
People don't just put up a thick front door for their sensitive belongings; you shouldn't for your network either.
Firewalls are an effective start to securing a network. Not a finish.
Care must be taken to construct an appropriate set of rules that will enforce your policy.
