
Firewall

Unit 7

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
Outline
▪ Kinds of Firewall
▪ Filtering Services
▪ DMZ
▪ Implementing policies(default allow, default deny)
▪ IDPS
▪ Types of IDPS
▪ VPN

Introduction
▪ Isolates the trustworthy internal network of an organisation (intranet)
from the less trustworthy external network (Internet)
▪ by filtering all traffic that passes between them
What can a Firewall do?
▪ Manage and control network traffic
▪ Authenticate access
▪ Act as an intermediary
▪ Protect resources
▪ Record and report on events

Manage and control network traffic
▪ Packet Inspection
▪ Source IP address and Source port
▪ Destination IP address and Destination port
▪ IP protocol
▪ Packet header information (sequence numbers,
checksums, data flags, payload information, and so on)
▪ Connections and State
▪ Stateful Packet Inspection

Authenticate Access
▪ Input of a username and password to access the firewall
▪ Use of certificates and public keys
▪ Authentication can also be handled through the use of pre-shared keys

Act as an intermediary
▪ A proxy functions by effectively mimicking the host it is trying to
protect.
▪ In many cases, this function as a proxy is complemented by using a
firewall that is capable of inspecting the actual application data to
ensure that it is legitimate and non-malicious.
▪ When functioning in this manner, the firewall is known as an
application proxy.

Protect resources
▪ Service control
  ▪ Determines the types of Internet services that can be accessed,
  inbound or outbound
▪ Direction control
  ▪ Determines the direction in which particular service requests are
  allowed to flow
▪ User control
  ▪ Controls access to a service according to which user is attempting
  to access it
▪ Behavior control
  ▪ Controls how particular services are used (e.g., it may enable
  external access to only a portion of local information)
Record and report on events
▪ Console notification: presents a notification to the console.
The drawback of this method is that it requires someone to
be actively monitoring the console to check for alarms.
▪ Simple Network Management Protocol (SNMP) notification: used to
generate traps that are sent to the network management system (NMS)
that is monitoring the firewall.
▪ Paging notification: when an event occurs, the firewall sends a page to
an administrator. It can be numeric or alphanumeric, depending on the
type of pager carried by the administrator.
▪ E-mail notification: Similar to paging, here the firewall sends
an e-mail to the registered e-mail address.
What can a Firewall not do?
A firewall cannot overcome threats from the following:
▪ Malicious insider
▪ Entry point behind firewalls
▪ Alien threats

Classification of Firewalls
▪ Based on processing mode
▪ Packet filtering or screening routers
▪ Application gateway
▪ Circuit gateways
▪ MAC layer firewalls
▪ Hybrids
▪ Based on generation
▪ Based on structure
▪ Residential or commercial grade
▪ Hardware or software based
Packet filtering or screening routers
▪ Packet filtering firewalls examine header information of data
packets
▪ Most often based on combination of:
▪ Internet Protocol (IP) source and destination address
▪ Direction (inbound or outbound)
▪ TCP or UDP source and destination port requests
▪ Simple firewall models enforce rules designed to prohibit
packets with certain addresses or partial addresses

Packet filtering or screening routers
▪ Filters packets going in both directions.
▪ The packet filter is typically set up as a list of rules based on
matches to fields in the IP or TCP header.
▪ Two default policies (discard or forward).

Source Address   Destination Address   Service (HTTP, FTP, SMTP, Telnet)   Action (Allow/Deny)
172.16.x.x       10.10.x.x             Any                                 Deny
192.168.x.x      10.10.10.25           HTTP                                Allow
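The rule table above, evaluated the way a packet filter would, as an added example that is not part of the original slides: first matching rule wins, an unmatched packet falls to the default policy (discard or forward), and a small state table lets replies to an allowed connection pass, which is the stateful inspection the slides mention. The `Packet` type, the wildcard-to-CIDR conversion and the sample packets are assumptions constructed for the example.

```python
"""Packet-filter rule evaluation with a default policy and a state table.

Added example, not from the slides. The rule table is the slide's own
(wildcard 'x' octets); Packet, the state table and the sample packets
are constructed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service names from the slide's table mapped to their well-known ports
SERVICE_PORTS = {"HTTP": 80, "FTP": 21, "SMTP": 25, "Telnet": 23}

# The slide's rule table: (source, destination, service, action)
RULES = [
    ("172.16.x.x", "10.10.x.x", "Any", "Deny"),
    ("192.168.x.x", "10.10.10.25", "HTTP", "Allow"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = True  # True for a new-connection attempt, False for a reply


def wildcard_to_network(addr):
    """Convert slide notation such as '172.16.x.x' into a CIDR network."""
    fixed = [o for o in addr.split(".") if o != "x"]
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ip_network(f"{base}/{8 * len(fixed)}")


class PacketFilter:
    """Header-only rule matching (first match wins) plus stateful tracking."""

    def __init__(self, rules, default="Deny"):
        self.rules = [(wildcard_to_network(s), wildcard_to_network(d), svc, act)
                      for s, d, svc, act in rules]
        self.default = default  # default policy: "Deny" (discard) or "Allow" (forward)
        self.state = set()      # tracked connections: (src, dst, proto, sport, dport)

    def rule_decision(self, pkt):
        """Static packet filtering: decide from header fields alone."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for s_net, d_net, svc, action in self.rules:
            if src in s_net and dst in d_net and (
                    svc == "Any" or pkt.dport == SERVICE_PORTS[svc]):
                return action
        return self.default  # no rule matched: apply the default policy

    def filter(self, pkt):
        """Stateful inspection: replies to a tracked connection pass without
        a rule of their own; new connections are checked against the rules."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.state:
            return "Allow"
        decision = self.rule_decision(pkt)
        if decision == "Allow" and pkt.syn:
            self.state.add(key)
        return decision


def demo():
    """Run constructed packets through the filter; returns the decisions."""
    pf = PacketFilter(RULES)
    return [
        pf.filter(Packet("172.16.4.9", "10.10.10.25", "tcp", 40000, 80)),         # rule 1: Deny
        pf.filter(Packet("192.168.1.5", "10.10.10.25", "tcp", 40001, 80)),        # rule 2: Allow
        pf.filter(Packet("10.10.10.25", "192.168.1.5", "tcp", 80, 40001, False)),  # reply: Allow
        pf.filter(Packet("192.168.1.5", "10.10.10.25", "tcp", 40002, 23)),        # Telnet: default Deny
    ]

if __name__ == "__main__":
    print(demo())
```

Without the state table the third packet (the server's reply) would also fall to the default policy, which is why a static filter needs a separate inbound rule for every allowed outbound service.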
Packet filtering or screening routers
▪ Three subsets of packet filtering firewalls:
▪ Static filtering: requires that the filtering rules governing how the
firewall decides which packets are allowed and which are denied are
developed and installed in advance
▪ Dynamic filtering: allows the firewall to react to an emergent event
and update or create rules to deal with that event
▪ Stateful inspection firewalls: keep track of each network connection
between internal and external systems using a state table
▪ Examples: ACL, ipfilter
Packet filtering or screening routers
▪ Advantages:
▪ Simplicity
▪ Transparency to users
▪ High speed
▪ Disadvantages:
▪ Difficulty of setting up packet filter rules
▪ Lack of Authentication (IP spoofing attacks possible).

Application Gateways
▪ Frequently installed on a dedicated computer; also known as
a proxy server
▪ Since proxy server is often placed in unsecured area of the
network (e.g. DMZ), it is exposed to higher levels of risk from
less trusted networks
▪ Additional filtering routers can be implemented behind the
proxy server further protecting internal systems

Circuit Gateways
▪ Circuit gateway firewalls operate at the transport layer
▪ Like filtering firewalls, circuit gateway firewalls do not usually look
at the data traffic flowing between two networks, but they prevent direct
connections between one network and another
▪ Accomplished by creating tunnels connecting specific processes or
systems on each side of the firewall and allowing only authorized
traffic in the tunnels
▪ A circuit level gateway relays TCP connections but does no extra
processing or filtering of the protocol

MAC Layer Firewalls
▪ Designed to operate at the media access control layer of OSI
network model
▪ Able to consider specific host computer’s identity in its
filtering decisions
▪ MAC addresses of specific host computers are linked to
access control list (ACL) entries that identify specific types of
packets that can be sent to each host; all other traffic is
blocked

Types of Firewall and OSI model

Hybrid
▪ Combines elements of different types of firewalls;
i.e., elements of packet filtering and proxy services or of packet
filtering and circuit gateways
▪ Alternately, may consist of two separate firewall devices;
each a separate firewall system, but connected to work in
tandem

Based on Generation
▪ First Gen: Static packet filtering firewalls
▪ Second Gen: Application-level firewalls or proxy servers
▪ Third Gen: Stateful inspection firewalls
▪ Fourth Gen: Dynamic packet filtering firewalls; allow only packets with
particular source, destination, and port addresses to enter
▪ Fifth Gen: Kernel proxies; specialized form working under the kernel of
Windows NT

Fifth generation firewall
▪ This architecture uses dynamic, custom TCP/IP-based
stacks. These stacks are session dependent, which means
that they are constructed on-the-fly when a new session
request arrives at the firewall.
▪ Custom stacks comprise only those protocol proxies that are
relevant to the session for which they were built, which
allows customization of the level of stringency used to
evaluate all packets belonging to a single network session.
▪ e.g. Cisco Centri Firewall

Based on Structure
▪ Most firewalls are appliances: stand-alone, self-contained systems
▪ Commercial-grade firewall system consists of firewall
application software running on general-purpose computer
▪ Small office/home office (SOHO) or residential-grade
firewalls, aka broadband gateways or DSL/cable modem
routers, connect user’s local area network or a specific
computer system to Internetworking device
▪ Residential-grade firewall software is installed directly on
the user’s system

D-Link

Software vs. Hardware Debate
▪ Which firewall type should the residential user implement?
▪ Where would you rather defend against a hacker?
▪ With the software option, hacker is inside your computer
▪ With the hardware device, even if hacker manages to crash
firewall system, computer and information are still safely
behind the now disabled connection

Firewall Architectures
▪ Firewall devices can be configured in a number of network
connection architectures
▪ Configuration that works best depends on three factors:
▪ Objectives of the network
▪ Organization’s ability to develop and implement
architectures
▪ Budget available for function

Common Architecture
▪ Packet filtering routers
▪ Screened host firewalls
▪ Dual-homed firewalls
▪ Screened subnet firewalls

Packet filtering routers
▪ Most organizations with Internet connection have a router
serving as interface to Internet
▪ Many of these routers can be configured to reject packets
that organization does not allow into network
▪ Drawbacks include a lack of auditing and strong
authentication

Screened Host Firewalls
▪ Packet Filtering router + Application proxy server
▪ Allows router to prescreen packets to minimize traffic/load
on internal proxy
▪ Separate host is often referred to as bastion host; can be rich
target for external attacks and should be very thoroughly
secured

Dual-Homed Host Firewalls
▪ Bastion host contains two network interface cards (NICs):
one connected to external network, one connected to
internal network
▪ Implementation of this architecture often makes use of
network address translation (NAT), creating another barrier
to intrusion from external attackers

Screened Subnet Firewalls (with DMZ)
▪ Dominant architecture is the Screened Subnet firewall
▪ consists of two or more internal bastion hosts behind packet
filtering router, with each host protecting trusted network:
▪ Connections from outside (untrusted network) routed
through external filtering router
▪ Connections from outside (untrusted network) are
routed into and out of routing firewall to separate
network segment known as DMZ
▪ Connections into trusted internal network allowed only
from DMZ bastion host servers
Screened Subnet Firewalls (with DMZ)
▪ Screened subnet performs two functions:
▪ Protects DMZ systems and information from outside
threats
▪ Protects the internal networks by limiting how external
connections can gain access to internal systems
▪ Another facet of DMZs: extranets
▪ An extranet is a segment of DMZ where additional
authentication and authorization controls are put in place to
provide services not available to the general public.

Screened Subnet Firewalls (with DMZ)

Selecting the right firewall
When selecting firewall, consider a number of factors:
▪ Does it offer right balance between protection and cost as
per the need of organization?
▪ Which features are included in base price and which are not?
▪ Easy to setup and configure?
▪ How accessible are staff technicians who can configure the
firewall?
▪ Can firewall adapt to organization’s growing network?

Configuring and Managing Firewalls
▪ Each firewall device must have own set of configuration
rules regulating its actions
▪ Firewall policy configuration is usually complex and difficult
▪ Configuring firewall policies is both an art and a science
▪ When security rules conflict with the performance of
business, security often loses

Best Practices
▪ All traffic from trusted network is allowed out
▪ Firewall device never directly accessed from public network
▪ SMTP data allowed to pass through firewall
▪ Internet Control Message Protocol (ICMP) data denied
▪ Telnet access to internal servers should be blocked
▪ When Web services offered outside firewall, HTTP traffic
should be denied from reaching internal networks

Example of Network Configuration

External Filtering Firewall

Intrusion Detection & Prevention System (IDPS)
▪ An IDS performs a variety of functions:
▪ Auditing system configuration for vulnerabilities and
misconfiguration.
▪ Assessing the integrity of critical system and data files.
▪ Recognizing known attack patterns in system activity.
▪ Identifying abnormal activity through statistical analysis.
▪ Managing audit trails and highlighting user violation of
policy or normal activity
▪ Installing and operating traps to record information
about the intruders.
How an IPS differs from an IDS
▪ IPS can respond to a detected threat by attempting to
prevent it from succeeding. They use several response
techniques, which can be divided into the following groups:
▪ The IPS stops the attack itself.
▪ The IPS changes the security environment.
▪ The IPS changes the attack’s content.

The IPS stops the attack itself
▪ Terminates the network connection or user session that is being used
for the attack
▪ Blocks access to the target (or possibly other likely targets) from the
offending user account, IP address, or other attacker attribute
▪ Blocks all access to the targeted host, service, application, or other
resource.

IPS changes the security environment
▪ The IPS could change the configuration of other security
controls to disrupt an attack.
▪ Common examples are reconfiguring a network device (e.g.,
firewall, router, switch) to block access from the attacker or
to the target, and altering a host-based firewall on a target to
block incoming attacks.
▪ Some IPSs can even cause patches to be applied to a host if
the IPS detects that the host has vulnerabilities.

IPS changes the attack’s content
▪ Some IPS technologies can remove or replace malicious
portions of an attack to make it benign.
▪ A simple example is an IPS removing an infected file
attachment from an e-mail and then permitting the cleaned
email to reach its recipient.
▪ A more complex example is an IPS that acts as a proxy and
normalizes incoming requests, which means that the proxy
repackages the payloads of the requests, discarding header
information. This might cause certain attacks to be discarded
as part of the normalization process.

IDPS fundamentals
▪ IDPS sensors: software- or hardware-based components used to collect
and analyze network traffic.
▪ A network IDPS can be embedded in a networking device, a standalone
appliance, or a module monitoring the network traffic.
▪ A host IDPS is a server-specific agent running on a server with a
minimum of overhead to monitor the OS.
▪ IDPS management: acts as the collection point for alerts and performs
configuration and deployment services for the IDPS sensors in the
network.

Detection Techniques
▪ Signature-based detection: process of comparing signatures (patterns
that correspond to known threats) against observed events to identify
possible incidents.
▪ Anomaly-based detection: process of comparing definitions of what
activity is considered normal against observed events to identify
significant deviations.
▪ Stateful protocol analysis: process of comparing predetermined profiles
of generally accepted definitions of benign protocol activity for each
protocol state against observed events to identify deviations.
▪ Most IDPS technologies use multiple detection methods, either
separately or integrated, to provide broader and more accurate detection.
Signature-Based IDPS
▪ Examine data traffic in search of patterns that match known
signatures
▪ Widely used because most attacks have clear and distinct
signatures
▪ An attacker will try to modify a basic attack in such a way
that it will not match the known signature of that attack.
▪ As new attack strategies are identified, the signature
database must be continually updated

Statistical Anomaly-Based IDPS
▪ The statistical anomaly-based IDPS (stat IDPS) or behavior-based IDPS
samples network activity and compares it to traffic that is known to be
normal
▪ When measured activity is outside the baseline parameters or clipping
level, the IDPS triggers an alert
▪ Can detect new types of attacks
▪ Requires more overhead and processing capacity than signature-based
detection
▪ May generate many false positives
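The two detection methods from the Signature-Based and Statistical Anomaly-Based slides, run side by side over a handful of web access log lines, as an added example that is not part of the original slides. The signature database, the baseline request counts, the clipping level of mean plus three standard deviations, and the log lines are all constructed assumptions; the point is that the signature scan only catches what it has a pattern for, while the anomaly scan catches the unusual request rate but would equally flag a busy legitimate host.

```python
"""Signature-based and statistical anomaly-based detection over web access
log lines. Added example, not from the slides; the signature, baseline
counts and log lines are all constructed here for illustration.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Signature database: each pattern corresponds to a known attack.
# A variant written to avoid the pattern (e.g. encoded dots) is missed.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
}

# Baseline: requests per source per minute observed during normal operation
BASELINE_COUNTS = [4, 5, 6, 5, 4, 6, 5, 5]

# Constructed log lines: "<timestamp> <source-ip> <method> <path> <status>"
LOG = [f"2024-03-01T10:00:{i:02d} 198.51.100.7 GET /index.html 200"
       for i in range(5)]
LOG += [f"2024-03-01T10:00:{10 + i:02d} 203.0.113.9 GET /login?u=a{i} 401"
        for i in range(11)]
LOG.append("2024-03-01T10:00:25 203.0.113.9 GET /static/../../private.txt 404")


def signature_scan(lines):
    """Flag every line matching a known signature; returns (name, line) pairs."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def clipping_level(baseline, k=3.0):
    """Alert threshold: baseline mean plus k population standard deviations."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_scan(lines, baseline, k=3.0):
    """Flag sources whose request count exceeds the clipping level.

    Needs no signature, so it can catch a new attack, but a legitimate host
    that is merely busy crosses the same threshold (a false positive)."""
    level = clipping_level(baseline, k)
    per_source = Counter(line.split()[1] for line in lines)
    return {src: n for src, n in per_source.items() if n > level}


def detect(lines, baseline=BASELINE_COUNTS):
    """Combine both methods, as most IDPS products do."""
    return {"signature": signature_scan(lines),
            "anomaly": anomaly_scan(lines, baseline)}


if __name__ == "__main__":
    print(detect(LOG))
```

The eleven failed logins from 203.0.113.9 match no signature and are caught only by the rate anomaly, while the single traversal request is caught only by the signature.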

Stateful Protocol Analysis IDPS
▪ NIST SP 800-94:
▪ Stores and uses relevant data detected in a session to identify
intrusions involving multiple requests/responses; allows the IDPS to
better detect specialized, multi-session attacks (deep packet inspection)
▪ Drawbacks: analytical complexity; processing overhead; may fail to
detect an attack unless the protocol violates fundamental behavior

Types of IDPS Systems
▪ Network-Based: Monitors network traffic for network
segments or devices and analyses the network and
application protocol activity to identify suspicious activity.
▪ Wireless: Monitors wireless network traffic and analyses
it to identify suspicious activity
▪ Network Behaviour Analysis (NBA): Monitors network
traffic to identify threats that generate unusual traffic
flows, such as DDoS attacks, scanning and certain forms
of malware.
▪ Host-Based: Monitors the single host and the events
occurring within that host for suspicious activity.
Host IDS

Network IDS
Comparison of IDS

Strengths of IDPS
IDPSs perform the following functions well:
▪ Monitoring and analysis of system events and user behaviors
▪ Testing security states of system configurations
▪ Baselining security state of system and tracking changes
▪ Recognizing system event patterns matching known attacks
▪ Recognizing activity patterns that vary from normal activity
▪ Managing OS audit and logging mechanisms and data they generate
▪ Alerting appropriate staff when attacks are detected
▪ Measuring enforcement of security policies encoded in analysis engine
▪ Providing default information security policies
▪ Allowing non-security experts to perform important security monitoring
functions
Limitations of IDPS
IDPSs cannot perform the following functions:
▪ Compensate for weak/missing security mechanisms in protection
infrastructure
▪ Instantaneously detect, report and respond to an attack when there is
heavy network or processing load
▪ Detect new attacks or variants of existing attacks
▪ Effectively respond to attacks by sophisticated attackers
▪ Investigate attacks without human intervention
▪ Resist attacks intended to defeat or circumvent them
▪ Compensate for problems with fidelity of data sources
▪ Deal effectively with switched networks

Virtual Private Network
▪ Private and secure network connection between systems;
uses data communication capability of unsecured and public
network
▪ Securely extends organization’s internal network
connections to remote locations beyond trusted network
▪ Three VPN technologies defined:
▪ Trusted VPN
▪ Secure VPN
▪ Hybrid VPN (combines trusted and secure)

Functions of VPN
▪ Authentication of remote computer and (perhaps)
remote user as well
▪ Encapsulation of incoming and outgoing data
▪ Encryption of incoming and outgoing data

Transport Mode
▪ Data within IP packet is encrypted, but header info is not
▪ Allows user to establish secure link directly with remote
host, encrypting only data contents of packet
▪ Two popular uses:
▪ End-to-end transport of encrypted data
▪ Remote access worker connects to office network over
Internet by connecting to a VPN server on the perimeter

Tunnel Mode
▪ Organization establishes two perimeter tunnel servers
▪ These servers act as encryption points, encrypting all traffic
that will traverse unsecured network
▪ Primary benefit to this model is that an intercepted packet
reveals nothing about true destination system
▪ Example of tunnel mode VPN: Microsoft’s Internet Security
and Acceleration (ISA) Server
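What an interceptor on the public network can read in transport mode versus tunnel mode, as an added example that is not part of the original slides. Transport mode keeps the original IP header in the clear and encrypts only the payload; tunnel mode encrypts the whole inner packet and wraps it in a new header addressed between the two perimeter tunnel servers, so the true destination is hidden. The addresses are documentation ranges, the IPv4 header is a minimal 20-byte one, and the "cipher" is a toy XOR keystream standing in for the real VPN cipher so the example runs offline; none of that is from the slides.

```python
"""Transport mode vs tunnel mode: which packet fields stay visible.

Added example, not from the slides. toy_encrypt is a SHA-256-derived XOR
keystream used only so the example runs offline; it is a placeholder for
a real VPN cipher, not something to deploy.
"""
import hashlib
import struct
from ipaddress import ip_address

KEY = b"constructed-demo-key"   # assumed shared key for the toy cipher
IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte header, no options
ESP_PROTO = 50                  # IP protocol number used by IPsec ESP


def toy_encrypt(data, key=KEY):
    """XOR data with a SHA-256 counter keystream (its own inverse)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ipv4_header(src, dst, payload_len, proto=6):
    """Minimal IPv4 header: version/IHL, TOS, total length, id, flags,
    TTL, protocol, checksum (left 0), source, destination."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def parse_header(pkt):
    _, _, _, _, _, _, proto, _, s, d = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ip_address(s)), "dst": str(ip_address(d)), "proto": proto}


def transport_mode(src, dst, payload):
    """Header stays in the clear; only the data contents are encrypted."""
    enc = toy_encrypt(payload)
    return ipv4_header(src, dst, len(enc)) + enc


def tunnel_mode(tunnel_src, tunnel_dst, src, dst, payload):
    """Whole inner packet (header + payload) encrypted, then wrapped in an
    outer header addressed from one perimeter tunnel server to the other."""
    inner = ipv4_header(src, dst, len(payload)) + payload
    enc = toy_encrypt(inner)
    return ipv4_header(tunnel_src, tunnel_dst, len(enc), proto=ESP_PROTO) + enc


def decapsulate_tunnel(pkt):
    """Receiving tunnel server: strip outer header, decrypt, recover inner."""
    inner = toy_encrypt(pkt[20:])
    return parse_header(inner), inner[20:]


def interceptor_view(pkt, payload, true_dst):
    """What someone capturing the packet on the public network can read."""
    view = parse_header(pkt)
    view["payload_readable"] = payload in pkt
    view["true_dst_readable"] = ip_address(true_dst).packed in pkt
    return view


if __name__ == "__main__":
    p = b"GET /payroll HTTP/1.1"
    print(interceptor_view(transport_mode("192.0.2.10", "198.51.100.20", p), p, "198.51.100.20"))
    t = tunnel_mode("192.0.2.1", "198.51.100.1", "192.0.2.10", "198.51.100.20", p)
    print(interceptor_view(t, p, "198.51.100.20"), decapsulate_tunnel(t))
```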
