o Firewall Services
Static
Circuit Level
Proxy Server
Application Server
o Firewall Technologies
Static Packet Filtering
First Generation
OSI: 3
ACLs
Can filter packets based on protocols, the domain name of the
source and a few other attributes.
Circuit Level
Second Generation
OSI: 5
Monitor TCP handshaking between hosts to make sure a session is
legitimate and are used to validate whether a packet is either a connection
request, or a data packet belonging to an established connection or virtual
circuit.
Application Level
Third Generation
OSI: 3-5, 7
Proxy
Anonymous and Transparent proxy servers
A transparent proxy server passes your computer's IP address on to the
remote computer
Advantages:
Authenticate Individuals
Detect DoS
Monitor / Filter App Data
Malformed URLs
Buffer Overflow
Detailed Logging
Make IP Spoofing difficult
Limitations
Processor / Memory Intensive
Logging
Mitigated with:
Context Transfer Protocol (CXTP)
Monitor only key applications
Do not support all applications
May require client software
Manual updates for new or modified application protocols
Every protocol must have a proxy in order for the firewall to be
completely effective
Slower at passing information than other firewalls, because of the
proxy applications.
Not transparent to end users and require manual configuration of
each client computer
OSI layer flow (diagram): 3 ----> 4 ----> <---- 5 <---- 7
Dynamic Packet-Filtering / Stateful
Fourth Generation
OSI: 3-5
Dynamic Filtering
Most versatile/Common
Maintains State Table
Cisco IOS Firewall is a Stateful firewall
Creates Connection Object on:
S/D IP
S/D Port
TCP SEQ
TCP/UDP Fields
Limitations
Internal IP may be exposed
Mitigated with Proxy and NAT
No prevention of Application Layer Attacks
Not all protocols are Stateful (UDP and ICMP)
Applications that open multiple ports
User Authentication not supported
Slower than Packet-Filtering
Uses:
Primary means of Defense
Cost Effective
Defense against DoS and Spoofing
Allowing only connections in table
o Other:
Transparent Firewalls
L2
Can run in single and multiple context
Bridged from one VLAN to other instead of routing
MAC lookups are used rather than routing tables
o Application Inspection Firewalls / DPI
Aware of L4 and L5 connection states
Check conformity of application commands on L5
Check and affect L7 (Java, P2P)
Prevents more types of attacks than stateful
Uses NAT
Monitors sessions for secondary port numbers
Inspection Behavior
Transport Layer: Acts like a stateful firewall by examining information in
the headers of Layer 3 packets and Layer 4 segments. The application inspection
firewall looks at the TCP header for SYN, RST, ACK, FIN, and other control codes
to determine the state of the connection, for example.
Session Layer: Checks the conformity of commands within a known
protocol. For example, when it checks Simple Mail Transfer Protocol (SMTP), only
acceptable message types on Layer 5 are allowed (DATA, HELO, MAIL, NOOP,
QUIT, RCPT, RSET). It also checks whether the command attributes that are used
conform to the internal rules.
Application Layer: Rarely supported. Application layer firewalls may
provide protocol support for HTTP, and they can determine whether the content is
really an HTML website or a tunneled application. If it were a tunneled application,
the application inspection firewall would block the content or terminate the
connection.
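The stateful connection table (Dynamic Packet-Filtering above) and the Transport/Session Layer inspection behavior just described, as an added example that is not part of these notes: a toy inspector that creates a connection object on S/D IP and S/D port, tracks the TCP handshake, permits only data belonging to an established connection, and on port 25 allows only the SMTP verbs the notes list. The packets, hosts and the PERMITTED_DPORTS policy are constructed for the demo.

```python
from dataclasses import dataclass
ALLOWED_SMTP = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}  # from the notes
PERMITTED_DPORTS = {25, 80}  # hypothetical policy: inside hosts may only open to these

@dataclass(frozen=True)
class Packet:
    src: str; dst: str
    sport: int; dport: int
    flags: frozenset          # TCP control bits, e.g. frozenset({"SYN", "ACK"})
    payload: str = ""

class StatefulInspector:
    def __init__(self):
        self.table = {}  # (src, dst, sport, dport) -> SYN_SENT | SYN_RECV | ESTABLISHED
    def inspect(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if p.flags & {"FIN", "RST"}:            # close: remove the connection object
            known = fwd in self.table or rev in self.table
            self.table.pop(fwd, None); self.table.pop(rev, None)
            return "permit" if known else "deny"
        if "SYN" in p.flags and "ACK" not in p.flags:   # connection request
            if p.dport not in PERMITTED_DPORTS: return "deny"
            self.table[fwd] = "SYN_SENT"
            return "permit"
        if "SYN" in p.flags:                    # SYN/ACK must answer a request we saw
            if self.table.get(rev) != "SYN_SENT": return "deny"
            self.table[rev] = "SYN_RECV"
            return "permit"
        if self.table.get(fwd) == "SYN_RECV":   # client's final handshake ACK
            self.table[fwd] = "ESTABLISHED"
        if "ESTABLISHED" not in (self.table.get(fwd), self.table.get(rev)):
            return "deny"                       # data not belonging to any connection
        if fwd in self.table and p.dport == 25 and p.payload.split():  # Layer 5: SMTP verbs
            if p.payload.split()[0].upper() not in ALLOWED_SMTP:
                del self.table[fwd]             # non-conforming command: terminate
                return "deny"
        return "permit"

def run_demo():  # constructed session: handshake, banner, HELO, then tunneled HTTP
    fw, c, s = StatefulInspector(), "10.0.0.5", "192.0.2.10"
    pkts = [Packet(c, s, 40000, 25, frozenset({"SYN"})),
            Packet(s, c, 25, 40000, frozenset({"SYN", "ACK"})),
            Packet(c, s, 40000, 25, frozenset({"ACK"})),
            Packet(s, c, 25, 40000, frozenset({"ACK"}), "220 mail ready"),
            Packet(c, s, 40000, 25, frozenset({"ACK"}), "HELO client.example"),
            Packet(c, s, 40000, 25, frozenset({"ACK"}), "GET / HTTP/1.1"),
            Packet(c, s, 40000, 25, frozenset({"ACK"}), "MAIL FROM:<a@b.example>"),
            Packet("203.0.113.9", c, 4444, 40001, frozenset({"ACK"}), "x")]
    return [fw.inspect(p) for p in pkts]
```

The first five packets are permitted; the tunneled HTTP request is denied and tears the session down, so the following MAIL command and the unrelated packet with no table entry are denied too.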
Limitations
Few inspection engines currently available that support L7 content
Alone, does not support User authentication
Increased operating costs due to increased processor/memory
requirements
Common Firewalls can't run
Uses:
Secondary means of defense
More stringent control over security than stateful filtering
o Zone-Based Firewall
Includes
Stateful Inspection
URL Filtering
IOS 12.4(6)T
Does not include:
Authentication Proxy
IPv6 Stateful Inspection
Supports Application Inspection for:
IM, POP3, SMTP, HTTP, SunRPC, IMAP