
Introduction to Firewall Technology

Lecture 5, 12th March 2012

4/17/12

Outline

What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
DMZ
VPN


What is a Firewall?

A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a

Acts as a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
Tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control)

[Diagram: Internet, Gateway, Corporate Network, Corporate Site]

Firewall Rules

Allow: traffic that flows automatically because it has been deemed safe (e.g. Meeting Maker, Eudora)
Block: traffic that is blocked because it has been deemed dangerous to your computer
Ask: asks the user whether or not the traffic is allowed to pass through

Hardware vs. Software Firewalls

Hardware Firewalls

Protect an entire network
Implemented at the router level
Usually more expensive, harder to configure

Software Firewalls

Protect a single computer
Usually less expensive, easier to configure

Rules Determine

WHO? WHEN? WHAT? HOW?

[Diagram: INTERNET, Firewall, Protected Network]

Firewall goals

All traffic from outside to inside and vice versa passes through the firewall
Only authorized traffic, as defined by local security policy, will be allowed to pass
The firewall itself is immune to penetration

Why an organization needs a firewall

Protection from vulnerable services
Controlled access to site systems
Concentrated security
Enhanced privacy
Logging and statistics on network use and misuse
Policy enforcement

Protection Methods

Packet Filtering

Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts

Network Address Translation (NAT)

Translates the addresses of internal hosts so as to hide them from the outside world
Also known as IP masquerading

Proxy Services

Makes high-level, application-level connections to external hosts on behalf of internal hosts, completely breaking the network connection between internal and external hosts

Other common Firewall Services

Encrypted Authentication

Users on the external network are authenticated by the firewall to gain access to the private network

Virtual Private Networking

Establishes a secure connection between two private networks over a public network
This allows the use of the Internet as a connection medium rather than an expensive leased line

Additional services sometimes provided

Virus Scanning

Searches incoming data streams for virus signatures so they may be blocked
Done by subscription to stay current (McAfee / Norton)

Content Filtering

Allows the blocking of internal users from certain types of content
Usually an add-on to a proxy server
Usually a separate subscription service

NAT

Network Address Translation (NAT) is simply that: it takes a network address and translates it to another network address. The image (next slide) shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT.
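As an added example (not from the slides), a small Python model of the NAT router described above: several inside hosts share one public address, each outbound flow gets its own public port, and a reply that no inside host asked for has no mapping and is dropped. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example of the behaviour the slide describes: several inside hosts
# share one public address. The router rewrites the source of each outbound
# packet to its own address and a port it allocates, remembers the mapping, and
# uses it to rewrite replies. Addresses are made-up documentation (RFC 5737/1918).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

# (inside address, inside port, outside address, outside port)
Flow = Tuple[str, int, str, int]

class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow: Dict[Flow, int] = {}    # inside flow -> allocated public port
        self.by_port: Dict[int, Flow] = {}    # allocated public port -> inside flow

    def translate_out(self, p: Packet) -> Packet:
        """Rewrite an outbound packet so it appears to come from the public address."""
        flow = (p.src, p.sport, p.dst, p.dport)
        port = self.by_flow.get(flow)
        if port is None:                       # first packet of this flow: allocate
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, p.dst, port, p.dport)

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the inside host, or return None to drop it."""
        flow = self.by_port.get(p.dport)
        if flow is None or (flow[2], flow[3]) != (p.src, p.sport):
            return None   # no inside host asked for this: inside addresses stay hidden
        inside_ip, inside_port, _, _ = flow
        return Packet(p.src, inside_ip, p.sport, inside_port)
```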

Types of Firewalls
Stateful Inspection
Application Gateways
Circuit Gateways
Packet Filter

[Diagram: the types arranged along a "Stage of Evolution" axis]

Packet Filters

Packets examined at the network layer
Useful first line of defense, commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers

[Diagram: OSI layer stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) of the two end hosts and the packet filter; the filter works at the Network layer]

Packet filters usually permit or deny network traffic based on:

Source and destination IP addresses
Protocol, such as TCP, UDP, or ICMP
Source and destination ports and ICMP types and codes
Flags in the TCP header, such as whether the packet is a connect request
Direction (inbound or outbound)

Work at the network level: a data packet is compared to a set of criteria before it is forwarded
Advantages: low cost, low impact on network performance
Disadvantages: does not
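An added example, not part of the lecture slides: a Python model of a packet filter that decides on exactly the fields listed above (addresses, protocol, ports, TCP flags, ICMP type, direction), first match wins. The third rule shows the compromise a stateless filter has to make: any inbound TCP packet that is not a connect request is assumed to be a reply. Policy, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed example: a first-match packet filter deciding on the header fields
# named on the slide. Addresses are made-up documentation (RFC 5737) ranges.
@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = Internet -> protected network, "out" = reverse
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False       # TCP SYN flag
    ack: bool = False       # TCP ACK flag
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"  # CIDR; 0.0.0.0/0 matches every IPv4 address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    connect_request: Optional[bool] = None   # True: SYN set and ACK clear
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction) or self.proto not in ("any", p.proto):
            return False
        for addr, net in ((p.src, self.src), (p.dst, self.dst)):
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        if self.connect_request is not None and (
                p.proto != "tcp" or (p.syn and not p.ack) != self.connect_request):
            return False
        return self.dport in (None, p.dport) and self.icmp_type in (None, p.icmp_type)
# Policy: only the web server accepts new inbound connections; other inbound TCP
# passes only when it is not a connect request, i.e. when it looks like a reply.
RULES: List[Rule] = [
    Rule("permit", "in", "tcp", dst="192.0.2.10/32", dport=80),
    Rule("deny", "in", "tcp", connect_request=True),
    Rule("permit", "in", "tcp", connect_request=False),
    Rule("permit", "in", "icmp", icmp_type=0),   # echo replies only
    Rule("permit", "out"),
]
def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    # First matching rule wins; unmatched traffic is denied by default.
    return next((r.action for r in rules if r.matches(p)), "deny")
```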

Limitations of Packet Filters

IP addresses of hosts on the protected side of the filter can be readily determined by observing the packet traffic on the unprotected side of the filter
Filters cannot check all of the fragments of higher-level protocols (like TCP), as the TCP header information is only available in the first fragment
Modern firewalls reconstruct fragments and then check them
Filters are not sophisticated enough to check the validity of the application-level protocols embedded in the TCP packets

Circuit level Gateways

Work at the session layer
Monitor TCP handshaking between packets to determine whether a requested session is legitimate
Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway
Advantages: relatively inexpensive, hiding information about the private

Application Gateway or Proxy

Packets examined at the application layer
Application/content filtering possible: prevent FTP put commands, for example
Modest performance
Scalability limited

[Diagram: OSI layer stacks of the two end hosts and the application gateway; packets examined at the Application layer]

Application Gateway or Proxy

Work at the application layer
Incoming or outgoing packets cannot access services for which there is no proxy
Filter application-specific commands
Can also be used to log user activity and logins
Advantages: a high level of security
Disadvantages: having a significant

Advantages and disadvantages of proxy gateways

Advantages

Proxy GWs can log all connections and activity in connections
Proxy GWs can provide caching
Proxy GWs can do intelligent filtering based on content
Proxy GWs can perform user-level authentication

Disadvantages

Not all services have proxied versions
May need a different proxy server for each service
Requires modification of the client
Performance may be compromised

Stateful Inspection

Packets inspected between the data link layer and the network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point

[Diagram: the INSPECT Engine sits between the Data Link and Network layers of the firewall's protocol stack and consults Dynamic State Tables]

[Diagrams only: Stateful Filtering; Stateful Inspection]

Stateful Inspection

Stateful (multilayer) inspection firewalls

Work at the application, session and network layers
They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer
They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application-level gateways; they can also be used to log user activity and logins
They rely on algorithms to recognize and process application-layer data instead of
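An added example (not from the slides) of the state table that gives stateful inspection its name, in Python: TCP connections are keyed by their addresses and ports, an outbound connect request creates an entry, and inbound packets are permitted only when they belong to a tracked connection and arrive at the step the handshake expects, so an inbound packet no inside host asked for is denied whatever its flags say. Addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple
# Constructed example of stateful inspection for TCP: outbound connect requests
# create state-table entries; inbound packets pass only if they match a tracked
# connection at the expected handshake step. Addresses are RFC 5737 examples.
@dataclass(frozen=True)
class TcpPacket:
    direction: str   # "out" = protected network -> Internet, "in" = reverse
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

# Both directions of one connection map to the same key:
# (inside address, inside port, outside address, outside port)
Key = Tuple[str, int, str, int]

class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # connection key -> state

    @staticmethod
    def _key(p: TcpPacket) -> Key:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def check(self, p: TcpPacket) -> str:
        key = self._key(p)
        state = self.table.get(key)
        if p.direction == "out":
            if state is None:
                if p.syn and not p.ack:          # new connection from inside
                    self.table[key] = "SYN_SENT"
                    return "permit"
                return "deny"                    # outbound packet with no connection
            if state == "SYN_RECEIVED" and p.ack and not p.syn:
                self.table[key] = "ESTABLISHED"  # third step of the handshake
            return "permit"
        if state is None:
            return "deny"                        # unsolicited inbound, whatever its flags
        if state == "ESTABLISHED":
            return "permit"
        if p.syn and p.ack:                      # the SYN/ACK the inside host awaits
            self.table[key] = "SYN_RECEIVED"
            return "permit"
        return "deny"                            # out-of-sequence handshake packet
```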
