4/17/12
Outline
What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
DMZ
VPN
What is a Firewall?
A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a ...
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
Tracks and controls network communications
[Diagram: the firewall sits between the Internet and the Corporate Site]
Firewall Rules
Allow: traffic that flows automatically because it has been deemed safe (e.g. Meeting Maker, Eudora)
Block: traffic that is blocked because it has been deemed dangerous to your computer
Ask: the user is asked whether or not the traffic is allowed to pass through
Hardware Firewalls
Protect an entire network
Implemented at the router level
Usually more expensive, harder to configure
Software Firewalls
Protect a single computer
[Diagram: rules determine which traffic passes between the INTERNET, the Firewall and the Protected Network]
Firewall goals
All traffic from outside to inside and vice-versa passes through the firewall
Only authorized traffic, as defined by local security policy, will be allowed to pass
The firewall itself is immune to penetration
Protection from vulnerable services
Controlled access to site systems
Concentrated security
Enhanced privacy
Logging and statistics on network use and misuse
Policy enforcement
Protection Methods
Packet Filtering
Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
Network Address Translation (NAT)
Translates the addresses of internal hosts so as to hide them from the outside world
Also known as IP masquerading
Proxy Services
Makes high-level, application-level connections to external hosts on behalf of internal hosts, completely breaking the network connection between internal and external hosts
Encrypted Authentication
Users on the external network are authenticated by the firewall to gain access to the private network
Virtual Private Networking (VPN)
Establishes a secure connection between two private networks over a public network
This allows the use of the Internet as a connection medium rather than an expensive leased line
Virus Scanning
Searches incoming data streams for virus signatures so they may be blocked
Done by subscription to stay current (e.g. McAfee / Norton)
Content Filtering
NAT
Network Address Translation (NAT) simply takes a network address and translates it to another network address. The image (next slide) shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT.
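The address sharing the slide describes, as an added example that is not from the original slides: a minimal port-based NAT table in Python with constructed RFC 1918/5737 addresses. Outbound packets from three private hosts are rewritten to one public IP with distinct ports, replies are mapped back through the table, and inbound packets with no table entry are dropped, which is what hides the internal hosts from the outside world.

```python
from dataclasses import dataclass, replace

# Constructed sample public address (RFC 5737 range), not from the slides.
PUBLIC_IP = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-based NAT (IP masquerading): many private hosts share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            # Allocate a fresh public port so the reply can be matched back.
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt: Packet):
        """Map a reply back to the private host, or return None to drop it.

        Unsolicited inbound packets have no table entry, so they never
        reach an internal host; this is the hiding effect of NAT.
        """
        key = self.in_map.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        private_ip, private_port = key
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)
```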
Types of Firewalls
[Diagram: types of firewalls by stage of evolution (Stateful Inspection)]
Packet Filters
Packets examined at the network layer
Useful first line of defense, commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers
Filtering criteria:
Source and destination IP addresses
Protocol, such as TCP, UDP, or ICMP
Source and destination ports and ICMP types and codes
Flags in the TCP header, such as whether the packet is a connect request
Direction (inbound or outbound)
Work at the network level. A data packet is compared to a set of criteria before it is forwarded.
Advantages: low cost, low impact on network performance
Disadvantages: does not ...
IP addresses of hosts on the protected side of the filter can be readily determined by observing the packet traffic on the unprotected side of the filter
Filters cannot check all of the fragments of higher level protocols (like TCP), as the TCP header information is only available in the first fragment
Filters are not sophisticated enough to check the validity of the application level protocols embedded in the TCP packets
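An added example, not part of the original slides, of a stateless packet filter built on the criteria listed above, with constructed addresses and a hypothetical policy. The first matching rule wins, a reply-looking packet is trusted purely on its TCP flag, and a later fragment carries no TCP header so port and flag rules cannot be checked against it; dropping such fragments is the default here as the mitigation for the weakness the slide describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example addresses (RFC 1918 / 5737); not from the slides.


@dataclass
class Packet:
    direction: str                # "in" or "out"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None on later fragments (no TCP header)
    syn: bool = False             # TCP connect request flag
    frag_offset: int = 0          # > 0 means not the first fragment


@dataclass
class Rule:
    action: str                   # "accept" or "reject"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None     # exact address or prefix such as "10.0.0."
    dport: Optional[int] = None
    syn: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        wanted = [(self.direction, p.direction), (self.proto, p.proto),
                  (self.dport, p.dport), (self.syn, p.syn)]
        if any(w is not None and w != got for w, got in wanted):
            return False
        return self.dst is None or p.dst.startswith(self.dst)


def decide(rules, p: Packet, drop_later_fragments: bool = True) -> str:
    """First matching rule wins; unmatched packets are rejected."""
    # A later fragment has no TCP header, so port and flag criteria cannot
    # be evaluated for it. Dropping such fragments is the usual mitigation.
    if p.frag_offset > 0 and drop_later_fragments:
        return "reject"
    for r in rules:
        if r.matches(p):
            return r.action
    return "reject"


# Hypothetical policy: inbound connects only to the web server; any other
# inbound TCP must look like a reply (no SYN); all outbound traffic allowed.
RULES = [
    Rule("accept", direction="in", proto="tcp", dst="10.0.0.5", dport=80),
    Rule("reject", direction="in", proto="tcp", syn=True),
    Rule("accept", direction="in", proto="tcp", dst="10.0.0.", syn=False),
    Rule("accept", direction="out"),
]
```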
Circuit Level Gateways
Work at the session layer
Monitor TCP handshaking between packets to determine whether a requested session is legitimate
Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway
Advantages: relatively inexpensive, hiding information about the private ...
Application Level Gateways
Packets examined at the application layer
Application/content filtering possible (prevent FTP put commands, for example)
Modest performance
Scalability limited
Work at the application layer
Incoming or outgoing packets cannot access services for which there is no proxy
Filter application-specific commands
Can also be used to log user activity and logins
Advantages: a high level of security
Proxy GWs can log all connections and all activity in connections
Proxy GWs can provide caching
Proxy GWs can do intelligent filtering based on content
Proxy GWs can perform user-level authentication
Disadvantages
Not all services have proxied versions
May need a different proxy server for each service
Requires modification of the client
Stateful Inspection
Packets are inspected between the data link layer and the network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
[Diagram: the INSPECT Engine sits between the Data Link and Network layers of the OSI stack (Physical, Data Link, Network, Transport, Sessions, Presentations, Applications)]
[Diagram: Stateful Filtering]
[Diagram: Stateful Inspection]
Stateful Inspection
Stateful inspection firewalls work at the application, session and network layers. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways; they can also be used to log user activity and logins. They rely on algorithms to recognize and process application layer data instead of ...
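An added example, not from the original slides, that serves both the circuit level gateway's TCP handshake monitoring and the stateful inspection slides: a state table keyed on the connection tuple, with constructed addresses and a state machine simplified to the SYN / SYN-ACK / ACK handshake plus FIN/RST teardown. Only an outbound connect request opens an entry, the SYN/ACK and final ACK move it to ESTABLISHED, and any inbound segment with no connection context is rejected, including a bare ACK "reply" that a stateless filter would accept on its flag alone.

```python
from dataclasses import dataclass

# Constructed sample addresses; the state machine is deliberately simplified.

@dataclass(frozen=True)
class Segment:
    direction: str   # "out" = from the protected network, "in" = from outside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    def __init__(self):
        # State table: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    @staticmethod
    def _key(s: Segment):
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def inspect(self, s: Segment) -> str:
        key = self._key(s)
        state = self.table.get(key)
        if state is None:
            # Only an outbound connect request (SYN without ACK) opens an entry.
            if s.direction == "out" and s.syn and not s.ack:
                self.table[key] = "SYN_SENT"
                return "accept"
            return "reject"   # no connection context: drop
        if s.rst or s.fin:
            del self.table[key]   # simplified teardown: stop tracking the flow
            return "accept"
        if state == "SYN_SENT":
            if s.direction == "in" and s.syn and s.ack:
                self.table[key] = "SYN_RECEIVED"
                return "accept"
            return "reject"
        if state == "SYN_RECEIVED":
            if s.direction == "out" and s.ack and not s.syn:
                self.table[key] = "ESTABLISHED"
                return "accept"
            return "reject"
        return "reject" if s.syn else "accept"   # ESTABLISHED: data both ways
```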