Chapter 6 - Firewalls
1. Firewalls
It prevents specific types of information from moving between the outside world, known
as the untrusted network (Internet), and the inside world, known as the trusted network
(intranet)
Firewall Architectures
3 factors
1. the objectives of the network
2. the organization’s ability to develop and implement the architectures
3. the budget available for the function
4 common architectural implementations
Packet filtering routers
Normally a router between the organization’s internal network and
the external network provider
Rejects packets that the organization does not want
Screened host firewalls
Bastion host or sacrificial host
A separate machine dedicated as the firewall
Better security because a break-in requires compromising 2 machines
Dual-homed firewalls
Host contains 2 Network Interface Cards (NIC) interfaces
One is connected to the internal network and one to the external
network
Uses NAT most of the time
Translation between many different protocols
Ethernet
Token Ring
Fiber Distributed Data Interface (FDDI)
Asynchronous Transfer Mode (ATM)
Screened subnet firewalls (with DMZ)
It provides a filtering router that protects the DMZ, which contains a
bunch of proxy servers that sit behind another filtering router protecting
the trusted network. This way the DMZ becomes one level of protection and
the proxy server serves as another
SOCKS Servers
SOCKS is the protocol for handling TCP traffic through a proxy
server
It is a proprietary circuit-level proxy server that places special
SOCKS client-side agents on each workstation
This places the filtering device on the workstation instead of having
a single point of defense and single point of failure
Selecting the right firewall
Factors and questions to consider
1. What type of firewall technology offers the right balance between
protection and cost for the needs of the organization?
2. What features are included in the base price? What features are
available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are
the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target
organization?
Cost is the second most important issue
Configuring and managing firewalls
Each device should have its own set of rules that regulate its actions
Best practices for firewalls
All traffic from trusted network is allowed out
Firewall is never directly accessible from the public network for configuration and
management purposes
Simple Mail Transfer Protocol (SMTP) data is allowed through
All Internet Control Message Protocol (ICMP) data is denied (ping)
Telnet access to internal network from public is denied
HTTP traffic should use some form of proxy or DMZ architecture
Firewall rules
SA (source address) SP (source port) DA (destination address) DP (destination port) Action
Rule set 1
Any Any 10.10.10.0 >1023 Allow
Any packet headed for the internal network with a destination port of 1024 or
greater can come in. Responses to internal requests are allowed
Rule set 2
Any Any 10.10.10.1 Any Deny
Any Any 10.10.10.2 Any Deny
10.10.10.1 Any Any Any Deny
10.10.10.2 Any Any Any Deny
Stops all traffic to the firewall from the internal or external networks. This
means you must sit at the console to access the firewall itself. The firewall
device itself is never accessible directly from the public network
Rule set 3
10.10.10.0 Any Any Any Allow
All traffic from the trusted network is allowed out
Rule set 4
Any Any 10.10.10.6 25 Allow
All Simple Mail Transfer Protocol (SMTP) packets are allowed in but are
routed to a well-configured SMTP gateway, which is 10.10.10.6
Rule set 5
10.10.10.0 Any Any 7 Allow
Any Any 10.10.10.0 7 Deny
All Internet Control Message Protocol (ICMP) data (ping requests) is denied
Rule set 6
10.10.10.0 Any 10.10.10.0 23 Allow
Any Any 10.10.10.0 23 Deny
Telnet access to all internal servers from public network should be blocked.
Note telnet is sometimes allowed from internal for OA&M
Rule set 7a
Any Any 10.10.10.4 80 Allow
Allows all HTTP traffic to get to the Web server 10.10.10.4
Rule set 7b
Any Any 10.10.10.5 80 Allow
Allows all HTTP traffic to go to proxy server
Rule set 7c
10.10.10.5 80 192.168.2.4 80 Allow
Allows all HTTP traffic to go from the proxy server to the internal Web
server 192.168.2.4
Rule set 8
Any Any Any Any Deny
The cleanup rule. Deny everything that does not fit one of the rules above
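As an added illustration (not part of the notes or the textbook they summarize), a small first-match evaluator over the rule sets above, using the proxy variant (7b/7c). It assumes "10.10.10.0" in the tables stands for the whole internal /24, and it also shows why rule order matters: if rule set 1 is evaluated before rule set 2, a high-port packet aimed at the firewall address 10.10.10.1 is allowed, so the self-protection rules must come first.

```python
import ipaddress

# Assumption: "10.10.10.0" in the notes denotes the entire internal subnet.
INTERNAL = ipaddress.ip_network("10.10.10.0/24")

def _addr_ok(pattern, addr):
    """Match an address column: Any, the internal network, or one host."""
    if pattern == "Any":
        return True
    if pattern == "10.10.10.0":
        return ipaddress.ip_address(addr) in INTERNAL
    return addr == pattern

def _port_ok(pattern, port):
    """Match a port column: Any, a single port, or a '>N' range."""
    if pattern == "Any":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)

def decide(rules, src, sport, dst, dport):
    """First match wins; returns (action, rule set name). Cleanup rule is last."""
    for name, rsrc, rsp, rdst, rdp, action in rules:
        if (_addr_ok(rsrc, src) and _port_ok(rsp, sport)
                and _addr_ok(rdst, dst) and _port_ok(rdp, dport)):
            return action, name
    return "Deny", "implicit"   # only reached if the cleanup rule is missing

# Rows copied from the rule sets in the notes: (set, SA, SP, DA, DP, Action)
SET1 = [("1", "Any", "Any", "10.10.10.0", ">1023", "Allow")]
SET2 = [("2", "Any", "Any", "10.10.10.1", "Any", "Deny"),
        ("2", "Any", "Any", "10.10.10.2", "Any", "Deny"),
        ("2", "10.10.10.1", "Any", "Any", "Any", "Deny"),
        ("2", "10.10.10.2", "Any", "Any", "Any", "Deny")]
REST = [("3", "10.10.10.0", "Any", "Any", "Any", "Allow"),
        ("4", "Any", "Any", "10.10.10.6", "25", "Allow"),
        ("5", "10.10.10.0", "Any", "Any", "7", "Allow"),
        ("5", "Any", "Any", "10.10.10.0", "7", "Deny"),
        ("6", "10.10.10.0", "Any", "10.10.10.0", "23", "Allow"),
        ("6", "Any", "Any", "10.10.10.0", "23", "Deny"),
        ("7b", "Any", "Any", "10.10.10.5", "80", "Allow"),
        ("7c", "10.10.10.5", "80", "192.168.2.4", "80", "Allow"),
        ("8", "Any", "Any", "Any", "Any", "Deny")]

AS_LISTED = SET1 + SET2 + REST       # order in which the notes present the sets
FIREWALL_FIRST = SET2 + SET1 + REST  # firewall self-protection hoisted above set 1
```

The external addresses used in the checks (203.0.113.x, 93.184.216.34) are constructed sample values.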
Content filters
It is a software filter, technically not a firewall, which allows administrators to
restrict access to content from within a network
Also known as reverse firewalls because their primary focus is to restrict internal
access to external material
Dial-Up
This is networking that uses a regular phone line
War dialer
It is an automatic phone dialing program that dials every phone number
within a range, such as 732.566.1000 to 732.566.5000. It basically checks for a
modem to answer and when one does it makes a note of it
RADIUS and TACACS
These are systems that authenticate the credentials of users who are trying to
access an organization’s network via a dial-up connection
Sesame
It is the same as Kerberos except the user receives a token
The token is presented to gain access to the systems via Privilege Attribute
Certificate (PAC)
Trusted VPN
Uses leased circuits from a service provider and conducts packet switching over
these circuits. Must trust the service provider
Secure VPN
Uses security protocols and encrypts traffic transmitted across unsecured public
networks like the Internet
Hybrid VPN
Combines the two above
Encapsulation
One packet is put in the frames of another during transmission
Encryption
Keeps contents private while transmitting over public network
Authentication
Must check that the user is really who they claim to be
Transport mode
The data part of the IP packet is encrypted but not the header
2 main uses
End-to-end transport of encrypted data
Remote access worker gets on to company network and is allowed to work
as if they were part of the LAN at work
Tunnel mode
The entire packet is encrypted between the 2 tunnel servers that send the
packet over the unsecured part of the network. The tunnel servers are not the
final destination, so if the packet is captured the true destination is never known
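As an added example (not from the notes), a small model of the transport-mode and tunnel-mode distinction described above. Addresses are constructed sample values, and the XOR keystream is only an illustrative stand-in for a real VPN cipher; the point is what an observer on the untrusted network can read from the outer header in each mode.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes   # cleartext or ciphertext, depending on mode

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative only: XOR with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def serialize(pkt: Packet) -> bytes:
    """Flatten header + data so the whole packet can be encrypted as one unit."""
    return pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload

def parse(raw: bytes) -> Packet:
    src, dst, payload = raw.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)

def transport_mode(pkt: Packet, key: bytes) -> Packet:
    """Only the data part is encrypted; the original header stays readable."""
    return Packet(pkt.src, pkt.dst, _keystream_xor(key, pkt.payload))

def tunnel_mode(pkt: Packet, key: bytes, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Whole original packet is encrypted and wrapped in a new header whose
    addresses are the two tunnel servers, hiding the true destination."""
    return Packet(tunnel_src, tunnel_dst, _keystream_xor(key, serialize(pkt)))

def tunnel_decapsulate(outer: Packet, key: bytes) -> Packet:
    """The far tunnel server decrypts and restores the original packet."""
    return parse(_keystream_xor(key, outer.payload))

def visible_destination(pkt: Packet) -> str:
    """What a capture on the unsecured network shows as the destination."""
    return pkt.dst
```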