March 2000
Welcome to Introduction to Firewall Essentials

Course Map
Firewall Essentials, Unit I
Chapter 1: What is a Firewall?
Chapter 2: Types of Firewalls
Chapter 3: How Firewalls Work
Firewall Essentials, Unit II
Chapter 1: The Need for a Firewall
Chapter 2: Security Hazards
Firewall Essentials, Unit III
Chapter 1: Firewall Features
Chapter 2: Security Policies
Open Discussion
Unit I - Chapter 1: What is a Firewall?

Securing a Network
[Diagram: router, firewall, and a second firewall in front of a restricted network]

Communicating Across a Network
Network packet (level 3)
Network session (level 7)

Network Packet
[Diagram: two LANs, one with hosts 204.32.38.102 and 204.32.38.103 and one with hosts 192.38.1.1 to 192.38.1.4; a packet addressed "To: 204.32.38.102" travels between them]
Mailing a Letter

Network Session
Access Control
Authentication
Activity Logging
Other Firewall Services
Access Control
Proxy Applications
Virus Scanning
Address Mapping
Virtual Private Networks (VPN)
Firewall Administration
Interfaces
Most prominent
Easier to use
Less prone to errors
Actual Security Provided
[Diagram residue: application level, DROP, Network 2]

Application-level Gateway Firewall
Does not allow packets to pass directly between networks
Original connections are made to a proxy on the firewall
Requires a separate application for each network service (TELNET, FTP, E-mail, WWW)
[Diagram: Application-Level Gateway Firewall, with the proxy at the application level above the kernel level, and Network 2 on the far side]
Stateful Packet Filtering
Communication information: information from all seven layers of the packet

Stateful Inspection
Communication-derived state: state information derived from previous communications
Application-derived state: state information derived from other applications
Information manipulation: evaluation of flexible expressions based on the following: communication information, communication-derived state, application-derived state
Check Point's FireWall-1 Stateful Inspection
[Diagram: OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) on each side of the firewall; the firewall's Inspect Engine consults dynamic state tables]
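A toy stateful inspection engine, added here as an example (it is not Check Point's code and not material from the course), showing the two kinds of state the slides distinguish: communication-derived state (a table of sessions the internal side opened, against which reply packets are checked) and application-derived state (the engine reads an FTP control channel for a PORT command and admits the one inbound data connection it announces). The internal prefix, the addresses, ports and packet sequence are constructed sample values; the Packet and StatefulInspector names are the example's own.

```python
"""Toy stateful inspection engine (added example; not FireWall-1 code).

Communication-derived state: a table of connections seen so far, so that
reply packets are admitted only when they belong to a session the internal
side opened.
Application-derived state: the payload of an FTP control session is read for
a PORT command, and the data connection the client asked for is recorded so
that exactly that inbound connection can be admitted without a static
"allow inbound FTP data" rule.
All addresses, ports and packets below are constructed sample values.
"""
from dataclasses import dataclass, field
import re

INTERNAL_NET = "10.1.1."          # constructed: prefix of the protected LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""               # "S" for a TCP SYN, "" otherwise
    payload: str = ""


@dataclass
class StatefulInspector:
    # communication-derived state: (client, cport, server, sport) tuples
    sessions: set = field(default_factory=set)
    # application-derived state: (host, port) pairs an FTP client announced
    # with "PORT h1,h2,h3,h4,p1,p2" and therefore expects a connection to
    expected: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # 1. Part of a known session (either direction): pass, and keep
        #    reading the application data of FTP control channels.
        if key in self.sessions or reverse in self.sessions:
            if pkt.dport == 21:
                self._learn_ftp_port(pkt)
            return "Pass"

        # 2. A new connection opened from inside: record it and pass it.
        if pkt.src.startswith(INTERNAL_NET) and "S" in pkt.flags:
            self.sessions.add(key)
            return "Pass"

        # 3. A new inbound connection that an FTP client asked for
        #    (the server connects to the announced client port).
        if "S" in pkt.flags and (pkt.dst, pkt.dport) in self.expected:
            self.expected.discard((pkt.dst, pkt.dport))
            self.sessions.add(key)
            return "Pass"

        # 4. Anything else arriving from outside is unsolicited.
        return "Drop"

    def _learn_ftp_port(self, pkt: Packet) -> None:
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def run_sample() -> list:
    """Feed a constructed packet sequence through the engine; return the verdicts."""
    fw = StatefulInspector()
    seq = [
        # unsolicited inbound SYN from the Internet: no state -> dropped
        Packet("198.51.100.7", 40000, "10.1.1.5", 23, flags="S"),
        # internal client opens an FTP control channel to an outside server
        Packet("10.1.1.5", 50001, "198.51.100.7", 21, flags="S"),
        # the server's reply belongs to the recorded session
        Packet("198.51.100.7", 21, "10.1.1.5", 50001),
        # client announces a data port: 10.1.1.5, port 4*256+1 = 1025
        Packet("10.1.1.5", 50001, "198.51.100.7", 21, payload="PORT 10,1,1,5,4,1\r\n"),
        # server connects to that port: admitted via application-derived state
        Packet("198.51.100.7", 20, "10.1.1.5", 1025, flags="S"),
        # same server tries a port it was never told about -> dropped
        Packet("198.51.100.7", 20, "10.1.1.5", 1026, flags="S"),
    ]
    return [fw.inspect(p) for p in seq]


if __name__ == "__main__":
    print(run_sample())
```

The sequence in run_sample is the point of the example: the same inbound SYN from the same server is dropped or passed depending only on what the engine has learned from earlier packets, which is what a stateless packet filter cannot do.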
Comparison of Firewall Architectures
[Table residue: columns Firewall Capability, Packet Filters, Application Level Gateways, Stateful Inspection; the surviving row labels are Kernel Level, Routers and host-based packet filters, Proxy]

Possible Firewall Processing Locations - Kernel
[Diagram: network cards, kernel level, application level]
[Diagram: a router passing an HTTP packet and dropping an FTP packet]
Example Rule List
5 * * * * Drop

Example Packets and Resulting Actions
Source Address  Destination Address  Protocol  Source Port Number  Destination Port Number  Match Rule #  Action Taken
10.56.2.98      10.122.6.11          TCP       23567               23 (Telnet)              2             Pass
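A rule-matching routine for the kind of rule list the slide describes, added as an example (not the course's own material). Only rule 5 ("5 * * * * Drop") and the sample packet are taken from the slide; rules 1 to 4, the column set (source address, destination address, protocol, source port, destination port), CIDR prefixes in the address fields and the first-match semantics are assumptions, chosen so that the slide's packet matches rule 2 and is passed.

```python
"""Packet filter rule matching (added example; rules 1-4 are constructed).

Assumed semantics: rules are tried in numerical order, '*' matches anything,
an address field is a single host or a CIDR prefix, and the first matching
rule decides. Rule 5 is the catch-all from the slide.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    src: str        # host, CIDR prefix or '*'
    dst: str
    proto: str      # 'TCP', 'UDP' or '*'
    sport: str      # port number as text, or '*'
    dport: str
    action: str     # 'Pass' or 'Drop'


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    # a bare host address becomes a /32 network
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _field_matches(pattern: str, value) -> bool:
    return pattern == "*" or pattern.upper() == str(value).upper()


def rule_matches(rule: Rule, src: str, dst: str, proto: str, sport: int, dport: int) -> bool:
    return (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)
            and _field_matches(rule.proto, proto)
            and _field_matches(rule.sport, sport)
            and _field_matches(rule.dport, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             sport: int, dport: int) -> Tuple[Optional[int], str]:
    """Return (matching rule number, action). First match wins. If no rule
    matches at all the packet is dropped: a list should end with an explicit
    catch-all such as rule 5, but the filter must fail closed regardless."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, src, dst, proto, sport, dport):
            return rule.number, rule.action
    return None, "Drop"


# Constructed rule list; only rule 5 comes from the slide.
RULES = [
    Rule(1, "10.56.2.0/24", "*",           "UDP", "*", "53", "Pass"),   # DNS lookups out
    Rule(2, "10.56.2.0/24", "10.122.6.11", "TCP", "*", "23", "Pass"),   # Telnet to one host
    Rule(3, "10.56.2.0/24", "*",           "TCP", "*", "80", "Pass"),   # web browsing out
    Rule(4, "*",            "10.122.6.11", "TCP", "*", "23", "Drop"),   # Telnet from anywhere else
    Rule(5, "*",            "*",           "*",   "*", "*",  "Drop"),   # catch-all from the slide
]


def slide_packet() -> Tuple[Optional[int], str]:
    """The slide's sample packet: 10.56.2.98 -> 10.122.6.11, TCP 23567 -> 23."""
    return evaluate(RULES, "10.56.2.98", "10.122.6.11", "TCP", 23567, 23)


if __name__ == "__main__":
    for pkt in [("10.56.2.98", "10.122.6.11", "TCP", 23567, 23),
                ("192.0.2.9",  "10.122.6.11", "TCP", 40000, 23),
                ("10.56.2.98", "10.122.6.11", "TCP", 40001, 22)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Because rule 4 sits above the catch-all, a Telnet attempt at the same host from an address outside 10.56.2.0/24 is reported as matching rule 4, which makes the log entry say which policy line dropped it rather than just "rule 5".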
Proxy Connection Process
[Diagram: the user's connection passes through the kernel level to a proxy at the application level, which has an authorization database, and on to the destination host; steps are numbered 1 to 4]
Connection methods: Direct Connection, Modified Client, Invisible Proxy

Direct Connection

Intranet
Internet Services
RAS
Financial connection (Reuters, Bloomberg, etc.)
Extranet
etc.
Lab 1: What Firewall is Best?

Discussion Lab
Internet connection
Email, ftp, dns, web (public)
Web surfing and ftp
Intranet
Oracle server

Discussion Lab
Possible solution.
[Diagram: two firewalls, one in front of a restricted network]
Unit II - Chapter 2: Security Hazards

Security Hazards: Objectives
Denial-of-Service
Network Packet Sniffing
IP Spoof Attack

Denial-of-Service Attack
[Diagram: an attacker sends a flood of e-mail to the target network]

IP Spoof Attack
[Diagram: the attacker's original TCP packet crosses the packet filter to the internal host 10.12.1.5 while reporting its source address to be 10.12.1.1]
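An anti-spoofing check a packet filter can apply against the attack in the diagram, added as an example (not from the course): a packet arriving on the external interface cannot legitimately carry an internal source address such as 10.12.1.1, so the filter drops it without having to trust the address at all. The interface names, the internal prefix 10.12.1.0/24 (inferred from the slide's hosts) and the extra list of reserved source ranges are assumptions of the example.

```python
"""Anti-spoofing (ingress/egress) check for a packet filter. Added example.

The interface a packet arrived on is something the filter knows for certain,
unlike the source address in the header. A packet that claims an internal
source but arrives from the Internet is therefore dropped; in the other
direction only the site's own addresses may leave, so the site cannot be used
to send spoofed packets at others. Interface names and prefixes are assumed.
"""
import ipaddress

# constructed from the slide's hosts 10.12.1.1 and 10.12.1.5
INTERNAL_NETS = [ipaddress.ip_network("10.12.1.0/24")]

# addresses that should never appear as a source on the external interface:
# RFC 1918 private ranges, loopback and link-local (a common extension of the rule)
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                       "127.0.0.0/8", "169.254.0.0/16")]


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def spoof_check(iface: str, src: str) -> str:
    """Return 'Drop' for a source address that cannot legitimately arrive on
    the given interface, else 'Pass'. iface is 'external' or 'internal'."""
    if iface == "external":
        # inbound: nothing from the Internet may claim an internal or reserved source
        if _in_any(src, INTERNAL_NETS) or _in_any(src, NEVER_FROM_OUTSIDE):
            return "Drop"
        return "Pass"
    if iface == "internal":
        # outbound: only our own addresses may leave through the firewall
        return "Pass" if _in_any(src, INTERNAL_NETS) else "Drop"
    raise ValueError(f"unknown interface {iface!r}")


def slide_attack() -> str:
    """The slide's case: an outside packet claiming source 10.12.1.1."""
    return spoof_check("external", "10.12.1.1")


if __name__ == "__main__":
    print("slide attack packet:", slide_attack())
    print("normal inbound from 198.51.100.7:", spoof_check("external", "198.51.100.7"))
    print("outbound with foreign source:", spoof_check("internal", "203.0.113.4"))
```

This check belongs ahead of the ordinary rule list: a rule such as "allow from 10.12.1.0/24 to anywhere" is only safe when the filter has already established that packets with those source addresses can only have entered on the internal interface.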
Unit III - Chapter 1: Firewall Features

Basic Access Control
Host-Based: describes the sets of services allowed for each host or network
Service-Based: identifies the sets of hosts or networks that may use each service
Host Spoofing Controls

Supported Services (cont.)
Finger: used to find out logins, user names, and information concerning a user's previous login
rlogin: developed at the University of California at Berkeley; used for remote access between local systems, but not recommended for use across the Internet because of its lack of a proper authentication capability
TELNET: standard remote login protocol application; provides a character-based connection between two systems
User Authentication
Authentication Mechanisms

Remote/Central Administration
Firewalls in multiple geographic locations should be administered by a single group within the company
With central administration the administrator configures the firewalls from a central database they all share

Actions Taken From Alarms

Dual-Host Firewalls
Splitting the functions of a firewall between two hosts to force attackers to break into two systems for a successful attack

Integrity Scanner
An application on the firewall that continually scans the firewall for any unauthorized changes to files, file size, or devices

Firewall Integrity (cont.)
Invisibility: a firewall that can't be seen is difficult to attack
Special Features
Address Mapping
Day and Time Restrictions
Load Control
Tunneling
Virtual Private Networks (VPN)
Hacker Traps

Address Mapping
[Diagram: the internal LAN (192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4) uses illegal IP addresses; the external side uses the legal IP address 204.32.38.1, to which the internal address 192.168.1.2 is mapped]
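A toy address mapper for the situation in the diagram, added as an example (not the course's code): outbound packets from the illegal 192.168.1.x addresses are rewritten to come from the legal address 204.32.38.1 and a fresh port, the translation is recorded, and replies to that port are rewritten back to the internal host; a reply for which no mapping exists is not forwarded. The two addresses come from the slide; the port numbers, the outside server 198.51.100.80 and the class and method names are the example's own.

```python
"""Port-based address mapping (NAT) table. Added example, not course material.

Internal hosts keep their illegal 192.168.1.x addresses; on the outside every
connection appears to come from the single legal address 204.32.38.1. Each
outbound connection gets its own public port so replies can be routed back
to the right internal host. Ports and the outside peer are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class AddressMapper:
    def __init__(self, public_ip: str, internal_prefix: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix        # e.g. "192.168.1."
        self.next_port = first_port
        self.outbound = {}   # (internal ip, port, peer ip, peer port) -> public port
        self.inbound = {}    # (public port, peer ip, peer port) -> (internal ip, port)

    def outbound_rewrite(self, p: Packet) -> Packet:
        """Packet leaving the LAN: replace the illegal source with the legal one."""
        if not p.src.startswith(self.internal_prefix):
            return p                                    # not ours to translate
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound:
            pub = self.next_port
            self.next_port += 1
            self.outbound[key] = pub
            self.inbound[(pub, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, self.outbound[key], p.dst, p.dport)

    def inbound_rewrite(self, p: Packet) -> Optional[Packet]:
        """Reply from the Internet: map the public port back to the internal
        host, or return None when no mapping exists (unsolicited traffic is
        not forwarded, which is the side effect that hides the LAN)."""
        target = self.inbound.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or target is None:
            return None
        return Packet(p.src, p.sport, target[0], target[1])


def run_sample():
    """Outbound web request from 192.168.1.2, its reply, and a stray packet."""
    nat = AddressMapper("204.32.38.1", "192.168.1.")
    out = nat.outbound_rewrite(Packet("192.168.1.2", 51000, "198.51.100.80", 80))
    reply = nat.inbound_rewrite(Packet("198.51.100.80", 80, "204.32.38.1", out.sport))
    stray = nat.inbound_rewrite(Packet("198.51.100.80", 80, "204.32.38.1", 40999))
    return out, reply, stray


if __name__ == "__main__":
    for p in run_sample():
        print(p)
```

Two internal hosts talking to the same server from the same local port are kept apart by the public port the mapper hands out, which is why the reverse table is keyed on the public port together with the peer address and port rather than on the peer alone.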
Day and Time Restrictions
[Diagram: two firewalls]
Internet risks
Security Policy Philosophies (cont.)

Service Access: internal user issues, remote access policies, external connections

Firewall Design
Permit any service unless it is expressly denied
Deny any service unless it is expressly permitted

Information concerns: e-mail, web browsing

Remote Access
A user's dial-out capability might become an intruder dial-up threat
Outside users must be forced to pass through the advanced authentication features of the firewall