A Presentation On

Submitted To :-          Presented By :-

2/4/2013   Firewall      1
1.    Definition of Firewall
2.    Need of Firewall
3.    Firewall Design Principles
4.    Firewall Characteristics
5.    What a Firewall Can Do?
6.    What a Firewall Can’t Do?
7.    Architecture of Firewall
8.    Types Of Firewall
9.    Implementation of Firewall
10.   Deployment of Firewall
11.   Report & Conclusion

Definition of Firewall

• Here is how Bob Shirey defines it in RFC 2828:

  An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)
Rules Determine

            WHO ? WHEN ?
            WHAT ? HOW ?

[Figure: INTERNET -- Firewall -- Secure Private Network / My PC]
What is a Firewall ?

    A firewall:
     ◦ Acts as a security gateway between two networks
         Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
     ◦ Tracks and controls network communications
         Decides whether to pass, reject, encrypt, or log communications (Access Control)

[Figure: Internet -- firewall ("Allow Traffic to Internet") -- Corporate Site]
Firewalls History
•   First generation - packet filters
      •   The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls.

•   Second generation - circuit level
      •   From 1980-1990 two colleagues at AT&T developed the second generation of firewalls, known as circuit level firewalls.

•   Third generation - application layer
      •   Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T Laboratories described a third generation firewall, also known as proxy based firewalls.

•   Subsequent generations
      •   In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system.
      •   In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.
      •   Cisco, one of the largest internet security companies in the world, released their PIX ("Private Internet Exchange") product to the public in 1997.
Need of Firewall

   Theft or disclosure of internal data
   Unauthorized access to internal hosts
   Interception or alteration of data
   Vandalism & denial of service
   Wasted employee time
   Bad publicity, public embarrassment, and lawsuits
The Nature of Today’s Attackers

   Who are these “hackers” who are trying to break into your computer?

    Most people imagine someone at a keyboard late at night, guessing passwords to steal confidential data from a computer system.
    This type of attack does happen, but it makes up a very small portion of the total network attacks that occur.

    Today, worms and viruses initiate the vast majority of attacks. Worms and viruses generally find their targets randomly.

    As a result, even organizations with little or no confidential information need firewalls to protect their networks from these automated attackers.
Firewall Design Principles

1. Information systems undergo a steady evolution (from small LANs to Internet connectivity)
2. Strong security features for all workstations and servers are not established
3. The firewall is inserted between the premises network and the Internet
4. Aims:
    1. Establish a controlled link
    2. Protect the premises network from Internet-based attacks
    3. Provide a single choke point
Firewall Characteristics

Design goals:

    1. All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)

    2. Only authorized traffic (defined by the local security policy) will be allowed to pass

    3. The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
Firewall Characteristics

Four general techniques:

1. Service control
    • Determines the types of Internet services that can be accessed,
       inbound or outbound

2. Direction control
    • Determines the direction in which particular service requests are
       allowed to flow

3. User control
    • Controls access to a service according to which user is attempting
      to access it

4. Behavior control
    • Controls how particular services are used (e.g. filter e-mail)
What Firewalls Can Do


 Positive Effects
 Negative Effects




What Firewalls Do (Positive Effects)

   User authentication.
     Firewalls can be configured to require user authentication. This allows network administrators to control and track specific user activity.

   Auditing and logging.
     By configuring a firewall to log and audit activity, information may be kept and analyzed at a later date.
What Firewalls Do                             (Positive Effects)




   Anti-Spoofing - Detecting when the source of the network traffic is
    being "spoofed", i.e., when an individual attempting to access a
    blocked service alters the source address in the message so that the
    traffic is allowed.

   Network Address Translation (NAT) - Changing the network
    addresses of devices on any side of the firewall to hide their true
    addresses from devices on other sides. There are two ways NAT is
    performed:

    ◦ One-to-One - where each true address is translated to a unique translated
      address.
    ◦ Many-to-One - where all true addresses are translated to a single
      address, usually that of the firewall.
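Both ways of performing NAT, written as an added example (not code from the slides); every address, the public IP 203.0.113.1 and the port range are constructed sample values. The many-to-one table also shows why an unsolicited inbound packet has nowhere to go and is dropped.

```python
"""One-to-one and many-to-one NAT as performed by a firewall.  Added example,
not code from the slides; every address below is constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNAT:
    """Each true (inside) address maps to its own unique translated address."""

    def __init__(self, static_map: Dict[str, str]):
        self.inside_to_public = dict(static_map)
        self.public_to_inside = {pub: ins for ins, pub in static_map.items()}

    def outbound(self, p: Packet) -> Optional[Packet]:
        public = self.inside_to_public.get(p.src)
        return None if public is None else replace(p, src=public)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # A mapped public address is reachable from outside (e.g. a DMZ server);
        # packets for unmapped public addresses have no inside host and are dropped.
        inside = self.public_to_inside.get(p.dst)
        return None if inside is None else replace(p, dst=inside)


class ManyToOneNAT:
    """All true addresses are hidden behind the firewall's single address; the
    translated source port distinguishes flows, and only replies to remembered
    outbound flows are translated back in."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, outside ip, outside port) -> public port
        self.outbound_flows: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, outside ip, outside port) -> (inside ip, inside port)
        self.inbound_flows: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.outbound_flows.get(key)
        if port is None:                       # new flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.outbound_flows[key] = port
            self.inbound_flows[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        entry = self.inbound_flows.get((p.dport, p.src, p.sport))
        if entry is None:                      # unsolicited: no inside host to deliver to
            return None
        inside_ip, inside_port = entry
        return replace(p, dst=inside_ip, dport=inside_port)
```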




What Firewalls Do                           (Positive Effects)




   Virtual Private Networks

     VPNs are communications sessions traversing public networks that
    have been made virtually private through the use of encryption
    technology. VPN sessions are defined by creating a firewall rule that
    requires encryption for any session that meets specific criteria.




What Firewalls Do                               (Negative Effects)




   Negative Effects

    Although firewall solutions provide many benefits, negative effects
    may also be experienced.

    ◦ Traffic bottlenecks. By forcing all network traffic to pass through the
      firewall, there is a greater chance that the network will become congested.

    ◦ Single point of failure. In most configurations where firewalls are the
      only link between networks, if they are not configured correctly or are
      unavailable, no traffic will be allowed through.

    ◦ Increased management responsibilities. A firewall often adds to
      network management responsibilities and makes network troubleshooting
      more complex.




What a Firewall Can’t Do
•   Do Firewalls Prevent Viruses and Trojans? NO!! A firewall can only prevent a virus or Trojan from accessing the internet while on your machine.
•   95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program.
•   Firewalls can't prevent this -- only a good anti-virus software program can. However, once installed on your PC, many viruses and Trojans "call home" over the internet to the hacker that designed them.
•   This lets the hacker activate the Trojan, and he/she can now use your PC for his/her own purposes.
•   A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system.
Firewall Architectures

   Screening Router
   Simple Firewall
   Multi-Legged firewall
   Firewall Sandwich
   Layered Security Architecture



Screening Router

[Figure: Internet/Untrusted Network -- Screening Router -- Internal Trusted Network (Server, Mainframe, Database, Desktop). Caption: "Routes or blocks packets, as determined by security policy".]
Simple Firewall

[Figure: Internet/Untrusted Network -- Screening Router -- Firewall -- Internal Trusted Network (web/smtp Server, Mainframe, Database, Desktop). Captions: "Routes or blocks packets, as determined by security policy"; "Firewall then handles traffic additionally to maintain more security".]
Multi-Legged Firewall

[Figure: Internet/Untrusted Network -- Screening Router -- Firewall with two inside legs: a DMZ Semi-Trusted Network (Web Server, SMTP Server, Server) and the Internal Trusted Network (Server, Mainframe, Database, Desktop). Captions: "Routes or blocks packets, as determined by security policy"; "Firewall then handles traffic additionally to maintain more security"; "DMZ now offers a secure sandbox to handle un-trusted connections to internet services".]
Firewall Sandwich

[Figure: Internet/Untrusted Network -- Screening Router -- Outside Firewall -- DMZ Semi-Trusted Network (Web Server, SMTP Server, Server) -- Inside Firewall -- Internal Trusted Network (App Server, Mainframe, Database, Desktop). Captions: "Routes or blocks packets, as determined by security policy"; "Firewall then handles traffic additionally to maintain more security"; "DMZ now offers a secure network to handle un-trusted connections to internet services"; "Separation of security policy controls between inside and outside firewalls".]
Layered Firewall

[Figure: Internet/Untrusted Network -- Inside Firewall -- DMZ Semi-trusted network -- Inside Firewall -- Internal Firewalls in front of the User Network, HR Network, Mainframe Network and Development Network. Captions: "Routes or blocks packets, as determined by security policy"; "Firewall then handles traffic additionally to maintain more security"; "DMZ now offers a secure network to handle un-trusted connections to internet services"; "Separation of security policy controls networks within your trusted network as well as your semi and un-trusted networks"; "Fences keep honest people honest!".]
Types of Firewalls

   Common types of Firewalls:
    1.   Packet-filtering routers
    2.   Application-level gateways
    3.   Circuit-level gateways
    4.   Bastion host
    5.   Distributed Firewall System
    6.   Virtual Private Network (VPN)




Packet-filtering Router

◦ Applies a set of rules to each incoming IP packet and then forwards or discards the packet
◦ Filters packets going in both directions
◦ The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
◦ Two default policies (discard or forward)
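A packet-filtering router of the kind described here, as an added example (not code from the slides): each rule matches on IP and TCP header fields and carries the direction and service control from the "four general techniques" slide, the first matching rule wins, an explicit default policy (discard or forward) decides the rest, and the anti-spoofing check from the positive-effects slide rejects inbound packets that claim an inside source. The 192.168.10.0/24 premises network, the sample rule set and all addresses are constructed.

```python
"""Packet-filtering router simulation.  Added example, not code from the slides;
the 192.168.10.0/24 "inside" network and all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

INTERNAL = IPv4Network("192.168.10.0/24")  # constructed premises network


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the untrusted side, "out" = leaving
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; clear only on the first segment of a connection


@dataclass(frozen=True)
class Rule:
    """One line of the filter list; None in a field means 'any'."""
    action: str                       # "forward" or "discard"
    direction: Optional[str] = None   # direction control
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR prefix
    dst: Optional[str] = None         # CIDR prefix
    dport: Optional[int] = None       # service control (destination port)
    ack: Optional[bool] = None        # match on the TCP ACK flag
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        checks = (
            self.direction is None or p.direction == self.direction,
            self.proto is None or p.proto == self.proto,
            self.src is None or IPv4Address(p.src) in IPv4Network(self.src),
            self.dst is None or IPv4Address(p.dst) in IPv4Network(self.dst),
            self.dport is None or p.dport == self.dport,
            self.ack is None or p.ack == self.ack,
        )
        return all(checks)


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = list(rules)
        self.default = default          # policy for packets no rule matches
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        flow = f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({p.direction})"
        # Anti-spoofing: nothing arriving from outside may carry an inside source address.
        if p.direction == "in" and IPv4Address(p.src) in INTERNAL:
            self.log.append(f"discard (spoofed inside source) {flow}")
            return "discard"
        for rule in self.rules:         # first match wins
            if rule.matches(p):
                self.log.append(f"{rule.action} ({rule.comment}) {flow}")
                return rule.action
        self.log.append(f"{self.default} (default policy) {flow}")
        return self.default


# Constructed sample rule set: only mail comes in unsolicited, replies to
# connections opened from inside are let back, web goes out, telnet does not.
RULES = [
    Rule("forward", direction="in", proto="tcp", dst="192.168.10.25/32", dport=25,
         comment="inbound SMTP to the mail host"),
    Rule("forward", direction="in", proto="tcp", ack=True,
         comment="reply segments of connections opened from inside"),
    Rule("forward", direction="out", proto="tcp", src=str(INTERNAL), dport=80,
         comment="outbound web"),
    Rule("discard", direction="out", proto="tcp", dport=23,
         comment="no outbound telnet"),
]


def demo() -> List[str]:
    """Run a few constructed packets through the sample rule set."""
    pf = PacketFilter(RULES)
    packets = [
        Packet("in", "tcp", "198.51.100.7", "192.168.10.25", 40001, 25),
        Packet("in", "tcp", "198.51.100.7", "192.168.10.9", 40002, 22),
        Packet("in", "tcp", "192.168.10.9", "192.168.10.25", 40003, 25),
        Packet("in", "tcp", "198.51.100.80", "192.168.10.9", 80, 51000, ack=True),
        Packet("out", "tcp", "192.168.10.9", "198.51.100.80", 51000, 80),
        Packet("out", "tcp", "192.168.10.9", "198.51.100.80", 51001, 23),
    ]
    return [pf.decide(p) for p in packets]
```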




Packet Filtering Firewall

[Figure: Trusted Network -- Firewall (rule set) -- Untrusted Network; a packet that fails the rule set is blocked or discarded.]
Packet Filtering Firewall

    A packet filtering firewall is often called a network layer firewall because
     the filtering is primarily done at the network layer (layer three) or the
     transport layer (layer four) of the OSI reference model.




Packet Filtering

[Figure only]
Packet-filtering Router


   Advantages:
    ◦ Simplicity
    ◦ Transparency to users
    ◦ High speed
   Disadvantages:
    ◦ Difficulty of setting up packet filter rules
    ◦ Lack of Authentication




Application-level Gateway
   Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy.
   Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size.
   A mail server is an example of an application gateway
    ◦ Can’t deposit mail in recipient’s mail server without passing through sender’s mail server

[Figure: host-to-gateway ftp session -- application gateway -- gateway-to-remote host ftp session]
Application Gateways/Proxies

[Figure only]
Application-level Gateway

•Advantages
  1.   Proxy can log all connections, activity in connections
  2.   Proxy can provide caching
  3.   Proxy can do intelligent filtering based on content
  4.   Proxy can perform user-level authentication

•Disadvantages
  1.   Not all services have proxied versions
  2.   May need different proxy server for each service
  3.   Requires modification of client
  4.   Performance
Circuit-level Gateway

1. Stand-alone system
2. Specialized function performed by an Application-level Gateway
3. Sets up two TCP connections
4. The gateway typically relays TCP segments from one connection to the other without examining the contents
5. The security function consists of determining which connections will be allowed
6. Typical use is a situation in which the system administrator trusts the internal users
7. An example is the SOCKS package
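The two-connection relay described above, as an added example (not code from the slides and not the SOCKS package itself): the gateway accepts the inside client's connection, reads one request line in a constructed "CONNECT <host> <port>" format, applies a policy callback (the only place security is decided), opens the second TCP connection to the server, and then copies bytes both ways without looking at them. The echo server is a constructed stand-in for the outside server, and everything listens on 127.0.0.1 with ephemeral ports.

```python
"""Circuit-level gateway: a simplified SOCKS-like relay.  Added example, not code
from the slides; the one-line request "CONNECT <host> <port>" is a constructed
format, and the echo server stands in for the outside server."""
import selectors
import socket
import threading
from typing import Callable, List, Tuple

def read_line(sock: socket.socket) -> str:
    """Read one line a byte at a time so nothing after the newline is consumed."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()

def relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes both ways until either side closes; payload is never examined."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)
    sel.register(b, selectors.EVENT_READ, data=a)
    while True:
        for key, _ in sel.select():
            data = key.fileobj.recv(4096)
            if not data:
                return
            key.data.sendall(data)

class CircuitGateway:
    def __init__(self, policy: Callable[[str, str, int], bool]):
        self.policy = policy              # (client ip, dest host, dest port) -> allowed?
        self.log: List[str] = []
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen()
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            client, addr = self.listener.accept()
            threading.Thread(target=self._handle, args=(client, addr[0]), daemon=True).start()

    def _handle(self, client: socket.socket, client_ip: str) -> None:
        with client:
            client.settimeout(10)
            parts = read_line(client).split()
            if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].isdigit():
                client.sendall(b"ERR bad request\n")
                return
            host, port = parts[1], int(parts[2])
            # The gateway's whole security function: may this circuit exist at all?
            if not self.policy(client_ip, host, port):
                self.log.append(f"denied {client_ip} -> {host}:{port}")
                client.sendall(b"ERR denied\n")
                return
            try:
                server = socket.create_connection((host, port), timeout=10)
            except OSError:
                client.sendall(b"ERR unreachable\n")
                return
            with server:                  # second TCP connection: gateway -> server
                self.log.append(f"allowed {client_ip} -> {host}:{port}")
                client.sendall(b"OK\n")
                relay(client, server)

def start_echo_server() -> int:
    """Constructed outside server that echoes whatever it receives; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve_one(conn: socket.socket) -> None:
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def connect_via_gateway(gw_port: int, host: str, port: int, payload: bytes) -> Tuple[str, bytes]:
    """Inside client: ask for a circuit, then send payload and collect the reply."""
    with socket.create_connection(("127.0.0.1", gw_port), timeout=10) as s:
        s.sendall(f"CONNECT {host} {port}\n".encode())
        status = read_line(s)
        if status != "OK":
            return status, b""
        s.sendall(payload)
        received = b""
        while len(received) < len(payload):
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
        return status, received
```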




Circuit Level

[Figure only]
Bastion Host

   Highly secure host system
   A system identified by the firewall administrator as a critical strong point in the network's security
   The bastion host serves as a platform for an application-level or circuit-level gateway
   Potentially exposed to "hostile" elements
   Hence is secured to withstand this
     ◦ Disable all non-required services; keep it simple
   Trusted to enforce trusted separation between network connections
   Runs circuit / application level gateways
     ◦ Install/modify services you want
   Or provides externally accessible services
Screened Host Architecture

[Figure only]
Distributed Firewalls

   A central management node sets the security policy enforced by individual hosts
   Combination of high-level policy specification with file distribution mechanism
   Advantages:
     ◦ Lack of central point of failure
     ◦ Ability to protect machines outside topologically isolated space
     ◦ Great for laptops
   Disadvantage:
     ◦ Harder to allow in certain services, whereas it’s easy to block
Distributed Firewalls Drawback

   Allowing in certain services works if and
    only if you’re sure the address can’t be
    spoofed
    ◦ Requires anti-spoofing protection
    ◦ Must maintain ability to roam safely
   Solution: IPsec
    ◦ A machine is trusted if and only if it can perform
      proper cryptographic authentication



Virtual Private Network (VPN)
   Used to connect two private networks via the
    internet
    ◦ Provides an encrypted tunnel between the two private
      networks
    ◦ Usually cheaper than a private leased line but should be
      studied on an individual basis
    ◦ Once established and as long as the encryption remains
      secure the VPN is impervious to exploitation
    ◦ For large organizations using VPNs to connect
      geographically diverse sites, always attempt to use the
      same ISP to get best performance.
       Try to avoid having to go through small Mom-n-Pop ISPs as
        they will tend to be real bottlenecks


Virtual Private Network (VPN)

[Figure only]
Implementations

   Software
    ◦   Devil-Linux
    ◦   Dotdefender
    ◦   ipfirewall
    ◦   PF
    ◦   Symantec …

   Hardware
    ◦ Cisco PIX
    ◦ DataPower
    ◦ SofaWare Technologies




Firewall Deployment

    Corporate Network Gateway
     ◦ Protect internal network from attack
     ◦ Most common deployment point

[Figure: Internet -- Corporate Network Gateway -- Corporate Site; a Demilitarized Zone (DMZ) holds the Public Servers, and a Human Resources Network sits inside the corporate site.]
Firewall Deployment

    Corporate Network Gateway
    Internal Segment Gateway
     ◦ Protect sensitive segments (Finance, HR, Product Development)
     ◦ Provide second layer of defense
     ◦ Ensure protection against internal attacks and misuse

[Figure: Internet -- Corporate Network Gateway -- Corporate Site, with the Demilitarized Zone (publicly-accessible servers) off the gateway and an Internal Segment Gateway in front of the Human Resources Network.]
Firewall Deployment

    Corporate Network Gateway
    Internal Segment Gateway
    Server-Based Firewall
     ◦ Protect individual application servers
     ◦ Protect files

[Figure: Internet -- Corporate Network Gateway (DMZ with Public Servers) -- Corporate Site; the Human Resources Network sits behind an internal gateway, and a Server-Based Firewall runs on the SAP Server.]
The “2002 Computer Security Institute / FBI Computer Crime and Security Survey” Reported:

   90% of survey respondents (primarily larger corporations) detected computer security breaches. Respondents reported a wide range of attacks:
   44% detected system penetration from the outside
   44% detected denial of service attacks
   76% detected employee abuse of Internet access privileges
   85% detected computer viruses, worms, etc.
   80% acknowledged financial losses due to computer security breaches
   44% were willing and/or able to quantify their financial losses (these losses were $455 million).
   Most serious losses occurred through theft of proprietary information and financial fraud.
   74% cited their Internet connections as a frequent point of attack and 33% cited their internal systems as a frequent point of attack
   34% reported intrusions to law enforcement (up from only 16% in 1996)
Future of Firewalls
 Firewalls will continue to advance as the attacks on IT infrastructure become more and more sophisticated
 More and more client and server applications are coming with native support for proxied environments
 Firewalls that scan for viruses as they enter the network: several firms are currently exploring this idea, but it is not yet in wide use
Conclusion
 It is clear that some form of security for
  private networks connected to the
  Internet is essential
 A firewall is an important and necessary
  part of that security, but cannot be
  expected to perform all the required
  security functions.



2/4/2013   Firewall   48
2/4/2013   Firewall   49

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
 
Firewall
FirewallFirewall
Firewall
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security Definition
 
Firewall
Firewall Firewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
What is firewall
What is firewallWhat is firewall
What is firewall
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall & packet filter new
Firewall & packet filter newFirewall & packet filter new
Firewall & packet filter new
 
Network security
Network securityNetwork security
Network security
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall
FirewallFirewall
Firewall
 
Virtual private network(vpn)
Virtual private network(vpn)Virtual private network(vpn)
Virtual private network(vpn)
 
Network security
Network security Network security
Network security
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat Management
 

Ähnlich wie Firewall presentation (20)

internet-firewalls
internet-firewallsinternet-firewalls
internet-firewalls
 
Firewall
FirewallFirewall
Firewall
 
Firewall.pdf
Firewall.pdfFirewall.pdf
Firewall.pdf
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
FIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALAFIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALA
 
Cr32585591
Cr32585591Cr32585591
Cr32585591
 
firewall.pdf
firewall.pdffirewall.pdf
firewall.pdf
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Firewall
FirewallFirewall
Firewall
 
Seminar
SeminarSeminar
Seminar
 
Firewall ppt.pptx
Firewall ppt.pptxFirewall ppt.pptx
Firewall ppt.pptx
 
Firewall
FirewallFirewall
Firewall
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPUREFIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
 
Firewall (2)
Firewall (2)Firewall (2)
Firewall (2)
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
 
Firewall
FirewallFirewall
Firewall
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Firewall
FirewallFirewall
Firewall
 

Firewall presentation

  • 1. A Presentation On Submitted To :- Presented By :- 2/4/2013 Firewall 1
  • 2. 1. Definition of Firewall 2. Need of Firewall 3. Firewall Design Principles 4. Firewall Characteristics 5. What a Firewall Can Do? 6. What a Firewall Can’t Do? 7. Architecture of Firewall 8. Types Of Firewall 9. Implementation of Firewall 10. Deployment of Firewall 11. Report & Conclusion
  • 3. Here is how Bob Shirey defines it in RFC 2828: "An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)"
  • 4. Rules determine: WHO? WHEN? WHAT? HOW? [diagram: INTERNET -> Firewall -> Secure Private Network, with "My PC" inside]
  • 5. What is a Firewall? A firewall: acts as a security gateway between two networks, usually between trusted and untrusted networks (such as between a corporate network and the Internet); tracks and controls network communications, deciding whether to pass, reject, encrypt, or log communications (Access Control). [diagram: Internet -> "Allow Traffic to Internet" -> Corporate Site]
  • 6. Firewalls History. First generation - packet filters: the first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. Second generation - circuit level: from 1980-1990 two colleagues from AT&T developed the second generation of firewalls, known as circuit level firewalls. Third generation - application layer: publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T Laboratories described a third generation firewall, also known as proxy based firewalls. Subsequent generations: in 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1. Cisco, one of the largest internet security companies in the world, released their PIX ("Private Internet Exchange") product to the public in 1997.
  • 7. Theft or disclosure of internal data; unauthorized access to internal hosts; interception or alteration of data; vandalism and denial of service; wasted employee time; bad publicity, public embarrassment, and lawsuits.
  • 8. The Nature of Today’s Attackers. Who are these “hackers” who are trying to break into your computer? Most people imagine someone at a keyboard late at night, guessing passwords to steal confidential data from a computer system. This type of attack does happen, but it makes up a very small portion of the total network attacks that occur. Today, worms and viruses initiate the vast majority of attacks. Worms and viruses generally find their targets randomly. As a result, even organizations with little or no confidential information need firewalls to protect their networks from these automated attackers.
  • 9. Firewall Design Principles: 1. Information systems undergo a steady evolution (from small LANs to Internet connectivity). 2. Strong security features for all workstations and servers are not established. 3. The firewall is inserted between the premises network and the Internet. 4. Aims: (1) establish a controlled link; (2) protect the premises network from Internet-based attacks; (3) provide a single choke point.
  • 10. Firewall Characteristics. Design goals: 1. All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall). 2. Only authorized traffic (defined by the local security policy) will be allowed to pass. 3. The firewall itself is immune to penetration (use of a trusted system with a secure operating system).
  • 11. Firewall Characteristics. Four general techniques: 1. Service control: determines the types of Internet services that can be accessed, inbound or outbound. 2. Direction control: determines the direction in which particular service requests are allowed to flow. 3. User control: controls access to a service according to which user is attempting to access it. 4. Behavior control: controls how particular services are used (e.g. filter e-mail).
  • 12. What Firewalls Can Do: Positive Effects; Negative Effects.
  • 13. What Firewalls Do (Positive Effects). User authentication: firewalls can be configured to require user authentication. This allows network administrators to control and track specific user activity. Auditing and logging: by configuring a firewall to log and audit activity, information may be kept and analyzed at a later date.
  • 14. What Firewalls Do (Positive Effects). Anti-Spoofing: detecting when the source of the network traffic is being "spoofed", i.e., when an individual attempting to access a blocked service alters the source address in the message so that the traffic is allowed. Network Address Translation (NAT): changing the network addresses of devices on any side of the firewall to hide their true addresses from devices on other sides. There are two ways NAT is performed: One-to-One, where each true address is translated to a unique translated address; Many-to-One, where all true addresses are translated to a single address, usually that of the firewall.
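Added example, not part of the original presentation: the two NAT modes of slide 14 as a small Python model. The addresses, ports and the 40000 starting port are constructed (RFC 5737 documentation ranges); nothing here touches a real interface. The point it shows beyond the slide is why many-to-one NAT needs a flow table, and why that table is what drops unsolicited inbound packets.

```python
"""One-to-one and many-to-one NAT, modelled in plain Python.

Constructed example: the addresses and ports below are made up (RFC 5737
documentation ranges), and nothing here touches a real network interface.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class OneToOneNAT:
    """Static NAT: each true inside address maps to its own unique outside address."""

    def __init__(self, mapping):
        self.inside_to_outside = dict(mapping)
        self.outside_to_inside = {out: ins for ins, out in mapping.items()}

    def outbound(self, pkt):
        # Only the source address is rewritten; ports are untouched.
        return Packet(self.inside_to_outside[pkt.src_ip], pkt.src_port,
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        # Any packet for a mapped outside address is forwarded, solicited or not:
        # one-to-one NAT hides the true address but is no substitute for filtering.
        inside = self.outside_to_inside.get(pkt.dst_ip)
        if inside is None:
            return None  # no mapping: the firewall drops the packet
        return Packet(pkt.src_ip, pkt.src_port, inside, pkt.dst_port, pkt.proto)


class ManyToOneNAT:
    """Port address translation: every inside host appears as the firewall's address.

    The address alone no longer identifies the inside host, so the firewall hands
    each outbound flow its own outside port and records the mapping. Replies are
    matched against that table; anything unsolicited matches nothing and is dropped.
    """

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self._next_port = count(first_port)
        # (proto, inside ip, inside port, remote ip, remote port) -> outside port
        self.flows = {}
        # (proto, outside port, remote ip, remote port) -> (inside ip, inside port)
        self.reverse = {}

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.flows.get(key)
        if port is None:
            port = next(self._next_port)
            self.flows[key] = port
            self.reverse[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        if pkt.dst_ip != self.outside_ip:
            return None
        # A reply is only accepted from the remote endpoint the flow was opened to.
        entry = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited inbound traffic: dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


if __name__ == "__main__":
    pat = ManyToOneNAT("198.51.100.1")
    out = pat.outbound(Packet("10.0.0.5", 51000, "203.0.113.10", 80))
    print("outbound rewritten to", out.src_ip, out.src_port)
    back = pat.inbound(Packet("203.0.113.10", 80, "198.51.100.1", out.src_port))
    print("reply delivered to", back.dst_ip, back.dst_port)
    print("unsolicited:", pat.inbound(Packet("192.0.2.9", 4444, "198.51.100.1", 40000)))
```

Two hosts opening a connection to the same remote service get different outside ports, so the reverse lookup is unambiguous; the same inside flow reuses its port. The model has no timeouts, which a real firewall needs to expire idle entries.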
  • 15. What Firewalls Do (Positive Effects). Virtual Private Networks: VPNs are communications sessions traversing public networks that have been made virtually private through the use of encryption technology. VPN sessions are defined by creating a firewall rule that requires encryption for any session that meets specific criteria.
  • 16. What Firewalls Do (Negative Effects). Although firewall solutions provide many benefits, negative effects may also be experienced. Traffic bottlenecks: by forcing all network traffic to pass through the firewall, there is a greater chance that the network will become congested. Single point of failure: in most configurations where firewalls are the only link between networks, if they are not configured correctly or are unavailable, no traffic will be allowed through. Increased management responsibilities: a firewall often adds to network management responsibilities and makes network troubleshooting more complex.
  • 17. What a Firewall Can’t Do. Do firewalls prevent viruses and Trojans? NO! A firewall can only prevent a virus or Trojan from accessing the internet while it is on your machine. 95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program. Firewalls can't prevent this; only a good anti-virus software program can. However, once installed on your PC, many viruses and Trojans "call home" over the internet to the hacker that designed them. This lets the hacker activate the Trojan, and he/she can now use your PC for his/her own purposes. A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system.
  • 18. Firewall Architectures: Screening Router; Simple Firewall; Multi-Legged Firewall; Firewall Sandwich; Layered Security Architecture.
  • 19. Screening Router [diagram: Internet/Untrusted Network -> Screening Router (routes or blocks packets, as determined by security policy) -> Internal Trusted Network (Desktop, Mainframe, Database Server)]
  • 20. Simple Firewall [diagram: Internet/Untrusted Network -> Screening Router (routes or blocks packets, as determined by security policy) -> Firewall (then handles traffic additionally to maintain more security; web, smtp) -> Internal Trusted Network (Desktop, Mainframe, Database Server)]
  • 21. Multi-Legged Firewall [diagram: Internet/Untrusted Network -> Screening Router (routes or blocks packets, as determined by security policy) -> Firewall (then handles traffic additionally to maintain more security) with two inside legs: the DMZ / Semi-Trusted Network (Web Server, SMTP Server, Server), which now offers a secure sandbox to handle un-trusted connections to internet services, and the Internal Trusted Network (Desktop, Mainframe, Database Server)]
  • 22. Firewall Sandwich [diagram: Internet/Untrusted Network -> Screening Router (routes or blocks packets, as determined by security policy) -> Outside Firewall (then handles traffic additionally to maintain more security) -> DMZ / Semi-Trusted Network (Web Server, SMTP Server, Server), which now offers a secure network to handle un-trusted connections to internet services -> Inside Firewall -> Internal Trusted Network (Desktop, Mainframe, Database, App Server); separation of security policy controls between inside and outside firewalls]
  • 23. Layered Firewall [diagram: Internet/Un-trusted Network -> Inside Firewall (routes or blocks packets, as determined by security policy; then handles traffic additionally to maintain more security) -> DMZ / Semi-trusted network, which now offers a secure network to handle un-trusted connections to internet services -> Inside Firewall -> User Network, HR Network, Mainframe Network and Development Network, each behind its own Internal Firewall; separation of security policy controls networks within your trusted network as well as your DMZ, semi- and un-trusted networks; "Fences keep honest people honest!"]
  • 24. Types of Firewalls. Common types of firewalls: 1. Packet-filtering routers 2. Application-level gateways 3. Circuit-level gateways 4. Bastion host 5. Distributed Firewall System 6. Virtual Private Network (VPN)
  • 25. Packet-filtering Router: applies a set of rules to each incoming IP packet and then forwards or discards the packet; filters packets going in both directions; the packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header; two default policies (discard or forward).
  • 26. Packet Filtering Firewall [diagram: Trusted Network <-> Firewall (rule set) <-> Untrusted Network; packet is blocked or discarded]
  • 27. Packet Filtering Firewall. A packet filtering firewall is often called a network layer firewall because the filtering is primarily done at the network layer (layer three) or the transport layer (layer four) of the OSI reference model.
  • 28. Packet Filtering [diagram]
  • 29. Packet-filtering Router. Advantages: simplicity; transparency to users; high speed. Disadvantages: difficulty of setting up packet filter rules; lack of authentication.
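Added example, not code from the presentation: a stateless packet filter of the kind slides 25 to 29 describe, with the anti-spoofing check of slide 14 and the service, direction and behavior controls of slide 11 written as an ordered rule list with a default policy. INTERNAL_NET, the DMZ web server and mail relay addresses, the rule set and the sample packets are all assumptions (constructed, RFC 5737 ranges on the Internet side).

```python
"""Stateless packet-filtering router with an ingress anti-spoofing check.

Constructed example: INTERNAL_NET, the rule set and the sample packets are
made up (RFC 5737 ranges for the Internet side). Rules are evaluated in
order, first match wins, and the default policy decides everything else.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed premises network


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arrives from the Internet, "out" = leaves toward it
    proto: str              # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    ack: bool = False       # TCP ACK flag; clear only on the first SYN of a connection


@dataclass(frozen=True)
class Rule:
    action: str                      # "forward" or "discard"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_ports: Tuple[int, ...] = ()  # empty tuple matches any port
    ack_only: bool = False           # match only segments of an already open connection
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.ack_only and not pkt.ack:
            return False
        return True


class PacketFilter:
    def __init__(self, rules, default="discard"):
        self.rules = list(rules)
        self.default = default          # one of the "two default policies" of slide 25

    def decide(self, pkt: Packet):
        """Return (action, reason) for a single packet."""
        # Anti-spoofing (slide 14): a packet arriving from the Internet can never
        # legitimately carry an inside source address, so it is dropped before the rules run.
        if pkt.direction == "in" and ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET:
            return "discard", "anti-spoofing: inside source address on the outside interface"
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, f"rule {index}: {rule.comment}"
        return self.default, "default policy"


# Assumed policy: one DMZ web server, one mail relay, web browsing allowed from inside.
RULES = [
    Rule("forward", "in", "tcp", dst="10.1.0.10/32", dst_ports=(80, 443),
         comment="service control: Internet may reach the DMZ web server"),
    Rule("forward", "out", "tcp", src="10.1.0.25/32", dst_ports=(25,),
         comment="only the mail relay may send SMTP"),
    Rule("discard", "out", "tcp", dst_ports=(25,),
         comment="behavior control: workstations may not send mail directly"),
    Rule("forward", "out", "tcp", src="10.0.0.0/8", dst_ports=(80, 443),
         comment="direction control: inside users may browse the web"),
    Rule("forward", "in", "tcp", dst="10.0.0.0/8", ack_only=True,
         comment="replies to connections opened from inside"),
]

FILTER = PacketFilter(RULES, default="discard")


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.7", 51515, "10.1.0.10", 443),            # forward, rule 0
        Packet("in", "tcp", "10.0.0.9", 51515, "10.1.0.10", 443),               # discard, spoofed
        Packet("out", "tcp", "10.0.0.9", 51515, "203.0.113.7", 443),            # forward, rule 3
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.9", 51515, ack=True),   # forward, rule 4
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.9", 51515),             # discard, default
        Packet("out", "tcp", "10.0.0.9", 5000, "203.0.113.7", 25),              # discard, rule 2
    ]
    for pkt in samples:
        print(FILTER.decide(pkt), pkt)
```

Two things the slides' disadvantages list point at are visible here. The filter knows nothing about users, only header fields, which is the "lack of authentication" of slide 29. And the `ack_only` rule is the classic stateless approximation of "established": it trusts a header flag rather than a connection table, which is exactly the gap stateful inspection later closed. The default-discard policy on the outbound side is also what lets a filter stop the "call home" traffic of slide 17.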
  • 30. Application-level Gateway. The gateway sits between the user on the inside and the server on the outside. Instead of talking directly, user and server talk through the proxy: a host-to-gateway ftp session on one side and a gateway-to-remote-host ftp session on the other. Allows more fine-grained and sophisticated control than packet filtering; for example, the ftp server may not allow files greater than a set size. A mail server is an example of an application gateway: you can’t deposit mail in the recipient’s mail server without passing through the sender’s mail server. [diagram: host-to-gateway ftp session -> application gateway -> gateway-to-remote-host ftp session]
  • 31. Application Gateways/Proxies [diagram]
  • 32. Application-level Gateway. Advantages: 1. Proxy can log all connections and activity in connections 2. Proxy can provide caching 3. Proxy can do intelligent filtering based on content 4. Proxy can perform user-level authentication. Disadvantages: 1. Not all services have proxied versions 2. May need a different proxy server for each service 3. Requires modification of the client 4. Performance
  • 33. Circuit-level Gateway: 1. Stand-alone system 2. Specialized function performed by an Application-level Gateway 3. Sets up two TCP connections 4. The gateway typically relays TCP segments from one connection to the other without examining the contents 5. The security function consists of determining which connections will be allowed 6. Typical use is a situation in which the system administrator trusts the internal users 7. An example is the SOCKS package
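Added example, not from the presentation and not the SOCKS package slide 33 names: a minimal circuit-level gateway that does the three things the slide lists, sets up two TCP connections, relays segments between them without examining the contents, and decides up front which connections are allowed. The one-line "CONNECT host port" request, the "OK"/"DENIED" replies and the echo server standing in for the destination are assumptions so that the whole exchange runs on 127.0.0.1 offline.

```python
"""Toy circuit-level gateway after slide 33 (constructed example, not SOCKS):
the client sends "CONNECT <host> <port>\n", the gateway replies "OK\n" or
"DENIED\n", then relays bytes between two TCP connections without inspecting them."""
import socket
import threading

def read_line(sock):
    """One line, read byte by byte so no relayed bytes get swallowed by buffering."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode(errors="replace").strip()

def _pump(src, dst):
    """Copy bytes one way until EOF; the content is never examined."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # pass the EOF along to the other side
        except OSError:
            pass

def handle_client(client, policy):
    with client:
        client_ip = client.getpeername()[0]
        parts = read_line(client).split()
        if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].isdigit():
            client.sendall(b"DENIED\n")
            return
        host, port = parts[1], int(parts[2])
        if not policy(client_ip, host, port):   # the gateway's only security decision
            client.sendall(b"DENIED\n")
            return
        try:
            remote = socket.create_connection((host, port), timeout=5)
        except OSError:
            client.sendall(b"DENIED\n")
            return
        remote.settimeout(None)
        with remote:
            client.sendall(b"OK\n")              # second TCP connection is up: circuit open
            back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
            back.start()
            _pump(client, remote)
            back.join()

def _listen_and_serve(handler):
    """Bind an ephemeral 127.0.0.1 port; hand each accepted connection to handler."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                            # listening socket was closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv

def start_gateway(policy):
    return _listen_and_serve(lambda conn: handle_client(conn, policy))

def start_echo_server():
    """Stand-in for the destination service: echoes everything it receives."""
    def echo(conn):
        with conn:
            _pump(conn, conn)
    return _listen_and_serve(echo)

def through_gateway(gw_port, host, port, payload):
    """Client side: ask for a circuit, send payload, collect what comes back until EOF."""
    with socket.create_connection(("127.0.0.1", gw_port), timeout=5) as s:
        s.sendall(f"CONNECT {host} {port}\n".encode())
        status = read_line(s)
        if status != "OK":
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
        return status, received
```

The policy callback receives the client address and the requested destination and returns a boolean; that single check is the whole security function, which is why slide 33 says this design suits an administrator who already trusts the internal users. Once the circuit is open the gateway cannot tell a legitimate session from misuse of an allowed one, the trade-off that an application-level gateway (slide 30) accepts complexity to avoid.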
  • 34. Circuit Level [diagram]
  • 35. Bastion Host: a highly secure host system; a system identified by the firewall administrator as a critical strong point in the network's security; the bastion host serves as a platform for an application-level or circuit-level gateway; potentially exposed to "hostile" elements, hence is secured to withstand this (disable all non-required services; keep it simple); trusted to enforce trusted separation between network connections; runs circuit / application level gateways (install/modify services you want) or provides externally accessible services.
  • 36. Screened Host Architecture [diagram]
  • 37. Distributed Firewalls: a central management node sets the security policy enforced by individual hosts; combination of high-level policy specification with a file distribution mechanism. Advantages: lack of a central point of failure; ability to protect machines outside topologically isolated space; great for laptops. Disadvantage: harder to allow in certain services, whereas it’s easy to block.
  • 38. Distributed Firewalls Drawback. Allowing in certain services works if and only if you’re sure the address can’t be spoofed: requires anti-spoofing protection; must maintain the ability to roam safely. Solution: IPsec. A machine is trusted if and only if it can perform proper cryptographic authentication.
  • 39. Virtual Private Network (VPN): used to connect two private networks via the internet; provides an encrypted tunnel between the two private networks; usually cheaper than a private leased line, but should be studied on an individual basis; once established, and as long as the encryption remains secure, the VPN is impervious to exploitation; for large organizations using VPNs to connect geographically diverse sites, always attempt to use the same ISP to get the best performance; try to avoid having to go through small Mom-n-Pop ISPs, as they will tend to be real bottlenecks.
  • 40. Virtual Private Network (VPN) [diagram]
  • 41. Implementations. Software: Devil-Linux; Dotdefender; ipfirewall; PF; Symantec; … Hardware: Cisco PIX; DataPower; SofaWare Technologies.
  • 42. Firewall Deployment. Corporate Network Internet Gateway / Demilitarized Zone (DMZ): protects the internal network from attack; most common deployment point. [diagram: Internet -> Corporate Network Gateway -> DMZ (Public Servers) and Corporate Site (Human Resources Network)]
  • 43. Firewall Deployment. Corporate Network Internet Gateway; Internal Segment Gateway: protects sensitive segments (Finance, HR, Product Development); provides a second layer of defense; ensures protection against internal attacks and misuse. [diagram: Internet -> Corporate Network Gateway -> Demilitarized Zone (publicly-accessible servers: Public Servers) and Corporate Site -> Internal Segment Gateway -> Human Resources Network]
  • 44. Firewall Deployment. Corporate Network Internet Gateway; Internal Segment Gateway; Server-Based Firewall: protects individual application servers. [diagram: Internet -> Corporate Network Gateway -> DMZ (Public Servers) and Corporate Site (Human Resources Network); Server-Based Firewall in front of the SAP Server; "Files protect"]
  • 45. The “2002 Computer Security Institute / FBI Computer Crime and Security Survey” reported: 90% of survey respondents (primarily larger corporations) detected computer security breaches. Respondents reported a wide range of attacks: 44% detected system penetration from the outside; 44% detected denial of service attacks; 76% detected employee abuse of Internet access privileges; 85% detected computer viruses, worms, etc.; 80% acknowledged financial losses due to computer security breaches; 44% were willing and/or able to quantify their financial losses (these losses were $455 million); most serious losses occurred through theft of proprietary information and financial fraud; 74% cited their Internet connections as a frequent point of attack and 33% cited their internal systems as a frequent point of attack; 34% reported intrusions to law enforcement (up from only 16% in 1996).
  • 46. Future of Firewalls: firewalls will continue to advance as the attacks on IT infrastructure become more and more sophisticated; more and more client and server applications are coming with native support for proxied environments; firewalls that scan for viruses as they enter the network: several firms are currently exploring this idea, but it is not yet in wide use.
  • 47. Conclusion: it is clear that some form of security for private networks connected to the Internet is essential. A firewall is an important and necessary part of that security, but cannot be expected to perform all the required security functions.