An Introduction to Firewall Technology. Syscom Computer (凌群電腦). Presenter: 潘志豪 (Jason Pan). E-Mail: Jason_Pan@tc.syscom.com.tw. TEL: 04-2202-1221
Agenda • What is a firewall • Why an organization needs a firewall • Types of firewalls and technologies • Deploying a firewall • What is a VPN
What is a Firewall? • A firewall: • Acts as a security gateway between two networks • Usually between trusted and untrusted networks (such as between a corporate network and the Internet) [Diagram: Internet, Corporate Network Gateway, Corporate Site]
What is a Firewall? • A firewall: • Acts as a security gateway between two networks • Tracks and controls network communications • Decides whether to pass, reject, encrypt, or log communications (Access Control) [Diagram: gateway between the Corporate Site and the Internet, labelled “Allow Traffic to Internet” and “Block traffic from Internet”]
Why Firewalls are Needed • Prevent attacks from untrusted networks • Protect data integrity of critical information • Preserve customer and partner confidence
Evolution of Firewalls [Diagram: stages of evolution, from Packet Filter to Application Proxy to Stateful Inspection]
Packet Filter • Packets examined at the network layer • Useful “first line” of defense - commonly deployed on routers • Simple accept or reject decision model • No awareness of higher protocol layers [Diagram: OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the filter operating at the Network layer]
Application Gateway or Proxy • Packets examined at the application layer • Application/Content filtering possible - prevent FTP “put” commands, for example • Modest performance • Scalability limited [Diagram: OSI stacks with the proxy operating at the Application layer]
Stateful Inspection • Packets inspected between the data link layer and the network layer in the OS kernel • State tables are created to maintain connection context • Invented by Check Point [Diagram: OSI stacks with the INSPECT Engine sitting between Data Link and Network, backed by Dynamic State Tables]
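To make the difference between the packet-filter and stateful-inspection slides concrete, here is an added example (not from the slides or from any vendor's product): a stateless rule set beside a small connection-table engine, both run over a constructed TCP trace. The internal range 10.0.0.0/8, the flag encoding and the sample addresses are assumptions.

```python
# Added example (not from the slides): a stateless packet filter beside a
# stateful inspection engine, both run over a constructed TCP packet trace.
from collections import namedtuple
# flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST (assumed encoding)
Packet = namedtuple("Packet", "src sport dst dport flags")

def inside(ip):
    return ip.startswith("10.")  # assumed internal range 10.0.0.0/8

def packet_filter(pkt):
    """Stateless rules judge each packet on its own header. To let replies
    to outbound web requests back in, the filter must admit any inbound
    packet from source port 80 to a high port, solicited or not."""
    if inside(pkt.src) and pkt.dport == 80:
        return True
    return (not inside(pkt.src)) and pkt.sport == 80 and pkt.dport >= 1024

class StatefulInspector:
    """Connection table keyed by 4-tuple, created only by SYNs leaving the
    inside; inbound packets pass only if they match an existing entry."""
    def __init__(self):
        self.table = {}

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if inside(pkt.src) and pkt.dport == 80 and pkt.flags == "S":
            self.table[fwd] = "SYN_SENT"  # new outbound connection
            return True
        if fwd in self.table:  # further packets from the initiator
            return True
        if rev in self.table:  # reply direction of a known connection
            if pkt.flags == "SA" and self.table[rev] == "SYN_SENT":
                self.table[rev] = "ESTABLISHED"
            elif pkt.flags == "R":
                del self.table[rev]  # reset tears the entry down
            return True
        return False  # no connection context: drop

# Constructed trace: one real web session, then an unsolicited inbound SYN
# that merely uses source port 80 to look like a reply.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, "S"),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, "A"),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, "S"),
]

def run(trace=TRACE):
    """Return (packet filter verdict, stateful verdict) for each packet."""
    sf = StatefulInspector()
    return [(packet_filter(p), sf.inspect(p)) for p in trace]
```

The last packet is the point of the slide: the stateless filter must accept it because only its header is visible, while the state table rejects it because no inside host ever opened that connection.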
Network Address Translation (NAT) • Converts a network’s private (internal) IP addresses to legal or public IP addresses • Hides the true addresses of individual hosts, protecting them from attack • Allows more devices to be connected to the network [Diagram: Corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind the public IP address 219.22.165.1 facing the Internet]
Port Address Translation (Hiding PAT) [Diagram: PAT translation table for the single global address 192.168.0.15: inside hosts 10.0.0.2 (source port 2000) and 10.0.0.3 (source port 2001) both connect to 172.30.0.50 port 23 (telnet) and leave with source address 192.168.0.15 and a translated source port (49090 shown), so replies can be mapped back to the right inside host]
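As an added example (not from the slides or any vendor's implementation), here is a minimal PAT table that carries the slide's addresses through both directions: outbound packets are rewritten to the one global address with a distinct port, and only replies that match an existing entry are mapped back, which is what hides the inside hosts. The starting global port 49090 and the port 49091 for the second host are assumptions.

```python
# Added example (not from the slides): a minimal PAT ("hiding NAT") table.
# Addresses follow the slide; the port allocation scheme is assumed.
class PAT:
    def __init__(self, global_ip, first_port=49090):
        self.global_ip = global_ip
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> global port
        self.back = {}  # (global_port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src, sport, dst, dport):
        """Translate a packet leaving the LAN; allocate a global port on first use."""
        key = (src, sport, dst, dport)
        if key not in self.out:
            gport, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = gport
            self.back[(gport, dst, dport)] = (src, sport)
        return (self.global_ip, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Translate a packet arriving at the global address. Anything that
        does not match an entry created by outbound traffic has no inside
        destination and is dropped (returns None): the hosts stay hidden."""
        if dst != self.global_ip:
            return None
        entry = self.back.get((dport, src, sport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return (src, sport, inside_ip, inside_port)

def demo():
    """Walk the slide's scenario: two inside telnet sessions to 172.30.0.50."""
    pat = PAT("192.168.0.15")
    a = pat.outbound("10.0.0.2", 2000, "172.30.0.50", 23)   # host 2 -> :49090
    b = pat.outbound("10.0.0.3", 2001, "172.30.0.50", 23)   # host 3 -> :49091
    reply = pat.inbound("172.30.0.50", 23, "192.168.0.15", b[1])  # back to host 3
    stray = pat.inbound("172.30.0.50", 23, "192.168.0.15", 50000)  # unsolicited
    return a, b, reply, stray
```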
Personal Firewalls • Need arises from always on connections • Your PC is not protected enough by your OS • Intrusion detection facilities • Different levels of security • Templates
Firewall Deployment • Corporate Network Gateway • Protect internal network from attack • Most common deployment point [Diagram: Internet, Corporate Network Gateway, Demilitarized Zone (DMZ) with Public Servers, Human Resources Network, Corporate Site]
Firewall Deployment • Corporate Network Gateway • Internal Segment Gateway • Protect sensitive segments (Finance, HR, Product Development) • Provide second layer of defense • Ensure protection against internal attacks and misuse [Diagram: Internal Segment Gateway in front of the Human Resources Network; Demilitarized Zone with publicly accessible servers; Corporate Site; Internet]
Firewall Deployment • Corporate Network Gateway • Internal Segment Gateway • Server-Based Firewall • Protect individual application servers • Protect files [Diagram: Server-Based Firewall on an SAP Server; DMZ with Public Servers; Human Resources Network; Corporate Site; Internet]
Firewall Deployment • Hardware appliance based firewall • Single platform, software pre-installed • Can be used to support small organizations or branch offices with little IT support • Software based firewall • Flexible platform deployment options • Can scale as organization grows
Summary • Firewalls are the foundation of an enterprise security policy • Stateful Inspection is the leading firewall technology
Criteria for Selecting a Firewall • Which network protocols or application-layer traffic must the firewall allow/deny? • Does the firewall need to authenticate users when controlling network traffic? • How are rules created? • Can it hide (internal) network addresses? • Does it have more than one address, so that several web and email servers on the network can be protected from attack?
Criteria for Selecting a Firewall (continued) • Can it filter Java and ActiveX? • How does it harden operating system security? • Does it handle all network traffic without compromising security? • Does it provide event logging and alerting? • Is it simple and easy to use? • Does it support add-on event reporting software? • Does it provide content blocking?
Criteria for Selecting a Firewall (continued) • Is it scalable to meet future needs? • Is it easy to add remote firewalls and mobile users? • Does it interoperate with other products on the market?
What is a VPN? • A VPN is a private connection over an open network • A VPN includes authentication and encryption to protect data integrity and confidentiality [Diagram: VPN between Acme Corp Site 1 and Acme Corp Site 2 across the Internet]
Why Use Virtual Private Networks? • More flexibility • Leverage ISP point of presence • Use multiple connection types (cable, DSL, T1, T3) • Most attacks originate within an organization
Why Use Virtual Private Networks? • More flexibility • More scalability • Add new sites, users quickly • Scale bandwidth to demand
Why Use Virtual Private Networks? • More flexibility • More scalability • Lower costs • Reduced frame relay/leased line costs • Reduced long distance • Reduced equipment costs (modem banks, CSU/DSUs) • Reduced technical support
Types of VPNs • Remote Access VPN • Provides access to internal corporate network over the Internet • Reduces long distance, modem bank, and technical support costs • PAP, CHAP, RADIUS [Diagram: remote user reaching the Corporate Site over the Internet]
Types of VPNs • Remote Access VPN • Site-to-Site VPN • Connects multiple offices over Internet • Reduces dependencies on frame relay and leased lines [Diagram: Branch Office connected to the Corporate Site over the Internet]
Types of VPNs • Remote Access VPN • Site-to-Site VPN • Extranet VPN • Provides business partners access to critical information (leads, sales tools, etc) • Reduces transaction and operational costs [Diagram: Partner #1 and Partner #2 connected to the Corporate Site over the Internet]
Types of VPNs • Remote Access VPN • Site-to-Site VPN • Extranet VPN • Client/Server VPN • Protects sensitive internal communications [Diagram: LAN clients, LAN clients with sensitive data, and a Database Server, with the Internet alongside]
Components of a VPN • Encryption • Key management • Message authentication • Entity authentication
Encryption • Current standards: DES and Triple-DES • Over 20 years in the field • AES beginning deployment • New standard • More computationally efficient • Longer keys = more secure [Diagram: traffic from Joe’s PC to the HR Server is encrypted; all other traffic (Mary’s PC, E-Mail Server) is cleartext]
Key Management • Public key cryptosystems enable secure exchange of private crypto keys across open networks • Re-keying at appropriate intervals • IKE = Internet Key Exchange protocols • Incorporates ISAKMP/Oakley
Authentication • IPsec standards focus on authentication of two network devices to each other • IP address/preshared key • Digital certificates • User authentication is added on top if required • RADIUS and TACACS+ are the standard protocols for authentication servers • XAUTH is being added to the standards to address user authentication
Point-to-Point Tunneling Protocol (PPTP) • Layer 2 remote access VPN distributed with Windows product family • Addition to Point-to-Point Protocol (PPP) • Allows multiple Layer 3 protocols • Uses proprietary authentication and encryption • Limited user management and scalability • Known security vulnerabilities [Diagram: Remote PPTP Client, ISP Remote Access Switch, Internet, PPTP RAS Server on the Corporate Network]
Layer 2 Tunneling Protocol (L2TP) • Layer 2 remote access VPN protocol • Combines and extends PPTP and L2F (Cisco supported protocol) • Weak authentication and encryption • Does not include packet authentication, data integrity, or key management • Must be combined with IPSec for enterprise-level security [Diagram: Remote L2TP Client, ISP L2TP Concentrator, Internet, L2TP Server on the Corporate Network]
Internet Protocol Security (IPSec) • Layer 3 protocol for remote access, intranet, and extranet VPNs • Internet standard for VPNs • Provides flexible encryption and message authentication/integrity • Includes key management
Components of an IPSec VPN • Encryption: DES, 3DES, and more • Message Authentication: HMAC-MD5, HMAC-SHA-1, or others • Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE • Key Management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI) • All managed by security associations (SAs)
Encryption Explained • Used to convert data to a secret code for transmission over an untrusted network [Diagram: Clear Text “The cow jumped over the moon” passes through the Encryption Algorithm and comes out as Encrypted Text “4hsd4e3mjvd3sd a1d38esdf2w4d”]
Symmetric Encryption • Same key used to encrypt and decrypt message • Faster than asymmetric encryption • Examples: DES, 3DES, RC5, Rijndael [Diagram: both parties hold the same Shared Secret Key]
Asymmetric Encryption • Different keys used to encrypt and decrypt message (One public, one private) • Examples include RSA, DSA, SHA-1, MD-5 [Diagram: Bob encrypts with Alice’s Public Key; Alice decrypts with Alice’s Private Key]
Secure Virtual Network Architecture [Diagram: Corporate Network with a VPN-1/FireWall-1 Gateway & StoneBeat FullCluster, FloodGate-1 QoS, ConnectControl Server Load Balancing in front of a Web Server Pool, VPN-1 SecureServer, VPN-1 Accelerator Card, LDAP Directory, RSA ACE/Server, RSA Advanced PKI, ISS RealSecure Intrusion Detection, and Trend InterScan, WebManager, eManager & StoneBeat Security Cluster; an Extranet Partner Site reached through an IPSec-compliant Gateway and Extranet Application Server; a Remote Office on a VPN-1/FireWall-1 Nokia Appliance behind a Router; Remote Users on Dial-up and Broadband with VPN-1 SecuRemote, VPN-1 SecureClient and RSA SecurID, RSA ACE/Agent] • Enterprise Management Console • Policy-based Management • Reporting • Account Management • Open Security Extension