
An Introduction to Firewall Technology

An Introduction to Firewall Technology. 凌群電腦 (Syscom Computer). Presenter: 潘志豪. E-Mail : Jason_Pan@tc.syscom.com.tw. TEL : 04-2202-1221. Agenda: what is a firewall; why an organization needs a firewall; types of firewalls and technologies; deploying a firewall; what is a VPN.



Presentation Transcript


  1. An Introduction to Firewall Technology 凌群電腦 (Syscom Computer) Presenter: 潘志豪 E-Mail : Jason_Pan@tc.syscom.com.tw TEL : 04-2202-1221

  2. Agenda • What is a firewall • Why an organization needs a firewall • Types of firewalls and technologies • Deploying a firewall • What is a VPN

  3. What is a Firewall? • A firewall: • Acts as a security gateway between two networks • Usually between trusted and untrusted networks (such as between a corporate network and the Internet) (Diagram: Internet, Corporate Network Gateway, Corporate Site)

  4. What is a Firewall? • A firewall: • Acts as a security gateway between two networks • Tracks and controls network communications • Decides whether to pass, reject, encrypt, or log communications (access control) (Diagram: “Allow traffic to Internet” outbound, “Block traffic from Internet” inbound, Corporate Site)

  5. Why Firewalls are Needed • Prevent attacks from untrusted networks • Protect data integrity of critical information • Preserve customer and partner confidence

  6. Evolution of Firewalls • Stages of evolution: Packet Filter → Application Proxy → Stateful Inspection

  7. Packet Filter • Packets examined at the network layer (source/destination address, protocol) and usually the transport header (ports, TCP flags), with no memory of earlier packets • Useful “first line” of defense, commonly deployed on routers as access lists • Simple accept-or-reject decision per packet • No awareness of higher protocol layers, so it cannot distinguish a genuine reply from an unsolicited packet that merely carries the expected flags (Diagram: OSI stack, with the filter operating at the Network layer)

  8. Application Gateway or Proxy • Packets examined at the application layer; the proxy terminates the client connection and opens its own connection to the server • Application/content filtering possible (prevent FTP “put” commands, for example) • Modest performance • Scalability limited, and a separate proxy is needed for each application protocol (Diagram: OSI stack, with the proxy operating at the Application layer)

  9. Stateful Inspection • Packets inspected between the data link layer and the network layer in the OS kernel • Dynamic state tables are created to maintain connection context, so inbound packets are passed only when they belong to a connection that was permitted to open • Invented by Check Point (the INSPECT engine) (Diagram: OSI stack with the INSPECT engine and dynamic state tables below the Network layer)

  10. Network Address Translation (NAT) • Converts a network’s private, non-routable IP addresses to public IP addresses • Hides the true addresses of individual hosts; unsolicited inbound packets have no translation entry and are dropped, but NAT is not a substitute for filtering • Allows more devices to be connected to the network than the organization has public addresses • Note: the range 192.172.1.1-192.172.1.254 shown on the slide is routable public space; RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 for internal use (Diagram: Corporate LAN with internal addresses 192.172.1.1-192.172.1.254, public address 219.22.165.1, Internet)

  11. Port Address Translation (Hiding PAT) • Many inside hosts share one global address; the translator rewrites the source port so each reply can be mapped back to the right host • Example translation table (both hosts happen to use the same ephemeral source port 49090, so PAT assigns distinct global ports):
     Inside local        Inside global          Outside
     10.0.0.2:49090  →   192.168.0.15:2000  →   172.30.0.50:23
     10.0.0.3:49090  →   192.168.0.15:2001  →   172.30.0.50:23
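The translation table on slides 10 and 11, as an added example that is not part of the presentation: a PAT keyed on the full outbound 4-tuple, with reverse lookup for replies and a drop for unsolicited inbound packets. The global address 192.168.0.15, the inside hosts and the destination 172.30.0.50:23 are the slide's values; the starting global port of 2000 is chosen to reproduce the slide's table, and the other addresses are constructed.

```python
"""Port Address Translation (hiding NAT) as an explicit translation table."""


class PortAddressTranslator:
    def __init__(self, global_ip: str, first_port: int = 2000, last_port: int = 65535) -> None:
        self.global_ip = global_ip
        self._next_port = first_port
        self._last_port = last_port
        # (inside ip, inside port, outside ip, outside port) -> global port
        self._outbound: dict[tuple[str, int, str, int], int] = {}
        # (global port, outside ip, outside port) -> (inside ip, inside port)
        self._inbound: dict[tuple[int, str, int], tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        if self._next_port > self._last_port:
            # A real translator recycles idle entries; here exhaustion is a hard error.
            raise RuntimeError("PAT port pool exhausted")
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def translate_outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite the source of a LAN packet, creating a table entry on first sight."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._outbound:
            gport = self._allocate_port()
            self._outbound[key] = gport
            self._inbound[(gport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.global_ip, self._outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Map a reply back to the inside host; None means no entry, so the packet is dropped."""
        if dst_ip != self.global_ip:
            return None
        inside = self._inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port) + inside


def demo():
    """Reproduce the slide: two inside hosts telnet to 172.30.0.50 from the same source port."""
    pat = PortAddressTranslator("192.168.0.15")
    a = pat.translate_outbound("10.0.0.2", 49090, "172.30.0.50", 23)
    b = pat.translate_outbound("10.0.0.3", 49090, "172.30.0.50", 23)
    again = pat.translate_outbound("10.0.0.2", 49090, "172.30.0.50", 23)   # same flow, same mapping
    reply_b = pat.translate_inbound("172.30.0.50", 23, "192.168.0.15", 2001)
    unsolicited = pat.translate_inbound("198.51.100.7", 40000, "192.168.0.15", 22)  # constructed probe
    return a, b, again, reply_b, unsolicited


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The reverse lookup is what gives NAT its incidental "protection": an inbound packet to 192.168.0.15:22 finds no entry and is dropped. It is incidental because nothing in the table expresses policy; any inside host can still reach anything outside, and any entry, once created, is a hole. Real implementations key on fewer fields (endpoint-independent mapping) and try to keep the original source port when it is free, which changes which global port a host gets but not the mechanism.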

  12. Personal Firewalls • Need arises from always-on connections • Your PC is not protected enough by your OS alone • Intrusion detection facilities • Different levels of security • Templates (pre-built rule sets)

  13. Firewall Deployment • Corporate Network Gateway • Protect internal network from attack • Most common deployment point (Diagram: Internet, gateway firewall, Demilitarized Zone (DMZ) holding the public servers, Human Resources network, Corporate Site)

  14. Firewall Deployment • Corporate Network Gateway • Internal Segment Gateway • Protect sensitive segments (Finance, HR, Product Development) • Provide second layer of defense • Ensure protection against internal attacks and misuse (Diagram: Internet, internal segment gateway in front of the Human Resources network, DMZ with publicly-accessible servers, Corporate Site)

  15. Firewall Deployment • Corporate Network Gateway • Internal Segment Gateway • Server-Based Firewall • Protect individual application servers (an SAP server, for example) • File protection on the host itself (Diagram: Internet, DMZ with public servers, Human Resources network, server-based firewall on the SAP server, Corporate Site)

  16. Firewall Deployment • Hardware appliance-based firewall • Single platform, software pre-installed • Can be used to support small organizations or branch offices with little IT support • Software-based firewall • Flexible platform deployment options • Can scale as the organization grows

  17. Summary • Firewalls are the foundation of an enterprise security policy • Stateful Inspection is the leading firewall technology

  18. Criteria for Selecting a Firewall • Which network protocols or application-layer traffic must the firewall allow or deny? • Does the firewall need to authenticate users when controlling traffic? • How are rules created? • Can it hide internal addresses (NAT)? • Does it support more than one public address, so that several web and email servers can be protected from attack?

  19. Criteria for Selecting a Firewall (continued) • Can it filter Java and ActiveX? • How does it harden the operating system it runs on? • Does it handle all network traffic without compromising security? • Does it provide event logging and alerting? • Is it simple to use? • Does it support add-on event reporting software? • Does it provide content blocking?

  20. Criteria for Selecting a Firewall (continued) • Is it scalable enough to meet future needs? • Is it easy to add remote firewalls and mobile users? • Does it interoperate with other products on the market?

  21. What is a VPN? • A VPN is a private connection over an open network • A VPN includes authentication and encryption to protect data integrity and confidentiality (Diagram: Acme Corp Site 1 and Acme Corp Site 2 joined by a VPN across the Internet)

  22. Why Use Virtual Private Networks? • More flexibility • Leverage ISP point of presence • Use multiple connection types (cable, DSL, T1, T3) • Most attacks originate within an organization

  23. Why Use Virtual Private Networks? • More flexibility • More scalability • Add new sites, users quickly • Scale bandwidth to demand

  24. Why Use Virtual Private Networks? • More flexibility • More scalability • Lower costs • Reduced frame relay/leased line costs • Reduced long distance • Reduced equipment costs (modem banks, CSU/DSUs) • Reduced technical support

  25. Types of VPNs • Remote Access VPN • Provides access to the internal corporate network over the Internet • Reduces long distance, modem bank, and technical support costs • User authentication via PAP, CHAP, RADIUS (PAP sends the password in cleartext; CHAP or stronger is preferable) (Diagram: remote user, Internet, Corporate Site)

  26. Types of VPNs • Remote Access VPN • Site-to-Site VPN • Connects multiple offices over the Internet • Reduces dependencies on frame relay and leased lines (Diagram: Corporate Site and Branch Office joined across the Internet)

  27. Types of VPNs • Remote Access VPN • Site-to-Site VPN • Extranet VPN • Provides business partners access to critical information (leads, sales tools, etc.) • Reduces transaction and operational costs (Diagram: Corporate Site, Internet, Partner #1, Partner #2)

  28. Types of VPNs • Remote Access VPN • Site-to-Site VPN • Extranet VPN • Client/Server VPN • Protects sensitive internal communications (Diagram: LAN clients, Internet, LAN clients with sensitive data, Database Server)

  29. Components of a VPN • Encryption • Key management • Message authentication • Entity authentication

  30. Encryption • Standards at the time of the talk: DES and Triple-DES, over 20 years in the field • AES beginning deployment: new standard, more computationally efficient, longer keys • Note: single DES (56-bit key) is brute-forceable and is no longer acceptable; AES is the current standard, and a longer key only helps when the algorithm and its mode of operation are sound (Diagram: Joe’s PC to HR Server encrypted; all other traffic, such as Mary’s PC to the E-Mail Server, in cleartext)

  31. Key Management • Public key cryptosystems enable secure agreement of symmetric session keys across open networks • Re-keying at appropriate intervals • IKE = Internet Key Exchange protocol • Incorporates ISAKMP/Oakley

  32. Authentication • IPsec standards focus on authentication of two network devices to each other • IP address/preshared key • Digital certificates • User authentication is added on top if required • RADIUS and TACACS+ are the standard protocols for authentication servers • XAUTH, an IKE extension for user authentication, was being proposed at the time (it remained an Internet-Draft and was never standardized; IKEv2 uses EAP for this purpose)

  33. Point-to-Point Tunneling Protocol (PPTP) • Layer 2 remote access VPN distributed with the Windows product family • Addition to Point-to-Point Protocol (PPP) • Allows multiple Layer 3 protocols • Uses Microsoft’s own authentication and encryption (MS-CHAP, MPPE) • Limited user management and scalability • Known security vulnerabilities (Diagram: remote PPTP client, ISP remote access switch, Internet, PPTP RAS server, Corporate Network)

  34. Layer 2 Tunneling Protocol (L2TP) • Layer 2 remote access VPN protocol • Combines and extends PPTP and L2F (Cisco-supported protocol) • Weak authentication and encryption • Does not include packet authentication, data integrity, or key management • Must be combined with IPSec for enterprise-level security (Diagram: remote L2TP client, ISP L2TP concentrator, Internet, L2TP server, Corporate Network)

  35. Internet Protocol Security (IPSec) • Layer 3 protocol for remote access, intranet, and extranet VPNs • Internet standard for VPNs • Provides flexible encryption and message authentication/integrity • Includes key management

  36. Components of an IPSec VPN • Encryption: DES, 3DES, and more • Message Authentication: HMAC-MD5, HMAC-SHA-1, or others • Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE • Key Management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI) • All managed by security associations (SAs)
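Slides 29, 31, 32 and 36 list the pieces (key exchange, pre-shared-key entity authentication, derived keys, HMAC message authentication) without showing how they fit together. The block below is an added example, not the slides' material and not any IKE implementation: a Diffie-Hellman exchange over Oakley Group 2, a SKEYID derivation that follows the shape of RFC 2409 (SKEYID from the PSK and nonces, then SKEYID_d/a/e chained from g^xy), an initiator authentication hash, and an HMAC tag on a later payload. The prime is transcribed from RFC 2409 section 6.2 and should be checked against the RFC before any real use; cookies, nonces, the identity string and the payload are constructed values, and HMAC-SHA-256 stands in for the PRF.

```python
"""IKE-style key management and authentication, condensed into one exchange."""
import hashlib
import hmac
import secrets

# Oakley Group 2 (1024-bit MODP, RFC 2409 s6.2), transcribed here; verify before real use.
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
PLEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; RFC 2409 negotiates HMAC-MD5/SHA-1, HMAC-SHA-256 is used here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair() -> tuple[int, int]:
    x = secrets.randbits(320) | 1          # private exponent, well above 2x the group's strength
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    # Reject 0, 1 and p-1: they force g^xy into a trivial value regardless of x.
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_public, x, P).to_bytes(PLEN, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key mode: SKEYID = prf(psk, Ni | Nr). Without the PSK nothing below is computable."""
    return prf(psk, ni + nr)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d (child SA material), SKEYID_a (message auth), SKEYID_e (encryption)."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def auth_hash(skeyid: bytes, own_pub: int, peer_pub: int, cky_i: bytes, cky_r: bytes, ident: bytes) -> bytes:
    """Entity authentication: binds the PSK-derived SKEYID to both DH values, cookies and identity."""
    return prf(skeyid, own_pub.to_bytes(PLEN, "big") + peer_pub.to_bytes(PLEN, "big") + cky_i + cky_r + ident)


def run_exchange(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Both sides of the exchange in one place; a PSK mismatch must fail authentication."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)      # ISAKMP cookies (constructed)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)          # nonces (constructed)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy_i, gxy_r = dh_shared(xi, gxr), dh_shared(xr, gxi)              # each side from its own exponent
    sk_i, sk_r = skeyid_psk(psk_initiator, ni, nr), skeyid_psk(psk_responder, ni, nr)
    ident = b"initiator@example"                                        # constructed ID payload
    hash_i = auth_hash(sk_i, gxi, gxr, cky_i, cky_r, ident)            # sent by the initiator
    expected = auth_hash(sk_r, gxi, gxr, cky_i, cky_r, ident)          # recomputed by the responder
    peer_authenticated = hmac.compare_digest(hash_i, expected)
    keys_i = derive_keys(sk_i, gxy_i, cky_i, cky_r)
    keys_r = derive_keys(sk_r, gxy_r, cky_i, cky_r)
    payload = b"route 10.1.0.0/16 via tunnel"                           # constructed later message
    tag = prf(keys_i[1], payload)                                       # message authentication with SKEYID_a
    return {
        "dh_agrees": gxy_i == gxy_r,
        "peer_authenticated": peer_authenticated,
        "keys_match": keys_i == keys_r,
        "payload_accepted": hmac.compare_digest(tag, prf(keys_r[1], payload)),
    }


if __name__ == "__main__":
    print(run_exchange(b"correct horse", b"correct horse"))
    print(run_exchange(b"correct horse", b"wrong psk"))
```

Two points the slides state only as bullets are visible here. Diffie-Hellman alone gives both sides the same g^xy even when the PSKs differ (`dh_agrees` stays True), so key agreement by itself authenticates nobody; it is the PSK folded into SKEYID that makes the authentication hash and the derived keys diverge for an impostor. And the tag check uses `hmac.compare_digest`, not `==`, because a byte-by-byte early exit leaks how much of a forged MAC was right. Group 2 is shown because the talk is from the IKEv1 era; 1024-bit MODP is below current recommendations, and deployments should use group 14 or larger, or an elliptic-curve group.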

  37. Encryption Explained • Used to convert data to a secret code for transmission over an untrusted network (Diagram: clear text “The cow jumped over the moon” → encryption algorithm → encrypted text “4hsd4e3mjvd3sda1d38esdf2w4d”)

  38. Symmetric Encryption • Same key (a shared secret key) used to encrypt and decrypt the message • Faster than asymmetric encryption • Examples: DES, 3DES, RC5, Rijndael (standardized as AES)

  39. Asymmetric Encryption • Different keys used to encrypt and decrypt the message (one public, one private) • Examples: RSA (encryption and signatures), DSA (signatures only) • SHA-1 and MD5 are hash functions, not asymmetric ciphers, though they are used alongside them to build signatures (Diagram: Bob encrypts with Alice’s public key; Alice decrypts with her private key)

  40. Comparison of encryption systems currently used on the Internet

  41. Comparison of encryption systems currently used on the Internet (continued)

  42. Reference cost and time to crack DES keys

  43. Secure Virtual Network Architecture (vendor reference diagram; components shown) • Corporate Network: VPN-1/FireWall-1 Gateway with StoneBeat FullCluster, FloodGate-1 QoS, ConnectControl server load balancing, VPN-1 Accelerator Card, ISS RealSecure Intrusion Detection, LDAP Directory, RSA ACE/Server, RSA Advanced PKI, Trend InterScan / WebManager / eManager with StoneBeat Security Cluster, Web Server Pool • Extranet Partner Site: IPSec-compliant Gateway, Extranet Application Server • Remote Office: VPN-1/FireWall-1 Nokia Appliance, Router • Remote Users (dial-up and broadband): VPN-1 SecuRemote and VPN-1 SecureClient with RSA SecurID • Servers: VPN-1 SecureServer, RSA ACE/Agent • Management: Enterprise Management Console, policy-based management, reporting, account management, Open Security Extension

  44. Thank You!
