1 / 33

Understanding Firewalls: Principles and Categories

This chapter delves into the principles and categories of firewalls, from packet filtering to application gateways, discussing different architectural considerations and technologies. Learn about the importance of integrated security systems and the role of firewalls in safeguarding networks.

jlynn
Download Presentation

Understanding Firewalls: Principles and Categories

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Firewalls & VPNs Principles of Information Security Chapter 6 Part 1

  2. References • Circuit-level Gateways vs Application Gateways • http://www.pcstats.com/articleview.cfm?articleid=1450&page=5 • Introduction to Network Firewalls • http://www.more.net/technical/netserv/tcpip/firewalls/ • Firewalls Explained • http://www.dmccormick.org/firewalls.htm • Firewall Architectures • http://docstore.mik.ua/orelly/networking/firewall/ch04_02.htm • Introduction to Firewalls (on-line report) • http://www2.hawaii.edu/~sdunan/ics623/Dunan.FirewallReport.html

  3. Topic Objectives • Describe categories of firewalls. • Describe firewall architectures. • Discuss considerations for selecting architectures

  4. Firewalls So, this “wall” can be several devices, including firewall itself • Goal is to prevent specific types of information from moving between external networks and internal networks. • In general, the arrangement of security devices placed at the perimeter of a computer network to guard the entry is collectively called a firewall, or firewall perimeter. • At least one of those devices is a program or a hardware device called a firewall.

  5. Create an integrated security system • firewall perimeter = firewall+ IDS + antivirus • Also use access control and auditing • Create many firewall perimeters, at strategic entry points • Keep patching and updating them!

  6. Categorizing Firewalls • Processing mode • Packet filtering, aka filtering (e.g. a router) • Application gateways • Circuit gateways • MAC layer firewalls, • hybrid • Development Era (generation) • Which level of technology is used • Structure • Commercial-grade, residential-grade • Implementation • Software, hardware, hybrid

  7. Many different firewalls to pick from • Basic personal use: ZoneAlarm, Norton Personal, Sygate • More commercial: e.g Check Point Next Generation • http://directory.google.com/Top/Computers/Security/Firewalls/Products/ Many! • Cisco firewall appliance (i.e. hardware firewall) http://tools.cisco.com/search/JSP/search-results.get?strQueryText=pix+firewall&Search+All+cisco.com=cisco.com&language=en&country=US&thissection=f&accessLevel=Guest&autosuggest=true • http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.htmlPerformance tables

  8. Pros and Cons

  9. Packet Filtering Firewalls • Examine packet headers • Use Access Control Lists (ACLs) to examine and control packet flow based on source/destination IP addresses in the network • Simple firewalls examine IP network layer headers • source/destination IP address, protocol (udp, tcp), inbound or outbound traffic • can reject (deny), discard, or forward packets • 3 types of packet filtering firewalls • static filtering - rules must be configured in advance • dynamic filtering • firewall can modify rules dynamically in response to traffic • opens and closes doors to allow only specified packet wiht source, destination, and port to pass through the firewall • stateful inspection – firewall keeps track of the state of connection and if the packet “makes sense” in the context. It can check incoming packets that are responses to internal requests. If it cannot figure it out, it checks ACL tables.

  10. IP Packet Structure

  11. Sample ACL table for a stateless packet filtering firewall Discussion: how do we read such a table? (Look at the Review of TCP and Logic file) Discussion: what do these rules mean? Do you see why an IDS is necessary?

  12. Stateful Inspection Firewalls • Examine transport layer headers • Track the state of transport layer connections using a state table. • Able to track TCP and UDP source/destination ports and TCP flags in particular • Dynamic stateful inspection firewalls • Maintain dynamic state tables to modify filtering rules based on network events

  13. TCP and UDP Packet Structure

  14. Sample ACL table for a statefull packet filtering firewall Discussion: how do we read such a table? (Should we look at the Review of TCP and Logic file ?) Discussion: what do these lines mean?

  15. Where do we put packet filters? • Cloud, packet filter, proxy server, inside net • Cloud, packet filter, DMZ, packet filter, inside net

  16. Application Gateways • AKA, application-level firewall,application firewall, or proxy server • Frequently installed on a separate computer but used in conjunction with the filtering router • Examines application layer information to determine service type, etc. • Acts as a proxy for a service request • Web server proxy receives requests for web pages, accesses the web server, and returns the pages to the client • Able to store recently accessed pages in a local cache. May be referred to as cache servers. • Frequently placed in an unsecured network location, or a DMZ network • Can be used to route all internal traffic for web pages via the intermediate proxy server • Still widely used for e-commerce, but DMZ networks becoming more commonly used. • Can be slower than other types of firewalls. • Designed for one or a few protocols; cannot be easily reconfigured.

  17. Proxy Server (also called application gateway, or application-level firewall, or application firewall) E.g. web proxy receives traffic meant for/from the web server and then delivers them to/from the web server. The web server is protected by a firewall, in the figure above. There can be a packet-filter firewall in front of the proxy too.

  18. Circuit Gateways • AKA, circuit gateway firewall or circuit-level gateway • Operates at transport layer • Create tunnels connecting specific processes or systems and allow only authorized traffic in tunnels • Only examines address and port information; does not examine application layer data.

  19. MAC Layer & Hybrid Firewalls • MAC Layer filtering • Operates at Layer 2 and examines MAC addresses • Typically included as a feature of packet filtering firewalls, or hardware firewalls. • Hybrid Firewalls • Contain components of different types of firewalls • packet filtering + MAC layer filtering • packet filtering + circuit gateway • packet filtering + proxy server

  20. Firewall Generations • First Generation • static packet filtering • Second Generation • Proxy servers or application-level firewalls • Third Generation • Stateful inspection firewalls • Fourth Generation • Dynamic packet filtering firewalls • Fifth Generation • kernel proxy - operates at multiple layers of the protocol stack • Windows NTEXEC kernel • Cisco Centri Firewall kernel

  21. Firewall Structures • Commercial-Grade Firewall Appliances • standalone, self-contained hardware & software • firmware-based instructions increase reliability and performance and reduce compromise • rule sets stored in nonvolatile RAM • Commercial-Grade Firewall Systems • Application software running on general-purpose computers • Small Office/Home Office-Grade (SOHO) Firewall Appliances • Protection for always-on high speed Internet connections • Support stateful inspection, MAC filtering, port forwarding and NAT • May provide intrusion detection capability • Residential-Grade Firewall Software • Frequently available as free or inexpensive software packages that run on individual hosts.

  22. SOHO Hardware vs Software Firewall • Suggestion --- use BOTH • Implements the strategy of defense in depth • Hardware firewalls reduce/eliminate exposure of individual systems from scanning and probes • Very likely to eliminate 100% of pre-attack probes • May improve system performance by reducing unnecessary traffic on local network • SOHO hardware firewalls are not especially expensive and well worth the investment • Software firewalls provide an alternative, secondary firewall as a backup if someone breaks through the perimeter firewall.

  23. Firewall Architectures • 4 common implementations • Packet Filtering Routers • Screened Host Firewalls • Dual-Home Host Firewalls • Screened Subnet Firewalls (with DMZ)

  24. Packet Filtering Routers • Basic Border Firewall

  25. Untrusted Host • Exposed hosts outside border firewall • Host is configured for minimal services • Both incoming and outgoing traffic goes through the external host • E.g., proxy server • Internal hosts cannot trust the external host • If all traffic routes through the untrusted host, it may also be a dual-homed host.

  26. Screened Host • Untrusted host on separate network and inside firewall • Still untrusted by internal hosts • Other untrusted hosts can be on same network • Creates a public access network (e.g., web access) • aka DMZ • aka perimeter network, service network

  27. Dual-Homed Host • All traffic enters/leaves internal network via proxy server. • Proxy server may or may not be the firewall. Not required to be the same device.

  28. Screened Subnet Firewall • Traffic between internal network and Internet traverses two firewalls and DMZ network • Hosts in DMZ act as publically accessible servers • Traffic entering inner firewally must originate from a host in the DMZ • Internal firewalls provide protection between internal subnets

  29. Firewall Configuration Advantages/Disadvantages

  30. SOCKS Servers • SOCKS • Protocol for handling TCP traffic through a proxyserver. • Proprietary, circuit-level proxy server. • Uses special client-side SOCKS agents on each workstation. • Filtering occurs in workstations, vice the proxy server. • Each workstation must be managed as a firewall detection and protection device. • May require extra support and management resources, since individual clients must also be managed.

  31. SOCKS Server • Note: depicts dual-homed host configuration with inner and outer firewalls.

  32. Firewall Selection • Factors to consider • Which firewall design provides the desired protection? • What type of firewall technology offers the right balance between protection and cost and meets the needs of the organization? • What features are included? • In the base price, as add-ons? • Are all cost factors known? • How easy is it to set up and configure? • How accessible are knowledgeable staff to support the firewall? • Can the proposed firewall adapt to projected network growth in the organization?

More Related