Firewall's 101


Presentation Transcript


    1. Firewall's 101. Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP, CISM, CISA, ISSAP, CIFI, Vice President, Technology Evangelism, Secure Computing. ©2006 Secure Computing Corporation. All Rights Reserved. 9/2/2012

    2. Firewall topics: Why do you need a firewall? What is a firewall? What is the perfect firewall? What types of firewall are there? How should I deploy firewalls? What is good firewall architecture?

    3. What are the risks? Theft or disclosure of internal data; unauthorized access to internal hosts; interception or alteration of data; vandalism and denial of service; lost employee time; bad publicity, public embarrassment, and lawsuits.

    4. What needs to be secured? Crown jewels: patent work, source code, market analysis (information assets). Any way into your network. Any way out of your network. Information about your network.

    5. Why do I need a firewall? One firewall is simpler to administer than many hosts. It's easier to be security conscientious with a firewall.

    6. What is a firewall? As many machines as it takes to: be the sole connection between inside and outside; test all traffic against consistent rules; pass traffic that meets those rules; contain the effects of a compromised system.

    7. Firewall components. All of the machines in the firewall: are immune to penetration or compromise; retain enough information to recreate their actions.

    8. The perfect firewall: lets you do your business; works with existing security measures; provides an acceptable level of risk as defined by your corporate security policy.

    9. The security continuum. Ease of use vs. degree of security. Cheap, secure, feature packed, easy to administer? Choose three. Default deny or default accept.

    10. Policy for the firewall: Who gets to do what via the Internet? What Internet usage is not allowed? Who makes sure the policy works and is being complied with? When can changes be made to policy/rules? What will be done with the logs? Will we cooperate with law enforcement?

    11. What you firewall is important. Internal security policy should show what systems need to be guarded. How you deploy your firewall determines what the firewall protects. The kind of firewall is how much insurance you're buying.

    12. OSI Model – TCP/IP Model

    13. A field trip through an IP packet. Important fields are: IP header, TCP header, application level header.

    14. Types of firewalls. Packet filters: static; dynamic (stateful, SPF). Proxy: circuit level proxy; application proxy; store and forward proxy. Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW's rules.

    15. Packet filters

    16. Packet filters

    17. IP header segment. The only information of value to the packet filter in the IP header segment is the source and destination addresses of the packet.

    18. IP header segment

    19. TCP header segment. The only information of value to the packet filter in the TCP header segment is the source / destination ports for the packet and the SYN flag. A dynamic packet filter uses the SYN flag to determine if a packet is a new connection or an existing connection.

    20. TCP header segment

    21. Packet filters. How packet filters work: read the header and filter by whether fields match specific rules. In a dynamic packet filter (SPF) the SYN flags allow the firewall to tell if a connection is new or ongoing. Static packet filters do not look at the status of communications.

    22. Packet filters. Allows connections as long as the ports are OK. Dynamic packet filters can deny / allow new inbound connections, using the SYN flag. When run at the kernel level, the host is directly involved, and accessible to attack. The host must be hardened.

    23. Packet filter weaknesses. It's easy to botch the rules. Good logging is hard. On poorly designed packet filters: stealth scanning works well; packet fragments, IP options, and source routing work by default. Packet filters usually can't do authentication of end points.

    24. Stateful packet filters

    25. Stateful packet filters. Fast, because they do very little work. SPFs are dynamic packet filters operating at the kernel level (dangerous). The only data inspected by an SPF is source, destination and service. SPFs are incapable of decisions such as "allow PUT, do not allow GET". SPFs have to collect and assemble packets in order to have enough data to act upon. Once a connection is made it is entered into a table; when a new packet arrives, if it matches the table it is allowed to pass, without further inspection.

    26. SPF flow diagram

    27. Stateful packet filters

    28. Weaknesses in SPF. All the flaws of standard filtering still apply. On SPFs stealth scanning works well: hackers can learn what ports are open without alerting the administrator. Default setups are very often insecure, as reflected in CERT bulletins. The packet that leaves the remote site is the same packet that arrives at the client. Data in an allowed connection can be destructive. SPFs are totally unaware of the packet payload. Traditionally SPFs have poor logging. An SPF by and of itself is nothing more than a dynamic packet filter.
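
Slides 19 through 28 describe the SYN-driven state table and its blind spot, the payload. The Python model below is an added example, not part of the original deck: it runs a constructed five-packet scenario through a static filter and a stateful one side by side, so the return-traffic problem of the static filter and the uninspected payload of the SPF are both visible. Addresses, ports and the single rule are made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool              # TCP SYN flag: set only on the first packet of a connection
    payload: bytes = b""   # application data; neither filter below ever reads it

# Constructed policy: the outside may only open new connections to the inside web server.
INSIDE_WEB = "10.0.0.5"
ALLOW_NEW_INBOUND = {(INSIDE_WEB, 80)}   # (destination address, destination port)

class StaticPacketFilter:
    """Slide 21: matches header fields against the rules, never looks at connection status."""
    def decide(self, pkt: Packet) -> str:
        return "pass" if (pkt.dst, pkt.dport) in ALLOW_NEW_INBOUND else "drop"

class StatefulPacketFilter:
    """Slides 19 and 25: a SYN packet is checked against the rules and, if allowed, entered in
    a table for both directions; a later packet that matches the table passes uninspected."""
    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return "pass"             # ongoing connection: the payload is never examined
        if pkt.syn and (pkt.dst, pkt.dport) in ALLOW_NEW_INBOUND:
            self.table.add(key)
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))   # reply direction
            return "pass"
        return "drop"                 # disallowed new connection, or stray non-SYN packet

def run_scenario() -> dict[str, tuple[str, str]]:
    """Constructed traffic, in order; returns {step: (static decision, stateful decision)}."""
    outside, static, spf = "203.0.113.7", StaticPacketFilter(), StatefulPacketFilter()
    steps = {
        "syn_to_web": Packet(outside, 40000, INSIDE_WEB, 80, syn=True),
        "reply_from_web": Packet(INSIDE_WEB, 80, outside, 40000, syn=False),   # static needs extra rules
        "data_on_connection": Packet(outside, 40000, INSIDE_WEB, 80, syn=False, payload=b"GET / HTTP/1.0"),
        "stray_non_syn": Packet(outside, 40001, INSIDE_WEB, 80, syn=False),    # no table entry
        "syn_to_other_port": Packet(outside, 40002, INSIDE_WEB, 23, syn=True),
    }
    return {name: (static.decide(p), spf.decide(p)) for name, p in steps.items()}
```

The static filter passes the stray non-SYN packet because it only sees ports, while the SPF drops it; conversely the SPF passes the data packet without ever looking at its payload, which is the weakness slide 28 describes.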

    29. Proxy firewalls. Proxy firewalls pass data between two separate connections, one on each side of the firewall. Types: circuit level proxy, application proxy, store and forward proxy. Current hardware platforms allow performance equal to or better than SPF with dramatically more granular security.

    30. General proxy weaknesses. The host is now directly involved, and accessible to attack. The host must be hardened. Higher latency and lower throughput.

    31. Circuit level proxy

    32. Circuit level proxy

    33. Circuit level proxy. The FW acts as an intermediary and transfers all information between the two connections. There is no direct connection between the client and host. Tends to have better logging than packet filters as more data is available. Data passed inside the circuit could be dangerous.

    34. Application proxy

    35. Application proxy. The FW transfers only acceptable information between the two connections. There is no direct connection between the client and host. The proxy can understand the protocol and filter the data within. Strong application proxy implementations will inspect and re-write the packet for full RFC compliance. Provides the best logging as all possible data is available.
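
The "allow PUT, do not allow GET" decision of slide 25 is exactly the kind an application proxy can make, because it parses the protocol instead of just ports. As an added example (not the deck's or any vendor's code), this Python sketch of an FTP control-channel proxy refuses RETR while forwarding STOR, re-writes each accepted line into canonical RFC 959 form, and keeps an audit log; the verb policy and the sample session are constructed, and data-channel (PORT/PASV) handling is left out.

```python
import re
from typing import Optional

# Constructed policy for slide 25's example decision: allow PUT (STOR) but not GET (RETR).
# Verbs that are not listed are refused, so an unknown command never reaches the server.
ALLOWED_VERBS = {"USER", "PASS", "CWD", "PWD", "TYPE", "LIST", "STOR", "QUIT"}

# RFC 959 command line after the terminator is removed: 3-4 letter verb, optional argument.
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?: +(.*?))? *$")

def proxy_command(raw: bytes, log: list[str]) -> Optional[bytes]:
    """Inspect one control-channel line from the client. Returns the line to forward to the
    server, re-written into canonical RFC 959 form, or None when the proxy refuses it."""
    try:
        text = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        log.append(f"BLOCK non-ASCII bytes {raw!r}")
        return None
    if not text.isprintable():            # embedded CR, LF, tab or other control characters
        log.append(f"BLOCK control characters in {text!r}")
        return None
    m = COMMAND_RE.match(text)
    if not m:
        log.append(f"BLOCK malformed line {text!r}")
        return None
    verb, arg = m.group(1).upper(), m.group(2)
    if verb not in ALLOWED_VERBS:
        log.append(f"BLOCK {verb} refused by policy")
        return None
    # Canonical form: upper-case verb, one space before the argument, CRLF terminator.
    forwarded = f"{verb} {arg}\r\n" if arg else f"{verb}\r\n"
    log.append(f"PASS {verb}" + (f" {arg}" if arg and verb != "PASS" else ""))   # never log passwords
    return forwarded.encode("ascii")

def proxy_session(lines: list[bytes]) -> tuple[list[Optional[bytes]], list[str]]:
    """Run a client session through the proxy; returns (forwarded lines or None, audit log)."""
    log: list[str] = []
    return [proxy_command(line, log) for line in lines], log

SAMPLE_SESSION = [             # constructed client input
    b"USER alice\r\n",
    b"pass s3cret\n",          # lower-case verb and bare LF: re-written, password not logged
    b"STOR report.pdf\r\n",    # upload, allowed
    b"RETR payroll.xls\r\n",   # download, refused: a decision an SPF cannot make
    b"DELE old.txt\r\n",       # verb not in the policy, refused
    b"QUIT\r\n",
]
```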

    36. Application proxy weaknesses. Some proxies on an "application proxy" firewall may not be fully application aware. Proxies have to be written securely.

    37. Store and forward proxies. Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document. Can do data filtering. Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail.

    38. Weaknesses. Store and forward proxies tend to be big new programs. Making them your primary connection to the internet is dangerous. These applications don't protect the underlying operating system at all. Caching proxies can require more administrator time and hardware.

    39. Architecture summary. No single architecture is the Holy Grail. A firewall based on anything less than a combination and balance of all 3 architectures is simply inadequate: static packet filter; dynamic packet filter (SPF); circuit / application proxy.

    40. Other considerations: OS hardening; Network Address Translation (NAT); logging.

    41. This slide shows a typical application level only firewall. The firewall software (proxies, packet filtering, etc.) resides on top of a non-secure OS (e.g. SunOS, HP-UX, NT, etc.). All the firewall security then is based on this application level program. If a hacker is able to get through this software or around this software, they have easy access into the OS and can tunnel through the firewall or otherwise disable the firewall. This is a LESS SECURE SOLUTION.

    42. This shows the same as the last slide, but for the CyberGuard Firewall. The CyberGuard firewall also has application level firewall software. However, this resides on top of our B1 (B2 future) OS and networking. Thus, if a hacker is able to penetrate our application level software or get around this software, they run into the MLS capabilities of our B1 OS and networking. They cannot penetrate into the OS to tunnel through or modify the security aspects of the CyberGuard. This is the MOST SECURE SOLUTION!

    43. Network Address Translation (NAT). NAT changes the IP addresses in a packet, so that the address of the client inside never shows up on the internet.

    44. Types of NAT: many IPs inside to many static IPs outside; many IPs inside to many random IPs outside; many IPs inside to one IP address outside; transparent diversion of connections.
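
The "many IPs inside to one IP address outside" case from slide 44, as an added Python model that is not from the deck: outbound flows are re-written to a single public address with a port allocated per flow, and only replies matching a recorded mapping are translated back to the inside host, so the inside address never appears on the outside and unsolicited inbound traffic has nowhere to go. All addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class ManyToOneNAT:
    """Slide 44's 'many IPs inside to one IP address outside': each outbound flow is re-written
    to the firewall's single public address plus a public port of its own, and only replies
    that match a recorded mapping are translated back to the inside host."""
    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        # Sequential allocation keeps the example readable; it is also the kind of detail slide 45
        # warns about, since predictable ports tell outsiders something about inside activity.
        self.next_port = first_port
        self.outbound: dict[tuple[str, int, str, int], int] = {}          # inside flow -> public port
        self.inbound: dict[tuple[int, str, int], tuple[str, int]] = {}    # (public port, peer) -> inside

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:                     # first packet of a new flow
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        inside = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None                                  # no inside host asked for this: dropped
        return replace(pkt, dst=inside[0], dport=inside[1])

def run_scenario() -> dict[str, Optional[Packet]]:
    """Constructed traffic: two inside hosts using the same source port, one reply, one stranger."""
    nat = ManyToOneNAT("198.51.100.1")
    host_a = Packet("10.0.0.11", 51000, "192.0.2.80", 80)
    host_b = Packet("10.0.0.12", 51000, "192.0.2.80", 80)
    out_a, out_b = nat.translate_out(host_a), nat.translate_out(host_b)
    reply_to_a = Packet("192.0.2.80", 80, out_a.src, out_a.sport)      # server answers the public port
    unsolicited = Packet("203.0.113.9", 4444, "198.51.100.1", 22)      # nobody inside opened this
    return {"out_a": out_a, "out_b": out_b,
            "reply_to_a": nat.translate_in(reply_to_a), "unsolicited": nat.translate_in(unsolicited)}
```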

    45. Weaknesses of NAT. Poor NAT implementations can still give out a lot of information about your network. May need a lot of horsepower.

    46. Logging. Pros: very cheap; solves some behavioral problems; logfiles are good. Cons: administrator intensive; doesn't prevent damage; needs a very stable environment to be useful.

    47. Types of logging. Program logging: syslog / NT event log. Sniffers: Argus, Network General, HP OpenView, tcpdump. Router debug mode: a very good tool for tracking across your network.

    48. Firewall deployment checklist. Review corporate security policy requirements. Have a list of what needs to be protected. Have all of the networks configured for the firewall. All rules are in place. Logging is on.

    49. What steps are left? What is the firewall allowing access to? Internal machines receiving data had better be secure. If these services can't be secured, what do you have to lose?

    50. Last checks. Day 0 backups made? Are there any gaps between our corporate security policy and the rules the firewall is enforcing?

    51. Auditing. A firewall works when an audit finds no deviations from policy. Scanning tools are good for auditing conformance to policy, not very good for auditing security.

    52. Sample configurations. Good configurations should: limit denial of service; minimize complexity for inside users; be fully auditable; allow outside to connect to all specific inside permitted resources; allow inside to connect to all specific outside permitted resources; deny outside to connect to all specific inside denied resources; deny inside to connect to all specific outside denied resources.

    53. Thank You