
Firewalls


Presentation Transcript


  1. Firewalls Dustin Pettigrew

  2. Overview • Introduction • Network Protection • Organizational Network Defense • Configuring Firewalls

  3. Introduction • Firewall Basics • Evolution of Firewalls • Firewall Technologies

  4. Origins • The term comes from the physical firewall • Designed to contain or compartmentalize fires • Slows down the spread of a fire • Computing firewalls work a bit differently • They usually try to keep out "external fires" • More like the Great Wall of China • They do also provide internal segmentation and protection

  5. Firewall Basics • Use a set of rules that permit or deny traffic • Rules are stored in tables or Access Control Lists • Main objective is to protect the LAN from outside networks (the Internet) • Can be implemented in software or in hardware

  6. Evolution of Firewalls • First Generation: Packet Filters • Stateless: every packet is judged on its own, with no memory of earlier packets • Only use information in the packet headers • Can filter by protocol, source/destination IP address, port, TCP flags • Inspects the Internet- and Transport-layer headers of the TCP/IP model (IP addresses, protocol number, ports) but nothing above them
  [Diagram: TCP/IP layers Application / Transport / Internet / Network Interface]

  7. Evolution of Firewalls • Second Generation: Circuit-Level Filtering • "Stateful" packet filtering • Tracks each session (a TCP connection, or a pseudo-connection for other protocols) rather than isolated packets • Classifies every packet as part of a new, existing, or invalid transaction • Adds connection-state tracking at the Transport layer on top of the packet-filter checks on the lower layers
  [Diagram: TCP/IP layers Application / Transport / Internet / Network Interface]

  8. Evolution of Firewalls • Third Generation: Application-Level Filtering • Builds on circuit-level filtering • Parses application-specific protocols, checks them for valid data, and still tracks connection state • Most common implementation is the proxy • Addresses all four layers of the TCP/IP model, up to and including the Application layer
  [Diagram: TCP/IP layers Application / Transport / Internet / Network Interface]

  9. Evolution of Firewalls • Fourth Generation: Dynamic Packet Filtering • Creates temporary firewall rules on demand • Typically used for UDP, which has no connection state of its own to track • Per Cisco's description: • Treat the first outbound packet as the start of a "virtual connection" • If a response addressed back to the originator arrives, allow it as part of that connection • Forget the rule once the transaction finishes (in practice, after a timeout) • The rules are short-lived by design
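The three filtering styles on the slides above differ in how they decide whether an inbound packet is a reply. The toy filter below is an example added here, not code from the original deck: it runs a stateless filter (first generation) and a stateful one with temporary UDP "virtual connections" (second and fourth generation) over constructed packets. The LAN range 192.168.1.0/24, the whitelisted SSH server, the 30-second UDP timeout and every address in the demo are assumptions made for the demonstration.

```python
"""Toy packet filter contrasting the generations on the slides above:
stateless header matching (1st), stateful TCP tracking (2nd) and dynamic
virtual connections for UDP (4th). Example code added here, not from the
original deck; the LAN range, the whitelisted SSH service and all packets
are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network
SSH_PORT = 22                                   # assumed whitelisted inbound service


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}, {"ACK"}


def inbound(pkt: Packet) -> bool:
    """True when the packet arrives from outside the LAN."""
    return ipaddress.ip_address(pkt.src) not in LAN


# 1st generation: stateless. Each packet is judged on its headers alone, so
# replies can only be admitted by static guesses ("ACK set" or "source port
# 53"), and anyone who crafts a packet with those headers gets through.
def stateless_allow(pkt: Packet) -> bool:
    if not inbound(pkt):
        return True                                   # LAN may initiate anything
    if pkt.proto == "tcp" and pkt.dport == SSH_PORT:
        return True                                   # whitelisted service
    if pkt.proto == "tcp" and "ACK" in pkt.flags:
        return True                                   # assumed reply to a LAN connection
    if pkt.proto == "udp" and pkt.sport == 53:
        return True                                   # assumed DNS reply
    return False


# 2nd generation for TCP, 4th generation for UDP: a state table decides what
# counts as a reply, and UDP entries are temporary rules that expire.
class StatefulFilter:
    def __init__(self, udp_timeout: float = 30.0):
        self.tcp = set()            # tracked TCP flows as (src, sport, dst, dport)
        self.udp = {}               # UDP virtual connections -> expiry timestamp
        self.udp_timeout = udp_timeout

    def allow(self, pkt: Packet, now: float) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "tcp":
            if key in self.tcp or reverse in self.tcp:
                return True                           # ESTABLISHED: belongs to a tracked flow
            if pkt.flags == frozenset({"SYN"}) and (not inbound(pkt) or pkt.dport == SSH_PORT):
                self.tcp.add(key)                     # NEW: outbound, or to the whitelisted service
                return True
            return False                              # INVALID: e.g. a bare ACK with no flow
        if pkt.proto == "udp":
            if not inbound(pkt):
                self.udp[key] = now + self.udp_timeout    # open a temporary virtual connection
                return True
            if self.udp.get(reverse, -1.0) >= now:
                self.udp[reverse] = now + self.udp_timeout  # reply in time: refresh and allow
                return True
            self.udp.pop(reverse, None)               # expired or never opened: forget and drop
            return False
        return False


def demo() -> dict:
    """Verdicts of both filters on constructed traffic; keys name the case."""
    fw = StatefulFilter(udp_timeout=30.0)
    ack_scan = Packet("tcp", "203.0.113.9", 40000, "192.168.1.6", 445, frozenset({"ACK"}))
    fake_dns = Packet("udp", "203.0.113.9", 53, "192.168.1.6", 1434)
    syn_out = Packet("tcp", "192.168.1.6", 50000, "203.0.113.80", 80, frozenset({"SYN"}))
    syn_ack_in = Packet("tcp", "203.0.113.80", 80, "192.168.1.6", 50000, frozenset({"SYN", "ACK"}))
    query = Packet("udp", "192.168.1.6", 53000, "198.51.100.53", 53)
    reply = Packet("udp", "198.51.100.53", 53, "192.168.1.6", 53000)
    out = {
        "ack_scan_stateless": stateless_allow(ack_scan),   # True: the ACK trick lets it in
        "ack_scan_stateful": fw.allow(ack_scan, now=0.0),  # False: no flow, so INVALID
        "fake_dns_stateless": stateless_allow(fake_dns),   # True: source port 53 is enough
        "fake_dns_stateful": fw.allow(fake_dns, now=0.0),  # False: no matching query
    }
    fw.allow(syn_out, now=1.0)
    out["handshake_reply_stateful"] = fw.allow(syn_ack_in, now=1.1)  # True: reply to tracked SYN
    fw.allow(query, now=2.0)
    out["dns_reply_in_time"] = fw.allow(reply, now=3.0)    # True: within the 30 s window
    out["dns_reply_late"] = fw.allow(reply, now=100.0)     # False: rule already forgotten
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} {'ALLOW' if verdict else 'DROP'}")
```

The two "stateless" cases are the ones a scanner exploits: a bare ACK (Nmap's ACK scan) and a spoofed source port 53 both satisfy the static reply rules, whereas the stateful filter drops them because no flow or virtual connection exists for them. The late DNS reply shows the fourth-generation behaviour of forgetting a dynamic rule once the transaction is over.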

  10. Firewall Technologies • Hardware Firewalls • Most commonly found in network routers • Typically rely on fast packet filtering (often stateless, or a small state table) for quick inspection • Need to be fast on heavily loaded networks • For consumers, the manufacturer defaults generally suffice to protect a small home or business network, provided the default administrator password is changed and remote (WAN-side) administration stays disabled • Can be hardened further to restrict access through the web and command-line interfaces

  11. Firewall Technologies • Software Firewalls • Software installed on a host that implements stateful (circuit-level) filtering • Rely on the processing power of the host • Can analyze the higher protocol layers and provide advanced filtering: block specific applications, restrict resource sharing, web filtering • Can block outbound connections from unapproved programs, which limits the damage from common trojans (they do not detect the malware itself)

  12. Firewall Technologies • Proxies • Extensions of application-level filters • Designed for a specific protocol: HTTP, FTP, SSH, etc. • Provide finer access control and detailed protocol-specific checks on the data • Also act as a "messenger" on behalf of the client: the proxy terminates the client's connection and opens its own connection to the server, so no packet passes straight through

  13. Firewall Technologies • Additional Technologies • Access Control Lists • Define which clients may connect to which servers • Statically defined, manually updated • Network Address Translation • Rewrites the IP (and port) headers of traffic passing through • Hides the private internal addresses from the outside; this is a side effect of address sharing, not a substitute for filtering rules

  14. Network Protection • Filtering is meant to be fast and to work with limited memory • Beyond filtering, we need to detect events that are malicious or undesirable • And to actively stop attacks that are in progress

  15. Intrusion Detection/Prevention Systems • Difference between them: • Intrusion Detection System (IDS): detects and alerts management stations (passive; usually fed a copy of the traffic from a tap or mirror port) • Intrusion Prevention System (IPS): sits inline, logs the alerts, and actively blocks the attack (reactive) • Most products combine both as an IDPS • Firewalls protect from the outside; an IDPS monitors both internal and external traffic

  16. Intrusion Detection/Prevention Systems • Terminology • Alarm: the system has detected a possible attack and alerts the management system • False Positive: normal traffic reported as an attack • False Negative: a real attack that goes undetected • Site Policy: the guidelines that determine the rules and configuration • Confidence Value: a rating, based on past performance, of how reliably the system identifies real attacks

  17. Intrusion Detection/Prevention Systems • Types • Network-based IDPS: a hardware appliance (or dedicated host) monitoring traffic for multiple hosts • Host-based IDPS: software residing on the monitored host • Wireless IPS: same as a NIPS, but for wireless protocols (Bluetooth, 802.11, Infrared, etc.) • Network Behavior Analysis: looks for changes in network flows

  18. Intrusion Detection/Prevention Systems • Detection Methods • Signature-based Detection • Requires a known, previously seen attack • Uses predefined attack patterns, or "signatures" • Anomaly-based Detection • Establishes a norm or baseline for the network • Anything that deviates from the baseline raises an alarm, so the threshold trades false positives against false negatives • Stateful Protocol Analysis • Tracks protocol states and flags activity that violates the protocol specification
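To make the three detection methods on the slide above concrete, here is an example added here (not code from the original deck) that runs a signature matcher, a per-client rate anomaly detector and a simple HTTP protocol analyser over the same constructed web-server log. The log format, the two signatures, the set of valid methods, the baseline counts and the 3-sigma threshold are all assumptions chosen for the demonstration.

```python
"""Three detection methods from the slides above (signature, anomaly and
stateful protocol analysis), each run over the same constructed web-server
log. Example code added here, not from the original deck; the log format,
the signatures, the valid-method set and the baseline counts are assumed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines; format assumed as: <client> "<request line>" <status>
LOG = [
    '203.0.113.5 "GET /index.html HTTP/1.1" 200',
    '203.0.113.5 "GET /images/logo.png HTTP/1.1" 200',
    '203.0.113.5 "GET /docs/cmd.exe-faq.html HTTP/1.1" 200',        # benign, yet matches a signature
    '198.51.100.8 "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404',
    '198.51.100.9 "GIT /index.html HTTP/1.1" 400',                   # not a valid HTTP method
] + [f'192.0.2.77 "GET /page{i}.html HTTP/1.1" 404' for i in range(12)]  # one client hammering the server

REQUEST = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/(\d\.\d)" (\d{3})$')
SIGNATURES = [   # predefined patterns of known attacks (assumed, old IIS-era examples)
    ("cmd.exe invocation", re.compile(r"cmd\.exe", re.I)),
    ("directory traversal", re.compile(r"\.\./|%2e%2e|\.\.%2f", re.I)),
]
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
BASELINE = [3, 2, 4, 3, 2, 3, 4, 3]   # assumed requests-per-client counts from earlier windows


def source(line: str) -> str:
    return line.split(" ", 1)[0]


def signature_detect(lines):
    """Alarm whenever a known pattern appears; the attack must be known in advance."""
    return [(name, source(line)) for line in lines
            for name, pat in SIGNATURES if pat.search(line)]


def anomaly_detect(lines, baseline=BASELINE, k=3.0):
    """Alarm on any client whose request count exceeds baseline mean + k std devs."""
    threshold = mean(baseline) + k * pstdev(baseline)   # 3.0 + 3 * 0.707 = about 5.12
    counts = Counter(source(line) for line in lines)
    return [(src, n) for src, n in counts.items() if n > threshold]


def protocol_detect(lines):
    """Alarm on requests that violate the HTTP grammar the analyser understands."""
    bad = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m.group(2) not in VALID_METHODS or m.group(4) not in ("1.0", "1.1"):
            bad.append(source(line))
    return bad


def demo() -> dict:
    """Run all three detectors over the constructed log."""
    return {
        "signature": signature_detect(LOG),
        "anomaly": anomaly_detect(LOG),
        "protocol": protocol_detect(LOG),
    }


if __name__ == "__main__":
    for method, alarms in demo().items():
        print(f"{method:10} {alarms}")
```

Each method catches something the others miss, and each fails in its own way: the signature matcher flags the traversal attempt but also the harmless FAQ page (a false positive, in the terminology of slide 16) and would say nothing about a brand-new attack; the anomaly detector catches the request flood without any signature, but only because the baseline and the value of k were chosen sensibly; the protocol analyser flags the malformed method without knowing anything about attacks at all.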

  19. Organizational Network Defense • Based on the network topology • Determine which systems are internal and which are public • Use a layered approach: segment the network and group similar systems together • Combine hardware and software firewalls

  20. De-militarized Zone (DMZ) • Also called a perimeter network • Isolated part of the network that is typically publicly accessible • Protects the rest of the internal, private network: a compromised DMZ host still has to get through a firewall to reach it • Services: DNS, web, mail, VoIP

  21. Organizational Network Defense

  22. Firewall Configuration • Protect from the outside, secure the inside • Deny all by default • Whitelist only approved application traffic • Establish rules for dynamic filtering

  23. Firewall Configuration • Process of adding whitelist entries/exceptions • Examine the application's documentation • Determine the appropriate rules (protocol, ports, direction, which hosts) • Observe the application's actual network traffic on a development network to confirm them • Add hardened exceptions to the current rule-set, as narrow as the traffic allows • Verify that the new rules do not open unwanted paths

  24. Firewall Configuration • Adding rules for an FTP server (RFC 959) • Add a rule allowing incoming connections to TCP port 21, the control channel; its return traffic is covered as an established flow • Active mode: the server opens the data connection itself, from port 20 to the client address and port given in the client's PORT command, so that outbound connection must be allowed dynamically • Passive mode: the client connects inbound to the ephemeral port the server announces in its 227 reply, so that port must be opened dynamically as well • Both cases require the firewall to read the control channel: configure the application firewall to block invalid commands, malformed control packets, and PORT commands that point anywhere but the client itself (the FTP bounce attack)

  25. Windows XP Firewall: Nmap scan of the firewalled host. No probe gets a reply, so Nmap reports every port as filtered (the firewall drops silently rather than rejecting), and the scan takes 27 seconds because each probe has to time out:
      Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-11 22:57 Central Daylight Time
      Nmap scan report for 192.168.1.6
      Host is up (0.0010s latency).
      All 1000 scanned ports on 192.168.1.6 are filtered
      MAC Address: 00:11:2F:FB:D1:9D (Asustek Computer)
      Nmap done: 1 IP address (1 host up) scanned in 27.23 seconds

  26. Windows XP Firewall: the same scan with 3389/tcp (Remote Desktop) allowed through the firewall. Nothing is listening there, so the host answers that probe with a TCP RST and Nmap reports the port closed rather than filtered; the other 999 ports are still filtered. "Closed" therefore tells an attacker the firewall lets that port through, which is why exceptions should be added only for services that are actually running:
      Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-11 23:19 Central Daylight Time
      Nmap scan report for 192.168.1.6
      Host is up (0.00089s latency).
      Not shown: 999 filtered ports
      PORT     STATE  SERVICE
      3389/tcp closed ms-term-serv
      MAC Address: 00:11:2F:FB:D1:9D (Asustek Computer)
      Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds

  27. Windows XP Firewall

  28. Windows XP Firewall

  29. Windows XP Firewall

  30. Resources • Wikipedia: Firewall (computing), OSI model, Intrusion detection system, Intrusion prevention system, DMZ (computing), FTP • Cisco: Evolution of the Firewall Industry, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm

  31. Questions/Comments
