
Firewalls : usage






Presentation Transcript


  1. Firewalls : usage
  • Data encryption
  • Access control : usage restriction on some protocols/ports/services
  • Authentication : only authorized users and hosts (machines)
  • Monitoring for further auditing
  • Packet filtering
  • Compliance with the specified protocols
  • Virus detection
  • Isolation of the internal network from the Internet
  • Connection proxies (masking of the internal network)
  • Application proxies (masking of the « real » software)

  2. Firewalls : basics
  • All packets exchanged between the internal and the external domains go through the FW, which acts as a gatekeeper
  • external hosts « see » the FW only
  • internal and external hosts do not communicate directly
  • the FW can take very sophisticated decisions based on the protocol implemented by the messages
  • the FW is the single access point => authentication + monitoring site
  • a set of “flow rules” allows decision taking
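The "flow rules" of slide 2, as an added example that is not part of the presentation: a gatekeeper evaluates an ordered rule set against each packet, the first matching rule decides, anything unmatched is denied, and every decision is logged for later auditing. The address ranges (10.0.0.0/8 as the internal network, 192.0.2.0/24 as the DMZ, 192.0.2.10 as the DMZ web server) and the rules themselves are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None     # destination port, None for portless protocols


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source network, default: any
    dst: str = "0.0.0.0/0"          # destination network, default: any
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed addressing for the example (not from the slides).
INTERNAL = "10.0.0.0/8"
DMZ_WEB = "192.0.2.10/32"

# Ordered flow rules: first match wins; the trailing default is "deny".
RULES: List[Rule] = [
    Rule("allow", dst=DMZ_WEB, proto="tcp", dport=80, comment="public web server in the DMZ"),
    Rule("allow", src=INTERNAL, proto="tcp", dport=80, comment="internal browsing"),
    Rule("allow", src=INTERNAL, proto="tcp", dport=443, comment="internal browsing (TLS)"),
    Rule("deny", dst=INTERNAL, comment="outside hosts never reach the internal network directly"),
]


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for a packet under an ordered rule set."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}: {rule.comment}"
    return "deny", "default policy"          # no rule matched: deny


class Gatekeeper:
    """The single access point: decides on every packet and records the decision."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[Tuple[Packet, str, str]] = []

    def handle(self, pkt: Packet) -> str:
        action, reason = decide(self.rules, pkt)
        self.log.append((pkt, action, reason))   # kept for later auditing
        return action


if __name__ == "__main__":
    gk = Gatekeeper(RULES)
    for p in (Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
              Packet("203.0.113.5", "10.1.2.3", "tcp", 22),
              Packet("10.1.2.3", "198.51.100.7", "tcp", 443),
              Packet("203.0.113.5", "192.0.2.10", "tcp", 23)):
        print(p, "->", gk.handle(p))
    for entry in gk.log:
        print("audit:", entry)
```

The default-deny fallthrough is what makes the rule set a whitelist: an external connection to a DMZ port other than 80 is refused not because a rule names it but because no rule admits it.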

  3. Firewalls : architecture (I)
  Diagram labels (outside to inside): Outside world, Exterior router, DMZ (DeMilitarized Zone) with servers, Interior router, Internal network; the whole is labelled Firewall.

  4. Firewalls : architecture (II) : merging exterior and interior FW
  Diagram labels: Outside world, Exterior/Interior Firewall, DMZ with servers, Internal network.

  5. Firewalls : architecture (III) : merging exterior FW and servers
  Diagram labels: Outside world, External Firewall + servers, DMZ, Internal Firewall, Internal network. Meh…

  6. Firewalls : architecture (IV) : managing multiple subnetworks
  Diagram labels: Outside world, Exterior/Interior Firewall, DMZ with servers, Backbone, Firewall, Internal subnetwork A, Firewall, Internal subnetwork B.

  7. Firewalls : architecture (V) : managing multiple exterior FW
  Diagram labels: Internet, Exterior Firewall A, Sub-DMZ A; E.g. supplier network, Exterior Firewall B, Sub-DMZ B; DMZ with servers, Interior Firewall, Internal network.

  8. Firewalls : architecture (VI) : managing multiple DMZ
  Diagram labels: Internet, Exterior/Interior Firewall A, DMZ A with Servers A; E.g. supplier network, Exterior/Interior Firewall B, DMZ B with Servers B; Internal network.

  9. Firewalls : architecture (VII) : internal FW
  Diagram labels: Outside world, Exterior/Interior Firewall, DMZ with servers, Internal network, Sensitive area Firewall, Sensitive area.

  10. Firewalls : some recommendations
  • Bastion hosts
    • better to put the bastions in a DMZ than in an internal network
    • disable non-required services
    • do not allow user accounts
    • fix all OS bugs
    • safeguard the logs
    • run a security audit
    • do secure backups
  • Avoid putting in the same area entities that have very different security requirements

  11. Using proxies (I)
  • Proxies can be used to « hide » the real servers
  • Interior => Exterior traffic
    • Give the internal user the illusion that she/he accesses the exterior server
    • But intercept the traffic to/from the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
  • Exterior => Interior traffic
    • Give the external user the illusion that she/he accesses the interior server
    • But intercept the traffic to the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests

  12. Using proxies (II)
  • Advantage
    • knowledge of the service/protocol => efficiency and « intelligent » filtering
      • Ex : session tracking, stateful connection
  • Disadvantages
    • one proxy per service !
    • may require modifications of the client
    • do not exist for all services
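The inspection step of an application proxy (slides 11 and 12), as an added example that is not part of the presentation: the proxy understands one service, here HTTP, so it can check that a request complies with the protocol, search the body for keywords, and log what it lets through. The socket forwarding is left out; only the decision logic is shown. The permitted methods, the keyword list and the sample requests are constructed for this example.

```python
import logging
import re
from typing import Iterable, Tuple

log = logging.getLogger("app-proxy")

# Assumptions of this example: what the proxy is willing to relay.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
# Header field names must be RFC 7230 tokens.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def inspect_http_request(raw: bytes, blocked_keywords: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason) for one client request seen by the proxy.

    The proxy only relays requests it fully understands: a well-formed request
    line, well-formed header lines, a Host header for HTTP/1.1, and a body
    that contains none of the blocked keywords.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request: no end of headers"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"

    # Request line: exactly "METHOD SP target SP version".
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method!r} not allowed"
    if version not in ALLOWED_VERSIONS:
        return False, f"unsupported version {version!r}"
    if not (target.startswith("/") or target.startswith("http://")):
        return False, "request target must be an absolute path or http URI"

    # Header lines: "name: value" with a token name; anything else is rejected.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return False, f"malformed header line {line!r}"
        headers[name.lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"

    # Keyword search over the body (case-insensitive).
    lowered = body.lower()
    for kw in blocked_keywords:
        if kw.lower().encode("ascii", "ignore") in lowered:
            return False, f"blocked keyword {kw!r} in body"

    log.info("relaying %s %s", method, target)     # the request log
    return True, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample requests.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        b"FOO /x HTTP/1.1\r\nHost: example.com\r\n\r\n",
        b"GET /x HTTP/1.1\r\nBad header\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: example.com\r\n\r\nplan: SecretProject",
    ]
    for s in samples:
        print(s[:40], "->", inspect_http_request(s, ("secretproject",)))
```

This is the "one proxy per service" cost of slide 12 made concrete: every check above is specific to HTTP, and a proxy for SMTP or FTP would need its own parser and its own notion of compliance.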

  13. Static Network Address Translation (NAT) (I)
  Diagram (from Arkoon Inc. tutorial): a host of the Internal network has address xxx.xxx.xxx.xxx inside and is seen as yyy.yyy.yyy.yyy outside; the FW sits between the two.

  14. Static Network Address Translation (NAT) (II)
  Diagram labels: Internal network, xxx.xxx.xxx.xxx (internal side), yyy.yyy.yyy.yyy (external side).
  • The FW maintains an address translation table
  • The FW transforms address xxx.xxx.xxx.xxx into yyy.yyy.yyy.yyy in the field « source address »
  • The FW transforms address yyy.yyy.yyy.yyy into address xxx.xxx.xxx.xxx in the field « destination address »
  • This operation is transparent for both the exterior and the interior hosts

  15. Applications
  • Non TCP/UDP based protocols
  • Pre-defined partnership addresses
  • Web server, mail… (traffic to Internet)
  • Application server (hidden behind a FW)
  • Host known/authenticated outside with a specific address
  • …
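Static NAT as described on slides 14 and 15, as an added example that is not part of the presentation: a one-to-one translation table, the source address rewritten on the way out, the destination address rewritten on the way in, and nothing else touched. Because only the IP addresses are rewritten, the same code serves a non TCP/UDP protocol (the example uses ICMP) as well as a web server. The addresses in the table are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"      # any IP protocol: static NAT never looks at ports


class StaticNAT:
    """One-to-one address translation table kept by the firewall."""

    def __init__(self, table: Dict[str, str]):
        # internal address -> public address, and the reverse direction
        self.internal_to_public = dict(table)
        self.public_to_internal = {pub: priv for priv, pub in table.items()}
        if len(self.public_to_internal) != len(self.internal_to_public):
            raise ValueError("static NAT requires a one-to-one mapping")

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Interior -> exterior: rewrite the source address field."""
        pub = self.internal_to_public.get(pkt.src)
        if pub is None:
            return None         # unmapped internal host: not translated, dropped here
        return replace(pkt, src=pub)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Exterior -> interior: rewrite the destination address field."""
        priv = self.public_to_internal.get(pkt.dst)
        if priv is None:
            return None         # nobody behind this public address
        return replace(pkt, dst=priv)


def round_trip_is_transparent(nat: StaticNAT, internal_host: str, peer: str, proto: str) -> bool:
    """Send out and receive the reply: the internal host sees its own address unchanged."""
    out = nat.outbound(Packet(internal_host, peer, proto))
    if out is None:
        return False
    reply = nat.inbound(Packet(peer, out.src, proto))   # the peer answers the public address
    return reply is not None and reply.dst == internal_host


# Constructed table: two internal hosts, each with its own public address.
NAT = StaticNAT({"10.0.0.5": "198.51.100.5", "10.0.0.6": "198.51.100.6"})

if __name__ == "__main__":
    print(NAT.outbound(Packet("10.0.0.5", "203.0.113.9", "icmp")))
    print(NAT.inbound(Packet("203.0.113.9", "198.51.100.5", "icmp")))
    print(round_trip_is_transparent(NAT, "10.0.0.6", "203.0.113.9", "icmp"))
```

The one-to-one check in the constructor is the property that distinguishes static NAT from the masking of later slides: every public address stands for exactly one internal host, so an inbound packet can be delivered without any connection state.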

  16. PAT : Port Address Translation (I)
  Diagram (from Arkoon Inc. tutorial): Port 2033 on the outside, Port 80 on the Internal network.

  17. PAT : Port Address Translation (II)
  • Connections are opened from an exterior host
  • Translation table
  • Use of fewer public addresses
  • Flexible management of server ports

  18. PAT : Port Address Translation (III)
  Diagram (from Arkoon Inc. tutorial): user at @IP 'U'; FW at @IP 'P'; on the Internal network, Web server at @IP1 port 80 and Web server at @IP2 port 80.
  Translation Table at @IP « P » :
    port 80 → @IP1 : port 80
    port 81 → @IP2 : port 80
  Exchanges :
    U → P:80 is forwarded as U → IP1:80 ; the reply IP1:80 → U leaves as P:80 → U
    U → P:81 is forwarded as U → IP2:80 ; the reply IP2:80 → U leaves as P:81 → U

  19. Masking (I)
  Diagram (from Arkoon Inc. tutorial): Internal network behind the FW.

  20. Masking (II)
  • Connections are opened by internal hosts
  • Dynamic connection table (IP address + source port number)
  • One single address is known outside (the FW address)
  • Spares public IP addresses

  21. Masking (diagram, from Arkoon Inc. tutorial)
  Labels: user @IP1 and user @IP2 on the Internal network; FW (Arkoon) at @IP 'M'; Web server at @IP 'W'; Web server at @IP 'W2'.
  Exchanges :
    1:1025 -> W is sent as M:10000 -> W ; the reply W -> M:10000 is delivered as W -> 1:1025
    2:1025 -> W is sent as M:10001 -> W ; the reply W -> M:10001 is delivered as W -> 2:1025
    2:1026 -> W2 is sent as M:10000 -> W2 ; the reply W2 -> M:10000 is delivered as W2 -> 2:1026
  Translation table at @IP « M » :
    1:1025 (10000) -> W
    2:1025 (10001) -> W
    2:1026 (10000) -> W2
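The two port-based translations, PAT of slides 17 and 18 and masking of slides 20 and 21, as one added example that is not part of the presentation. Both rewrite an (address, port) pair, so they share one segment type; they differ in who opens the connection and where the table comes from. The static PAT table is the one drawn on slide 18 (FW port 80 → IP1:80, FW port 81 → IP2:80); the masking table is built dynamically and reproduces the port numbers of slide 21, where FW port 10000 is used at the same time for W and for W2 because the table is keyed on the destination as well. The concrete addresses standing in for U, P/M, IP1, IP2, W and W2 are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP/UDP segment reduced to its 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


# Constructed stand-ins for the labels on the slides.
FW = "203.0.113.1"                  # 'P' on slide 18, 'M' on slide 21
EXT_USER = "198.51.100.7"           # 'U'
SERVER1, SERVER2 = "10.0.0.11", "10.0.0.12"   # @IP1, @IP2 (internal web servers)
WEB, WEB2 = "192.0.2.80", "192.0.2.81"        # 'W', 'W2' (external web servers)
HOST1, HOST2 = "10.0.0.1", "10.0.0.2"         # users @IP1, @IP2 on slide 21


class StaticPAT:
    """Inbound PAT: connections are opened from outside; the table is fixed."""

    def __init__(self, fw_addr: str, table: Dict[int, Tuple[str, int]]):
        self.fw = fw_addr
        self.table = dict(table)                       # FW port -> (internal host, port)
        self.reverse = {v: k for k, v in self.table.items()}

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Exterior -> interior: rewrite the destination; unknown FW ports are dropped."""
        if seg.dst != self.fw or seg.dport not in self.table:
            return None
        host, port = self.table[seg.dport]
        return replace(seg, dst=host, dport=port)

    def outbound(self, seg: Segment) -> Optional[Segment]:
        """Reply from an internal server: put the FW address and port back as source."""
        key = (seg.src, seg.sport)
        if key not in self.reverse:
            return None
        return replace(seg, src=self.fw, sport=self.reverse[key])


class Masquerade:
    """Outbound masking: connections are opened from inside; the table is dynamic."""
    FIRST_PORT = 10000

    def __init__(self, fw_addr: str):
        self.fw = fw_addr
        self.forward: Dict[Tuple[str, int, str, int], int] = {}   # 4-tuple -> FW port
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (FW port, dst, dport) -> (src, sport)

    def outbound(self, seg: Segment) -> Segment:
        """Interior -> exterior: allocate a FW port for a new connection, reuse it for an existing one."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key not in self.forward:
            # Lowest FW port not already in use towards this destination.
            # The same port may serve a different destination, as on slide 21.
            port = self.FIRST_PORT
            while (port, seg.dst, seg.dport) in self.reverse:
                port += 1
            self.forward[key] = port
            self.reverse[(port, seg.dst, seg.dport)] = (seg.src, seg.sport)
        return replace(seg, src=self.fw, sport=self.forward[key])

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Exterior -> interior: only replies to recorded connections get through."""
        key = (seg.dport, seg.src, seg.sport)
        if seg.dst != self.fw or key not in self.reverse:
            return None
        src, sport = self.reverse[key]
        return replace(seg, dst=src, dport=sport)


# The translation table of slide 18.
PAT = StaticPAT(FW, {80: (SERVER1, 80), 81: (SERVER2, 80)})


def slide21_table() -> Dict[Tuple[str, int, str, int], int]:
    """Replay the three connections of slide 21 and return the resulting table."""
    m = Masquerade(FW)
    for host, sport, web in ((HOST1, 1025, WEB), (HOST2, 1025, WEB), (HOST2, 1026, WEB2)):
        m.outbound(Segment(host, sport, web, 80))
    return dict(m.forward)


if __name__ == "__main__":
    print(PAT.inbound(Segment(EXT_USER, 40000, FW, 81)))
    print(PAT.outbound(Segment(SERVER2, 80, EXT_USER, 40000)))
    for k, v in slide21_table().items():
        print(f"{k[0]}:{k[1]} ({v}) -> {k[2]}")
```

The asymmetry between the two classes is the point of slides 17 and 20: PAT needs no state because an administrator wrote the table, while masking admits an inbound segment only if an internal host opened the connection first, which is why it both spares public addresses and refuses unsolicited traffic.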
