
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition. Chapter 9 Choosing and Designing Firewalls. Objectives. Explain what firewalls can and cannot do Describe common approaches to packet filtering Establish a set of rules and restrictions for a firewall


Presentation Transcript


  1. Guide to Network Defense and Countermeasures, Second Edition
  Chapter 9: Choosing and Designing Firewalls

  2. Objectives
  • Explain what firewalls can and cannot do
  • Describe common approaches to packet filtering
  • Establish a set of rules and restrictions for a firewall
  • Design common firewall configurations
  • Compare hardware and software firewalls
  Guide to Network Defense and Countermeasures, Second Edition

  3. An Overview of Firewalls
  • Firewall
    • Hardware or software
    • Can be configured to block unauthorized network access
  • Firewalls cannot protect against malicious insiders
    • Who send proprietary information out of the organization
  • Firewalls cannot protect connections that do not go through them

  4. What Firewalls Are
  • Network firewall
    • Combination of multiple software and hardware components
  • Earliest firewalls were packet filters
  • Some firewalls are designed for consumers
    • Norton Personal Firewall
    • ZoneAlarm
    • Sygate Personal Firewall


  6. What Firewalls Are (continued)
  • Rules for blocking traffic are defined case by case
  • Actions include:
    • Allow the traffic
    • Block the traffic
    • Customize access
  • Check Point Next Generation (NG) firewall
    • Designed to protect and monitor large-scale networks
  • Firewall appliances
    • Self-contained hardware devices


  9. What Firewalls Are Not
  • Firewalls are not a standalone solution
    • Cannot protect from internal threats
    • Need strong security policy and employee education
  • Firewalls must be combined with
    • Antivirus software
    • IDS
  • Open Platform for Security (OPSEC)
    • Protocol used by Check Point NG to integrate with other security products

  10. Approaches to Packet Filtering
  • Stateless packet filtering
  • Stateful packet filtering
  • Packet filtering depends on position of components

  11. Stateless Packet Filtering
  • Decides whether to allow or block packets based on information in the protocol headers
  • Filtering based on common IP header features
    • IP address
    • Ports and sockets
    • ACK bits
  • Intruders can get around these defenses
  • Advantage: Inexpensive
  • Disadvantage: Cumbersome to maintain


  13. Stateful Packet Filtering
  • Keeps a record of connections a host computer has made with other computers
  • Maintains a file called a state table containing a record of all current connections
  • Allows incoming packets to pass through only from external hosts already connected
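The contrast between slides 11 and 13 is easiest to see in code. The following is an added example, not from the textbook: a toy filter that applies a stateless "ACK bit must be set" rule to inbound packets, beside a stateful filter that consults a state table populated when an inside host opens a connection. The internal network (10.0.0.0/8), the outside addresses (documentation ranges) and the packets are all constructed.

```python
from dataclasses import dataclass

# The six TCP control flags as bit positions in the header's flags field
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed internal network prefix (assumption for this example)
INTERNAL_PREFIX = "10."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # bitwise OR of FLAGS values


def has(pkt: Packet, name: str) -> bool:
    return bool(pkt.flags & FLAGS[name])


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def stateless_inbound(pkt: Packet) -> str:
    """Stateless rule: outbound traffic is allowed; inbound traffic is allowed
    only if ACK is set, on the assumption that an ACK-bearing packet belongs to
    a connection the inside host started.  The filter has no way to check that
    assumption, because it inspects each packet in isolation."""
    if is_internal(pkt.src):
        return "allow"
    return "allow" if has(pkt, "ACK") else "block"


class StatefulFilter:
    """Stateful filter: inbound packets pass only when the state table shows
    an inside host already talking to that exact outside host and port."""

    def __init__(self):
        # entries: (inside addr, inside port, outside addr, outside port)
        self.state_table = set()

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            # A bare SYN from inside records a new connection
            if has(pkt, "SYN") and not has(pkt, "ACK"):
                self.state_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state_table:
            if has(pkt, "FIN") or has(pkt, "RST"):
                self.state_table.discard(key)  # connection torn down
            return "allow"
        return "block"


def demo() -> dict:
    """Run both filters over the same constructed traffic and collect verdicts."""
    sf = StatefulFilter()
    outbound_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 80, FLAGS["SYN"])
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 51000, FLAGS["SYN"] | FLAGS["ACK"])
    # An inbound packet nobody inside asked for, with the ACK bit set
    unsolicited = Packet("198.51.100.7", 40000, "10.0.0.9", 445, FLAGS["ACK"])

    results = {
        "reply_stateless": stateless_inbound(reply),
        "unsolicited_stateless": stateless_inbound(unsolicited),
    }
    sf.filter(outbound_syn)
    results["reply_stateful"] = sf.filter(reply)
    results["unsolicited_stateful"] = sf.filter(unsolicited)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Both filters admit the legitimate reply to the connection the inside host opened. Only the stateful filter blocks the unsolicited packet, because no state-table entry exists for it; the stateless rule is fooled by the ACK bit alone, which is the weakness slide 11 alludes to.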


  15. Stateful Packet Filtering (continued)
  • Windows Firewall
    • One of the most user-friendly packet filters
    • Improved version of Internet Connection Firewall
    • Can limit the amount of traffic with more precision
    • You can even specify exceptions
    • Advanced tab allows more complex settings


  19. Packet Filtering Depends on Position
  • Type of filtering a device can do depends on
    • Position of the device in the firewall perimeter
    • Other hardware or software
  • Packet filter placement
    • Between the Internet and a host
    • Between a proxy server and the Internet
    • At either end of a DMZ


  22. Creating Rules and Establishing Restrictions
  • Rule base
    • Tells firewalls what to do when a certain kind of traffic attempts to pass
  • Points to consider
    • Base it on the organization's security policy
    • Include a firewall policy
    • Keep it as simple and short as possible
    • Restrict access to ports and subnets on the internal network from the Internet
    • Control Internet services

  23. Base the Rule Base on Your Security Policy
  • When configuring rules, pay attention to
    • Logging and auditing
    • Tracking
    • Filtering
    • Network Address Translation (NAT)
    • Quality of Service (QoS)
    • Desktop security policy
  • Rule base is a practical implementation of the organization's policy

  24. Base the Rule Base on Your Security Policy (continued)
  • Common policies that need to be reflected in the rule base
    • Employees have access to the Internet with restrictions
    • Public can access the company's Web and e-mail servers
    • Only authenticated traffic can access the internal LAN
    • Employees are not allowed to use instant messaging
    • Traffic from the company's ISP should be allowed
    • Block external traffic from instant-messaging software
    • Only the network administrator should be able to access the internal network directly from the Internet

  25. Create a Firewall Policy That Covers Application Traffic
  • Firewall policy
    • Addition to the security policy
    • Describes how the firewall handles application traffic
  • Risk analysis provides a list of applications
    • And associated threats and vulnerabilities
  • General steps to create a firewall policy
    • Identify network applications
    • Determine methods for securing application traffic
      • You must balance security and cost
    • Consider all firewalls in your network


  28. Create a Firewall Policy That Covers Application Traffic (continued)
  • Firewalls enable you to control access to your computer or network
    • By controlling access to particular applications
  • Options for defining rules
    • Allow traffic
    • Block traffic
    • Ask or prompt

  29. Keep the Rule Base Simple
  • Keep the list of rules as short as possible
    • Between 30 and 50 rules
    • The shorter the rule base, the faster the firewall performs
  • Firewalls process rules in a particular order
    • Usually rules are numbered starting at 1 and displayed in a grid
    • Most important rules should be at the top of the list
  • Make the last rule a cleanup rule
    • A catch-all type of rule
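Because rules are processed in order, a rule that sits below a broader rule matching all of the same traffic can never fire, and a rule base without a catch-all at the bottom has no defined default. The following is an added example, not from the textbook: a small linter that checks a rule base for the three properties this slide asks for (short, a cleanup rule last, and no rule shadowed by an earlier one). The Rule layout and the sample rule base are constructed; addresses use documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

MAX_RULES = 50  # upper end of the range the slide recommends


@dataclass(frozen=True)
class Rule:
    number: int
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    proto: str             # "tcp", "udp", "icmp", or "any"
    dport: Optional[int]   # destination port, or None for any port
    action: str            # "allow" or "block"
    comment: str = ""


def _net(spec: str):
    return ip_network("0.0.0.0/0" if spec == "any" else spec)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def is_cleanup(rule: Rule) -> bool:
    return (rule.src == "any" and rule.dst == "any" and rule.proto == "any"
            and rule.dport is None and rule.action == "block")


def lint_rule_base(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the base is clean."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"rule base has {len(rules)} rules; keep it at or below {MAX_RULES}")
    if not rules or not is_cleanup(rules[-1]):
        findings.append("last rule is not a catch-all cleanup rule (any/any/any -> block)")
    # First-match semantics: a rule fully covered by an earlier rule is dead
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append(f"rule {later.number} is shadowed by rule {earlier.number}")
                break
    return findings


# Constructed sample rule base with one deliberate mistake (rule 3)
SAMPLE_RULES = [
    Rule(1, "any", "203.0.113.0/24", "tcp", 80, "allow", "public Web servers in the DMZ"),
    Rule(2, "10.0.0.0/8", "any", "tcp", 80, "allow", "employees browse the Web"),
    Rule(3, "any", "203.0.113.25/32", "tcp", 80, "allow", "never reached: rule 1 already matches"),
    Rule(4, "10.0.0.0/8", "any", "udp", 53, "allow", "internal hosts query DNS"),
    Rule(5, "any", "any", "any", None, "block", "cleanup rule"),
]

if __name__ == "__main__":
    for finding in lint_rule_base(SAMPLE_RULES):
        print(finding)
```

Running the linter on the sample base reports that rule 3 is shadowed by rule 1; either delete rule 3 or move it above rule 1 if it was meant to carry a different action.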


  32. Restrict Subnets, Ports, and Protocols
  • Filtering by IP addresses
    • You can identify traffic by IP address range
    • Most firewalls start by blocking all traffic
    • You need to identify "trusted" networks
    • The firewall should allow traffic from trusted sources


  34. Control Internet Services
  • Web services
    • Employees always want to surf the Internet
  • DNS
    • Resolves fully qualified domain names (FQDNs) to their corresponding IP addresses
    • DNS uses UDP port 53 for name resolution
    • DNS uses TCP port 53 for zone transfers
  • E-mail
    • POP3 and IMAP4
    • SMTP
    • LDAP and HTTP


  38. Control Internet Services (continued)
  • FTP
    • Types of FTP transactions
      • Active FTP
      • Passive FTP
  • Filtering by ports
    • Filters traffic based on TCP or UDP port numbers
    • Can filter a wide variety of information


  41. Control Internet Services (continued)
  • Filtering by ports
    • You can filter out everything but
      • TCP port 80 for Web
      • TCP port 25 for e-mail
      • TCP port 21 for FTP


  45. Control Internet Services (continued)
  • ICMP message type
    • ICMP functions as a housekeeping protocol
    • Helps networks cope with communication problems
    • Attackers can use ICMP packets to crash a computer
  • Filtering by service
    • Firewalls can filter by the name of a service
    • You do not have to specify a port number
    • Firewalls can also filter by the six TCP control flags


  48. Control Internet Services (continued)
  • Filtering by service
    • Firewalls can also filter by the IP options
      • Security
      • Loose source and record routing
      • Strict source and record routing
      • Internet timestamp
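Filtering on IP options means walking the variable-length options area that follows the 20-byte fixed IPv4 header. The following is an added example, not from the textbook: a parser for that area, using the RFC 791 option type codes for the four options the slide names, and a verdict function that drops any packet carrying one of them or a malformed options list. The `build_header` helper and its addresses are constructed test data; the checksum is left at zero because this example does not validate it.

```python
import struct
from typing import List, Tuple

# IPv4 option type bytes from RFC 791 (copied flag and class bits included)
OPTION_NAMES = {
    0: "end-of-options",
    1: "no-operation",
    7: "record-route",
    68: "internet-timestamp",
    130: "security",
    131: "loose-source-and-record-route",
    137: "strict-source-and-record-route",
}

# The four options the slide lists as filterable; a sender that dictates the
# route its packets take can steer them around position-based filtering
BLOCKED_OPTIONS = {
    "security",
    "loose-source-and-record-route",
    "strict-source-and-record-route",
    "internet-timestamp",
}


def parse_ipv4_options(header: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, data) pairs for each option in an IPv4 header.
    Raises ValueError when the header or an option length is inconsistent."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hlen = ihl * 4
    if len(header) < hlen:
        raise ValueError("header shorter than its IHL field claims")
    options, i = [], 20
    while i < hlen:
        otype = header[i]
        if otype == 0:                      # end of options; rest is padding
            options.append(("end-of-options", b""))
            break
        if otype == 1:                      # single-byte no-op
            options.append(("no-operation", b""))
            i += 1
            continue
        if i + 1 >= hlen:
            raise ValueError("option type byte without a length byte")
        olen = header[i + 1]
        if olen < 2 or i + olen > hlen:
            raise ValueError(f"bad option length {olen} for type {otype}")
        name = OPTION_NAMES.get(otype, f"type-{otype}")
        options.append((name, header[i + 2:i + olen]))
        i += olen
    return options


def option_verdict(header: bytes) -> str:
    """'allow' unless the header carries a blocked option or cannot be parsed."""
    try:
        names = {name for name, _ in parse_ipv4_options(header)}
    except ValueError:
        return "block"  # malformed headers are dropped, not guessed at
    return "block" if names & BLOCKED_OPTIONS else "allow"


def build_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header 10.0.0.5 -> 203.0.113.10, TCP, options padded to 32 bits."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, 20 + len(padded), 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    return fixed + padded


# LSRR option: type 131, length 7, pointer 4, one route entry (constructed)
LSRR_OPTION = bytes([131, 7, 4]) + bytes([198, 51, 100, 7])

if __name__ == "__main__":
    print("plain header :", option_verdict(build_header()))
    print("LSRR header  :", option_verdict(build_header(LSRR_OPTION)))
```

The length checks matter as much as the type lookup: an option whose declared length runs past the header end is the kind of input a filter must refuse rather than read past, so it falls into the same block verdict.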

  49. Control Internet Services (continued)
  • Filtering by service
    • Rules should follow a few general practices
      • A firewall with a "Deny All" security policy should start from a clean slate
      • Nobody can connect to the firewall except the administrator
      • Block direct access from the Internet to any computer behind the firewall
      • Permit access to public services in the DMZ
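The practices on this slide, together with the service-name and port filtering of slides 32 through 45, can be turned into a concrete rule base and checked against sample traffic. The following is an added example, not from the textbook: a service table that maps names to protocol and port (so rules never spell out port numbers), a first-match evaluator, and a "Deny All" rule base that admits only the administrator to the firewall, publishes the DMZ services, restricts DNS zone transfers (TCP 53) to one secondary server, lets employees out, and ends with a cleanup rule. The address plan, the SSH management service on the firewall and the secondary DNS server are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service table: name -> (protocol, port).  For ICMP the second value is the
# message type (8 = echo request) rather than a port.
SERVICES = {
    "http": ("tcp", 80),
    "smtp": ("tcp", 25),
    "ftp-control": ("tcp", 21),
    "dns": ("udp", 53),
    "dns-zone-transfer": ("tcp", 53),
    "ssh": ("tcp", 22),
    "ping": ("icmp", 8),
}

# Constructed address plan (documentation ranges, not real hosts)
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
ADMIN_HOST = "10.0.0.2/32"
FIREWALL = "203.0.113.1/32"
DMZ_WEB = "203.0.113.10/32"
DMZ_MAIL = "203.0.113.25/32"
DMZ_DNS = "203.0.113.53/32"
SECONDARY_DNS = "198.51.100.53/32"   # the ISP's secondary name server (assumed)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: Optional[str]   # key in SERVICES, or None for any service
    action: str              # "allow" or "block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int               # TCP/UDP destination port, or ICMP type


def matches(rule: Rule, pkt: Packet) -> bool:
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.service is None:
        return True
    proto, port = SERVICES[rule.service]
    return pkt.proto == proto and pkt.dport == port


RULE_BASE: List[Rule] = [
    # 1-2: nobody reaches the firewall itself except the administrator
    Rule(ADMIN_HOST, FIREWALL, "ssh", "allow"),
    Rule(ANY, FIREWALL, None, "block"),
    # 3-6: public services in the DMZ; zone transfers only from the secondary
    Rule(ANY, DMZ_WEB, "http", "allow"),
    Rule(ANY, DMZ_MAIL, "smtp", "allow"),
    Rule(ANY, DMZ_DNS, "dns", "allow"),
    Rule(SECONDARY_DNS, DMZ_DNS, "dns-zone-transfer", "allow"),
    # 7-8: employees may browse and ping outward
    Rule(INTERNAL, ANY, "http", "allow"),
    Rule(INTERNAL, ANY, "ping", "allow"),
    # 9: no direct access from the Internet to anything behind the firewall
    Rule(ANY, INTERNAL, None, "block"),
    # 10: cleanup rule, the "Deny All" default
    Rule(ANY, ANY, None, "block"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULE_BASE) -> Tuple[str, int]:
    """First-match evaluation; returns (action, 1-based number of the rule that fired)."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    raise ValueError("rule base has no cleanup rule")


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 80),
                Packet("198.51.100.7", "203.0.113.53", "tcp", 53),
                Packet("198.51.100.7", "10.0.0.9", "tcp", 445)):
        print(pkt, "->", evaluate(pkt))
```

Note how the order carries the policy: the block on the firewall address (rule 2) comes before the employee allow rules, so an inside host cannot browse to the firewall either, and the unrestricted block toward the internal network (rule 9) sits below the DMZ allows but above the cleanup rule, so the log shows which policy statement rejected a packet rather than only "cleanup".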
