Firewalls - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Firewalls' - leonora
Presentation Transcript

Firewalls

PROTECTING YOUR COMPUTER NETWORK

By Ford Levy

What we will cover
  • Who Needs a Firewall
  • Network Basics
  • Firewall Basics
  • Establishing Rules
  • Firewall Solutions
  • Sources for more information
Does Security Matter?

Would you care if someone could:

  • Crash your computer every 5 minutes?
  • Erase or change your client data
  • Steal proprietary information
  • Reconfigure your Server
  • Transfer your company’s bank balance via EFTPS to ENRON’s payroll account.
Does Your Business Need…
  • Theft or disclosure of internal data
  • Unauthorized access to internal hosts
  • Interception or alteration of data
  • Vandalism & denial of service
  • Wasted employee time
  • Access to Martha Stewart’s Broker
Does Security Matter at Your Company?

Do You Have…

  • Computers
  • A Network
  • Access to the Internet
  • Shared Files and Peripherals
  • Files you do not want to lose
  • Programs you do not want tampered with
  • Artwork to Ship to New Hampshire
Is it an Issue on Your System?
  • Protocol design? (Nah, that’s an application problem)
  • Application design? (We plan to add that in the future...)
  • Application deployment? (Let’s get it running first)
  • System administration? (I’m putting out fires every day!)

Some systems and/or protocols are designed with security in mind from the beginning -- maybe even as their primary design goal. But for most? The story’s the same…

The Focus is on System Operation, not Security

System Vulnerabilities
  • Almost all vulnerabilities come from bugs in the implementation of, or misconfigurations of, the OS and/or apps
  • Rarely, a problem with a protocol itself
  • Vulnerabilities can lead to:
    • Unauthorized access: attacker gains control of the victim’s machine (attacker can log in, read files, and/or make changes to the system)
    • Denial of Service against host (attacker can crash the computer, disable services, etc.)
    • Denial of Service against network (attack can disrupt routing, flood the network, etc.)
System Vulnerabilities

MS WINDOWS – A MAJOR CULPRIT

NT, XP, 2000, MILLENNIUM

What About Linux?

Who is the enemy?
  • The Troubled Genius
    • Has a deep understanding of systems
    • Capable of finding obscure vulnerabilities in OS’s, apps, and protocols, and exploiting them
    • Extremely skilled at evading countermeasures
    • Can dynamically adapt to new environments
  • The Idiot
    • Little or no true understanding of systems
    • Blindly downloads & runs code written by T.G.
    • Can usually be stopped by calling his mother

Who do you think causes more damage?

The IDIOT!!!
  • The idiots collectively cause more damage because there are a vast number of them
  • Every security incident analyzed at NIH was the work of an idiot
  • Every time smart hackers find a new security hole, they make it public -- they have a publish or perish “ethic”
  • Each time, hordes of idiots pounce on it and break into every system they can find
  • Purchases used shredders from Arthur Andersen on Ebay
What a Firewall Can’t Protect You From
  • Inside Attack
  • Social Engineering
  • Viruses and Trojan Horses
  • Poorly Trained firewall administrators
  • Most of the shows on the Fox News Channel
TCP/IP – MAKING THE INTERNET HAPPEN
  • Transmission Control Protocol/Internet Protocol
  • A Suite of Protocols or Rules for Communicating (language)
  • Defines Standards for Communicating on the Internet
  • Four Layers
    • Network Interface Layer
    • Internet Layer
    • Transport Layer
    • Application Layer
PACKET FENCES

Internet Communication uses Packets

Data broken up into small Packets

Prevents single user from capturing bandwidth and bogging down internet

IP labels each packet with unique internet destination address

TCP assigns sequence number to each so destination can reconstruct

Connecting to the Internet

Dial-up modem (slow but no permanent connection)

ISDN (faster with no permanent connection)

DSL (fast with permanent connection)

Cable Modem (fast but bandwidth limits. Permanent connection)

T1/T3 (very fast with permanent connection)

Wireless (comparable to DSL. May be permanent)

Connecting to the Internet

Network Router

Transfers network packets between two different networks

Securing your system the quick & easy way

It’s easy to run a secure computer system. You just have to disconnect all dial-up (and DSL) connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, fire all employees and post a guard at the door.

F.T. Grampp and R.H. Morris

The never-ending game

1. New bugs are found; exploits are published

2. Hordes of idiots cause damage using those exploits

3. Vendors are pressured to come out with fixes

4. Users install the fixes (sometimes? rarely?)

5. Go to step 1.

The big questions are:

1. How can we protect a large site? (The site is only as strong as its most poorly administered machine.)

2. How can we pro-actively protect against attacks that we have never seen before, to avoid Step 2 damage?

Firewalls (not as good as a guard but…)
  • Routers: easy to say “allow everything but…”
  • Firewalls: easy to say “allow nothing but…”
  • This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks
  • Note: the only difference between a router and a firewall is the design philosophy; do we prioritize security, or Connectivity/performance?
Typical firewall setup

[Diagram: Evil Internet -- firewall -- DMZ -- internal network. Diagram courtesy of CheckPoint Software Tech, www.checkpoint.com]

Inter-department firewall setup

[Diagram: Department A and Department B separated by an internal firewall, with an optional DMZ between them]

Okay, So what is it?
  • A firewall is a system of components of hardware, software or both designed to control access between our network and an external network or Internet
  • A firewall system can be a router, a personal computer, a host, or multi-host
  • What the investors of WorldCom want to throw Bernard Ebbers through
Really, What Is It!
  • Logically, a firewall is a separator, a restrictor, an analyzer
  • Physically, the implementation of a firewall varies from site to site
  • The best implementations occur during network design, not after
How About Common Features
  • Block incoming network traffic based on source or destination (most common)
  • Block outgoing network traffic based on source or destination
  • Block network traffic based on content (screening)
  • Make internal resources available
  • Allow connections to internal network (VPNs)
  • Report on network traffic and firewall activities
Why Do We Need It?
  • A firewall is a line of defense for your Internet connection

a. Protection

-- A firewall can filter insecure services, which reduces the risks to the site from the Internet

-- It will pass only selected protocols

Say What?

b. Controlling Access

-- Can block every way into a system that does not require an account name and password

-- Reduces the number of accounts that can be accessed from the outside

-- Keeps attackers out of the network

Firewall Uses

c. Monitoring and logging

-- Logging what happens at the firewall is important

-- Logs can help us analyze a possible security breach later

-- Logs give feedback on the performance and the actual filtering done by the firewall

One Size Does Not Fit All
  • Personal firewall
  • Departmental or small organization firewall
  • Enterprise firewall
How Does It Work?
  • Packet filtering

-- Packet filtering systems route packets between internal and external hosts, but they do it selectively.

-- Usually the router checks the information in every packet’s header:
    • source IP address
    • destination IP address
    • IP protocol ID
    • TCP or UDP port number
    • ICMP message type

-- It is the only protecting system: if its security fails, the internal network is exposed.

How Does It Work?
  • Proxy services (or application proxy)

-- It is a software solution

-- These programs take users’ requests for Internet services and forward them to the actual services

  • Proxy services (PS) vs Packet filtering (PF)

-- A PF inspects only the packet header; a PS scans the entire data in the packet

-- A PF passes an allowed packet through from the internal network; a PS regenerates an allowed packet, which is then sent from the firewall to the server on the Internet

How Does It Work?
  • Network Address Translation (NAT)

-- Outside world sees only one or more outside IP addresses of the firewall. Internal network uses different IP addresses.


Establishing Rules

  • Creating an Internet Acceptable Use Policy
  • Creating a Security Policy
  • Using the Policy to Configure your Firewall
    • Allow-all
    • Deny-all
    • Combination of both

Strategies, Policies and Rules

Internet Use and Security Policy

Internet Acceptable Use:

  • Define all available services
  • Determine who can access the internet
  • Define ownership of resources
  • Establish the responsibility of employees
  • Define all unauthorized use of the Internet
  • Define what e-mail purposes are expressly disallowed
  • Define disallowed protocols for internet use
  • Define disallowed web content
  • Define disallowed file-type downloads
  • Define disallowed web addresses and actions

Strategies, Policies and Rules

Internet Use and Security Policy

Security:

  • Establish a project team to develop the security policy
  • Identify what resources require protection
  • Identify what potential risks exist for each resource
  • Decide the probability of each risk coming to fruition
  • Create mitigation plans that address each risk

Sample Policy in Use
  • Deny network traffic on all IP ports
  • Except, allow network traffic on port 80 (HTTP)
  • Except, from all HTTP traffic, deny HTTP video content
  • Except, allow HTTP video content for members of the Education Center
  • Except, deny members of the Education Center from downloading HTTP video content at night and on weekends.
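To show how this exception chain behaves once it becomes a first-match rule table, here is an added example (not from the deck) of a toy packet filter in Python. It checks the header fields named under "Packet filtering" (source address, protocol, port) plus a content tag a screening proxy would supply; the Education Center subnet 10.20.0.0/24, the 19:00 to 07:00 "night" window and the sample addresses are assumptions.

```python
# Toy first-match packet filter for the deck's "Sample Policy in Use".
# Constructed example; the Education Center subnet and the "night" hours are
# assumptions, not from the deck.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

EDUCATION_CENTER = ip_network("10.20.0.0/24")   # assumed Education Center subnet
NIGHT_HOURS = set(range(0, 7)) | set(range(19, 24))  # assumed: 19:00-07:00 is "night"

@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects, plus a content tag a screening proxy would add."""
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    dport: int         # destination port (0 for icmp)
    when: str          # ISO timestamp, e.g. "2024-06-03T12:00"
    content: str = ""  # e.g. "video", as tagged by a screening proxy

def is_education(p): return ip_address(p.src) in EDUCATION_CENTER
def is_http(p): return p.proto == "tcp" and p.dport == 80
def is_video(p): return is_http(p) and p.content == "video"
def is_off_hours(p):
    t = datetime.fromisoformat(p.when)
    return t.weekday() >= 5 or t.hour in NIGHT_HOURS   # Sat/Sun or night

# The deck states the policy general-to-specific ("deny all... except allow
# HTTP... except deny video..."). A first-match filter needs the reverse order:
# the most specific exception first, the catch-all deny last.
RULES = [
    ("deny",  lambda p: is_video(p) and is_education(p) and is_off_hours(p), "edu video off-hours"),
    ("allow", lambda p: is_video(p) and is_education(p), "edu video"),
    ("deny",  lambda p: is_video(p), "http video"),
    ("allow", lambda p: is_http(p), "http"),
    ("deny",  lambda p: True, "default deny"),
]

def evaluate(packet, rules=RULES):
    """Return (action, rule_name) from the first rule whose predicate matches."""
    for action, match, name in rules:
        if match(packet):
            return action, name
    raise ValueError("rule table must end with a catch-all rule")

if __name__ == "__main__":
    edu = Packet("10.20.0.5", "203.0.113.10", "tcp", 80, "2024-06-08T22:00", "video")
    print(evaluate(edu))  # ('deny', 'edu video off-hours')
```

Reordering any two rules changes the outcome for some packet, which is why the deck's "allow nothing but…" philosophy still needs the exceptions written most-specific-first.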
Solutions Disguised as Software

Windows as a firewall

A Personal Firewall

Enterprise Firewalls

BUT…
  • No stateful packet filters
  • No application proxies
  • No monitoring or logging
  • No firewall mindset
Dangers of Older Windows OS

Win 95, 98 and ME

  • File and Printer sharing:
    • Easy to misuse for remote administration
    • Should disable the sharing component for the dial-up adapter (unbinding)
  • PPTP Client:
    • All Windows OS products support VPN
    • Requires closer monitoring of those computers
    • PPTP replaced by L2TP on Windows 2000 and XP
The Latest Windows Networking System

Windows 2000

  • Better packet filtering capabilities
    • TCP/IP Filtering in the Network Control Panel Console
    • Input filters and output filters per network interface
    • Input filters and output filters per remote access policy
    • Block and permit filters in an IPSec policy
  • More flexible NAT implementation
    • Simplified version from Windows 98SE
    • More configurable version that can be installed in the Routing and Remote Access console
The Latest Windows Networking System

Windows 2000

  • Support for L2TP VPN Protocol
    • Considered more secure than PPTP
  • Support for IPSec encrypted traffic
Personal Firewalls

BlackICE

  • $40 for a single user
  • Focuses on intrusion detection rather than blocking outgoing traffic
  • Four predefined protection levels (paranoid, nervous, cautious and trusting)
  • Two packet filtering levels (IDS and Firewall)
  • Intrusion alert can vary from an icon indication to information collection to complete blockage
  • Works on any Windows OS from 95 up

ZoneAlarm

  • Free for a single computer
  • Provides three security levels
  • Two network zones (local and internet)
  • Trusted Application list created via Program Alerts
  • Lock option to block internet activity after a specified period of inactivity
  • Works on any Windows OS from 95 on up

What’s a Firewall Appliance?
  • No moving parts, no hard drive, no boot-up and no crashing (hopefully)
  • Can be placed between network and internet or within a network structure (departmentalized)
  • Replaces software firewalls (with exceptions)
  • Turn-key approach
What’s Available

At the Enterprise Level

TOP MODELS INCLUDE:

Lucent’s - VPN Gateway V2.0

Radguard Inc’s - clPro-HQ

Sonic Systems Inc’s - SonicWALL PRO

WatchGuard Technologies Inc’s - WatchGuard LiveSecurity System

What’s Available

At the Home Office/Small Office Level

TOP MODELS INCLUDE:

Sonic Systems Inc’s - SonicWALL Soho2

WatchGuard Technologies Inc’s – Watchguard SOHO/tc

Summary

Firewalls are not a complete security solution. Certain threats (such as malicious insiders, completely new threats, or new viruses) are outside the control of the firewall. You need to find other ways to protect against these threats. But firewalls offer excellent protection against network threats.

Firewalls only work within a complete system of security where policies have been defined and implemented throughout the enterprise, regardless of size.

More Information

Sites to Visit:

  • The SANS Institute
  • CERT/CC
  • Microsoft Security
  • ICSA Labs
  • InfoSysSec Security Patrol
  • SecurityFocus.com
  • Firewallguide.com