Firewall Configuration Strategies
Chapter 3. Learning objectives: set up firewall rules that reflect an organization’s overall security approach; understand the goals that underlie a firewall’s configuration; identify and implement different firewall configuration strategies.

Presentation Transcript
Learning Objectives
  • Set up firewall rules that reflect an organization’s overall security approach
  • Understand the goals that underlie a firewall’s configuration
  • Identify and implement different firewall configuration strategies
  • Employ methods of adding functionality to your firewall
Establishing Rules and Restrictions for Your Firewall
  • Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
  • All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File
  • Establishes the order in which the firewall evaluates its rules
  • Tells the firewall which packets should be blocked and which should be allowed
  • Requirements
    • Need for scalability
    • Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls
  • Block all access by default; permit only specific types of traffic to pass through
Strategies for Implementing a Security Policy
  • Follow the concept of least privilege
  • Spell out services that employees cannot use
  • Use and maintain passwords
  • Choose an approach
    • Open
    • Optimistic
    • Cautious
    • Strict
    • Paranoid
Connectivity-Based Firewalls
  • Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic
Overview to Firewall Configuration Strategies
  • Criteria
    • Scalable
    • Take communication needs of individual employees into account
    • Deal with IP address needs of the organization
Scalability
  • Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity
  • The stronger and more elaborate the firewall, the slower the data transmissions
  • Important features of firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues
  • If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
  • If you mix public and private addresses, how will Web server and DNS servers communicate?
  • Let the proxy server do the IP forwarding (it’s the security device)
Firewall Configuration Strategies
  • Settle on general approaches; establish rules for them
  • Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules
  • Use security components to defend against common attacks
Screening Router
  • Filters traffic passing between one network and another
  • Simple, minimally secure
  • Two interfaces—external and internal—each with its own unique IP address
  • Performs IP forwarding, based on an access control list (ACL)
Dual-Homed Host
  • A workstation with an internal interface and an external interface to the Internet
  • Disadvantage
    • Host serves as a single point of entry to the organization
Screened Host
  • Similar to dual-homed host, but the host is dedicated to performing security functions
  • Sits exposed on the perimeter of the network rather than behind the firewall
  • Requires two network connections
  • Also called a dual-homed gateway or bastion host
Two Routers, One Firewall
  • Router positioned on the outside
    • Performs initial, static packet filtering
  • Router positioned just inside the network
    • Routes traffic to appropriate computers in the LAN being protected
    • Can do stateful packet filtering
DMZ Screened Subnet
  • Screened subnet
    • Network exposed to external network, but partially protected by a firewall
  • Three-pronged firewall
    • Three network interfaces connect it to:
      • External network
      • DMZ
      • Protected LAN
  • Service network
    • Screened subnet that contains an organization’s publicly accessible servers
Three-Pronged Firewall with Only One Firewall
  • Advantages
    • Simplification
    • Lower cost
  • Disadvantages
    • Complexity
    • Vulnerability
    • Performance
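The restrictive and connectivity-based approaches above, applied to the three-pronged layout (external network, DMZ or service network, protected LAN), as an added example that is not part of the slides: a small first-match rule evaluator in which the rules file order and the default policy decide what happens to a packet. Zone names, services and ports are constructed for illustration.

```python
# Added example, not from the slides: a first-match rule evaluator for a
# three-pronged firewall joining the external network ("ext"), the DMZ or
# service network ("dmz") and the protected LAN ("lan"); zones/ports are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_zone: str   # interface zone the packet arrived on
    dst_zone: str   # interface zone it would be forwarded to
    proto: str      # "tcp" or "udp"
    dport: int      # destination port

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "drop"
    src_zone: Optional[str] = None   # None matches anything
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = (self.src_zone, self.dst_zone, self.proto, self.dport)
        actual = (p.src_zone, p.dst_zone, p.proto, p.dport)
        return all(w is None or w == a for w, a in zip(wanted, actual))

def decide(rules, p: Packet, default: str) -> str:
    """Rules-file semantics: first matching rule wins, else the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Restrictive: deny by default, permit only what the DMZ exposes and the
# directions the LAN is allowed to initiate.
RESTRICTIVE = [
    Rule("allow", "ext", "dmz", "tcp", 80),   # public web server in the DMZ
    Rule("allow", "ext", "dmz", "tcp", 25),   # inbound mail to the DMZ relay
    Rule("allow", "ext", "dmz", "udp", 53),   # public DNS served from the DMZ
    Rule("allow", "lan", "dmz"),              # LAN may reach the service network
    Rule("allow", "lan", "ext"),              # LAN may reach the Internet
]
# Connectivity-based: allow by default, block only specific flows.
CONNECTIVITY = [
    Rule("drop", "ext", "lan"),               # outside never reaches the LAN directly
    Rule("drop", "dmz", "lan"),               # DMZ hosts cannot initiate into the LAN
]
def restrictive(p: Packet) -> str:
    return decide(RESTRICTIVE, p, default="drop")
def connectivity_based(p: Packet) -> str:
    return decide(CONNECTIVITY, p, default="allow")
```

Note that the restrictive set needs a rule for every permitted service while the connectivity-based set stays short, which is exactly the trade-off the slides describe; an unlisted port is dropped under the first policy and allowed under the second.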
Common Service Network Systems
  • Those that contain Web and mail servers
  • Those that contain DNS servers
  • Those that contain tunneling servers
Multiple-Firewall DMZs
  • Achieve the most effective Defense in Depth
  • Help achieve load distribution
  • Added security offsets slowdown in performance
  • Two or more firewalls can be used to protect
    • Internal network
    • One DMZ
    • Two DMZs
    • Branch offices that need to connect to main office’s internal network
Two Firewalls, One DMZ
  • Two firewalls used to set up three separate networks (tri-homed firewall)
    • Internal protected network (behind DMZ)
    • External private network or service network (within DMZ)
    • External network (outside DMZ)
  • Advantage
    • Enables control of traffic in the three networks
Two Firewalls, Two DMZs
  • Setting up separate DMZs for different parts of the organization helps balance the traffic load between them
Reverse Firewalls
  • Inspect and monitor traffic going out of a network rather than trying to block what’s coming in
  • Help block Distributed Denial of Service (DDoS) attacks
Specialty Firewalls
  • Protect specific types of network communications (e.g., e-mail, instant messaging)
  • Examples
    • Mail Marshal and WebMarshal by Marshal Software
    • OpenReach includes a small-scale packet-filtering firewall for its VPN
    • VOISS Proxy Firewall (VF-1) by VocalData
    • Speedware Corporation sells its own firewall software
Approaches That Add Functionality to a Firewall
  • Network Address Translation (NAT)
  • Encryption
  • Application proxies
  • VPNs
  • Intrusion detection systems (IDSs)
NAT
  • Converts publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
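The address shielding described above, as an added example that is not from the slides: a minimal port-overloading NAT table in which every outbound flow from a private host leaves with the firewall's single public address, and only replies to an existing mapping are forwarded back inside. Addresses and ports are constructed for illustration, and mappings are keyed on the private source only, for simplicity.

```python
# Added example, not from the slides: a minimal port-overloading NAT table
# showing how outbound packets from private hosts leave with the firewall's
# single public address and how replies are mapped back to the originating
# host. Addresses and ports are constructed (203.0.113.0/24 is a documentation range).
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"

class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port) -> public_port
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public_port -> (private_ip, private_port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite the source of an outbound packet to the public address
        and a firewall-chosen port; reuse the mapping for an existing flow."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply arriving on the public address back to the private host.
        None means no outbound session created the port, so an unsolicited
        inbound packet has nowhere to go and is dropped: internal addresses
        are never exposed and cannot be reached unless they initiated the flow."""
        return self.inbound.get(dst_port)
```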
Encryption
  • Takes a request, turns it into unreadable ciphertext using a private key; exchanges the public key with the recipient firewall or router
  • Recipient decrypts the message and presents it to the end user in understandable form
Application Proxies
  • Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)
  • Can be set up with either a dual-homed host or a screened host system
Application Proxies
  • Dual-homed setup
    • Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
  • Screened subnet system
    • Host that holds proxy server software has a single network interface
    • Packet filters on either side of the host filter out all traffic except that destined for proxy server software
VPNs
  • Connect internal hosts with specific clients in other organizations
  • Connections are encrypted and limited only to machines with specific IP addresses
  • VPN gateway can:
    • Go on a DMZ
    • Bypass the firewall and connect directly to the internal LAN
Intrusion Detection Systems
  • Can be installed in external and/or internal routers at the perimeter of the network
  • Built into many popular firewall packages
Chapter Summary
  • How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components
  • Rules and restrictions that influence configuration of a security perimeter
  • Security configurations that either perform firewall functions or that use firewalls to create protected areas