Firewalls : usage - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Firewalls : usage' - ron

Presentation Transcript
Firewalls : usage
  • Data encryption
  • Access control : usage restriction on some protocols/ports/services
  • Authentication : only authorized users and hosts (machines)
  • Monitoring for further auditing
  • Packet filtering
  • Compliance with the specified protocols
  • Virus detection
  • Isolation of the internal network from the Internet
  • Connection proxies (masking of the internal network)
  • Application proxies (masking of the « real » software)
Firewalls : basics
  • All packets exchanged between the internal and the external domains go through the FW that acts as a gatekeeper
    • external hosts « see » the FW only
    • internal and external hosts do not communicate directly
    • the FW can make very sophisticated decisions based on the protocol implemented by the messages
    • the FW is the single access point => authentication + monitoring site
    • a set of “flow rules” drives the decision making
Firewalls : architecture (I)
[Figure: outside world | exterior router | DMZ (DeMilitarized Zone) hosting the servers | interior router | internal network. The exterior router, the DMZ and the interior router together are labelled "Firewall".]
Firewalls : architecture (II) : merging exterior and interior FW
[Figure: outside world | single exterior/interior firewall | internal network; the servers sit in a DMZ attached to that firewall.]
Firewalls : architecture (III) : merging exterior FW and servers
[Figure: outside world | external firewall + servers (the DMZ) | internal firewall | internal network. The author's verdict on this layout: « Bof… » ("Meh…").]
Firewalls : architecture (IV) : managing multiple subnetworks
[Figure: outside world | exterior/interior firewall with a DMZ hosting the servers | backbone; internal subnetwork A and internal subnetwork B each hang off the backbone behind their own firewall.]
Firewalls : architecture (V) : managing multiple exterior FW
[Figure: the Internet enters through exterior firewall A into sub-DMZ A; an e.g. supplier network enters through exterior firewall B into sub-DMZ B; both sub-DMZs join the DMZ hosting the servers, which the interior firewall separates from the internal network.]
Firewalls : architecture (VI) : managing multiple DMZ
[Figure: the Internet enters through exterior/interior firewall A, which fronts DMZ A (servers A); an e.g. supplier network enters through exterior/interior firewall B, which fronts DMZ B (servers B); both firewalls also connect to the internal network.]
Firewalls : architecture (VII) : internal FW
[Figure: outside world | exterior/interior firewall with a DMZ hosting the servers | internal network; inside the internal network, two sensitive areas each sit behind their own internal firewall.]
Firewalls : some recommendations
  • Bastion hosts
    • better to put the bastions in a DMZ than in an internal network
    • disable non-required services
    • do not allow user accounts
    • fix all OS bugs
    • safeguard the logs
    • run a security audit
    • do secure backups
  • Avoid putting entities with very different security requirements in the same area
Using proxies (I)
  • Proxies can be used to « hide » the real servers
  • Interior => Exterior traffic
    • Give the internal user the illusion that she/he accesses the exterior server directly
    • But intercept the traffic to/from the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
  • Exterior => Interior traffic
    • Give the external user the illusion that she/he accesses the interior server directly
    • But intercept the traffic to the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
Using proxies (II)
  • Advantage
    • knowledge of the service/protocol => efficiency and « intelligent » filtering
    • Ex : session tracking, stateful connection
  • Disadvantages
    • one proxy per service !
    • may require modifications of the client
    • proxies do not exist for all services
Static Network Address Translation (NAT) (I)
[Figure, from the Arkoon Inc. tutorial: a host of the internal network with address xxx.xxx.xxx.xxx is seen from outside under the address yyy.yyy.yyy.yyy; the firewall swaps the two addresses on every packet in each direction.]

Static Network Address Translation (NAT) (II)

  • The FW maintains an address translation table
  • The FW transforms address xxx.xxx.xxx.xxx into yyy.yyy.yyy.yyy in the field « source address »
  • The FW transforms address yyy.yyy.yyy.yyy into address xxx.xxx.xxx.xxx in the field « destination address »
  • This operation is transparent for both the exterior and the interior hosts
Applications
  • Non TCP/UDP based protocols
  • Pre-defined partnership addresses
  • Web server, mail… (traffic to the Internet)
  • Application server (hidden behind a FW)
  • Host known/authenticated outside with a specific address
PAT : Port Address Translation (I)
[Figure, from the Arkoon Inc. tutorial: port 2033 on the firewall is mapped to port 80 on a host of the internal network.]

PAT : Port Address Translation (II)
  • Connections are opened from an exterior host
  • Translation table
  • Fewer public addresses are needed
  • Flexible management of server ports
PAT : Port Address Translation (III)
[Figure, from the Arkoon Inc. tutorial: a user at @IP 'U', the FW at @IP 'P', and two web servers of the internal network at @IP1 and @IP2, both listening on port 80.]

Translation table of the FW (@IP « P »):
  • port 80 → @IP1 : port 80
  • port 81 → @IP2 : port 80

Packet flows (as seen outside the FW, then as seen in the internal network):
  • U → P:80 becomes U → IP1:80; the reply IP1:80 → U leaves as P:80 → U
  • U → P:81 becomes U → IP2:80; the reply IP2:80 → U leaves as P:81 → U

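The static NAT (II) and PAT (III) slides above describe two fixed rewriting rules; the following simulation is an added example (not code from the slides or from Arkoon) that applies both to the slides' own addresses. It assumes constructed labels "U", "P", "IP1" and "IP2" for the hosts, a constructed client port 40000, and that a packet matching no rule is dropped by the FW.

```python
from typing import Dict, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class StaticTranslator:
    """Static NAT (1:1 address swap) plus PAT (public port -> internal host:port)."""

    def __init__(self, public_ip: str,
                 pat: Dict[int, Tuple[str, int]],
                 nat_public_to_internal: Dict[str, str]) -> None:
        self.public_ip = public_ip
        self.pat = pat                         # public port -> (internal host, port)
        self.pat_rev = {v: k for k, v in pat.items()}
        self.nat = nat_public_to_internal      # yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx
        self.nat_rev = {v: k for k, v in nat_public_to_internal.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from outside: rewrite the « destination address » field.
        Returns None when no rule matches, i.e. the FW drops the packet."""
        if pkt.dst == self.public_ip and pkt.dport in self.pat:
            host, port = self.pat[pkt.dport]
            return pkt._replace(dst=host, dport=port)
        if pkt.dst in self.nat:
            return pkt._replace(dst=self.nat[pkt.dst])
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply leaving the internal network: rewrite the « source address » field."""
        if (pkt.src, pkt.sport) in self.pat_rev:
            return pkt._replace(src=self.public_ip,
                                sport=self.pat_rev[(pkt.src, pkt.sport)])
        if pkt.src in self.nat_rev:
            return pkt._replace(src=self.nat_rev[pkt.src])
        return None


# Constructed configuration mirroring the slides: the FW at public address P
# forwards port 80 to IP1:80 and port 81 to IP2:80 (PAT), and the internal host
# xxx.xxx.xxx.xxx is statically translated to yyy.yyy.yyy.yyy (NAT).
FW = StaticTranslator("P", {80: ("IP1", 80), 81: ("IP2", 80)},
                      {"yyy.yyy.yyy.yyy": "xxx.xxx.xxx.xxx"})

if __name__ == "__main__":
    print(FW.inbound(Packet("U", 40000, "P", 81)))    # U -> IP2:80
    print(FW.outbound(Packet("IP2", 80, "U", 40000)))  # P:81 -> U
    print(FW.inbound(Packet("U", 40000, "P", 22)))    # None: no rule, dropped
```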
Masking (I)
[Figure, from the Arkoon Inc. tutorial: the internal network behind the masking FW.]

Masking (II)
  • Connections are opened by internal hosts
  • Dynamic connection table (IP address + source port number)
  • One single address is known outside (the FW address)
  • Saves public IP addresses
Masking (continued)
[Figure, from the Arkoon Inc. tutorial: two users of the internal network at @IP1 and @IP2, the masking FW (Arkoon) at @IP 'M', and two web servers at @IP 'W' and @IP 'W2'.]

Translation table of the FW (@IP « M »), written as internal address:port (external port) -> server:
  • 1:1025 (10000) -> W
  • 2:1025 (10001) -> W
  • 2:1026 (10000) -> W2

Packet flows (as seen in the internal network, then as seen outside the FW):
  • 1:1025 -> W leaves as M:10000 -> W; the reply W -> M:10000 is delivered as W -> 1:1025
  • 2:1025 -> W leaves as M:10001 -> W; the reply W -> M:10001 is delivered as W -> 2:1025
  • 2:1026 -> W2 leaves as M:10000 -> W2; the reply W2 -> M:10000 is delivered as W2 -> 2:1026
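The masking slides describe a dynamic table built from connections opened inside; the simulation below is an added example (not code from the slides or from Arkoon) that reproduces the slide's table, including the reuse of external port 10000 towards a different server. It assumes constructed labels "1", "2", "W", "W2" and "M" for the hosts, a constructed server port 80, and that an inbound packet with no table entry is dropped.

```python
from typing import Dict, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Dynamic masking: every connection opened from inside gets a table entry;
    the outside only ever sees the FW address."""
    FIRST_PORT = 10000

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (internal host, internal port, server) -> external port used by the FW
        self.table: Dict[Tuple[str, int, str], int] = {}
        # (external port, server) -> (internal host, internal port), for replies
        self.reverse: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def _alloc_port(self, server: str) -> int:
        # Only the pair (external port, server) has to be unique, so a port already
        # used towards W can be reused towards W2, as the slide's table shows.
        port = self.FIRST_PORT
        while (port, server) in self.reverse:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Connection opened by an internal host: rewrite the source, creating
        the table entry on the first packet and reusing it afterwards."""
        key = (pkt.src, pkt.sport, pkt.dst)
        if key not in self.table:
            port = self._alloc_port(pkt.dst)
            self.table[key] = port
            self.reverse[(port, pkt.dst)] = (pkt.src, pkt.sport)
        return pkt._replace(src=self.public_ip, sport=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from outside: only a reply matching a table entry gets through;
        a packet that no internal host asked for has no entry and is dropped."""
        entry = self.reverse.get((pkt.dport, pkt.src))
        if pkt.dst != self.public_ip or entry is None:
            return None
        host, port = entry
        return pkt._replace(dst=host, dport=port)
```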