
OfficeConnect Internet Firewall



Presentation Transcript


  1. OfficeConnect Internet Firewall February, 2000

  2. Agenda • The Internet and Security • What Is A Firewall & Why Do You Need One?! • Firewall Issues • Types of Firewalls • Firewall Applications

  3. The Internet & Security

  4. The Internet: What is it anyway? • Can be thought of as a “Network of Networks” • Internet primarily uses the TCP/IP stack shown below:

  5. Security on the Internet: Why is it unsafe? • Weak Authentication • Passwords on the Internet can be cracked via freeware!! • Ease of Spying/Monitoring • Passwords travel across the Internet unencrypted - TELNET • Ease of Spoofing • Impersonate the client's system • Flawed LAN Services • Be careful of using insecure services - rlogin, NIS, NFS • Complex Configurations on the LAN • Complex systems can leave loopholes. • UNIX vendors still ship host systems with access controls configured for maximum (i.e., least secure) access.

  6. What is a Firewall & Why Do You Need One?!

  7. What is a firewall? • A security device that lies between the LAN and the WAN • Keep the LAN private • Block inappropriate traffic passing through

  8. The Firewall Concept: What are we trying to protect? • Our Data • Secrecy • Integrity • Availability • Our Resources • Stop hackers using services such as HD space, CPU time etc. • Our Reputation • Hackers can use your identity

  9. The Firewall Concept: What are we protecting against? • Intrusions • Very common attacks • Hackers use your computers for legitimate purposes • Your computer system stays alive • Denial of Service (DoS) Attacks • Prevents you from using your computer system • Deliberate attacks are uncommon • Very easy to achieve DoS attacks • Flooding is a common type of DoS • Information Theft • Hackers use common Internet services to gain access. • Impersonate by using the telephone (Passive) • Tap network with a Sniffer (Active) • Usually a very slow way of getting information

  10. The Firewall Concept: Who can be hacked anyway? • NASA - 1998 • All hosts were crippled with DoS attacks. • Pentagon Attacks - 1998 • Teenagers broke into several servers. • USAF Command - 1997 • Uncovered highly secretive data. • AOL - 1998 • Hackers used the poor AOL security to break into the American Civil Liberties Union • Other sites: UNICEF, Fox, Yahoo, Coca-Cola. • StarWave - 1997 • Credit card numbers from NBA and ESPN were captured. • VISA - 1997 • 300,000 credit card numbers lifted in CA.

  11. Why Firewalls: What can they do? • Keep the danger of the Internet from spreading into the private LAN. • Restricts people from entering a controlled area • Prevents attackers from getting close to your defences • Restricts people leaving at a controlled point

  12. Why Firewalls: What can they do? • Focuses security decisions at one point • Only forwards TCP and UDP traffic

  13. Why Firewalls: Typical Features • Enforce security policies • Allow, deny, encrypt access to any service. • Log, count, report on all Internet activity • Check to see if any hackers have tried to spoof the network • URL Site Filtering • Uses a large filter list from 3rd party companies, e.g. CyberNOT • 200,000 people are addicted to x-rated sites in the US! • Set up VPN Links • Remote management • Site-to-site links, firewall to firewall • Traffic Shaping • Allow more bandwidth for HTTP traffic • Many more advanced features available • Only limited by the imagination of the developer

  14. Firewall Limitations

  15. Issues and Problems: What Firewalls can’t Do! • Most important: Firewalls are not completely secure! • Castle / Moat • Restricts access to desirable services • Blocks certain services such as TELNET, FTP, NFS • LAN topology might not suit a firewall • Large potential for back doors • Modem access still permitted • Hackers can jump around the firewall • Little protection from insider attacks • Need to promote a host-based security system

  16. Issues and Problems • WWW, gopher • New threats using these common services are not known to firewalls! • Potential for data-driven attacks • Viruses • Firewalls cannot scan packets for viruses • Too complex to do at the moment • Throughput • Potential bottleneck • Not so much of a problem today with speeds of 40Mb/s

  17. Issues with Firewalls: Stupidity & Accidents • Firewalls do not protect from accidents • 55% of all security incidents are a result of naive users • DoS attacks are usually not attacks at all • Apple Computers were out of action for days, due to an email problem • An email was sent that inadvertently caused 300,000 error messages to be sent from their email server.

  18. Types of Firewalls

  19. Types of Firewalls: Network Level Firewalls • Uses packet filtering • Lets you control (allow, deny) data transfer based on: • The IP address the data is coming from • The IP address the data is going to • These were typically built into routers

  20. Types of Firewalls: Network Level Firewalls • Disadvantages: • Has lowest security • No screening above the network layer • Advantages: • Application independence • High performance • Scalability

  21. Types of Firewalls: Application Gateways • An Application Gateway (Proxy Firewall) is a host running a proxy service, say TELNET, FTP or X Windows

  22. Types of Firewalls: Application Gateways • Advantages: • Good security • Full application-layer awareness • Disadvantages: • Poor performance • Limited application support • Poor scalability since it breaks the client/server model

  23. Types of Firewalls: Stateful Inspection • New generation of firewall technology (Checkpoint FW-1) • Provides full application-layer awareness without breaking the client/server model • Evaluates packets based on previous connections • Advantages: • Good security • Full application-layer awareness • Scalability • Transparency • Good performance • Disadvantages: • ?

  24. Typical Services: Which Protocols to Filter? • tftp (port 69) • Can be used to read any file on the system • X Windows, OpenWindows (ports 6000+) • Can leak information from X Windows, including all keystrokes • RPC (port 111) • Remote Procedure Call. Includes NFS, NIS • Can be used to steal passwords and read/write to files • rlogin, rsh, rexec (ports 513, 514, 512) • Can permit unauthorised access to accounts • TELNET & FTP (ports 23, 20 + 21) • Should be restricted to certain systems only • SMTP (port 25) • Restrict to a central email server

  25. Typical Services: Which Protocols to Filter? • RIP (port 520) • Can be spoofed to redirect packet routing • DNS (port 53) • Contains information about hosts that could help hackers • UUCP (UNIX-to-UNIX CoPy) (port 540) • Can be used for unauthorised access • HTTP (port 80) • Should be restricted to an Application Gateway that contains proxy services. This is safer. • All these services must be set up correctly in order to reduce exploitation.
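Slides 19 to 25 together describe one mechanism: address/port rules from a network-level filter, a flow table that admits only replies to connections the LAN opened (stateful inspection), and the port list above. The following Python model is an added example, not code from the deck or from the OfficeConnect product; the LAN range, the central mail server address and the HTTP proxy address are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy following slides 24-25. Assumed addressing (not from the
# deck): LAN 192.168.1.0/24, central mail server 192.168.1.25, HTTP
# application gateway (proxy) 192.168.1.80.
LAN = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.25")
WEB_PROXY = ip_address("192.168.1.80")
# tftp, RPC, rexec, rlogin, rsh, RIP, UUCP: blocked in both directions.
BLOCKED_PORTS = {69, 111, 512, 513, 514, 520, 540}
X11_PORTS = range(6000, 6064)  # X Windows displays :0 to :63


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Network-level rules (addresses, ports) plus a flow table, so that only
    replies to connections the LAN initiated are let back in (slide 23)."""

    def __init__(self):
        self.flows = set()  # 5-tuples of flows initiated from the LAN

    def check(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        # Stateless rules: what a plain packet filter can decide on its own.
        if p.proto not in ("tcp", "udp"):
            return "deny: only TCP and UDP are forwarded"
        if p.dport in BLOCKED_PORTS or p.dport in X11_PORTS:
            return "deny: port %d is on the block list" % p.dport
        if src in LAN:  # outbound, LAN -> WAN
            if p.dport == 80 and src != WEB_PROXY:
                return "deny: HTTP only via the application gateway"
            self.flows.add((p.src, p.dst, p.sport, p.dport, p.proto))
            return "allow: outbound, flow recorded"
        # Inbound, WAN -> LAN. Stateful rule: the reverse of a flow we saw?
        if (p.dst, p.src, p.dport, p.sport, p.proto) in self.flows:
            return "allow: reply to an established flow"
        if p.proto == "tcp" and p.dport == 25 and dst == MAIL_SERVER:
            return "allow: SMTP to the central mail server"
        return "deny: unsolicited inbound traffic"
```

A plain network-level filter would have to open every high port to let the DNS reply through; the flow table lets the same reply in while still refusing an unsolicited packet to a neighbouring port.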

  26. Firewall Applications

  27. Firewall Architectures: Dual-Homed Host (DHH) • The host has two interfaces and usually acts as a router. • Information is not directly routed to the other networks. • A DHH can reject services depending on the data. • Provides a very high level of control. • Dual-homed hosts can only provide services by proxy.

  28. Firewall Architectures: Screened-Host (SH) • Primary security is provided by packet filtering. • The bastion host is the only system on the LAN that hosts on the Internet can connect to. • Provides better security and usability • If the bastion host is attacked, the whole LAN is vulnerable.

  29. Firewall Architectures: Screened Subnet (SS) • Adds an extra layer of security • Isolates the LAN from the Internet • Isolates the bastion hosts on the perimeter network (DMZ)

  30. Firewall Technology: Summary

  31. Firewall Technology Summary • Internet is a dangerous place • Security needs to be a prime concern • Three types of Attack • Intrusions, DoS, Information Theft • Firewalls do the following • enforce Policies, Log, Filter URLs, VPN etc. • Firewalls still have problems and backdoors • Lots of problem protocols to block • Three Types of firewalls • Network-Level, Application Gateway, Stateful Packet Inspection • Three Main Architectures • Dual-homed host • Screened-Host • Screened Subnet

  32. OfficeConnect Internet Firewall Features

  33. OfficeConnect Internet Firewall (front-panel diagram; labels: DMZ, POWER, LAN, DMZ, WAN, RESET)

  34. OfficeConnect Internet Firewall • Firewall Security • Internet Filtering • Logs and Alerts • User Remote Access • DHCP Capabilities • DMZ

  35. Firewall Security • Protects the LAN from invasions from the WAN • Carried out by Stateful Packet Inspection • Only TCP and UDP packets allowed through; all other packets dropped

  36. Easily Set Up Network • Getting Started Wizard CD for the novice • Easy-to-use graphical interface for complex network setup • NO COMMAND LINE INTERFACE

  37. Easily Set Up Network

  38. Attacks Blocked • Denial of Service attacks are blocked on all ports • SYN Flood, Ping of Death, IP Spoofing, Land Attack, Smurf Amplification, Sequence Number Prediction • All attacks alerted and logged with IP address details • Logs and alerts can be emailed for immediate action
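Each attack on this slide corresponds to a recognisable packet or flow pattern, which is what the appliance's logging relies on. The Python detector below is an added example, not code from the deck or the OfficeConnect product, and covers five of the six names (sequence-number prediction needs per-connection TCP state this model does not keep); the LAN range, the SYN threshold and the packet field layout are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed LAN addressing (constructed for this example); its directed
# broadcast address, 192.168.1.255, is the Smurf amplifier target.
LAN = ip_network("192.168.1.0/24")
SYN_THRESHOLD = 100  # half-open SYNs tolerated per destination (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags, e.g. "S" for SYN, "A" for ACK
    icmp_type: int = 0    # 8 = echo request
    frag_offset: int = 0  # IP fragment offset, in 8-byte units
    length: int = 0       # bytes of IP payload carried by this fragment


class AttackDetector:
    def __init__(self):
        self.half_open = defaultdict(int)  # dst -> SYNs not yet ACKed

    def inspect(self, p, from_wan=True):
        """Return the attack names this packet triggers ([] if clean)."""
        hits = []
        src, dst = ip_address(p.src), ip_address(p.dst)
        if from_wan and src in LAN:
            hits.append("ip_spoofing")  # WAN packet claiming a LAN source
        if p.proto == "tcp" and src == dst and p.sport == p.dport:
            hits.append("land_attack")
        if p.proto == "icmp" and p.icmp_type == 8 and dst == LAN.broadcast_address:
            hits.append("smurf_amplification")  # echo request to broadcast
        if 20 + p.frag_offset * 8 + p.length > 65535:
            hits.append("ping_of_death")  # reassembled datagram exceeds IP max
        if p.proto == "tcp" and p.flags == "S":
            self.half_open[p.dst] += 1
            if self.half_open[p.dst] > SYN_THRESHOLD:
                hits.append("syn_flood")
        elif p.proto == "tcp" and "A" in p.flags and self.half_open[p.dst] > 0:
            self.half_open[p.dst] -= 1  # handshake completed, no longer half-open
        return hits
```

Whatever `inspect` returns would be the text of the alert the slide says is logged with the source address.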

  39. Attacks Logged

  40. Filter Unwanted Web Sites • Built-in web filtering capabilities • Selected web sites can be blocked by: • Keyword • IP address or URL • Blocked web site hits can be alerted and logged • Block Java, Cookies and ActiveX

  41. Filter Unwanted Web Sites

  42. Filter Unwanted Web Sites

  43. Web Site Filter Subscription • Annual subscription to a web site filter list • Web Site Filter offers blocking by category • Thousands of web sites in the filter list • List updated every week

  44. Web Site Filter Subscription

  45. Control Services to and from the LAN • Block and activate service protocols into and from your network independently • Specify port numbers as well as defined services • Control the direction of allowed/blocked services

  46. Control Services To and From The LAN

  47. Network Diagnostics • Identify possible network problems

  48. Data Reports • Produce reports on the usage of your bandwidth, and web site hits

  49. Data Reports

  50. User Privileges • Give user privileges to selected users • Bypass filters • Remote Access • Allows different levels of user
