FIREWALL

FIREWALL
Presentation By
Akash R
2nd
MCA

16/05/15 Firewall 2
Content
1.Definition of Firewall
2.Need of Firewall
3.Firewall Design Principles
4.Firewall Characteristics
5.What a Firewall Can Do?
6.What a Firewall Can’t Do?
7.Architecture of Firewall
8.Types Of Firewall
9.Implementation of Firewall
10.Deployment of Firewall
11.Conclusion

16/05/15 Firewall 3
• Here is how Bob Shirey defines it in RFC 2828.
• An internetwork gateway that restricts data
communication traffic to and from one of the connected
networks (the one said to be "inside" the firewall) and
thus protects that network's system resources against
threats from the other network (the one that is said to be
"outside" the firewall). (See: guard, security gateway.)
Definition

16/05/15 Firewall 4
INTERNET
Firewall
Secure
Private
Network
WHO ? WHEN ?
WHAT ? HOW ?
My
PC
Rules Determine

What is a Firewall ?
A firewall :
◦ Acts as a security gateway
between two networks
 Usually between trusted
and untrusted networks
(such as between a
corporate network and the
Internet)
◦ Tracks and controls network
communications
 Decides whether to pass,
reject, encrypt, or log
communications (Access
Control)
16/05/15 Firewall 5
Corporate
Site
“Allow Traffic
to Internet”
Internet

16/05/15 Firewall 6
Firewalls History
• First generation packet filters
•
• The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital
Equipment Corporation (DEC) developed filter systems known as packet filter firewalls.
• Second generation circuit level
•
• From 19801990 two colleagues from AT&T Company, developed the second generation of
firewalls known as circuit level firewalls.
• Third generation application layer
•
• Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories
described a third generation firewall. also known as proxy based firewalls.
• Subsequent generations
•
• In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC)
were developing their own fourth generation packet filter firewall system.
• In 1994 an Israeli company called Check Point Software Technologies built this into readily
available software known as FireWall1.
• Cisco, one of the largest internet security companies in the world released their PIX ”
Private Internet Exchange ” product to the public in 1997.

16/05/15 Firewall 7
Theft or disclosure of internal data
Unauthorized access to internal hosts
Interception or alteration of data
Vandalism & denial of service
Wasted employee time
Bad publicity, public embarassment, and law suits
Need Of Firewall

Placed at the entrance to an organization’s
intranet
Placed inside an internal network
Placed between RAS and internal network
It is the check point for communication to an
outside network
Firewall Location


Company intranet

Firewall Router

Restricted Network

Corporate Data Center

Firewall

Internet
Firewall Location

Firewall

16/05/15 Firewall 10
The Nature of Today’s Attackers
Who are these “hackers” who are trying to break into your computer?
Most people imagine someone at a keyboard late at night, guessing
passwords to steal confidential data from a computer system. This type
of attack does happen, but it makes up a very small portion of the total
network attacks that occur.
Today, worms and viruses initiate the vast majority of attacks.
Worms and viruses generally find their targets randomly.
As a result, even organizations with little or no confidential
information need firewalls to protect their networks from these
automated attackers.

Firewall Design Principles
1. Information systems undergo a steady evolution (from small LAN`s to
Internet connectivity)
2. Strong security features for all workstations and servers not established
3.The firewall is inserted between the premises network and the Internet
4.Aims:
1.Establish a controlled link
2.Protect the premises network from Internetbased attacks
3.Provide a single choke point

Firewall Characteristics
Design goals:
1.All traffic from inside to outside must pass through the firewall
(physically blocking all access to the local network except via the
firewall)
2.Only authorized traffic (defined by the local security police) will be
allowed to pass
3.The firewall itself is immune to penetration (use of trusted system with a
secure operating system)

Firewall Characteristics
Four general techniques:
1.Service control
• Determines the types of Internet services that can be accessed, inbound
or outbound
2.Direction control
• Determines the direction in which particular service requests are allowed
to flow
3.User control
• Controls access to a service according to which user is attempting to
access it
4.Behavior control
• Controls how particular services are used (e.g. filter email)

Access Control
Authentication
Activity Logging
Other Firewall Services
Standard Firewall Services

Allows the firewall to consider the network
interface where the packet enters
Prevents or limits IP spoofing
“Don’t talk to me unless I talk to you first”
Access Control

Standards have usually relied on passwords or
smartcards or token
No based on IP address but user level
Authentication

Allows the firewall to record information
concerning all successful and failed session
attempts
Referred to as an audit log
Activity Logging

Proxy Applications
Address Mapping
Virtual Private Networks (VPN)
Other Firewall Services

What Firewalls Can Do
Positive Effects
Negative Effects

What Firewalls Do (Positive Effects)
Positive Effects
User authentication.
Firewalls can be configured to require user authentication.
This allows network administrators to control ,track specific user
activity.
Auditing and logging.
By configuring a firewall to log and audit activity,
information may be kept and analyzed at a later date.

AntiSpoofing Detecting when the source of the network
traffic is being "spoofed", i.e., when an individual attempting to
access a blocked service alters the source address in the
message so that the traffic is allowed.
Network Address Translation (NAT) Changing the network
addresses of devices on any side of the firewall to hide their
true addresses from devices on other sides. There are two ways
NAT is performed:

◦ OnetoOne where each true address is translated to a
unique translated address.
◦ ManytoOne where all true addresses are translated to a
single address, usually that of the firewall.

Virtual Private Networks
VPNs are communications sessions traversing public
networks that have been made virtually private through the
use of encryption technology. VPN sessions are defined by
creating a firewall rule that requires encryption for any
session that meets specific criteria.

What Firewalls Do (Negative Effects)
Negative Effects
Although firewall solutions provide many benefits, negative effects
may also be experienced.

◦ Traffic bottlenecks. By forcing all network traffic to pass through
the firewall, there is a greater chance that the network will become
congested.
◦ Single point of failure. In most configurations where firewalls are
the only link between networks, if they are not configured correctly
or are unavailable, no traffic will be allowed through.
◦ Increased management responsibilities. A firewall often adds to
network management responsibilities and makes network
troubleshooting more complex.

What a Firewall Can’t Do
 Do Firewalls Prevent Viruses and Trojans? NO!! A firewall can only
prevent a virus or Trojan from accessing the internet while on your machine

 95% of all viruses and Trojans are received via email, through file sharing
(like Kazaa or Gnucleus) or through direct download of a malicious program
 Firewalls can't prevent this only a good antivirus software program can
however , once installed on your PC, many viruses and Trojans "call home"
using the internet to the hacker that designed it
 This lets the hacker activate the Trojan and he/she can now use your PC for
his/her own purposes
 A firewall can block the call home and can alert you if there is suspicious
behavior taking place on your system

Firewall Architectures
Screening Router
Simple Firewall
Multi-Legged firewall
Firewall Sandwich
Layered Security Architecture
16/05/15 25Firewall

Screening Router
Screening Router
Internet/
Untrusted
Network
Internal Trusted Network
Server
Desktop
Mainframe Database
Routes or blocks packets, as
determined by security policy

Simple Firewall
Screening Router
Internet/
Untrusted
Network
Server
web, smtp
Desktop
Mainframe Database
Firewall then handles traffic
additionally to maintain more
security
Firewall

Multi-Legged Firewall
Screening Router
Internet/
Untrusted
Network
Server
Desktop
Mainframe Database
security
DMZ now offers a secure
sandbox to handle un-trusted
connections to internet services
Firewall
DMZ Semi-Trusted Network
Web Server SMTP Server Server

Firewall
Sandwich
Screening Router
Internet/
Untrusted
Network
App Server
Desktop
Mainframe Database
security
network to handle un-trusted
Separation of security policy
controls between inside and
outside firewalls
Inside Firewall
Outside Firewall
DMZ
Semi-trusted
network
DMZ Semi-Trusted Network
Web Server SMTP Server Server

Layered Firewall
Development
Network
User Network HR Network
Internet /Un-
trusted Network
DMZ
Semi-trusted
network
Inside Firewall
Inside Firewall
Internal Firewall
Internal Firewall
Mainframe
Network
Internal Firewall
security
network to handle un-trusted
Separation of security policy
controls networks within your
trusted network as well as you
semi and un-trusted networks
Fences keep honest people
honest!

Three classes of firewall administrator
interfaces:
Text-file based administration
Text-menu based administration
GUI-based administration
Firewall Administration
Interfaces

Popular in routers and homegrown firewalls
Interface of choice for UNIX administrators
Easier to make errors
Text-File Based Administration

Reduces likelihood of errors
Less flexibility of control
Limited visual feedback to changes made
Text-Menu Based Administration

Most prominent
Easier to use
Less prone to errors
GUI-Based Administration

Types of Firewalls
Common types of Firewalls:
1.Packetfiltering routers
2.Applicationlevel gateways
3.Circuitlevel gateways
4.Bastion host
5.Distributed Firewall System
6.Virtual Private Network (VPN)

◦Applies a set of rules to each incoming IP packet and then
forwards or discards the packet
◦Filter packets going in both directions
◦The packet filter is typically set up as a list of rules based
on matches to fields in the IP or TCP header
◦Two default policies (discard or forward)
Packet-filtering Router

Packet Filtering Firewall
Trusted
Network
Firewall
rule set
Packet is Blocked or Discarded
Untrusted
Network
16/05/15 37Firewall

Packet Filtering Firewall
 A packet filtering firewall is often called a network layer firewall because
the filtering is primarily done at the network layer (layer three) or the
transport layer (layer four) of the OSI reference model.

Packet Filtering
16/05/15 39Firewall

Advantages:
◦Simplicity
◦Transparency to users
◦High speed
Disadvantages:
◦Difficulty of setting up packet filter rules
◦Lack of Authentication
Packet-filtering Router

Application-level Gateway
Gateway sits between user on inside
and server on outside. Instead of
talking directly, user and server talk
through proxy.
Allows more fine grained and
sophisticated control than packet
filtering. For example, ftp server
may not allow files greater than a set
size.
A mail server is an example of an
application gateway
◦ Can’t deposit mail in recipient’s mail
server without passing through
sender’s mail server
host-to-gateway
ftp session
gateway-to-remote
host ftp session
application
gateway

• Advantages
1.Proxy can log all connections, activity in connections
2.Proxy can provide caching
3.Proxy can do intelligent filtering based on content
4.Proxy can perform user-level authentication
• Disadvantages
1.Not all services have proxied versions
2.May need different proxy server for each service
3.Requires modification of client
4.Performance
Application-level Gateway

1.Stand-alone system
2.Specialized function performed by an Application-level
Gateway
3.Sets up two TCP connections
4.The gateway typically relays TCP segments from one
connection to the other without examining the contents
5.The security function consists of determining which
connections will be allowed
6.Typically use is a situation in which the system administrator
trusts the internal users
7.An example is the SOCKS package
Circuit-level Gateway

Circuit Level
16/05/15 45Firewall

Bastion Host
 Highly secure host system
 A system identified by the firewall administrator as a critical strong
point in the network´s security
 The bastion host serves as a platform for an application-level or
circuit-level gateway
 Potentially exposed to "hostile" elements
 Hence is secured to withstand this
◦ Disable all non-required services; keep it simple
 Trusted to enforce trusted separation between network connections
 Runs circuit / application level gateways
◦ Install/modify services you want
 Or provides externally accessible services

Screened Host Architecture
16/05/15 47Firewall

Distributed Firewalls
A central management node sets the security policy
enforced by individual hosts
Combination of high-level policy specification with
file distribution mechanism
Advantages:
◦Lack of central point of failure
◦Ability to protect machines outside topologically isolated
space
◦Great for laptops
Disadvantage:
◦Harder to allow in certain services, whereas it’s easy to block

Distributed Firewalls Drawback
Allowing in certain services works if and only if
you’re sure the address can’t be spoofed
◦Requires anti-spoofing protection
◦Must maintain ability to roam safely
Solution: IPsec
◦A machine is trusted if and only if it can perform proper
cryptographic authentication

Virtual Private Network (VPN)
Used to connect two private networks via the internet
◦ Provides an encrypted tunnel between the two private networks
◦ Usually cheaper than a private leased line but should be studied on an
individual basis
◦ Once established and as long as the encryption remains secure the VPN is
impervious to exploitation
◦ For large organizations using VPNs to connect geographically diverse sites,
always attempt to use the same ISP to get best performance.
 Try to avoid having to go through small MomnPop ISPs as they will tend to be
real bottlenecks

Virtual Private Network (VPN)
16/05/15 51Firewall

It is a physical or logical subnetwork that contains and exposes an
organization's external services to a larger untrusted network, usually the
Internet.

It is sometimes referred to as a perimeter network

Hosts in the DMZ have limited connectivity to specific hosts in the internal
network, firewall controls the traffic between the DMZ servers and the
internal network clients.

A DMZ configuration typically provides security from external attacks, but it
typically has no bearing on internal attacks such as sniffing communication via
a packet analyzer or spoofing such as email spoofing.
DMZ : Demilitarized Zone

Implementations
Software
◦ Devil-Linux
◦ Dotdefender
◦ ipfirewall
◦ PF
◦ Symantec …
Hardware
◦ Cisco PIX
◦ DataPower
◦ SofaWare Technologies
16/05/15 54Firewall

Firewall Deployment
Corporate Network
Gateway
◦ Protect internal network
from attack
◦ Most common
deployment point
Internet
Human Resources
Network
Corporate
Site
Demilitarized Zone
(DMZ)
Public Servers
DMZ
Corporate Network
Gateway

Firewall Deployment
Gateway
Internal Segment Gateway
◦ Protect sensitive segments
(Finance, HR, Product
Development)
◦ Provide second layer of
defense
◦ Ensure protection against
internal attacks and misuse
Internet
Human Resources
Network
Corporate
Site
Public Servers
Demilitarized Zone
(Publicly-accessible
servers)
Internal Segment Gateway

Firewall Deployment
Gateway
Internal Segment
Gateway
ServerBased Firewall
◦Protect individual
application servers
◦Files protect
Internet
Human Resources
Network
Corporate
Site
Server-Based
Firewall
SAP
Server
Public Servers
DMZ

The“2002 Computer Security Institute /FBI Computer
Crime and Security Survey” Reported:
 90% of survey respondents (primarily larger corporations) detected computer security
breaches. Respondents reported a wide range of attacks:
 44% detected system penetration from the outside
 44% detected denial of service attacks
 76% detected employee abuse of Internet access privileges
 85% detected computer viruses, worms, etc.
 80% acknowledged financial losses due to computer security breaches
 44% were willing and/or able to quantify their financial losses (these losses were $455
million).
 Most serious losses occurred through theft of proprietary information and financial
fraud.
 74% cited their Internet connections as a frequent point of attack and 33% cited their
internal systems ands frequent point of attack
 34% reported intrusions to law enforcement (up from only 16% in 1996)
16/05/15 58Firewall

Denial-of-Service
Network Packet Sniffing
IP Spoof Attack
Internet Attacks

A simple attack where the attacker repeatedly
sends their victim voluminous amounts of
electronic mail until the network can no longer
handle the volume - denying them of mail service
Denial-of-Service Attack


Attacker
Mail Server
Target Mailbox

Flood of E-mail

to Target
Denial of Service Mail
Attack

The attacker “listens in” to the data on your
network with a packet sniffer, capturing data and
displaying it in a readable manner
Source and destination users usually don’t even
know that they’ve been “sniffed”
Network Packet Sniffing


Attacker

Network

TCP Packet Copies

Original TCP Packet

Original TCP Packet
Network Packet
Sniffing Attack

The attacker uses the unique IP address of an
unsuspecting target user, presumably for illicit
purposes
An IP spoof becomes a serious attack if the
external attacker claims to have an IP address
that is internal to the targeted network
IP Spoof Attack


External

10.35.25.6

Internal

10.12.1.1

Internal

10.12.1.5

Packet

Filter

Reports source address

to be 10.12.1.1

Filter assumes packet is

from trusted source, and allows

data into the network
IP Spoof Attack

Access Rules and Lists
Host Spoofing Controls
Basic Access Control

Host-Based
Describes the sets of services allowed for each
host or network
Service-Based
Identifies the sets of hosts or networks that may
use each service
Access Rules and Lists

Reducing the threat of spoofing IP addresses:
Restriction of the “source routing option” allows
a host to control the route taken to return to the
source host address
Control by network interface also reduces the
threat
Host Spoofing Controls

Domain Name System (DNS)
DNS servers share information
An attacker could possible redefine the address
of a trusted host within a network to an address
outside the network
Supported Services

Finger
Used to find out logins, user names, and
information concerning a users previous login
Supported Services (cont.)

File Transfer Protocol (FTP)
A separate network connection is usually made
from the destination host back to the original FTP
connection
Most FTP servers supports a PASV (passive
mode) capability allowing the connection to
originate from the client rather than the server

Internet Control Messaging Protocol (ICMP)
Used to send error or test messages between
systems
“PING” uses ICMP to send echo requests to see if
a host is reachable

Internet Relay Chat (IRC)
Using IRC, a user can contact an IRC server and
join an Internet conversation
Threats associated with IRC are of a “social
engineering” nature - an attacker may contact a
user through IRC and convince them to
compromise their network

Network News Transfer Protocol (NNTP)
Allows users to access newsgroups to read
information or participate in discussions
Network File System (NFS)
Allows users to share file systems with other
users
Little security and vulnerable to attacks

Network Time Protocol (NTP)
A service used to synchronize clocks between
computers and networks

rlogin
Developed at the University of California at
Berkeley
Used for remote access between local systems,
but not recommended for use across the Internet
because of lack of proper authentication
capability

TELNET
Standard remote login protocol application
Provides a character-based connection between
two systems

Authentication Mechanisms
User Authentication

Firewalls in multiple geographic locations should
be administered by a single group within the
company
With central administration the administrator
configures the firewalls from a central database
they all share
Remote/Central
Administration

Recording the action in a log or alarm file
Sending e-mail to an administrator
Displaying a message on the firewall console
Sending an SNMP alarm to a network manager
system
Actions Taken From Alarms

Activating and sending a message to an
administrator’s pager
Running a specialized application or script file
from the firewall
Actions Taken From Alarms
(cont.)

Dual-Host Firewalls
Splitting the functions of a firewall between two
hosts to force attackers to break into two
systems for a successful attack
Integrity Scanner
An application on the firewall that continually
scans the firewall for any unauthorized changes
to files, file size, or devices
Firewall Integrity

Address Mapping
Day and Time Restrictions
Load Control
Tunneling
Virtual Private Networks (VPN)
Hacker Traps
Special Features

Most organizations have invalid or illegal IP
addressing internally
Firewalls can map illegal addresses internally to
legal addresses as packets leave the network
Address Mapping


LAN

192.168.1.3

192.168.1.4

192.168.1.1

192.168.1.2

Illegal IP address

192.168.1.2

Legal IP address

204.32.38.1

Internal
External
Address Mapping

Security policies can be set to restrict certain
network access based on day and time
Day and Time Restrictions

x

FTP allowed 
FTP disallowed
Day and Time Restrictions

Limits the number of simultaneous connections
permitted to a host
Helps protect against flooding attacks
Load Control


Limiting the number of simultaneous connections
x
Load Control

Enables encryption all or selected
communication between two or more sites
Requires cooperating firewalls to encrypt and
decrypt packets as they are sent and received
Virtual Private Networks
(VPN)


Company

intranet 1

Company

intranet 2

Internet

Firewall 
Firewall

Not encrypted

PRIVATE

Not encrypted

PRIVATE

Encrypted

PUBLIC
Virtual Private
Networks (VPNs)

Sometimes referred to as “lures and traps” or
“honey pots”
Intruders think they have succeeded in breaking
into the network when in reality they have been
redirected to a “safe” place on the network
Hacker Traps

Future of Firewalls
Firewalls will continue to advance as the attacks on
IT infrastructure become more and more
sophisticated
More and more client and server applications are
coming with native support for proxied environments
Firewalls that scan for viruses as they enter the
network and several firms are currently exploring this
idea, but it is not yet in wide use
16/05/15 95Firewall

Conclusion
A solid firewall will help you stop intruders from accessing your system. we
keep our Internet link to the outside world but the outside world can't view us
unless we want them to.
With a firewall in place we will still have typical email access, but chat and
other interactive programs will require you to take an extra step to grant access
before we can use them.

Conclusion
It is clear that some form of security for private networks
connected to the Internet is essential
A firewall is an important and necessary part of that
security, but cannot be expected to perform all the
required security functions.
16/05/15 98Firewall

FIREWALL

More Related Content

What's hot (20)

Similar to FIREWALL (20)

Recently uploaded (20)

FIREWALL