Firewall (EN)

Firewalls are essential for protecting internal networks from external attacks, acting as a checkpoint for traffic monitoring and access control. They must enforce strict access rules, be immune to attacks, and all traffic must pass through them. Various types of firewalls exist, including packet filtering, stateful inspection, proxy, and personal firewalls, each with distinct functionalities and limitations.

Uploaded by

Kushner Serge

Firewalls

• Internet connection is a business requirement for almost all organizations
• A computer connected directly to the Internet is a potential target for attackers
• Any computer dysfunction costs money (directly or indirectly)
• Protection mechanisms for defending internal networks against external attacks are required

Firewall’s role

• A physical manifestation of the network security policy
• Check point and traffic monitoring, between two networks
• A mechanism for controlling access to internal network resources/services
• Similar to a “protection wall”

Firewall’s role (cont.)

[Figure: a firewall placed between a PC on the private network and the Internet; for every traffic flow the firewall decides "Who? When? What? How?"]

Firewall requirements

1. All traffic from inside to outside and vice-versa must pass through the firewall
   – uncontrolled network access points (backdoors) must not exist
2. Only authorized network traffic, set by the security policy, may pass through the firewall
   – strict access rules
3. The firewall itself must be immune to attacks. This assumes using a trusted system which was previously configured for security (hardening)
   – dedicated machines that do not run other services

Terminology

• Packet – data unit created by a network protocol for transporting data and control information. In the TCP/IP stack context it is also called a datagram.
• DMZ (DeMilitarized Zone) – a network segment between the outside (unprotected network, Internet) and the internal network (protected), having the role of relaying the information exchange. It is the network in which, usually, the public services and application gateways are located.
• Protected and unprotected networks
  – Protected networks are located behind a firewall, being protected by its policies
  – Unprotected networks, like the Internet, sit in front of a firewall and are not protected by its policies
• Traffic directions
  – Inbound = to the interior of the firewall protected zone
  – Outbound = to the exterior of the firewall protected zone

Terminology (cont.)

• Inbound vs Outbound
  – Inbound = to the interior of the firewall protected zone
  – Outbound = to the exterior of the firewall protected zone

[Figure: Internal Network – FW – External Network; inbound traffic enters the internal network through the FW, outbound traffic leaves it]

Firewall example

[Figure: Internal Network (protected) – FW – DMZ – R (router) – Internet (unprotected)]

Firewall example (cont.)

[Figure: Corporate Network with four servers on a switch (SW); Serv1, Serv2 and Serv3 each sit behind their own FW enforcing Policy 1, Policy 2 and Policy 3 respectively, Serv4 has none, and a central FW and router (R) connect the switch outward]

Access control parameters

Policy (firewall rules) examples:

• At the Data Link Layer
  – Drop all packets from MAC address 00-1c-bf-01-02-03
  – Don't ask for authentication if the MAC address is 00-1c-2b-aa-bb-cc
• At the Network Layer
  – Deny all traffic, except outbound packets coming from the 10.10.10.0/24 network
  – Allow only ESP (IPSec) traffic
  – Deny all traffic, except traffic from the 172.16.30.0/24 network to the 192.168.10.0/24 network

Access control parameters (cont.)

Policy (firewall rules) examples:

• At the Transport Layer
  – Allow web traffic from everywhere (including the Internet), as long as the destination address is 192.168.0.10
  – Allow FTP traffic from everywhere to 192.168.0.11
• At the Application Layer
  – Deny all "peer-to-peer" traffic
  – Do not allow HTTP traffic that has the "POST" subcommand in its header
  – Do not allow the "DEBUG" option in SMTP commands (e-mail)

Firewall types
1. Packet filtering firewall
2. Stateful inspection firewall
3. Proxy firewall
4. Personal firewall

Packet filtering firewall

• Allows or denies packets based on the source/destination IP address or port number
  – filtering rules (ACL – Access Control List)
• Packet inspection is done in both directions (inbound and outbound traffic)
• Packet payload is not inspected
• It doesn't store state information; packets are treated individually, disregarding the context
• Function supported by almost all routers
• Advantages
  – simple, fast, transparent for end users
• Disadvantages
  – it can't block all types of traffic
  – inefficient against some types of attacks (e.g. IP address spoofing)

Packet filtering firewall (cont.)

Stateless packet filter – two access control lists are necessary:

1. Allow HTTP traffic from 10.0.0.0/24 to www.yahoo.com
2. Allow HTTP traffic from www.yahoo.com to 10.0.0.0/24

Stateful inspection firewall

• Also uses packet filtering
• Inspects packets and stores state information for each connection
  – once a packet is identified as being part of an established connection, its processing can be optimized (take a shorter path)
  – the state information stored by the firewall differs from vendor to vendor
• The most popular type of firewall
• Great performance

Stateful inspection firewall (cont.)

One access control list is enough:

1. Allow HTTP traffic from 10.0.0.0/24 to www.yahoo.com

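As an added example (not from the slides), the ACL rules of the Access control parameters slides and the two designs of slides 14 and 16 simulated in Python: a stateless filter that needs a rule per direction, and a stateful filter that records connection openers and lets reply packets through on a short path without an ACL lookup. It also shows the cost of the stateless reply rule: any packet carrying source port 80 from the server address reaches the whole 10.0.0.0/24 network. The server address 203.0.113.10 stands in for www.yahoo.com and the traffic is constructed.

```python
import ipaddress
from collections import namedtuple

# Minimal TCP packet: only the header fields a packet filter looks at.
Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))

def acl_lookup(rules, pkt):
    """First-match ACL (the stateless packet filter on its own). Rule =
    (src_net, sport, dst_net, dport, action); None port = any; no match = deny."""
    for src_net, sport, dst_net, dport, action in rules:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulFilter:
    """Stateful inspection: only connection openers (SYN) consult the ACL; later
    packets of an accepted connection, in either direction, take the short path."""
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()  # (src, sport, dst, dport) of accepted connections
    def check(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "allow"  # established connection: no ACL lookup needed
        if pkt.syn and acl_lookup(self.rules, pkt) == "allow":
            self.conns.add(fwd)
            return "allow"
        return "deny"

WEB = "203.0.113.10/32"  # constructed stand-in for www.yahoo.com (TEST-NET-3)
# Slide 14: the stateless filter needs a rule for each direction.
STATELESS_ACL = [("10.0.0.0/24", None, WEB, 80, "allow"),
                 (WEB, 80, "10.0.0.0/24", None, "allow")]
# Slide 16: the stateful filter needs only the client-to-server rule.
STATEFUL_ACL = [("10.0.0.0/24", None, WEB, 80, "allow")]

# Constructed traffic: a client request, the server's reply, and an unsolicited
# packet that uses source port 80 to look like HTTP but targets SSH inside.
TRAFFIC = [Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
           Packet("203.0.113.10", 80, "10.0.0.5", 40000),
           Packet("203.0.113.10", 80, "10.0.0.7", 22, syn=True)]

def compare(traffic=TRAFFIC):
    """Returns (stateless verdicts, stateful verdicts) for the traffic list."""
    sf = StatefulFilter(STATEFUL_ACL)
    return ([acl_lookup(STATELESS_ACL, p) for p in traffic],
            [sf.check(p) for p in traffic])
```

The third packet is allowed by the stateless filter (rule 2 matches on source port 80 alone) and denied by the stateful one, because no connection to 10.0.0.7:22 was ever opened from the inside.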
Proxy firewall

• Application Level Gateway – protocol level control
• All requests and responses pass through the proxy server, where they are validated
• There are two separate connections: client-proxy and proxy-server
• Each service needs a separate proxy
  – not all services support proxy servers
• Circuit Level Gateway is the simplest implementation of a proxy
  – relay between two TCP connections
  – security is assured by limiting the number of allowed connections
  – once the connections are created, traffic flows without content checking
  – the best-known implementation is SOCKS 5

Personal firewall

• Simplified version of a network firewall, used on workstations
• Denies inbound connections unless they were explicitly allowed
• Inspects inbound/outbound traffic and protects workstations against attacks
• Personal firewall examples:
  – Windows XP Firewall (SP2)
  – ZoneAlarm (www.zonelabs.com)
  – Norton Personal Firewall (www.symantec.com)
  – Comodo Firewall (www.comodo.com)

Firewall implementation

• Specialized, secured operating system
• Different levels of performance/price
• Easy to install and maintain

• Runs on general purpose systems

• Medium performance level

• High level of performance

• Integrates with the existing network infrastructure

• Protection of existing investment

• Dedicated to WAN/Internet connections
• Affects the router's packet forwarding performance

Key characteristics for a firewall

• Performance
  – processing speed (bps, pps, cps)
  – scalability
  – ASIC vs NP vs CPU (general purpose)
• Availability
  – active-passive
  – active-active
• Content filtering
  – ActiveX and Java applets
  – URL filtering
• VPN
  – Site-to-Site
  – Remote Access
  – SSL VPN (WebVPN or Client-less VPN)
• Integration with existing infrastructure
  – AAA (Authentication, Authorization, Accounting) services
  – PKI (Public Key Infrastructure) services
  – Logging services

Firewall limitations

• Does not offer protection against internal attacks
  – 70 % of the attacks are from inside!
• Does not offer protection against viruses sent by e-mail or Web
  – SMTP and HTTP traffic is always permitted by the firewall!
• Complex systems
  – configuring and maintaining a firewall is not a simple task!

Firewall products

• Cisco ASA
• Check Point FireWall-1
• Juniper NetScreen
• Palo Alto Networks PA/VM
• Fortinet FortiGate
• McAfee Firewall Enterprise
• Stonesoft NGFW
• Linux netfilter/iptables

Gartner Magic Quadrant for Enterprise Network Firewalls, 2010
