Firewall (EN)
Firewalls
An Internet connection is a business requirement for almost all
organizations
A computer connected directly to the Internet is a potential
target for attackers
Any computer dysfunction costs money (directly or indirectly)
Protection mechanisms that defend internal networks
against external attacks are required
Firewall’s role
A physical manifestation of the network security policy
Checkpoint and traffic monitoring point between two networks
A mechanism for controlling access to internal network
resources/services
Similar to a “protection wall”
Firewall’s role (cont.)
[Figure: a PC on the private network reaches the Internet through the firewall, which decides who may access what, when and how]
Firewall requirements
1. All traffic from inside to outside and vice-versa must pass
through the firewall
uncontrolled network access points (backdoors) must not exist
2. Only authorized network traffic, set by the security policy,
may pass through the firewall
strict access rules
3. The firewall itself must be immune to attacks. This assumes
a trusted system that was previously configured for
security (hardening)
dedicated machines that do not run other services
Terminology
Packet – data unit created by a network protocol for transporting
data and control information. In the TCP/IP stack context it is also
called datagram.
DMZ (DeMilitarized Zone) – a network segment between the outside
(unprotected network, the Internet) and the internal (protected) network,
whose role is to relay the information exchange. It is usually the
network in which the public services and application gateways are
located
Protected and unprotected networks
– Protected networks are located behind a firewall and are protected by its
policies
– Unprotected networks, like the Internet, sit in front of a firewall and are not
protected by its policies
Traffic directions
– Inbound = to the interior of the firewall protected zone
– Outbound = to the exterior of the firewall protected zone
Terminology (cont.)
Inbound vs Outbound
– Inbound = to the interior of the firewall protected zone
[Figure: the firewall (FW) sits between the internal network and the external network]
Firewall example
[Figure: internal network – FW – router (R) – Internet]
Firewall example (cont.)
[Figure: corporate network in which servers Serv1, Serv2, Serv3 and Serv4 sit behind firewalls (FW) enforcing Policy 1, Policy 2 and Policy 3, connected through a switch (SW) to the perimeter firewall (FW) and router (R)]
Access control parameters
Access control parameters (cont.)
Firewall types
1. Packet filtering firewall
2. Stateful inspection firewall
3. Proxy firewall
4. Personal firewall
Packet filtering firewall
Allows or denies packets based on the source/destination IP
address or port number
– filtering rules (ACL - Access Control List)
Packet inspection is done in both directions (inbound and
outbound traffic)
Packet payload is not inspected
It does not store state information; packets are treated
individually, disregarding the context
A function supported by almost all routers
Advantages
– simple, fast, transparent for end users
Disadvantages
– it cannot block all types of traffic
– ineffective against some types of attacks (e.g. IP address spoofing)
Packet filtering firewall (cont.)
Stateful inspection firewall
Also uses packet filtering
Inspects packets and stores state information for each
connection
– once a packet is identified as being part of an established connection,
its processing can be optimized (it takes a shorter path)
– the state information stored by the firewall differs from vendor to
vendor
The most popular type of firewall
High performance
Stateful inspection firewall (cont.)
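As an added example (not from the slides), a small Python simulation of the two filter types described above, with an assumed internal network of 10.0.0.0/8 and constructed packets: the stateless ACL has to admit any inbound packet with source port 80 to let web replies through, while the stateful filter admits only replies to connections an internal host actually opened.

```python
import ipaddress
from dataclasses import dataclass

# Assumed protected network for this constructed simulation.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def is_inbound(pkt):  # inbound = destined to the interior of the protected zone
    return ipaddress.ip_address(pkt.dst) in INTERNAL

def stateless_filter(pkt):
    """ACL with no memory of earlier packets: first match wins, default deny.
    To let HTTP replies in, it must accept every inbound packet with sport 80."""
    if not is_inbound(pkt):
        return "allow"          # internal hosts may initiate outbound traffic
    if pkt.sport == 80:
        return "allow"          # looks like a reply from a web server
    return "deny"

class StatefulFilter:
    """Remembers connections opened from inside and admits only their replies."""
    def __init__(self):
        self.table = set()      # entries: (int_ip, int_port, ext_ip, ext_port)

    def filter(self, pkt):
        if not is_inbound(pkt):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"      # belongs to an established connection
        return "deny"           # unsolicited, whatever its source port

def compare(packets):
    """Return (stateless decisions, stateful decisions) for a packet sequence."""
    sf = StatefulFilter()
    return ([stateless_filter(p) for p in packets], [sf.filter(p) for p in packets])

# Constructed traffic: an outbound request, its genuine reply, and an
# unsolicited inbound packet that merely uses source port 80.
TRAFFIC = [
    Packet("10.0.0.7", 40000, "198.51.100.20", 80),
    Packet("198.51.100.20", 80, "10.0.0.7", 40000),
    Packet("203.0.113.9", 80, "10.0.0.7", 445),
]
```

Running `compare(TRAFFIC)` shows the stateless filter admitting all three packets while the stateful one rejects the last, unsolicited one.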
Proxy firewall
Application Level Gateway – protocol level control
All requests and responses pass through the proxy server where they are
validated
There are two separate connections: client-proxy, proxy-server
Each service needs a separate proxy
– not all services support proxy servers
Circuit Level Gateway is the simplest implementation of a proxy
– relay between two TCP connections
– security is assured by limiting the number of allowed connections
– once the connections are created, traffic flows without content checking
– the best-known implementation is SOCKS 5
Personal firewall
Simplified version of a network firewall used on workstations
Denies inbound connections unless they were explicitly allowed
Inspects inbound/outbound traffic and protects the workstation
against attacks
Personal firewall examples:
– Windows XP Firewall (SP2)
– ZoneAlarm (www.zonelabs.com)
– Norton Personal Firewall (www.symantec.com)
– Comodo Firewall (www.comodo.com)
Firewall implementation
Specialized, secured operating system
Different levels of performance/price
Easy to install and maintain
Key characteristics for a firewall
Performance
– processing speed (bps, pps, cps)
– scalability
– ASIC vs NP vs CPU (general purpose)
Availability
– active-passive
– active-active
Content filtering
– ActiveX and Java applets
– URL filtering
VPN
– Site-to-Site
– Remote Access
– SSL VPN (WebVPN or Client-less VPN)
Integration with existing infrastructure
– AAA (Authentication, Authorization, Accounting) services
– PKI (Public Key Infrastructure) services
– Logging services
Firewall limitations
Does not offer protection against internal attacks
– 70 % of the attacks are from inside!
Does not offer protection against viruses sent by e-mail or the Web
– SMTP and HTTP traffic is always permitted by the firewall!
Complex systems
– configuring and maintaining a firewall is not a simple task!
Firewall products
Cisco ASA
Check Point FireWall-1
Juniper NetScreen
Palo Alto Networks PA/VM
Fortinet FortiGate
McAfee Firewall Enterprise
Stonesoft NGFW
Linux netfilter/iptables
[Figure: Gartner Magic Quadrant for Enterprise Network Firewalls, 2010]