Ch04 Introduction To Firewalls
3rd Edition
Chapter Four
Introduction to Firewalls
Overview
Identify common misconceptions about firewalls
Explain why a firewall is dependent on an effective
security policy
Understand what a firewall does
Describe the types of firewall protection
Recognize the limitations of firewalls
Introduction
Firewalls and related technical controls are a
fundamental security tool
Overview of the issues involved in planning and
designing firewalls
Each individual firewall
Combination of software and hardware components
Firewalls Explained
Firewall
Anything that can filter the transmission of packets of
digital information
As they attempt to pass through an interface between
networks
Application proxy
Provide network services to users while blocking direct
connections to them
Guide to Firewalls and VPNs, 3rd Edition
Logging
VPN
Authentication
Shielding hosts inside the network so that attackers
cannot identify them and use them as staging areas
for sustained attacks
Caching data
Filtering content that is considered inappropriate
Firewall Components
Packet filter
Proxy server
Authentication system
Software that performs Network or Port Address
Translation (NAT or PAT)
Bastion host
Has only the bare essentials
See Figure 4-3
Technical Details
Ports
Ports
Allow many network services to share a single
network address
Socket
Combination of a sender's full address and a
receiver's address
Enabling documentation
Provide information to the network administrator in
the form of log files
Contributing to a VPN
Connects two companies' networks over the Internet
Packet Filtering
Packet
Sometimes called a datagram
Basic element of network data
Contains two types of information: header and data
Packet-filtering firewall
Functions at the IP level
Determines whether to drop a packet or forward it to
the next network connection based on the rules
programmed into the firewall
Offline
X Marks the Spot
Letter x used in two ways
10.10.x.x, where the x indicates a value in the
range of 0 to 254 that can be assigned by the user
organization
Used as a wildcard in a different position to represent any value:
any address that matches the defined portion of the
address
Technical Details
Fresh Hot CIDR
CIDR
Classless Inter-Domain Routing
CIDR Mask
Mitigate the inefficiencies in the way IP addresses
used to be organized and assigned
CIDR Notation
Class A: 10.11.12.13
Class B: 147.144.1.212
Class C: 208.67.220.220
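As an added example (not from the textbook or its slides), the following Python script ties the Packet Filtering, X Marks the Spot and CIDR slides together: it shows the classful network each CIDR Notation example would have belonged to before CIDR, accepts rule addresses written either as CIDR prefixes or in the 10.10.x.x wildcard form, and evaluates packet headers against a small static rule base with first-match and default-deny semantics. The rule base, interface names and packet headers are constructed for illustration.

```python
import ipaddress

def legacy_class_network(ip):
    """Classful network the address belonged to before CIDR: first octet 0-127
    is class A (/8), 128-191 is class B (/16), 192-223 is class C (/24)."""
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def to_network(pattern):
    """Accept 'any', CIDR notation ('10.10.0.0/16'), a single host, or the
    slide's wildcard form ('10.10.x.x': each trailing x means any value)."""
    if pattern == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in pattern:
        return ipaddress.ip_network(pattern)
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "x"]
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError(f"wildcard octets must be trailing: {pattern}")
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{network}/{8 * len(fixed)}")

# Constructed static rule base (assumed, not from the book). Columns:
# action, arriving interface, source, destination, protocol, destination port.
RULES = [
    ("DROP",  "outside", "10.10.x.x", "any",        "any", None),  # inside source seen from outside
    ("ALLOW", "outside", "any",       "10.10.1.25", "tcp", 80),    # public web server
    ("ALLOW", "inside",  "10.10.x.x", "any",        "tcp", 443),   # inside users to HTTPS
]
COMPILED = [(a, i, to_network(s), to_network(d), p, dp) for a, i, s, d, p, dp in RULES]

def filter_packet(packet, rules=COMPILED):
    """Return ALLOW or DROP for one packet header. The first matching rule
    wins, and a packet that matches no rule is dropped (default deny)."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for action, iface, rsrc, rdst, proto, dport in rules:
        if (iface == packet["iface"] and src in rsrc and dst in rdst
                and proto in ("any", packet["proto"])
                and dport in (None, packet.get("dport"))):
            return action
    return "DROP"

if __name__ == "__main__":
    # Constructed headers: an Internet client reaching the web server, then a
    # packet on the outside interface that forges an inside source address.
    for pkt in [{"iface": "outside", "src": "198.51.100.7", "dst": "10.10.1.25", "proto": "tcp", "dport": 80},
                {"iface": "outside", "src": "10.10.5.5", "dst": "10.10.1.25", "proto": "tcp", "dport": 80}]:
        print(filter_packet(pkt), pkt["src"], "->", pkt["dst"])
```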
Firewall Categories
Processing mode
How the firewall examines the network traffic that it
is trying to filter
Generation
Level of technology a firewall has
Later generations being more complex and more
recently developed
Structure
Kind of structure for which the firewalls are intended
Processing Mode
Five major processing-mode categories for
firewalls:
Packet-filtering firewalls, application gateways,
circuit gateways, MAC layer firewalls, and hybrids
Most are hybrids
Processing Mode
Packet-filtering firewalls
Three kinds of packet-filtering firewalls:
Static filtering
Rules must be manually configured
Dynamic filtering
Automatically changes rules in response to
network events
Stateful inspection
Maintains a state table
Circuit gateways
Hybrid firewalls
Combine the elements of various types of firewalls
Firewall Generations
First-generation firewalls
Static packet-filtering firewalls
Second-generation firewalls
Application-level firewalls or proxy servers
Third-generation firewalls
Stateful inspection firewalls
Fourth-generation firewalls
Also known as dynamic packet-filtering firewalls
Allow only a particular packet with a particular
source, destination, and port address to enter
Firewall Structures
Commercial-grade firewall appliances
Stand-alone, self-contained combinations of
computing hardware and software
Have many of the features of a general-purpose
computer
With the addition of firmware-based instructions
Increase reliability and performance
Minimize the likelihood of being compromised
Netfilter/iptables
Firewall software that comes with the Linux 2.4
kernel
Powerful solution for stateless and stateful packet
filtering, NAT, and packet processing
Link Ch 4c
Software device
Can be disabled, allowing unrestricted network access
Firewall Architectures
Packet-filtering routers
Can be configured to reject packets that the
organization does not allow into the network
Limitations Of Firewalls
Cannot be expected to do everything
Should not be the only form of protection for a
network