Chapter 3
Network Firewall Security
Firewalls
What is a Firewall?
A firewall is a program or network device that
filters the information coming through the
Internet connection into your private network or
computer system.
Firewalls are often categorized as either
network firewalls or host-based firewalls.
Network firewalls filter traffic between two or
more networks and run on network hardware.
Host-based firewalls run on host computers
and control network traffic in and out of those
machines.
Continued…
Types of Firewalls:
Application Level Gateway
Also called a proxy server.
Acts as a relay of application-level traffic.
It is used to inspect traffic at the application level.
Circuit Level Gateway
Standalone software.
Sets up two TCP connections.
The gateway typically relays TCP
segments from one connection to the other
without examining the contents (it simply
forwards them).
The security function consists of
determining which connections will be
allowed.
The Role of Firewalls
A firewall is a term used for a “barrier”
between a network of machines and users
that operate under a common security
policy and generally trust each other, and
the outside world.
There are two basic reasons for using a
firewall at present:
to save money by concentrating your
security on a small number of components;
to simplify the architecture of a system by
restricting access only to machines that
trust each other.
Advantages of Firewalls
Concentration of security: all modified
software and logging is located on the
firewall system as opposed to being
distributed across many hosts.
Protocol Filtering, where the firewalls
filters protocols and services that are either
not necessary or that cannot be adequately
secured from exploitation.
Information Hiding, in which a firewall can
“hide” names of internal systems (or)
electronic mail addresses, thereby revealing
less information to outside hosts.
Application Gateways, where the firewalls
Disadvantages of Firewalls
The most obvious being that certain types
of network access may be hampered or
even blocked for some hosts, including
telnet, ftp, NFS etc.
A second disadvantage of a firewall
system is that it concentrates security in
one spot as opposed to distributing it
among systems; thus a compromise of the
firewall could be disastrous to other less
protected systems on the subnet.
Example: if someone attacks the
security guard, the organization faces
Internet Security Architecture
Designing an Appropriate Network
There are invariably numerous
requirements and expectations placed
upon a network, such as meeting and
exceeding the organization’s availability
and performance requirements, providing a
platform that is conducive for securing
sensitive network assets, and enabling
effective and secure links to other
networks.
On top of that, the overall network design
must provide the ability to grow and
support future network requirements.
Common steps for obtaining such information
include meeting with project stakeholders,
application and system owners, developers,
management, and users.
It is important to understand their expectations
and needs with regard to performance, security,
availability, budget, and the overall importance
of the new project.
Adequately understanding these elements will
ensure that project goals are met, and that
appropriate network performance and security
controls are included in the design.
One of the most common problems encountered
in a network implementation is unmet
expectations resulting from a difference of
assumptions. That’s why expectations should be
Performance
The legacy Cisco Hierarchical Internetworking
model, which most network engineers are
intimately familiar with, is a common design
implemented in large-scale networks today,
although many new types of purpose-built
designs have been developed that support
emerging technologies like Clos fabrics,
lossless Ethernet, layer two bridging with TRILL
or IEEE 802.1aq, and other data center–centric
technologies.
The three-tier hierarchy still applies to
campus networks, but no longer to data
centers. This is a “legacy” model socialized
by Cisco, but even Cisco has newer thinking
for data centers. Networks are becoming
much more specialized, and the security
The Cisco Hierarchical Internetworking model,
depicted in Figure 13-1, uses three main layers
commonly referred to as the core, distribution,
and access layers:
Core layer Forms the network backbone and is
focused on moving data as fast as possible
between distribution layers. Because
performance is the core layer’s primary focus, it
should not be used to perform CPU-intensive
operations such as filtering, compressing,
encrypting, or translating network addresses for
traffic.
Distribution layer Sits between the core and
the access layer. This layer is used to aggregate
access-layer traffic for transmission into and out
The Cisco model is highly scalable. As the
network grows, additional distribution and
access layers can be added seamlessly.
As the need for faster connections and more
bandwidth arises, the core and distribution
equipment can be upgraded as required.
This model also assists corporations in
achieving higher levels of availability by
allowing for the implementation of redundant
hardware at the distribution and core layers.
And because the network is highly
segmented, a single network failure at the
access or distribution layers does not affect
the entire network.
Internal Security Practices
Internal controls, such as firewalls and early
detection systems (IDS, IPS, and SIEM),
should be located at strategic points within
the internal network to provide additional
security for particularly sensitive resources
such as research networks, repositories
containing intellectual property, and human
resource and payroll databases.
Dedicated internal firewalls, as well as the
ability to place access control lists on
internal network devices, can slow the
spread of a virus. Figure 13-4 depicts a
network utilizing internal firewalls.
When designing internal network zones, if
there is no reason for two particular networks
to communicate, explicitly configure the
network to block traffic between those
networks, and log any attempts that hosts
make to communicate between them.
With modern VoIP networks, this can be a
challenge as VoIP streams are typically
endpoint to endpoint, but consider only
allowing the traffic you know to be legitimate
between any two networks.
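The zone policy described above (explicitly block traffic between networks that have no reason to communicate, log the attempts, and allow only the traffic known to be legitimate, such as endpoint-to-endpoint VoIP media) as an added Python example. It is not part of the original slides; the zone addresses, the allow-list and the sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal zones (assumption: three /24 networks).
ZONES = {
    "hr": ipaddress.ip_network("10.10.0.0/24"),
    "research": ipaddress.ip_network("10.20.0.0/24"),
    "voip": ipaddress.ip_network("10.30.0.0/24"),
}

# Explicit allow-list: (source zone, destination zone, protocol, destination port).
# A port of None means "any port", used for endpoint-to-endpoint VoIP media.
# Everything not listed here is denied and logged (default deny).
ALLOW = {
    ("voip", "voip", "udp", None),
    ("hr", "hr", "tcp", 445),
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to the zone that contains it, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def decide(flow: Flow, log: list) -> str:
    """Allow only listed zone-to-zone traffic; deny and log everything else."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for s, d, proto, port in ALLOW:
        if (s, d, proto) == (src_zone, dst_zone, flow.proto) and port in (None, flow.dport):
            return "allow"
    log.append(f"DENY {src_zone}->{dst_zone} {flow.proto} "
               f"{flow.src}->{flow.dst}:{flow.dport}")
    return "deny"


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.10.0.9", "tcp", 445),     # HR file share inside HR: allowed
    Flow("10.30.0.7", "10.30.0.8", "udp", 16384),   # VoIP media between two phones: allowed
    Flow("10.20.0.4", "10.10.0.9", "tcp", 445),     # research -> HR: no rule, denied and logged
    Flow("192.0.2.10", "10.20.0.4", "tcp", 22),     # unknown source -> research: denied and logged
]


def run(flows=SAMPLE_FLOWS):
    """Evaluate every flow; return the verdicts and the deny log."""
    log = []
    verdicts = [decide(f, log) for f in flows]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run()
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(v, f)
    print("\n".join(log))
```

The deny log is the part worth keeping: a flow from the research zone to the HR zone that nobody configured is exactly the "attempt to communicate" the slides say should be recorded.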
A common technique used by hackers is to
target an area of the network that is less
secure, and then work their way in slowly via
IPv4 and IPv6 Security
IP Security Overview
The Internet community has developed
application-specific security mechanisms in
a number of areas, including electronic mail
(S/MIME, PGP), client/server (Kerberos), Web
access (SSL), and others. However, users
have some security concerns that cut across
protocol layers.
For example, an enterprise can run a secure,
private TCP/IP network by disallowing links
to untrusted sites, encrypting packets that
leave the premises, and authenticating
packets that enter the premises.
By implementing security at the IP level, an
In response to these issues, the Internet
Architecture Board (IAB) included
authentication and encryption as necessary
security features in the next-generation IP,
which has been issued as IPv6. Fortunately,
these security capabilities were designed to
be usable both with the current IPv4 and the
future IPv6. This means that vendors can
begin offering these features now, and many
vendors do now have some IPsec capability
in their products.
IP-level security encompasses three
functional areas: authentication,
confidentiality, and key management.
The confidentiality facility enables
communicating nodes to encrypt messages to
prevent eavesdropping by third parties.
The key management facility is concerned
with the secure exchange of keys. The current
version of IPsec, known as IPsecv3, encompasses
authentication and confidentiality. Key
management is provided by the Internet Key
Exchange standard, IKEv2.
Overview of IP security (IPsec)
Internet Protocol Security (IPsec) is a network
protocol that authenticates and encrypts the
packets of data sent over a network.
IPsec can protect data flows between a pair
of hosts (host-to-host), between a pair of
security gateways (network-to-network), or
between a security gateway and a host
(network-to-host).
Internet Protocol security (IPsec) uses
cryptographic security services to protect
communications over Internet Protocol (IP)
networks.
IPsec supports network-level peer
authentication, data-origin authentication,
data integrity, data confidentiality
(encryption), and replay protection.
The IPsec suite is an open standard.
IPsec uses the following protocols to
perform various functions:
Authentication Header (AH) provides
connectionless data integrity and data-origin
authentication for IP datagrams and provides
protection against replay attacks.
Encapsulating Security Payload (ESP)
provides confidentiality, data-origin
authentication, connectionless integrity, an
anti-replay service (a form of partial
sequence integrity), and limited traffic-flow
confidentiality.
Security Associations (SAs) provide the
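An added, simplified Python model of the AH/ESP services listed above; it is not the real IPsec wire format and not from the original slides. An HMAC-SHA256 integrity check value (ICV) over the sequence number and payload supplies data-origin authentication and connectionless integrity, and a 64-packet sliding window supplies the anti-replay service (the "partial sequence integrity" the slides mention). The key and packets are constructed; on a real SA the key comes from IKEv2, and ESP would additionally encrypt the payload, which this model omits.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption): a real IPsec SA derives its keys via IKEv2.
KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 32   # HMAC-SHA256 output length in bytes
WINDOW = 64    # anti-replay window size in packets


def make_packet(seq: int, payload: bytes) -> bytes:
    """Sender: 32-bit sequence number, payload, then an ICV over both (AH/ESP style)."""
    header = struct.pack("!I", seq)
    icv = hmac.new(KEY, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class Receiver:
    """Receiver state for one inbound SA: highest sequence seen plus a window bitmap."""

    def __init__(self):
        self.highest = 0   # highest sequence number that passed the ICV check
        self.bitmap = 0    # bit k set => sequence (highest - k) already received

    def accept(self, packet: bytes) -> str:
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        (seq,) = struct.unpack("!I", header)
        # Integrity and origin check first, so a forged sequence number
        # cannot move the window before it is authenticated.
        expected = hmac.new(KEY, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):
            return "reject: bad ICV"
        if seq == 0:
            return "reject: seq 0"          # the first packet on an SA uses sequence 1
        if seq > self.highest:
            shift = seq - self.highest      # advance the window to the new right edge
            if shift >= WINDOW:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << WINDOW) - 1)
            self.bitmap |= 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "reject: too old"        # left of the window: replay and delay look alike
        if self.bitmap & (1 << offset):
            return "reject: replay"         # this sequence number was already received
        self.bitmap |= 1 << offset
        return "accept"                     # late but genuine packet inside the window


def demo() -> list:
    """Constructed traffic: normal packets, a replay, a tampered payload, a jump, a stale packet."""
    rx = Receiver()
    p1, p2 = make_packet(1, b"hello"), make_packet(2, b"world")
    tampered = p2[:4] + b"WORLD" + p2[4 + len(b"world"):]   # payload changed, ICV left as is
    return [
        rx.accept(p1),                              # accept
        rx.accept(p2),                              # accept
        rx.accept(p1),                              # reject: replay
        rx.accept(tampered),                        # reject: bad ICV
        rx.accept(make_packet(200, b"big jump")),   # accept, window right edge moves to 200
        rx.accept(make_packet(100, b"stale")),      # reject: too old (200 - 100 >= 64)
        rx.accept(make_packet(150, b"late")),       # accept, offset 50 is inside the window
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering inside `accept` is the point a defender should notice: the ICV is verified before the window is touched, so an unauthenticated packet with a huge sequence number cannot push genuine in-flight packets out of the window.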
APPLICATIONS OF IPSEC
IPsec provides the capability to secure
communications across a LAN, across
private and public WANs, and across the
Internet. Examples of its use include the
following:
Secure branch office connectivity over the
Internet: A company can build a secure
virtual private network over the Internet or
over a public WAN. This enables a business
to rely heavily on the Internet and reduce
its need for private networks, saving costs
and network management overhead.
Secure remote access over the Internet: An
Establishing extranet and intranet
connectivity with partners: IPsec can be
used to secure communication with other
organizations, ensuring authentication and
confidentiality and providing a key
exchange mechanism.
Enhancing electronic commerce security:
Even though some Web and electronic
commerce applications have built-in
security protocols, the use of IPsec
enhances that security.
HOST Security
Authentication
Authentication is the process of reliably
verifying the identity of someone (or
something). There are lots of examples of
authentication in human interaction.
1. We recognize each other's faces when we
meet.
2. We recognize each other's voices on the
telephone.
3. We are authenticated by the customs official
who checks us against the picture on our
passport.
4. A guard might authenticate you by
Creating a good quality password policy
The security provided by a password system
depends on the passwords being kept secret at all
times. Thus, a password is vulnerable to
compromise whenever it is used, stored, or even
known.
A password must be initially assigned to a user
when enrolled on the system.
A user's password must be changed periodically.
The system must maintain a “password database”.
Users must remember their passwords.
Users must enter their passwords into the system
at authentication time.
Authentication Identification
Sometimes it is also required that the computer
verify its identity with the users, based on one of
three methods:
what you know (e.g., passwords)
what you have (e.g., keycards)
what you are (e.g., biometric information)
Verification
Validation of information supplied against a
table of possible values based on the user's
claimed identity. Verify identity based on
your physical characteristics, known as
Characteristics used include:
Signature
Fingerprint, hand geometry
Face or body profile
Speech, retina pattern
How authentication is done depends on
capabilities of entity being authenticated.
Two most important capabilities:
ability to store a high-quality key.
ability to perform cryptographic operations
Types of Authentication
1. Password-based authentication
Authenticating oneself by showing a secret
password to the remote peer (and to the
network).
Always vulnerable to eavesdropping attack.
Usual protection: limit the frequency of
incorrect password entries.
2. Address-based authentication
Authenticating oneself by using a
physically-secured terminal/computer.
Conceptually similar to password-based
3. Cryptography-based authentication
Authenticating oneself by showing
evidence of a secret key to the remote peer
(and to the network) but without exposing
the secret to the peer (or to the
network). The secret key can be obtained from a
password.
Problems with Passwords
Eavesdropping
On-line guessing of password
Off-line cracking
Security of the password file
1. Eavesdropping
Passwords must be uttered to be used.
Most people don't watch.
But they are not the people you are worried
about.
Wiretapping is a more sophisticated
problem.
If the password is sent across a
network then eavesdropping is possible.
For example, a traditional telnet connection
is unsecured (no cryptography), so an
attacker who can eavesdrop, e.g., on the
2. Trojan Horses
A Trojan horse is a useful, or apparently useful,
program, which also performs unwanted/harmful
functions.
If a user can be induced to run a Trojan horse
which mimics the log in program then the Trojan
can capture the user’s password.
The password can then be sent to the author of
the Trojan.
3. On-Line Guessing
I can impersonate you if I can guess your
password.
Some systems allow easily guessable
passwords (not really a good idea, but some do it;
it would be better to disallow them).
4. Locking Accounts
Can lock accounts after too many failed
attempts.
But then easy for someone to deny access.
Can cut off the connection after a number of
failed attempts and require it to be
re-established.
Can have system response be very slow.
5. Off Line Password Guessing
Passwords more vulnerable if off-line
guessing possible.
Off-line attack: an intruder captures a
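An added Python example (not from the original slides) that ties together the password-system requirements above: initial enrolment, periodic change, a "password database" that stores only salted PBKDF2 hashes so that a captured file still forces off-line guessing through the work factor, and account locking after too many failed on-line guesses, with the denial-of-access trade-off the slides point out. The usernames, passwords, iteration count and lockout values are constructed demo values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000      # PBKDF2 work factor (demo value; production uses a higher setting)
MAX_FAILURES = 5          # on-line guessing: lock after this many consecutive failures
LOCKOUT_SECONDS = 300     # lockout duration; locking also lets a third party deny access
SALT_LEN = 16


class PasswordDB:
    """The 'password database' the system must maintain: salted hashes, never plaintext."""

    def __init__(self):
        self.records = {}    # username -> (salt, PBKDF2 digest)
        self.failures = {}   # username -> (consecutive failures, time of first failure)

    def enroll(self, user: str, password: str) -> None:
        """Initial assignment of a password (also used for a periodic change): fresh random salt."""
        salt = os.urandom(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.records[user] = (salt, digest)

    def change_password(self, user: str, old: str, new: str, now=None) -> str:
        """Periodic change: the old password must verify before the new one is stored."""
        if self.verify(user, old, now) != "ok":
            return "denied"
        self.enroll(user, new)
        return "changed"

    def verify(self, user: str, password: str, now=None) -> str:
        """Authentication-time check with lockout after repeated failures."""
        now = time.time() if now is None else now
        count, since = self.failures.get(user, (0, now))
        if count >= MAX_FAILURES:
            if now - since < LOCKOUT_SECONDS:
                return "locked"
            count, since = 0, now        # lockout expired; start counting again
        record = self.records.get(user)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * SALT_LEN, ITERATIONS)
            ok = False
        else:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
            ok = hmac.compare_digest(candidate, digest)   # constant-time comparison
        if ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = (count + 1, since if count else now)
        return "bad password"


def demo() -> list:
    """Constructed session: correct login, five wrong guesses, lockout, expiry, password change."""
    db = PasswordDB()
    db.enroll("alice", "correct horse battery staple")
    results = [db.verify("alice", "correct horse battery staple", now=0.0)]      # ok
    for _ in range(MAX_FAILURES):
        results.append(db.verify("alice", "guess", now=1.0))                     # bad password
    results.append(db.verify("alice", "correct horse battery staple", now=2.0))  # locked
    later = 2.0 + LOCKOUT_SECONDS
    results.append(db.change_password("alice", "correct horse battery staple",
                                      "new passphrase", now=later))              # changed
    results.append(db.verify("alice", "correct horse battery staple", now=later))  # bad password
    results.append(db.verify("bob", "anything", now=later))                        # bad password
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two design choices carry the slides' points: the per-user random salt means two users with the same password get different hashes, so a captured database cannot be attacked once for everyone, and the iteration count is what makes each off-line guess cost the attacker roughly as much as a legitimate verification costs the server.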