FIREWALL

1
FIREWALL
PRESENTATION
Beth Johnson
April 27, 1998
2
What is a Firewall

• Firewall mechanisms are used to control internet
  access
• An organization places a firewall at each
  external connection to guarantee that the
  internal networks remain free from unauthorized
  traffic
• A firewall consists of two barriers and a secure
  computer called a bastion host
• Each barrier uses a filter to restrict datagram
  traffic
• To be effective, a firewall that uses datagram
  filtering should restrict access to
• -all IP sources
• -IP destinations
• -protocols
• -protocol ports
• except those that are explicitly decided to be
  available externally

3
Firewall continued

• A packet filter that allows a manager to specify
  which datagrams to admit instead of which
  datagrams to block can make such restrictions
  easy to specify
• The bastion host offers externally-visible
  servers, and runs clients that access outside
  servers
• Usually, a firewall blocks all datagrams arriving
  from external sources except those destined for
  the bastion host

4
Implementing a Firewall

• A firewall can be implemented in one of several
  ways
• -the choice depends on details such as the
  number of external connections
• In many cases, each barrier in a firewall is
  implemented with a router that contains a packet
  filter
• A firewall can also use a stub network to keep
  external traffic off network
• A stub network consists of a short wire to which
  only three computers connect

5
FIREWALL MARKET STUDY
6
The WallRaptor Systems Inc.

• Used for smaller networks
• Has powerful logging capabilities so you can
  figure out if someone has tried to crack your
  network
• Also, get Raptors WebNOT utility, which blocks
  15,000 unsavory Web sites
• For a nominal fee, the vendor will provide
  periodic updates
• The wall can only be implemented on a 25-user
  network
• Cost 995 list

7
Gauntlet Internet FirewallTrusted Information
Systems (TIS)

• Positioned as an application gateway
• Uses proxies to enforce network traffic rules
• Proxies track and log traffic as it flows through
  the firewall
• Can configure smoke alarms to notify you when
  illegal activity occurs
• Firewalls automatically builds a log report that
  tracks anomalies
• You can also receive the alerts via e-mail or
  pager

8
Gauntlet continued

• Gauntlet is available in two versions
• -software -only solution -11,500
• it installs on an existing BSD Unix, HP/UX,
  or SunOS host
• -turnkey solution -15,000
• runs on a Pentium Machine

9
Check Point Firewall-1Check Point Software
Technologies Ltd.

• Check Point redefined the way people think about
  firewalls with its stateful-inspection engine,
  which works at the network layer instead of an
  application-proxy-based firewall
• Easy to add new services as they emerge
• Firewall-1 comes with all of the basic services
  including
• -HTTP
• -SSL
• -NNTP
• -SMTP
• -DNS
• Administrators can control each of these services
  using flexible rules

10
Firewall-1 continued

• Can place specific restrictions on individual FTP
  sites and directories, and can selectively allow
  gets but not puts
• Check Point has developed Content Vectoring
  Protocol (CVP), which defines how a firewall
  forwards packets and data to specialized servers
• An administrator can configure and monitor
  Firewall-1 on the firewall itself or from
  anywhere on the network
• Any unauthorized use can trigger a visible or
  audible alert to the System Status screen or one
  of many other options such as e-mail
• Firewall-1 optional encryption module turns the
  firewall into a VPN node
• Dynamic TCP/IP addresses are allowed
• Cost 50 nodes -4,995
• unlimited -18,990

11
AltaVista Firewall 97Digital Equipment Corp.

• Application-proxy-based firewall
• Suitable for small networks because of the lack
  of remote configuration capabilities and
  inability to work with more than two-adapter
  configurations
• vulnerable to SYN-flood attacks
• AltaVista has solid support for most of the basic
  services, except for some minor deficiencies with
  HTTP
• Telnet and FTP access can be finely regulated
• Cost 50 nodes -3,995
• unlimited -14,995

12
Firewall/PlusNetwork-1 Software Technology

• Aimed at networks of all sizes
• Runs as a Window NT service on both Intel and
  Alpha platforms
• Firewall/Plus uses both proxies and stateful
  inspection
• Packets are allowed or denied based on choices
  made by the administrator configuration
• Firewall/Plus can run transparently without an IP
  address
• -to run in this manner, the firewall must be
  placed between the internet connection and the
  local network
• Consists of a firewall engine and a user
  interface for making modifications to the engine

13
Firewalls/Plus continued

• You can remotely manage the firewall by loading
  the user interface on a remote PC and then
  connecting to a predefined TCP port over an
  encrypted connection
• Cost 50 nodes -3,750
• unlimited -13,000

14
Basic Mini FirewallComputer Peripheral Systems

• Used with a dial-up Internet connection at a
  desktop
• The Basic Mini Firewall is tiny enough to slip
  into your pocket
• It connects to your phone line and your 10 Base-T
  LAN
• Product works by breaking your connection to the
  LAN when you connect to the Internet via your
  modem
• Isnt flexible (and being off the LAN can
  sometimes be inconvenient)
• Makes LAN off-limits
• Cost 85 list