Firewalls - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

Firewalls

Description:

Firewalls. A Presentation for K778. Gokul Bhandari. January 29, ... What is a Firewall? ... Bastion host - A system installed on a network to resist attack. ... – PowerPoint PPT presentation

Number of Views:154

Avg rating:3.0/5.0

Slides: 35

Provided by: busi350

Category:

more less

Transcript and Presenter's Notes

Title: Firewalls

1
Firewalls

A Presentation for K778
Gokul Bhandari
January 29, 2002

2
Agenda

What is a Firewall?
How does it work?
OSI TCP/IP Models
Firewall Types
Implementation Issues
Firewall Market
Conclusion

3
What is a Firewall?

In old times, a fireproof wall used to work as a
barrier to prevent the spread of fire (e.g Quebec
City), so the term firewall.
A hardware device or a software program
Protects networked computers from intrusion
Must have at least two network interfaces one
it intends to protect (usually private network),
the other it intends to protect from (public
network Internet).

4
What is a firewall?

Sits at the gateway of networks
Early firewalls simply routers
Hardware firewall part of TCP/IP routers
Software firewall A program in a secured host

5
Some Firewall related "buzz" words

Bastion host - A system installed on a network to
resist attack. Generally runs under Unix, VMS, NT
DMZ (Demilitarized Zone) - Part of network that
is neither part of the internal network nor
directly part of the Internet
IP Slicing/Hijacking - Attack in an active
session
IP Spoofing - Attacker illicitly impersonates
using the victim's IP address

6
How to know if you run into the firewall?

The program seems to hang--for no real reason.
The connected computer never replies.The messages
may look something like this
master.uwyo.edu finger peery_at_envy.isc.tamu.edu
envy.isc.tamu.edu
And after 30 seconds or so...
connect Connection timed out
master.uwyo.edu telnet envy.isc.tamu.edu
Trying 128.194.13.183...
And after 30 seconds or so...
telnet Unable to connect to remote host
Connection timed out
(Source http//www.isc.tamu.edu/tamu/firewall.h
tml)

7
How does it work?

Filters both inbound and outbound traffic
Two types of filtering
Address filtering filter packets based on
source and destination addresses and port
numbers.
Protocol filtering based on protocol used, e.g.
HTTP, ftp, telnet.

8
How does it work? (Contd)

May use complex rules to determine if the traffic
should be allowed
The rules depend upon the layers it operates on
The firewall sophistication depends upon the
layer it operates on
Understanding of protocol layer is needed

9
OSI Model

OSI stands for Open Systems Interconnection
Developed in 1983 by representatives of major
computer and telecom companies
The goal was to provide a reference model
Officially adopted by ISO as an international
standard

10
TCP/IP Model

The protocol for the Internet
IP divides message into packets and sends
IP is connectionless
TCP Connection-oriented
TCP takes care of keeping track of packets.
Reassembles at the end as a single file.

11
OSI TCP/IP Models

TCP/IP older than OSI
So it does not comply in all respect
The lower four layers are interoperable
Firewalls cannot operate below layer 3

12
OSI TCP/IP Models
13
Firewalls at layer 3

Layer 3 is
Network layer in OSI, IP layer in TCP/IP
Concerned with routing packets to their
destinations
Firewall can determine whether the packet is from
the trusted source
Cannot know what the packet contains

14
Firewalls at layer 4

Layer 4 is
Transport in OSI, TCP/UDP in TCP/IP
Firewalls know a little more the packet
Firewalls can create more sophisticated rules for
granting an denying access

15
Firewalls at the highest layer

The highest layer is
Application layer in both models
Firewalls at this level know the most about
packets
Can be very selective and sophisticated
Is firewall at the higher layer superior?

16
Firewalls IP layer

Professional firewalls catch packets before OS
does
No direct path from the Internet to the OSs
TCP/IP stack

17
Firewall types

Four broad categories
Packet filtering firewalls
Circuit level gateways
Application level gateways
Stateful multi-layer inspection firewalls

18
Packet filtering firewalls

Each packet is compared to a set of criteria
Firewall can drop or forward the packet or send
message to the originator
Have low cost and low impact on network
performance
Works only at the network or IP layer unknown
traffic can go up to level 3
Usually part of the router

19
Circuit level gateways

Works at session layer in OSI and TCP layer in
TCP/IP
The rule is session based, e.g. they monitor
handshaking between packets
Can hide information about protected network
Relatively inexpensive, individual packet not
filtered

20
Application level gateways

Also called Proxies
Similar to circuit-level gateways except
application specific
Rules based on protocol or browser types
Packets are filtered at the application layer
Can be used to log user activities and logins

21
Application level gateways

Offer high level of security
High impact on network performance
Context switches slow network
Not transparent to end users
Requires manual configuration of each client
computer

22
SMI Firewalls

Combine the other three types of firewall
Filter packets at network layer
Determine whether session packets are legitimate
Evaluate contents of packets at application layer
Allow direct communication b/w client and host

23
SMI Firewalls

Rely on algorithms to recognize and process
application layer data
Offer high level of security, good performance,
and transparency
Very expensive
Highly competent administrator required to manage
their complexity

24
Comparison of Firewall technologies

Firewall Capability Packet Filters App. Layer SMI

Communication Info Partial Partial Yes Comm.-de
rived State No Partial Yes App-derived
State No Yes Yes Info. Manipulation Partial Yes
Yes (Source http//www.checkpoint.com)
25
Firewall Implementation

Begin with denying all access
Decide on Inbound access policy
If no secure access to LAN is needed, then
NAT(Network Address Translation) router is
sufficient.
If secure access to LAN is needed, then determine
the criteria

26
Firewall Implementation

Decide on Outbound access policy
If users need access to web only, then proxy
server is suitable
Requires manual configuration of each browser on
each machine
If NAT router is safe for inbound, then it is
also safe for outbound

27
Firewall Implementation

Dial-in /Dial-out access
Dial-in requires a secure remote access PPP
server. Place it outside the firewall
Dial-out can be made secure by physically
isolating the computer or by using software to
isolate the LAN network interface from remote
access interface

28
Firewall Implementation

Buy a firewall product
Buy a complete product or
Configure from routing or proxy software
Determine your needs and evaluate your expertise
May need to outsource if the system administrator
is not competent

29
Firewall market

Cheapest - 14.95
Norton Personal Firewall 2001 2.5 by Symantec
Corporation
Most expensive - 9175.88
MAX 2024 ROUTER by Lucent technologies
The top three personal firewalls that are free
for personal use (but not for business) are
Sygate, Tiny and ZoneAlarm

30
What Firewalls can't protect against

Using unauthorized modems attached to computers
inside the firewall
Tunneling "bad" things over HTTP, SMTP, and
other protocols
Virus - There are too many ways of encoding
binary files for transfer over network.
Data driven attacks - Something is mailed to
internal host and then executed there (e.g. from
past Sendmail, Outlook, Java Applet, ActiveX
control)
Firewall protection method is REACTIVE. Any novel
method of attack will defeat it.

31
What Firewalls can't protect against

It is the human, stupid!
No cure for
Stupidity, Incompetence, Revenge and Betrayal

32
Conclusion

Firewall is not just a piece of hardware and
software
It must be part of the corporate culture and
policy and not a candy bar with "a hard, crunchy
outside with a soft, chewy center".
"It must be a part of a consistent overall
organizational security architecture."

33

References