Firewall Overview. EECS710 Fall 2006. Presenter: Michael Lea. Professor Hossein Saiedian.


1

Firewall Overview

EECS710 Fall 2006
Presenter: Michael Lea
Professor Hossein Saiedian

2

Firewalls

1. Firewall Defined
2. Benefits
3. Firewall Misconceptions
4. Firewall Technologies
5. Application and Design

3

Firewall

6. Deployment Methodology
7. Monitoring, Maintenance, and Support
8. Firewall Selection Criteria
9. Deployment Exercise
10. Question and Answer
11. Summary

4

Firewall Defined

• A firewall is a security device configured to permit, deny or proxy data connections

• Firewall rule sets are based upon the organization's security policy

• Firewalls can be hardware based, software based, or both

5

Firewall Defined

• A firewall's primary task is to control traffic between computer networks with different zones of trust

• Example of different zones: an internal (trusted) network and the Internet (untrusted)

6

Firewall Defined

• Firewalls are based on the least privilege principle and separation of duties
• Firewalls require an experienced administrator
– Considerable understanding of network protocols
– In-depth knowledge of security assurance

7

Benefits of a firewall

• Provide additional security
• Protection between a private and public network
• Provide internal protection within a private network for security access
• Controls to stop or limit the spread of a virus/worm
• Cost savings on circuit costs

8

Benefits of a firewall

• Business enabler
– Connect your company to the Internet
– Provide remote access

• Enforce Security Policy control by controlling network access

• Disaster Recovery

9

Firewall Misconceptions

• Security is holistic
• Firewalls can give a false sense of security
– Wireless network
– Small mistakes can render a firewall worthless as a security tool
– Modem bypass

10

Firewall Misconceptions

[Diagram: Internet, Internet Router, Firewall with Outside, Inside and DMZ interfaces; WWW Server and Email Server in the DMZ; an Internet Worm reaches the WWW Server because TCP 80 is open]

11

Firewall Misconceptions

[Diagram: Internet, Internet Router, Firewall with Outside and Inside interfaces; a Malicious Web Site serving ActiveX Controls and Java to a Web Surfer on the inside]

12

Firewall Technologies

• Application Firewall
• IPS
• Anti-X
• NAT/PAT
• HA
• VPN
• Content Filter

13

Application Firewall

• Provides protection to application servers
• Can provide protection to web servers
• Provides critical protection that IPS and other security tools cannot provide

14

Protection Provided for

• SQL Injection
• Cross-Site Scripting
• Command Injection
• Cookie/Session Poisoning
• Buffer Overflow
• Zero Day Attacks
• Many other attacks and hacks

15

SQL Injection

Standard Login – Web based Application

16

SQL Injection

User has access to view her salary information

17

SQL Injection

Hacker using SQL Injection

18

SQL Injection

Instead of authenticating the user, the query returns the salary results

19

SQL Injection

Hacker changes the payroll database

"SELECT * FROM TableSalary where EmployeeID='' OR 1=1; INSERT INTO TableSalary (EmployeeID, EmployeeName, Salary, IncomeTax, ProfessionalTax, HRA) VALUES (5,'Bad','$70,000', 0, 0, 0)--'"

20

SQL Injection

The results of the new salary change
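The slides show the injected string and its effect on the payroll table but not the code path that makes it possible. The following Python example is added here (it is not part of the presentation) to show the two lookups side by side on a constructed in-memory copy of TableSalary: the concatenated query from the slides, and the parameterized form that an application firewall's SQL injection signatures are a second line of defence for. The table rows and names are made up; the column layout follows the slide.

```python
import sqlite3

# Constructed sample payroll rows standing in for the slide's TableSalary
# (names and figures are made up for the example).
SAMPLE_ROWS = [
    (1, "Alice", "$50,000", 5000, 200, 1000),
    (2, "Bob", "$60,000", 6000, 200, 1200),
    (3, "Carol", "$55,000", 5500, 200, 1100),
]


def build_db():
    """Create an in-memory database with the slide's table layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TableSalary (EmployeeID INTEGER, EmployeeName TEXT, "
        "Salary TEXT, IncomeTax INTEGER, ProfessionalTax INTEGER, HRA INTEGER)"
    )
    conn.executemany("INSERT INTO TableSalary VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, employee_id):
    """Builds the statement by string concatenation, as in the slides.

    Whatever the user typed becomes part of the SQL text, so a value such as
    "' OR 1=1--" turns the WHERE clause into an always-true condition.
    """
    query = "SELECT * FROM TableSalary WHERE EmployeeID='" + employee_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, employee_id):
    """Hardened form: the value is bound as data and is never parsed as SQL."""
    query = "SELECT * FROM TableSalary WHERE EmployeeID=?"
    return conn.execute(query, (employee_id,)).fetchall()


def compare(employee_input):
    """Return (rows from the vulnerable lookup, rows from the parameterized lookup)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, employee_input), lookup_parameterized(conn, employee_input)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("2", "' OR 1=1--"):
        vuln, safe = compare(value)
        print(f"input {value!r}: concatenated query -> {len(vuln)} rows, "
              f"parameterized query -> {len(safe)} rows")
```

With the legitimate input "2" both lookups return Bob's single row; with the always-true input the concatenated query returns every salary while the parameterized query returns nothing, because the driver compares the whole string against EmployeeID as a value. The stacked INSERT on the next slide additionally needs a driver that executes several statements in one call; the sqlite3 module's execute() refuses that, which is one more reason to keep database calls to single, parameterized statements.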

21

IPS

Intrusion Protection Systems provide deep packet inspection to protect network assets

22

IPS

Provide protection against attacks
• Protects critical network infrastructure
• Protects servers from worms
• Provides zero-day attack protection

23

Anti-X

Provides protection from the following threats:
• Spyware
• Spam
• Malware
• Phishing attempts
• Viruses

24

NAT/PAT

NAT (Network Address Translation)
• Used to map a public address to a private address
• Also known as network masquerading or IP masquerading
• Involves re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall
• Private network addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x
• Can also be utilized when address spaces overlap

25

NAT/PAT

NAT Example (diagram): Internet on the outside with public address 23.2.29.30; firewall inside address 10.1.1.1; Email Server 10.1.1.10 and Web Server 10.1.1.20 on the inside.

NAT Rule
Map 23.2.29.30 -> 10.1.1.10
Map 23.2.29.30 -> 10.1.1.20

26

NAT Overloading

• NAT overloading is used to conserve address space
• Only 4,294,967,296 addressable host devices with IPv4
• NAT overload utilizes unique TCP or UDP source ports (1024-65535)

27

PAT

PAT Example (diagram): Internet on the outside with registered address 23.2.29.30; firewall inside address 10.1.1.1; Email Server 10.1.1.10 and Web Server 10.1.1.20 on the inside.

PAT Rule
Map 23.2.29.30 TCP 80 (WWW), TCP 443 -> 10.1.1.20
Map 23.2.29.30 TCP 25 (SMTP) -> 10.1.1.10 (25)

*** PAT only requires one registered address
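To make the difference between the NAT and PAT slides concrete, here is an added Python model (not from the presentation, and not how any vendor implements it) of the two translation tables: a one-to-one static NAT like the PIX "static (inside,outside)" rule in the deployment exercise, and a PAT table that lets many inside hosts share the single registered address 23.2.29.30 by handing each connection its own source port from the 1024-65535 range. The inbound port maps are the ones on the PAT slide; the outbound connections are constructed.

```python
from itertools import count


class StaticNat:
    """One-to-one NAT: each public address is tied to exactly one inside host."""

    def __init__(self, public_to_private):
        self.pub_to_priv = dict(public_to_private)
        self.priv_to_pub = {priv: pub for pub, priv in self.pub_to_priv.items()}

    def outbound(self, inside_ip):
        # Rewrite the source address of a packet leaving the inside network.
        return self.priv_to_pub.get(inside_ip)

    def inbound(self, public_ip):
        # Rewrite the destination address of a packet arriving from outside.
        return self.pub_to_priv.get(public_ip)


class PatTable:
    """NAT overload (PAT): many inside hosts share one registered address and
    are told apart by a unique translated source port."""

    def __init__(self, public_ip, static_ports=None):
        self.public_ip = public_ip
        # Inbound port maps such as the slide's TCP 25 -> 10.1.1.10.
        self.static_ports = dict(static_ports or {})
        self.outbound = {}   # (proto, inside_ip, inside_port) -> translated port
        self.inbound = {}    # (proto, translated port) -> (inside_ip, inside_port)
        self._next_port = count(1024)

    def _allocate(self, proto):
        # Hand out the lowest unused port that no static map has reserved.
        for port in self._next_port:
            if port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            if (proto, port) not in self.inbound and (proto, port) not in self.static_ports:
                return port

    def translate_outbound(self, proto, src_ip, src_port):
        """Return the (public_ip, port) that a connection from src_ip:src_port appears as."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            port = self._allocate(proto)
            self.outbound[key] = port
            self.inbound[(proto, port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, proto, dst_port):
        """Return the inside (ip, port) for traffic arriving at public_ip:dst_port,
        or None when neither a static map nor an existing translation exists
        (the firewall drops such unsolicited traffic)."""
        if (proto, dst_port) in self.static_ports:
            return self.static_ports[(proto, dst_port)]
        return self.inbound.get((proto, dst_port))


if __name__ == "__main__":
    nat = StaticNat({"209.164.3.5": "192.168.2.57"})
    print("static inbound 209.164.3.5 ->", nat.inbound("209.164.3.5"))
    pat = PatTable("23.2.29.30", {("tcp", 80): ("10.1.1.20", 80),
                                  ("tcp", 443): ("10.1.1.20", 443),
                                  ("tcp", 25): ("10.1.1.10", 25)})
    print("inbound tcp/25 ->", pat.translate_inbound("tcp", 25))
    print("inbound tcp/22 ->", pat.translate_inbound("tcp", 22))
    print("outbound 10.1.1.10:40000 ->", pat.translate_outbound("tcp", "10.1.1.10", 40000))
    print("outbound 10.1.1.20:40000 ->", pat.translate_outbound("tcp", "10.1.1.20", 40000))
```

Two inside hosts using the same source port 40000 come out as 23.2.29.30:1024 and 23.2.29.30:1025, which is the "unique source port" the NAT Overloading slide refers to; a packet arriving for a port with neither a static map nor a live translation has nowhere to go, which is the implicit protection PAT gives inside hosts.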

28

HA

High Availability

29

VPN

• VPN provides a secure connection across an untrusted network by utilizing encryption
• VPN can be used for wide area connectivity
• VPN can be used for host based connections
• Can be utilized for a backup connection

30

VPN Deployment

Site-to-Site Deployment

31

VPN Client Deployment

• SSL VPN
• IPSEC
• Security checks on local client
– Check for virus protection
– Check for key stroke logger
– Provide for client clean up after session is completed


33

VPN Split Tunneling

34

VPN Best Practices

• Utilize AES 256 bit
• Utilize security checks on clients
• Disable split tunneling
• Utilize two factor authentication to include two of the following
– Token based authentication
– Password
– Biometrics

35

Content Filtering

• Used to filter access to web sites
• Can also limit access to other services such as IM, FTP, P2P, and other services
• Provides for additional security
– Phishing protection
– Malicious sites blocked
• Provides for monitoring of employee activity
• Controls employee access based on HR policies

36

Content Filtering

Typical Content Filtering Deployment

37

Deployment

Simple Firewall Deployment

[Diagram: Internet, Internet Router, Firewall with Outside, Inside and DMZ interfaces; WWW Server and Email Server in the DMZ]

38

Multiple Firewall Deployment

[Diagram: Multiple Firewall Deployment: Internet, Internet Router, Firewall with Outside, Inside and DMZ interfaces; WWW Server and Email Server in the DMZ; additional firewalls, each with its own Outside and Inside interfaces, in front of the Data Center, the Branch Office and the Business Partner connections]

39

Deployment Best Practices

• Test deployment before placing into production
• Verify all features and functions
• Verify security
• Run security tests against the firewall deployment to test security

40

Monitoring, Maintenance, and Support

• Monitoring must take place or security incidents may go unnoticed and undetected
• To maintain ongoing security assurance the firewall must be monitored, maintained, and supported
• Firewalls that do not receive appropriate ongoing maintenance will be less effective as new security threats arise
• Vendor support must be maintained or new security threats will be able to exploit the firewall

41

Monitoring

• At a minimum firewall logs should be monitored on a daily basis

• Firewall alerts that register high should be reacted to in real time

42

Monitoring SIM

SIM (Security Incident Management)
• Provides a central logging point for all security reporting devices
• Built-in rule set to provide event correlation from security devices
• Centralizes security monitoring

43

SIM

Correlates data from
• Syslog
• SNMP
• SDEE
• Netflow
• Endpoint event logs

44

SIM

45

SIM Benefits

• Centralized Repository for Security Events

• Classification of security incidents
• Rapidly locate and mitigate an attack
• Reduction of false positives
• Leverage your investment in security equipment
• Reduction of security events with the use of correlation
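The Monitoring and SIM slides say that logs must be reviewed daily, that high-rated alerts need a real-time reaction, and that correlation reduces the event count. The Python example below is added to show the smallest version of that correlation step; it is not the presentation's code nor any SIM product's. It parses constructed firewall deny/permit lines in a simplified syslog-like layout (not a real vendor format; the addresses are documentation ranges), groups denies per source, and turns a burst of denies across many destination ports into one high-severity alert while summarising everything else as a low-severity count.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines in a simplified syslog-like layout (not a real
# vendor format). 198.51.100.7 is denied on six ports within ten seconds;
# 203.0.113.9 trips two isolated denies half an hour apart; one line is a permit.
SAMPLE_LOG = """\
Dec 21 10:00:01 fw1 deny tcp 198.51.100.7:51000 -> 209.164.3.5:21
Dec 21 10:00:02 fw1 deny tcp 198.51.100.7:51001 -> 209.164.3.5:22
Dec 21 10:00:03 fw1 permit tcp 198.51.100.7:51002 -> 209.164.3.5:25
Dec 21 10:00:04 fw1 deny tcp 198.51.100.7:51003 -> 209.164.3.5:23
Dec 21 10:00:05 fw1 deny tcp 203.0.113.9:40000 -> 209.164.3.5:80
Dec 21 10:00:06 fw1 deny tcp 198.51.100.7:51004 -> 209.164.3.5:80
Dec 21 10:00:08 fw1 deny tcp 198.51.100.7:51005 -> 209.164.3.5:443
Dec 21 10:00:09 fw1 deny tcp 198.51.100.7:51006 -> 209.164.3.5:3389
Dec 21 10:30:00 fw1 deny tcp 203.0.113.9:40001 -> 209.164.3.5:80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>deny|permit) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line, year=2006):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Syslog timestamps carry no year; supply one so the events can be ordered.
    event["ts"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def correlate(log_text, window_seconds=60, port_threshold=5):
    """Collapse raw deny events into one alert per source.

    A source denied on port_threshold or more distinct destination ports within
    window_seconds becomes a high-severity alert; other sources are reported as
    a low-severity count, so the analyst sees one line per source rather than
    one line per packet. Returns (number of raw events, list of alerts).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            denies[e["src"]].append(e)

    alerts = []
    for src, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        severity = "low"
        # Slide a window over the sorted events and count distinct ports in it.
        for i, start in enumerate(evs):
            ports = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                ports.add(e["dport"])
            if len(ports) >= port_threshold:
                severity = "high"
                break
        alerts.append({"src": src, "severity": severity, "denies": len(evs),
                       "first": evs[0]["ts"], "last": evs[-1]["ts"]})
    alerts.sort(key=lambda a: (a["severity"] != "high", a["src"]))
    return len(events), alerts


if __name__ == "__main__":
    total, alerts = correlate(SAMPLE_LOG)
    print(f"{total} raw events reduced to {len(alerts)} alerts")
    for alert in alerts:
        print(alert)
```

Nine raw lines become two alerts, with the port sweep from 198.51.100.7 at the top as the one that warrants a real-time reaction; the two isolated denies from 203.0.113.9 are still recorded for the daily review but do not page anyone. Thresholds and windows are the tuning knobs the SIM Benefits slide calls "reduction of false positives".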

46

Maintenance

• Monitor your vendor for security updates and/or patches
• Run periodic security assessments against your firewall (inside and outside assessments)
• Verify that the firewall software level is up to date
• Monitor the industry for new technologies
• Keep a close watch within the security community for new attack vectors

47

Support

• Maintain ongoing support contracts on equipment while it is in production

• Have skilled staff to support your firewall or outsource the activity to a Security Service provider

48

Firewall Selection

When making a firewall purchase the following items should be considered:
• Security
• Features (IPS, AV control, etc.)
• Cost
• Maintenance cost

49

Firewall Selection

• Vendor support model
• Logging and monitoring support
• Performance requirements
– Maximum connections
– Maximum connections/second
– Maximum firewall throughput

50

Firewall Selection

• Future scaling requirements
• HA (Active/Active, Active/Passive or None)
• Content filtering
• Number of supported interfaces
• Types of supported interfaces (Fiber, Copper, and/or WAN)

51

Firewall Selection

• Management software (single firewall or enterprise management)
• Reliability (MTBF)
• Routing protocol support

52

Summary

Firewalls are an integral part of a network that provides for security assurance

Firewalls are constantly changing as information security technology changes

As technology changes it is critical for security managers and decision makers to adapt to new security threats and challenges

53

Deployment Exercise

SMTP Deployment

54

Deployment Exercise

!--- Define the IP address for the inside interface.
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

55

Deployment Exercise

!--- Define the IP address for the outside interface.
interface Ethernet4
 nameif outside
 security-level 0
 ip address 209.164.3.1 255.255.255.248

56

Deployment Exercise

!--- Create an access list that permits Simple Mail Transfer Protocol (SMTP)
!--- traffic from anywhere to the host at 209.164.3.5 (our server). The name
!--- of this list is smtp. Add additional lines to this access list as required.
!--- Note: There is one and only one access list allowed per interface per
!--- direction (for example, inbound on the outside interface).
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp

57

Deployment Exercise

!--- Specify that any traffic that originates inside from the 192.168.2.x
!--- network NATs (PAT) to 209.164.3.1 if such traffic passes through the
!--- outside interface.
global (outside) 1 209.164.3.1
nat (inside) 1 192.168.2.0 255.255.255.0

58

Deployment Exercise

!--- Define a static translation between 192.168.2.57 on the inside and

!--- 209.164.3.5 on the outside. These are the addresses to be used by

!--- the server located inside the PIX Firewall.

static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255

59

Deployment Exercise

!--- Apply the access list named smtp inbound on the outside interface.

access-group smtp in interface outside

60

Deployment Exercise

!--- Instruct the PIX to hand any traffic destined for 192.168.x.x
!--- to the router at 192.168.1.2.

route inside 192.168.0.0 255.255.0.0 192.168.1.2 1

61

Deployment Exercise

!--- Set the default route to 209.164.3.2.
!--- The PIX assumes that this address is a router address.

route outside 0.0.0.0 0.0.0.0 209.164.3.2 1

62

Deployment Exercise

!--- SMTP/ESMTP is inspected as "inspect esmtp" is included in the map.

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp

63

Deployment Exercise

Control access from our SP Spool server

Original config:
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp

To allow only 202.202.202.25:
access-list smtp extended permit tcp host 202.202.202.25 host 209.164.3.5 eq smtp
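The exercise's last step replaces "any" with a single permitted source host. To show what the firewall does with the two versions of the smtp access list, here is an added Python evaluator (it is not the presentation's code and not the PIX implementation; it parses only the subset of the "access-list ... extended" syntax the exercise uses: any/host endpoints and an optional eq port, with smtp/www/https as the recognised port names). It applies first-match semantics with the implicit deny at the end of every access list, which is the rule that makes the restricted version reject every other source.

```python
import re

# Port names the exercise uses in place of numbers; assumed subset for this example.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$"
)


def _endpoint(text):
    """'any' (None) matches every address; 'host X' matches exactly X."""
    return None if text == "any" else text.split()[1]


def _port(text):
    """Translate an 'eq' operand; None means the entry matches every port."""
    if text is None:
        return None
    if text.isdigit():
        return int(text)
    if text in PORT_NAMES:
        return PORT_NAMES[text]
    raise ValueError(f"unknown port name {text!r}")


def parse_acl(lines):
    """Parse the supported subset of access-list lines into access control entries."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported or malformed line: {line!r}")
        aces.append({
            "name": m["name"],
            "action": m["action"],
            "proto": m["proto"],
            "src": _endpoint(m["src"]),
            "dst": _endpoint(m["dst"]),
            "dport": _port(m["port"]),
        })
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; a packet that matches no entry hits the implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] is not None and ace["src"] != src_ip:
            continue
        if ace["dst"] is not None and ace["dst"] != dst_ip:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"]
    return "deny"


# The two versions of the list from the deployment exercise.
ORIGINAL = ["access-list smtp extended permit tcp any host 209.164.3.5 eq smtp"]
RESTRICTED = ["access-list smtp extended permit tcp host 202.202.202.25 host 209.164.3.5 eq smtp"]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("restricted", RESTRICTED)):
        aces = parse_acl(acl)
        for src in ("202.202.202.25", "198.51.100.7"):  # 198.51.100.7 is a constructed outside host
            verdict = evaluate(aces, "tcp", src, "209.164.3.5", 25)
            print(f"{label}: tcp {src} -> 209.164.3.5:25 => {verdict}")
```

Note that the destination in the entry is the public address 209.164.3.5 that the static translation maps to 192.168.2.57, exactly as the exercise writes it; the evaluator checks the address the packet carries on the outside interface, and a request for any other port (80, say) or from any other source than 202.202.202.25 under the restricted list falls through to the implicit deny.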

64

Question and Answer

65
