firewall essentials
DESCRIPTION
Firewall training
TRANSCRIPT
![Page 1: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/1.jpg)
By Sylvain Maret / Datelec Networks SA, March 2000
![Page 2: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/2.jpg)
Welcome to Introduction to Firewall Essentials
This course is intended to provide you with an understanding of key concepts and theories associated with firewalls, security policies and attacks directed toward your network.
![Page 3: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/3.jpg)
Course Objectives
Understand firewall basics, including the definition of a firewall, firewall functions and the need for firewalls
Understand firewall technologies, including TCP/IP basics, routers and application-level gateways (proxies)
![Page 4: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/4.jpg)
Course Objectives (cont.)
Understand security hazards
Understand cryptography, including the need for encryption and virtual private networks (VPNs)
![Page 5: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/5.jpg)
Course Map
Firewall Essentials Unit I
Chapter 1: What is a Firewall?
Chapter 2: Types of Firewalls
Chapter 3: How Firewalls Work
![Page 6: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/6.jpg)
Course Map
Firewall Essentials Unit II
Chapter 1: The Need for a Firewall
Chapter 2: Security Hazards
![Page 7: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/7.jpg)
Course Map
Firewall Essentials Unit III
Chapter 1: Firewall Features
Chapter 2: Security Policies
Open Discussion
![Page 8: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/8.jpg)
Unit I - Chapter 1: What is a Firewall?
![Page 9: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/9.jpg)
Securing a Network
Diagram: visiting packets pass through the firewall before they reach the network.
![Page 10: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/10.jpg)
Placed at the entrance to an organization’s intranet
Placed inside an internal network
Placed between a RAS (remote access server) and the internal network
It is the check point for communication to an outside network
Firewall Location
![Page 11: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/11.jpg)
Diagram, Firewall Location: the Internet connects through a firewall/router to the company intranet; a second firewall separates the restricted network (corporate data center) from the rest of the intranet.
Firewall Location
![Page 12: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/12.jpg)
Network packet (layer 3)
Network session (layer 7)
Communicating Across a Network
![Page 13: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/13.jpg)
Contains all the information required to route it to the final destination
Contains the information to deliver it to the correct application on the destination system
Five header fields (source and destination address, protocol, source and destination port) are needed to route it and hand it to the right application
Network Packet
![Page 14: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/14.jpg)
IP Packet Components
Comparing an IP Packet with a Letter Address

| IP packet field | U.S. Mail address equivalent | Comments |
|---|---|---|
| Destination IP address | Street address and zip code | Each host on an IP internet or intranet must have a unique IP address |
| Protocol | Organization name | The standard protocols above IP are TCP and UDP |
| Destination port number | Recipient name | Identifies the network application to receive the packet |
| Source IP address | Sender’s return address | So the application knows where to send replies |
| Source port number | Sender’s name | Identifies the application on the sending host for return packets |
![Page 15: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/15.jpg)
Network - similar to a zip code, the primary information used by routers to deliver the packet to the correct LAN
Host - similar to the street address, directs the packet to the correct host on the LAN
Division of IP Address
![Page 16: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/16.jpg)
Diagram, “Mailing” a Letter: a packet addressed To: 204.32.38.102 leaves a LAN of hosts 192.38.1.1 to 192.38.1.4 and is routed to the LAN holding 204.32.38.102 to 204.32.38.105, where the host part of the address selects the destination machine.
“Mailing” a Letter
![Page 17: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/17.jpg)
The total data sent between an initial request and the completion of that request
Evident at the user or application level of the protocol stack
Network Session
![Page 18: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/18.jpg)
Access Control
Authentication
Activity Logging
Other Firewall Services
Standard Firewall Services
![Page 19: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/19.jpg)
Allows the firewall to consider the network interface on which a packet enters, not only the addresses it carries
Prevents or limits IP spoofing: a packet claiming an internal source address should never arrive on the external interface
Default stance toward the outside: “Don’t talk to me unless I talk to you first” (inbound packets are admitted only as replies to connections started from inside)
Access Control
![Page 20: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/20.jpg)
Based on the user, not on the IP address
Standard methods have usually relied on passwords, smartcards or tokens
Authentication
![Page 21: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/21.jpg)
Allows the firewall to record information concerning all successful and failed session attempts
Referred to as an audit log
Activity Logging
![Page 22: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/22.jpg)
Proxy Applications
Virus Scanning
Address Mapping
Virtual Private Networks (VPN)
Other Firewall Services
![Page 23: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/23.jpg)
Three classes of firewall administrator interfaces:
Text-file based administration
Text-menu based administration
GUI-based administration
Firewall Administration Interfaces
![Page 24: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/24.jpg)
Popular in routers and homegrown firewalls
Interface of choice for UNIX administrators
Easier to make errors
Text-File Based Administration
![Page 25: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/25.jpg)
Reduces likelihood of errors
Less flexibility of control
Limited visual feedback to changes made
Text-Menu Based Administration
![Page 26: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/26.jpg)
Most prominent
Easier to use
Less prone to errors
GUI-Based Administration
![Page 27: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/27.jpg)
A firewall can reduce the vulnerabilities on a network, not eliminate them
Firewalls act as filters: they enforce policy only on the traffic that passes through them
Actual Security Provided
![Page 28: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/28.jpg)
Unit I - Chapter 2: Types of Firewalls
![Page 29: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/29.jpg)
Packet Filter
Application-Level Gateway
Stateful Inspection
Three Basic Types of Firewalls
![Page 30: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/30.jpg)
Often implemented as filtering routers with a set of simple rules
Determines whether a packet should pass based on the source and destination information in its headers (addresses, protocol, port numbers)
Process is performed at the kernel level, packet by packet, without keeping track of connections
Packet Filter Firewall
![Page 31: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/31.jpg)
Less secure than application-level gateway firewalls: it sees only header fields and has no notion of the application or the session
Packet Filter Firewall (cont.)
![Page 32: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/32.jpg)
Diagram, Packet Filtering Firewall: packets arriving from Network 1, 2 or 3 are filtered and routed at the kernel level; each is either passed or dropped, and nothing is handled at the application level.
Packet Filtering Firewall
![Page 33: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/33.jpg)
Does not allow packets to pass directly between networks
Original connections are made to a proxy on the firewall
Application-level Gateway Firewall
![Page 34: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/34.jpg)
Requires a separate application for each network service
TELNET
FTP
WWW
Application-level Gateway Firewall (cont.)
![Page 35: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/35.jpg)
Diagram, Application-level Gateway Firewall: packets from Network 1, 2 or 3 are routed at the kernel level to a proxy at the application level; only the proxy talks to the other side.
Application-level Gateway Firewall
![Page 36: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/36.jpg)
Aims to provide the highest level of firewall security by performing the following functions:
Accessing, analyzing and utilizing communication information
Communication-derived state
Application-derived state
Information Manipulation
Stateful Packet Filtering
![Page 37: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/37.jpg)
Communication information
Information from all seven layers of the protocol stack, not only the network and transport headers
Stateful Inspection
![Page 38: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/38.jpg)
Communication-derived state
State information derived from previous communications
Stateful Inspection
![Page 39: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/39.jpg)
Application-derived state
State information derived from other applications
Stateful Inspection
![Page 40: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/40.jpg)
Information manipulation
Evaluation of flexible expressions based on the following:
communication information
communication-derived state
application-derived state
Stateful Inspection
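The communication-derived state described above, as an added example that is not part of the course material: a small TCP state table that lets inside hosts open connections and admits inbound packets only when they belong to a connection already in the table. Addresses reuse the course's 10.56.x / 10.122.x networks; the permitted outbound ports and the packet sequence are constructed for the demo.

```python
"""Stateful inspection in miniature: a TCP state table that admits inbound
packets only when they belong to a connection already opened from inside.
Added example; not from the original course material."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    iface: str          # "inside" or "outside": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFilter:
    """Communication-derived state: the dynamic table is built from the SYNs
    we let out and consulted for every later packet of the same 4-tuple."""

    def __init__(self, outbound_ports):
        self.outbound_ports = set(outbound_ports)   # services inside hosts may open
        self.table = {}                             # initiator 4-tuple -> state dict

    def inspect(self, p: TcpPacket) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)      # key if p flows initiator -> responder
        rev = (p.dst, p.dport, p.src, p.sport)      # key if p is the responder's reply
        key = fwd if fwd in self.table else rev if rev in self.table else None

        if key is None:
            # No state: the only packet that may create some is a bare SYN from
            # the inside to a permitted port ("don't talk to me unless I talk to you first").
            if p.iface == "inside" and p.flags == frozenset({"SYN"}) and p.dport in self.outbound_ports:
                self.table[fwd] = {"state": "SYN_SENT", "fins": 0}
                return "PASS"
            return "DROP"

        st = self.table[key]
        if "RST" in p.flags:
            del self.table[key]                     # connection torn down abruptly
        elif "FIN" in p.flags:
            st["fins"] += 1
            if st["fins"] >= 2:                     # both sides have closed
                del self.table[key]
        elif key == rev and st["state"] == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            st["state"] = "ESTABLISHED"             # responder completed the handshake
        return "PASS"


def telnet_session_demo():
    """Walk one Telnet session through the filter and try unsolicited packets
    from outside. Addresses follow the course's example networks."""
    fw = StatefulFilter(outbound_ports={23, 25, 80})
    S, SA, A, FA = (frozenset(x) for x in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}))
    inside, outside = "10.56.2.98", "10.122.6.11"
    steps = [
        TcpPacket("inside",  inside, 23567, outside, 23, S),      # handshake from inside
        TcpPacket("outside", outside, 23, inside, 23567, SA),
        TcpPacket("inside",  inside, 23567, outside, 23, A),
        # A static rule trusting source port 23 would pass this; with state
        # tracking it matches no connection and is dropped.
        TcpPacket("outside", outside, 23, inside, 6000, A),
        TcpPacket("outside", outside, 40001, inside, 23, S),      # unsolicited SYN from outside
        TcpPacket("inside",  inside, 23567, outside, 23, FA),     # orderly close, both sides
        TcpPacket("outside", outside, 23, inside, 23567, FA),
        TcpPacket("outside", outside, 23, inside, 23567, A),      # stray packet after close
    ]
    return [fw.inspect(p) for p in steps]


if __name__ == "__main__":
    print(telnet_session_demo())
```

A real engine also expires idle entries and checks sequence numbers; the table above is enough to show why the fourth and fifth packets are dropped even though their headers look like legitimate Telnet traffic to a static filter.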
![Page 41: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/41.jpg)
Diagram, Check Point’s FireWall-1 Stateful Inspection: the inspection engine and its dynamic state tables sit between two complete protocol stacks (Physical, Data Link, Network, Transport, Session, Presentation, Application); packets are intercepted at the network layer and inspected using information from all layers.
Check Point’s FireWall-1 Stateful Inspection
![Page 42: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/42.jpg)
Comparison of Firewall Architecture

| Firewall capability | Packet Filters | Application-Level Gateways | Stateful Inspection |
|---|---|---|---|
| Communication information | Partial | Partial | Yes |
| Communication-derived state | No | Partial | Yes |
| Application-derived state | No | Yes | Yes |
| Information manipulation | Partial | Yes | Yes |
![Page 43: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/43.jpg)
Unit I - Chapter 3: How Firewalls Work
![Page 44: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/44.jpg)
Identify the packet processing locations on a firewall
Describe packet filtering and its limitations
Describe proxy applications and their limitations
Identify user authentication
Describe firewall auditing
How Firewalls Work: Objectives
![Page 45: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/45.jpg)
Application Level: proxy services
Kernel Level: routers and host-based packet filters
Network Interface Card (NIC) Level
Packet Processing Locations
![Page 46: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/46.jpg)
Diagram, Packet Processing Locations Within a Firewall: the three possible processing locations are a proxy at the application level, the kernel level, and the network card level.
Packet Processing Locations Within a Firewall
![Page 47: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/47.jpg)
May occur at any one of the processing locations
Most often supported at the NIC or kernel level
Passes or drops a packet based on header fields: source and destination IP addresses, protocol and port numbers
Packet Filtering
![Page 48: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/48.jpg)
Fields of Interest for Packet Filtering

| Field | Purpose |
|---|---|
| Source IP address | Host address of the sender |
| Destination IP address | Host address of the service provider |
| Upper-level protocol | Different protocols (TCP, UDP, ICMP, ...) offer different services |
| TCP source port number | An ephemeral port chosen by the sending host, usually above 1023; the sender controls it, so a rule that trusts it is weak |
| TCP destination port number | Indicates the service requested, such as Telnet (23) or HTTP (80) |
![Page 49: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/49.jpg)
Diagram, HTTP Filtering: a router with an HTTP-only filter passes the HTTP packet and drops the FTP packet.
HTTP Filtering
![Page 50: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/50.jpg)
Example Rule List

| Rule number | Source address | Destination address | Protocol | Source port number | Action |
|---|---|---|---|---|---|
| 1 | 10.56.2.99 | * | * | * | Drop |
| 2 | 10.56.* | 10.122.* | TCP | * | Pass |
| 3 | 10.122.* | 10.56.* | TCP | 23 | Pass |
| 4 | * | 10.56.* | TCP | * | Pass |
| 5 | * | * | * | * | Drop |

Rules are evaluated top to bottom and the first match decides; rule 5 is the default deny.
![Page 51: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/51.jpg)
Example Packets and Resulting Actions

| Source address | Destination address | Protocol | Source port number | Destination port number | Action taken | Match rule # |
|---|---|---|---|---|---|---|
| 10.56.2.98 | 10.122.6.11 | TCP | 23567 | 23 (Telnet) | Pass | 2 |
| 10.56.2.99 | 10.122.6.11 | TCP | 6723 | 23 (Telnet) | Drop | 1 |
| 10.56.2.98 | 10.122.6.11 | other | 23568 | 23 (Telnet) | Drop | 5 |
| 10.122.34.9 | 10.56.2.5 | TCP | 23 | 98455 | Pass | 3 |
| 10.122.23.1 | 10.56.2.98 | TCP | 1543 | 25 (mail) | Pass | 4 |

(The fourth packet’s destination port appears on the slide as 98455, which is outside the 16-bit port range; the point of the row is that rule 3 passes any destination port as long as the source port is 23.)
![Page 52: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/52.jpg)
Some rules leave open doors to the network: in the example list, rule 4 passes any TCP packet from anywhere into 10.56.*, and rule 3 trusts a source port of 23, which the sender chooses freely
Difficult to determine exactly what the combined rules permit, because ordering and wildcards interact
Limitations of Packet Filtering
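The rule list and the example packets from the two slides above, evaluated by a first-match filter, as an added example that is not part of the course. It reproduces the slide's five results and then shows the two open doors in the list. The packets are constructed here; the slide's out-of-range destination port 98455 is replaced by 8455, and 192.0.2.7 stands for an unrelated outside host.

```python
"""First-match packet filter evaluation over the course's example rule list.
Added example; not part of the original slides."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # exact address, prefix wildcard such as "10.56.*", or "*"
    dst: str
    proto: str    # "TCP", "UDP", ... or "*"
    sport: str    # source port as a string, or "*"
    action: str   # "Pass" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def addr_matches(pattern: str, addr: str) -> bool:
    """'*' matches everything; '10.56.*' matches any address beginning '10.56.'."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return addr.startswith(pattern[:-1])   # keeps the trailing dot
    return pattern == addr


# The five rules from the "Example Rule List" slide; rule 5 is the default deny.
RULES = [
    Rule(1, "10.56.2.99", "*",        "*",   "*",  "Drop"),
    Rule(2, "10.56.*",    "10.122.*", "TCP", "*",  "Pass"),
    Rule(3, "10.122.*",   "10.56.*",  "TCP", "23", "Pass"),
    Rule(4, "*",          "10.56.*",  "TCP", "*",  "Pass"),
    Rule(5, "*",          "*",        "*",   "*",  "Drop"),
]


def evaluate(packet: Packet, rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule; implicit Drop if none."""
    for r in rules:
        if (addr_matches(r.src, packet.src) and addr_matches(r.dst, packet.dst)
                and r.proto in ("*", packet.proto)
                and r.sport in ("*", str(packet.sport))):
            return r.action, r.number
    return "Drop", None


# The packets from the "Example Packets and Resulting Actions" slide, constructed
# here (8455 replaces the slide's 98455, which is not a valid 16-bit port).
SLIDE_PACKETS = [
    Packet("10.56.2.98",  "10.122.6.11", "TCP",   23567, 23),
    Packet("10.56.2.99",  "10.122.6.11", "TCP",   6723,  23),
    Packet("10.56.2.98",  "10.122.6.11", "other", 23568, 23),
    Packet("10.122.34.9", "10.56.2.5",   "TCP",   23,    8455),
    Packet("10.122.23.1", "10.56.2.98",  "TCP",   1543,  25),
]


def slide_results():
    return [evaluate(p) for p in SLIDE_PACKETS]


def open_doors():
    """Two packets the list lets in that the author probably did not intend:
    one from an unrelated network straight to Telnet on an inside host (rule 4),
    and one from 10.122.* to any port as long as the sender picks source port 23 (rule 3)."""
    return [
        evaluate(Packet("192.0.2.7",    "10.56.2.98", "TCP", 40000, 23)),
        evaluate(Packet("10.122.99.99", "10.56.2.98", "TCP", 23,    6000)),
    ]


if __name__ == "__main__":
    for p, (action, rule) in zip(SLIDE_PACKETS, slide_results()):
        print(p, "->", action, "by rule", rule)
    print("open doors:", open_doors())
```

Reviewing a rule list this way, by feeding it the packets an attacker would send rather than the ones the author had in mind, is the practical answer to "difficult to determine exactly what the rules permit".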
![Page 53: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/53.jpg)
Applications on proxy gateways that act on behalf of the user requesting service through the firewall
Proxy Applications
![Page 54: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/54.jpg)
Diagram, Connection Process Using an Application-level Gateway: (1) the user connects to the proxy at the application level of the firewall, (2) the proxy consults the authorization database, (3) the proxy opens a second connection from the firewall to the destination host, (4) data is shuttled between the two connections.
Connection Process Using an Application-level Gateway
![Page 55: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/55.jpg)
1 User first establishes a connection to the proxy application on the firewall
2 The proxy application gathers information concerning the connection and the requesting user
Connection Process
![Page 56: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/56.jpg)
3 This information is used to determine whether the request should be permitted - if approved, the proxy creates another connection from the firewall to the intended destination
Connection Process (cont.)
![Page 57: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/57.jpg)
4 The proxy shuttles the user data from one connection to the other
Connection Process (cont.)
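The four-step connection process above, as an added example that is not part of the course: a proxy that accepts the client's connection, reads who is asking and for what, checks an authorization database, opens its own connection to the destination and shuttles the reply back. Everything runs on the loopback interface; the one-line request header format, the authorization table and the upper-casing "destination server" are all constructed for the demo.

```python
"""Application-level gateway in miniature: the client connects to the proxy,
the proxy gathers (user, destination), authorizes the request, opens its own
connection to the destination and shuttles the reply back. Added example, not
from the course; runs entirely on the loopback interface."""
import socket
import threading

# Constructed authorization database: user -> destination hosts they may reach.
AUTH_DB = {"alice": {"127.0.0.1"}}


def authorized(user: str, host: str) -> bool:
    return host in AUTH_DB.get(user, set())


def recv_all(sock: socket.socket) -> bytes:
    """Read until the peer shuts down its sending side."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def serve_once(handler) -> int:
    """Listen on an ephemeral loopback port, handle one connection in a thread,
    and return the port number."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(10)

    def run():
        try:
            conn, _ = lsock.accept()
        except OSError:
            return                      # nobody connected (request was denied upstream)
        finally:
            lsock.close()
        with conn:
            handler(conn)

    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]


def destination_handler(conn):
    """The protected server: answers with the request in upper case."""
    conn.sendall(recv_all(conn).upper())


def proxy_handler(conn):
    request = recv_all(conn)                              # 1: client talks only to the proxy
    header, _, body = request.partition(b"\n")
    user, host, port = header.decode().split()            # 2: who is asking, for what
    if not authorized(user, host):                        # 3: consult the authorization database
        conn.sendall(b"403 denied by proxy\n")
        return
    with socket.create_connection((host, int(port)), timeout=5) as dest:  # proxy's own second connection
        dest.sendall(body)
        dest.shutdown(socket.SHUT_WR)
        conn.sendall(recv_all(dest))                      # 4: shuttle the reply to the user


def client_via_proxy(proxy_port: int, user: str, host: str, port: int, payload: bytes) -> bytes:
    """Direct-connection style client: the first line names the user and the destination."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"{user} {host} {port}\n".encode() + payload)
        s.shutdown(socket.SHUT_WR)
        return recv_all(s)


def demo(user: str) -> bytes:
    dest_port = serve_once(destination_handler)
    proxy_port = serve_once(proxy_handler)
    return client_via_proxy(proxy_port, user, "127.0.0.1", dest_port, b"hello via the gateway")


if __name__ == "__main__":
    print(demo("alice"))     # the destination's upper-cased reply
    print(demo("mallory"))   # refused at step 3, destination never contacted
```

The point to notice is that no packet from the client ever reaches the destination: when the request is denied, the destination listener never sees a connection at all, which is what "does not allow packets to pass directly between networks" means in practice.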
![Page 58: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/58.jpg)
Initial connection must go through the proxy application on the firewall, not to the intended destination
Proxy application must obtain the IP address of the intended destination
Proxy Challenges
![Page 59: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/59.jpg)
Direct Connection
Modified Client
Invisible Proxy
Proxy Connections
![Page 60: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/60.jpg)
Connect directly to the firewall proxy using the address of the firewall and the port number of the proxy
Least preferred method
Requires two addresses for each connection:
Address of firewall
Address of the intended destination
Direct Connection
![Page 61: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/61.jpg)
A proxy-aware client application runs on the user’s computer and directs its connections to the firewall proxy itself
Effective and transparent
The need to have a modified client application for each network service is a significant drawback
Modified Client
![Page 62: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/62.jpg)
No need to modify client applications
Users don’t have to direct their communication to the firewall
Packets are automatically redirected to an awaiting proxy as they enter the firewall
Invisible Proxy
![Page 63: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/63.jpg)
New applications must be developed for each supported service
Proxy Limitations
![Page 64: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/64.jpg)
Three traditional methods for verifying someone’s identity:
“Something known” - a password
“Something possessed” - a key to a lock, or a smartcard
“Something embodied” - fingerprint or retinal scan
User Authentication
![Page 65: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/65.jpg)
Information provided by log files:
Time and date of session start
Time and date of session end
Source host address
Destination host address
Activity Logging
![Page 66: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/66.jpg)
Information provided by log files (cont.):
Protocol
Destination Port
Action taken - accepted or denied
User name - if authentication used
Activity Logging (cont.)
![Page 67: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/67.jpg)
Administrators may review the logs to look for suspicious activities:
Repeated failed connection attempts
Flood of allowed connection attempts going to the same host
Connections made at odd hours
Multiple failed authentication attempts
Audit Information
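The audit review described on the last three slides, as an added example that is not part of the course: a small script that parses session log lines carrying the fields listed above and flags the four suspicious patterns. The CSV layout, the sample lines and the thresholds (five denials from one source, three failed authentications for one user, four accepted sessions to one host within a minute, sessions starting between 00:00 and 05:59) are all constructed for the demo.

```python
"""Audit of firewall session logs for the warning signs listed on the slides.
Added example; the log format and the sample lines are constructed here."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed format, one session per line:
# start,end,source,destination,protocol,destination_port,action,user
# action is one of accepted / denied / auth-failed; user is empty without authentication.
SAMPLE_LOG = """\
2000-03-14T02:13:05,2000-03-14T02:13:06,10.35.25.6,10.12.1.5,TCP,23,denied,
2000-03-14T02:13:09,2000-03-14T02:13:10,10.35.25.6,10.12.1.5,TCP,21,denied,
2000-03-14T02:13:14,2000-03-14T02:13:15,10.35.25.6,10.12.1.5,TCP,25,denied,
2000-03-14T02:13:20,2000-03-14T02:13:21,10.35.25.6,10.12.1.5,TCP,80,denied,
2000-03-14T02:13:26,2000-03-14T02:13:27,10.35.25.6,10.12.1.5,TCP,110,denied,
2000-03-14T03:30:00,2000-03-14T03:45:00,10.12.1.7,10.122.6.11,TCP,21,accepted,alice
2000-03-14T09:01:00,2000-03-14T09:20:00,10.12.1.7,10.122.6.11,TCP,23,accepted,alice
2000-03-14T09:02:00,2000-03-14T09:02:02,10.35.25.6,10.12.1.9,TCP,23,auth-failed,bob
2000-03-14T09:02:10,2000-03-14T09:02:12,10.35.25.6,10.12.1.9,TCP,23,auth-failed,bob
2000-03-14T09:02:20,2000-03-14T09:02:22,10.35.25.6,10.12.1.9,TCP,23,auth-failed,bob
2000-03-14T10:00:00,2000-03-14T10:00:05,192.0.2.10,10.12.1.9,TCP,25,accepted,
2000-03-14T10:00:01,2000-03-14T10:00:05,192.0.2.11,10.12.1.9,TCP,25,accepted,
2000-03-14T10:00:02,2000-03-14T10:00:05,192.0.2.12,10.12.1.9,TCP,25,accepted,
2000-03-14T10:00:03,2000-03-14T10:00:05,192.0.2.13,10.12.1.9,TCP,25,accepted,
"""

FIELDS = ["start", "end", "src", "dst", "proto", "dport", "action", "user"]


def parse_log(text: str) -> list:
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        row["dport"] = int(row["dport"])
        records.append(row)
    return records


def audit(records, deny_n=5, auth_n=3, flood_n=4, flood_window_s=60, odd_hours=range(0, 6)) -> dict:
    """Thresholds are assumptions for the demo, not values from the course."""
    findings = {}
    # Repeated failed connection attempts from one source (a port sweep looks like this)
    denied = Counter(r["src"] for r in records if r["action"] == "denied")
    findings["repeated_denials"] = sorted(s for s, n in denied.items() if n >= deny_n)
    # Multiple failed authentication attempts for one user name
    failed_auth = Counter(r["user"] for r in records if r["action"] == "auth-failed")
    findings["failed_auth"] = sorted(u for u, n in failed_auth.items() if n >= auth_n)
    # Accepted sessions that started at odd hours
    accepted = [r for r in records if r["action"] == "accepted"]
    findings["odd_hours"] = sorted({r["src"] for r in accepted if r["start"].hour in odd_hours})
    # Flood of accepted sessions to the same host inside a short window
    floods = []
    by_dst = defaultdict(list)
    for r in accepted:
        by_dst[r["dst"]].append(r["start"])
    for dst, starts in by_dst.items():
        starts.sort()
        if any((starts[i + flood_n - 1] - starts[i]).total_seconds() <= flood_window_s
               for i in range(len(starts) - flood_n + 1)):
            floods.append(dst)
    findings["floods"] = sorted(floods)
    return findings


if __name__ == "__main__":
    for name, hits in audit(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

Denied sessions are deliberately left out of the odd-hours check so that a scan at 02:00 is reported once, as repeated denials, rather than twice.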
![Page 68: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/68.jpg)
Unit II - Chapter 1: The Need for a Firewall
![Page 69: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/69.jpg)
Intranet
Internet services
RAS (remote access)
Financial connections (Reuters, Bloomberg, etc.)
Extranet, etc.
Firewall need (discussion)
![Page 70: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/70.jpg)
Lab 1: What Firewall is Best?
![Page 71: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/71.jpg)
Discussion Lab
Diagram: company intranet, restricted network, corporate data center and the Internet.
Place firewall(s) in this network.
![Page 72: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/72.jpg)
Discussion lab
Internet connection: public e-mail, FTP, DNS and web services; web surfing and FTP for users
Intranet: Oracle server
![Page 73: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/73.jpg)
Discussion Lab
Possible solution (diagram): one firewall between the Internet and the company intranet, and a second firewall between the intranet and the restricted network containing the corporate data center.
![Page 74: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/74.jpg)
Unit II - Chapter 2: Security Hazards
![Page 75: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/75.jpg)
Describe the threat of open systems networking
Identify simple denial of service attacks
Identify packet sniffing
Identify IP spoofing
Security Hazards: Objectives
![Page 76: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/76.jpg)
A standard approach to computing and networking that allows for:
Greater interoperability
Flexibility
Portability of software and system components
Open Systems Internetworking
![Page 77: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/77.jpg)
Isolated “Islands” of Phone Connectivity
![Page 78: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/78.jpg)
Phone Connectivity No Longer Isolated
![Page 79: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/79.jpg)
Increased connectivity increases the threat of attack
The more networks that are connected, the greater chance of those networks being infiltrated
Open Systems Threat
![Page 80: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/80.jpg)
Denial-of-Service
Network Packet Sniffing
IP Spoof Attack
Internet Attacks Simplified
![Page 81: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/81.jpg)
Denial of Service
![Page 82: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/82.jpg)
A simple attack where the attacker repeatedly sends the victim voluminous amounts of electronic mail until the network can no longer handle the volume, denying them mail service
Denial-of-Service Attack
![Page 83: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/83.jpg)
Diagram, Denial of Service Mail Attack: the attacker sends a flood of e-mail through the mail server to the target mailbox.
Denial of Service Mail Attack
![Page 84: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/84.jpg)
The attacker “listens in” to the data on your network with a packet sniffer, capturing data and displaying it in a readable manner
Source and destination users usually don’t even know that they’ve been “sniffed”
Network Packet Sniffing
![Page 85: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/85.jpg)
Diagram, Network Packet Sniffing Attack: the original TCP packets cross the network as normal while the attacker’s sniffer takes copies of them.
Network Packet Sniffing Attack
![Page 86: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/86.jpg)
The attacker sends packets carrying the source IP address of another, unsuspecting host, presumably for illicit purposes
An IP spoof becomes a serious attack when an external attacker claims an IP address that is internal to the targeted network, because filters that trust internal addresses will let the packets in
IP Spoof Attack
![Page 87: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/87.jpg)
Diagram, IP Spoof Attack: an external host (10.35.25.6) sends a packet that reports its source address to be the internal host 10.12.1.1; the packet filter assumes the packet is from a trusted source and allows the data into the network toward 10.12.1.5.
IP Spoof Attack
![Page 88: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/88.jpg)
Unit III - Chapter 1: Firewall Features
![Page 89: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/89.jpg)
Access Rules and Lists
Host Spoofing Controls
Basic Access Control
![Page 90: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/90.jpg)
Host-Based
Describes the sets of services allowed for each host or network
Service-Based
Identifies the sets of hosts or networks that may use each service
Access Rules and Lists
![Page 91: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/91.jpg)
Reducing the threat of spoofed IP addresses:
Block packets carrying the IP “source routing option”, which would let the sender dictate the route (and so the return path) instead of leaving it to the routers
Control by network interface also reduces the threat: a packet claiming an internal source address that arrives on the external interface is dropped
Host Spoofing Controls
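The interface-based control above (and the spoofing scenario from the Security Hazards chapter), as an added example that is not part of the course: a check that judges a packet by the interface it arrived on rather than by the address it claims, and that refuses source-routed packets outright. The internal prefix 10.12.0.0/16 is an assumption chosen to contain the course's 10.12.1.x hosts; the loopback and 0.0.0.0/8 ranges are listed because they can never legitimately arrive from outside.

```python
"""Interface-aware anti-spoofing check, as an added example (not from the
course). A packet is judged by where it arrived, not only by what its header
claims."""
import ipaddress
from dataclasses import dataclass

# Assumed topology: the course's internal hosts 10.12.1.x live in 10.12.0.0/16
# behind the "internal" interface; everything else arrives on "external".
INTERNAL_NETS = [ipaddress.ip_network("10.12.0.0/16")]
# Sources that must never appear on the external interface regardless of policy.
NEVER_EXTERNAL = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]


@dataclass(frozen=True)
class IpPacket:
    iface: str                    # "external" or "internal"
    src: str
    dst: str
    source_routed: bool = False   # IP loose/strict source route option present


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def ingress_check(p: IpPacket) -> tuple:
    """Return ("PASS", None) or ("DROP", reason)."""
    src = ipaddress.ip_address(p.src)
    if p.source_routed:
        # The option would let the sender dictate the reply path, defeating
        # the address-based trust the filter relies on.
        return ("DROP", "source-routed packet")
    if p.iface == "external":
        if _in_any(src, INTERNAL_NETS):
            return ("DROP", "internal source address on external interface")
        if _in_any(src, NEVER_EXTERNAL):
            return ("DROP", "bogus source address on external interface")
    elif p.iface == "internal" and not _in_any(src, INTERNAL_NETS):
        # Egress side: stops our own hosts (or a compromised one) spoofing outward.
        return ("DROP", "foreign source address on internal interface")
    return ("PASS", None)


if __name__ == "__main__":
    # The slide's scenario: an outside host claiming to be internal 10.12.1.1.
    print(ingress_check(IpPacket("external", "10.12.1.1", "10.12.1.5")))
    print(ingress_check(IpPacket("external", "10.35.25.6", "10.12.1.5")))
```

The check is deliberately independent of the rule list: it runs before any pass/drop rule is consulted, so a rule that trusts 10.12.* can no longer be reached by a forged packet from outside.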
![Page 92: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/92.jpg)
Domain Name System (DNS)
DNS servers share information
An attacker could possibly redefine the address of a trusted host within a network to an address outside the network, so trust based on host names is only as strong as the DNS data behind it
Supported Services
![Page 93: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/93.jpg)
Finger
Used to find out logins, user names and information concerning a user’s previous login
Supported Services (cont.)
![Page 94: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/94.jpg)
File Transfer Protocol (FTP)
In active mode a separate data connection is made from the server back to the client, which a firewall must let in for the transfer to work
Most FTP servers support a PASV (passive mode) capability, allowing the data connection to originate from the client rather than the server
Supported Services (cont.)
![Page 95: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/95.jpg)
Internet Control Message Protocol (ICMP)
Used to send error or test messages between systems
“PING” uses ICMP to send echo requests to see if a host is reachable
Supported Services (cont.)
![Page 96: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/96.jpg)
Internet Relay Chat (IRC)
Using IRC, a user can contact an IRC server and join an Internet conversation
Threats associated with IRC are of a “social engineering” nature - an attacker may contact a user through IRC and convince them to compromise their network
Supported Services (cont.)
![Page 97: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/97.jpg)
Network News Transfer Protocol (NNTP)
Allows users to access newsgroups to read information or participate in discussions
Network File System (NFS)
Allows users to share file systems with other users
Little security and vulnerable to attacks
Supported Services (cont.)
![Page 98: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/98.jpg)
Network Time Protocol (NTP)
A service used to synchronize clocks between computers and networks
Supported Services (cont.)
![Page 99: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/99.jpg)
rlogin
Developed at the University of California at Berkeley
Used for remote access between local systems, but not recommended for use across the Internet because of lack of proper authentication capability
Supported Services (cont.)
![Page 100: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/100.jpg)
TELNET
Standard remote login protocol application
Provides a character-based connection between two systems
Supported Services (cont.)
![Page 101: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/101.jpg)
Authentication Mechanisms
User Authentication
![Page 102: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/102.jpg)
Firewalls in multiple geographic locations should be administered by a single group within the company
With central administration the administrator configures the firewalls from a central database they all share
Remote/Central Administration
![Page 103: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/103.jpg)
Recording the action in a log or alarm file
Sending e-mail to an administrator
Displaying a message on the firewall console
Sending an SNMP alarm to a network manager system
Actions Taken From Alarms
![Page 104: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/104.jpg)
Activating and sending a message to an administrator’s pager
Running a specialized application or script file from the firewall
Actions Taken From Alarms (cont.)
![Page 105: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/105.jpg)
Dual-Host Firewalls
Splitting the functions of a firewall between two hosts to force attackers to break into two systems for a successful attack
Integrity Scanner
An application on the firewall that continually scans the firewall for any unauthorized changes to files, file size, or devices
Firewall Integrity
![Page 106: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/106.jpg)
Invisibility
A firewall that can’t be seen is difficult to attack
Firewall Integrity (cont.)
![Page 107: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/107.jpg)
Address Mapping
Day and Time Restrictions
Load Control
Tunneling
Virtual Private Networks (VPN)
Hacker Traps
Special Features
![Page 108: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/108.jpg)
Most organizations use "illegal" IP addresses internally, that is, private addresses that are not routable on the Internet
Firewalls can map these internal addresses to legal, routable addresses as packets leave the network (network address translation)
Address Mapping
![Page 109: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/109.jpg)
Diagram: the LAN hosts 192.168.1.1, 192.168.1.2, 192.168.1.3 and 192.168.1.4 sit on the internal side of the firewall. The "illegal" internal address 192.168.1.2 is mapped to the "legal" external address 204.32.38.1 as its packets leave for the outside.
Address Mapping
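Address mapping as an added example (not code from the original course): a small mapping table that rewrites packets from the slide's internal 192.168.1.0/24 addresses to the legal address 204.32.38.1, allocating one external port per flow so that replies can be routed back to the right internal host. The remote addresses 198.51.100.10 and 203.0.113.5 are constructed documentation-range values, and the port allocator ignores timeouts and port exhaustion.

```python
"""Address mapping (NAT with port translation): added example, not the deck's code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: the "illegal" addresses the slide refers to
PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class AddressMapper:
    """Many-to-one mapping of internal hosts behind one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_flows = {}   # (proto, src, sport, dst, dport) -> external port
        self.inbound_flows = {}    # (proto, external port, peer ip, peer port) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN so it carries the legal address."""
        if not is_private(pkt.src):
            return pkt                      # already routable; nothing to map
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.outbound_flows.get(key)
        if ext_port is None:                # new flow: allocate an external port
            ext_port = self.next_port
            self.next_port += 1
            self.outbound_flows[key] = ext_port
            self.inbound_flows[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=ext_port)

    def inbound(self, pkt: Packet):
        """Rewrite a reply arriving at the public address, or return None when
        no internal host opened this flow (unsolicited traffic is dropped)."""
        if pkt.dst != self.public_ip:
            return None
        mapping = self.inbound_flows.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            return None
        src, sport = mapping
        return replace(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    nat = AddressMapper("204.32.38.1")
    out = nat.outbound(Packet("192.168.1.2", 51000, "198.51.100.10", 80))
    print("outbound   :", out)
    print("reply      :", nat.inbound(Packet("198.51.100.10", 80, "204.32.38.1", out.sport)))
    print("unsolicited:", nat.inbound(Packet("203.0.113.5", 4444, "204.32.38.1", 22)))
```

An inbound packet with no entry in the table has nowhere to go and is dropped, which is why address mapping on its own already blocks unsolicited connections to internal hosts. It is not a substitute for a rule set: anything an internal host initiates is mapped without question.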
![Page 110: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/110.jpg)
Security policies can be set to restrict certain network access based on day and time
Day and Time Restrictions
![Page 111: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/111.jpg)
Diagram: FTP allowed during the permitted days and hours; FTP disallowed outside them.
Day and Time Restrictions
![Page 112: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/112.jpg)
Limits the number of simultaneous connections permitted to a host
Helps protect against flooding attacks
Load Control
![Page 113: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/113.jpg)
Diagram: limiting the number of simultaneous connections to a host; connections beyond the limit are not permitted.
Load Control
![Page 114: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/114.jpg)
Enables encryption of all or selected communication between two or more sites
Requires cooperating firewalls to encrypt and decrypt packets as they are sent and received
Virtual Private Networks (VPN)
![Page 115: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/115.jpg)
Diagram: Company intranet 1 - Firewall - Internet - Firewall - Company intranet 2. Traffic inside each company intranet is not encrypted (PRIVATE); traffic crossing the Internet between the two firewalls is encrypted (PUBLIC).
Virtual Private Networks (VPNs)
![Page 116: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/116.jpg)
Sometimes referred to as “lures and traps” or “honey pots”
Intruders think they have succeeded in breaking into the network when in reality they have been redirected to a “safe” place on the network
Hacker Traps
![Page 117: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/117.jpg)
Unit III - Chapter 2: Security Policies
![Page 118: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/118.jpg)
Flexibility
Service-access
Firewall Design
Information
Remote Access
Security Policy Philosophies
![Page 119: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/119.jpg)
Flexibility
Ability to adapt or change the policy
Flexible due to the following considerations:
Internet changes
Internet risks
Security Policy Philosophies (cont.)
![Page 120: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/120.jpg)
Service Access
Internal user issues
Remote access policies
External connections
Security Policy Philosophies (cont.)
![Page 121: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/121.jpg)
Firewall Design
Permit any service unless it is expressly denied
Deny any service unless it is expressly permitted
Security Policy Philosophies (cont.)
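The two firewall design philosophies above, together with the day-and-time restrictions and load control features from the previous chapter, as one added example (not code from the original course): a small rule engine where the first matching rule wins, a rule only matches inside its day and hour window, a per-host cap on simultaneous connections enforces load control, and the default applied when no rule matches is the design philosophy. The rule set, the addresses (the LAN host 192.168.1.2 and a server 204.32.38.50) and the connection attempts are constructed for the demonstration; the dates are chosen so that 6 March 2000 is a Monday and 4 March 2000 a Saturday.

```python
"""Rule engine with time windows, load control and a default philosophy.
Added example; not code from the original training deck."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

WEEKDAYS = frozenset(range(5))             # Monday=0 .. Friday=4


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    dport: Optional[int] = None            # None matches any destination port
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    days: frozenset = frozenset(range(7))  # weekdays on which the rule applies
    hours: tuple = (0, 24)                 # [start, end) hour of day

    def matches(self, src: str, dst: str, dport: int, when: datetime) -> bool:
        return (
            ip_address(src) in ip_network(self.src)
            and ip_address(dst) in ip_network(self.dst)
            and self.dport in (None, dport)
            and when.weekday() in self.days
            and self.hours[0] <= when.hour < self.hours[1]
        )


class Firewall:
    def __init__(self, rules, default: str, max_conns_per_host: int = 2):
        self.rules = list(rules)
        self.default = default             # "deny": deny unless expressly permitted
        self.max_conns = max_conns_per_host
        self.active = {}                   # destination host -> open connections

    def decide(self, src, dst, dport, when) -> str:
        """First matching rule wins; the design philosophy decides the rest."""
        for rule in self.rules:
            if rule.matches(src, dst, dport, when):
                return rule.action
        return self.default

    def connect(self, src, dst, dport, when) -> str:
        if self.decide(src, dst, dport, when) != "permit":
            return "denied"
        if self.active.get(dst, 0) >= self.max_conns:
            return "throttled"             # load control: cap on simultaneous connections
        self.active[dst] = self.active.get(dst, 0) + 1
        return "permitted"

    def close(self, dst):
        self.active[dst] = max(0, self.active.get(dst, 0) - 1)


RULES = [
    Rule("permit", dport=21, src="192.168.1.0/24", days=WEEKDAYS, hours=(8, 18)),  # FTP, office hours
    Rule("permit", dport=80, src="192.168.1.0/24"),                                # web, any time
    Rule("deny", dport=23),                                                         # telnet, always
]


def demo() -> dict:
    """Constructed connection attempts against RULES under both philosophies."""
    monday_10 = datetime(2000, 3, 6, 10, 0)
    saturday_10 = datetime(2000, 3, 4, 10, 0)
    monday_22 = datetime(2000, 3, 6, 22, 0)
    lan, server = "192.168.1.2", "204.32.38.50"
    deny_default = Firewall(RULES, default="deny")
    permit_default = Firewall(RULES, default="permit")
    results = {
        "ftp_monday_10": deny_default.connect(lan, server, 21, monday_10),
        "ftp_saturday_10": deny_default.connect(lan, server, 21, saturday_10),
        "ftp_monday_22": deny_default.connect(lan, server, 21, monday_22),
        "telnet": deny_default.connect(lan, server, 23, monday_10),
        # a service nobody wrote a rule for: exposed only under "permit unless denied"
        "unlisted_6000_deny_default": deny_default.connect(lan, server, 6000, monday_10),
        "unlisted_6000_permit_default": permit_default.connect(lan, server, 6000, monday_10),
    }
    # Load control: the FTP connection above is still open, so one more web
    # connection fills the cap of two and the next one is throttled.
    results["web_second"] = deny_default.connect(lan, server, 80, monday_10)
    results["web_third"] = deny_default.connect(lan, server, 80, monday_10)
    deny_default.close(server)
    results["web_after_close"] = deny_default.connect(lan, server, 80, monday_10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30s} {outcome}")
```

The "unlisted_6000" pair is the practical difference between the two philosophies: with "permit unless expressly denied", every service that appears on the network after the rules were written is reachable until someone notices it, whereas "deny unless expressly permitted" requires a deliberate rule before anything new passes.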
![Page 122: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/122.jpg)
Information concerns
Web browsing
Security Policy Philosophies (cont.)
![Page 123: Firewall Essentials](https://reader036.vdocuments.us/reader036/viewer/2022081505/555a0809d8b42ad00a8b5405/html5/thumbnails/123.jpg)
Remote Access
A user’s dial-out capability might become an intruder dial-up threat
Outside users must be forced to pass through the advanced authentication features of the firewall
Security Policy Philosophies (cont.)