It covers basic details about firewalls: their history, capabilities and configurations.
Size: 631.91 KB
Language: en
Added: May 17, 2015
Slides: 27 pages
Slide Content
Preetha/ME-CSE/I
Firewall: Introduction to the past
•The idea came from the construction industry in the 19th century.
–Structures of metal sheets in houses, aircraft etc. were the first physical firewalls.
–The metal sheets protected against fire.
•In the 1980s
–Usage of the internet was rapidly growing.
–Businesses established and implemented networks.
•Difficulties faced!
–Huge network data traffic.
–Allocating the different networks.
•Solutions!
–The firewall procedure was implemented in routers.
–Networks were controlled.
Firewall: People who made it important
–Clifford Stoll, a US astronomer and computer expert, discovered that German spies were accessing his system. After this incident the US started to implement firewall security in government networks.
–Bill Cheswick, the author of the famous security book "Firewalls and Internet Security", set up a simple electronic jail to observe an attacker. He devoted himself to the subject and had a huge impact on awareness of firewalls and of internet and network security.
–Robert Tappan Morris created the Morris Worm, which was the virus that awakened all the network administrators and made them think of the importance of firewalls. The network administrators weren't expecting anything like this. The worm spread through networks around the world; 10% of the internet was infected.
FIREWALL
•A firewall is a system designed to prevent unauthorized access to or from a network.
•Firewalls can be implemented in hardware, in software, or in a combination of both.
•Firewalls are frequently used to prevent unauthorized internet users from accessing private networks connected to the Internet.
Design goals
•All traffic from inside to outside, and vice versa, must pass through the firewall.
•Only authorized traffic (defined by the local security policy) will be allowed to pass.
•The firewall itself is immune to penetration.
Four general techniques
•Service control
–Determines the types of Internet services that can be accessed, inbound or outbound.
•Direction control
–Determines the direction in which particular service requests are allowed to flow through the firewall.
•User control
–Controls access to a service according to which user is attempting to access it.
•Behavior control
–Controls how particular services are used (e.g. filtering e-mail).
Capabilities of firewall
•Acts as a single choke point that keeps unauthorized users out of the protected network.
•Provides a location for monitoring security-related events.
•Can serve as the platform for IPSec.
Types of Firewall
•Types of Firewall:
–Packet-filtering routers
–Application-level gateways
–Circuit-level gateways
Packet-filtering router
•Simplest, fastest firewall component.
•Examines each IP packet in isolation (no context) and permits or denies it according to rules.
•The router is typically configured to filter packets going in both directions.
•The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
•If there is no match, then the default action is taken (discard or forward).
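The rule-list evaluation described on this slide, as an added example that is not part of the original deck: rules are matched top-down against IP/TCP header fields with no connection context, the first match decides, and the default action applies when nothing matches. The rule set, addresses and packets are constructed for illustration.

```python
import ipaddress

# Constructed rule list (not from the slides): evaluated top-down, first match wins.
# Each rule matches on IP/TCP header fields; None means "any value".
RULES = [
    # inbound SMTP to our mail gateway is permitted, even from the range blocked below
    {"dir": "in", "src": None, "dst": "192.0.2.10/32", "proto": "tcp", "dport": 25, "action": "permit"},
    # everything else from a troublesome external range is denied
    {"dir": "in", "src": "203.0.113.0/24", "dst": None, "proto": None, "dport": None, "action": "deny"},
    # inside hosts may open outbound HTTP
    {"dir": "out", "src": "192.0.2.0/24", "dst": None, "proto": "tcp", "dport": 80, "action": "permit"},
]
DEFAULT_ACTION = "deny"  # default-discard policy: anything not explicitly matched is dropped


def _in_net(addr, net):
    """True when net is 'any' or the address falls inside the CIDR block."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, pkt):
    """Compare the rule's fields against one packet's header fields (no connection context)."""
    return (rule["dir"] == pkt["dir"]
            and _in_net(pkt["src"], rule["src"])
            and _in_net(pkt["dst"], rule["dst"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt.get("dport")))


def filter_packet(pkt, rules=RULES, default=DEFAULT_ACTION):
    """Return (action, index of the matching rule); the index is None when the default applies."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return default, None


if __name__ == "__main__":
    # Constructed sample packets; the first two differ only in destination and show
    # that rule order, not the blocked range alone, decides the outcome.
    samples = [
        {"dir": "in", "src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 25},
        {"dir": "in", "src": "203.0.113.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 25},
        {"dir": "out", "src": "192.0.2.7", "dst": "198.51.100.1", "proto": "udp", "dport": 53},
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt["dst"], filter_packet(pkt))
```

Swapping the first two rules would make the mail gateway unreachable from that range, which is the "difficulty of setting up packet filter rules" the next slide mentions.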
Packet-Filtering router (diagram slide)
•Advantages:
–Simplicity
–Transparency to users
–High speed
•Disadvantages:
–Difficulty of setting up packet filter rules
–Does not support advanced user authentication schemes.
–Generally vulnerable to attacks.
Cont..
•Possible attacks
–IP address spoofing: the creation of Internet Protocol (IP) packets with a forged source IP address.
–Source routing attacks: an attacker could use source routing to direct packets so that they bypass existing security restrictions.
–Tiny fragment attacks: the attacker uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment.
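The standard router-side countermeasures to the three attacks listed above, as an added example that is not part of the original deck: ingress filtering against spoofed inside addresses, discarding source-routed packets, and the RFC 1858 fragment checks. The address plan and the packet dictionaries are constructed for illustration.

```python
import ipaddress

TCP = 6
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed address plan of the protected network
TMIN = 16  # RFC 1858: a TCP first fragment must carry at least this many bytes of transport header


def screen_packet(pkt):
    """Return None if the packet may proceed to the rule list, else the reason it is discarded.

    pkt is a constructed dict of already-parsed IP header fields:
    iface ("external"/"internal"), src, proto, source_route (bool),
    frag_offset (in 8-byte units), payload_len (bytes after the IP header).
    """
    src = ipaddress.ip_address(pkt["src"])
    # Counter to IP address spoofing: a packet arriving from the outside must not
    # claim an inside source address (ingress filtering).
    if pkt["iface"] == "external" and src in INTERNAL_NET:
        return "spoofed internal source"
    # Counter to source routing attacks: discard any packet carrying a source route option.
    if pkt.get("source_route", False):
        return "source-routed packet"
    # Counter to tiny fragment attacks (RFC 1858): the first fragment of a TCP datagram
    # must carry enough of the transport header to be filtered, and a fragment at
    # offset 1 (8 bytes) would overwrite the flags of a first fragment, so drop both.
    if pkt["proto"] == TCP:
        offset = pkt.get("frag_offset", 0)
        if offset == 0 and pkt["payload_len"] < TMIN:
            return "tiny first fragment"
        if offset == 1:
            return "fragment overlaps transport header"
    return None


if __name__ == "__main__":
    # Constructed samples: one clean packet and one for each countermeasure.
    for pkt in [
        {"iface": "external", "src": "198.51.100.1", "proto": TCP, "frag_offset": 0, "payload_len": 40},
        {"iface": "external", "src": "192.0.2.5", "proto": TCP, "frag_offset": 0, "payload_len": 40},
        {"iface": "external", "src": "198.51.100.1", "proto": TCP, "source_route": True, "frag_offset": 0, "payload_len": 40},
        {"iface": "external", "src": "198.51.100.1", "proto": TCP, "frag_offset": 0, "payload_len": 8},
    ]:
        print(pkt["src"], screen_packet(pkt))
```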
Stateful Packet Filters
•Also referred to as dynamic packet filtering.
•Stateful inspection is a firewall architecture that works at the network layer.
•Unlike packet filtering, which examines a packet based only on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid.
•Filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.
•Better able to detect bogus packets.
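The connection tracking this slide describes, as an added example that is not part of the original deck: outbound SYNs from inside hosts create table entries, inbound segments are forwarded only when they belong to a tracked connection, and a static "ACK bit set" rule is shown beside it for contrast. The inside network and the packet dictionaries are constructed for illustration.

```python
import ipaddress

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04  # TCP flag bits


class StatefulFilter:
    """Tracks TCP connections opened from the inside; inbound segments are forwarded
    only when they belong to a tracked connection (constructed example)."""

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def _outbound(self, pkt):
        return ipaddress.ip_address(pkt["src"]) in self.inside

    def _key(self, pkt):
        if self._outbound(pkt):
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def process(self, pkt):
        """Return 'forward' or 'discard', updating the connection table as a side effect."""
        key, flags = self._key(pkt), pkt["flags"]
        state = self.table.get(key)
        if state is None:
            if self._outbound(pkt) and flags & SYN:
                self.table[key] = "SYN_SENT"  # an inside host is opening a new connection
                return "forward"
            return "discard"  # no context for this packet: bogus or unsolicited
        if state == "SYN_SENT" and not self._outbound(pkt) and (flags & (SYN | ACK)) == (SYN | ACK):
            self.table[key] = "ESTABLISHED"  # the peer completed the handshake
        if flags & (FIN | RST):
            del self.table[key]  # connection is closing; forget it
        return "forward"


def static_ack_rule(pkt):
    """The static alternative: forward any inbound segment with ACK set, without context."""
    return "forward" if pkt["flags"] & ACK else "discard"
```

A crafted inbound segment with ACK set but no matching table entry passes `static_ack_rule` and is discarded by `StatefulFilter`, which is the "bogus packet" detection the slide refers to.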
Application Level Gateway (or Proxy)
–Also known as application proxy or application-level proxy.
–An application gateway is an application program that runs on a firewall system between two networks.
–The user connects to the gateway using a TCP/IP application, and the gateway asks the user for the name of the remote host to be accessed.
–When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.
–Once connected, the proxy makes all packet-forwarding decisions. Since all communication is conducted through the proxy server, computers behind the firewall are protected.
–Can control traffic at the application level.
•Needs a separate proxy for each service.
Cont..
•Advantages:
–Higher security than packet filters.
–Easy to log and audit all incoming traffic.
•Disadvantages:
–Additional processing overhead on each connection.
Circuit-level gateway
–A specialized function performed by an application-level gateway for certain applications.
–The gateway sets up two TCP connections:
•One between itself and a TCP user on an inner host.
•One between itself and a TCP user on an outer host.
–Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.
Circuit-level gateway (diagram slide)
Bastion host
–A system identified by the firewall administrator as a critical strong point in the network's security.
Characteristics:
•The bastion host serves as a platform for an application-level or circuit-level gateway.
•Only services considered essential by the network admin are installed on the bastion host.
Firewall Configurations
•In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible:
–Screened host firewall system (single-homed bastion host)
–Screened host firewall system (dual-homed bastion host)
–Screened-subnet firewall system.
Screened host firewall system (single-homed bastion host)
•The firewall consists of two systems:
–A packet-filtering router.
–A bastion host.
•The router is configured so that
–For traffic from the internet, only IP packets destined for the bastion host are allowed in.
–For traffic from the internal network, only IP packets from the bastion host are allowed out.
•The bastion host performs authentication and proxy functions.
Screened host firewall system (single-homed bastion host) (diagram slide)
Screened host firewall, dual-homed bastion configuration
–Protects against complete compromise of the packet-filtering router.
–Traffic between the Internet and other hosts on the private network has to flow through the bastion host.
Screened subnet firewall configuration
–Most secure configuration of the three.
–Two packet-filtering routers are used.
–Creation of an isolated sub-network.
•Which consists of simply the bastion host, and may also include one or more information servers and modems.
•Advantages:
–Three levels of defense to prevent intruders.
–The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet).
–The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside cannot construct direct routes to the Internet).