Firewall Configuration. Firewall Configuration. Solution Firewall Principles

(1)

Firewall Configuration

z

Firewall Principles

z

Firewall Characteristics

z

Types of Firewalls

z

Firewall Deployments

Firewall Principles

z

Internet connectivity is a common

component of today

’

s networks

¾

Benefits:

Access to wide variety of resourcesAccess to wide variety of resources

Exposure for company on InternetExposure for company on Internet

¾

Risks:

Outside world could gain access Outside world could gain access internal resources

internal resources

If poorly configured, can result in network If poorly configured, can result in network security breach

security breach

Solution

z

Implement a Firewall

¾

Boundary between the Internet and

the internal network

Firewall

Internal Network Internal Network Internet

(2)

Firewall Characteristics

z

All traffic that navigates between the

_{All traffic that navigates between the}

internal network and the external

network must pass through the firewall

z

Only authorized traffic should be

allowed to pass

z

The firewall must be immune

to penetration

Features To Have

On A Firewall

z

Direction Control

z

_{Service Control}

Service Control

z

User Control

z

_{Behavior Control}

Behavior Control

z

Auditing

z

_{Network Address Translation (NAT)}

Network Address Translation (NAT)

z

Port Mapping

Features To Have

On A Firewall

z

Direction Control

¾

¾ Different rules can be defined for incoming Different rules can be defined for incoming or outgoing traffic

or outgoing traffic

z

Service control

¾

¾ Define what protocols can be used. Based on an Define what protocols can be used. Based on an IP address, Port Address or protocol ID level IP address, Port Address or protocol ID level

Incoming Rules Incoming Rules Web Server:443 Web Server:443 Any.* Any.* Web Server:80 Web Server:80 Any:* Any:* Destination Destination Source Source Outgoing Rules Outgoing Rules Any:* Any:* Web Server:443 Web Server:443 Any:* Any:* Web Server:80 Web Server:80 Destination Destination Source Source

Features To Have

On A Firewall

z

User Control

¾

¾ Only allows authorized users to pass Only allows authorized users to pass

traffic through firewall or to access resource traffic through firewall or to access resource on internal network

on internal network

z

Behavior control

¾

¾ Sets how applications can be usedSets how applications can be used ¾

¾ Mail filter for viruses or specific forms Mail filter for viruses or specific forms of attachments

of attachments

z

Auditing

¾

(3)

Internet Internet Firewall 192.168.10.1 192.168.10.1 192.168.10.2 131.107.2.200 131.107.2.200

Network Address Translation Network Address Translation 200.200.20.1 200.200.20.1 192.168.10.1 192.168.10.1 131.107.2.200 131.107.2.200 Destination Destination Source Source

Features To Have

On A Firewall

z

Network Address

Translation (NAT)

Internal Network Internal Network Firewall 131.107.2.200 131.107.2.200 Internal Network Internal Network 192.168.10.1 192.168.10.2 192.168.10.3

Features To Have

On A Firewall

z

Port Mapping

Port Mapping Port Mapping 80 80 80 80 Port Port 200.200.20.1 200.200.20.1 192.168.10.3 192.168.10.3 131.107.2.200 131.107.2.200 Destination Destination Source Source 200.200.20.1 200.200.20.1 Internet Internet

Firewall Limitations

z

Cannot protect against attacks that

bypass the firewall

¾

¾ Remote Access Services on Internal NetworkRemote Access Services on Internal Network

Firewall Firewall Internet Internet Modem Modem

Types Of Firewalls

z

Packet

-

Filter Firewall

z

Circuit

-

Level Firewalls

z

Application

-

Level with Proxy

Service

z

Dynamic Packet Filter Firewalls

z

(4)

Packet

-

Filter Firewall

z

Analyze traffic at the transport layer

_{Analyze traffic at the transport layer}

of the OSI model

z

Compare each packet to a series

of rules for the interface

z

Apply both incoming and

outgoing rules

Circuit

-

Level Firewalls

z

Each packet that passes through a firewall is

¾

¾ A connection requestA connection request ¾

¾ Data being transported across an existing Data being transported across an existing connection

connection

z

Works as a referee to ensure that a proper

3

3 -

-

way handshake takes place, if not, then

drops connection

z

A table of valid connections is maintained.

¾

¾ Current session stateCurrent session state ¾

¾ Sequence info for both client and serverSequence info for both client and server

Circuit

-

Level Firewalls

z

Firewall does not permit an end

-

to

-

end

connection

z

Establishes two separate connections

¾

¾ One between an inner host and the firewallOne between an inner host and the firewall ¾

¾ One between an outer host and the firewallOne between an outer host and the firewall

Outer Connection

Inner Connection

Application

-

Level With

Proxy Service

z

Evaluates data at the application level before

allowing connection to take place

z

Requires configuration of client hosts

¾

¾ Internal client sends request to a proxy serverInternal client sends request to a proxy server ¾

¾ Transparent to userTransparent to user ¾

¾ More precise rules can be developed based More precise rules can be developed based on actual protocol

on actual protocol

z

Achieves performance gains

¾

¾ Cache information to reduce external Cache information to reduce external bandwidth usage

bandwidth usage ¾

(5)

Dynamic Packet Filter

Firewalls

z

Combines services of application and packet

filter firewalls

z

Allows security rules to be created on the fly

z

Provides UDP transport support

¾

¾ Firewall records info on all UDP packets that cross Firewall records info on all UDP packets that cross (source port destination port)

(source port destination port) ¾

¾ Response must be returned to original requestorResponse must be returned to original requestor ¾

¾ If this does not occur, drop packets!If this does not occur, drop packets! ¾

¾ If not returned in a timely fashion, If not returned in a timely fashion, drop packets!

drop packets!

Kernel Proxy Firewalls

z

Rules are implemented at kernel level

z

Information is discarded without being

passed up the network stack

z

For each new session, a new TCP/IP stack

is generated on the fly with the following

properties:

¾

¾ Contains protocol proxies required only Contains protocol proxies required only for that session

for that session ¾

¾ Can be customized to implement investigation Can be customized to implement investigation of the data transmission

of the data transmission ¾

¾ Network packet can be reNetwork packet can be re--inspected at each levelinspected at each level ¾

¾ A packet to be discarded before it reaches A packet to be discarded before it reaches the application level

the application level

Firewall Configurations

z

Bastion Host

z

De

-

Militarized Zones

¾

Three

-

Pronged DMZ

¾

Mid

-

Ground DMZ

Bastion Host

z

Used for smaller networks

z

Only purpose is to protect internal

network from external network

(6)

De

-

Militarized Zone (DMZ)

z

Places all Internet accessible resources

_{Places all Internet accessible resources}

in separate segment of network

z

All traffic (inbound and outbound) is

screened by administrator

-

defined

rules

z

Rules are defined for interaction

between all network segments

Three

Three-

-Pronged DMZ

Pronged DMZ

z

_{Only one firewall required}

Only one firewall required

Firewall Firewall Internet Internet DMZDMZ Private Network Private Network

Mid

Mid-

-Ground DMZ

Ground DMZ

z

z Might be implemented with two different firewall Might be implemented with two different firewall products

products z

z More cost, but can be more secure!More cost, but can be more secure!

Private Network Private Network External Firewall Internal Firewall Internet Internet DMZ DMZ