FIREWALL AND NAT Lecture 7a

(1)

Slide title In CAPITALS

50 pt

Slide subtitle 32 pt

Muhammad Rizwan Asghar

August 3, 2015

Lecture 7a

COMPSCI 726

(2)

field

customer or

partner logotypes. See Best practice for example. 40 pt Slide subtitle 24 pt Text 24 pt 5 20 pt

FIREWALL

 An integrated collection of security measures designed

to control the flow of traffic into and out of a network

 Similar to firewalls in building construction

– Both are intended to isolate one "network" or

"compartment" from another

(3)

field

customer or

FIREWALL POLICIES

 To protect private networks and individual devices from

the dangers of the Internet, a firewall can be employed

to filter incoming or outgoing traffic based on a

predefined set of rules called firewall policies

Trusted internal network

Firewall policies

(4)

field

customer or

FIREWALL POLICIES: APPROACHES

 Two approaches to creating firewall policies

 Blacklist approach (default-allow)

– All packets are allowed through except those that fit the rules

defined specifically in a blacklist

– Pros: flexible in ensuring that service to the internal network

is not disrupted by the firewall

– Cons: unexpected forms of malicious traffic could go through

 Whitelist approach (default-deny)

– Packets are dropped or rejected unless they are specifically

allowed by the firewall

– Pros: A safer approach to defining a firewall ruleset

(5)

field

customer or

(6)

field

customer or

(7)

field

customer or

PERSONAL FIREWALLS

 Runs on the computer of the user

 Same filtering capabilities as network firewall

 Filter may also distinguish between computer programs

(8)

field

customer or

FIREWALLS

 What protocol level?

(9)

field

customer or

NETWORK LEVEL FIREWALLS

 Filter on IP header fields

– Source IP address

(10)

field

customer or

TRANSPORT LEVEL FIREWALLS

 Filters additionally on TCP header fields

– Source Port

– Destination Port

– Flags (SYN, ACK)

(11)

field

customer or

APPLICATION LEVEL FIREWALLS

 Inspects the contents of packets

 May filter certain websites

 Firewall may accept only trusted connections

 Logging of accepted connections is easy

 Performance may be problematic

(12)

field

customer or

(13)

field

customer or

STATELESS FIREWALLS

 Treats each packet in isolation

 Has no memory of previous packets

 For each packet, check firewall rules again

 Easy to implement

 Very efficient

 Can not easily handle protocols that use

random ports

(14)

field

customer or

STATELESS FIREWALLS

action

src

port

dest

port

flags

comment

allow

{our-host}

*

25

Our packets to their SMTP port

allow

*

25 *

*

ACK

Their replies

action

src

port

dest

port

flags

comment

allow

{our-host}

*

Our outgoing calls

allow

*

ACK

Replies to our calls

allow

*

>1024

Traffic to non servers

action

src

port

dest

port

flags

comment

deny

{ATTACK}

*

Deny traffic from

(15)

field

customer or

STATEFUL FIREWALLS

 Can tell when packets are part of legitimate

sessions originating within a trust network

 Maintain tables containing

– Active connections

 IP addresses

 Ports

 Sequence numbers

(16)

field

customer or

STATEFUL FIREWALLS



IF (packet belongs to an existing “association”)

 THEN {accept packet}

 ELSE {check firewall rules;



IF (packet may pass)



THEN {store “association” in state table}



ELSE {discard packet}}

 Time-out inactive connections

(17)

field

customer or

STATEFUL FIREWALLS

 Associations may be

– TCP connections

– UDP flows

– ICMP request/response pairs

 Stateful firewalls can, for example, be

configured to

– Allow “associations” initiated by internal systems

– Deny “associations” initiated by external systems

(18)

field

customer or

(19)

field

customer or

NETWORK ADDRESS TRANSLATION

(NAT)

 NAT is a router function where IP addresses are

replaced at the boundary of a private network

 NAT is a method that enables hosts on private

networks to communicate with hosts on the Internet

 A tool in conserving global address space allocations

 Devices inside a local network not explicitly

addressable, visible by outside world

(20)

field

customer or

(21)

field

customer or

TYPES OF NAT

 Four types of NAT exist

– Full cone NAT

– Restricted cone NAT

(22)

field

customer or

FULL CONE NAT

Full cone NAT

Port

IP

(23)

field

customer or

FULL CONE NAT

Full cone NAT

Port

IP

(24)

field

customer or

FULL CONE NAT

Full cone NAT

Port

IP

(25)

field

customer or

FULL CONE NAT

Public Internet

Full cone NAT

Port

IP

(26)

field

customer or

FULL CONE NAT

Public Internet

Full cone NAT

Port

IP

(27)

field

customer or

FULL CONE NAT

Private LAN

Public Internet

Full cone NAT

Port

IP

(28)

field

customer or

RESTRICTED CONE NAT

Restricted cone NAT

Port

IP

(29)

field

customer or

RESTRICTED CONE NAT

Restricted cone NAT

Port

IP

(30)

field

customer or

RESTRICTED CONE NAT

Restricted cone NAT

Port

IP

(31)

field

customer or

RESTRICTED CONE NAT

Public Internet

Restricted cone NAT

Port

IP

(32)

field

customer or

RESTRICTED CONE NAT

Public Internet

Restricted cone NAT

Port

IP

(33)

field

customer or

RESTRICTED CONE NAT

Restricted cone NAT

Port

IP

(34)

field

customer or

RESTRICTED CONE NAT

Public Internet

Restricted cone NAT

Port

IP

(35)

field

customer or

RESTRICTED CONE NAT

Public Internet

Restricted cone NAT

Port

IP

(36)

field

customer or

RESTRICTED CONE NAT

Private LAN

Public Internet

Restricted cone NAT

Port

IP

(37)

field

customer or

PORT RESTRICTED CONE NAT

Port restricted cone NAT

Port

IP

(38)

field

customer or

PORT RESTRICTED CONE NAT

Port restricted cone NAT

Port

IP

(39)

field

customer or

PORT RESTRICTED CONE NAT

Port restricted cone NAT

Port

IP

(40)

field

customer or

PORT RESTRICTED CONE NAT

Public Internet

Port restricted cone NAT

Port

IP

(41)

field

customer or

PORT RESTRICTED CONE NAT

Port restricted cone NAT

Port

IP

Private LAN

Public Internet

(42)

field

customer or

SYMMETRIC NAT

Symmetric NAT

Port

IP

(43)

field

customer or

SYMMETRIC NAT

Symmetric NAT

Port

IP

(44)

field

customer or

SYMMETRIC NAT

Symmetric NAT

Port

IP

(45)

field

customer or

(46)

field

customer or

SYMMETRIC NAT

Symmetric NAT

Port

IP

(47)

field

customer or

(48)

field

customer or

SYMMETRIC NAT

Symmetric NAT

Port

IP

(49)

field

customer or

SYMMETRIC NAT

Symmetric NAT

Port

IP

Private LAN

Public Internet

(50)

field

customer or

(51)

field

customer or

(52)

field

customer or

(53)

field

customer or

(54)

field

customer or

FIREWALLS VS NAT

 Origin of NATs is different from that of firewalls

 In general, NATs do not inspect application data

 NATs can be compared to transport level firewalls

 Like certain firewall configurations, certain type of

(55)

field

customer or

FIREWALL AND NAT TOOLS

 For *nix users (for both firewall and NAT)

– iptables

 For Windows users

(56)

field

customer or

VIRTUALBOX

 A hypervisor

 It can be installed on a number of host operating

systems including

– Linux, OS X, Windows, Solaris and OpenSolaris

 It supports creation and management of guest virtual

machines running versions and derivations of

– Windows, Linux, BSD, OS/2, Solaris and others

(57)

field

customer or

SUMMARY

 Firewall is software that blocks unauthorised network

access

 Firewalls are not a standalone solution

– Combined with anti-virus software and IDS

 Firewalls are effective only if configured correctly

 Use several different firewall configurations to protect a

network

 NAT conceals IP addresses of devices on the internal

network from external locations

(58)

field

customer or

RESOURCES

 Read Chapter 11 of

Network Security Essentials – Applications and

Standards

Fourth Edition

William Stallings

Prentice Hall

ISBN 0-13-706792-5

 Anatomy: A Look Inside Network Address Translators,

available at:

(59)

field

customer or