Firewalls
Outlines:
• What is a firewall
• Why an organization needs a firewall
• Types of firewalls and technologies
• Deploying a firewall
• What is a VPN
By: Arash Habibi Lashkari, July 2010
1 Network Security – 06
Introduction
• Computer viruses have become today's headline news
• With the increasing use of the Internet, it has become easier for viruses to spread
• Viruses show us loopholes in software
What is a Firewall?
• A firewall:
  – Acts as a security gateway between two networks
    • Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
(Figure: Internet, Corporate Network Gateway, Corporate Site)
What is a Firewall?
• A firewall:
  – Acts as a security gateway between two networks
  – Tracks and controls network communications
    • Decides whether to pass, reject, encrypt, or log communications (Access Control)
(Figure: Internet, Corporate Network Gateway, Corporate Site)
Why Firewalls are Needed
• Prevent attacks from untrusted networks
• Protect data integrity of critical information
• Preserve customer and partner confidence
Evolution of Firewalls
• Packet Filter
• Application Proxy
• Stateful Inspection
Packet Filter
• Packets examined at the network layer
• Useful "first line" of defense ‐ commonly deployed on routers
• Simple accept or reject decision model
• No awareness of higher protocol layers
(Figure: OSI layer stacks of the two hosts and the filter; the packet filter operates at the Network layer only)
Application Gateway or Proxy
• Packets examined at the application layer
• Application/Content filtering possible ‐ prevent FTP "put" commands, for example
• Modest performance
• Scalability limited
(Figure: OSI layer stacks of the two hosts and the proxy; the proxy operates up to the Application layer)
Stateful Inspection
• Packets inspected between data link layer and network layer in the OS kernel
• State tables are created to maintain connection context
• Invented by Check Point
(Figure: OSI layer stacks with the INSPECT Engine and Dynamic State Tables sitting between the Data Link and Network layers)
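The two slides above describe the difference between a packet filter (a stateless accept/reject decision on header fields) and stateful inspection (a state table that remembers connections). The following added example, which is not from the lecture and not any vendor's engine, puts a minimal version of each side by side. All addresses, ports and rules are constructed; the internal prefix 192.172.1. is borrowed from the NAT slide later in the deck. The point it shows: a stateless filter that must let web replies back in has to accept any inbound packet with source port 80, whereas the stateful engine accepts a reply only when the matching outbound connection is in its state table.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: the fields a packet filter can see."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN: set on the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    """Stateless rule; a field left as None is a wildcard."""
    action: str                      # "accept" or "reject"
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dst_prefix is None or p.dst.startswith(self.dst_prefix))
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


INTERNAL = "192.172.1."   # constructed LAN prefix


def stateless_filter(rules, p: Packet, default: str = "reject") -> str:
    """Packet filter: first matching rule wins, otherwise the default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulInspector:
    """Stateful inspection: policy is consulted only for new connections;
    replies are matched against the state table instead of the rule base."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # entries: (src, sport, dst, dport, proto)

    def inspect(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward in self.state or reverse in self.state:
            return "accept"            # part of a connection we already track
        if p.syn and stateless_filter(self.rules, p) == "accept":
            self.state.add(forward)    # new connection allowed by policy
            return "accept"
        return "reject"                # unsolicited or not allowed by policy


def run_demo():
    """Returns the decision each engine makes for three constructed packets."""
    outbound = Packet("192.172.1.10", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "192.172.1.10", 40000)
    unsolicited = Packet("198.51.100.7", 80, "192.172.1.20", 445)  # not a reply

    # Stateless: to let the reply in, an inbound rule keyed on source port 80
    # is needed, and that rule also matches the unsolicited packet.
    stateless_rules = [Rule("accept", src_prefix=INTERNAL, dport=80),
                       Rule("accept", dst_prefix=INTERNAL, sport=80)]
    # Stateful: only the outbound policy is needed; replies come from the table.
    stateful = StatefulInspector([Rule("accept", src_prefix=INTERNAL, dport=80)])

    return {
        "stateless": [stateless_filter(stateless_rules, p) for p in (outbound, reply, unsolicited)],
        "stateful": [stateful.inspect(p) for p in (outbound, reply, unsolicited)],
    }
```

Running run_demo() gives "accept" for all three packets from the stateless filter and ["accept", "accept", "reject"] from the stateful engine: the third packet has no connection context, so the state table, not the rule base, is what keeps it out.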
Network Address Translation (NAT)
• Converts a network's illegal IP addresses to legal or public IP addresses
  – Hides the true addresses of individual hosts, protecting them from attack
(Figure: Corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind a gateway whose public IP address is 219.22.165.1, connected to the Internet)
Port Address Translation — Hiding
PAT Global address: 192.168.0.15

Inside host   Inside port   PAT global address   PAT global port   Destination    Destination port
10.0.0.2      2000          192.168.0.15         49090             172.30.0.50    23
10.0.0.3      2001          192.168.0.15         49090             172.30.0.50    23
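The PAT table above is the whole mechanism: the translator rewrites the inside source address and port to the single global address and a global port it allocates, records the mapping, and on the way back uses the global port to find the inside host again. The following added example (not from the lecture, not a vendor implementation) carries that through with the slide's addresses. It allocates the next free global port for every new inside flow starting at 49090, and it drops inbound packets that do not match a recorded mapping or that come from a peer other than the one the inside host contacted; that drop is the "hiding" property the slide refers to.

```python
class PortAddressTranslator:
    """Minimal PAT: many inside (ip, port) pairs share one global address."""

    def __init__(self, global_ip, first_port=49090):
        self.global_ip = global_ip
        self.next_port = first_port
        # global port -> (inside_ip, inside_port, dst_ip, dst_port)
        self.table = {}
        # (inside_ip, inside_port, dst_ip, dst_port) -> global port
        self.by_flow = {}

    def outbound(self, inside_ip, inside_port, dst_ip, dst_port):
        """Translate an inside-to-outside packet; returns the new source (ip, port)."""
        flow = (inside_ip, inside_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            gport = self.next_port
            self.next_port += 1
            self.table[gport] = flow
            self.by_flow[flow] = gport
        return self.global_ip, self.by_flow[flow]

    def inbound(self, global_port, src_ip, src_port):
        """Translate an outside-to-inside packet; returns (inside_ip, inside_port)
        or None when the packet must be dropped."""
        entry = self.table.get(global_port)
        if entry is None:
            return None                         # no mapping: unsolicited, dropped
        inside_ip, inside_port, dst_ip, dst_port = entry
        if (src_ip, src_port) != (dst_ip, dst_port):
            return None                         # reply from the wrong peer, dropped
        return inside_ip, inside_port


def run_demo():
    """Replays the slide's two telnet sessions through the translator."""
    pat = PortAddressTranslator("192.168.0.15")
    out1 = pat.outbound("10.0.0.2", 2000, "172.30.0.50", 23)
    out2 = pat.outbound("10.0.0.3", 2001, "172.30.0.50", 23)
    return {
        "host1_translated_to": out1,                       # ('192.168.0.15', 49090)
        "host2_translated_to": out2,                       # ('192.168.0.15', 49091)
        "reply_for_host1": pat.inbound(49090, "172.30.0.50", 23),
        "reply_from_other_peer": pat.inbound(49090, "198.51.100.9", 23),
        "unsolicited_inbound": pat.inbound(60000, "198.51.100.9", 23),
    }
```

The translator needs a distinct global port per inside flow because that port is the only thing the returning packet carries that identifies the inside host; two flows sharing 49090 could not be told apart on the way back.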
Personal Firewalls
• Need arises from always-on connections
• Your PC is not protected enough by your OS
• Intrusion detection facilities
• Different levels of security
Firewall Deployment
• Corporate Network Gateway
  – Protect internal network from attack
  – Most common deployment point
• Internal Segment Gateway
  – Protect sensitive segments (Finance, HR, Product Development)
  – Provide second layer of defense
  – Ensure protection against internal attacks and misuse
• Server‐Based Firewall
  – Protect individual application servers
  – Protect files
(Figure: Internet, Corporate Network Gateway, Demilitarized Zone (DMZ) holding the publicly-accessible Public Servers, Corporate Site, Internal Segment Gateway in front of the Human Resources Network, Server-Based Firewall on an application server)
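The deployment slide describes the corporate gateway, the DMZ and an internal segment gateway as layers: a connection is allowed only if every gateway on its path allows it. The following added example (not from the lecture) models that topology as a small graph with the gateways as nodes, gives each gateway its own allow-list, and evaluates a connection by walking the path and asking every gateway on it. Zone names, ports and policies are constructed. It shows why the segment gateway is a second layer: a connection from the DMZ toward the HR network is stopped at the corporate gateway, and a connection from the corporate LAN to HR on a port other than the one HR publishes is stopped at the segment gateway even though the corporate gateway never sees it.

```python
from collections import deque

# Constructed topology: zones and gateways as nodes of an undirected graph.
LINKS = {
    "internet":  {"corp_gw"},
    "corp_gw":   {"internet", "dmz", "corporate"},
    "dmz":       {"corp_gw"},
    "corporate": {"corp_gw", "hr_gw"},
    "hr_gw":     {"corporate", "hr"},
    "hr":        {"hr_gw"},
}

# Each gateway's allow-list: (source zone, destination zone, destination port).
# None as the port means any port. Anything not listed is denied.
POLICY = {
    "corp_gw": {
        ("internet", "dmz", 80), ("internet", "dmz", 443),   # public servers only
        ("corporate", "internet", None),                      # users browse out
        ("corporate", "dmz", None),                           # staff manage DMZ hosts
    },
    "hr_gw": {
        ("corporate", "hr", 443),                             # HR web application only
        ("hr", "corporate", None),
    },
}


def path(src, dst):
    """Breadth-first search; returns the list of nodes from src to dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            route = []
            while node is not None:
                route.append(node)
                node = prev[node]
            return route[::-1]
        for nxt in LINKS[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def gateway_allows(gateway, src, dst, dport):
    return any(s == src and d == dst and (p is None or p == dport)
               for s, d, p in POLICY[gateway])


def evaluate(src, dst, dport):
    """Returns ("allow", None) or ("deny", <first gateway that denied>)."""
    route = path(src, dst)
    if route is None:
        return ("deny", "no route")
    for node in route:
        if node in POLICY and not gateway_allows(node, src, dst, dport):
            return ("deny", node)
    return ("allow", None)


def run_demo():
    """Evaluates the connections a practitioner would check after deploying this design."""
    return {
        "public_web":        evaluate("internet", "dmz", 443),
        "internet_to_hr":    evaluate("internet", "hr", 443),
        "dmz_to_hr_db":      evaluate("dmz", "hr", 1433),
        "staff_to_hr_app":   evaluate("corporate", "hr", 443),
        "staff_to_hr_ssh":   evaluate("corporate", "hr", 22),
        "hr_to_corporate":   evaluate("hr", "corporate", 5000),
    }
```

Each denial names the gateway that produced it, which is what you want when checking a design: a connection that should have been stopped earlier than it was points at a missing rule on the outer gateway.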
Firewall Deployment
• Hardware appliance based firewall
  – Single platform, software pre‐installed
  – Can be used to support small organizations or branch offices with little IT support
• Software based firewall
  – Flexible platform deployment options
  – Can scale as organization grows
Summary
• Firewalls are the foundation of an enterprise security policy
• Stateful Inspection is the leading firewall technology
What is a VPN?
• A VPN is a private connection over an open network
• A VPN includes authentication and encryption to protect data integrity and confidentiality
(Figure: Acme Corp Site 1 and Acme Corp Site 2 connected by a VPN across the Internet)
Why Use Virtual Private Networks?
• More flexibility
  – Leverage ISP point of presence
  – Use multiple connection types (cable, DSL, T1, T3)
  – Most attacks originate within an organization
• More scalability
  – Add new sites, users quickly
  – Scale bandwidth to demand
• Lower costs
  – Reduced frame relay/leased line costs
  – Reduced long distance
  – Reduced equipment costs (modem banks, CSU/DSUs)
Types of VPNs
• Remote Access VPN
  – Provides access to internal corporate network over the Internet
  – Reduces long distance, modem bank, and technical support costs
  – PAP, CHAP, RADIUS
  (Figure: remote users reaching the Corporate Site across the Internet)
• Site‐to‐Site VPN
  – Connects multiple offices over Internet
  – Reduces dependencies on frame relay and leased lines
  (Figure: Corporate Site and Branch Office connected across the Internet)
• Extranet VPN
  – Provides business partners access to critical information (leads, sales tools, etc)
  – Reduces transaction and operational costs
  (Figure: Partner #1 and Partner #2 connected to the Corporate Site across the Internet)
• Client/Server VPN
  – Protects sensitive internal communications
  (Figure: LAN clients with sensitive data connected to a Database Server across the Internet)
Components of a VPN
• Encryption
• Key management
• Message authentication
• Entity authentication
Encryption
• Current standards: DES and Triple‐DES
  – Over 20 years in the field
• AES beginning deployment
  – New standard
  – More computationally efficient
(Figure: traffic from Joe's PC to the HR Server is encrypted; all other traffic, such as Mary's PC to the E-Mail Server, is cleartext)
Key Management
• Public key cryptosystems enable secure exchange of private crypto keys across open networks
• Re‐keying at appropriate intervals
• IKE = Internet Key Exchange protocols
  – Incorporates ISAKMP/Oakley
Authentication
• IPsec standards focus on authentication of two network devices to each other
  – IP address/preshared key
  – Digital certificates
• User authentication is added on top if required
  – RADIUS and TACACS+ are the standard protocols for authentication servers
• XAUTH is being added to the standards to address user
Point‐to‐Point Tunneling Protocol
• Layer 2 remote access VPN distributed with Windows product family
  – Addition to Point‐to‐Point Protocol (PPP)
  – Allows multiple Layer 3 Protocols
• Uses proprietary authentication and encryption
• Limited user management and scalability
• Known security vulnerabilities
(Figure: Remote PPTP Client, ISP Remote Access, Internet, PPTP RAS Server, Corporate Network)
Layer 2 Tunneling Protocol (L2TP)
• Layer 2 remote access VPN protocol
  – Combines and extends PPTP and L2F (Cisco supported protocol)
  – Weak authentication and encryption
  – Does not include packet authentication, data integrity, or key management
  – Must be combined with IPSec for enterprise‐level security
(Figure: Remote L2TP Client, Internet, L2TP Server, Corporate Network)
Internet Protocol Security (IPSec)
• Layer 3 protocol for remote access, intranet, and extranet VPNs
  – Internet standard for VPNs
  – Provides flexible encryption and message authentication/integrity
  – Includes key management
Components of an IPSec VPN
• Encryption: DES, 3DES, and more
• Message Authentication: HMAC‐MD5, HMAC‐SHA‐1, or others
• Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE
• Key Management: Internet Key Exchange
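The Key Management slide (public-key exchange of a private key over an open network, re-keying at intervals) and the Message Authentication row of the table above fit together in one working example. The block below is added here; it is not from the lecture and not IKE or any IPsec implementation. It runs a Diffie-Hellman exchange with a toy modulus (2**127 - 1, a Mersenne prime chosen for the example, not an IKE group), derives a key from the shared secret, authenticates each message with HMAC-SHA-1 over a sequence number and the payload, verifies with a constant-time compare, rejects replays by sequence number, and re-keys after a constructed message count. Everything that crosses the "network" is the two public values, the nonce, and the authenticated messages.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example (NOT an IKE group).
P = 2**127 - 1          # Mersenne prime; large enough that two runs never collide here
G = 3
REKEY_AFTER = 3         # constructed re-key interval in messages (real policies use time or bytes)


def dh_keypair():
    """Private exponent x and the public value g^x mod p that is sent in the clear."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(shared_secret, nonce):
    """Turn the DH shared secret into a fixed-size MAC key (SHA-256 as a simple KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big") + nonce).digest()


def key_exchange():
    """One exchange between two peers; returns the key each side derived (must match)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    nonce = secrets.token_bytes(16)
    key_a = derive_key(pow(b_pub, a_priv, P), nonce)   # A uses B's public value
    key_b = derive_key(pow(a_pub, b_priv, P), nonce)   # B uses A's public value
    return key_a, key_b


def mac(key, seq, payload):
    """HMAC-SHA-1 over sequence number and payload (one of the slide's options)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, payload):
        self.seq += 1
        return self.seq, payload, mac(self.key, self.seq, payload)

    def needs_rekey(self):
        return self.seq >= REKEY_AFTER


class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def receive(self, seq, payload, tag):
        """Accept only a fresh sequence number with a tag that verifies."""
        if seq <= self.last_seq:
            return False                     # replayed or out-of-order message
        if not hmac.compare_digest(mac(self.key, seq, payload), tag):
            return False                     # forged or modified in transit
        self.last_seq = seq
        return True


def demo():
    """Exercises the exchange, authentication, replay check and re-keying."""
    key_a, key_b = key_exchange()
    tx, rx = Sender(key_a), Receiver(key_b)
    results = {"keys_match": key_a == key_b}
    seq, payload, tag = tx.send(b"payroll update")
    results["genuine_accepted"] = rx.receive(seq, payload, tag)
    results["tampered_rejected"] = not Receiver(key_b).receive(seq, b"payroll updatX", tag)
    results["replay_rejected"] = not rx.receive(seq, payload, tag)
    for _ in range(REKEY_AFTER - 1):
        tx.send(b"more traffic")
    results["rekey_due"] = tx.needs_rekey()
    key_a2, _ = key_exchange()               # fresh exponents give a fresh key
    results["new_key_differs"] = key_a2 != key_a
    return results
```

Two details carry the security: the sequence number is inside the HMAC input, so an attacker cannot move a valid tag onto a later message, and the comparison uses hmac.compare_digest rather than ==, so verification time does not leak how many tag bytes matched.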
Encryption Explained
• Used to convert data to a secret code for transmission over an untrusted network
(Figure: Clear Text "The cow jumped over the moon" → Encryption Algorithm → Encrypted Text "4hsd4e3mjvd3sd a1d38esdf2w4d" → Clear Text)
Symmetric Encryption
• Same key used to encrypt and decrypt message
• Faster than asymmetric encryption
• Examples: DES, 3DES, RC5, Rijndael
(Figure: both parties hold the same Shared Secret Key)
Asymmetric Encryption
• Different keys used to encrypt and decrypt message (One public, one private)
• Examples include RSA, DSA, SHA‐1, MD‐5
(Figure: Bob encrypts with Alice's Public Key; Alice decrypts with Alice's Private Key)
Secure Virtual Network Architecture
(Figure: example architecture built from the following components: Corporate Network behind VPN-1/FireWall-1 Gateway & StoneBeat FullCluster; Extranet Partner Site with an IPSec-compliant Gateway; Partner Site with VPN-1 SecuRemote & RSA SecurID; Remote Users over dial-up and broadband with VPN-1 SecureClient & RSA SecurID; RSA ACE/Server, RSA ACE/Agent and RSA Advanced PKI; LDAP Directory; Trend InterScan, WebManager and eManager with StoneBeat Security Cluster; FloodGate-1 QoS; ConnectControl Server Load Balancing; VPN-1 Accelerator Card; VPN-1 SecureServer; ISS RealSecure Intrusion Detection; Extranet Application Server; Router; Enterprise Management Console)
Questions
Lab 3
Install Kool Firewall, capture the packets, and kill the suspicious packets