Firewalls. Outlines: By: Arash Habibi Lashkari July Network Security 06

Academic year: 2021

(1)

Firewalls

Outlines:

• What is a firewall
• Why an organization needs a firewall
• Types of firewalls and technologies
• Deploying a firewall
• What is a VPN

By: Arash Habibi Lashkari, July 2010

1 Network Security – 06

(2)

Introduction

• Computer viruses have become today's headline news
• With the increasing use of the Internet, it has become easier for viruses to spread
• Viruses show us loopholes in software

(3)

What is a Firewall?

• A firewall:
  – Acts as a security gateway between two networks
  – Usually between trusted and untrusted networks (such as between a corporate network and the Internet)

[Figure: Internet – Corporate Network Gateway – Corporate Site]

3 Network Security – 06

(4)

What is a Firewall?

• A firewall:
  – Acts as a security gateway between two networks
  – Tracks and controls network communications
    • Decides whether to pass, reject, encrypt, or log communications (Access Control)

[Figure: Internet – Corporate Network Gateway – Corporate Network / Corporate Site]

(5)

Why Firewalls are Needed

• Prevent attacks from untrusted networks
• Protect data integrity of critical information
• Preserve customer and partner confidence

5 Network Security – 06

(6)

Evolution of Firewalls

[Figure, stacked from newest to oldest: Stateful Inspection – Application Proxy – Packet Filter]

(7)

Packet Filter

• Packets examined at the network layer
• Useful "first line" of defense ‐ commonly deployed on routers
• Simple accept or reject decision model
• No awareness of higher protocol layers

[Figure: OSI stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) on both sides of the filter; the filter operates at the Network layer]

7 Network Security – 06

(8)

Application Gateway or Proxy

• Packets examined at the application layer
• Application/Content filtering possible ‐ prevent FTP "put" commands, for example
• Modest performance
• Scalability limited

[Figure: OSI stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) on both sides of the proxy; the proxy operates at the Application layer]

(9)

Stateful Inspection

• Packets inspected between data link layer and network layer in the OS kernel
• State tables are created to maintain connection context
• Invented by Check Point

[Figure: OSI stacks on both sides of the firewall; the INSPECT Engine sits between Data Link and Network and maintains Dynamic State Tables]

9 Network Security – 06
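The difference between slides 7 and 9, as an added example that is not part of the original deck: a toy stateless packet filter beside a toy stateful inspection engine. The inside prefix, addresses, ports and the rule set are constructed for the illustration.

```python
# Added example, not from the slides: a toy stateless packet filter (slide 7)
# beside a toy stateful inspection engine (slide 9). Prefix, addresses, ports
# and the rule set are constructed for the illustration.
from collections import namedtuple

# src, sport, dst, dport, syn (TCP SYN: set only on a connection's first packet)
Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))
INSIDE = "10.0.0."                 # constructed corporate network prefix
WEB_SERVER = ("203.0.113.10", 80)  # constructed external web server

def stateless_filter(pkt):
    """Accept or reject on the packet alone, with no connection context.
    To let replies to outbound web traffic back in, a stateless rule must
    open high ports from source port 80 for every external host."""
    if pkt.src.startswith(INSIDE) and pkt.dport == 80:
        return "accept"
    if pkt.dst.startswith(INSIDE) and pkt.sport == 80 and pkt.dport > 1023:
        return "accept"  # too broad: anything sent from port 80 gets in
    return "reject"

class StatefulInspector:
    """Keep a state table of connections opened from inside; an inbound
    packet is accepted only as the reverse direction of a tracked entry."""
    def __init__(self):
        self.state = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src.startswith(INSIDE):
            if pkt.syn and pkt.dport == 80:  # new outbound session: record it
                self.state.add(fwd)
            return "accept" if fwd in self.state else "reject"
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if rev in self.state else "reject"

def compare(packets):
    engine = StatefulInspector()
    return ([stateless_filter(p) for p in packets],
            [engine.inspect(p) for p in packets])

# Constructed traffic: inside host opens a web session, server replies, then
# an unrelated outside host sends an unsolicited packet from source port 80.
TRAFFIC = [
    Packet("10.0.0.5", 40000, *WEB_SERVER, syn=True),
    Packet(*WEB_SERVER, "10.0.0.5", 40000),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001),
]
```

The stateless filter lets the third, unsolicited packet through because it matches the broad reply rule; the stateful engine rejects it because no inside host opened that session.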

(10)

Network Address Translation (NAT)

• Converts a network's illegal IP addresses to legal or public IP addresses
  – Hides the true addresses of individual hosts, protecting them from attack

[Figure: Corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind a gateway whose public IP address is 219.22.165.1, connected to the Internet]

(11)

Port Address Translation

[Figure: PAT hiding – inside hosts 10.0.0.2 and 10.0.0.3 both appear on the outside as the single global address 192.168.0.15 when connecting to 172.30.0.50 port 23; their inside source ports (2000, 2001) are remapped to translated ports (49090 shown)]

11 Network Security – 06
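The translation the slide's figure shows, as an added example that is not part of the original deck: a toy hiding-PAT table using the slide's addresses. The port allocator that hands out translated ports starting at 49090 is this example's assumption.

```python
# Added example, not from the slides: a toy Port Address Translation (hiding)
# table using slide 11's addresses: global address 192.168.0.15, inside hosts
# 10.0.0.2 and 10.0.0.3, server 172.30.0.50 port 23. The allocator that hands
# out translated ports starting at 49090 is this example's assumption.
GLOBAL_IP = "192.168.0.15"
FIRST_PORT = 49090

class PatTable:
    def __init__(self):
        self.next_port = FIRST_PORT
        self.out = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> global port
        self.back = {}  # (global port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside-to-outside packet, allocating a port on first use.
        Many inside hosts share the one global address; only the port differs."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (GLOBAL_IP, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Reverse-translate a reply sent to the global address. None means no
        inside host opened such a session, so the packet is dropped: this is
        what hides hosts that never initiated traffic."""
        return self.back.get((dst_port, src_ip, src_port))

def demo():
    """Two inside telnet sessions to the same server, one reply, one stray."""
    pat = PatTable()
    a = pat.outbound("10.0.0.2", 2000, "172.30.0.50", 23)
    b = pat.outbound("10.0.0.3", 2001, "172.30.0.50", 23)
    reply_a = pat.inbound("172.30.0.50", 23, a[1])    # -> ("10.0.0.2", 2000)
    stray = pat.inbound("172.30.0.50", 23, 50000)     # -> None, no session
    return a, b, reply_a, stray
```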

(12)

Personal Firewalls

• Need arises from always-on connections
• Your PC is not protected enough by your OS
• Intrusion detection facilities
• Different levels of security

(13)
(14)

Firewall Deployment

• Corporate Network Gateway
  – Protect internal network from attack
  – Most common deployment point

[Figure: Internet – Corporate Network Gateway – Demilitarized Zone (DMZ) with Public Servers – Corporate Site – Human Resources Network]

(15)

Firewall Deployment

• Corporate Network Gateway
• Internal Segment Gateway
  – Protect sensitive segments (Finance, HR, Product Development)
  – Provide second layer of defense
  – Ensure protection against internal attacks and misuse

[Figure: Internet – Public Servers in the Demilitarized Zone (publicly-accessible servers) – Corporate Site – Internal Segment Gateway in front of the Human Resources Network]

15 Network Security – 06

(16)

Firewall Deployment

• Corporate Network Gateway
• Internal Segment Gateway
• Server‐Based Firewall
  – Protect individual application servers
  – Files protect

[Figure: Internet – Public Servers in the DMZ – Corporate Site – Human Resources Network – Server-Based Firewall on an application server]

(17)

Firewall Deployment

• Hardware appliance based firewall
  – Single platform, software pre‐installed
  – Can be used to support small organizations or branch offices with little IT support
• Software based firewall
  – Flexible platform deployment options
  – Can scale as organization grows

17 Network Security – 06

(18)

Summary

• Firewalls are the foundation of an enterprise security policy
• Stateful Inspection is the leading firewall

(19)

What is a VPN?

• A VPN is a private connection over an open network
• A VPN includes authentication and encryption to protect data integrity and confidentiality

[Figure: Acme Corp Site 1 and Acme Corp Site 2 joined by a VPN across the Internet]

19 Network Security – 06

(20)

Why Use Virtual Private Networks?

• More flexibility
  – Leverage ISP point of presence
  – Use multiple connection types (cable, DSL, T1, T3)
  – Most attacks originate within an organization

(21)

Why Use Virtual Private Networks?

• More flexibility
• More scalability
  – Add new sites, users quickly
  – Scale bandwidth to demand

21 Network Security – 06

(22)

Why Use Virtual Private Networks?

• More flexibility
• More scalability
• Lower costs
  – Reduced frame relay/leased line costs
  – Reduced long distance
  – Reduced equipment costs (modem banks, CSU/DSUs)

(23)

Types of VPNs

• Remote Access VPN
  – Provides access to internal corporate network over the Internet
  – Reduces long distance, modem bank, and technical support costs
  – PAP, CHAP, RADIUS

[Figure: remote user reaching the Corporate Site over the Internet]

23 Network Security – 06

(24)

Types of VPNs

• Remote Access VPN
• Site‐to‐Site VPN
  – Connects multiple offices over Internet
  – Reduces dependencies on frame relay and leased lines

[Figure: Corporate Site and Branch Office connected over the Internet]

(25)

Types of VPNs

• Remote Access VPN
• Site‐to‐Site VPN
• Extranet VPN
  – Provides business partners access to critical information (leads, sales tools, etc.)
  – Reduces transaction and operational costs

[Figure: Corporate Site connected to Partner #1 and Partner #2 over the Internet]

25 Network Security – 06

(26)

Types of VPNs

• Remote Access VPN
• Site‐to‐Site VPN
• Extranet VPN
• Client/Server VPN
  – Protects sensitive internal communications

[Figure: LAN clients, and LAN clients with sensitive data, reaching a Database Server over the Internet]

(27)

Components of a VPN

• Encryption
• Key management
• Message authentication
• Entity authentication

27 Network Security – 06

(28)

Encryption

• Current standards: DES and Triple‐DES
  – Over 20 years in the field
• AES beginning deployment
  – New standard
  – More computationally efficient

[Figure: traffic from Joe's PC to the HR Server is encrypted; all other traffic (Mary's PC, E-Mail Server) is cleartext]

(29)

Key Management

• Public key cryptosystems enable secure exchange of private crypto keys across open networks
• Re‐keying at appropriate intervals
• IKE = Internet Key Exchange protocols
  – Incorporates ISAKMP/Oakley

29 Network Security – 06

(30)

Authentication

• IPsec standards focus on authentication of two network devices to each other
  – IP address/preshared key
  – Digital certificates
• User authentication is added on top if required
  – RADIUS and TACACS+ are the standard protocols for authentication servers
• XAUTH is being added to the standards to address user

(31)

Point to Point Tunneling Protocol

• Layer 2 remote access VPN distributed with Windows product family
  – Addition to Point‐to‐Point Protocol (PPP)
  – Allows multiple Layer 3 Protocols
• Uses proprietary authentication and encryption
• Limited user management and scalability
• Known security vulnerabilities

[Figure: Remote PPTP Client – ISP Remote Access – Internet – PPTP RAS Server – Corporate Network]

(32)

Layer 2 Tunneling Protocol (L2TP)

• Layer 2 remote access VPN protocol
  – Combines and extends PPTP and L2F (Cisco supported protocol)
  – Weak authentication and encryption
  – Does not include packet authentication, data integrity, or key management
  – Must be combined with IPSec for enterprise‐level security

[Figure: Remote L2TP Client – Internet – L2TP Server – Corporate Network]

(33)

Internet Protocol Security (IPSec)

• Layer 3 protocol for remote access, intranet, and extranet VPNs
  – Internet standard for VPNs
  – Provides flexible encryption and message authentication/integrity
  – Includes key management

33 Network Security – 06

(34)

Components of an IPSec VPN

• Encryption: DES, 3DES, and more
• Message Authentication: HMAC‐MD5, HMAC‐SHA‐1, or others
• Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE
• Key Management: Internet Key Exchange
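The message-authentication component above, as an added example that is not part of the original deck: an HMAC-SHA-1 Integrity Check Value truncated to 96 bits as IPsec's HMAC-SHA1-96 transform does, with the receiver's anti-replay check in front of it. The key, sequence numbers and payloads are constructed.

```python
# Added example, not from the slides: the message-authentication component of
# slide 34 worked through with HMAC-SHA-1. IPsec's HMAC-SHA1-96 transform keeps
# the first 96 bits (12 bytes) of the tag as the Integrity Check Value (ICV).
# Key, sequence numbers and payloads below are constructed for the example.
import hmac
import hashlib

ICV_LEN = 12  # 96-bit truncation used by HMAC-SHA1-96

def icv(key, seq, payload):
    """ICV over the 32-bit sequence number and the (already encrypted) payload."""
    mac = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]

def verify(key, seq, payload, tag):
    """Constant-time compare: a wrong key, changed payload or altered sequence
    number all make the check fail."""
    return hmac.compare_digest(icv(key, seq, payload), tag)

class ReplayWindow:
    """Receiver-side anti-replay state: a sequence number already seen, or too
    far behind the highest accepted one, is rejected before the ICV check."""
    def __init__(self, size=64):
        self.size, self.seen, self.highest = size, set(), 0

    def is_fresh(self, seq):
        return seq not in self.seen and seq + self.size > self.highest

    def mark(self, seq):
        self.seen.add(seq)
        self.highest = max(self.highest, seq)

def receive(key, window, seq, payload, tag):
    """Receive path: replay check, ICV check, then advance the window, so a
    forged packet can never move the window."""
    if not window.is_fresh(seq):
        return "replayed"
    if not verify(key, seq, payload, tag):
        return "bad icv"
    window.mark(seq)
    return "ok"

def demo():
    key = b"constructed-sa-key"  # in practice negotiated by IKE (slide 29)
    win, payload = ReplayWindow(), b"encrypted telnet bytes"
    tag = icv(key, 1, payload)
    return (receive(key, win, 1, payload, tag),          # "ok"
            receive(key, win, 1, payload, tag),          # "replayed"
            receive(key, win, 2, b"tampered", tag),      # "bad icv"
            receive(key, win, 3, payload, icv(b"other", 3, payload)))  # "bad icv"
```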

(35)

Encryption Explained

• Used to convert data to a secret code for transmission over an untrusted network

[Figure: Clear Text "The cow jumped over the moon" → Encryption Algorithm → Encrypted Text "4hsd4e3mjvd3sd a1d38esdf2w4d" → Clear Text]

35 Network Security – 06

(36)

Symmetric Encryption

• Same key used to encrypt and decrypt message
• Faster than asymmetric encryption
• Examples: DES, 3DES, RC5, Rijndael

[Figure: the same Shared Secret Key held at both ends]

(37)

Asymmetric Encryption

• Different keys used to encrypt and decrypt message (One public, one private)
• Examples include RSA, DSA, SHA‐1, MD‐5

[Figure: Bob encrypts with Alice's Public Key; Alice decrypts with Alice's Private Key]

37 Network Security – 06

(38)

Secure Virtual Network Architecture

[Figure: Extranet Partner Site with IPSec-compliant Gateway; Partner Site with VPN-1 SecuRemote & RSA SecurID; Remote Users over Dial-up and Broadband with VPN-1 SecureClient & RSA SecurID; Corporate Network with VPN-1/FireWall-1 & StoneBeat Security Cluster, FireWall-1 Gateway & StoneBeat FullCluster, RSA ACE/Server, RSA Advanced PKI, LDAP Directory, Trend InterScan / WebManager / eManager, VPN-1 SecureServer, FloodGate-1 QoS, ConnectControl Server Load Balancing, ISS RealSecure Intrusion Detection, VPN-1 Accelerator Card, RSA ACE/Agent, Extranet Application Server, Router, Enterprise Management Console]

(39)

Questions

Lab 3

Install Kool Firewall, capture the packets, and kill the suspicious packets

39 Network Security – 06
