8/7/2019 Firewall Technologies & Architecture
http://slidepdf.com/reader/full/firewall-technologies-architecture 1/31
By
Hafiz Muhammad Usman
L1F09MSCS0015
Firewall
A firewall is a part of a computer system or network that is
designed to block unauthorized access while permitting
authorized communications.
Firewall Technologies
The wide range of firewall technologies includes:
o Personal firewalls
o Packet filters
o Network Address Translation (NAT) firewalls
o Circuit-level firewalls
o Proxy firewalls
o Stateful firewalls
o Transparent firewalls
o Virtual firewalls
Personal Firewalls
o Designed to protect a single host.
o Acts as a hardened shell around the host system, whether it is a server, desktop, or laptop.
o Outbound traffic is generally permitted, while inbound traffic requires inspection.
o Includes various profiles that accommodate the typical traffic a system might see.
Packet Filtering Firewall
o Filters traffic based on simple packet characteristics.
o Examines the IP packet header, the source and destination IP addresses, and the port combinations, then applies filtering rules.
o Packet filtering is fast, flexible, transparent and cheap.
o Most routers provide packet filtering capabilities and do not require powerful hardware.
o IP addresses can be spoofed, so packet filtering is not sufficient on its own.
o Stateless, so it cannot inspect outbound traffic and dynamically generate rules permitting the return traffic of an outbound flow.
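The stateless limitation above, as an added example (not from the slides): a toy packet filter that only sees one header at a time, beside a stateful variant that records outbound flows and admits their replies. Addresses, ports and the "inside" prefix are constructed.

```python
from dataclasses import dataclass

INSIDE_NET = "192.168.1."            # assumed internal address prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False                # first packet of a TCP connection


def stateless_filter(pkt: Packet, allow_return: bool = False) -> bool:
    """Looks only at the header of this one packet; keeps no memory of earlier packets."""
    if pkt.src_ip.startswith(INSIDE_NET):
        return pkt.dst_port in (80, 443)          # inside -> web only
    # The only stateless way to admit replies is a static hole for source port 80/443,
    # which also admits anything an outside host chooses to send from that port.
    return allow_return and pkt.src_port in (80, 443)


class StatefulFilter:
    """Same static rule, plus a connection table that admits replies to flows it saw leave."""

    def __init__(self) -> None:
        self.table = set()            # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def check(self, pkt: Packet) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.table:                 # reply to an allowed outbound flow
            return True
        if pkt.syn and stateless_filter(pkt):     # new outbound flow: record it
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


def demo() -> dict:
    # Constructed traffic: one outbound request, its reply, and an unsolicited outside packet.
    out = Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000)
    unsolicited = Packet("203.0.113.5", 80, "192.168.1.10", 40001, syn=True)
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (out, reply, unsolicited)],
        "stateless_with_hole": [stateless_filter(p, True) for p in (out, reply, unsolicited)],
        "stateful": [stateful.check(p) for p in (out, reply, unsolicited)],
    }
```

The stateless filter either blocks the legitimate reply or, with the static hole, also lets the unsolicited packet through; only the connection table distinguishes the two.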
Packet Filtering Firewall
Network Address Translation (NAT)
o The basic purpose of NAT is to multiplex traffic from an internal network and present it to a wider network.
o Only allows connections that originate from the inside of the firewall.
o Stateful: maps the addresses of internal systems to an external address.
o The ability to place an entire network behind a single IP address is based on the mapping of port numbers on the NAT firewall.
Table. Network Address Translation
Source IP     Source Port   NAT IP          NAT Port   Destination IP   Destination Port
192.168.1.1   3844          172.28.230.55   3844       10.100.100.44    80
192.168.1.2   4687          172.28.230.55   4687       10.100.100.44    80
192.168.1.1   4687          172.28.230.55   63440      10.100.100.44    80
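The port mapping in the table, as an added example (not from the slides): a toy port-address-translation table that keeps the inside source port on the NAT address when it is free and remaps it on collision, which is what produces the third row. The remap pool starting at 63440 is an assumption chosen to match the table; it also shows that an inbound packet with no slot opened from inside has nowhere to go.

```python
NAT_IP = "172.28.230.55"         # the single external address from the table


class PatTable:
    """Maps inside (ip, port) pairs onto ports of NAT_IP and back."""

    def __init__(self, nat_ip: str = NAT_IP, pool_start: int = 63440) -> None:
        self.nat_ip = nat_ip
        self.next_port = pool_start   # assumed remap pool, chosen to match the table
        self.outbound = {}            # (src_ip, src_port, dst_ip, dst_port) -> nat_port
        self.inbound = {}             # (nat_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection: pick the NAT port and record the slot."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.outbound:                       # existing flow keeps its slot
            return self.nat_ip, self.outbound[key]
        ports_in_use = {nat_port for nat_port, _, _ in self.inbound}
        if src_port in ports_in_use:                   # collision: remap to the pool
            nat_port, self.next_port = self.next_port, self.next_port + 1
        else:
            nat_port = src_port                        # source port is free, keep it
        self.outbound[key] = nat_port
        self.inbound[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.nat_ip, nat_port

    def translate_in(self, nat_port, from_ip, from_port):
        """Packet arriving at NAT_IP:nat_port from from_ip:from_port; None if no slot exists."""
        return self.inbound.get((nat_port, from_ip, from_port))


def demo():
    """Replays the three rows of the table and one unsolicited inbound packet."""
    pat = PatTable()
    rows = [("192.168.1.1", 3844), ("192.168.1.2", 4687), ("192.168.1.1", 4687)]
    mapped = [pat.translate_out(ip, port, "10.100.100.44", 80)[1] for ip, port in rows]
    replies = [pat.translate_in(p, "10.100.100.44", 80) for p in mapped]
    unsolicited = pat.translate_in(22, "198.51.100.9", 5555)   # no inside host opened this
    return mapped, replies, unsolicited
```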
Circuit-level Gateways
o Work at the session layer of the OSI model and monitor the "handshaking" between packets to decide whether the traffic is legitimate.
o Traffic to a remote computer is modified to make it appear as though it originated from the circuit-level firewall.
o This modification is useful in hiding information about a protected network.
o The drawback is that it does not filter individual packets in a given connection.
Proxy Firewall
o Operates at the application layer.
o A proxy firewall forces all client applications on workstations protected by the firewall to use the firewall itself as a gateway. The firewall then authorizes each packet for each protocol differently.
o Acts as an intermediary between two end systems.
o Proxy server firewalls have large processor and memory requirements in order to support many simultaneous users.
o To support various services, the proxy firewall must have a specific service running for each protocol, e.g. an FTP proxy for file transfers.
o Proxy firewalls can look much more deeply into the packets of a connection and apply additional rules.
o Disadvantages are delay, complex configuration and reduced speed.
o Finally, if there is no specific proxy service for a particular network application, that application cannot be placed behind the firewall.
Stateful Firewalls
o Modern stateful firewalls combine aspects and capabilities of NAT firewalls, circuit-level firewalls, and proxy firewalls into one system.
o These firewalls filter traffic initially based on packet characteristics, like the packet-filtering firewall, but also include session checks to make sure that the specific session is allowed.
o They include proxy-filtering aspects by inspecting the application layer data as well, through the use of specific services, e.g. the fixup command in PIX OS 6.
Transparent Firewalls
o Transparent firewalls sit at Layer 2, the data link layer, and monitor Layer 3+ traffic.
o Apply packet-filtering rules.
o Appear invisible to the end user and to an attacker, so cannot be attacked.
The benefits of a transparent firewall:
o Zero configuration
o Performance
o Stealth
Lower overhead enables them to provide better performance as well as deeper packet inspection.
Virtual Firewalls
o Multiple logical firewalls running on a single physical device.
o This arrangement allows multiple networks to be protected, each by a unique firewall running a unique security policy.
o Service providers do so by defining separate security domains, each controlled by a separate logical virtual firewall.
o Available only in higher-end firewalls because of the memory requirements and CPU capabilities needed for each virtual firewall.
Demilitarized Zones
A demilitarized zone (DMZ) isolates hosts which are
accessible from outside the network (e.g. a web server
or FTP server) from internal servers. The external hosts
are placed in a separate network zone, on a separate
adapter, connected to the firewall. This creates the
DMZ. This is easily achieved with a firewall with three
or more interfaces.
All traffic between zones, and all traffic from the
Internet to all zones, is checked by the firewall.
In this way, each zone is isolated, and the systems in
each zone only trust other systems within the same
zone.
Single-Firewall Architectures
The single-firewall architecture is simpler because it relies on a single firewall device to filter and control the flow of traffic.
With a single firewall implementation, there are different designs:
o Internet firewall with a single DMZ
o Internet firewall with multiple DMZs
o Internet-screening firewall (no DMZ)
Internet Firewall with a Single DMZ
Internet Firewall with Multiple DMZs
Internet-Screening Firewall (No DMZ)
o Prevents external hosts from initiating connections to any protected resource.
o Filters and restricts traffic from internal hosts to external resources, typically through the use of content-filtering software such as Websense or SurfControl.
o Internet-screening firewalls are also frequently implemented for remote office scenarios, because it is relatively rare that a remote office contains resources that need to be accessed from external sources.
Dual-Firewall Architectures
PIX/ASA firewall
The PIX/ASA is a powerful stateful packet-inspection firewall with some basic application-inspection capabilities.
Cisco PIX Firewall and ASA models:
o SOHO solution, e.g. PIX 501
o Medium- to large-office solution, e.g. PIX 515E
o Enterprise office and service provider solution
Firewall Security Policy
PIX implements a combination of the following elements to assist in making filtering decisions:
o Separate the network into zones based on security levels
o Use ACLs to permit or deny traffic
o Apply Network Address Translation (NAT)
o Apply authentication, authorization, and accounting (AAA) for through traffic
o Apply web or FTP filtering
Additional Features of ASA
o Use the AIP SSM to perform deep packet inspection on the data.
o Use the CSC SSM to perform threat protection and content control for antivirus, antispyware, antispam, antiphishing, URL blocking, content filtering, and file blocking.
o Apply QoS policies to give priority to certain types of network traffic.
Firewall Modes of Operation
o Router mode
o Transparent mode
Stateful inspection is performed through the Cisco adaptive security algorithm (ASA). The ASA uses a stateful approach to security: every inbound packet is checked exhaustively against the ASA and against connection state information in memory.
ASA Algorithm
o Allow any traffic connections that originate from the inside, higher-security network to an external, lower-security network unless specifically denied by an ACL.
o Allow any traffic for which application inspection has been configured and the traffic has been determined to be acceptable.
o Drop and log attempts to initiate connections to a translation slot from the outside unless there is an ACL that permits that connection.
o Drop and log source-routed IP packets.
o Deny all ICMP traffic from lower-security interfaces through the firewall unless explicitly permitted.
o Permit all ICMP traffic to the firewall itself.
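The decision rules above, as an added example (not from the slides and not Cisco's code): a simplified model of the security-level, ACL, translation-slot, source-route and ICMP rules applied to constructed packets. The interface levels 100 (inside) and 0 (outside), the ACL tuple format and the sample addresses are assumptions; the application-inspection rule is left out to keep the model short.

```python
from dataclasses import dataclass, field

SECURITY = {"inside": 100, "outside": 0}   # assumed interface security levels

@dataclass(frozen=True)
class Pkt:
    in_if: str                   # ingress interface
    out_if: str                  # egress interface
    proto: str                   # "tcp", "udp" or "icmp"
    dst: str
    dst_port: int = 0
    source_routed: bool = False  # IP source-route option present
    to_firewall: bool = False    # addressed to the firewall itself

@dataclass
class Asa:
    acl: list = field(default_factory=list)   # (action, proto, in_if, dst_port; 0 = any port)
    xlate: set = field(default_factory=set)   # (ip, port) translation slots held by inside hosts
    log: list = field(default_factory=list)

    def acl_action(self, p):
        for action, proto, in_if, port in self.acl:   # first matching entry on the ingress interface
            if in_if == p.in_if and proto in (p.proto, "any") and port in (p.dst_port, 0):
                return action
        return None

    def decide(self, p):
        if p.source_routed:
            self.log.append(f"drop: source-routed packet to {p.dst}")
            return "drop"
        if p.proto == "icmp" and p.to_firewall:
            return "permit"                          # ICMP to the firewall itself
        action = self.acl_action(p)
        if SECURITY[p.in_if] > SECURITY[p.out_if]:   # higher -> lower security
            return "drop" if action == "deny" else "permit"
        if action == "permit":                       # lower -> higher needs an explicit permit
            return "permit"
        slot = "translation slot " if (p.dst, p.dst_port) in self.xlate else ""
        self.log.append(f"drop: {p.proto} from {p.in_if} to {slot}{p.dst}:{p.dst_port}")
        return "drop"

def demo():
    # constructed packets against an ACL that opens only TCP/80 from the outside
    asa = Asa(acl=[("permit", "tcp", "outside", 80)], xlate={("172.28.230.55", 80), ("172.28.230.55", 22)})
    packets = [Pkt("inside", "outside", "tcp", "203.0.113.5", 443),
               Pkt("outside", "inside", "tcp", "172.28.230.55", 80),
               Pkt("outside", "inside", "tcp", "172.28.230.55", 22),
               Pkt("outside", "inside", "icmp", "172.28.230.55"),
               Pkt("outside", "inside", "icmp", "172.28.230.55", to_firewall=True),
               Pkt("inside", "outside", "tcp", "203.0.113.5", 25, source_routed=True)]
    return [asa.decide(p) for p in packets], asa.log
```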
Cisco PIX ASA Operation