Firewalls (PowerPoint presentation, uploaded by eitan). The slide text and figure labels follow, one slide per section.
Slide 1: Firewalls (outline)
- Types of Firewalls
- Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance
Slide 2: Figure 5-12: Network Address Translation (NAT)

Components: Client 192.168.5.7 (internal), NAT Firewall, Internet (with a Sniffer on the Internet side), Server Host.

Packet flow:
1. Client to NAT Firewall: From 192.168.5.7, Port 61000
2. NAT Firewall to Server Host: From 60.5.9.8, Port 55380
3. Server Host to NAT Firewall: To 60.5.9.8, Port 55380
4. NAT Firewall to Client: To 192.168.5.7, Port 61000

Translation Table (one row per internal socket):

  Internal IP Addr | Internal Port | External IP Addr | External Port
  192.168.5.7      | 61000         | 60.5.9.8         | 55380
  . . .            | . . .         | . . .            | . . .
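The translation table in Figure 5-12 is easier to reason about when the two lookups it supports are written out: an outbound packet is rewritten to the firewall's external address and a fresh external port (creating a table row if the internal socket is new), and an inbound packet is accepted only if its destination port matches an existing row, otherwise it is dropped. The simulation below is an added example, not code from the slides; the internal socket 192.168.5.7:61000 and the external socket 60.5.9.8:55380 are the figure's values, while the server address 203.0.113.10 and the unsolicited sender 198.51.100.9 are constructed placeholders. The class name NatFirewall and the Packet record are assumptions for the illustration; the example also generalizes the single row in the figure by giving a second internal host its own external port.

```python
"""Simulation of the NAT translation table in Figure 5-12 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Port-translating NAT: many internal sockets share one external address."""

    def __init__(self, external_ip: str, first_port: int = 55380):
        self.external_ip = external_ip
        self.next_port = first_port  # 55380 is the external port shown in the figure
        # Translation table, kept as two indexes over the same rows:
        #   (internal ip, internal port) -> external port   (outbound lookup)
        #   external port -> (internal ip, internal port)   (inbound lookup)
        self.out_table: Dict[Tuple[str, int], int] = {}
        self.in_table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1 -> 2: rewrite the source to the external address and port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            ext_port = self.next_port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return Packet(self.external_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 3 -> 4: map a reply back to the internal socket.

        A packet addressed to an external port with no table row is dropped
        (returns None): no internal host opened that connection, which is
        why NAT alone already blocks unsolicited inbound traffic.
        """
        if pkt.dst_ip != self.external_ip:
            return None
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None
        int_ip, int_port = key
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)

    def table(self) -> List[Tuple[str, int, str, int]]:
        """Rows in the same column order as the slide's translation table."""
        return [(ip, port, self.external_ip, ext)
                for (ip, port), ext in self.out_table.items()]


def run_figure_5_12():
    """Replay the four numbered packets of the figure plus one unsolicited packet."""
    nat = NatFirewall("60.5.9.8")
    server = ("203.0.113.10", 80)  # constructed; the figure names only "Server Host"
    step1 = Packet("192.168.5.7", 61000, *server)
    step2 = nat.outbound(step1)  # what the sniffer on the Internet side observes
    step3 = Packet(server[0], server[1], step2.src_ip, step2.src_port)
    step4 = nat.inbound(step3)
    # Constructed packet aimed at a port with no table row: dropped.
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, "60.5.9.8", 55381))
    return step2, step4, unsolicited, nat.table()


if __name__ == "__main__":
    for label, item in zip(("step 2", "step 4", "unsolicited", "table"), run_figure_5_12()):
        print(f"{label}: {item}")
```

The sniffer in the figure sits outside the NAT firewall, so it only ever sees the external socket 60.5.9.8:55380 in step 2; the internal address 192.168.5.7 never appears on the wire there. The dropped unsolicited packet shows the defensive side effect the slide relies on: without a row created by an earlier outbound packet, inbound traffic has nowhere to go.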
Slide 3: Firewalls (outline slide, repeated from Slide 1)
- Types of Firewalls
- Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance
Slide 4: Figure 5-13: Application Firewall Operation

Components: Client PC 192.168.6.77 (Browser); Application Firewall 60.45.2.6 running an HTTP Proxy, an FTP Proxy and an SMTP (E-Mail) Proxy; Webserver 123.80.5.34 (Webserver Application).

HTTP proxy flow:
1. HTTP Request from 192.168.6.77
2. Filtering
3. Examined HTTP Request from 60.45.2.6
4. HTTP Response to 60.45.2.6
5. Filtering: on POST going out; on Hostname, URL, MIME, etc. coming in
6. Examined HTTP Response to 192.168.6.77

Other proxies:
- FTP Proxy: outbound filtering on PUT
- SMTP (E-Mail) Proxy: inbound and outbound filtering on obsolete commands and content
Slide 5: Figure 5-14: Header Destruction with Application Firewalls

Components: Attacker 1.2.3.4; Application Firewall 60.45.2.6; Webserver 123.80.5.34.

Arriving packet (from the attacker): Orig. IP Hdr | Orig. TCP Hdr | App MSG (HTTP)
Inside the firewall (header removed): App MSG (HTTP)
New packet (to the webserver): New IP Hdr | New TCP Hdr | App MSG (HTTP)

The application firewall strips the original headers from arriving packets and creates a new packet with new headers. This stops all header-based packet attacks (marked X in the figure).
Slide 6: Figure 5-15: Protocol Spoofing

Components: Internal Client PC 60.55.33.12 infected with a Trojan Horse; Attacker 1.2.3.4; Application Firewall.

1. The Trojan transmits on Port 80 to get through a simple packet filter firewall.
2. The protocol is not HTTP, so the application firewall stops the transmission (marked X in the figure).
Slide 7: Figure 5-16: Circuit Firewall

Components: External Client 123.30.82.5; Circuit Firewall (SOCKS v5) 60.34.3.31; Webserver 60.80.5.34.

1. Authentication (external client to circuit firewall)
2. Transmission
3. Passed Transmission: No Filtering
4. Reply
5. Passed Reply: No Filtering
Slide 8: Firewalls (outline)
- Types of Firewalls
- Inspection Methods
- Firewall Architecture: single site in a large organization, home firewall, SOHO firewall router, distributed firewall architecture
- Configuring, Testing, and Maintenance
Slide 9: Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

From the Internet inward:
1. Screening Router 60.47.1.1, last rule = Permit All
2. Main Firewall, last rule = Deny All (172.18.9.x subnet behind it)
3. Internal Firewall
4. Client Host Firewall: Marketing client on the 172.18.5.x subnet
5. Server Host Firewall: Accounting server on the 172.18.7.x subnet
6. DMZ:
   - Public Webserver 60.47.3.9
   - SMTP Relay Proxy 60.47.3.10
   - HTTP Proxy Server 60.47.3.1
   - External DNS Server 60.47.3.4
Slide 10: Figure 5-18: Home Firewall

Internet Service Provider -- always-on connection (coaxial cable) -- Broadband Modem -- UTP cord -- Home PC running a PC Firewall.
Slide 11: Figure 5-19: SOHO Firewall Router

Internet Service Provider -- Broadband Modem (DSL or Cable) -- SOHO Router -- Ethernet Switch -- User PCs (three shown, each on a UTP cable).

The SOHO Router provides: Router, DHCP Server, NAT Firewall, and Limited Application Firewall.

Many access routers combine the router and Ethernet switch in a single box.
Slide 12: Figure 5-20: Distributed Firewall Architecture

Components: Internet; Home PC Firewall; Management Console; Site A; Site B.