network - Networking and Communications
Oct 28, 2013

© 2000 McGraw-Hill Co. Greenstein and Lenk

Chapter Nine

Firewalls


Learning Objectives


To learn the TCP/IP and OSI models.


To understand the underlying components
of firewalls, including their benefits and
limitations.


To learn important factors to consider in
designing a firewall.


What is a firewall?


Used to control the flow of traffic (both
inflows and outflows, but primarily inflows)
between networks


The connected networks can be internal or a
combination of internal and external
networks


Characteristics of Good Firewalls

All traffic from inside the corporate network to outside the network, and vice versa, must pass through it;

Only authorized traffic, as defined by the security policy, is allowed to pass through it; and

The system itself is immune to penetration.

Cheswick and Bellovin, 1994


Transmission Control Protocol/Internet Protocol (TCP/IP)

A conglomeration of underlying protocols designed to enable communications between computers across networks


4 Basic Layers of TCP/IP

Physical/Network Layer - Accepts and transmits network packets over the physical network. Physical networking protocols, such as Ethernet, and logical protocols, such as Address Resolution Protocol (ARP), are run at this layer.

IP Layer - Responsible for routing packets across the network. Routing protocols, such as Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP), are run at this layer.



4 Basic Layers of TCP/IP (cont.)

Transport Layer - Provides end-to-end communication between two computers. TCP manages a virtual session (connection) between the endpoints; UDP delivers datagrams without one.

Application Layer - Manages the networking applications and formats data for transmission.


Open Systems Interconnection (OSI)

Developed by the International Organization for Standardization

A seven layer model that further divides the layers from the TCP/IP model

The seven layers are discussed in chapter seven.


[Figure: TCP/IP layers, what each provides, and where firewalls filter]

APPLICATION LAYER   HTTP         the desired program                                  <- application-based filtering (firewall)
TRANSPORT LAYER     TCP or UDP   provides the connection                              <- packet-filtering routers
NETWORK LAYER       IP           locates the destination IP address & routes message
LINK LAYER          Ethernet     physical devices


[Figure: OSI model alongside the TCP/IP model]

OSI MODEL       TCP/IP MODEL
APPLICATION     APPLICATION
PRESENTATION    (part of APPLICATION)
SESSION         (part of APPLICATION)
TRANSPORT       TRANSPORT
NETWORK         INTERNET (IP)
DATA LINK       NETWORK INTERFACE
PHYSICAL        (part of NETWORK INTERFACE)


Firewalls can be configured as...

Software used to analyze traffic and make decisions

Software and hardware - routers - Lucent Technologies routers (next slide)


Firewall Filtering

Firewall features that are standard on all Lucent routers.

Separate input and output filters on:

Source and destination address

Protocol (TCP/IP, IPX, UDP, ICMP, RIP, OSPF, BGP)

Protocol service (Web, e-mail, FTP)

Established sessions

Packet logging

Extended Frame Relay filtering (variable-length packet switching data transmission)

www.lucent.com


Static Firewalls

Pre-configured rulebases are used for traffic passing decisions

Default permit - the firewall allows all traffic except that which is explicitly blocked by the firewall rulebase

Default deny - the firewall denies all traffic except that which is explicitly allowed by the firewall rulebase. This is the safer posture: a service the rulebase overlooks stays blocked instead of exposed.


Dynamic Firewalls

Also use rulebases, but the denial or permission of any service can be established for a given time period

Stateful inspection is also a dynamic configuration


Components of Firewalls

Chokes - limit the flow of packets between networks. They read packets and determine, based on the rules, whether the traffic should pass

Gates - act as the control point for external connections (typically the bastion host through which permitted connections are made)


[Figure: a choke in front of a gate under a DEFAULT DENY policy. Application level filtering rule - deny everything except Telnet & FTP. Arriving packets: FTP, FTP, TELNET, SMTP, HTTP, SMTP. The FTP and TELNET packets pass through to the corporate internal network; the SMTP and HTTP packets are rejected packets.]


Firewall Functions

Packet Filtering

Network Address Translation

Application-level Proxies

Stateful Inspection

Virtual Private Networks; and

Real-time Monitoring


Packet-Filtering

Controls traffic at the TCP/IP (network and transport) level

Examines the source and destination addresses of data packets

Examines the source and destination service ports

Examines the packet types and packet options

Permits or denies based on an access control list
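The following is a worked example of the static and dynamic rulebases described in the preceding slides and of the packet-filtering decision listed here (source and destination address, protocol, destination port, first match in an access control list). It is an added example written for this page, not code from the textbook or from any vendor; the address ranges, ports and the maintenance window are assumptions. The same rule list is evaluated under a default-deny and a default-permit policy so that the difference shows up on a service no rule mentions, and one rule carries a validity window to show the time-bounded ("dynamic") case.

```python
"""Packet-filtering rulebase: first-match rules keyed on source/destination
address, protocol and destination port, a default policy of permit or deny for
anything no rule matches, and an optional validity window so that a rule can be
switched on only for a given time period.  Added example, not textbook code;
addresses, ports and the window below are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    window: Optional[Tuple[datetime, datetime]] = None   # rule is live only inside [start, end)

    def matches(self, pkt: Packet, now: datetime) -> bool:
        if self.window is not None and not (self.window[0] <= now < self.window[1]):
            return False                                  # dynamic rule outside its time period
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Rulebase:
    def __init__(self, default: str, rules: List[Rule]):
        if default not in (PERMIT, DENY):
            raise ValueError("default policy must be permit or deny")
        self.default = default
        self.rules = list(rules)

    def decide(self, pkt: Packet, now: datetime) -> Tuple[str, Optional[int]]:
        """First matching rule wins: return (action, rule index), or (default, None)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt, now):
                return rule.action, i
        return self.default, None


INTERNAL = "10.0.0.0/8"    # assumed internal address space
RULES = [
    Rule(DENY, proto="tcp", src=INTERNAL, dport=23),             # 0: no outbound telnet
    Rule(PERMIT, proto="tcp", dst="10.0.5.25/32", dport=25),     # 1: inbound SMTP only to the mail relay
    Rule(PERMIT, proto="tcp", src=INTERNAL, dport=80),           # 2: internal users may browse
    Rule(PERMIT, proto="tcp", src="10.0.9.0/24", dst="10.0.1.7/32", dport=22,
         window=(datetime(2000, 6, 7, 14), datetime(2000, 6, 7, 16))),  # 3: ssh only in a maintenance window
]
default_deny = Rulebase(DENY, RULES)
default_permit = Rulebase(PERMIT, RULES)

DURING_WINDOW = datetime(2000, 6, 7, 15)
AFTER_WINDOW = datetime(2000, 6, 7, 17)


def compare(pkt: Packet, now: datetime):
    """Decisions of both rulebases for one packet: (default-deny result, default-permit result)."""
    return default_deny.decide(pkt, now), default_permit.decide(pkt, now)


if __name__ == "__main__":
    # Inbound telnet from the Internet matches no rule: only the default policy decides.
    print(compare(Packet("tcp", "203.0.113.5", "10.0.1.7", 4421, 23), DURING_WINDOW))
```

The inbound telnet probe in the `__main__` block is the point of the exercise: the same rules yield "deny" under default deny and "permit" under default permit, because nobody wrote a rule for it. Rule 3 is the dynamic case; after 4 PM it stops matching and the packet again falls through to the default.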


Packet Filtering Routers

Limit traffic based on the network and transport levels of the OSI model

Transport level filters include filtering against certain types of transport protocols, such as UDP or TCP, and their port numbers


Proxies

Controlling network traffic at the application level is desirable

Application-level proxies replace the normal service (application) with the firewall's service (application). This allows the firewall to examine the data within the connection as it passes through the firewall

Two separate and distinct connections are used:

source user to firewall

firewall to destination
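Below is a minimal application-level proxy of the kind described above, added here as an example; it is not code from the textbook. It holds the two separate connections (client to firewall, firewall to destination), reads the client's commands one at a time, and either forwards each to the destination or answers it locally from policy. The command set is FTP-style so that it also answers the later question of how FTP PUT commands can be restricted (STOR and friends are refused before they ever reach the server). The fake upstream server, the command list and the "550" reply text are constructed for the demonstration; a real deployment would relay the FTP data channel as well, which this example leaves out.

```python
"""Application-level (command-channel) proxy: the client never talks to the
destination directly.  The proxy inspects every command; a denied command is
answered locally and is never forwarded.  Added example, not textbook code;
the command set, replies and fake server are constructed for illustration."""
import socket
import threading
from typing import List, Optional, Tuple

# Commands that write or delete on the server: the "FTP PUT" family.
DENIED_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RMD"}


def inspect(line: str) -> Optional[str]:
    """Policy hook: return None to forward the line, or a reply to send back instead."""
    verb = line.split(None, 1)[0].upper() if line.strip() else ""
    if verb in DENIED_COMMANDS:
        return f"550 {verb} not permitted by firewall policy\r\n"
    return None


def _readline(sock: socket.socket) -> str:
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:            # peer closed
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def proxy_session(client: socket.socket, upstream: socket.socket, log: List[Tuple[str, str]]) -> None:
    """Relay one control session: client -> proxy -> server, one command at a time."""
    try:
        client.sendall(_readline(upstream).encode())      # pass the server banner through
        while True:
            line = _readline(client)
            if not line:
                break
            local_reply = inspect(line)
            if local_reply is not None:
                log.append(("blocked", line.strip()))
                client.sendall(local_reply.encode())       # answered by the firewall, not the server
                continue
            log.append(("forwarded", line.strip()))
            upstream.sendall(line.encode())                # second, distinct connection
            client.sendall(_readline(upstream).encode())
            if line.strip().upper() == "QUIT":
                break
    finally:
        client.close()
        upstream.close()


def fake_server(sock: socket.socket) -> None:
    """Constructed stand-in for the destination: a banner, then '200 OK' to everything."""
    sock.sendall(b"220 demo ftp\r\n")
    while _readline(sock):
        sock.sendall(b"200 OK\r\n")
    sock.close()


def run_demo(commands: List[str]):
    """Drive a session through the proxy offline using socketpairs; return (replies, log)."""
    client_end, proxy_client_end = socket.socketpair()
    proxy_server_end, server_end = socket.socketpair()
    log: List[Tuple[str, str]] = []
    threading.Thread(target=fake_server, args=(server_end,), daemon=True).start()
    worker = threading.Thread(target=proxy_session,
                              args=(proxy_client_end, proxy_server_end, log), daemon=True)
    worker.start()
    replies = [_readline(client_end).strip()]              # banner
    for cmd in commands:
        client_end.sendall((cmd + "\r\n").encode())
        replies.append(_readline(client_end).strip())
    client_end.close()
    worker.join(timeout=5)
    return replies, log


if __name__ == "__main__":
    print(run_demo(["USER alice", "RETR report.txt", "STOR payload.exe", "QUIT"]))
```

The log shows the property the slide describes: the proxy sees every command in the clear, and the STOR never appears on the server-side connection at all.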



IP Spoofing

An attacker disguises his/her originating host, server or router as that of another host or router by forging the source address of the packets sent

An external attacker may gain access to an internal network by posing as an internal system user (using an internal source address) and passing through the firewall checkpoint, if the firewall trusts source addresses alone


How can IP Spoofing be prevented?

Don't let internal IP addresses be known to outsiders!

On its own that is not enough: internal ranges are guessable (the private address blocks are public knowledge). The firewall must also refuse any packet arriving on the external interface whose source address belongs to the internal network (ingress filtering), and refuse any packet leaving the internal interface whose source address does not (egress filtering). A source address should never be the sole basis for trust; use authentication.
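The anti-spoofing check a firewall applies at its interfaces, written out as an added example (not textbook code). It assumes two interfaces, `ext0` facing the Internet and `int0` facing the corporate network, and an internal address space of 10.0.0.0/8; both names and the ranges are assumptions. A packet arriving from the Internet that claims an internal or otherwise impossible (private, loopback, link-local, multicast, reserved) source address is a forgery by definition and is dropped on arrival; a packet leaving the internal side with a source address that is not ours is dropped so that our hosts cannot be used to spoof others.

```python
"""Ingress/egress anti-spoofing for a two-interface firewall.  Added example,
not textbook code; interface names and address ranges are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed internal address space

# Source ranges that can never legitimately arrive from the Internet.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def antispoof(iface: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` seen on interface `iface`."""
    s = ip_address(src)
    if iface == "ext0":
        # Ingress: anything from outside claiming to be inside is forged.
        if _in_any(s, INTERNAL_NETS):
            return "drop", "internal source address arriving from outside"
        if _in_any(s, BOGON_NETS):
            return "drop", "bogon source address arriving from outside"
        return "pass", "plausible external source"
    if iface == "int0":
        # Egress: only our own addresses may leave through the internal interface.
        if not _in_any(s, INTERNAL_NETS):
            return "drop", "non-internal source address leaving the internal network"
        return "pass", "source is one of ours"
    return "drop", f"unknown interface {iface}"


if __name__ == "__main__":
    # The classic spoof: an outside packet pretending to be an internal host.
    print(antispoof("ext0", "10.0.1.5"))
    print(antispoof("ext0", "203.0.113.7"))
```

These checks belong in front of the ordinary rulebase: a rule that permits "internal hosts" to reach a service is only meaningful once the firewall has made sure that "internal" source addresses can only enter through the internal interface.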



Stateful Inspection

Compares each packet to a state table

Tracks inbound and outbound connections

Authorized connections are recorded in the state table when they are opened

Subsequent packets belonging to a recorded connection (in either direction) are allowed without repeating the rulebase check; packets that match no recorded connection and do not legitimately open a new one are dropped
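A state table for TCP, as an added example of the mechanism just described (not code from the textbook). The rulebase is consulted exactly once, when a connection's opening SYN is seen; after that every segment of the connection, in either direction, is matched against the table. Two consequences the slide does not spell out are shown as well: an unsolicited reply (a SYN/ACK or ACK for which no connection was ever opened, the shape of an ACK scan) is dropped because it has no state, and an entry is removed after a reset, a close on both sides, or an idle timeout. Addresses, the policy and the timeouts are assumptions.

```python
"""Stateful inspection of TCP: authorize a connection once, on its SYN, record
it, and match later segments against the state table rather than the rulebase.
Added example, not textbook code; policy, addresses and timeouts are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Seg:
    """One TCP segment as the firewall sees it (header fields only)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN, "R" RST


Key = Tuple[str, int, str, int]


class StatefulFirewall:
    IDLE_TIMEOUT = 3600        # seconds an open connection may stay silent
    TIME_WAIT_TIMEOUT = 60     # seconds to keep an entry after both sides sent FIN

    def __init__(self, permit_new: Callable[[Seg], bool]):
        self.permit_new = permit_new        # the rulebase, consulted only for NEW connections
        self.table: Dict[Key, dict] = {}    # originator 4-tuple -> entry

    def expire(self, now: float) -> None:
        """Drop entries idle longer than their timeout."""
        stale = [k for k, e in self.table.items()
                 if now - e["last"] > (self.TIME_WAIT_TIMEOUT if e["state"] == "TIME_WAIT"
                                       else self.IDLE_TIMEOUT)]
        for k in stale:
            del self.table[k]

    def process(self, seg: Seg, now: float) -> Tuple[str, str]:
        """Return (verdict, state) for one segment seen at time `now` (seconds)."""
        self.expire(now)
        fwd: Key = (seg.src, seg.sport, seg.dst, seg.dport)
        rev: Key = (seg.dst, seg.dport, seg.src, seg.sport)
        # 1. Known connection, either direction: accept without touching the rulebase.
        if fwd in self.table or rev in self.table:
            key, side = (fwd, "orig") if fwd in self.table else (rev, "reply")
            e = self.table[key]
            e["last"] = now
            if "R" in seg.flags:                                   # reset tears it down at once
                del self.table[key]
                return "accept", "RESET"
            if e["state"] == "SYN_SENT" and side == "reply" and seg.flags == "SA":
                e["state"] = "ESTABLISHED"
            if "F" in seg.flags:
                e["fins"].add(side)
                if e["fins"] == {"orig", "reply"}:                 # both closed: keep briefly for the last ACK
                    e["state"] = "TIME_WAIT"
            return "accept", e["state"]
        # 2. Unknown connection: only a bare SYN may open one, and only if the rulebase agrees.
        if seg.flags != "S":
            return "drop", "INVALID"                               # e.g. unsolicited SYN/ACK or ACK probe
        if not self.permit_new(seg):
            return "drop", "NEW-DENIED"
        self.table[fwd] = {"state": "SYN_SENT", "last": now, "fins": set()}
        return "accept", "NEW"


INTERNAL = ip_network("10.0.0.0/8")    # assumed internal address space


def demo_policy(seg: Seg) -> bool:
    """Assumed rulebase for NEW connections: internal hosts may go out; inbound only SMTP to the relay."""
    if ip_address(seg.src) in INTERNAL:
        return True
    return seg.dst == "10.0.5.25" and seg.dport == 25


def run_demo():
    """Replay a constructed segment sequence and collect the verdicts."""
    fw = StatefulFirewall(demo_policy)
    trace = [
        (0, Seg("10.0.3.4", 40000, "198.51.100.9", 80, "S")),     # internal client opens HTTP
        (1, Seg("198.51.100.9", 80, "10.0.3.4", 40000, "SA")),    # reply admitted from the state table
        (2, Seg("10.0.3.4", 40000, "198.51.100.9", 80, "A")),
        (3, Seg("198.51.100.9", 80, "10.0.3.4", 40001, "SA")),    # unsolicited: no state, dropped
        (4, Seg("203.0.113.5", 5555, "10.0.1.7", 23, "S")),       # inbound telnet: rulebase denies
        (5, Seg("203.0.113.5", 5555, "10.0.5.25", 25, "S")),      # inbound SMTP to the relay: allowed
        (6, Seg("10.0.3.4", 40000, "198.51.100.9", 80, "F")),     # client closes
        (7, Seg("198.51.100.9", 80, "10.0.3.4", 40000, "F")),     # server closes
        (8, Seg("10.0.3.4", 40000, "198.51.100.9", 80, "A")),     # final ACK still matches
        (200, Seg("198.51.100.9", 80, "10.0.3.4", 40000, "A")),   # entry expired: dropped
    ]
    return [fw.process(seg, t) for t, seg in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The "dynamic" nature the earlier slide refers to is visible in the table itself: it grows when a permitted SYN arrives and shrinks on reset, close or timeout, so the firewall's effective policy at any moment is the static rulebase plus the set of connections it has already admitted.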



Virtual Private Networks (VPNs)


Create a secure tunnel through an untrusted
network, such as the Internet


Authentication and encryption techniques
are used to implement VPNs



Real-Time Monitoring

Firewalls that continuously monitor and report certain "unusual" activity to systems administrators, including automatically paging them

Audit logs track the details of all successful and failed connections made through the firewall

[Figure: Internet - Router - Firewall system - Router - Corporate Internal network (Ethernet segments)]
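What "reporting unusual activity" looks like when run over the audit log, as an added example (not code from the textbook or any firewall product). The monitor parses connection records of an assumed format, one line per successful or failed connection, and raises two kinds of alert: a source whose denied connections touch many distinct ports within a short window (the shape of a port scan), and any accepted connection to a service the policy considers dangerous. The log lines, the format, the thresholds and the port list are all constructed for the illustration.

```python
"""Real-time monitoring over firewall audit-log lines.  Added example, not
textbook code; the log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed record format: "<ISO time> <ACCEPT|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) (ACCEPT|DENY) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def detect(lines, scan_ports: int = 5, window: timedelta = timedelta(seconds=60),
           dangerous_ports: Tuple[int, ...] = (23, 79)) -> List[Tuple[str, str]]:
    """Walk the log in order; return (alert type, detail) pairs in the order they fire."""
    alerts: List[Tuple[str, str]] = []
    denied = defaultdict(list)      # src -> [(time, dport)] of recent denials
    reported = set()                # sources already reported as scanning
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed", line.strip()))     # a record the monitor cannot read is itself unusual
            continue
        if ev["action"] == "ACCEPT" and ev["dport"] in dangerous_ports:
            alerts.append(("dangerous-service-accepted", f'{ev["src"]} -> {ev["dst"]}:{ev["dport"]}'))
        if ev["action"] == "DENY":
            hist = denied[ev["src"]]
            hist.append((ev["ts"], ev["dport"]))
            hist[:] = [(t, p) for t, p in hist if ev["ts"] - t <= window]   # slide the window
            ports = {p for _, p in hist}
            if len(ports) >= scan_ports and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append(("port-scan",
                               f'{ev["src"]} probed {len(ports)} ports within {int(window.total_seconds())}s'))
    return alerts


# Constructed sample log: one scan, one risky accepted session, one slow prober, one bad line.
SAMPLE_LOG = """\
2000-06-07T14:03:11 ACCEPT tcp 10.0.3.4:40000 -> 198.51.100.9:80
2000-06-07T14:03:12 DENY tcp 203.0.113.5:4421 -> 10.0.1.7:21
2000-06-07T14:03:12 DENY tcp 203.0.113.5:4422 -> 10.0.1.7:22
2000-06-07T14:03:13 DENY tcp 203.0.113.5:4423 -> 10.0.1.7:23
2000-06-07T14:03:13 DENY tcp 203.0.113.5:4424 -> 10.0.1.7:25
2000-06-07T14:03:14 DENY tcp 203.0.113.5:4425 -> 10.0.1.7:80
2000-06-07T14:03:20 ACCEPT tcp 198.51.100.9:5555 -> 10.0.1.7:23
2000-06-07T14:05:00 DENY tcp 198.51.100.20:1000 -> 10.0.1.7:443
2000-06-07T14:09:00 DENY tcp 198.51.100.20:1001 -> 10.0.1.7:8080
garbage line
""".splitlines()


def run_demo() -> List[Tuple[str, str]]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The host 198.51.100.20 is denied twice minutes apart and never crosses the threshold, which is the point of the sliding window: the monitor pages on a burst, not on every failed connection.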


Demilitarized Zone

A sub-network that is located between the internal network and the external network

Can help to limit and control the traffic that is passed to the internal network

A good place for public-facing servers such as web servers, though the extra filtering stage slows processing time

[Figure: screened subnet. Internet - Filter (Internet Access Router) - Demilitarized Zone (Bastion Host) - Filter - Gateway Systems - Corporate Internal network]


Securing the Firewall - Policy

Network Service Access Policy - A high-level policy of network security

services allowed must be defined as well as how they may be used

processes that must be taken to make changes to rulebases must be determined

processes for acceptable exceptions to policy and the supporting documentation necessary must be determined

Firewall Design Policy - addresses how the denied services will be restricted and how the allowed services will be permitted


[Figure: three nested policies, from the broadest to the most specific: the Computer Resources Security Policy contains the Network Service Access Policy, which contains the Firewall Design Policy.]

EXAMPLES

Computer Resources Security Policy:

Floppy disk and hard drive back-up

Shredding of printed, unclaimed, sensitive documents

Virus scanning software

Network Service Access Policy:

General Rule: Deny access to a specific host computer from internal addresses

Exception: Allow selected internal users using strong authentication devices to access this system next Wednesday from 2-4 PM

Firewall Design Policy:

How will e-mail requests be directed to a specific e-mail site?

How will FTP PUT commands be restricted?


Securing the Firewall - Administration

The 1998 CSI/FBI survey reported mismanagement as the number 1 reason for firewall breaches

Rulebases should be periodically reviewed

Administration procedures should be documented and followed.

The number of administrator accounts should be limited and one-time passwords used


Securing the Firewall
-

Services


Only approved vendor software should be
used


Unnecessary and potentially dangerous
services should not be used


telnet


FTP


Finger


Securing the Firewall - Internal Firewalls

Internal firewalls can be used to protect one area of a company from other, unauthorized users

This limits how far an intruder who has compromised one area can spread


Securing the Firewall - Operating System Controls

User and group settings

File and directory permissions

Remote file system access

Operating system initialization files

Scheduling of jobs

Other core operating system settings

Trust relationships

Monitoring of networking services


Firewall Design Factors

Deny Capability - The firewall should be able to support a "deny all services, except those specifically permitted" policy.

Filtering - The ability to judiciously and dynamically employ filtering techniques, such as permit or deny services, for each host system is crucial to a good firewall design.

Security Policy - Developing a security policy is a precursor to designing and implementing effective firewalls.


Firewall Design Factors (cont.)

Dynamic - Networking environments are fluid and the firewall design should allow agility.

Authentication - The firewall design should utilize strong authentication devices and be continually updated to incorporate the most advanced and feasible authentication devices that emerge.

Flexible Filtering - The firewall should employ a flexible IP filtering language that can filter on as many attributes as is deemed necessary


Firewall Design Factors (cont.)

Recognize Dangerous Services - The firewall should identify such services and either disable them for outside users or use proxy services in DMZs to reduce exposure from such services.

Filter Dial-in Access - It should be able to filter dial-in access and limit access ports.

Audit Logs - It should log traffic and suspicious activity and should display it in an easy to understand format.


Firewall Design Factors (cont.)

Current Version - It should run the most secure version of the operating system, with all available patches for known problems installed as well.

Good Documentation - The firewall development process should be implemented in a fashion that provides checkpoints and a verifiable log of actions taken during its development, implementation, and maintenance.




Choosing a Firewall Vendor


The reputation of the vendor. Request references and check
them!


Does the software meet the requirements as set forth in the
network service access policy and firewall design policy?


Does the vendor have 24 hour, 365 days a year support? How
reliable is this support?


Does the vendor provide training?


How frequently has this vendor released updates and patches
to known security holes in the past? What is their
commitment to do so in the future? What support do they
provide in installing security patches?


How does this software fit in with future networking
expansion plans?



Limitations of Security Provided by Firewalls

Firewalls are just one component of security

If this point is not understood, the installation of a firewall can be misunderstood and overly relied upon - this is dangerous!