What Is A Firewall? Firewall, VPN, IDS/IPS


Ahmet Burak Can, Hacettepe University (abc@hacettepe.edu.tr)

What is a Firewall?
A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.

A firewall:
- Acts as a security gateway between two networks
- Tracks and controls network communications
- Decides whether to pass, reject, encrypt, or log communications (access control)
(Diagram: a corporate site behind the firewall; the firewall allows traffic to the Internet and blocks traffic from the Internet.)

Hardware vs. Software Firewalls
Hardware firewalls:
- Protect an entire network
- Implemented at the router level
- Usually more expensive, harder to configure
Software firewalls:
- Protect a single computer
- Usually less expensive, easier to configure

Evolution of Firewalls
Stages of evolution: packet filter, application gateway/proxy, stateful inspection (each described below). (Diagram: protocol stacks Physical / Data Link / Network / Transport, showing which layer each stage inspects.)

Packet Filter
- Packets examined at the network layer
- Useful "first line" of defense; commonly deployed on routers
- Simple accept-or-reject decision model
- No awareness of higher protocol layers
- Simplest of components; decisions use network- and transport-layer header fields only:
  - IP source address, destination address
  - Protocol / next header (TCP, UDP, ICMP, etc.)
  - TCP or UDP source and destination ports
  - TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  - ICMP message type

How to Configure a Packet Filter
- Start with a security policy
- Specify the allowable packets in terms of logical expressions on packet fields
- Rewrite the expressions in the syntax supported by your vendor
- General rule: least privilege
  - All that is not expressly permitted is prohibited
  - If you do not need it, eliminate it
- Example: DNS uses port 53, so allow no incoming port-53 packets except from known trusted servers

Packet Filter Configuration - 1
Every ruleset is followed by an implicit default rule reading like:

  action  src  port  dest  port  flags  comment
  block   *    *     *     *     *      default

Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site, MORDOR, is to be blocked.

Packet Filter Configuration - 2

  action  src     port  dest    port  flags  comment
  block   MORDOR  *     *       *     *      We don't trust this site
  allow   *       *     OUR-GW  25    *      Connection to our SMTP port

Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Packet Filter Configuration - 3

  action  src  port  dest  port  flags  comment
  allow   *    *     *     25    *      Connection to outside SMTP port

This solution allows calls from any port on an inside machine and directs them to port 25 on an outside machine. So why is it wrong?

Packet Filter Configuration - 4
Our restriction is based solely on the destination's port number. With this rule, an enemy can reach any internal machine on port 25 from an outside machine. What can be a better solution?

Packet Filter Configuration - 5

  action  src          port  dest  port  flags  comment
  allow   {our hosts}  *     *     25    *      Connection to outside SMTP port
  allow   *            25    *     *     ACK    SMTP replies

The first rule restricts connections to outside port 25 to inside machines only. In the second rule, the ACK flag signifies that the packet is part of an ongoing conversation. Packets without ACK are connection-establishment messages, which the first rule permits only from internal hosts. With the second rule, outside hosts can send reply packets (source port 25, ACK set) back to inside hosts.

Application Gateway or Proxy
- Packets examined at the application layer
- Application/content filtering possible; for example, FTP "put" commands can be prevented
- Modest performance
- Scalability limited

Stateful Inspection
- Packets inspected between the data link layer and the network layer, in the OS kernel
- State tables are created to maintain connection context
- Invented by Check Point (the INSPECT engine with dynamic state tables)

Network Address Translation (NAT)
- Converts a network's private ("illegal", i.e. non-routable) IP addresses to legal, public IP addresses
- Hides the true addresses of individual hosts from the outside, which limits direct attacks on them (a side effect of the translation, not a substitute for the filtering rules above)
- Allows more devices to be connected to the network
(Diagram: internal addresses 192.172.1.1-192.172.1.254 on the corporate LAN are translated to the single public address 219.22.165.1 toward the Internet.)
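The rule tables of Configurations 3 and 5 and the step to stateful inspection, as an added example that is not code from the original slides. The addresses, the tuple encoding of a rule and the sample packets are constructed for illustration; the stateless filter implements first-match with the implicit final block rule, and the stateful filter replaces the ACK rule with a connection table, which also catches the case a stateless filter cannot: an outsider who sets ACK and uses source port 25 to probe an inside port that was never contacted.

```python
"""Stateless packet filter vs. stateful inspection for the SMTP rule sets
in Packet Filter Configurations 3 and 5. Added example, not code from the
original slides; addresses, rule encoding and packets are constructed."""
from dataclasses import dataclass

INSIDE = frozenset({"10.0.0.5", "10.0.0.6"})  # assumed "our hosts"
MORDOR = "203.0.113.66"                         # assumed address of the untrusted site


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag set?


def matches(value, pattern) -> bool:
    """'*' matches anything; a set matches any member; else exact match."""
    if pattern == "*":
        return True
    if isinstance(pattern, frozenset):
        return value in pattern
    return value == pattern


def filter_packet(rules, pkt: Packet) -> str:
    """Stateless filter: first matching rule wins; the implicit final rule
    is 'block * * * * *'. A rule is (action, src, sport, dst, dport, flags)."""
    for action, src, sport, dst, dport, flags in rules:
        if (matches(pkt.src, src) and matches(pkt.sport, sport)
                and matches(pkt.dst, dst) and matches(pkt.dport, dport)
                and (flags == "*" or (flags == "ACK" and pkt.ack))):
            return action
    return "block"


# Configuration 3: "any inside host can send mail outside", done wrong.
NAIVE = [("allow", "*", "*", "*", 25, "*")]

# Configuration 5: connection setup (no ACK) only from inside hosts;
# replies only from source port 25 with ACK set; MORDOR blocked first.
FIXED = [
    ("block", MORDOR, "*", "*", "*", "*"),
    ("allow", INSIDE, "*", "*", 25, "*"),
    ("allow", "*", 25, "*", "*", "ACK"),
]

# Constructed sample packets.
INSIDE_TO_OUTSIDE = Packet("10.0.0.5", 40000, "198.51.100.9", 25)
OUTSIDE_TO_INSIDE_SMTP = Packet("198.51.100.9", 40001, "10.0.0.6", 25)
SMTP_REPLY = Packet("198.51.100.9", 25, "10.0.0.5", 40000, ack=True)
FROM_MORDOR = Packet(MORDOR, 40002, "10.0.0.5", 25)
# Attacker sets ACK and uses source port 25 to reach an inside port that was
# never contacted; a stateless filter cannot tell this from a genuine reply.
ACK_PROBE = Packet("198.51.100.9", 25, "10.0.0.6", 22, ack=True)


class StatefulFilter:
    """Stateful inspection: record allowed inside-initiated connections in a
    state table and accept an ACK packet only if it reverses a recorded entry."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # (src, sport, dst, dport) of allowed connections

    def handle(self, pkt: Packet) -> str:
        if pkt.ack:
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if reverse in self.table else "block"
        verdict = filter_packet(self.rules, pkt)  # new connection: consult rules
        if verdict == "allow":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def stateful_verdicts():
    """Run the sample packets through one stateful filter, in this order."""
    sf = StatefulFilter(FIXED)
    return {
        "ack_probe": sf.handle(ACK_PROBE),
        "inside_to_outside": sf.handle(INSIDE_TO_OUTSIDE),
        "smtp_reply": sf.handle(SMTP_REPLY),
        "outside_to_inside_smtp": sf.handle(OUTSIDE_TO_INSIDE_SMTP),
    }


if __name__ == "__main__":
    for name, pkt in [("inside->outside:25", INSIDE_TO_OUTSIDE),
                      ("outside->inside:25", OUTSIDE_TO_INSIDE_SMTP),
                      ("reply", SMTP_REPLY), ("from MORDOR", FROM_MORDOR),
                      ("ACK probe", ACK_PROBE)]:
        print(f"{name:20} naive={filter_packet(NAIVE, pkt):5} "
              f"fixed={filter_packet(FIXED, pkt)}")
    print("stateful:", stateful_verdicts())
```

Under NAIVE the outside-to-inside SMTP packet is allowed, which is the flaw of Configuration 4. Under FIXED it is blocked and the reply passes, but the ACK probe is still allowed because the stateless rule trusts a flag the sender controls; the stateful filter blocks it because no matching connection exists in its table.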

Firewall Deployment
(Diagram: the Internet connects through a gateway to the corporate network; publicly accessible servers sit in a demilitarized zone (DMZ); an internal segment gateway separates the Human Resources network and other internal segments from the rest of the corporate site.)
Internal segment gateways:
- Protect sensitive segments (Finance, HR, Product Development)
- Provide a second layer of defense
- Ensure protection against internal attacks and misuse

What is a VPN?
- A VPN is a private connection over an open network
- A VPN includes authentication and encryption to protect data integrity and confidentiality
- Types: Remote Access VPN, Site-to-Site VPN, Extranet VPN, Client/Server VPN

Types of VPNs
Remote Access VPN
- Provides access to the internal corporate network over the Internet
- Reduces long-distance, modem bank, and technical support costs
- Authentication: PAP, CHAP, RADIUS
Site-to-Site VPN
- Connects multiple offices (e.g. a branch office and the corporate site) over the Internet
- Reduces dependencies on frame relay and leased lines

Extranet VPN
- Provides business partners access to critical information (leads, sales tools, etc.)
- Reduces transaction and operational costs
Client/Server VPN
- Protects sensitive internal communications, e.g. between LAN clients and a database server holding sensitive data

Overview of IDS/IPS
Intrusion: a set of actions aimed at compromising the security goals (confidentiality, integrity, availability) of a computing/networking resource.
Intrusion detection: the process of identifying and responding to intrusion activities.
Intrusion detection system (IDS): a system that automatically performs the process of intrusion detection.
Intrusion prevention: the process of both detecting intrusion activities and managing responsive actions throughout the network.
Intrusion prevention system (IPS): a system that aims to both detect intrusions and manage responsive actions. Technically, an IPS contains an IDS and combines it with preventive measures (firewall, antivirus, vulnerability assessment) that are often implemented in hardware.

Components of an Intrusion Detection System
Audit records -> audit data preprocessor -> activity data -> detection engine (using detection models) -> alarms -> decision engine (using a decision table) -> action/report.
Underlying assumptions:
- System activities are observable
- Normal and intrusive activities have distinct evidence

Intrusion Detection Approaches
Modeling:
- Features: evidence extracted from audit data
- Analysis approach: piecing the evidence together
  - Misuse detection (a.k.a. signature-based)
  - Anomaly detection (a.k.a. statistical-based)
Deployment: network-based or host-based
- Network-based: monitor network traffic
- Host-based: monitor computer processes
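The component pipeline and the two analysis approaches above, as an added example that is not code from the original slides: a host-based pipeline of preprocessor, misuse (signature) model, anomaly (statistical) model and decision engine run over a few constructed sshd-style log lines. The log lines, the two signatures and the z-score threshold are assumptions made for the example.

```python
"""IDS components over constructed audit records: preprocessor -> activity
data -> misuse and anomaly detection -> alarms -> decision engine -> actions.
Added example, not from the original slides; log lines, signatures and the
anomaly threshold are constructed assumptions."""
import re
import statistics
from collections import Counter

# Constructed sshd-style audit records; not real data.
AUDIT_RECORDS = [
    "sshd[101]: Accepted publickey for alice from 10.0.0.5 port 50000",
    "sshd[102]: Failed password for bob from 10.0.0.9 port 50100",
    "sshd[103]: Accepted password for bob from 10.0.0.9 port 50101",
    "sshd[104]: Failed password for root from 198.51.100.7 port 40001",
    "sshd[105]: Failed password for admin from 198.51.100.7 port 40002",
    "sshd[106]: Failed password for test from 198.51.100.7 port 40003",
    "sshd[107]: Failed password for oracle from 198.51.100.7 port 40004",
    "sshd[108]: Failed password for guest from 198.51.100.7 port 40005",
    "sshd[109]: Accepted publickey for carol from 10.0.0.12 port 50200",
    "sshd[110]: Failed password for invalid user zzz from 203.0.113.20 port 41000",
]

LINE_RE = re.compile(
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def preprocess(records):
    """Audit data preprocessor: raw lines -> activity data (feature dicts)."""
    return [m.groupdict() for m in map(LINE_RE.search, records) if m]


# Misuse detection model: signatures of activity known to be bad (assumed).
SIGNATURES = {
    "root-password-login": lambda e: e["user"] == "root" and e["method"] == "password",
    "invalid-user-probe": lambda e: e["invalid"] is not None,
}


def misuse_detect(events):
    """Alarms (signature name, source ip) for every event matching a signature."""
    return [(name, e["ip"]) for e in events
            for name, pred in SIGNATURES.items() if pred(e)]


Z_THRESHOLD = 1.0  # assumed: z-score above which a source's failure count is anomalous


def anomaly_detect(events):
    """Alarms for sources whose failed-login count deviates from the
    population of all sources (z-score over per-source failure counts)."""
    failures = Counter(e["ip"] for e in events if e["outcome"] == "Failed")
    if len(failures) < 2:
        return []
    mean = statistics.mean(failures.values())
    sd = statistics.pstdev(failures.values())
    if sd == 0:
        return []
    return [ip for ip, n in failures.items() if (n - mean) / sd > Z_THRESHOLD]


def decide(misuse_alarms, anomaly_alarms):
    """Decision engine: map alarms to actions per source (IPS-style response)."""
    actions = {}
    for name, ip in misuse_alarms:
        actions.setdefault(ip, set()).add(f"alert:{name}")
    for ip in anomaly_alarms:
        actions.setdefault(ip, set()).add("block-source")
    return actions


def run(records=AUDIT_RECORDS):
    events = preprocess(records)
    return decide(misuse_detect(events), anomaly_detect(events))


if __name__ == "__main__":
    for ip, acts in run().items():
        print(ip, sorted(acts))
```

The signature model fires on exactly the patterns it was given (a root password attempt, a probe for a nonexistent user) and nothing else; the statistical model has no notion of those patterns but singles out 198.51.100.7 because its five failures sit well above the other sources, which is why the two approaches are usually combined.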

