Guide to Firewalls and VPNs, 3rd Edition, Chapter Four: Introduction to Firewalls


Chapter Four: Introduction to Firewalls

Overview
Identify common misconceptions about firewalls
Explain why a firewall is dependent on an effective security policy
Understand what a firewall does
Describe the types of firewall protection
Recognize the limitations of firewalls

Introduction
Firewalls and related technical controls are a fundamental security tool
Overview of the issues involved in planning and designing firewalls
Each individual firewall
–Combination of software and hardware components

Firewalls Explained
Firewall
–Anything that can filter the transmission of packets of digital information
–As they attempt to pass through an interface between networks
Basic security functions:
–Packet filtering
–Application proxy

Misconceptions about Firewalls
Software firewalls
–Permit authorized traffic to pass through while blocking unauthorized and unwanted traffic
–Need constant maintenance to keep up with the latest security threats
–Work best as part of a multilayered approach to network security

An Analogy: Office Tower Security Guard
A firewall performs the same types of functions as a security guard at a checkpoint
–Monitors entry and exit points
–Scans for viruses and repairs infected files before they invade the network
–Can be configured to send out alert messages and notify staff of break-ins or detected viruses

Firewall Security Features
Advanced security functions offered by some firewalls
–Logging
–VPN
–Authentication
–Shielding hosts inside the network so that attackers cannot identify them and use them as staging areas for sustained attacks
–Caching data
–Filtering content that is considered inappropriate

Firewall Network Perimeter Security
Perimeter
–Boundary between two zones of trust
–Blurred by
  Extranets
  VPNs
  Mobile devices
Benefit of locating the firewall at the perimeter
–Sets up a checkpoint where you can block viruses and infected messages before they get inside

Firewall Network Perimeter Security (cont’d.)
[Figure 4-2 VPN, Cengage Learning 2012]

Firewall Components
Packet filter
Proxy server
Authentication system
Software that performs Network or Port Address Translation (NAT or PAT)
Bastion host
–Has only the bare essentials
–See Figure

Firewall Components (cont’d.)
[Figure 4-3 DMZ, Cengage Learning 2012]

Firewall Security Tasks
Restricting access from outside the network
–Regulate which packets of information can enter the network
–A firewall that does packet filtering protects networks from port scanning attacks
Restricting unauthorized access from inside the network
–Prevent damage from malicious and careless employees

Technical Details: Ports
Ports
–Allow many network services to share a single network address
Socket
–Combination of a sender’s full address and receiver’s address
Port numbers come in two flavors:
–Well-known ports: number 1023 or below
–Ephemeral ports: number from 1024 to

Firewall Security Tasks (cont’d.)
Limiting employee access to external hosts
–Provide precise control of how employees inside the network use external resources
–Act as a proxy server
Protecting critical resources
–Protect from varied types of attacks
Protecting against hacking
–Attacks can also have tangible organization-wide impact

Firewall Security Tasks (cont’d.)
Providing centralization
–Centralizes security for the organization it protects
Enabling documentation
–Provide information to the network administrator in the form of log files
Providing for authentication
–Users with registered usernames and passwords are recognized by the server and allowed to enter
Contributing to a VPN
–Connects two companies’ networks over the Internet

Types of Firewall Protection
Firewalls work in different ways
Seven-layer OSI networking model
–See Figure

Types of Firewall Protection (cont’d.)
[Figure 4-5 Firewalls in the OSI, Cengage Learning 2012]

Packet Filtering
Packet
–Sometimes called a datagram
–Basic element of network data
–Contains two types of information: header and data
Packet-filtering firewall
–Functions at the IP level
–Determines whether to drop a packet or forward it to the next network connection based on the rules programmed into the firewall

Packet Filtering (cont’d.)
Filtering firewalls
–Inspect packets at the network layer (Layer 3) of the OSI model
–When the device finds a packet that violates a rule, it stops the packet from traveling from one network to another
–Decisions are based on a combination of the following:
  IP source and destination address
  Direction (inbound or outbound)
  TCP or UDP (User Datagram Protocol) source and destination port

Packet Filtering (cont’d.)
[Figure 4-9 Packet Filtering, Cengage Learning 2012]

Packet Filtering (cont’d.)
Stateless packet-filtering firewalls
–Ignore the state of the connection between the internal computer and the external computer
Stateful packet-filtering firewalls
–Examine the data contained in a packet and the state of the connection between the internal and the external computer
–State table
  Kept in a memory location called the cache
–Can leave the system vulnerable to a DoS or DDoS attack
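Worked example added by the editor (not code from the textbook): a toy stateless filter beside a stateful one, run over constructed packets, showing why a stateless rule set has to admit inbound packets nobody inside asked for, and how the finite state table behind a stateful filter connects to the DoS point above. All addresses, ports and the table size are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                # header fields a Layer 3/4 filter sees (constructed)
    direction: str           # "in" = arriving from the Internet, "out" = leaving the inside
    proto: str               # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _ok(rule_value, actual) -> bool:
    return rule_value == "any" or rule_value == actual

def stateless_filter(pkt: Packet, rules: list[dict]) -> str:
    """First matching rule wins, implicit deny; nothing about earlier packets is remembered."""
    for r in rules:
        if (_ok(r["direction"], pkt.direction) and _ok(r["proto"], pkt.proto)
                and _ok(r["src_port"], pkt.src_port) and _ok(r["dst_port"], pkt.dst_port)):
            return r["action"]
    return "drop"

# To let web replies back in, a stateless rule set must admit every inbound TCP
# packet with source port 80, whether or not anyone inside asked for it.
STATELESS_RULES = [
    {"direction": "out", "proto": "tcp", "src_port": "any", "dst_port": 80, "action": "allow"},
    {"direction": "in", "proto": "tcp", "src_port": 80, "dst_port": "any", "action": "allow"},
]

class StatefulFilter:
    """Tracks connections the inside opened; inbound traffic must match a tracked one."""
    def __init__(self, max_states: int = 1024):
        self.max_states = max_states   # the cache is finite: filling it is the DoS risk
        self.table: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dst_port == 80:
            if key not in self.table:
                if len(self.table) >= self.max_states:
                    return "drop"          # table exhausted: new sessions are refused
                self.table.add(key)
            return "allow"
        if pkt.direction == "in" and reverse in self.table:
            return "allow"                 # a reply to something the inside requested
        return "drop"

def compare() -> dict:
    """One legitimate web session and one unsolicited inbound packet, through both filters."""
    request = Packet("out", "tcp", "10.10.1.5", 51000, "203.0.113.9", 80)
    reply = Packet("in", "tcp", "203.0.113.9", 80, "10.10.1.5", 51000)
    unsolicited = Packet("in", "tcp", "198.51.100.7", 80, "10.10.1.5", 51000)
    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_filter(reply, STATELESS_RULES),              # allow
        "stateless_unsolicited": stateless_filter(unsolicited, STATELESS_RULES),  # allow: the weakness
        "stateful_request": sf.filter(request),                                   # allow, adds state
        "stateful_reply": sf.filter(reply),                                       # allow
        "stateful_unsolicited": sf.filter(unsolicited),                           # drop
    }

def sessions_admitted(max_states: int, attempts: int) -> int:
    """How many new outbound sessions a state table of the given size actually admits."""
    sf = StatefulFilter(max_states)
    return sum(sf.filter(Packet("out", "tcp", "10.10.1.5", 50000 + i, "203.0.113.9", 80)) == "allow"
               for i in range(attempts))
```

Real stateful firewalls age entries out of the table; this toy never does, which is what makes the exhaustion in sessions_admitted visible.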

Packet Filtering (cont’d.)
Packet-filtering rules
–Depend on the establishment of rules
Must have a basic understanding of how some of the various protocols that make up the Internet function
–Internet Control Message Protocol (ICMP)
–User Datagram Protocol (UDP)
–TCP filtering
–IP filtering

PAT and NAT
Each computer on a network is assigned an IP address
Port Address Translation (PAT) and Network Address Translation (NAT)
–Make internal network addresses invisible to outside computers
–Function as an outbound network-level proxy

PAT and NAT (cont’d.)
[Figure 4-11 Port Address Translation, Cengage Learning 2012]
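Added example, not the textbook’s code: a minimal Port Address Translation table in Python, showing how two inside hosts share one outside address and why an inbound packet with no matching entry is simply dropped, which is what “invisible to outside computers” means in practice. The public address 203.0.113.1, the inside and remote addresses, and the port range are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:               # IP and transport header fields PAT rewrites (constructed)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PAT:
    """Many inside (address, port) pairs share one public address, told apart by port."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict[tuple, int] = {}   # (inside ip, port, remote ip, port) -> public port
        self.in_map: dict[int, tuple] = {}    # public port -> the same inside/remote tuple

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the network; allocate a port if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet):
        """Map a packet arriving at the public address back to the inside host,
        or return None (drop) when no inside host ever spoke to this sender."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None                    # unsolicited: nothing inside is reachable
        inside_ip, inside_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                    # right port, wrong peer
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

def demo() -> dict:
    """Two inside hosts use the same source port toward the same server."""
    pat = PAT("203.0.113.1")
    a_out = pat.outbound(Packet("10.10.1.5", 51000, "198.51.100.20", 80))
    b_out = pat.outbound(Packet("10.10.1.6", 51000, "198.51.100.20", 80))
    reply_to_b = pat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", b_out.src_port))
    stray = pat.inbound(Packet("198.51.100.99", 80, "203.0.113.1", a_out.src_port))
    unknown = pat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", 40002))
    return {"a": a_out, "b": b_out, "reply_to_b": reply_to_b, "stray": stray, "unknown": unknown}
```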

Application Layer Gateways
Work at the Application layer
Control the way applications inside the network access external networks by setting up proxy services
Minimize the effect of viruses, worms, Trojan horses, and other malware
Run special software that enables them to act as a proxy for a specific service request

Application Layer Gateways (cont’d.)
Primary disadvantage
–Designed for a specific protocol
–Cannot easily be reconfigured to protect against attacks on other protocols
Valuable security benefit
–Can be configured to allow or deny (both actions can be taken as a result of filtering) specific content, such as viruses and executables

Offline: “X” Marks the Spot
The letter “x” is used in two ways
–10.10.x.x, where the “x” indicates a value in the range of 0 to 254 that can be assigned by the user organization
–To represent “any” value, but in a different location
  Any address that meets the defined portion of the address

Technical Details: Fresh Hot CIDR
“CIDR”
–Classless Inter-Domain Routing
CIDR mask
–Mitigates the inefficiencies in the way IP addresses used to be organized and assigned
–Assigns addresses using the demarcation between network address and host address
Slash (/) and the number following the slash
–Indicate where the boundary between network address and host address is located
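Added example (editor’s code, not the textbook’s): the slash boundary from the CIDR slide worked out in bit arithmetic, together with a translation of the previous slide’s 10.10.x.x shorthand into CIDR so that both notations can be matched against an address the same way. It assumes each “x” stands for a whole trailing octet, which is the only form the deck shows.

```python
def ip_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_split(cidr: str) -> dict:
    """Split 'a.b.c.d/n' at the boundary the slash marks: the first n bits are
    the network address, the remaining 32-n bits are the host address."""
    addr, prefix = cidr.split("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length out of range: /{n}")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF   # n one-bits followed by zeros
    value = ip_to_int(addr)
    return {
        "network": int_to_ip(value & mask),            # host bits cleared
        "host": int_to_ip(value & ~mask & 0xFFFFFFFF),  # network bits cleared
        "mask": int_to_ip(mask),
        "addresses": 1 << (32 - n),                    # block size, incl. network/broadcast
    }

def wildcard_to_cidr(spec: str) -> str:
    """Translate the deck's '10.10.x.x' shorthand into CIDR. Each trailing 'x'
    is a whole octet of host bits, so k wildcard octets give a /(32 - 8k)."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad wildcard spec: {spec}")
    fixed = [o for o in octets if o.lower() != "x"]
    if octets[:len(fixed)] != fixed:
        raise ValueError(f"wildcard octets must be trailing: {spec}")
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return f"{network}/{8 * len(fixed)}"

def matches(addr: str, spec: str) -> bool:
    """True when addr shares the network bits of spec (CIDR or x-wildcard)."""
    if "x" in spec.lower():
        spec = wildcard_to_cidr(spec)
    net = cidr_split(spec)
    mask = ip_to_int(net["mask"])
    return (ip_to_int(addr) & mask) == ip_to_int(net["network"])

if __name__ == "__main__":
    print(cidr_split("192.168.1.77/24"))
    print(wildcard_to_cidr("10.10.x.x"), matches("10.10.200.3", "10.10.x.x"))
```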

Firewall Categories
“Processing mode”
–How the firewall examines the network traffic that it is trying to filter
“Generation”
–Level of technology a firewall has
–Later generations being more complex and more recently developed
“Structure”
–Kind of structure for which the firewalls are intended

Processing Mode
Five major processing-mode categories for firewalls:
–Packet-filtering firewalls, application gateways, circuit gateways, MAC layer firewalls, and hybrids
–Most are hybrids
Packet-filtering firewalls
–Three kinds of packet-filtering firewalls: static filtering, dynamic filtering, and stateful inspection

Processing Mode (cont’d.)
Application gateways
–Frequently installed on a dedicated computer
–Separate from the filtering router
–Commonly used in conjunction with a filtering router
Circuit gateways
–Operate at the transport layer
–Connections are authorized based on addresses

Processing Mode (cont’d.)
MAC layer firewalls
–Operate at the media access control sublayer of the data link layer
–Consider the specific host computer’s identity
Hybrid firewalls
–Combine the elements of various types of firewalls

Firewall Generations
First-generation firewalls
–Static packet-filtering firewalls
Second-generation firewalls
–Application-level firewalls or proxy servers
Third-generation firewalls
–Stateful inspection firewalls
Fourth-generation firewalls
–Also known as dynamic packet-filtering firewalls
–Allow only a particular packet with a particular source, destination, and port address to enter

Firewall Generations (cont’d.)
Fifth-generation firewalls
–Kernel proxies
–Work under the Windows NT Executive, the kernel of Windows NT

Firewall Structures
Commercial-grade firewall appliances
–Stand-alone, self-contained combinations of computing hardware and software
–Have many of the features of a general-purpose computer
–With the addition of firmware-based instructions
  Increase reliability and performance
  Minimize the likelihood of being compromised

Firewall Structures (cont’d.)
Commercial-grade firewall systems
–Consist of application software that is configured for the firewall application
–Run on a general-purpose computer
Full-featured, commercial-grade firewall packages
–Check Point Power-1
–Cisco ASA
–Microsoft Internet Security & Acceleration Server
–McAfee Firewall Enterprise (Sidewinder)

Firewall Structures (cont’d.)
Small office/home office (SOHO) firewall appliances
–Among the most effective methods of improving computing security in the SOHO setting
–Serve first as a stateful firewall
–Enable inside-to-outside access
–Can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities

Firewall Structures (cont’d.)
Broadband router devices
–Can function as packet-filtering firewalls
–Enhanced to combine the features of wireless access points (WAPs) as well as small stackable LAN switches in a single device
Provide more than simple NAT services
–Include packet filtering, port filtering, and simple intrusion detection systems
–Restrict access to specific MAC addresses

Firewall Structures (cont’d.)
[Figure 4-12 Example SOHO, Cengage Learning 2012]

Firewall Structures (cont’d.)
Software firewalls
–Many of the firewalls in Table 4-4 provide free versions of their software
–Not fully functional
–“You get what you pay for”

Firewall Structures (cont’d.)
Free firewall tools on the Internet
–Most of the free firewall software also runs on a free operating system
–Convenience, simplicity, and unbeatable price
Netfilter
–Firewall software that comes with the Linux 2.4 kernel
–Powerful solution for stateless and stateful packet filtering, NAT, and packet processing

Firewall Structures (cont’d.)
Software vs. hardware: the SOHO firewall debate
–Hardware device
  If the attacker manages to crash the firewall system, the computer and information are still safely behind the now-disabled connection
  Assigned a nonroutable IP address, so virtually impossible to reach from the outside
–Software device
  Can be disabled and allow free network access

[Table 4-4 Common Software Firewalls As Rated by CNET]

Firewall Architectures
Packet-filtering routers
–Can be configured to reject packets that the organization does not allow into the network
Screened host firewalls
–Combine the packet-filtering router with a separate, dedicated firewall
  Application proxy server

Firewall Architectures (cont’d.)
[Figure 4-17 Screened Host, Cengage Learning 2012]

Firewall Architectures (cont’d.)
Dual-homed host firewalls
–Bastion host contains two NICs rather than one
–One NIC is connected to the external network
–One is connected to the internal network
–All traffic must physically go through the firewall to move between the internal and external networks

Firewall Architectures (cont’d.)
[Figure 4-18 Dual-Homed, Cengage Learning 2012]

Firewall Architectures (cont’d.)
Screened subnet firewalls (with DMZ)
–Dominant architecture used today
–Subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router
–Each host protecting the trusted network
–Many variants of the screened subnet architecture

Firewall Architectures (cont’d.)
[Figure 4-19 Screened, Cengage Learning 2012]

Limitations of Firewalls
Cannot be expected to do everything
Should not be the only form of protection for a network

Summary
A firewall filters the transmission of packets of digital information
–As they attempt to pass through a network boundary
Packet filtering
–Key function of any firewall
Application layer gateways
–Control the way applications inside the network access external networks
Firewalls can be categorized by:
–Processing mode, generation, or structure