© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 6 Firewall Design Strategies.


Class Agenda 1
 Learning Objectives
 Lesson presentation and discussions
 Discussion on assignments
 Discussion on lab activities
 Break times: a 10-minute break every hour
 Note: Submit all assignments and labs due today.

Class Agenda 2
 Theory: 6:00pm to 8:00pm
 Lab: 8:15pm to 11:00pm

Learning Objective and Key Concepts
Learning Objectives
 Assess firewall design strategies
Key Concepts
 Organization traffic and AUP policy review
 Strategies for public Internet and private network separation
 Firewall rules for restricting and permitting data transit
 Use of protected demilitarized zones (DMZs)
 Security strategies and requirements for availability

EXPLORE: CONCEPTS

Exploitable Programming Bugs
 Firewalls run software
 Bugs are the result of human error in that software
 Once discovered, bugs are typically addressed and corrected in software patches

Buffer Overflow
 Memory-based attack
 Typically the result of poor programming
 Can result in code injection
 Can be used to crash systems

Fragmentation
 Overlapping: full or partial overlapping datagrams
 Overrun: excessively large datagrams
 Potential result: denial of service

Firewalking
 A technique for learning the firewall's configuration from outside
 Attacker learns the firewall configuration systematically
 Can occur from inside or outside the firewall
 Takes advantage of a known-good internal IP address

Internal Code Planting
 Requires access from inside the network environment
 Involves either a hacker or a user placing malicious code onto internal systems
 Assumes the firewall has lenient outbound traffic restrictions
 Results in internally initiated connections to a malicious Internet presence

Denial of Service (DoS)
 Flooding attack that overwhelms systems
 Often causes system shutdown or failure
 May manifest as performance problems
 A DoS attack is difficult to fix

Encrypted Transport
 Two main forms of communication encryption: tunnel mode and transport mode
 Tunnel mode encrypts the original payload and header
 Transport mode encrypts only the payload
 A firewall cannot filter encrypted data

Encrypted Transport (cont.)
 May choose to support or allow encryption of specific types over specific protocols or ports, but disallow and prevent encrypted communications elsewhere
 Firewall rules for encrypted traffic can range from full allowance to full denial
 May allow encryption only over a specific port or only for certain users

Gateway Bottlenecks
 A gateway or pass-through firewall can become a bottleneck during high-traffic periods
 A DoS attack can consume all processing capabilities of the firewall

Malware Scanning
 Benefits
  - Scanning for various malware: viruses, trojans, spam, spyware, etc.
 Drawbacks
  - Potential negative impact on performance (wire-speed performance; memory and CPU implications)
  - Requires regular maintenance and updates
  - Feature set may not be comparable to other dedicated solutions, or may not complement current mechanisms

IDS and IPS
 Benefits
  - Logical pairing of functionality
  - Reduction in the administrative overhead of maintaining multiple devices
 Drawbacks
  - Potential performance implications (wire speed)
  - Possible feature set limitations

VPN Endpoint
 Benefits
  - Reduction in the administrative overhead of maintaining multiple devices
 Drawbacks
  - Potential performance implications
  - Possible feature set limitations compared to stand-alone solutions

EXPLORE: ROLES

Reverse Proxy
 A reverse proxy allows access to internal Web site content from the public network
 Use firewall caching
 Benefits
  - Enhanced security
  - Encryption
  - Reverse caching

Improving Performance
 Firewalls should function at wire speed
 Wire speed refers to any function that supports the link's data transfer rate without slowing it down
 A firewall should not introduce latency or delay in communication

Improving the Firewall
 Improve the firewall using caching and load balancing
 Caching is the holding of often-accessed content in memory on the firewall

Load Balancing
 Load balancing is where the firewall filtering workload is distributed across multiple parallel firewalls
 Benefits
  - Redundancy and fault tolerance to improve availability


Port Forwarding
 Receipt of IP traffic based on IP address/port number
 The IP address/port number forwards to another IP address/port number
 Benefits
  - Ability to utilize a single public IP address
  - Maps to multiple other internal destinations
  - No direct connectivity to internal resources

Combining Port Forwarding with NAT
 Private IP addresses of the internal systems are masked from the public network
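The two slides above, as an added example that is not part of the ITT material: a minimal port-forwarding table combined with NAT state, showing the inbound destination rewrite to an internal host, the reverse rewrite of the reply so the private address never appears on the public side, and the drop of any traffic with no mapping. All addresses, ports and the forwarding table are constructed sample values.

```python
"""Port forwarding with NAT: one public IP, several internal destinations.
Constructed example for illustration; addresses are documentation ranges."""
import dataclasses
from dataclasses import dataclass

PUBLIC_IP = "198.51.100.10"   # the single public address (constructed)

# Forwarding table: public port -> (internal host, internal port).
# Constructed sample map; internal hosts use private RFC 1918 space.
FORWARD = {
    443: ("10.1.0.10", 8443),   # HTTPS to the DMZ web server
    25:  ("10.1.0.20", 25),     # SMTP to the mail relay
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Connection state: (external src, src port, public port) -> internal target.
# Replies are only translated for connections that came in through a mapping.
conntrack = {}


def inbound(pkt):
    """Translate an inbound packet's destination, or return None to drop it.

    Traffic must be addressed to the public IP on a mapped port; anything
    aimed directly at a private address or an unmapped port has no path in.
    """
    if pkt.dst != PUBLIC_IP or pkt.dport not in FORWARD:
        return None
    host, port = FORWARD[pkt.dport]
    conntrack[(pkt.src, pkt.sport, pkt.dport)] = (host, port)
    return dataclasses.replace(pkt, dst=host, dport=port)


def outbound_reply(pkt):
    """Rewrite an internal host's reply so its source is the public IP/port.

    Returns None (drop) when no inbound state exists, so an internal host
    cannot expose its private address by sending unsolicited traffic out.
    """
    for (ext, ext_port, pub_port), (host, port) in conntrack.items():
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (host, port, ext, ext_port):
            return dataclasses.replace(pkt, src=PUBLIC_IP, sport=pub_port)
    return None
```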

EXPLORE: CONTEXT

Bastion Hosts
 A bastion host is a specialized computer that is deliberately exposed on a public network
 Simple single-layer architecture
 Resides outside the firewall or in the demilitarized zone (DMZ)
 Typically serves as the first point of connection from the Internet
 Can be a software or hardware solution

Categories of Bastion Hosts
 Proprietary OS
  - Built specifically to be bastion hosts
  - Example: Cisco IOS
 General-purpose OS
  - Serve as client or server OSs
  - Can be configured to serve as bastion hosts
  - Examples: Windows, Linux, Mac, etc.

Bastion Host Placement
(Figure: ingress/egress architecture with a bastion host in the DMZ)

Ingress/Egress Filtering
Common Rules on Firewalls
 Access to insecure Internet Web sites (HTTP)
 Access to secure Internet Web sites (HTTP over SSL or TLS)
 Access to other Internet Web site protocols (SQL and Java)
 Inbound Internet
 Outbound Internet

Ingress/Egress Filtering
 External entities initiating connections
 Inbound rules apply when an internal resource is specifically hosted for the purpose of being accessed by external entities
 Use a single IP address for a single host
 Use the correct subnet or range designation for a collection of hosts
 Specify the port when possible

Ingress/Egress Filtering
Communications Commonly Blocked
 All ICMP traffic originating from the Internet
 Any traffic directed specifically to the firewall
 Any traffic to known closed ports
 Any traffic to known ports of known malware
 Inbound TCP 53, to block external DNS zone transfer requests
 Inbound UDP 53, to block external DNS user queries
 Any traffic from IP addresses on a blacklist
 Any traffic from internal IP addresses that are not assigned

EXPLORE: RATIONALE

Firewall Rules
 Sometimes called a filter
 An instruction set that indicates how a firewall should take action on a particular type of network traffic

Firewall Rules: General Guidelines
 Direction matters: validate source and target addresses
 The Deny All rule always goes at the bottom of the list
 Denial exceptions go at the top of the list
 Rules pertaining to more common traffic belong closer to the top of the list
 Keep the number of rules to a minimum

Ports
 What ports should be allowed? Any required environment-specific application ports
 What ports should be blocked? All others, with a Deny All rule
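The "communications commonly blocked" list, the rule-ordering guidelines and the port policy above, combined in one added example that is not part of the ITT material: a first-match rule evaluator in which the specific blocks (anti-spoofing, blacklist, traffic to the firewall itself, inbound ICMP, inbound DNS) sit ahead of the few permitted ports so they cannot be shadowed, and Deny All closes the list. Every decision returns the matching rule name so a rejection can be logged with its cause. All addresses, subnets and the permitted ports are constructed assumptions.

```python
"""First-match firewall rule list built from the slide's guidelines.
Constructed example; addresses come from documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")           # assumed private range
ASSIGNED = [ip_network("10.1.0.0/16")]         # assumed allocated subnets
BLACKLIST = [ip_network("203.0.113.0/24")]     # constructed blacklist
FIREWALL_IP = ip_address("198.51.100.1")       # constructed outside address
WEB_SERVER = ip_address("10.1.0.10")           # constructed DMZ host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports
    inbound: bool = True


def in_any(addr, nets):
    return any(ip_address(addr) in n for n in nets)


# (name, predicate, action); list order is the policy, first match wins.
RULES = [
    # Specific blocks first so no later permit can shadow them.
    ("drop-spoofed-internal", lambda p: p.inbound and ip_address(p.src) in INTERNAL, "deny"),
    ("drop-unassigned-internal", lambda p: not p.inbound and not in_any(p.src, ASSIGNED), "deny"),
    ("drop-blacklist", lambda p: in_any(p.src, BLACKLIST), "deny"),
    ("drop-to-firewall", lambda p: ip_address(p.dst) == FIREWALL_IP, "deny"),
    ("drop-inbound-icmp", lambda p: p.inbound and p.proto == "icmp", "deny"),
    ("drop-inbound-dns", lambda p: p.inbound and p.dport == 53, "deny"),
    # Required application ports only; most common traffic nearest the top.
    ("allow-dmz-https", lambda p: p.inbound and p.proto == "tcp"
                                   and p.dport == 443 and ip_address(p.dst) == WEB_SERVER, "allow"),
    ("allow-outbound-web", lambda p: not p.inbound and p.proto == "tcp" and p.dport in (80, 443), "allow"),
    # Deny All is always last.
    ("deny-all", lambda p: True, "deny"),
]


def evaluate(pkt, rules=RULES):
    """Return (action, rule_name) for the first rule that matches."""
    for name, match, action in rules:
        if match(pkt):
            return action, name
    raise AssertionError("rule list must end with a Deny All rule")


def check_ordering(rules):
    """Lint the list: exactly one Deny All, and it must be the final rule,
    since anything placed after it could never match."""
    names = [name for name, _, _ in rules]
    return names.count("deny-all") == 1 and names[-1] == "deny-all"
```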

Logging and Monitoring
 Why log?
  - Validation that firewall rules are configured properly
  - Historical tracking and trend analysis
  - Reactive tracking and tracing of attacks
 What data should be logged?
  - All connection rejections
  - All traffic that successfully traverses the firewall
  - Firewall configuration changes
  - Access to the firewall system

Logging and Monitoring (cont.)
 Monitoring allows for alerting
 Alerting allows for prompt response
 Review log files regularly!

Summary
 Organization traffic and AUP policy review
 Public Internet and private network separation
 Firewall rules for restricting and permitting data transit
 Use of protected demilitarized zones (DMZs)
 Security strategies and requirements for availability

Assignment and Lab
 Discussion 6.1: Firewall Security Strategies
 Lab #6: 6.2 Using Social Engineering Techniques to Plan an Attack