1
FIREWALL By Abhishar Baloni I.D
2
WHAT IS A FIREWALL A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic.
3
FIREWALL
4
WHAT FIREWALL DOES A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through. A Firewall disrupts free communication between trusted and un-trusted networks, attempting to manage the information flow and restrict dangerous free access. There are numerous mechanisms employed to do this, each one being somewhere between completely preventing packets flowing, which would be equivalent to completely disconnected networks, and allowing free exchange of data, which would be equivalent to having no Firewall.
5
HOW DOES A FIREWALL PROTECT
A firewall normally includes protection mechanisms at the:
Network layer (addresses, routing)
Transport layer (ports, connection state)
Application layer (protocol content)
Encryption (tunnels between firewalls, see the later slide on encrypting firewalls)
6
FIREWALL DESIGN ISSUES
Define goals:
What services do you want? How much can it cost? Provide a business justification for each service.
Who/what are you trying to protect, and from whom / against what (threats)?
What known weaknesses need to be addressed?
What risks (likelihood and consequences or impact) do the above threats entail?
Develop a strategy to counter the unacceptable threats: policy, organisation, processes and specific technical mechanisms.
7
TYPES OF FIREWALLS A firewall may employ a number of different techniques to correctly identify a conversation and act on it. The techniques used by a particular firewall determine how accurately it can identify traffic, how sophisticated the checks it can implement are, and its complexity and therefore its cost.
8
PACKET FILTER Packets (small chunks of data) are analyzed against a set of filter rules, usually on source and destination address, protocol and port. Packets that pass the filters are forwarded to the requesting system; all others are discarded. A firewall implementing a packet filter looks at one packet at a time and considers it in isolation when making the forwarding decision, so it cannot tell whether an inbound packet is the reply to a connection an inside host opened or an unsolicited probe. Because of this, a packet filtering firewall can implement only a restricted range of filtering decisions.
9
APPLICATION PROXIES Information from the Internet is retrieved by the firewall, which acts as a proxy server, and then sent to the requesting system, and vice versa. The firewall forms its own connection to the internal server, passing on only the application protocol elements that pass its strict checks of correctness; malformed or unexpected protocol commands never reach the internal server.
10
STATEFUL INSPECTION A newer method that does not examine the full contents of each packet but instead compares certain key parts of the packet (addresses, ports, TCP flags and sequence information) to a state table of connections it has already seen. Information travelling from inside the firewall to the outside is recorded in this table, and incoming information is compared against it. If the incoming packet matches a recorded connection, it is allowed through; otherwise it is discarded.
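The two slides above (packet filter and stateful inspection) can be compared directly in code. The following is an added example, not code from the original presentation: a first-match stateless filter and a minimal stateful filter are run over the same constructed three-packet trace. The addresses are from the RFC 5737 documentation ranges and the "inside" network, rule format and helper names are assumptions for the illustration.

```python
"""Stateless packet filter versus stateful inspection, on a constructed trace."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: first packet of a new connection
    ack: bool = False   # TCP ACK: set on every packet after the first


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dst: str = "0.0.0.0/0"        # destination network in CIDR notation
    sport: Optional[int] = None   # None matches any source port
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


INSIDE = "192.0.2.0/24"   # assumed "inside" network (TEST-NET-1)

# Stateless policy: let inside hosts reach web servers, and let web servers answer.
# Because each packet is judged in isolation, the reply rule has to open every
# inside port to anything that merely claims to come from source port 80.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, dport=80),
    Rule("allow", dst=INSIDE, sport=80),
]


def stateless_filter(rules, p: Packet) -> str:
    """First matching rule wins; no match means deny (default-deny policy)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Same outbound policy, but an inbound packet is admitted only if it belongs
    to a connection the state table has already seen leaving the network."""

    def __init__(self, outbound_rules):
        self.outbound_rules = outbound_rules
        self.table = set()   # (inside_host, inside_port, outside_host, outside_port)

    def decide(self, p: Packet) -> str:
        if ip_address(p.src) in ip_network(INSIDE):          # leaving the network
            if stateless_filter(self.outbound_rules, p) == "allow":
                if p.syn and not p.ack:                       # new connection: record it
                    self.table.add((p.src, p.sport, p.dst, p.dport))
                return "allow"
            return "deny"
        # entering the network: must be the reverse of a recorded connection
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "allow"
        return "deny"


def run_trace():
    """Constructed trace: a legitimate web request, its reply, and a forged probe."""
    client_syn = Packet("192.0.2.10", 40000, "198.51.100.5", 80, syn=True)
    server_synack = Packet("198.51.100.5", 80, "192.0.2.10", 40000, syn=True, ack=True)
    # attacker forges source port 80 to reach SSH (22) on an inside host
    forged = Packet("203.0.113.7", 80, "192.0.2.10", 22, syn=True)
    trace = (client_syn, server_synack, forged)

    stateless = [stateless_filter(STATELESS_RULES, p) for p in trace]
    stateful = StatefulFilter([Rule("allow", src=INSIDE, dport=80)])
    return stateless, [stateful.decide(p) for p in trace]


if __name__ == "__main__":
    print(run_trace())   # (['allow', 'allow', 'allow'], ['allow', 'allow', 'deny'])
```

The stateless filter lets the forged packet through because rule 2 can only describe "anything from port 80 to inside"; the stateful filter drops it because no inside host ever opened a connection to 203.0.113.7. Real stateful firewalls also time entries out and track TCP sequence numbers, which this example omits.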
11
HOLES AND INCOMING TRAFFIC
In firewall terms, a hole is a deliberate opening in the access policy that lets outside traffic reach an inside system. Attackers use such openings to reach, and then exploit weaknesses in, the software behind them. An example of the kind of hole which is typically opened up in a firewall is the one necessary for mail delivery.
12
On the Internet, a protocol called SMTP is used to deliver mail between mail servers. It works, in effect, by the sender's machine connecting to the recipient's mail server and pushing the message to it. In order to accept mail from the Internet onto a local mail server it is usual to open up a hole which allows any server on the Internet to connect to the local mail server on the SMTP port. Unfortunately, this exposes the internal mail server to every attack that is possible against the software installed on it, and if that software is at all complex, there will be many potential attacks.
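The application-proxy slide and the SMTP-hole slide describe the same trade-off from two sides: an application proxy in front of the mail server relays only protocol elements it has checked, so the internal server never sees malformed or unexpected commands. The following is an added example, not code from the presentation: a minimal SMTP command gateway that enforces the command sequence, line length and address syntax, run over a constructed session that mixes legitimate traffic with probes. The allowed-command set and the address regex are assumptions of the example, not the full RFC 5321 grammar.

```python
"""Application-level SMTP gateway check: only well-formed, in-order protocol
elements are relayed to the internal mail server. Session below is constructed."""
import re

# Commands the gateway is willing to relay (assumed policy: no VRFY/EXPN/HELP etc.)
ALLOWED = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512          # RFC 5321 maximum command line length, including CRLF
ADDR_RE = re.compile(r"^<[A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+>$|^<>$")  # simplified


class SmtpGateway:
    def __init__(self):
        self.state = "start"   # start -> greeted -> mail -> rcpt -> data

    def check(self, line: bytes):
        """Return ("relay", text) to forward the line, or ("reject", reason)."""
        if len(line) > MAX_LINE:
            return ("reject", "line too long")
        if not line.endswith(b"\r\n"):
            return ("reject", "missing CRLF")
        if self.state == "data":                     # message body: relay until lone "."
            if line == b".\r\n":
                self.state = "greeted"
            return ("relay", line[:-2].decode("ascii", "replace"))
        try:
            text = line[:-2].decode("ascii")
        except UnicodeDecodeError:
            return ("reject", "non-ASCII bytes in command")
        if any(ord(c) < 32 for c in text):
            return ("reject", "control character in command")
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED:
            return ("reject", f"command {verb} not permitted")
        if verb in ("EHLO", "HELO"):
            if not arg or " " in arg:
                return ("reject", "bad hostname")
            self.state = "greeted"
        elif verb == "MAIL":
            if self.state != "greeted" or not arg.upper().startswith("FROM:"):
                return ("reject", "MAIL out of sequence or malformed")
            if not ADDR_RE.match(arg[5:].strip()):
                return ("reject", "bad sender address")
            self.state = "mail"
        elif verb == "RCPT":
            if self.state not in ("mail", "rcpt") or not arg.upper().startswith("TO:"):
                return ("reject", "RCPT out of sequence or malformed")
            if not ADDR_RE.match(arg[3:].strip()):
                return ("reject", "bad recipient address")
            self.state = "rcpt"
        elif verb == "DATA":
            if self.state != "rcpt" or arg:
                return ("reject", "DATA before RCPT")
            self.state = "data"
        elif verb == "RSET" and self.state != "start":
            self.state = "greeted"
        return ("relay", text)


def run_session(lines):
    gw = SmtpGateway()
    return [gw.check(line) for line in lines]


# Constructed session: a normal delivery interleaved with three probes.
SESSION = [
    b"EHLO mail.example.org\r\n",
    b"VRFY root\r\n",                               # user enumeration: not permitted
    b"HELP " + b"A" * 600 + b"\r\n",                # overlong line aimed at the parser
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"RCPT TO:<bob@example.net>; rm -rf /\r\n",     # shell metacharacters in an address
    b"DATA\r\n",
    b"Subject: hi\r\n",
    b".\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for line, verdict in zip(SESSION, run_session(SESSION)):
        print(line[:40], verdict)
```

Only the seven well-formed lines reach the internal server; the three probes are answered (or dropped) by the gateway, so a flaw in the real server's handling of VRFY, long lines or odd addresses is never reachable from the Internet. Note that the check runs per line and keeps state across the session, which is what distinguishes it from a packet filter that merely opens port 25.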
13
NO HOLES: THE DEMILITARISED ZONE (DMZ)
DMZ refers to a part of the network that is neither part of the internal network nor directly part of the Internet. Typically, this is the area between your Internet access router and your bastion host, though it can be between any two policy-enforcing components of your architecture.
14
MAKING THE FIREWALL FIT
Firewalls are customizable: you can add or remove filters based on several conditions, such as:
IP addresses
Domain names
Protocols
Ports
Specific words and phrases
15
WHAT FIREWALL PROTECTS US FROM
Remote login
Application backdoors
SMTP session hijacking
Operating system bugs
Denial of service bombs
Macros
Spam
16
FIREWALL ARCHITECTURE
There are many possible ways to set up a Firewall. The choice of Firewall depends on cost, performance, availability needs and the sensitivity of the information being protected by the firewall. Highly secure, high performance, high availability systems are not cheap.
17
BASIC FILTER ARCHITECTURE (SCREENING ROUTER)
The cheapest (and least secure) setup uses a router, which can filter inbound and outbound packets on each interface, to screen access to one (or more) internal servers. A router is normally needed anyway to connect to the Internet, so the filtering comes at no extra cost. The screened server is the starting point for all outside connections, and internal clients that wish to access the outside do so via this screened server.
18
BASIC FILTER ARCHITECTURE
19
DUAL HOMED FIREWALL ARCHITECTURE
In this classical firewall architecture, a host is set up with two network interfaces, one connected to the outside and one to the inside. Packet forwarding is disabled on the gateway, so information is passed only at the application level (by proxies). The gateway can be reached from both sides, but traffic cannot flow directly across it. Normally, a router is also needed for the Internet connection.
20
DUAL HOMED FIREWALL ARCHITECTURE
21
SCREENED HOST ARCHITECTURE
22
SCREENED SUBNET (OR DMZ) ARCHITECTURE
This architecture is an extension of the screened host architecture. The classical firewall setup is a packet filter between the outside and a "semi-secure" or De-Militarized Zone (DMZ) subnet where the proxies lie; the outside gets only restricted access to the services in the DMZ. The DMZ is further separated from the internal network by another packet filter which only allows connections to/from the proxies, so a compromised DMZ host other than a proxy still cannot reach the internal network directly.
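The screened-subnet description above can be checked by walking a packet through the two filters in order. This is an added example, not code from the presentation: it models the outer filter (Internet/DMZ) and the inner filter (DMZ/internal) as default-deny allow-lists for a mail-only policy and reports which component drops a packet. The zone addresses, the proxy and mail server hosts, and the allow-list format are assumptions for the illustration.

```python
"""Walking a packet through the two filters of a screened-subnet (DMZ) architecture."""
from ipaddress import ip_address, ip_network

ZONES = {                                    # assumed networks (RFC 5737 ranges)
    "internal": ip_network("192.0.2.0/24"),
    "dmz":      ip_network("203.0.113.0/24"),
    "internet": ip_network("0.0.0.0/0"),     # catch-all, checked last
}
MAIL_PROXY = "203.0.113.25"     # assumed bastion / SMTP proxy in the DMZ
INTERNAL_MAIL = "192.0.2.25"    # assumed real mail server on the internal network


def zone(host: str) -> str:
    for name in ("internal", "dmz", "internet"):   # most specific first
        if ip_address(host) in ZONES[name]:
            return name
    raise ValueError(host)


# Each filter is a set of (src, dst, dport) it permits; src/dst are a zone name
# or a specific host. Anything not listed is dropped (default deny).
OUTER_FILTER = {                              # between the Internet and the DMZ
    ("internet", MAIL_PROXY, 25),             # anyone may hand mail to the proxy
    ("dmz", "internet", 25),                  # the DMZ may deliver outbound mail
}
INNER_FILTER = {                              # between the DMZ and the internal network
    (MAIL_PROXY, INTERNAL_MAIL, 25),          # only the proxy may reach the mail server
    (INTERNAL_MAIL, MAIL_PROXY, 25),          # and the mail server may hand it outbound mail
}
FILTERS = {"outer": OUTER_FILTER, "inner": INNER_FILTER}


def filters_on_path(src_zone: str, dst_zone: str):
    """Policy-enforcing components a packet crosses, in order (empty if same zone)."""
    order = ["internet", "dmz", "internal"]
    i, j = order.index(src_zone), order.index(dst_zone)
    step = 1 if j > i else -1
    path = []
    for k in range(i, j, step):
        pair = {order[k], order[k + step]}
        path.append("outer" if pair == {"internet", "dmz"} else "inner")
    return path


def _matches(host: str, spec: str) -> bool:
    return spec == host or spec == zone(host)


def permitted(flt, src: str, dst: str, dport: int) -> bool:
    return any(_matches(src, s) and _matches(dst, d) and dport == p for s, d, p in flt)


def route(src: str, dst: str, dport: int):
    """Return ("allow", None) or ("drop", name_of_filter_that_dropped_it)."""
    for name in filters_on_path(zone(src), zone(dst)):
        if not permitted(FILTERS[name], src, dst, dport):
            return ("drop", name)
    return ("allow", None)


if __name__ == "__main__":
    for pkt in [("198.51.100.9", MAIL_PROXY, 25),      # Internet -> proxy: allowed
                ("198.51.100.9", INTERNAL_MAIL, 25),   # Internet -> real server: outer drops
                (MAIL_PROXY, INTERNAL_MAIL, 25),       # proxy -> real server: allowed
                ("203.0.113.40", INTERNAL_MAIL, 25)]:  # other DMZ host -> server: inner drops
        print(pkt, route(*pkt))
```

The last case is the point of the second filter: even if a non-proxy host in the DMZ is compromised, the inner filter still stands between it and the internal network.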
23
SCREENED SUBNET (OR DMZ) ARCHITECTURE
24
INVISIBLE FILTER ARCHITECTURE
25
ENCRYPTING FIREWALLS / TUNNELS
26
CONCLUSION The level of security you establish determines how many threats your firewall can stop. The highest level of security would be to simply block everything; obviously that defeats the purpose of having an Internet connection. The common rule of thumb is therefore to block everything by default and then explicitly allow only the types of traffic you need. You can also restrict traffic that travels through the firewall so that only certain types of information can get through. This is a good rule for businesses with an experienced network administrator who understands what the needs are and knows exactly what traffic to allow. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change them.