Slide 1: Compare Firewall Products
Yan Xie, 2001825
Term Project of Network Security
Slide 2: Introduction
- Why do we need a firewall
- The definition of a firewall
- Some benefits and disadvantages of firewalls
- Types of firewall
- Comparing the features of some firewall products
Slide 3: Why do we need a firewall
Security vulnerabilities on the Internet and in local area networks:
- Vulnerable TCP/IP services
- Lack of a security policy
- Complexity of configuration
- Weak authentication
- Ease of spying and monitoring
- Ease of spoofing
- Flawed LAN services and mutually trusting hosts
- Host-based security does not scale
Slide 4: The definition of a firewall
What is a firewall? A firewall is any one of several ways of protecting one network from another, untrusted network. In principle, a firewall can be thought of as a pair of mechanisms: one exists to block traffic, and the other exists to permit traffic. Some firewalls place a great emphasis on blocking traffic, while others emphasize permitting traffic.
Slide 5: The definition of a firewall (firewall components)
1. Network policy, which includes the service access policy and the firewall design policy
- A service access policy defines the services that will be allowed or denied from the restricted network
- The firewall design policy describes how the firewall will actually restrict and filter the services defined in the service access policy. It takes one of two stances:
  - Permit any service unless it is expressly denied
  - Deny any service unless it is expressly permitted
Slide 6: Firewall components (cont.)
2. Advanced authentication mechanisms (smart cards, authentication tokens)
3. Packet filtering (on source address, destination address, TCP/UDP source port and TCP/UDP destination port)
4. Application gateways, which offer:
- Information hiding
- Robust authentication and logging
- Cost-effectiveness
- Less complex filtering rules
Slide 7: Benefits of a firewall
- Protection from vulnerable services
- Controlled access to site systems
- Privacy
- Logging and statistics on network use
- Enhanced, concentrated security
Slide 8: Disadvantages of a firewall
- Restricted access to desirable services
- Large potential for back doors
- Little protection from inside attacks
- Potential threat from multicast IP transmissions
- Restrictions on configuration
- No protection against viruses
Slide 9: Types of firewall: packet filter firewall
- The most common and easiest firewall to deploy, suited to small, uncomplicated sites
- Allows selective access to systems and services depending on source address, destination address, TCP/UDP source port and TCP/UDP destination port
- Inherently dangerous services such as NIS, NFS and X Windows are blocked
Slide 10: Packet Filtering Firewall
(Figure: Packet Filtering Firewall System; an IP packet filtering router sits between the Internet and the site)
Slide 11: Packet filter firewall (drawbacks)
- Little or no logging capability
- It is difficult to test the system and to find its vulnerabilities
- The filtering router becomes unmanageable if complex filtering rules are required
- The lowest level of firewall, because it has no application awareness
Slide 12: Types of firewall: dual-homed gateway firewall
- Implements the second design policy: deny all services unless they are specifically permitted
- A complete block to IP traffic between the Internet and the protected site
- Proxy servers on the gateway provide services and access
- Provides proxy services for Telnet and FTP, as well as an e-mail service in which the firewall accepts all site mail and forwards it to site systems
- Logs accesses and access attempts, to find intruder activity
- Segregates traffic for an information server from other traffic to and from the site; any intruder who penetrates the information server is still stopped by the dual-homed gateway
- If any vulnerability or technique on the host is compromised, an intruder could subvert the firewall and carry out harmful activities
Slide 13: Dual-homed Gateway Firewall
(Figure: Dual-homed Gateway Firewall with Router; Internet, IP filtering router, application gateway and information server)
Slide 14: Screened host firewall
- Combines a packet-filtering router with an application gateway located on the protected subnet side of the router
- The router filters or screens dangerous protocols so they cannot reach the application gateway and site systems
- Whether application traffic is accepted or rejected depends on the following rules:
  - Application traffic from Internet sites to the application gateway gets routed
  - All other traffic from Internet sites gets rejected
  - The router rejects any application traffic originating from the inside unless it came from the application gateway
Slide 15: Screened host firewall
- Since the router only limits application traffic to the application gateway, the configuration is not as complex as that of a packet filtering firewall
- The gateway needs only one network interface and does not require a separate subnet between the application gateway and the router, which can make the firewall more flexible
- The router may be permitted to pass some trusted services directly to site systems, so the firewall should use both design policies to restrict how many and which types of services are routed directly to site systems
Slide 16: Screened Host Firewall
(Figure: Screened Host Firewall; Internet, IP filtering router, application gateway and information server)
Slide 17: Screened subnet firewall
- A screened subnet firewall can be used to locate each component of the firewall on a separate system
- The outer router routes traffic according to the following rules:
  - Application traffic from the application gateway to Internet systems gets routed
  - E-mail traffic from the e-mail server to Internet sites gets routed
  - Application traffic from the e-mail server to the application gateway gets routed
  - E-mail traffic from Internet sites to the e-mail server gets routed
  - FTP, Gopher, etc. traffic from Internet sites to the information server gets routed
  - All other traffic gets rejected
Slide 18: Screened subnet firewall
- The inner router passes traffic to and from the screened subnet according to the following rules:
  - Application traffic from the application gateway to site systems gets routed
  - E-mail traffic from the e-mail server to site systems gets routed
  - Application traffic from site systems to the application gateway gets routed
  - E-mail traffic from site systems to the e-mail server gets routed
  - FTP, Gopher, etc. traffic from site systems to the information server gets routed
  - All other traffic gets rejected
Slide 19: Screened subnet firewall (advantages)
- The two routers make it more difficult for an intruder, who would have to subvert both routers to reach site systems
- Only the application gateway, e-mail server and information server would be known to the Internet; no other system names would appear in the DNS database accessible to outside systems
- The application gateway can use authentication software to authenticate all inbound connections
- More flexible, by permitting certain trusted services to pass between the Internet and site systems
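The router rule sets of slides 17 and 18, together with the packet-filter matching fields of slide 9, as an added worked example (not part of the original presentation). It models a static packet filter with the "deny unless expressly permitted" design policy, then applies the outer and inner router rules of the screened subnet to sample packets. The addresses, the ports used to classify "application", "e-mail" and "FTP, Gopher, etc." traffic, and the names Packet, Rule, filter_packet, routers_on_path and site_allows are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List

# Constructed address plan for the example (an assumption; the slides name no addresses).
SITE = ip_network("10.0.0.0/8")          # protected site systems behind the inner router
SCREENED = ip_network("192.0.2.0/24")    # the screened subnet between the two routers
APP_GW = "192.0.2.10"                    # application gateway
MAIL = "192.0.2.25"                      # e-mail server
INFO = "192.0.2.80"                      # information server

# Service ports used to classify the slides' traffic categories (assumed for the example).
APPLICATION = frozenset({21, 23, 80})    # FTP, Telnet, HTTP relayed by the application gateway
EMAIL = frozenset({25})                  # SMTP
INFO_SERVICES = frozenset({21, 70, 80})  # FTP, Gopher, HTTP on the information server


def zone(addr: str) -> str:
    """Classify an address as 'site', 'screened' or 'internet'."""
    a = ip_address(addr)
    if a in SITE:
        return "site"
    if a in SCREENED:
        return "screened"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # 'tcp' or 'udp'
    dport: int   # the destination port identifies the service being requested


@dataclass(frozen=True)
class Rule:
    """A router rule: src/dst are an exact host or a zone name; dports is the service set."""
    src: str
    dst: str
    dports: FrozenSet[int]
    action: str = "permit"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in (pkt.src, zone(pkt.src))
                and self.dst in (pkt.dst, zone(pkt.dst))
                and pkt.dport in self.dports)


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the design policy is 'deny unless expressly permitted'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Outer router rules, in the order listed on slide 17 (all other traffic rejected).
OUTER_ROUTER = [
    Rule(APP_GW, "internet", APPLICATION),    # application traffic, gateway -> Internet
    Rule(MAIL, "internet", EMAIL),            # e-mail, e-mail server -> Internet
    Rule(MAIL, APP_GW, APPLICATION),          # application traffic, e-mail server -> gateway
    Rule("internet", MAIL, EMAIL),            # e-mail, Internet -> e-mail server
    Rule("internet", INFO, INFO_SERVICES),    # FTP, Gopher, etc., Internet -> information server
]

# Inner router rules, in the order listed on slide 18 (all other traffic rejected).
INNER_ROUTER = [
    Rule(APP_GW, "site", APPLICATION),        # application traffic, gateway -> site systems
    Rule(MAIL, "site", EMAIL),                # e-mail, e-mail server -> site systems
    Rule("site", APP_GW, APPLICATION),        # application traffic, site systems -> gateway
    Rule("site", MAIL, EMAIL),                # e-mail, site systems -> e-mail server
    Rule("site", INFO, INFO_SERVICES),        # FTP, Gopher, etc., site systems -> information server
]


def routers_on_path(pkt: Packet) -> List[List[Rule]]:
    """Routers a packet crosses: Internet<->site crosses both, otherwise only the one in between."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    if zones == {"internet", "site"}:
        return [OUTER_ROUTER, INNER_ROUTER]
    if zones == {"internet", "screened"}:
        return [OUTER_ROUTER]
    if zones == {"screened", "site"}:
        return [INNER_ROUTER]
    return []   # same zone on both ends: no router in the path


def site_allows(pkt: Packet) -> bool:
    """A packet gets through only if every router on its path permits it."""
    return all(filter_packet(r, pkt) == "permit" for r in routers_on_path(pkt))


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", MAIL, "tcp", 25),          # inbound mail: the outer router permits
        Packet("203.0.113.7", INFO, "tcp", 70),          # Gopher to the information server: permitted
        Packet("203.0.113.7", INFO, "tcp", 23),          # Telnet to the information server: rejected
        Packet("203.0.113.7", "10.1.2.3", "tcp", 23),    # Internet straight to a site system: rejected
        Packet("10.1.2.3", APP_GW, "tcp", 23),           # site user to the gateway: the inner router permits
        Packet("10.1.2.3", "203.0.113.7", "tcp", 23),    # site user bypassing the gateway: rejected
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: {'permit' if site_allows(p) else 'deny'}")
```

Traffic is classified by originator and requested service port, as the slides do; the reply half of a connection, which a stateless filter has to cover with extra rules, is outside this model. Running the block prints the decision for each sample packet: an Internet host reaches the mail and information servers only on their advertised services, nothing from the Internet reaches a site system directly, and a site user cannot reach the Internet except through the application gateway.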
Slide 20: Screened Subnet Firewall
(Figure: Screened Subnet Firewall; Internet, application gateway, e-mail server and information server)
Slide 21: Firewall products: Interlock (ANS Communications)
- An application gateway based firewall designed to secure access between IP networks
- The Access Control Rule Base is the facility used to define Interlock's access control
- Ensures intra-network protection by controlling access between segments of an internal TCP/IP network
- Modified source code: the functions for IP forwarding, ICMP redirection and source routing were deleted
Slide 22: Interlock
Authentication:
- Standard password
- SecurID and PINPAD
- Non-authenticated services cannot be required to authenticate
Access control:
- First checks whether there is a specific rule for the user or application
- Then checks for rules associated with a group containing the user
- Then the user gets access
Does not support:
- Confidentiality
- Integrity
- Serial-line protection
Slide 23: Nov*IX for NetWare (Firefox)
- Nov*IX for NetWare is a packet filter firewall that lets you connect a Novell NetWare network to TCP/IP host systems over TCP/IP networks
Authentication:
- A NetWare-based password facility for authorizing all outgoing connections through the server
- For incoming connections, user authentication can be implemented for remote clients by using a login and password held in the bindery or directory services
- For specific authentication, FTP users require a user name and password that are verified in the NetWare Bindery before they are authorized to connect to the FTP server
- Detects and prevents IP spoofing
Slide 24: Nov*IX for NetWare
Access control:
- Extracts the data from the outgoing packet and puts it in an IP packet for transmission onto the Internet
- For incoming Internet traffic, data is removed from IP packets and put into IPX packets before entering the NetWare network
- Network managers can specify which port addresses are acceptable and which are unacceptable
Does not support:
- Confidentiality
- Integrity
- Protection against "back doors"
Slide 25: CyberGuard Firewall
- CyberGuard Firewall is a combination of a packet-filter gateway, a proxy gateway and a bastion host
Authentication:
- Password-based user authentication
- A dynamically generated password from a hand-held token card plus a personal identification number (SecurID user authentication)
- Host authentication, with the ability to detect IP spoofing
Access control:
- Hides internal host names and addresses
- Interfaces with standard clients and servers
- Allows or blocks the routing of specific network services based on a dynamic return path, service type, protocol, source and destination names or addresses, sub-network mask, direction of transfer, and established connections
Slide 26: CyberGuard Firewall
Enhanced security:
- Mandatory access control
- Multilevel directories
- Secure device handling
- Privileges
Confidentiality:
- A private network packet is encrypted and placed in the data portion of the packet that the firewall sends out
- The internal host source and destination addresses, the private network information and the original data are all encrypted
Integrity:
- A counter prevents replay attacks
- By using a MAC within the encryption process, it can detect and prevent modification of any data in the packet, including the addresses
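The confidentiality and integrity mechanism described on this slide, as an added example that is not CyberGuard's code and does not reproduce its cipher: the whole private packet, inner addresses included, is encrypted into the data portion of an outer datagram, a per-packet counter is carried in front of it, and a MAC over counter and ciphertext lets the receiver reject both modified and replayed datagrams. The keys, the HMAC-SHA256 keystream standing in for the cipher, the "src|dst|payload" inner layout and the names Sender and Receiver are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed shared keys between the two firewalls (an assumption; the slide does not
# describe key management). In practice these would come from a key exchange.
ENC_KEY = b"example-32-byte-encryption-key!!"
MAC_KEY = b"example-32-byte-integrity-key!!!"
HEADER_LEN, TAG_LEN = 8, 32          # 64-bit counter in front, HMAC-SHA256 tag at the end


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; it stands in for the real cipher.
    The per-packet counter doubles as the nonce, so it must never repeat under one key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


@dataclass
class Sender:
    counter: int = 0    # strictly increasing; the receiver uses it to spot replays

    def encapsulate(self, inner_src: str, inner_dst: str, payload: bytes) -> bytes:
        """Encrypt the whole private packet (addresses included), then MAC counter + ciphertext.
        Only the firewalls' own addresses would appear in the outer IP header."""
        self.counter += 1
        inner = f"{inner_src}|{inner_dst}|".encode() + payload
        ciphertext = xor_bytes(inner, keystream(ENC_KEY, self.counter, len(inner)))
        header = struct.pack(">Q", self.counter)
        tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag


@dataclass
class Receiver:
    last_counter: int = 0

    def decapsulate(self, datagram: bytes) -> Optional[Tuple[str, str, bytes]]:
        """Check the MAC first, then the counter, then decrypt. None means 'drop'."""
        if len(datagram) < HEADER_LEN + TAG_LEN:
            return None
        header = datagram[:HEADER_LEN]
        ciphertext = datagram[HEADER_LEN:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # modified in transit (addresses or data)
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None                       # replayed: this counter was already accepted
        self.last_counter = counter
        inner = xor_bytes(ciphertext, keystream(ENC_KEY, counter, len(ciphertext)))
        src, dst, payload = inner.split(b"|", 2)
        return src.decode(), dst.decode(), payload


if __name__ == "__main__":
    sender, receiver = Sender(), Receiver()
    wire = sender.encapsulate("10.1.2.3", "10.9.8.7", b"private data")
    print("inner addresses visible on the wire:", b"10.1.2.3" in wire)   # False
    print("first delivery:", receiver.decapsulate(wire))
    print("replayed copy:", receiver.decapsulate(wire))                  # None
    damaged = bytearray(wire)
    damaged[HEADER_LEN] ^= 0x01                                          # flip one ciphertext bit
    print("modified copy:", receiver.decapsulate(bytes(damaged)))        # None
```

Order matters on the receive side: the MAC is verified before the counter is looked at, so a forged counter cannot advance the replay state, and the strictly increasing counter means a captured datagram is never accepted twice (a production design would use a sliding window so that legitimately reordered packets are not discarded).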
Slide 27: Firewall-1 (Check Point)
- Located in the OS kernel, below the network layer
- Checks IP addresses and port numbers at the same time
- Stores and refreshes state and context in a dynamic state table
Authentication:
- Password: internal Firewall-1 password, SecurID, S/Key
- Cryptography-based authentication
Slide 28: Firewall-1
Access control:
- Stateful inspection extracts the state-related information required for security decisions from all application layers and maintains it in dynamic state tables for evaluating subsequent connection attempts
- Rule based
Confidentiality and integrity:
- Session key: DES, encrypts the message
- Encryption key: Diffie-Hellman generates a secret key for each gateway
- Certificate authority key: RSA, authenticating the encryption key
- Supports encryption speeds greater than 10 Mbps
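The dynamic state table behind stateful inspection, as an added example (not Check Point's implementation): a TCP SYN or a first UDP packet is matched against the rule base, the connection is recorded, and later packets in either direction are accepted only if a table entry exists; entries are refreshed on each packet and expire when idle, which is the "store and refresh" behaviour slide 27 describes. The addresses, idle timeouts, rule base and the names Packet, Rule, Entry and StatefulFirewall are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

INSIDE = ip_network("10.0.0.0/8")   # protected site (constructed for the example)
MAIL_SERVER = "10.0.0.25"           # constructed address of the site's SMTP server
TCP_IDLE, UDP_IDLE = 3600.0, 30.0   # idle timeouts in seconds (assumed values)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # 'tcp' or 'udp'
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {'SYN'}, {'SYN', 'ACK'}, {'RST'}


@dataclass(frozen=True)
class Rule:
    """Consulted only for connection-opening packets; 'out' = initiated from inside."""
    direction: str
    proto: str
    dport: int
    dst: Optional[str] = None             # None = any destination host


RULES = [
    Rule("out", "tcp", 80),               # inside users may browse the web
    Rule("out", "tcp", 23),               # and use Telnet
    Rule("out", "udp", 53),               # and query DNS
    Rule("in", "tcp", 25, MAIL_SERVER),   # the Internet may deliver mail to the mail server only
]


@dataclass
class Entry:
    state: str       # 'new' until the responder answers, then 'established'
    expires: float   # refreshed on every packet of the connection


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str, str, int, int], Entry] = {}

    def inspect(self, pkt: Packet, now: float) -> str:
        """Return 'accept' or 'drop' for one packet, updating the dynamic state table."""
        self.table = {k: e for k, e in self.table.items() if e.expires > now}  # expire idle entries
        idle = TCP_IDLE if pkt.proto == "tcp" else UDP_IDLE
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:                              # packet belongs to a known connection
            if "RST" in pkt.flags:
                del self.table[key]                      # connection torn down: forget it
                return "accept"
            entry = self.table[key]
            if key == rev and {"SYN", "ACK"} <= pkt.flags:
                entry.state = "established"              # the responder answered the SYN
            entry.expires = now + idle                   # refresh the state
            return "accept"

        # No state: only a connection-opening packet may be matched against the rule base.
        if pkt.proto == "tcp" and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return "drop"                                # stray ACK or reply with no connection
        direction = "out" if ip_address(pkt.src) in INSIDE else "in"
        for rule in RULES:
            if ((rule.direction, rule.proto, rule.dport) == (direction, pkt.proto, pkt.dport)
                    and rule.dst in (None, pkt.dst)):
                self.table[fwd] = Entry("new", now + idle)
                return "accept"
        return "drop"


if __name__ == "__main__":
    fw = StatefulFirewall()
    client, web, dns = "10.1.2.3", "203.0.113.7", "203.0.113.53"
    trace = [   # constructed sample traffic: (time, packet)
        (0.0, Packet(client, web, "tcp", 40000, 80, frozenset({"SYN"}))),          # accept: rule
        (0.1, Packet(web, client, "tcp", 80, 40000, frozenset({"SYN", "ACK"}))),   # accept: state
        (1.0, Packet(web, client, "tcp", 80, 40001, frozenset({"ACK"}))),          # drop: no state
        (2.0, Packet(web, MAIL_SERVER, "tcp", 5555, 25, frozenset({"SYN"}))),      # accept: SMTP rule
        (3.0, Packet(client, dns, "udp", 5353, 53)),                               # accept: DNS rule
        (40.0, Packet(dns, client, "udp", 53, 5353)),                              # drop: state expired
    ]
    for t, p in trace:
        print(f"t={t:5.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} "
              f"{sorted(p.flags)} -> {fw.inspect(p, t)}")
```

The sample trace shows why this is stronger than a static filter: an ACK arriving from the Internet with no matching connection is dropped even though a stateless rule permitting "established" TCP traffic would have let it through, and a UDP reply arriving after the idle timeout is dropped because its state has already been forgotten.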
Slide 29: Compare firewall products

Product (company)          Authentication  Access control  Confidentiality  Integrity  Protocols/services
Interlock (ANS)            yes             yes             no               no         FTP, Telnet, Login, SMTP, NNTP, X Windows, WWW, Gopher, HTTP, RealAudio, LPD, NTP
Nov*IX (FireFox)           yes             yes             no               no         Packet filtering: TCP, UDP, NNTP, HTTP
CyberGuard                 yes             yes             yes              yes        FTP, Telnet, Login, SMTP, NNTP, HTTP, Gopher, X11, SOCKS, enhanced pass-through proxy
Firewall-1 (Check Point)   yes             yes             yes              yes        Complete TCP/IP protocols
Slide 30: Suggestion: firewall with a modem pool
- A firewall cannot defend against "back doors"
- Collect the modems and connect them to a terminal server
- A terminal server is a computer designed to connect modems to a network
- The terminal server restricts which systems can be connected to
- Packet filtering prevents inside systems from connecting directly to the modem pool
- The application gateway's authentication is used to authenticate users whether they come in from a modem or from the Internet
Slide 31: Suggestion: multicast IP transmission
- Minimize the unnecessary exposure of hosts to traffic
- Transmissions are passed only when the request comes from an inside user
- Allow only packets sent to ports designated by the requesting host and known to the firewall kernel as unused
Slide 32: Conclusion
- Choose a firewall that provides confidentiality and integrity
- An updatable firewall should be considered
- A suitable service access policy and design policy
- Proper configuration and implementation depend on the specific application
- Use additional devices to improve security, such as intrusion detection and anti-virus software
Slide 33: References
- Firewalls: A Complete Guide, by Marcus Goncalves
- The Firewall Report, by OUTLINK Market Research
- Firewalls: An Expert Roundtable, by a panel of distinguished experts, IEEE, 1997
- Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, by the National Institute of Standards and Technology
- Establish Firewall Policy, by Cobb, Director of Special Projects