
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 6 Firewall Design Strategies.


1 Unit 6 Firewall Design Strategies

2 Class Agenda 1
- Learning Objectives
- Lesson Presentation and Discussions
- Discussion on Assignments
- Discussion on Lab Activities
- Break Times: a 10-minute break every hour
- Note: submit all assignments and labs due today

3 Class Agenda 2
- Theory: 6:00pm to 8:00pm
- Lab: 8:15pm to 11:00pm

4 Learning Objective and Key Concepts
Learning Objectives
- Assess firewall design strategies
Key Concepts
- Organization traffic and AUP policy review
- Strategies for public Internet and private network separation
- Firewall rules for restricting and permitting data transit
- Use of protected demilitarized zones (DMZs)
- Security strategies and requirements for availability

5 EXPLORE: CONCEPTS

6 Exploitable Programming Bugs
- Firewalls run software, so they carry software bugs like any other host
- Bugs are the result of human error in the software
- Once discovered, bugs are typically addressed and corrected in software patches; an unpatched firewall is itself an exploitable target, so keep it on the vendor's current release

7 Buffer Overflow
- Memory-based attack: more data is written to a buffer than it was sized to hold
- Typically the result of poor programming (missing bounds checks)
- Can result in code injection, letting the attacker run code with the firewall's privileges
- Also used simply to crash systems (denial of service)

8 Fragmentation
- Overlapping: full or partial overlapping datagram fragments; a filter that inspects only the first fragment can be evaded when a later fragment overwrites the header fields it already checked
- Overrun: excessively large datagrams whose reassembled size exceeds what the receiving stack can hold
- Potential result is denial of service; the firewall should reassemble (or drop) fragments before filtering

9 Firewalking
- A technique to learn the firewall's configuration from outside it
- The attacker sends probes whose IP TTL expires one hop past the firewall: ports the firewall forwards produce an ICMP Time Exceeded reply from the next hop, ports it blocks produce nothing
- The attacker learns the filter rules systematically, one protocol and port at a time
- Can be run from inside or outside the firewall
- Takes advantage of a known-good internal IP address as the probe target
- Blocking outbound ICMP Time Exceeded at the firewall removes the signal firewalking depends on

10 Internal Code Planting
- Requires access from inside the network environment
- Involves either an attacker or a user placing malicious code onto internal systems
- Assumes the firewall has lenient outbound traffic restrictions
- Results in internally initiated connections to a malicious Internet presence, which a firewall that filters only inbound traffic never sees; this is the case for egress filtering

11 Denial of Service (DoS)
- Flooding attack that overwhelms systems
- Often causes system shutdown or failure
- May manifest as performance problems
- A DoS attack is difficult to fix at the firewall alone: the firewall can drop the flood, but the upstream link still carries it

12 Encrypted Transport
- Two main forms of communication encryption: tunnel mode and transport mode
- Tunnel mode encrypts the original payload and header (the whole original packet is encapsulated inside a new one)
- Transport mode encrypts only the payload; the original IP header stays in the clear
- A firewall cannot filter on encrypted data: it can still match whatever remains in the clear (the outer IP header, and for TLS the TCP ports), but not the encrypted content, unless it terminates the encryption itself

13 Encrypted Transport (cont.)
- May choose to support or allow encryption of specific types over specific protocols or ports, but disallow and prevent encrypted communications elsewhere
- Firewall rules for encrypted traffic can range from full allowance to full denial
- May allow encryption only over a specific port or only for certain users

14 Gateway Bottlenecks
- A gateway or pass-through firewall can become a bottleneck during high-traffic periods
- A DoS attack can consume all processing capability of the firewall

15 Malware Scanning
- Benefits: scanning for various malware (viruses, trojans, spyware) and for spam
- Drawbacks:
  - Potential negative impact on performance (wire-speed throughput, memory and CPU)
  - Requires regular maintenance and signature updates
  - Feature set may not be comparable to dedicated solutions, or may not complement current mechanisms

16 IDS and IPS
- Benefits:
  - Logical pairing of functionality
  - Reduction in administrative overhead of maintaining multiple devices
- Drawbacks:
  - Potential performance implications (wire speed)
  - Possible feature set limitations

17 VPN Endpoint
- Benefits:
  - Reduction in administrative overhead of maintaining multiple devices
- Drawbacks:
  - Potential performance implications
  - Possible feature set limitations as compared to stand-alone solutions

18 EXPLORE: ROLES

19 Reverse Proxy
- A reverse proxy allows access to internal Web site content from the public network without exposing the Web server itself
- Often combined with firewall caching
- Benefits: enhanced security (the proxy, not the origin server, faces the Internet), encryption (TLS can be terminated on the proxy), reverse caching

20 Improving Performance
- Firewalls should function at wire speed
- Wire speed refers to any function that supports the link's full data transfer rate without slowing it down
- A firewall should not introduce noticeable latency or delay in communication

21 Improving the Firewall
- Improve the firewall using caching and load balancing
- Caching is holding often-accessed content in memory on the firewall

22 Load Balancing
- Load balancing spreads the firewall filtering workload across multiple parallel firewalls
- Benefits: redundancy and fault tolerance, which improve availability
- Caveat: stateful firewalls must either share connection state or steer both directions of a flow to the same unit, or the return traffic is dropped for lacking a matching state entry


24 Port Forwarding
- Receipt of IP traffic is based on a destination IP address/port number
- That IP/port number is forwarded to another (internal) IP/port number
- Benefits:
  - Ability to utilize a single public IP address
  - Maps to multiple internal destinations
  - No direct connectivity to internal resources: only the forwarded ports reach them

25 Combining Port Forwarding with NAT
- Private IP addresses of the internal systems are masked from the public network: inbound connections to the public address are rewritten to the internal host, and outbound connections from internal hosts are rewritten to the public address
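The port forwarding and NAT combination described on slides 24 and 25, written out as an added example that is not part of the course material. It is an nftables nat table; the interface name eth0, the public address 203.0.113.5, the DMZ hosts 10.1.1.10 (web, listening on 8443) and 10.1.1.25 (mail) and the LAN 10.0.0.0/24 are assumptions for illustration. The helper functions read the exposed ports back out of the ruleset itself, so an audit of "what is reachable from the Internet" cannot drift from the configuration.

```shell
#!/bin/sh
# Added example (not from the course slides): port forwarding combined with NAT
# as an nftables "nat" table. Assumptions for illustration: eth0 faces the
# Internet and holds the single public address 203.0.113.5; 10.1.1.10 is a DMZ
# web server listening on 8443; 10.1.1.25 is a DMZ mail relay; 10.0.0.0/24 is
# the internal LAN. The ruleset is only printed; load it with apply_nat (root).

build_nat_ruleset() {
cat <<'EOF'
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "eth0" ip daddr 203.0.113.5 tcp dport 443 dnat to 10.1.1.10:8443
    iifname "eth0" ip daddr 203.0.113.5 tcp dport 25 dnat to 10.1.1.25:25
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "eth0" ip saddr { 10.0.0.0/24, 10.1.1.0/24 } snat to 203.0.113.5
  }
}
EOF
}

# forward_target PORT: print the internal "ip:port" a public TCP port is
# forwarded to, read back from the ruleset itself; fails if PORT is not exposed.
forward_target() {
  build_nat_ruleset | awk -v port="$1" '
    /dnat to/ && $0 ~ ("tcp dport " port " dnat to ") { print $NF; found = 1 }
    END { exit !found }'
}

# exposed_ports: every public TCP port that has a forwarding rule, one per line.
exposed_ports() {
  build_nat_ruleset | awk '
    /dnat to/ { for (i = 1; i <= NF; i++) if ($i == "dport") print $(i + 1) }'
}

# apply_nat: syntax-check the ruleset with nft, then load it (root required).
apply_nat() {
  build_nat_ruleset | nft -c -f - && build_nat_ruleset | nft -f -
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_nat
else
  echo "Exposed public ports on 203.0.113.5:"
  exposed_ports | while read -r p; do
    echo "  tcp/$p -> $(forward_target "$p")"
  done
fi
```

Two points worth keeping in mind: destination NAT runs in prerouting, before the filter forward chain, so the permit rule in the filter policy must match the internal address and port (10.1.1.10 and 8443), not the public ones; and `snat to` a fixed address is the right choice when the public address is static, while `masquerade` is for interfaces whose address changes.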

26 EXPLORE: CONTEXT

27 Bastion Hosts
- A bastion host is a specialized, hardened computer that is deliberately exposed on a public network
- Simple single-layer architecture
- Resides outside of the firewall or in the demilitarized zone (DMZ)
- Typically serves as the first point of connection from the Internet
- Can be a software or hardware solution

28 Categories of Bastion Hosts
- Proprietary OS: built specifically to be bastion hosts; example: Cisco IOS
- General-purpose OS: client or server OSs that can be configured (hardened, with unneeded services removed) to serve as bastion hosts; examples: Windows, Linux, macOS

29 Bastion Host Placement
- Ingress/egress architecture with a bastion host in the DMZ (diagram)

30 Ingress/Egress Filtering: Common Rules on Firewalls
- Access to insecure Internet Web sites (HTTP)
- Access to secure Internet Web sites (HTTP over SSL or TLS)
- Access to other protocols used by Internet Web sites (for example SQL and Java)
- Inbound Internet e-mail
- Outbound Internet e-mail

31 Ingress/Egress Filtering
- Inbound rules cover external entities initiating connections
- Write an inbound rule only when an internal resource is specifically hosted for the purpose of being accessed by external entities
- Use a single IP address for a single host
- Use the correct subnet or range designation for a collection of hosts
- Specify the port whenever possible

32 Ingress/Egress Filtering: Communications Commonly Blocked
- All ICMP traffic originating from the Internet
- Any traffic directed specifically to the firewall
- Any traffic to known closed ports
- Any traffic to ports known to be used by malware
- Inbound TCP 53, to block external DNS zone transfer requests
- Inbound UDP 53, to block external DNS user queries
- (Both DNS rules assume no authoritative DNS server is hosted behind the firewall; if one is, allow port 53 only to that host)
- Any traffic from IP addresses on a blacklist
- Any traffic from internal IP addresses that are not assigned, and any traffic arriving from the Internet with an internal (private) source address, which can only be spoofed

33 EXPLORE: RATIONALE

34 Firewall Rules
- Sometimes called a filter
- An instruction set that indicates how a firewall should take action on a particular type of network traffic

35 Firewall Rules: General Guidelines
- Direction matters: validate both source and target addresses
- On most firewalls rules are evaluated top to bottom and the first match wins, so order determines behavior
- The Deny All rule always goes at the bottom of the list
- Denial exceptions (specific denies that override a broader permit) go at the top of the list
- Rules pertaining to more common traffic belong closer to the top of the list
- Keep the number of rules to a minimum

36 Ports
- What ports should be allowed? 443, 80, 25, plus any required environment-specific application ports, each only in the direction and to the hosts that need it (for example, inbound 25 only to the mail relay in the DMZ)
- What ports should be blocked? All others, with a Deny All rule
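The policy that slides 30 through 36 describe (default deny, specific permits for 80/443/25, the commonly blocked traffic dropped explicitly, the Deny All rule last) written out as an added example that is not part of the course material. It is an nftables ruleset; the interface names eth0 (Internet), eth1 (LAN 10.0.0.0/24) and eth2 (DMZ 10.1.1.0/24), and the DMZ hosts 10.1.1.10 (web) and 10.1.1.25 (mail relay) are assumptions for illustration. The `check_ordering` function is the check a practitioner wants before loading a changed ruleset: it fails if any chain no longer ends with the logging catch-all drop, which is what happens when someone appends a permit below Deny All.

```shell
#!/bin/sh
# Added example (not from the course slides): a DMZ ingress/egress policy as an
# nftables ruleset that follows the slides' guidelines: default deny, specific
# permits above the catch-all, commonly blocked traffic dropped explicitly,
# and the final log-and-drop rule last. Assumptions for illustration:
#   eth0 = Internet, eth1 = internal LAN 10.0.0.0/24, eth2 = DMZ 10.1.1.0/24
#   10.1.1.10 = DMZ web server, 10.1.1.25 = DMZ mail relay
# build_ruleset only prints the policy; it is applied only by apply_ruleset.

build_ruleset() {
cat <<'EOF'
table inet dmz_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept
    iifname "eth1" ip saddr 10.0.0.0/24 tcp dport 22 accept
    log prefix "FW-INPUT-DROP " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "eth0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "FW-SPOOF " drop
    iifname "eth0" ip protocol icmp drop
    iifname "eth0" tcp dport 53 drop
    iifname "eth0" udp dport 53 drop
    iifname "eth0" oifname "eth2" ip daddr 10.1.1.10 tcp dport { 80, 443 } accept
    iifname "eth0" oifname "eth2" ip daddr 10.1.1.25 tcp dport 25 accept
    iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
    iifname "eth1" oifname "eth2" ip daddr 10.1.1.25 tcp dport 25 accept
    iifname "eth2" ip saddr 10.1.1.25 oifname "eth0" tcp dport 25 accept
    log prefix "FW-FWD-DROP " drop
  }
}
EOF
}

# chain_rules NAME: print the verdict rules of chain NAME, in evaluation order.
chain_rules() {
  build_ruleset | awk -v name="$1" '
    $1 == "chain" && $2 == name { inchain = 1; next }
    inchain && $1 == "}"        { inchain = 0 }
    inchain && /(accept|drop)$/ { print }'
}

# check_ordering: succeed only if every chain ends with the logging catch-all
# drop, i.e. no permit was appended after the Deny All rule.
check_ordering() {
  for c in input forward; do
    chain_rules "$c" | tail -n 1 | grep -q '^ *log prefix ".*" drop$' || return 1
  done
}

# apply_ruleset: syntax-check with nft, then load it (root required).
apply_ruleset() {
  build_ruleset | nft -c -f - && build_ruleset | nft -f -
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_ruleset
else
  check_ordering && build_ruleset
fi
```

Note what the direction rules look like in practice: inbound 80/443 is permitted only toward 10.1.1.10, inbound 25 only toward 10.1.1.25, the LAN may reach the Internet on 80/443 but may send mail only via the relay, and only the relay may open port 25 outbound. Everything else, including the port-scan and firewalking probes that slides 9 and 32 warn about, hits the last rule and is logged with a prefix that the logging review on slide 37 can key on.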

37 Logging and Monitoring
- Why log?
  - Validation that firewall rules are configured properly
  - Historical tracking and trend analysis
  - Reactive tracking and tracing of attacks
- What data should be logged?
  - All connection rejections
  - All traffic that successfully traverses the firewall
  - Firewall configuration changes
  - Access to the firewall system

38 Logging and Monitoring (cont.)
- Monitoring allows for alerting
- Alerting allows for prompt response
- Review log files regularly!
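The log review slides 37 and 38 call for, as an added example that is not part of the course material. The log lines are constructed to look like the kernel-log output of netfilter logging rules with the prefixes FW-FWD-DROP, FW-INPUT-DROP and FW-SPOOF; the addresses are documentation ranges and, like the prefixes, are assumptions. The three functions answer the questions a regular review should ask of the rejection log: who is being dropped most, who is probing many ports (the footprint of a port scan or a firewalking run), and who is sending spoofed private-source traffic in from the Internet.

```shell
#!/bin/sh
# Added example (not from the course slides): reviewing the rejections a
# logging firewall writes to the kernel log. The lines below are constructed to
# look like netfilter LOG output with the prefixes FW-FWD-DROP, FW-INPUT-DROP
# and FW-SPOOF; the addresses are documentation ranges and are assumptions.

sample_log() {
cat <<'EOF'
Jun  3 10:15:01 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=21 SYN
Jun  3 10:15:01 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=22 SYN
Jun  3 10:15:02 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=23 SYN
Jun  3 10:15:02 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40004 DPT=445 SYN
Jun  3 10:15:03 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40005 DPT=3389 SYN
Jun  3 10:15:03 fw kernel: FW-INPUT-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40006 DPT=22 SYN
Jun  3 10:16:10 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.99 DST=10.1.1.25 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=587 SYN
Jun  3 10:16:11 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.99 DST=10.1.1.25 LEN=60 TTL=48 PROTO=TCP SPT=51001 DPT=587 SYN
Jun  3 10:17:30 fw kernel: FW-SPOOF IN=eth0 OUT=eth1 SRC=192.168.1.5 DST=10.0.0.20 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Jun  3 10:18:00 fw kernel: FW-FWD-DROP IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.1.10 LEN=60 TTL=52 PROTO=UDP SPT=40007 DPT=53 LEN=40
EOF
}

# drops_by_source: number of dropped packets per source address, busiest first.
drops_by_source() {
  awk '
    /FW-(FWD|INPUT)-DROP|FW-SPOOF/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# port_scanners LIMIT: sources dropped on more than LIMIT distinct destination
# ports, the pattern a port scan (or firewalking probe) leaves behind.
port_scanners() {
  awk -v limit="$1" '
    /PROTO=(TCP|UDP)/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] > limit) print s }' | sort
}

# spoofed_sources: Internet-side packets that claimed a private source address.
spoofed_sources() {
  awk '/FW-SPOOF/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' | sort -u
}

echo "Drops by source:";            sample_log | drops_by_source
echo "Likely scanners (>4 ports):"; sample_log | port_scanners 4
echo "Spoofed sources:";            sample_log | spoofed_sources
```

On a real firewall replace `sample_log` with `journalctl -k` or the kernel log file and run the same functions on a schedule; the scanner threshold is the value to tune, since a single host legitimately hitting one closed port is noise, while one host touching six unrelated ports in a few seconds is the signal the monitoring slide says should raise an alert.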

39 Summary
- Organization traffic and AUP policy review
- Public Internet and private network separation
- Firewall rules for restricting and permitting data transit
- Use of protected demilitarized zones (DMZs)
- Security strategies and requirements for availability

40 Assignment and Lab
- Discussion 6.1: Firewall Security Strategies
- Lab 6.2: Using Social Engineering Techniques to Plan an Attack

