Firewalls
Firewall Types
• Static packet filter
• Dynamic (stateful) packet filter
• Circuit-level gateway
• Application-level gateway (proxy)
• Stateful inspection
• Intrusion prevention
• Unified Threat Management (UTM)
Network security is simply the proper balance of trust and performance
• The higher up the OSI layers the architecture goes to examine the information within the packet, the more processor cycles the architecture consumes
• The higher up in the OSI layers at which an architecture examines packets, the greater the level of protection the architecture provides, since more information is available upon which to base decisions
Firewalls and OSI Layers
Fields within the IP Packet
Static Packet Filter
• One of the oldest firewall architectures
• Operates at the network layer (OSI layer 3)
• The decision to accept or deny a packet is based upon:
– Source address
– Destination address
– Application or protocol
– Source port number
– Destination port number
Firewall Rules
Before forwarding a packet, the firewall compares the IP header and TCP header against a set of rules that dictate whether the firewall should deny or permit the packet to pass.
Packet Filter Limitation
A packet filter only examines data in the IP header and TCP header; it cannot know the difference between a real and a forged address. If an address is present and meets the packet filter rules along with the other rule criteria, the packet will be allowed to pass.
IP Address Spoofing
A hacker can substitute the actual source address on a malicious packet with the source address of a known trusted client.
Static Packet Filter Considerations
Pros:
• Low impact on network performance
• Low cost – now included with many operating systems
Cons:
• Operates only at the network layer, therefore it only examines IP and TCP headers
• Unaware of packet payload – offers a low level of security
• Lacks state awareness – may require numerous ports to be left open to facilitate services that use dynamically allocated ports
• Susceptible to IP spoofing
• Difficult to create rules (order of preference)
• Only provides for a low level of protection
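As an added example (not from the slides), the following Python sketch is a minimal static packet filter that evaluates only the IP and TCP header fields of a packet against an ordered rule list. The rule set and all addresses are constructed; it shows first-match ordering, why a packet carrying a forged trusted source address is permitted, the one spoof that an ingress anti-spoofing rule can catch, and the rule-order pitfall listed above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    # The only fields a static packet filter sees: IP header addresses, the transport
    # protocol, and the TCP/UDP port numbers. No payload and no connection state.
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR prefix; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))

def filter_packet(rules, p: Packet, default: str = "deny"):
    """First-match evaluation: the first rule whose header fields match decides.
    Returns (action, index of the matching rule); the index is None when the
    default policy applies, so the caller can see which rule fired."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return default, None

# Constructed policy for a small DMZ (addresses from the RFC 5737 documentation ranges).
TRUSTED_ADMIN = "203.0.113.10"
WEB_SERVER = "192.0.2.5"
RULES = [
    Rule("deny", src="192.0.2.0/24"),               # 0: ingress anti-spoofing: a packet arriving
                                                    #    from outside may not claim an inside source
    Rule("permit", src=TRUSTED_ADMIN, dst=WEB_SERVER, proto="tcp", dport=22),  # 1: admin SSH
    Rule("permit", dst=WEB_SERVER, proto="tcp", dport=80),    # 2: public HTTP
    Rule("permit", dst=WEB_SERVER, proto="tcp", dport=443),   # 3: public HTTPS
    Rule("deny", src="198.51.100.0/24"),            # 4: a blocked network (ordered too late)
]

def demo() -> dict:
    r = {}
    # A legitimate admin SSH packet matches rule 1.
    r["admin_ssh"] = filter_packet(RULES, Packet(TRUSTED_ADMIN, WEB_SERVER, "tcp", 51000, 22))
    # An unknown host trying SSH matches no permit rule and falls to the default deny.
    r["stranger_ssh"] = filter_packet(RULES, Packet("203.0.113.77", WEB_SERVER, "tcp", 51001, 22))
    # The spoofing limitation: the same packet with the trusted address written into the
    # IP header is indistinguishable from the real one at this layer, so it is permitted.
    r["spoofed_ssh"] = filter_packet(RULES, Packet(TRUSTED_ADMIN, WEB_SERVER, "tcp", 51001, 22))
    # The one spoof a header check can catch: an outside packet claiming an inside address.
    r["inside_spoof"] = filter_packet(RULES, Packet("192.0.2.9", WEB_SERVER, "tcp", 51002, 22))
    # Rule-ordering pitfall: rule 4 was meant to block 198.51.100.0/24 entirely, but rule 2
    # already permitted port 80, so the block never fires for web traffic.
    r["blocked_net_http"] = filter_packet(RULES, Packet("198.51.100.7", WEB_SERVER, "tcp", 51003, 80))
    return r

if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:18s} -> {action:6s} (rule {idx})")
```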
Dynamic (Stateful) Packet Filter
• The dynamic packet filter is “aware” of the difference between a new and an established connection
• Once a connection is established, it is entered into a table that typically resides in RAM
• Subsequent packets are compared to this table in RAM, most often by software running at the operating system (OS) kernel level
• When the packet is found to belong to an existing connection, it is allowed to pass without any further inspection
Dynamic Packet Filter Considerations
Pros:
• Lowest impact of all examined architectures on network performance (when designed to be fully SMP-compliant)
• Low cost – now included in some operating systems
• State awareness provides a measurable performance benefit
Cons:
• Operates only at the network layer, therefore it only examines IP and TCP headers
• Unaware of packet payload
• Susceptible to IP spoofing
• Difficult to create rules
• Can introduce additional risk if a connection can be established without following the RFC three-way handshake
• Only provides for a low level of protection
Circuit Level Gateway
• The circuit-level gateway operates at the session layer (OSI layer 5)
• Extension to the packet filter, adding verification of proper handshaking (SYN, ACK and sequence numbers)
Circuit Level Gateway Considerations
Pros:
• Low to moderate impact on network performance
• Breaks the direct connection to the server behind the firewall
• Higher level of security than a static or dynamic (stateful) packet filter
Cons:
• Shares many of the same negative issues associated with packet filters
• Allows any data to simply pass through the connection
• Only provides for a low to moderate level of security
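As an added example, not part of the original deck, the Python sketch below models the dynamic packet filter's connection table together with the circuit-level gateway's handshake verification described in the slides above: a flow is entered as established only after SYN, SYN/ACK and ACK with consistent sequence numbers, and established flows then pass without further inspection. The addresses, the rule base and the `strict` switch (which contrasts a gateway that insists on the handshake with a lenient filter that trusts the ACK bit) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Segment:
    # Header fields a stateful filter / circuit-level gateway inspects; no payload.
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int = 0

FlowKey = Tuple[str, int, str, int]

class CircuitLevelGateway:
    """Connection table keyed by the client-side 4-tuple. A flow becomes ESTABLISHED only
    after SYN, SYN/ACK and ACK are seen with consistent sequence/acknowledgement numbers;
    segments of an ESTABLISHED flow are forwarded without re-evaluating the rule base.
    strict=False models a filter that accepts any ACK-flagged segment as an existing
    connection, i.e. one "established" without the three-way handshake."""

    def __init__(self, new_conn_policy: Callable[[Segment], bool], strict: bool = True):
        self.policy = new_conn_policy   # static rule check, consulted only for new connections
        self.strict = strict
        self.table: Dict[FlowKey, dict] = {}

    @staticmethod
    def _keys(s: Segment) -> Tuple[FlowKey, FlowKey]:
        # key in the direction the segment travels, and the reverse direction
        return (s.src, s.sport, s.dst, s.dport), (s.dst, s.dport, s.src, s.sport)

    def process(self, s: Segment) -> str:
        fwd, rev = self._keys(s)
        key = fwd if fwd in self.table else (rev if rev in self.table else None)
        entry = self.table[key] if key else None
        flags = s.flags
        # Fast path: an established connection passes with no further inspection.
        if entry and entry["state"] == "ESTABLISHED":
            if flags & {"FIN", "RST"}:      # teardown removes the table entry
                del self.table[key]
            return "forward"
        # Handshake step 1: a bare SYN opens a half-open entry if the rule base permits it.
        if flags == {"SYN"} and entry is None:
            if not self.policy(s):
                return "drop:policy"
            self.table[fwd] = {"state": "SYN_SENT", "client_isn": s.seq}
            return "forward"
        # Step 2: the server's SYN/ACK must acknowledge exactly client_isn + 1.
        if flags == {"SYN", "ACK"} and entry and entry["state"] == "SYN_SENT" and key == rev:
            if s.ack != entry["client_isn"] + 1:
                return "drop:bad-ack"
            entry.update(state="SYN_RECEIVED", server_isn=s.seq)
            return "forward"
        # Step 3: the client's ACK must carry seq = client_isn + 1 and ack = server_isn + 1.
        if flags == {"ACK"} and entry and entry["state"] == "SYN_RECEIVED" and key == fwd:
            if s.seq != entry["client_isn"] + 1 or s.ack != entry["server_isn"] + 1:
                return "drop:bad-handshake"
            entry["state"] = "ESTABLISHED"
            return "forward"
        # No matching connection: a lenient filter trusts the ACK bit and creates the entry
        # anyway (the rule base is never consulted for that flow); a strict one drops it.
        if "ACK" in flags and entry is None and not self.strict:
            self.table[fwd] = {"state": "ESTABLISHED"}
            return "forward"
        return "drop:no-matching-connection"

WEB_SERVER, CLIENT = "192.0.2.5", "203.0.113.10"   # constructed RFC 5737 addresses

def allow_web_only(s: Segment) -> bool:
    # Constructed rule base for new connections: only TCP/80 to the web server.
    return s.dst == WEB_SERVER and s.dport == 80

def seg(src, sport, dst, dport, *flags, seq=0, ack=0) -> Segment:
    return Segment(src, sport, dst, dport, frozenset(flags), seq, ack)

def demo() -> dict:
    out = {}
    strict = CircuitLevelGateway(allow_web_only, strict=True)
    # A correct three-way handshake, then a data segment on the established flow.
    out["handshake"] = [
        strict.process(seg(CLIENT, 40000, WEB_SERVER, 80, "SYN", seq=1000)),
        strict.process(seg(WEB_SERVER, 80, CLIENT, 40000, "SYN", "ACK", seq=5000, ack=1001)),
        strict.process(seg(CLIENT, 40000, WEB_SERVER, 80, "ACK", seq=1001, ack=5001)),
        strict.process(seg(CLIENT, 40000, WEB_SERVER, 80, "ACK", seq=1001, ack=5001)),
    ]
    # A new connection the rule base forbids never enters the table.
    out["syn_to_ssh"] = strict.process(seg(CLIENT, 40002, WEB_SERVER, 22, "SYN", seq=1))
    # ACK-only segment with no prior handshake: strict drops it; lenient forwards it and
    # every later segment of that flow without ever consulting the rule base.
    probe = seg(CLIENT, 40003, WEB_SERVER, 22, "ACK", seq=7, ack=9)
    out["strict_ack_only"] = strict.process(probe)
    lenient = CircuitLevelGateway(allow_web_only, strict=False)
    out["lenient_ack_only"] = [lenient.process(probe),
                               lenient.process(seg(CLIENT, 40003, WEB_SERVER, 22, "ACK", seq=8, ack=9))]
    return out
```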
Application Level Gateway
• Like a circuit-level gateway, an application-level gateway intercepts incoming and outgoing packets (proxy), preventing any direct connection between a trusted server or client and an untrusted host
• Two important differences:
– proxies are application specific
– the entire packet is examined at the application layer
Example of an Application
• As an example, an FTP application-level gateway can filter dozens of commands to allow a high granularity on the permissions of specific users of the protected FTP service
Going A Step Further: Strong Application Proxies
Strong application proxies extend the level of security: instead of copying the entire datagram on behalf of the user, a strong application proxy creates a new empty datagram; only those commands and data found acceptable are copied from the original datagram.
Transparent Application Level Gateways Thanks to Technology
• 32-bit environment
• SMP (Symmetric Multiprocessing)
Stateful Inspection
• Stateful inspection combines many aspects of dynamic packet filtering, circuit-level and application-level gateways
• While stateful inspection has the inherent ability to inspect all seven layers of the OSI model, most installations only operate as a dynamic packet filter at the network layer of the model
Stateful Inspection Considerations
Pros:
• Offers the ability to inspect all seven layers of the OSI model
• Provides an integral dynamic (stateful) packet filter
• Fast when operated as a dynamic packet filter; however, many SMP-compliant dynamic packet filters are actually faster
Cons:
• The single-threaded process of the stateful inspection engine has a dramatic impact on performance
• Many believe the failure to break the client/server model creates an unacceptable security risk
• No stateful inspection-based firewall has achieved higher than Common Criteria EAL 2
Intrusion Prevention Systems (IPS)
• Interpret the intent of data contained in the application payload
• Provide application-level analysis and verification
• Understand enough of the protocols to make decisions without the overhead of application proxies
• Use pattern matching, heuristics and behavioral analysis to detect attacks
Network IPS / Host IPS
Pros:
• Provide application-level analysis and verification
• IPS includes heuristics and behavioral patterns
Cons:
• Primarily signature based
Firewall With Protocol & Application Awareness
1. New packet arrives at the external interface
Layer 4 data is tested to validate that the IP source and destination, as well as the service ports, are acceptable to the security policy of the firewall. The TCP three-way handshake is fully validated for each and every connection. This approach effectively eliminates any possibility of SYN flooding.
Strong Application Firewall
2. For each “good” packet, a new empty datagram is created on the internal side of the firewall
Creating a brand new datagram completely eliminates the possibility that an attacker could hide malicious data in any unused protocol headers or, for that matter, in any unused flags or other datagram fields.
3. Protocol anomaly testing is performed on the packet to validate that all protocol headers are within clearly defined protocol specifications
This enables an administrator to minimize or eliminate the risk of many security issues that commonly plague SMTP applications on the Internet today, such as:
– Worm and virus attacks
– Mail relay attacks
– MIME attacks
– Spam attacks
– Buffer overflow attacks
– Address spoofing attacks
– Covert channel attacks
4. The application proxy applies the (very granular) command-level controls and validates these against the permission level of the user
The application proxy approach provides the ultimate level of application awareness and control; administrators have the granularity of control needed to determine exactly what kind of access is available to each user.
5. Once the packet has been recognized as protocol-compliant and the application-level commands have been validated against the security policy for that user, the permitted content is copied to the new datagram on the internal side of the firewall
The application proxy breaks the client/server connection, effectively removing any direct link between the attacker and the protected server. By copying and forwarding only “good” contents, the application proxy firewall can eliminate virtually all protocol-level and covert channel attacks.
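The five steps above, as an added example that is not the deck's own code: a strong application proxy for FTP command lines in Python, following the deck's earlier FTP example. Step 1 (the layer-4 check) is assumed to have already passed; the command grammar, the per-user permission sets and the sample client input are constructed for the example, and only lines that survive anomaly testing and the user's permissions are regenerated into a fresh, initially empty buffer.

```python
import re
from typing import List, Tuple

# Constructed subset of RFC 959 commands and the argument grammar each accepts
# (printable ASCII only; "" means the command takes no argument).
FTP_SPEC = {
    "USER": r"[A-Za-z0-9_.-]{1,32}",
    "PASS": r"[\x21-\x7e]{1,64}",
    "CWD":  r"[\x20-\x7e]{1,255}",
    "PWD":  r"",
    "LIST": r"[\x20-\x7e]{0,255}",
    "RETR": r"[\x20-\x7e]{1,255}",
    "STOR": r"[\x20-\x7e]{1,255}",
    "DELE": r"[\x20-\x7e]{1,255}",
    "QUIT": r"",
}
MAX_LINE = 512   # anything longer than a short command line is treated as anomalous

# Constructed per-user command permissions (step 4): read-only users may not write.
PERMISSIONS = {
    "readonly": {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "QUIT"},
    "admin": set(FTP_SPEC),
}

def protocol_anomaly_check(line: bytes) -> Tuple[bool, str, str]:
    """Step 3: reject any command line outside the protocol grammar.
    Returns (ok, verb or reason, argument)."""
    if len(line) > MAX_LINE:
        return False, "line too long", ""
    if not line.endswith(b"\r\n"):
        return False, "missing CRLF terminator", ""
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes", ""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return False, "control characters in command", ""
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb not in FTP_SPEC:
        return False, f"unknown command {verb!r}", ""
    if re.fullmatch(FTP_SPEC[verb], arg) is None:
        return False, f"argument of {verb} outside grammar", ""
    return True, verb, arg

def strong_proxy(user: str, raw: bytes) -> Tuple[bytes, List[str]]:
    """Steps 2 to 5: start from an empty buffer and copy only validated, permitted
    commands into it, rebuilding each line from the parsed fields."""
    new_datagram = b""                    # step 2: a brand-new, empty datagram
    allowed = PERMISSIONS.get(user, set())
    log = []
    for line in raw.splitlines(keepends=True):
        ok, verb, arg = protocol_anomaly_check(line)
        if not ok:
            log.append(f"drop: {verb}")
            continue
        if verb not in allowed:           # step 4: command-level permission for this user
            log.append(f"drop: {verb} not permitted for {user}")
            continue
        # Step 5: regenerate the line from validated fields only; stray bytes, padding
        # or extra fields in the original never reach the internal side.
        rebuilt = verb + (" " + arg if arg else "") + "\r\n"
        new_datagram += rebuilt.encode("ascii")
        log.append(f"copy: {verb}")       # arguments (e.g. the PASS value) are not logged
    return new_datagram, log

# Constructed client input: legitimate commands mixed with out-of-grammar lines.
SAMPLE_INPUT = b"".join([
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"LIST\r\n",
    b"STOR upload.bin\r\n",              # not permitted for a read-only user
    b"DELE report.pdf\r\n",              # not permitted either
    b"XPWD\r\n",                         # unknown command
    b"RETR " + b"A" * 600 + b"\r\n",     # over-long line
    b"PWD\n",                            # bare LF instead of CRLF
    b"RETR report.pdf\r\n",
    b"QUIT\r\n",
])

def demo() -> Tuple[bytes, List[str]]:
    return strong_proxy("readonly", SAMPLE_INPUT)

if __name__ == "__main__":
    datagram, log = demo()
    print(datagram.decode())
    print("\n".join(log))
```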
Strong Application Firewall
Unified Threat Management (UTM)
• Unified Threat Management security appliances are products that unify and integrate multiple security features onto a single hardware platform. Qualification for inclusion within this category requires network firewall capabilities, network intrusion detection and prevention (IDP), and gateway anti-virus (AV) functionality.
