2. 1. Definition of Firewall
2. Need of Firewall
3. Firewall Design Principles
4. Firewall Characteristics
5. What a Firewall Can Do
6. What a Firewall Can't Do
7. Architecture of Firewall
8. Types Of Firewall
9. Implementation of Firewall
10. Deployment of Firewall
11. Report & Conclusion
2/4/2013 Firewall 2
3. •Here is how Bob Shirey defines it in RFC 2828.
•An internetwork gateway that restricts data
communication traffic to and from one of the
connected networks (the one said to be "inside"
the firewall) and thus protects that network's
system resources against threats from the
other network (the one that is said to be
"outside" the firewall). (See: guard, security
gateway.)
4. Rules Determine
WHO ? WHEN ? WHAT ? HOW ?
[Diagram: INTERNET -- Firewall -- My PC / Secure Private Network]
5. What is a Firewall ?
A firewall :
◦ Acts as a security gateway between two networks
  Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
◦ Tracks and controls network communications
  Decides whether to pass, reject, encrypt, or log communications (Access Control)
[Diagram: Internet -- "Allow Traffic to Internet" -- Corporate Site]
6. Firewalls History
• First generation - packet filters
• The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls.
• Second generation - circuit level
• From 1980-1990 two colleagues from AT&T Company developed the second generation of firewalls, known as circuit level firewalls.
• Third generation - application layer
• Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T Laboratories described a third generation firewall, also known as proxy based firewalls.
• Subsequent generations
• In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system.
• In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.
• Cisco, one of the largest internet security companies in the world, released their PIX ("Private Internet Exchange") product to the public in 1997.
7. Theft or disclosure of internal data
Unauthorized access to internal hosts
Interception or alteration of data
Vandalism & denial of service
Wasted employee time
Bad publicity, public embarrassment, and lawsuits
8. The Nature of Today’s Attackers
Who are these “hackers” who are trying to break into your
computer?
Most people imagine someone at a keyboard late at night, guessing
passwords to steal confidential data from a computer system.
This type of attack does happen, but it makes up a very small
portion of the total network attacks that occur.
Today, worms and viruses initiate the vast majority of attacks.
Worms and viruses generally find their targets randomly.
As a result, even organizations with little or no confidential
information need firewalls to protect their networks from these
automated attackers.
9. Firewall Design Principles
1. Information systems undergo a steady evolution (from small LANs to Internet connectivity)
2. Strong security features for all workstations and servers are not established
3. The firewall is inserted between the premises network and the
Internet
4. Aims:
1. Establish a controlled link
2. Protect the premises network from Internet-based attacks
3. Provide a single choke point
10. Firewall Characteristics
Design goals:
1. All traffic from inside to outside must pass through the firewall
(physically blocking all access to the local network except via the
firewall)
2. Only authorized traffic (defined by the local security policy) will be allowed to pass
3. The firewall itself is immune to penetration (use of trusted
system with a secure operating system)
11. Firewall Characteristics
Four general techniques:
1. Service control
• Determines the types of Internet services that can be accessed,
inbound or outbound
2. Direction control
• Determines the direction in which particular service requests are
allowed to flow
3. User control
• Controls access to a service according to which user is attempting
to access it
4. Behavior control
• Controls how particular services are used (e.g. filter e-mail)
12. What Firewalls Can Do
Positive Effects
Negative Effects
13. What Firewalls Do (Positive Effects)
Positive Effects
User authentication.
Firewalls can be configured to require user authentication. This allows network administrators to control and track specific user activity.
Auditing and logging.
By configuring a firewall to log and audit activity, information may
be kept and analyzed at a later date.
14. What Firewalls Do (Positive Effects)
Anti-Spoofing - Detecting when the source of the network traffic is
being "spoofed", i.e., when an individual attempting to access a
blocked service alters the source address in the message so that the
traffic is allowed.
Network Address Translation (NAT) - Changing the network
addresses of devices on any side of the firewall to hide their true
addresses from devices on other sides. There are two ways NAT is
performed:
◦ One-to-One - where each true address is translated to a unique translated
address.
◦ Many-to-One - where all true addresses are translated to a single
address, usually that of the firewall.
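The two NAT modes from the slide above, as an added example that is not part of the original slides. The firewall's public address 198.51.100.1, the one-to-one mapping table and the private hosts are constructed assumptions; in many-to-one mode every internal (address, port) pair is given its own public port so replies can be mapped back, and an inbound packet for which no flow exists maps to nothing and can be dropped.

```python
# Added example (not from the slides): the two NAT modes a firewall can perform.
# Assumptions: 198.51.100.1 is the firewall's public address; private hosts are constructed.


class Nat:
    """One-to-one: each private address gets its own public address, ports untouched.
    Many-to-one: every private host shares the firewall's address; a per-flow table
    keyed on (private ip, private port) hands out a unique public port."""

    def __init__(self, public_ip, mode, static_map=None, first_port=40000):
        self.public_ip = public_ip
        self.mode = mode                              # "one-to-one" or "many-to-one"
        self.static_map = dict(static_map or {})      # private ip -> public ip
        self.reverse_static = {v: k for k, v in self.static_map.items()}
        self.table = {}                               # (priv_ip, priv_port) -> public port
        self.reverse = {}                             # public port -> (priv_ip, priv_port)
        self.next_port = first_port

    def outbound(self, src_ip, src_port):
        """Rewrite the source of a packet leaving the private side."""
        if self.mode == "one-to-one":
            return self.static_map[src_ip], src_port
        key = (src_ip, src_port)
        if key not in self.table:                     # first packet of a new flow: allocate a port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, dst_ip, dst_port):
        """Map a packet arriving from outside back to the private host, or None."""
        if self.mode == "one-to-one":
            priv = self.reverse_static.get(dst_ip)
            return (priv, dst_port) if priv else None
        if dst_ip != self.public_ip:
            return None
        return self.reverse.get(dst_port)             # None: no inside flow opened this port


def demo():
    """Walk both modes on constructed traffic and return the translations."""
    pat = Nat("198.51.100.1", "many-to-one")
    a = pat.outbound("10.0.0.5", 51000)               # ("198.51.100.1", 40000)
    b = pat.outbound("10.0.0.6", 51000)               # same private port, distinct public port
    back = pat.inbound("198.51.100.1", 40000)         # ("10.0.0.5", 51000)
    stray = pat.inbound("198.51.100.1", 9999)         # unsolicited inbound: None
    one = Nat("198.51.100.1", "one-to-one", {"10.0.0.5": "198.51.100.10"})
    return a, b, back, stray, one.outbound("10.0.0.5", 51000), one.inbound("198.51.100.10", 22)


if __name__ == "__main__":
    print(demo())
```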
15. What Firewalls Do (Positive Effects)
Virtual Private Networks
VPNs are communications sessions traversing public networks that
have been made virtually private through the use of encryption
technology. VPN sessions are defined by creating a firewall rule that
requires encryption for any session that meets specific criteria.
16. What Firewalls Do (Negative Effects)
Negative Effects
Although firewall solutions provide many benefits, negative effects
may also be experienced.
◦ Traffic bottlenecks. By forcing all network traffic to pass through the
firewall, there is a greater chance that the network will become congested.
◦ Single point of failure. In most configurations where firewalls are the
only link between networks, if they are not configured correctly or are
unavailable, no traffic will be allowed through.
◦ Increased management responsibilities. A firewall often adds to
network management responsibilities and makes network troubleshooting
more complex.
17. What a Firewall Can't Do
• Do Firewalls Prevent Viruses and Trojans? NO!! A firewall can only prevent a virus or Trojan from accessing the internet while on your machine
• 95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program
• Firewalls can't prevent this -- only a good anti-virus software program can. However, once installed on your PC, many viruses and Trojans "call home" over the internet to the hacker that designed them
• This lets the hacker activate the Trojan, and he/she can now use your PC for his/her own purposes
• A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system
19. Screening Router
[Diagram: Internet/Untrusted Network -- Screening Router (routes or blocks packets, as determined by security policy) -- Internal Trusted Network (Desktop, Mainframe, Database Server)]
20. Simple Firewall
[Diagram: Internet/Untrusted Network -- Screening Router (routes or blocks packets, as determined by security policy) -- Firewall (then handles traffic additionally to maintain more security; web, smtp) -- Internal Trusted Network (Desktop, Mainframe, Database Server)]
21. Multi-Legged Firewall
[Diagram: Internet/Untrusted Network -- Screening Router (routes or blocks packets, as determined by security policy) -- Firewall (then handles traffic additionally to maintain more security), with two legs: DMZ Semi-Trusted Network (Web Server, SMTP Server, Server; the DMZ now offers a secure sandbox to handle un-trusted connections to internet services) and Internal Trusted Network (Desktop, Mainframe, Database Server)]
22. Firewall Sandwich
[Diagram: Internet/Untrusted Network -- Screening Router (routes or blocks packets, as determined by security policy) -- Outside Firewall (then handles traffic additionally to maintain more security) -- DMZ Semi-Trusted Network (Web Server, SMTP Server, Server; the DMZ now offers a secure network to handle un-trusted connections to internet services) -- Inside Firewall -- Internal Trusted Network (Desktop, Mainframe, Database, App Server). Separation of security policy controls between inside and outside firewalls.]
23. Layered Firewall
[Diagram: Internet/Untrusted Network -- firewall (routes or blocks packets, as determined by security policy; then handles traffic additionally to maintain more security) -- DMZ Semi-trusted network (the DMZ now offers a secure network to handle un-trusted connections to internet services) -- Inside Firewall (both firewalls are labelled "Inside Firewall" on the slide) -- Internal Firewalls in front of the Mainframe Network, User Network, HR Network and Development Network. Separation of security policy controls networks within your trusted network as well as your DMZ, semi- and un-trusted networks. "Fences keep honest people honest!"]
24. Types of Firewalls
Common types of Firewalls:
1. Packet-filtering routers
2. Application-level gateways
3. Circuit-level gateways
4. Bastion host
5. Distributed Firewall System
6. Virtual Private Network (VPN)
25. Packet-filtering Router
◦ Applies a set of rules to each incoming IP packet
and then forwards or discards the packet
◦ Filter packets going in both directions
◦ The packet filter is typically set up as a list of
rules based on matches to fields in the IP or TCP
header
◦ Two default policies (discard or forward)
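The rule-list behaviour described above (rules matched against IP/TCP header fields, both directions, two default policies), as an added example that is not part of the original slides: a minimal first-match packet filter that also carries an anti-spoofing rule of the kind slide 14 describes. The premises network 10.0.0.0/8, the public web server 203.0.113.1 and the sample packets are constructed assumptions.

```python
# Added example (not from the slides): a first-match packet filter over IP/TCP header
# fields with the two default policies. All addresses and packets below are constructed.
from ipaddress import ip_address, ip_network

INSIDE = "10.0.0.0/8"          # assumed premises network
WEB_SERVER = "203.0.113.1/32"  # assumed public web server

# (action, direction, proto, src, dst, dport); "in" = untrusted -> trusted, "out" = the reverse.
RULES = [
    ("discard", "in",  "any", INSIDE,      "0.0.0.0/0", None),  # anti-spoofing: inside address from outside
    ("forward", "in",  "tcp", "0.0.0.0/0", WEB_SERVER,  80),    # inbound HTTP to the public web server
    ("forward", "out", "tcp", INSIDE,      "0.0.0.0/0", 443),   # outbound HTTPS from the inside
    ("forward", "out", "tcp", INSIDE,      "0.0.0.0/0", 80),    # outbound HTTP from the inside
    ("discard", "in",  "tcp", "0.0.0.0/0", INSIDE,      23),    # explicit: no inbound telnet
]


def matches(rule, pkt):
    """True when every field of the rule agrees with the packet's header fields."""
    action, direction, proto, src, dst, dport = rule
    return (direction == pkt["direction"]
            and proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and (dport is None or dport == pkt.get("dport")))


def filter_packet(pkt, rules=RULES, default="discard"):
    """First matching rule wins; returns (verdict, rule index) or (default policy, None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[0], i
    return default, None


# Constructed sample packets: just the header fields a packet filter looks at.
PACKETS = {
    "inbound_http":   {"direction": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 80},
    "spoofed_inside": {"direction": "in",  "proto": "tcp", "src": "10.1.2.3",     "dst": "10.0.0.9",    "dport": 80},
    "outbound_ssh":   {"direction": "out", "proto": "tcp", "src": "10.0.0.9",     "dst": "198.51.100.7", "dport": 22},
    "inbound_telnet": {"direction": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.9",    "dport": 23},
}


def verdicts(default="discard"):
    """Run every sample packet through the rule set under the given default policy."""
    return {name: filter_packet(pkt, default=default) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for policy in ("discard", "forward"):   # only the unmatched outbound_ssh packet changes
        print(policy, verdicts(policy))
```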
26. Packet Filtering Firewall
[Diagram: Trusted Network -- Firewall rule set -- Untrusted Network; Packet is Blocked or Discarded]
27. Packet Filtering Firewall
A packet filtering firewall is often called a network layer firewall because
the filtering is primarily done at the network layer (layer three) or the
transport layer (layer four) of the OSI reference model.
29. Packet-filtering Router
Advantages:
◦ Simplicity
◦ Transparency to users
◦ High speed
Disadvantages:
◦ Difficulty of setting up packet filter rules
◦ Lack of Authentication
30. Application-level Gateway
Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy.
Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size.
A mail server is an example of an application gateway
◦ Can't deposit mail in recipient's mail server without passing through sender's mail server
[Diagram: host-to-gateway ftp session -- application gateway -- gateway-to-remote host ftp session]
32. Application-level Gateway
•Advantages
1. Proxy can log all connections, activity in connections
2. Proxy can provide caching
3. Proxy can do intelligent filtering based on content
4. Proxy can perform user-level authentication
•Disadvantages
1. Not all services have proxied versions
2. May need different proxy server for each service
3. Requires modification of client
4. Performance
33. Circuit-level Gateway
1. Stand-alone system
2. Specialized function performed by an Application-level Gateway
3. Sets up two TCP connections
4. The gateway typically relays TCP segments from one connection
to the other without examining the contents
5. The security function consists of determining which connections
will be allowed
6. Typical use is a situation in which the system administrator trusts the internal users
7. An example is the SOCKS package
35. Bastion Host
Highly secure host system
A system identified by the firewall administrator as a critical strong point in the network's security
The bastion host serves as a platform for an application-level or
circuit-level gateway
Potentially exposed to "hostile" elements
Hence is secured to withstand this
◦ Disable all non-required services; keep it simple
Trusted to enforce trusted separation between network
connections
Runs circuit / application level gateways
◦ Install/modify services you want
Or provides externally accessible services
37. Distributed Firewalls
A central management node sets the
security policy enforced by individual hosts
Combination of high-level policy
specification with file distribution
mechanism
Advantages:
◦ Lack of central point of failure
◦ Ability to protect machines outside topologically
isolated space
◦ Great for laptops
Disadvantage:
◦ Harder to allow in certain services, whereas it's easy to block
38. Distributed Firewalls Drawback
Allowing in certain services works if and
only if you’re sure the address can’t be
spoofed
◦ Requires anti-spoofing protection
◦ Must maintain ability to roam safely
Solution: IPsec
◦ A machine is trusted if and only if it can perform
proper cryptographic authentication
39. Virtual Private Network (VPN)
Used to connect two private networks via the
internet
◦ Provides an encrypted tunnel between the two private
networks
◦ Usually cheaper than a private leased line but should be
studied on an individual basis
◦ Once established and as long as the encryption remains
secure the VPN is impervious to exploitation
◦ For large organizations using VPNs to connect
geographically diverse sites, always attempt to use the
same ISP to get best performance.
Try to avoid having to go through small Mom-n-Pop ISPs as
they will tend to be real bottlenecks
42. Firewall Deployment
Demilitarized Zone (DMZ) Gateway
◦ Protect internal network from attack
◦ Most common deployment point
[Diagram: Corporate Site: Internet -- DMZ Gateway -- DMZ (Public Servers); Corporate Network; Human Resources Network]
43. Firewall Deployment
Internal Segment Gateway
◦ Protect sensitive segments (Finance, HR, Product Development)
◦ Provide second layer of defense
◦ Ensure protection against internal attacks and misuse
[Diagram: Corporate Site: Internet -- Corporate Network Gateway -- Demilitarized Zone (publicly-accessible servers: Public Servers); Internal Segment Gateway in front of the Human Resources Network]
44. Firewall Deployment
Server-Based Firewall
◦ Protect individual application servers
◦ Files protect
[Diagram: Corporate Site: Internet -- Corporate Network Gateway -- DMZ (Public Servers); Internal Segment Gateway -- Human Resources Network; Server-Based Firewall in front of the SAP Server]
45. The "2002 Computer Security Institute / FBI Computer Crime and Security Survey" reported:
90% of survey respondents (primarily larger corporations) detected
computer security breaches. Respondents reported a wide range of
attacks:
44% detected system penetration from the outside
44% detected denial of service attacks
76% detected employee abuse of Internet access privileges
85% detected computer viruses, worms, etc.
80% acknowledged financial losses due to computer security
breaches
44% were willing and/or able to quantify their financial losses (these
losses were $455 million).
Most serious losses occurred through theft of proprietary information
and financial fraud.
74% cited their Internet connections as a frequent point of attack and 33% cited their internal systems as a frequent point of attack
34% reported intrusions to law enforcement (up from only 16% in
1996)
46. Future of Firewalls
Firewalls will continue to advance as the
attacks on IT infrastructure become more
and more sophisticated
More and more client and server
applications are coming with native
support for proxied environments
Firewalls that scan for viruses as they enter the network: several firms are currently exploring this idea, but it is not yet in wide use
47. Conclusion
It is clear that some form of security for
private networks connected to the
Internet is essential
A firewall is an important and necessary
part of that security, but cannot be
expected to perform all the required
security functions.