
Firewall Technologies

Topic A
Introduction/Network Perimeter Defence

1
Learning Objectives
You will learn:
Understand the network perimeter defense
Identify the perimeter of a trusted network
Identify the devices that provide defense at the
network perimeter
Explain the functions of devices located at the
perimeter of a network
Design the firewall to implement the policy
Understand the need for keeping log files of devices at
the perimeter
2
Introduction
Security must be a primary concern when designing
an optimum network
Security means protecting or maintaining CIA.
CIA stands for Confidentiality, Integrity & Availability
The opposite of CIA is DAD
DAD stands for Disclosure, Alteration & Denial
A complete network security solution featuring formal
authentication, authorization, confidentiality,
availability and integrity measures reduces the
likelihood of an unauthorized intrusion.

3
Security Policy
A security policy is typically a document that outlines specific
requirements or rules that must be met.
Usually point-specific, covering a single area
(A password policy should state that passwords must be
sufficient to properly secure a resource)
A security standard is typically a collection of system-specific or
procedural-specific requirements that must be met by everyone.
(A password standard specifies that a password generator
should be used)
A security guideline is typically a collection of system-specific or
procedural-specific suggestions for best practices.
(A password guideline lists all the company approved, licensed
password generators)

4
Network Complexity
Network zones:
Internet
Intranet
Extranet
Public servers
Internal servers
Defensive components:
IDS
Firewalls
Scanner
Filters
VPN
5
Risk Assessment
Risk factors:
Worth
Attraction
Threat
Vulnerability
Probability
Countermeasures:
Prevention: Cryptography, Firewalls, Vulnerability scanning
Detection: Intrusion detection systems, Log analysis, Digital signatures
Proper risk management is the future of digital security.

6
Cost of Security & Risk
Assessment
Annualized Rate of Occurrence (ARO)
(Likelihood of a risk occurring within a year)
Single Loss Expectancy (SLE)
(Total cost of the risk if the risk occurs)
Annual Loss Expectancy (ALE)
(ARO & SLE decide the ALE)
Eg:
A web server failing probability - 30% (ARO)
If the e-commerce site hosted in this server generates $10,000.00 an hour.
Assume the site is down for 2 hour and cost of repairing the server is
$6000.00
Then SLE of the risk =$26000.00
Money in the budget to deal with the risk (ALE) = $26000*ARO
= $7,800
7
What is network perimeter?
Every network has a perimeter - a gateway to the Internet
A security perimeter surrounds the network and computers, with a
single entry point for external traffic
A perimeter is a fortified boundary of our network
A concept of deploying several layers of defence that mitigate
security threats is called defence-in-depth

Traditional techniques:
IP filtering gateways
Proxy gateways
Combinations (defense in depth)
Diagram: PC1, PC2, PC3 and a server sit behind a security device at the
network perimeter, which faces the Internet.
8
Defence-in-Depth
A multilayer model that defines layers of
protection for your network
Each layer has network- and host-defence
features
Each layer is capable of stopping a network or
host attack
The basic foundation of network security
Provide multiple chokepoints to contain malicious
activity and keep it from spreading throughout
your network
9
Defence-in-Depth
At a high level, defence-in-depth defines four
main layers of protection for your network
and an abstract layer that encompasses
security best practices
Authentication layer
Perimeter layer
Network intrusion prevention layer
Host intrusion prevention layer
Security best practices
10
Types of Network

Network Classifications
Trusted
Semi-trusted
Untrusted

11
Network Classifications
Trusted Networks
Inside network security perimeter
The networks you are trying to protect
Semi-Trusted Networks
Allow access to some database materials and e-mail
May include Web server, DNS, proxy, and modem
servers
Not for confidential or proprietary information
Referred to as the demilitarized zone (DMZ)
Untrusted Networks
Outside your security perimeter
Outside your control
12
Perimeter Networks

Perimeter
Classifications
Outermost perimeter
Internal perimeters

13
Perimeter classification
Outermost Perimeter
Router used to separate network from ISP’s network
Identifies separation point between assets you control and
those you do not
Most insecure area of a network infrastructure
Normally reserved for routers, firewalls, public Internet
servers (HTTP, FTP, Gopher)
Internal Perimeters
Represent additional boundaries where other security
measures are in place
Represent the boundary where you keep the networks you
are trying to protect

14
Perimeter Devices
Network Hardware Devices: These devices can be considered
perimeter devices depending on where they are placed within your
network infrastructure. They include routers, firewalls, modems,
switches, and wireless hubs. If any of these devices have access to
both an external network and any part of the internal network, it is
considered a perimeter device.
Servers: These devices may be considered perimeter devices
depending on their connectivity to the Internet and intranet. For
example, any server (Network Access Server) that communicates with
both the Internet and intranet and is multihomed could be considered
a perimeter device.
Clients: Remote-location clients that connect to the internal network
from external networks also count, because these clients may open
doorways into the network.

15
Perimeter Devices (contd…)
Perimeter security is traditionally provided by perimeter devices
such as firewalls.
The base definition of a perimeter device is any device that routes
packets between two networks, i.e. firewall, router, and switch.
An unsecured perimeter device could compromise your corporate
network.
Diagram ("Is this a Perimeter Device?"): the Internet connecting the
main office, a branch office, manufacturing, a supplier, a customer,
a telecommuter and a mobile user.
16
A SMB (small-sized to medium sized business)
network and its perimeter devices
A firewall in front of the Internet is not the only
perimeter device.
Diagram, from outside to inside:
Outside
Perimeter Router
Dirty DMZ
Firewall
Protected DMZ (DMZ Servers)
Inside: Corporate Network, Internal Servers
17
Perimeter - ownership
The base definition of a perimeter device is any device that
routes packets between two networks i.e. (firewall, router, and
switch).

18
Perimeter Security Topologies
Perimeter networks
Put in place firewalls and routers on network edge
Permit secure communications between the organization and
third parties
Key enablers for many mission-critical network services
Include demilitarized zones (DMZs), extranets, and intranets
Goal of the perimeter is to selectively admit or deny data
flows from other networks based on several criteria:
Type (protocol)
Source
Destination
Content

19
Firewalls
Hardware or software device that provides a means of securing
a computer or network from unwanted intrusion
Dedicated physical device that protects network from intrusion
Software feature added to a router, switch, or other device that
prevents traffic to or from part of a network
Firewall inspects packets and sessions to determine if they
should be transmitted to or from the protected network or
instead dropped.
Firewalls have become a single point of network access where
traffic can be analyzed and controlled using firewall scripts that
define application, address, and user parameters.
These scripts help protect the connectivity paths to external
networks and data centres.

20
What Do Firewalls Protect
Against?
Denial of service (DoS)
Ping of death
Teardrop or Raindrop attacks
SYN flood
LAND attack
Brute force
Smurf attacks
IP spoofing
21
How Do Firewalls Work?
Network address translation (NAT)
Basic packet filtering
Stateful packet inspection (SPI)
Application gateways
Access control lists (ACL)

22
Routers
Network management device that sits
between network segments and routes traffic
from one network to another
Allows networks to communicate with one
another
Allows Internet to function
Acts as a digital traffic cop (with the addition of
packet filtering)

23
How a Router Moves
Information
Examines electronic envelope surrounding a packet,
compares address to list of addresses contained in
router’s lookup tables
Determines which router to send the packet to next,
based on changing network conditions

24
Perimeter/Firewall Router
functions
Protection - Service Method
Sniffer or snooping - Control eavesdropping with the TCP/IP service
capabilities and network layer encryption
Control unauthorized access - Use AAA and ACS. Also use access list
filtering and PIX firewall
Control session replay - Control which TCP/IP sessions are authorized
Control inbound connections - Permit inbound traffic to DMZ only;
allow connections only for required services; filter private addresses
Control outbound connections - Allow valid IP addresses to the outside
world
Packet filtering - Use pre-defined access lists; control vty lines and
access; ensure routing updates are authenticated

25
Switches
Provide same function as bridges (divide collision domains), but
employ application-specific integrated circuits (ASICs) that are
optimized for the task
Reduce collision domain to two nodes (switch and host)
Main benefit over hubs
Separation of collision domains limits the possibility of sniffing

Switch security:
ACLs
Virtual Local Area Networks (VLANs)

26
Security Problems with
Switches
Common ways of switch hijacking
Try default passwords which may not have
been changed
Sniff network to get administrator
password via SNMP or Telnet

27
Securing a Switch
Isolate all management interfaces
Manage switch by physical connection to a serial port
or through secure shell (SSH) or other encrypted
method
Use separate switches or hubs for DMZs to physically
isolate them from the network and prevent VLAN
jumping
Put switch behind dedicated firewall device
Maintain the switch; install latest version of software
and security patches
Read product documentation
Set strong passwords

28
VLAN (Virtual Local Area
Network)
VLANs are used to separate subnets and implement
security zones.
It is commonly assumed that Virtual LANs are fully
isolated from each other.
The ability to send packets across different zones
would render such separation useless, as a
compromised machine in a low-security zone could
initiate denial of service attacks against computers in
a high-security zone.
Another threat lies in the possibility of "destroying" the
virtual architecture, which is in effect a DoS (Denial
of Service) against the whole network architecture.

29
Virtual Local Area Network
Broadcast domain within a switched network
Uses encryption and other security mechanisms to
ensure that
Only authorized users can access the network
Data cannot be intercepted
Clusters users in smaller groups
Increases security from hackers
Reduces possibility of broadcast storm

30
Layer 2 Attacks
Media Access Control (MAC) attack
BASIC VLAN Hopping attack
Double Encapsulation VLAN Hopping attack
Address Resolution Protocol (ARP) attack
Spanning Tree Attack
VLAN Trunking Protocol attack
VLAN Management Policy Server (VMPS)/ VLAN
Query Protocol (VQP) attack
Cisco Discovery Protocol (CDP) Attack
Private VLAN (PVLAN) attack

31
Perimeter Expansion
Increased bandwidth: Technology
Remote offices
Cryptography
Telecommuters
Roaming users Content scanning
Partners Intrusion detection
As a consequence: Vulnerability scanning
Greater potential of Countermeasures
attacks and vulnerabilities
Data integrity attacks Prevention
Harder detection Detection
Reaction

32
What we can do at perimeter?
Diagram: controls placed against the OSI layers (Application,
Presentation, Session, Transport, Network, Data Link, Physical) -
proxy systems at the application layer, stateful inspection at the
presentation and session layers, packet filtering at the transport
and network layers.
Packet filtering techniques:
Simple packet filtering
Stateful filtering
Proxy filtering
Content filtering
Intrusion detection
Intrusion prevention
33
Packet filters (Routers)
Diagram: the packet filter between two full OSI stacks.
Advantages:
High performance
Scalability
Application independence
Disadvantages:
Low security
No screening in upper layers
No state or application information

34
Proxy systems/
Application Layer Gateways
Diagram: the proxy between two full OSI stacks.
Advantages:
Good security
Application layer awareness
Disadvantages:
Poor performance
Limited application support

35
Stateful Inspection
Diagram: the stateful inspection device between two full OSI stacks.
Advantages:
High security
Scalability
Extensibility
Session independence
Application layer awareness
Disadvantage:
Expensive

36
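As an added example (not code from these slides), the stateful inspection of slides 33-36 applied to the router policy of slide 24: a small Python filter records flows opened from the inside so that only their replies are admitted, permits inbound traffic to required DMZ services only, drops private (spoofed) sources from outside and lets only our own addresses out. The 10.0.0.0/8 inside network, the 192.0.2.0/24 DMZ and the DMZ service set are assumed values, and the traffic is constructed.

```python
# Added example (not from the slides): stateful filter for the slide-24 router policy.
from collections import namedtuple
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")          # assumed: the trusted network
DMZ = ip_network("192.0.2.0/24")           # assumed: the semi-trusted DMZ
DMZ_SERVICES = {80, 443}                   # only required services inbound to DMZ
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]   # RFC 1918: never valid from outside

# direction is "in" (from the Internet) or "out"; syn marks a connection-opening TCP SYN
Packet = namedtuple("Packet", "direction src sport dst dport syn")

class StatefulFilter:
    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of flows opened outbound

    def decide(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        if p.direction == "in":
            if any(src in net for net in PRIVATE):
                return "drop"        # filter private addresses (spoofed source)
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return "permit"      # reply to a flow the inside opened
            if dst in DMZ and p.dport in DMZ_SERVICES and p.syn:
                return "permit"      # inbound to DMZ, required service only
            return "drop"            # a stateless "source port 443" rule would leak here
        if src not in INSIDE and src not in DMZ:
            return "drop"            # only valid (our) addresses to the outside world
        if p.syn:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return "permit"

def run_sample():
    """Constructed traffic; returns the filter's decision for each packet in order."""
    fw = StatefulFilter()
    sample = [
        Packet("out", "10.1.1.5", 40000, "203.0.113.9", 443, True),   # inside opens HTTPS
        Packet("in", "203.0.113.9", 443, "10.1.1.5", 40000, False),   # its reply
        Packet("in", "203.0.113.77", 443, "10.1.1.5", 40001, False),  # unsolicited, sport 443
        Packet("in", "198.51.100.4", 5555, "192.0.2.10", 80, True),   # web to DMZ
        Packet("in", "198.51.100.4", 5556, "192.0.2.10", 22, True),   # SSH to DMZ
        Packet("in", "10.9.9.9", 1, "192.0.2.10", 80, True),          # private source from outside
        Packet("out", "172.16.5.5", 1, "203.0.113.9", 80, True),      # not one of our addresses
    ]
    return [fw.decide(p) for p in sample]
```

The third packet is the case that separates stateful inspection from a plain packet filter: without the flow table, admitting return traffic would require a rule keyed on the source port, which any outside host can set.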
Security processes
Every day
New processes are being transformed into electronic forms
New vulnerabilities and patches emerge
Event logs must be analyzed
Appropriate actions must be taken
As a consequence
Security is a process
Services serve better than products
Expert teams specialized in security are needed

37
Event logging
Full, fine-grained event logs are vital for
detection
Easy to process, human readable
Log analysis: statistics, expert systems,
manual
Audit Logs

38
Logging
Logging process controls the distribution of
logging messages to the various destinations
such as logging buffer, terminal lines, or a
syslog server depending on the configuration.
Can set the severity level of the messages
Possible to time stamp the messages
Logging is enabled by the following
command:
RouterA(config)# logging on

39
Logging level
Command - Purpose
logging console level - Limits the messages logged to the console with
a level up to and including the specified level argument
logging monitor level - Limits the messages logged to the terminal lines
with a level up to and including the specified level argument
logging trap level - Limits the messages logged to the SYSLOG servers
with a level up to and including the specified level argument
40
Syslog Severity Levels and
Their Messages

41
SYSLOG
SYSLOG is a protocol that is widely used to
inspect the behaviour of a certain device.
By installing a SYSLOG server daemon on a
PC, we can check the status of all devices
that are configured to use that server.
RouterA#config t
RouterA(config)#logging 150.100.1.242
RouterA(config)#logging trap warnings
RouterA(config)#end
RouterA#
Diagram: RouterA sends its messages to the SYSLOG server 150.100.1.242
on the 150.100.1.0/24 network.

42
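An added example, not from the slides: a Python parser for the syslog lines RouterA would send to the server, applying the "logging trap warnings" threshold configured above (slides 39-42) to a constructed set of messages. The PRI field encodes facility*8 + severity, so one integer yields both; the IOS-style message names in the sample are illustrative input, not taken from the slides.

```python
# Added example (not from the slides): parse router syslog lines and apply the
# "logging trap warnings" threshold from slide 42; sample messages are constructed.
import re

# Severity codes 0-7 with the names IOS accepts in "logging trap <level>"
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
MNEMONIC_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<name>[A-Z0-9_]+)")

def parse_syslog(line):
    """Return facility, severity, message and the IOS mnemonic (if any) of one line."""
    m = PRI_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        raise ValueError("not a valid syslog line: %r" % line)
    pri = int(m.group("pri"))
    msg = m.group("rest").strip()
    mn = MNEMONIC_RE.search(msg)
    return {"facility": pri // 8, "severity": pri % 8, "message": msg,
            "mnemonic": mn.group("name") if mn else None,
            # IOS embeds the severity digit in the mnemonic; a mismatch is worth flagging
            "consistent": mn is None or int(mn.group("sev")) == pri % 8}

def trap_filter(lines, trap_level="warnings"):
    """Keep messages at or above the trap level (numerically <= its code), as the router would."""
    threshold = SEVERITY.index(trap_level)   # raises ValueError on an unknown level name
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec["severity"] <= threshold:
            kept.append((SEVERITY[rec["severity"]], rec["mnemonic"]))
    return kept

# Constructed sample in the shape a router sends (facility 23 = local7, so PRI = 184 + severity)
SAMPLE = [
    "<189>37: RouterA: *Mar  1 00:12:01: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>38: RouterA: *Mar  1 00:12:05: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "<188>39: RouterA: *Mar  1 00:12:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9]",
    "<190>40: RouterA: *Mar  1 00:12:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4444) -> 192.0.2.10(22), 1 packet",
]
```

Note that at the "warnings" trap level the access-list denial (severity 6) never reaches the server, so a trap level chosen for noise reduction also decides which security events are available for later analysis.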
Chapter Summary
A perimeter is a fortified boundary of our network.
Trusted network is a network you are trying to
protect which is inside the network security
perimeter.
Perimeter device is any device that routes packets
between two networks.
Perimeter devices (Routers and firewalls) can act as
Packet filters, stateful filters and proxy filters.
Firewall inspects packets and sessions to determine if
they should be transmitted to or from the protected
network or instead dropped.
Event logging is vital for detection, prevention,
analysis and statistics.
43
Review Questions
What is CIA?
Confidentiality, Integrity & Availability
What is SLE?
Single Loss Expectancy (How much money would be lost if the risk occurred)
List three potential threats from inside an organization.
Authenticated users, unauthorized programs and unpatched software
What is a perimeter?
A perimeter is a fortified boundary of our network.
Name three broad classifications of network.
Trusted, Semi-trusted and Untrusted network
Which perimeter device inspects packets and sessions to determine if they should
be transmitted to or from the protected network or instead dropped.
Firewall
Name three methods to secure the switch.
Refer to page 27
Name three security mechanisms, which can be done at the perimeter.
Network Firewalls, VPN Concentrators and Built-In VPNs, Proxy Systems,
IDS/IPS Devices, Web Application Firewalls, Switched Network Firewalls,
Network Devices, VLANs
44
Thank you?

45
