Agenda
What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
What is a VPN
What is a Firewall?
A firewall:
[Diagram: a corporate network gateway placed between the Internet and the corporate site]
Decides whether to pass, reject, encrypt, or log communications (access control)
[Diagram: the gateway allows traffic out to the Internet and blocks traffic in from the Internet]
How does it work?
A firewall disrupts free communication between trusted and untrusted networks, attempting to manage the information flow and restrict dangerous free access.
There are numerous mechanisms employed to do this, each one lying somewhere between completely preventing packets from flowing, which would be equivalent to completely disconnected networks, and allowing free exchange of data, which would be equivalent to having no firewall.
In order to understand how each of these works, it is first necessary to understand the basics of how data moves across the Internet.
Protocols: TCP/IP
The underlying way that data moves across the Internet is in individual packets called Internet Protocol (IP) datagrams. Each packet is completely self-contained, and carries the unique address of the originating computer (source address) and of the intended recipient computer (destination address).
On its journey between the source and destination, the packet is forwarded by routers, which simply pass it on one hop at a time to its destination.
TCP
To have a complete conversation in order to, for example, send an e-mail or view a web page, a sequence of packets is grouped together using something called Transmission Control Protocol (the TCP part of TCP/IP).
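The fields just described (source and destination address in the IP header, ports and flags in the TCP header) are exactly what a firewall reads before it decides anything. The parser below is an added example, not code from the slides: it decodes both headers from constructed packet bytes (checksums are left at zero, since nothing is transmitted), and it only looks for a TCP header in the first fragment of a datagram, because later fragments carry payload where the ports would otherwise be read.

```python
import socket
import struct

# Added example (not from the original slides): a minimal parser for the two
# headers a firewall keys on. Packet bytes are constructed below; checksums are
# left at zero because nothing here transmits them.

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the IPv4 fields a packet filter uses and, for the first fragment
    of a TCP segment, the ports and flags a stateful firewall uses."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "fragment_offset": frag & 0x1FFF,
    }
    # Only the first fragment carries the transport header; a filter that
    # assumed every IP packet has one would mis-read payload bytes as ports.
    if proto == 6 and info["fragment_offset"] == 0:
        tcp = packet[ihl:ihl + 20]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp)
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=frozenset(n for bit, n in TCP_FLAG_BITS.items() if off_flags & bit))
    return info


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: set,
                   fragment_offset: int = 0, payload: bytes = b"") -> bytes:
    """Construct a sample packet for the parser (header checksums zeroed)."""
    tcp_hdr = b""
    if fragment_offset == 0:
        flag_bits = sum(bit for bit, n in TCP_FLAG_BITS.items() if n in flags)
        tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                              (5 << 12) | flag_bits, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, fragment_offset & 0x1FFF,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    # Constructed sample: the first packet of a telnet connection.
    print(parse_ipv4_tcp(build_ipv4_tcp("10.0.0.3", "192.168.0.15", 49090, 23, {"SYN"})))
```

The addresses and ports in the sample are constructed; the `fragment_offset` handling is the edge case worth noticing, since a packet filter that matched ports in every fragment could be fooled by a non-first fragment.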
Evolution of Firewalls
[Diagram: stages of evolution, from packet filter to application proxy to stateful inspection]
Packet Filter
Packets examined at the network layer
Useful first line of defense - commonly deployed on routers
Simple accept or reject decision model
[Diagram: the OSI stacks (Physical, Data Link, Network, Transport, Sessions, Presentations, Applications) of the two endpoints and of the packet filter, which operates at the network layer]
Stateful Inspection
Packets inspected between the data link layer and the network layer, in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
[Diagram: the OSI stacks of the two endpoints and of the firewall, with the INSPECT Engine sitting between the data link and network layers, backed by dynamic state tables]
STATEFUL INSPECTION
Stateful inspection takes the basic principles of packet filtering and adds the concept of history, so that the firewall considers the packets in the context of previous packets.
So, for example, it records in an internal table when it sees a TCP SYN packet, and in many implementations will only allow TCP packets that match an existing conversation to be forwarded to the network.
This has a number of advantages over simpler packet filtering:
It is possible to build up firewall rules for protocols which cannot be properly controlled by packet filtering (e.g. UDP-based protocols).
More complete control of traffic is possible.
Equally, there are some disadvantages to a stateful inspection solution, in that the implementation is necessarily more complex and therefore more likely to be buggy.
It also requires a device with more memory and a more powerful CPU for a given traffic load, as information has to be stored about each and every traffic flow seen over a period of time.
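The packet-filter and stateful-inspection slides above describe the same policy ("internal hosts may open connections outward, nothing may be opened inward") enforced two ways. The example below is added here and is not code from the slides; it uses a constructed topology (10.0.0.0/8 as the corporate side) and simplified TCP flags. The stateless rule has to accept any inbound segment carrying ACK, since without history that is the only way to let replies in; the stateful version keeps the SYN it saw in a table and accepts only what belongs to that conversation, at the cost of one table entry per flow.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the slides). Constructed topology: 10.0.0.0/8 is the
# corporate side; everything else is the Internet side.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def stateless_filter(p: Packet) -> bool:
    """Packet filter expressing 'internal hosts may open TCP connections outward'.

    Without history, the only way to let replies back in is a rule on the
    packet itself: accept inbound segments that carry ACK, on the assumption
    that a packet with ACK set belongs to a conversation we started.
    """
    if is_internal(p.src):
        return True
    return "ACK" in p.flags


class StatefulFirewall:
    """Same policy, but with a state table keyed on the 4-tuple of the flow."""

    def __init__(self):
        self.state = {}  # (int_ip, int_port, ext_ip, ext_port) -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def _key(p: Packet):
        # Both directions of one conversation map to the same entry.
        if is_internal(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> bool:
        key, outbound = self._key(p), is_internal(p.src)
        entry = self.state.get(key)
        if entry is None:
            # A flow may only be opened from inside, and only by a bare SYN.
            if outbound and p.flags == frozenset({"SYN"}):
                self.state[key] = "SYN_SENT"
                return True
            return False
        if "RST" in p.flags or "FIN" in p.flags:
            # Tear-down; real firewalls keep the entry a little longer so the
            # closing handshake can finish, then expire it.
            del self.state[key]
            return True
        if entry == "SYN_SENT":
            if outbound and "SYN" in p.flags:          # retransmitted SYN
                return True
            if not outbound and p.flags == frozenset({"SYN", "ACK"}):
                self.state[key] = "ESTABLISHED"
                return True
            return False
        return "ACK" in p.flags                        # ESTABLISHED: data both ways


def demo() -> dict:
    fw = StatefulFirewall()
    syn = Packet("10.0.0.3", 49090, "203.0.113.7", 80, frozenset({"SYN"}))
    syn_ack = Packet("203.0.113.7", 80, "10.0.0.3", 49090, frozenset({"SYN", "ACK"}))
    ack = Packet("10.0.0.3", 49090, "203.0.113.7", 80, frozenset({"ACK"}))
    # An inbound segment to port 23 that no internal host asked for, but which
    # carries ACK: the stateless rule cannot tell it from a genuine reply.
    unsolicited = Packet("203.0.113.7", 40000, "10.0.0.3", 23, frozenset({"ACK"}))
    return {
        "stateless_unsolicited": stateless_filter(unsolicited),
        "stateful_handshake": [fw.filter(syn), fw.filter(syn_ack), fw.filter(ack)],
        "stateful_unsolicited": fw.filter(unsolicited),
        "flows_tracked": len(fw.state),  # the memory cost the slide mentions
    }
```

`demo()` shows the trade-off in one run: the stateless rule passes the unsolicited ACK-bearing segment, the stateful table rejects it, and the table holds one entry per live flow, which is where the extra memory and CPU the slide mentions go. A production state machine would also track sequence numbers, timeouts and the half-closed states this sketch collapses.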
Network Address Translation (NAT)
[Diagram: corporate LAN using internal IP addresses behind a gateway, with 219.22.165.1 shown as the public IP address on the Internet side]
This is not really a firewall technology at all, but is often confused with one!
NAT is a pragmatic solution to the issue of IP address limitations.
When a network is connected to the Internet, the computers on that network need to be given addresses so that other computers on the Internet can send packets to them.
Because IP addresses are a somewhat limited resource, and have to be unique across the globe, they are assigned hierarchically by a central authority and passed down in blocks to service providers, who then make them available to their customers.
[Table: port address translation example. Two connections with internal source port 49090 are rewritten to the translated address 172.30.0.50 with distinct source ports 2000 and 2001; the destination port is 23 (telnet); the other addresses shown are 192.168.0.15, 10.0.0.2 and 10.0.0.3]
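The translation table above is easiest to read as code. This example is added here and is not from the slides; it arranges the slide's values into a constructed scenario (private hosts 10.0.0.2 and 10.0.0.3 behind public address 172.30.0.50, both using local port 49090 to reach telnet on 192.168.0.15) and implements source NAT with port translation, including the reverse mapping for replies.

```python
import itertools

# Added example, not from the slides. Constructed arrangement of the slide's
# values: two private hosts behind a gateway whose public address is
# 172.30.0.50, both opening telnet (port 23) sessions to 192.168.0.15 from the
# same local source port 49090.


class PortNAT:
    """Source NAT with port translation: many private addresses share one
    public address, distinguished by the public-side source port."""

    def __init__(self, public_ip: str, first_port: int = 2000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.back = {}  # public_port -> (priv_ip, priv_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = next(self._next_port)   # two hosts may use the same local port
            self.out[key] = port
            self.back[port] = key
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a packet arriving at the public address back to the private host.
        Returns None when nothing matches: the packet is dropped not because a
        policy rejected it, but because there is no host to deliver it to."""
        if dst_ip != self.public_ip or dst_port not in self.back:
            return None
        priv_ip, priv_port, peer_ip, peer_port = self.back[dst_port]
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None  # mapping was created for a different peer
        return (src_ip, src_port, priv_ip, priv_port)


def demo() -> dict:
    nat = PortNAT("172.30.0.50")
    a = nat.outbound("10.0.0.3", 49090, "192.168.0.15", 23)
    b = nat.outbound("10.0.0.2", 49090, "192.168.0.15", 23)
    reply_a = nat.inbound("192.168.0.15", 23, "172.30.0.50", a[1])
    # A packet from an unrelated peer to a mapped port: constructed address.
    stray = nat.inbound("198.51.100.9", 4444, "172.30.0.50", 2000)
    return {"a": a, "b": b, "reply_a": reply_a, "stray": stray}
```

The `stray` case is why NAT gets mistaken for a firewall: unsolicited inbound traffic is dropped for lack of a mapping, not because any policy was consulted. This implementation checks that replies come from the peer the mapping was created for; a NAT that skips that check (a "full cone" translator) would deliver the stray packet to 10.0.0.3, and none of this substitutes for an explicit rule set.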
Personal Firewalls
Firewall Deployment
[Diagram: corporate network gateway between the Internet and the corporate site, with a demilitarized zone (DMZ) holding the public servers and a separate Human Resources network]
Firewall Deployment
[Diagram: corporate network gateway between the Internet and the corporate site, a DMZ holding the publicly-accessible servers, and an internal segment gateway separating the Human Resources network from the rest of the site]
Firewall Deployment
Server-based firewall: protect individual application servers
[Diagram: corporate network gateway, internal segment gateway, DMZ with public servers and Human Resources network as before, plus a server-based firewall protecting the SAP server and file servers inside the corporate site]
Firewall Deployment
Hardware appliance based firewall
Single platform, software pre-installed
Can be used to support small organizations or branch offices with little IT support
Summary
Firewalls are the foundation of an enterprise security policy
Stateful inspection is the leading firewall technology
What is a VPN?
A VPN is a private connection over an open network
A VPN includes authentication and encryption to protect data integrity and confidentiality
[Diagram: Acme Corp Site 1 and Acme Corp Site 2 joined by a VPN across the Internet]
Types of VPNs
Remote Access VPN
Provides access to the internal corporate network over the Internet
Reduces long distance, modem bank, and technical support costs
PAP, CHAP, RADIUS
[Diagram: remote user connecting to the corporate site across the Internet]
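Of the three names on the slide, PAP and CHAP are the protocols in which a dial-in or remote-access user proves identity (RADIUS carries such exchanges between the access server and a central authentication server). The example below is added here and is not from the slides: it implements CHAP with MD5 as specified in RFC 1994 (Response = MD5(Identifier || Secret || Challenge)) against a constructed user database, alongside a PAP check, so that the reason remote access should prefer CHAP is visible in a run: a recorded CHAP response is useless against the next challenge, whereas a recorded PAP credential is the password itself.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides. Constructed user database; CHAP needs
# the shared secret itself (not a hash of it) on the authenticating side.
USERS = {"joe": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: issues a fresh random challenge per attempt and
    accepts exactly one response to it."""

    def __init__(self, users: dict):
        self.users = users
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = secrets.token_bytes(16)
        return self.identifier, self.challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        if self.challenge is None or identifier != self.identifier or name not in self.users:
            return False
        expected = chap_response(identifier, self.users[name], self.challenge)
        self.challenge = None  # a second answer to the same challenge is refused
        return hmac.compare_digest(expected, response)


def pap_verify(name: str, password: bytes) -> bool:
    """PAP: the password itself travels in the clear and is compared directly."""
    return name in USERS and hmac.compare_digest(USERS[name], password)


def demo() -> dict:
    server = ChapAuthenticator(USERS)

    # Legitimate login: the client computes the response from the secret it holds.
    ident, chal = server.new_challenge()
    response = chap_response(ident, USERS["joe"], chal)
    first = server.verify("joe", ident, response)

    # The same (identifier, response) pair presented on the next attempt: the
    # server has issued a different challenge, so the old response no longer
    # matches.
    ident2, _ = server.new_challenge()
    replay = server.verify("joe", ident2, response)

    # With PAP the recorded credential is the password itself, so presenting it
    # again succeeds every time.
    pap_replay = pap_verify("joe", USERS["joe"])

    return {"chap_login": first, "chap_replay": replay, "pap_replay": pap_replay}
```

The trade-off a practitioner should note: CHAP protects the password on the wire, but obliges the server to store the secret in recoverable form, which is why the user database on an access server or RADIUS server needs the same care as the VPN gateway itself.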
Types of VPNs
[Diagram: corporate site connected to a branch office across the Internet]
[Diagram: corporate site connected to Partner #1 and Partner #2 across the Internet]
Protects sensitive internal communications
[Diagram: a VPN between LAN clients holding sensitive data and a database server on the same LAN, with the Internet outside]
Components of a VPN
Encryption
Key management
Message authentication
Entity authentication
Encryption
[Diagram: traffic from Joe's PC to the HR Server is encrypted; Mary's PC and the E-Mail Server are also on the network]
Key Management
Public key cryptosystems enable secure exchange of private crypto keys across open networks
Re-keying at appropriate intervals
IKE = Internet Key Exchange protocols; incorporates ISAKMP/Oakley
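The exchange IKE's Oakley component uses for the first bullet is Diffie-Hellman: each side publishes a value computed from a private exponent, and both arrive at the same secret without it ever crossing the network. The following is an added example, not from the slides or from any IKE implementation. It assumes an illustration-only group (the prime 2^255 - 19 with generator 2, chosen so the arithmetic is genuine; IKE negotiates the MODP groups of RFC 3526 instead), derives a session key from the shared value with an HMAC extract-then-expand step, and shows re-keying with fresh exponents.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides. Illustration-only group: P is a known
# prime (2^255 - 19) used here so the arithmetic is real; IKE negotiates the
# standard MODP groups from RFC 3526 instead.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Private exponent and the public value sent across the open network."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(private: int, peer_public: int) -> int:
    # Reject 0, 1 and p-1: a peer sending those forces the secret into a
    # trivial subgroup whether or not our exponent is random.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes, label: bytes) -> bytes:
    """Extract-then-expand (the HKDF pattern, RFC 5869): turn the group element
    into a uniform session key bound to both parties' nonces and a purpose label."""
    prk = hmac.new(nonce_i + nonce_r, shared.to_bytes(32, "big"), hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def exchange(label: bytes = b"esp-encryption") -> tuple:
    """One complete exchange: both sides' messages and the key each derives."""
    x_i, pub_i = dh_keypair()                 # initiator
    x_r, pub_r = dh_keypair()                 # responder
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side sees only the other's public value and nonce.
    k_i = derive_key(dh_shared(x_i, pub_r), n_i, n_r, label)
    k_r = derive_key(dh_shared(x_r, pub_i), n_i, n_r, label)
    return k_i, k_r


def demo() -> dict:
    k_i, k_r = exchange()
    # Re-keying: fresh exponents and nonces give a key unrelated to the first,
    # so compromise of one session key does not expose earlier traffic.
    k_i2, k_r2 = exchange()
    return {"agree": k_i == k_r, "rekey_agree": k_i2 == k_r2, "rekey_differs": k_i != k_i2}
```

Nothing in this exchange tells either side who the peer is; that is the job of the authentication slide that follows (pre-shared key or certificates), and IKE binds that authentication to the public values so an intermediary cannot substitute its own.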
Authentication
IPsec standards focus on authentication of two network devices to each other
IP address/preshared key
Digital certificates
[Diagram: remote access user reaching the Internet through an ISP switch]
Encryption Explained
Used to convert data to a secret code for transmission over an untrusted network
[Diagram: the clear text "The cow jumped over the moon" passes through the encryption algorithm and comes out as the encrypted text "4hsd4e3mjvd3sd a1d38esdf2w4d"]
Symmetric Encryption
Same key used to encrypt and decrypt the message
Faster than asymmetric encryption
Examples: DES, 3DES, RC5, Rijndael
Asymmetric Encryption
Different keys used to encrypt and decrypt the message (one public, one private)
Examples include RSA, DSA, SHA-1, MD-5
[Diagram: Bob and Alice exchanging a message protected with RSA]
Advanced PKI
[Diagram: a reference deployment showing a corporate network with a security cluster (Trend InterScan, WebManager, eManager and StoneBeat) behind an IPSec-compliant VPN-1/FireWall-1 gateway; an extranet partner site with its own FireWall-1, LDAP directory and extranet application server; remote and dial-up users running VPN-1 SecuRemote/SecureClient with RSA SecurID and an RSA ACE/Agent; a remote office with a VPN-1/FireWall-1 Nokia appliance over broadband; plus StoneBeat FullCluster, FloodGate-1 QoS, VPN-1 SecureServer, a VPN-1 accelerator card, ConnectControl server load balancing and ISS RealSecure intrusion detection]
Thank You!