
An Introduction to Firewall Technology

Agenda

What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
What is a VPN

What is a Firewall?
A firewall:
Acts as a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
Tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control)
(Diagram: a Corporate Network Gateway sits between the Internet and the Corporate Site; traffic to the Internet is allowed, traffic from the Internet is blocked.)

Why Firewalls are Needed
Prevent attacks from untrusted networks
Protect data integrity of critical information
Preserve customer and partner confidence

How does it work?
A firewall interrupts the otherwise free flow of traffic between trusted and untrusted networks, managing the information flow and restricting dangerous unrestricted access.
There are numerous mechanisms for doing this. Each sits somewhere between completely preventing packets from flowing, which would be equivalent to disconnecting the networks, and allowing free exchange of data, which would be equivalent to having no firewall at all.
To understand how each mechanism works, it is first necessary to understand the basics of how data moves across the Internet.

Protocols: TCP/IP
Data moves across the Internet in individual packets called Internet Protocol (IP) datagrams.
Each packet is self-contained and carries the address of the originating computer (source address) and of the intended recipient (destination address).
On its journey between source and destination, the packet is forwarded by routers, one hop at a time, until it reaches its destination.

TCP
To carry a complete conversation, for example sending an e-mail or viewing a web page, a sequence of packets is grouped together using the Transmission Control Protocol (the TCP part of TCP/IP). Each end of a TCP conversation is identified by an IP address and a port number; well-known port numbers (such as 25 for mail or 80 for web) identify the service on the server.
Under TCP, a complete conversation looks something like this:
(Diagram: the client sends a SYN packet to the server's port, the server answers with SYN/ACK, the client completes the three-way handshake with an ACK, data then flows in both directions, and the conversation is closed with an exchange of FIN/ACK packets.)

Simpler requests: UDP
TCP is cumbersome for simple requests, so a streamlined protocol called the User Datagram Protocol (UDP) also exists. It has no connection setup overhead and tends to be used for simpler conversations that involve a single request and reply, which the application repeats if packets are lost.
Example: a Domain Name System (DNS) query, used to obtain the IP address for a host name.
A similar port mechanism is used in UDP to route packets to the appropriate application on the host.

Evolution of Firewalls
(Diagram: stages of evolution, in order: Packet Filter, Application Proxy, Stateful Inspection.)

Packet Filter
Packets examined at the network layer: each packet is accepted or rejected on its own IP header (and usually the TCP/UDP port numbers), with no memory of earlier packets
Useful first line of defense - commonly deployed on routers
Simple accept or reject decision model
(Diagram: OSI stacks for the client, the packet filter and the server; the packet filter operates at the Network layer.)

Advantages of Packet Filter
It is simple to implement, which makes it much less likely that exploitable bugs exist in the firewall code.
The same simplicity means that rule sets tend to be less complex, and so are less likely to contain unintentional access routes.
It can be implemented on relatively inexpensive hardware, so simple, cheap boxes can do packet filtering for very large numbers of user connections.
Its limitation is the lack of context: to let replies to outbound connections back in, a stateless filter has to open inbound ports that an attacker can use just as easily.

Application Gateway or Proxy
Packets examined at the application layer: the proxy terminates the client's connection and opens its own connection to the server
Application/content filtering possible - prevent FTP put commands, for example
Modest performance
Scalability limited
(Diagram: OSI stacks for the client, the application gateway and the server; the gateway operates at the Application layer.)

Stateful Inspection
Packets inspected between the data link layer and the network layer in the OS kernel
State tables are created to maintain connection context
Introduced and patented by Check Point
(Diagram: OSI stacks for the client, the firewall and the server; the INSPECT Engine sits between the Data Link and Network layers and maintains dynamic state tables.)

STATEFUL INSPECTION
Stateful inspection takes the basic principles of packet filtering and adds the concept of history, so that the firewall considers each packet in the context of previous packets.
For example, it records each TCP SYN packet it sees in an internal table, and most implementations then forward only TCP packets that match an existing conversation in that table.
This has a number of advantages over simpler packet filtering:
It is possible to build firewall rules for protocols which cannot be properly controlled by packet filtering, e.g. UDP-based protocols: UDP has no connection setup, so a stateless filter cannot tell a legitimate reply from an unsolicited packet, whereas a stateful firewall records the outbound request and accepts only the matching reply, for a limited time.
More complete control of traffic is possible.
Equally, there are some disadvantages to a stateful inspection solution: the implementation is necessarily more complex and therefore more likely to be buggy.
It also requires a device with more memory and a more powerful CPU for a given traffic load, as information has to be stored about every traffic flow seen over a period of time. Because each flow consumes a table entry, entries must time out; otherwise a flood of new connections or spoofed SYNs can exhaust the table.
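The difference between the two models is easiest to see on a packet trace. The following is an added example written for this page, not code from the slides or from any firewall product: a stateless filter and a stateful tracker, both written from scratch, run over a constructed trace. The addresses (from the RFC 5737 documentation ranges), the ports and the convention that 10.x is the internal network are assumptions for illustration; state-entry timeouts and TCP flag validation are deliberately omitted.

```python
"""Stateless packet filter vs. stateful inspection on a constructed trace.
Added illustration, not from the original slides; addresses are from the
RFC 5737 documentation ranges and the trace is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK; empty for UDP


def is_internal(ip: str) -> bool:
    # Assumption for the example: the corporate LAN is 10.0.0.0/8
    return ip.startswith("10.")


ALLOWED_SERVICES = {80, 53}  # outbound web (TCP) and DNS (UDP) only


def packet_filter(p: Packet) -> str:
    """Stateless filter: decides on this packet's header alone."""
    outbound = is_internal(p.src) and not is_internal(p.dst)
    inbound = not is_internal(p.src) and is_internal(p.dst)
    if outbound and p.dport in ALLOWED_SERVICES:
        return "accept"
    # To let replies back in, a stateless filter can only match on the
    # reply's *source* port. Anyone on the Internet can send from port 80 or 53.
    if inbound and p.sport in ALLOWED_SERVICES:
        return "accept"
    return "drop"


class StatefulFirewall:
    """Records each outbound SYN / UDP request; accepts only packets that
    belong to a recorded conversation (in either direction)."""

    def __init__(self) -> None:
        self.state = set()  # entries: (src, sport, dst, dport, proto)

    @staticmethod
    def _fwd(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _rev(p: Packet) -> tuple:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def decide(self, p: Packet) -> str:
        if self._fwd(p) in self.state or self._rev(p) in self.state:
            return "accept"  # part of a conversation we have already seen
        outbound = is_internal(p.src) and not is_internal(p.dst)
        opens_flow = (p.proto == "tcp" and p.flags == "S") or p.proto == "udp"
        if outbound and p.dport in ALLOWED_SERVICES and opens_flow:
            self.state.add(self._fwd(p))  # remember the SYN / UDP request
            return "accept"
        return "drop"  # unsolicited, or a TCP packet with no handshake


# Constructed trace: a web fetch, a DNS lookup, and two unsolicited probes
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.80", 80, "tcp", "S"),   # 1 outbound SYN
    Packet("203.0.113.80", 80, "10.0.0.5", 40000, "tcp", "SA"),  # 2 genuine reply
    Packet("198.51.100.9", 80, "10.0.0.5", 445, "tcp", "S"),     # 3 probe sent from port 80
    Packet("10.0.0.5", 51000, "203.0.113.53", 53, "udp"),        # 4 DNS query
    Packet("203.0.113.53", 53, "10.0.0.5", 51000, "udp"),        # 5 DNS answer
    Packet("203.0.113.53", 53, "10.0.0.5", 51001, "udp"),        # 6 unsolicited UDP
]


def run_trace(trace=TRACE):
    """Returns (packet_filter_decision, stateful_decision) per packet."""
    sf = StatefulFirewall()
    return [(packet_filter(p), sf.decide(p)) for p in trace]


if __name__ == "__main__":
    for p, (pf, st) in zip(TRACE, run_trace()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto:3} "
              f"packet filter={pf:6} stateful={st}")
```

Packets 3 and 6 are the point of the exercise: a SYN aimed at port 445 but sent from source port 80, and a UDP datagram from port 53 to a port nobody asked from, both look like "replies" to the stateless filter and are accepted, while the stateful tracker drops them because no recorded conversation matches.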

Network Address Translation (NAT)
(Diagram: a Corporate LAN using internal IP addresses 192.172.1.1-192.172.1.254 behind a gateway whose public IP address 219.22.165.1 faces the Internet.)
Converts a network's private (non-routable) IP addresses to public IP addresses
Hides the true addresses of individual hosts, so that they cannot be reached directly from the Internet
Allows more devices to be connected to the network than there are public addresses

Network Address Translation
This is not really a firewall technology at all, but is often confused with one!
NAT is a pragmatic solution to the limited supply of IP addresses.
When a network is connected to the Internet, the computers on that network need addresses so that other computers on the Internet can send packets to them.
Because IP addresses are a limited resource and have to be unique across the globe, they are assigned hierarchically by a central authority and passed down in blocks to service providers, who then make them available to their customers.

Network Address Translation
The way NAT works is very similar to stateful inspection firewalling, with the added twist that the gateway modifies the address part of every packet on the way through.
The NAT gateway sees an outgoing packet from an internal private address to an external global Internet address. It makes a note of the (internal, private) source address and port of the packet, and of the destination server address and port number. It then overwrites the source IP address with its own single global Internet address and sends the packet on towards the Internet.
When the reply arrives, addressed to the gateway's global address, the gateway looks up the entry it noted and rewrites the destination back to the internal host's private address and port before forwarding it inside. A packet from the Internet that matches no entry has nowhere to go and is dropped, which is why NAT is so often mistaken for a firewall.

Port Address Translation (Hiding NAT)
All internal hosts are hidden behind one global address. Because two internal hosts may use the same source port, the gateway also translates the source port so that every flow gets a unique table entry:

Internal host   Original packet (src ip:port -> dst ip:port)   After PAT (src ip:port -> dst ip:port)
10.0.0.2        10.0.0.2:49090 -> 172.30.0.50:23               192.168.0.15:2000 -> 172.30.0.50:23
10.0.0.3        10.0.0.3:49090 -> 172.30.0.50:23               192.168.0.15:2001 -> 172.30.0.50:23
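The table above is the state a hiding-NAT gateway keeps. The following added example (written for this page; it is not code from the slides or from any vendor's NAT) builds that table and then runs a reply and an unsolicited packet back through it. It reuses the slide's own addresses (10.0.0.2 and 10.0.0.3 hidden behind 192.168.0.15, talking to 172.30.0.50 port 23; note that the slide's "global" address is itself an RFC 1918 private address, whereas in production it would be the gateway's public IP). The port allocation starting at 2000 is an assumption chosen to match the table; port-pool exhaustion and entry timeouts are not handled.

```python
"""Hiding NAT / PAT translator over constructed packets. Added illustration,
not from the original slides or any vendor's NAT implementation; it reuses
the addresses from the PAT table (10.0.0.2 and 10.0.0.3 behind 192.168.0.15,
talking to 172.30.0.50 port 23)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HidingNat:
    """All internal hosts share one global address; the gateway allocates a
    unique translated source port per flow and keeps a reverse map so that
    replies can be rewritten back to the originating host."""

    def __init__(self, global_ip: str, first_port: int = 2000) -> None:
        self.global_ip = global_ip
        self.next_port = first_port         # assumption: ports handed out sequentially
        self.outbound_map = {}  # (src, sport, dst, dport) -> translated sport
        self.inbound_map = {}   # (translated sport, dst, dport) -> (src, sport)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound_map:
            tport = self.next_port          # no pool-exhaustion handling here
            self.next_port += 1
            self.outbound_map[key] = tport
            self.inbound_map[(tport, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.global_ip, sport=self.outbound_map[key])

    def inbound(self, p: Packet):
        """A reply arrives addressed to the global IP and a translated port."""
        if p.dst != self.global_ip:
            return None
        entry = self.inbound_map.get((p.dport, p.src, p.sport))
        if entry is None:
            return None  # no matching state: unsolicited packet, dropped
        src, sport = entry
        return replace(p, dst=src, dport=sport)


def translation_table(nat=None):
    """Sends the two telnet packets from the slide's table through the NAT and
    returns rows of (internal src:port, translated src:port, dst:port)."""
    nat = nat or HidingNat("192.168.0.15")
    rows = []
    for host in ("10.0.0.2", "10.0.0.3"):
        orig = Packet(host, 49090, "172.30.0.50", 23)
        out = nat.outbound(orig)
        rows.append((f"{orig.src}:{orig.sport}", f"{out.src}:{out.sport}",
                     f"{out.dst}:{out.dport}"))
    return rows


def reply_demo():
    """Returns (reply routed back to 10.0.0.3, result for an unsolicited
    packet aimed at an unused translated port)."""
    nat = HidingNat("192.168.0.15")
    translation_table(nat)
    reply = nat.inbound(Packet("172.30.0.50", 23, "192.168.0.15", 2001))
    stray = nat.inbound(Packet("172.30.0.50", 23, "192.168.0.15", 2002))
    return reply, stray


if __name__ == "__main__":
    for row in translation_table():
        print(" -> ".join(row))
    print(reply_demo())
```

Both internal hosts chose source port 49090, and the gateway still keeps them apart by giving each flow its own translated port. The stray packet to port 2002 is returned as None: that is the accidental "firewall" effect of NAT, and also its limit, since anything that matches an open entry is forwarded inside without further inspection.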

Personal Firewalls
Need arises from always-on connections
Your PC is not protected enough by your OS alone
Intrusion detection facilities
Different levels of security
Templates

Firewall Deployment
DMZ
Protect internal network from attack
Most common deployment point
(Diagram: a Corporate Network Gateway between the Internet and the Corporate Site; public servers sit on a separate Demilitarized Zone (DMZ) segment, and a Human Resources network sits inside the corporate site.)
Firewall Deployment
Internal Segment Gateway
Protect sensitive segments (Finance, HR, Product Development)
Provide second layer of defense
Ensure protection against internal attacks and misuse
(Diagram: the Corporate Network Gateway with its DMZ of publicly-accessible servers, plus an Internal Segment Gateway placed in front of the Human Resources network inside the corporate site.)

Firewall Deployment
Server-Based Firewall
Protect individual application servers
Protect files
(Diagram: the Corporate Network Gateway, DMZ and Internal Segment Gateway as before, plus a Server-Based Firewall running on an SAP server inside the corporate site.)
Firewall Deployment
Hardware appliance based firewall
  Single platform, software pre-installed
  Can be used to support small organizations or branch offices with little IT support
Software based firewall
  Flexible platform deployment options
  Can scale as organization grows

Summary
Firewalls are the foundation of an enterprise security policy
Stateful inspection is the leading firewall technology

What is a VPN?
A VPN is a private connection over an open network
A VPN includes authentication and encryption to protect data integrity and confidentiality
(Diagram: Acme Corp Site 1 and Acme Corp Site 2 connected by a VPN tunnel across the Internet.)

Why Use Virtual Private Networks?
More flexibility
  Leverage ISP points of presence
  Use multiple connection types (cable, DSL, T1, T3)
  Most attacks originate within an organization
More scalability
  Add new sites and users quickly
  Scale bandwidth to demand
Lower costs
  Reduced frame relay/leased line costs
  Reduced long distance charges
  Reduced equipment costs (modem banks, CSU/DSUs)
  Reduced technical support

Types of VPNs
Remote Access VPN
  Provides access to the internal corporate network over the Internet
  Reduces long distance, modem bank, and technical support costs
  User authentication with PAP, CHAP, RADIUS
Site-to-Site VPN
  Connects multiple offices over the Internet
  Reduces dependence on frame relay and leased lines
Extranet VPN
  Provides business partners access to critical information (leads, sales tools, etc.)
  Reduces transaction and operational costs
Client/Server VPN
  Protects sensitive internal communications, e.g. between LAN clients and a database server holding sensitive data
(Diagrams: remote users and a branch office reaching the corporate site across the Internet; Partner #1 and Partner #2 reaching the corporate site across the Internet; LAN clients talking to a database server.)

Components of a VPN

Encryption
Key management
Message authentication
Entity authentication

Encryption
(Diagram: traffic from Joe's PC to the HR Server is encrypted; all other traffic, such as Joe's and Mary's PCs to the e-mail server, travels in cleartext.)
Standards when these slides were written: DES and Triple-DES
  Over 20 years in the field
  DES uses a 56-bit key that has been brute-forced in practice since 1998; DES is no longer considered secure, and Triple-DES has since been deprecated by NIST
AES beginning deployment
  New standard (FIPS 197, the Rijndael design selected by NIST in 2001)
  More computationally efficient
  Longer keys (128, 192 or 256 bits) = more secure

Key Management
Public key cryptosystems enable the secure agreement of symmetric session keys across open networks
Re-keying at appropriate intervals limits how much traffic any single key protects
IKE = Internet Key Exchange protocol
  Incorporates ISAKMP (the message framework) and Oakley (Diffie-Hellman based key agreement)

Authentication
IPsec standards focus on authentication of two network devices (gateways or hosts) to each other
  IP address / pre-shared key
  Digital certificates
User authentication is added on top if required
  RADIUS and TACACS+ are the standard protocols for authentication servers
  XAUTH (Extended Authentication, an IKE extension that carries a user login inside the key exchange) was proposed to address user authentication; it was widely implemented but never became an RFC

Point-to-Point Tunneling Protocol (PPTP)
Layer 2 remote access VPN distributed with the Windows product family
Extension of the Point-to-Point Protocol (PPP)
Allows multiple Layer 3 protocols
Uses proprietary authentication and encryption (MS-CHAP and MPPE)
Limited user management and scalability
Known security vulnerabilities: weaknesses in MS-CHAP password hashing and in MPPE's RC4 keying have been published, so PPTP should not be relied on for confidentiality
(Diagram: a remote PPTP client dials into an ISP remote access switch and tunnels across the Internet to a PPTP RAS server on the corporate network.)

Layer 2 Tunneling Protocol (L2TP)
Layer 2 remote access VPN protocol
Combines and extends PPTP and L2F (a Cisco-supported protocol)
Weak authentication (PPP-level PAP/CHAP only) and no encryption of its own
Does not include packet authentication, data integrity, or key management
Must be combined with IPSec (L2TP/IPSec) for enterprise-level security
(Diagram: a remote L2TP client connects through an ISP L2TP concentrator across the Internet to an L2TP server on the corporate network.)

Internet Protocol Security (IPSec)
Layer 3 protocol for remote access, intranet, and extranet VPNs
Internet standard for VPNs
Provides flexible encryption and message authentication/integrity
Includes key management

Components of an IPSec VPN
Encryption: DES, 3DES, and more (AES today)
Message authentication: HMAC-MD5, HMAC-SHA-1, or others
Entity authentication: digital certificates, shared secrets, Hybrid Mode IKE
Key management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
All managed by security associations (SAs)
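To show how key management, entity authentication and message authentication fit together, the following added example (written for this page; it is not Check Point's or any IPsec implementation's code, and not the real IKE wire protocol) runs an IKE-style exchange between two gateways: a Diffie-Hellman agreement over the 1024-bit MODP group, authentication of the exchange with a pre-shared key, and then HMAC-SHA-1 protection of a payload with the derived key. The gateway names, the simplified key-derivation formulas and the payload are assumptions; real IKE derives several keys, adds cookies and SA negotiation, and also encrypts the payload, which this sketch omits.

```python
"""IKE-style key agreement with pre-shared-key authentication, followed by
HMAC message authentication. Added sketch for illustration; it is not the
IKE wire protocol and not any product's implementation."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (IKE "Group 2"), transcribed from RFC 2409 section 6.2;
# verify against the RFC before relying on it. Generator is 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
DH_BYTES = 128


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Gateway:
    """One IPsec endpoint holding a pre-shared key (name and PSK are assumed)."""

    def __init__(self, name: str, psk: bytes) -> None:
        self.name = name.encode()
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1   # x in [1, P-2], never sent
        self.pub = pow(G, self.priv, P)           # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)
        self.key = b""

    def derive(self, peer_pub: int, peer_nonce: bytes, initiator: bool) -> None:
        # Shared secret g^xy; an eavesdropper sees only g^x and g^y.
        shared = pow(peer_pub, self.priv, P).to_bytes(DH_BYTES, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        # Simplified SKEYID: PRF keyed with the PSK over both nonces, then
        # mixed with the DH secret. Without the PSK the key cannot be computed.
        skeyid = _prf(self.psk, ni + nr)
        self.key = _prf(skeyid, shared)

    def auth_tag(self, peer_pub: int) -> bytes:
        """Entity authentication: prove possession of the key (hence the PSK),
        bound to both DH values so a man-in-the-middle cannot swap in its own g^x."""
        data = (self.pub.to_bytes(DH_BYTES, "big")
                + peer_pub.to_bytes(DH_BYTES, "big") + self.name)
        return _prf(self.key, data)

    def check_peer(self, peer_pub: int, peer_name: bytes, tag: bytes) -> bool:
        data = (peer_pub.to_bytes(DH_BYTES, "big")
                + self.pub.to_bytes(DH_BYTES, "big") + peer_name)
        return hmac.compare_digest(tag, _prf(self.key, data))

    def protect(self, payload: bytes) -> bytes:
        """Message authentication: HMAC-SHA-1 over the payload, as the slide's
        component list names it (encryption of the payload is omitted here)."""
        return payload + hmac.new(self.key, payload, hashlib.sha1).digest()

    def verify(self, packet: bytes):
        body, tag = packet[:-20], packet[-20:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        return body if hmac.compare_digest(tag, expected) else None


def handshake(psk_initiator: bytes, psk_responder: bytes):
    """Runs the exchange; returns (initiator, responder, both_authenticated)."""
    init, resp = Gateway("gw-a", psk_initiator), Gateway("gw-b", psk_responder)
    init.derive(resp.pub, resp.nonce, initiator=True)   # msgs 1/2: g^x, g^y, nonces
    resp.derive(init.pub, init.nonce, initiator=False)
    tag_i, tag_r = init.auth_tag(resp.pub), resp.auth_tag(init.pub)  # msgs 3/4
    ok = (resp.check_peer(init.pub, init.name, tag_i)
          and init.check_peer(resp.pub, resp.name, tag_r))
    return init, resp, ok


def integrity_demo():
    """Returns (accepted body, result for a copy with one bit flipped)."""
    init, resp, _ = handshake(b"example-psk", b"example-psk")
    packet = init.protect(b"PAYROLL: approve batch 42")   # constructed payload
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]
    return resp.verify(packet), resp.verify(tampered)


if __name__ == "__main__":
    _, _, ok = handshake(b"example-psk", b"example-psk")
    print("peers authenticated:", ok)
    print(integrity_demo())
```

A passive observer of this exchange sees g^x, g^y, the nonces and the tags, but cannot compute the key without either the DH private values or the pre-shared key; a peer presenting the wrong PSK fails the authenticator check, and a packet altered in transit fails HMAC verification and is discarded rather than repaired. Re-keying, as the slides recommend, is just running handshake() again on a timer or byte count.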

Encryption Explained
Used to convert data to a secret code for transmission over an untrusted network
(Diagram: the clear text "The cow jumped over the moon" passes through the encryption algorithm and comes out as encrypted text, e.g. "4hsd4e3mjvd3sda1d38esdf2w4d".)

Symmetric Encryption
Same key used to encrypt and decrypt the message
Faster than asymmetric encryption
Examples: DES, 3DES, RC5, Rijndael (AES)
(Diagram: both parties hold the same shared secret key.)

Asymmetric Encryption
Different keys used to encrypt and decrypt the message (one public, one private)
Examples: RSA (encryption and digital signatures) and DSA (digital signatures only). SHA-1 and MD5 are hash functions, not asymmetric ciphers; they are used with RSA or DSA to digest a message before it is signed.
(Diagram: Bob encrypts with Alice's public key; Alice decrypts with her private key.)

Secure Virtual Network Architecture
(Diagram: a reference architecture built from VPN-1/FireWall-1 gateways (including a VPN-1/FireWall-1 Nokia Appliance at a remote office and an IPSec-compliant gateway at an extranet partner site), VPN-1 SecuRemote and VPN-1 SecureClient with RSA SecurID for dial-up and broadband remote users, RSA ACE/Server and RSA ACE/Agent, RSA Advanced PKI, an LDAP directory, StoneBeat FullCluster and StoneBeat Security Cluster, FloodGate-1 QoS, a VPN-1 Accelerator Card, VPN-1 SecureServer on the extranet application server, ConnectControl server load balancing for the web server pool, Trend InterScan / WebManager / eManager content security, ISS RealSecure intrusion detection, and an Enterprise Management Console providing policy-based management, reporting, account management and the Open Security Extension.)

Thank You!
