  • Firewall Categorization Methods: Firewalls can be categorized by processing mode, development era, or intended structure.
  • First generation firewalls are static packet filtering firewalls; they filter packets according to their headers as the packets travel to and from the organization's networks. Second generation firewalls are application-level firewalls or proxy servers: dedicated systems that are separate from the filtering router and that provide intermediate services for requestors. Third generation firewalls are stateful inspection firewalls, which monitor network connections between internal and external systems using state tables. Fourth generation firewalls are dynamic packet filtering firewalls, which allow only a particular packet with a particular source, destination, and port address to enter. Fifth generation firewalls are kernel proxies, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.
  • There are a number of popular symmetric encryption cryptosystems. One of the most familiar is the Data Encryption Standard (DES), developed in 1977 by IBM and based on the Data Encryption Algorithm (DEA). DEA uses a 64-bit block size and a 56-bit key. The algorithm begins by adding parity bits to the key (resulting in 64 bits) and then applies the key in 16 rounds of XOR, substitution, and transposition operations. With a 56-bit key, the algorithm has 2^56 possible keys to choose from (over 72 quadrillion). DES is a federally approved standard for nonclassified data. DES was cracked in 1997 when Rivest-Shamir-Adleman (RSA) put a bounty on the algorithm. RSA offered a $10,000 reward for the first person or team to crack the algorithm. Fourteen thousand users collaborated over the Internet to finally break the encryption.
  • Asymmetric Encryption: Another category of encryption techniques is asymmetric encryption, also known as public key encryption. Whereas symmetric encryption systems are based on a single key to both encrypt and decrypt a message, asymmetric encryption uses two different keys. Either key can be used to encrypt or decrypt the message; however, if Key A is used to encrypt the message, only Key B can decrypt it, and if Key B is used to encrypt a message, only Key A can decrypt it. The public key is stored in a public location, where anyone can use it. The private key, as its name suggests, is a secret known only to the owner of the key pair. The problem with asymmetric encryption is that it requires four keys to hold a single conversation between two parties. Asymmetric encryption is not as efficient as symmetric encryption in terms of CPU computations. As a result, the hybrid system described in the section on Public Key Infrastructure is more commonly used instead of a pure asymmetric system.
  • Security

    1. Firewall Categorization Methods
       • Firewalls can be categorized by processing mode, development era, or intended structure
       • Five processing modes that firewalls can be categorized by are:
         • Packet filtering
         • Application gateways
         • Circuit gateways
         • MAC layer firewalls
         • Hybrids
    4. Firewalls Categorized by Development Generation
       • First generation: static packet filtering firewalls
       • Second generation: application-level firewalls or proxy servers
       • Third generation: stateful inspection firewalls
       • Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination and port addresses to enter
       • Fifth generation: kernel proxies; specialized form working under kernel of Windows NT
    6. Packet Filters
       • Either block or allow transmission of packets of information based on criteria such as port, IP address, and protocol
       • Review the header, strip it off, and replace it with a new header before sending it to a specific location within the network
       • Fundamental components of firewalls
    7. Viewing Header Contents
    8. The Use of Rules
    9. The Use of Rules
    11. Stateful Packet Filtering
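The packet filter and stateful inspection slides above, as an added example that is not from the deck: a static rule table evaluated on header fields only, beside a stateful filter that keeps a state table of connections opened from inside so the matching replies are admitted without a permanent inbound rule. All addresses, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

# Constructed rule table, checked top to bottom on header fields; first match wins, default block.
INTERNAL = ip_network("192.168.1.0/24")
RULES = [  # (direction, proto, dst_net, dst_port, action)
    ("out", "tcp", ip_network("0.0.0.0/0"), 80, "allow"),
    ("out", "tcp", ip_network("0.0.0.0/0"), 443, "allow"),
    ("in", "tcp", INTERNAL, 22, "block"),
]

def direction(pkt):
    return "out" if ip_address(pkt.src) in INTERNAL else "in"

def static_decision(pkt):
    """Static packet filter: header criteria only, no memory of past packets."""
    for d, proto, net, port, action in RULES:
        if (d == direction(pkt) and proto == pkt.proto
                and ip_address(pkt.dst) in net and port == pkt.dport):
            return action
    return "block"

class StatefulFilter:
    """Stateful inspection: a state table of connections opened from inside."""
    def __init__(self):
        self.state = set()  # 5-tuples of flows allowed out
    def decide(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.state:  # reply to a connection we opened: admit it
            return "allow"
        verdict = static_decision(pkt)
        if verdict == "allow" and direction(pkt) == "out":
            self.state.add(flow)  # remember it so the replies get through
        return verdict

def demo():
    fw = StatefulFilter()
    out = Packet("192.168.1.10", 31789, "203.0.113.5", 443, "tcp")
    reply = Packet("203.0.113.5", 443, "192.168.1.10", 31789, "tcp")
    stray = Packet("198.51.100.7", 443, "192.168.1.10", 40000, "tcp")
    return fw.decide(out), fw.decide(reply), fw.decide(stray), static_decision(reply)
```

The last value shows the static filter blocking the very reply the stateful filter admits, because no rule names the client's ephemeral port.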
    12. Dual-Homed Host Proxy Server Configuration
    14. Figure 8-3 Symmetric Encryption Example
    15. Cryptographic Algorithms
       • Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems
         • 64-bit block size; 56-bit key
         • Adopted by NIST in 1976 as federal standard for encrypting non-classified information
       • Triple DES (3DES): created to provide security far beyond DES
       • Advanced Encryption Standard (AES): developed to replace both DES and 3DES
    16. Cryptographic Algorithms
       • Asymmetric Encryption (public key encryption)
         • Uses two different but related keys; either key can encrypt or decrypt message
         • If Key A encrypts message, only Key B can decrypt
         • Highest value when one key serves as private key and the other serves as public key
    17. Figure 8-4 Using Public Keys
    19. A Public Key Generated by PGP
    20. Network Address Translation (NAT)
       • Used, by most firewalls, to shield a private network from outside interference
         • Translates between private addresses inside a network and public addresses outside the network
         • Done transparently (unnoticed by external computers)
         • Internal IP addresses remain hidden
       • Performed by NAT proxy servers
         • Uses an address table to do translations
         • Ex: a computer inside accesses a computer outside
           • Change source IP address to its own address
           • Change source port number to a unique number
             • Used as an index to the original source IP address
           • Performs reverse operations for response packets
    21. Network Address Translation (NAT) [diagram: outbound packet from the Client (From, Port 31789) passes the NAT Firewall and leaves toward the Internet Server Host as From, Port 13472; the Translation Table maps Internal IP Addr/Port 31789 to External IP Addr/Port 13472 (steps 1, 2)]
    22. Network Address Translation (NAT) [diagram: the reply (To, Port 13472) reaches the NAT Firewall, which looks up the Translation Table and delivers it to the Client as To, Port 31789 (steps 3, 4)]
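The NAT slides above, as an added example that is not from the deck: a translation table in miniature, using the slide's port numbers 31789 and 13472 with constructed addresses. It shows the outbound rewrite (the firewall's own address plus a unique external port that indexes the original source), the reverse lookup on the reply, and two internal hosts that happen to share a source port receiving distinct external ports.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatFirewall:
    """Translation table in miniature: internal (ip, port) <-> external port."""
    def __init__(self, public_ip, first_port=13472):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # external port -> (internal ip, internal port)
        self.index = {}    # (internal ip, internal port) -> external port

    def outbound(self, pkt):
        """Rewrite a packet leaving the network (steps 1 and 2 on the slide)."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.index:         # first packet of this flow: add an entry
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.index[key] = port
        # Source becomes the firewall's own address and a unique external port,
        # so the internal address never appears on the outside.
        return replace(pkt, src_ip=self.public_ip, src_port=self.index[key])

    def inbound(self, pkt):
        """Reverse the translation for a reply (steps 3 and 4); None = drop."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.table:
            return None                   # no table entry: nothing inside asked for it
        ip, port = self.table[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)

def demo():
    nat = NatFirewall("203.0.113.1")          # constructed public address
    client = Packet("192.168.1.10", 31789, "198.51.100.20", 80)
    sent = nat.outbound(client)               # what the Internet server sees
    again = nat.outbound(client)              # same flow reuses its entry
    other = nat.outbound(Packet("192.168.1.11", 31789, "198.51.100.20", 80))
    reply = Packet("198.51.100.20", 80, "203.0.113.1", sent.src_port)
    delivered = nat.inbound(reply)            # back to the original client
    stray = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", 50000))
    return sent, again, other, delivered, stray
```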
    23. Tunneling Protocols Used with VPNs
       • IPSec
       • PPTP (Point-to-Point Tunneling Protocol)
       • L2TP (Layer 2 Tunneling Protocol)
       • PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
    24. IPSec
       • IPSec provides:
         • Encryption of the data part of packets
         • Authentication
         • Encapsulation between two VPN hosts
         • Two security methods (AH and ESP)
         • Capability to work in two modes (transport and tunnel)
    25. PPTP
       • Developed by Microsoft for granting VPN access to remote users over dial-up connections
       • Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
       • Useful if support for older clients is needed
       • Compatible with Network Address Translation (NAT)
       • Replaced by L2TP
    26. L2TP
       • Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server
       • Uses IPSec to encrypt data
       • Incompatible with NAT but provides a higher level of encryption and authentication
    27. PPP Over SSL
       • UNIX based method for creating VPNs
       • Both combine existing tunnel system (PPP) with a way of encrypting data in transport (SSL)
         • SSL
           • Public key encryption system used to provide secure communications over the Web
    29. Detecting Unauthorized Access
       • Intrusion Detection Systems (IDSs):
         • Network-based IDSs
           • Install IDS sensors on network circuits and monitor packets
           • Reports intrusions to IDS Management Console
         • Host-based IDSs
           • Monitor all activity on the server as well as incoming server traffic
         • Application-based IDSs
           • Special form of host-based IDSs
           • Monitor just one application, such as a Web server
    30. Techniques Used by IDSs
       • Misuse detection
         • Compares monitored activities with signatures of known attacks
         • If an attack is recognized the IDS issues an alert and discards the packet
         • Challenge: keep database current
       • Anomaly detection
         • Operates in stable computing environments
         • Looks for major deviations from the “normal” parameters of network operation
           • e.g., a large number of failed logins
         • When detected, an alert is issued, packets discarded
         • Problem: false alarms (valid traffic different from normal)
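The two IDS techniques on the slide above, as an added example that is not from the deck: misuse detection matching constructed signatures against log lines, and anomaly detection counting failed logins per source against a "normal" baseline. The log lines, signatures and baseline are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log lines: "<source ip> <event> <details...>".
LOG = """\
203.0.113.7 GET /index.html 200
203.0.113.7 GET /../../etc/passwd 403
198.51.100.3 LOGIN alice FAIL
198.51.100.3 LOGIN alice FAIL
198.51.100.3 LOGIN alice FAIL
198.51.100.3 LOGIN alice FAIL
198.51.100.3 LOGIN alice FAIL
192.168.1.20 LOGIN bob OK
192.168.1.20 GET /search?q=1%20union%20select 200
""".splitlines()

# Misuse detection: signatures of known attack patterns (constructed, minimal).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
}

def misuse_detection(lines):
    """Alert on any line matching a known signature; URL-decode first so an
    encoded variant does not slip past (one reason the database needs upkeep)."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(unquote(line)):
                alerts.append((name, line.split()[0]))
    return alerts

def anomaly_detection(lines, baseline=3):
    """Alert on sources whose failed logins exceed the 'normal' baseline.
    Nothing here knows what an attack looks like, only what normal looks like,
    which is why the threshold choice drives the false-alarm rate."""
    failures = Counter(
        fields[0] for fields in (line.split() for line in lines)
        if len(fields) == 4 and fields[1] == "LOGIN" and fields[3] == "FAIL"
    )
    return [(src, n) for src, n in failures.items() if n > baseline]
```

Raising `baseline` to 5 makes the same five failures disappear from the anomaly alerts, which is the slide's false-alarm trade-off seen from the other side.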
    31. Use of IDSs with Firewalls