2. Introduction <ul><li>The vastness of the internet, along with the differences among its visitors, creates a most unique melting pot.</li><li>It also contains a great potential for misuse, abuse and criminal activity.</li><li>A number of organizations have been attacked or probed by intruders, resulting in heavy production losses and embarrassment.</li><li>In 1996 the US Department of Defense announced that its computer systems had been attacked 250,000 times in the preceding year, and most of these attacks went undetected.</li><li>The web site of the United States Information Agency was broken into by internet vandals.</li><li>But all is not lost: the firewall still stands as the biggest and best weapon for keeping the evil forces lurking along the miles of the information superhighway at bay.</li></ul>
3. Data Transmission in TCP/IP Networks: <ul><li>The internet is like a railroad, sort of.</li></ul>TCP/IP and the OSI reference model.
4. What Are Firewalls? A firewall is a system (either software or hardware, or both) that enforces an access control policy between two networks.
5. What can firewalls protect against, and what can they not? <ul><li>They can:<ul><li>Firewalls are excellent at enforcing the corporate security policy.</li><li>Firewalls are used to restrict access to specific services.</li><li>Firewalls are singular in purpose.</li><li>Firewalls are excellent auditors.</li><li>Firewalls are very good at alerting appropriate people of events.</li></ul></li><li>They cannot:<ul><li>Firewalls cannot protect against what is authorized.</li><li>Firewalls are only as effective as the rules they are configured to enforce.</li><li>Firewalls cannot stop social engineers or an authorized user intentionally using their access for malicious purposes.</li><li>Firewalls cannot fix poor administrative practices or a poorly designed security policy.</li><li>Firewalls cannot stop attacks in which the traffic does not pass through them.</li></ul></li></ul>
6. Firewall Technology <ul><li>Application level, e.g. proxy servers.</li><li>Network level, e.g. packet filtering.</li><li>Both categories together.</li></ul>
7. Firewall Architectures <ul><li>A firewall primarily functions using one of four fundamental methods:</li><li>Packet filters.</li><li>Application gateways.</li><li>Circuit-level gateways.</li><li>Stateful packet inspection.</li></ul>
8. 1- Packet Filters: A packet is like a letter. TCP/IP packet structure.
9. How packet filtering works: <ul><li>Creating a rule set:</li><li>In order to provide an example of packet filtering we need to create a rule set.</li><li>The rule set contains the following criteria:<ul><li>1- Type of protocol.</li><li>2- Source address.</li><li>3- Destination address.</li><li>4- Source port.</li><li>5- Destination port.</li><li>6- The action the firewall should take when no rule in the set is matched.</li></ul></li></ul>(Example) Network topology for the packet filtering.
10. Sample packet filtering rule set. The flow of the packet filtering example.
11. Advantages and disadvantages: <ul><li>Advantages:<ul><li>It creates little overhead, so the performance of the screening device is less impacted.</li><li>It’s relatively inexpensive or even free.</li><li>It provides good traffic management.</li></ul></li><li>Disadvantages:<ul><li>It allows direct connections to internal hosts from external clients.</li><li>It leaves many holes in the network perimeter, because it can only examine the traffic at the transport layer (TCP or UDP) or at the network layer (ICMP or IP protocol type).</li><li>It’s difficult to manage and scale in complex environments, because in a multilayered security environment all packet filters in both network traffic directions must be synchronized.</li><li>It’s vulnerable to attacks that “spoof” source addresses matching the internal IP addressing scheme, unless it’s specifically configured to prevent this.</li><li>It offers no user authentication.</li></ul></li></ul>
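The rule set of slides 9 and 10 and the spoofing caveat above, as an added example that is not part of the original slides: a first-match packet filter over the six listed criteria, with a default DENY when nothing matches. The "direction" field, the 192.0.2.0/24 internal range and the rules themselves are constructed assumptions, not Acme's or the author's configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: "direction" is an assumption added beyond the slides'
# six criteria so the anti-spoofing rule can tell inbound from outbound
# traffic on a screening router.

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int]  # None for protocols without ports (e.g. icmp)
    dport: Optional[int]
    direction: str        # "in" (arriving from the internet) or "out"

@dataclass
class Rule:
    action: str                   # "ALLOW" or "DENY"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    direction: str = "any"

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction == "any" or self.direction == p.direction))

INTERNAL = "192.0.2.0/24"     # constructed internal address range
WEB_SERVER = "192.0.2.10/32"  # constructed public web server inside it

# Rule order matters: the first matching rule decides. The anti-spoofing
# rule comes first so an external packet that forges an internal source
# address is dropped before any ALLOW rule can apply to it.
RULESET = [
    Rule("DENY", src=INTERNAL, direction="in"),
    Rule("ALLOW", proto="tcp", dst=WEB_SERVER, dport=80, direction="in"),
    Rule("ALLOW", proto="tcp", src=INTERNAL, direction="out"),
]

def filter_packet(p: Packet, rules=RULESET, default="DENY") -> str:
    """Return the action of the first matching rule, else the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default
```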
13. How it works: Overview of application gateway virtual connections (in the diagram, only SSH is allowed through).
14. Advantages and Disadvantages of Application Gateways <ul><li>Advantages:<ul><li>Application level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application level gateway need only scrutinize a few allowable applications. In addition, it’s easy to log and audit all incoming traffic at the application level.</li></ul></li><li>Disadvantages:<ul><li>The prime disadvantage of the application level gateway is the additional processing overhead on each connection. In effect there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.</li></ul></li></ul>
16. Disadvantages (circuit-level gateways): <ul><li>Most circuit-level gateways are configurable on a TCP port basis. This has the disadvantage that the circuit-level gateway may not examine each packet at the application layer. This allows applications to use TCP ports that were opened for other, legitimate applications; several peer-to-peer applications can be configured to run on arbitrary ports, such as TCP 80 and TCP 443 (commonly opened for web browsing). This opens the possibility for misuse and exposes potential vulnerabilities inherent in these applications.</li><li>There are several other disadvantages to using a circuit-level gateway as the sole means of protecting a network. Inbound connections are, in general, not allowed unless the functionality is built into the gateway as a separate application. Some client applications cannot be modified to support SOCKS or proxying, which prevents them from accessing external resources through the gateway.</li></ul>
17. Bastion Host: <ul><li>It is a computer that is the central component in a network security architecture, often the main entrance to the network it is intended to protect.</li><li>It runs proxy software.</li><li>It’s usually the most critical, and therefore the best secured, system in the network.</li><li>Another kind of bastion host is called a victim machine (also called a sacrificial lamb).</li><li>Bastion hosts are used in all arrangements that use a proxy server.</li></ul>
18. 3- Stateful Packet Inspection: How it works: The logic flow of stateful packet inspection.
19. Advantages and Disadvantages of SPI: <ul><li>Advantages:<ul><li>The connection table greatly reduces the chance that a packet can be spoofed to appear as if it were part of an existing connection.</li><li>The ability to look into the data of certain packet types.</li></ul></li><li>Disadvantages:<ul><li>It does not protect the internal hosts to the same degree as an application layer firewall.</li><li>It does not act as a proxy or set up a separate connection on behalf of the source.</li></ul></li></ul>
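The connection table of slides 18 and 19, as an added example that is not from the original slides: a minimal stateful inspector in which only outbound TCP SYNs from the inside create table entries, and an inbound packet is allowed only when it answers a connection already in the table. The flag strings, the two-state handshake tracking and the addresses are constructed simplifications of my own, not a description of any product.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed example. Key = (src, dst, sport, dport) of the packet that
# opened the connection; inbound replies are looked up by the reversed key.
Key = Tuple[str, str, int, int]

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # simplified TCP flags: "S" (SYN), "SA" (SYN-ACK), "A", "F"
    direction: str  # "out" (from the internal network) or "in"

@dataclass
class StatefulFirewall:
    table: Dict[Key, str] = field(default_factory=dict)  # key -> state

    def inspect(self, p: Packet) -> str:
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if p.direction == "out":
            if p.flags == "S" and key not in self.table:
                self.table[key] = "SYN_SENT"   # inside opens a new connection
                return "ALLOW"
            if key in self.table or reverse in self.table:
                if "F" in p.flags:
                    self.table.pop(key, None)  # inside closes the connection
                return "ALLOW"
            return "DENY"
        # Inbound: permitted only as the answer to a connection we opened.
        if reverse in self.table:
            if self.table[reverse] == "SYN_SENT":
                if p.flags != "SA":
                    return "DENY"              # handshake not yet completed
                self.table[reverse] = "ESTABLISHED"
            return "ALLOW"
        # A stateless filter that trusts the ACK bit would pass an inbound
        # packet with only "A" set; without a table entry it is rejected here.
        return "DENY"
```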
20. Firewall Configurations 1- Screened Network (Packet Filtering Only): A simple firewall that uses a screening router.
21. 2- Dual-Homed Gateway: A dual-homed host has two IP addresses.
22. 3- Screened Host: The screened-host configuration.
23. Benefits &amp; Disadvantages: <ul><li>Benefits:<ul><li>More flexible than a dual-homed gateway firewall.</li><li>The rules for the packet filter can be less complex than for a screened network configuration, because most or all of the traffic will be directed to the application gateway.</li><li>If either component fails in an “open” condition, so that it no longer blocks anything, the other component still affords some measure of protection.</li></ul></li><li>Disadvantages:<ul><li>The two components of the firewall need to be configured carefully to work together correctly.</li><li>The flexibility of the system can lead to the temptation to take shortcuts that can subvert security.</li></ul></li></ul>
24. 4- Screened Subnet: The screened-subnet configuration, with a demilitarized zone (DMZ).
25. Benefits &amp; Disadvantages: <ul><li>Benefits:<ul><li>The chief benefit is another layer of protection.</li><li>To gain access to the protected network, an attacker would have to go through two routers and the application gateway: not impossible, but more difficult than with a screened-host firewall.</li></ul></li><li>Disadvantages:<ul><li>It’s the most expensive configuration (of those described here).</li><li>With three machines, including two routers with their rule tables, configuration of the overall system can become quite complicated.</li></ul></li></ul>
26. Other Firewall Configurations: <ul><li>You can come up with variations of the configurations described here to suit your security policy.</li><li>You might want to use more bastion hosts to separate traffic for different services.</li><li>You could add more layers of screened subnets to deal with traffic to and from networks with varying degrees of trustworthiness.</li></ul>
27. The point: <ul><li>There are no hard and fast rules for how a firewall should be set up. Just remember a couple of guidelines:</li><li>Avoid the temptation to take shortcuts around more burdensome aspects of the security policy. Effective security sometimes means inconvenience.</li><li>Keep it as simple as possible. More is not necessarily better, especially if adding more elements to your firewall makes it impossibly complex to set up and administer, or so difficult to use that users resort to unauthorized shortcuts.</li></ul>
28. Practical Firewall Implementation: Acme’s organizational chart shows a simple management structure with functions consolidated in three main departments: production, sales/marketing, and finance.
29. Security Issue: Defining the internet connection: <ul><li>Solutions:</li><li>The system could be created so that no information flows out of Acme via the channel.</li><li>Other data that the Web provider might need for the home page, such as announcements of new products, updates on product availability, special promotions, and so on, could likewise be transferred via some secure method (e.g. a one-way email service on the company’s intranet), such that no files need to be transferred via the internet for this service.</li><li>Information about Acme’s products.</li><li>Web users will have the ability to send email messages to any of Acme’s regional sales offices, generating a call back from the appropriate salesperson.</li></ul>
30. Security Issue: Determining Who Needs Access: <ul><li>Solutions:</li></ul>This table shows where various information inside Acme is created and how it’s shared.
31. Security Issue: Identifying Weak Spots in Information Flow: <ul><li>Limiting access to servers with remote (that is, dial-up) access capabilities.</li><li>Securing sensitive design data.</li><li>Preventing employees who should not have access to certain information from getting that information.</li></ul>The beginnings of the Acme intranet, with a server for each department.
32. Security Issue: Managing Remote Access: <ul><li>First, sales reps take the orders from the customers and input the information into computer order forms on their notebook computers.</li><li>They compile the orders into single data files for transfer to the regional sales office.</li><li>Next, sales representatives begin the process of uploading the sales onto the company’s FTP order sites, located at each of the regional sales offices.</li><li>This is accomplished by using communications software on the notebook computer to dial into the regional office’s “modem center” via a cellular phone built into the notebook computer.</li><li>Anywhere an organization uses a standard telephone line for remote access, a danger exists that the number, and thus the line, may be attacked by a hacker.</li></ul>
33. Solutions: <ul><li>Acme decides to use a two-stage firewall at this point in its system.</li><li>Acme decides to use the Modem Security Enforcer, which requires users to call in and pass a two-step password test, then hangs up and calls the user back at a pre-established telephone number.</li><li>After the salesperson successfully passes through the modem security, the salesperson encounters the second firewall, located on the Sales/Marketing Web server.</li><li>Acme uses a proxy server such as Borderware Firewall Server, which accepts the data from the salesperson's notebook-generated order file and passes it through to the FTP site on the intranet.</li><li>Any data that comes back to the notebook during this process is protected by means of Network Address Translation (also provided by Borderware's Firewall Server), which changes the actual internal addressing on information sent out to the remote computer.</li></ul>Here is the Sales/Marketing part of the Acme intranet with the firewalls added.
34. <ul><li>A process similar to that described here is used for transferring the data from the three sales offices to the main office.</li><li>That is, the sales orders are combined into a single, larger-format order and transferred to the various offices and the appropriate shipping points.</li><li>Here, however, no public telephone lines are used. Rather, dedicated "T1" telephone lines are used to move the data from the sales offices to the shipping point and main office internal FTP sites, respectively.</li></ul>This diagram shows a typical sales order as it travels from the point of sale to the production and shipping facilities.
35. Security Issue: Managing Remote Access: <ul><li>The regional (and central) sales offices must make available to the sales force the latest information concerning changes to product lines, pricing information, shipping delays, and so on. As with previous tasks, Acme is not only concerned that this information be made available but also that the process of making it available be as secure as possible.</li><li>Also, as noted previously in the table, all offices (sales, marketing, and finance) must be able to access production figures and shipping times from the main production facility.</li></ul>Solutions: <ul><li>These tasks can be accomplished using a secure e-mail system. Thus, the Acme intranet design team decides that, due to the need to pass queries and other short messages among various employees, the primary intranet system will be supplemented with a dedicated mail server system to handle only internal e-mail.</li></ul>
36. Security Issue: Managing Internal Access to Sensitive Information <ul><li>Acme's Finance Department presents some unique challenges in that all of the other departments must have access to some of the data (for example, budgeting information) but should not be allowed access to other data (for example, the president's expense account) in that department.</li></ul>
37. Solutions: Acme's Secure Server Net approach to controlling data in the Finance Department (one such product is Borderware’s Secure Server Net system): a tri-homed gateway.
38. Additional Security Needs: <ul><li>A similar approach could be used in any department that has both information that should be available company-wide and data that should be used within that department only.</li><li>In addition to the firewall placement matters mentioned here, Acme will also employ other, more traditional computer security measures. For example, all users will have unique user names and passwords, providing an additional level of security inside the firewalls. These passwords will have relatively short expiration dates and will be changed approximately every 60 days.</li></ul>
39. Security Issue: Virus Detection &amp; Removal <ul><li>Virus detection and removal software will be used on all Acme computers (desktops and notebooks).</li></ul>Acme's Future: <ul><li>Acme will begin to automate the flow of essential data around the company. At the same time, the company will ensure with each new phase of automation that sensitive and proprietary information is protected and, as important, that the company's intranet is guarded from outside attacks by unscrupulous hackers.</li></ul>
40. The completed Acme intranet, including the firewalls described in the chapter.