Firewall presentation
Slide 1: A Presentation On
Submitted To :-
Presented By :-
2/4/2013 Firewall 1
Slide 2: Outline
1. Definition of Firewall
2. Need of Firewall
3. Firewall Design Principles
4. Firewall Characteristics
5. What a Firewall Can Do?
6. What a Firewall Can't Do?
7. Architecture of Firewall
8. Types Of Firewall
9. Implementation of Firewall
10. Deployment of Firewall
11. Report & Conclusion
Slide 3: Definition
• Here is how Bob Shirey defines it in RFC 2828.
• An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)
Slide 4: Rules Determine WHO? WHEN? WHAT? HOW?
[Diagram: INTERNET - Firewall - Secure Private Network - My PC]
Slide 5: What is a Firewall?
A firewall:
◦ Acts as a security gateway between two networks
  • Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
◦ Tracks and controls network communications
  • Decides whether to pass, reject, encrypt, or log communications (Access Control)
[Diagram: Corporate Site - firewall - Internet, labelled "Allow Traffic to Internet"]
Slide 6: Firewalls History
• First generation - packet filters
  ◦ The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls.
• Second generation - circuit level
  ◦ From 1980-1990 two colleagues from AT&T Company developed the second generation of firewalls, known as circuit level firewalls.
• Third generation - application layer
  ◦ Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T Laboratories described a third generation firewall, also known as proxy based firewalls.
• Subsequent generations
  ◦ In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system.
  ◦ In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.
  ◦ Cisco, one of the largest internet security companies in the world, released their PIX "Private Internet Exchange" product to the public in 1997.
Slide 7
• Theft or disclosure of internal data
• Unauthorized access to internal hosts
• Interception or alteration of data
• Vandalism & denial of service
• Wasted employee time
• Bad publicity, public embarrassment, and lawsuits
Slide 8: The Nature of Today's Attackers
Who are these "hackers" who are trying to break into your computer? Most people imagine someone at a keyboard late at night, guessing passwords to steal confidential data from a computer system. This type of attack does happen, but it makes up a very small portion of the total network attacks that occur. Today, worms and viruses initiate the vast majority of attacks. Worms and viruses generally find their targets randomly. As a result, even organizations with little or no confidential information need firewalls to protect their networks from these automated attackers.
Slide 9: Firewall Design Principles
1. Information systems undergo a steady evolution (from small LANs to Internet connectivity)
2. Strong security features for all workstations and servers are not established
3. The firewall is inserted between the premises network and the Internet
4. Aims:
   1. Establish a controlled link
   2. Protect the premises network from Internet-based attacks
   3. Provide a single choke point
Slide 10: Firewall Characteristics
Design goals:
1. All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
2. Only authorized traffic (defined by the local security policy) will be allowed to pass
3. The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
Slide 11: Firewall Characteristics
Four general techniques:
1. Service control
   • Determines the types of Internet services that can be accessed, inbound or outbound
2. Direction control
   • Determines the direction in which particular service requests are allowed to flow
3. User control
   • Controls access to a service according to which user is attempting to access it
4. Behavior control
   • Controls how particular services are used (e.g. filter e-mail)
Slide 12: What Firewalls Can Do
• Positive Effects
• Negative Effects
Slide 13: What Firewalls Do (Positive Effects)
• User authentication. Firewalls can be configured to require user authentication. This allows network administrators to control and track specific user activity.
• Auditing and logging. By configuring a firewall to log and audit activity, information may be kept and analyzed at a later date.
Slide 14: What Firewalls Do (Positive Effects)
• Anti-Spoofing - Detecting when the source of the network traffic is being "spoofed", i.e., when an individual attempting to access a blocked service alters the source address in the message so that the traffic is allowed.
• Network Address Translation (NAT) - Changing the network addresses of devices on any side of the firewall to hide their true addresses from devices on other sides. There are two ways NAT is performed:
  ◦ One-to-One - where each true address is translated to a unique translated address.
  ◦ Many-to-One - where all true addresses are translated to a single address, usually that of the firewall.
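As an added example (not from the slides), a many-to-one NAT table in Python: every inside address is rewritten to the firewall's single public address on the way out, and only replies that match an existing mapping are translated back in, so outside hosts never see the true inside addresses. The addresses and port range are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed public address of the firewall (not from the slides).
FIREWALL_PUBLIC_IP = "198.51.100.1"


@dataclass
class Conn:
    """The address/port 4-tuple of one packet."""
    src: str
    sport: int
    dst: str
    dport: int


class ManyToOneNat:
    """Many-to-one NAT: all inside hosts share one public address.

    Each outbound (inside src, sport, dst, dport) gets its own translated
    source port so that replies can be routed back to the right inside host.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside src, sport, dst, dport) -> translated source port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (translated port, remote host, remote port) -> (inside src, sport)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, c: Conn) -> Conn:
        """Rewrite the source of an inside-to-outside packet to the public address."""
        key = (c.src, c.sport, c.dst, c.dport)
        port = self.outbound.get(key)
        if port is None:
            # New connection: allocate the next free translated port and record it.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, c.dst, c.dport)] = (c.src, c.sport)
        return Conn(self.public_ip, port, c.dst, c.dport)

    def translate_inbound(self, c: Conn) -> Optional[Conn]:
        """Map a reply back to the inside host, or None (drop) when no mapping exists.

        Unsolicited inbound packets never match a mapping, which is what hides
        the inside hosts from the outside.
        """
        if c.dst != self.public_ip:
            return None
        entry = self.inbound.get((c.dport, c.src, c.sport))
        if entry is None:
            return None
        inside_src, inside_port = entry
        return Conn(c.src, c.sport, inside_src, inside_port)
```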
Slide 15: What Firewalls Do (Positive Effects)
• Virtual Private Networks. VPNs are communications sessions traversing public networks that have been made virtually private through the use of encryption technology. VPN sessions are defined by creating a firewall rule that requires encryption for any session that meets specific criteria.
Slide 16: What Firewalls Do (Negative Effects)
Although firewall solutions provide many benefits, negative effects may also be experienced.
◦ Traffic bottlenecks. By forcing all network traffic to pass through the firewall, there is a greater chance that the network will become congested.
◦ Single point of failure. In most configurations where firewalls are the only link between networks, if they are not configured correctly or are unavailable, no traffic will be allowed through.
◦ Increased management responsibilities. A firewall often adds to network management responsibilities and makes network troubleshooting more complex.
Slide 17: What a Firewall Can't Do
• Do Firewalls Prevent Viruses and Trojans? NO!! A firewall can only prevent a virus or Trojan from accessing the internet while it is on your machine.
• 95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program.
• Firewalls can't prevent this; only a good anti-virus software program can. However, once installed on your PC, many viruses and Trojans "call home" over the internet to the hacker that designed them.
• This lets the hacker activate the Trojan, and he/she can now use your PC for his/her own purposes.
• A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system.
Slide 18: Firewall Architectures
• Screening Router
• Simple Firewall
• Multi-Legged Firewall
• Firewall Sandwich
• Layered Security Architecture
Slide 19: Screening Router
[Diagram: Internet/Untrusted Network - Screening Router (routes or blocks packets, as determined by security policy) - Internal Trusted Network (Desktop, Mainframe, Database Server)]

Slide 20: Simple Firewall
[Diagram: Internet/Untrusted Network - Screening Router (routes or blocks packets, as determined by security policy) - Firewall (then handles traffic additionally to maintain more security) - Internal Trusted Network (Desktop, Mainframe, Database Server; web, smtp)]

Slide 21: Multi-Legged Firewall
[Diagram: Internet/Untrusted Network - Screening Router (routes or blocks packets, as determined by security policy) - Firewall (then handles traffic additionally to maintain more security). A third leg forms the DMZ, a Semi-Trusted Network (Web Server, SMTP Server) that now offers a secure sandbox to handle untrusted connections to internet services. Internal Trusted Network (Desktop, Mainframe, Database Server)]

Slide 22: Firewall Sandwich
[Diagram: Internet/Untrusted Network - Screening Router (routes or blocks packets, as determined by security policy) - Outside Firewall (then handles traffic additionally to maintain more security) - DMZ, a Semi-Trusted Network (Web Server, SMTP Server) that now offers a secure network to handle untrusted connections to internet services - Inside Firewall - Internal Trusted Network (Desktop, Mainframe, Database, App Server). Separation of security policy controls between inside and outside firewalls.]

Slide 23: Layered Firewall
[Diagram: Internet/Untrusted Network - Inside Firewall (routes or blocks packets, as determined by security policy, then handles traffic additionally to maintain more security) - DMZ, a semi-trusted network that now offers a secure network to handle untrusted connections to internet services - Inside Firewall - internal networks (Mainframe Network, User Network, HR Network, Development Network), each behind its own Internal Firewall. Separation of security policy controls between networks within your trusted network as well as your DMZ, semi-trusted and untrusted networks. "Fences keep honest people honest!"]
Slide 24: Types of Firewalls
Common types of Firewalls:
1. Packet-filtering routers
2. Application-level gateways
3. Circuit-level gateways
4. Bastion host
5. Distributed Firewall System
6. Virtual Private Network (VPN)
Slide 25: Packet-filtering Router
◦ Applies a set of rules to each incoming IP packet and then forwards or discards the packet
◦ Filters packets going in both directions
◦ The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
◦ Two default policies (discard or forward)
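As an added example (not from the slides), a small packet-filtering router in Python that walks an ordered rule list matched against IP/TCP header fields (interface, addresses, protocol, destination port, ACK flag) in both directions, applies the first matching rule, and falls back to a configurable default policy; the first rule is the anti-spoofing check from the Positive Effects slide. The interface names, addresses and rule set are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (constructed, not a real parser)."""
    iface: str                 # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    ack: bool = False          # TCP ACK set: segment belongs to an existing connection


@dataclass(frozen=True)
class Rule:
    """One rule; a field left as None matches anything."""
    action: str                 # "forward" or "discard"
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR network
    dst: Optional[str] = None   # CIDR network
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


INTERNAL_NET = "10.0.0.0/8"   # constructed trusted network behind the filter

RULES: List[Rule] = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("discard", iface="ext", src=INTERNAL_NET),
    # Service + direction control: outsiders may open TCP/80 only to the public web server.
    Rule("forward", iface="ext", dst="10.1.1.80/32", proto="tcp", dport=80),
    # Replies to connections opened from inside carry ACK; let them back in.
    Rule("forward", iface="ext", proto="tcp", ack=True),
    # Outbound: inside hosts may browse the web and send mail.
    Rule("forward", iface="int", src=INTERNAL_NET, proto="tcp", dport=80),
    Rule("forward", iface="int", src=INTERNAL_NET, proto="tcp", dport=25),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES, default: str = "discard") -> str:
    """Return the action of the first matching rule, or the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default
```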
Slide 26: Packet Filtering Firewall
[Diagram: Trusted Network - Firewall (rule set) - Untrusted Network; a packet that fails the rule set is blocked or discarded]
Slide 27: Packet Filtering Firewall
A packet filtering firewall is often called a network layer firewall because the filtering is primarily done at the network layer (layer three) or the transport layer (layer four) of the OSI reference model.
Slide 28: Packet Filtering
[Image only]
Slide 29: Packet-filtering Router
Advantages:
◦ Simplicity
◦ Transparency to users
◦ High speed
Disadvantages:
◦ Difficulty of setting up packet filter rules
◦ Lack of authentication
Slide 30: Application-level Gateway
• Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through the proxy.
• Allows more fine grained and sophisticated control than packet filtering. For example, the ftp server may not allow files greater than a set size.
• A mail server is an example application of an application gateway
  ◦ Can't deposit mail in recipient's mail server without passing through sender's mail server
[Diagram: host-to-gateway ftp session - application gateway - gateway-to-remote host ftp session]
Slide 31: Application Gateways/Proxies
[Image only]
Slide 32: Application-level Gateway
• Advantages
  1. Proxy can log all connections, activity in connections
  2. Proxy can provide caching
  3. Proxy can do intelligent filtering based on content
  4. Proxy can perform user-level authentication
• Disadvantages
  1. Not all services have proxied versions
  2. May need different proxy server for each service
  3. Requires modification of client
  4. Performance
Slide 33: Circuit-level Gateway
1. Stand-alone system
2. Specialized function performed by an Application-level Gateway
3. Sets up two TCP connections
4. The gateway typically relays TCP segments from one connection to the other without examining the contents
5. The security function consists of determining which connections will be allowed
6. Typical use is a situation in which the system administrator trusts the internal users
7. An example is the SOCKS package
Slide 34: Circuit Level
[Image only]
Slide 35: Bastion Host
• Highly secure host system
• A system identified by the firewall administrator as a critical strong point in the network's security
• The bastion host serves as a platform for an application-level or circuit-level gateway
• Potentially exposed to "hostile" elements; hence it is secured to withstand this
  ◦ Disable all non-required services; keep it simple
• Trusted to enforce trusted separation between network connections
• Runs circuit / application level gateways
  ◦ Install/modify services you want
• Or provides externally accessible services
Slide 36: Screened Host Architecture
[Image only]
Slide 37: Distributed Firewalls
• A central management node sets the security policy enforced by individual hosts
• Combination of high-level policy specification with file distribution mechanism
• Advantages:
  ◦ Lack of central point of failure
  ◦ Ability to protect machines outside topologically isolated space
  ◦ Great for laptops
• Disadvantage:
  ◦ Harder to allow in certain services, whereas it's easy to block
Slide 38: Distributed Firewalls Drawback
• Allowing in certain services works if and only if you're sure the address can't be spoofed
  ◦ Requires anti-spoofing protection
  ◦ Must maintain ability to roam safely
• Solution: IPsec
  ◦ A machine is trusted if and only if it can perform proper cryptographic authentication
Slide 39: Virtual Private Network (VPN)
• Used to connect two private networks via the internet
  ◦ Provides an encrypted tunnel between the two private networks
  ◦ Usually cheaper than a private leased line but should be studied on an individual basis
  ◦ Once established, and as long as the encryption remains secure, the VPN is impervious to exploitation
  ◦ For large organizations using VPNs to connect geographically diverse sites, always attempt to use the same ISP to get best performance.
• Try to avoid having to go through small Mom-n-Pop ISPs as they will tend to be real bottlenecks
Slide 40: Virtual Private Network (VPN)
[Image only]
Slide 41: Implementations
• Software
  ◦ Devil-Linux
  ◦ Dotdefender
  ◦ ipfirewall
  ◦ PF
  ◦ Symantec ...
• Hardware
  ◦ Cisco PIX
  ◦ DataPower
  ◦ SofaWare Technologies
Slide 42: Firewall Deployment
• Demilitarized Zone (DMZ)
  ◦ Protect internal network from attack
  ◦ Most common deployment point
[Diagram: Internet - Gateway - Corporate Network (Corporate Site, Human Resources Network), with the Public Servers placed in the DMZ off the gateway]
Slide 43: Firewall Deployment
• Internal Segment Gateway
  ◦ Protect sensitive segments (Finance, HR, Product Development)
  ◦ Provide second layer of defense
  ◦ Ensure protection against internal attacks and misuse
[Diagram: Internet - Gateway - Corporate Network; Demilitarized Zone (publicly-accessible servers); an Internal Segment Gateway in front of the Human Resources Network; Corporate Site]
Slide 44: Firewall Deployment
• Server-Based Firewall
  ◦ Protect individual application servers
  ◦ Protect files
[Diagram: Internet - Gateway - Corporate Network with Public Servers in the DMZ; an Internal Segment Gateway in front of the Human Resources Network; a Server-Based Firewall on the SAP Server; Corporate Site]
Slide 45: The "2002 Computer Security Institute / FBI Computer Crime and Security Survey" Reported:
• 90% of survey respondents (primarily larger corporations) detected computer security breaches.
• Respondents reported a wide range of attacks:
  ◦ 44% detected system penetration from the outside
  ◦ 44% detected denial of service attacks
  ◦ 76% detected employee abuse of Internet access privileges
  ◦ 85% detected computer viruses, worms, etc.
• 80% acknowledged financial losses due to computer security breaches
• 44% were willing and/or able to quantify their financial losses (these losses were $455 million). Most serious losses occurred through theft of proprietary information and financial fraud.
• 74% cited their Internet connections as a frequent point of attack and 33% cited their internal systems as a frequent point of attack
• 34% reported intrusions to law enforcement (up from only 16% in 1996)
Slide 46: Future of Firewalls
• Firewalls will continue to advance as the attacks on IT infrastructure become more and more sophisticated
• More and more client and server applications are coming with native support for proxied environments
• Firewalls that scan for viruses as they enter the network: several firms are currently exploring this idea, but it is not yet in wide use
Slide 47: Conclusion
• It is clear that some form of security for private networks connected to the Internet is essential
• A firewall is an important and necessary part of that security, but cannot be expected to perform all the required security functions.