7. EC-Council
Firewall
Transmission Control Protocol/Internet Protocol (TCP/IP) 4-layer model:
• Application: prepares messages from users, sends and receives data for particular applications. Example: HTTP
• Transport: converts messages to packets, provides services for transporting application layer data between networks. Example: TCP
• Network/Internet: converts packets to datagrams, network routing. Example: IPv4, IPv6
• Physical: transmission as bits, uses physical network components to send data through the network
At the
• Sending end: data is passed from the Application layer down to the layers below; each layer adds extra information
• Receiving end: data is passed upwards from the Physical layer
10. EC-Council
Simple packet filter
Packet filtering operates at the network layer.
A simple packet filter examines each packet on its own:
• Packets belonging to the same connection are still examined separately.
• Whether to forward each packet is decided independently.
It inspects the packet header information, including:
• IP header fields (source or destination IP addresses)
• The protocol (UDP, TCP or ICMP)
• TCP/UDP port numbers (source or destination port numbers)
• Direction the packet is travelling (in/out of the internal network)
• ICMP message type
• TCP SYN and ACK bits
11. EC-Council
Simple packet filter
Routers and L3 switches perform this role.
They build a rule table, for example (in Cisco ASA access-list syntax):
access-list outside1 extended permit tcp any 202.21.96.208 255.255.255.240 eq https
The rule table is called an access control list:
• Each rule consists of conditions and an action
• For each packet, the first matching rule is found
• Two possible actions: allow or block
• Ingress filtering: filtering inbound traffic
• Egress filtering: filtering outbound traffic
12. EC-Council
Simple packet filter
Policy / firewall setting:
• Setting: block inbound TCP packets with ACK=0. This prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
• Policy: no outside Web access. Setting: drop all outgoing packets to any IP address, port 80.
• Policy: no incoming TCP connections, except those for the institution's public Web server only. Setting: drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
• Policy: prevent your network from being used for a smurf DoS attack. Setting: drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).
• Policy: prevent your network from being tracerouted. Setting: drop all outgoing ICMP TTL expired traffic.
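As an added example (not part of the EC-Council slides), the policy table above encoded as a stateless, first-match rule table over constructed header fields; the web-server exception is deliberately placed above the ACK=0 block, because with first-match evaluation a later allow rule would be shadowed and never reached. Packet fields and sample addresses are assumptions for illustration; the filter addresses are the slide's own.

```python
from dataclasses import dataclass
from typing import Callable, Optional

WEB_SERVER = "130.207.244.203"   # institution's public web server (from the slide)
BROADCAST = "130.207.255.255"    # broadcast address used in the smurf rule (from the slide)
ICMP_TIME_EXCEEDED = 11          # the "TTL expired" message that traceroute relies on

@dataclass
class Packet:
    """Header fields a stateless filter looks at (constructed, not captured)."""
    direction: str               # "in" = entering the internal network, "out" = leaving it
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                  # "allow" or "block"

# Evaluated top to bottom, first match decides; the web-server exception must precede the ACK=0 block.
RULES = [
    Rule("allow connections to the institution's public web server",
         lambda p: p.direction == "in" and p.proto == "tcp"
         and p.dst == WEB_SERVER and p.dport == 80, "allow"),
    Rule("block inbound TCP with ACK=0 (also drops inbound SYN)",
         lambda p: p.direction == "in" and p.proto == "tcp" and not p.ack, "block"),
    Rule("no outside web access",
         lambda p: p.direction == "out" and p.proto == "tcp" and p.dport == 80, "block"),
    Rule("drop ICMP to the broadcast address (smurf)",
         lambda p: p.proto == "icmp" and p.dst == BROADCAST, "block"),
    Rule("drop outgoing ICMP TTL expired (traceroute)",
         lambda p: p.direction == "out" and p.proto == "icmp"
         and p.icmp_type == ICMP_TIME_EXCEEDED, "block"),
    Rule("default", lambda p: True, "allow"),
]

def filter_packet(pkt: Packet, rules=RULES) -> tuple:
    """Return (action, rule name) of the first rule matching pkt."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    raise ValueError("rule table must end with a default rule")
```

A reply packet from an outside server (ACK=1) passes the second rule, which is exactly how the slide's ACK=0 rule lets internal clients connect outward while refusing inbound connection attempts.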
17. EC-Council
Application layer firewall
An application layer firewall filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow selected internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.
21. EC-Council
Application layer firewall vs application proxy gateway
Firewall and application level proxy server
A firewall is a router (a computer which is able to forward packets between two or more networks) with some restriction rules applied.
Most current routers can be used as a simple firewall (most routers allow you to define restrictions). This applies, for example, to Cisco routers, Linux systems, etc. But a real firewall is more complicated: it implements mechanisms to dynamically open holes for incoming connections (for FTP sessions, for example) and more.
A firewall works on the packet level. It can apply rules to packets (by checking the source/destination IP address, source/destination port, etc.) to decide whether the packet will be forwarded or denied.
A proxy works on the application protocol level. Proxies do not work on the packet level, so they cannot forward packets.
The client station has to be configured to use the firewall as its default gateway.
Applications on the client PC have to be configured to use the proxy server to access Internet servers.
If you disable the firewall (only the router works), all LAN stations have direct and full Internet access.
You can think of the firewall as a set of restrictive rules (everything is enabled when these rules are inactive). So you can remove or change some rules to create a hole (a range of ports, for example).
Services which use low-level TCP/IP protocols (ping, traceroute, etc.) will work behind a firewall (if they are not disabled by firewall restrictions).
Services which use low-level TCP/IP protocols (ping, traceroute, etc.) will not work behind a proxy.
An application proxy server is a computer which is able to handle requests in some communication protocols (HTTP, FTP, SOCKS, etc.). For each protocol used, the appropriate proxy service must be enabled.
If you disable the proxy, there is no way to connect from the LAN to the Internet servers.
22. EC-Council
ASA models: multi-service (firewall/VPN and IPS)
[Chart: performance and scalability by deployment, from SOHO and branch office through campus and Internet edge to data center]
• ASA 5505 (150 Mbps, 4000 cps)
• ASA 5510 (300 Mbps, 9K cps)
• ASA 5520 (450 Mbps, 12K cps)
• ASA 5540 (650 Mbps, 25K cps)
• ASA 5550 (1.2 Gbps, 36K cps)
• ASA 5585 SSP-10 (4 Gbps, 65K cps)
• ASA 5585 SSP-20 (10 Gbps, 140K cps)
• ASA 5585 SSP-40 (20 Gbps, 240K cps)
• ASA 5585 SSP-60 (40 Gbps, 350K cps)
• ASA SM (16 Gbps, 300K cps)
* Mbps and Gbps = maximum throughput; cps = maximum connections per second
23. EC-Council
Personal firewall
A personal firewall takes the form of software.
• Windows XP, Vista and Mac OS X all include a personal firewall.
• Vendors such as ZoneAlarm and Sygate provide a free version of their product for personal use.
24. EC-Council
Simple firewall architecture
[Diagram: Internet <-> firewall <-> internal networks, containing the DNS server, web server, email server and client PCs]
25. EC-Council
Firewall DMZ architecture
[Diagram: Internet <-> exterior firewall <-> DMZ network (DNS server, web server, email server) <-> interior firewall <-> internal networks]
26. EC-Council
Intrusion detection systems
Packet filtering:
• operates on TCP/IP headers only
• no correlation check among sessions
IDS: intrusion detection system
• deep packet inspection: look at packet contents (e.g., check character strings in the packet against a database of known virus and attack strings)
• examine correlation among multiple packets
  – port scanning
  – network mapping
  – DoS attack
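An added example (not from the slides) showing the two IDS capabilities listed above on constructed traffic: a signature check inside payloads, and a per-source port-scan correlation across packets, which a stateless packet filter cannot do because it judges every packet on its own. The signature strings, threshold, window and sample packets are all made up for illustration.

```python
from collections import defaultdict

# Constructed signature list standing in for the IDS's database of known attack strings.
SIGNATURES = {b"/etc/passwd": "path traversal string", b"' OR 1=1": "SQL injection string"}

def inspect_payload(payload: bytes) -> list:
    """Deep packet inspection: look inside the packet, not only at its headers."""
    return [label for sig, label in SIGNATURES.items() if sig in payload]

class PortScanDetector:
    """Correlates packets from one source over a sliding time window."""
    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)      # src -> [(timestamp, dport), ...]
        self.alerted = set()               # sources already reported once

    def observe(self, ts: float, src: str, dport: int) -> bool:
        """Return True the first time src touches >= threshold distinct ports within window."""
        recent = [(t, p) for t, p in self.seen[src] if ts - t <= self.window]
        recent.append((ts, dport))
        self.seen[src] = recent
        if src in self.alerted or len({p for _, p in recent}) < self.threshold:
            return False
        self.alerted.add(src)
        return True

def analyse(packets) -> list:
    """packets: dicts with ts, src, dst, dport, payload. Returns IDS alert lines."""
    alerts, scanner = [], PortScanDetector()
    for p in packets:
        for label in inspect_payload(p["payload"]):
            alerts.append(f"{p['src']} -> {p['dst']}:{p['dport']} {label}")
        if scanner.observe(p["ts"], p["src"], p["dport"]):
            alerts.append(f"{p['src']} port scan of {p['dst']}")
    return alerts

# Constructed traffic: one host probes twelve ports in quick succession (each probe
# looks harmless on its own), another sends one HTTP request containing a signature.
SAMPLE = [dict(ts=0.2 * i, src="203.0.113.7", dst="10.0.0.5", dport=20 + i, payload=b"")
          for i in range(12)]
SAMPLE.append(dict(ts=3.0, src="198.51.100.4", dst="10.0.0.5", dport=80,
                   payload=b"GET /../../etc/passwd HTTP/1.1\r\n"))

if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```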
28. EC-Council
Limitations of firewalls and gateways
• IP spoofing: the router can't know if data "really" comes from the claimed source
• if multiple applications need special treatment, each has its own application gateway
• client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser
• filters often use an all-or-nothing policy for UDP
• many highly protected sites still suffer from attacks