3. Need for Firewall
Protects the system from vulnerable services: for example, firewalls can be configured to block services like NFS from entering or leaving the subnet.
Controlled access to systems: for example, seal off access to some information servers (like database servers) while allowing access to others (like mail servers).
Privacy: firewalls can block useful information from reaching the hands of attackers.
Security: firewalls offer a high degree of security because they provide a single point at which security needs to be maintained.
Protection of the network and its resources: a firewall protects our network and its resources from malicious users and accidents that originate outside our network.
Firewall
“Monitors and controls incoming and outgoing traffic based on predefined rules”
5. Characteristics of firewall
All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and are often required in government applications.
6. Firewall Access Policy
A critical component in the planning and implementation of a firewall is specifying a suitable access policy:
o The types of traffic authorized to pass through the firewall.
o This includes address ranges, protocols, applications and content types.
The policy should be developed from the organization’s security risk assessment.
It should also be developed from a broad specification of which traffic types the organization needs to support:
o This is then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology.
8. Types of Firewall
Different types of firewalls are as follows:
1. Packet Filtering Firewall: A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. Filtering rules are based on information contained in a network packet:
o Source IP address: the IP address of the system that originated the IP packet (e.g., 192.178.1.1).
o Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2).
o Source and destination transport-level address: the transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET.
o IP protocol field: defines the transport protocol.
o Interface: for a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for.
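As an added example (not part of the original slides), the following Python models a packet filter that decides on exactly the fields listed above, using a constructed rule set for a hypothetical site that also reflects the access-policy elements from slide 6 (address ranges, protocols, applications) and the slide 3 example of blocking NFS at the subnet boundary. The addresses, interface names and port choices are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # IP protocol field: "tcp", "udp" or "icmp"
    sport: int   # source transport-level port (0 for icmp)
    dport: int   # destination transport-level port
    iface: str   # firewall interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    iface: str = "*"            # "*" matches any interface
    proto: str = "*"            # "*" matches any protocol
    src: str = "0.0.0.0/0"      # source address range (CIDR)
    dst: str = "0.0.0.0/0"      # destination address range (CIDR)
    dport: tuple = (0, 65535)   # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        return ((self.iface in ("*", p.iface))
                and (self.proto in ("*", p.proto))
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport[0] <= p.dport <= self.dport[1])

# Constructed rule set for a hypothetical site: 192.168.1.0/24 inside, "ext" is the
# Internet-facing interface, "int" the internal one. First matching rule decides.
RULES = [
    # packets claiming an internal source address but arriving from outside
    Rule("deny", iface="ext", src="192.168.1.0/24"),
    # block NFS (port 2049) from entering or leaving the subnet
    Rule("deny", proto="tcp", dport=(2049, 2049)),
    Rule("deny", proto="udp", dport=(2049, 2049)),
    # inbound SMTP only to the mail server
    Rule("permit", iface="ext", proto="tcp", dst="192.168.1.2/32", dport=(25, 25)),
    # outbound web browsing from internal hosts
    Rule("permit", iface="int", proto="tcp", src="192.168.1.0/24", dport=(80, 80)),
    Rule("permit", iface="int", proto="tcp", src="192.168.1.0/24", dport=(443, 443)),
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """Return "permit" (forward) or "deny" (discard) for one packet."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # default policy: discard anything no rule authorized
```

Rule order matters: the anti-spoofing rule sits first so that a packet arriving on the external interface with an internal source address is never matched by a later permit.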
9. Types of Firewall
2. Stateful Inspection Firewall: A stateful packet inspection firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections. It may also:
o keep track of TCP sequence numbers to prevent attacks that depend on the sequence number;
o inspect data for protocols like FTP, IM, and SIPS.
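The connection directory described above, as an added example that is not part of the original slides: outbound SYNs create entries, and inbound packets are admitted only when they fit an existing entry, so a stateless rule opening every high-numbered port is no longer needed. The addresses and the direction labels are assumptions; sequence-number tracking is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str     # "out": internal -> external, "in": external -> internal

class StatefulFilter:
    """Keeps a directory of outbound TCP connections. Inbound packets pass
    only if they fit one of its entries (sequence-number checks omitted)."""

    def __init__(self):
        # (internal_ip, internal_port, external_ip, external_port) -> state
        self.connections = {}

    @staticmethod
    def _key(p: TcpPacket):
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: TcpPacket) -> str:
        key = self._key(p)
        if p.direction == "out":
            if p.flags == frozenset({"SYN"}):
                self.connections[key] = "SYN_SENT"     # internal host opens a connection
            elif "RST" in p.flags or "FIN" in p.flags:
                self.connections.pop(key, None)        # internal side tears it down
            return "permit"                            # this policy trusts outbound traffic
        # Inbound: a stateless filter would have to open every high-numbered port;
        # here only packets that match an entry in the directory get through.
        state = self.connections.get(key)
        if state is None:
            return "deny"                              # unsolicited, e.g. a SYN to port 50000
        if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
            self.connections[key] = "ESTABLISHED"      # handshake reply fits the profile
        elif state == "SYN_SENT" and "RST" not in p.flags:
            return "deny"                              # only SYN/ACK or RST fits a half-open entry
        if "RST" in p.flags or "FIN" in p.flags:
            self.connections.pop(key, None)            # external side closes or resets
        return "permit"
```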
10. Types of Firewall
3. Application Proxy Firewall: An application-level gateway, also called an application proxy, acts as a relay of application-level traffic:
o the user requests a service from the proxy;
o the proxy validates the request as legal;
o it then acts on the request and returns the result to the user;
o it can log and audit traffic at the application level.
Advantages of application proxy firewall
More secure than packet filter firewalls
Easy to log and audit incoming traffic
Disadvantages of application proxy firewall
Additional processing overhead on each connection
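The four proxy steps above, as an added example that is not from the original slides: an HTTP application gateway that parses the request line (it must understand the protocol to judge it), validates it against a hypothetical site policy, records an audit entry, and only then fetches the result on the client's behalf. The host names, the policy and the in-memory origin content are constructed stand-ins.

```python
import logging
from urllib.parse import urlsplit

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("app-proxy")

# Hypothetical site policy: read-only HTTP methods, only to named internal servers.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"docs.internal.example", "wiki.internal.example"}

# Constructed stand-in for the origin servers; a real proxy opens its own connection
# to the server and the client never reaches it directly.
ORIGIN = {("docs.internal.example", "/policy.txt"): "firewall policy v1"}
AUDIT = []   # application-level audit trail: (client, method, host, path, decision)

def parse_request(raw: bytes):
    """Parse the HTTP request line. An application gateway has to understand
    the protocol before it can judge whether the request is legal."""
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    url = urlsplit(target)
    if version not in ("HTTP/1.0", "HTTP/1.1") or url.scheme != "http":
        return None
    if not url.hostname or not url.path.startswith("/"):
        return None
    return method, url.hostname, url.path

def handle(client: str, raw: bytes):
    """Validate the request, record the decision, then act on it for the client."""
    parsed = parse_request(raw)
    if parsed is None:
        AUDIT.append((client, None, None, None, "deny (malformed)"))
        return 400, "malformed request"
    method, host, path = parsed
    reason = None
    if method not in ALLOWED_METHODS:
        reason = "method not permitted"
    elif host not in ALLOWED_HOSTS:
        reason = "destination not permitted"
    elif ".." in path.split("/"):
        reason = "path traversal"
    decision = "permit" if reason is None else f"deny ({reason})"
    AUDIT.append((client, method, host, path, decision))
    log.info("%s %s http://%s%s -> %s", client, method, host, path, decision)
    if reason is not None:
        return 403, reason
    body = ORIGIN.get((host, path))   # relay: fetch on the client's behalf
    return (200, body) if body is not None else (404, "not found")
```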
11. Types of Firewall
4. Circuit-Level Proxy Firewall: This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. It does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections.
A typical use of the circuit-level gateway is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections.
Advantages of circuit-level proxy firewall
Comparatively inexpensive and provides anonymity to the private network.
Disadvantages of circuit-level proxy firewall
Does not filter individual packets.
13. Firewall Basing
It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. Some additional firewall basing options are as follows:
1. Bastion Host: A bastion host is a system identified by the firewall administrator as a critical strong point in the network’s security. It serves as a platform for an application-level or circuit-level gateway. Some common characteristics:
o Executes a secure version of its OS, making it a hardened system.
o Only the services that the network administrator considers essential are installed on the bastion host.
o It may require some additional authentication before a user is allowed access to the proxy services.
2. Host-based Firewalls: A host-based firewall is a software module used to secure an individual host. Such modules are available in many operating systems or can be provided as add-on packages. It filters and restricts the flow of packets.
14. Firewall Basing
2. Host-based Firewalls: Advantages of host-based firewalls are as follows:
Filtering rules can be tailored to the host environment.
Protection is provided independent of topology.
3. Personal Firewalls: A personal firewall controls traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side. This functionality can be used in the home environment and on corporate intranets. It is a software module on the personal computer.
Firewall functionality can also be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface.
16. Firewall Location and Configuration
A firewall is positioned to provide a protective barrier between an external source of traffic and an internal network.
DMZ Networks: a common firewall configuration that includes an additional network segment between an internal and an external firewall. An external firewall is placed at the edge of a local or enterprise network, just inside the boundary router that connects to the Internet or some wide area network (WAN). One or more internal firewalls protect the bulk of the enterprise network. Between these two types of firewalls are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network.
Virtual Private Networks: a VPN consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security. At each corporate site, workstations, servers, and databases are linked by one or more local area networks (LANs).
17. Firewall Location and Configuration
Distributed Firewalls: These firewalls protect against internal attacks and provide protection tailored to specific machines and applications. An important aspect of a distributed firewall configuration is security monitoring.
Summary of Firewall Locations and Topologies: the spectrum of firewall locations and topologies, from simplest to most elaborate, is:
Host-resident firewall
Screening router
Single bastion inline
Single bastion T
Double bastion inline
Double bastion T
Distributed firewall configuration
19. Intrusion Prevention Systems
A further category of security product is the intrusion prevention system (IPS), also known as an intrusion detection and prevention system (IDPS). It is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity.
Host-Based IPS: A host-based IPS (HIPS) can make use of either signature/heuristic or anomaly detection techniques to identify attacks. Examples of the types of malicious behavior addressed by a HIPS include the following:
o Modification of system resources
o Privilege-escalation exploits
Network-Based IPS: The IPS device applies filters to the full content of the flow every time a new packet for the flow arrives. When a flow is determined to be malicious, the latest and all subsequent packets belonging to the suspect flow are dropped.
20. Intrusion Prevention Systems
Distributed or Hybrid: The final category of IPS is the distributed or hybrid approach. This gathers data from a large number of host- and network-based sensors and relays this intelligence to a central analysis system able to correlate and analyze the data, which can then return updated signatures and behavior patterns to enable all of the coordinated systems to respond and defend against malicious behavior. A number of such systems have been proposed. One of the best known is the digital immune system.
Snort Inline: Snort Inline adds three new rule types that provide intrusion prevention features:
Drop: Snort rejects a packet based on the options defined in the rule and logs the result.
Reject: Snort rejects a packet and logs the result.
Sdrop: Snort rejects a packet but does not log the packet.
22. Unified Threat Management Product
“Products that include multiple security features integrated into one
box. To be included in this category, [an appliance] must be able to
perform network firewalling, network intrusion detection and
prevention and gateway anti-virus. All of the capabilities in the
appliance need not be used concurrently, but the functions must exist
inherently in the appliance.”