Session 7: Firewalls and VPN




  1. The Palestinian eGovernment Academy (أكاديمية الحكومة الإلكترونية الفلسطينية), www.egovacademy.ps. Security Tutorial, Session 7. PalGov © 2011
  2. About
     This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
     Project Consortium: Birzeit University, Palestine (Coordinator); University of Trento, Italy; Palestine Polytechnic University, Palestine; Vrije Universiteit Brussel, Belgium; Palestine Technical University, Palestine; Université de Savoie, France; Ministry of Telecom and IT, Palestine; University of Namur, Belgium; Ministry of Interior, Palestine; TrueTrust, UK; Ministry of Local Government, Palestine.
     Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O. Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu
  3. © Copyright Notes
     Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.
     Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA): this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
  4. Tutorial 5: Information Security. Session 7: Firewalls and VPN
     Session 7 Outline:
     • Session 7 ILOs
     • Firewalls
     • VPNs
  5. Tutorial 5: Session 7: Firewalls and VPN
     After completing this session you will be able to:
     • B: Intellectual Skills
       – b3: Design end-to-end secure and available systems.
       – b4: Design integrity and confidentiality services.
  6. Tutorial 5: Information Security. Session 7: Firewalls and VPN
     Session 7 Outline:
     • Session 7 ILOs
     • Firewalls
     • VPNs
  7. Firewalls
     • A firewall is an effective means of protecting a local system or network of systems from network-based security threats by restricting network services to authorized access only. Firewalls are themselves immune to being penetrated by intruders.
     • A firewall can be hardware, software, or a combination of both.
  8. Firewall Design Principles
     • Widespread use of computer networks as information systems undergo a steady evolution (from small LANs to Internet connectivity).
     • Strong security features are not established on all workstations and servers.
     • Privacy of information is highly valued.
  9. Firewall Design Principles
     • The firewall is inserted between a private network and the Internet or other networks.
     • Aims:
       – Establish a controlled link.
       – Protect a private network from attacks by users or programs.
       – Provide a single point through which the traffic is monitored.
  10. Firewall Characteristics
     • Design goals:
       – All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall).
       – Only authorized traffic (defined by the local security policy) will be allowed to pass.
       – The firewall itself is immune to penetration (use of a trusted system with a secure operating system).
  11. Firewall Characteristics
     There are four general techniques for applying firewalls to networks:
     • Service control – determines the types of services that can be accessed through the Internet.
     • Direction control – determines the flow direction of services.
  12. Firewall Characteristics
     • User control – controls which user(s) can have access to which services.
     • Behavior control – controls how particular services are used (e.g. filtering e-mail).
  13. Types of Firewalls
     There are four common types of firewalls:
     – Packet-filtering routers
     – Stateful inspection firewalls
     – Application-level gateways
     – Circuit-level gateways
  14. Types of Firewalls
  15. Types of Firewalls
  16. Packet-Filtering Router (1)
  17. Packet-Filtering Router (2)
     – Applies a set of rules to each incoming IP packet and then forwards or discards the packet.
     – Filters packets going in both directions.
     – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
     – Two default policies (discard or forward).
  18. Packet-Filtering Router (3)
     • Advantages:
       – Simplicity
       – Transparency to users
       – High speed
     • Disadvantages:
       – Difficulty of setting up packet filter rules
       – Lack of authentication
     • Possible attacks and appropriate countermeasures:
       – IP address spoofing
       – Source routing attacks
       – Tiny fragment attacks
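The packet filter on slides 17 and 18 is a rule list matched against IP/TCP header fields with a default policy, plus a handful of checks that defeat the three attacks listed. The following Python model is an added example written for this page; it is not code from the PalGov tutorial or from any firewall product. The internal prefix `192.168.10.0/24`, the minimum first-fragment size, the rule table and the sample packets are all constructed for illustration.

```python
# Added example (not from the PalGov slides): a minimal packet-filtering
# router. Each packet is a constructed dict-like object; the rule table is
# scanned first-match, and unmatched packets fall to the default policy.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

INTERNAL_NET = ip_network("192.168.10.0/24")  # assumed internal prefix
MIN_FIRST_FRAGMENT = 20  # assumed policy: bytes of TCP header a first fragment must carry


@dataclass
class Packet:
    iface: str                  # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    frag_offset: int = 0        # IP fragment offset (0 = first or only fragment)
    more_fragments: bool = False
    payload_len: int = 0        # bytes following the IP header
    source_route: bool = False  # IP source-route option present


@dataclass
class Rule:
    name: str
    action: str                 # "forward" or "discard"
    match: Callable[[Packet], bool]


def countermeasures(pkt: Packet) -> Optional[str]:
    """Return the name of the countermeasure that fires for this packet, or None."""
    # IP address spoofing: a packet arriving on the outside interface must not
    # claim an inside source address.
    if pkt.iface == "outside" and ip_address(pkt.src) in INTERNAL_NET:
        return "ip-spoofing"
    # Source routing: discard any packet carrying the source-route option.
    if pkt.source_route:
        return "source-routing"
    # Tiny fragment: a first fragment too small to hold the TCP header would
    # hide the port fields from the filter, so it is discarded.
    if (pkt.proto == "tcp" and pkt.more_fragments and pkt.frag_offset == 0
            and pkt.payload_len < MIN_FIRST_FRAGMENT):
        return "tiny-fragment"
    return None


def tcp_to(ports) -> Callable[[Packet], bool]:
    # Port fields exist only in the first fragment; later fragments never match.
    return lambda p: p.proto == "tcp" and p.frag_offset == 0 and p.dport in ports


RULES: List[Rule] = [
    Rule("inbound-smtp", "forward",
         lambda p: p.iface == "outside" and tcp_to({25})(p)
         and ip_address(p.dst) in INTERNAL_NET),
    Rule("outbound-web", "forward",
         lambda p: p.iface == "inside" and tcp_to({80, 443})(p)),
]
DEFAULT_POLICY = "discard"  # the conservative choice of the two default policies


def filter_packet(pkt: Packet, rules=RULES, default=DEFAULT_POLICY) -> Tuple[str, str]:
    """Return (action, reason) for one packet."""
    hit = countermeasures(pkt)
    if hit:
        return "discard", hit
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return default, "default"


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS = {
    "smtp-in": Packet("outside", "203.0.113.5", "192.168.10.25", "tcp", dport=25, payload_len=40),
    "spoofed": Packet("outside", "192.168.10.7", "192.168.10.25", "tcp", dport=25, payload_len=40),
    "srcroute": Packet("outside", "203.0.113.5", "192.168.10.25", "tcp", dport=25,
                       payload_len=40, source_route=True),
    "tinyfrag": Packet("outside", "203.0.113.5", "192.168.10.25", "tcp", dport=25,
                       more_fragments=True, payload_len=8),
    "https-out": Packet("inside", "192.168.10.40", "198.51.100.9", "tcp", dport=443, payload_len=60),
    "telnet-out": Packet("inside", "192.168.10.40", "198.51.100.9", "tcp", dport=23, payload_len=60),
}


def run_samples():
    return {name: filter_packet(p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:11} -> {verdict}")
```

The countermeasure checks run before the rule table so that a spoofed or source-routed packet never reaches a "forward" rule; the table itself is deliberately short to show the first-match semantics and the discard default that slide 17 mentions.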
  19. Application-level / Content Filtering Gateway (1)
  20. Application-level Gateway (2)
     • Application-level gateway
       – Also called a proxy server
       – Acts as a relay of application-level traffic
       – Can work as a content-filtering firewall
     • Advantages:
       – Higher security than packet filters
       – Only need to scrutinize a few allowable applications
       – Easy to log and audit all incoming traffic
     • Disadvantages:
       – Additional processing overhead on each connection (gateway as splice point)
  21. Circuit-level Gateway (1)
  22. Circuit-level Gateway (2)
     – Stand-alone system, or
     – Specialized function performed by an application-level gateway
     – Sets up two TCP connections
     – The gateway typically relays TCP segments from one connection to the other without examining the contents
  23. Circuit-level Gateway (3)
     – The security function consists of determining which connections will be allowed
     – Typical use is a situation in which the system administrator trusts the internal users
     – An example is the SOCKS package
  24. Types of Firewalls
     • Bastion host
       – A system identified by the firewall administrator as a critical strong point in the network's security
       – The bastion host serves as a platform for an application-level or circuit-level gateway
  25. Firewall Basing
     • Several options for locating a firewall:
       – bastion host
       – individual host-based firewall
       – personal firewall
  26. Firewall Locations
  27. Firewall Configurations
     • In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible.
  28. Distributed Firewalls
  29. Firewall Configurations
     • Screened host firewall system (single-homed bastion host)
  30. Firewall Configurations
     • Screened host firewall system (dual-homed bastion host)
  31. Firewall Configurations
     • Screened-subnet firewall system
  32. Unified Threat Management Products
  33. Tutorial 5: Information Security. Session 7: Firewalls and VPN
     Session 7 Outline:
     • Session 7 ILOs
     • Firewalls
     • SOCKS Protocols
     • VPN
  34. SOCKS Protocols
     • Communication between clients and servers behind firewalls can be done using the SOCKS protocol.
     • SOCKS uses two primitive operations: BIND and CONNECT.
     • Used by many applications, including browsers (e.g. Dropbox).
     • SOCKS4 / SOCKS5
  35. SOCKS CONNECT
     1. Host A connects to the SOCKS proxy and asks it (CONNECT) to establish a connection with server S.
     2. The proxy connects to S (connect()). From now on the traffic flows between host A and server S in both directions, relayed by the proxy.
  36. Binding process
     1. The client A connects to the SOCKS proxy and asks it to bind a public port mapped to the local port 4445, allowing an incoming connection from server S.
     2. The SOCKS proxy replies with the public port (e.g. 33102) actually used to accept incoming sockets.
     3. When S connects to port 33102 of the proxy, host A is notified and traffic can flow from S to A and vice versa, conveyed by the proxy.
  37. Comparing SOCKS4 and SOCKS5
     • SOCKS4 doesn't support authentication, while SOCKS5 has a built-in mechanism to support a variety of authentication methods.
     • SOCKS4 doesn't support UDP proxying, while SOCKS5 does.
     • SOCKS4 clients require full DNS support, while SOCKS5 clients can rely on the SOCKS5 server to perform the DNS lookup.
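Slides 35 to 37 describe the CONNECT exchange and the SOCKS4/SOCKS5 differences in words; the message bytes that carry that exchange are small enough to write out. The block below is an added example for this page, not code from the PalGov tutorial or from any SOCKS implementation: it encodes and decodes the SOCKS5 method negotiation and CONNECT request/reply as laid out in RFC 1928, and builds a SOCKS4 CONNECT request next to it so the three differences on slide 37 (no authentication negotiation, IPv4-only addressing, no server-side DNS) are visible in the bytes. All hostnames, addresses and the server's method preference list are constructed values.

```python
# Added example (not from the PalGov slides): SOCKS5 negotiation and CONNECT
# messages per RFC 1928, with a SOCKS4 CONNECT request for comparison.
import struct
from ipaddress import IPv4Address, IPv6Address, ip_address

SOCKS5 = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REP_SUCCEEDED = 0x00


def client_greeting(methods) -> bytes:
    """VER | NMETHODS | METHODS... : the client lists the auth methods it supports."""
    return bytes([SOCKS5, len(methods), *methods])


def server_select_method(greeting: bytes, server_prefs) -> bytes:
    """VER | METHOD : the server picks the first of its preferred methods the client offered."""
    ver, n = greeting[0], greeting[1]
    if ver != SOCKS5 or len(greeting) != 2 + n:
        raise ValueError("malformed greeting")
    offered = greeting[2:2 + n]
    for m in server_prefs:  # server preference order is an assumption of this example
        if m in offered:
            return bytes([SOCKS5, m])
    return bytes([SOCKS5, METHOD_NONE_ACCEPTABLE])  # client must close the connection


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
    A hostname is sent as ATYP 3, so the proxy, not the client, resolves it."""
    try:
        ip = ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for one length octet")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_request(data: bytes) -> dict:
    """Decode a SOCKS5 request as the proxy would; rejects bad version, RSV, CMD or length."""
    if len(data) < 4:
        raise ValueError("short request")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS5 or rsv != 0x00:
        raise ValueError("bad version or reserved octet")
    if cmd not in (CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE):
        raise ValueError("unknown command")
    i = 4
    if atyp == ATYP_IPV4:
        host, i = str(IPv4Address(data[i:i + 4])), i + 4
    elif atyp == ATYP_IPV6:
        host, i = str(IPv6Address(data[i:i + 16])), i + 16
    elif atyp == ATYP_DOMAIN:
        n = data[i]
        host, i = data[i + 1:i + 1 + n].decode("idna"), i + 1 + n
    else:
        raise ValueError("unknown address type")
    if len(data) != i + 2:
        raise ValueError("length mismatch")
    port = struct.unpack("!H", data[i:i + 2])[0]
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}


def connect_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT : the proxy's answer (0 = succeeded)."""
    ip = ip_address(bind_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS5, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bind_port)


def socks4_connect_request(ipv4: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4: VN | CD | DSTPORT | DSTIP | USERID | NUL. No method negotiation,
    only a bare user-id string, and the client must already hold a resolved IPv4 address."""
    return (bytes([0x04, 0x01]) + struct.pack("!H", port)
            + IPv4Address(ipv4).packed + userid + b"\x00")


if __name__ == "__main__":
    # Constructed exchange: client offers no-auth and username/password,
    # server insists on username/password, then a CONNECT by hostname.
    print(server_select_method(client_greeting([METHOD_NO_AUTH, METHOD_USERPASS]), [METHOD_USERPASS]).hex())
    req = connect_request("example.com", 443)
    print(req.hex(), parse_request(req))
    print(connect_reply(REP_SUCCEEDED, "203.0.113.5", 33102).hex())
    print(socks4_connect_request("192.0.2.10", 25, b"alice").hex())
```

`parse_request` mirrors what the proxy side has to validate before relaying anything: version, reserved octet, a known command and an address that fills exactly the remaining bytes. The SOCKS4 request carries no method field at all, which is the byte-level form of the "no authentication" point on slide 37.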
  38. Firewall Examples
     • MS Windows firewalls
     • Cisco firewalls
     • Other firewalls...
  39. Windows Firewall
     • New layered security model.
     • Provides:
       – host-based, two-way network traffic filtering
       – blocking of unauthorized network traffic
     • Integrated with Internet Protocol Security (IPsec).
     • Important part of the network's isolation strategy.
  40. Windows Firewall Key Scenarios
     You can use Windows Firewall with Advanced Security to help implement the following key technologies and scenarios:
     • Network Location-Aware Host Firewall
     • Server and Domain Isolation
     • Network Access Protection
     • DirectAccess
     • Refer to [6] for more details.
  41. Cisco ASA Firewall
     • LAB session 8.
  42. Tutorial 5: Information Security. Session 7: Firewalls and VPN
     Session 7 Outline:
     • Session 7 ILOs
     • Firewalls
     • SOCKS Protocols
     • VPN
  43. Virtual Private Networks (VPN)
     • VPNs are a set of tools used to securely connect networks at different locations using a public network as the transport layer.
     • Cryptography (including CIA/AAA) is used to implement VPNs to protect against eavesdropping and active attacks.
  44. VPN Usage
     • VPNs are most commonly used today for telecommuting and for linking branch offices via secure WANs.
     • IPSec VPN (refer to session 5)
     • MS VPN
  45. VPN Protocols for Secure Network Communications
     Other VPN protocols that encrypt communications include:
     • Internet Protocol Security (IPSec) – an architecture, protocol, and related Internet Key Exchange (IKE) protocol.
     • Layer 2 Forwarding (L2F) – created by Cisco Systems.
     • Layer 2 Tunneling Protocol (L2TP) – a combination of PPTP and L2F.
     • Point-to-Point Tunneling Protocol (PPTP) – developed by 3Com, Ascend, Microsoft, and ECI Telematics.
  46. Virtual Private Networks (using IPSec)
  47. IPSec Problems
     • Slow progress resulted in a splintering of efforts during the mid-90s.
     • SSL was one such offshoot, developed to provide application-level security rather than network-level security.
     • Traditional IPSec implementations required a great deal of kernel code, complicating cross-platform porting efforts.
     • IPSec is complex, with a relatively steep learning curve for new users.
     • See session 5 for more details.
  48. VPN using L2TP
     • L2TP is a mature IETF standards-track protocol.
     • L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent over IP, X.25, frame relay, or Asynchronous Transfer Mode (ATM) networks.
     • When configured to use IP as its transport, L2TP can be used as a VPN tunneling protocol over the Internet.
  49. VPN using L2TP
     • L2TP with PPP provides a wide range of user authentication options:
       – CHAP
       – MS-CHAP
       – MS-CHAPv2
       – Extensible Authentication Protocol (EAP)
     • L2TP/IPSec provides well-defined and interoperable tunneling with strong security.
  50. VPN using PPTP
     • PPTP provides authenticated and encrypted communications between a client and a gateway or between two gateways.
     • No need for a public key infrastructure.
     • Uses a user ID and password.
     • Simple, with multiprotocol support and the ability to traverse a broad range of IP networks.
     • The use of PPP provides the ability to negotiate authentication, encryption, and IP address assignment services.
  51. References
     1. William Stallings and Lawrie Brown.
     2. Lecture Notes by David Chadwick, 2011, TrueTrust.
     3. Cryptography and Network Security, Behrouz A. Forouzan.
     4. SOCKS5 IETF RFC.
     5. SOCKS4 protocol.
     6. Introduction to Windows Firewall with Advanced Security, Microsoft Corporation, updated December 2009.
     7. Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security, White Paper.
  52. Summary
     • In this session we discussed the following:
       – The need for and purpose of firewalls
       – Types of firewalls: packet filter, stateful inspection, application-level and circuit-level gateways
       – VPNs
  53. Thanks. Dr. Nael Salman