Introduction <ul><li>A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. </li></ul><ul><li>Firewall technology emerged in the late 1980s. </li></ul><ul><li>The predecessors of firewalls for network security were routers, which could already filter traffic by address before dedicated firewall products existed. </li></ul>
Firewall’s Function <ul><li>A firewall’s function within a network is similar to that of firewalls and fire doors in building construction. In the former case, it is used to prevent intrusion into the private network; in the latter, it is intended to contain and delay a structural fire so that it does not spread to adjacent structures. </li></ul>
Generations Of Firewall <ul><li>1st Generation (1988) </li></ul><ul><li>The first paper on firewall technology was published in 1988, when engineers at DEC developed filter systems known as ‘packet filters’. </li></ul><ul><li>2nd Generation (1989-1990) </li></ul><ul><li>AT&T Bell Laboratories developed the second generation of firewalls, calling them circuit-level firewalls: they track the state of connections rather than judging each packet in isolation. </li></ul><ul><li>3rd Generation (1991) – Application layer firewall, which understands the application protocol (FTP, HTTP, SMTP and so on) of the traffic it passes. </li></ul>
Network Layer & Packet Filter <ul><li>A packet filter operates at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set (typically source and destination address, protocol, and port). </li></ul><ul><li>Network layer firewalls are of two kinds: </li></ul><ul><li>Stateful Firewalls, which keep a table of active connections and let return traffic through on the strength of that table. </li></ul><ul><li>Stateless Firewalls, which judge every packet on its own against the rule set, so return traffic must be permitted by an explicit rule. </li></ul>
Application Layer <ul><li>Application layer firewalls work at the application level of the TCP/IP stack and may intercept all packets travelling to or from an application. In principle, an application firewall can prevent all unwanted outside traffic from reaching protected machines, because it understands the protocol it inspects and can reject traffic that does not conform to it. </li></ul>
Proxies <ul><li>A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets in the manner of an application: the client talks to the proxy, and the proxy opens its own connection to the real server, so no packet passes end to end unexamined. </li></ul>
Network Address Translation <ul><li>Firewalls often have NAT functionality, and the hosts protected behind a firewall commonly have addresses in the ‘private address range’ (RFC 1918). </li></ul><ul><li>Purpose: to hide the true addresses of protected hosts. NAT on its own is not access control; the filtering policy still has to deny unsolicited inbound connections. </li></ul>
BASIC TYPES OF FIREWALL IMPLEMENTATION <ul><li>There are three basic types of firewall implementation: </li></ul><ul><li>Transparent / Bridging Firewalls </li></ul><ul><li>The Sandwich Firewall </li></ul><ul><li>VLAN Switch Implementation </li></ul>
Transparent / Bridging Firewall <ul><li>A "transparent" firewall is an amalgam of a proxy firewall and a NAT firewall. An internal machine only has to know where to send packets to reach the outside, as with a NAT firewall. However, the firewall may "transparently" invoke proxy-like mechanisms on certain traffic for security purposes, rather than blindly forwarding it. Because it bridges rather than routes, it is not a visible hop and requires no readdressing of the internal network; the internal machines may or may not use a private IP address range. </li></ul>
The Sandwich Firewall Implementation <ul><li>A firewall which consists of redundant firewalls placed between two layers of redundant Firewall Load Balancers (FLB) is called a “sandwich firewall”; either a firewall or a load balancer can fail without loss of service. </li></ul>
Firewall VLAN Implementation <ul><li>A VLAN-enabled firewall and switch communicate over an 802.1Q trunk. The switch forwards tagged frames to the firewall. The firewall classifies each frame, taking into consideration the VLAN tag in combination with other fields such as protocol, IP address, and port. It then takes the appropriate action, based on firewall policies. </li></ul>
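The classification step above, as an added example that is not part of the original slides or any vendor's code: it parses a raw Ethernet frame, pulls the 12-bit VLAN ID out of the 802.1Q tag, reads the IPv4 protocol, destination address and L4 destination port, and matches them against a first-match rule table. The rule table, the MAC addresses and the test frames are constructed for this example; `build_frame` exists only to produce them.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed per-VLAN policy, first match wins, default deny. Each rule is
# (vlan id, IP protocol number or None, destination network, destination port or None, action).
RULES = [
    (10, 6, "10.0.0.0/8", 443, "permit"),        # user VLAN may reach internal HTTPS
    (20, 6, "192.0.2.10/32", 80, "permit"),      # guest VLAN may reach one web server
    (20, None, "10.0.0.0/8", None, "deny"),      # guest VLAN never reaches the internal net
]
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Pull VLAN id (if tagged), IPv4 addresses, protocol and L4 ports out of a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:                  # 802.1Q: TCI (PCP:3, DEI:1, VID:12) + inner type
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan, offset = tci & 0x0FFF, offset + 4
    info = {"vlan": vlan, "ethertype": ethertype, "proto": None,
            "src": None, "dst": None, "sport": None, "dport": None}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return info                              # not IPv4, or no room for an IPv4 header
    ihl = (frame[offset] & 0x0F) * 4             # header length in bytes (options included)
    info["proto"] = frame[offset + 9]
    info["src"] = ip_address(frame[offset + 12:offset + 16])
    info["dst"] = ip_address(frame[offset + 16:offset + 20])
    l4 = offset + ihl
    if info["proto"] in (6, 17) and len(frame) >= l4 + 4:   # TCP/UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def classify(frame: bytes) -> str:
    """Firewall policy decision for one frame: 'permit' or 'deny'."""
    info = parse_frame(frame)
    if info["vlan"] is None or info["dst"] is None:
        return "deny"                            # untagged or non-IPv4: nothing in the policy matches
    for vlan, proto, net, dport, action in RULES:
        if (vlan == info["vlan"] and proto in (None, info["proto"])
                and info["dst"] in ip_network(net) and dport in (None, info["dport"])):
            return action
    return "deny"                                # implicit deny at the end of the rule table


def build_frame(vlan, proto, src, dst, sport, dport) -> bytes:
    """Constructed test frame: Ethernet [+ 802.1Q tag] + minimal IPv4 header + 4 bytes of L4 ports."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # made-up MACs
    if vlan is not None:
        eth += struct.pack("!HHH", TPID_8021Q, vlan & 0x0FFF, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)
    return eth + ipv4 + struct.pack("!HH", sport, dport)


if __name__ == "__main__":
    print(classify(build_frame(10, 6, "10.1.1.5", "10.2.2.2", 50000, 443)))   # permit
    print(classify(build_frame(20, 6, "10.1.1.5", "10.2.2.2", 50000, 443)))   # deny
```

The point of keying the policy on the tag is also its weakness: the firewall trusts the switch to have tagged each frame with the VLAN the host really sits on, so the trunk port must only accept tags the switch itself assigned (no user-supplied 802.1Q headers on access ports).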
CISCO PIX <ul><li>Cisco PIX (Private Internet eXchange) is a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment. </li></ul><ul><li>The Cisco PIX 501 Security Appliance delivers enterprise-class security for small offices and teleworkers in a reliable, plug-and-play, purpose-built appliance. Intended for securing high-speed “always on” broadband environments, the Cisco PIX 501 Security Appliance, which is part of the Cisco PIX Security Appliance Series, provides integrated security capabilities, small office networking features, and remote management capabilities in a compact, all-in-one solution. </li></ul>CISCO PIX 501
DESCRIPTION OF OPERATION <ul><li>The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive); the software is now known simply as PIX OS. </li></ul>
<ul><li>It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall: its access control is not restricted to network layer routing but works on socket-based connections (an IP address and a port; port communication occurs at Layer 4). </li></ul><ul><li>By design it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid outbound request or is explicitly allowed by an Access Control List (ACL) or a conduit. </li></ul>
<ul><li>The PIX can be configured to perform many functions, including network address translation (NAT) and port address translation (PAT), as well as acting as a virtual private network (VPN) endpoint appliance. </li></ul><ul><li>The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the "fixup" command. The "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP: the SMTP fixup (“Mailguard”) restricts the mail commands a client may send to the minimal set, and the DNS fixup limits message size and tears down the UDP state once the reply to a query has passed. </li></ul><ul><li>The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. </li></ul><ul><li>As the PIX was an acquired product, its CLI was originally not aligned with the Cisco IOS syntax. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECnet, etc.), in most configuration commands 'ip' is omitted. The configuration is upwards compatible, but not downwards: a configuration written for an older release loads on a newer one, but not the reverse. </li></ul>
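A model of the two fixup behaviours named above, added here as an example and not taken from PIX OS: the SMTP half allows only the seven minimal RFC 821 commands (the set Mailguard enforced) and refuses anything else, and the DNS half tracks each query by client, server and transaction ID, forwards exactly one reply for it, and drops oversize messages. The exact 500 reply text, the hard 512-byte limit and the sample addresses are assumptions made for this model; `dns_message` only constructs test input.

```python
import struct

# Mailguard-style allow-list: the seven minimal SMTP commands of RFC 821.
# Extended verbs (EHLO, VRFY, EXPN, ...) are refused rather than relayed to the server.
SMTP_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def inspect_smtp_command(line: bytes) -> tuple:
    """Return ('pass', line) for an allowed verb, otherwise ('reject', reply sent to the client).
    The reply text is an assumption for this model, not quoted from PIX OS."""
    verb = line.strip().split(b" ", 1)[0].upper().decode("ascii", "replace")
    if verb in SMTP_ALLOWED:
        return ("pass", line)
    return ("reject", b"500 Command unrecognized\r\n")


class DnsGuard:
    """Track DNS queries by (client, server, transaction id); forward exactly one matching
    reply per query, then forget the state so late or spoofed replies are discarded."""

    def __init__(self, max_len: int = 512):
        self.max_len = max_len              # equivalent of "fixup protocol dns maximum-length 512"
        self.pending = set()                # outstanding queries awaiting their first reply

    def inspect(self, src: str, dst: str, payload: bytes) -> str:
        if len(payload) < 12 or len(payload) > self.max_len:
            return "drop"                   # no full DNS header, or longer than policy allows
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:              # QR bit clear: a query from client to server
            self.pending.add((src, dst, txid))
            return "pass"
        key = (dst, src, txid)              # a reply reverses the addresses of its query
        if key in self.pending:
            self.pending.discard(key)       # the first answer closes the entry
            return "pass"
        return "drop"                       # unsolicited, duplicate or mismatched reply


def dns_message(txid: int, response: bool,
                question: bytes = b"\x07example\x03com\x00\x00\x01\x00\x01") -> bytes:
    """Constructed minimal DNS message: header with one question, no answer records."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


if __name__ == "__main__":
    guard = DnsGuard()
    print(guard.inspect("192.168.1.20", "198.51.100.53", dns_message(0x1234, False)))  # pass
    print(guard.inspect("198.51.100.53", "192.168.1.20", dns_message(0x1234, True)))   # pass
    print(guard.inspect("198.51.100.53", "192.168.1.20", dns_message(0x1234, True)))   # drop
    print(inspect_smtp_command(b"VRFY root\r\n"))                                       # reject
```

The DNS side is the interesting one for a defender: a stateless filter that simply permits UDP/53 replies leaves the window open for forged answers; closing the entry on the first reply bounds that window to one packet.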
HARDWARE DESCRIPTION <ul><li>The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an AMD 5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors. Nearly all PIXes used Ethernet NICs with Intel 82557, 82558, and 82559 network chipsets, but some older models are occasionally found with 3Com 3c590 and 3c595 Ethernet cards, Olicom-based Token Ring cards, and Interphase-based FDDI cards. </li></ul>
PIX ARCHITECTURE <ul><li>The PIX architecture is built around the ASA (Adaptive Security Algorithm) engine, which performs the inspection, maintains the session state information and handles network address translation. The inspection sequence for a packet entering an interface is as follows: </li></ul><ul><li>The packet is first checked against the stateful session table. If it is part of an already established flow, it is passed forward to be routed out and, if so configured, translated, without consulting any access-list. </li></ul><ul><li>If the packet is the first of a new session, the PIX evaluates the security levels of the source and destination interfaces. A low-to-high connection (for example outside to inside) is allowed only if an access-list or conduit explicitly permits it; a high-to-low connection (inside to outside) is allowed by default unless a specific access-list or outbound statement denies it. </li></ul>
<ul><li>The new packet is checked against the access-list applied to the inbound interface (or against the conduits, for versions earlier than 6.3). </li></ul><ul><li>When the packet has passed the inbound security check, ASA creates an entry in the stateful session table and starts the idle timers for that session. </li></ul>
<ul><li>ASA performs the inbound network translation (destination NAT), replacing a global address with the real address of the protected host. </li></ul><ul><li>The packet is routed out of the interface designated by the routing table. </li></ul><ul><li>At the exit interface, source translation is performed if specified, using global statements and nat groups. </li></ul><ul><li>The packet is delivered to the next-hop router, or to the final destination if it lies in one of the firewall’s directly connected subnets. </li></ul>
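The whole inspection sequence as one runnable model, added here as an example; it is not PIX OS code and also illustrates the earlier slides on stateful versus stateless filtering and on NAT. The topology (three interfaces with security levels 0/50/100, a default route to the outside, one static for a DMZ web server, PAT to the outside interface address, and a single ACL on the outside interface), the addresses and the packets are all constructed for this example. Idle timers are represented only by the session entry itself; the treatment of traffic entering and leaving the same interface is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (not a real configuration).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}
IF_ADDR = {"outside": "203.0.113.2", "dmz": "172.16.0.1", "inside": "192.168.1.1"}
ROUTES = [("192.168.1.0/24", "inside"), ("172.16.0.0/24", "dmz"), ("0.0.0.0/0", "outside")]
STATIC = {"203.0.113.10": "172.16.0.10"}       # global address -> real address (a DMZ web server)
PAT_EGRESS = {"outside"}                        # source PAT to the interface address on exit here
ACL = {"outside": [("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80)]}   # implicit deny at end


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr, best = ipaddress.ip_address(dst), None
    for net, ifc in ROUTES:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifc)
    return best[1]


def acl_lookup(ifc: str, pkt: Packet):
    """First-match ACL decision: True/False when an ACL is bound to ifc, None when none is."""
    rules = ACL.get(ifc)
    if rules is None:
        return None
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, s_net, d_net, dport in rules:
        if (proto == pkt.proto and src in ipaddress.ip_network(s_net)
                and dst in ipaddress.ip_network(d_net) and dport in (None, pkt.dport)):
            return action == "permit"
    return False                                # implicit deny at the end of every ACL


class Pix:
    def __init__(self):
        self.sessions = {}       # flow key -> (egress if, src, sport, dst, dport) after translation
        self.next_pat_port = 1024

    @staticmethod
    def key(pkt: Packet) -> tuple:
        return (pkt.in_if, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt: Packet) -> tuple:
        # 1. Established flow: forward with the stored translation; no ACL is consulted.
        if self.key(pkt) in self.sessions:
            return ("permit", "established") + self.sessions[self.key(pkt)]
        # 2. New flow: undo any static (destination NAT) so routing finds the real host,
        #    then compare the security levels of the ingress and egress interfaces.
        real_dst = STATIC.get(pkt.dst, pkt.dst)
        out_if = route(real_dst)
        if out_if == pkt.in_if:
            return ("deny", "same interface")    # assumption: no hairpin traffic in this model
        low_to_high = SECURITY[pkt.in_if] < SECURITY[out_if]
        verdict = acl_lookup(pkt.in_if, pkt)     # ACLs match on the address as seen on ingress
        if low_to_high and verdict is not True:
            return ("deny", "low-to-high without an explicit permit")
        if not low_to_high and verdict is False:
            return ("deny", "high-to-low denied by acl")
        # 3. Source translation at the exit interface (PAT to the interface address).
        new_src, new_sport = pkt.src, pkt.sport
        if out_if in PAT_EGRESS:
            new_src, new_sport = IF_ADDR[out_if], self.next_pat_port
            self.next_pat_port += 1
        # 4. Session table entries for both directions, so the reply matches step 1
        #    and is translated back without needing its own ACL permit.
        fwd = (out_if, new_src, new_sport, real_dst, pkt.dport)
        rev = (pkt.in_if, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[self.key(pkt)] = fwd
        self.sessions[(out_if, pkt.proto, real_dst, pkt.dport, new_src, new_sport)] = rev
        return ("permit", "new session") + fwd


if __name__ == "__main__":
    pix = Pix()
    print(pix.process(Packet("inside", "tcp", "192.168.1.20", 40000, "198.51.100.5", 443)))
    print(pix.process(Packet("outside", "tcp", "198.51.100.5", 443, "203.0.113.2", 1024)))
    print(pix.process(Packet("outside", "tcp", "198.51.100.7", 5555, "203.0.113.10", 22)))
```

Run the three packets in order: the inside host's connection goes out with its source rewritten to the outside interface address, the server's reply is accepted purely from the session table even though the outside ACL would never permit it, and a fresh connection to port 22 on the published address is refused because it is low-to-high with no matching permit.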
Research: Importance of Web Application Firewall Technology for Protecting Web-based Resources (white paper by ICSA Labs)
<ul><li>Objectives of the white paper: </li></ul><ul><li>Review the essentials of the different traditional security technologies. </li></ul><ul><li>Discuss why dedicated web application firewalls are necessary to protect web resources. </li></ul><ul><li>Suggest a deployment model illustrating the relative locations of the above-mentioned technologies within a simplified enterprise network. </li></ul>
Existing Technologies for Network Security
Protocol-Enforcing Network Firewalls: They provide the first line of defense by stopping most basic protocol attacks at the network boundary, including protocol-based denial of service attacks. They primarily operate in the network, session, and transport layers of the Open Systems Interconnection (OSI) reference model, and so see nothing of the HTTP requests carried inside an allowed connection.
Intrusion Prevention Systems: IPS can be deployed at various locations within an enterprise network. IPS agents monitor network traffic and scan for signatures of a wide range of known attacks. IPS is effective at signature scanning, pattern matching, anomaly detection, and behavior-based detection for a broad range of known attacks that make it past perimeter defenses.
Outbound Content Filtering: They provide access control for internal corporate users as they access information on the Internet. Content filtering protects an enterprise by preventing users from accessing malicious or otherwise dangerous external content, enforcing white and black lists of known good and known bad Internet sites. More sophisticated content filtering platforms provide additional protection by monitoring other services, including instant messaging and file transfer systems such as FTP and peer-to-peer (P2P).
Anti-Malware Gateways: “Malware” refers to malicious code such as viruses, Trojans, rootkits and macro viruses, as well as other undesirable content such as spyware and phishing links. Anti-malware gateways scan inbound and outbound content, including email, instant messaging, and file downloads, for code that can compromise client security. Recent enhancements include outbreak prevention, by which a gateway can signal other security devices to limit propagation when malware is detected.
Web Application Firewalls: Web application firewalls (WAFs) deal specifically with web-based traffic. They complement perimeter firewall and IPS technology with a range of functions specific to web traffic, increasing application attack prevention. Most WAFs include HTTP/HTTPS protocol enforcement and negative signature detection. Other protection mechanisms include URL normalization and scanning, positive security functionality that enforces proper application operation and page logic flow, and adaptive learning modules that can update security policies on the fly.
WAFs can recognize and be configured to police the usage of specific web application elements and functions, such as web objects, form fields, and, most importantly, application session logic. WAFs enforce the proper context of the HTTP request and response, and provide semantic awareness of the relationships of the various web objects present on a web site. WAFs can be deployed between perimeter defenses and the web servers they protect, or installed directly on web server platforms as host-based WAFs.
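The three WAF mechanisms the white paper names (protocol enforcement, negative signatures, and a positive model of resources and form fields) in one request inspector, added here as an example and not taken from the paper or any WAF product. It decodes percent-encoding until stable so double-encoded traversal is seen as intended, normalizes the path before the positive lookup, and blocks anything the application never exposes. The signatures are deliberately small and will produce false positives on real traffic; the `/search` and `/login` model, the field formats and the sample requests are constructed for this example.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative security: a few well-known attack patterns, run over decoded input.
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
]

# Positive security: the only resources, methods and form fields the application exposes
# (constructed for this example; a real policy is learned from or written for the app).
POSITIVE_MODEL = {
    "/search": {"methods": {"GET"}, "fields": {"q": re.compile(r"[\w \-]{0,100}")}},
    "/login": {"methods": {"POST"}, "fields": {"user": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
                                               "pass": re.compile(r"[^\x00-\x1f]{1,128}")}},
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_TARGET_LEN = 2048


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded payloads (%252e%252e) are seen as intended."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_path(raw_path: str) -> str:
    """Canonical path: decoded, backslashes unified, '.', '..' and '//' collapsed."""
    path = decode_fully(raw_path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def inspect_request(method: str, target: str, body: str = "") -> tuple:
    """Return ('allow', None) or ('block', reason) for one request line plus its body."""
    # 1. Protocol enforcement: known method, bounded length, no control characters.
    if method not in ALLOWED_METHODS:
        return ("block", f"method {method} not allowed")
    if len(target) > MAX_TARGET_LEN or re.search(r"[\x00-\x1f\x7f]", target):
        return ("block", "malformed request target")
    parts = urlsplit(target)
    # 2. Negative signatures over the decoded path, query string and body.
    for name, pattern in SIGNATURES:
        for field in (decode_fully(parts.path), decode_fully(parts.query), decode_fully(body)):
            if pattern.search(field):
                return ("block", f"signature {name}")
    # 3. Positive model: resource, method and every submitted field must be known and well-formed.
    path = normalize_path(parts.path)
    model = POSITIVE_MODEL.get(path)
    if model is None:
        return ("block", f"unknown resource {path}")
    if method not in model["methods"]:
        return ("block", f"method {method} not allowed for {path}")
    submitted = parse_qsl(parts.query if method == "GET" else body, keep_blank_values=True)
    for field, value in submitted:
        rule = model["fields"].get(field)
        if rule is None:
            return ("block", f"unexpected field {field}")
        if not rule.fullmatch(value):
            return ("block", f"field {field} violates expected format")
    return ("allow", None)


if __name__ == "__main__":
    print(inspect_request("GET", "/search?q=firewall"))                               # allow
    print(inspect_request("GET", "/search?q=%27%20or%20%271%27%3D%271"))              # sqli
    print(inspect_request("GET", "/static/..%252F..%252Fetc/passwd"))                 # traversal
    print(inspect_request("POST", "/login", "user=alice&pass=x&admin=1"))             # extra field
```

The ordering matters: normalization and repeated decoding run before both the signature pass and the positive lookup, otherwise `..%252F` would reach the positive model as a harmless-looking literal. The positive model is also what catches the `admin=1` case, which no signature describes.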
Conclusion: Dedicated WAFs are designed specifically for the HTTP/HTTPS protocols and are required in addition to traditional security technologies to provide a complete solution for securing web applications. They provide web-specific and application-language-specific functionality that network firewalls and IPS, which do not model the application, cannot. These capabilities are vital to preventing sophisticated attacks and protecting valuable information assets.