1. NAVDEEP SINGH
Firewall & its Services
2. What is a Firewall?
A firewall is a device or a software feature designed to
control the flow of traffic into and out of a network.
A firewall interconnects networks with different levels of trust.
A firewall implements and enforces a security policy
between networks.
4. Firewall Zones
Trusted Zone
By default the LAN is trusted.
The trusted zone carries a numerical trust value of 100,
which is the highest level of trust.
Untrusted Zone
The untrusted zone carries a numerical trust value of 0,
which is the lowest level of trust.
A WAN port can only be mapped to an untrusted zone.
6. Types of Firewalls
Software Based Firewalls
Run as an additional program on personal computers.
Known as personal firewalls.
Most SBFs are configured and updated automatically
after installation.
Examples of SBFs are Windows Firewall,
Kaspersky Firewall and Zone Alarm Pro Firewall.
There are also open-source firewalls available,
e.g. OpenWRT, pfSense, Untangle Gateway and IPCop.
7. Types of Firewalls
Hardware Based Firewalls
Hardware based firewalls are the first line of defense against
cyber attacks.
HBFs are more expensive than SBFs.
Traditionally HBFs were only used to carry out packet filtering.
Today HBFs have a built-in Intrusion Detection System and
Intrusion Prevention System (IDS/IPS, together an IDPS).
When the IDPS detects malicious activity it sends an alert, drops
the packet, blocks the source IP and resets the connection.
Some hardware based firewall providers are:
CISCO
ProSafe
D-Link
SonicWall
Netgear
8. Cisco Firewalls
Cisco Firepower 9300 (latest series: 9000 and 4100)
1.2 Tbps clustered throughput
57 million concurrent connections, with application control
500,000 new connections per second
High-end next-generation firewall (NGFW)
9. Firewall Services
The following services are provided by Firewalls:
Packet Filtering
Stateful Packet Inspection
Proxying
Authentication
Logging
Content Filtering
Network Address Translation
10. Packet Filtering
Each incoming data packet is examined by the firewall.
The header of each packet is compared to the pre-configured
set of rules.
An allow or deny decision is made based on the result.
Packet filtering rules match on:
Protocol Type (TCP, IP, UDP, ICMP, ESP, etc.)
Source Address
Source Port
Destination Address
Destination Port
11. Packet Filtering
Packet filtering firewalls work on the Network
Layer (layer 3) and Transport Layer (layer 4) of the
OSI reference model.
12. Stateful Packet Inspection
All packets are examined and the header information
is stored in a dynamic state (session) table.
The state table is used to verify that data packets belong to the
same connection.
The rules of stateful packet inspection match on:
Protocol Type (TCP, IP, UDP, ICMP, ESP, etc.)
Source Address
Source Port
Destination Address
Destination Port
Connection State
13. Stateful Packet Inspection
In the stateful packet inspection technique the firewall
examines the headers of all incoming data packets
from the network layer up to the application
layer of the OSI reference model.
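The following is an added example, not part of the original slides, covering both the packet filtering of slides 10-11 and the stateful inspection of slides 12-13. The `Packet`, `Rule` and `StatefulFirewall` names, the 10.0.0.0/24 LAN, the WAN address 198.51.100.10 and the rules are all constructed for illustration. It runs the same three packets through a stateless rulebase and a stateful one, showing why the stateless design needs a permissive return-traffic rule that the stateful design does not.

```python
"""Added example, not from the slides: a stateless packet filter (header rules,
slides 10-11) beside a stateful firewall that keeps a dynamic state table of
connections (slides 12-13).  Packets, addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "out" = leaving the LAN, "in" = arriving from the WAN
    syn: bool = False    # TCP SYN flag: first packet of a new connection
    fin: bool = False    # TCP FIN flag: connection teardown


@dataclass(frozen=True)
class Rule:
    """One packet-filtering rule; a field left as None matches any value."""
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR block, e.g. "10.0.0.0/24"
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or self.proto == p.proto)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.sport is None or self.sport == p.sport)
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.dport is None or self.dport == p.dport)
            and (self.direction is None or self.direction == p.direction)
        )


def packet_filter(rules, p: Packet) -> str:
    """Stateless filtering: the first matching rule decides, default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: the rulebase is consulted only for new connections;
    later packets are allowed if they belong to an entry in the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # entries: (proto, lan ip, lan port, wan ip, wan port)

    @staticmethod
    def _key(p: Packet):
        # Normalise so a reply from the WAN maps to the same entry as the request.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.state:
            if p.fin:
                self.state.discard(key)   # connection closing: drop the entry
            return "allow"
        if p.proto == "tcp" and not p.syn:
            return "deny"                 # mid-stream TCP packet, no known connection
        action = packet_filter(self.rules, p)
        if action == "allow":
            self.state.add(key)           # remember the connection for its replies
        return action


# Constructed policy: LAN 10.0.0.0/24 may browse to port 80.  The stateless
# rulebase needs a second rule for the replies, which also admits any WAN packet
# with source port 80; the stateful rulebase needs only the outbound rule.
RULES_STATELESS = [
    Rule("allow", proto="tcp", src="10.0.0.0/24", dport=80, direction="out"),
    Rule("allow", proto="tcp", sport=80, dst="10.0.0.0/24", direction="in"),
]
RULES_STATEFUL = [
    Rule("allow", proto="tcp", src="10.0.0.0/24", dport=80, direction="out"),
]

REQUEST = Packet("tcp", "10.0.0.5", 40000, "198.51.100.10", 80, "out", syn=True)
REPLY = Packet("tcp", "198.51.100.10", 80, "10.0.0.5", 40000, "in")
# A WAN host using source port 80 to reach an unrelated LAN service.
UNSOLICITED = Packet("tcp", "198.51.100.10", 80, "10.0.0.7", 445, "in", syn=True)


def compare() -> dict:
    """Run the same three packets through both designs and return the decisions."""
    fw = StatefulFirewall(RULES_STATEFUL)
    packets = (REQUEST, REPLY, UNSOLICITED)
    return {
        "stateless": [packet_filter(RULES_STATELESS, p) for p in packets],
        "stateful": [fw.process(p) for p in packets],
    }
```

`compare()` returns `allow, allow, allow` for the stateless rulebase and `allow, allow, deny` for the stateful one: the state table lets the reply through because the LAN host opened the connection, while the unsolicited packet has no matching entry and no rule permits inbound traffic on its own.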
14. Proxy Services
A proxy/application gateway acts as an intermediary between
the two connections.
Each side can only communicate with the other by going
through the proxy/application gateway.
The proxy/application gateway operates at the Application
Layer (layer 7) of the OSI reference model.
When a client issues a request from an untrusted network,
a connection is established between the client and the
proxy/gateway. The proxy/gateway compares the request
to the set of rules; if it finds the request valid, it sends a
connection request to the destination on behalf of the
client.
15. Proxy Services
Proxy servers also provide some other services:
Logging: proxy servers keep a log of each
communication.
Content Filtering
Authentication
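As an added example (not part of the slides), the following application gateway inspects an HTTP request at layer 7 as slides 14-15 describe: it authenticates the client, applies a content-filtering rule, logs every decision, and builds the request it would send to the destination on the client's behalf. The `Gateway` class, the user `alice`, the hosts `www.example.com` and `tracker.example`, and the allowed-method and port lists are constructed assumptions; the TCP connections on both sides are left out so the policy logic runs offline.

```python
"""Added example, not from the slides: an HTTP application gateway that
inspects requests at layer 7, authenticates, content-filters and logs.  Users,
hosts and requests are constructed sample data; sockets are omitted."""
import base64
import hmac
from urllib.parse import urlsplit

# Constructed credential store (a real gateway stores hashes or uses a directory).
USERS = {"alice": "correct horse battery staple"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_HOSTS = {"tracker.example"}     # content-filtering rule
ALLOWED_PORTS = {80, 443}


def basic_auth_header(user: str, password: str) -> str:
    """Build the Proxy-Authorization value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def sample_request(method: str, url: str, auth: str = "") -> str:
    """Constructed client request in the absolute-URI form sent to a proxy."""
    req = f"{method} {url} HTTP/1.1\r\nHost: {urlsplit(url).hostname}\r\n"
    if auth:
        req += f"Proxy-Authorization: {auth}\r\n"
    return req + "\r\n"


class Gateway:
    def __init__(self):
        self.log = []   # one line per handled request

    def _authenticate(self, headers):
        scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        expected = USERS.get(user)
        # Constant-time comparison so timing does not reveal matching prefixes.
        if expected is not None and hmac.compare_digest(expected, password):
            return user
        return None

    def _deny(self, client_ip, reason, user="-"):
        self.log.append(f"client={client_ip} user={user} deny: {reason}")
        return "deny", reason

    def handle(self, client_ip: str, raw_request: str):
        """Inspect one request; returns ("allow", forwarded request) or ("deny", reason)."""
        lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            return self._deny(client_ip, "malformed request line")
        method, target, version = parts
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()

        user = self._authenticate(headers)
        if user is None:
            return self._deny(client_ip, "authentication required")
        if method not in ALLOWED_METHODS:
            return self._deny(client_ip, f"method {method} not allowed", user)

        url = urlsplit(target)
        host = url.hostname or headers.get("host", "")
        port = url.port or (443 if url.scheme == "https" else 80)
        if host in BLOCKED_HOSTS:
            return self._deny(client_ip, f"host {host} blocked by content filter", user)
        if port not in ALLOWED_PORTS:
            return self._deny(client_ip, f"port {port} not allowed", user)

        # Request sent on the client's behalf: origin-form target, Host header
        # set, proxy-only headers (credentials included) stripped.
        path = url.path or "/"
        if url.query:
            path += "?" + url.query
        out_headers = {k: v for k, v in headers.items() if not k.startswith("proxy-")}
        out_headers["host"] = host
        forwarded = f"{method} {path} {version}\r\n"
        forwarded += "".join(f"{k}: {v}\r\n" for k, v in out_headers.items()) + "\r\n"
        self.log.append(f"client={client_ip} user={user} allow: {method} {host}:{port}{path}")
        return "allow", forwarded
```

Because the gateway terminates the client connection and opens its own, the destination only ever sees the rewritten request: the client's proxy credentials never leave the gateway, and the log records who requested what, which a layer 3/4 filter cannot provide.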
16. NAT (Network Address Translation)
NAT is a method that enables hosts on private networks to
communicate with hosts on the Internet.
NAT is mostly used to translate between public addresses and
private addresses.
NAT can also be used for public-to-public address translation
and private-to-private address translation.
NAT hides the IP addresses and the addressing structure of the
internal network.
In NAT the actual IP address/port used in the internal network
is translated to an outside IP address/port.
This is done by replacing the local IP address in the header
of the data packet with the outside IP address.
17. Types of NAT
Static NAT
Static NAT performs a one-to-one translation between two
addresses, or between a port on one address and a port on
another address.
18. Types of NAT
Static NAT
Static NAT maps a block of external IP addresses to
a block of internal IP addresses of the same size.
Static NAT can map a specific port through the firewall
rather than all ports.
Static NAT allows internal clients to keep their
existing setup information.
Multiple ISPs can be enlisted to provide a degree of
fault-tolerant access to the system. If network
performance or quality degrades, connections can be
switched to another supplier.
19. Dynamic NAT
Dynamic NAT does not perform one-to-one translation but
instead maps a group of internal IP addresses to a
pool of external IP addresses.
20. Dynamic NAT
These mappings can be set to expire if they are not used
within a configurable period of time.
Dynamic NAT works as a firewall between the internal network
and the outside network or Internet.
Dynamic NAT only allows connections that originate
inside the internal domain.
A computer on an external network cannot connect to one
of the internal servers unless the internal node has initiated
the contact.
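The following added example, not taken from the slides, implements the translation behaviour of slides 16-20 in one table: static one-to-one address mappings and a single forwarded port (static NAT), plus dynamic mappings drawn from a pool of external addresses that expire when idle and are created only by traffic leaving the internal network (dynamic NAT). The `NAT` class, the 10.0.0.0/24 internal network and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are constructed; mappings are tracked per address as the slides describe, not per connection, and port translation is not shown.

```python
"""Added example, not from the slides: a NAT table with static one-to-one
mappings, a forwarded port, and a dynamic pool with idle expiry.  Addresses and
packets are constructed sample data; a caller passes the current time."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NAT:
    def __init__(self, pool, idle_timeout):
        self.pool = list(pool)          # free external addresses for dynamic NAT
        self.idle_timeout = idle_timeout
        self.static = {}                # internal ip -> external ip (one to one)
        self.port_forward = {}          # (external ip, proto, port) -> (internal ip, port)
        self.dynamic = {}               # internal ip -> [external ip, last used]

    def add_static(self, internal: str, external: str):
        self.static[internal] = external

    def add_port_forward(self, external, proto, port, internal, internal_port):
        """Static NAT for one port only: the rest of the address stays closed."""
        self.port_forward[(external, proto, port)] = (internal, internal_port)

    def _expire(self, now):
        # Dynamic mappings unused for longer than idle_timeout return to the pool.
        for internal, (external, last) in list(self.dynamic.items()):
            if now - last > self.idle_timeout:
                del self.dynamic[internal]
                self.pool.append(external)

    def outbound(self, p: Packet, now) -> Optional[Packet]:
        """Translate a packet leaving the internal network; None if the pool is empty."""
        self._expire(now)
        if p.src in self.static:
            return replace(p, src=self.static[p.src])
        entry = self.dynamic.get(p.src)
        if entry is None:
            if not self.pool:
                return None             # pool exhausted: no address to translate to
            entry = [self.pool.pop(0), now]
            self.dynamic[p.src] = entry # mapping exists only because the LAN host spoke first
        entry[1] = now
        return replace(p, src=entry[0])

    def inbound(self, p: Packet, now) -> Optional[Packet]:
        """Translate a packet arriving from outside; None means it must be dropped."""
        self._expire(now)
        fwd = self.port_forward.get((p.dst, p.proto, p.dport))
        if fwd:
            return replace(p, dst=fwd[0], dport=fwd[1])
        for internal, external in self.static.items():
            if external == p.dst:
                return replace(p, dst=internal)
        for internal, entry in self.dynamic.items():
            if entry[0] == p.dst:
                entry[1] = now
                return replace(p, dst=internal)
        return None                     # no mapping: outside hosts cannot reach in unsolicited


if __name__ == "__main__":
    nat = NAT(pool=["203.0.113.10"], idle_timeout=60)
    nat.add_static("10.0.0.2", "203.0.113.2")
    print(nat.outbound(Packet("udp", "10.0.0.5", 5353, "198.51.100.1", 53), now=0))
    print(nat.inbound(Packet("udp", "198.51.100.1", 53, "203.0.113.10", 5353), now=10))
    print(nat.inbound(Packet("udp", "198.51.100.1", 53, "203.0.113.10", 5353), now=100))
```

A static entry answers for its external address at any time, which is why a server that must stay reachable keeps its setup information; a dynamic entry answers only while an internal host keeps it alive, which is the firewall-like property the slides attribute to dynamic NAT.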
21. Load Sharing NAT
Load Sharing NAT (LSNAT) distributes session load
across a pool of servers.
LSNAT is most often used in embedded server farms where
a single blade server is unable to handle the increasing
number of clients or sessions.
22. References
Aaron Balchunas, "Intro_firewalls" (routeralely.com)
University of Cambridge, University Information Services (Academic & Infrastructure), "Firewalls and Network Address Translation"
Cisco, Security Guide, Cisco ACE Application Control Engine, "Configuring Network Address Translation"
University of Virginia, Department of Computer Science, "module17-nat"
Cisco NGFW product guide, Firepower 9300, "at-a-glance-c45-734810.pdf", titled "Threat-Centric Security for Service Providers"