WG
Uploaded byWaldemar Gomes
PPT, PDF131 views

Chapter 03

The document discusses different firewall configuration strategies, including restrictive firewalls that block all access by default and connectivity-based firewalls that allow all traffic by default and then block specific types. It describes using security components like screening routers, dual-homed hosts, screened hosts, and DMZs to implement firewall rules and defend against common attacks. The goal is to design perimeter security that integrates firewalls and components to create protected areas according to an organization's security policy and needs.

Embed presentation

Download to read offline
Firewall Configuration Strategies Chapter 3
Learning Objectives Set up firewall rules that reflect an organization’s overall security approach Understand the goals that underlie a firewall’s configuration Identify and implement different firewall configuration strategies Employ methods of adding functionality to your firewall
Establishing Rules and Restrictions for Your Firewall Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File Establishes the order the firewall should follow Tells the firewall which packets should be blocked and which should be allowed Requirements  Need for scalability  Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls Block all access by default; permit only specific types of traffic to pass through
Strategies for Implementing a Security Policy Follow the concept of least privilege Spell out services that employees cannot use Use and maintain passwords Choose an approach  Open  Optimistic  Cautious  Strict  Paranoid
Connectivity-Based Firewalls Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic
Overview to Firewall Configuration Strategies Criteria  Scalable  Take communication needs of individual employees into account  Deal with IP address needs of the organization
Scalability Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity The stronger and more elaborate the firewall, the slower the data transmissions Important features of firewall: processing and memory resources available to the bastion host
Productivity
Dealing with IP Address Issues If service network needs to be privately rather than publicly accessible, which DNS will its component systems use? If you mix public and private addresses, how will Web server and DNS servers communicate? Let the proxy server do the IP forwarding (it’s the security device)
Firewall Configuration Strategies
Firewall Configuration Strategies Settle on general approaches; establish rules for them Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules Use security components to defend against common attacks
Using Security Components to Defend Against Attacks
Screening Router Filters traffic passing between one network and another Simple, minimally secure Two interfaces—external and internal— each with its own unique IP address Performs IP forwarding, based on an access control list (ACL)
Screening Router
Stateful Packet Filtering
Dual-Homed Host A workstation with an internal interface and an external interface to the Internet Disadvantage  Host serves as a single point of entry to the organization
Screened Host Similar to dual-homed host, but the host is dedicated to performing security functions Sits exposed on the perimeter of the network rather than behind the firewall Requires two network connections Also called a dual-homed gateway or bastion host
Screened Host
Two Routers, One Firewall Router positioned on the outside  Performs initial, static packet filtering Router positioned just inside the network  Routes traffic to appropriate computers in the LAN being protected  Can do stateful packet filtering
Two Routers, One Firewall
DMZ Screened Subnet Screened subnet  Network exposed to external network, but partially protected by a firewall Three-pronged firewall  Three network interfaces connect it to:  External network  DMZ  Protected LAN Service network  Screened subnet that contains an organization’s publicly accessible server
DMZ Screened Subnet
Three-Pronged Firewall with Only One Firewall Advantages  Simplification  Lower cost Disadvantages  Complexity  Vulnerability  Performance
Common Service Network Systems Those that contain Web and mail servers Those that contain DNS servers Those that contain tunneling servers
Multiple-Firewall DMZs Achieve the most effective Defense in Depth Help achieve load distribution Added security offsets slowdown in performance Two or more firewalls can be used to protect  Internal network  One DMZ  Two DMZs  Branch offices that need to connect to main office’s internal network
Two Firewalls, One DMZ Two firewalls used to set up three separate networks (tri-homed firewall)  Internal protected network (behind DMZ)  External private network or service network (within DMZ)  External network (outside DMZ) Advantage  Enables control of traffic in the three networks
Two Firewalls, One DMZ
Two Firewalls, Two DMZs Setting up separate DMZs for different parts of the organization helps balance the traffic load between them
Two Firewalls, Two DMZs
Multiple Firewalls to Protect Branch Offices
Load Distribution Through Layering of Firewalls
Reverse Firewalls Inspect and monitor traffic going out of a network rather than trying to block what’s coming in Help block Distributed Denial of Service (DDoS) attacks
Specialty Firewalls Protect specific types of network communications (eg, e-mail, instant-messaging) Examples  Mail Marshal and WebMarshal by Marshal Software  OpenReach includes a small-scale packet-filtering firewall for its VPN  VOISS Proxy Firewall (VF-1) by VocalData  Speedware Corporation sells its own firewall software
Approaches That Add Functionality to a Firewall Network Address Translation (NAT) Encryption Application proxies VPNs Intrusion detection systems (IDSs)
NAT Converts publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
NAT
Encryption Takes a request, turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router Recipient decrypts the message and presents it to the end user in understandable form
Encryption
Application Proxies Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy) Can be set up with either a dual-homed host or a screened host system
Application Proxies Dual-homed setup  Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected Screened subnet system  Host that holds proxy server software has a single network interface  Packet filters on either side of the host filter out all traffic except that destined for proxy server software
Application Proxies on a Dual-Homed Host
VPNs Connect internal hosts with specific clients in other organizations Connections are encrypted and limited only to machines with specific IP addresses VPN gateway can:  Go on a DMZ  Bypass the firewall and connect directly to the internal LAN
VPN Gateway Bypassing the Firewall
Intrusion Detection Systems Can be installed in external and/or internal routers at the perimeter of the network Built into many popular firewall packages
IDS Integrated into Perimeter Routers
IDS Positioned Between Firewall and Internet
Chapter Summary How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components Rules and restrictions that influence configuration of a security perimeter Security configurations that either perform firewall functions or that use firewalls to create protected areas

More Related Content

PDF
session7 Firewalls and VPN
byMustafa Jarrar
 
PDF
Week14 Pre
bys1160247
 
PDF
Firewalls
byDr.Florence Dayana
 
PDF
Firewall architectures
byArun Mahajan
 
PPT
Dmz
byأحلام انصارى
 
PPTX
Firewall and It's Types
byHem Pokhrel
 
PPT
Firewall
bylmbriscoe
 
PPT
Firewall
bynayakslideshare
 
session7 Firewalls and VPN
byMustafa Jarrar
 
Week14 Pre
bys1160247
 
Firewalls
byDr.Florence Dayana
 
Firewall architectures
byArun Mahajan
 
Dmz
byأحلام انصارى
 
Firewall and It's Types
byHem Pokhrel
 
Firewall
bylmbriscoe
 
Firewall
bynayakslideshare
 

What's hot

PPT
Firewall Architecture
byYovan Chandel
 
PPT
Firewals in Network Security NS10
bykoolkampus
 
PPTX
Firewall
bySaurabh Chauhan
 
PPT
Firewalls
byRam Dutt Shukla
 
PPT
Network Security
byphanleson
 
PPTX
Linux and firewall
byMhmud Khraibene
 
PPT
Windows 7 firewall & its configuration
bySoban Ahmad
 
PPTX
firewall and its types
byMohammed Maajidh
 
PDF
Network firewall function & benefits
byAnthony Daniel
 
PPTX
Firewall
byShivank Shah
 
PPT
Firewall protection
byVC Infotech
 
PPTX
Firewalls
byvaishnavi
 
PPT
Lecture 4 firewalls
byrajakhurram
 
PPTX
Firewall & packet filter new
byKarnav Rana
 
PPTX
Firewall and vpn
byJoseph Sebastian
 
PPT
Firewall intro
byamar_panchal
 
DOCX
Firewall configuration
byNutan Kumar Panda
 
PDF
Firewall fundamentals
byThang Man
 
DOCX
Firewall
bysyeda zoya mehdi
 
PPTX
Firewall presentation
byyogendrasinghchahar
 
Firewall Architecture
byYovan Chandel
 
Firewals in Network Security NS10
bykoolkampus
 
Firewall
bySaurabh Chauhan
 
Firewalls
byRam Dutt Shukla
 
Network Security
byphanleson
 
Linux and firewall
byMhmud Khraibene
 
Windows 7 firewall & its configuration
bySoban Ahmad
 
firewall and its types
byMohammed Maajidh
 
Network firewall function & benefits
byAnthony Daniel
 
Firewall
byShivank Shah
 
Firewall protection
byVC Infotech
 
Firewalls
byvaishnavi
 
Lecture 4 firewalls
byrajakhurram
 
Firewall & packet filter new
byKarnav Rana
 
Firewall and vpn
byJoseph Sebastian
 
Firewall intro
byamar_panchal
 
Firewall configuration
byNutan Kumar Panda
 
Firewall fundamentals
byThang Man
 
Firewall
bysyeda zoya mehdi
 
Firewall presentation
byyogendrasinghchahar
 

Similar to Chapter 03

PPT
Presentation, Firewalls
bykkkseld
 
PPT
Presentation, Firewalls
bykkkseld
 
PPTX
UNIT-4 network information security ID system
byagasyabutolia
 
PPT
Firewalls
byUniversity of Central Punjab
 
PPTX
Firewall
byIdris Shah
 
PPT
Firewall in tell communication_Basics.ppt
byMohammedAli580048
 
PPTX
firrewall and intrusion prevention system.pptx
byfatimagull32
 
PPT
firewall.ppt
byssuser530a07
 
PPTX
Computing security ppt for firewall and its application.pptx
byStargaze4
 
PPTX
Firewall
byAravindharamanan S
 
PPT
Firewalls (1056778990099000000000000).ppt
byTamilArasan564275
 
PPT
Unified Threat Management
byTapas Shome
 
PPT
Network security
byVikas Jagtap
 
PPT
Day4
byJai4uk
 
PPT
Network security
byPresentaionslive.blogspot.com
 
PPT
chapter22-Network and Security-By-MIT.ppt
byKamranHussainAwan
 
PPTX
Firewalls - 24.pptx_____________________
byarjunpanditarjunpand
 
PPTX
firewall filtering and communication domain
byMohammedAli580048
 
PPTX
Firewall ( Cyber Security)
byJainam Shah
 
PPT
Firewall
bythinkahead.net
 
Presentation, Firewalls
bykkkseld
 
Presentation, Firewalls
bykkkseld
 
UNIT-4 network information security ID system
byagasyabutolia
 
Firewalls
byUniversity of Central Punjab
 
Firewall
byIdris Shah
 
Firewall in tell communication_Basics.ppt
byMohammedAli580048
 
firrewall and intrusion prevention system.pptx
byfatimagull32
 
firewall.ppt
byssuser530a07
 
Computing security ppt for firewall and its application.pptx
byStargaze4
 
Firewall
byAravindharamanan S
 
Firewalls (1056778990099000000000000).ppt
byTamilArasan564275
 
Unified Threat Management
byTapas Shome
 
Network security
byVikas Jagtap
 
Day4
byJai4uk
 
Network security
byPresentaionslive.blogspot.com
 
chapter22-Network and Security-By-MIT.ppt
byKamranHussainAwan
 
Firewalls - 24.pptx_____________________
byarjunpanditarjunpand
 
firewall filtering and communication domain
byMohammedAli580048
 
Firewall ( Cyber Security)
byJainam Shah
 
Firewall
bythinkahead.net
 

Recently uploaded

PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PPTX
Computer Science Degree for College .pptx
byHanenek1
 
PPTX
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PPTX
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
Top 5 Snapchat Tracker Apps for Safe and Responsible Monitoring
byMichael Carter
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
PPTX
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPT
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
Computer Science Degree for College .pptx
byHanenek1
 
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Top 5 Snapchat Tracker Apps for Safe and Responsible Monitoring
byMichael Carter
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
mc l2 Overview of Computer and Web-Technology.pptx
byavanikharde
 
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Lecture_3 Network Securityeyeyggegeg.ppt
bysawsan202
 

Chapter 03

  • 1.
  • 2.
    Learning Objectives Set upfirewall rules that reflect an organization’s overall security approach Understand the goals that underlie a firewall’s configuration Identify and implement different firewall configuration strategies Employ methods of adding functionality to your firewall
  • 3.
    Establishing Rules and Restrictionsfor Your Firewall Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them All firewalls have a rules file—the most important configuration file on the firewall
  • 4.
    The Role ofthe Rules File Establishes the order the firewall should follow Tells the firewall which packets should be blocked and which should be allowed Requirements  Need for scalability  Importance of enabling productivity of end users while maintaining adequate security
  • 5.
    Restrictive Firewalls Block allaccess by default; permit only specific types of traffic to pass through
  • 6.
    Strategies for Implementinga Security Policy Follow the concept of least privilege Spell out services that employees cannot use Use and maintain passwords Choose an approach  Open  Optimistic  Cautious  Strict  Paranoid
  • 7.
    Connectivity-Based Firewalls Have fewerrules; primary orientation is to let all traffic pass through, then block specific types of traffic
  • 8.
    Overview to Firewall ConfigurationStrategies Criteria  Scalable  Take communication needs of individual employees into account  Deal with IP address needs of the organization
  • 9.
    Scalability Provide for thefirewall’s growth by recommending a periodic review and upgrading software and hardware as needed
  • 10.
    Productivity The stronger andmore elaborate the firewall, the slower the data transmissions Important features of firewall: processing and memory resources available to the bastion host
  • 11.
  • 12.
    Dealing with IPAddress Issues If service network needs to be privately rather than publicly accessible, which DNS will its component systems use? If you mix public and private addresses, how will Web server and DNS servers communicate? Let the proxy server do the IP forwarding (it’s the security device)
  • 13.
  • 14.
    Firewall Configuration Strategies Settleon general approaches; establish rules for them Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules Use security components to defend against common attacks
  • 15.
    Using Security Componentsto Defend Against Attacks
  • 16.
    Screening Router Filters trafficpassing between one network and another Simple, minimally secure Two interfaces—external and internal— each with its own unique IP address Performs IP forwarding, based on an access control list (ACL)
  • 17.
  • 18.
  • 19.
    Dual-Homed Host A workstationwith an internal interface and an external interface to the Internet Disadvantage  Host serves as a single point of entry to the organization
  • 20.
    Screened Host Similar todual-homed host, but the host is dedicated to performing security functions Sits exposed on the perimeter of the network rather than behind the firewall Requires two network connections Also called a dual-homed gateway or bastion host
  • 21.
  • 22.
    Two Routers, OneFirewall Router positioned on the outside  Performs initial, static packet filtering Router positioned just inside the network  Routes traffic to appropriate computers in the LAN being protected  Can do stateful packet filtering
  • 23.
  • 24.
    DMZ Screened Subnet Screenedsubnet  Network exposed to external network, but partially protected by a firewall Three-pronged firewall  Three network interfaces connect it to:  External network  DMZ  Protected LAN Service network  Screened subnet that contains an organization’s publicly accessible server
  • 25.
  • 26.
    Three-Pronged Firewall withOnly One Firewall Advantages  Simplification  Lower cost Disadvantages  Complexity  Vulnerability  Performance
  • 27.
    Common Service Network Systems Thosethat contain Web and mail servers Those that contain DNS servers Those that contain tunneling servers
  • 28.
    Multiple-Firewall DMZs Achieve themost effective Defense in Depth Help achieve load distribution Added security offsets slowdown in performance Two or more firewalls can be used to protect  Internal network  One DMZ  Two DMZs  Branch offices that need to connect to main office’s internal network
  • 29.
    Two Firewalls, OneDMZ Two firewalls used to set up three separate networks (tri-homed firewall)  Internal protected network (behind DMZ)  External private network or service network (within DMZ)  External network (outside DMZ) Advantage  Enables control of traffic in the three networks
  • 30.
  • 31.
    Two Firewalls, TwoDMZs Setting up separate DMZs for different parts of the organization helps balance the traffic load between them
  • 32.
  • 33.
    Multiple Firewalls toProtect Branch Offices
  • 34.
  • 35.
    Reverse Firewalls Inspect andmonitor traffic going out of a network rather than trying to block what’s coming in Help block Distributed Denial of Service (DDoS) attacks
  • 36.
    Specialty Firewalls Protect specifictypes of network communications (eg, e-mail, instant-messaging) Examples  Mail Marshal and WebMarshal by Marshal Software  OpenReach includes a small-scale packet-filtering firewall for its VPN  VOISS Proxy Firewall (VF-1) by VocalData  Speedware Corporation sells its own firewall software
  • 37.
    Approaches That Add Functionalityto a Firewall Network Address Translation (NAT) Encryption Application proxies VPNs Intrusion detection systems (IDSs)
  • 38.
    NAT Converts publicly accessibleIP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
  • 39.
  • 40.
    Encryption Takes a request,turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router Recipient decrypts the message and presents it to the end user in understandable form
  • 41.
  • 42.
    Application Proxies Act onbehalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy) Can be set up with either a dual-homed host or a screened host system
  • 43.
    Application Proxies Dual-homed setup Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected Screened subnet system  Host that holds proxy server software has a single network interface  Packet filters on either side of the host filter out all traffic except that destined for proxy server software
  • 44.
    Application Proxies ona Dual-Homed Host
  • 45.
    VPNs Connect internal hostswith specific clients in other organizations Connections are encrypted and limited only to machines with specific IP addresses VPN gateway can:  Go on a DMZ  Bypass the firewall and connect directly to the internal LAN
  • 46.
  • 47.
    Intrusion Detection Systems Canbe installed in external and/or internal routers at the perimeter of the network Built into many popular firewall packages
  • 48.
    IDS Integrated intoPerimeter Routers
  • 49.
    IDS Positioned BetweenFirewall and Internet
  • 50.
    Chapter Summary How todesign perimeter security for a network that integrates firewalls with a variety of other software and hardware components Rules and restrictions that influence configuration of a security perimeter Security configurations that either perform firewall functions or that use firewalls to create protected areas