2. What is a Firewall?
Acts as a security gateway between two networks
Usually sits between a trusted and an untrusted network (such as between an organization's network and the Internet)
Diagram: internal network, firewall gateway, Internet
3. What is a Firewall?
Tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control)
Diagram: firewall between the internal network and the Internet, with the rules "Allow traffic to Internet" and "Block traffic from Internet"
4. What is a Firewall?
A choke point of control and monitoring
Interconnects networks with differing trust levels
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can raise alarms for abnormal behavior
Must itself be hardened against compromise (immune to penetration)
Provides perimeter defence
5. Why Firewalls are Needed
Prevent attacks from untrusted networks
Protect data integrity of critical information
Preserve customer and partner confidence
6. Implementation of Firewalls
A firewall may be implemented as a standalone hardware device or as software on a client computer or a proxy server
• The two types of firewall are generally known as the hardware firewall and the software firewall
A firewall that stands between two networks inspects each packet that is about to pass between the networks and allows or blocks the packet based on the rules configured for the firewall
7. General Firewall Features
Port Control
Network Address Translation
Application Monitoring (Program Control)
Packet Filtering
Data encryption
Reporting/logging
E-mail virus protection
Pop-up ad blocking
Cookie digestion
Spyware protection
(the last four are features of personal/desktop firewall suites rather than of the firewall function itself)
9. SRX High End Portfolio
SRX 3600
SRX 3400
SRX 5600
SRX 5800
10. SRX Branch Portfolio
Small Office: SRX100
Small to Medium Office: SRX210, SRX220, SRX240
Large Branch/Regional Office: SRX650
11. SRX Series—Firewall, Zones, & Policies
Diagram: an SRX connecting the zones "UNTRUST" (Internet), "Trust", "Accounting" and "Guest"; each zone is an originating zone for traffic toward the others, and traffic between zones is governed by policies such as "Policy—Deny All" and "Policy—Allow All"
12. Security Zone
A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies
Transit traffic enters the device on an interface in one security zone and leaves on an interface in another security zone; the (from-zone, to-zone) pair determines which set of policies is evaluated
13. Types
Functional Zone
• Used for special purposes, like management interfaces
• Cannot be referenced in security policies and does not carry transit traffic
Security Zone
• Logical entities to which one or more interfaces are bound
• Building blocks for policies
Trust Zone / Untrust Zone
• Ordinary security zones that are predefined in the factory-default configuration
• Used for the initial connection to the device
14. Zone Config
Configuring Host Inbound Traffic
Traffic addressed to the device itself (SSH, ping, routing protocols, and so on) arriving on a zone's interfaces is dropped by default
Protects the device against attacks launched from systems in that zone
Can be enabled per zone or per interface, so a service may be accepted on one interface of a zone and refused on the others
Must explicitly enable all expected host-inbound traffic (system-services and protocols)
Zone Creation
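The following Junos configuration is an added example, not taken from the slides, showing zone creation together with host-inbound-traffic: a management functional zone, a trust zone with zone-wide and interface-specific host-inbound services, and an untrust zone that accepts nothing addressed to the SRX itself. Interface names (ge-0/0/0 to ge-0/0/3) and the chosen services are assumptions.

```junos
/* Added example: zones and host-inbound-traffic on an SRX.
   Interface assignments and the enabled services are assumptions. */
security {
    zones {
        /* Functional zone: management traffic only; cannot be named in a policy
           and never forwards transit traffic. ge-0/0/3 is an assumed OOB port. */
        functional-zone management {
            interfaces {
                ge-0/0/3.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                }
            }
        }
        security-zone trust {
            /* Zone-wide: inside hosts may ping the SRX and get DHCP from it */
            host-inbound-traffic {
                system-services {
                    ping;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/1.0;
                /* Interface-level: SSH to the SRX is accepted only on this segment,
                   in addition to the zone-wide ping and dhcp */
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            /* No host-inbound-traffic stanza: every packet destined to the SRX
               on this interface is dropped; transit traffic is still subject to policies */
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

After committing, `show security zones trust` lists the allowed host-inbound services per zone and per interface. Because the default is "drop everything addressed to the device", a mistake here can lock you out of the box you are configuring, so apply changes with `commit confirmed` and only make them permanent once your own management session is known to survive.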
15. Security Policies
• Required to allow traffic to pass from one security zone to another; each direction of initiation is its own policy context
Zone A to Zone B
Zone B to Zone A
• Return traffic of a permitted session is allowed by the session state, not by a second policy
16. Security Policies
Policies perform the actions on the traffic attempting to cross from one security zone to another
• Deny (drop silently)
• Permit
• Reject (drop and return a TCP RST or ICMP unreachable to the source)
• Encrypt
• Decrypt
• Authenticate
• Prioritize
• Filter
• Monitor
17. Security Policies
Each policy is defined by the following match criteria:
A source zone
A destination zone
One or more source address names/address set names
One or more destination address names/address set names
One or more application names/application set names
18. Security Policy Conceptual Example
Security Policy (from Private zone to External zone):
If Source IP address = Host B
  and Destination IP address = Host D
  and Application = SSH
then permit traffic
Steps:
1. Host B initiates SSH to Host D (flow B -> D)
2. Security policy permits that flow
3. The flow triggers reverse flow creation; both flows result in a formed session
4. The return traffic, Host D -> Host B, receives permission also
Diagram: SRX connecting the Private Zone (Host B), the Public Zone (Host A) and the External Zone (Host D, Internet); Host C is also shown
Session Table (Prot 6 = TCP):
  Source Address  Source Port  Prot  Destination Address  Destination Port  Int
  B               29200        6     D                    22                ge-0/0/0
  D               22           6     B                    29200             ge-1/0/0
19. Scenario
Hosts A, B, C and D
Devise security policies according to the following criteria:
Host A will be able to communicate with Host C and Host D
Host B can communicate with Host C and vice versa
Host C can communicate with Host D
Host D can communicate with all on SMTP except Host B
Host D can only accept SMTP traffic
20. Scenario
From Host   To Host   Application   Action
Host A      Host C    Any           Permit
Host A      Host D    SMTP          Permit
Host B      Host C    Any           Permit
Host C      Host B    Any           Permit
Host C      Host D    SMTP          Permit
Host D      Host B    Any           Deny
Any         Host D    SMTP          Permit
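The Junos configuration below is an added example, not part of the slide deck, that turns the table above into SRX zone-to-zone policies and at the same time shows the session behaviour described in the conceptual example of slide 18. Zone placement is an assumption (Hosts A and B in zone "private", Host C in "dmz", Host D in "external"), and all addresses, interface names and policy names are invented.

```junos
/* Added example: SRX policies implementing the scenario table.
   Assumed zones: A, B -> private; C -> dmz; D -> external.
   Addresses, interfaces and policy names are made up. */
security {
    address-book {
        global {
            address host-a 10.1.0.10/32;
            address host-b 10.1.0.20/32;
            address host-c 10.2.0.30/32;
            address host-d 203.0.113.40/32;
        }
    }
    zones {
        security-zone private { interfaces { ge-0/0/1.0; } }
        security-zone dmz { interfaces { ge-0/0/2.0; } }
        security-zone external { interfaces { ge-0/0/0.0; } }
    }
    policies {
        /* Rows: A -> C any, B -> C any */
        from-zone private to-zone dmz {
            policy a-to-c { match { source-address host-a; destination-address host-c; application any; } then { permit; } }
            policy b-to-c { match { source-address host-b; destination-address host-c; application any; } then { permit; } }
        }
        /* Row: C -> B any ("vice versa" needs its own context; B -> C replies are covered by the session) */
        from-zone dmz to-zone private {
            policy c-to-b { match { source-address host-c; destination-address host-b; application any; } then { permit; } }
        }
        /* Rows: A -> D SMTP, Any -> D SMTP. Evaluation is first match, top down,
           so the Any row is placed last; session logging shows both flows of a session. */
        from-zone private to-zone external {
            policy a-to-d-smtp { match { source-address host-a; destination-address host-d; application junos-smtp; } then { permit; log { session-init; session-close; } } }
            policy any-to-d-smtp { match { source-address any; destination-address host-d; application junos-smtp; } then { permit; } }
        }
        /* Rows: C -> D SMTP, Any -> D SMTP */
        from-zone dmz to-zone external {
            policy c-to-d-smtp { match { source-address host-c; destination-address host-d; application junos-smtp; } then { permit; } }
            policy any-to-d-smtp { match { source-address any; destination-address host-d; application junos-smtp; } then { permit; } }
        }
        /* Row: D -> B any deny; logged so the attempts appear in the audit trail */
        from-zone external to-zone private {
            policy deny-d-to-b { match { source-address host-d; destination-address host-b; application any; } then { deny; log { session-init; } } }
        }
        /* Everything not matched above is dropped */
        default-policy { deny-all; }
    }
}
```

Two things a practitioner should check against the criteria. First, the "Any -> Host D SMTP" row also admits Host B, since B falls under "any": `show security match-policies from-zone private to-zone external source-ip 10.1.0.20 destination-ip 203.0.113.40 source-port 40000 destination-port 25 protocol tcp` reports `any-to-d-smtp` as the matching policy. Second, the table carries no row for Host D initiating SMTP to A or C, so with `default-policy deny-all` those sessions are dropped; if the criterion "D can communicate with all on SMTP except B" means D originating SMTP, add permit policies in the external-to-private and external-to-dmz contexts. Once an SMTP session is established, `show security flow session destination-port 25` lists its forward and reverse flows, the same two-wing session formation the conceptual example in slide 18 describes.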