Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Firewall Essentials


Published on

Firewall training

Published in: Technology

Firewall Essentials

  1. 1. Firewall Essentials By Sylvain Maret / Datelec Networks SA March 2000
  2. 2. Welcome to Introduction to Firewall Essentials This course is intended to provide you with an understanding of key concepts and theories associated with firewalls, security policies and attacks directed toward your network.
  3. 3. Course Objectives <ul><li>Understand firewall basics, including the definition of a firewall, firewall functions and the need for firewalls </li></ul><ul><li>Understand firewall technologies, including TCP/IP basics, routers and application-level gateways (proxies) </li></ul>
  4. 4. Course Objectives (cont.) <ul><li>Understand security hazards </li></ul><ul><li>Understand cryptography, including the need for encryption and virtual private networks (VPNs) </li></ul>
  5. 5. Course Map <ul><li>Firewall Essentials </li></ul><ul><ul><li>Unit I </li></ul></ul><ul><ul><ul><li>Chapter 1: What is a Firewall? </li></ul></ul></ul><ul><ul><ul><li>Chapter 2: Types of Firewalls </li></ul></ul></ul><ul><ul><ul><li>Chapter 3: How Firewalls Work </li></ul></ul></ul>
  6. 6. Course Map <ul><li>Firewall Essentials </li></ul><ul><ul><li>Unit II </li></ul></ul><ul><ul><ul><li>Chapter 1: The Need for a Firewall </li></ul></ul></ul><ul><ul><ul><li>Chapter 2: Security Hazards </li></ul></ul></ul>
  7. 7. Course Map <ul><li>Firewall Essentials </li></ul><ul><ul><li>Unit III </li></ul></ul><ul><ul><ul><li>Chapter 1: Firewall Features </li></ul></ul></ul><ul><ul><ul><li>Chapter 2: Security Policies </li></ul></ul></ul><ul><li>Open Discussion </li></ul>
  8. 8. Unit I - Chapter 1 What is a Firewall? Firewall Essentials
  9. 9. Securing a Network Firewall Visiting Packets
  10. 10. <ul><li>Placed at the entrance to an organization’s intranet </li></ul><ul><li>Placed inside an internal network </li></ul><ul><li>Placed between RAS and internal network </li></ul><ul><li>It is the check point for communication to an outside network </li></ul>Firewall Location
  11. 11. Company intranet Firewall Router Restricted Network Corporate Data Center Firewall Internet Firewall Location Firewall
  12. 12. <ul><li>Network packet (level 3) </li></ul><ul><li>Network session (level 7) </li></ul>Communicating Across a Network
  13. 13. <ul><li>Contains all the information required to route it to the final destination </li></ul><ul><li>Contains the information to deliver it to the correct application on the destination system </li></ul><ul><li>Requires five specific pieces of information for routing </li></ul>Network Packet
  14. 14. IP Packet Components U. S. Mail Address Components Comments Destination IP address Street address and zip code Each host on an IP Internet or intranet must have a unique IP address Protocol Organization name The standard protocols above IP are TCP and UDP Destination port number Recipient name Identifies the network application to receive the packet Source IP address Sender’s return address So the application knows where to send replies Source port number Sender’s name To identify the application of the sending host for return packets Comparing IP Packet with a Letter Address
  15. 15. <ul><li>Network - similar to a zip code, the primary information used by routers to deliver the packet to the correct LAN </li></ul><ul><li>Host - similar to a letter address, directs the packet to the correct host on the LAN </li></ul>Division of IP Address
  16. 16. LAN LAN To: “ Mailing” a Letter
  17. 17. <ul><li>The total data sent between an initial request and the completion of that request </li></ul><ul><li>Evident at the user or application level of the protocol stack </li></ul>Network Session
  18. 18. <ul><li>Access Control </li></ul><ul><li>Authentication </li></ul><ul><li>Activity Logging </li></ul><ul><li>Other Firewall Services </li></ul>Standard Firewall Services
  19. 19. <ul><li>Allows the firewall to consider the network interface where the packet enters </li></ul><ul><li>Prevents or limits IP spoofing </li></ul><ul><li>“ Don’t talk to me unless I talk to you first” </li></ul>Access Control
  20. 20. <ul><li>Standards have usually relied on passwords or smartcards or token </li></ul><ul><li>No based on IP address but user level </li></ul>Authentication
  21. 21. <ul><li>Allows the firewall to record information concerning all successful and failed session attempts </li></ul><ul><li>Referred to as an audit log </li></ul>Activity Logging
  22. 22. <ul><li>Proxy Applications </li></ul><ul><li>Virus Scanning </li></ul><ul><li>Address Mapping </li></ul><ul><li>Virtual Private Networks (VPN) </li></ul>Other Firewall Services
  23. 23. <ul><li>Three classes of firewall administrator interfaces: </li></ul><ul><ul><li>Text-file based administration </li></ul></ul><ul><ul><li>Text-menu based administration </li></ul></ul><ul><ul><li>GUI-based administration </li></ul></ul>Firewall Administration Interfaces
  24. 24. <ul><li>Popular in routers and homegrown firewalls </li></ul><ul><li>Interface of choice for UNIX administrators </li></ul><ul><li>Easier to make errors </li></ul>Text-File Based Administration
  25. 25. <ul><li>Reduces likelihood of errors </li></ul><ul><li>Less flexibility of control </li></ul><ul><li>Limited visual feedback to changes made </li></ul>Text-Menu Based Administration
  26. 26. <ul><li>Most prominent </li></ul><ul><li>Easier to use </li></ul><ul><li>Less prone to errors </li></ul>GUI-Based Administration
  27. 27. <ul><li>A firewall can reduce the vulnerabilities on a network, not eliminate them </li></ul><ul><li>Firewalls act as filters </li></ul>Actual Security Provided
  28. 28. Unit I - Chapter 2 Types of Firewalls Firewall Essentials
  29. 29. <ul><li>Packet Filter </li></ul><ul><li>Application-Level Gateway </li></ul><ul><li>Stateful Inspection </li></ul>Three Basic Types of Firewalls
  30. 30. <ul><li>Referred to as filtering routers with a set of simple rules </li></ul><ul><li>Determines whether a packet should pass based on the source and destination information within the packet </li></ul><ul><li>Process is performed at the kernel level </li></ul>Packet Filter Firewall
  31. 31. <ul><li>Less secure than application-level gateway firewalls </li></ul>Packet Filter Firewall (cont.)
  32. 32. Packet Filter Application Level Kernel Level Filter Route DROP PASS Packets Network 1 Network 2 Network 3 Packet Filtering Firewall
  33. 33. <ul><li>Does not allow packets to pass directly between networks </li></ul><ul><li>Original connections are made to a proxy on the firewall </li></ul>Application-level Gateway Firewall
  34. 34. <ul><li>Requires a separate application for each network service </li></ul><ul><ul><li>TELNET </li></ul></ul><ul><ul><li>FTP </li></ul></ul><ul><ul><li>E-mail </li></ul></ul><ul><ul><li>WWW </li></ul></ul>Application-level Gateway Firewall (cont.)
  35. 35. Application-Level Gateway Application Level Kernel Level Route Packets Network 1 Network 2 Network 3 Proxy Proxy Application-level Gateway Firewall
  36. 36. <ul><li>Ensures the highest level of firewall security by performing the following functions: </li></ul><ul><ul><li>Accessing, analyzing and utilizing communication information </li></ul></ul><ul><ul><li>Communication-derived state </li></ul></ul><ul><ul><li>Application-derived state </li></ul></ul><ul><ul><li>Information Manipulation </li></ul></ul>Stateful Packet Filtering
  37. 37. <ul><li>Communication information </li></ul><ul><ul><li>Information from all seven layers of the packet </li></ul></ul>Stateful Inspection
  38. 38. <ul><li>Communication-derived state </li></ul><ul><ul><li>State information derived from previous communications </li></ul></ul>Stateful Inspection
  39. 39. <ul><li>Application-derived state </li></ul><ul><ul><li>State information derived from other applications </li></ul></ul>Stateful Inspection
  40. 40. <ul><li>Information manipulation </li></ul><ul><ul><li>Evaluation of flexible expressions based on the following: </li></ul></ul><ul><ul><ul><li>communication information </li></ul></ul></ul><ul><ul><ul><li>communication-derived state </li></ul></ul></ul><ul><ul><ul><li>application-derived state </li></ul></ul></ul>Stateful Inspection
  41. 41. Inspect Engine Dynamic State Tables Application Presentation Session Transport Network DataLink Physical Application Presentation Session Transport DataLink Physical Network Application Presentation Session Transport Network DataLink Physical Check Point’s FireWall-1 Stateful Inspection
  42. 42. Comparison of Firewall Architecture
  43. 43. Unit I - Chapter 3 How Firewalls Work Firewall Essentials
  44. 44. <ul><li>Identify the packet processing locations on a firewall </li></ul><ul><li>Describe packet filtering and its limitations </li></ul><ul><li>Describe proxy applications and their limitations </li></ul><ul><li>Identify user authentication </li></ul><ul><li>Describe firewall auditing </li></ul>How Firewalls Work: Objectives
  45. 45. <ul><li>Application Level </li></ul><ul><ul><li>Proxy services </li></ul></ul><ul><li>Kernel Level </li></ul><ul><ul><li>Routers and host-based packet filters </li></ul></ul><ul><li>Network Interface Card (NIC) Level </li></ul>Packet Processing Locations
  46. 46. Application Kernel Network Cards Proxy Application Level Kernel Level Network Card Level Possible Firewall Processing Locations - Packet Processing Locations Within a Firewall
  47. 47. <ul><li>May occur at any one of the processing locations </li></ul><ul><li>Most often supported at the NIC or kernel level </li></ul><ul><li>Passes or drops packet based on source and destination IP addressing </li></ul>Packet Filtering
  48. 48. Field Purpose Source IP address Destination IP address Upper level protocol TCP source port number TCP destination port number Host address of sender Host address of service provider Different protocols offer different services A random number greater than 1024 Indicates service such as Telnet or HTTP Fields of Interest for Packet Filtering
  49. 49. HTTP Filtering Router HTTP Packet + FTP Packet X Pass Drop X X X
  50. 50. Rule Number 1 Source Address Destination Address Protocol Source Port Number Action 2 3 4 5 10.56. * 10.122. * * * * 10.122. * 10.56. * 10.56. * * * TCP TCP TCP * * * 23 * * Drop Pass Pass Pass Drop Example Rule List
  51. 51. Match Rule # Source Address Destination Address Protocol Source Port Number Action Taken TCP TCP other TCP TCP 23567 6723 23568 23 1543 23 (Telnet) 23 (Telnet) 23 (Telnet) 98455 25 (mail) Pass Drop Drop Pass Pass Destination Port Number 2 1 5 3 4 Example Packets and Resulting Actions
  52. 52. <ul><li>Some rules could leave open doors to the network </li></ul><ul><li>Difficult to determine examine exactly what the rules permit </li></ul>Limitations of Packet Filtering
  53. 53. <ul><li>Applications on proxy gateways that act on behalf of the user requesting service through the firewall </li></ul>Proxy Applications
  54. 54. Application-level Gateway Application Level Kernel Level 2 Authorization Database Proxy 2 1 3 4 User Destination Host Connection Process Using an Application-level Gateway
  55. 55. <ul><li>1 User first establishes a connection to the proxy application on the firewall </li></ul><ul><li>2 The proxy application gathers information concerning the connection and the requesting user </li></ul>Connection Process
  56. 56. <ul><li>3 This information is used to determine whether the request should be permitted - if approved, the proxy creates another connection from the firewall to the intended destination </li></ul>Connection Process (cont.)
  57. 57. <ul><li>4 The proxy shuttles the user data from one connection to the other </li></ul>Connection Process (cont.)
  58. 58. <ul><li>Initial connection must go through the proxy application on the firewall, not to the intended destination </li></ul><ul><li>Proxy application must obtain the IP address of the intended destination </li></ul>Proxy Challenges
  59. 59. <ul><li>Direct Connection </li></ul><ul><li>Modified Client </li></ul><ul><li>Invisible Proxy </li></ul>Proxy Connections
  60. 60. <ul><li>Connect directly to the firewall proxy using the address of the firewall and the port number of the proxy </li></ul><ul><li>Least preferred method </li></ul><ul><li>Requires two addresses for each connection: </li></ul><ul><ul><li>Address of firewall </li></ul></ul><ul><ul><li>Address of the intended destination </li></ul></ul>Direct Connection
  61. 61. <ul><li>Applications are executed client-side, at the user’s computer </li></ul><ul><li>Effective and transparent </li></ul><ul><li>The need to have a modified client application for each network service is a significant drawback </li></ul>Modified Client
  62. 62. <ul><li>No need to modify client applications </li></ul><ul><li>Users don’t have to direct their communication to the firewall </li></ul><ul><li>Packets are automatically redirected to an awaiting proxy as they enter the firewall </li></ul>Invisible Proxy
  63. 63. <ul><li>New applications must be developed for each supported service </li></ul>Proxy Limitations
  64. 64. <ul><li>Three traditional methods for verifying someone’s identity: </li></ul><ul><ul><li>“ Something known” - a password </li></ul></ul><ul><ul><li>“ Something possessed” - a key to a lock, or a smartcard </li></ul></ul><ul><ul><li>“ Something embodied” - fingerprint or retinal scan </li></ul></ul>User Authentication
  65. 65. <ul><li>Information provided by log files: </li></ul><ul><ul><li>Time and date of session start </li></ul></ul><ul><ul><li>Time and date of session end </li></ul></ul><ul><ul><li>Source host address </li></ul></ul><ul><ul><li>Destination host address </li></ul></ul>Activity Logging
  66. 66. <ul><li>Information provided by log files (cont.): </li></ul><ul><ul><li>Protocol </li></ul></ul><ul><ul><li>Destination Port </li></ul></ul><ul><ul><li>Action taken - accepted or denied </li></ul></ul><ul><ul><li>User name - if authentication used </li></ul></ul>Activity Logging (cont.)
  67. 67. <ul><li>Administrators may review the logs to look for suspicious activities: </li></ul><ul><ul><li>Repeated failed connection attempts </li></ul></ul><ul><ul><li>Flood of allowed connection attempts going to the same host </li></ul></ul><ul><ul><li>Connections made at odd hours </li></ul></ul><ul><ul><li>Multiple failed authentication attempts </li></ul></ul>Audit Information
  68. 68. Unit II - Chapter 1 The Need for a Firewall Firewall Essentials
  69. 69. <ul><li>Intranet </li></ul><ul><li>Internet Services </li></ul><ul><li>RAS </li></ul><ul><li>Financial connection (Reuters, Bloomberg, etc) </li></ul><ul><li>Extranet </li></ul><ul><li>etc. </li></ul>Firewall need (discussion)
  70. 70. Lab 1 What Firewall is Best?
  71. 71. Discussion Lab Company intranet Restricted Network Corporate Data Center Internet Place firewall(s) in this network.
  72. 72. Discussion lab <ul><li>Internet connection </li></ul><ul><ul><li>Email, ftp, dns, web public </li></ul></ul><ul><ul><li>Web surfing and ftp </li></ul></ul><ul><li>Intranet </li></ul><ul><ul><li>Oracle server </li></ul></ul>
  73. 73. Company intranet Firewall Restricted Network Corporate Data Center Internet Discussion Lab Possible solution. Firewall
  74. 74. Unit II - Chapter 2 Security Hazards Firewall Essentials
  75. 75. <ul><li>Describe the threat of opens systems networking </li></ul><ul><li>Identify simple denial of service attacks </li></ul><ul><li>Identify packet sniffing </li></ul><ul><li>Identify IP spoofing </li></ul>Security Hazards: Objectives
  76. 76. <ul><li>A standard approach to computing and networking that allows for: </li></ul><ul><ul><li>Greater interoperability </li></ul></ul><ul><ul><li>Flexibility </li></ul></ul><ul><ul><li>Portability of software and system components </li></ul></ul>Open Systems Internetworking
  77. 77. Isolated “Islands” of Phone Connectivity
  78. 78. Phone Connectivity No Longer Isolated
  79. 79. <ul><li>Increased connectivity increases the threat of attack </li></ul><ul><ul><li>The more networks that are connected, the greater chance of those networks being infiltrated </li></ul></ul>Open Systems Threat
  80. 80. <ul><li>Denial-of-Service </li></ul><ul><li>Network Packet Sniffing </li></ul><ul><li>IP Spoof Attack </li></ul>Internet Attacks Simplified
  81. 81. Denial of Service
  82. 82. <ul><li>A simple attack where the attacker repeatedly sends their victim voluminous amounts of electronic mail until the network can no longer handle the volume - denying them of mail service </li></ul>Denial-of-Service Attack
  83. 83. Attacker Mail Server Target Mailbox Flood of E-mail to Target Denial of Service Mail Attack
  84. 84. <ul><li>The attacker “listens in” to the data on your network with a packet sniffer, capturing data and displaying it in a readable manner </li></ul><ul><li>Source and destination users usually don’t even know that they’ve been “sniffed” </li></ul>Network Packet Sniffing
  85. 85. Attacker Network TCP Packet Copies Original TCP Packet Original TCP Packet Network Packet Sniffing Attack
  86. 86. <ul><li>The attacker uses the unique IP address of an unsuspecting target user, presumably for illicit purposes </li></ul><ul><li>An IP spoof becomes a serious attack if the external attacker claims to have an IP address that is internal to the targeted network </li></ul>IP Spoof Attack
  87. 87. External Internal Internal Packet Filter Reports source address to be Filter assumes packet is from trusted source, and allows data into the network IP Spoof Attack
  88. 88. Unit III - Chapter 1 Firewall Features Firewall Essentials
  89. 89. <ul><li>Access Rules and Lists </li></ul><ul><li>Host Spoofing Controls </li></ul>Basic Access Control
  90. 90. <ul><li>Host-Based </li></ul><ul><ul><li>Describes the sets of services allowed for each host or network </li></ul></ul><ul><li>Service-Based </li></ul><ul><ul><li>Identifies the sets of hosts or networks that may use each service </li></ul></ul>Access Rules and Lists
  91. 91. <ul><li>Reducing the threat of spoofing IP addresses: </li></ul><ul><ul><li>Restriction of the “source routing option” allows a host to control the route taken to return to the source host address </li></ul></ul><ul><ul><li>Control by network interface also reduces the threat </li></ul></ul>Host Spoofing Controls
  92. 92. <ul><li>Domain Name System (DNS) </li></ul><ul><ul><li>DNS servers share information </li></ul></ul><ul><ul><li>An attacker could possible redefine the address of a trusted host within a network to an address outside the network </li></ul></ul>Supported Services
  93. 93. <ul><li>Finger </li></ul><ul><ul><li>Used to find out logins, user names, and information concerning a users previous login </li></ul></ul>Supported Services (cont.)
  94. 94. <ul><li>File Transfer Protocol (FTP) </li></ul><ul><ul><li>A separate network connection is usually made from the destination host back to the original FTP connection </li></ul></ul><ul><ul><li>Most FTP servers supports a PASV (passive mode) capability allowing the connection to originate from the client rather than the server </li></ul></ul>Supported Services (cont.)
  95. 95. <ul><li>Internet Control Messaging Protocol (ICMP) </li></ul><ul><ul><li>Used to send error or test messages between systems </li></ul></ul><ul><ul><li>“ PING” uses ICMP to send echo requests to see if a host is reachable </li></ul></ul>Supported Services (cont.)
  96. 96. <ul><li>Internet Relay Chat (IRC) </li></ul><ul><ul><li>Using IRC, a user can contact an IRC server and join an Internet conversation </li></ul></ul><ul><ul><li>Threats associated with IRC are of a “social engineering” nature - an attacker may contact a user through IRC and convince them to compromise their network </li></ul></ul>Supported Services (cont.)
  97. 97. <ul><li>Network News Transfer Protocol (NNTP) </li></ul><ul><ul><li>Allows users to access newsgroups to read information or participate in discussions </li></ul></ul><ul><li>Network File System (NFS) </li></ul><ul><ul><li>Allows users to share file systems with other users </li></ul></ul><ul><ul><li>Little security and vulnerable to attacks </li></ul></ul>Supported Services (cont.)
  98. 98. <ul><li>Network Time Protocol (NTP) </li></ul><ul><ul><li>A service used to synchronize clocks between computers and networks </li></ul></ul>Supported Services (cont.)
  99. 99. <ul><li>rlogin </li></ul><ul><ul><li>Developed at the University of California at Berkeley </li></ul></ul><ul><ul><li>Used for remote access between local systems, but not recommended for use across the Internet because of lack of proper authentication capability </li></ul></ul>Supported Services (cont.)
  100. 100. <ul><li>TELNET </li></ul><ul><ul><li>Standard remote login protocol application </li></ul></ul><ul><ul><li>Provides a character-based connection between two systems </li></ul></ul>Supported Services (cont.)
  101. 101. <ul><li>Authentication Mechanisms </li></ul>User Authentication
  102. 102. <ul><li>Firewalls in multiple geographic locations should be administered by a single group within the company </li></ul><ul><li>With central administration the administrator configures the firewalls from a central database they all share </li></ul>Remote/Central Administration
  103. 103. <ul><li>Recording the action in a log or alarm file </li></ul><ul><li>Sending e-mail to an administrator </li></ul><ul><li>Displaying a message on the firewall console </li></ul><ul><li>Sending an SNMP alarm to a network manager system </li></ul>Actions Taken From Alarms
  104. 104. <ul><li>Activating and sending a message to an administrator’s pager </li></ul><ul><li>Running a specialized application or script file from the firewall </li></ul>Actions Taken From Alarms (cont.)
  105. 105. <ul><li>Dual-Host Firewalls </li></ul><ul><ul><li>Splitting the functions of a firewall between two hosts to force attackers to break into two systems for a successful attack </li></ul></ul><ul><li>Integrity Scanner </li></ul><ul><ul><li>An application on the firewall that continually scans the firewall for any unauthorized changes to files, file size, or devices </li></ul></ul>Firewall Integrity
  106. 106. <ul><li>Invisibility </li></ul><ul><ul><li>A firewall that can’t be seen is difficult to attack </li></ul></ul>Firewall Integrity (cont.)
  107. 107. <ul><li>Address Mapping </li></ul><ul><li>Day and Time Restrictions </li></ul><ul><li>Load Control </li></ul><ul><li>Tunneling </li></ul><ul><li>Virtual Private Networks (VPN) </li></ul><ul><li>Hacker Traps </li></ul>Special Features
  108. 108. <ul><li>Most organizations have invalid or illegal IP addressing internally </li></ul><ul><li>Firewalls can map illegal addresses internally to legal addresses as packets leave the network </li></ul>Address Mapping
  109. 109. LAN Illegal IP address Legal IP address Internal External Address Mapping
  110. 110. <ul><li>Security policies can be set to restrict certain network access based on day and time </li></ul>Day and Time Restrictions
  111. 111. Day and Time Restrictions x FTP allowed FTP disallowed
  112. 112. <ul><li>Limits the number of simultaneous connections permitted to a host </li></ul><ul><li>Helps protect against flooding attacks </li></ul>Load Control
  113. 113. Limiting the number of simultaneous connections x Load Control
  114. 114. <ul><li>Enables encryption all or selected communication between two or more sites </li></ul><ul><li>Requires cooperating firewalls to encrypt and decrypt packets as they are sent and received </li></ul>Virtual Private Networks (VPN)
  115. 115. Company intranet 1 Company intranet 2 Internet Firewall Firewall Not encrypted PRIVATE Not encrypted PRIVATE Encrypted PUBLIC Virtual Private Networks (VPNs)
  116. 116. <ul><li>Sometimes referred to as “lures and traps” or “honey pots” </li></ul><ul><li>Intruders think they have succeeded in breaking into the network when in reality they have been redirected to a “safe” place on the network </li></ul>Hacker Traps
  117. 117. Unit III - Chapter 2 Security Policies Firewall Essentials
  118. 118. <ul><li>Flexibility </li></ul><ul><li>Service-access </li></ul><ul><li>Firewall Design </li></ul><ul><li>Information </li></ul><ul><li>Remote Access </li></ul>Security Policy Philosophies
  119. 119. <ul><li>Flexibility </li></ul><ul><ul><li>Ability to adapt or change the policy </li></ul></ul><ul><ul><li>Flexible due to the following considerations: </li></ul></ul><ul><ul><ul><li>Internet changes </li></ul></ul></ul><ul><ul><ul><li>Internet risks </li></ul></ul></ul>Security Policy Philosophies (cont.)
  120. 120. <ul><li>Service Access </li></ul><ul><ul><li>Internal user issues </li></ul></ul><ul><ul><li>Remote access policies </li></ul></ul><ul><ul><li>External connections </li></ul></ul>Security Policy Philosophies (cont.)
  121. 121. <ul><li>Firewall Design </li></ul><ul><ul><li>Permit any service unless it is expressly denied </li></ul></ul><ul><ul><li>Deny any service unless it is expressly permitted </li></ul></ul>Security Policy Philosophies (cont.)
  122. 122. <ul><li>Information concerns </li></ul><ul><ul><li>E-mail </li></ul></ul><ul><ul><li>Web browsing </li></ul></ul>Security Policy Philosophies (cont.)
  123. 123. <ul><li>Remote Access </li></ul><ul><ul><li>A user’s dial-out capability might become an intruder dial-up threat </li></ul></ul><ul><ul><li>Outside users must be forced to pass through the advanced authentication features of the firewall </li></ul></ul>Security Policy Philosophies (cont.)