Post on 21-Dec-2015
Firewall Overview
EECS710 Fall 2006
Presenter: Michael Lea
Professor Hossein Saiedian
Firewalls
1. Firewall Defined
2. Benefits
3. Firewall Misconceptions
4. Firewall Technologies
5. Application and Design
6. Deployment Methodology
7. Monitoring, Maintenance, and Support
8. Firewall Selection Criteria
9. Deployment Exercise
10. Question and Answer
11. Summary
Firewall Defined
• A firewall is a security device configured to permit, deny, or proxy data connections
• Firewall rule sets are based upon the organization's security policy
• Firewalls can be hardware based, software based, or both
• A firewall's primary task is to control traffic between computer networks with different zones of trust
• Example of different zones: the internal (trusted) network and the Internet (untrusted)
• Firewalls are based on the principle of least privilege and separation of duties
• Firewalls require an experienced administrator
  – Considerable understanding of network protocols
  – In-depth knowledge of security assurance
Benefits of a firewall
• Provide additional security
• Protection between a private and a public network
• Provide internal protection within a private network for security access
• Controls to stop or limit the spread of viruses/worms
• Cost savings on circuit costs
• Business enabler
  – Connect your company to the Internet
  – Provide remote access
• Enforce security policy by controlling network access
• Disaster recovery
Firewall Misconceptions
• Security is holistic
• Firewalls can give a false sense of security
  – Wireless network
  – Small mistakes can render a firewall worthless as a security tool
  – Modem bypass
[Diagram: Internet, Internet Router, Firewall with Outside, Inside and DMZ zones (WWW Server, Email Server); labels: Internet Worm, TCP 80 is Open]
[Diagram: Internet, Internet Router, Firewall with Outside and Inside zones; a Web Surfer on the inside reaching a Malicious Web Site; labels: Active X Controls, Java]
Firewall Technologies
• Application Firewall
• IPS
• Anti-X
• NAT/PAT
• HA
• VPN
• Content Filter
Application Firewall
• Provides protection to application servers
• Can provide protection to web servers
• Provides critical protection that IPS and other security tools cannot provide
Protection provided for
• SQL Injection
• Cross-Site Scripting
• Command Injection
• Cookie/Session Poisoning
• Buffer Overflow
• Zero Day Attacks
• Many other attacks and hacks
SQL Injection
1. Standard login – web-based application
2. User has access to view her salary information
3. Hacker using SQL injection
4. Instead of authenticating the user, it returns the salary results
5. Hacker changes the payroll database:
   "SELECT * FROM TableSalary where EmployeeID='' OR 1=1; INSERT INTO TableSalary (EmployeeID, EmployeeName, Salary, IncomeTax, ProfessionalTax, HRA) VALUES (5,'Bad','$70,000', 0, 0, 0)--'"
6. The results of the new salary change
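The walk-through above shows why the `'' OR 1=1` trick returns every salary instead of the caller's own row. As an added example (not part of the slides), the vulnerable string-concatenated query is shown beside its parameterized fix against an in-memory SQLite copy of TableSalary with constructed rows; sqlite3's execute() refuses stacked statements, so only the tautology half of the slide's payload is exercised here, while the INSERT half would need a driver that runs several statements per call.

```python
import sqlite3

# Constructed sample payroll rows modelled on the slide's TableSalary (not the deck's own data).
SAMPLE_ROWS = [
    (1, "Alice", "$50,000", 5000, 200, 1000),
    (2, "Bob", "$55,000", 5500, 200, 1100),
]

def make_db():
    """In-memory SQLite payroll table using the slide's column names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE TableSalary (EmployeeID INTEGER, EmployeeName TEXT, "
                "Salary TEXT, IncomeTax INTEGER, ProfessionalTax INTEGER, HRA INTEGER)")
    con.executemany("INSERT INTO TableSalary VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def lookup_vulnerable(con, employee_id):
    """String concatenation: the input becomes part of the SQL text.
    The slide's EmployeeID='' OR 1=1 turns the WHERE clause into a tautology,
    so every employee's row comes back instead of the caller's own."""
    sql = "SELECT * FROM TableSalary WHERE EmployeeID='" + employee_id + "'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con, employee_id):
    """Bound parameter: the driver hands the input over as a value, never as SQL,
    so the same payload simply matches no EmployeeID."""
    sql = "SELECT * FROM TableSalary WHERE EmployeeID=?"
    return con.execute(sql, (employee_id,)).fetchall()

def demo():
    con = make_db()
    # Tautology half of the slide's payload; the trailing -- comments out the closing quote.
    payload = "' OR 1=1--"
    return {
        "vulnerable_rows": len(lookup_vulnerable(con, payload)),        # 2: whole table leaks
        "parameterized_rows": len(lookup_parameterized(con, payload)),  # 0: treated as a literal
        "legit_rows": len(lookup_parameterized(con, "1")),              # 1: only Alice
    }

if __name__ == "__main__":
    print(demo())
```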
IPS
• Intrusion Protection Systems provide deep packet inspection to protect network assets
• Provide protection against attacks
• Protect critical network infrastructure
• Protect servers from worms
• Provide zero day attack protection
Anti-X
Provides protection from the following threats:
• Spyware
• Spam
• Malware
• Phishing attempts
• Viruses
NAT/PAT
NAT (Network Address Translation)
• Used to map a public address to a private address
• Also known as network masquerading or IP masquerading
• Involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall
• Private network addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x
• Can also be utilized when address spaces overlap

NAT Example
[Diagram: Internet; Outside/Inside boundary at the firewall (10.1.1.1); Email Server 10.1.1.10 and Web Server 10.1.1.20 on the inside; public address 23.2.29.30]
NAT Rule
Map 23.2.29.30 → 10.1.1.10
Map 23.2.29.30 → 10.1.1.20

NAT Overloading
• NAT Overloading is used to conserve address space
• Only 4,294,967,296 addressable host devices with IPv4
• NAT overload utilizes a unique TCP or UDP source port (1024-65535)

PAT Example
[Diagram: same topology as the NAT example; Email Server 10.1.1.10 and Web Server 10.1.1.20 behind the firewall (10.1.1.1); public address 23.2.29.30]
PAT Rule
Map 23.2.29.30 – TCP 80 (WWW), TCP 443 → 10.1.1.20
Map 23.2.29.30 – TCP 25 (SMTP) → 10.1.1.10 (25)
*** PAT only requires one registered address
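The NAT overload and PAT slides above describe one registered address shared by many inside hosts, told apart by source port, plus fixed inbound port mappings. The following added example (not from the slides) simulates that translation table with the slide's addresses and rules: the RFC 1918 check, dynamic port allocation from the 1024-65535 pool, the static TCP 80/443/25 forwards, and the implicit drop for inbound traffic with no translation state.

```python
import ipaddress

PUBLIC_ADDRESS = "23.2.29.30"            # the single registered address on the slide
DYNAMIC_PORTS = range(1024, 65536)       # source-port pool quoted on the NAT Overloading slide

# RFC 1918 ranges listed on the NAT slide.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static PAT entries from the slide: (proto, public port) -> (inside host, inside port).
STATIC_PAT = {
    ("tcp", 80): ("10.1.1.20", 80),      # WWW
    ("tcp", 443): ("10.1.1.20", 443),
    ("tcp", 25): ("10.1.1.10", 25),      # SMTP
}

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class PatTable:
    """NAT overload: many inside hosts share one public address, distinguished by source port."""

    def __init__(self):
        self._port_pool = iter(DYNAMIC_PORTS)
        self.outbound = {}   # (proto, inside ip, inside port) -> public port
        self.inbound = {}    # (proto, public port) -> (inside ip, inside port)

    def translate_out(self, proto, src_ip, src_port):
        """Outbound packet: reuse existing state or allocate the next free public port."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private inside address")
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            try:
                public_port = next(self._port_pool)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted") from None
            self.outbound[key] = public_port
            self.inbound[(proto, public_port)] = (src_ip, src_port)
        return PUBLIC_ADDRESS, self.outbound[key]

    def translate_in(self, proto, dst_port):
        """Inbound packet to the public address: static rule first, then dynamic
        state created by an earlier outbound flow; None means no translation (dropped)."""
        return STATIC_PAT.get((proto, dst_port)) or self.inbound.get((proto, dst_port))
```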
HA
High Availability
VPN
• VPN provides a secure connection across an untrusted network by utilizing encryption
• VPN can be used for Wide Area connectivity
• VPN can be used for host based connections
• Can be utilized for a backup connection

VPN Deployment
Site-to-Site Deployment

VPN Client Deployment
• SSL VPN
• IPSEC
• Security checks on local client
  – Check for virus protection
  – Check for key stroke logger
  – Provide for client clean up after session is completed

VPN Split Tunneling

VPN Best Practices
• Utilize AES – 256 bit
• Utilize security checks on clients
• Disable split tunneling
• Utilize two factor authentication to include two of the following
  – Token based authentication
  – Password
  – Biometrics
Content Filtering
• Used to filter access to web sites
• Can also limit access to other services such as IM, FTP, P2P, and other services
• Provides for additional security
  – Phishing protection
  – Malicious sites blocked
• Provides for monitoring of employee activity
• Controls employee access based on HR policies
Typical Content Filtering Deployment
Deployment
Simple Firewall Deployment
[Diagram: Internet, Internet Router, Firewall with Outside, Inside and DMZ zones (WWW Server, Email Server)]
Multiple Firewall Deployment
[Diagram: Internet, Internet Router, Firewall with Outside, Inside and DMZ zones (WWW Server, Email Server); additional firewalls, each with their own Outside and Inside zones, in front of the Data Center, Branch Office, and Business Partner]
Deployment Best Practices
• Test deployment before placing into production
• Verify all features and functions
• Verify security
• Run security tests against the firewall deployment
Monitoring, Maintenance, and Support
• Monitoring must take place or security incidents may go unnoticed and undetected
• To maintain ongoing security assurance, firewalls must be monitored, maintained, and supported
• Firewalls that do not receive appropriate ongoing maintenance will be less effective as new security threats arise
• Vendor support must be maintained or new security threats will be able to exploit the firewall
Monitoring
• At a minimum, firewall logs should be monitored on a daily basis
• Firewall alerts that register high should be reacted to in real time
Monitoring: SIM
SIM (Security Incident Management)
• Provides a central logging point for all security reporting devices
• Built-in rule set to provide event correlation from security devices
• Centralizes security monitoring
• Correlates data from
  – Syslog
  – SNMP
  – SDEE
  – Netflow
  – Endpoint event logs
SIM Benefits
• Centralized repository for security events
• Classification of security incidents
• Rapidly locate and mitigate an attack
• Reduction of false positives
• Leverage your investment in security equipment
• Reduction of security events with the use of correlation
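The SIM slides above list correlation, classification, and the reduction of raw events and false positives without showing how a correlation rule behaves. This added example (not from the slides) runs a simple rule over constructed firewall log lines in a made-up "device time action proto src dst:port" layout: a burst of denies from one source across two firewalls collapses into one classified incident, while a lone deny stays below threshold and raises nothing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not a real vendor syslog format):
# device  timestamp  action  proto  source  destination:port
SAMPLE_LOGS = """\
fw-edge 2006-11-01T09:00:01 deny tcp 198.51.100.7 209.164.3.5:22
fw-edge 2006-11-01T09:00:02 permit tcp 202.202.202.25 209.164.3.5:25
fw-edge 2006-11-01T09:00:03 deny tcp 198.51.100.7 209.164.3.5:23
fw-dc 2006-11-01T09:00:04 deny tcp 198.51.100.7 209.164.3.5:3389
fw-edge 2006-11-01T09:00:05 deny tcp 198.51.100.7 209.164.3.5:445
fw-edge 2006-11-01T09:00:09 deny tcp 198.51.100.7 209.164.3.5:1433
fw-edge 2006-11-01T09:02:00 deny tcp 203.0.113.4 209.164.3.5:80
"""

def parse(lines):
    """Turn the constructed lines into event dicts with a real datetime."""
    events = []
    for line in lines.splitlines():
        device, ts, action, proto, src, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"device": device, "time": datetime.fromisoformat(ts), "action": action,
                       "proto": proto, "src": src, "dst": dst_ip, "port": int(dst_port)})
    return events

def correlate_denies(events, threshold=5, window=timedelta(seconds=60)):
    """Collapse a burst of denies from one source (any device) into a single incident.
    Fewer than `threshold` denies inside `window` are left as noise, so a stray
    deny never becomes an alert on its own."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] == "deny":
            by_src[e["src"]].append(e)
    incidents = []
    for src, denies in by_src.items():
        for i in range(len(denies) - threshold + 1):
            start = denies[i]["time"]
            hits = [e for e in denies[i:] if e["time"] - start <= window]
            if len(hits) >= threshold:
                ports = sorted({e["port"] for e in hits})
                incidents.append({"src": src, "count": len(hits), "ports": ports,
                                  "devices": sorted({e["device"] for e in hits}),
                                  # many distinct ports in one window reads as a scan
                                  "class": "port-scan" if len(ports) >= threshold else "repeated-deny"})
                break  # one incident per source per burst, not one per log line
    return incidents
```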
Maintenance
• Monitor your vendor for security updates and/or patches
• Run periodic security assessments against your firewall (inside and outside assessments)
• Verify that the firewall software level is up to date
• Monitor the industry for new technologies
• Keep a close watch within the security community for new attack vectors

Support
• Maintain ongoing support contracts on equipment while it is in production
• Have skilled staff to support your firewall or outsource the activity to a security service provider
Firewall Selection
When making a firewall purchase the following items should be considered:
• Security
• Features (IPS, AV control, etc.)
• Cost
• Maintenance cost
• Vendor support model
• Logging and monitoring support
• Performance requirements
  – Maximum connections
  – Maximum connections/second
  – Maximum firewall throughput
• Future scaling requirements
• HA (Active/Active, Active/Passive, or none)
• Content filtering
• Number of supported interfaces
• Types of supported interfaces (fiber, copper, and/or WAN)
• Management software (single firewall or enterprise management)
• Reliability (MTBF)
• Routing protocol support
Summary
Firewalls are an integral part of a network that provides for security assurance
Firewalls are constantly changing as information security technology changes
As technology changes it is critical for security managers and decision makers to adapt to new security threats and challenges
Deployment Exercise
SMTP Deployment

!--- Define the IP address for the inside interface.
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

!--- Define the IP address for the outside interface.
interface Ethernet4
 nameif outside
 security-level 0
 ip address 209.164.3.1 255.255.255.248

!--- Create an access list that permits Simple
!--- Mail Transfer Protocol (SMTP) traffic from anywhere
!--- to the host at 209.164.3.5 (our server). The name of this list is
!--- smtp. Add additional lines to this access list as required.
!--- Note: There is one and only one access list allowed per
!--- interface per direction (for example, inbound on the outside interface).
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp

!--- Specify that any traffic that originates inside from the
!--- 192.168.2.x network NATs (PAT) to 209.164.3.1 if
!--- such traffic passes through the outside interface.
global (outside) 1 209.164.3.1
nat (inside) 1 192.168.2.0 255.255.255.0

!--- Define a static translation between 192.168.2.57 on the inside and
!--- 209.164.3.5 on the outside. These are the addresses to be used by
!--- the server located inside the PIX Firewall.
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255

!--- Apply the access list named smtp inbound on the outside interface.
access-group smtp in interface outside

!--- Instruct the PIX to hand any traffic destined for 192.168.x.x
!--- to the router at 192.168.1.2.
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1

!--- Set the default route to 209.164.3.2.
!--- The PIX assumes that this address is a router address.
route outside 0.0.0.0 0.0.0.0 209.164.3.2 1

!--- SMTP/ESMTP is inspected as "inspect esmtp" is included in the map.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp

Control access from our SP spool server
Original config:
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
To allow only 202.202.202.25:
access-list smtp extended permit tcp host 202.202.202.25 host 209.164.3.5 eq smtp
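The exercise ends by tightening the smtp access list from `any` to a single spool server. The following added example (not from the slides or from Cisco) is a small first-match evaluator for the two ACE shapes used above, with the implicit deny at the end; it checks the original list, the restricted list, and the list you get if the new line is appended without removing the old one, where the earlier `any` entry still matches first and the restriction has no effect.

```python
import re

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}   # service names as used in the exercise

# Accepts the two ACE shapes that appear in the exercise:
#   access-list NAME extended permit tcp any host DST eq smtp
#   access-list NAME extended permit tcp host SRC host DST eq smtp
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?"
)

def parse_ace(line):
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    ace = m.groupdict()
    if ace["port"] is not None:
        ace["port"] = PORT_NAMES.get(ace["port"]) or int(ace["port"])
    return ace

def _addr_matches(spec, addr):
    return spec == "any" or spec.split()[1] == addr

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry decides; a packet that matches nothing hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in (proto, "ip") and _addr_matches(ace["src"], src)
                and _addr_matches(ace["dst"], dst)
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"]
    return "deny"

ORIGINAL = ["access-list smtp extended permit tcp any host 209.164.3.5 eq smtp"]
RESTRICTED = ["access-list smtp extended permit tcp host 202.202.202.25 host 209.164.3.5 eq smtp"]
BOTH = ORIGINAL + RESTRICTED   # new line added without removing the old one

if __name__ == "__main__":
    # 198.51.100.9 is a constructed "anyone on the Internet" source.
    for name, acl in (("original", ORIGINAL), ("restricted", RESTRICTED), ("both", BOTH)):
        print(name, evaluate(acl, "tcp", "198.51.100.9", "209.164.3.5", 25))
```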
Question and Answer
Close