Security

Post on 08-Jun-2015

Transcript of Security

Firewall Categorization Methods

Firewalls can be categorized by processing mode, development era, or intended structure

Five processing modes that firewalls can be categorized by are:

Packet filtering

Application gateways

Circuit gateways

MAC layer firewalls

Hybrids

Firewalls Categorized by Development Generation

First generation: static packet filtering firewalls

Second generation: application-level firewalls or proxy servers

Third generation: stateful inspection firewalls

Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination and port addresses to enter

Fifth generation: kernel proxies; a specialized form that runs inside the operating system kernel (originally the Windows NT kernel)

Packet Filters

Either block or allow transmission of packets of information based on criteria such as port, IP address, and protocol

A plain packet filter only reads the header fields and forwards or drops the packet unchanged; reviewing the header, stripping it off, and replacing it with a new header before sending the packet on to a specific host inside the network is address translation (NAT, described later), which firewalls combine with filtering

Fundamental components of firewalls

Viewing Header Contents

The Use of Rules

Stateful Packet Filtering
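The difference between the first-generation packet filter and stateful inspection is easiest to see on a reply packet. The following is an added example, not code from the original slides: a rule-matching packet filter, the usual stateless workaround for replies (trust any packet whose source port is 443), and a stateful filter that remembers which flows it allowed out. The packet dicts, the rule set, the inside network 10.0.0.0/24, the web server 10.0.0.5 and the outside addresses are all assumptions chosen for illustration.

```python
"""Stateless vs stateful packet filtering, run over constructed packets.

Added example, not code from the original slides. Packets are plain
dicts; the rule set, the inside network 10.0.0.0/24, the web server
10.0.0.5 and the outside addresses are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Rule: (action, proto, src_net, src_port, dst_net, dst_port); None = any.
RULES = [
    ("allow", "tcp", INSIDE, None, ANY, 80),                      # outbound web
    ("allow", "tcp", INSIDE, None, ANY, 443),
    ("allow", "tcp", ANY, None, ip_network("10.0.0.5/32"), 80),   # inbound to web server
]

# The classic stateless workaround for replies: trust any packet whose
# *source* port is 443. An attacker can set the source port freely.
REPLY_RULE = ("allow", "tcp", ANY, 443, INSIDE, None)


def match_rules(rules, pkt):
    """First matching rule wins; no match means the implicit default deny."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for action, proto, src_net, sport, dst_net, dport in rules:
        if (pkt["proto"] == proto and src in src_net and dst in dst_net
                and (sport is None or pkt["sport"] == sport)
                and (dport is None or pkt["dport"] == dport)):
            return action
    return "deny"


def stateless_filter(rules, pkt):
    """First-generation packet filter: every packet is judged on its own header."""
    return match_rules(rules, pkt)


class StatefulFilter:
    """Stateful inspection: replies are allowed only for flows seen going out."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # (proto, src, sport, dst, dport) of permitted flows

    def decide(self, pkt):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in self.flows:          # reply to a connection an inside host opened
            return "allow"
        action = match_rules(self.rules, pkt)
        if action == "allow":
            self.flows.add(fwd)        # remember it so the reply can come back
        return action


# Constructed packets: an outbound HTTPS request, its reply, and an attacker
# spoofing source port 443 to reach SSH on the same inside host.
OUT = {"proto": "tcp", "src": "10.0.0.7", "sport": 51234, "dst": "93.184.216.34", "dport": 443}
REPLY = {"proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.7", "dport": 51234}
ATTACK = {"proto": "tcp", "src": "203.0.113.9", "sport": 443, "dst": "10.0.0.7", "dport": 22}


def compare():
    """Return each filter's verdicts on (OUT, REPLY, ATTACK)."""
    stateful = StatefulFilter(RULES)
    return {
        "stateless": [stateless_filter(RULES, p) for p in (OUT, REPLY, ATTACK)],
        "stateless+reply_rule": [stateless_filter(RULES + [REPLY_RULE], p)
                                 for p in (OUT, REPLY, ATTACK)],
        "stateful": [stateful.decide(p) for p in (OUT, REPLY, ATTACK)],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22} out={verdicts[0]} reply={verdicts[1]} attack={verdicts[2]}")
```

The plain stateless rule set blocks the legitimate reply; adding the source-port-443 rule lets the reply through but also lets the spoofed packet reach port 22; the stateful filter allows the reply because it remembers the outbound flow and still denies the probe.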

Dual-Homed Host Proxy Server Configuration

Figure 8-3 Symmetric Encryption Example

Cryptographic Algorithms

Data Encryption Standard (DES): historically one of the most popular symmetric encryption cryptosystems

64-bit block size; 56-bit key (far too short today: a DES key can be recovered by exhaustive search)

Adopted by the National Bureau of Standards (now NIST) in 1976 as the federal standard for encrypting non-classified information, published as FIPS 46 in 1977

Triple DES (3DES): applies DES three times with two or three keys to provide security far beyond single DES (about 112 bits effective); now deprecated by NIST

Advanced Encryption Standard (AES): developed to replace both DES and 3DES; 128-bit block, 128-, 192- or 256-bit keys (FIPS 197, 2001)

Cryptographic Algorithms

Asymmetric Encryption (public key encryption)

Uses two different but related keys; either key can encrypt or decrypt a message

If Key A encrypts a message, only Key B can decrypt it

Highest value when one key serves as private key and the other serves as public key

Figure 8-4 Using Public Keys

A Public Key Generated by PGP
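The two claims on the asymmetric slide (what Key A encrypts only Key B decrypts, and the same pair run the other way round gives a signature) can be checked directly with textbook RSA. The following is an added example, not the slides' own code: it uses the classic toy primes p = 61 and q = 53 (n = 3233, e = 17, d = 2753) and raw, unpadded RSA on small integers, which is for illustration only; real use needs 2048-bit or larger moduli and OAEP/PSS padding from a vetted library. It needs Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Textbook RSA with the toy primes p=61, q=53.

Added example, not the slides' own code. Toy parameters and unpadded
("raw") operations are for illustration only; never use them for real data.
"""


def keygen(p, q, e=17):
    """Return (public, private) = ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse: e * d == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def apply_key(key, x):
    """One RSA operation, x ** exponent mod n. Same code whichever key is used."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("raw RSA input must be smaller than the modulus")
    return pow(x, exponent, n)


def encrypt(public, m):
    return apply_key(public, m)


def decrypt(private, c):
    return apply_key(private, c)


def sign(private, m):
    """Signature = private key applied to the message (no hashing in this toy)."""
    return apply_key(private, m)


def verify(public, m, sig):
    """Anyone holding the public key can undo the private-key operation."""
    return apply_key(public, sig) == m


def demo():
    public, private = keygen(61, 53)     # n = 3233, phi = 3120, d = 2753
    m = 65                               # constructed plaintext, must be < n
    c = encrypt(public, m)               # 65 ** 17 mod 3233 == 2790
    sig = sign(private, m)
    return {
        "ciphertext": c,
        "decrypted": decrypt(private, c),             # 65: Key B undoes Key A
        "decrypt_with_public": apply_key(public, c),  # not 65: a key cannot undo itself
        "signature_ok": verify(public, m, sig),       # True
        "tampered_ok": verify(public, m + 1, sig),    # False: signature is bound to m
        "private_exponent": private[0],               # 2753
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`encrypt`/`decrypt` and `sign`/`verify` are the same modular exponentiation with the roles of the keys swapped, which is exactly why the slide says either key can encrypt or decrypt; what changes is which key is kept private.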

Network Address Translation (NAT)

Used by most firewalls to shield a private network from outside interference

Translates between private addresses inside a network and public addresses outside the network

Done transparently (unnoticed by external computers); internal IP addresses remain hidden

Performed by NAT proxy servers, which use an address table to do the translations

Example: a computer inside accesses a computer outside

The NAT device changes the source IP address to its own address and changes the source port number to a unique number

That unique port number is used as an index to the original source IP address and port

The NAT device performs the reverse operations on response packets

Network Address Translation (NAT)

Figure: NAT translation between Client, NAT Firewall, Internet and Server Host (diagram reconstructed from the slide)

Step 1, outbound: the Client sends a packet "From 192.168.34.2, Port 13472" to the NAT Firewall; the NAT Firewall forwards it to the Server Host as "From 172.47.9.6, Port 31789"

Step 2, inbound: the Server Host replies "To 172.47.9.6, Port 31789"; the NAT Firewall looks up port 31789 in its table and delivers the packet as "To 192.168.34.2, Port 13472"

Translation Table

Internal: IP Addr 192.168.34.2, Port 13472

External: IP Addr 172.47.9.6, Port 31789
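The two-step diagram reduces to a table keyed by the external port. The following is an added example, not code from the original slides, implementing that table: outbound packets get the firewall's public address and a unique port, and the port is the index back to the original host for replies. The inside host 192.168.34.2:13472 and the public address 172.47.9.6 with external port 31789 are taken from the slide's diagram; the second inside host, the outside server 203.0.113.80, the scanner 198.51.100.9 and the packet dict layout are assumptions.

```python
"""Port address translation table as the slide's two-step diagram describes.

Added example, not code from the original slides. Addresses from the
diagram are reused; all other hosts and the packet layout are assumptions.
"""


class NatFirewall:
    def __init__(self, public_ip, first_port=31789):
        self.public_ip = public_ip
        self.next_port = first_port
        self.to_inside = {}   # external port -> (internal ip, internal port)
        self.to_outside = {}  # (internal ip, internal port) -> external port

    def outbound(self, pkt):
        """Rewrite the source ip/port of an inside-to-outside packet, recording the mapping."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.to_outside:
            port = self.next_port           # unique per internal (ip, port) pair
            self.next_port += 1
            self.to_outside[key] = port
            self.to_inside[port] = key
        return dict(pkt, src=self.public_ip, sport=self.to_outside[key])

    def inbound(self, pkt):
        """Reverse the translation for a reply; None means no entry, so it is dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        key = self.to_inside.get(pkt["dport"])
        if key is None:
            return None   # unsolicited outside traffic: nothing in the table for it
        ip, port = key
        return dict(pkt, dst=ip, dport=port)


def demo():
    nat = NatFirewall("172.47.9.6")
    # Constructed packets. Step 1: client inside -> server outside.
    client = {"src": "192.168.34.2", "sport": 13472, "dst": "203.0.113.80", "dport": 80}
    # A second inside host happens to pick the same source port.
    other = {"src": "192.168.34.3", "sport": 13472, "dst": "203.0.113.80", "dport": 80}
    out1 = nat.outbound(client)
    out2 = nat.outbound(other)
    # Step 2: the server replies to what it saw, the public address and port.
    reply = {"src": "203.0.113.80", "sport": 80, "dst": "172.47.9.6", "dport": out1["sport"]}
    back = nat.inbound(reply)
    # An outside scanner probing the public address with no prior mapping.
    probe = {"src": "198.51.100.9", "sport": 4444, "dst": "172.47.9.6", "dport": 22}
    return {
        "translated": (out1["src"], out1["sport"]),
        "second_host": (out2["src"], out2["sport"]),
        "reply": (back["dst"], back["dport"]),
        "probe": nat.inbound(probe),
        "table": dict(nat.to_inside),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The table is what hides internal addresses, but on its own it is a weak security boundary: anything that matches an existing entry passes untouched, a static port forward adds a permanent entry, and nothing here checks TCP state or rule policy, which is why the slides pair NAT with packet filtering rather than relying on it alone.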

Tunneling Protocols Used with VPNs

IPSec

PPTP (Point-to-Point Tunneling Protocol)

L2TP (Layer 2 Tunneling Protocol)

PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)

IPSec

IPSec provides:

Encryption of the data part of packets

Authentication

Encapsulation between two VPN hosts

Two security methods: AH (Authentication Header: integrity and authentication only, no encryption) and ESP (Encapsulating Security Payload: encryption, with optional authentication)

Capability to work in two modes (transport and tunnel)

PPTP

Developed by Microsoft for granting VPN access to remote users over dial-up connections

Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data; the MS-CHAPv2 authentication it depends on has been broken, so PPTP is considered insecure today

Useful if support for older clients is needed

Compatible with Network Address Translation (NAT), provided the NAT device can track PPTP's GRE data channel

Replaced by L2TP

L2TP

Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server

Provides only the tunnel; relies on IPSec (L2TP/IPSec) to encrypt and authenticate the data

Originally incompatible with NAT, because address rewriting breaks IPSec's integrity checks, but provides a higher level of encryption and authentication than PPTP; NAT traversal (NAT-T, UDP encapsulation of ESP) later removed this limitation

PPP Over SSL

UNIX based method for creating VPNs

Combines an existing tunnel system (PPP) with a way of encrypting data in transport (SSL)

SSL

Public key encryption system used to provide secure communications over the Web: public-key cryptography authenticates the server and establishes a session key, and symmetric encryption then protects the data (since succeeded by TLS)

Detecting Unauthorized Access

Intrusion Detection Systems (IDSs):

Network-based IDSs: install IDS sensors on network circuits and monitor packets; report intrusions to an IDS Management Console

Host-based IDSs: monitor all activity on the server as well as incoming server traffic

Application-based IDSs: special form of host-based IDS; monitor just one application, such as a Web server

Techniques Used by IDSs

Misuse detection: compares monitored activities with signatures of known attacks

If an attack is recognized the IDS issues an alert; only a sensor placed inline (an intrusion prevention system) can also discard the packet

Challenge: keeping the signature database current

Anomaly detection: operates in stable computing environments; looks for major deviations from the "normal" parameters of network operation, e.g., a large number of failed logins

When a deviation is detected, an alert is issued (and packets discarded only if the sensor is inline)

Problem: false alarms (valid traffic that differs from normal)
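Both techniques, run over a constructed log stream, as an added example that is not code from the original slides. Misuse detection matches each line against a small signature set; anomaly detection first learns how many failed logins each source produces in a window believed to be normal, then alerts on sources that exceed that baseline by a factor. The log format, the two signatures, the baseline window and the thresholds are all assumptions chosen for illustration.

```python
"""Misuse (signature) detection and anomaly detection over constructed log lines.

Added example, not the slides' own code. Log format, signatures, baseline
window and thresholds are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed log stream: web requests and sshd auth messages mixed together.
NORMAL_WINDOW = [
    "10.0.0.7 GET /index.html 200",
    "sshd: Failed password for alice from 10.0.0.8",
    "sshd: Accepted password for alice from 10.0.0.8",
]
MONITORED = [
    "10.0.0.7 GET /about.html 200",
    "203.0.113.5 GET /cgi-bin/../../../../etc/passwd 404",
    "203.0.113.5 GET /login.php?user=admin'%20OR%201=1-- 200",
    "sshd: Failed password for bob from 10.0.0.8",
] + ["sshd: Failed password for root from 198.51.100.9"] * 6

# Misuse detection: patterns of known attacks. Keeping this set current is the hard part.
SIGNATURES = {
    "path traversal": re.compile(r"(?:\.\./)+"),
    "sql injection": re.compile(r"(?:'|%27)(?:\s|%20|\+)*(?:or|and)(?:\s|%20|\+)+\d+=\d+", re.I),
}

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")


def misuse_detect(lines):
    """Return (signature name, line) for every line matching a known-attack pattern."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


def failed_logins(lines):
    """Count failed logins per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def anomaly_detect(lines, baseline, factor=3, floor=3):
    """Alert on sources whose failed-login count exceeds factor * baseline (at least floor).

    A source with no baseline gets the floor, so a brand-new noisy source still alerts;
    a source that was already a bit noisy in the normal window is tolerated, which is
    where false alarms and missed attacks trade off.
    """
    alerts = {}
    for src, n in failed_logins(lines).items():
        limit = max(floor, factor * baseline.get(src, 0))
        if n > limit:
            alerts[src] = n
    return alerts


if __name__ == "__main__":
    for name, line in misuse_detect(MONITORED):
        print(f"[misuse] {name}: {line}")
    baseline = failed_logins(NORMAL_WINDOW)
    for src, n in anomaly_detect(MONITORED, baseline).items():
        print(f"[anomaly] {src}: {n} failed logins (baseline {baseline.get(src, 0)})")
```

Both functions only return alerts; whether a matching packet is also dropped is a property of where the sensor sits, not of the detection technique.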

Use of IDSs with Firewalls