Compare Firewall products Yan xie 2001825 Term Project of Network Security.
Posted: 19-Dec-2015
Compare Firewall products
Yan xie
2001825
Term Project of Network Security
Introduction
• Why do we need a firewall
• The definition of a firewall
• Some benefits and disadvantages of firewalls
• Types of firewall
• Comparison of the features of some firewall products
Why do we need a firewall
Security vulnerabilities on the Internet and in the local network area:
• Vulnerable TCP/IP services
• Lack of a security policy
• Complexity of configuration
• Weak authentication
• Ease of spying and monitoring
• Ease of spoofing
• Flawed LAN services and mutual trust between hosts
• Host-based security does not scale
The definition of a firewall
What is a firewall?
A firewall is any one of several ways of protecting one network from another, untrusted network. In principle, the firewall can be thought of as a pair of mechanisms: one exists to block traffic, and the other exists to permit traffic. Some firewalls place a great emphasis on blocking traffic, while others emphasize permitting traffic.
The definition of a firewall
Firewall components
1. Network policy, which includes a service access policy and a firewall design policy
• A service access policy defines those services that will be allowed or denied from the restricted network
• A firewall design policy describes how the firewall will actually restrict and filter the services defined in the network access policy. It takes one of two stances:
Permit any service unless it is expressly denied
Deny any service unless it is expressly permitted
Firewall components (cont)
2. Advanced authentication mechanisms (smart card, authentication token)
3. Packet filtering (source address, destination address, TCP/UDP source port, TCP/UDP destination port)
4. Application gateways
• Information hiding
• Robust authentication and logging
• Cost-effective
• Less complex filtering rules
Benefits of a firewall
• Protection from vulnerable services
• Controlled access to site systems
• Privacy
• Logging and statistics on network use
• Enhanced, concentrated security
Disadvantages of a firewall
• Restricted access to desirable services
• Large potential for back doors
• Little protection from inside attacks
• Potential threat from multicast IP transmissions
• Restriction of configuration
• No protection against viruses
Types of firewall
Packet filter firewall
• The most common and easiest firewall to apply for small, uncomplicated sites
• Allows selective access to systems and services depending on source address, destination address, TCP/UDP source port and TCP/UDP destination port
• Inherently dangerous services such as NIS, NFS and X Windows are blocked
Packet filtering firewall
Figure: Packet Filtering Firewall (Internet, IP packet filtering router, system)
Packet filter firewall
• Little or no logging capability
• It is difficult to test and find out the vulnerabilities of the system
• The filtering router will become unmanageable if complex filtering rules are required
• The lowest level of firewall, because it has no application awareness
Types of firewall
Dual-homed gateway firewall
• Implements the second design policy: deny all services unless they are specifically permitted
• A complete block to IP traffic between the Internet and the protected site
• Proxy servers on the gateway provide services and access: proxy service for Telnet and FTP, as well as an e-mail service in which the firewall can accept all site mail and forward it to the systems
• Logs access and logs attempts, to find intruder activity
• Segregates traffic concerned with an information server from other traffic to and from the site; any intruder penetration of the information server would be contained by the dual-homed gateway
• If any vulnerability or technique on the host is compromised, an intruder could subvert the firewall and carry out harmful activities
Dual-homed gateway firewall
Figure: Dual-homed Gateway Firewall with Router (Internet, IP filtering, application gateway, info server)
Screened host firewall
• A screened host firewall combines packet filtering with an application gateway located on the protected-subnet side of the router
• The router filters, or screens, dangerous protocols so that they do not reach the application gateway and the systems
• The rejection of application traffic depends on these rules:
Application traffic from Internet sites to the application gateway gets routed; all other traffic from Internet sites gets rejected.
The router rejects any application traffic originating from the inside unless it came from the application gateway.
Screened host firewall
• Since the router just limits the application traffic to the application gateway, the configuration is not as complex as that of a packet filtering firewall.
• The gateway needs only one network interface and does not require a separate subnet between the application gateway and the router, which may make the firewall more flexible.
• The router may be permitted to pass some trusted services directly to the systems, so the firewall should use the two design policies to restrict how many and what types of services are routed directly to site systems.
Screened host firewall
Figure: Screened Host Firewall (Internet, IP filtering, application gateway, info server)
Screened subnet firewall
• A screened subnet firewall can be used to locate each component of the firewall on a separate system
• The outer router will route traffic according to the following rules:
Application traffic from the application gateway to Internet systems gets routed.
E-mail traffic from the e-mail server to Internet sites gets routed.
Application traffic from the e-mail server to the application gateway gets routed.
E-mail traffic from Internet sites to the e-mail server gets routed.
FTP, Gopher, etc. traffic from Internet sites to the information server gets routed.
All other traffic gets rejected.
Screened subnet firewall
The inner router passes traffic to and from the screened subnet according to the following rules:
Application traffic from the application gateway to the systems gets routed.
E-mail traffic from the e-mail server to the systems gets routed.
Application traffic to the application gateway from the site gets routed.
E-mail traffic from the systems to the e-mail server gets routed.
FTP, Gopher, etc. traffic from the systems to the information server gets routed.
All other traffic gets rejected.
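The outer and inner router rule lists above are a packet filter of the kind described earlier (decisions on source address, destination address and destination port), with "all other traffic gets rejected" as the default. The following is an added example, not part of the slides: it encodes both rule lists as data and evaluates a packet against them. The component addresses, the 10.0.2.0/24 site network and the port-to-service mapping are constructed assumptions.

```python
"""Screened subnet router filter: outer and inner rule lists with default deny.

Added example modelled on the slides' rule lists; addresses and the
service-to-port mapping below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addresses of the screened subnet components (assumption).
APP_GATEWAY = "10.0.1.2"
MAIL_SERVER = "10.0.1.3"
INFO_SERVER = "10.0.1.4"
SITE_NET = "10.0.2."          # protected site systems live here (assumption)

# Service classes named in the rules, mapped to standard TCP ports (assumption).
EMAIL_PORTS = {25}            # SMTP
INFO_PORTS = {21, 70}         # FTP, Gopher ("etc." left out)
APP_PORTS = {23, 80}          # Telnet and HTTP proxied by the application gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Classify an address into the zones the rules talk about."""
    if addr == APP_GATEWAY:
        return "gateway"
    if addr == MAIL_SERVER:
        return "mail"
    if addr == INFO_SERVER:
        return "info"
    if addr.startswith(SITE_NET):
        return "site"
    return "internet"


Rule = Tuple[str, str, Set[int]]   # (source zone, destination zone, allowed ports)

# Outer router rules, in the order the slides list them.
OUTER_RULES: List[Rule] = [
    ("gateway", "internet", APP_PORTS),
    ("mail", "internet", EMAIL_PORTS),
    ("mail", "gateway", APP_PORTS),
    ("internet", "mail", EMAIL_PORTS),
    ("internet", "info", INFO_PORTS),
]

# Inner router rules, in the order the slides list them.
INNER_RULES: List[Rule] = [
    ("gateway", "site", APP_PORTS),
    ("mail", "site", EMAIL_PORTS),
    ("site", "gateway", APP_PORTS),
    ("site", "mail", EMAIL_PORTS),
    ("site", "info", INFO_PORTS),
]


def route(rules: List[Rule], pkt: Packet) -> bool:
    """True if some rule permits the packet; otherwise it is rejected (default deny)."""
    s, d = zone(pkt.src), zone(pkt.dst)
    return any(s == rs and d == rd and pkt.dport in ports for rs, rd, ports in rules)
```

Note that no rule on either router allows Internet hosts to reach a site system directly, so such a packet is rejected at the outer router before the inner router ever sees it.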
Screened subnet firewall
Advantages of a screened subnet firewall
• The two routers make it more difficult for an intruder to attack, because the intruder would have to subvert both routers to access the systems.
• Only the application gateway, e-mail server and information server would be known to the Internet as systems; no other system name would be known in the DNS database accessible to outside systems.
• The application gateway can use authentication software to authenticate all inbound connections.
• More flexible, by permitting certain trusted services to pass between the Internet and the systems.
Screened subnet firewall
Figure: Screened Subnet Firewall (Internet, application gateway, e-mail server, info server)
Firewall products
Interlock of ANS Communication
• An application gateway based firewall designed to secure access between IP networks
• The Access Control Rule Base is the facility used to define Interlock's access control
• Ensures intra-network protection by controlling access between segments of an internal TCP/IP network
• Modified source code: the functions for resending (forwarding) of IP, ICMP redirection and source routing were deleted
Interlock
Authentication
• Standard password
• SecurID and PINPAD
• Non-authenticated services cannot be required to authenticate
Access control
• First checks to see if there is a specific rule for the user and application
• Then checks for rules associated with a group containing the user
• Then the user gets access
Does not support
• Confidentiality
• Integrity
• Serial-line protection
Nov*IX for NetWare
Nov*IX from Firefox
• Nov*IX for NetWare is a packet filter firewall that enables you to connect a Novell NetWare network to TCP/IP host systems over TCP/IP networks
Authentication
• NetWare-based password facility for authorizing all outgoing connections through the server
• For incoming connections, user authentication can be implemented for remote clients by using a login and password in the bindery or directory services
• For specific authentication, FTP users require a user name and password that are verified in the NetWare Bindery before they are authorized to connect to the FTP server
• Detects and prevents IP spoofing
Nov*IX for NetWare
Access control
• Extracts the data from the packet and puts the data in an IP packet for transmission onto the Internet
• For incoming Internet traffic, data is removed from IP packets and put into IPX packets before entering the NetWare network
• Network managers can specify the port addresses that are acceptable or those that are unacceptable
Does not support
• Confidentiality
• Integrity
• Protection against "back doors"
CyberGuard Firewall
• CyberGuard Firewall is a combination of a packet-filter gateway, a proxy gateway and a bastion host
Authentication
• Uses a password for user authentication
• A dynamically generated password from a hand-held token card plus the personal identification number of the SecurID user, for user authentication
• Host authentication has the ability to detect IP spoofing
Access control
• Hides internal host names and addresses; interfaces with standard clients and servers
• Allows and blocks the routing of specific network services based on a dynamic return path, which in turn depends on service type, protocol, source and destination names or addresses, sub-network mask, direction of transfer and established connection
CyberGuard Firewall
Enhanced security
• Mandatory access control
• Multilevel directories
• Secure device handling
• Privileges
Confidentiality
• The private network packet is encrypted and placed into the data portion of the packet that is sent out by the firewall
• The internal host source and destination addresses, the private network information and the original data are encrypted
Integrity
• Enables a counter that prevents replay attacks
• By using a MAC within the encryption process, it can detect and prevent modification of any data in the packet, including the addresses
Firewall-1 (Check Point)
• Firewall-1 is located in the kernel of the OS, below the network layer
• Checks the IP addresses and port numbers at the same time
• Stores and refreshes the state and context in a dynamic state table
Authentication
• Password: internal Firewall-1 password, SecurID, S/Key
• Cryptography-based authentication
Firewall-1
Access control
• Stateful inspection: extracts the state-related information required for security decisions from all application layers and maintains this information in dynamic state tables for evaluating subsequent connection attempts
• Rule based
Confidentiality and integrity
• Session key: DES, encrypts the message
• Encryption key: Diffie-Hellman generates a secret key for each gateway
• Certificate Authority key: RSA, authenticating the encryption key
• Supports encryption speeds greater than 10 Mbps
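The dynamic state table is what separates stateful inspection from the static packet filter of the earlier slides: a reply from the Internet is accepted only because an inside host opened the connection first, and the entry is refreshed on each packet and dropped when idle. The following is an added illustration of that idea, not Check Point's code; the inside address range, the idle timeout and the use of a TCP SYN flag as the connection-opening signal are constructed assumptions, and only the address/port tuple is tracked, not the application-layer state Firewall-1 also inspects.

```python
"""Minimal stateful inspection table modelled on the Firewall-1 description.

Added example, not Check Point's code. The inside prefix, timeout and the
SYN-as-connection-open convention are constructed assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

INSIDE_PREFIX = "10.0."   # assumption: protected site addresses start with 10.0.
IDLE_TIMEOUT = 60.0       # assumption: seconds of silence before an entry is dropped

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True for a connection-opening TCP SYN


class StatefulFilter:
    def __init__(self, now: Callable[[], float] = time.monotonic):
        self.now = now
        self.table: Dict[Key, float] = {}   # connection tuple -> last-seen time

    def _expire(self) -> None:
        """Drop entries that have been idle longer than IDLE_TIMEOUT."""
        cutoff = self.now() - IDLE_TIMEOUT
        self.table = {k: t for k, t in self.table.items() if t >= cutoff}

    def decide(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for one packet.

        Address and port are checked together, as a single tuple. Only
        inside-initiated connections create state; return traffic is accepted
        only while a matching (reversed) entry exists and is refreshed each time.
        """
        self._expire()
        key: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and pkt.src.startswith(INSIDE_PREFIX):
            self.table[key] = self.now()          # new outbound connection
            return "accept"
        for k in (key, reverse):
            if k in self.table:
                self.table[k] = self.now()        # refresh context of known flow
                return "accept"
        return "drop"   # unsolicited inbound SYN or unknown flow
```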
Compare firewall products

| Product | Company | Authentication | Access control | Confidentiality | Integrity | Protocol/service |
|---|---|---|---|---|---|---|
| Interlock | ANS | √ | √ | | | FTP, Telnet, Login, SMTP, NNTP, X Windows, WWW, Gopher, HTTP, Real Audio, LPD, NTP |
| Nov*IX | FireFox | √ | √ | | | Packet filtering: TCP, UDP, NNTP, HTTP |
| CyberGuard | CyberGuard | √ | √ | √ | √ | FTP, Telnet, Login, SMTP, NNTP, HTTP, Gopher, X11, SOCKS, enhanced pass-through proxy |
| Firewall-1 | Check Point | √ | √ | √ | √ | Complete TCP/IP protocols |
Suggestion
Firewall with modem pool
• A firewall cannot defend against "back doors"
• Collect the modems and connect them to a terminal server
• A terminal server is a computer designed for connecting modems to a network
• The terminal server restricts which systems can be connected to
• Packet filtering prevents inside systems from connecting directly to the modem pool
• The application gateway's authentication will be used to authenticate users, whether they come in from a modem or from the Internet
Suggestion
Multicast IP transmission
• Minimize the unnecessary exposure of hosts to traffic
• Transmissions are passed only when the request comes from an inside user
• Allow packets sent to ports designated by the requesting host and marked by the firewall kernel as unused
Conclusion
• Choose a firewall that provides confidentiality and integrity
• An updatable firewall should be considered
• Use a suitable service access policy and design policy
• Proper configuration and implementation depend on the specific application
• Use additional devices to improve security, such as intrusion detection and anti-virus software