Firewall Technologies & Architecture

By Hafiz Muhammad Usman L1F09MSCS0015


8/7/2019 Firewall Technologies & Architecture

http://slidepdf.com/reader/full/firewall-technologies-architecture 1/31


Firewall

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.


Firewall Technologies

The wide range of firewall technologies includes:

- Personal firewalls
- Packet filters
- Network Address Translation (NAT) firewalls
- Circuit-level firewalls
- Proxy firewalls
- Stateful firewalls
- Transparent firewalls
- Virtual firewalls


Personal Firewalls

o Designed to protect a single host.
o Provide a hardened shell around the host system, whether it is a server, desktop, or laptop.
o Typically permit outbound traffic by default, while inbound traffic is inspected against the rule set before it reaches the host.
o Include various profiles that accommodate the typical traffic a system might see.


Packet Filtering Firewall

Filters traffic based on simple packet characteristics. It examines the IP packet header, the source and destination IP addresses, and the protocol and port combinations, then applies the filtering rules.

Advantages: packet filtering is fast, flexible, transparent and cheap. Most routers provide packet filtering capabilities, and it does not require powerful hardware.

Limitations: IP addresses can be spoofed, so address-based rules are not sufficient on their own. A pure packet filter is stateless: it cannot track an outbound flow and dynamically generate a rule permitting only the return traffic for that flow. The return path therefore has to be opened with a static rule (for example, permit TCP from port 80 to any high port with the ACK flag set), and such a rule also admits any unsolicited packet an attacker crafts to match it.


Network Address Translation (NAT)

The basic purpose of NAT is to multiplex traffic from an internal network and present it to a wider network from one (or a few) external addresses.

A NAT firewall only allows connections that originate from the inside of the firewall. It is stateful, and it maps the addresses of internal systems to an external address.

The ability to place an entire network behind a single IP address is based on the mapping of port numbers on the NAT firewall: each internal (address, port) pair is assigned its own port on the external address, and return traffic is translated back to the internal host using that table.


Table. Network Address Translation

Source IP     Source Port   NAT IP          NAT Port   Destination IP   Destination Port
192.168.1.1   3844          172.28.230.55   3844       10.100.100.44    80
192.168.1.2   4687          172.28.230.55   4687       10.100.100.44    80
192.168.1.1   4687          172.28.230.55   63440      10.100.100.44    80

In the first two rows the source port is free on the NAT address, so it is kept. In the third row port 4687 on 172.28.230.55 is already used by the translation for 192.168.1.2, so the firewall allocates a different external port (63440) to keep every mapping unique; without that the two replies from 10.100.100.44 could not be told apart.
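The port-mapping behaviour behind the table, as an added example that is not code from the original slides. The allocation policy (keep the source port when it is free on the NAT address, otherwise take the next port from a high range starting at 63440) is an assumption chosen so that the output reproduces the table; real firewalls use their own allocators. The addresses are the ones in the table.

```python
"""Port address translation (PAT) as in the NAT table above.

Added example, not code from the original slides. The allocation policy
(keep the source port when free, otherwise allocate from 63440 upwards)
is an assumption made so the output matches the table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatFirewall:
    def __init__(self, nat_ip, high_port_start=63440):
        self.nat_ip = nat_ip
        self.next_high = high_port_start   # assumed start of the fallback range
        self.outbound = {}   # (inside_ip, inside_port) -> nat_port
        self.inbound = {}    # nat_port -> (inside_ip, inside_port)

    def _allocate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key in self.outbound:
            return self.outbound[key]          # existing translation slot
        nat_port = src_port
        if nat_port in self.inbound:           # collision on the NAT address
            nat_port = self.next_high
            self.next_high += 1
        self.outbound[key] = nat_port
        self.inbound[nat_port] = key
        return nat_port

    def translate_outbound(self, pkt):
        """Inside -> outside: rewrite the source to the NAT address and slot port."""
        nat_port = self._allocate(pkt.src_ip, pkt.src_port)
        return Packet(self.nat_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Outside -> inside: only packets aimed at an existing slot get through;
        anything else (no slot) is dropped, which is why NAT alone already
        blocks connections initiated from the outside."""
        if pkt.dst_ip != self.nat_ip or pkt.dst_port not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def build_table():
    """Replay the three flows from the table; returns (firewall, [(original, translated)])."""
    fw = PatFirewall("172.28.230.55")
    flows = [Packet("192.168.1.1", 3844, "10.100.100.44", 80),
             Packet("192.168.1.2", 4687, "10.100.100.44", 80),
             Packet("192.168.1.1", 4687, "10.100.100.44", 80)]
    rows = [(p, fw.translate_outbound(p)) for p in flows]
    return fw, rows


if __name__ == "__main__":
    fw, rows = build_table()
    for original, translated in rows:
        print(f"{original.src_ip}:{original.src_port} -> "
              f"{translated.src_ip}:{translated.src_port} -> "
              f"{translated.dst_ip}:{translated.dst_port}")
    # server reply to the third slot comes back to 192.168.1.1:4687
    print(fw.translate_inbound(Packet("10.100.100.44", 80, "172.28.230.55", 63440)))
    # unsolicited inbound packet: no slot, dropped
    print(fw.translate_inbound(Packet("203.0.113.9", 4444, "172.28.230.55", 22)))
```

The reverse table is what makes the firewall stateful: a reply is only forwarded when a slot exists for its destination port, and the slot only exists because an inside host opened it.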


Circuit-level Gateways

Work at the session layer of the OSI model and monitor the TCP "handshaking" between packets to decide whether the traffic is legitimate.

Traffic to a remote computer is modified to make it appear as though it originated from the circuit-level firewall. This modification is useful in hiding information about the protected network.

The drawback is that once a connection has been accepted the gateway does not filter the individual packets in that connection, so an attack carried inside an allowed session passes through unexamined.


Proxy Firewall

Operates at the application layer.

A proxy firewall forces all client applications on workstations protected by the firewall to use the firewall itself as a gateway. The firewall then authorizes each packet for each protocol differently, acting as an intermediary between the two end systems: the client talks only to the proxy, and the proxy opens its own connection to the server.

Proxy server firewalls have large processor and memory requirements in order to support many simultaneous users. To support various services, the proxy firewall must have a specific service running for each protocol (for example, an FTP proxy for file transfers).

Proxy firewalls can look much more deeply into the packets of a connection and apply additional rules. The disadvantages are added delay and complex configuration, as well as their lower speed.

Finally, if there is no specific proxy service for a particular network application, you cannot put that application behind the firewall.
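What "looking deeper into the packets" means in practice, as an added example that is not code from the original slides: the proxy parses the client's bytes as HTTP and decides on method, request target and Host header, decisions a packet filter working on addresses and ports cannot make. The allowed methods and hosts, the header size limit and the sample requests are constructed for the example and are not from any real deployment.

```python
"""Application-layer inspection of an HTTP request by a proxy firewall.

Added example, not code from the original slides. The policy values and
the sample requests below are constructed for illustration.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                     # no CONNECT/TRACE tunnelling
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}   # assumed policy
MAX_HEADER_BYTES = 8192
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_http_request(raw):
    """Return (allowed, reason) for the raw bytes a client sent to the proxy."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "not a complete HTTP request"       # e.g. another protocol on port 80
    if len(head) > MAX_HEADER_BYTES:
        return False, "header block too large"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return False, "malformed request line"
    method, target = m.group(1).decode(), m.group(2).decode()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode(errors="replace").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow list"
    if "://" in target:
        # absolute-form target: its authority must agree with Host, otherwise a
        # client could satisfy the allow list on Host and reach another server
        authority = target.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()
        if authority != host:
            return False, "request target disagrees with Host header"
    return True, f"{method} {target} to {host}"


# constructed sample requests, as the proxy would receive them from clients
SAMPLES = {
    "plain_get":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect":      b"CONNECT evil.example.net:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http":     b"SSH-2.0-OpenSSH_8.9\r\n",
    "host_smuggle": b"GET http://evil.example.net/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_host":     b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
}


def inspect_samples():
    """Verdict per sample: {name: allowed}."""
    return {name: inspect_http_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {inspect_http_request(raw)}")
```

Only the plain GET passes; the CONNECT (a tunnel through the proxy), the non-HTTP bytes, the absolute-form request whose target disagrees with Host, and the request for a host outside the allow list are all refused, none of which a Layer 3/4 rule on "TCP port 80" could distinguish.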


Stateful Firewalls

Modern stateful firewalls combine aspects and capabilities of NAT firewalls, circuit-level firewalls, and proxy firewalls into one system.

These firewalls filter traffic initially based on packet characteristics, like the packet-filtering firewall, but also keep a connection (state) table and include session checks to make sure that each packet belongs to a session that is allowed: an inbound packet is accepted when it matches a connection the firewall has already seen initiated from the permitted side, rather than because it happens to match a static rule.

They also include proxy-filtering aspects by inspecting application-layer data through the use of protocol-specific inspection services (for example, the fixup command in PIX OS 6).
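The difference between the static "established" rule that a stateless packet filter (see the Packet Filtering Firewall slide) has to use for return traffic and the session check a stateful firewall makes, as an added example that is not code from the original slides. The addresses, the inside prefix, the rule set and the probe packet are constructed for the example; the flow 192.168.1.1:3844 to 10.100.100.44:80 is the one from the NAT table.

```python
"""Stateless packet filtering versus stateful inspection.

Added example, not code from the original slides. The inside prefix, the
rules and the sample packets are constructed for the illustration.
"""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."          # assumed: inside hosts share this prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def is_inside(ip):
    return ip.startswith(INSIDE_NET)


def stateless_filter(pkt):
    """Static rules only. To let replies to outbound web requests back in, the
    filter must permit any TCP packet from port 80 with ACK set towards an
    inside high port, and that rule cannot tell a real reply from an
    attacker's probe crafted to look like one."""
    if is_inside(pkt.src_ip) and pkt.dst_port == 80:
        return True                                    # outbound web
    if (not is_inside(pkt.src_ip) and pkt.src_port == 80
            and pkt.dst_port >= 1024 and pkt.ack):
        return True                                    # "established" reply rule
    return False


class StatefulFirewall:
    """Connection table keyed by the 4-tuple of the inside-initiated flow."""

    def __init__(self):
        self.table = set()

    def filter(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_inside(pkt.src_ip) and pkt.dst_port == 80:
            if pkt.syn and not pkt.ack:
                self.table.add(flow)                   # new outbound session
            return flow in self.table                  # later packets need an entry
        # inbound: permitted only as the reverse of a tracked session
        return reverse in self.table


def demo():
    """Run the same three packets through both filters; returns the verdicts."""
    fw = StatefulFirewall()
    request = Packet("192.168.1.1", 3844, "10.100.100.44", 80, syn=True)
    reply = Packet("10.100.100.44", 80, "192.168.1.1", 3844, syn=True, ack=True)
    # constructed probe: same shape as a reply, but no inside host asked for it
    probe = Packet("203.0.113.9", 80, "192.168.1.1", 40000, ack=True)
    return {
        "stateless": [stateless_filter(p) for p in (request, reply, probe)],
        "stateful": [fw.filter(p) for p in (request, reply, probe)],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9} request/reply/probe -> {verdicts}")
```

Both filters pass the request and its reply; only the stateful one rejects the probe, because no entry in its table was created by an inside host for that 4-tuple. The stateless rule has to stay open for every source that claims port 80, which is exactly what an ACK scan or a spoofed reply exploits.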


Transparent Firewalls

Transparent firewalls sit at Layer 2, the data link layer, and monitor Layer 3+ traffic while applying packet-filtering rules.

They appear invisible to the end user and to an attacker: the firewall is not an IP hop on the path, so there is no router address for an attacker to target directly (the management address still has to be protected).

The benefits of a transparent firewall:

- Zero configuration: the protected network keeps its existing addressing
- Performance
- Stealth

Lower overhead enables them to provide better performance as well as deeper packet inspection.


Virtual Firewalls

Multiple logical firewalls running on a single physical device.

This arrangement allows multiple networks to be protected, each by a unique firewall running a unique security policy. Service providers do so by defining separate security domains, each controlled by a separate logical virtual firewall.

Available only in higher-end firewalls because of the memory requirements and CPU capabilities needed for each virtual firewall.


DEMILITARIZED ZONES

A demilitarized zone (DMZ) isolates hosts which are accessible from outside the network (e.g. a web server or FTP server) from internal servers. The externally accessible hosts are placed in a separate network zone, on a separate adapter connected to the firewall. This creates the DMZ, and is easily achieved with a firewall with three or more interfaces.

All traffic between zones, and all traffic from the Internet to all zones, is checked by the firewall. In this way, each zone is isolated, and the systems in each zone only trust other systems within the same zone: if a DMZ host is compromised, the attacker still has to cross the firewall to reach the internal zone.


Single-Firewall Architectures

The single-firewall architecture is simpler because it relies on a single firewall device to filter and control the flow of traffic.

With a single firewall implementation, there are different designs:

- Internet firewall with a single DMZ
- Internet firewall with multiple DMZs
- Internet-screening firewall (no DMZ)


Internet Firewall with a Single DMZ


Internet Firewall with Multiple DMZs


Internet-Screening Firewall (No DMZ)

It prevents external hosts from initiating connections to any protected resource.

It filters and restricts traffic from internal hosts to external resources, typically through the use of content-filtering software such as Websense or SurfControl.

Internet-screening firewalls are also frequently implemented for remote office scenarios, because it is relatively rare that a remote office contains resources that need to be accessed from external sources.


Dual-Firewall Architectures


PIX/ASA firewall

The PIX/ASA is a powerful stateful packet-inspection firewall with some basic application-inspection capabilities.

Cisco PIX Firewall and ASA models:

- SOHO solution, e.g. PIX 501
- Medium- to large-office solution, e.g. PIX 515E
- Enterprise office and service provider solution


Firewall Security Policy

PIX implements a combination of the following elements to assist in making filtering decisions:

- Separate the network into zones based on security levels
- Use ACLs to permit or deny traffic
- Apply Network Address Translation (NAT)
- Apply authentication, authorization, and accounting (AAA) for through traffic
- Apply web or FTP filtering


Additional Features of ASA

- Use the AIP SSM to perform deep packet inspection on the data.
- Use the CSC SSM to perform threat protection and content control for antivirus, antispyware, antispam, antiphishing, URL blocking, content filtering, and file blocking.
- Apply QoS policies to give priority to certain types of network traffic.


Firewall Modes of Operation

- Routed mode (the firewall is a Layer 3 hop)
- Transparent mode (the firewall bridges at Layer 2, as described under Transparent Firewalls)

In either mode, stateful inspection is performed through the Cisco Adaptive Security Algorithm (ASA; the same acronym is also used for the Adaptive Security Appliance product line). The algorithm uses a stateful approach to security: every inbound packet is checked exhaustively against the algorithm's rules and against the connection state information held in memory.


ASA Algorithm

- Allow any traffic connections that originate from the inside, higher-security network to an external, lower-security network unless specifically denied by an ACL.
- Allow any traffic for which application inspection has been configured and the traffic has been determined to be acceptable.
- Drop and log attempts to initiate connections to a translation slot from the outside unless there is an ACL that permits that connection.
- Drop and log source-routed IP packets.
- Deny all ICMP traffic from lower-security interfaces through the firewall unless explicitly permitted.
- Permit all ICMP traffic to the firewall itself (by default; the icmp command can restrict this per interface).
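The decision these rules produce for a new connection, as an added example that is not Cisco code and not from the original slides. It models the rules above, and the zoning from the DMZ section, for new connections only: the interface security levels (inside 100, dmz 50, outside 0), the firewall's own addresses, the ACL format and the sample packets are assumptions, and application inspection and the connection table are not modelled.

```python
"""Default-policy decision for a new connection through a PIX/ASA-style
firewall with inside, DMZ and outside zones.

Added example, not Cisco code and not from the original slides. Levels,
addresses, ACL format and sample packets are assumptions.
"""
from dataclasses import dataclass

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}      # assumed interface levels
FIREWALL_ADDRS = {"198.51.100.1", "172.16.1.1", "10.1.1.1"}    # assumed own addresses


@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrived on
    out_if: str           # interface the destination lives behind
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int = 0
    source_routed: bool = False


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip"
    dst_ip: str           # exact address or "any"
    dst_port: int = 0     # 0 matches any port


def acl_lookup(acl, pkt):
    """First matching entry wins, as on PIX/ASA; None when nothing matches."""
    for e in acl:
        if (e.proto in (pkt.proto, "ip") and e.dst_ip in (pkt.dst_ip, "any")
                and e.dst_port in (0, pkt.dst_port)):
            return e.action
    return None


def decide(pkt, acls, log):
    """Return True if a new connection is allowed; acls maps interface -> inbound ACL."""
    if pkt.source_routed:
        log.append(f"drop source-routed packet from {pkt.src_ip}")
        return False
    if pkt.proto == "icmp" and pkt.dst_ip in FIREWALL_ADDRS:
        return True               # ICMP to the firewall itself is allowed by default
    verdict = acl_lookup(acls.get(pkt.in_if, []), pkt)
    if verdict is not None:       # an explicit ACL overrides the level-based default either way
        if verdict == "deny":
            log.append(f"drop {pkt.proto} {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port} "
                       f"denied by ACL on {pkt.in_if}")
        return verdict == "permit"
    if SECURITY_LEVEL[pkt.in_if] > SECURITY_LEVEL[pkt.out_if]:
        return True               # higher to lower security: allowed unless denied above
    # lower (or equal) to higher without an ACL: covers both the translation-slot
    # rule and the ICMP-through rule, since neither passes without a permit
    log.append(f"drop attempt to open {pkt.proto} {pkt.dst_ip}:{pkt.dst_port} from {pkt.in_if}")
    return False


def run_scenarios():
    """Constructed packets against two small ACLs; returns ({name: allowed}, log)."""
    acls = {"outside": [AclEntry("permit", "tcp", "172.16.1.10", 80)],   # DMZ web server
            "inside": [AclEntry("deny", "tcp", "any", 23)]}              # no outbound telnet
    log = []
    cases = {
        "inside_to_web":      Packet("inside", "outside", "10.1.1.20", "203.0.113.10", "tcp", 443),
        "inside_telnet_out":  Packet("inside", "outside", "10.1.1.20", "203.0.113.10", "tcp", 23),
        "outside_to_inside":  Packet("outside", "inside", "203.0.113.9", "10.1.1.20", "tcp", 445),
        "outside_to_dmz_web": Packet("outside", "dmz", "203.0.113.9", "172.16.1.10", "tcp", 80),
        "outside_to_dmz_ssh": Packet("outside", "dmz", "203.0.113.9", "172.16.1.10", "tcp", 22),
        "source_routed":      Packet("outside", "dmz", "203.0.113.9", "172.16.1.10", "tcp", 80,
                                     source_routed=True),
        "ping_firewall":      Packet("outside", "outside", "203.0.113.9", "198.51.100.1", "icmp"),
        "ping_through":       Packet("outside", "dmz", "203.0.113.9", "172.16.1.10", "icmp"),
    }
    return {name: decide(p, acls, log) for name, p in cases.items()}, log


if __name__ == "__main__":
    results, log = run_scenarios()
    for name, allowed in results.items():
        print(f"{name:19} {'permit' if allowed else 'drop'}")
    print("\n".join(log))
```

Only the inside-initiated HTTPS connection, the ACL-permitted HTTP to the DMZ web server, and the ping of the firewall's own address are allowed; everything opened from the lower-security side without a matching permit, the source-routed packet, and the outbound telnet hit by the inside ACL are dropped and logged. Note that ICMP from a lower-security interface is dropped even though inside-originated pings are allowed out; on a real PIX/ASA the echo replies for those pings only return when ICMP inspection is enabled.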


Cisco PIX ASA Operation

