Compare Firewall Products
Yan Xie
2001825
Term Project of Network Security
Introduction
• Why do we need a firewall
• The definition of a firewall
• Some benefits and disadvantages of firewalls
• Types of firewall
• Comparison of the features of some firewall products
Why do we need a Firewall
Security vulnerabilities on the Internet and in the local area network:
• Vulnerable TCP/IP services
• Lack of a security policy
• Complexity of configuration
• Weak authentication
• Ease of spying and monitoring
• Ease of spoofing
• Flawed LAN services and mutually trusting hosts
• Host-based security does not scale
The definition of Firewall
What is a firewall?
A firewall is any one of several ways of protecting one network from another, untrusted network. In principle, the firewall can be thought of as a pair of mechanisms: one exists to block traffic, and the other exists to permit traffic. Some firewalls place a great emphasis on blocking traffic, while others emphasize permitting traffic.
The definition of Firewall
Firewall components
1. Network policy, which includes a service access policy and a firewall design policy
• A service access policy defines those services that will be allowed or denied from the restricted network
• A firewall design policy describes how the firewall will actually restrict and filter the services defined in the network access policy. It takes one of two stances:
  Permit any service unless it is expressly denied
  Deny any service unless it is expressly permitted
Firewall components (cont.)
2. Advanced authentication mechanisms (smart cards, authentication tokens)
3. Packet filtering (by source address, destination address, TCP/UDP source port, TCP/UDP destination port)
4. Application gateways, which provide:
• Information hiding
• Robust authentication and logging
• Cost-effectiveness
• Less complex filtering rules
Benefits of a Firewall
• Protection from vulnerable services
• Controlled access to site systems
• Privacy
• Logging and statistics on network use
• Enhanced, concentrated security
Disadvantages of a Firewall
• Restricted access to desirable services
• Large potential for back doors
• Little protection from inside attacks
• Potential threat from multicast IP transmissions
• Restrictions on configuration
• No protection against viruses
Types of Firewall
Packet filter firewall
• The most common and easiest firewall to apply for small, uncomplicated sites
• Allows selective access to systems and services depending on source address, destination address, TCP/UDP source port and TCP/UDP destination port
• Inherently dangerous services such as NIS, NFS and X Windows are blocked
Packet Filtering Firewall
Figure: Packet Filtering Firewall (Internet, IP packet filtering router, site system)
Packet Filter Firewall
• Little or no logging capability
• It is difficult to test the filter rules and find out where the system is vulnerable
• The filtering router will become unmanageable if complex filtering rules are required
• The lowest level of firewall, because it has no application awareness
Types of Firewall
Dual-homed gateway firewall
• Implements the second design policy: deny all services unless they are specifically permitted
• A complete block to IP traffic between the Internet and the protected site; proxy servers on the gateway provide services and access
• Provides proxy services for Telnet and FTP, as well as an e-mail service: the firewall can accept all site mail and forward it to site systems
• Logs access and access attempts, which helps to find intruder activity
• Segregates traffic concerned with an information server from other traffic to and from the site; any intruder penetration of the information server would be blocked by the dual-homed gateway
• If any vulnerability on the host is exploited or the host is otherwise compromised, an intruder could subvert the firewall and carry out harmful activities
Dual-homed Gateway Firewall
Figure: Dual-homed Gateway Firewall with Router (Internet, IP filtering router, application gateway, info server)
Screened Host Firewall
• A screened host firewall combines a packet-filtering router with an application gateway located on the protected-subnet side of the router
• The router filters or screens dangerous protocols, keeping them from reaching the application gateway and site systems
• Whether application traffic is routed or rejected depends on the following rules:
  Application traffic from Internet sites to the application gateway gets routed.
  All other traffic from Internet sites gets rejected.
  The router rejects any application traffic originating from the inside unless it came from the application gateway.
Screened Host Firewall
• Since the router only has to limit application traffic to the application gateway, the configuration is not as complex as that of a packet filtering firewall.
• The gateway needs only one network interface and does not require a separate subnet between the application gateway and the router, which may make the firewall more flexible.
• The router may be permitted to pass some trusted services directly to site systems, so the firewall should use both design policies to restrict how many and what types of services are routed directly to site systems.
Screened Host Firewall
Figure: Screened Host Firewall (Internet, IP filtering router, application gateway, info server)
Screened Subnet Firewall
• A screened subnet firewall can be used to locate each component of the firewall on a separate system
• The outer router will route traffic according to the following rules:
  Application traffic from the application gateway to Internet systems gets routed.
  E-mail traffic from the e-mail server to Internet sites gets routed.
  Application traffic from the e-mail server to the application gateway gets routed.
  E-mail traffic from Internet sites to the e-mail server gets routed.
  FTP, Gopher, etc. traffic from Internet sites to the information server gets routed.
  All other traffic gets rejected.
Screened Subnet Firewall
• The inner router passes traffic to and from the screened subnet according to the following rules:
  Application traffic from the application gateway to site systems gets routed.
  E-mail traffic from the e-mail server to site systems gets routed.
  Application traffic from site systems to the application gateway gets routed.
  E-mail traffic from site systems to the e-mail server gets routed.
  FTP, Gopher, etc. traffic from site systems to the information server gets routed.
  All other traffic gets rejected.
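As an added example (not part of the original slides), the packet filtering described under firewall components and the two rule tables of the screened subnet above, written as a small first-match filter with the "deny any service unless it is expressly permitted" default. The host addresses, the site network and the port-to-service mapping are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses: the three screened-subnet hosts and the site network.
APP_GATEWAY, MAIL_SERVER, INFO_SERVER = "192.0.2.10", "192.0.2.20", "192.0.2.30"
SITE_NET = ip_network("10.0.0.0/8")                     # protected site systems
SCREENED = {ip_address(h) for h in (APP_GATEWAY, MAIL_SERVER, INFO_SERVER)}
APP_PORTS, MAIL_PORTS, INFO_PORTS = {23, 80}, {25}, {21, 70}  # Telnet/HTTP, SMTP, FTP/Gopher

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def host(addr):
    """Matcher for exactly one screened-subnet host."""
    return lambda ip: ip == ip_address(addr)

def site(ip):
    """Matcher for any protected site system."""
    return ip in SITE_NET

def internet(ip):
    """Matcher for Internet sites: anything that is neither a site system nor a screened host."""
    return ip not in SITE_NET and ip not in SCREENED

# Rule tables transcribed from the slides: (source matcher, destination matcher, allowed ports).
OUTER_ROUTER = [
    (host(APP_GATEWAY), internet, APP_PORTS),        # application traffic, gateway -> Internet
    (host(MAIL_SERVER), internet, MAIL_PORTS),       # e-mail, mail server -> Internet
    (host(MAIL_SERVER), host(APP_GATEWAY), APP_PORTS),
    (internet, host(MAIL_SERVER), MAIL_PORTS),       # e-mail, Internet -> mail server
    (internet, host(INFO_SERVER), INFO_PORTS),       # FTP, Gopher etc., Internet -> info server
]
INNER_ROUTER = [
    (host(APP_GATEWAY), site, APP_PORTS),
    (host(MAIL_SERVER), site, MAIL_PORTS),
    (site, host(APP_GATEWAY), APP_PORTS),
    (site, host(MAIL_SERVER), MAIL_PORTS),
    (site, host(INFO_SERVER), INFO_PORTS),
]

def decide(rules, pkt):
    """First matching rule routes the packet; no match means rejected (deny unless permitted)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for src_ok, dst_ok, ports in rules:
        if src_ok(src) and dst_ok(dst) and pkt.dport in ports:
            return "routed"
    return "rejected"
```

Note that a packet from an Internet host addressed directly to a site system matches nothing on the outer router, which is what keeps site systems out of reach even before the inner router sees the packet.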
Screened Subnet Firewall
Advantages of the screened subnet firewall
• The two routers make it more difficult for an intruder to attack, because he has to subvert both routers to access site systems.
• Only the application gateway, e-mail server and information server would be known to the Internet as site systems; no other system name would appear in the DNS database that is accessible to outside systems.
• The application gateway can use authentication software to authenticate all inbound connections.
• More flexible, by permitting certain trusted services to pass between the Internet and site systems.
Screened Subnet Firewall
Figure: Screened Subnet Firewall (Internet, outer router, screened subnet with application gateway, e-mail server and info server, inner router, site systems)
Firewall Products
Interlock of ANS Communications
• An application-gateway-based firewall designed to secure access between IP networks.
• The Access Control Rule Base is the facility used to define the Interlock's access control.
• Ensures intra-network protection by controlling access between segments of an internal TCP/IP network.
• Modified source code: the functions for IP forwarding, ICMP redirection and source routing have been removed.
Interlock
Authentication
• Standard password
• SecurID and PINPAD
• Non-authenticated services cannot be required to authenticate
Access control
• First checks whether there is a specific rule for the user and application
• Then checks for rules associated with a group containing the user
• The user gets access according to the matching rule
Does not support
• Confidentiality
• Integrity
• Serial-line protection
Nov*IX for NetWare
Nov*IX, from Firefox
• Nov*IX for NetWare is a packet filter firewall that enables you to connect a Novell NetWare network to TCP/IP host systems over TCP/IP networks
Authentication
• A NetWare-based password facility authorizes all outgoing connections through the server
• For incoming connections, user authentication can be implemented for remote clients using a login and password held in the bindery or directory services
• For specific authentication, FTP users require a user name and password that are verified in the NetWare Bindery before they are authorized to connect to the FTP server
• Detects and prevents IP spoofing
Nov*IX for NetWare
Access control
• Extracts the data from the IPX packet and puts the data in an IP packet for transmission onto the Internet
• For incoming Internet traffic, data is removed from IP packets and put into IPX packets before entering the NetWare network
• Network managers can specify the port addresses that are acceptable or those that are unacceptable
Does not support
• Confidentiality
• Integrity
• Protection against "back doors"
CyberGuard Firewall
• CyberGuard Firewall is a combination of a packet-filter gateway, a proxy gateway and a bastion host
Authentication
• Password-based user authentication
• SecurID user authentication: a dynamically generated password from a hand-held token card plus a personal identification number
• Host authentication has the ability to detect IP spoofing
Access control
• Hides internal host names and addresses; interfaces with standard clients and servers
• Allows and blocks the routing of specific network services based on a dynamic return path, according to service type, protocol, source and destination names or addresses, subnetwork mask, direction of transfer and established connections
CyberGuard Firewall: Enhanced Security
• Mandatory access control
• Multilevel directories
• Secure device handling
• Privileges
Confidentiality
• A private-network packet is encrypted and placed into the data portion of the packet that is sent out by the firewall
• The internal host source and destination addresses, the private network information and the original data are all encrypted
Integrity
• A counter prevents replay attacks
• By using a MAC within the encryption process, it can detect and prevent modification of any data in the packet, including the addresses
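An added illustration (not CyberGuard's own code or packet format) of the integrity mechanism just described: a counter plus a MAC over the encapsulated inner packet, with a receiving gateway that rejects replayed and modified payloads. The shared key, payload layout and inner addresses are constructed; the confidentiality step (encrypting the inner packet) is left out so that only the integrity check is shown.

```python
import hashlib
import hmac
import struct

# Constructed shared key between the two firewall gateways (placeholder, not a real key).
GATEWAY_KEY = b"constructed-shared-gateway-key"
TAG_LEN = 32   # HMAC-SHA256 output size

def build_tunnel_payload(counter, inner_packet):
    """Outer data portion = 8-byte counter || inner packet || MAC over both.
    The MAC covers the whole inner packet, so its internal addresses are protected too."""
    body = struct.pack(">Q", counter) + inner_packet
    tag = hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()
    return body + tag

class ReceivingGateway:
    def __init__(self):
        self.highest_seen = 0   # counter of the last accepted payload

    def accept(self, payload):
        """Return the inner packet, or None if the MAC fails or the counter does not advance."""
        if len(payload) < 8 + TAG_LEN:
            return None
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # modified in transit (data or address)
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.highest_seen:
            return None                      # replayed: this counter was already used
        self.highest_seen = counter
        return body[8:]

def demo():
    """Constructed inner packet; returns the four outcomes the slide describes."""
    inner = b"src=10.0.0.5 dst=10.0.0.9 GET /"
    rx = ReceivingGateway()
    first = build_tunnel_payload(1, inner)
    third = build_tunnel_payload(3, inner)
    # Flip the inner source address in the third payload without recomputing the MAC.
    tampered = third[:8] + b"src=10.0.0.6" + third[20:]
    return {
        "fresh": rx.accept(first) == inner,
        "replay": rx.accept(first) is None,
        "next": rx.accept(build_tunnel_payload(2, inner)) == inner,
        "tampered": rx.accept(tampered) is None,
    }
```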
Firewall-1 Check Point
• Firewall-1 is located in the kernel of the OS, below the network layer
• Checks IP addresses and port numbers at the same time
• Stores and refreshes state and context in a dynamic state table
Authentication
• Password: internal Firewall-1 password, SecurID, S/Key
• Cryptography-based authentication
Firewall-1
Access control: stateful inspection
• Extracts the state-related information required for security decisions from all application layers
• Maintains this information in dynamic state tables for evaluating subsequent connection attempts
• Rule based
Confidentiality & integrity
• Session key: DES, used to encrypt the message
• Encryption key: Diffie-Hellman, generating a secret key for each gateway
• Certificate Authority key: RSA, authenticating the encryption key
• Supports encryption at speeds greater than 10 Mbps
Compare Firewall Products

Product     Company      Authentication  Access control  Confidentiality  Integrity  Protocols/services
Interlock   ANS          √               √               -                -          FTP, Telnet, Login, SMTP, NNTP, X Windows, WWW, Gopher, HTTP, RealAudio, LPD, NTP
Nov*IX      Firefox      √               √               -                -          Packet filtering: TCP, UDP, NNTP, HTTP
CyberGuard  CyberGuard   √               √               √                √          FTP, Telnet, Login, SMTP, NNTP, HTTP, Gopher, X11, SOCKS, enhanced pass-through proxy
Firewall-1  Check Point  √               √               √                √          Complete TCP/IP protocols
Suggestion
Firewall with a modem pool
• A firewall cannot defend against "back doors", so collect the modems and connect them to a terminal server
• A terminal server is a computer designed for connecting modems to a network
• The terminal server restricts which systems can be connected to
• Packet filtering prevents inside systems from connecting directly to the modem pool
• The application gateway's authentication is used to authenticate users whether they come in from a modem or from the Internet
Suggestion
Multicast IP transmission
• Minimize the unnecessary exposure of hosts to multicast traffic
• Transmissions are passed only when the request comes from an inside user
• Allow packets only to the ports designated by the requesting host and regarded by the firewall kernel as unused
Conclusion
• Choose a firewall that provides confidentiality and integrity
• An updatable firewall should be considered
• Use a suitable service access policy and design policy
• Proper configuration and implementation depend on the specific application
• Use more devices to improve security, such as intrusion detection and anti-virus software