Figure 5-1: Border Firewall Firewallshossein/Teaching/Fa07... · 4 19 Figure 5-3: Firewall Hardware and Software Host Firewalls {Defense in depth Normally used in conjunction with

1

Firewalls

Chapter 5

Revised March 2004

Panko, Corporate Computer and Network Security

Copyright 2004 Prentice-Hall

2

Figure 5-1: Border Firewall

1. Internet (Not Trusted), where the Attacker is

1. Internal Corporate Network (Trusted)

2. Internet Border Firewall between the two networks

3

Figure 5-1: Border Firewall

3. Attack Packet sent by the Attacker from the Internet (Not Trusted)

2. Internet Border Firewall

4. Dropped Packet (Ingress), recorded in the Log File

4

Figure 5-1: Border Firewall

5. Legitimate Packet sent by a Legitimate User from the Internet (Not Trusted)

2. Internet Border Firewall

5. Passed Legitimate Packet (Ingress) into the Internal Corporate Network (Trusted)

5

Figure 5-1: Border Firewall

Packets leaving the Internal Corporate Network (Trusted) toward the Internet (Not Trusted), where the Attacker is

2. Internet Border Firewall

7. Passed Packet (Egress)

7. Dropped Packet (Egress)

4. Log File, which records the dropped packets

6

Figure 5-1: Border Firewall

6. Attack Packet that Got Through Firewall, sent by the Attacker on the Internet (Not Trusted) past the 2. Internet Border Firewall

6. Hardened Client PC and 6. Hardened Server on the Internal Corporate Network (Trusted)

Hardened Hosts Provide Defense in Depth


7

Figure 5-2: Types of Firewall Inspection

Packet Inspection

Examines IP, TCP, UDP, and ICMP headers

Static packet inspection (described later)

Stateful inspection (described later)

Application Inspection

Examines application layer messages

8

Figure 5-2: Types of Firewall Inspection

Network Address Translation (NAT)

Hides IP addresses and port numbers

Denial-of-Service (DoS) Inspection

Detects and stops DoS attacks

Authentication

Requires senders to authenticate themselves

9

Figure 5-2: Types of Firewall Inspection

Virtual Private Network (VPN) Handling

VPNs are protected packet streams (see Chapter 8)

Packets are encrypted for confidentiality, so firewall inspection is impossible

VPNs typically bypass firewalls, making border security weaker

10

Figure 5-2: Types of Firewall Inspection

Hybrid Firewalls

Most firewalls offer more than one type of filtering

However, firewalls normally do not do antivirus filtering

Some firewalls pass packets to antivirus filtering servers

11

Firewalls

Firewall Hardware and Software

Screening router firewalls

Computer-based firewalls

Firewall appliances

Host firewalls (firewalls on clients and servers)

Inspection Methods

Firewall Architecture

Configuring, Testing, and Maintenance

12

Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls

Add firewall software to router

Usually provide light filtering only

Expensive for the processing power—usually must upgrade hardware, too


13

Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls

Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier

Good location for egress filtering—can eliminate scanning responses, even from the router

14

Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Add firewall software to server with an existing operating system: Windows or UNIX

Can be purchased with power to handle any load

Easy to use because administrators already know the operating system

15

Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Firewall vendor might bundle firewall software with hardened hardware and operating system software

General-purpose operating systems result in slower processing

16

Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Security: Attackers may be able to hack the operating system

Change filtering rules to allow attack packets in

Change filtering rules to drop legitimate packets

17

Figure 5-3: Firewall Hardware and Software

Firewall Appliances

Boxes with minimal operating systems

Therefore, difficult to hack

Setup is minimal

Not customized to specific firm’s situation

Must be able to update

18

Figure 5-3: Firewall Hardware and Software

Host Firewalls

Installed on hosts themselves (servers and sometimes clients)

Enhanced security because of host-specific knowledge

For example, filter out everything but webserver transmissions on a webserver


19

Figure 5-3: Firewall Hardware and Software

Host Firewalls

Defense in depth

Normally used in conjunction with other firewalls

Although on a single host computer attached to the Internet, it might be the only firewall

20

Figure 5-3: Firewall Hardware and Software

Host Firewalls

The firm must manage many host firewalls

If not centrally managed, configuration can be a nightmare

Especially if rule sets change frequently

21

Figure 5-3: Firewall Hardware and Software

Host Firewalls

Client firewalls typically must be configured by ordinary users

Might misconfigure or reject the firewall

Need to centrally manage remote employee computers

22

Perspective

Computer-Based Firewall

Firewall based on a computer with a full operating system

Host Firewall

A firewall on a host (client or server)

23

Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering

Performance Requirements are driven by two factors

Traffic Volume (Packets per Second)

Complexity of Filtering: Number of Filtering Rules, Complexity of Rules, etc.

If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them

24

Firewalls

Firewall Hardware and Software

Inspection Methods

Static Packet Inspection

Stateful Packet Inspection

NAT

Application Firewalls

IPSs

Firewall Architecture

Configuring, Testing, and Maintenance


25

Figure 5-5: Static Packet Filter Firewall

Packets shown: IP-H + TCP-H + Application Message; IP-H + UDP-H + Application Message; IP-H + ICMP-H + ICMP Message

Only IP, TCP, UDP and ICMP Headers Examined

Static Packet Filter Firewall between the Corporate Network and The Internet: Permit (Pass) or Deny (Drop), with drops recorded in the Log File

26

Figure 5-5: Static Packet Filter Firewall

Packets shown: IP-H + TCP-H + Application Message; IP-H + UDP-H + Application Message; IP-H + ICMP-H + ICMP Message

Arriving Packets Examined One at a Time, in Isolation; This Misses Many Attacks

Static Packet Filter Firewall between the Corporate Network and The Internet: Permit (Pass) or Deny (Drop), with drops recorded in the Log File

27

Figure 5-6: Access Control List (ACL) For Ingress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address = 60.40.*.*, DENY [firm’s internal address range]

28

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]

6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

29

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connection to a public webserver]

8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]

30

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

9. If TCP destination port = 20, DENY [FTP data connection]

10. If TCP destination port = 21, DENY [FTP supervisory control connection]

11. If TCP destination port = 23, DENY [Telnet data connection]

12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]


31

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

13. If TCP destination port = 513, DENY [UNIX rlogin without password]

14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]

15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]

16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]

32

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

17. If ICMP Type = 0, PASS [allow incoming echo reply messages]

DENY ALL

33

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

DENY ALL

Last rule

Drops any packets not specifically permitted by earlier rules

In the previous ACL, Rules 8-17 are not needed; Deny all would catch them
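As an added worked example (not from the Panko text), the ingress ACL of Figure 5-6 transcribed into a small first-match evaluator and run over sample packets constructed for the purpose; it shows the misordering hazard raised later under Configuring, Testing, and Maintenance (swapping rules 7 and 8 silently drops webserver traffic) and checks that deny rules 8 to 16 are already covered by DENY ALL on these packets. The 203.0.113.x addresses are constructed placeholders for external hosts.

```python
# Added example (not from the Panko slides): the ingress ACL of Figure 5-6 as an
# ordered, first-match-wins rule list, plus the checks described in the lead-in.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"SYN"}
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    action: str                     # "PASS" or "DENY"
    note: str                       # rule number and the figure's annotation


def src_in(*nets: str) -> Callable[[Packet], bool]:
    """Source-address match, e.g. the private ranges of rules 1-3."""
    parsed = tuple(ip_network(n) for n in nets)
    return lambda p: any(ip_address(p.src) in n for n in parsed)


def tcp_flags(on=(), off=()) -> Callable[[Packet], bool]:
    """TCP segments with every flag in `on` set and none of `off` set."""
    return lambda p: p.proto == "tcp" and set(on) <= p.flags and not (set(off) & p.flags)


def tcp_dport(lo: int, hi: Optional[int] = None) -> Callable[[Packet], bool]:
    hi = lo if hi is None else hi
    return lambda p: p.proto == "tcp" and lo <= p.dport <= hi


def udp_dport(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "udp" and p.dport == port


# Figure 5-6 transcribed rule for rule; evaluate() supplies the trailing DENY ALL.
INGRESS_ACL: List[Rule] = [
    Rule(src_in("10.0.0.0/8"), "DENY", "1 private IP address range"),
    Rule(src_in("172.16.0.0/12"), "DENY", "2 private IP address range"),
    Rule(src_in("192.168.0.0/16"), "DENY", "3 private IP address range"),
    Rule(src_in("60.40.0.0/16"), "DENY", "4 firm's internal address range (as printed in the figure)"),
    Rule(src_in("1.2.3.4/32"), "DENY", "5 black-holed address of attacker"),
    Rule(tcp_flags(on=("SYN", "FIN")), "DENY", "6 crafted attack packet"),
    Rule(lambda p: p.dst == "60.47.3.9" and p.proto == "tcp" and p.dport in (80, 443),
         "PASS", "7 connection to a public webserver"),
    Rule(tcp_flags(on=("SYN",), off=("ACK",)), "DENY", "8 connection attempt from outside"),
    Rule(tcp_dport(20), "DENY", "9 FTP data connection"),
    Rule(tcp_dport(21), "DENY", "10 FTP supervisory control connection"),
    Rule(tcp_dport(23), "DENY", "11 Telnet"),
    Rule(tcp_dport(135, 139), "DENY", "12 NetBIOS"),
    Rule(tcp_dport(513), "DENY", "13 UNIX rlogin"),
    Rule(tcp_dport(514), "DENY", "14 UNIX rsh"),
    Rule(tcp_dport(22), "DENY", "15 SSH"),
    Rule(udp_dport(69), "DENY", "16 TFTP"),
    Rule(lambda p: p.proto == "icmp" and p.icmp_type == 0, "PASS", "17 incoming echo reply"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Rules are executed in series; the first match decides (slide 79)."""
    for rule in acl:
        if rule.match(pkt):
            return rule.action, rule.note
    return "DENY", "DENY ALL"


def drop_rules(acl: List[Rule], first: int, last: int) -> List[Rule]:
    """Copy of the ACL without rules numbered first..last (1-based, as in the figure)."""
    return [r for i, r in enumerate(acl, start=1) if not first <= i <= last]


def misordered(acl: List[Rule]) -> List[Rule]:
    """Figure 5-6 with rules 7 and 8 swapped: the broad 'deny external SYN' rule now
    runs before the webserver PASS rule and shadows it (the slide 79 misordering problem)."""
    swapped = list(acl)
    swapped[6], swapped[7] = swapped[7], swapped[6]
    return swapped


def same_decisions(acl_a: List[Rule], acl_b: List[Rule], pkts: List[Packet]) -> bool:
    """True when both ACLs reach the same PASS/DENY verdict for every sample packet."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in pkts)


# Constructed sample traffic; 203.0.113.x stands in for arbitrary external hosts.
SAMPLE_PACKETS: List[Packet] = [
    Packet("123.80.5.34", "60.47.3.9", "tcp", 80, frozenset({"SYN"})),        # legitimate web client
    Packet("10.1.2.3", "60.47.3.9", "tcp", 80, frozenset({"SYN"})),           # spoofed private source
    Packet("203.0.113.7", "60.47.3.10", "tcp", 25, frozenset({"SYN"})),       # SYN to a non-web host
    Packet("203.0.113.7", "60.47.3.9", "tcp", 80, frozenset({"SYN", "FIN"})), # SYN+FIN crafted packet
    Packet("203.0.113.7", "60.47.3.5", "tcp", 23, frozenset({"SYN"})),        # Telnet attempt
    Packet("203.0.113.7", "60.47.3.5", "udp", 69),                            # TFTP attempt
    Packet("203.0.113.7", "60.47.3.5", "icmp", icmp_type=0),                  # echo reply: rule 17
    Packet("203.0.113.7", "60.47.3.5", "icmp", icmp_type=8),                  # echo request: DENY ALL
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}", *evaluate(INGRESS_ACL, pkt))
    print("web SYN under misordered ACL:", evaluate(misordered(INGRESS_ACL), SAMPLE_PACKETS[0]))
    print("rules 8-16 redundant here:", same_decisions(INGRESS_ACL, drop_rules(INGRESS_ACL, 8, 16), SAMPLE_PACKETS))
```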

34

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]

Rules 1-3 are not needed because of this rule

35

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

5. If ICMP Type = 8, PASS [allow outgoing echo messages]

6. If Protocol=ICMP, DENY [drop all other outgoing ICMP messages]

7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]

36

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

8. If source IP address = 60.47.3.9 and TCP source port = 80 OR 443, PERMIT [public webserver responses]

Needed because next rule stops all packets from well-known port numbers

9. If TCP source port=0 through 49151, DENY [well-known and registered ports]

10. If UDP source port=0 through 49151, DENY [well-known and registered ports]


37

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

11. If TCP source port =49152 through 65,536, PASS [allow outgoing client connections]

12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]

Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not

38

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

13. DENY ALL

No need for Rules 9-12

39

Firewalls

Firewall Hardware and Software

Inspection Methods

Static Packet Inspection

Stateful Packet Inspection

NAT

Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

40

Figure 5-8: Stateful Inspection Firewalls

Default Behavior

Permit connections initiated by an internal host

Deny connections initiated by an external host

Can change default behavior with ACL

Figure: Router between the internal network and the Internet; connection attempts from inside are Automatically Accepted, connection attempts from the Internet are Automatically Denied

New

41

Figure 5-8: Stateful Inspection Firewalls

State of Connection: Open or Closed

State: Order of packet within a dialog

Often simply whether the packet is part of an open connection

42

Figure 5-8: Stateful Inspection Firewalls

Stateful Firewall Operation

If the firewall accepts a connection…

Record the two IP addresses and port numbers in state table as OK (open) (Figure 5-9)

Accept future packets between these hosts and ports with no further inspection

This can miss some attacks, but it catches almost everything except attacks based on application message content

New


43

Figure 5-9: Stateful Inspection Firewall Operation I

External Webserver 123.80.5.34 on the Internet; Internal Client PC 60.55.33.12; Stateful Firewall between them

1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80

2. Establish Connection (the firewall records it in the table)

3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 (forwarded to the webserver)

Connection Table:

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 62600; External IP: 123.80.5.34; External Port: 80; Status: OK

Note: Outgoing Connections Allowed By Default

44

Figure 5-9: Stateful Inspection Firewall Operation I

External Webserver 123.80.5.34 on the Internet; Internal Client PC 60.55.33.12; Stateful Firewall between them

4. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600

5. Check Connection: OK; Pass the Packet

6. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600 (forwarded to the client)

Connection Table:

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 62600; External IP: 123.80.5.34; External Port: 80; Status: OK

45

Figure 5-8: Stateful Inspection Firewalls

Stateful Firewall Operation

For UDP, also record two IP addresses and port numbers in the state table

Connection Table:

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 62600; External IP: 123.80.5.34; External Port: 80; Status: OK

Type: UDP; Internal IP: 60.55.33.12; Internal Port: 63206; External IP: 1.8.33.4; External Port: 69; Status: OK

46

Figure 5-8: Stateful Inspection Firewalls

Static Packet Filter Firewalls are Stateless

Filter one packet at a time, in isolation

If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection

But stateful firewalls can (Figure 5-10)

47

Figure 5-10: Stateful Firewall Operation II

Attacker Spoofing External Webserver, 10.5.3.4; Internal Client PC 60.55.33.12; Stateful Firewall between them

1. Spoofed TCP SYN/ACK Segment From: 10.5.3.4:80 To: 60.55.33.12:64640

2. Check Connection Table: No Connection Match: Drop

Connection Table:

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 62600; External IP: 123.80.5.34; External Port: 80; Status: OK

Type: UDP; Internal IP: 60.55.33.12; Internal Port: 63206; External IP: 222.8.33.4; External Port: 69; Status: OK

48

Figure 5-8: Stateful Inspection Firewalls

Static Packet Filter Firewalls are Stateless

Filter one packet at a time, in isolation

Cannot deal with port-switching applications

But stateful firewalls can (Figure 5-11)


49

Figure 5-11: Port-Switching Applications with Stateful Firewalls

External FTP Server 123.80.5.34; Internal Client PC 60.55.33.12; Stateful Firewall between them

1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:21

2. To Establish Connection (recorded as Step 2 in the state table)

3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:21 (forwarded to the server)

State Table:

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 62600; External IP: 123.80.5.34; External Port: 21; Status: OK (Step 2)

50

Figure 5-11: Port-Switching Applications with Stateful Firewalls

External FTP Server 123.80.5.34; Internal Client PC 60.55.33.12; Stateful Firewall between them

4. TCP SYN/ACK Segment From: 123.80.5.34:21 To: 60.55.33.12:62600, Use Ports 20 and 55336 for Data Transfers

5. To Allow, Establish Second Connection (recorded as Step 5 in the state table)

6. TCP SYN/ACK Segment From: 123.80.5.34:21 To: 60.55.33.12:62600, Use Ports 20 and 55336 for Data Transfers (forwarded to the client)

State Table:

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 62600; External IP: 123.80.5.34; External Port: 21; Status: OK (Step 2)

Type: TCP; Internal IP: 60.55.33.12; Internal Port: 55336; External IP: 123.80.5.34; External Port: 20; Status: OK (Step 5)

51

Figure 5-8: Stateful Inspection Firewalls

Stateful Inspection Access Control Lists (ACLs)

Primarily allow or deny applications (port numbers)

Simple, because probe packets are dropped automatically, so no rules are needed for them

Simplicity of stateful firewall gives speed and therefore low cost

Stateful firewalls are dominant today for the main corporate border firewalls

New
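Added example, not from the slides: a Python model of the stateful firewall's connection table that replays Figures 5-9, 5-10 and 5-11 and the UDP row of the table. The internal range 60.55.0.0/16 and the simplified "USE-PORTS" control message standing in for the FTP port announcement are assumptions of this example.

```python
# Added example (not from the Panko slides): a stateful inspection firewall model with
# the connection table of Figures 5-9 to 5-11. The internal range 60.55.0.0/16 and the
# "USE-PORTS" control message are assumptions constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# (Type, Internal IP, Internal Port, External IP, External Port), as in the figures' table
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"   # "tcp" or "udp"
    syn: bool = False
    ack: bool = False
    payload: str = ""    # only looked at on the FTP control connection


class StatefulFirewall:
    """Default behaviour of Figure 5-8: connections opened from inside are recorded
    and allowed; a packet arriving from outside must match an existing table entry."""

    def __init__(self, internal_net: str) -> None:
        self.internal_net = ip_network(internal_net)
        self.table: Dict[Key, str] = {}   # value is the Status column ("OK")

    def is_internal(self, ip: str) -> bool:
        return ip_address(ip) in self.internal_net

    def key_for(self, seg: Segment) -> Key:
        """Normalise both directions of a dialog to the same table key."""
        if self.is_internal(seg.src_ip):
            return (seg.proto, seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        return (seg.proto, seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

    def handle(self, seg: Segment) -> str:
        key = self.key_for(seg)
        if key in self.table:
            # Part of an open connection: passed with no further inspection (Figure 5-9
            # step 5), except that the FTP control channel is watched for port switching.
            self.note_port_switch(seg, key)
            return "PASS"
        opens = seg.proto == "udp" or (seg.syn and not seg.ack)
        if opens and self.is_internal(seg.src_ip):
            self.table[key] = "OK"        # Figure 5-9 step 2: record the new connection
            return "PASS"
        # Unsolicited packet from outside, e.g. the spoofed SYN/ACK of Figure 5-10.
        return "DROP"

    def note_port_switch(self, seg: Segment, key: Key) -> None:
        """Figure 5-11: when the FTP control connection (external port 21) announces the
        data ports, pre-register the second connection so the server's SYN to it passes.
        The 'USE-PORTS <server port> <client port>' line is a constructed simplification."""
        proto, int_ip, _, ext_ip, ext_port = key
        if ext_port != 21 or not seg.payload.startswith("USE-PORTS "):
            return
        _, server_port, client_port = seg.payload.split()
        self.table[(proto, int_ip, int(client_port), ext_ip, int(server_port))] = "OK"

    def rows(self) -> List[Tuple[str, str, int, str, int, str]]:
        """The connection table laid out as in the figures, Status column last."""
        return [(*key, status) for key, status in self.table.items()]


def run_figures() -> List[str]:
    """Replay Figures 5-9, 5-10, 5-11 and the UDP row of slide 45; returns the verdicts."""
    fw = StatefulFirewall("60.55.0.0/16")
    steps = [
        Segment("60.55.33.12", 62600, "123.80.5.34", 80, syn=True),            # 5-9: client SYN out
        Segment("123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True),  # 5-9: SYN/ACK back
        Segment("10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True),     # 5-10: spoofed SYN/ACK
        Segment("60.55.33.12", 63206, "1.8.33.4", 69, proto="udp"),            # slide 45: UDP out
        Segment("1.8.33.4", 69, "60.55.33.12", 63206, proto="udp"),            # UDP reply
        Segment("60.55.33.12", 62600, "123.80.5.34", 21, syn=True),            # 5-11: FTP control
        Segment("123.80.5.34", 21, "60.55.33.12", 62600, syn=True, ack=True,
                payload="USE-PORTS 20 55336"),                                 # 5-11 step 4
        Segment("123.80.5.34", 20, "60.55.33.12", 55336, syn=True),            # announced data port
        Segment("123.80.5.34", 20, "60.55.33.12", 55337, syn=True),            # unannounced: dropped
    ]
    return [fw.handle(s) for s in steps]


if __name__ == "__main__":
    print(run_figures())
```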

52

Firewalls

Firewall Hardware and Software

Inspection Methods

Static Packet Inspection

Stateful Packet Inspection

NAT

Application Firewalls

IPSs

Firewall Architecture

Configuring, Testing, and Maintenance

53

Figure 5-12: Network Address Translation (NAT)

Client 192.168.5.7; NAT Firewall; Server Host on the Internet; a Sniffer on the Internet

1. Packet From 192.168.5.7, Port 61000 (inside the firm)

2. Packet From 60.5.9.8, Port 55380 (on the Internet, as seen by the Sniffer)

Translation Table:

Internal IP Addr: 192.168.5.7; Port: 61000; External IP Addr: 60.5.9.8; Port: 55380 (one row among many)

54

Figure 5-12: Network Address Translation (NAT)

Client 192.168.5.7; NAT Firewall; Server Host on the Internet; a Sniffer on the Internet

3. Reply To 60.5.9.8, Port 55380 (on the Internet, as seen by the Sniffer)

4. Reply To 192.168.5.7, Port 61000 (after translation, inside the firm)

Translation Table:

Internal IP Addr: 192.168.5.7; Port: 61000; External IP Addr: 60.5.9.8; Port: 55380 (one row among many)


55

Figure 5-12: Network Address Translation (NAT)

Sniffers on the Internet cannot learn internal IP addresses and port numbers

Only learn the translated address and port number

By themselves, NAT firewalls provide a great deal of protection against attacks

External attackers cannot create a connection to an internal computer
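Added example, not from the slides: a Python NAT translation table replaying Figure 5-12, including an unsolicited inbound packet that finds no table entry and a second internal host sharing the one public address. The public address 60.5.9.8 and port 55380 are from the figure; the 192.168.5.8 host and the probe packet are constructed.

```python
# Added example (not from the Panko slides): the NAT translation table of Figure 5-12.
# Public address 60.5.9.8 and the first stand-in port 55380 are taken from the figure;
# the second internal host 192.168.5.8 and the probe packet are constructed here.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Replaces the internal source IP address and port with stand-in values on the way
    out and restores the originals on the way back (slide 90); transparent to both ends."""

    def __init__(self, public_ip: str, first_port: int = 55380) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.internal_to_external: Dict[Tuple[str, int], int] = {}
        self.external_to_internal: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> Internet: allocate (or reuse) a stand-in port, rewrite the source."""
        inside = (pkt.src_ip, pkt.src_port)
        if inside not in self.internal_to_external:
            port = self.next_port
            self.next_port += 1
            self.internal_to_external[inside] = port
            self.external_to_internal[port] = inside
        return replace(pkt, src_ip=self.public_ip, src_port=self.internal_to_external[inside])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal host: only a packet addressed to a stand-in port already in
        the table is rewritten and delivered; anything else has no destination (slide 55)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.external_to_internal:
            return None
        ip, port = self.external_to_internal[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)

    def translation_table(self) -> List[Tuple[str, int, str, int]]:
        """Rows as in the figure: Internal IP Addr, Port, External IP Addr, Port."""
        return [(ip, port, self.public_ip, ext) for (ip, port), ext in self.internal_to_external.items()]


def run_figure() -> dict:
    """Replay Figure 5-12 steps 1-4, then an unsolicited inbound probe and a second host."""
    nat = NatFirewall("60.5.9.8")
    step1 = Packet("192.168.5.7", 61000, "123.80.5.34", 80)        # client to server, inside the firm
    step2 = nat.outbound(step1)                                    # what the Internet sniffer sees
    step3 = Packet("123.80.5.34", 80, step2.src_ip, step2.src_port)  # the server's reply
    step4 = nat.inbound(step3)                                     # delivered to the real client
    probe = nat.inbound(Packet("1.2.3.4", 4444, "60.5.9.8", 80))   # no table entry: dropped
    second = nat.outbound(Packet("192.168.5.8", 61000, "123.80.5.34", 80))  # same port, other host
    return {"sniffer_sees": step2, "client_gets": step4, "probe": probe,
            "second_host": second, "table": nat.translation_table()}


if __name__ == "__main__":
    for name, value in run_figure().items():
        print(name, value)
```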

56

Firewalls

Firewall Hardware and Software

Inspection Methods

Static Packet Inspection

Stateful Packet Inspection

NAT

Application Firewalls

IPSs

Firewall Architecture

Configuring, Testing, and Maintenance

57

Figure 5-13: Application Firewall Operation

Browser on Client PC 192.168.6.77; HTTP Proxy on Application Firewall 60.45.2.6; Webserver Application on Webserver 123.80.5.34

1. HTTP Request From 192.168.6.77

2. Filtering: Blocked URLs, Post Commands, etc.

3. Examined HTTP Request From 60.45.2.6

58

Figure 5-13: Application Firewall Operation

Browser on Client PC 192.168.6.77; HTTP Proxy on Application Firewall 60.45.2.6; Webserver Application on Webserver 123.80.5.34

4. HTTP Response to 60.45.2.6

5. Filtering on Hostname, URL, MIME, etc.

6. Examined HTTP Response To 192.168.6.77

59

Figure 5-13: Application Firewall Operation

Application Firewall 60.45.2.6 between Client PC 192.168.6.77 and Webserver 123.80.5.34, running an FTP Proxy and an SMTP (E-Mail) Proxy

FTP Proxy: Outbound Filtering on PUT

SMTP (E-Mail) Proxy: Inbound and Outbound Filtering on Obsolete Commands, Content

A Separate Proxy Program is Needed for Each Application Filtered on the Firewall

60

Figure 5-14: Header Destruction With Application Firewalls

Arriving Packet from Attacker 1.2.3.4: Orig. IP Hdr, Orig. TCP Hdr, App MSG (HTTP)

At the Application Firewall 60.45.2.6: Header Removed, leaving only the App MSG (HTTP)

New Packet to Webserver 123.80.5.34: New IP Hdr, New TCP Hdr, App MSG (HTTP)

Application Firewall Strips Original Headers from Arriving Packets

Creates New Packet with New Headers

This Stops All Header-Based Packet Attacks


61

Figure 5-15: Protocol Spoofing

Internal Client PC 60.55.33.12 infected with a Trojan Horse; Attacker 1.2.3.4 on the Internet; Application Firewall between them

1. Trojan Transmits on Port 80 to Get Through Simple Packet Filter Firewall

2. Protocol is Not HTTP: Application Firewall Stops The Transmission

62

Relay Operation

Application Firewalls Use Relay operation

Act as server to clients, clients to servers

This is slow, so traditionally application firewalls could only handle limited traffic

Figure (from Figure 5-13): Browser, HTTP Proxy, Webserver Application

1. HTTP Request From 192.168.6.77

2. Filtering

3. Examined HTTP Request From 60.45.2.6

63

Automatic Protections in Relay Operation

Protocol Fidelity

Application that spoofs the port number of another application (e.g., Port 80) will not work in relay operation

Header Destruction

IP, TCP, UDP, and ICMP headers dropped at firewall so cannot do damage

IP Address Hiding

Sniffer on the Internet only learns the application firewall’s IP address

64

Other Application Firewall Protections

Stopping Certain Application Commands

HTTP: Stop POST

FTP: Stop PUT

E-Mail: Stop obsolete commands used by attackers

Blocked IP Addresses and URLs

Black lists

Blocking File Types

Use MIME and other identification methods

65

Figure 5-16: Circuit Firewall

External Client 123.30.82.5 on the Internet; Circuit Firewall (SOCKS v5) 60.34.3.31; Webserver 60.80.5.34

1. Authentication

2. Transmission

3. Passed Transmission: No Filtering

4. Reply

5. Passed Reply: No Filtering

Generic Type of Application Firewall

66

Firewalls

Firewall Hardware and Software

Inspection Methods

Static Packet Inspection

Stateful Packet Inspection

NAT

Application Firewalls

IPSs

Firewall Architecture

Configuring, Testing, and Maintenance

New


67

Intrusion Prevention System (IPS)

Provide More Sophisticated Inspection

Examine Streams of Packets

Look for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks) and cannot be diagnosed by simply accepting packets that are part of a connection

Do Deep Packet Inspection

Examine all headers at all layers—internet, transport, and application

New

68

Intrusion Prevention System (IPS)

IPSs Act Proactively

Once an attack is diagnosed, future packets in the attack are blocked

This frightens many firms because if an IPS acts incorrectly, it effectively generates a self-inflicted denial-of-service attack

Firms that first use IPSs may permit only the most definitively identifiable attacks to be blocked, such as SYN flood denial-of-service attacks.

New

69

Firewalls

Types of Firewalls

Inspection Methods

Fir
ewall Architecture

Single site in large organization

Home firewall

SOHO firewall router

Distributed firewall architecture

Configuring, Testing, and Maintenance

70

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Internet; 1. Screening Router 60.47.1.1, Last Rule = Permit All

Internal subnets: 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet

Externally reachable servers: Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Screening Router Firewall Uses Static Packet Filtering. Drops Simple Attacks. Prevents Probe Replies from Getting Out.

Last Rule is Permit All to Let Main Firewall Handle Everything but Simple Attacks

71

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Internet; 2. Main Firewall, Last Rule = Deny All

Internal subnets: 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet

Externally reachable servers: Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Main Firewall Uses Stateful Inspection

Last Rule is Deny All

72

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Internet; 3. Internal Firewall; 4. Client Host Firewall

Internal subnets: 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet

Externally reachable servers: Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Internal Firewalls and Hardened Hosts Provide Defense in Depth

Stop Attacks from Inside

Stop External Attacks that Get Past the Main Firewall


73

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Internet; internal subnets: 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet

5. Server Host Firewall

6. DMZ: Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ).

Attackers cannot get to other subnets from there

DMZ servers are specially hardened

74

Figure 5-18: Home Firewall

Internet Service Provider, Coaxial Cable, Broadband Modem, UTP Cord, Home PC with PC Firewall; Always-On Connection

Windows XP has an internal firewall

Originally called the Internet Connection Firewall; Disabled by default

After Service Pack 2 called the Windows Firewall; Enabled by default

New

75

Figure 5-19: SOHO Firewall Router

Internet Service Provider; Broadband Modem (DSL or Cable); SOHO Router; Ethernet Switch; UTP to each User PC (three User PCs shown)

SOHO Router: Router, DHCP Server, NAT Firewall, and Limited Application Firewall

Many Access Routers Combine the Router and Ethernet Switch in a Single Box

76

Figure 5-20: Distributed Firewall Architecture

Internet connecting Site A, Site B, and a Home PC Firewall, all under a Management Console

Remote Management is needed to reduce management labor

Dangerous because if an attacker compromises it, they own the network

Remote PCs must be actively managed centrally

77

Figure 5-21: Other Security Architecture Issues

Host and Application Security (Chapters 6 and 9)

Antivirus Protection (Chapter 4)

Intrusion Detection Systems (Chapter 10)

Virtual Private Networks (Chapter 8)

Policy Enforcement System

78

Firewalls

Types of Firewalls

Inspection Methods

Firewall Architecture

Configuring, Testing, and Maintenance


79

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Firewall Misconfiguration is a Serious Problem

ACL rules must be executed in series

Easy to make misordering problems

Easy to make syntax errors

80

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Create Policies Before ACLs

Policies are easier to read than ACLs

Can be reviewed by others more easily than ACLs

Policies drive ACL development

Policies also drive testing

81

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Must test Firewalls with Security Audits

Attack your own firewall based on your policies

Only way to tell if policies are being supported

Maintaining Firewalls

New threats appear constantly

ACLs must be updated constantly if firewall is to be effective

82

Figure 5-23: FireWall-1 Modular Management Architecture

Application Module (GUI): Create, Edit Policies

Application Module (GUI): Read Log Files

Management Module: Stores Policies, Stores Log Files

Policy sent from the Management Module to each Firewall Module; Log File Entries sent back, and Log File Data passed on to the GUI

Firewall Module: Enforces Policy, Sends Log Entries (two Firewall Modules shown)

83

Figure 5-24: FireWall-1 Service Architecture

External Server; 1. Arriving Packet; FireWall-1 Firewall; 2. Statefully Filtered Packet; 3. DoS Protection, Optional Authentications; 4. Content Vectoring Protocol to a Third-Party Application Inspection Firewall; 5. Statefully Filtered Packet Plus Application Inspection; Internal Client

84

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls

Internet: Security Level Outside=0; Internal Network: Security Level Inside=100; a third network behind a Router: Security Level=60

Automatically Accept Connection from the Internal Network outward; Automatically Reject Connection from the Internet inward

Connections Are Allowed from More Secure Networks to Less Secure Networks


85

Topics Covered

Border Firewalls

Sit between a trusted and untrusted network

Drop and log attack packets

Types of Firewall Inspection

Static packet inspection

Stateful inspection

Application proxy firewalls

NAT

Denial-of-Service, Authentication, VPNs

86

Topics Covered

Firewall Hardware and Software

Screening firewall router

Computer-based firewalls

Firewall appliances

Host firewalls (firewalls on clients and servers)

Performance is critical; overloaded firewalls drop packets they cannot filter

87

Topics Covered

Static Packet Inspection

Examine IP, TCP, UDP, and ICMP headers

Examine packets one at a time

Miss many attacks

Used primarily in screening firewall routers

Access Control Lists (ACLs)

List of if-then pass/deny statements

Applied in order (sensitive to misordering)

For main firewall, last rule is Deny All

For screening firewall, last rule is Pass All

88

Topics Covered

Stateful Inspection

Packets that Attempt to Open Connections

By default, permits all internally initiated connections

By default, denies all externally initiated connections

ACLs can change default behavior

89

Topics Covered

Stateful Inspection

Other Packets

Permitted if part of established connection

Denied if not part of established connections

Importance

Fast and therefore inexpensive

Catches almost all attacks

Dominates main border firewall market

90

Topics Covered

Network Address Translation (NAT)

Operation

Internal host sends a packet to an external host

NAT device replaces source IP address and TCP or UDP port number with stand-in values

When packets are sent back, the stand-in values are replaced with the original value

Transparent to internal and external hosts


91

Topics Covered

Network Address Translation (NAT)

Why?

To hide internal host IP addresses and port numbers from sniffers on the Internet

To permit firms to have more hosts than they have assigned public IP addresses

Perspective

Often used in other types of firewalls

92

Topics Covered

Application Firewalls

Inspect application messages

Catch attacks that other firewalls cannot

Usually do NOT do antivirus filtering

Programs that do filtering are called proxies

Proxies are application-specific

Circuit firewalls are not application-specific; use required authentication for control

93

Topics Covered

Application Firewalls

Relay operation

Application firewall acts as server to clients, clients to servers

This is slow, so traditionally application firewalls could only handle limited traffic

94

Topics Covered

Application Firewalls

Automatic Protection from Relay Operation

Protocol fidelity: stops port spoofing

Header destruction: no IP, TCP, UDP, or ICMP attacks

IP address hiding

95

Topics Covered

Application Firewalls

Command-based filtering (HTTP POST, etc.)

Host or URL filtering (black lists)

File type filtering (MIME, etc.)

NOT antivirus filtering

96

Topics Covered

Intrusion Prevention Systems (IPSs)

Use sophisticated detection methods created for intrusion detection systems

Examine streams of packets, not just individual packets

Deep inspection: filter all layer messages in a packet

But unlike IDSs, do not simply report attacks

Stop detected attacks

New


97

Topics Covered

Intrusion Prevention Systems (IPSs)

Spectrum of attack detection confidence

Stop attacks detected with high confidence

Do not stop attacks with low detection confidence because doing so can create a self-inflicted DoS Attack

New

98

Topics Covered

Intrusion Prevention Systems (IPSs)

Sophisticated filtering is processing-intensive

Traditional IDSs could not filter in real time, so they could not be placed in-line with traffic

ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic

New

99

Firewall Architectures

Site Protection

Screening Firewall Router (Static Packet)

Main Border Firewall (Stateful)

Internal Firewalls

Host Firewalls

DMZ

Defense in Depth

100

Firewall Architectures

Site Protection

DMZ

For hosts that must face Internet attack

Must be hardened (bastion hosts)

Public webservers, etc.

Application firewalls

External DNS server

101

Firewall Architectures

Home Firewall

Host firewalls are especially needed for always-on broadband connections

SOHO Firewall

Separate firewall between the switch and the broadband modem

Some broadband modems do NAT, providing considerable protection

102

Firewall Architectures

Distributed Firewall Architecture

Most firms have multiple sites

Multiple firewalls at many sites

A central manager controls them

If the manager is hacked, very bad

Management traffic must be encrypted


103

Configuring, Testing, and Maintenance

Configuration

Firewalls must be configured (ACLs designed, etc.)

Testing

Configuration errors are common, so firewalls must be tested

Maintenance

Must be reconfigured frequently over time as the threat environment changes