Module 07 - Firewalls
Network Security Administrator
Module VII:
Firewalls
EC-Council. Copyright © by EC-Council.
All Rights reserved. Reproduction is strictly prohibited.
Module Objectives
Introduction
Defining Firewall Security Features
Components involved in Firewalls
Handling Threats and Security Tasks
How to protect against hacking
Introduction to Packet Filtering
Limitations of Firewalls
Evaluating firewall packages
Different firewall configurations
Reverse and Specialty Firewalls
Module Flow
Introduction Security Features
Multiple components
Handling threats and security tasks
Protection against hacking
Packet Filtering
Limitations of firewalls
Evaluating firewall packages
Different firewall configurations
Reverse firewalls
Specialty firewalls
Firewall: Introduction
Combination of hardware and software that monitors the transmission of packets over the network
Performs two basic security functions:
• Packet filtering:
– Allows or denies transfer of packets based on security policy rules
• Application proxy gateway:
– Provides network services to users within the firewall
Firewalls: Security Features
Logs access (authorized and unauthorized) into and out of a network
Establishes a Virtual Private Network (VPN) link to another computer
Secures hosts within the network to prevent attacker intrusions
Filters inappropriate content such as executable mail attachments
Securing individual users:
• Provides anti-virus programs that alert users on detecting an e-mail attachment or file containing a virus
Firewalls: Perimeter Security for Networks
A firewall resides on the outer boundary (perimeter) of a network, providing security
The network boundary connects one network to another
A VPN has its own perimeter firewall
Benefits:
• Blocks viruses and infected e-mail messages prior to intrusion
• Logs passing traffic and protects the entire network
• A ‘subnet’ minimizes the damage incurred from an attack
Firewall: Multiple Components
Packet Filters:
• Control access to a network by analyzing the incoming and outgoing packets
Proxy Server:
• Intercepts all requests to the real server and tries to process the request itself
Authentication System:
• Identifies users based on usernames and passwords
Network Address Translation (NAT):
• Segregates IP addresses into two sets and enables the LAN to use the addresses for internal and external traffic respectively
Firewalls: Handling Threats and Security Tasks
Restricting access from outside the network:
• Inspect each packet against the required authorization criteria (protocols/IP addresses/approved list)
• Packet filtering scans for network addresses and open ports
• Port scanning determines the type of service running
• netstat.exe displays the number of connections opened on the current system
• HTTP is one of the most commonly exploited services
• Other services include:
– SNMP: Port 25
– POP3: Port 110
Firewalls: Handling Threats and Security Tasks
Restricting unauthorized access from inside the network:
• Prevent users from inserting virus-infected floppy disks into the system
• Prevent users from accessing computers via remote access software
• Never leak confidential information (defends against social engineering attacks)
• Train firewall administrators to filter IP packets
• Scan e-mail messages with executable attachments
Firewalls: Handling Threats and Security Tasks
Restricting a client’s access to external hosts:
• Install proxy server software that makes high-level application connections on behalf of internal hosts
• A single firewall product provides outbound packet filtering and proxy services
• Application proxies prevent unauthorized access to the Internet
Firewalls: Handling Threats and Security Tasks
Securing critical resources from:
• Worms: Intrude and replicate via e-mail attachments or downloaded files
• Viruses: Intrude into systems, consume all memory and bring the system to a halt
• Trojan Horses: Programs that contain malicious code
• Distributed Denial of Service attacks: Occur when a server is inundated with requests, causing it to shut down
Firewalls: Protection Against Hacking
Loss of data:
• Personal and financial information must be protected against loss
Loss of time:
• Time spent in recovering files, rebuilding servers and dealing with security breaches
Staff resources:
• Time taken away from regular business activities to recover data files
Confidentiality:
• Stores confidential information of users across the network
Firewalls: Centralization and Documentation
Centralization:
• Simplifies the network administrator’s activities
• Network perimeter allows security measures
• Manages the network traffic
Documentation:
• Log files record intentional and unintentional break-ins, identifying weak points for strengthening the system
• Recognizing intruders and apprehending them for theft or damage
Multilayer Firewall Protection
Firewalls work at different layers of the OSI model:
Application: Application-level gateway
Presentation: Encryption
Session: SOCKS proxy server
Transport: Packet filtering
Network: NAT
Data Link: N/A
Physical: N/A
Packet Filtering
Key function of any firewall
Packet Filters:
• Valuable elements in perimeter security
• Advantage:
– Do not take up bandwidth
Packet consists of two types of information:
• Header
• Data
Packet header fields decide whether the firewall blocks or permits the packet
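The header-only decision described above, shown as an added example (this is not EC-Council's code). The rule base is evaluated top-down on a perimeter router's inbound side, the first matching rule wins, and anything unmatched is denied. The internal LAN 192.168.2.0/24 is taken from the deck's screening-router example; the public server address 203.0.113.10, the rules and the sample packets are constructed.

```python
"""Stateless, header-only packet filter (added example, not EC-Council's code).

Rules are evaluated top-down on the inbound side of a perimeter router; the
first matching rule decides, and an implicit final rule denies anything not
matched (default deny). All addresses, rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields the filter looks at; the payload is never read."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR, or "any"
    dst: str                     # CIDR, or "any"
    proto: str                   # "tcp", "udp", "icmp", or "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


# Constructed inbound rule base for the external interface. 192.168.2.0/24 is
# the internal LAN (the deck's screening-router example); 203.0.113.10 is a
# constructed public server address (RFC 5737 documentation range).
RULES = [
    # Anti-spoofing: a packet arriving from the Internet can never legitimately
    # carry an internal source address.
    Rule("deny", "192.168.2.0/24", "any", "any"),
    Rule("allow", "any", "203.0.113.10", "tcp", 80),   # HTTP to the public web server
    Rule("allow", "any", "203.0.113.10", "tcp", 110),  # POP3 to the same host
    Rule("deny", "any", "any", "icmp"),                 # no inbound ICMP
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_batch(packets, rules=RULES):
    """Decide a whole list of packets; returns a parallel list of 'allow'/'deny'."""
    return [filter_packet(p, rules) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80),   # allow
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),   # deny: no rule for telnet
        Packet("192.168.2.5", "203.0.113.10", "tcp", 80),    # deny: spoofed internal source
        Packet("198.51.100.7", "203.0.113.10", "icmp"),      # deny: ICMP blocked
    ]
    for p, verdict in zip(sample, filter_batch(sample)):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {verdict}")
```

Rule order matters: the anti-spoofing deny sits first so that a forged internal source address is dropped before any allow rule can match it, and the closing default deny is what makes the filter a whitelist rather than a blacklist.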
Stateful Packet Filtering
Figure: an internal host on an Ethernet LAN, a router performing stateful filtering, and the Internet.
1. Host attempts to connect to www.course.com
2. Router checks the state table and sees that no connection exists; a state entry is created and the request passed to the rule base
3. Rule that internal hosts access TCP/80 exists; packets are allowed to pass through
4. Packets received by course.com Web server; SYN/ACK reply sent to firewall
5. Packets received; state table entry referenced
6. Packets allowed to pass
State table entry:
Source IP: www.course.com
Source port: 70
Destination IP: 10.0.0.6
Destination port: 1087
Transport: TCP
Screening Router
Placed between the client computer and the Internet to perform packet filtering
Two interfaces:
• External
• Internal
An ACL (access control list) specifies the rules applied to block packet flow
Stateful Packet Filtering:
• Only if a secured router sends data outbound can it receive data inbound
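The six-step stateful exchange in the previous slide and the screening router's rule that inbound data is accepted only after matching outbound data, as one added example (not EC-Council's code). The internal host 10.0.0.6, source port 1087 and destination TCP/80 come from the deck's state table; the internal subnet 10.0.0.0/24 is an assumption, and www.course.com is stood in for by the constructed address 203.0.113.80 so the code runs offline.

```python
"""Stateful packet filter with a connection state table (added example, not
EC-Council's code).

Walks through the deck's six-step scenario: internal host 10.0.0.6, source
port 1087, opens TCP/80 to www.course.com; the router finds no state, creates
an entry because a rule allows internal hosts to reach TCP/80, and later admits
the SYN/ACK reply only because that entry exists. Inbound packets with no
matching state are dropped, which is the screening-router principle that a
host can receive inbound data only after it sent data outbound. www.course.com
is replaced by the constructed address 203.0.113.80 so the code runs offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")   # assumption: the LAN behind the router
WEB_SERVER = "203.0.113.80"                # constructed stand-in for www.course.com


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    flags: str = ""        # "SYN", "SYN/ACK" or "ACK"; informational only


class StatefulFilter:
    def __init__(self):
        # State table keyed on the outbound 5-tuple, mirroring the deck's
        # state table entry (source IP/port, destination IP/port, transport).
        self.state = {}
        # Rule base consulted only when a packet would open a new connection.
        # Step 3 of the scenario: internal hosts may access TCP/80.
        self.rules = [("allow", INTERNAL_NET, "TCP", 80)]

    @staticmethod
    def _key(pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reply_key(pkt):
        # A reply's 5-tuple is the mirror image of the outbound entry.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def _rule_allows(self, pkt):
        for action, src_net, proto, dport in self.rules:
            if (ip_address(pkt.src_ip) in src_net and pkt.proto == proto
                    and pkt.dst_port == dport):
                return action == "allow"
        return False

    def process(self, pkt, direction):
        """direction is 'out' (LAN to Internet) or 'in'. Returns 'allow' or 'deny'."""
        if direction == "out":
            if self._key(pkt) in self.state:        # existing connection
                return "allow"
            if self._rule_allows(pkt):              # steps 2-3: rule check, then new state
                self.state[self._key(pkt)] = "established"
                return "allow"
            return "deny"
        # Inbound: admitted only when it answers an outbound entry (steps 5-6).
        if self._reply_key(pkt) in self.state:
            return "allow"
        return "deny"


def run_scenario():
    """Replay the deck's steps plus unsolicited packets; returns the decisions."""
    fw = StatefulFilter()
    syn = Packet("10.0.0.6", 1087, WEB_SERVER, 80, flags="SYN")
    syn_ack = Packet(WEB_SERVER, 80, "10.0.0.6", 1087, flags="SYN/ACK")
    stray = Packet(WEB_SERVER, 80, "10.0.0.6", 2222, flags="SYN/ACK")   # no state for port 2222
    probe = Packet("198.51.100.9", 4444, "10.0.0.6", 22, flags="SYN")   # unsolicited inbound SYN
    telnet = Packet("10.0.0.6", 1088, WEB_SERVER, 23, flags="SYN")      # no rule for TCP/23
    return [
        fw.process(syn, "out"),      # allow: rule matches, state entry created
        fw.process(syn_ack, "in"),   # allow: matches the state entry
        fw.process(stray, "in"),     # deny: no matching state
        fw.process(probe, "in"),     # deny: no matching state
        fw.process(telnet, "out"),   # deny: no rule, so no state is created
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The state table is what separates this from the stateless filter: the SYN/ACK from the web server would have to be allowed by a static rule ("permit inbound TCP source port 80"), which also admits unsolicited packets, whereas here it is admitted only because the internal host opened the connection first.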
Screening Router
Figure: screening router. Internal hosts 192.168.2.2, 192.168.2.3, 192.168.2.4, 192.168.2.5 and 192.168.2.6 sit behind the router's internal interface (192.168.2.1/24); the external interface (192.168.1.200/24) faces the Internet. The router is set to route only to 192.168.2.2 through 192.168.2.5, so traffic from the Internet cannot reach the host outside that range.
Dual-Homed Host
A PC connecting to the Internet that has two NICs and is secured by a firewall
By default it disables packet flow through the network
Limitations:
• Passwords can be cracked
• Single protection layer
Types of Firewall Configurations
Type: Description
Screening router: Packet filtering router located between the client computer and the Internet
Dual-homed host: Client computer that acts as the firewall for the Internet host
Screened host: Host computer with a firewall that is dedicated to security functions
Two routers with one firewall: Routers that perform packet filtering and are located on the internal and external interfaces of the firewall
DMZ screened subnet: Network of public access servers that is external to the secured internal network
Multi-firewall DMZ: DMZ with added security from two firewalls
Reverse firewalls: Firewalls that inspect outgoing traffic, not incoming traffic
Specialty firewalls: Firewalls that specifically secure certain communications, such as e-mail
Screened Host
Also known as a dual-homed gateway or bastion host
Requires two network interfaces
Resides on the perimeter of the network
A router that performs packet filtering is placed between the screened host and the Internet
Differs from bastion hosts and dual-homed hosts in the strength of its security services
Screened Host
Figure: screened host with an application gateway between the LAN, the router and the Internet.
1. Host makes request to connect to Internet
2. Firewall equipped with proxy server software functions in place of the host and makes the request
3. Proxy server connects to the Internet
Two Routers With One Firewall
Routers are located on both sides of the screened host
• Packet filtering is performed by the external router:
– Initial
– Static
• Internal router:
– Routes traffic to computers in secured LANs
– Performs stateful packet filtering
Two Routers With One Firewall
Figure: two routers with one firewall. Internet, external router (IP address 192.168.1.2/44), firewall, internal router acting as LAN gateway (IP address 10.1.1.1/44), and behind it the WWW server 10.1.1.43, the e-mail server 10.1.1.29 and the FTP server 10.1.1.33.
DMZ Screened Subnet
Network exposed to the external network but partially secured with a firewall
Service network or perimeter network:
• Subnet in the DMZ that is attached to a firewall
A three-pronged firewall is the firewall in a DMZ that connects to three distinct networks:
• External network
• DMZ screened subnet
• LAN
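A zone policy for the three-pronged firewall just described, as an added example (not EC-Council's code). Each firewall interface maps to a zone (external, DMZ screened subnet, LAN) and a zone-pair matrix decides whether a new connection may be opened: Internet clients reach only the services published on DMZ hosts, nothing from the Internet reaches the LAN, and a DMZ host cannot open connections into the LAN. The DMZ subnet and the e-mail, WWW and FTP server addresses follow the deck's DMZ diagram; the LAN subnet 10.1.1.0/24, the published port list and the client addresses are assumptions.

```python
"""Zone policy for a three-pronged (tri-homed) DMZ firewall (added example,
not EC-Council's code).

Each interface is mapped to a zone and a zone-pair matrix decides whether a
new connection may be opened. Addresses and the published services are
constructed from the deck's DMZ diagram.
"""
from ipaddress import ip_address, ip_network

# Zones checked from most to least specific; external is the catch-all.
ZONES = [
    ("dmz", ip_network("192.168.2.0/24")),      # DMZ screened subnet (deck diagram)
    ("lan", ip_network("10.1.1.0/24")),         # assumption: internal LAN
    ("external", ip_network("0.0.0.0/0")),      # everything else is the Internet
]

# Services published on DMZ hosts: e-mail, WWW and FTP servers from the diagram.
PUBLISHED = {
    "192.168.2.43": {80},        # WWW server
    "192.168.2.29": {25, 110},   # e-mail server (mail delivery and POP3 pickup)
    "192.168.2.33": {21},        # FTP server
}

# Zone-pair policy for new connections; any pair not listed is denied.
POLICY = {
    ("lan", "external"): "allow",        # users browse out
    ("lan", "dmz"): "allow",             # internal clients and admins reach DMZ hosts
    ("external", "dmz"): "published",    # only the published services
    ("dmz", "external"): "allow",        # e.g. the mail server relaying outbound
    # ("external", "lan") and ("dmz", "lan") are absent on purpose: default deny
}


def zone_of(ip: str) -> str:
    """Map an address to the zone of the interface it sits behind."""
    addr = ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    raise ValueError(ip)


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decision for a new connection from src_ip to dst_ip:dst_port."""
    pair = (zone_of(src_ip), zone_of(dst_ip))
    verdict = POLICY.get(pair, "deny")
    if verdict == "published":
        return "allow" if dst_port in PUBLISHED.get(dst_ip, set()) else "deny"
    return verdict


if __name__ == "__main__":
    for src, dst, port in [
        ("198.51.100.7", "192.168.2.43", 80),   # allow: published web service
        ("198.51.100.7", "192.168.2.43", 22),   # deny: not published
        ("198.51.100.7", "10.1.1.20", 80),      # deny: Internet -> LAN
        ("10.1.1.20", "192.168.2.43", 80),      # allow: LAN -> DMZ
        ("192.168.2.43", "10.1.1.20", 445),     # deny: DMZ cannot pivot into LAN
        ("10.1.1.20", "198.51.100.7", 443),     # allow: LAN -> Internet
    ]:
        print(f"{src} -> {dst}:{port}: {decide(src, dst, port)}")
```

The point of the screened subnet shows in the fifth case: a compromised WWW server in the DMZ is denied a new connection into the LAN, which is what limits the damage from an attack on a public server.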
DMZ Screened Subnet
Figure: DMZ screened subnet. Internet, router (IP address 192.168.1.2/44), and a firewall connecting to three networks: the DMZ (192.168.2.1/44) holding the e-mail server 192.168.2.29, the WWW server 192.168.2.43 and the FTP server 192.168.2.33; the LAN via the LAN gateway router (IP address 10.1.1.1/44); and a third interface addressed 172.30.1.1/44.
Multi-firewall DMZ
Additional firewalls increase the security of an organization’s network
Performance decreases as security increases
Two or more firewalls enhance security using:
• Internal network
• One DMZ
• Two DMZs
Multiple-Firewalls DMZs: Two Firewalls, One DMZ
Two firewalls set up a three-pronged (tri-homed) firewall:
• Internal protected network (behind DMZ)
• External private network or service network (within DMZ)
• External network (outside DMZ)
Advantage:
• Controls traffic in three networks
Multiple-Firewall DMZs: Two Firewalls, One DMZ
Figure: Internet (external network), router, outer firewall, DMZ with the e-mail server, WWW server and FTP server, inner firewall, router acting as LAN gateway, and the internal network with Active Directory.
Multiple-firewall DMZS: Two Firewalls, Two DMZS
Different parts of an organization can employ different DMZs to balance the traffic load
A tunnel server grants off-site access to a tunneling client without granting access to other servers in the internal LAN
Stateful failover firewall:
• A second firewall used in case the first firewall fails
Multiple-Firewall DMZs: Two Firewalls, Two DMZs
Figure: Internet with a tunneling client, router, firewall paired with a fail-over firewall, one DMZ (hub with the WWW server and FTP server), a second DMZ labelled Accounting (hub with the tunnel server), and a router acting as LAN gateway for the internal e-mail server.
Specialty Firewalls and Reverse Firewalls
Specialty Firewalls:
• Designed to secure specific network communication
• Monitor and restrict specific traffic flowing through the network
• Examples:
– OpenReach consists of a packet-filtering firewall for its VPN
– VOISS Proxy firewall
– Speedware Corporation’s Autobahn Application Firewall
Reverse Firewalls:
• Device that inspects the outgoing traffic from the network
• Does not block the traffic
• Identifies DDoS (Distributed Denial of Service) attacks
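An added example (not EC-Council's code) of what a reverse firewall's outgoing inspection can look like. It reads outbound packet records and reports, without blocking, an internal host that opens an abnormal number of new TCP connections to one destination in a short window (the egress signature of a host taking part in a DDoS flood), and as a second check, packets leaving with a source address that does not belong to the LAN. The LAN range 10.0.0.0/24, the window and threshold, and all records are constructed.

```python
"""Reverse-firewall style egress monitor (added example, not EC-Council's code).

A reverse firewall inspects traffic leaving the network and reports rather than
blocks. This monitor reads outbound packet records and flags an internal host
that opens an abnormal number of new TCP connections to a single destination
within a short window, and packets leaving with a source address outside the
LAN. All records are constructed.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")   # assumption: the monitored LAN


def build_sample():
    """Constructed egress records: (time_s, src_ip, dst_ip, dst_port, tcp_flags)."""
    recs = []
    # Ordinary browsing from 10.0.0.6: a handful of SYNs to a few sites.
    for i, dst in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for j in range(5):
            recs.append((1.0 + i + j * 0.2, "10.0.0.6", dst, 443, "SYN"))
    # 10.0.0.9 sends 200 SYNs to one host within two seconds.
    for k in range(200):
        recs.append((5.0 + k * 0.01, "10.0.0.9", "203.0.113.5", 80, "SYN"))
    # A packet whose source address is not ours.
    recs.append((6.0, "198.51.100.77", "203.0.113.5", 80, "SYN"))
    return sorted(recs, key=lambda r: r[0])


SAMPLE = build_sample()


def detect_syn_floods(records, window=10.0, threshold=50):
    """Report (src, dst) pairs with more than `threshold` SYNs inside `window` seconds.

    Keeps a sliding window of timestamps per pair and emits one alert per pair,
    at the moment the threshold is first crossed. Records must be time-ordered.
    """
    recent = defaultdict(deque)
    alerts = []
    flagged = set()
    for t, src, dst, port, flags in records:
        if flags != "SYN":
            continue
        key = (src, dst)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"src": src, "dst": dst, "count": len(q), "at": t})
    return alerts


def find_spoofed_sources(records):
    """Source addresses leaving the LAN that are not LAN addresses."""
    return {src for _, src, _, _, _ in records if ip_address(src) not in INTERNAL_NET}


if __name__ == "__main__":
    for a in detect_syn_floods(SAMPLE):
        print(f"possible DDoS participation: {a['src']} -> {a['dst']} "
              f"({a['count']} SYNs at t={a['at']:.2f}s)")
    for s in find_spoofed_sources(SAMPLE):
        print(f"egress source not in LAN: {s}")
```

Because a reverse firewall only reports, the output is an alert stream for the administrator; the threshold is deliberately per destination so that a busy but legitimate client talking to many sites is not flagged.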
Summary
A firewall is hardware/software that monitors the transmission of packets crossing the perimeter of a network
Resides on the perimeter of a network, restricting unauthorized access
Several components exist that enable protection against hacking
Operates at various layers of the OSI model
Monitors and limits specific traffic flowing through the network