Embed Size (px)
Citation preview
Firewall basics.
Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certification PC Hardware Network
Administration IT Project
Management
Network Design User Training IT Troubleshooting
Qualifications Summary
Education M.B.A., IT Management, Western Governor’s University B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manger with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.
Brian K. Ferrill, M.B.A.
Page 3
Firewall basics.
– Types of firewalls.
– Firewall settings and techniques.
PACE-IT.
Page 4
Types of firewalls.Firewall basics.
Page 5
Types of firewalls.
– Host based firewalls.» Installed on the node—usually a desktop computer—
that needs the protection. Often used in conjunction with a network-based firewall.
• Are always software applications.
– Network based firewalls.» Usually installed on the perimeter of the network
segment that needs the protection.• Are used to protect private networks from public
networks.• Can be a network appliance—specially designed and
deployed to provide firewall services.• Can be a software application—either as part of a
router’s operating system or as a specialty application on a server that is providing routing functions.
– Small office/home office (SOHO) firewalls.
» In most cases, the network firewall is provided by a wide area network (WAN) connection device (e.g., router).
» A host-based firewall is often used in conjunction with a network based firewall.
Firewall basics.
Page 6
Types of firewalls.
– Stateless inspection firewalls.» Examine all packets either entering or leaving the
network against a set of rules—called an access control list (ACL).
• The ACL rules are defined as static values by an administrator.
• Starting from the first rule in the ACL, if a packet matches a rule, the rule is enforced and the ACL is exited.
• Do not care about the state of the connection, all packets are examined.
– Stateful inspection firewalls.» As a general rule, connections are not allowed to be
made from outside of the local network segment being protected.
» Only the initial packets going from inside the network to an outside network are inspected against an ACL.
» Once the connection is established, the firewall monitors the state of the connection.
• Allow packets to flow between the inside node and outside address, as long as the state of the connection remains valid.
Firewall basics.
Page 7
Types of firewalls.
– Application aware firewalls.» Firewalls that not only examine the packets, but also
the application protocol that is being used (e.g., FTP or HTTP).
• Allow or deny decisions are made based on the application layer protocol as well as other ACL rules.
• Slower but more thorough in protecting the private network.
– Context aware firewalls.» Firewalls that can identify not only applications, but
also users and/or devices—the context.• Can be used to restrict or allow traffic based on the
context as well as other ACL rules.
– UTM (unified threat management) devices.
» Network appliances that include not only a firewall service, but other services as well—intrusion detection services or intrusion prevention services.
• One concern with a UTM device is that it can create a single point of failure. What happens to the network if the UTM device fails?
Firewall basics.
Page 8
Types of firewalls.
Most often, firewalls are implemented on a router’s interface or at the host level.
When implemented on the router interface, the firewall takes part in the routing process. When implemented at the host level, the firewall protects the host on which it resides.An exception to these scenarios is the implementation of a virtual wire firewall. This type of firewall is a network based firewall that resides between two devices and provides neither routing nor switching functions. It contains two interfaces and, as traffic passes between the interfaces, the packets are compared to an ACL.
Firewall basics.
Page 9
Firewall settings and techniques.Firewall basics.
Page 10
Firewall settings and techniques.
– ACL (access control list).» Each firewall interface may have two ACLs associated
with it.• Inbound: examines all packets inbound on the
interface.• Outbound: examines all packet outbound on the
interface.» Contains a set of administrator defined rules that either
allow or block (deny) packet traffic.• Rules can be based on such criteria as source or
destination IP address, MAC address, protocol, and time of day.
• Packets are examined against the set of rules; once a rule is matched (e.g., deny FTP packets from leaving the network), the rule is enforced and the ACL is exited.
» The last rule of any ACL is an implicit deny.• If the packet being evaluated does not match any of
the explicit rules of the ACL, the implicit deny is enacted and the packet is blocked (dropped).
• Care and caution should be used when creating an ACL because of the implicit deny that terminates every list.
Firewall basics.
Page 11
Firewall settings and techniques.
– Firewall placement.» Perimeter (external) placement requires that the
firewall be placed at the outside edge—usually at the WAN connection—of the LAN (local area network) segment.
• Stateful inspection firewalls work well on the perimeter. They are usually slower to make the initial connection, but once it is achieved, they offer better performance.
» Internal placement requires that the firewall be placed in a logical central location—usually used to route between different internal private networks.
• Stateless inspection firewalls work well for internal placement. They are faster to make connections and require less memory.
– Demilitarized zone (DMZ).» A specific area (zone) created—usually between two
firewalls—that allows outside access to network resources (e.g., a Web server), while the internal network is still protected from outside traffic.
• The external facing router allows specific outside traffic into the DMZ, while the internal router prevents that same outside traffic from entering the internal network.
Firewall basics.
Page 12
What was covered.Firewall basics.
Host-based firewalls protect a single host. Network-based firewalls protect a network segment. In most SOHO situations, there is a combination of a network-based firewall (at the WAN connection) and software host-based firewalls (on the hosts). Stateless firewalls inspect all packets, while stateful inspection firewalls track the state of a connection. Application aware firewalls examine the application level protocols being used. Context aware firewalls can also determine user and type of device. UTM devices offer more than just firewall services (e.g., IDS and IPS), but may also create a single point of failure. Virtual wire firewalls are a type of network based firewall that doesn’t take part in the routing or switching functions.
Topic
Types of firewalls.
Summary
Each firewall interface may have two ACLs—one on the inbound side and one on the outbound side. An ACL is a set of rules that either allow or block traffic based on a set of administrator defined rules. The last rule in an ACL is an implicit deny statement. Stateful inspection firewalls work well for external placement, while stateless inspection firewalls work well for internal network placement. A DMZ is a zone created—usually between two firewalls—that allows some outside access to network resources, while the the internal network remains protected.
Firewall settings and techniques.
Page 13
THANK YOU!
This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.
