NAVDEEP SINGH Firewall & its Services


Page 1: Firewall & its Services

NAVDEEP SINGH

Firewall & its Services

Page 2: Firewall & its Services

What is a Firewall?

A firewall is a device or a software feature designed to control the flow of traffic into and out of a network.

A firewall interconnects networks with different levels of trust.

A firewall implements and enforces a security policy between those networks.

Page 3: Firewall & its Services

Firewall Zones

Trusted Zone
Untrusted Zone
Demilitarized Zone (DMZ)

Page 4: Firewall & its Services

Firewall Zones

Trusted Zone
By default the LAN is trusted.
The trusted zone carries a numerical value of 100, which means the highest level of trust.

Untrusted Zone
The untrusted zone carries a numerical value of 0, which means the lowest level of trust.
A WAN port can only be mapped to an untrusted zone.

Page 5: Firewall & its Services

Firewall Zones

Demilitarized Zone
DMZs are less trusted zones.
The public zone is a demilitarized zone and has a trust value of 50.

Page 6: Firewall & its Services

Types of Firewalls

Software Based Firewalls
Run as an additional program on personal computers.
Known as personal firewalls.
Most SBFs are configured and updated automatically after installation.
Examples of SBFs are Windows Firewall, Kaspersky Firewall and ZoneAlarm Pro Firewall.
Some open source firewalls are also available, e.g. OpenWRT, pfSense, Untangle Gateway and IPCop.

Page 7: Firewall & its Services

Types of Firewalls

Hardware Based Firewalls
Hardware based firewalls are the first line of defense against cyber attacks.
HBFs are more expensive than SBFs.
Traditionally HBFs were only used to carry out packet filtering.
Today HBFs have a built-in Intrusion Prevention System and Intrusion Detection System (IPS/IDPS).
When the IDPS detects malicious activity it sends a signal, drops the packet, blocks the IP and resets the connection.
Some hardware based firewall providers are: Cisco, ProSafe, D-Link, SonicWall, Netgear.

Page 8: Firewall & its Services

Cisco Firewalls

Cisco Firepower 9300 (latest series: 9000 & 4100)
1.2 Tbps clustered throughput
57 million concurrent connections, with application control
500,000 new connections per second
High-end Next Generation Firewall (NGFW)

Page 9: Firewall & its Services

Firewall Services

The following services are provided by firewalls:
Packet Filtering
Stateful Packet Inspection
Proxying
Authentication
Logging
Content Filtering
Network Address Translation

Page 10: Firewall & its Services

Packet Filtering

Each incoming data packet is examined by the firewall.
The header of each packet is compared to the pre-configured set of rules.
An allow or deny decision is made based on the result.
Packet filtering rules match on:
Protocol Type (TCP, IP, UDP, ICMP, ESP, etc.)
Source Address
Source Port
Destination Address
Destination Port

Page 11: Firewall & its Services

Packet Filtering

Packet filtering firewalls work on the Network Layer (layer 3) and Transport Layer (layer 4) of the OSI reference model.
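The following is an added example, not part of the original slides, showing how a layer 3/4 packet filter evaluates the header fields listed above against an ordered ruleset. The `Packet` and `Rule` classes, the 192.168.1.0/24 LAN, the web server at 192.168.1.10 and the test addresses are all constructed for this example. The last case deliberately shows the limit of a stateless filter: the reply to a connection the LAN opened matches no rule, which is what stateful inspection on the next slides solves.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed packet-filter model built on the rule fields listed on the slide:
# protocol, source address/port, destination address/port. The addresses, rules
# and helper names are assumptions for this example, not any vendor's syntax.

@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp", "icmp", "esp", ...
    src: str
    dst: str
    sport: Optional[int] = None    # None for protocols without ports (ICMP, ESP)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"         # CIDR prefix; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    sport: Optional[range] = None  # None matches any port
    dport: Optional[range] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field of the rule must match the packet header; "any" fields are skipped.
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and (pkt.sport is None or pkt.sport not in self.sport):
            return False
        if self.dport is not None and (pkt.dport is None or pkt.dport not in self.dport):
            return False
        return True

def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Evaluate rules in order; the first match decides. No match falls back to deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed ruleset: LAN 192.168.1.0/24, public web server 192.168.1.10 (assumed addresses).
RULES = [
    Rule("allow", "tcp", dst="192.168.1.10/32", dport=range(80, 81)),    # HTTP to the web server
    Rule("allow", "tcp", dst="192.168.1.10/32", dport=range(443, 444)),  # HTTPS to the web server
    Rule("deny",  "tcp", dst="192.168.1.0/24", dport=range(23, 24)),     # never telnet into the LAN
    Rule("allow", "icmp", src="192.168.1.0/24"),                          # LAN hosts may ping out
    Rule("allow", "tcp", src="192.168.1.0/24"),                           # LAN hosts may open TCP out
]

def demo() -> dict:
    """Run a few constructed headers through the ruleset."""
    return {
        "web_from_internet": decide(RULES, Packet("tcp", "203.0.113.7", "192.168.1.10", 51000, 80)),
        "ssh_from_internet": decide(RULES, Packet("tcp", "203.0.113.7", "192.168.1.10", 51001, 22)),
        "telnet_from_internet": decide(RULES, Packet("tcp", "203.0.113.7", "192.168.1.30", 51002, 23)),
        "lan_ping_out": decide(RULES, Packet("icmp", "192.168.1.20", "198.51.100.1")),
        "lan_https_out": decide(RULES, Packet("tcp", "192.168.1.20", "198.51.100.1", 52000, 443)),
        # The server's reply to that outbound connection matches no rule: a stateless
        # filter cannot tell it apart from an unsolicited inbound packet.
        "https_reply_in": decide(RULES, Packet("tcp", "198.51.100.1", "192.168.1.20", 443, 52000)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Rule order matters: the telnet deny sits before the broad LAN allow, so a rule that is too broad placed too early silently overrides later, more specific ones. The default of deny when nothing matches is the posture a packet filter should start from.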

Page 12: Firewall & its Services

Stateful Packet Inspection

All packets are examined and the header information is stored in a dynamic state (session) table.

The state table is used to verify that data packets belong to the same connection.

The rules of stateful packet inspection match on: Protocol Type (TCP, IP, UDP, ICMP, ESP, etc.), Source Address, Source Port, Destination Address, Destination Port, Connection State.

Page 13: Firewall & its Services

Stateful Packet Inspection

In the stateful packet inspection technique the firewall examines the headers of all incoming data packets from the network layer up to the application layer of the OSI reference model.
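As an added example (not from the original slides), the state table described above, implemented as a small simulation: the first packet of a connection opened from the trusted LAN creates an entry, replies are accepted only when they match an existing entry's reverse 5-tuple, and entries expire after an idle timeout. The `LAN_PREFIX`, `IDLE_TIMEOUT`, the `StatefulFirewall` class and the replayed packets are all assumptions constructed for this example.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stateful-inspection model, not a vendor implementation. Assumed policy:
# hosts in the trusted LAN may open connections outward; a packet arriving from
# outside is accepted only when the state table already knows its connection.

LAN_PREFIX = "192.168.1."   # assumed trusted network, matched by prefix for brevity
IDLE_TIMEOUT = 60.0         # seconds a table entry may sit unused before it is removed

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flag letters, e.g. "S" (SYN), "SA" (SYN+ACK), "A", "R"

Key = Tuple[str, str, int, str, int]

class StatefulFirewall:
    def __init__(self) -> None:
        # Keyed by the 5-tuple as seen from the side that opened the connection.
        self.table: Dict[Key, dict] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e["last"] > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def inspect(self, pkt: Packet, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self._expire(now)
        fwd: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if fwd in self.table:                 # initiator sending more on a known connection
            entry = self.table[fwd]
        elif rev in self.table:               # responder replying to a known connection
            entry = self.table[rev]
            if entry["state"] == "NEW":
                if pkt.proto == "tcp" and not ("S" in pkt.flags and "A" in pkt.flags):
                    return "deny"             # reply to a half-open TCP connection must be SYN+ACK
                entry["state"] = "ESTABLISHED"
        else:                                 # unknown connection: only the LAN may open one
            if not pkt.src.startswith(LAN_PREFIX):
                return "deny"
            if pkt.proto == "tcp" and pkt.flags != "S":
                return "deny"                 # a TCP connection starts with a bare SYN
            entry = self.table[fwd] = {"state": "NEW", "last": now}

        entry["last"] = now
        if pkt.proto == "tcp" and "R" in pkt.flags:
            # A reset tears the connection down, so drop its state immediately.
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
        return "allow"

def demo() -> list:
    """Replay a constructed packet sequence with explicit timestamps."""
    fw = StatefulFirewall()
    t = 1000.0
    seq = [
        # unsolicited SYN from outside to a LAN host: no state, denied
        (Packet("tcp", "203.0.113.7", 40000, "192.168.1.20", 22, "S"), t),
        # LAN host opens HTTPS: the SYN creates a NEW entry
        (Packet("tcp", "192.168.1.20", 52000, "198.51.100.1", 443, "S"), t + 1),
        # server's SYN+ACK matches the reverse tuple: ESTABLISHED
        (Packet("tcp", "198.51.100.1", 443, "192.168.1.20", 52000, "SA"), t + 2),
        # data from the server keeps flowing while the entry is fresh
        (Packet("tcp", "198.51.100.1", 443, "192.168.1.20", 52000, "A"), t + 3),
        # same server, different client port: no matching entry, denied
        (Packet("tcp", "198.51.100.1", 443, "192.168.1.20", 52001, "A"), t + 4),
        # long after the idle timeout the entry is gone, so late data is denied
        (Packet("tcp", "198.51.100.1", 443, "192.168.1.20", 52000, "A"), t + 200),
    ]
    return [fw.inspect(p, when) for p, when in seq]

if __name__ == "__main__":
    print(demo())   # ['deny', 'allow', 'allow', 'allow', 'deny', 'deny']
```

The reply packet that a stateless filter had to either deny or blanket-allow on every high port is now accepted on exactly one connection, and only for as long as that connection stays active. The idle timeout is what keeps the table from growing without bound; a real firewall also tracks TCP sequence numbers and per-protocol timeouts, which this model leaves out.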

Page 14: Firewall & its Services

Proxy Services

A proxy/application gateway acts as an intermediary between the two sides of a connection.

Each side can only communicate with the other by going through the proxy/application gateway.

A proxy/application gateway operates at the Application layer (Layer 7) of the OSI reference model.

When a client issues a request from an untrusted network, a connection is established between the client and the proxy/gateway. The proxy/gateway compares the request to its set of rules; if it finds the request valid, it sends a connection request to the destination on behalf of the client.

Page 15: Firewall & its Services

Proxy Services

Proxy servers also provide some other services:
Logging: proxy servers make a log of each communication.
Content Filtering
Authentication

Page 16: Firewall & its Services

NAT (Network Address Translation)

NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.

NAT is mostly used to translate between public addresses and private addresses.

NAT can also be used for public-to-public and private-to-private address translation.

NAT hides the IP address and IP address structure of the internal network.

In NAT the actual IP address/port used in an internal network is translated to the outside IP address/outside port.

This is done by replacing the local IP address from the header of the data packet with the outside IP address.

Page 17: Firewall & its Services

Types of NAT

Static NAT
Static NAT performs one-to-one translation between two addresses, or between a port on one address and a port on another address.

Page 18: Firewall & its Services

Types of NAT

Static NAT
Static NAT maps a block of external IP addresses to a block of internal IP addresses of the same size.
NAT can map a specific port to come through the firewall rather than all ports.
Static NAT allows internal clients to maintain their set-up information.
Multiple ISPs can be enlisted to provide a degree of fault-tolerant access to the system. If network performance or quality degrades, connections can be swapped to another supplier.

Page 19: Firewall & its Services

Dynamic NAT

Dynamic NAT does not perform one-to-one translation but instead maps a group of internal IP addresses to a pool of external IP addresses.

Page 20: Firewall & its Services

Dynamic NAT

These mappings can be set to expire if they are not used within a programmable period of time.

Dynamic NAT works as a firewall between the internal network and the outside network or Internet.

Dynamic NAT only allows connections that originate inside the internal domain.

A computer on an external network cannot connect to one of the internal servers unless the internal node has initiated the contact.

Page 21: Firewall & its Services

Load Sharing NAT

Load Sharing NAT(LSNAT) distributes a session load across a pool of servers.

LSNAT is most often used in embedded server farms where a single blade server is unable to handle the increasing number of clients or sessions.
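The three NAT types from the slides above (static one-to-one and single-port mappings, dynamic mappings drawn from a pool that expire when idle and admit only inside-initiated connections, and load-sharing NAT that spreads sessions across a server pool), as one added example that is not part of the original deck. The `Nat` class, its method names, the 203.0.113.0/24 public addresses, the pool size, the 300-second idle timeout and the packets replayed in `demo()` are all assumptions constructed for this example.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed NAT model covering the three NAT types on the slides. All addresses,
# pool sizes, the idle timeout and the class/method names are assumptions.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    def __init__(self, static: Dict[str, str], port_forwards: Dict[Tuple[str, int], Tuple[str, int]],
                 pool: List[str], servers: List[str], vip: str, idle_timeout: float = 300.0) -> None:
        self.static = static                            # static NAT: inside -> outside, one to one
        self.static_rev = {v: k for k, v in static.items()}
        self.port_forwards = port_forwards              # (outside addr, port) -> (inside host, port)
        self.free_pool = list(pool)                     # dynamic NAT: outside addresses not in use
        self.dynamic: Dict[str, dict] = {}              # inside -> {"out": addr, "last": time}
        self.vip = vip                                  # LSNAT: virtual address the clients use
        self.servers = itertools.cycle(servers)         # round-robin over the server pool
        self.sessions: Dict[Tuple[str, int], str] = {}  # (client, port) -> chosen server
        self.idle_timeout = idle_timeout

    def _expire(self, now: float) -> None:
        # Dynamic mappings unused for idle_timeout seconds return their address to the pool.
        for inside, e in list(self.dynamic.items()):
            if now - e["last"] > self.idle_timeout:
                self.free_pool.append(e["out"])
                del self.dynamic[inside]

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Inside -> outside: replace the local source address in the header."""
        self._expire(now)
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        entry = self.dynamic.get(pkt.src)
        if entry is None:
            if not self.free_pool:
                return None                             # pool exhausted: the packet is dropped
            entry = self.dynamic[pkt.src] = {"out": self.free_pool.pop(0), "last": now}
        entry["last"] = now
        return replace(pkt, src=entry["out"])

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: reverse the mapping, or drop the packet if none exists."""
        self._expire(now)
        if pkt.dst == self.vip:                         # load-sharing NAT
            key = (pkt.src, pkt.sport)
            if key not in self.sessions:                # new session: next server in rotation
                self.sessions[key] = next(self.servers)
            return replace(pkt, dst=self.sessions[key])
        if pkt.dst in self.static_rev:                  # static NAT: reachable at any time
            return replace(pkt, dst=self.static_rev[pkt.dst])
        if (pkt.dst, pkt.dport) in self.port_forwards:  # static NAT for one published port
            host, port = self.port_forwards[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=host, dport=port)
        for inside, e in self.dynamic.items():          # dynamic NAT: only if inside started it
            if e["out"] == pkt.dst:
                e["last"] = now
                return replace(pkt, dst=inside)
        return None

def demo() -> dict:
    nat = Nat(static={"192.168.1.5": "203.0.113.5"},
              port_forwards={("203.0.113.1", 80): ("192.168.1.10", 80)},
              pool=["203.0.113.20", "203.0.113.21"],
              servers=["192.168.1.31", "192.168.1.32"], vip="203.0.113.100")
    out = "198.51.100.9"   # constructed host on the Internet
    r = {}
    # Static NAT: the mail server keeps one fixed public address in both directions
    r["static_out"] = nat.outbound(Packet("192.168.1.5", 25, out, 25), 0.0).src
    r["static_in"] = nat.inbound(Packet(out, 4000, "203.0.113.5", 25), 0.0).dst
    # Port forwarding: only port 80 of the firewall's address reaches the web server
    r["pf_80"] = nat.inbound(Packet(out, 4001, "203.0.113.1", 80), 0.0).dst
    r["pf_22"] = nat.inbound(Packet(out, 4002, "203.0.113.1", 22), 0.0)
    # Dynamic NAT: two clients take the whole pool, a third finds it empty
    r["dyn_a"] = nat.outbound(Packet("192.168.1.20", 50000, out, 443), 0.0).src
    r["dyn_b"] = nat.outbound(Packet("192.168.1.21", 50000, out, 443), 0.0).src
    r["dyn_c"] = nat.outbound(Packet("192.168.1.22", 50000, out, 443), 0.0)
    # The reply to client A is translated back because A opened the connection
    r["dyn_reply"] = nat.inbound(Packet(out, 443, "203.0.113.20", 50000), 1.0).dst
    # After the idle timeout both mappings expire; C gets A's old address, and a late
    # packet to B's old address no longer has a mapping to follow
    r["dyn_c_later"] = nat.outbound(Packet("192.168.1.22", 50000, out, 443), 1000.0).src
    r["dyn_stale"] = nat.inbound(Packet(out, 443, "203.0.113.21", 50000), 1000.0)
    # LSNAT: new client sessions to the virtual address alternate between servers,
    # while an existing session stays on the server it was given
    r["lsnat"] = [nat.inbound(Packet(out, p, "203.0.113.100", 80), 1000.0).dst for p in (6000, 6001, 6000)]
    return r
```

The `dyn_stale` case is the firewall property the Dynamic NAT slides describe: once the inside host's mapping has expired, a packet from outside addressed to that pool address has nothing to be translated to and is dropped, while the statically mapped mail server and the published web port remain reachable whether or not anything inside spoke first. The LSNAT session table is what keeps one client's packets on one server; without it each packet would be handed to the next server in the rotation.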

Page 22: Firewall & its Services

References

Intro_firewalls by Aaron Balchunas (routeralely.com)

University of Cambridge, University Information Services (Academic & Infrastructure), "Firewalls and Network Address Translation"

Cisco Security Guide, Cisco ACE Application Control Engine, "Configuring Network Address Translation"

University of Virginia, Department of Computer Science, "module17-nat"

Cisco NGFW product guide, Firepower 9300, "at-a-glance-c45-734810.pdf", title "Threat-Centric Security for Service Providers"

Page 23: Firewall & its Services

Thank You