
1 Firewalls Types of Firewalls Inspection Methods Static Packet Inspection Stateful Packet...

Date post: 16-Jan-2016
Upload: lindsey-lawrence
1 Firewalls Types of Firewalls Inspection Methods Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls Firewall Architecture Configuring, Testing, and Maintenance
Transcript
Page 1: 1 Firewalls Types of Firewalls Inspection Methods • Static Packet Inspection • Stateful Packet Inspection • NAT • Application Firewalls Firewall Architecture.

Firewalls

Types of Firewalls

Inspection Methods
• Static Packet Inspection
• Stateful Packet Inspection
• NAT
• Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Page 2

Figure 5-12: Network Address Translation (NAT)

[Figure labels: Client (192.168.5.7), NAT Firewall, Internet, Sniffer, Server Host. Packet labels at points 1 to 4: From 192.168.5.7, Port 61000; From 60.5.9.8, Port 55380; To 60.5.9.8, Port 55380; To 192.168.5.7, Port 61000.]

Translation Table
Internal: IP Addr 192.168.5.7, Port 61000
External: IP Addr 60.5.9.8, Port 55380
. . .

Page 3

Firewalls

Types of Firewalls

Inspection Methods
• Static Packet Inspection
• Stateful Packet Inspection
• NAT
• Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Page 4

Figure 5-13: Application Firewall Operation

[Figure labels: Client PC (192.168.6.77) running a Browser; Application Firewall (60.45.2.6) running an HTTP Proxy, an FTP Proxy and an SMTP (E-Mail) Proxy; Webserver (123.80.5.34) running the Webserver Application.]

1. HTTP Request From 192.168.6.77
2. Filtering
3. Examined HTTP Request From 60.45.2.6
4. HTTP Response to 60.45.2.6
5. Filtering on Post Out, Hostname, URL, MIME, etc. In
6. Examined HTTP Response To 192.168.6.77

Other filtering labels in the figure: Outbound Filtering on Put; Inbound and Outbound Filtering on Obsolete Commands, Content.

Page 5

Figure 5-14: Header Destruction With Application Firewalls

[Figure labels: Attacker (1.2.3.4), Application Firewall (60.45.2.6), Webserver (123.80.5.34). Arriving Packet: App MSG (HTTP), Orig. TCP Hdr, Orig. IP Hdr. Header Removed: App MSG (HTTP). New Packet: App MSG (HTTP), New TCP Hdr, New IP Hdr.]

Application Firewall Strips Original Headers from Arriving Packets
Creates New Packet with New Headers

This Stops All Header-Based Packet Attacks

Page 6

Figure 5-15: Protocol Spoofing

[Figure labels: Internal Client PC (60.55.33.12) with Trojan Horse, Application Firewall, Attacker (1.2.3.4).]

1. Trojan Transmits on Port 80 to Get Through Simple Packet Filter Firewall
2. Protocol is Not HTTP; Firewall Stops The Transmission

Page 7

Figure 5-16: Circuit Firewall

[Figure labels: External Client (123.30.82.5), Circuit Firewall (SOCKS v5) (60.34.3.31), Webserver (60.80.5.34).]

1. Authentication
2. Transmission
3. Passed Transmission: No Filtering
4. Reply
5. Passed Reply: No Filtering

Page 8

Firewalls

Types of Firewalls

Inspection Methods

Firewall Architecture
• Single site in large organization
• Home firewall
• SOHO firewall router
• Distributed firewall architecture

Configuring, Testing, and Maintenance

Page 9

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

[Figure labels: Internet; 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet.]

1. Screening Router 60.47.1.1, Last Rule=Permit All
2. Main Firewall, Last Rule=Deny All
3. Internal Firewall
4. Client Host Firewall
5. Server Host Firewall
6. DMZ

Hosts labeled in the figure:
• Public Webserver 60.47.3.9
• SMTP Relay Proxy 60.47.3.10
• HTTP Proxy Server 60.47.3.1
• External DNS Server 60.47.3.4

Page 10

Figure 5-18: Home Firewall

[Figure labels: Internet Service Provider, Always-On Connection, Coaxial Cable, Broadband Modem, UTP Cord, Home PC, PC Firewall.]

Page 11

Figure 5-19: SOHO Firewall Router

[Figure labels: Internet Service Provider; Broadband Modem (DSL or Cable); SOHO Router (Router, DHCP Server, NAT Firewall, and Limited Application Firewall); Ethernet Switch; three User PCs, each connected by UTP.]

Many Access Routers Combine the Router and Ethernet Switch in a Single Box

Page 12

Figure 5-20: Distributed Firewall Architecture

[Figure labels: Internet, Home PC Firewall, Management Console, Site A, Site B.]
