An Introduction to Firewall Technology

Date post: 13-Oct-2015
Upload: okaka
Description:
Network Perimeter Security device
An Introduction to Firewall Technology. Presenter: 潘志豪, 凌群電腦. E-Mail: [email protected]  TEL: 04-2202-1221
Transcript
  • 5/21/2018 An Introduction to Firewall Technology

Slide 1: An Introduction to Firewall Technology (title slide; presenter contact as above)

Slide 2: Agenda

- What is a firewall
- Why an organization needs a firewall
- Types of firewalls and technologies
- Deploying a firewall
- What is a VPN

Slide 3: What is a Firewall?

A firewall:
- Acts as a security gateway between two networks
- Usually sits between a trusted and an untrusted network (such as between a corporate network and the Internet)

[Figure: Internet, corporate network gateway, corporate site]

Slide 4: What is a Firewall?

A firewall:
- Acts as a security gateway between two networks
- Tracks and controls network communications
- Decides whether to pass, reject, encrypt, or log communications (access control)

[Figure: corporate site behind the gateway; traffic from the site to the Internet is allowed, traffic from the Internet is blocked]

Slide 5: Why Firewalls are Needed

- Prevent attacks from untrusted networks
- Protect the integrity of critical information
- Preserve customer and partner confidence

Slide 6: Evolution of Firewalls

Stages of evolution, as the deck presents them: packet filter, then application proxy, then stateful inspection.

Slide 7: Packet Filter

- Packets examined at the network layer (IP header fields and, for TCP/UDP, the port numbers); each packet is judged on its own
- Useful first line of defense; commonly deployed on routers as access lists
- Simple accept or reject decision model
- No awareness of higher protocol layers, and no memory of earlier packets: it cannot tell a genuine reply from a forged packet that carries the same addresses, ports and flags

[Figure: OSI stacks of the two endpoints with the packet filter operating at the Network layer between them]

Slide 8: Application Gateway or Proxy

- Packets examined at the application layer: the proxy terminates the client's connection and opens its own to the server, so it sees the complete protocol exchange
- Application/content filtering possible (preventing FTP put commands, for example)
- Modest performance
- Scalability limited (a separate proxy is needed for each supported protocol, and every connection is handled twice)

[Figure: OSI stacks of the two endpoints with the proxy operating at the Application layer between them]
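The "prevent FTP put commands" policy above is the kind of decision only an application-layer proxy can make, because it has to parse the FTP control channel. The following is an added example (not code from the deck, and not any vendor's proxy) of that parsing and decision logic; the set of blocked verbs, the SITE sub-commands and the sample session are constructed assumptions.

```python
"""Application-layer filtering as an FTP proxy would do it: parse each
command line on the FTP control channel and refuse uploads.

Added example, not code from the original deck. The blocked command set
and the sample session below are constructed for illustration."""

# FTP verbs that write to the server ("put" in client terms).
# STOR = store, STOU = store unique, APPE = append. Treating all three as
# "put" is an assumption about what the deck's policy should cover.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}

# A proxy can also strip dangerous server extensions; SITE EXEC is the
# classic one. Also an assumption for this example.
BLOCKED_SITE_SUBCOMMANDS = {"EXEC", "CHMOD"}


def parse_ftp_command(line: str):
    """Split one control-channel line into (VERB, argument).

    FTP verbs are case-insensitive (RFC 959); normalise to upper case so
    'stor' cannot slip past a check written for 'STOR'.
    """
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg.strip()


def proxy_decision(line: str) -> str:
    """Return 'ALLOW' or 'DENY' for a single client command line."""
    verb, arg = parse_ftp_command(line)
    if verb in UPLOAD_COMMANDS:
        return "DENY"
    if verb == "SITE":
        sub = arg.split(" ", 1)[0].upper() if arg else ""
        if sub in BLOCKED_SITE_SUBCOMMANDS:
            return "DENY"
    return "ALLOW"


def filter_session(lines):
    """Run a whole client session through the proxy.

    Returns (verb, decision) pairs so a caller can log them; a real proxy
    would forward ALLOWed lines to the server and answer DENYed ones
    itself with a 5xx reply instead of passing them on.
    """
    return [(parse_ftp_command(l)[0], proxy_decision(l)) for l in lines]


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.com\r\n",
    "CWD /pub\r\n",
    "RETR README\r\n",
    "stor payload.exe\r\n",      # lower-case 'put' attempt
    "APPE notes.txt\r\n",
    "SITE EXEC /bin/sh\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for verb, decision in filter_session(SAMPLE_SESSION):
        print(f"{decision:5} {verb}")
```

A packet filter sees only "TCP to port 21" for every one of these lines; the proxy sees the verb and can deny the three write operations while letting the download through.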

Slide 9: Stateful Inspection

- Packets are inspected between the data link layer and the network layer, in the OS kernel (the INSPECT engine)
- Dynamic state tables are created to maintain connection context: an inbound packet is admitted only if it matches a connection the table already knows about
- Invented by Check Point (the term is Check Point's; the technique has since become standard in virtually every firewall)

[Figure: OSI stacks of the two endpoints with the INSPECT engine and its dynamic state tables sitting below the Network layer between them]
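To make the difference between slide 7 (packet filter) and slide 9 (stateful inspection) concrete, here is an added simulation, not code from the deck or from Check Point. The stateless side reproduces the classic router trick of admitting inbound TCP only when the ACK bit is set ("it must be a reply"); the stateful side keeps a connection table. Addresses, ports and the packet sequence are constructed.

```python
"""Stateless packet filter vs. stateful inspection, as a simulation.

Added example; not code from the deck or from Check Point. Addresses,
ports and packets below are constructed.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # crude prefix test, enough for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}

    def from_inside(self) -> bool:
        return self.src.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet) -> str:
    """Router-style ACL: decides on the header fields of this packet alone."""
    if pkt.from_inside():
        return "ACCEPT"                      # outbound always allowed
    if "ACK" in pkt.flags:
        return "ACCEPT"                      # "established" heuristic: the hole
    return "DROP"


class StatefulEngine:
    """Minimal connection table keyed on the 4-tuple of the outbound side."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> state string

    def inspect(self, pkt: Packet) -> str:
        if pkt.from_inside():
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = "SYN_SENT"  # new connection: remember it
            elif key not in self.table:
                return "DROP"                 # non-SYN for a flow we never saw
            return "ACCEPT"
        # Inbound: must match the reverse of a known connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "DROP"                     # no context, whatever the flags say
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            del self.table[key]               # tear down state on close
        else:
            self.table[key] = "ESTABLISHED"
        return "ACCEPT"


def run_demo():
    """Replay a short constructed packet sequence through both engines."""
    engine = StatefulEngine()
    packets = [
        # 1. inside host opens a web connection
        Packet("10.0.0.5", 40001, "203.0.113.10", 80, frozenset({"SYN"})),
        # 2. genuine SYN/ACK reply from the web server
        Packet("203.0.113.10", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"})),
        # 3. attacker's ACK-scan probe to an inside host that never spoke to it
        Packet("198.51.100.7", 4444, "10.0.0.9", 139, frozenset({"ACK"})),
        # 4. attacker's plain SYN: both engines drop this one
        Packet("198.51.100.7", 4445, "10.0.0.9", 139, frozenset({"SYN"})),
    ]
    return [(stateless_filter(p), engine.inspect(p)) for p in packets]


if __name__ == "__main__":
    for i, (stateless, stateful) in enumerate(run_demo(), 1):
        print(f"packet {i}: stateless={stateless:6} stateful={stateful}")
```

Packet 3 is the point: the stateless filter accepts it because the ACK bit is set, which is exactly how ACK scans map hosts behind an ACL; the stateful engine drops it because no inside host ever opened a connection to 198.51.100.7.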

Slide 10: Network Address Translation (NAT)

- Converts a network's private, non-routable IP addresses (RFC 1918; the slide calls them "illegal") to public ("legal") IP addresses as traffic crosses the gateway
- Hides the true addresses of individual hosts. Because an inbound packet is only forwarded when it matches an existing translation, unsolicited traffic from the Internet never reaches them; this is a side effect of the translation table, not a substitute for filtering rules
- Allows more devices to be connected to the network than the organization has public addresses

[Figure: corporate LAN using internal addresses 192.172.1.1-192.172.1.254 behind a gateway with public address 219.22.165.1. Note that 192.172.0.0/16 is not an RFC 1918 private range; the figure presumably means 192.168.1.0/24]

Slide 11: Port Address Translation (PAT, "hiding" NAT)

[Figure: two internal hosts, 10.0.0.2 and 10.0.0.3, both open telnet sessions (source port 49090, destination port 23) to 192.168.0.15. The PAT gateway rewrites both to its single global address 172.30.0.50, using source ports 2000 and 2001 to keep the two sessions apart, and translates the replies back to the right host]

Many internal hosts share one public address; the translated source port is what identifies the internal host and session on the way back.
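The translation table in the slide's figure, as an added example (not the deck's code). It reproduces the two telnet sessions from 10.0.0.2 and 10.0.0.3 behind 172.30.0.50, maps the replies back, and shows that a packet with no table entry is simply discarded, which is the "hiding" property of slide 10. The port-allocation policy (start at 2000, hand out the next free port) is an assumption chosen to match the slide's numbers; the private-range check uses the standard library's `ipaddress` module.

```python
"""Port Address Translation (hiding NAT) for the scenario on the slide.

Added example; not the deck's code. Port allocation policy is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PATGateway:
    def __init__(self, global_addr: str, first_port: int = 2000):
        self.global_addr = global_addr
        self.next_port = first_port
        self.outbound = {}   # (src, sport, dst, dport) -> global source port
        self.inbound = {}    # (global sport, dst, dport) -> (src, sport)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            gport = self.next_port          # allocate a fresh global port
            self.next_port += 1
            self.outbound[key] = gport
            self.inbound[(gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.global_addr, self.outbound[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet):
        """Map a reply back to the inside host, or None if no session matches.

        The None case is what hides the internal hosts: an unsolicited packet
        to the global address has no table entry and is discarded.
        """
        if pkt.dst != self.global_addr:
            return None
        key = (pkt.dport, pkt.src, pkt.sport)
        if key not in self.inbound:
            return None
        src, sport = self.inbound[key]
        return Packet(pkt.src, pkt.sport, src, sport)


def is_private(addr: str) -> bool:
    """Non-globally-routable check (RFC 1918 and friends) from the stdlib."""
    return ipaddress.ip_address(addr).is_private


def run_demo():
    gw = PATGateway("172.30.0.50")
    out1 = gw.translate_outbound(Packet("10.0.0.2", 49090, "192.168.0.15", 23))
    out2 = gw.translate_outbound(Packet("10.0.0.3", 49090, "192.168.0.15", 23))
    # Replies from the telnet server to the two translated ports:
    back1 = gw.translate_inbound(Packet("192.168.0.15", 23, "172.30.0.50", out1.sport))
    back2 = gw.translate_inbound(Packet("192.168.0.15", 23, "172.30.0.50", out2.sport))
    # Unsolicited probe at the global address: no session, so dropped.
    probe = gw.translate_inbound(Packet("203.0.113.9", 5555, "172.30.0.50", 23))
    return out1, out2, back1, back2, probe


if __name__ == "__main__":
    for p in run_demo():
        print(p)
    # Slide 10's figure uses 192.172.1.x as an "internal" range; check it.
    for a in ("10.0.0.2", "192.168.1.1", "192.172.1.1"):
        print(a, "private" if is_private(a) else "public")
```

Running the last loop shows that 192.172.1.1 is a public address, which is why the range in slide 10's figure should be read as a typo for 192.168.1.x: using a real public block internally would make that block's legitimate owner unreachable from the LAN.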

Slide 12: Personal Firewalls

- The need arises from always-on connections
- Your PC is not protected enough by your OS alone
- Intrusion detection facilities
- Different levels of security
- Templates (pre-defined rule sets)

Slide 13: Firewall Deployment: Corporate Network Gateway

- Protects the internal network from attack
- Most common deployment point
- Public servers are placed in a demilitarized zone (DMZ), a separate segment off the gateway, so that a compromised public server does not give direct access to the internal network

[Figure: Internet, corporate network gateway, DMZ with public servers, corporate site, Human Resources network]

Slide 14: Firewall Deployment: Internal Segment Gateway

- Protects sensitive segments (Finance, HR, Product Development)
- Provides a second layer of defense
- Ensures protection against internal attacks and misuse

[Figure: as on slide 13, with an internal segment gateway in front of the Human Resources network; DMZ with publicly accessible servers]

Slide 15: Firewall Deployment: Server-Based Firewall

- Protects individual application servers (an SAP server in the figure)
- Protects the files on the server

[Figure: corporate network gateway, internal segment gateway, and a server-based firewall on the SAP server; DMZ with public servers]
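The three deployment points on slides 13 to 15 amount to one zone-based rule base: the Internet may reach only the DMZ's public services, the DMZ may never initiate connections inward, and the sensitive HR segment is reachable only for the one service it publishes. Here is an added example (not code from the deck) of such a rule base evaluated first-match with default deny; the zone networks, ports and flows are constructed to match the slides' figures.

```python
"""Zone-based policy for the deployment points on slides 13-15.

Added example; not code from the deck. Zone names, networks, rules and
sample flows are constructed.
"""
import ipaddress

# Constructed zone map; the gateway classifies a packet by the zones of
# its source and destination and then walks the rule base top to bottom.
ZONES = {
    "internet": None,                                  # anything not listed below
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "inside":   ipaddress.ip_network("10.0.0.0/16"),
    "hr":       ipaddress.ip_network("10.1.0.0/24"),   # sensitive internal segment
}


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if net is not None and ip in net:
            return name
    return "internet"


# Rule = (from_zone, to_zone, allowed destination ports or "any", action).
# Order matters: the first matching rule wins; no match at all -> DROP.
RULES = [
    ("internet", "dmz",      {80, 443}, "ACCEPT"),  # public web servers only
    ("dmz",      "inside",   "any",     "DROP"),    # a compromised DMZ host cannot pivot inward
    ("dmz",      "hr",       "any",     "DROP"),
    ("inside",   "dmz",      "any",     "ACCEPT"),  # admins manage the DMZ from inside
    ("inside",   "internet", "any",     "ACCEPT"),  # outbound browsing
    ("hr",       "internet", "any",     "ACCEPT"),
    ("inside",   "hr",       {443},     "ACCEPT"),  # HR web app only, via the segment gateway
]


def evaluate(src: str, dst: str, dport: int) -> str:
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "ACCEPT"          # same zone: the gateway is not in the path
    for from_z, to_z, ports, action in RULES:
        if from_z == s and to_z == d and (ports == "any" or dport in ports):
            return action
    return "DROP"                # default deny


def run_demo():
    """Return the decision for each of a constructed set of flows."""
    flows = [
        ("198.51.100.4", "192.0.2.10", 443),   # Internet -> DMZ web
        ("198.51.100.4", "192.0.2.10", 22),    # Internet -> DMZ ssh
        ("198.51.100.4", "10.0.3.7",   445),   # Internet -> inside (no rule)
        ("192.0.2.10",   "10.0.3.7",   1433),  # DMZ -> inside database
        ("10.0.3.7",     "192.0.2.10", 22),    # inside admin -> DMZ
        ("10.0.3.7",     "10.1.0.20",  443),   # inside -> HR web app
        ("10.0.3.7",     "10.1.0.20",  445),   # inside -> HR file share
    ]
    return [evaluate(*f) for f in flows]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The fourth flow is the one that justifies a DMZ at all: even if the web server is taken over, its attempt to reach the internal database is dropped by rule, not by luck.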

Slide 16: Firewall Deployment

Hardware appliance based firewall
- Single platform, software pre-installed
- Can be used to support small organizations or branch offices with little IT support

Software based firewall
- Flexible platform deployment options
- Can scale as the organization grows

Slide 17: Summary

- Firewalls are the foundation of an enterprise security policy
- Stateful inspection is the leading firewall technology

Slide 18: (slide text did not survive extraction; only the words "web" and "email" remain)

Slide 19: (slide text did not survive extraction; only "Java" and "ActiveX" remain)

Slide 20: (no text recovered)

Slide 21: What is a VPN?

- A VPN is a private connection over an open network
- A VPN includes authentication (which protects data integrity and origin) and encryption (which protects confidentiality)

[Figure: Acme Corp Site 1 and Acme Corp Site 2 connected by a VPN tunnel across the Internet]

Slide 22: Why Use Virtual Private Networks?

More flexibility
- Leverage ISP points of presence
- Use multiple connection types (cable, DSL, T1, T3)
- Most attacks originate within an organization

Slide 23: Why Use Virtual Private Networks?

More scalability
- Add new sites and users quickly
- Scale bandwidth to demand

Slide 24: Why Use Virtual Private Networks?

Lower costs
- Reduced frame relay/leased line costs
- Reduced long distance charges
- Reduced equipment costs (modem banks, CSU/DSUs)
- Reduced technical support

Slide 25: Types of VPNs: Remote Access VPN

- Provides access to the internal corporate network over the Internet
- Reduces long distance, modem bank, and technical support costs
- User authentication: PAP, CHAP, RADIUS (PAP sends the password in the clear and should only be used inside an already-encrypted tunnel)

[Figure: remote user connecting across the Internet to the corporate site]

Slide 26: Types of VPNs: Site-to-Site VPN

- Connects multiple offices over the Internet
- Reduces dependence on frame relay and leased lines

[Figure: branch office and corporate site connected across the Internet]

Slide 27: Types of VPNs: Extranet VPN

- Provides business partners with access to critical information (leads, sales tools, etc.)
- Reduces transaction and operational costs

[Figure: Partner #1 and Partner #2 reaching the corporate site across the Internet]

Slide 28: Types of VPNs: Client/Server VPN

- Protects sensitive internal communications, so that traffic between LAN clients and a server holding sensitive data is encrypted even on the internal LAN

[Figure: LAN clients, Internet, database server; LAN clients with sensitive data]

Slide 29: Components of a VPN

- Encryption
- Key management
- Message authentication
- Entity authentication

Slide 30: Encryption

- Current standards (at the time of this deck): DES and Triple-DES, over 20 years in the field
- AES beginning deployment: the new standard, more computationally efficient
- Longer keys = more secure, because a brute-force search doubles with every added key bit. Single DES's 56-bit key was brute-forced in a matter of days by 1998 and is considered broken; 3DES gives about 112 bits of effective strength; AES uses 128-, 192- or 256-bit keys

[Figure: traffic from Joe's PC to the HR server is encrypted; all other traffic (Mary's PC, the e-mail server) is cleartext]

Slide 31: Key Management

- Public key cryptosystems enable the secure exchange of symmetric (private) crypto keys across open networks
- Re-keying at appropriate intervals limits how much traffic any one key protects
- IKE = Internet Key Exchange protocol; incorporates ISAKMP/Oakley

Slide 32: Authentication

- IPsec standards focus on authentication of two network devices to each other
  - IP address / preshared key
  - Digital certificates
- User authentication is added on top if required
  - RADIUS and TACACS+ are the standard protocols for authentication servers
  - XAUTH is being added to the standards to address user authentication

Slide 33: Point-to-Point Tunneling Protocol (PPTP)

- Layer 2 remote access VPN protocol distributed with the Windows product family
- An addition to the Point-to-Point Protocol (PPP); allows multiple Layer 3 protocols to be carried
- Uses proprietary authentication and encryption
- Limited user management and scalability
- Known security vulnerabilities

[Figure: remote PPTP client, Internet, ISP remote access switch, PPTP RAS server, corporate network]

Slide 34: Layer 2 Tunneling Protocol (L2TP)

- Layer 2 remote access VPN protocol
- Combines and extends PPTP and L2F (a Cisco-supported protocol)
- Weak authentication and encryption
- Does not include packet authentication, data integrity, or key management
- Must be combined with IPsec (L2TP over IPsec) for enterprise-level security

[Figure: remote L2TP client, Internet, ISP L2TP concentrator, L2TP server, corporate network]

Slide 35: Internet Protocol Security (IPsec)

- Layer 3 protocol for remote access, intranet, and extranet VPNs
- Internet standard for VPNs
- Provides flexible encryption and message authentication/integrity
- Includes key management

Slide 36: Components of an IPsec VPN

Encryption: DES, 3DES, and more
Message authentication: HMAC-MD5, HMAC-SHA-1, or others
Entity authentication: digital certificates, shared secrets, Hybrid Mode IKE
Key management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)

All managed by security associations (SAs): an SA records, for one direction of traffic, the peer, the algorithms, the keys and the sequence-number state that lets the receiver reject replayed packets.
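The message-authentication and SA components above (slides 29, 32 and 36) fit in one small model: a sending SA numbers each packet and appends an HMAC-SHA-1 tag under the SA key; the receiving SA checks the tag and keeps an anti-replay window. The following is an added example, not the deck's code and not an implementation of ESP or AH (the header is simplified and there is no cipher layer; confidentiality would need one on top). The SPI, key, window size and payloads are constructed.

```python
"""One direction of an IPsec-style security association (SA): message
authentication with HMAC-SHA-1 plus an anti-replay window.

Added example; not the deck's code and not RFC 4303 ESP. SPI, key and
payloads are constructed.
"""
import hashlib
import hmac
import struct

SPI = 0x1000ABCD                 # SA identifier, constructed
AUTH_KEY = b"\x11" * 20          # constructed 160-bit HMAC key
WINDOW = 64                      # anti-replay window (RFC 4303 minimum is 32)
ICV_LEN = 12                     # IPsec truncates HMAC-SHA-1 to 96 bits


def _icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]


class SendSA:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1            # sequence numbers never repeat within one SA
        header = struct.pack("!II", self.spi, self.seq)
        return header + payload + _icv(self.key, header, payload)


class RecvSA:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.highest = 0         # highest sequence number accepted so far
        self.seen = set()        # accepted sequence numbers inside the window

    def verify(self, packet: bytes):
        """Return the payload, or a string naming why the packet was rejected."""
        if len(packet) < 8 + ICV_LEN:
            return "reject: truncated"
        header, payload, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return "reject: unknown SPI"
        # Replay check first (it is cheap), but the window is only updated
        # after the MAC verifies, so a forged packet cannot poison it.
        if seq <= self.highest - WINDOW or seq in self.seen:
            return "reject: replay"
        if not hmac.compare_digest(icv, _icv(self.key, header, payload)):
            return "reject: bad ICV"        # tampered, or wrong key
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - WINDOW}
        self.seen.add(seq)
        return payload


def run_demo():
    sender, receiver = SendSA(SPI, AUTH_KEY), RecvSA(SPI, AUTH_KEY)
    p1 = sender.protect(b"GET /payroll HTTP/1.0")
    p2 = sender.protect(b"salary=90000")
    results = [receiver.verify(p1), receiver.verify(p2)]
    results.append(receiver.verify(p1))                  # replay of packet 1
    p3 = sender.protect(b"salary=90000")
    tampered = p3[:8] + b"salary=99999" + p3[-ICV_LEN:]  # same length, altered payload
    results.append(receiver.verify(tampered))            # ICV no longer matches
    results.append(receiver.verify(p3))                  # genuine p3 still accepted
    bad_peer = SendSA(SPI, b"\x22" * 20)                 # knows the SPI but not the key
    bad_peer.seq = 10
    results.append(receiver.verify(bad_peer.protect(b"x")))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The fifth result matters in practice: because the rejected forgery did not advance the window, the genuine packet 3 that arrives afterwards is still accepted. Re-keying (slide 31) is what prevents the 32-bit sequence counter from ever wrapping under one key.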

Slide 37: Encryption Explained

Used to convert data to a secret code for transmission over an untrusted network.

[Figure: clear text "The cow jumped over the moon" passes through the encryption algorithm and comes out as the encrypted text "4hsd4e3mjvd3sd a1d38esdf2w4d"]

Slide 38: Symmetric Encryption

- The same key is used to encrypt and decrypt the message
- Faster than asymmetric encryption
- Examples: DES, 3DES, RC5, Rijndael (the algorithm selected as AES)

[Figure: one shared secret key used at both ends]

Slide 39: Asymmetric Encryption

- Different keys are used to encrypt and decrypt the message (one public, one private)
- Examples: RSA (encryption and signatures) and DSA (signatures only). The slide also lists SHA-1 and MD-5, but those are hash functions, not asymmetric ciphers; they are used alongside public-key algorithms for signatures and message authentication

[Figure: Bob encrypts with Alice's public key; Alice decrypts with Alice's private key]

Slide 40: Internet security protocols and the algorithms they use (figure)

- PGP: IDEA, RSA, MD5
- S/MIME: (algorithm list not legible in the extracted figure)
- SSL (over TCP/IP): RSA, RC2, RC4, MD5, 3-DES
- PCT (over TCP/IP): RSA, RC2, RC4, MD5
- S-HTTP (over HTTP): RSA, DES
- SET & CyberCash (Internet): RSA, MD5, RC2

Slide 41: Internet security protocols and the algorithms they use, continued (figure)

- DNSSEC: RSA, MD5
- IPSec (IP layer): Diffie-Hellman, DES, 3DES, RC4, IDEA
- Kerberos: DES
- SSH: RSA, Diffie-Hellman, DES, 3-DES, Blowfish

Slide 42: DES Keys

[Table comparing brute-force effort for 40-bit, 56-bit and 168-bit (3-DES) keys. Only the cell values survive extraction (400, 5, 38; 1, 12, 556, 1019; 1, 0.02, 21, 1017); the row labels and units were lost]

Slide 43: Secure Virtual Network Architecture (Check Point product diagram)

Components shown in the figure:
- VPN-1/FireWall-1 Gateway & StoneBeat FullCluster at the corporate network gateway
- FireWall-1 with Trend InterScan, WebManager, eManager & StoneBeat Security Cluster
- VPN-1 Accelerator Card
- Extranet partner site with an IPSec-compliant gateway
- Remote users (dial-up and broadband): VPN-1 SecuRemote & RSA SecurID, VPN-1 SecureClient & RSA SecurID
- Remote office: VPN-1/FireWall-1 on a Nokia Appliance
- Enterprise Management Console: policy-based management, reporting, account management, Open Security Extension
- Web server pool and extranet application server behind ConnectControl server load balancing; VPN-1 SecureServer
- LDAP directory; RSA ACE/Server and RSA ACE/Agent; RSA Advanced PKI
- FloodGate-1 QoS
- ISS RealSecure intrusion detection
- Corporate network and router

Slide 44: Thank You!
