Compare Firewall Products

Yan Xie, 2001825

Term Project of Network Security

Date posted: 19-Dec-2015

Introduction

• Why do we need a firewall
• The definition of a firewall
• Benefits and disadvantages of firewalls
• Types of firewall
• Comparison of the features of some firewall products

Why do we need a firewall

Security vulnerabilities on the Internet and in the local network:

• Vulnerable TCP/IP services
• Lack of a security policy
• Complexity of configuration
• Weak authentication
• Ease of spying and monitoring (sniffing)
• Ease of spoofing
• Flawed LAN services and mutually trusting hosts
• Host-based security does not scale

The definition of a firewall

What is a firewall?

A firewall is any one of several ways of protecting one network from another, untrusted network. In principle, the firewall can be thought of as a pair of mechanisms: one exists to block traffic and the other exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

The definition of a firewall (cont.)

Firewall components

1. Network policy, which includes a service access policy and a firewall design policy
   • The service access policy defines the services that will be allowed or denied from the restricted network
   • The firewall design policy describes how the firewall will actually restrict and filter the services defined in the service access policy. It takes one of two stances:
     - Permit any service unless it is expressly denied
     - Deny any service unless it is expressly permitted (the safer stance, and the one the dual-homed gateway and screened subnet designs below assume)

Firewall components (cont.)

2. Advanced authentication mechanisms (smart cards, authentication tokens)

3. Packet filtering on source address, destination address, TCP/UDP source port and TCP/UDP destination port

4. Application gateways, which provide:
   • Information hiding
   • Robust authentication and logging
   • Cost-effectiveness
   • Less complex filtering rules

Benefits of a firewall

• Protection from vulnerable services
• Controlled access to site systems
• Privacy
• Logging and statistics on network use
• Concentrated security: policy is enforced at one point instead of on every host

Disadvantages of a firewall

• Restricted access to desirable services
• Large potential for back doors (for example, a modem on an internal host that bypasses the firewall)
• Little protection from inside attacks
• Potential threat from multicast IP transmissions
• Restrictions on configuration
• No protection against viruses

Types of firewall

Packet filter firewall

• The most common and easiest firewall to deploy for small, uncomplicated sites
• Allows selective access to systems and services depending on source address, destination address, TCP/UDP source port and TCP/UDP destination port
• Inherently dangerous services such as NIS, NFS and X Windows are blocked

Packet filtering firewall

Figure: Packet filtering firewall (the Internet, an IP packet-filtering router, and the protected systems behind it)

Packet filter firewall

• Little or no logging capability
• Difficult to test the rules and to find out whether the system is vulnerable
• The filtering router becomes unmanageable if complex filtering rules are required
• The lowest level of firewall, because it has no application awareness

Types of firewall

Dual-homed gateway firewall

• Implements the second design policy: deny all services unless they are specifically permitted
• A complete block to IP traffic between the Internet and the protected site (IP forwarding on the gateway host is disabled)
• Proxy servers on the gateway provide the services and the access: proxies for Telnet and FTP, as well as an e-mail service in which the firewall accepts all mail for the site and forwards it to the internal systems
• Logs access and access attempts, which helps to find intruder activity
• Segregates traffic for an information server from the other traffic to and from the site, so an intruder who penetrates the information server is still stopped by the dual-homed gateway
• If a vulnerability on the gateway host itself is exploited (for example, IP forwarding is re-enabled), an intruder can subvert the firewall and reach the protected site

Dual-homed gateway firewall

Figure: Dual-homed gateway firewall with router (the Internet, an IP-filtering router, the application gateway, and the information server on the segment between them)

Screened host firewall

• Combines a packet-filtering router with an application gateway located on the protected-subnet side of the router
• The router filters or screens dangerous protocols before they reach the application gateway and the site systems
• The router's rules for application traffic are:
  - Application traffic from Internet sites to the application gateway gets routed
  - All other traffic from Internet sites gets rejected
  - The router rejects any application traffic originating from the inside unless it came from the application gateway

Screened host firewall

• Since the router only has to limit application traffic to the application gateway, its configuration is not as complex as that of a packet-filtering firewall
• The gateway needs only one network interface and does not require a separate subnet between the application gateway and the router, which makes the firewall more flexible
• The router may be permitted to pass some trusted services directly to site systems, so the firewall effectively combines both design policies; the policy should restrict how many and what types of services are routed directly to site systems

Screened host firewall

Figure: Screened host firewall (the Internet, an IP-filtering router, and the application gateway and information server on the protected subnet)

Screened subnet firewall

• A screened subnet firewall can be used to locate each component of the firewall on a separate system
• The outer router routes traffic according to the following rules:
  - Application traffic from the application gateway to Internet systems gets routed
  - E-mail traffic from the e-mail server to Internet sites gets routed
  - Application traffic from the e-mail server to the application gateway gets routed
  - E-mail traffic from Internet sites to the e-mail server gets routed
  - FTP, Gopher, etc. traffic from Internet sites to the information server gets routed
  - All other traffic gets rejected

Screened subnet firewall

• The inner router passes traffic to and from the screened subnet according to the following rules:
  - Application traffic from the application gateway to site systems gets routed
  - E-mail traffic from the e-mail server to site systems gets routed
  - Application traffic from site systems to the application gateway gets routed
  - E-mail traffic from site systems to the e-mail server gets routed
  - FTP, Gopher, etc. traffic from site systems to the information server gets routed
  - All other traffic gets rejected
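The packet-filter rules that slides 9, 17 and 18 describe in prose can be written down as a small rule base and evaluated mechanically. The following Python is an added example, not code from the project or from any firewall product: it implements a first-match stateless filter with the design-policy stance of slide 5 as the default for unmatched traffic, then encodes the outer-router and inner-router rules above. The addresses (192.0.2.0/24 for the screened subnet, 10.0.0.0/8 for the site, 198.51.100.7 as an Internet host) and the port numbers are constructed for the example.

```python
"""Stateless packet filter with first-match rules (added example; not code from
the project or any firewall product).

Constructed addresses: screened subnet 192.0.2.0/24 (TEST-NET-1) holding the
application gateway .10, the e-mail server .25 and the information server .80;
site systems 10.0.0.0/8; 198.51.100.7 stands in for an Internet host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # a single address or a prefix
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules, pkt: Packet, stance: str = "deny") -> str:
    """First matching rule wins.  `stance` is the design policy applied to
    traffic that no rule mentions: "deny" (deny unless expressly permitted)
    or "permit" (permit unless expressly denied)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return stance


GATEWAY, MAIL, INFO = "192.0.2.10", "192.0.2.25", "192.0.2.80"
SITE = "10.0.0.0/8"
FTP, TELNET, SMTP, GOPHER = 21, 23, 25, 70

# Outer router rules (slide 17).  "Application traffic" is approximated as any
# traffic to or from the gateway; a real rule base lists each proxied service.
OUTER_RULES = [
    Rule("permit", src=GATEWAY),                          # gateway -> Internet
    Rule("permit", src=MAIL, proto="tcp", dport=SMTP),    # e-mail server -> Internet
    Rule("permit", src=MAIL, dst=GATEWAY),                # e-mail server -> gateway
    Rule("permit", dst=MAIL, proto="tcp", dport=SMTP),    # Internet -> e-mail server
    Rule("permit", dst=INFO, proto="tcp", dport=FTP),     # Internet -> info server, FTP
    Rule("permit", dst=INFO, proto="tcp", dport=GOPHER),  # Internet -> info server, Gopher
]                                                         # all other traffic: the stance

# Inner router rules (slide 18).
INNER_RULES = [
    Rule("permit", src=GATEWAY, dst=SITE),                        # gateway -> site
    Rule("permit", src=MAIL, dst=SITE, proto="tcp", dport=SMTP),  # e-mail server -> site
    Rule("permit", src=SITE, dst=GATEWAY),                        # site -> gateway
    Rule("permit", src=SITE, dst=MAIL, proto="tcp", dport=SMTP),  # site -> e-mail server
    Rule("permit", src=SITE, dst=INFO),                           # site -> info server
]


def screened_subnet_decisions() -> dict:
    """Run constructed packets through the two routers and return the verdicts."""
    internet, host = "198.51.100.7", "10.1.2.3"
    return {
        # Inbound mail is admitted to the e-mail server by the outer router,
        # and the relayed copy is admitted to a site host by the inner router.
        "mail_in_outer": filter_packet(OUTER_RULES, Packet(internet, MAIL, "tcp", 40000, SMTP)),
        "mail_in_inner": filter_packet(INNER_RULES, Packet(MAIL, host, "tcp", 40001, SMTP)),
        # Telnet from the Internet straight to a site host: no rule permits it.
        "telnet_direct": filter_packet(OUTER_RULES, Packet(internet, host, "tcp", 40002, TELNET)),
        # The same packet under the "permit unless expressly denied" stance.
        "telnet_permissive": filter_packet(OUTER_RULES, Packet(internet, host, "tcp", 40002, TELNET), "permit"),
        # A compromised information server cannot reach site hosts (the segregation of slide 12).
        "info_to_site": filter_packet(INNER_RULES, Packet(INFO, host, "tcp", 40003, TELNET)),
    }


if __name__ == "__main__":
    for name, verdict in screened_subnet_decisions().items():
        print(f"{name:18} {verdict}")
```

Note what the two stances do to the same packet: under "deny unless expressly permitted" a Telnet connection from the Internet straight to a site host is dropped at the outer router; under "permit unless expressly denied" it passes, because nobody wrote a rule about it. The filter is stateless, so the return half of each permitted connection is not handled here; that gap is what the stateful inspection described for Firewall-1 on slide 28 closes.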

Screened subnet firewall

Advantages of the screened subnet firewall

• The two routers make it more difficult for an intruder to attack, because both routers must be subverted to reach the site systems
• Only the application gateway, e-mail server and information server are known to the Internet as systems; no other system name appears in the DNS database that is accessible to outside systems
• The application gateway can use authentication software to authenticate all inbound connections
• More flexible, by permitting certain trusted services to pass between the Internet and the site systems

Screened subnet firewall

Figure: Screened subnet firewall (the Internet, the outer router, the screened subnet holding the application gateway, e-mail server and information server, the inner router, and the site systems)

Firewall products

Interlock, from ANS Communications

• An application-gateway-based firewall designed to secure access between IP networks
• The Access Control Rule Base is the facility used to define Interlock's access control
• Ensures intra-network protection by controlling access between segments of an internal TCP/IP network
• The operating system source code was modified to remove IP forwarding, ICMP redirects and source routing

Interlock

Authentication
• Standard password
• SecurID and PINPAD
• Services that have no authentication step cannot be made to require authentication

Access control
• First checks whether there is a rule specific to the user and application
• Then checks for rules associated with the group containing the user
• The user gets access according to the rule found

Does not support
• Confidentiality
• Integrity
• Serial-line protection

Nov*IX for NetWare

Nov*IX, from FireFox, is a packet-filter firewall that enables you to connect a Novell NetWare (IPX) network to TCP/IP host systems over TCP/IP networks.

Authentication
• A NetWare-based password facility authorizes all outgoing connections through the server
• For incoming connections, user authentication can be implemented for remote clients by using a login and password checked against the bindery or directory services
• For FTP specifically, users require a user name and password that are verified in the NetWare bindery before the connection to the FTP server is authorized
• Detects and prevents IP spoofing

Nov*IX for NetWare

Access control
• Outgoing traffic: extracts the data from the IPX packet and puts it in an IP packet for transmission onto the Internet
• Incoming Internet traffic: the data is removed from IP packets and put into IPX packets before entering the NetWare network
• Network managers can specify the port addresses that are acceptable or those that are unacceptable

Does not support
• Confidentiality
• Integrity
• Protection against "back doors"

CyberGuard Firewall

CyberGuard Firewall is a combination of a packet-filter gateway, a proxy gateway and a bastion host.

Authentication
• Password-based user authentication
• SecurID user authentication: a dynamically generated password from a hand-held token card plus a personal identification number
• Host authentication has the ability to detect IP spoofing

Access control
• Hides internal host names and addresses
• Interfaces with standard clients and servers
• Allows or blocks the routing of specific network services based on service type, protocol, source and destination names or addresses, subnet mask, direction of transfer and whether the connection is already established, with a dynamic return path for permitted connections

CyberGuard Firewall: enhanced security

• Mandatory access control
• Multilevel directories
• Secure device handling
• Privileges

Confidentiality
• A private-network packet is encrypted and placed into the data portion of the packet that is sent out by the firewall
• The internal source and destination addresses, the private network information and the original data are all encrypted

Integrity
• A counter prevents replay attacks
• By using a MAC within the encryption process, it can detect and prevent modification of any data in the packet, including the addresses

Firewall-1, from Check Point

• Located in the kernel of the operating system, below the network layer
• Checks IP addresses and port numbers at the same time
• Stores and refreshes the state and context of connections in a dynamic state table

Authentication
• Password
• Internal Firewall-1 password
• SecurID
• S/Key
• Cryptography-based authentication
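Slide 27 mentions Firewall-1's dynamic state table and the next slide describes stateful inspection. As an added example (not Check Point's code), the following Python keeps such a table for TCP: a connection may only be opened by a SYN from the inside to a permitted port, the SYN-ACK and later packets are admitted because they match the table entry, and anything inbound with no entry is dropped. Beside it is the older stateless approximation, which treats any inbound packet with the ACK flag set as "established"; the constructed exchange shows the bare-ACK packet that the stateless rule lets through and the stateful table rejects. Addresses (10.0.0.0/8 inside, 203.0.113.9 outside) are constructed.

```python
"""Stateful inspection of TCP with a dynamic state table (added example; not
Check Point's code).  Constructed addresses: 10.0.0.0/8 is the protected site,
203.0.113.9 (TEST-NET-3) an Internet web server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_established_filter(pkt: Packet, inside: str = "10.0.0.0/8") -> str:
    """The packet-filter approximation of "established": any inbound packet
    with ACK set is assumed to belong to a connection the inside opened.
    A bare ACK crafted by an outsider satisfies it just as well."""
    if ip_address(pkt.src) in ip_network(inside):
        return "permit"
    return "permit" if "ACK" in pkt.flags else "deny"


class StatefulFirewall:
    """Admits only packets that belong to a connection in the state table,
    which is populated solely by inside-originated SYNs to permitted ports."""

    def __init__(self, inside: str, outbound_ports):
        self.inside = ip_network(inside)
        self.outbound_ports = set(outbound_ports)
        self.table = {}    # (client ip, client port, server ip, server port) -> state

    def _lookup(self, pkt: Packet):
        # Both directions of a connection must find the same entry.
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, "out"
        if rev in self.table:
            return rev, "in"
        return None, None

    def inspect(self, pkt: Packet) -> str:
        key, direction = self._lookup(pkt)
        if key is None:
            # No state yet: only a pure SYN from inside to a permitted port may create it.
            if (pkt.flags == frozenset({"SYN"})
                    and ip_address(pkt.src) in self.inside
                    and pkt.dport in self.outbound_ports):
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
                return "permit"
            return "deny"
        if pkt.flags & {"RST", "FIN"}:
            del self.table[key]      # teardown: later packets must open a new connection
            return "permit"
        if self.table[key] == "SYN_SENT":
            if direction == "in" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "permit" if direction == "out" else "deny"   # client retransmit vs. stray inbound
        return "permit"               # ESTABLISHED: data flows both ways


def run_scenario() -> dict:
    """Replay a constructed exchange; return {step: (stateful verdict, stateless verdict)}."""
    fw = StatefulFirewall("10.0.0.0/8", outbound_ports={80, 443})
    client, server = "10.1.1.5", "203.0.113.9"
    steps = {
        "syn_out":      Packet(client, server, 51000, 443, frozenset({"SYN"})),
        "synack_in":    Packet(server, client, 443, 51000, frozenset({"SYN", "ACK"})),
        "data_in":      Packet(server, client, 443, 51000, frozenset({"ACK"})),
        "ack_scan_in":  Packet(server, client, 443, 51001, frozenset({"ACK"})),   # no such connection
        "unsolicited":  Packet(server, client, 4444, 22, frozenset({"SYN"})),     # outsider opens SSH
        "rst_in":       Packet(server, client, 443, 51000, frozenset({"RST", "ACK"})),
        "after_rst_in": Packet(server, client, 443, 51000, frozenset({"ACK"})),   # entry is gone
    }
    return {name: (fw.inspect(p), stateless_established_filter(p)) for name, p in steps.items()}


if __name__ == "__main__":
    for name, (stateful, stateless) in run_scenario().items():
        print(f"{name:14} stateful={stateful:6} stateless={stateless}")
```

The two verdicts agree on the legitimate handshake and diverge exactly where it matters: the bare ACK to a port with no connection behind it (the probe an ACK scan sends) and the packet that arrives after the connection was reset. The table is what gives the firewall the "context" slide 27 refers to; without it the router can only judge each packet by the bits in its own header.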

Firewall-1

Access control: stateful inspection
• Extracts the state-related information required for security decisions from all application layers
• Maintains this information in dynamic state tables for evaluating subsequent connection attempts
• Rule based

Confidentiality and integrity
• Session key: DES, used to encrypt the message
• Encryption key: Diffie-Hellman generates a shared secret for each pair of gateways
• Certificate Authority key: RSA, used to authenticate the Diffie-Hellman key
• Supports encryption at speeds greater than 10 Mbit/s
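Slide 26 says CyberGuard encrypts the whole inner packet, addresses included, adds a MAC and uses a counter against replay; slide 28 says Firewall-1 derives its gateway keys with Diffie-Hellman. The Python below is an added example that puts those pieces together between two gateways; it is not the code of either product. Stand-ins are labelled in the code: a 127-bit demonstration prime instead of a real DH group, an HMAC-SHA256 keystream instead of DES (which is no longer considered secure), and no RSA/CA step, so the DH public values are simply taken as authentic. Addresses and the payload are constructed.

```python
"""Gateway-to-gateway tunnel: Diffie-Hellman key agreement, then encrypt-then-MAC
with a per-packet counter (added example for slides 26 and 28; not CyberGuard or
Firewall-1 code).

Stand-ins, all labelled: the DH modulus 2**127-1 is a demonstration prime far
too small for real use; an HMAC-SHA256 keystream replaces the products' DES; the
RSA/CA signature that should authenticate the DH public values is omitted, so
the exchange below would not resist an active man-in-the-middle.  Addresses and
the payload are constructed.
"""
import hashlib
import hmac
import secrets
import struct

P = 2**127 - 1      # demonstration modulus only (a Mersenne prime)
G = 5


class Gateway:
    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)      # sent to the peer in the clear
        self.send_ctr = 0                    # counter for packets we send
        self.last_seen = -1                  # highest counter accepted from the peer

    def agree(self, peer_name: str, peer_pub: int) -> None:
        """Derive separate encryption and MAC keys from the DH shared secret."""
        self.peer = peer_name
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.enc_key = hashlib.sha256(b"enc|" + shared).digest()
        self.mac_key = hashlib.sha256(b"mac|" + shared).digest()

    def _keystream(self, sender: str, ctr: int, n: int) -> bytes:
        # Bound to the sender's name so the two directions never reuse a keystream.
        out = b""
        block = 0
        while len(out) < n:
            msg = sender.encode() + struct.pack(">QQ", ctr, block)
            out += hmac.new(self.enc_key, msg, hashlib.sha256).digest()
            block += 1
        return out[:n]

    def encapsulate(self, inner_src: str, inner_dst: str, payload: bytes) -> bytes:
        """Encrypt the whole inner packet, addresses included; MAC the counter and ciphertext."""
        inner = inner_src.encode() + b"|" + inner_dst.encode() + b"|" + payload
        ctr, self.send_ctr = self.send_ctr, self.send_ctr + 1
        ks = self._keystream(self.name, ctr, len(inner))
        ct = bytes(a ^ b for a, b in zip(inner, ks))
        hdr = struct.pack(">Q", ctr)
        tag = hmac.new(self.mac_key, self.name.encode() + hdr + ct, hashlib.sha256).digest()
        return hdr + ct + tag

    def decapsulate(self, packet: bytes):
        """Return (src, dst, payload); raise ValueError on modification or replay."""
        hdr, ct, tag = packet[:8], packet[8:-32], packet[-32:]
        expect = hmac.new(self.mac_key, self.peer.encode() + hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):      # check the MAC before touching anything else
            raise ValueError("bad MAC: packet modified in transit")
        (ctr,) = struct.unpack(">Q", hdr)
        if ctr <= self.last_seen:
            raise ValueError(f"replay: counter {ctr} already seen")
        self.last_seen = ctr
        inner = bytes(a ^ b for a, b in zip(ct, self._keystream(self.peer, ctr, len(ct))))
        src, dst, payload = inner.split(b"|", 2)
        return src.decode(), dst.decode(), payload


def tunnel_scenario() -> dict:
    """Set up two gateways, send one packet, then replay it and tamper with it."""
    a, b = Gateway("gw-a"), Gateway("gw-b")
    a.agree("gw-b", b.pub)
    b.agree("gw-a", a.pub)
    pkt = a.encapsulate("10.1.1.5", "10.2.2.7", b"GET /index.html")
    results = {
        "keys_match": a.enc_key == b.enc_key,
        "addresses_hidden": b"10.1.1.5" not in pkt and b"10.2.2.7" not in pkt,
        "decapsulated": b.decapsulate(pkt),
    }
    for label, candidate in (("replay", pkt),
                             ("tamper", pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:])):
        try:
            b.decapsulate(candidate)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in tunnel_scenario().items():
        print(f"{name:17} {value!r}")
```

Two details the slides do not spell out but a practitioner has to get right: the MAC is verified before anything is decrypted or the counter updated, and the keystream is bound to the sending gateway's name so that the two directions never reuse the same keystream for the same counter value. The counter is accepted only if strictly greater than the last one seen, which also drops out-of-order packets; real tunnels keep a sliding replay window instead.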

Compare firewall products

Product      Company       Authentication   Access control   Confidentiality   Integrity   Protocols/services
Interlock    ANS           √                √                -                 -           FTP, Telnet, login, SMTP, NNTP, X Windows, WWW, Gopher, HTTP, RealAudio, LPD, NTP
Nov*IX       FireFox       √                √                -                 -           Packet filtering: TCP, UDP, NNTP, HTTP
CyberGuard   CyberGuard    √                √                √                 √           FTP, Telnet, login, SMTP, NNTP, HTTP, Gopher, X11, SOCKS, enhanced pass-through proxy
Firewall-1   Check Point   √                √                √                 √           Complete TCP/IP protocol suite

Suggestion

Firewall with a modem pool

• A firewall cannot defend against a "back door" such as a modem on an internal host that bypasses it
• Collect the modems into a pool connected to a terminal server; a terminal server is a computer designed for connecting modems to a network
• The terminal server restricts which systems dial-in users may connect to
• Packet filtering prevents inside systems from connecting directly to the modem pool
• The application gateway's authentication is used to authenticate users, whether they come in from the modem pool or from the Internet

Suggestion

Multicast IP transmissions

• Minimize unnecessary exposure of hosts to multicast traffic
• A transmission is passed only when the request came from an inside user
• Packets are allowed only to the ports designated by the requesting host and marked as unused by the firewall kernel

Conclusion

• Choose a firewall that provides confidentiality and integrity
• An updatable firewall should be considered
• Define a suitable service access policy and firewall design policy
• Proper configuration and implementation depend on the specific application
• Use additional devices to improve security, such as intrusion detection and anti-virus software
