Firewalls
CS-455
Dick Steflik

Outline:
• Firewalls
• Slide 2
• Protection Methods
• Other common Firewall Services
• Additional services sometimes provided
• Packet Filters
• Limitations of Packet Filters
• Network Address Translation
• Proxies
• Slide 10
• Content filtering
• Virtual Private Networks (VPN)
• VPNs (more)
• Effective Border Security
• Problems Firewalls can't fix
• Border Security Options
• Filtered Packet Services
• Single firewall, internal public servers
• Single firewall, internal public servers
• DMZ
• Bastion Host
• Free Firewall Software Packages
• Home & Personal Routers
• Enterprise Firewalls

Firewalls
• Sits between two networks
  – Used to protect one from the other
  – Places a bottleneck between the networks
• All communications must pass through the bottleneck; this gives us a single point of control

Protection Methods
• Packet Filtering
  – Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
• Network Address Translation (NAT)
  – Translates the addresses of internal hosts so as to hide them from the outside world
  – Also known as IP masquerading
• Proxy Services
  – Makes high-level, application-level connections to external hosts on behalf of internal hosts, completely breaking the network connection between internal and external hosts

Other common Firewall Services
• Encrypted Authentication
  – Allows users on the external network to authenticate to the firewall to gain access to the private network
• Virtual Private Networking
  – Establishes a secure connection between two private networks over a public network
    • This allows the use of the Internet as a connection medium rather than an expensive leased line

Additional services sometimes provided
• Virus Scanning
  – Searches incoming data streams for virus signatures so they may be blocked
  – Done by subscription to stay current
    • McAfee / Norton
• Content Filtering
  – Allows the blocking of internal users from certain types of content
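Packet filtering, listed under Protection Methods and treated in detail on the Packet Filters and Limitations of Packet Filters slides, comes down to a rule database consulted in order plus a decision about what to do with fragments that carry no transport header. The following is an added illustration written for this page, not code from the lecture or from any firewall product; the rule set, addresses and packets are constructed, and the fragment handling shows the "reconstruct fragments, then check them" approach the slides attribute to modern firewalls.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed illustration of a packet filter: a rule database is consulted
# in order, the first matching rule decides, and an unmatched packet gets the
# default action. Non-first fragments carry no transport header, so they are
# judged by the header of the first fragment of the same datagram, which is
# the "reconstruct fragments, then check" behaviour the slides describe.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int]        # None when no transport header is visible
    frag_id: int = 0            # IP identification; shared by all fragments of one datagram
    frag_offset: int = 0        # 0 for the first (or only) fragment
    more_fragments: bool = False


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        # A port rule can never match a packet whose port is not visible.
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default
        # (src, dst, frag_id) -> first fragment, which holds the transport header
        self._first: Dict[Tuple[str, str, int], Packet] = {}

    def decide(self, p: Packet) -> str:
        key = (p.src, p.dst, p.frag_id)
        if p.frag_offset == 0 and p.more_fragments:
            self._first[key] = p            # remember the header for later fragments
        elif p.frag_offset > 0:
            first = self._first.get(key)
            if first is None:
                return "deny"               # orphan fragment: nothing to check it against
            p = first                       # judge it by the datagram's real header
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Constructed policy: only the internal web server and mail relay are reachable
# from outside, and only on their service ports; everything else is denied.
RULES = [
    Rule("allow", dst="192.168.1.10/32", proto="tcp", dport=80),
    Rule("allow", dst="192.168.1.25/32", proto="tcp", dport=25),
]


def run_demo() -> Dict[str, str]:
    fw = PacketFilter(RULES)
    ext, web = "203.0.113.7", "192.168.1.10"
    return {
        "web": fw.decide(Packet(ext, web, "tcp", 80)),
        "telnet": fw.decide(Packet(ext, web, "tcp", 23)),
        # A fragmented HTTP request: the first fragment shows port 80, the
        # second has no header at all and is judged by the first.
        "http_frag1": fw.decide(Packet(ext, web, "tcp", 80, frag_id=5, frag_offset=0, more_fragments=True)),
        "http_frag2": fw.decide(Packet(ext, web, "tcp", None, frag_id=5, frag_offset=8)),
        # The same for a telnet attempt: both fragments are denied.
        "telnet_frag1": fw.decide(Packet(ext, web, "tcp", 23, frag_id=9, frag_offset=0, more_fragments=True)),
        "telnet_frag2": fw.decide(Packet(ext, web, "tcp", None, frag_id=9, frag_offset=8)),
        # A fragment whose first fragment was never seen cannot be checked.
        "orphan": fw.decide(Packet(ext, web, "tcp", None, frag_id=77, frag_offset=8)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:13s} {verdict}")
```

The default-deny at the end of the rule walk is what makes the rule database a whitelist; a filter that judged each fragment on its own, with no visible port to compare, would have to either pass every non-first fragment or drop all of them, which is exactly the limitation the slides describe.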
  – Usually an add-on to a proxy server
  – Usually a separate subscription service, as it is too hard and time-consuming to keep current

Packet Filters
• Compare network and transport protocols to a database of rules and then forward only the packets that meet the criteria of the rules
• Implemented in routers and sometimes in the TCP/IP stacks of workstation machines
  – In a router, a filter prevents suspicious packets from reaching your network
  – In a TCP/IP stack, it prevents that specific machine from responding to suspicious traffic
    • Should only be used in addition to a filtered router, not instead of one

Limitations of Packet Filters
• IP addresses of hosts on the protected side of the filter can be readily determined by observing the packet traffic on the unprotected side of the filter
• Filters cannot check all of the fragments of higher-level protocols (like TCP), as the TCP header information is only available in the first fragment
  – Modern firewalls reconstruct fragments and then check them
• Filters are not sophisticated enough to check the validity of the application-level protocols embedded in the TCP packets

Network Address Translation
• A single host makes requests on behalf of all internal users
  – Hides the internal users behind the NAT's IP address
  – Internal users can have any IP address
    • Should use the reserved ranges 192.168.n.m or 10.n.m.p to avoid possible conflicts with duplicate external addresses
• Only works at the TCP/IP level
  – Doesn't do anything for addresses in the payloads of the packets

Proxies
• Hides internal users from the external network by hiding them behind the IP of the proxy
• Prevents low-level network protocols from going through the firewall, eliminating some of the problems with NAT
• Restricts traffic to only the application-level protocols being proxied
• A proxy is a combination of a client and a server; internal users send requests to the server portion of the proxy, which then sends the internal users' requests out through its client (it keeps track of which users requested what, to redirect returned data back to the appropriate user)

Proxies (continued)
• Address seen by the external network is the address of the proxy
• Everything possible is done to hide the identity of the internal user
  – E-mail addresses in the HTTP headers are not propagated through the proxy
• Doesn't have to be an actual part of the firewall; any server sitting between the two networks can be used

Content filtering
• Since an enterprise owns the computing and network facilities used by employees, it is perfectly within its rights to attempt to limit Internet access to sites that could be somehow related to business
  – Since the proxy server is a natural bottleneck for observing all of the external requests being made from the internal network, it is the natural place to check content
  – This is usually done by subscription to a vendor that specializes in categorizing websites into content types based on observation
  – Usually an agent is installed into the proxy server that compares URL requests to a database of URLs to reject
  – All accesses are then logged and reported; most companies then review the reported access violations, and usually a committee reviews and decides whether or not any personnel action should be taken (letter of reprimand, dismissal, etc.)
  – Sites that are usually filtered are those containing information about or pertaining to:
    • Gambling
    • Pornography

Virtual Private Networks (VPN)
• Used to connect two private networks via the Internet
  – Provides an encrypted tunnel between the two private networks
  – Usually cheaper than a private leased line, but should be studied on an individual basis
  – Once established, and as long as the encryption remains secure, the VPN is impervious to exploitation
  – For large organizations using VPNs to connect geographically diverse sites, always attempt to use the same ISP to get the best performance
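The Network Address Translation slide makes two points that are easiest to see in a translation table: every inside host is hidden behind the NAT's one public address, and only the IP and transport headers are rewritten, so an inside address that an application writes into its payload passes through untouched. The following is an added illustration written for this page, not the lecture's code or any router's NAT implementation; the addresses, ports and the payload are constructed, and the 172.16.0.0/12 range is added as an assumption beyond the two ranges the slide names (it is the third RFC 1918 private range).

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, List, Optional, Tuple

# Constructed illustration of NAT (IP masquerading): one public address is
# shared by all inside hosts, a translation table maps each inside
# (address, port) pair to a public port, and replies are mapped back. Only the
# IP and transport headers are rewritten; the payload is left alone, which is
# the limitation the slide points out.

# The reserved ranges named on the slide, plus 172.16.0.0/12 (an assumption:
# it is the third RFC 1918 range, not mentioned on the slide).
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
                  ip_network("172.16.0.0/12")]


def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in PRIVATE_RANGES)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._out: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self._back: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)
        self._ports = count(first_port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside->outside packet so it appears to come from the NAT."""
        if not is_private(p.src):
            raise ValueError(f"{p.src} is not an inside address")
        key = (p.src, p.sport)
        if key not in self._out:
            pub = next(self._ports)
            self._out[key] = pub
            self._back[pub] = key
        return Packet(self.public_ip, self._out[key], p.dst, p.dport, p.payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host, or drop it if nothing asked for it."""
        inside = self._back.get(p.dport)
        if p.dst != self.public_ip or inside is None:
            return None
        return Packet(p.src, p.sport, inside[0], inside[1], p.payload)


IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def private_addresses_in_payload(p: Packet) -> List[str]:
    """Inside addresses that survive inside the payload after translation."""
    found = []
    for match in IPV4.findall(p.payload):
        text = match.decode()
        try:
            if is_private(text):
                found.append(text)
        except ValueError:
            pass  # digits that are not a valid address, e.g. 999.1.1.1
    return found


def run_demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    nat = Nat("198.51.100.1")
    # Constructed: an inside host writes its own private address into the
    # payload, as some application protocols do.
    req = Packet("192.168.1.20", 51000, "203.0.113.80", 80,
                 b"X-Client-Address: 192.168.1.20\r\n")
    out = nat.outbound(req)
    reply = nat.inbound(Packet("203.0.113.80", 80, "198.51.100.1", out.sport, b"OK"))
    # An unsolicited packet to a port nobody mapped has no inside destination.
    stray = nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 40999, b"?"))
    return out, reply, stray


if __name__ == "__main__":
    out, reply, stray = run_demo()
    print("outbound as seen outside:", out.src, out.sport)
    print("reply delivered to:", reply.dst if reply else None)
    print("stray dropped:", stray is None)
    print("inside addresses leaked in payload:", private_addresses_in_payload(out))
```

The last line of the demo is the point of the slide: the header says 198.51.100.1, but the payload still says 192.168.1.20. Hiding that requires an application-level proxy (the next slides) or a protocol-specific helper, not NAT alone.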
    • Try to avoid having to go through small mom-and-pop ISPs, as they will tend to be real bottlenecks

VPNs (more)
• Many firewall products include VPN capabilities
• But most operating systems provide VPN capabilities
  – Windows NT provides a point-to-point tunneling protocol via the Remote Access server
  – Windows 2000 provides L2TP and IPSec
  – Most Linux distributions support encrypted tunnels one way or another
    • Point-to-Point Protocol (PPP) over Secure Sockets Layer (SSL)
• Encrypted Authentication
  – Many enterprises provide their employees VPN access from the Internet for work-at-home programs or for employees on the road
    • Usually done with a VPN
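The Content filtering slide describes an agent in the proxy that compares each URL request against a category database, refuses the blocked categories, and logs every access so violations can be reported for review. The following is an added illustration written for this page, not the lecture's code or any vendor's filtering agent; the category database, the user names and the request list are constructed (the ".example" domain is reserved for documentation), and the host normalisation and parent-domain matching are design choices of this example, not something the slide specifies.

```python
import logging
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed illustration of a proxy content-filtering agent: each request's
# host is looked up in a category database (a stand-in for the vendor feed the
# slide mentions), requests in blocked categories are refused, and every
# decision is recorded so violations can be reported for review.

CATEGORY_DB: Dict[str, str] = {      # constructed sample of a category feed
    "casino.example": "gambling",
    "adult.example": "pornography",
    "intranet.example": "business",
}
BLOCKED_CATEGORIES = {"gambling", "pornography"}

log = logging.getLogger("proxy.contentfilter")


def host_of(url: str) -> str:
    # urlsplit().hostname is lower-cased with user info and port stripped, so
    # "http://Bob@CASINO.example:8080/" and "http://casino.example/" match alike.
    return (urlsplit(url).hostname or "").rstrip(".")


def categorize(host: str) -> str:
    """Match the most specific database entry first, then its parent domains."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


class ContentFilter:
    def __init__(self) -> None:
        # (user, host, category, decision) for every request seen
        self.records: List[Tuple[str, str, str, str]] = []

    def check(self, user: str, url: str) -> str:
        host = host_of(url)
        category = categorize(host)
        decision = "deny" if category in BLOCKED_CATEGORIES else "allow"
        self.records.append((user, host, category, decision))
        log.info("user=%s host=%s category=%s decision=%s", user, host, category, decision)
        return decision

    def violation_report(self) -> Dict[str, List[str]]:
        """Denied hosts per user, the input to the review the slide describes."""
        report: Dict[str, List[str]] = defaultdict(list)
        for user, host, _category, decision in self.records:
            if decision == "deny":
                report[user].append(host)
        return dict(report)


def run_demo() -> Tuple[ContentFilter, List[str]]:
    cf = ContentFilter()
    # Constructed request log from the inside network
    requests = [
        ("alice", "http://www.casino.example/bet?table=3"),
        ("alice", "https://INTRANET.example:8443/timesheet"),
        ("bob", "http://bob@Adult.Example./index.html"),
        ("bob", "http://news.example/"),
    ]
    decisions = [cf.check(user, url) for user, url in requests]
    return cf, decisions


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s %(message)s")
    cf, decisions = run_demo()
    print(decisions)
    print(cf.violation_report())
```

Matching on the normalised host rather than the raw URL string is what stops trivial variations (capitalisation, an explicit port, a trailing dot, a subdomain) from slipping past a list keyed on exact URLs; an uncategorised site is allowed here, which mirrors a list of sites to reject rather than a list of sites to permit.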
BU CS 455 - Firewalls