EIU MIS 4850 - MIS4850Class10

This preview shows page 1-2-3 out of 10 pages.


1. Firewalls
(February 25, 2013)
© Abdou Illia – Spring 2013

2. Test your Firewall knowledge

- Which of the following is true about firewalls?
  a) A firewall is a hardware device
  b) A firewall is a software program
  c) Firewalls could be hardware or software
- Which of the following is true about firewalls?
  a) They are used to protect a whole network against attacks
  b) They are used to protect single computers against attacks
  c) Both a and b.

3. Test your Firewall knowledge (cont.)

- Which of the following is true about firewalls?
  a) They are configured to monitor inbound traffic and protect against attacks by intruders
  b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
  c) Both a and b

4. Firewall: definition

- Hardware or software tool used to protect a single host (1) or an entire network (2) by "sitting" between a trusted network (or a trusted host) and an untrusted network
- Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic

(1) Host-based or personal firewall
(2) Network-based firewall

[Figure labels: Untrusted network; Trusted network; PC with Host-based Firewall (two); Network-Based Firewall]

5. Questions

- What is the main advantage of having a host-based firewall in addition to having a network-based one?
  Answer: _________________________________________
- What kind of security issue could be associated with having host-based firewalls on users' PCs?
  Answer: __________________________________________

[Figure: same labels as on slide 4]

6. Firewall Architecture

Most firms have multiple firewalls. Their arrangement is called the firm's firewall architecture.

[Figure labels: Internet; Screening Router Firewall; Main Border Firewall; Internal Firewall; Host Firewall; Demilitarized Zone (DMZ); 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet; Email Server on 172.18.6.x Subnet; Public Webserver 60.47.3.9; SMTP Application Proxy Server 60.47.3.10; HTTP Application Proxy Server 60.47.3.1; External DNS Server 60.47.3.4]

7. Firewall Architecture

[Figure: same architecture diagram as on slide 6]

The DMZ is a subnet that includes the hosts most vulnerable to attacks, i.e. hosts that provide services to outside users. Common hosts in the DMZ: public web servers, public DNS servers, public FTP servers, email proxy servers. Hosts in the DMZ must be heavily protected.

8. Questions

- What is a DMZ?
- Why are public web servers usually put in the DMZ?
- Why are public DNS servers usually put in the DMZ?
- Which of the following may be placed in a DMZ?
  a) An SMTP proxy server
  b) A server that contains files available for downloading by employees
  c) A File Transfer Protocol server
  d) A SQL (Structured Query Language) database server
- What IP addresses should a DNS server in the DMZ be able to find?
  a) All of the company's IP addresses
  b) Only the IP addresses of the computers in the internal subnet
  c) Only the IP addresses of the computers in the DMZ
- You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
  a) A DMZ (Demilitarized Zone).
  b) A honey pot.
  c) A firewall.
  d) None of the above.

9. Basic Firewall Operation

- Ingress filtering: filtering packets coming from external networks
- Egress filtering: filtering packets leaving to external networks

[Figure labels: Internet (Not Trusted); Attacker; Attack Packet 1; Legitimate User; Legitimate Packet 1; Border Firewall; Log File; Dropped Packet (Ingress); Passed Legitimate Packet (Ingress); Internal Corporate Network (Trusted); Legitimate Packet 2; Passed Packet (Egress)]

10. Types of Firewalls

- Static Packet Filtering Firewalls (1st generation)
  - Inspect TCP, UDP, IP headers to make filtering decisions
  - Do static filtering of individual packets based on a configured ruleset (or Access Control List)
  - Prevent attacks that use IP or port spoofing, etc.
- Stateful Packet Filtering Firewalls (2nd generation)
  - Inspect TCP, UDP, IP headers to make filtering decisions
  - Do stateful filtering by checking the firewall's state table for the relation of packets to packets already filtered
  - If a packet does not match an existing connection, the ruleset (static filtering) is used
  - If a packet matches an existing connection, it is allowed to pass
  - Prevent SYN attacks, teardrops, etc.

State Table

| Connection | Source IP | Destination IP | State |
|---|---|---|---|
| Connection 1 | 123.12.13.4 | 60.47.3.9:80 | TCP opening |
| Connection 2 | 213.14.33.56 | 60.47.3.9:80 | Data transfer |
| … | … | … | … |

[Figure: packet layouts inspected: IP-H, TCP-H, Application Layer Message; IP-H, UDP-H, Application Layer Message]

11. Types of Firewalls (cont.)

- Application Firewalls (3rd generation)
  - Also called proxy firewalls
  - Inspect the Application Layer message (e.g. HTTP requests, emails, etc.)
  - Specialized proxy firewalls are more effective than general-purpose ones
    - HTTP proxy firewalls for HTTP requests
    - SMTP proxy firewalls for SMTP emails
    - FTP proxy firewalls for FTP-based file transfer requests
  - Prevent malware attacks

[Figure: Browser, HTTP Proxy, Webserver Application, Log File. 1. HTTP Request; 2. Passed inspected HTTP Request; 3. HTTP Response; 4. Passed inspected HTTP Response. Packet layouts: IP-H, TCP-H, Application Layer Message; IP-H, UDP-H, Application Layer Message]

12. Types of Firewalls (cont.)

- Network Address Translation Firewall
  - Replace the IP address in an outgoing message with a spoof IP address
  - Hide internal hosts' IP addresses from outsiders
  - Help prevent IP spoofing attacks using internal IP addresses

| Host IP Address | Outgoing IP Address | Request ID |
|---|---|---|
| 135.12.23.12 | 135.12.20.1 | 120121 |
| 135.12.22.2 | 135.12.20.2 | 120122 |
| 135.12.21.3 | 135.12.20.3 | 120123 |
| … | … | … |

13. Network Address Translation (cont.)

[Figure labels: Client 192.168.5.7; NAT Firewall; Internet; Sniffer; Server Host. 1: From 192.168.5.7, Port 61000. 2: From 60.5.9.8, Port 55380]

Translation Table

| Internal IP Addr | Internal Port | External IP Addr | External Port |
|---|---|---|---|
| 192.168.5.7 | 61000 | 60.5.9.8 | 55380 |
| . . . | . . . | . . . | . . . |

14. Network Address
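
The stateful filtering decision from the "Types of Firewalls" slide (state-table lookup first, static ruleset as fallback), as an added Python example that is not part of the original slides. The ruleset, the port numbers and the 198.51.100.7 address are constructed, and the TCP tracking is simplified (no sequence-number or timeout checks).

```python
# Added illustration: rules, ports and 198.51.100.7 are constructed; TCP tracking is simplified.
RULES = [  # static ruleset (ACL): first match wins, default deny
    {"dst": "60.47.3.9", "dport": 80, "flags": {"SYN"}, "action": "pass"},
]

class StatefulFirewall:
    def __init__(self):
        self.state = {}  # (src, sport, dst, dport) -> connection state
        self.log = []    # dropped packets, as in the slides' log file

    def static_filter(self, p):
        for r in RULES:
            if (p["dst"], p["dport"], set(p["flags"])) == (r["dst"], r["dport"], r["flags"]):
                return r["action"]
        return "drop"

    def filter(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        conn = fwd if fwd in self.state else rev if rev in self.state else None
        if conn:  # packet belongs to a connection already in the state table
            if {"FIN", "RST"} & set(p["flags"]):
                del self.state[conn]                 # teardown removes the entry
            elif set(p["flags"]) == {"ACK"}:
                self.state[conn] = "Data transfer"   # handshake completed
            return "pass"
        if self.static_filter(p) == "pass":          # no match: fall back to the ruleset
            self.state[fwd] = "TCP opening"
            return "pass"
        self.log.append(p)
        return "drop"

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def demo():
    fw, c, s = StatefulFirewall(), "123.12.13.4", "60.47.3.9"
    trace = [
        pkt(c, 40000, s, 80, "SYN"),                # new connection, allowed by ruleset
        pkt(s, 80, c, 40000, "SYN", "ACK"),         # reply matches the state table
        pkt(c, 40000, s, 80, "ACK"),                # handshake done
        pkt("198.51.100.7", 41000, s, 80, "ACK"),   # ACK with no connection
        pkt(c, 40000, s, 80, "FIN", "ACK"),         # teardown
        pkt(c, 40000, s, 80, "ACK"),                # stale packet after teardown
    ]
    return [(fw.filter(p), fw.state.get((c, 40000, s, 80))) for p in trace], fw.log

if __name__ == "__main__":
    print(demo()[0])
```

The two dropped packets carry only ACK and match no state-table entry, so they fall through to the ruleset, which admits only a SYN to the web server; a static packet filter that allowed port 80 traffic regardless of flags would have passed both.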

