Firewalls Anand Sharma Austin Wellman Kingdon Barrett.

Posted on 29-Jan-2016


Firewalls

Anand Sharma

Austin Wellman

Kingdon Barrett

Overview

• Firewall knowledge from UNIX
• Entry-level firewalls
• What is a firewall?
• What is an IDS?
• IDS implementation methodologies
• Who needs an IDS?
• Firewall or IDS?

What is a Firewall?

How are they used? Where do firewalls live?

• On the borders of network segments
• On two-way static routes between mutually trusting subnets
• On interdepartmental routing within an organization

How are they used?

• NAT configuration for a private/business network
• Firewall interfaces: external (public presence) and internal (gateway address). The same box has a public name and an internal one, e.g. whiteruby.rit.edu vs. whiteruby.tuesday.local
• Internal network addresses: *.tuesday.local
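The NAT setup on this slide, as an added example in Python (not code from the original presentation): a gateway with a public external interface and a private internal network, keeping the translation table that lets replies find their way back to the inside host while unsolicited inbound connections are dropped. The addresses (203.0.113.10 for the public side, 10.20.30.0/24 for the private network) are assumptions standing in for whiteruby.rit.edu and *.tuesday.local.

```python
"""Source NAT on a two-interface gateway.

Added example, not code from the original slides. Addresses are assumptions:
203.0.113.10 stands in for the firewall's public ("external") interface and
10.20.30.0/24 for the private network the slides call *.tuesday.local.
"""
import ipaddress
from dataclasses import dataclass, replace

EXTERNAL_IP = "203.0.113.10"                           # assumed public address
INTERNAL_NET = ipaddress.ip_network("10.20.30.0/24")   # assumed private network


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class SourceNAT:
    """Rewrites the private source address of outbound packets to the
    external address and keeps a translation table so that replies can be
    mapped back to the inside host that asked for them."""

    def __init__(self, external_ip=EXTERNAL_IP, internal_net=INTERNAL_NET,
                 first_port=40000):
        self.external_ip = external_ip
        self.internal_net = internal_net
        self.next_port = first_port
        self.outbound = {}   # (proto, int src, int sport, dst, dport) -> external port
        self.inbound = {}    # (proto, external port, remote ip, remote port) -> (int src, int sport)

    def _allocate_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt):
        """Packet received on the internal interface, to be sent out the
        external one. Returns the rewritten packet, or None to drop it."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return None   # not one of our hosts: spoofed or misrouted, drop it
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:   # first packet of a flow: create a mapping
            ext_port = self._allocate_port()
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=self.outbound[key])

    def translate_inbound(self, pkt):
        """Packet received on the external interface. Only packets that match
        a mapping created by an inside host get through; everything else,
        including any unsolicited connection attempt, is dropped."""
        if pkt.dst != self.external_ip:
            return None
        mapping = self.inbound.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            return None
        int_src, int_sport = mapping
        return replace(pkt, dst=int_src, dport=int_sport)


if __name__ == "__main__":
    nat = SourceNAT()
    out = nat.translate_outbound(Packet("tcp", "10.20.30.5", 51000, "198.51.100.7", 80))
    print("outbound rewritten to:", out)
    print("reply mapped back to:",
          nat.translate_inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", out.sport)))
    print("unsolicited inbound:",
          nat.translate_inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.10", 40099)))
```

The point worth noticing is that the "protection" NAT gives comes entirely from the absence of a mapping: anything that creates one (an outbound connection from a compromised inside host, a port forward) opens the path back in, so NAT is not a replacement for filtering rules.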

Basic Firewall Operation

Why do you need it?

• Protection against unauthorized connections

• Blocking unnecessary port access

• Preventing malicious and “harmless” software from phoning home

Firewalls fall into four broad categories:

• Packet filters.

• Circuit level gateways.

• Application level gateways.

• Stateful multilayer inspection firewalls.

Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They decide per packet from the headers (addresses, protocol, ports) and keep no memory of earlier packets. They are usually part of a router.

Second Generation - Circuit Level

Circuit-level gateways work at the session (TCP) layer: they validate the TCP handshake, remember which connections were legitimately opened, and then relay traffic for those circuits without looking at the payload.

Application Layer Firewalls work at the top level, the application layer. They evaluate packet data (the application payload, e.g. an HTTP request) according to rules to allow or deny connections, usually by proxying the connection on the client's behalf.

Stateful Multilayer Inspection Firewalls combine the three: packet filtering on headers, a connection state table so that only packets belonging to an established session are admitted, and inspection of selected application-layer data.

Software Firewall

Pros

• Does not require additional hardware.
• Does not require additional computer wiring.
• A good option for single computers.
• They are very easy to configure.

Cons

• Since they run on your computer they require resources (CPU, memory and disk space) from your system.
• They can introduce incompatibilities into your operating system.
• One copy is typically required for each computer.

Hardware Firewall

Pros

• They tend to provide more complete protection than software firewalls: the filtering happens on a separate box, before traffic reaches the host.
• A hardware firewall can protect more than one system at a time.
• They do not affect system performance since they do not run on your system.
• They are independent of your operating system and applications.

Cons

• They tend to be expensive, although if you have a number of machines to protect it can cost less to purchase one hardware firewall than a number of copies of a software product.
• Since they do not run on your computer, they can be challenging to configure.

Choosing the right firewall:

• The size of your network
• The level of security you're looking for
• The amount of money you're willing to pay
• Compatibility and interoperability

Available Firewalls - Windows Built-in

Pros

• Available on every Windows computer by default as of Windows XP SP2
• No configuration needed beyond enabling it for it to work

Cons

• Who will police the police? It runs on the very host it protects, so anything with administrative rights on that host can switch it off
• Outgoing transmissions are limited very little, if at all
• Could create a false sense of security in normal users

Available Firewalls - ISA Server

• Useful for a large business network
• Based on a combination of application layer and packet filtering technology
• Allows restriction of outgoing access by user, program, destination, and other criteria
• Restricts incoming access as necessary
• VPN support

Scriptable Firewall Systems

OpenBSD (pf): http://www.openbsd.org/faq/pf/

FreeBSD (ipf, ipfw): http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html and http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Linux 2.4 and later (iptables): http://www.netfilter.org/

Getting Started with Firewalls

You need:

• One (1) computer with two (2) network interfaces
• Somebody else's network (read: the Internet)
• Several of your own computers
• A hub or a switch to connect your own computers together

Getting Started with Firewalls (continued)

Firewall distributions (software firewalls that turn a dedicated machine into a gateway):

• m0n0wall: http://m0n0.ch/wall/
• Smoothwall: http://smoothwall.net/ or http://smoothwall.org/ (Clever marketing! Check this out, it's two different websites)

Intermission

• Talk amongst yourselves!

What is Intrusion Detection?

Host-based IDS: a single tapped network host

Network-based IDS: one or more tapped network segments; tapped gateways or firewalls

Circuit-Level Firewalls

• TCP handshaking: a circuit is recognised by its SYN, SYN/ACK, ACK exchange
• Authorized connections are counted (tracked in a state table)
• New traffic is automatically allowed for open connections
• Every circuit acts as a data source for IDS-type analysis or logging
• "Intelligent" network switches
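The difference between the packet filter and the circuit-level/stateful categories listed under Basic Firewall Operation, and the handshake tracking on this slide, as an added example in Python (not code from the original presentation): a stateless filter that has to guess "established" from TCP flags alone, next to a connection tracker that follows the three-way handshake, counts open circuits and logs every decision. The private network 10.20.30.0/24 and the endpoints are assumptions.

```python
"""Stateless packet filter vs. stateful connection tracking.

Added example; not code from the original slides. Both filters enforce the
same policy: inside hosts may open TCP connections to the outside, nothing
may be opened from the outside. The stateless filter has to guess from TCP
flags which inbound segments are replies; the stateful one remembers the
handshake it saw, which is the "circuit" the slides describe. The private
network 10.20.30.0/24 and all endpoints are assumptions.
"""
import ipaddress
from collections import namedtuple

INTERNAL_NET = ipaddress.ip_network("10.20.30.0/24")   # assumed private network

# flags is a frozenset drawn from {"SYN", "ACK", "FIN", "RST"}
TcpSegment = namedtuple("TcpSegment", "src sport dst dport flags")


def seg(src, sport, dst, dport, *flags):
    """Convenience constructor for the constructed test traffic."""
    return TcpSegment(src, sport, dst, dport, frozenset(flags))


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_filter(s):
    """First-generation packet filter: one decision per segment, no memory.
    Inbound segments are allowed only when they look like replies (ACK set,
    SYN clear), which is exactly what an attacker's ACK probe looks like."""
    if is_internal(s.src) and not is_internal(s.dst):
        return "allow"                      # anything outbound
    if "ACK" in s.flags and "SYN" not in s.flags:
        return "allow"                      # "probably established"; cannot tell
    return "drop"


class StatefulFilter:
    """Circuit-level / stateful filter: follows each TCP connection through
    the three-way handshake and admits inbound segments only on circuits an
    inside host opened. Every decision is logged, which is the per-circuit
    data source for IDS-type analysis the slides mention."""

    def __init__(self):
        self.circuits = {}   # (inside ip, port, outside ip, port) -> state
        self.log = []

    @staticmethod
    def _key(s):
        if is_internal(s.src):
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def open_circuits(self):
        return sum(1 for st in self.circuits.values() if st == "ESTABLISHED")

    def filter(self, s):
        key, outbound = self._key(s), is_internal(s.src)
        state = self.circuits.get(key)
        verdict = "drop"
        if state is None:
            if outbound and s.flags == {"SYN"}:        # inside host opens a circuit
                self.circuits[key], verdict = "SYN_SENT", "allow"
            # no known circuit otherwise: inbound SYNs and spoofed ACK probes drop
        elif state == "SYN_SENT":
            if outbound and s.flags == {"SYN"}:        # retransmitted SYN
                verdict = "allow"
            elif not outbound and s.flags == {"SYN", "ACK"}:
                self.circuits[key], verdict = "SYN_RECEIVED", "allow"
            elif not outbound and "RST" in s.flags:    # connection refused
                del self.circuits[key]
                verdict = "allow"
        elif state == "SYN_RECEIVED":
            if outbound and "ACK" in s.flags:
                self.circuits[key], verdict = "ESTABLISHED", "allow"
        elif state == "ESTABLISHED":
            verdict = "allow"
            if s.flags & {"FIN", "RST"}:               # simplified: first FIN/RST closes the circuit
                del self.circuits[key]
        self.log.append((verdict, state, key, tuple(sorted(s.flags))))
        return verdict


def demo():
    """Run an attacker's ACK probe and a legitimate connection through both filters."""
    inside, outside = "10.20.30.5", "198.51.100.7"
    probe = seg(outside, 4444, inside, 22, "ACK")     # ACK scan against an inside host
    handshake = [
        seg(inside, 51000, outside, 80, "SYN"),
        seg(outside, 80, inside, 51000, "SYN", "ACK"),
        seg(inside, 51000, outside, 80, "ACK"),
        seg(outside, 80, inside, 51000, "ACK"),       # data from the server
    ]
    sf = StatefulFilter()
    return {
        "probe_stateless": stateless_filter(probe),
        "probe_stateful": sf.filter(probe),
        "handshake_stateful": [sf.filter(x) for x in handshake],
        "open_after_handshake": sf.open_circuits(),
    }
```

The stateless filter passes the ACK probe and the stateful one drops it; that single difference is why "established" rules in a stateless ruleset are only as strong as the attacker's willingness to set a flag. The state machine here stops at the first FIN or RST and has no timeouts, both of which a real tracker needs so the table cannot be filled with half-open circuits.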

Paranoia? Watch what you say!

Big Brother IDS

Snort: The De-Facto IDS

http://www.snort.org/docs/

Monitor everything, log and classify. Build signatures for:

• Legitimate use patterns
• Attack patterns

Tap placement is everything: http://www.snort.org/docs/iss-placement.pdf
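Signature matching of the kind Snort does, as an added example in Python (not Snort's code and not from the original presentation): a parser for a small subset of the Snort rule language, one "legitimate use" pass rule and two attack rules, run over constructed packets and classified. $HOME_NET, the rules and the traffic are all made up for the example.

```python
"""Minimal Snort-style signature engine.

Added example: not Snort's code and not from the original slides. It parses a
few rules in a subset of Snort's rule language, runs them over constructed
packets and classifies the hits. Rules, $HOME_NET (10.20.30.0/24) and traffic
are invented; only plain-string content matches are supported (no |hex|, no PCRE).
"""
import ipaddress
import re
from collections import namedtuple

HOME_NET = ipaddress.ip_network("10.20.30.0/24")   # assumed

# Constructed rule set: one "legitimate use" pass rule, two alert rules.
RULES_TEXT = r'''
pass  tcp $HOME_NET any -> any 80 (msg:"Ordinary HTTP GET from inside"; content:"GET /"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-ATTACK /etc/passwd in request"; content:"/etc/passwd"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> !$HOME_NET 6667 (msg:"Inside host sends IRC NICK, possible bot phoning home"; content:"NICK "; classtype:trojan-activity; sid:1000003; rev:1;)
'''

Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "action proto src sport dst dport options")
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        action, proto, src, sport, dst, dport, body = m.groups()
        options = {}
        for opt in body.split(";"):   # naive: a ';' inside a quoted value would break this
            opt = opt.strip()
            if not opt:
                continue
            key, sep, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"') if sep else True
        rules.append(Rule(action, proto, src, sport, dst, dport, options))
    return rules


def addr_matches(spec, addr):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
        hit = ipaddress.ip_address(addr) in net
    return hit != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")        # "80", "80:90", "1024:", ":1023"
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 65535) if sep else low
    return low <= port <= high


def content_matches(rule, payload):
    content = rule.options.get("content")
    if content is None:
        return True                           # header-only rule
    needle = content.encode()
    if rule.options.get("nocase"):
        needle, payload = needle.lower(), payload.lower()
    return needle in payload


def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and content_matches(rule, pkt.payload))


def inspect(rules, pkt):
    """Alerts raised for one packet. A matching pass rule silences every
    alert (the pass-before-alert order Snort 2 selects with -o); that is what
    a "legitimate use" signature is for, and why it must be written narrowly."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if any(r.action == "pass" for r in hits):
        return []
    return [{"sid": int(r.options["sid"]), "msg": r.options.get("msg", ""),
             "classtype": r.options.get("classtype", "unclassified")}
            for r in hits if r.action == "alert"]


def run_demo():
    """Constructed traffic: returns the alert sids raised per packet."""
    rules = parse_rules(RULES_TEXT)
    traffic = [
        Packet("tcp", "10.20.30.5", 51000, "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        Packet("tcp", "198.51.100.7", 40000, "10.20.30.8", 80, b"GET /cgi-bin/../../ETC/passwd HTTP/1.0\r\n\r\n"),
        Packet("tcp", "10.20.30.9", 52000, "198.51.100.9", 6667, b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
        # inside host attacking an inside web server: the broad pass rule hides it
        Packet("tcp", "10.20.30.5", 51001, "10.20.30.8", 80, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
    ]
    return [[a["sid"] for a in inspect(rules, p)] for p in traffic]
```

The fourth packet is the caveat: a "legitimate use" pass rule written as broadly as "any GET from inside" silences the /etc/passwd signature for an attack between two inside hosts. Pass rules should be scoped to the specific source, destination and content that are known-good, and the sensor placement (next slide) decides whether such inside-to-inside traffic is seen at all.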

Where to Tap?

• Network gateways: connections from users to the Internet
• Circuit-level tap: monitor connections between local network users
• Host-based IDS: system logs and user information; decrypted traffic

Conclusions

Is there anybody left in the audience who wants to see a large-scale IDS implemented here at RIT?

Definitely not me!

Or across your ISP's network?

Definitely not me!

Questions?