1OFF SYMB - 04/21/23

Firewalls Basics

2OFF SYMB - 04/21/23

Overview

• Why we have firewalls

• What a firewall does

• Why is the firewall configured the way it is

3OFF SYMB - 04/21/23

Why Do We Have Firewalls??

• Recent Network Security Compromises

— Pentagon Domain Name Server

— March AFB Web Server

— Senate Web Server

• Network hacking has been simplified by the proliferation of tools available on the Internet

— Satan

— Crack

— Ping of Death

4OFF SYMB - 04/21/23

Why Do We Have Firewalls??

Establishes a physical perimeter to protect your internal assets. Centralizes & consolidates management & enforcement of network access

policies. Saves $$ by consolidating security measures, investments, & admin. but ... … also consolidates your risks (all eggs in one basket)

Guard or Firewall

Internet

Attackers

User

Localarea

networkUser

Internal Servers

User

Internal Servers

Internal Servers

Internal Servers

Components:Your Policy: “Deny access to any service unless it is expressly permitted” implemented & enforced via a combination of:

Each Component performs a different role in implementing

your policy

• Hardware,• OS Software,• Application Software

5OFF SYMB - 04/21/23

What does the Firewall Do??Overview

• Proxying

• Stateful Packet Inspection

• IP Filtering

• Access Control Lists

• Network Address Translation

• Logging

• Centralized Security Policy

• Type Enforcement

6OFF SYMB - 04/21/23

Proxying

• Proxies are applications “running” on the firewall built to intercept communications for specific protocols and will explicitly allow only necessary, secure, and valid operations.

— Proxies are written by the vendor to handle a specific type of traffic (RealAudio, SQL*NET)

— Proxies examine all packets of a connection and therefore exact a performance penalty

7OFF SYMB - 04/21/23

Stateful Packet Inspection

• Stateful Packet Inspection (SPI) technology keeps tables to track the status of each connection, as well as commands that appear in the data stream, and regulates traffic flow accordingly.

— The tables are checked before data is processed by the OS of the firewall

— Header information from the original connection passes through the firewall unchanged if the defined policy allows the access.

8OFF SYMB - 04/21/23

IP Filtering

• IP Filtering allows all ports for a particular protocol (TCP,UDP,ICMP) to pass through the firewall

— IP filters allows packets to pass through unaltered and does not check headers for traffic types

— IP filtering provides very little protection and should not be used (Consider it a hole in the firewall)

9OFF SYMB - 04/21/23

Access Control Lists

• Access Control List (ACL) is a mechanism that permits IP addresses to communicate in accordance to certain rules

• ACLs are used in conjunction with proxies, SPI, and IP filters

• ACLs provide granularity to the control over access

10OFF SYMB - 04/21/23

Network Address Translation

• Network Address Translation (NAT) hides the addresses of all devices initiating connections from inside your network by converting their source address to the firewall's external address.

• NAT prevents external threats from gaining knowledge of the internal network structure of the base

11OFF SYMB - 04/21/23

Logging

• Firewalls provide a central logging point that records all connections both successful and failed

• These logs can then be parsed to determine problem areas ( i.e. Misconfigured internal machines, person engaging in improper use of the network)

12OFF SYMB - 04/21/23

Centralized Security Policy

• Reduces the number of systems that are exposed to security risks as only the firewall is exposed to attacks from the Internet

• Gives a single point at which an administrator can control network access to and from the Internet

• Simplifies security management by providing a GUI

13OFF SYMB - 04/21/23

Type Enforcement Advantages

Provides “breach containment” Separates applications into domains Controls which resources each domain

can accessSoftware in a domain is granted access only

to resources it needs, and forbidden access to anything else

An access violation is triggered if any access outside of the current domain is attempted

Restricts malicious activity to the offending or compromised domain

Unique to the Sidewinder firewall

Admin

User

News Network

Telnet

FTP

WWW

14OFF SYMB - 04/21/23

Network Security Policy

• Defines overall roles and responsibilities of network security

• Defines security requirements, principles, and policies

• Network Infrastructure Services and Protocols Policy

— Listing of 33 infrastructure services and policies, their vulnerabilities, and usage policy