Information System Security, Arab Academy for Banking and Financial Sciences (AABFS)
Presented to: Dr. Lo’ai Tawalbeh
By: Mohammad Ababneh, Mohammad Mkhaimer
Summer 2006

Transcript of the slides:

Page 1: Title slide (title, supervisor, presenters and date as above).

Page 2: 1. Definition

A firewall is simply defined as a collection of components placed between two networks to protect a private network from unauthorized intrusion.

[Figure: a firewall sitting between the administered network and the public Internet.]

Page 3: Definition (cont.)

[Figure: the Internet on one side, the secure private network (with "My PC") on the other, and the firewall between them; its rules determine WHO, WHEN, WHAT and HOW.]

Page 4: 2. Introduction

• Firewalls alone do not provide complete protection from Internet-borne problems.
• They are just one part of a total information security program.
• Firewalls and firewall environments are discussed here in the context of Internet connectivity and the TCP/IP protocol suite.
• However, firewalls also have applicability in network environments that do not include or require Internet connectivity.

Page 5: Introduction (cont.)

Page 6: Modern firewalls operate on the following OSI model layers.

Page 7:

Page 8: 3. What is at Risk?

- Loss of data.
- Confidential data.
- Network downtime.
- Staff time.
- Hijacked computers.
- Reputation.

Page 9: 4. Threats

Targeted versus untargeted attacks:

• Viruses, worms, and trojans.
• Malicious content and malware.
• Denial-of-service (DoS) attacks.
• Zombies.
• Compromise of personal information, and spyware.
• Social engineering.
• Insecure/poorly designed applications.

Page 10: 5. What Firewalls Do

- Protect the resources of an internal network.
- Restrict external access.
- Log network activities.
- Intrusion detection.
- DoS.
- Act as an intermediary.
- Centralized security management:
  • Carefully administer one firewall to control the Internet traffic of many machines.
  • Internal machines can then be administered with less care.

Page 11: 6. Disadvantages

• Performance may suffer.
• Single point of failure.

Page 12: 7. Firewall Products Classification

• H/W: platform-based (Linux, Solaris, Windows, ... system) or proprietary (Nokia box, Cisco PIX)
• Software: Checkpoint FireWall-1 (FW-1), NetGuard Guardian
• Perimeter firewall: Checkpoint, PIX, Sun SPF
• Stand-alone box (appliance): Satic Wall, WatchGuard Firebox, NetScreen
• Personal firewall: BlackICE, ZoneAlarm

Page 13: 8. Taxonomy

Firewalls
- Personal Firewalls
- Network Firewalls
  - Packet Filter Firewalls
  - Circuit Level Gateways
  - Application Level Firewalls
  - NAT Firewalls
  - Stateful Firewalls

Page 14: 8.1 Personal Firewalls

• Firewall on the client machine.
• Allows/blocks traffic based on:
  – Packet types
  – Local applications
• Centralized configuration.
• Coupled to personal intrusion detection.
• Examples: ZoneAlarm, BlackICE, PGP FireWall, IDS, Windows XP.

Page 15: 8.2 Packet Filter Firewalls

• The most basic type of firewall.
• Routing devices that include access control functionality for system addresses and communication sessions.
• Packet filters operate at Layer 3 (Network) of the OSI model.

Page 16: Packet Filtering

• Filter traffic based on simple packet criteria.
• Filters packet by packet, deciding to accept/deny/discard each packet based on certain configurable criteria: the filter rulesets.
• Typically stateless: they do not keep a table of the connection state of the various traffic that flows through them.

[Figure: should an arriving packet be allowed in? Should a departing packet be let out?]

Page 17: Packet Filtering (cont.)

• Typically deployed within TCP/IP network infrastructures.
• Not dynamic enough to be considered true firewalls.
• Usually located at the boundary of a network.
• Their main strengths: speed and flexibility.

Page 18:

Page 19: 8.3 Stateful Packet Filtering

[Figure: OSI layers addressed by stateful inspection.]

Traditional view:
• Content filtering
  - Based on the content of packets.
  - Blocking packets with certain patterns in the content.
• Specific filtering: ICMP inspection is based on what state the conversation between hosts is in (TCP SYN and ACK).

Page 20: Modern view

• Stateful firewalls combine aspects of NAT, circuit-level firewalls, and proxy firewalls.
• More complex than their constituent component firewalls.
• Nearly all modern firewalls on the market today are stateful.
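The stateless-versus-stateful distinction from the packet-filtering slides (Pages 16 and 17) and this one, as an added example that is not part of the original presentation: a toy filter in Python. The packet fields, the 10.0.0.x internal network and the public addresses are constructed for illustration; a stateless ruleset must admit any inbound ACK towards a high port to let replies through, while the stateful filter admits only replies to connections it saw opened from inside.

```python
from dataclasses import dataclass
INTERNAL_NET = "10.0.0."  # hypothetical administered-network prefix

@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the header fields a filter reads."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    inbound: bool  # True = arriving from the public Internet side

def stateless_decide(pkt):
    """Packet-by-packet ruleset with no memory of earlier traffic. To let
    replies to outbound connections in at all, the ruleset has to admit
    every inbound packet with ACK set towards a high (client) port."""
    if pkt.inbound:
        return "accept" if pkt.ack and pkt.dport >= 1024 else "deny"
    return "accept" if pkt.src.startswith(INTERNAL_NET) else "deny"

class StatefulFilter:
    """Keeps a connection table; an inbound packet is accepted only when it
    belongs to a connection an internal host opened (its SYN was seen)."""
    def __init__(self):
        self.table = set()  # (int_ip, int_port, ext_ip, ext_port)

    def decide(self, pkt):
        if pkt.inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "accept" if key in self.table else "deny"
        if not pkt.src.startswith(INTERNAL_NET):
            return "deny"
        if pkt.syn and not pkt.ack:  # new outbound connection: remember it
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "accept"

def run_scenario():
    """Three constructed packets: an outbound SYN, its genuine SYN/ACK reply,
    and an unsolicited inbound ACK forged to look like a reply."""
    syn = Packet("10.0.0.5", 40000, "203.0.113.7", 80, True, False, False)
    reply = Packet("203.0.113.7", 80, "10.0.0.5", 40000, True, True, True)
    forged = Packet("198.51.100.9", 443, "10.0.0.5", 40000, False, True, True)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_decide(p) for p in (syn, reply, forged)],
        "stateful": [sf.decide(p) for p in (syn, reply, forged)],
    }
```

The forged packet is the weakness the stateless ruleset cannot close: it matches the "established" rule without any connection having been opened.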

Page 21: Basic Weaknesses Associated with Packet Filters / Stateful Firewalls

• They cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Logging functionality present in packet filter firewalls is limited.
• Most packet filter firewalls do not support advanced user authentication schemes.
• Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Susceptible to security breaches caused by improper configurations.

Page 22: 8.4 Application / Proxy Firewall

• Filters packets on application data as well as on IP/TCP/UDP fields.
• The interaction is controlled at the application layer.

[Figure: an application gateway behind a router and filter; the host-to-gateway telnet session is relayed as a separate gateway-to-remote-host telnet session. OSI layers addressed by application-proxy gateway firewalls.]

Page 23: Application/Proxy Servers (cont.)

• A proxy server is an application that mediates traffic between two network segments.
• With the proxy acting as mediator, the source and destination systems never actually “connect”.
• Filtering hostile code: proxies can analyze the payload of a packet of data and make a decision as to whether the packet should be passed or dropped.

Page 24: How a Proxy Passes Traffic

[Figure: the internal host sends a data request to the proxy server, which issues its own data request to the remote server (HTTP application).]

Page 25: Application / Proxy Firewall (cont.)

Page 26: Application/Proxy Firewalls (cont.)

[Figure: OSI layers addressed by application-proxy gateway firewalls; typical proxy agents.]

Advantages:
• Extensive logging capability.
• Allow security enforcement of user authentication.
• Less vulnerable to address spoofing attacks.

Disadvantages:
• Complex configuration.
• Limited in terms of support for new network applications and protocols.
• Speed!!

Page 27: 8.5 Network Address Translation (NAT)

- Existed for only a short period of time; now NAT is part of every firewall.
- Developed in response to two major issues in network engineering and security:
  • First, network address translation is an effective tool for hiding the network-addressing schema present behind a firewall environment.
  • Second, the depletion of the IP address space has caused some organizations to use NAT for mapping non-routable IP addresses to a smaller set of legal addresses.

Page 28:

NAT goals:
– Allow use of internal IP addresses
– Hide internal network structure
– Disable direct Internet connections

NAT types:
– Dynamic
  • For connections from inside to outside
  • There may be fewer outside addresses than internal addresses
– Static
  • For connections from outside to specific servers inside
  • One-to-one address mapping (fixed)
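The two NAT types on this slide, as an added Python model that is not part of the original presentation: dynamic NAT hands many inside clients a shared public address with rewritten ports, static NAT keeps a fixed one-to-one mapping for a server, and an inbound packet with no mapping is dropped, which is what "disable direct Internet connections" means in practice. All addresses and ports are constructed for illustration; the NatGateway class is hypothetical.

```python
from collections import namedtuple
from itertools import count

# Constructed addressing of one packet: source and destination IP:port.
Flow = namedtuple("Flow", "src sport dst dport")

class NatGateway:
    """Hypothetical NAT box. Dynamic NAT maps inside-to-outside flows onto a
    small pool of public addresses, rewriting ports so that many inside hosts
    share one address. Static NAT is a fixed one-to-one mapping that lets
    outside hosts reach a specific server inside."""
    def __init__(self, pool, static):
        self.pool = list(pool)            # public addresses shared by clients
        self.static = dict(static)        # public ip -> inside server ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.dynamic = {}                 # (pub_ip, pub_port) -> (in_ip, in_port)
        self.reverse = {}                 # (in_ip, in_port) -> (pub_ip, pub_port)
        self.ports = count(20000)         # next public port to hand out

    def outbound(self, f):
        """Rewrite the source of a packet leaving the inside network."""
        if f.src in self.static_rev:      # static server: address swap only
            return Flow(self.static_rev[f.src], f.sport, f.dst, f.dport)
        key = (f.src, f.sport)
        if key not in self.reverse:       # first packet of a new flow
            pub = (self.pool[len(self.dynamic) % len(self.pool)], next(self.ports))
            self.dynamic[pub] = key
            self.reverse[key] = pub
        return Flow(*self.reverse[key], f.dst, f.dport)

    def inbound(self, f):
        """Rewrite the destination of a packet arriving from outside; None
        means drop: with no mapping there is no direct way in."""
        if f.dst in self.static:
            return Flow(f.src, f.sport, self.static[f.dst], f.dport)
        inside = self.dynamic.get((f.dst, f.dport))
        return None if inside is None else Flow(f.src, f.sport, *inside)

def run_nat():
    """Two inside clients share one public address; a reply is admitted only
    to a mapped port; a static mapping exposes one inside web server."""
    nat = NatGateway(pool=["198.51.100.1"], static={"203.0.113.10": "10.0.0.80"})
    a = nat.outbound(Flow("10.0.0.5", 40000, "203.0.113.7", 80))
    b = nat.outbound(Flow("10.0.0.6", 40000, "203.0.113.7", 80))
    reply = nat.inbound(Flow("203.0.113.7", 80, b.src, b.sport))
    probe = nat.inbound(Flow("203.0.113.7", 4444, "198.51.100.1", 22))
    web = nat.inbound(Flow("192.0.2.9", 51000, "203.0.113.10", 80))
    return a, b, reply, probe, web
```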

Page 29:

Page 30: 8.6 Firewalls - Circuit Level Gateway

• Relays two TCP connections (session layer).
• Imposes security by limiting which such connections are allowed.
• Once created, usually relays traffic without examining contents.
• Monitors handshaking between packets to decide whether the traffic is legitimate.
• Typically used when internal users are trusted, by allowing general outbound connections.
• SOCKS is commonly used for this.
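What "limiting which connections are allowed" looks like on the wire for the SOCKS protocol named on this slide, as an added Python example that is not part of the original presentation: the gateway parses a SOCKS5 CONNECT request (RFC 1928 field layout), decides from the destination alone whether to relay the circuit, and answers with a SOCKS5 reply code; it never looks at the bytes that would later flow over the relayed connection. The request builder, the port allow-list and the addresses are constructed for the example.

```python
import ipaddress
import struct

# SOCKS5 (RFC 1928) field values used below
VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02

def build_connect(host, port):
    """Encode a CONNECT request as a client would send it (constructed input)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:                    # not an IP literal: domain name form
        name = host.encode("ascii")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_connect(req):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; ValueError if malformed."""
    if len(req) < 8 or req[:3] != bytes([VER, CMD_CONNECT, 0x00]):
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        end, host = 8, str(ipaddress.IPv4Address(req[4:8]))
    elif atyp == ATYP_DOMAIN:
        end, host = 5 + req[4], req[5:5 + req[4]].decode("ascii")
    elif atyp == ATYP_IPV6:
        end, host = 20, str(ipaddress.IPv6Address(req[4:20]))
    else:
        raise ValueError("unsupported address type")
    if len(req) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    return host, struct.unpack("!H", req[end:])[0]

def gateway_decide(req, allowed_ports):
    """Circuit-level decision: only the requested destination port is
    checked (the host is parsed and could be logged); what later flows over
    the relayed circuit is never examined. Returns (reply_code, reply_bytes)
    where reply_bytes is the SOCKS5 reply VER REP RSV ATYP BND.ADDR BND.PORT."""
    try:
        _host, port = parse_connect(req)
        rep = REP_OK if port in allowed_ports else REP_NOT_ALLOWED
    except ValueError:
        rep = REP_FAILURE
    reply = bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)
    return rep, reply
```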

Page 31: 8.6 Firewalls - Circuit Level Gateway (cont.)

Page 32: 9. Firewall Standards

• International Computer Security Association (ICSA)
• Firewall Product Developers Consortium (FWPD) Product Certification Criteria
• Common Criteria Evaluation Assurance Level – Application-Level Firewall and Traffic Filter Firewall Protection Profiles
• Network Equipment Building Standards (NEBS) Compliance
• Internet Protocol Security Protocol Working Group (IPsec)
• National Institute of Standards and Technology (NIST) Firewall Protection Profile

Page 33: 10

Page 34: Bastion Host

• A highly secure host system.
• Potentially exposed to "hostile" elements, hence secured to withstand this.
• May support two or more network connections.
• May be trusted to enforce trusted separation between network connections.
• Runs circuit / application level gateways, or provides externally accessible services.

Page 35: Firewall Configurations

Page 36: Firewall Configurations

Page 37: Firewall Configurations

Page 38:

[Figure: the Internet connects to an outer firewall/router; behind it a switch forms the DMZ holding the DNS server, mail server and web server; an inner firewall/router then leads through a second switch to the internal network Intra1.]

Page 39:

• The key to security awareness is embedded in the word security:

SEC- -Y

If not you, who? If not now, when?