Firewall Technologies

Topic C
Firewall Configuration
Part 1

1
Learning Objectives
You will learn:
Understand the purpose of a firewall
Learn various firewall technologies
Identify the network services
Defining a firewall policy
Designing the firewall to implement the policy
Understand the inspection and filtering techniques
The common ways of firewall protection
Learn how to configure firewall
2
Firewall Function
The overall purpose of the
firewall is to ensure that a
secure and reliable network is
always available. This is
accomplished by:
Protecting the internal network
from external attacks and threats
Controlling access of internal
machines to the Internet
Ensuring that external Internet
users only have access to those
internal resources and services
that are necessary to conduct
business

3
 Firewalls
Hardware or software device that provides a
means of securing a computer or network
from unwanted intrusion
Dedicated physical device that protects
network from intrusion
Software feature added to a router, switch,
or other device that prevents traffic to or
from part of a network

4
 Management Cycle for
Firewall Protection
1. Draft a written security policy
2. Design the firewall to implement the
security policy
3. Implement the design by installing selected
hardware and software
4. Test the firewall
5. Review new threats, requirements for
additional security, and updates to systems
and software; repeat process from first step
5
 Drafting a Security Policy
By carefully considering the following
questions, a robust security policy can
be drafted:
What am I protecting?
From whom?
What services does my company need to
access over the network?
Who gets access to what resources?
Who administers the network?
6
 Available Targets and
Who Is Aiming at Them
Determine what resources in your
organization need to be protected
Common areas of attack
Web servers
Mail servers
FTP servers
Databases
Intruders
Sport hackers
Malicious hackers
7
 Other Considerations in
Drafting a Security Policy…
Which services should be available?
Catalogue which services need to be available to your
company’s employees
Available services usually mean holes in your firewall
Important to lock out those services that are not needed
Who gets access to which resources?
List employees or groups of employees along with files and
file servers and databases and database servers they need
to access
List which employees need remote access to the network
Who administers the network?
In a large network, there may be more than one person
responsible for administering it
Determine up front who these people are, and the scope of
individual management control
8
 Firewall policy
The firewall policy is a high level document
describing acceptable incoming and outgoing network
traffic and requires very little understanding of
technology
The firewall policy should include the following
minimum key components:
The purpose of the firewall
A basic explanation of how the firewall handles traffic
Information on the services or applications that are allowed
Information on the services or applications that are denied
Documented procedures for how changes to the firewall are
requested and approved

9
 Network Design
Network design plays an important role in
how the firewall policy is structured.

•VLAN boundaries
•Subnet boundaries
•Routing boundaries

10
 Firewall Policy considerations
Risks you intend to manage
Services you intend to offer (outbound)
Services you intend to request (inbound)
Network traffic that must go through
the firewall

11
 Designing the Firewall
to Implement the Policy
Determine individual(s) and scope of
individual management control
Select appropriate technology to deploy
the firewall
Determine the generalized service rules
Identify the specific rules applicable to
individual organizations

12
 What Do Firewalls Protect
Against?
Denial of service (DoS)
Ping of death
Teardrop or Raindrop attacks
SYN flood
LAND attack
Brute force or smurf attacks
IP spoofing
13
 Services to offer to the outside
The three main services to allow
through the firewall are DNS, SMTP and
HTTP
Hardening a server consists of removing
any unnecessary services or accounts
and modifying the system configuration
to remove any weak default settings.

14
 Generalized firewall rules for the
server subnet (sample)
Allow incoming DNS connections to the DNS server
Allow incoming SMTP connections to the SMTP mail
server
Allow incoming HTTP and HTTPS connections to the
web server
Deny all other incoming Internet traffic bound for the
server subnet
Allow outgoing DNS connections from the DNS server
Deny all other outgoing DNS connections
Allow outgoing SMTP connections from the SMTP
mail server
Deny all other outgoing SMTP connections
15
 Services to offer to the outside
(DNS)
DNS is a service that is invisible to most users, but is
essential for communication with the outside world.
DNS uses port 53 over both TCP and UDP protocols
DNS uses TCP for zone transfers between the master and
slave DNS servers.
access-list 101 permit udp any host 192.0.2.11 eq 53
(Allow all incoming UDP DNS traffic from the internet to go to the
local DNS server with the IP address 192.0.2.11)
access-list 102 permit udp host 192.168.10.12 any eq 53
(Allow the local DNS server 192.168.10.12 to make DNS queries of
servers that are on the external network)

16
 Services to offer to the outside
(SMTP)
SMTP allow computers to connect each other and
send e-mail
SMTP uses port 25 for communication
The firewall must allow both incoming and outgoing
port 25 connections to the SMTP server
access-list 101 permit tcp any host 192.0.2.11 eq 25
Only corporate mail server (SMTP server) should be
allowed to make outgoing port 25 SMTP connections
access-list 102 permit tcp host 192.168.10.12 any eq 25

17
 Services to offer to the outside
(HTTP)
WWW is the most widely used resource on the Internet
HTTP uses TCP port 80 and HTTPS uses port 443 for
communication
Firewall must ensure corporate web server is available to the
Internet community
Incoming webserver traffic
access-list 102 permit tcp any host 192.168.10.12 eq 80
access-list 102 permit tcp any host 192.168.10.12 eq 443
Outgoing webserver traffic
access-list 103 permit tcp host 192.168.10.12 any eq 80
access-list 103 permit tcp host 192.168.10.12 any eq 443

18
 Other network services
Instant Messaging
NetMeeting
Peer-to-peer (P2P) Applications (BitTorrent,
eDonkey, Kazaa, Gnutella, iMesh, etc)
ICMP
Telnet and FTP
SSH
Windows Terminal Services
19
 Defining Physical Security
Controls
Physical media selection
Network topography
Physical device security

Physical device security includes:

(1) identifying the location of the devices
(2) limiting the physical access, and
(3) having appropriate environmental safeguards in place
The infrastructure equipment includes more than just the
networks and the routers, firewalls, switches, and network
access servers that interconnect the networks.
20
 Defining Logical Security
Controls
Logical security controls
create boundaries between
network segments
control the flow of traffic between
different cable segments
provide security when traffic is
logically filtered between
networks
Critical to understand the path
the data is taking from one
point to another
Logical boundaries usually
exist between subnets
routing policies and VLANs can
cause confusion in logical traffic
flow

21
 Ensuring system and data
Integrity
Assurance of valid traffic in the
network
Expected traffic such as:
Supported services
Unspoofed traffic
Data that has not been altered
A common way to ensure
infrastructure integrity is with
firewalls.
Firewalls are deployed at critical
ingress and egress points of the
network infrastructure.

22
 Firewall Basics
A firewall is defined as a gateway or access server (hardware or
software–based) that are designated as buffers between any
connected public network and private network.
An internetwork gateway that restricts data communication
traffic to and from one of the connected networks (the one said
to be "inside" the firewall) and thus protects that network's
system resources against threats from the other network (the
one that is said to be "outside" the firewall)
It separates a trusted network from an untrusted network
A firewall has multiple interfaces, but isolates traffic between
each one.
The simplest firewall has one outside and inside interface

23
 Firewall

A firewall acts like a sentry. If implemented, it

guards a corporate network by standing between
the network and the outside world.

24
 Firewall Placement
Secure
My
PC Private
INTERNET Network

Firewall
Firewalls are typically located
between the trusted networks and
untrusted networks.
Three types of inspection
methodologies:
Packet filtering and stateless
filtering
Stateful filtering
Deep packet layer inspection
25
 Hardware Firewalls
Two most common
hardware-based
firewalls are:
Cisco Secure Private
Internet Exchange
(PIX) firewall
Netscreen firewall

26
Threats from inside and outside a
corporate network
Inside information can
leak out from here
Router
Internet

Corporate network
Outside threats can
come from here

At a broad level, there are two kinds of attack

leaking critical corporate information
Entering outside threats to corporate network

27
 How Do Firewalls Work?
Network address translation (NAT)
Basic packet filtering
Stateful packet inspection (SPI)
Application gateways
Access control lists (ACL)

28
 Classifications of firewalls
Packet filtering
These firewalls rely solely on the TCP, UDP, ICMP, and IP headers
of individual packets to permit or deny traffic. The packet filter
looks at a combination of traffic direction (inbound or outbound),
IP source and destination address, and TCP or UDP source and
destination port numbers.
Circuit filtering
These firewalls control access by keeping state information and
reconstructing the flow of data associated with the traffic. A circuit
filter won’t pass a packet from one side to the other unless it is
part of an established connection.
Application gateway
These firewalls process messages specific to particular IP
applications. These gateways are tailored to specific protocols and
cannot easily protect traffic using newer protocols.

29
 Firewall Configuration
Six important commands are used to produce a
basic working configuration for the PIX Firewall:
interface
nameif
ip address
nat
global
route
http://www.ciscopress.com/articles/article.asp?p
=25326
30
Configuring the PIX Firewall
Some examples of configuration commands:
(1) interface ethernet0 100full
(2) nameif ethernet0 outside security0
(3) ip address inside 10.10.10.14 255.255.255.0
(4) nat (inside) 1 10.10.10.0 255.255.255.0
(5) nat (inside) 1 10.0.0.0 255.0.0.0
(6) global (outside) 1 192.168.10.15-192.168.1.62
netmask 255.255.255.0
(7) global (outside) 1 192.168.10.65
netmask 255.255.255.0

A default route configuration:

(8) route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

31
 Chapter Summary
Firewall is a hardware or software device that provides a means
of securing a computer or network from unwanted intrusion.
The firewall policy is a high level document describing
acceptable incoming and outgoing network traffic
The three main services to allow through the firewall are DNS,
SMTP and HTTP
The factors to consider for physical device security are
Identifying the location of the device, Limiting physical access
and appropriate environmental safeguards
Logical security controls like Subnet boundaries, Routing
boundaries and VLAN boundaries create boundaries between
network segments.
A firewall acts like a sentry. If implemented, it guards a
corporate network by standing between the network and the
outside world.

32
Review Questions
The firewall policy is a high level document describing acceptable
__________ network traffic and requires very little understanding of
technology.
incoming and outgoing
Name three networks can be connected to a firewall.
Private networks, Public Networks and DMZ networks
Firewall should be situated ___________
between a corporate network and the outside network
The firewall strategy is ________________________
“Block everything and only allow traffic that is explicitly permitted”
______ provides the ability for internal computers to use a single
external IP address for communication with other systems on the
Internet.
NAT
33
Thank you?

34
Firewall Technologies

Topic C
Firewall Configuration
Part 2

35
Learning Objectives
You will learn:
Understand the purpose of a firewall
Learn various firewall technologies
Identify the network services
Defining a security policy
Designing the firewall to implement the policy
Understand the inspection and filtering techniques
The common ways of firewall protection
Learn how to configure firewall
36
 Firewall - categories
Firewalls fall into four broad categories:
Packet filter
Circuit level gateways
Application gateways
Stateful multilayer inspection firewalls
Reference:
http://www.vicomsoft.com/learning-
center/firewalls/
37
 Packet-filtering firewall
Application
Packet filtering firewalls work at
Presentation
the network layer of the OSI
model, or the IP layer of TCP/IP. Session
Transport
In a packet filtering firewall,
each packet is compared to a set Network
of criteria before it is forwarded. Data Link
Rules can include source and Physical
destination IP address, source
and destination port number and
protocol used
The advantage of packet filtering
firewalls is their low cost and low
impact on network performance.
38
 Packet filtering firewall-
Implementation
Packet filtering is typically implemented on
two kinds of platforms
general purpose computers acting as routers
special purpose routers
adding filtering to a router
can negatively impact routing, and therefore
networking, performance
may require additional memory
The most common reasons for choosing a
general purpose computer include:
same host for firewall and other functions
existing in-depth knowledge of the chosen
platform
eliminating filtering load on a special purpose
router

39
Packet Filtering-How it works?
Firewall system examines
each packet that enters it
and allows through only
those packets that match a
predefined set of rules
Can be configured to
screen information based
on many data fields:
Protocol type
IP address
TCP/UDP port
Source routing information

40
 Packet Filtering - uses
As a first line of defence (perimeter router)
When security policies can be implemented
completely in a packet filter and authentication is
not an issue.
In SOHO networks that require minimal security
and are concerned about cost.
Provide a minimal level of protection to keep out
many types of network threats and attacks.

41
 Packet filters - pros & cons
Advantages:
Compatibility: Packet filters do not modify the packet
stream so they work with any protocol
Performance: Packet filters are very fast since they look
only at the headers
Scalability: Since packet filters are simple, it is easy to scale
the solution.
Disadvantages:
Low security: Packet filters do not look at the data portion
of the packets, so attacks can flow right through them
No advanced protocol support: Since these filters do not
keep track of connections, there is no way to support
dynamic changes in data.

42
 Application level gateways
Application
Application level gateways, also Presentation
called proxies, are application Session
specific. Transport

They can filter packets at the Network

Data Link
application layer of the OSI
Physical
model
They offer a high level of security,
but have a significant impact on
network performance.

43
 Application gateway - Operation
An internal user contacts the
application gateway using
TCP/IP application, such as
HTTP, FTP or TELNET
Application gateway asks the
user about the remote host
(domain name, IP address etc).
Also asks user id and the
password
User provides this information
Application gateway now access
the remote host on behalf of the
user, and passes the packets of
the user to the remote host.

44
 Proxy firewall - pros & cons
Advantages:
Security: Since proxy buffers the entire connection, it has
the ability to do content filtering on the entire connection.
Application level awareness: Since the proxy fully
understands the protocol, it makes sure all the data follow
the standards.
Disadvantages:
Performance: Since the entire connection is buffered, and
there are two connections for every connection, proxy
firewalls are the slowest type of firewalls.
Scalability: Application layer firewall break the Client/Server
model, and this breaks some applications.
Application support: Application layer firewalls are specific to
the protocol they are written for. Not all protocols are able
to go through a proxy.

45
 Stateful Packet Inspection
(SPI)
Controls access to network by analyzing
incoming/outgoing packets and letting Application
them pass or not based on IP addresses Presentation
of source and destination Session
Examines a packet based on information Transport
in its header
Network
Enhances security by allowing the filter
Data Link
to distinguish on which side of firewall a
Physical
connection was initiated; essential to
blocking IP spoofing attacks

46
 Stateful inspection firewalls
Application
Stateful multilayer inspection Presentation
firewalls combine the aspects of the
Session
other three types of firewalls
Transport
They filter packets at the network
layer, determine whether session Network
packets are legitimate and evaluate Data Link
contents of packets at the Physical
application layer.
They are expensive and offer a high
level of security, good performance
and transparency to end users.

47
 Stateful inspection - Advantages
High performance: The stateful inspection engine is
written into the kernel and is very fast.
Application awareness: The engine has the ability to
detect dynamic changes in data.
Security: The entire packet is looked at when going
through the gateway.
Transparency: Stateful inspection does not modify
the packets by default and is transparent to the client
and server.
Extensibility: Additional components can be added to
the stateful inspection engine adding functionality on
the fly.

48
 Firewall - OSI and TCP/IP layers
Firewalls operate at different
layers to use different criteria to
restrict traffic.
The lowest layer at which a
firewall can work is layer three.
The lower in the stack the
packet is intercepted, the more
secure the firewall.
If the intruder cannot get past
level three, it is impossible to
gain control of the operating
system.

49
 Designing the firewall
Design Guidelines:
Formulate the firewall policy
Select the firewall architecture
Identify the firewall requirements
Select the firewall functions
Perimeter Security functions:
Allow desired traffic into the network
Controls DoS attack
Allows Internet services to outside world
Ensures against attacks that misuse HTTP for
malicious purpose
50
 Developing a security policy
The key to a good design is based on a
security policy
Who is allowed to access resources?
What they are allowed with resources?
How to protect the resources?
What action for security issues?
What cost?
Without a security policy, the firewall system
might be creating a security risk.
51
 Select the firewall architecture
Designing a firewall requires that you understand and
identify the boundaries between security domains in
your network.
The most common boundary where firewalls are
applied today is between an organization’s internal
networks and the Internet.
When establishing an Internet firewall, the first thing
you must decide is its basic architecture.
Architecture refers to the inventory of components
(hardware and software), and the connectivity and
distribution of functions among them.
There are two classes of firewall architectures:
single layer architectures
multiple layer architectures
52
 Single Layer Architecture
One network host is allocated all firewall Single Layer

functions and is connected to each Architecture

network for which it is to control access.

This approach is usually chosen when
containing cost is a primary factor or
when there are only two networks to
interconnect.
It has the advantage that everything
there is to know about the firewall resides Firewall
on that one host.
Private
The greatest disadvantage is its Network
Internet

susceptibility to implementation flaws or Single Layer Architecture

configuration errors — depending on the
type, a single flaw or error might allow
firewall penetration.

53
 Multiple layer architecture
Firewall functions are distributed
among a small number of hosts,
typically connected in series, with DMZ
networks between them.
This approach is more difficult to
design and operate, but can provide
substantially greater security
The most common design approach
for this type of architecture is an Internal
Firewall
Internet
Firewall

Internet firewall composed of two Private

Network
Internet

hosts interconnected with one DMZ

network. Multi Layer Architecture

DMZ

54
 Select the firewall topology
Firewall functions can be deployed in a wide
variety of ways, there are a small number of
commonly deployed architectures.
Basic border firewall architecture
Basic firewall with untrustworthy host
architecture
Basic firewall with DMZ network architecture
Dual firewall with DMZ network architecture

55
 Basic border firewall
architecture
A basic border firewall is
Basic border
a single host firewall
architecture
interconnecting an
organization’s internal
network and some
untrusted network,
typically the Internet.
In this configuration,
the single host provides
all firewall functions.
56
 Basic firewall with untrustworthy
host architecture
To the basic border firewall, add a
host that resides on an untrusted Basic firewall with untrustworthy
network where the firewall cannot host architecture

protect it.
That host is minimally configured
and carefully managed to be as
secure as possible.
The firewall is configured to
require incoming and outgoing
traffic to go through the
untrustworthy host.
The host is referred to as
untrustworthy because it cannot
be protected by the firewall.

57
 Basic firewall with DMZ
network architecture
In a DMZ network, the untrusted host
is brought “inside” the firewall, but
placed on a network by itself
The firewall host then interconnects
three networks.
This increases the security, reliability,
and availability of the untrusted host,
but it does not increase the level of
trust that other “inside” hosts can
afford it.
Public web site or ftp server can easily
be placed on the DMZ network,
creating a public services network.
58
 Dual firewall with DMZ
network architecture
The organization’s internal network is
further isolated from the
untrustworthy network by adding a
second firewall host.
By connecting the untrustworthy
network to one firewall host, the
organization’s internal network to the
other, and the DMZ between, traffic
between the internal network and the
Internet must traverse two firewalls
and the DMZ.

59
 Architectural tradeoffs
Firewalls are very much part of an organization’s
mission-critical infrastructure
Make architectural tradeoffs in designing firewall
Architectural characteristics that must be considered
include
performance
availability
reliability
security
cost
manageability
configurability
function

60
 Select the firewall functions
Firewall functions available in today's
products include
packet filtering,
application proxies
stateful inspection filtering.

61
Security Level Example

The firewall has the following interfaces:

A connection to the internet

A connection to the DMZ

A connection to a remote company

A connection to the internal network

62
 Chapter Summary
Four broad firewall categories are Packet-filtering
firewalls, Application gateway firewall, Stateful
firewall, Stateful multilayer inspection firewalls.
Firewalls operate at different layers to use different
criteria to restrict traffic.
Main Firewall design guidelines are formulate the
security policy, select the firewall architecture,
identify the firewall requirements and select the
firewall functions.
Firewalls are very much part of an organization’s
mission-critical infrastructure. Make architectural
tradeoffs in designing firewall.

63
 Review Questions
In a ________ firewall, each packet is compared to a set of
criteria before it is forwarded.
Packet filtering
________firewall offer a high level of security, but have a
significant impact on network performance.
Application gateway (proxy)
_________ firewall filter packets at the network layer,
determine whether session packets are legitimate and evaluate
contents of packets at the application layer.
Stateful multilayer
________ is the key to a good firewall design.
Security policy
What are the two classes of firewall architectures:
single layer architectures and multiple layer architectures

64
Thank you?

65