
Firewalls and VPN


Information Security

Session 7: Firewalls and VPN

Session Outline:
• Session ILO's.
• Firewalls
• SOCKS Protocols
• VPNs
Session 7: Firewalls and VPN

After completing this session you will be able to:

• B: Intellectual Skills
• b3: Design end-to-end secure and available systems.
• b4: Design integrity and confidentiality services.
Firewalls

• A firewall is an effective means of protecting a local system or network of systems from network-based security threats: it restricts network services to authorized access only.
• A firewall is designed to be itself immune to penetration by intruders. This is a design goal, not a property to assume: a firewall is a host like any other and must be hardened and patched.
• A firewall can be hardware, software, or a combination of both.
Firewall Design Principles

• Computer networks are in widespread use, and information systems undergo a steady evolution (from small LANs to Internet connectivity).
• Strong security features for all workstations and servers are not established; hardening every host individually is impractical, so a single control point is needed.
• Privacy of information is highly valued.
Firewall Design Principles

• The firewall is inserted between a private network and the Internet or other networks.
• Aims:
– Establish a controlled link.
– Protect the private network from attacks by external users or programs.
– Provide a single choke point through which all traffic is monitored and at which security and audit can be imposed.
Firewall Characteristics

• Design goals:
– All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall)
– Only authorized traffic (defined by the local security policy) will be allowed to pass
– The firewall itself is immune to penetration (use of a trusted system with a secure, hardened operating system)
Firewall Characteristics

There are four general techniques that firewalls use to control access and enforce the site's security policy:
• Service control
– Determines the types of Internet services that can be accessed, inbound or outbound (typically by filtering on IP address, protocol and port number).
• Direction control
– Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control
– Controls which user(s) can have access to which services.
• Behavior control
– Controls how particular services are used (e.g. filtering e-mail to eliminate spam).
Types of Firewalls

There are four common types of firewalls:
– Packet-filtering routers
– Stateful inspection firewalls
– Application-level gateways
– Circuit-level gateways

A stateful inspection firewall extends the packet filter with a table of outbound TCP connections: an inbound packet to a high-numbered port is forwarded only if it belongs to a connection already in that table, instead of being allowed by a static rule that opens every port above 1023.
Packet-filtering Router

– Applies a set of rules to each incoming IP packet and then forwards or discards the packet
– Filters packets going in both directions
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header (source and destination address, protocol, source and destination port, TCP flags, arrival interface); the rules are evaluated in order and the first match decides
– Two default policies for packets that match no rule: discard (what is not expressly permitted is prohibited, the conservative choice) or forward (what is not expressly prohibited is permitted)

• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules correctly
– Lack of authentication: decisions rest on header fields that the sender controls
– Cannot examine upper-layer data, so application-specific attacks pass through
• Possible attacks and appropriate countermeasures:
– IP address spoofing: the intruder sends packets from outside with an inside source address. Countermeasure: discard packets with an inside source address that arrive on the external interface.
– Source routing attacks: the source specifies the route the packet should take, hoping to bypass security checks. Countermeasure: discard all packets that use the source routing option.
– Tiny fragment attacks: the intruder fragments the packet so that the first fragment carries too little of the TCP header to filter on. Countermeasure: require that the first fragment contain a predefined minimum amount of the transport header, and discard it (and the remaining fragments of the same packet) otherwise.
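As an added example (not part of the original slides), the following Python models the packet filter described above: a rule list evaluated top to bottom with first-match semantics and a default policy, preceded by the three countermeasures. The protected range 10.0.0.0/8, the 20-byte minimum for a first fragment, the interface names "ext"/"int", the sample policy and the sample packets are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed for the example: the protected (inside) network and the number of
# transport-header bytes the first fragment must carry. 20 bytes is a TCP
# header without options: enough to see both ports and the flags.
INSIDE = ip_network("10.0.0.0/8")
MIN_FIRST_FRAGMENT = 20


@dataclass
class Packet:
    iface: str                  # arrival interface: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False      # TCP SYN without ACK: a new connection attempt
    source_routed: bool = False
    frag_offset: int = 0        # 0 for an unfragmented packet or a first fragment
    transport_bytes: int = MIN_FIRST_FRAGMENT   # transport-header bytes present


@dataclass
class Rule:
    action: str                 # "forward" or "discard"
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR; None matches anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_conn: Optional[bool] = None   # match on syn_only when set

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # Ports and flags live in the transport header, which only the first
        # fragment carries: a later fragment cannot satisfy these conditions.
        if self.dport is not None and (p.frag_offset != 0 or p.dport != self.dport):
            return False
        if self.new_conn is not None and (p.frag_offset != 0 or p.syn_only != self.new_conn):
            return False
        return True


class PacketFilter:
    """Rule list evaluated top to bottom; the first match decides, and a
    packet matching no rule gets the default policy."""

    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> Tuple[str, str]:
        # Countermeasures from the slide, applied before the rule list.
        if p.iface == "ext" and ip_address(p.src) in INSIDE:
            return "discard", "spoofed inside source address on external interface"
        if p.source_routed:
            return "discard", "source-routed packet"
        if p.frag_offset == 0 and p.transport_bytes < MIN_FIRST_FRAGMENT:
            return "discard", "tiny first fragment does not expose the transport header"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, f"rule {i}"
        return self.default, "default policy"


# Sample policy (an assumption): inbound SMTP to the mail relay 10.1.1.25,
# any outbound TCP, and inbound TCP that is not a new connection (replies).
POLICY = PacketFilter([
    Rule("forward", iface="ext", dst="10.1.1.25/32", proto="tcp", dport=25),
    Rule("forward", iface="int", src="10.0.0.0/8", proto="tcp"),
    Rule("forward", iface="ext", proto="tcp", new_conn=False),
])


def sample_decisions() -> dict:
    """Constructed packets, one per behaviour the slide describes."""
    packets = {
        "inbound smtp": Packet("ext", "203.0.113.7", "10.1.1.25", "tcp", 40000, 25, syn_only=True),
        "inbound telnet": Packet("ext", "203.0.113.7", "10.1.1.25", "tcp", 40001, 23, syn_only=True),
        "spoofed": Packet("ext", "10.2.2.2", "10.1.1.25", "tcp", 40002, 25, syn_only=True),
        "source routed": Packet("ext", "203.0.113.7", "10.1.1.25", "tcp", 40003, 25,
                                syn_only=True, source_routed=True),
        "tiny fragment": Packet("ext", "203.0.113.7", "10.1.1.25", "tcp", transport_bytes=8),
        "later fragment": Packet("ext", "203.0.113.7", "10.1.1.25", "tcp", frag_offset=3),
        "outbound": Packet("int", "10.3.3.3", "198.51.100.9", "tcp", 50000, 443, syn_only=True),
        "reply": Packet("ext", "198.51.100.9", "10.3.3.3", "tcp", 443, 50000),
    }
    return {name: POLICY.decide(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (action, why) in sample_decisions().items():
        print(f"{name:15} {action:8} {why}")
```

Note the ordering: the spoofing, source-route and fragment checks run before the rule list, so a permissive rule such as "inbound SMTP" can never be reached by a spoofed or source-routed packet. A later fragment, which carries no ports or flags, matches no port- or flag-based rule and falls to the default policy; with a default of forward it would slip through, which is why discard is the conservative default.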
Application-level Gateway

• Application-level gateway
– Also called a proxy server
– Acts as a relay of application-level traffic: the user contacts the gateway, the gateway contacts the remote host and relays the application data between them; the gateway must implement each application protocol it supports (e.g. HTTP, FTP, SMTP)
– Can work as a content-filtering firewall, since it sees the full application data
• Advantages:
– Higher security than packet filters
– Only needs to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (the gateway acts as a splice point between two connections)
Circuit-level Gateway

– Stand-alone system, or a specialized function performed by an application-level gateway
– Does not permit an end-to-end TCP connection; instead sets up two TCP connections, one between itself and the inside user and one between itself and the outside host
– The gateway typically relays TCP segments from one connection to the other without examining the contents
– The security function consists of determining which connections will be allowed
– Typical use is a situation in which the system administrator trusts the internal users: outbound connections are relayed without application-level inspection to save overhead, while inbound connections are handled by an application-level gateway
– An example is the SOCKS package (see the SOCKS slides below)
Bastion Host

• Bastion host
– A system identified by the firewall administrator as a critical strong point in the network's security
– Serves as a platform for an application-level or circuit-level gateway
– Runs a secure (hardened) operating system with only the essential proxy services installed, so that hardening and auditing effort is concentrated on one host
Firewall Basing

• Several options for locating a firewall:
• Bastion host
• Individual host-based firewall (a software module on a server, filtering that server's own traffic)
• Personal firewall (software on a personal computer or home router)
Firewall Locations

Firewall Configurations

• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible.

Distributed Firewalls
Firewall Configurations

• Screened host firewall system (single-homed bastion host)
– A packet-filtering router plus a bastion host; the router forwards inbound packets only to the bastion host and outbound packets only from it
• Screened host firewall system (dual-homed bastion host)
– The bastion host has two network interfaces, so traffic between the Internet and the internal network must physically pass through it; compromising the router alone no longer bypasses the bastion host
• Screened-subnet firewall system
– Two packet-filtering routers with the bastion host (and any public servers) on an isolated subnet between them (a DMZ); the most secure of the three configurations

PALGOV © 2011
Unified Threat Management Products
SOCKS Protocol

• Communication between clients and servers across a firewall can be done using the SOCKS protocol: a circuit-level proxy that relays TCP connections on behalf of clients.
• SOCKS uses two primitive operations: CONNECT (an outbound connection through the proxy) and BIND (accept an inbound connection on the proxy on behalf of the client); SOCKS5 adds UDP ASSOCIATE.
• Used by many applications, including web browsers and desktop applications such as Dropbox.
• Two versions in use: SOCKS4 and SOCKS5 (RFC 1928).
SOCKS CONNECT

1. CONNECT: Host A connects to the SOCKS proxy and asks it to establish a connection with server S.
2. connect(): The proxy connects to S. From now on the traffic flows between host A and server S in both directions, relayed by the proxy; S sees the proxy's address as its peer.
Binding process

1. The client A connects to the SOCKS proxy and asks it to bind a public port mapped to A's local port 4445, allowing an incoming connection from server S.
2. The SOCKS proxy replies with the public port actually used to accept incoming connections (e.g. 33102).
3. When S connects to port 33102 of the proxy, host A is notified and traffic can flow from S to A and vice versa, conveyed by the proxy.
Comparing SOCKS4 and SOCKS5

• SOCKS4 doesn't support authentication, while SOCKS5 has a built-in mechanism to negotiate a variety of authentication methods (none, username/password, GSS-API).
• SOCKS4 doesn't support UDP proxying, while SOCKS5 does (UDP ASSOCIATE).
• SOCKS4 clients require full DNS support, because the request carries only an IPv4 address, while SOCKS5 clients can send a domain name and rely on the SOCKS5 server to perform the DNS lookup (which also keeps the client's name lookups from leaking to its local network).
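The following Python, added here as an example and not taken from the slides or from any SOCKS implementation, builds and parses the messages behind the CONNECT exchange and the SOCKS4/SOCKS5 comparison above: the SOCKS4 CONNECT request (which must carry a resolved IPv4 address) and the SOCKS5 greeting, method selection, CONNECT request with a domain name, and reply, with the field layouts from RFC 1928. The target name mail.example.net, the addresses and the port 33102 are constructed for the example; no sockets are opened.

```python
import socket
import struct

# SOCKS5 field values from RFC 1928; the SOCKS4 layout follows the SOCKS4
# protocol document cited in the references.
SOCKS5 = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def socks4_connect(ipv4: str, port: int, userid: str = "") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. Only an IPv4
    address fits in DSTIP, so a SOCKS4 client must resolve the name itself."""
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(ipv4)) + userid.encode() + b"\x00"


def socks5_greeting(methods) -> bytes:
    """Client -> proxy: VER, NMETHODS, METHODS (the auth methods it offers)."""
    return bytes([SOCKS5, len(methods), *methods])


def socks5_select_method(greeting: bytes, server_supports) -> bytes:
    """Proxy -> client: VER, METHOD. 0xFF means no acceptable method; the
    client must then close the connection."""
    if len(greeting) < 2 or greeting[0] != SOCKS5 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    for m in server_supports:          # the server's preference order wins
        if m in offered:
            return bytes([SOCKS5, m])
    return bytes([SOCKS5, NO_ACCEPTABLE])


def _encode_addr(host: str) -> bytes:
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            pass
    name = host.encode("idna")          # ATYP=3: the proxy does the DNS lookup
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name length must fit in one byte")
    return bytes([ATYP_DOMAIN, len(name)]) + name


def socks5_request(cmd: int, host: str, port: int) -> bytes:
    """Client -> proxy: VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    return bytes([SOCKS5, cmd, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def _decode_addr(data: bytes, off: int):
    atyp = data[off]
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, data[off + 1:off + 5]), off + 5
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[off + 1:off + 17]), off + 17
    if atyp == ATYP_DOMAIN:
        n = data[off + 1]
        return data[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    raise ValueError("address type not supported")


def parse_socks5_request(data: bytes):
    """Proxy side: returns (cmd, host, port) or raises on a malformed request."""
    if len(data) < 4 or data[0] != SOCKS5 or data[2] != 0x00:
        raise ValueError("malformed request")
    host, end = _decode_addr(data, 3)
    if len(data) != end + 2:
        raise ValueError("bad request length")
    return data[1], host, struct.unpack("!H", data[end:end + 2])[0]


def socks5_reply(rep: int, bnd_addr: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. For CONNECT,
    BND.* is the proxy's own end of its connection to the server."""
    return bytes([SOCKS5, rep, 0x00]) + _encode_addr(bnd_addr) + struct.pack("!H", bnd_port)


def parse_socks5_reply(data: bytes):
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("malformed reply")
    addr, end = _decode_addr(data, 3)
    return REPLY_TEXT.get(data[1], "unassigned"), addr, struct.unpack("!H", data[end:end + 2])[0]


def sample_connect_exchange() -> dict:
    """Host A asks the proxy to CONNECT to server S, as on the CONNECT slide.
    All messages are built in memory; names and addresses are made up."""
    greeting = socks5_greeting([METHOD_NOAUTH, METHOD_USERPASS])
    selection = socks5_select_method(greeting, server_supports=[METHOD_NOAUTH])
    request = socks5_request(CMD_CONNECT, "mail.example.net", 25)
    cmd, host, port = parse_socks5_request(request)   # the proxy resolves host itself
    # The proxy would now connect() to S; 192.0.2.10:33102 stands in for the
    # local endpoint it reports back to A.
    status, bnd_addr, bnd_port = parse_socks5_reply(socks5_reply(0x00, "192.0.2.10", 33102))
    return {"method": selection[1], "cmd": cmd, "host": host, "port": port,
            "status": status, "bound": (bnd_addr, bnd_port)}


if __name__ == "__main__":
    print(sample_connect_exchange())
    print(socks4_connect("192.0.2.10", 25, "alice").hex())
```

The two request builders make the DNS point concrete: socks4_connect cannot be called without an already-resolved IPv4 address, whereas socks5_request sends the name with ATYP=3 and leaves resolution to the proxy. A real proxy would also apply its ruleset to (cmd, host, port) before connecting and answer with REP=0x02 when the connection is not allowed.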
Firewall Examples

• MS Windows firewalls
• Cisco firewalls
• Other firewalls…
Windows Firewall

• Part of a layered security model.
• Provides host-based, two-way (inbound and outbound) network traffic filtering that blocks unauthorized network traffic.
• Integrated with Internet Protocol Security (IPsec), so filtering rules can require authenticated or encrypted connections.
• An important part of a network's isolation strategy.
Windows Firewall Key Scenarios

You can use Windows Firewall with Advanced Security to help implement the following key technologies and scenarios:

• Network location-aware host firewall (separate rule profiles for domain, private and public networks)
• Server and domain isolation
• Network Access Protection
• DirectAccess
• Refer to [6] for more details
Virtual Private Networks (VPN)

• A VPN is a set of tools used to securely connect hosts or networks at different locations using a public network (typically the Internet) as the transport.
• Cryptography is used to implement VPNs: confidentiality, integrity and authentication (CIA) of the tunnelled traffic, together with authentication, authorization and accounting (AAA) of users, protect against eavesdropping and active attacks on the public transport.
VPN Usage

• VPNs are most commonly used today for telecommuting (remote access) and for linking branch offices via secure WANs (site-to-site).
• IPsec VPN (refer to session 5)
• MS VPN
VPN Protocols for Secure Network Communications

VPN tunneling protocols include:
• Internet Protocol Security (IPsec): an architecture, a set of protocols (AH, ESP) and the related Internet Key Exchange (IKE) protocol; provides encryption and integrity at the network layer.
• Layer 2 Forwarding (L2F): created by Cisco Systems; tunnels PPP but provides no encryption of its own.
• Layer 2 Tunneling Protocol (L2TP): combines features of PPTP and L2F; provides no encryption of its own and is normally run over IPsec (L2TP/IPsec).
• Point-to-Point Tunneling Protocol (PPTP): developed by a vendor consortium (3Com, Ascend, Microsoft and ECI Telematics); encrypts with MPPE.
Virtual Private Networks (using IPSEC)
IPsec problems

• Slow progress resulted in a splintering of efforts during the mid-90s.
• SSL was one such offshoot, developed to provide security above the transport layer, on behalf of individual applications, rather than at the network level.
• Traditional IPsec implementations required a great deal of kernel code, complicating cross-platform porting efforts.
• IPsec is a complex protocol suite with a relatively steep learning curve for new users.
• See session 5 for more details.
VPN using L2TP

• L2TP is a mature IETF standards-track protocol (RFC 2661).
• L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent over IP, X.25, frame relay or asynchronous transfer mode (ATM) networks.
• When configured to use IP as its transport, L2TP can be used as a VPN tunneling protocol over the Internet. L2TP itself provides no confidentiality; in L2TP/IPsec the encryption comes from IPsec.
VPN using L2TP

• L2TP with PPP provides a wide range of user authentication options:
• CHAP
• MS-CHAP
• MS-CHAPv2
• Extensible Authentication Protocol (EAP)
• L2TP/IPsec provides well-defined and interoperable tunneling with strong security: IPsec authenticates the tunnel endpoints (machine certificates or a pre-shared key) and encrypts all L2TP traffic, while PPP authenticates the user.
VPN using PPTP

• PPTP provides authenticated and encrypted communications between a client and a gateway, or between two gateways.
• No need for a public key infrastructure.
• Uses a user ID and password (MS-CHAP/MS-CHAPv2) for authentication; the MPPE encryption key is derived from the password hash.
• Simple, multiprotocol support, and ability to traverse a broad range of IP networks.
• The use of PPP provides the ability to negotiate authentication, encryption and IP address assignment services.
• Caveat: a captured MS-CHAPv2 exchange can be broken offline with the effort of a single DES key search, so PPTP is no longer considered secure; prefer L2TP/IPsec or IPsec for new deployments.
References

1. William Stallings and Lawrie Brown
2. Lecture Notes by David Chadwick, 2011, True-Trust
3. Cryptography and Network Security, Behrouz A. Forouzan.
4. SOCKS5 IETF RFC 1928, http://www.ietf.org/rfc/rfc1928.txt
5. SOCKS4, http://archive.socks.permeo.com/protocol/socks4.protocol
6. Introduction to Windows Firewall with Advanced Security, Microsoft Corporation, updated December 2009.
7. Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security, White Paper.
Summary

• In this session we discussed the following:
– Introduced the need for and purpose of firewalls
– Types of firewalls
• Packet filter, stateful inspection, application-level and circuit-level gateways
– SOCKS
– VPNs