
Network Security Administrator

Module VII: Firewalls

Module Objectives

- Introduction
- Defining firewall security features
- Components involved in a firewall
- Handling threats and security tasks
- How to protect against hacking
- Introduction to packet filtering
- Limitations of firewalls
- Evaluating firewall packages
- Different firewall configurations
- Reverse and specialty firewalls

EC-Council

Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited

Module Flow

Introduction -> Security features -> Multiple components -> Packet filtering -> Protection against hacking -> Handling threats and security tasks -> Limitations of firewalls -> Evaluating firewall packages -> Different firewall configurations -> Specialty firewalls -> Reverse firewalls

Firewall: Introduction

- A combination of hardware and software that monitors the packets crossing between networks and enforces a security policy on them
- Performs two basic security functions:
  - Packet filtering: allows or denies the transfer of packets based on the rules of the security policy
  - Application proxy gateway: makes connections to outside services on behalf of the users inside the firewall, so that no internal host talks to the outside directly

Firewalls: Security Features

- Logs access (authorized and unauthorized) into and out of the network
- Establishes a Virtual Private Network (VPN) link to another computer or network
- Secures hosts within the network against intrusion by attackers
- Filters inappropriate content, such as executable e-mail attachments
- Securing individual users: personal firewall packages bundle anti-virus scanning that alerts the user when an e-mail attachment or file contains a virus

Firewalls: Perimeter Security for Networks

- A firewall resides on the outer boundary (perimeter) of a network and provides security at that boundary
- The network boundary is the point where one network connects to another
- A VPN extends the network, so it has a perimeter of its own that must be firewalled as well
- Benefits:
  - Blocks viruses and infected e-mail messages before they reach internal hosts
  - Logs passing traffic
  - Protects the entire network subnet behind a single choke point
  - Minimizes the damage incurred from an attack

Firewall: Multiple Components

- Packet filters: control access to a network by examining the headers of incoming and outgoing packets
- Proxy server: intercepts all requests destined for the real server and processes them on the client's behalf, so the client never connects to the outside host directly
- Authentication system: identifies users based on usernames and passwords (or stronger credentials) before their traffic is allowed through
- Network Address Translation (NAT): segregates IP addresses into two sets, a private set used on the LAN and a public set used for external traffic, and rewrites addresses as packets cross the firewall
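The NAT component described above, as an added worked example that is not part of the module: a source-NAT (port address translation) table that maps each internal (address, port) pair to a unique port on one public address and translates replies back. The addresses (192.168.2.x LAN, 203.0.113.10 public side, 198.51.100.7 outside server) and the packets are constructed for the example.

```python
"""Source NAT (port address translation) table: an added example of the NAT
component on this slide, not the module's own code. Addresses (192.168.2.x
LAN, 203.0.113.10 public side, 198.51.100.7 outside server) and the packets
are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class SourceNAT:
    """Rewrites private source addresses to a single public address.

    Every internal (ip, port, proto) gets its own public port, so the reply
    can be mapped back to the right host even when two hosts pick the same
    source port. Inbound packets with no mapping are dropped: nothing on the
    Internet can address a LAN host that has not spoken first.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (internal ip, internal port, proto) -> public port
        self.out_map: Dict[Tuple[str, int, str], int] = {}
        # (public port, proto) -> (internal ip, internal port)
        self.in_map: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN -> Internet packet, allocating a mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet -> LAN packet; None means no mapping exists and it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.in_map.get((pkt.dst_port, pkt.proto))
        if target is None:
            return None
        int_ip, int_port = target
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)


def demo():
    nat = SourceNAT("203.0.113.10")
    # Two LAN hosts happen to use the same source port toward the same server
    out1 = nat.outbound(Packet("192.168.2.2", 1087, "198.51.100.7", 80))
    out2 = nat.outbound(Packet("192.168.2.3", 1087, "198.51.100.7", 80))
    # The server's reply to the first mapping finds its way back to 192.168.2.2
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", out1.src_port))
    # An unsolicited probe at the public address has no mapping and is dropped
    probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 3389))
    return out1, out2, reply, probe


if __name__ == "__main__":
    for label, pkt in zip(("out1", "out2", "reply", "probe"), demo()):
        print(label, pkt)
```

The mapping here is endpoint-independent: once a LAN host has opened a port, any outside host that learns the public port can send to it, so the "hiding" NAT provides is incidental and is no substitute for the stateful packet filter described later in the module.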

Firewalls: Handling Threats and Security Tasks

- Restricting access from outside the network:
  - Inspect each packet against the authorization criteria (permitted protocols, IP addresses, approved-host list)
  - Packet filtering examines network addresses and the ports being opened
  - Port scanning by an attacker determines which services a host is running; netstat.exe on Windows shows the connections currently open on the local system, which is the same information seen from the inside
  - HTTP (port 80) is one of the most commonly exploited services; other frequently probed services include:
    - SMTP: port 25
    - POP3: port 110

Firewalls: Handling Threats and Security Tasks

- Restricting unauthorized access from inside the network:
  - Prevent users from inserting virus-infected floppy disks or other removable media into systems
  - Prevent users from reaching internal computers via remote-access software
  - Train users never to give out confidential information (defence against social engineering attacks)
  - Train firewall administrators to filter IP packets correctly
  - Scan e-mail messages that carry executable attachments

Firewalls: Handling Threats and Security Tasks

- Restricting clients' access to external hosts:
  - Install proxy server software that makes the high-level application connections on behalf of internal hosts
  - A single firewall product can provide both outbound packet filtering and proxy services
  - Application proxies prevent unauthorized connections from the inside to the Internet, because only the destinations the proxy permits can be reached
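The decision the application proxy makes before connecting on a client's behalf, as an added example that is not part of the module: the proxy parses the request line the internal client sent it, extracts the real destination and checks it against an allow-list. The allow-list (www.course.com) and the request lines are constructed; the socket forwarding that would follow an allow decision is left out.

```python
"""Decision logic of an HTTP application proxy: the proxy parses what the
internal client asked for and only then opens the outbound connection itself.
Added example, not the module's own code; the allow-list and the request lines
are constructed, and the socket forwarding that would follow an allow decision
is left out."""
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST", "CONNECT"}
WEB_PORTS = {80, 443}


@dataclass
class Decision:
    allowed: bool
    host: Optional[str]
    port: Optional[int]
    reason: str


def proxy_decision(request_line: str, allowed_hosts: Set[str]) -> Decision:
    """Return whether the proxy may connect on the client's behalf, and where to."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Decision(False, None, None, "malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return Decision(False, None, None, f"method {method} not permitted")

    if method == "CONNECT":
        # CONNECT carries a bare host:port (used for HTTPS tunnels)
        host, sep, port_text = target.rpartition(":")
        if not sep or not host or not port_text.isdigit():
            return Decision(False, None, None, "malformed CONNECT target")
        port = int(port_text)
    else:
        # A client talking to a proxy sends an absolute URL. Parse it instead of
        # trusting any Host header, and take the hostname (not the raw netloc) so
        # that a user@host trick cannot smuggle a different destination through.
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            return Decision(False, None, None, "proxy requests must use an absolute http:// URL")
        try:
            port = url.port or 80
        except ValueError:
            return Decision(False, url.hostname, None, "malformed port")
        host = url.hostname

    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        return Decision(False, host, port, "destination not on allow-list")
    if port not in WEB_PORTS:
        return Decision(False, host, port, "only web ports may be proxied")
    return Decision(True, host, port, "ok")


if __name__ == "__main__":
    policy = {"www.course.com"}
    for line in (
        "GET http://www.course.com/index.html HTTP/1.1",
        "CONNECT www.course.com:443 HTTP/1.1",
        "GET http://www.course.com@evil.example/ HTTP/1.1",
        "GET http://www.course.com:8080/admin HTTP/1.1",
        "GET /index.html HTTP/1.1",
    ):
        print(f"{line!r:55} -> {proxy_decision(line, policy)}")
```

The point of the proxy is that the client never reaches the outside host itself: a destination that is not on the list, a non-web port, or a request that tries to disguise its destination in the URL's user-info part all end in a refusal before any outbound connection is made.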

Firewalls: Handling Threats and Security Tasks

- Securing critical resources from:
  - Worms: self-replicating code that spreads via e-mail attachments, downloaded files or exposed network services
  - Viruses: code that infects a system and may consume all of its memory, bringing the system to a halt
  - Trojan horses: programs that appear legitimate but contain malicious code
  - Distributed Denial of Service (DDoS) attacks: a server is inundated with requests from many sources until it can no longer serve legitimate users

Firewalls: Protection Against Hacking

A firewall protects the organization against the costs of a break-in:

- Loss of data: personal and financial information must be protected against theft or destruction
- Loss of time: time spent recovering files, rebuilding servers and dealing with security breaches
- Staff resources: time taken away from regular business activities to recover data files
- Confidentiality: confidential information about users is stored on systems across the network and must not be disclosed

Firewalls: Centralization and Documentation

- Centralization:
  - A single perimeter choke point simplifies the network administrator's work
  - Security measures are applied once, at the network perimeter, rather than on every host
  - All traffic between the networks is managed in one place
- Documentation:
  - Log files record attempted break-ins, both deliberate and accidental, and identify the weak points that need strengthening
  - Logs help recognize intruders and provide the evidence needed to pursue them for theft or damage
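Using firewall log files the way this slide describes, as an added example that is not part of the module: the code parses deny records, flags a source that probed many different ports in a short window (a port scan, the signature of an intruder looking for weak points) and counts which services are hit most often. The record format and every line in SAMPLE_LOG are constructed for the example.

```python
"""Reads firewall deny records and uses them the way this slide describes:
to recognize intruders (here, a port scan from one source) and to see which
services are being probed. Added example, not the module's own code; the log
format and the entries in SAMPLE_LOG are constructed for it."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed record format: <ISO time> DENY <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY TCP 198.51.100.23:40001 -> 192.168.1.200:21
2024-03-01T10:00:01 DENY TCP 198.51.100.23:40002 -> 192.168.1.200:22
2024-03-01T10:00:02 DENY TCP 198.51.100.23:40003 -> 192.168.1.200:23
2024-03-01T10:00:02 DENY TCP 198.51.100.23:40004 -> 192.168.1.200:25
2024-03-01T10:00:03 DENY TCP 198.51.100.23:40005 -> 192.168.1.200:110
2024-03-01T10:00:03 DENY TCP 198.51.100.23:40006 -> 192.168.1.200:143
2024-03-01T10:00:04 DENY TCP 198.51.100.23:40007 -> 192.168.1.200:443
2024-03-01T10:00:04 DENY TCP 198.51.100.23:40008 -> 192.168.1.200:3389
2024-03-01T10:05:00 DENY TCP 203.0.113.77:51000 -> 192.168.1.200:25
2024-03-01T10:05:30 DENY TCP 203.0.113.77:51001 -> 192.168.1.200:25
2024-03-01T11:30:00 DENY UDP 203.0.113.5:5353 -> 192.168.1.200:161
this line is not a firewall record
"""


class Deny(NamedTuple):
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int


def parse(log_text: str) -> List[Deny]:
    """Turn raw log text into Deny records, skipping anything that is not one."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a deny record; skip it rather than crash on it
        events.append(Deny(datetime.fromisoformat(m["ts"]), m["proto"],
                           m["src"], m["dst"], int(m["dport"])))
    return events


def find_port_scans(events: List[Deny], window: timedelta = timedelta(seconds=60),
                    min_ports: int = 6) -> Dict[str, List[int]]:
    """Sources that hit at least min_ports distinct destination ports within window.

    Returns {source: all distinct ports that source was denied on}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append((e.ts, e.dport))
    scans: Dict[str, List[int]] = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):           # sliding time window over the hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                scans[src] = sorted({p for _, p in hits})
                break
    return scans


def targeted_ports(events: List[Deny]) -> Counter:
    """How often each destination port was denied: the services attackers keep trying."""
    return Counter(e.dport for e in events)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("port scans:", find_port_scans(evts))
    print("most probed ports:", targeted_ports(evts).most_common(3))
```

The thresholds (six distinct ports in sixty seconds) are assumptions chosen for the sample; on a real perimeter they are tuned against the normal deny rate, and the per-port counts are what tell the administrator which weak points (here SMTP on port 25) to strengthen first.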

Multilayer Firewall Protection

- Firewall functions work at different layers of the OSI model:

  OSI layer      Firewall function
  Application    Application-level gateway
  Presentation   Encryption
  Session        SOCKS proxy server
  Transport      Packet filtering (TCP/UDP port numbers)
  Network        NAT; packet filtering (IP addresses)
  Data Link      N/A
  Physical       N/A

Packet Filtering

- The key function of any firewall; packet filters are valuable elements of perimeter security
- Advantage: filtering decisions are made on the packet header alone, so they add very little overhead and delay to traffic
- A packet consists of two parts: the header and the data (payload)
- The firewall decides whether to block or permit a packet from the header fields (addresses, protocol, ports, flags); the payload is not examined

Stateful Packet Filtering

Figure: a stateful filter on the router between the internal Ethernet and the Internet tracks a connection from an internal host to www.course.com:

1. The host (10.0.0.6) attempts to connect to www.course.com on TCP/80
2. The router checks its state table, sees that no connection exists, creates a state entry and passes the request to the rule base
3. A rule allowing internal hosts to access TCP/80 exists; the packets are allowed to pass through
4. The packets are received by the course.com Web server; the SYN/ACK reply is sent back to the firewall
5. The reply packets are received and the state table entry is referenced
6. The packets are allowed to pass

State table entry as seen from the reply direction:
  Source IP: www.course.com
  Source port: 80
  Destination IP: 10.0.0.6
  Destination port: 1087
  Transport: TCP

Screening Router

- Placed between the client computers and the Internet to perform packet filtering
- Two interfaces: external (toward the Internet) and internal (toward the LAN)
- An ACL (access control list) specifies the rules that decide which packets are blocked and which are forwarded
- Stateful packet filtering: an inbound packet is accepted only if it belongs to a connection that a host behind the router initiated outbound; unsolicited inbound packets are dropped
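The six-step stateful exchange on the previous slide and the ACL on this one, as one added worked example that is not part of the module. A first-match rule base with an implicit deny stands in for the ACL; the state table is consulted before the rules, in both directions, so the server's reply is admitted without a rule of its own, while an unsolicited inbound SYN/ACK, an ACK-flagged probe and an inbound connection attempt are all dropped. The client address 10.0.0.6, source port 1087 and the TCP/80 rule come from the slides; 198.51.100.7 stands in for www.course.com and the packets are constructed.

```python
"""Stateful packet filter with a first-match rule base and implicit deny: an
added worked version of the six-step diagram on the Stateful Packet Filtering
slide and of the ACL on the Screening Router slide. Not the module's own code.
The client address 10.0.0.6, source port 1087 and the TCP/80 rule come from the
slides; 198.51.100.7 stands in for www.course.com and the packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"
    flags: str = ""  # "SYN", "SYN/ACK", "ACK", ...


@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


Key = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Dict[Key, str] = {}  # keyed by the 5-tuple that opened the connection
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _decide(self, p: Packet, allow: bool, why: str) -> bool:
        verdict = "ALLOW" if allow else "DENY "
        self.log.append(f"{verdict} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {why}")
        return allow

    def process(self, p: Packet) -> bool:
        # Steps 2 and 5: the state table is consulted before the rule base, in
        # both directions, so a reply is admitted without needing its own rule.
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            return self._decide(p, True, "matches state table")
        # A TCP packet that is not a SYN cannot open a connection. Without this
        # check an attacker's ACK-flagged probes would be treated as new sessions.
        if p.proto == "TCP" and p.flags != "SYN":
            return self._decide(p, False, "no state for non-SYN packet")
        # Step 3: first matching rule wins; an allow creates the state entry
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.state[self._key(p)] = "OPEN"
                return self._decide(p, rule.action == "allow", f"rule {rule.name}")
        return self._decide(p, False, "implicit deny")


# The ACL: internal hosts may open TCP/80 to anywhere; everything else is implicitly denied
RULES = [Rule("web-out", "allow", "10.0.0.0/24", "0.0.0.0/0", "TCP", 80)]


def demo() -> List[bool]:
    fw = StatefulFilter(RULES)
    packets = [
        Packet("10.0.0.6", 1087, "198.51.100.7", 80, "TCP", "SYN"),       # step 1: host opens TCP/80
        Packet("198.51.100.7", 80, "10.0.0.6", 1087, "TCP", "SYN/ACK"),   # step 4: server reply
        Packet("198.51.100.9", 80, "10.0.0.6", 2000, "TCP", "SYN/ACK"),   # unsolicited "reply"
        Packet("198.51.100.9", 4444, "10.0.0.6", 80, "TCP", "ACK"),       # ACK-scan probe
        Packet("198.51.100.9", 4444, "10.0.0.6", 80, "TCP", "SYN"),       # inbound connection attempt
        Packet("10.0.0.6", 1088, "198.51.100.7", 23, "TCP", "SYN"),       # telnet out: no rule
    ]
    results = [fw.process(p) for p in packets]
    for line in fw.log:
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

Two details matter in practice: the reverse-key lookup is what makes "only if a host sent data outbound can it receive data inbound" true, and the SYN requirement is what stops a stateless rule set from being fooled by packets that merely look like the middle of a conversation.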

Screening Router

Figure: a screening router with an external interface at 192.168.1.200/24 and an internal interface at 192.168.2.1/24. The router is configured to forward traffic only to 192.168.2.2 through 192.168.2.5; traffic from the Internet cannot reach 192.168.2.6.

Dual-Homed Host

- A computer with two NICs, one connected to the Internet and one to the internal network, running firewall software
- By default IP forwarding between the two interfaces is disabled, so no packet can flow directly through the host; traffic passes only through the proxies running on it
- Limitations:
  - It is a single protection layer: if the host is compromised, the whole network is exposed
  - Passwords on the host can be cracked, and any account on it is a way in

Types of Firewall Configurations

  Type                           Description
  Screening router               Packet-filtering router located between the client computers and the Internet
  Dual-homed host                A host with two interfaces that acts as the firewall between the Internet and the internal hosts
  Screened host                  Host computer running firewall software, dedicated to security functions and protected by a screening router
  Two routers with one firewall  Routers that perform packet filtering, located on the internal and external interfaces of the firewall
  DMZ screened subnet            Network of publicly accessible servers that is external to the secured internal network
  Multi-firewall DMZ             DMZ with added security from two or more firewalls
  Reverse firewalls              Firewalls that inspect outgoing traffic rather than incoming traffic
  Specialty firewalls            Firewalls that secure a specific kind of communication, such as e-mail

Screened Host

- Also called a dual-homed gateway, or a bastion host when it is the exposed host
- Requires two network interfaces
- Resides on the perimeter of the network
- A router that performs packet filtering is placed between the screened host and the Internet
- Differs from a bare bastion host or dual-homed host in that the screening router in front of it adds a second layer and the host itself provides stronger security services (proxies, authentication, logging)

Screened Host

Figure: Internet -- Router -- Application gateway (the screened host) -- internal host

1. The internal host makes a request to connect to the Internet
2. The firewall, equipped with proxy server software, takes the place of the host and makes the request
3. The proxy server connects to the Internet

Two Routers With One Firewall

- Routers are located on both sides of the screened host (the firewall)
- External router: performs the initial, static packet filtering
- Internal router: routes traffic to the computers in the secured LANs and performs stateful packet filtering

Two Routers With One Firewall

Figure: Internet -- Router (192.168.1.2/24) -- Firewall (10.1.1.1/24) -- Router (LAN gateway) -- internal servers: WWW server 10.1.1.43, E-mail server 10.1.1.29, FTP server 10.1.1.33

DMZ Screened Subnet

- A network that is exposed to the external network but partially protected by the firewall
- Service network or perimeter network: the subnet in the DMZ that is attached to the firewall and hosts the public servers
- Three-pronged firewall: a firewall in a DMZ design with three interfaces, connected to three distinct networks:
  - External network
  - DMZ screened subnet
  - Internal LAN

DMZ Screened Subnet

Figure: Internet -- Router (192.168.1.2/24) -- Firewall with three interfaces: external, DMZ (192.168.2.1/24) and internal (10.1.1.1/24) -- Router / LAN gateway (172.30.1.1/24) -- LAN. Servers in the DMZ: E-mail server 192.168.2.29, WWW server 192.168.2.43, FTP server 192.168.2.33

Multi-firewall DMZ

- Additional firewalls increase the security of the organization's network
- Performance decreases as security increases, since every added firewall inspects the traffic again
- Two or more firewalls can be arranged to protect:
  - The internal network alone
  - One DMZ
  - Two DMZs

Multiple-Firewall DMZs: Two Firewalls, One DMZ

- Two firewalls placed in series divide the network into three zones, much as a three-pronged (trihomed) firewall does:
  - Internal protected network (behind the DMZ)
  - Service network (within the DMZ, between the two firewalls)
  - External network (outside the DMZ)
- Advantage: traffic between the three networks is controlled, and an attacker who compromises a server in the DMZ still faces the second firewall

Multiple-Firewall DMZs: Two Firewalls, One DMZ

Figure: Internet (external network) -- Router -- Firewall -- DMZ (E-mail server, WWW server, FTP server) -- Firewall -- Router / LAN gateway -- internal network (Active Directory)

Multiple-Firewall DMZs: Two Firewalls, Two DMZs

- Different parts of the organization can have their own DMZs, which also balances the traffic load
- A tunnel server placed in a DMZ grants off-site tunneling clients (VPN users) access without exposing the other servers in the internal LAN
- Stateful failover firewall: a second firewall that shares the state table with the first and takes over if the first firewall fails

Multiple-Firewall DMZs: Two Firewalls, Two DMZs

Figure: Internet -- Router -- Firewall paired with a failover firewall -- Hub -- DMZ (Tunnel server, WWW server, FTP server, E-mail server) -- Firewall -- Hub -- Router / LAN gateway -- internal LAN. A separate Accounting DMZ hangs off the same design, and a Tunneling client on the Internet connects to the Tunnel server.

Specialty Firewalls and Reverse Firewalls

- Specialty firewalls:
  - Designed to secure one specific kind of network communication
  - Supervise and restrain that specific traffic as it flows through the network
  - Examples: OpenReach (a packet-filtering firewall for its VPN), the VOISS Proxy firewall, Speedware Corporation's Autobahn Application Firewall
- Reverse firewalls:
  - A device that inspects the traffic leaving the network rather than the traffic entering it
  - Does not block the traffic; it identifies DDoS (Distributed Denial of Service) attacks being launched from inside the network

Summary

- A firewall is hardware and/or software that monitors the packets crossing the perimeter of a network
- It resides on the perimeter of the network and restricts unauthorized access in both directions
- Several components (packet filters, proxies, authentication, NAT) work together to protect against hacking
- Firewall functions operate at several layers of the OSI model
- Specialty and reverse firewalls monitor and limit specific kinds of traffic flowing through the network
