Information System Security
Arab Academy for Banking and Financial Sciences (AABFS)
Presented to: Dr. Lo'ai Tawalbeh
By: Mohammad Ababneh, Mohammad Mkhaimer
Summer 2006

1. Definition
A firewall is simply defined as a collection of components placed between two networks to protect a private network from unauthorized intrusion.
(Figure: public Internet | firewall | administered network)

Definition (cont.)
The firewall's rules determine:
• WHO?
• WHEN?
• WHAT?
• HOW?
(Figure: My PC -> INTERNET -> Firewall -> Secure Private Network)

2. Introduction
• Firewalls alone do not provide complete protection from Internet-borne problems.
• They are just one part of a total information security program.
• Firewalls and firewall environments are discussed here in the context of Internet connectivity and the TCP/IP protocol suite.
• However, firewalls also have applicability in network environments that do not include or require Internet connectivity.

Introduction (cont.)
Modern firewalls operate on the following OSI model layers.
(Figure: OSI model layers addressed by modern firewalls)

3. What is at Risk?
- Loss of data.
- Confidential data.
- Network downtime.
- Staff time.
- Hijacked computer.
- Reputation.

4. Threats
Targeted versus untargeted attacks.
• Viruses, worms, and trojans.
• Malicious content and malware.
• Denial-of-service (DoS) attacks.
• Zombies.
• Compromise of personal information and spyware.
• Social engineering.
• Insecure/poorly designed applications.

5. What Firewalls Do
- Protect the resources of an internal network.
- Restrict external access.
- Log network activities.
- Intrusion detection.
- DoS.
- Act as intermediary.
- Centralized security management:
  • Carefully administer one firewall to control the Internet traffic of many machines.
  • Internal machines can then be administered with less care.

6. Disadvantages
• Performance may suffer.
• Single point of failure.

7. Firewall Products Classification
• H/W – Platform
  - Linux, Solaris, Windows, … system.
  - Proprietary (Nokia box, Cisco PIX)
• Software
  - Checkpoint FireWall-1 (FW-1)
  - NetGuard Guardian
• Perimeter Firewall
  - Checkpoint
  - PIX
  - Sun SPF
• Stand-alone box (appliance)
  - Satic Wall
  - WatchGuard FireBox
  - NetScreen
• Personal Firewall
  – BlackICE
  – ZoneAlarm

8. Taxonomy
Firewalls
• Personal Firewalls
  - Packet Filter Firewalls
  - Stateful Firewalls
• Network Firewalls
  - Packet Filter Firewalls
  - Stateful Firewalls
  - Circuit Level Gateways
  - Application Level Firewalls
  - NAT Firewalls

8.1 Personal Firewalls
• FW on the client machine.
• Allows/blocks traffic based on:
  – Packet types
  – Local applications
• Centralized configuration.
• Coupled to personal intrusion detection.
• Examples: ZoneAlarm, BlackICE, PGP Firewall, IDS, Windows XP.

8.2 Packet Filter Firewalls
• The most basic, fundamental type of firewall.
• Routing devices that include access control functionality for system addresses and communication sessions.
• Packet filters operate at Layer 3 (Network) of the OSI model.

Packet Filtering
(Figure: Should an arriving packet be allowed in? Should a departing packet be let out?)
• Filter traffic based on simple packet criteria.
• Filter packet-by-packet, deciding to Accept/Deny/Discard each packet based on certain configurable criteria: the filter rulesets.
• Typically stateless: they do not keep a table of the connection state of the various traffic that flows through them.

Packet Filtering (cont.)
• Typically deployed within TCP/IP network infrastructures.
• Not dynamic enough to be considered true firewalls.
• Usually located at the boundary of a network.
• Their main strengths: speed and flexibility.

8.3 Stateful Packet Filtering
Traditional view:
• Content filtering
  - Based on the content of packets.
  - Blocking packets with some patterns in the content.
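The following is an added example (not from the original slides) of the ruleset-driven, stateless filtering described in section 8.2: rules are tried in order, the first match decides, and anything unmatched falls to a default deny. The addresses, ruleset and packets are constructed for illustration. Because no connection table exists, the only way such a filter can admit return traffic is by a header flag (here the TCP ACK bit), which is exactly the limitation stateful inspection in section 8.3 removes.

```python
"""Stateless packet filter: first-match rule set with a default-deny policy.

Added example, not part of the original slides. The rule set, addresses and
packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"          # CIDR the destination address must fall in
    dport: Optional[int] = None     # None matches any destination port
    need_ack: bool = False          # match only if the TCP ACK flag is set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.need_ack and "ACK" not in pkt.flags:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Evaluate rules in order; the first match decides.

    No state is kept: every packet is judged on its own header fields only."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default  # explicit default-deny: anything not allowed is dropped


INTERNAL = "10.0.0.0/8"  # constructed private address range

# Constructed ruleset for a border packet filter:
#  1. allow anyone to reach the internal web server on port 80
#  2. allow internal hosts to start connections outward
#  3. admit replies from outside, recognised only by the ACK flag
#     (a stateless filter has no connection table to consult)
#  4. deny everything else (the default)
RULES = [
    Rule("accept", proto="tcp", dst="10.0.0.80/32", dport=80),
    Rule("accept", src=INTERNAL),
    Rule("accept", proto="tcp", dst=INTERNAL, need_ack=True),
]


def demo() -> Dict[str, str]:
    """Run a few constructed packets through the ruleset and return the verdicts."""
    cases = {
        "web_request": Packet("203.0.113.7", "10.0.0.80", "tcp", 40001, 80, frozenset({"SYN"})),
        "ssh_attempt": Packet("203.0.113.7", "10.0.0.5", "tcp", 40002, 22, frozenset({"SYN"})),
        "outbound": Packet("10.0.0.5", "198.51.100.9", "tcp", 50000, 443, frozenset({"SYN"})),
        "reply": Packet("198.51.100.9", "10.0.0.5", "tcp", 443, 50000, frozenset({"SYN", "ACK"})),
        # ACK set, but no outbound connection ever asked for it: rule 3 still
        # accepts it, which is the weakness a stateful filter closes.
        "unsolicited_ack": Packet("203.0.113.7", "10.0.0.5", "tcp", 40003, 22, frozenset({"ACK"})),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The `unsolicited_ack` case is the point to take away: the ruleset is correct for the traffic it was written for, yet a stateless device cannot tell a genuine reply from any other packet carrying the same flag. Logging each verdict alongside the matched rule index is the cheapest way to notice such traffic in practice.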
• Specific filtering: ICMP inspection is based on what state the conversation between hosts is in (TCP SYN and ACK).
(Figure: OSI layers addressed by stateful inspection)

Modern view:
• Stateful firewalls combine aspects of NAT, circuit level firewalls, and proxy firewalls.
• More complex than their constituent component firewalls.
• Nearly all modern firewalls in the market today are stateful.

Basic weaknesses associated with packet filters / stateful filters:
• They cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Logging functionality present in packet filter firewalls is limited.
• Most packet filter firewalls do not support advanced user authentication schemes.
• Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Susceptible to security breaches caused by improper configurations.

8.4 Application / Proxy Firewall
(Figure: application gateway with router and filter; host-to-gateway telnet session and gateway-to-remote-host telnet session)
• Filters packets on application data as well as on IP/TCP/UDP fields.
• The interaction is controlled at the application layer.
(Figure: OSI layers addressed by application-proxy gateway firewalls)

Application/Proxy Servers (cont.)
• A proxy server is an application that mediates traffic between two network segments.
• With the proxy acting as mediator, the source and destination systems never actually "connect".
• Filtering hostile code: proxies can analyze the payload of a packet of data and make a decision as to whether this packet should be passed or dropped.

How a Proxy Passes Traffic
(Figure: Internal Host -> HTTP application data request -> Proxy Server -> data request -> Remote Server)

Application/Proxy Firewalls (cont.)
Advantages:
• Extensive logging capability.
• Allow security enforcement of user authentication.
• Less vulnerable to address spoofing attacks.
(Figure: typical proxy agents)
Disadvantages:
• Complex configuration.
• Limited in terms of support for new network applications and protocols.
• Speed!
(Figure: OSI layers addressed by application-proxy gateway firewalls)

8.5 Network Address Translation (NAT)
- Existed for a short period of time; now NAT is part of every firewall.
- Developed in response to two major issues in network engineering and security:
  • First, network address translation is an effective tool for hiding the network-addressing schema present behind a firewall environment.
  • Second, the depletion of the IP address space has caused some organizations to use NAT for mapping non-routable IP addresses to a smaller set of legal addresses.

NAT goals
– Allow use of internal IP addresses.
– Hide internal network structure.
– Disable direct Internet connections.

NAT types
– Dynamic
  • For connections from inside to outside.
  • There may be fewer outside addresses than internal addresses.
– Static
  • For connections from outside to specific servers inside.
  • One-to-one address mapping (fixed).

8.6 Firewalls - Circuit Level Gateway
• Relays two TCP connections (session layer).
• Imposes security by limiting which such connections are allowed.
• Once created, usually relays traffic without examining contents.
• Monitors handshaking between packets to decide whether the traffic is legitimate.
• Typically used when internal users are trusted, by allowing general outbound connections.
• SOCKS is commonly used for this.
(Figure: circuit level gateway)
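The slides' "modern view" is that a stateful firewall folds NAT and connection tracking into one device. The added example below (not from the original slides, and not any vendor's implementation) shows that combination on the dynamic NAT case from section 8.5: inside hosts may open TCP connections outward, the firewall rewrites their private source address to its single public address with a fresh port, and an inbound packet is admitted only when it belongs to a session the firewall already recorded. The network, public address, ports and packets are constructed for illustration; a production implementation would additionally track the full handshake and tear sessions down on FIN/RST or timeout.

```python
"""Stateful inspection with dynamic NAT (port address translation).

Added example, not from the original slides. Policy, addresses and packets are
constructed for illustration: inside hosts may open TCP connections outward;
nothing from outside may open a connection inward. Replies are admitted only
if they belong to a tracked session, and that session's private address is
rewritten to the firewall's single public address on the way out.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


class StatefulNatFirewall:
    def __init__(self, inside_net: str, public_ip: str, first_port: int = 40000):
        self.inside = ip_network(inside_net)
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_src, sport, dst, dport) -> translated source port
        self.sessions: Dict[Tuple[str, int, str, int], int] = {}
        # (remote, remote_port, translated_port) -> (private_src, sport)
        self.reverse: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    @staticmethod
    def is_new_connection(pkt: Packet) -> bool:
        return "SYN" in pkt.flags and "ACK" not in pkt.flags

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the inside heading out; returns the translated packet or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            if not self.is_new_connection(pkt):
                return None  # mid-stream packet with no tracked session
            if ip_address(pkt.src) not in self.inside:
                return None  # claims an inside origin it cannot have: treated as spoofed
            self.sessions[key] = self.next_port
            self.reverse[(pkt.dst, pkt.dport, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        tport = self.sessions[key]
        # Dynamic NAT: many private addresses share one public address,
        # distinguished by the translated source port.
        return Packet(self.public_ip, pkt.dst, tport, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the outside; admitted only as part of a tracked session."""
        if pkt.dst != self.public_ip:
            return None  # nothing else is routable from outside
        owner = self.reverse.get((pkt.src, pkt.sport, pkt.dport))
        if owner is None:
            return None  # unsolicited, dropped regardless of which flags it carries
        private_ip, private_port = owner
        # Undo the translation so the reply reaches the host that asked for it.
        return Packet(pkt.src, private_ip, pkt.sport, private_port, pkt.flags)


def demo() -> dict:
    """Walk one session through the firewall and return what a reader would check."""
    fw = StatefulNatFirewall("10.0.0.0/8", "192.0.2.1")
    out = fw.outbound(Packet("10.0.0.5", "198.51.100.9", 50000, 443, frozenset({"SYN"})))
    reply = fw.inbound(Packet("198.51.100.9", "192.0.2.1", 443, out.sport, frozenset({"SYN", "ACK"})))
    # Same limitation case as a stateless filter would mishandle: an ACK from a
    # host nobody talked to. Here there is no session, so it is dropped.
    unsolicited_ack = fw.inbound(Packet("203.0.113.7", "192.0.2.1", 40003, 40000, frozenset({"ACK"})))
    inbound_syn = fw.inbound(Packet("203.0.113.7", "192.0.2.1", 40004, 22, frozenset({"SYN"})))
    # A second inside host gets its own translated port on the shared public address.
    out2 = fw.outbound(Packet("10.0.0.6", "198.51.100.9", 50000, 443, frozenset({"SYN"})))
    return {
        "out_src": out.src, "out_sport": out.sport,
        "reply_dst": reply.dst, "reply_dport": reply.dport,
        "unsolicited_ack": unsolicited_ack, "inbound_syn": inbound_syn,
        "out2_src": out2.src, "out2_sport": out2.sport,
        "sessions": len(fw.sessions),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} -> {v}")
```

The two inside hosts both use local port 50000 to the same server, which is why the translation must key on the whole 4-tuple and hand out a distinct public port per session; the reverse table is what lets the reply path be decided by a single dictionary lookup rather than by trusting header flags.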
9. Firewall Standards
• International Computer Security Association (ICSA)
• Firewall Product Developers Consortium (FWPD) Product Certification Criteria
• Common Criteria Evaluation Assurance Level – Application-Level Firewall and Traffic Filter Firewall Protection Profiles
• Network Equipment Building Standards (NEBS) Compliance
• Internet Protocol Security Protocol Working Group (IPsec)
• National Institute of Standards and Technology (NIST) Firewall Protection Profile

10. Bastion Host
• Highly secure host system.
• Potentially exposed to "hostile" elements.
• Hence is secured to withstand this.
• May support 2 or more network connections.
• May be trusted to enforce trusted separation between network connections.
• Runs circuit / application level gateways.
• Or provides externally accessible services.

Firewall Configurations
(Figures: three firewall configurations; a DMZ holding the DNS server, mail server and web server between the outer firewall/router on the Internet side and the inner firewall/router on the Intra1 side, with a switch (SW) on each side)

• The key to security awareness is embedded in the word security: SEC-U-R-IT-Y.
If not you, who? If not now, when?