Professional Documents
Culture Documents
disadvantages
Compare their performances
Demonstrate their applications
What is a Firewall?
A firewall is a system of hardware and
In other words
A data sentry at the
point
Monitor security-related events (audit, log)
Provide strong authentication
Allow virtual private networks
firewall
employee
Insider cooperates with an external attacker
Protect against the transfer of virus-
Internet
Log
Notify
Internet
Attack
Firewall technologies
Common firewall technologies:
They may be classified into four categories:
TCP, UDP . . .
IP
Transport
Network
TCP, UDP . . .
IP
Data Link
Physical
WAN
LAN
10
model
Applies packet filters based on access
rules
Source address
Destination address
Application or protocol
Source port number
Destination port number
11
12
of a router.
Packet filtering relies on Network Layer and
Transport Layer information contained in the
headers of data packets to police traffic.
This information includes source IP address and
port number, destination IP address and port
number, and protocol used (e.g., TCP, UDP, ICMP).
This information is used as the criteria in network
access rules. These rules are organized into
several filter sets and each set handles traffic
coming to the firewall over a specific interface.
C. Ding -- COMP581 -- L25
13
Other host
action
name
port
name
port
comments
block
microsoft.com
Block everything
from MS
allow
My-gateway
25
Allow incoming
mail
14
Direction
Source
Address
Destination Protocol
Address
# Source
# Destin.
Port
Port
Action
Slide 16
1
Out
10.56.199*
Drop
Out
10.56*
10.122*
TCP
23 (Telnet)
Pass
In
10.122*
10.56.199*
TCP
23 (Telnet)
Pass
In & Out
10.56.199*
TCP
25 (Mail)
Pass
In
TCP
513 (rlogin)
Drop
In
201.32.4.76
Drop
Out
TCP
20 (FTP)
Pass
In
10.56.199*
TCP
20 (FTP)
Drop
15
ACK: = positive acknowledgement message for the sender from the receiver.
Typically just one bit.
C. Ding -- COMP581 -- L25
16
Internal
Network
Output
Filter
Input
Filter
Access Rules
Access Rules
Network
Network
Data Link
Router
Data Link
Internet
Physical
Physical
17
Disadvantages:
Hard to configure filtering rules
Hard to test filtering rules
Dont hide network topology (due to
transparency)
May not be able to provide enough control over
traffic
18
19
20
21
22
23
Internal
Network
Application
Application
Transport
Transport
Network
Network
Data Link
Data Link
Internet
Physical
Physical
Router
24
25
security
26
application
Not transparent to users
Expensive
27
28
29
Inspection Module
Network
Data Link
Physical
Network
Router
Data Link
Internet
Physical
30
Dynamic Filtering
Stateful Inspection firewalls
dynamically open and close
ports (application specific
connection points) based
on access policies.
Protected Private Network
Internet
Other traffic
from public
network
is blocked
31
32
Stateful Inspection
Weaknesses
Need to provide new client program
Might have problems with the availability
33
34
General Performance
35
36
RADIUS Support
Remote Authentication Dial-In User
Services
37
Head office
Telephony
Services
38
Firewall checks
policy rules to
validate sender
Internet
User initiates
web session
Firewall opens
required port
and allows traffic
to pass to
public network
39
Internet
User communicates
with Internet
using a private
IP address
Firewall translates
return flow from
Public to
Private address
40
FTP Server
Internet
If connection is valid
the state table is
updated
and connection to
FTP Server
established
Access rules
verified
FTP connection
initiated from
public network
41
Session Logging
The firewall can be configured to log an
42
Notification SNMP/SMTP
Email sent to
specified
address
Protected private network
Firewall detects
attack
(Port Scan)
Internet
SNMP Trap
message
to management
platform
43
DMZ
Web Server
Firewall detects
attack
(SYN Flood)
Server
Internet
Email sent to
System
Manager
Firewall automatically
reconfigured to deny all
External access to WEB
Server
44
Secure management
Secure encrypted and authenticated
remote management
45
46
Internet
Deny all access from the Internet to the private
network
Protected private network
Internet
47
Semi-Militarised Zone
Protected private network
All
Private network for
unauthorised
corporate servers
traffic is
and users
blocked
Internet
WEB
Server
SMZ
Mail
Server
Semi Militarised Zone
All other
SMZ
Firewall policy limits incoming
incoming access to traffic
WEB and mail server blocked
from public network
48
Internet
WEB
Login:hacker
Server
Password:please
OK Then!
SMZ
Mail
Server
Semi-Militarised Zone
49
Demilitarised Zone
Open access
between
private LAN
and DMZ
WEB
Server
Internet
Allow
SMTP,
From here
to there
only
DMZ
Mail
Server
Static filters
between private LAN
and DMZ used to
control access
Demilitarised Zone
50
Concluding Remarks
All that a firewall can do its to control network
51