Firewalls
Overview of Firewalls
As the name implies, a firewall provides secured access between two networks.
A firewall may be implemented as a standalone hardware device or as software on a client computer or a proxy server.
The two types of firewall are generally known as the
hardware firewall and the software firewall
What is a Firewall?
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Hardware Firewall
What is it?
Remote logins
Application backdoors
SMTP session hijacking
E-mail Addresses
Spam
Denial of service
E-mail bombs
E-mail sent 1000s of times till mailbox is full
Macros
Viruses
Software Firewall
What it is?
Also called Application Level Firewalls.
It is a firewall that operates at the Application Layer of the OSI model.
They filter packets at the network layer.
It operates between the Datalink Layer and the Network Layer.
It monitors the communication type (TCP, UDP, ICMP, etc.) as well as the origin of the packet, the destination port of the packet, and the application (program) the packet is coming from or headed to.
Firewalls Characteristics
Design goals:
1. All traffic from the inside to the outside must pass through the firewall (physically blocking all access to the local network except via the firewall).
2. Only authorized traffic (defined by the local security policy) will be allowed to pass.
3. The firewall itself is immune to penetration (use of trusted systems with secure operating systems).
Firewall Characteristics
3. User Control: controls access to a service
according to which user is attempting to
access it.
4. Behavior Control: controls how particular services are used (e.g. filter e-mail).
Classification of Firewall
Characterized by the protocol level at which the firewall exercises control:
Packet filtering
Circuit gateways
Application gateways
Packet-Filtering-Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet.
Filters packets going in both directions.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
Two default policies (discard or forward) apply when no rule matches.
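As an added illustration (not from the original slides), a minimal first-match packet filter in Python: rules match on IP and TCP header fields, and whichever default policy (discard or forward) is chosen applies when no rule matches. The addresses, ports and rules are constructed examples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """The header fields a packet-filtering router looks at."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn_only: bool = False      # TCP SYN without ACK: a new inbound connection


@dataclass
class Rule:
    action: str                 # "forward" or "discard"
    src: str = "0.0.0.0/0"      # any source unless narrowed
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_conn: Optional[bool] = None   # match only connection-opening SYNs

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_conn is None or self.new_conn == p.syn_only))


def filter_packet(rules, p: Packet, default: str = "discard") -> str:
    """First matching rule wins; otherwise the router's default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed inbound policy for an external interface (hypothetical addresses).
INTERNAL = "192.0.2.0/24"
RULES = [
    Rule("discard", src=INTERNAL),                             # spoofed internal source
    Rule("forward", dst="192.0.2.25", proto="tcp", dport=25),  # SMTP to the mail relay
    Rule("forward", dst="192.0.2.80", proto="tcp", dport=80),  # HTTP to the web server
    Rule("discard", proto="tcp", new_conn=True),               # no other inbound setup
    Rule("forward", proto="tcp"),                              # replies to inside-opened connections
]
```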
Port Numbering
TCP connection
Permanent assignment
Variable use
Packet-Filtering-Router
Advantages:
Simplicity.
Transparency to users.
High speed
Disadvantages:
Difficulty of setting up packet filter rules.
Lack of Authentication.
Firewall Gateways
Firewall runs set of proxy programs
Proxies filter incoming, outgoing packets
All incoming traffic directed to firewall
All outgoing traffic appears to come from firewall
Circuit-level gateways/proxies
Working on TCP level
Application-Level Filtering
Has full access to protocol
user requests service from proxy
proxy validates request as legal
then actions request and returns result to user
Application-Level-Gateway
Advantages:
1. Higher security than packet filter
2. Only need to scrutinize a few allowable applications.
3. Easy to log and audit all incoming traffic.
Disadvantages:
Additional processing overhead on each
connection (Gateway as splice point).
Bastion Host
Host-Based Firewalls
Software module used to secure an individual host.
Firewall Configurations
Single-homed bastion host
Dual-homed bastion host
Screened-subnet firewall
What is a VPN?
A virtual private network (VPN) is a network that uses public means of transmission (the Internet) as its WAN link.
VPN Protocols
There are three main protocols that power the vast majority of VPNs:
PPTP
L2TP
IPsec
All three protocols emphasize encryption and authentication; preserving data integrity that may be sensitive and allowing clients/servers to establish an identity on the network.
VPN Protocols (continued)
Internet Protocol Security Protocol (IPSec) provides
Security Topologies
Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk.
Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters.
Security topologies include demilitarized zones (DMZs), extranets, and intranets.
Security Zones
Three main security zones:
Trusted sites
Unclassified sites
Restricted sites
e.g. Internet Explorer includes 4 predefined zones.
DMZ
Typically contains devices accessible to
Internet traffic
Web (HTTP) servers
FTP servers
SMTP (e-mail) servers
DNS servers
Optional, more secure approach to a
simple firewall; may include a proxy server
Intranet
Typically a collection of all LANs inside the firewall (campus network).
Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees.
Shares company information and computing resources among employees.
Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security.
Extranet
Private network that uses the Internet protocol and the public telecommunication system to provide various levels of accessibility to outsiders.
Requires security and privacy:
Firewall management
Issuance and use of digital certificates or other user authentication
Encryption of messages
Use of VPNs that tunnel through the public network
VLAN introduction
VLANs logically segment switched networks based on the functions, project teams, or applications of the organization, regardless of the physical location or connections to the network.
All workstations and servers used by a particular workgroup share the same VLAN, regardless of the physical connection or location.
A workstation in a VLAN group is restricted to communicating with file servers in the same VLAN group.
VLANs function by logically segmenting the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN.
Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management.
VLANs address scalability, security, and network management.
Switches may not bridge any traffic between VLANs, as this would violate the integrity of the VLAN broadcast domain.
Traffic should only be routed between VLANs.
VLAN operation
Each switch port could be assigned to a different VLAN.
Ports assigned to the same VLAN share broadcasts.
Ports that do not belong to that VLAN do not share these broadcasts.
Users attached to the same shared segment share the bandwidth of that segment.
Each additional user attached to the shared medium means less bandwidth and a fall in network performance.
VLANs offer more bandwidth to users than a shared network.
The default VLAN for every port in the switch is the management VLAN.
The management VLAN is always VLAN 1 and may not be deleted. All other ports on the switch may be reassigned to alternate VLANs.
Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port.
As a device enters the network, it queries a database within the switch for a VLAN membership.
In port-based or port-centric VLAN membership, the port is assigned to a specific VLAN membership independent of the user or system attached to the port.
All users of the same port must be in the same VLAN.
Benefits of VLANs
The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
Performance
Formation of virtual workgroups
Simplified administration
Reduced cost: eliminates the need for expensive routers
Security
Improved management
VLAN Limitations
Broadcast limitations
Device limitations
Port Constraints
VLAN types
There are three basic VLAN membership types for determining and controlling how a packet gets assigned:
Port-based VLANs
MAC address based VLANs
Protocol based VLANs, e.g. protocol IP -> VLAN 1
Membership by IP subnet address, e.g. subnet 23.2.24 -> VLAN 1
Higher Layer VLANs
The frame headers are encapsulated or modified to reflect a VLAN ID before the frame is sent over the link between switches.
Before forwarding to the destination device, the frame header is changed back to the original format.
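The per-VLAN flooding from the VLAN operation slides and the tagging of frames on the link between switches described above, as an added Python model (not the course's material): access ports map to one VLAN, trunk ports carry an 802.1Q tag (TPID 0x8100) that is stripped again on receipt, and nothing is bridged between VLANs. Port numbers, MAC addresses and VLAN IDs used in the test are constructed.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that marks an 802.1Q-tagged frame
BROADCAST = b"\xff" * 6    # Ethernet broadcast destination address


def tag_frame(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag (priority 0) after the source MAC for a trunk link."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, original_frame); vlan_id is None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vlan_id, frame[:12] + frame[16:]
    return None, frame


class VlanSwitch:
    """Toy VLAN-aware switch: access ports belong to one VLAN, trunk ports carry tags."""

    def __init__(self, port_vlans: dict, trunk_ports=()):
        self.port_vlans = dict(port_vlans)   # access port -> VLAN ID
        self.trunk_ports = set(trunk_ports)
        self.mac_table = {}                  # (vlan, mac) -> port, learned per VLAN

    def forward(self, in_port: int, frame: bytes) -> dict:
        """Return {out_port: frame} for one received frame (no inter-VLAN bridging)."""
        if in_port in self.trunk_ports:
            vlan, frame = untag_frame(frame)
            vlan = vlan or 1                 # untagged on a trunk: native VLAN 1 (assumption)
        else:
            vlan = self.port_vlans[in_port]
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vlan, src)] = in_port
        known = None if dst == BROADCAST else self.mac_table.get((vlan, dst))
        if known is not None:
            targets = [known]                # known unicast: one port in this VLAN
        else:                                # broadcast/unknown: flood this VLAN only
            targets = [p for p in self.port_vlans if self.port_vlans[p] == vlan]
            targets += list(self.trunk_ports)
        return {p: (tag_frame(frame, vlan) if p in self.trunk_ports else frame)
                for p in targets if p != in_port}
```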
Email Security
Electronic Mail
Sends text, pictures, videos and sounds.
Security is an extremely important issue.
An e-mail message has two portions: content and header (like the postal system).
The header is followed by the actual message contents.
The header includes From, To, Subject and Date.
Threats to E-mail
Message interception(confidentiality)
Message interception(blocked delivery)
Message content modification
Message origin modification
Message content forgery (fake, dummy) by outsider
Message origin forgery by outsider
Message content forgery by recipient
Message origin forgery by recipient
Denial of message transmission
E-mail Threats
Viruses
Spam
E-mail Threats
Phishing
The fraudulent (criminal, illegal) practice of sending e-mails purporting (seeming) to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.
e.g. a simulated bank:
Directs you to a false site.
Asks you to confirm your account information.
The false site looks like the real website.
SMTP
Simple Mail Transfer Protocol
Request/Response based