What are the types of Firewalls?
Packet filtering router, Gateway firewalls (screened host, dual homed gateway firewall, screened subnet firewall), Additional Concepts (NAT, stateful inspection)
What is a packet filtering router?
the router is the entry and exist point to a network so it should be used as a firewall. Packet filtering routers use ACLs to provide security.
What two principles is an ACL based on?
sequential processing
deny all except when explicitly permitted
What are the ACL orders of operation?
Deny person, deny family, permit friend—– deny all
Describe the flowchart for ACL operation?
1 - is there an ACL? 2 - Check for permit 3 - Routing 4 - Is there an ACL at the other end? 5 - Is the packet permitted?
What are the parts of a standard acl?
access-list acl number (1-99) permit/deny source[mask]
interface interface-number
ip access-group acl-number in/out
What are the parts of an extended acl?
access-list acl-number(100-199) permit/deny protocol source[source-mask] destination[destination-mask] [eq port number]
interface interface-number
ip access-group acl number in/out
What is the rule of thumb for choosing an interface for Standard ACLs?
bind it closest to the network being protected
What is the rule of thumb for choosing an interface for extended ACLs
place it closest to the source network whenever possible
What are the limitations of packet filtering?
- works up to the layer 3 only
- address spoofing can penetrate ACLs
- Testing of complex ACLs is difficult
- Chews up router processing time
- Filtering of specific application commands is not possible
- State information is not stored
- Allows direct TCP connection between outside and inside networks
What pieces are part of a gateway firewall?
Inside server and client, Outside server and client, Bastion host (proxy client and servers)
What is a bastion host?
A special gateway host that acts as a relay for all services. Acts as a proxy/client server for each application. BH eliminates the direct exchange of packets between the private and outside network
What are some design features of bastion hosts?
- execute a secure version of the OS
- only essential services are installed
- each proxy is independent
- each proxy can be configured to allow access only to specific hosts
- each proxy can be configured to support only a subset of the applications command set
- BH will require additional authentication from the user
- Users are not permitted to log on to BHs
- No disk access is performed by the proxies
Describe a screened host firewall
- BH resides on the same network segment as the private network hosts and secure servers
- packet filter is configured to let in traffic only to BH
- inside systems may be permitted to have direct access to the Internet or may have to use proxy services
- Information servers do not require high security
- Outside and inside users may be permitted to access the information servers directly
–high flexibility, low security
describe a dual homed gateway firewall
- BH has two network interfaces
- all traffic destined for private network forced through BH which means that they have to set up proxies
- Information servers can be placed on separate segment so that outside users can access them without setting up proxies – high security and low flexibility
describe a screened subnet firewall
Instead of having a dual homed BH, it uses two routers. The BH and the information servers are placed on the segment between the two routers. Defines a DMS network between the private network and the outside network.
Direct transmission of traffic across DMZ is prohibited.
Outer Router R2:
Inbound traffic - allows only to BH or to information servers
Outbound traffic - allows only from BH
Inner Router R1
Inbound traffic - allows only from BH
Outbound traffic allows only to BH and possible to information servers
Good flexibility and good security
What does NAT stand for?
Network Address Translation?
What is the NAT concept?
One of the important features of a gateway firewall is that IP addresses of the private network need not be advertised to outside networks. This is made possible by translating the internal or private addresses to external or public addresses.
In addition to providing security NAT is also very useful in mitigating the problem of IP address depletion
Describe a static NAT
Every internal host is assigned a unique external address. The address mapping is fixed (1 to 1).
Simplest to set up
Least efficient in terms of address preservation
Useful when internal hosts have to be accessible from outside
Describe a dynamic NAT
Each private IP address is dynamically assigned a public address at the NAT on a demand basis. The address mapping function can change.
Many to a pool
- solves the static NAT problem of inefficiency
- however if the NAT runs out of a registered addresses to allocate then access is denied
many to 1 NAT
- this technique enables translation of multiple IP addresses to one single address by using different client port numbers. Useful when a large number of internal users requires simultaneous connection to the outside network.
A company has 15 servers and 1000 clients. How many public addresses does it need?
Needs 16 IP addresses, 15 static and 1 dynamic
What are some of the limitations of traditional firewalls?
- limited security for connectionless services
- for such services, the firewall acts mainly like a packet filter
Even for connection-oriented services, spoofing can penetrate the firewall - these limitations are caused because traditional firewalls do not store the state or context information of the interaction
What is a stateful inspection firewalls
- basic principles of gateway firewall plus the state and context of an ongoing interaction – the history of the transaction
- history of port numbers and addresses used, types of requests, sequence numbers
- stateful inspection allows more intelligent decision making by manipulating information based on previous communication and application states.
What is a host firewall?
placed on clients and servers, last line of defense, offer tailored security because of fewer functions to support on host
-
Review of Networking Concepts15
-
Introduction to Network Security22
-
Denial of Service and Social Engineering17
-
Firewalls26
-
Basic Cryptography29
-
Public Key Cryptosystems, Digital Signatures, and Key Exchange Algos18
-
Virtual Private Networks15
-
Security in Wireless Networks20
-
Higher Level Security Protocols4
-
Establishing a Security Plan8
