Applications Presentation Session Transport Network DataLink Physical

SMTP

FTP

DNS

HTTP

TELNET

Applications

TCP ICMP IP

UDP ARP RARP

Protocolsspecifictotheunderlyingphysicalmedia usedfordatacommunicationatthehardwarelevel

 A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer

Insideinformationcan leakoutfromhere

Router

Internet

Outside dangers can comefromhere

Corporatenetwork

Internet Firewall

Corporatenetwork

Afirewallissoftwareorhardwarethat checks information coming from the Internetoranetwork,andtheneither blocksitorallowsittopassthroughto your computer, depending on your firewallsettings.

Hardwarevs.SoftwareFirewalls
HardwareFirewalls
Protectanentirenetwork Implementedontherouterlevel Usuallymoreexpensive,harderto configure

SoftwareFirewalls
Protectasinglecomputer Usuallylessexpensive,easiertoconfigure

TypesofFirewalls Application Gateways

PacketFilters

PacketFilters Functioningofpacketfilter
Packet filtering inspects each packet passing through the network and accepts or rejects it basedonuserdefinedrules.
Apacketfilterdoesnotanalyzethecontentsofapacket; it decides whether to pass it or not based on the addressinginformationofthepacket.
Passthepacketthroughasetofrules,basedonthecontentsoftheIP & transport header fields of the packet. If match with set of rules, decidewhethertoacceptordiscardthepacketbasedonthatrule

If there is no match with any rule, take the default action. The default action can be discard all packets or accept all packets

PacketFilters

Internal (Private) Network

Internet

Functioningofpacketfilter

ApplicationGateway
Appliessecuritymechanismstospecificapplications, suchasFTPandTelnetservers. An application gateway is also called as a proxy server (deputy or substitute). The proxy server effectivelyhidesthetruenetworkaddresses.

WorkingofApplicationGateway
HTTP SMTP FTP TELNET

Insideconnection Applicationgateway

Outsideconnection

An internal user contacts the application gateway usingaTCP/IPapplication,suchasHTTPorTELNET The application gateway asks the user about the remote host with which the user wants to set up a connectionforactualcommunication. Theapplicationgatewaynowaccesstheremotehost onbehalfoftheuserandpasses the packets of the usertotheremotehost

Circuitgateway
Sourceaddress= 178.29.10.90 Sourceaddress= 178.29.10.70

IPpacket
HTTP SMTP FTP TELNET

IPpacket

InsideHost
IPaddress= 178.29.10.90

Applicationgateway
IPaddress= 178.29.10.70

OutsideHost

It creates new connection between itself and the remote host

Firewallconfigurations ScreenedHostFirewall,SingleHomedBastion

Applicationgateway
HTTP SMTP FTP TELNET Internet

Packet filter Internalnetwork

Thepacketfilterensuresthattheincomingtrafficisallowedonlyifitisdestinedfor theapplicationgateway,byexaminingthedestinationaddressfield. Theapplicationgatewayperformauthenticationandproxyfunctions. Also it ensures that the outgoing traffic is allowed only if it is originating from the applicationgateway,byexamining the source addressfield.

Thepacketfilterensuresthattheincomingtrafficisallowed only if it is destined for the application gateway, by examiningthedestinationaddressfield. Alsoitensuresthattheoutgoingtrafficisallowedonlyifitis originating from the application gateway, by examining the sourceaddressfield. The application gateway perform authentication and proxy functions. Advantages:Thisconfigurationincreasesthesecurityofthe network by performing checks at both packet and applicationlevel Disadvantages : The internal users are connected to the applicationgateway&packetfilter.Soifthepacketfilteris attacked,thenwholenetworkisexposedtotheattacker.

ScreenedHostFirewall,DualHomedBastion

Applicationgateway
HTTP SMTP FTP TELNET Internet

Packet filter Internalnetwork

The packet filter connects only to the application gateway, which in turn, has a separate connectionwiththeinternalhosts.

Directconnectionbetweentheinternalhostsandthepacketfilterareavoided. Thereforeifthepacketfilterissuccessfullyattacked,onlytheapplicationgatewayis visibletotheattacker.Theinternalhostsareprotected.

Direct connection between the internal hosts and thepacketfilterareavoided. The packet filter connects only to the application gateway, which in turn, has a separate connection withtheinternalhosts. Thereforeifthepacketfilterissuccessfullyattacked, only the application gateway is visible to the attacker.Theinternalhostsareprotected.

ScreenedSubnetFirewall

Applicationgateway

Packet filter

HTTP SMTP FTP TELNET

Internet
Packet filter

Internalnetwork

Twopacketfiltersareused,onebetweentheInternet&theapplicationgatewayand anotherbetweentheapplicationgateway&theinternalnetwork. The attacker does not come to know about the internal network , unless it breaks into both the packet filter and the single application gateway standing between them.

LimitationofFirewall
Insiderintrusion: DirectInternettraffic: Virusattack:

Security topology defines the network design and implementationfromasecurityperspective Securitytopologycoversfourprimaryareasofconcern: DesignGoals Technologies SecurityZones BusinessRequirements

DesignGoals The design goals of a security topology must deal with issues of confidentiality,integrity,availability,andaccountability. SecurityZones Thetermsecurityzonedescribesdesignmethodsthatisolatesystems fromothersystemsornetworks. The following present the key aspects of creating and designing securityzones. Internet Intranet Extranet DMZ

Internet TheInternetisaglobalnetworkthatconnectscomputerand networkstogether.

Intranet Intranetsareprivatenetworksimplementedandmaintainedbyan individualcompanyororganization.Intranetaccessislimitedto systemswithintheIntranet.Intranetsusethesametechnologiesused bytheInternet.IntranetscanbeconnectedtotheInternetbutarenot availableforaccesstousersthatarenotauthorizedtobepartofthe Intranet.

Extranet ExtranetsextendIntranetstoincludeoutsideconnectionsto partners.AnExtranetallowsyoutoconnecttoapartnerby aprivatenetworkoraconnectionusingasecure communicationschannelusingtheInternet.Extranet connectionsinvolveconnectionsthatarebetween trustworthyorganizations.

Corporate LAN Corporate LAN

PrivateConnectionor VPNonInternet

DMZ ADemilitarizedZone(DMZ)isanareawhereyoucanplacea public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or removeaccesstootherareasofyournetwork.Youcanstill access the server using your network, but others are not abletoaccessotherresourcesinyournetwork.Thiscanbe accomplishedusingfirewallstoisolateyournetwork.

Technologies
VirtualLocalAreaNetworks(VLANs),NetworkAddressTranslation(NAT)and Tunneling.

VLAN AVLANallowsyoutocreategroupsofusersandsystemsandsegment themonthenetwork.Thissegmentationallowstohidesegmentsof thenetworkfromothersegmentsandcontrolaccess.VLANscanalso besetuptocontrolthepathsthatdatatakestogetfromonepointto another.

Tunneling
Tunnelingreferstotheabilitytocreateavirtualdedicatedconnection betweentwosystemsornetworks.Thetunneliscreatedbetweenthe two ends by encapsulating the data in a mutually agreed upon protocol for transmission. In most tunnels, the data passed through thetunnelappearsattheothersideaspartofthenetwork.Tunneling protocolsusuallyincludedatasecurityaswellasencryption.

NAT(NetworkAddressTranslation): NAT allows an organization to present a single address to theInternetforallcomputerconnections.

The NAT server provides IP addresses to the hosts or systems in the networkandtracksinboundandoutboundtraffic.