[Figure: TCP/IP protocol stack. Applications: SMTP, FTP, DNS, HTTP, TELNET. Transport/network: TCP, ICMP, IP. Below: protocols specific to the underlying physical media, used for data communication at the hardware level.]
A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer
[Figure: Internet - Router - Corporate network, with the note "inside information can leak out from here". Internet - Firewall - Corporate network.]
A firewall is software or hardware that checks information coming from the Internet or a network, and then either blocks it or allows it to pass through to your computer, depending on your firewall settings.
Hardware vs. Software Firewalls
Hardware Firewalls
Protect an entire network
Implemented at the router level
Usually more expensive, harder to configure
Software Firewalls
Protect a single computer
Usually less expensive, easier to configure
Packet Filters
Functioning of packet filter
Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules.
A packet filter does not analyze the contents of a packet; it decides whether to pass it or not based on the addressing information of the packet.
Pass the packet through a set of rules, based on the contents of the IP and transport header fields of the packet. If it matches one of the rules, decide whether to accept or discard the packet based on that rule.
If there is no match with any rule, take the default action. The default action can be to discard all packets or to accept all packets.
Application Gateway
Applies security mechanisms to specific applications, such as FTP and Telnet servers. An application gateway is also called a proxy server (deputy or substitute). The proxy server effectively hides the true network addresses.
Working of Application Gateway
[Figure: application gateway with HTTP, SMTP, FTP and TELNET proxies; inside connection on one side, outside connection on the other.]
An internal user contacts the application gateway using a TCP/IP application, such as HTTP or TELNET.
The application gateway asks the user about the remote host with which the user wants to set up a connection for actual communication.
The application gateway now accesses the remote host on behalf of the user and passes the packets of the user to the remote host.
Circuit gateway
[Figure: Inside host (IP address 178.29.10.90) sends an IP packet with source address 178.29.10.90 to the application gateway (IP address 178.29.10.70; HTTP, SMTP, FTP, TELNET proxies). The gateway forwards an IP packet to the outside host with source address 178.29.10.70.]
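The exchange on the last two slides (the user contacting the gateway, the gateway connecting to the remote host on the user's behalf, and the outside host seeing only the gateway's address), as an added example that is not part of the original slides. The gateway address 178.29.10.70 and the inside host 178.29.10.90 are from the figure; the outside host address, the proxied application ports, the session-table design and the payloads are assumptions made for the example.

```python
# Added example, not from the original slides: a model of the application
# gateway (proxy) exchange. The inside host contacts the gateway, names the
# remote host, and the gateway opens the outside connection itself, so the
# outside host sees only the gateway's address, never the inside host's.
# Replies are mapped back through a session table; an inbound packet that
# matches no session is dropped.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GATEWAY_ADDR = "178.29.10.70"   # from the slide figure
INSIDE_HOST = "178.29.10.90"    # from the slide figure
OUTSIDE_HOST = "203.0.113.5"    # constructed (documentation address range)

# Applications the gateway proxies (from the figure); ports are assumed.
PROXIED_APPS = {"HTTP": 80, "SMTP": 25, "FTP": 21, "TELNET": 23}


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    sport: int
    dport: int
    payload: str


class ApplicationGateway:
    def __init__(self, addr: str, proxied: Dict[str, int] = PROXIED_APPS):
        self.addr = addr
        self.proxied = proxied
        self._next_port = 50000
        # outside-facing source port -> (inside host, inside port, app port)
        self.sessions: Dict[int, Tuple[str, int, int]] = {}

    def inside_request(self, pkt: IPPacket, app: str, remote_host: str) -> Optional[IPPacket]:
        """Inside user contacts the gateway for `app` and names `remote_host`.
        Returns the packet the gateway sends outward, or None if refused."""
        if pkt.dst != self.addr:
            return None                 # gateway only handles traffic addressed to itself
        app_port = self.proxied.get(app)
        if app_port is None or pkt.dport != app_port:
            return None                 # no proxy for this application: refused
        out_port = self._next_port      # gateway picks its own source port
        self._next_port += 1
        self.sessions[out_port] = (pkt.src, pkt.sport, app_port)
        # The gateway contacts the remote host on the user's behalf, so the
        # outside packet carries the gateway's address as its source.
        return IPPacket(self.addr, remote_host, out_port, app_port, pkt.payload)

    def outside_reply(self, pkt: IPPacket) -> Optional[IPPacket]:
        """Map a reply from the remote host back to the inside host that asked."""
        if pkt.dst != self.addr or pkt.dport not in self.sessions:
            return None                 # unsolicited: no inside host is reachable
        inside_host, inside_port, app_port = self.sessions[pkt.dport]
        return IPPacket(self.addr, inside_host, app_port, inside_port, pkt.payload)


def http_exchange() -> dict:
    """Constructed HTTP session plus a refused application and an unsolicited probe."""
    gw = ApplicationGateway(GATEWAY_ADDR)
    request = IPPacket(INSIDE_HOST, GATEWAY_ADDR, 40000, 80, "GET / HTTP/1.0")
    outbound = gw.inside_request(request, "HTTP", OUTSIDE_HOST)
    reply = IPPacket(OUTSIDE_HOST, GATEWAY_ADDR, 80, outbound.sport, "HTTP/1.0 200 OK")
    inbound = gw.outside_reply(reply)
    refused = gw.inside_request(IPPacket(INSIDE_HOST, GATEWAY_ADDR, 40001, 22, "SSH-2.0"), "SSH", OUTSIDE_HOST)
    probe = gw.outside_reply(IPPacket(OUTSIDE_HOST, GATEWAY_ADDR, 80, 51234, "probe"))
    return {
        "outside_sees_src": outbound.src,       # gateway address, not the inside host
        "outside_sees_dst": outbound.dst,
        "reply_dst": inbound.dst,               # delivered to the inside host
        "reply_dport": inbound.dport,           # on the port it originally used
        "ssh_refused": refused is None,
        "probe_dropped": probe is None,
    }


if __name__ == "__main__":
    for key, value in http_exchange().items():
        print(f"{key:18s} {value}")
```

The outside host only ever learns 178.29.10.70; the mapping back to 178.29.10.90 lives solely in the gateway's session table, which is what the slide means by the proxy hiding the true network addresses.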
Firewall configurations
Screened Host Firewall, Single-Homed Bastion
[Figure: application gateway with HTTP, SMTP, FTP and TELNET proxies, connected to the Internet.]
The packet filter ensures that incoming traffic is allowed only if it is destined for the application gateway, by examining the destination address field.
It also ensures that outgoing traffic is allowed only if it originates from the application gateway, by examining the source address field.
The application gateway performs authentication and proxy functions.
Advantages: This configuration increases the security of the network by performing checks at both the packet and application level.
Disadvantages: The internal users are connected to the application gateway and the packet filter. So if the packet filter is attacked, then the whole network is exposed to the attacker.
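A simulator for the packet filter described under "Functioning of packet filter" (ordered rules over IP and transport header fields, first match wins, default action when nothing matches), applied to the rule set of the screened-host, single-homed bastion slide above. This is an added example, not code from the original slides. The gateway address 178.29.10.70 and inside host 178.29.10.90 are from the slides; the outside host address, the rule syntax and the second "default accept" filter are assumptions constructed for the example.

```python
# Added example, not from the original slides: a packet-filter simulator.
# A packet is reduced to its IP/transport header fields (the filter never
# reads the payload); rules are checked in order, first match wins, and the
# configured default action applies when no rule matches. The screened-host
# rule set accepts inbound traffic only if its destination is the gateway
# and outbound traffic only if its source is the gateway.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" = arriving from the Internet, "out" = leaving
    src: str                      # source IP address (IP header)
    dst: str                      # destination IP address (IP header)
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (transport header), if any


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "discard"
    direction: str = "any"
    src: str = "0.0.0.0/0"        # CIDR the source address must fall into
    dst: str = "0.0.0.0/0"        # CIDR the destination address must fall into
    proto: str = "any"
    dport: Optional[int] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


class PacketFilter:
    def __init__(self, rules, default: str = "discard"):
        self.rules = list(rules)
        self.default = default    # action taken when no rule matches

    def decide(self, pkt: Packet) -> str:
        # First matching rule decides; otherwise fall back to the default action.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


GATEWAY = "178.29.10.70"        # application gateway address from the slides
INSIDE_HOST = "178.29.10.90"    # inside host address from the slides
OUTSIDE_HOST = "203.0.113.5"    # constructed Internet host (documentation range)

# Screened-host, single-homed bastion: only the destination of inbound and
# the source of outbound packets are examined; everything else is discarded.
screened_host = PacketFilter(
    rules=[
        Rule("accept", direction="in", dst=f"{GATEWAY}/32"),
        Rule("accept", direction="out", src=f"{GATEWAY}/32"),
    ],
    default="discard",
)

# The other choice of default action from the slides: accept everything
# except one explicitly discarded service (inbound Telnet, TCP/23).
block_telnet = PacketFilter(
    rules=[Rule("discard", direction="in", proto="tcp", dport=23)],
    default="accept",
)


def screened_host_decisions() -> dict:
    """Four representative packets through the screened-host filter."""
    return {
        "in_to_gateway": screened_host.decide(Packet("in", OUTSIDE_HOST, GATEWAY, "tcp", 80)),
        "in_to_inside_host": screened_host.decide(Packet("in", OUTSIDE_HOST, INSIDE_HOST, "tcp", 80)),
        "out_from_gateway": screened_host.decide(Packet("out", GATEWAY, OUTSIDE_HOST, "tcp", 80)),
        "out_from_inside_host": screened_host.decide(Packet("out", INSIDE_HOST, OUTSIDE_HOST, "tcp", 80)),
    }


def block_telnet_decisions() -> dict:
    """Three packets through the default-accept filter."""
    return {
        "in_telnet": block_telnet.decide(Packet("in", OUTSIDE_HOST, INSIDE_HOST, "tcp", 23)),
        "in_http": block_telnet.decide(Packet("in", OUTSIDE_HOST, INSIDE_HOST, "tcp", 80)),
        "in_ping": block_telnet.decide(Packet("in", OUTSIDE_HOST, INSIDE_HOST, "icmp")),
    }


if __name__ == "__main__":
    for name, verdict in {**screened_host_decisions(), **block_telnet_decisions()}.items():
        print(f"{name:22s} -> {verdict}")
```

The screened-host rule set never mentions the inside host at all: a packet from the Internet addressed directly to 178.29.10.90 falls through both accept rules and hits the discard default, which is exactly the check the slide describes on the destination address field.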
Screened Host Firewall, Dual-Homed Bastion
[Figure: application gateway with HTTP, SMTP, FTP and TELNET proxies, connected to the Internet.]
Direct connections between the internal hosts and the packet filter are avoided.
The packet filter connects only to the application gateway, which in turn has a separate connection with the internal hosts.
Therefore if the packet filter is successfully attacked, only the application gateway is visible to the attacker. The internal hosts are protected.
Screened Subnet Firewall
[Figure: Internet - packet filter - application gateway - packet filter - internal network.]
Two packet filters are used, one between the Internet and the application gateway and another between the application gateway and the internal network.
The attacker does not come to know about the internal network unless it breaks into both the packet filters and the single application gateway standing between them.
Limitation of Firewall
Insider intrusion:
Direct Internet traffic:
Virus attack:
Security topology defines the network design and implementation from a security perspective.
Security topology covers four primary areas of concern: Design Goals, Technologies, Security Zones, Business Requirements.
Design Goals
The design goals of a security topology must deal with issues of confidentiality, integrity, availability, and accountability.
Security Zones
The term security zone describes design methods that isolate systems from other systems or networks. The following are the key aspects of creating and designing security zones: Internet, Intranet, Extranet, DMZ.
DMZ
A Demilitarized Zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server using your network, but others are not able to access other resources in your network. This can be accomplished using firewalls to isolate your network.
Technologies
Virtual Local Area Networks (VLANs), Network Address Translation (NAT) and Tunneling.
Tunneling
Tunneling refers to the ability to create a virtual dedicated connection between two systems or networks. The tunnel is created between the two ends by encapsulating the data in a mutually agreed upon protocol for transmission. In most tunnels, the data passed through the tunnel appears at the other side as part of the network. Tunneling protocols usually include data security as well as encryption.