
An Introduction to Firewall Technology

E-Mail: Jason_Pan@tc.syscom.com.tw
TEL: 04-2202-1221

Agenda
What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
What is a VPN


What is a Firewall?
A firewall:
  Acts as a security gateway between two networks
  Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
  Tracks and controls network communications
  Decides whether to pass, reject, encrypt, or log communications (Access Control)
Diagram: Corporate Network Gateway between the Corporate Site and the Internet; traffic to the Internet is allowed, traffic from the Internet is blocked.

Why Firewalls are Needed
Prevent attacks from untrusted networks
Protect data integrity of critical information
Preserve customer and partner confidence

Evolution of Firewalls
Diagram: stages of evolution, covering Packet Filter, Application Proxy and Stateful Inspection (each described on the following slides).

Packet Filter
Packets examined at the network layer
Useful first line of defense; commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers
Diagram: OSI stacks of the two end hosts and of the firewall; the packet filter operates at the Network layer only.

Application Gateway or Proxy
Packets examined at the application layer
Application/content filtering possible (prevent FTP put commands, for example)
Modest performance
Scalability limited
Diagram: OSI stacks of the two end hosts and of the proxy; the proxy implements the full stack up to the Application layer.

Stateful Inspection
Packets inspected between the data link layer and the network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
Diagram: OSI stacks of the two end hosts and of the firewall; the INSPECT Engine sits between the Data Link and Network layers and consults Dynamic State Tables.
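The difference between a stateless packet filter and stateful inspection, as an added example that is not part of the original slides: a minimal state table keyed on connections opened from the inside, run over constructed traffic (the 10.0.0.x inside network, the telnet peer 172.30.0.50 and all flag strings are assumptions for illustration).

```python
from dataclasses import dataclass
INTERNAL_PREFIX = "10.0.0."   # constructed: the protected (trusted) network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # simplified TCP flags: "SYN", "SYN-ACK", "ACK"

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(pkt: Packet) -> str:
    """Stateless rules, like a router ACL: allow anything outbound, and allow
    inbound packets unless they are a bare SYN (a new connection attempt).
    Having no memory, it cannot tell a real reply from a crafted ACK."""
    if is_internal(pkt.src):
        return "accept"
    return "reject" if pkt.flags == "SYN" else "accept"

class StatefulInspector:
    """Keeps a dynamic state table of connections opened from the inside and
    accepts an inbound packet only if it belongs to one of them."""
    def __init__(self):
        self.table = set()    # (inside ip, inside port, outside ip, outside port)

    def process(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            if pkt.flags == "SYN":                  # inside opens a connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed for inbound
        return "accept" if key in self.table else "reject"

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    inspector = StatefulInspector()
    return [(packet_filter(p), inspector.process(p)) for p in packets]

# Constructed traffic: 10.0.0.2 telnets to 172.30.0.50 (addresses from the PAT
# slide), then two inbound packets that no inside host asked for.
SAMPLE = [
    Packet("10.0.0.2", 49090, "172.30.0.50", 23, "SYN"),      # legitimate outbound
    Packet("172.30.0.50", 23, "10.0.0.2", 49090, "SYN-ACK"),  # matching reply
    Packet("172.30.0.50", 23, "10.0.0.3", 49090, "ACK"),      # no such session
    Packet("203.0.113.9", 4444, "10.0.0.2", 23, "SYN"),       # unsolicited connection
]
```

Only the third packet separates the two designs: the stateless filter lets a non-SYN packet through because it looks like a reply, while the state table shows that no inside host ever opened that connection.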

Network Address Translation (NAT)
Converts a network's illegal (internally assigned, non-routable) IP addresses to legal, public IP addresses
Hides the true addresses of individual hosts, protecting them from attack
Allows more devices to be connected to the network
Diagram: Corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind a gateway with public IP address 219.22.165.1 on the Internet.

Port Address Translation (Hiding)
Two internal hosts use the same source port towards the same server; PAT multiplexes them behind the single global address 192.168.0.15 by rewriting the source port:

Inside (before translation)         Outside (after translation)
10.0.0.2:49090 -> 172.30.0.50:23    192.168.0.15:2000 -> 172.30.0.50:23
10.0.0.3:49090 -> 172.30.0.50:23    192.168.0.15:2001 -> 172.30.0.50:23
PAT Global address: 192.168.0.15
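The translation table behind the slide's PAT scenario, as an added example (not code from the original presentation): outbound flows are keyed on the full inside 4-tuple, replies are mapped back by translated port, and anything that matches no flow is dropped. The starting port 2000 and the addresses 198.51.100.7 and 192.168.0.15 are taken from or constructed to match the slide.

```python
class PortAddressTranslator:
    """Many inside hosts share one global address; the translated source port
    is what lets replies find their way back to the right inside host."""
    def __init__(self, global_ip: str, first_port: int = 2000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.by_inside = {}    # (src, sport, dst, dport) -> translated port
        self.by_global = {}    # translated port -> (src, sport, dst, dport)

    def translate_out(self, src, sport, dst, dport):
        """Rewrite the source of an outbound packet, allocating a port on first use."""
        flow = (src, sport, dst, dport)
        if flow not in self.by_inside:
            gport = self.next_port
            self.next_port += 1
            self.by_inside[flow] = gport
            self.by_global[gport] = flow
        return (self.global_ip, self.by_inside[flow], dst, dport)

    def translate_in(self, src, sport, dst, dport):
        """Rewrite the destination of an inbound packet back to the inside host.
        Packets matching no flow are dropped (None): this is the slide's
        'hiding', since nothing inside is reachable unless it spoke first."""
        flow = self.by_global.get(dport)
        if dst != self.global_ip or flow is None:
            return None
        isrc, isport, osrc, osport = flow
        if (src, sport) != (osrc, osport):   # reply must come from the peer we talked to
            return None
        return (src, sport, isrc, isport)

def demo():
    """Reproduce the slide's scenario: two inside hosts both use source port
    49090 towards 172.30.0.50:23 and are multiplexed behind 192.168.0.15."""
    pat = PortAddressTranslator("192.168.0.15")
    a = pat.translate_out("10.0.0.2", 49090, "172.30.0.50", 23)
    b = pat.translate_out("10.0.0.3", 49090, "172.30.0.50", 23)
    a_again = pat.translate_out("10.0.0.2", 49090, "172.30.0.50", 23)  # same flow, same port
    reply_b = pat.translate_in("172.30.0.50", 23, "192.168.0.15", 2001)
    stray = pat.translate_in("198.51.100.7", 23, "192.168.0.15", 2001)  # wrong peer
    unsolicited = pat.translate_in("172.30.0.50", 23, "192.168.0.15", 2002)  # no flow
    return a, b, a_again, reply_b, stray, unsolicited
```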

Personal Firewalls
Need arises from always-on connections
Your PC is not protected enough by your OS
Intrusion detection facilities
Different levels of security
Templates



Firewall Deployment
Corporate Network Gateway
  Protect internal network from attack
  Most common deployment point
Demilitarized Zone (DMZ)
  Public Servers
Diagram: Internet, Corporate Network Gateway, DMZ with Public Servers, and the Corporate Site including the Human Resources Network.

Firewall Deployment
Corporate Network Gateway
Internal Segment Gateway
  Protect sensitive segments (Finance, HR, Product Development)
  Provide second layer of defense
  Ensure protection against internal attacks and misuse
Diagram: Internal Segment Gateway in front of the Human Resources Network, behind the Corporate Network Gateway; the Demilitarized Zone holds the publicly accessible servers.

Firewall Deployment
Corporate Network Gateway
Internal Segment Gateway
Server-Based Firewall
  Protect individual application servers
  Protect files
Diagram: Server-Based Firewall on the SAP Server inside the Corporate Site, alongside the Human Resources Network, the DMZ Public Servers and the Internet.

Firewall Deployment
Hardware appliance based firewall
  Single platform, software pre-installed
  Can be used to support small organizations or branch offices with little IT support
Software based firewall
  Flexible platform deployment options
  Can scale as organization grows


Summary
Firewalls are the foundation of an enterprise security policy
Stateful Inspection is the leading firewall technology



What is a VPN?
A VPN is a private connection over an open network
A VPN includes authentication and encryption to protect data integrity and confidentiality
Diagram: Acme Corp Site 1 and Acme Corp Site 2 connected by a VPN across the Internet.

Why Use Virtual Private Networks?
More flexibility
  Leverage ISP point of presence
  Use multiple connection types (cable, DSL, T1, T3)
More scalability
  Add new sites, users quickly
  Scale bandwidth to demand
Lower costs
  Reduced frame relay/leased line costs
  Reduced long distance costs
  Reduced equipment costs (modem banks, CSU/DSUs)
  Reduced technical support

Most attacks originate within an organization



Types of VPNs
Remote Access VPN
  Provides access to internal corporate network over the Internet
  Reduces long distance, modem bank, and technical support costs
  PAP, CHAP, RADIUS
  Diagram: remote access to the Corporate Site over the Internet.
Site-to-Site VPN
  Connects multiple offices over the Internet
  Reduces dependencies on frame relay and leased lines
  Diagram: Branch Office connected to the Corporate Site over the Internet.
Extranet VPN
  Provides business partners access to critical information (leads, sales tools, etc.)
  Reduces transaction and operational costs
  Diagram: Partner #1 and Partner #2 connected to the Corporate Site over the Internet.
Client/Server VPN
  Protects sensitive internal communications
  Diagram: LAN clients with sensitive data connected to a Database Server, with the Internet alongside.

Components of a VPN
Encryption
Key management
Message authentication
Entity authentication

Encryption
Current standards: DES and Triple-DES
  Over 20 years in the field
AES beginning deployment
  New standard
  More computationally efficient
  Longer keys = more secure
Diagram: traffic from Joe's PC to the HR Server is encrypted; all other traffic (Mary's PC, E-Mail Server) is cleartext.

Key Management
Public key cryptosystems enable secure exchange of private crypto keys across open networks
Re-keying at appropriate intervals
IKE = Internet Key Exchange protocols
  Incorporates ISAKMP/Oakley

Authentication
IPsec standards focus on authentication of two network devices to each other
  IP address/preshared key
  Digital certificates
User authentication is added on top if required
  RADIUS and TACACS+ are the standard protocols for authentication servers
  XAUTH is being added to the standards to address user authentication





Point-to-Point Tunneling Protocol (PPTP)
Layer 2 remote access VPN distributed with Windows product family
Addition to Point-to-Point Protocol (PPP)
Allows multiple Layer 3 protocols
Uses proprietary authentication and encryption
Limited user management and scalability
Known security vulnerabilities
Diagram: Remote PPTP Client -> ISP Remote Access Switch -> Internet -> PPTP RAS Server -> Corporate Network.

Layer 2 Tunneling Protocol (L2TP)
Layer 2 remote access VPN protocol
Combines and extends PPTP and L2F (Cisco-supported protocol)
Weak authentication and encryption
Does not include packet authentication, data integrity, or key management
Must be combined with IPSec for enterprise-level security
Diagram: Remote L2TP Client -> ISP L2TP Concentrator -> Internet -> L2TP Server -> Corporate Network.

Internet Protocol Security (IPSec)
Layer 3 protocol for remote access, intranet, and extranet VPNs
Internet standard for VPNs
Provides flexible encryption and message authentication/integrity
Includes key management



Components of an IPSec VPN
Component               Mechanisms
Encryption              DES, 3DES, and more
Message Authentication  HMAC-MD5, HMAC-SHA-1, or others
Entity Authentication   Digital Certificates, Shared Secrets, Hybrid Mode IKE
Key Management          Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
All managed by security associations (SAs)
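The message authentication component of the table above, as an added example (not from the original slides) using HMAC-SHA-1 from the Python standard library: the sender appends a keyed Integrity Check Value, the receiver recomputes it and rejects anything modified in transit or protected under a different key. The shared key and header fields are constructed; the 96-bit truncation follows how IPsec AH/ESP use HMAC-SHA-1 (RFC 2404).

```python
import hmac
import hashlib

ICV_LEN = 12   # 96 bits: IPsec truncates the HMAC-SHA-1 output to 96 bits

def compute_icv(key: bytes, protected: bytes) -> bytes:
    """Integrity Check Value over the protected bytes (header + payload).
    The key is what distinguishes this from a bare hash like MD5 or SHA-1."""
    return hmac.new(key, protected, hashlib.sha1).digest()[:ICV_LEN]

def protect(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Sender side: append the ICV to the message."""
    return header + payload + compute_icv(key, header + payload)

def verify(key: bytes, message: bytes):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns the protected bytes on success, None if the check fails."""
    if len(message) <= ICV_LEN:
        return None
    protected, icv = message[:-ICV_LEN], message[-ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(key, protected)):
        return None
    return protected

def demo():
    """Three receiver outcomes: intact message, one flipped payload bit, wrong key."""
    key = b"constructed-shared-secret"        # in IPsec this comes from IKE, not a constant
    header = b"SPI=0x1000;SEQ=1;"              # constructed stand-in for AH/ESP header fields
    payload = b"The cow jumped over the moon"  # the slides' sample clear text
    msg = protect(key, header, payload)
    tampered = bytearray(msg)
    tampered[len(header)] ^= 0x01             # a single bit changed in transit
    return (verify(key, msg) == header + payload,
            verify(key, bytes(tampered)) is None,
            verify(b"other-key", msg) is None)
```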

Encryption Explained
Used to convert data to a secret code for transmission over an untrusted network
Diagram: Clear Text "The cow jumped over the moon" -> Encryption Algorithm -> Encrypted Text "4hsd4e3mjvd3sda1d38esdf2w4d".

Symmetric Encryption
Same key used to encrypt and decrypt message
Faster than asymmetric encryption
Examples: DES, 3DES, RC5, Rijndael
Diagram: one Shared Secret Key held by both parties.

Asymmetric Encryption
Different keys used to encrypt and decrypt message (one public, one private)
Examples include RSA, DSA, SHA-1, MD-5
Diagram: Bob encrypts with Alice's Public Key; Alice decrypts with Alice's Private Key.

Table: Internet security protocols and the algorithms they use (reconstructed from the slide)
Protocol            Algorithms
PGP                 IDEA, RSA, MD5
S/MIME              (not recoverable from the slide)
SSL (over TCP/IP)   RSA, RC2, RC4, MD5, 3-DES
PCT (over TCP/IP)   RSA, RC2, RC4, MD5
S-HTTP (over HTTP)  RSA, DES
SET & CyberCash     RSA, MD5, RC2
DNSSEC              RSA, MD5
IPSec (over IP)     Diffie-Hellman, DES, 3DES, RC4, IDEA
Kerberos            DES
SSH                 RSA, Diffie-Hellman, DES, 3-DES, Blowfish


DES Keys
Table: key lengths compared (40-Bit, 56-Bit, 168-Bit 3-DES); the row labels and cell values did not survive extraction.


Secure Virtual Network Architecture
Diagram: VPN-1/FireWall-1 Gateway with StoneBeat FullCluster at the Corporate Network (Router, LDAP Directory, FloodGate-1 QoS, RSA ACE/Server, ISS RealSecure Intrusion Detection, VPN-1 Accelerator Card, RSA Advanced PKI, RSA ACE/Agent); Web Server Pool and Extranet Application Server with ConnectControl Server Load Balancing and VPN-1 SecureServer; Enterprise Management Console (Policy-based Management, Reporting, Account Management, Open Security Extension); FireWall-1 with Trend InterScan, WebManager, eManager and StoneBeat Security Cluster.
Connected sites: Extranet Partner Site with an IPSec-compliant Gateway; Remote Office with a VPN-1/FireWall-1 Nokia Appliance; Remote Users on Dial-up and Broadband with VPN-1 SecuRemote or SecureClient and RSA SecurID.

Thank You!
