E-Mail : Jason_Pan@tc.syscom.com.tw
TEL : 04-2202-1221
Agenda
What is a firewall
Why an organization needs a firewall
Types of firewalls and technologies
Deploying a firewall
What is a VPN
What is a Firewall ?
A firewall:
Acts as a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
[Diagram: Corporate Network Gateway placed between the Corporate Site and the Internet]
What is a Firewall ?
A firewall:
Acts as a security gateway between two networks
Tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control)
[Diagram: the Corporate Site gateway allows traffic to the Internet and blocks traffic from the Internet]
Why Firewalls are Needed
Prevent attacks from untrusted networks
Protect data integrity of critical information
Preserve customer and partner confidence
Evolution of Firewalls
Stages of evolution: Packet Filter, Application Proxy, Stateful Inspection
Packet Filter
Packets examined at the network layer
Useful first line of defense - commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers
[Diagram: OSI stacks of the two endpoints with the packet filter in between; it examines traffic at the Network layer only]
Application Gateway or Proxy
Packets examined at the application layer
Application/Content filtering possible - prevent FTP put commands, for example
Modest performance
Scalability limited
[Diagram: OSI stacks of the two endpoints with the proxy in between; it examines traffic up through the Application layer]
Stateful Inspection
Packets inspected between data link layer and network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
[Diagram: OSI stacks of the two endpoints with the INSPECT Engine in between, sitting between the Data Link and Network layers and consulting Dynamic State Tables]
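The three firewall generations above differ mainly in what they remember between packets. The following added example (not code from the slides or from Check Point) runs a stateless packet filter and a stateful one over constructed sample packets: the stateless rule set has to admit every inbound packet with source port 80 to let web replies through, while the stateful filter admits only replies to connections it recorded. The 10.0.0.0/24 internal prefix, the "allow outbound web" policy and the sample addresses are assumptions for the demo.

```python
"""Added example: a stateless packet filter beside a stateful one, run over
constructed sample packets. Addresses, ports and the "allow outbound web"
policy are assumptions for the demo, not configuration from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


INTERNAL_PREFIX = "10.0.0."   # constructed internal network


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: static rules, no memory of earlier packets.

    To let web replies back in, the rule set has to admit every inbound packet
    whose source port is 80, which also admits unsolicited packets that merely
    use 80 as their source port."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return "pass"
    if is_internal(pkt.dst) and pkt.sport == 80:
        return "pass"
    return "reject"


class StatefulFilter:
    """Stateful inspection: a state table records connections opened from the
    inside, and only packets belonging to a recorded connection are admitted
    from the outside."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return "pass"                       # belongs to a tracked connection
        if is_internal(pkt.src) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.state.add(key)                 # new outbound connection: remember it
            return "pass"
        return "reject"                         # unsolicited or unknown traffic


def run_demo() -> dict[str, str]:
    """Run both filters over three constructed packets; returns the decisions
    keyed by filter and packet name."""
    outbound_syn = Packet("10.0.0.2", 40000, "198.51.100.7", 80, syn=True)
    reply = Packet("198.51.100.7", 80, "10.0.0.2", 40000, syn=True, ack=True)
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.3", 445, syn=True)

    stateful = StatefulFilter()
    results = {}
    for name, pkt in (("outbound_syn", outbound_syn),
                      ("reply", reply),
                      ("unsolicited", unsolicited)):
        results[f"stateless/{name}"] = stateless_filter(pkt)
        results[f"stateful/{name}"] = stateful.decide(pkt)
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:24} {decision}")
```

The unsolicited packet is the instructive case: it passes the stateless filter purely because its source port is 80, but the stateful filter rejects it because no inside host ever opened that connection. A real engine also ages entries out of the state table and tracks TCP flags beyond the initial SYN; both are omitted here.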
Network Address Translation (NAT)
Converts a network's illegal IP addresses to legal or public IP addresses
Hides the true addresses of individual hosts, protecting them from attack
Allows more devices to be connected to the network
[Diagram: Corporate LAN using internal IP addresses 192.172.1.1-192.172.1.254 behind a gateway with public IP address 219.22.165.1, connected to the Internet]
Port Address Translation (Hiding)
[Diagram reconstructed as a table: two inside hosts share one PAT global address, and the translated source ports keep their flows distinct]
Inside source       PAT global source    Destination
10.0.0.2 : 49090 -> 172.30.0.50 : 2000 -> 192.168.0.15 : 23
10.0.0.3 : 49090 -> 172.30.0.50 : 2001 -> 192.168.0.15 : 23
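As an added example (not code from the slides), the PAT table above can be built and exercised in a few lines of Python. The addresses and ports are the ones on the slide; the port allocation order (first free global port 2000, then 2001) is an assumption for the demo. It also shows the "hiding" property: return traffic to a global port that was never handed out has no mapping and is dropped.

```python
"""Added example: a PAT ("hide") translation table on the slide's addresses.
Port allocation order (first free port 2000) is an assumption for the demo."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

PAT_GLOBAL = "172.30.0.50"   # the one public address shared by all inside hosts


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    def __init__(self, global_ip: str = PAT_GLOBAL, first_port: int = 2000) -> None:
        self.global_ip = global_ip
        self._free_ports = count(first_port)
        self.outbound: dict[tuple[str, int], int] = {}   # (inside ip, inside port) -> global port
        self.inbound: dict[int, tuple[str, int]] = {}    # global port -> (inside ip, inside port)

    def translate_out(self, flow: Flow) -> Flow:
        """Rewrite an outbound flow's source to the global address and a port
        unique to this inside (ip, port) pair, recording the mapping."""
        key = (flow.src_ip, flow.src_port)
        if key not in self.outbound:
            gport = next(self._free_ports)
            self.outbound[key] = gport
            self.inbound[gport] = key
        return Flow(self.global_ip, self.outbound[key], flow.dst_ip, flow.dst_port)

    def translate_in(self, flow: Flow) -> Optional[Flow]:
        """Rewrite return traffic back to the inside host. Packets addressed to
        a port with no mapping are dropped (None): an outside host cannot reach
        an inside host unless that host opened the flow first."""
        if flow.dst_ip != self.global_ip or flow.dst_port not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[flow.dst_port]
        return Flow(flow.src_ip, flow.src_port, inside_ip, inside_port)


def run_demo() -> dict:
    """Two inside hosts telnet (port 23) to 192.168.0.15 from the same source
    port; PAT keeps them apart by translated port."""
    pat = PatTable()
    out_a = pat.translate_out(Flow("10.0.0.2", 49090, "192.168.0.15", 23))
    out_b = pat.translate_out(Flow("10.0.0.3", 49090, "192.168.0.15", 23))
    # Reply to the second flow comes back to global port 2001.
    reply_b = pat.translate_in(Flow("192.168.0.15", 23, PAT_GLOBAL, out_b.src_port))
    # Unsolicited packet to a port that was never allocated: no mapping, dropped.
    unsolicited = pat.translate_in(Flow("192.168.0.15", 23, PAT_GLOBAL, 23))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, flow in run_demo().items():
        print(f"{name:12} {flow}")
```

The mapping table is exactly the connection state the slide's NAT box must keep; in practice it is also aged out after an idle timeout, which this demo omits.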
Personal Firewalls
Need arises from always-on connections
Your PC is not protected enough by your OS
Intrusion detection facilities
Different levels of security
Templates
Firewall Deployment
Corporate Network Gateway
Protect internal network from attack
Most common deployment point
[Diagram: Corporate Network Gateway between the Internet and the Corporate Site, with a Human Resources Network inside and Public Servers in a Demilitarized Zone (DMZ)]
Firewall Deployment
Internal Segment Gateway
Protect sensitive segments (Finance, HR, Product Development)
Provide second layer of defense
Ensure protection against internal attacks and misuse
[Diagram: Corporate Network Gateway at the Internet edge plus an Internal Segment Gateway in front of the Human Resources Network; Public Servers in the Demilitarized Zone (publicly-accessible servers)]
Firewall Deployment
Server-Based Firewall
Protect individual application servers
File protection
[Diagram: Corporate Network Gateway, Internal Segment Gateway, and a Server-Based Firewall on the SAP Server; Public Servers in the DMZ]
Firewall Deployment
Hardware appliance based firewall
Single platform, software pre-installed
Can be used to support small organizations or branch offices with little IT support
Software based firewall
Flexible platform deployment options
Can scale as organization grows
Summary
Firewalls are the foundation of an enterprise security policy
Stateful Inspection is the leading firewall technology
[Slide text not recovered by extraction; remaining keywords: web, email, Java, ActiveX]
What is a VPN?
A VPN is a private connection over an open network
A VPN includes authentication and encryption to protect data integrity and confidentiality
[Diagram: Acme Corp Site 1 and Acme Corp Site 2 connected by VPN gateways across the Internet]
Why Use Virtual Private Networks?
More flexibility
Leverage ISP point of presence
Use multiple connection types (cable, DSL, T1, T3)
Most attacks originate within an organization
More scalability
Add new sites, users quickly
Scale bandwidth to demand
Lower costs
Reduced frame relay/leased line costs
Reduced long distance
Reduced equipment costs (modem banks, CSU/DSUs)
Reduced technical support
Types of VPNs
Remote Access VPN
Provides access to internal corporate network over the Internet
Reduces long distance, modem bank, and technical support costs
PAP, CHAP, RADIUS
[Diagram: remote user reaching the Corporate Site across the Internet]
Site-to-Site VPN
Connects multiple offices over Internet
Reduces dependencies on frame relay and leased lines
[Diagram: Branch Office and Corporate Site connected across the Internet]
Extranet VPN
Provides business partners access to critical information (leads, sales tools, etc)
Reduces transaction and operational costs
[Diagram: Partner #1 and Partner #2 reaching the Corporate Site across the Internet]
Client/Server VPN
Protects sensitive internal communications
[Diagram: LAN clients with sensitive data connecting to the Database Server; the Internet sits outside]
Components of a VPN
Encryption
Key management
Message authentication
Entity authentication
Encryption
Current standards: DES and Triple-DES
Over 20 years in the field
AES beginning deployment
New standard
More computationally efficient
Longer keys = more secure
[Diagram: traffic from Joe's PC to the HR Server is encrypted; all other traffic (Mary's PC, E-Mail Server) is cleartext]
Key Management
Public key cryptosystems enable secure exchange of private crypto keys across open networks
Re-keying at appropriate intervals
IKE = Internet Key Exchange protocols
Incorporates ISAKMP/Oakley
Authentication
IPsec standards focus on authentication of two network devices to each other
IP address/preshared key
Digital certificates
User authentication is added on top if required
RADIUS and TACACS+ are the standard protocols for authentication servers
XAUTH is being added to the standards to address user authentication
Point-to-Point Tunneling Protocol
Layer 2 remote access VPN distributed with Windows product family
Addition to Point-to-Point Protocol (PPP)
Allows multiple Layer 3 Protocols
Uses proprietary authentication and encryption
Limited user management and scalability
Known security vulnerabilities
[Diagram: Remote PPTP Client -> ISP Remote Access Switch -> Internet -> PPTP RAS Server -> Corporate Network]
Layer 2 Tunneling Protocol (L2TP)
Layer 2 remote access VPN protocol
Combines and extends PPTP and L2F (Cisco supported protocol)
Weak authentication and encryption
Does not include packet authentication, data integrity, or key management
Must be combined with IPSec for enterprise-level security
[Diagram: Remote L2TP Client -> ISP L2TP Concentrator -> Internet -> L2TP Server -> Corporate Network]
Internet Protocol Security (IPSec)
Layer 3 protocol for remote access, intranet, and extranet VPNs
Internet standard for VPNs
Provides flexible encryption and message authentication/integrity
Includes key management
Components of an IPSec VPN
Encryption: DES, 3DES, and more
Message Authentication: HMAC-MD5, HMAC-SHA-1, or others
Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE
Key Management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
All managed by security associations (SAs)
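The Key Management slide (public key cryptosystems exchanging keys across an open network, with re-keying) and the IPSec components table above (HMAC-SHA-1 message authentication) fit together in one flow, shown here as an added example that is not code from the slides or from any IPSec implementation: two peers run a Diffie-Hellman exchange, derive one MAC key per direction from the shared secret and both nonces, and then protect a message with HMAC-SHA-1 so the receiver can detect tampering. The group (p = 2**255 - 19, g = 2), the HMAC-SHA-256 key derivation and the message layout are assumptions for the demo; they are not the IKE/Oakley groups, IKE's PRF derivation or the ESP/AH packet formats.

```python
"""Added example: the key-management and message-authentication pieces of a
VPN sketched in Python. The DH group, the key-derivation scheme and the
message layout are assumptions for the demo, not the IKE/IPSec standards."""
import hashlib
import hmac
import secrets

P = 2**255 - 19    # a known large prime used as the demo modulus (assumption)
G = 2
TAG_LEN = 20       # HMAC-SHA-1 output size in bytes


def dh_keypair() -> tuple[int, int]:
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret peer_pub^priv mod p. Degenerate public values (0, 1, p-1,
    out of range) would force a predictable secret, so they are rejected."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def derive_keys(shared: bytes, nonce_i: bytes, nonce_r: bytes) -> tuple[bytes, bytes]:
    """One MAC key per direction: extract-then-expand with HMAC-SHA-256, mixing
    in both peers' nonces so fresh nonces give fresh keys on re-keying
    (a simplification of IKE's PRF-based derivation, assumed for the demo)."""
    prk = hmac.new(nonce_i + nonce_r, shared, hashlib.sha256).digest()
    key_ir = hmac.new(prk, b"initiator->responder", hashlib.sha256).digest()
    key_ri = hmac.new(prk, b"responder->initiator", hashlib.sha256).digest()
    return key_ir, key_ri


def protect(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA-1 tag covering the payload."""
    return payload + hmac.new(key, payload, hashlib.sha1).digest()


def verify(key: bytes, message: bytes):
    """Return the payload if the tag checks out, else None. compare_digest
    keeps the comparison time independent of where the first mismatch is."""
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def run_demo() -> dict[str, bool]:
    """Initiator (i) and responder (r) exchange public values and nonces in the
    clear, derive the same keys, and the responder checks one protected message."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)

    i_key_ir, i_key_ri = derive_keys(dh_shared(i_priv, r_pub), n_i, n_r)
    r_key_ir, r_key_ri = derive_keys(dh_shared(r_priv, i_pub), n_i, n_r)

    payload = b"constructed sample payload: route update"
    message = protect(i_key_ir, payload)
    # Flip one bit of the payload in transit: the tag no longer matches.
    tampered = message[:10] + bytes([message[10] ^ 0x01]) + message[11:]

    return {
        "keys_agree": (i_key_ir, i_key_ri) == (r_key_ir, r_key_ri),
        "accepted": verify(r_key_ir, message) == payload,
        "tamper_detected": verify(r_key_ir, tampered) is None,
        "direction_bound": verify(r_key_ri, message) is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Everything that crosses the open network (public values, nonces, the protected message) is readable by an observer; only the private exponents stay local, which is why the shared secret, and therefore the MAC keys, cannot be recovered from the exchange alone. Using separate keys per direction, as IPSec does per security association, is what makes the last check fail: a message protected with the initiator-to-responder key is not accepted under the reverse key.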
Encryption Explained
Used to convert data to a secret code for transmission over an untrusted network
[Diagram: Clear Text "The cow jumped over the moon" -> Encryption Algorithm -> Encrypted Text "4hsd4e3mjvd3sd a1d38esdf2w4d"]
Symmetric Encryption
Same key used to encrypt and decrypt message
Faster than asymmetric encryption
Examples: DES, 3DES, RC5, Rijndael
[Diagram: a single Shared Secret Key used at both ends]
Asymmetric Encryption
Different keys used to encrypt and decrypt message (One public, one private)
Examples include RSA, DSA, SHA-1, MD-5
[Diagram: Bob encrypts with Alice's Public Key, sends across the Internet, and Alice decrypts with Alice's Private Key]
[Table: security protocols, what they run over, and the algorithms they use]
Protocol          Runs over   Algorithms
PGP               Internet    IDEA, RSA, MD5
S/MIME            Internet    (algorithms not recovered by extraction)
SSL               TCP/IP      RSA, RC2, RC4, MD5, 3-DES
PCT               TCP/IP      RSA, RC2, RC4, MD5
S-HTTP            HTTP        RSA, DES
SET & CyberCash   Internet    RSA, MD5, RC2
DNSSEC            Internet    RSA, MD5
IPSec             IP          Diffie-Hellman, DES, 3DES, RC4, IDEA
Kerberos          -           DES
SSH               -           RSA, Diffie-Hellman, DES, 3-DES, Blowfish
[Table: DES key lengths compared, columns 40-Bit, 56-Bit, 168-Bit (3-DES); the cell values did not survive extraction and are kept as extracted: 400 5 38 / 1 12 556 10 19 / 1 / 0.02 21 10 17]
Secure Virtual Network Architecture
[Diagram: reference architecture; the components shown are listed below by the site labels on the slide]
Corporate Network: VPN-1/FireWall-1 Gateway & StoneBeat FullCluster; VPN-1 Accelerator Card; Router; ISS RealSecure Intrusion Detection; FireWall-1 with Trend InterScan, WebManager, eManager & StoneBeat Security Cluster; FloodGate-1 QoS; LDAP Directory; RSA ACE/Server; RSA Advanced PKI; RSA ACE/Agent
Management: Enterprise Management Console; Policy-based Management; Reporting; Account Management; Open Security Extension
Extranet: Extranet Partner Site with IPSec-compliant Gateway; Web Server Pool; Extranet Application Server; ConnectControl Server Load Balancing; VPN-1 SecureServer
Remote Users (Dial-up, Broadband): VPN-1 SecuRemote & RSA SecurID; VPN-1 SecureClient & RSA SecurID
Remote Office: VPN-1/FireWall-1 Nokia Appliance
Thank You!