Firewall Workshop

Network Security Group


Objectives

• Introduce Firewall Fundamentals
• Learn about Firewall Types
  – Packet Filters
  – Application Proxy
  – Stateful Inspection
• Learn about various Firewall design construction techniques

Firewall Fundamentals

• A Network Security Interface between two networks
• Acts as a barrier between a secure and an open environment
• First in the Line of Defense
• Key objectives of Firewalls
  – Enforce Security Policies
  – Permit access based only upon strong access controls and predefined roles
  – Create Security Domains consistent with information classification
  – Eliminate Unwanted traffic

Firewall Fundamentals (Contd.)

  – Isolate secure domains from hostile domains
    • May be internal or external
  – Permit the secure domain to touch the hostile domain but not the other way round
• Internal Firewalls
  – Used to create Security Domains
  – Protection for sensitive departments or applications
  – Used to add Security Layers
  – Forcing an external intruder to breach several firewalls to get the sensitive information

Firewall Fundamentals (Contd.)

• External Firewalls
  – May be multi-layered
  – Outside to protect the DMZ (De-militarized Zone)
  – Inside to protect the balance of the organization
• Firewall Policies
  – Recommended
    • Anything not allowed explicitly is forbidden
  – Not Recommended
    • Anything not explicitly forbidden is allowed

Firewall Fundamentals (Contd.)

• Firewalls cannot protect against
  – Any intrusion that bypasses the Firewall
  – Employee Misconduct
  – Employee Ignorance
    • Sharing Passwords
    • Responding to Social Engineering Probes without verification
    • Running downloaded software without Virus Checks
• Improper Firewall selection and usage
• Firewalls are not forever and may be defeated in the best of environments
• No one Firewall is ideal for all applications
• Different vendors use different design criteria
• Commercial Firewalls are often combinations of firewall technologies

Firewall Types

• Packet Filter
• Application Proxy
• Stateful Inspection

Firewall Types-Packet Filter

• Basic Firewall
• Suitable when the security requirements are low
• Often used as an Internal Firewall when there is an external firewall providing enhanced protection
• Implemented at the IP Layer in TCP/IP
• Looks at source and destination addresses; filters information based on the contents of the packet header
• Not recommended for sensitive data protection
• Configured using Access Control Lists

Firewall Types-Packet Filter (Contd.)

• Problems with Packet Filters
  – Won’t permit FTP without opening up
  – Won’t permit external access
• When are Packet Filters NOT the best solution?
  – The internal domain is very sensitive
    • Mission Critical client-server applications
    • Financial Resources
  – High Profile Site (attracts intrusions)
  – Very complex internetworks

Firewall Types-Packet Filter (Contd.)

• Routers act as Packet Filter Firewalls
• Problems with Routers when used as a Firewall
  – Created to pass traffic, not to reject it
  – Easy to misconfigure
  – Function based upon packet header information
    • Addresses
    • Ports
  – Do not care about applications accessed or executed

Firewall Types-Application Proxy

• Operates at the application layer
• Opens up a port only when necessary and under pre-defined circumstances
• Hides the internal network
• No direct connection between the source and destination hosts
• Uses more resources in the machine acting as Application Proxy

Firewall Types-Application Proxy (Contd.)

• An Application Proxy needs to be aware of the applications for which it is proxying
• Most secure Firewall type
• Benefits
  – Doesn’t depend upon packet header information
  – Deals with the application layer, not the TCP/IP layers, which can be spoofed
  – Provides user authentication features
  – Easy to configure to enforce security policy

Firewall Types-Stateful Inspection

• Overcomes the disadvantages inherent in Packet Filters and Application Proxies
• Works at all layers from the Network Layer to the Application Layer
• Opens ports only when necessary
• Follows a ‘Default Deny’ policy for all ports
• Hides internal IP addresses using NAT
• Direct connection exists between source and destination

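As an added illustration that is not part of the workshop slides, the Python simulation below contrasts a stateless packet filter evaluating an Access Control List under the recommended default-deny policy with stateful inspection that tracks permitted connections and opens a port only for them. The ACL, addresses and ports are constructed for the example; the `widened` ACL shows the kind of broad inbound rule a stateless filter needs before reply traffic can get through at all.

```python
from collections import namedtuple
import ipaddress

# src/dst are IP addresses, sport/dport are ports, syn marks a TCP connection's first packet.
Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))

# Constructed ACL. A packet filter looks only at header fields (addresses, ports);
# rules are checked top-down and a packet that matches nothing gets the default action.
ACL = [
    ("allow", "10.0.0.0/8", "any", "0.0.0.0/0", 80),    # internal hosts -> any web server
    ("allow", "10.0.0.0/8", "any", "0.0.0.0/0", 443),
]

def _match(addr, port, cidr, rule_port):
    in_net = cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
    return in_net and (rule_port == "any" or port == rule_port)

def stateless_filter(pkt, acl=ACL, default="deny"):
    """Packet-filter decision; default='deny' is the recommended 'not allowed = forbidden' policy."""
    for action, src, sport, dst, dport in acl:
        if _match(pkt.src, pkt.sport, src, sport) and _match(pkt.dst, pkt.dport, dst, dport):
            return action
    return default

class StatefulFilter:
    """Same ACL for new connections, plus a state table for their return traffic."""
    def __init__(self, acl=ACL):
        self.acl = acl
        self.sessions = set()   # (src, sport, dst, dport) of connections already permitted

    def check(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"      # reply to a tracked connection: the port is open only for it
        if pkt.syn and stateless_filter(pkt, self.acl) == "allow":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"           # default deny, including unsolicited inbound packets

def demo():
    """Outbound web request, its reply, and an unsolicited inbound packet (constructed)."""
    request = Packet("10.1.2.3", 51000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "10.1.2.3", 51000)
    stray = Packet("203.0.113.5", 80, "10.1.2.3", 51001)   # no session for this port
    widened = ACL + [("allow", "any", 80, "10.0.0.0/8", "any")]   # what a stateless ACL needs for replies
    sf = StatefulFilter()
    return {"stateless": [stateless_filter(p) for p in (request, reply, stray)],
            "stateless_widened": [stateless_filter(p, widened) for p in (request, reply, stray)],
            "stateful": [sf.check(p) for p in (request, reply, stray)]}
```

The widened ACL lets the reply in but also lets the stray packet in, whereas the stateful filter admits only the reply to the connection it already permitted.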
Firewall Connectivity Designs

• Dual Homed
• Gate & Choke
• Bastion Host
• Triple Homed

Dual Homed Firewall Design

• Firewall with two interface cards
• Segregates the network into two security domains

[Diagram: Internet -> Router -> LL -> Firewall -> Internal Network]

Gate & Choke Firewall Design

• Firewall with two interface cards
• Segregates the network into two security domains
• Gate Server is a Proxy server acting as proxy for accessing the web

[Diagram: Internet -> Router -> LL -> Gate -> Firewall -> Internal Network]

Bastion Host Configuration

• Firewall with two interface cards
• Segregates the network into two security domains
• Bastion Host provides an additional security layer

[Diagram: Internet -> Router -> LL -> Firewall -> Proxy/AAA Server -> Internal Network]

Triple Homed Configuration

• Firewall with two interface cards
• Segregates the network into two security domains
• Public Servers like Web/Mail/AAA Server are connected to another interface of the Firewall

[Diagram: Internet -> Router -> LL -> Firewall; Web/AAA/Mail Servers and Internal Network on separate Firewall interfaces]

Q&A
Thank You!
