Firewalls : usage. Data encryption Access control : usage restriction on some protocols/ports/services Authentication : only authorized users and hosts (machines) Monitoring for further auditing Packet filtering Compliance with the specified protocols Virus detection - PowerPoint PPT Presentation
Firewalls : usage
• Data encryption
• Access control : usage restriction on some protocols/ports/services
• Authentication : only authorized users and hosts (machines)
• Monitoring for further auditing
• Packet filtering
• Compliance with the specified protocols
• Virus detection
• Isolation of the internal network from the Internet
• Connection proxies (masking of the internal network)
• Application proxies (masking of the « real » software)
Firewalls : basics
• All packets exchanged between the internal and the external domains go through the FW that acts as a gatekeeper
– external hosts « see » the FW only
– internal and external hosts do not communicate directly
– the FW can take very sophisticated decisions based on the protocol implemented by the messages
– the FW is the single access point => the natural place for authentication and monitoring
– decisions are taken according to a set of “flow rules”
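As an added example (not from the slides), a small first-match evaluator for such flow rules, written in Python. It encodes the usual policy of a screened subnet: exterior hosts may reach only the public services in the DMZ, internal hosts may initiate outbound traffic, nothing from outside reaches the internal network directly, and anything no rule covers is denied. The address ranges, the service list and the Packet/Rule types are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical packet header: only the fields the flow rules look at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" matches any address
    dst: str
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


# Constructed address plan (documentation ranges), not a real site.
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"

# Ordered flow rules: the first rule that matches decides.
RULES = [
    Rule("allow", ANY, DMZ, "tcp", 80, "anyone may reach the DMZ web server"),
    Rule("allow", ANY, DMZ, "tcp", 25, "anyone may reach the DMZ mail relay"),
    Rule("allow", INTERNAL, ANY, "any", None, "internal hosts may initiate outbound traffic"),
    Rule("deny", ANY, INTERNAL, "any", None, "no direct access to internal hosts from outside"),
]


def decide(p: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, reason) for one packet: first match wins, default deny.

    The default deny is what makes the FW a gatekeeper: a service that was
    never explicitly opened (e.g. ssh towards the DMZ) is blocked, and the
    reason string is what the monitoring log records.
    """
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default policy: no rule matched"


if __name__ == "__main__":
    for pkt in [Packet("203.0.113.7", "192.0.2.10", "tcp", 80),
                Packet("203.0.113.7", "10.1.2.3", "tcp", 80),
                Packet("203.0.113.7", "192.0.2.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.7", "tcp", 443)]:
        print(pkt, "->", decide(pkt))
```

The explicit deny rule at the end is redundant with the default policy, but it gives those packets a distinct reason string, which is useful when the same log feeds the auditing mentioned on the slide.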
Firewalls : architecture (I)
[Diagram: Outside world, Exterior router, DMZ (DeMilitarized Zone) holding the servers, Interior router, Internal network; the exterior router, the DMZ and the interior router together make up the Firewall]
Firewalls : architecture (II) : merging exterior and interior
[Diagram: Outside world, a single Exterior/Interior Firewall (FW) with the DMZ and its servers attached to it, Internal network]
Firewalls : architecture (III) : merging exterior FW and servers
[Diagram: Outside world, External Firewall + servers (the DMZ), Internal Firewall, Internal network. Annotation on the slide: Meh…]
Firewalls : architecture (IV) : managing multiple subnetworks
[Diagram: Outside world, Exterior/Interior Firewall with the DMZ (servers), a Backbone, and one Firewall in front of each Internal subnetwork (A and B)]
Firewalls : architecture (V) : managing multiple exterior FW
[Diagram: Exterior Firewall A (facing the Internet, with Sub-DMZ A) and Exterior Firewall B (facing e.g. a supplier network, with Sub-DMZ B) both lead to a single Interior Firewall; the DMZ with the servers sits between them and the Internal network]
Firewalls : architecture (VI) : managing multiple DMZ
[Diagram: Exterior/Interior Firewall A facing the Internet with DMZ A (Servers A); Exterior/Interior Firewall B facing e.g. a supplier network with DMZ B (Servers B); both connect to the Internal network]
Firewalls : architecture (VII) : internal FW
[Diagram: Outside world, Exterior/Interior Firewall with the DMZ (servers), Internal network, and inside it a Sensitive area protected by its own Sensitive-area Firewall]
Firewalls : some recommendations
• Bastion hosts
– better to put the bastions in a DMZ than in an internal network
– disable non-required services
– do not allow user accounts
– fix all OS bugs
– safeguard the logs
– run a security audit
– do secure backups
• Avoid putting entities with very different security requirements in the same area
Using proxies (I)
• Proxies can be used to « hide » the real servers
• Interior => Exterior traffic
– Give the internal user the illusion that she/he accesses the exterior server
– But intercept the traffic to/from the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
• Exterior => Interior traffic
– Give the external user the illusion that she/he accesses the interior server
– But intercept the traffic to the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
Using proxies (II)
• Advantage
– knowledge of the service/protocol => efficiency and « intelligent » filtering
– Ex : session tracking, stateful connection
• Disadvantages
– one proxy per service !
– may require modifications of the client
– do not exist for all services
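An added example (not from the slides) of the per-service knowledge an application proxy brings: the inspection step of a hypothetical HTTP proxy, in Python. It parses one request the way the proxy would before relaying it, checks protocol compliance (well-formed request line and headers, permitted method, Host header required for HTTP/1.1), searches the request target for blocked keywords, and produces the audit-log line for the request. The method set, keyword list and log format are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed policy of this hypothetical HTTP application proxy.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_KEYWORDS = ("../", "<script")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    log_line: str   # what the proxy writes to its request log


def inspect_request(raw: bytes, client: str) -> Verdict:
    """Parse one HTTP request as the proxy sees it and decide whether to relay it."""

    def verdict(allowed: bool, reason: str, method="-", target="-") -> Verdict:
        action = "ALLOW" if allowed else "DENY"
        return Verdict(allowed, reason, f"{client} {method} {target} {action} ({reason})")

    # The header block ends at the first empty line; without it the request is incomplete.
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return verdict(False, "incomplete header block")

    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return verdict(False, "malformed request line")
    method = m.group(1).decode()
    target = m.group(2).decode("ascii", "replace")
    minor_version = m.group(3)

    if method not in ALLOWED_METHODS:
        return verdict(False, "method not allowed", method, target)

    # Protocol compliance: every header line must be "Name: value".
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return verdict(False, "malformed header line", method, target)
        headers[name.strip().lower()] = value.strip()

    if minor_version == b"1" and b"host" not in headers:
        return verdict(False, "HTTP/1.1 request without Host header", method, target)

    # Keyword search on the request target (the part a user controls directly).
    for keyword in BLOCKED_KEYWORDS:
        if keyword in target:
            return verdict(False, f"blocked keyword {keyword!r} in target", method, target)

    return verdict(True, "compliant", method, target)


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(inspect_request(sample, "198.51.100.4").log_line)
```

Because the proxy understands the protocol it can reject a request that a packet filter would pass (a permitted port, a syntactically odd request), which is the "intelligent filtering" the slide refers to; the cost is exactly the one listed as a disadvantage: this code is useful for HTTP only.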
Static Network Address Translation (NAT) (I)
From Arkoon Inc. tutorial
[Diagram: a host of the Internal network with address xxx.xxx.xxx.xxx is seen from the outside under the address yyy.yyy.yyy.yyy presented by the FW]
Static Network Address Translation (NAT) (II)
[Diagram: the FW's table pairs xxx.xxx.xxx.xxx with yyy.yyy.yyy.yyy; packets leaving the Internal network carry source yyy.yyy.yyy.yyy, packets arriving for yyy.yyy.yyy.yyy are delivered to xxx.xxx.xxx.xxx]
• The FW maintains an address translation table
• The FW transforms address xxx.xxx.xxx.xxx into yyy.yyy.yyy.yyy in the field « source address »
• The FW transforms address yyy.yyy.yyy.yyy into address xxx.xxx.xxx.xxx in the field « destination address »
• This operation is transparent for both the exterior and the interior hosts
Applications
• Non TCP/UDP based protocols
• Pre-defined partnership addresses
• Web server, mail… (traffic to Internet)
• Application server (hidden behind a FW)
• Host known/authenticated outside with a specific address
• …
PAT : Port Address Translation (I)
From Arkoon Inc. tutorial
[Diagram: a port of the FW (2033) is mapped to the port of a server of the Internal network (80)]
• Connections are opened from an exterior host
• Translation table
• Use of fewer public addresses
• Flexible management of server ports
PAT : Port Address Translation (II)
[Diagram: user U (@IP 'U') outside; FW with @IP 'P'; two Web servers inside, @IP1 port 80 and @IP2 port 80]
Translation table of @IP « P » :
– port 80 → @IP1 : port 80
– port 81 → @IP2 : port 80
Exchanges :
– U → P:80 is rewritten to U → IP1:80 ; the reply IP1:80 → U leaves as P:80 → U
– U → P:81 is rewritten to U → IP2:80 ; the reply IP2:80 → U leaves as P:81 → U
PAT : Port Address Translation (III)
From Arkoon Inc. tutorial
[Diagram: a Web server of the Internal network reached through the FW]
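An added Python example (not from the slides or the Arkoon tutorial) that models static NAT and PAT together as the two static lookup tables described above: a 1:1 address pair (xxx.xxx.xxx.xxx ↔ yyy.yyy.yyy.yyy) and the port table of @IP « P » (port 80 → @IP1 : port 80, port 81 → @IP2 : port 80). outbound() rewrites the « source address » field and inbound() rewrites the « destination address » field, which are the two operations the NAT slide lists; the Packet type and all addresses are constructed (documentation ranges).

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticTranslator:
    """Static NAT (1:1 address mapping) plus PAT (FW port -> internal address:port).

    Both tables are fixed in advance, so the mapping is known and stable from
    the outside (a host "known/authenticated outside with a specific address").
    """

    def __init__(self, fw_addr: str, nat_pairs: List[Tuple[str, str]],
                 pat_map: Dict[int, Tuple[str, int]]):
        self.fw_addr = fw_addr
        self.nat_out = dict(nat_pairs)                          # internal -> public
        self.nat_in = {pub: priv for priv, pub in nat_pairs}    # public -> internal
        self.pat_in = dict(pat_map)                             # FW port -> (internal addr, port)
        self.pat_out = {v: k for k, v in pat_map.items()}       # (internal addr, port) -> FW port

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Packet leaving the internal network: rewrite the source field."""
        if p.src in self.nat_out:                               # static NAT
            return replace(p, src=self.nat_out[p.src])
        if (p.src, p.sport) in self.pat_out:                    # reply of a PAT-ed server
            return replace(p, src=self.fw_addr, sport=self.pat_out[(p.src, p.sport)])
        return None   # no static entry: not this table's job (masking handles such hosts)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Packet arriving from outside: rewrite the destination field."""
        if p.dst in self.nat_in:                                # static NAT
            return replace(p, dst=self.nat_in[p.dst])
        if p.dst == self.fw_addr and p.dport in self.pat_in:    # PAT
            addr, port = self.pat_in[p.dport]
            return replace(p, dst=addr, dport=port)
        return None   # nothing published under that address/port: drop


# Constructed example tables.
FW = StaticTranslator(
    fw_addr="203.0.113.1",                                       # @IP 'P'
    nat_pairs=[("10.0.0.5", "203.0.113.5")],                     # xxx.xxx.xxx.xxx <-> yyy.yyy.yyy.yyy
    pat_map={80: ("10.0.0.10", 80),                              # port 80 -> @IP1 : port 80
             81: ("10.0.0.11", 80)},                             # port 81 -> @IP2 : port 80
)

if __name__ == "__main__":
    user = "198.51.100.7"                                        # @IP 'U'
    req = Packet(user, 40000, "203.0.113.1", 81)
    print("in :", req, "->", FW.inbound(req))
    rep = Packet("10.0.0.11", 80, user, 40000)
    print("out:", rep, "->", FW.outbound(rep))
```

Neither host needs to know the table exists: the user only ever sees P:81 and the server only ever sees its own address, which is the transparency the slide describes.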
Masking (I)
From Arkoon Inc. tutorial
[Diagram: hosts of the Internal network reach a Web server outside through the FW, which presents its own address]
• Connections are opened by internal hosts
• Dynamic connection table (IP address + source port number)
• One single address is known outside (the FW address)
• Spare IP addresses
Masking (II)
[Diagram: Arkoon FW with @IP 'M'; users @IP1 and @IP2 in the Internal network; Web servers @IP 'W' and @IP 'W2' outside]
Translation table of @IP « M » :
– 1:1025 (10000) → W
– 2:1025 (10001) → W
– 2:1026 (10000) → W2
Exchanges :
– 1:1025 → W is rewritten to M:10000 → W ; the reply W → M:10000 is delivered as W → 1:1025
– 2:1025 → W is rewritten to M:10001 → W ; the reply W → M:10001 is delivered as W → 2:1025
– 2:1026 → W2 is rewritten to M:10000 → W2 ; the reply W2 → M:10000 is delivered as W2 → 2:1026
From Arkoon Inc. tutorial
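An added Python example (not from the slides or the Arkoon tutorial) of the dynamic connection table behind masking. It reproduces the three connections of the table of @IP « M » above, including the detail that FW port 10000 serves both 1:1025 → W and 2:1026 → W2: the table is keyed by the remote endpoint as well, so a port is reused as soon as the destination differs. Replies are admitted only when they match a live entry, which is why a host behind the FW is not reachable from outside on its own. The Packet type, the port allocation rule (lowest port not yet used towards that destination) and all addresses are constructed.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Dynamic masking: outbound connections are rewritten to the FW address M
    plus a FW-chosen source port; the table is built as connections open."""

    def __init__(self, fw_addr: str, first_port: int = 10000):
        self.fw_addr = fw_addr
        self.first_port = first_port
        # (internal addr, internal port, remote addr, remote port) -> FW port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # (FW port, remote addr, remote port) -> (internal addr, internal port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def _allocate(self, dst: str, dport: int) -> int:
        """Lowest FW port not already in use towards this remote endpoint (constructed rule)."""
        for port in count(self.first_port):
            if (port, dst, dport) not in self.in_table:
                return port

    def outbound(self, p: Packet) -> Packet:
        """Internal host opens (or continues) a connection: rewrite the source."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_table:
            fw_port = self._allocate(p.dst, p.dport)
            self.out_table[key] = fw_port
            self.in_table[(fw_port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.fw_addr, sport=self.out_table[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Packet from outside: only a reply to a live entry is let in."""
        entry = self.in_table.get((p.dport, p.src, p.sport))
        if entry is None:
            return None            # unsolicited: nothing behind M is published
        src, sport = entry
        return replace(p, dst=src, dport=sport)

    def table(self) -> List[str]:
        """Rendering in the slide's notation: 'host:port(FW port)->server'."""
        return [f"{src}:{sport}({fw_port})->{dst}"
                for (src, sport, dst, _dport), fw_port in self.out_table.items()]


# Constructed addresses standing in for M, IP1, IP2, W and W2.
M, IP1, IP2 = "203.0.113.1", "10.0.0.1", "10.0.0.2"
W, W2 = "198.51.100.80", "198.51.100.81"

if __name__ == "__main__":
    fw = Masquerader(M)
    for pkt in [Packet(IP1, 1025, W, 80), Packet(IP2, 1025, W, 80), Packet(IP2, 1026, W2, 80)]:
        print(pkt, "->", fw.outbound(pkt))
    print(fw.table())
    print(fw.inbound(Packet(W2, 80, M, 10000)))
```

Entries in a real firewall also expire (idle timeout, TCP close), which keeps the port space from filling up; that bookkeeping is omitted here to keep the table logic visible.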