SlideShare a Scribd company logo

Presentation, Firewalls

Download as PPT, PDF
K
kkkseld

The document discusses firewall implementation for a company called Acme. It describes how Acme can set up firewalls to restrict access between internal and external networks and between different internal departments. Packet filtering, proxy servers, and demilitarized zones are implemented to enforce access controls and monitor network traffic flow while protecting sensitive data. The completed Acme intranet design includes multiple firewalls configured in screened subnets and dual-homed gateways to secure remote access and internal information flows.

Economy & FinanceTechnology
1 of 41
Downloaded 156 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
"And of knowledge, you (mankind) have been given only a little." Surah Al-Isra‘, verse 85.
By: Khalid El-darymli FIREWALLS
Introduction The vastness of the internet, along with the differences among its visitors, creates a most unique melting pot. It also contains a great potential for misuse, abuse and criminal activity. A number of organizations have been attacked or probed by intruders, resulting in heavy production losses and embarrassment. On 1996 the US Department of Defense announced that its computer systems were attacked 250,000 times in the preceding year and most of these attacks went undetected. The web site of the United States Information Agency which was broken by internet vandals. But all is not lost: the F IREWALL still stands as the biggest and the best weapon for keeping the evil forces lurking along the miles of the information superhighway at bay.
Data Transmission in TCP/IP Networks: The internet is like a railroad, sort of. TCP/IP and the OSI reference model.
What Are F IREWALLs ?? A firewall A F IREWALL is a system ( either software or hardware or both ) that enforces an access control policy between two networks.
What can F IREWALL protect against, and what they cannot? They Can: F irewalls are excellent at enforcing the corporate security policy . F irewalls are used to restrict access to specific services . F irewalls are singular in purpose. F irewalls are excellent auditors . F irewalls are very good at alerting appropriate people of events. They Cannot: Firewalls cannot protect against what is authorized. Firewalls are only as effective as the rules they are configured to enforce . Firewalls cannot stop social engineers or an authorized user intentionally using their access malicious purposes. Firewalls cannot fix poor administrative practices or poorly designed security policy. Firewalls cannot stop attacks in which traffic does not pass through them .
Firewall Technology Application Level e.g. Proxy Servers Network Level e.g. packet filtering Both categories together .
F IREWALL Architectures F IREWALL primarily functions using four fundamental methods: Packet Filters. Application Gateways. Circuit-level Gateways. Stateful Packet Inspection.
1- Packet Filters: A packet is like a letter. TCP/IP Packet structure.
How Packet filtering works: Creating a Rule Set: In order to provide an example of packet filtering we need to create a rule set. The rule set contains the following criteria: 1- Type of protocol. 2- Source address. 3- Destination address. 4- Source port. 5- Destination port. 6- The action the firewall should take when the rule set is not matched. (Example) Network topology for the packet filtering. (Example) Network topology for the packet filtering.
Sample packet filtering rule set. The flow of the packet filtering example. DENY
Advantages and disadvantages: Advantages: It creates little overhead, so the performance of the screening device is less impacted. It’s relatively inexpensive or even free. It provides good traffic management. Disadvantages : It allows direct connections to internal host from external clients. It leaves many holes in the network perimeter. That’s because it can only examine the traffic at the transport layer (TCP or UDP) or at the network layer (ICMP or IP protocol type). It’s difficult to manage and scale in complex environments. Because in multilayered security environment, all packet filters in both network traffic directions must be synchronized. It’s vulnerable to attacks that “spoof “ source addresses that match internal IP addressing schemes, unless it’s especially configured to prevent this issue. It offers no user authentication.
2- Application Gateways (also, proxy gateway ) Application level gateway ? DENY
How it works: Overview of application gateway virtual connections. ALLOWED ONLY SSH
Advantages and Disadvantages of Application Gateways Advantages : Application level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application level gateway need only scrutinize a few allowable applications. In addition it’s easy to log and audit all incoming traffic at the application level. Disadvantages : Prime disadvantage of the application level gateway is the additional processing overhead on each connection. In effect there are two spliced connections between the end users, with the gate way at the splice point, and the gateway must examine and forward all traffic in both directions.
3- Circuit Level Gateways: (e.g. Proxy and Socks servers) Circuit-Level gateway. www.companyName.com www.companyName.com
Disadvantages: Most circuit level gateways are configurable on a TCP port basis. This does have disadvantage in that the circuit level gateway may not examine each packet at the application layer. This allows applications to utilize TCP ports that were opened for other, legitimate applications, several peer to peer applications can be configured to run on arbitrary ports, such as TCP 80 and TCP 443 (commonly opened for web browsing). This opens the possibility for misuse and exposes potential vulnerabilities inherent in these applications. There are several other disadvantages to using circuit level gateway as a sole meaning of protecting a network. Inbound connection, are in general, not allowed, unless the functionality is built into the gateway as a separate application. Some client applications cannot be modified to support SOCKS or proxying. This would prevent them from accessing external resources through a gateway.
Bastion Host: It is a computer that is the central component in a network security architecture, often the main entrance to the network, intended to protect. It’s running a proxy software. It’s usually the most critical, and therefore the best secured, system in the network. An other kind of bastion host called a victim machine ( also called a sacrificial lamb). Bastion hosts are used in all arrangements that use a proxy server.
3- Stateful Packet Inspection: How it works: T he logic flow of stateful packet inspection.
Advantages and Disadvantages of SPI: Advantages: The connection table greatly reduces the chance that a packet will be spoofed to appear as it were part of an existing connection. The ability to look into the data of certain packet types. Disadvantages: It does not protect the internal hosts to the same degree as an application layer firewall. it does not act as proxy or setup a separate connection on behalf of the source.
Firewall Configurations 1- Screened Network (Packet Filtering Only): A simple firewall that uses a screening router
2- Dual-Homed Gateway: A dual homed host has two IP addresses.
3- Screened Host: The screened-host configuration.
Benefits & Disadvantages: Benefits : More flexible than a dual-homed gateway firewall. The rules for packet filter can be less a complex than for a screened network configuration because most or all the traffic will be directed to the application gateway. If either component fails in an “open” condition, so that it no longer blocks anything, the other component still affords some measure of protection. Disadvantages: The two components of the firewall need to be configured carefully to work together correctly. The flexibility of the system can lead to the temptation to take shortcuts that can subvert security.
4- Screened Subnet: The screened-host configuration. Demilitarized Zone
Benefits & Disadvantages: Benefits : The chief benefit is an other layer of protection. To gain access to the protected network, an attacker would have to go through two routers and the application gateway-not impossible, but more difficult than with a screened-host firewall. Disadvantages: It’s the most expensive configuration (of those described here). With three machines. Including two routers with their rule tables, configuration of the overall system can become quite complicated.
Other firewall Configuration: You can come up with variations of the configurations described here to suit your security policy. You might want to use more bastion hosts to separate traffic for different services. You could add more layers of screened subnets to deal with traffic to and from networks with varying degrees of trustworthiness.
The point: There are no hard and fast rules for how a F irewall should be set up. Just remember a couple of guidelines: Avoid the temptation to take shortcuts around more burdensome aspects of the security policy. Effective security sometimes means inconvenience. Keep it as simple as possible. More is not necessarily better, especially if adding more elements to your firewall makes it impossibly complex to set up and administer, or so difficult to use that users resort to unauthorized shortcuts.
Practical F IREWALL Implementation Acme’s organizational chart shows a simple management structure with function consolidated in three main departments: production, sales/marketing, and finance. New Orleans
S ecurity I ssue: Defining the internet connection : S olutions: The system could be created so that no information flows out of Acme via the channel. Other data that the Web provider might need for the home page, such as announcements of new products, updates on product availability, special promotions, and so on, could likewise be transferred via some secure method - e.g., a one way email service on the company’s intranet-such that no files need to be transferred via the internet for this service. Information about ACME’s products. Web users will have the ability to send Email messages to any of Acme’s regional sales offices, generating a call back from the appropriate salesperson.
S ecurity I ssue: Determining Who Need Access: S olutions: This table shows where various information inside Acme is created and how it’s shared.
S ecurity I ssue: Identifying Weak Spots in Information Flow: Limiting access to servers with remote (that is, dial up) access capabilities. Securing sensitive design data. Preventing employees who should not have access to certain information from getting that information. The beginnings of the Acme intranet with a server for each department. I N T R A N E T
First, sales reps take the orders from the customers and input the information into computer order forms on their notebook computers. They compile the orders into single data files for transfer to the regional sales office. Next, sales representatives begin the process of uploading the sales onto the company’s FTP order sites, located at each of the regional sales offices. This is accomplished by using communications software on the notebook computer to dial into the regional office’s “modem center” via a cellular phone built into the notebook computer. Anywhere an organization uses a standard telephone line for remote access; a danger exists that the number, and thus the line, may be attacked by a hacker. S ecurity I ssue: Managing Remote Access:
S olutions: Acme decides to use a two-stage firewall at this point in its system. Acme decides to use the Modem Security Enforcer , that requires users to call in, and pass a two-step password test, then hangs up the system and calls the user back at a pre-established telephone number . After the salesperson successfully passes through the modem security, the salesperson encounters the second firewall located on the Sales/Marketing Web server. the second firewall located on the Sales/Marketing Web server. Acme uses a proxy server such Borderware Firewall Server which accepts the data from the salesperson's notebook-generated order file and passes it through to the FTP site on the intranet. Any data that comes back to the notebook during this process is protected by means of a Network Address Translation (also provided by Borderware's Firewall Server), which changes the actual internal addressing on information sent out to the remote computer. Here is the Sales/Marketing part of the Acme intranet with the firewalls added.
A process similar to that described here is used for transferring the data from the three sales offices to the main office. That is, the sales orders are combined into a single, larger format order and transferred to the various offices and the appropriate shipping points. Here, however, no public telephone lines are used . Rather, dedicated " T l" telephone lines are used to move the data from the sales offices to the shipping point and main office internal FTP sites, respectively. This diagram shows a typical sales order as it travels from the point of sale to the production and shipping facilities.
the regional (and central) sales offices must make available to the sales force the latest information concerning changes to product lines, pricing information, shipping delays, and so on. As with previous tasks, Acme is not only concerned that this information be made available but also that the process of making it available be as secure as possible. Also, as noted previously in the Table, all offices (sales, market­ing, and finance) must be able to access production figures and shipping times from the main production facility. S ecurity I ssue: Managing Remote Access: These tasks can be accomplished using a secure e-mail system. Thus, the Acme intranet design team decides that, due to the need to pass queries and other short messages among various employees, the primary intranet system will be supplemented with a dedicated mail server system to handle only internal e-mail. S olutions:
S ecurity I ssue: Managing Internal Access to Sensitive Information Acme's Finance Department presents some unique challenges in that all of the other departments must have access to some of the data (for example, budgeting information) but should not be allowed access to other data (for example, the president's expense account) in that department.
S olutions: Acme's Secure Server Net approach to controlling data in the Finance Department. (One such product is Borderware’s Secure Server Net system) Tri Homed Gateway
Additional Security Needs: A similar approach could be used in any department that has both information that should be available company-wide and data that should be used within that department only. In addition to the firewall placement matters mentioned here, Acme will also employ other, more traditional, computer security measures. For example, all users will have unique user names and passwords, providing an additional level of security inside the firewalls. These passwords will have relatively short expiration dates and will be changed approximately every 60 days.
S ecurity I ssue: Security Issue: Virus Detection & Removal Virus detection and removal software will be used on all Acme computers (desktop and notebooks) Acme's Future: Acme will begin to automate the flow of essential data around the company. At the same time, the company will ensure with each new phase of automation that sensitive and proprietary information is protected and, as important, that the company's intranet is guarded from outside attacks by unscrupulous hackers.
The completed Acme intranet, included the firewalls described in the chapter.

More Related Content

PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
PPT
Secure Socket Layer
Naveen Kumar
 
PPT
firewall.ppt
ssuser530a07
 
PPTX
Firewall and Types of firewall
Coder Tech
 
PPTX
Firewall
Saurabh Chauhan
 
PPTX
Intrusion Prevention System
Vishwanath Badiger
 
PDF
Zafiyet tespiti ve sizma yöntemleri
EPICROUTERS
 
PPTX
Firewall
reddivarihareesh
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
Secure Socket Layer
Naveen Kumar
 
firewall.ppt
ssuser530a07
 
Firewall and Types of firewall
Coder Tech
 
Firewall
Saurabh Chauhan
 
Intrusion Prevention System
Vishwanath Badiger
 
Zafiyet tespiti ve sizma yöntemleri
EPICROUTERS
 
Firewall
reddivarihareesh
 

What's hot (20)

PPTX
IPSec and VPN
Abdullaziz Tagawy
 
PPT
Firewall
Amuthavalli Nachiyar
 
PDF
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
PDF
IPSec (Internet Protocol Security) - PART 1
Shobhit Sharma
 
PPTX
Intrusion detection system
AAKASH S
 
PPTX
Firewall & Proxy Server
LakshyaArora12
 
PPTX
Wireshark
Sourav Roy
 
PPT
Ip Sec
Ram Dutt Shukla
 
PPTX
Firewall ( Cyber Security)
Jainam Shah
 
DOCX
WEB ve MOBİL SIZMA TESTLERİ
BGA Cyber Security
 
PPTX
Cyber kill chain
Ankita Ganguly
 
PPTX
Cisco ASA Firewalls
Bryley Systems Inc.
 
PPTX
IPSec VPN & IPSec Protocols
NetProtocol Xpert
 
PPTX
Network defenses
Prachi Gulihar
 
PPTX
Types Of Firewall Security
iberrywifisecurity
 
PPT
Intro to Web Application Security
Rob Ragan
 
PDF
Hacking SIP Like a Boss!
Fatih Ozavci
 
PDF
Presentation f5 – beyond load balancer
xKinAnx
 
PDF
SSH - Secure Shell
Peter R. Egli
 
PDF
SSL intro
Three Lee
 
IPSec and VPN
Abdullaziz Tagawy
 
Firewall
Amuthavalli Nachiyar
 
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
IPSec (Internet Protocol Security) - PART 1
Shobhit Sharma
 
Intrusion detection system
AAKASH S
 
Firewall & Proxy Server
LakshyaArora12
 
Wireshark
Sourav Roy
 
Ip Sec
Ram Dutt Shukla
 
Firewall ( Cyber Security)
Jainam Shah
 
WEB ve MOBİL SIZMA TESTLERİ
BGA Cyber Security
 
Cyber kill chain
Ankita Ganguly
 
Cisco ASA Firewalls
Bryley Systems Inc.
 
IPSec VPN & IPSec Protocols
NetProtocol Xpert
 
Network defenses
Prachi Gulihar
 
Types Of Firewall Security
iberrywifisecurity
 
Intro to Web Application Security
Rob Ragan
 
Hacking SIP Like a Boss!
Fatih Ozavci
 
Presentation f5 – beyond load balancer
xKinAnx
 
SSH - Secure Shell
Peter R. Egli
 
SSL intro
Three Lee
 
Ad

Viewers also liked (20)

PPTX
Firewall presentation
Amandeep Kaur
 
PPTX
Introduction of firewall slides
rahul kundu
 
PPT
Firewall
lmbriscoe
 
DOCX
Firewall
syeda zoya mehdi
 
PPT
Firewalls
Shreya Singireddy
 
PPT
Firewall
Manikyala Rao
 
PDF
Coderfaire Data Networking for Developers
Jason Myers
 
PPT
Firewalls
junaid15bsse
 
DOCX
Firewalls
Sonali Parab
 
PPTX
Firewall
lyndyv
 
PPT
4. system models
AbDul ThaYyal
 
PPTX
Gateway Networking
Abhishek Kumar Ravi
 
PPTX
Gateways ppt
California STEM Learning Network
 
PDF
CCNAv5 - S2: Chapter 9 Access Control Lists
Vuz Dở Hơi
 
PPT
data mining for security application
bharatsvnit
 
PPT
Cisco ACL
faust0
 
PPTX
Data Mining with Splunk
David Carasso
 
PPT
Bridges and gateways 52
myrajendra
 
PPT
Network security
Gichelle Amon
 
PPTX
Internet security powerpoint
Arifa Ali
 
Firewall presentation
Amandeep Kaur
 
Introduction of firewall slides
rahul kundu
 
Firewall
lmbriscoe
 
Firewall
syeda zoya mehdi
 
Firewalls
Shreya Singireddy
 
Firewall
Manikyala Rao
 
Coderfaire Data Networking for Developers
Jason Myers
 
Firewalls
junaid15bsse
 
Firewalls
Sonali Parab
 
Firewall
lyndyv
 
4. system models
AbDul ThaYyal
 
Gateway Networking
Abhishek Kumar Ravi
 
Gateways ppt
California STEM Learning Network
 
CCNAv5 - S2: Chapter 9 Access Control Lists
Vuz Dở Hơi
 
data mining for security application
bharatsvnit
 
Cisco ACL
faust0
 
Data Mining with Splunk
David Carasso
 
Bridges and gateways 52
myrajendra
 
Network security
Gichelle Amon
 
Internet security powerpoint
Arifa Ali
 
Ad

Similar to Presentation, Firewalls (20)

PPT
Presentation, Firewalls
kkkseld
 
PPT
Firewall protection
VC Infotech
 
PDF
internet-firewalls
Miftakhul Hijriyah
 
PPTX
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
SakshiSolapure1
 
PPTX
Firewall presentation
gaurav96raj
 
PPT
Firewalls
University of Central Punjab
 
PPTX
Firewalls
vaishnavi
 
PPTX
Firewalls by Puneet Bawa
Puneet Bawa
 
PPTX
Firewall Design and Implementation
ajeet singh
 
PPTX
Firewall Design and Implementation
ajeet singh
 
PPTX
Firewall
Idris Shah
 
PPT
Lecture 4 firewalls
rajakhurram
 
PDF
BAIT1103 Chapter 8
limsh
 
PDF
[9] Firewall.pdf
lamtran367679
 
PPTX
UNIT-4 network information security ID system
agasyabutolia
 
PDF
Firewalls
Jyoti Akhter
 
PPTX
firewall as a security measure (1)-1.pptx
ShreyaBanerjee52
 
PPT
Firewall
thinkahead.net
 
PPT
Firewall
Apo
 
PPTX
Firewall
Naga Dinesh
 
Presentation, Firewalls
kkkseld
 
Firewall protection
VC Infotech
 
internet-firewalls
Miftakhul Hijriyah
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
SakshiSolapure1
 
Firewall presentation
gaurav96raj
 
Firewalls
University of Central Punjab
 
Firewalls
vaishnavi
 
Firewalls by Puneet Bawa
Puneet Bawa
 
Firewall Design and Implementation
ajeet singh
 
Firewall Design and Implementation
ajeet singh
 
Firewall
Idris Shah
 
Lecture 4 firewalls
rajakhurram
 
BAIT1103 Chapter 8
limsh
 
[9] Firewall.pdf
lamtran367679
 
UNIT-4 network information security ID system
agasyabutolia
 
Firewalls
Jyoti Akhter
 
firewall as a security measure (1)-1.pptx
ShreyaBanerjee52
 
Firewall
thinkahead.net
 
Firewall
Apo
 
Firewall
Naga Dinesh
 

More from kkkseld (13)

PDF
H E A D S C A R F D E A D L O C K I N T U R K E Y A S A C A S E S T U D Y
kkkseld
 
PDF
Microsoft Word Mobile Multi Media Applications
kkkseld
 
PDF
Microsoft Word Project, Firewalls
kkkseld
 
PDF
Microsoft Word Hw#2
kkkseld
 
PDF
Microsoft Word Hw#3
kkkseld
 
PDF
Microsoft Word Hw#1
kkkseld
 
PPT
Asr
kkkseld
 
PDF
Microsoft Word The Project, Islam And Science
kkkseld
 
PPT
Speech To Sign Language Interpreter System
kkkseld
 
PPT
Sslis
kkkseld
 
PPT
Mobile Multi Media Applications
kkkseld
 
PPT
Kerie2006 Poster Template 01
kkkseld
 
PPT
Asr
kkkseld
 
H E A D S C A R F D E A D L O C K I N T U R K E Y A S A C A S E S T U D Y
kkkseld
 
Microsoft Word Mobile Multi Media Applications
kkkseld
 
Microsoft Word Project, Firewalls
kkkseld
 
Microsoft Word Hw#2
kkkseld
 
Microsoft Word Hw#3
kkkseld
 
Microsoft Word Hw#1
kkkseld
 
Asr
kkkseld
 
Microsoft Word The Project, Islam And Science
kkkseld
 
Speech To Sign Language Interpreter System
kkkseld
 
Sslis
kkkseld
 
Mobile Multi Media Applications
kkkseld
 
Kerie2006 Poster Template 01
kkkseld
 
Asr
kkkseld
 

Recently uploaded (20)

PDF
1a In Search of the Numbers ssrn 1488130 Oct 2009.pdf
Better Financial Education
 
PDF
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
Gorman Bain Capital
 
PDF
CLIMATE CHANGE AS A THREAT MULTIPLIER: ASSESSING ITS IMPACT ON RESOURCE SCARC...
Igor Britchenko
 
PPTX
Antihypertensive_Drugs_Presentation_Poonam_Painkra.pptx
marrow02abhishek
 
PPTX
Unilever_Financial_Analysis_Presentation.pptx
HarisKaimKhani
 
PDF
how_to_earn_50k_monthly_investment_guide.pdf
Grip Invest
 
PDF
Q2 2025 :Lundin Gold Conference Call Presentation_Final.pdf
Adnet Communications
 
PDF
Corporate Finance Fundamentals - Course Presentation.pdf
christygathoni
 
PDF
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
PDF
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Enterprise world
 
PPTX
kyc aml guideline a detailed pt onthat.pptx
Sanjaysaini308877
 
PDF
5a An Age-Based, Three-Dimensional Distribution Model Incorporating Sequence ...
Better Financial Education
 
PDF
caregiving tools.pdf...........................
cyrilbotor
 
PPTX
EABDM Slides for Indifference curve.pptx
deeksha8770
 
PDF
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Henry Tapper
 
PPTX
introuction to banking- Types of Payment Methods
KhushiPeriwal
 
PDF
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Razan Shahwan
 
PDF
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
PDF
financing insitute rbi nabard adb imf world bank insurance and credit gurantee
robertclive1690
 
PPTX
FL INTRODUCTION TO AGRIBUSINESS CHAPTER 1
raquipoarthea
 
1a In Search of the Numbers ssrn 1488130 Oct 2009.pdf
Better Financial Education
 
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
Gorman Bain Capital
 
CLIMATE CHANGE AS A THREAT MULTIPLIER: ASSESSING ITS IMPACT ON RESOURCE SCARC...
Igor Britchenko
 
Antihypertensive_Drugs_Presentation_Poonam_Painkra.pptx
marrow02abhishek
 
Unilever_Financial_Analysis_Presentation.pptx
HarisKaimKhani
 
how_to_earn_50k_monthly_investment_guide.pdf
Grip Invest
 
Q2 2025 :Lundin Gold Conference Call Presentation_Final.pdf
Adnet Communications
 
Corporate Finance Fundamentals - Course Presentation.pdf
christygathoni
 
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Enterprise world
 
kyc aml guideline a detailed pt onthat.pptx
Sanjaysaini308877
 
5a An Age-Based, Three-Dimensional Distribution Model Incorporating Sequence ...
Better Financial Education
 
caregiving tools.pdf...........................
cyrilbotor
 
EABDM Slides for Indifference curve.pptx
deeksha8770
 
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Henry Tapper
 
introuction to banking- Types of Payment Methods
KhushiPeriwal
 
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Razan Shahwan
 
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
financing insitute rbi nabard adb imf world bank insurance and credit gurantee
robertclive1690
 
FL INTRODUCTION TO AGRIBUSINESS CHAPTER 1
raquipoarthea
 

Presentation, Firewalls

  • 1. "And of knowledge, you (mankind) have been given only a little." Surah Al-Isra‘, verse 85.
  • 3. Introduction The vastness of the internet, along with the differences among its visitors, creates a most unique melting pot. It also contains a great potential for misuse, abuse and criminal activity. A number of organizations have been attacked or probed by intruders, resulting in heavy production losses and embarrassment. On 1996 the US Department of Defense announced that its computer systems were attacked 250,000 times in the preceding year and most of these attacks went undetected. The web site of the United States Information Agency which was broken by internet vandals. But all is not lost: the F IREWALL still stands as the biggest and the best weapon for keeping the evil forces lurking along the miles of the information superhighway at bay.
  • 4. Data Transmission in TCP/IP Networks: The internet is like a railroad, sort of. TCP/IP and the OSI reference model.
  • 5. What Are F IREWALLs ?? A firewall A F IREWALL is a system ( either software or hardware or both ) that enforces an access control policy between two networks.
  • 6. What can F IREWALL protect against, and what they cannot? They Can: F irewalls are excellent at enforcing the corporate security policy . F irewalls are used to restrict access to specific services . F irewalls are singular in purpose. F irewalls are excellent auditors . F irewalls are very good at alerting appropriate people of events. They Cannot: Firewalls cannot protect against what is authorized. Firewalls are only as effective as the rules they are configured to enforce . Firewalls cannot stop social engineers or an authorized user intentionally using their access malicious purposes. Firewalls cannot fix poor administrative practices or poorly designed security policy. Firewalls cannot stop attacks in which traffic does not pass through them .
  • 7. Firewall Technology Application Level e.g. Proxy Servers Network Level e.g. packet filtering Both categories together .
  • 8. F IREWALL Architectures F IREWALL primarily functions using four fundamental methods: Packet Filters. Application Gateways. Circuit-level Gateways. Stateful Packet Inspection.
  • 9. 1- Packet Filters: A packet is like a letter. TCP/IP Packet structure.
  • 10. How Packet filtering works: Creating a Rule Set: In order to provide an example of packet filtering we need to create a rule set. The rule set contains the following criteria: 1- Type of protocol. 2- Source address. 3- Destination address. 4- Source port. 5- Destination port. 6- The action the firewall should take when the rule set is not matched. (Example) Network topology for the packet filtering. (Example) Network topology for the packet filtering.
  • 11. Sample packet filtering rule set. The flow of the packet filtering example. DENY
  • 12. Advantages and disadvantages: Advantages: It creates little overhead, so the performance of the screening device is less impacted. It’s relatively inexpensive or even free. It provides good traffic management. Disadvantages : It allows direct connections to internal host from external clients. It leaves many holes in the network perimeter. That’s because it can only examine the traffic at the transport layer (TCP or UDP) or at the network layer (ICMP or IP protocol type). It’s difficult to manage and scale in complex environments. Because in multilayered security environment, all packet filters in both network traffic directions must be synchronized. It’s vulnerable to attacks that “spoof “ source addresses that match internal IP addressing schemes, unless it’s especially configured to prevent this issue. It offers no user authentication.
  • 13. 2- Application Gateways (also, proxy gateway ) Application level gateway ? DENY
  • 14. How it works: Overview of application gateway virtual connections. ALLOWED ONLY SSH
  • 15. Advantages and Disadvantages of Application Gateways Advantages : Application level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application level gateway need only scrutinize a few allowable applications. In addition it’s easy to log and audit all incoming traffic at the application level. Disadvantages : Prime disadvantage of the application level gateway is the additional processing overhead on each connection. In effect there are two spliced connections between the end users, with the gate way at the splice point, and the gateway must examine and forward all traffic in both directions.
  • 16. 3- Circuit Level Gateways: (e.g. Proxy and Socks servers) Circuit-Level gateway. www.companyName.com www.companyName.com
  • 17. Disadvantages: Most circuit level gateways are configurable on a TCP port basis. This does have disadvantage in that the circuit level gateway may not examine each packet at the application layer. This allows applications to utilize TCP ports that were opened for other, legitimate applications, several peer to peer applications can be configured to run on arbitrary ports, such as TCP 80 and TCP 443 (commonly opened for web browsing). This opens the possibility for misuse and exposes potential vulnerabilities inherent in these applications. There are several other disadvantages to using circuit level gateway as a sole meaning of protecting a network. Inbound connection, are in general, not allowed, unless the functionality is built into the gateway as a separate application. Some client applications cannot be modified to support SOCKS or proxying. This would prevent them from accessing external resources through a gateway.
  • 18. Bastion Host: It is a computer that is the central component in a network security architecture, often the main entrance to the network, intended to protect. It’s running a proxy software. It’s usually the most critical, and therefore the best secured, system in the network. An other kind of bastion host called a victim machine ( also called a sacrificial lamb). Bastion hosts are used in all arrangements that use a proxy server.
  • 19. 3- Stateful Packet Inspection: How it works: T he logic flow of stateful packet inspection.
  • 20. Advantages and Disadvantages of SPI: Advantages: The connection table greatly reduces the chance that a packet will be spoofed to appear as it were part of an existing connection. The ability to look into the data of certain packet types. Disadvantages: It does not protect the internal hosts to the same degree as an application layer firewall. it does not act as proxy or setup a separate connection on behalf of the source.
  • 21. Firewall Configurations 1- Screened Network (Packet Filtering Only): A simple firewall that uses a screening router
  • 22. 2- Dual-Homed Gateway: A dual homed host has two IP addresses.
  • 23. 3- Screened Host: The screened-host configuration.
  • 24. Benefits & Disadvantages: Benefits : More flexible than a dual-homed gateway firewall. The rules for packet filter can be less a complex than for a screened network configuration because most or all the traffic will be directed to the application gateway. If either component fails in an “open” condition, so that it no longer blocks anything, the other component still affords some measure of protection. Disadvantages: The two components of the firewall need to be configured carefully to work together correctly. The flexibility of the system can lead to the temptation to take shortcuts that can subvert security.
  • 25. 4- Screened Subnet: The screened-host configuration. Demilitarized Zone
  • 26. Benefits & Disadvantages: Benefits : The chief benefit is an other layer of protection. To gain access to the protected network, an attacker would have to go through two routers and the application gateway-not impossible, but more difficult than with a screened-host firewall. Disadvantages: It’s the most expensive configuration (of those described here). With three machines. Including two routers with their rule tables, configuration of the overall system can become quite complicated.
  • 27. Other firewall Configuration: You can come up with variations of the configurations described here to suit your security policy. You might want to use more bastion hosts to separate traffic for different services. You could add more layers of screened subnets to deal with traffic to and from networks with varying degrees of trustworthiness.
  • 28. The point: There are no hard and fast rules for how a F irewall should be set up. Just remember a couple of guidelines: Avoid the temptation to take shortcuts around more burdensome aspects of the security policy. Effective security sometimes means inconvenience. Keep it as simple as possible. More is not necessarily better, especially if adding more elements to your firewall makes it impossibly complex to set up and administer, or so difficult to use that users resort to unauthorized shortcuts.
  • 29. Practical F IREWALL Implementation Acme’s organizational chart shows a simple management structure with function consolidated in three main departments: production, sales/marketing, and finance. New Orleans
  • 30. S ecurity I ssue: Defining the internet connection : S olutions: The system could be created so that no information flows out of Acme via the channel. Other data that the Web provider might need for the home page, such as announcements of new products, updates on product availability, special promotions, and so on, could likewise be transferred via some secure method - e.g., a one way email service on the company’s intranet-such that no files need to be transferred via the internet for this service. Information about ACME’s products. Web users will have the ability to send Email messages to any of Acme’s regional sales offices, generating a call back from the appropriate salesperson.
  • 31. S ecurity I ssue: Determining Who Need Access: S olutions: This table shows where various information inside Acme is created and how it’s shared.
  • 32. S ecurity I ssue: Identifying Weak Spots in Information Flow: Limiting access to servers with remote (that is, dial up) access capabilities. Securing sensitive design data. Preventing employees who should not have access to certain information from getting that information. The beginnings of the Acme intranet with a server for each department. I N T R A N E T
  • 33. First, sales reps take the orders from the customers and input the information into computer order forms on their notebook computers. They compile the orders into single data files for transfer to the regional sales office. Next, sales representatives begin the process of uploading the sales onto the company’s FTP order sites, located at each of the regional sales offices. This is accomplished by using communications software on the notebook computer to dial into the regional office’s “modem center” via a cellular phone built into the notebook computer. Anywhere an organization uses a standard telephone line for remote access; a danger exists that the number, and thus the line, may be attacked by a hacker. S ecurity I ssue: Managing Remote Access:
  • 34. S olutions: Acme decides to use a two-stage firewall at this point in its system. Acme decides to use the Modem Security Enforcer , that requires users to call in, and pass a two-step password test, then hangs up the system and calls the user back at a pre-established telephone number . After the salesperson successfully passes through the modem security, the salesperson encounters the second firewall located on the Sales/Marketing Web server. the second firewall located on the Sales/Marketing Web server. Acme uses a proxy server such Borderware Firewall Server which accepts the data from the salesperson's notebook-generated order file and passes it through to the FTP site on the intranet. Any data that comes back to the notebook during this process is protected by means of a Network Address Translation (also provided by Borderware's Firewall Server), which changes the actual internal addressing on information sent out to the remote computer. Here is the Sales/Marketing part of the Acme intranet with the firewalls added.
  • 35. A process similar to that described here is used for transferring the data from the three sales offices to the main office. That is, the sales orders are combined into a single, larger format order and transferred to the various offices and the appropriate shipping points. Here, however, no public telephone lines are used . Rather, dedicated " T l" telephone lines are used to move the data from the sales offices to the shipping point and main office internal FTP sites, respectively. This diagram shows a typical sales order as it travels from the point of sale to the production and shipping facilities.
  • 36. the regional (and central) sales offices must make available to the sales force the latest information concerning changes to product lines, pricing information, shipping delays, and so on. As with previous tasks, Acme is not only concerned that this information be made available but also that the process of making it available be as secure as possible. Also, as noted previously in the Table, all offices (sales, market­ing, and finance) must be able to access production figures and shipping times from the main production facility. S ecurity I ssue: Managing Remote Access: These tasks can be accomplished using a secure e-mail system. Thus, the Acme intranet design team decides that, due to the need to pass queries and other short messages among various employees, the primary intranet system will be supplemented with a dedicated mail server system to handle only internal e-mail. S olutions:
  • 37. S ecurity I ssue: Managing Internal Access to Sensitive Information Acme's Finance Department presents some unique challenges in that all of the other departments must have access to some of the data (for example, budgeting information) but should not be allowed access to other data (for example, the president's expense account) in that department.
  • 38. S olutions: Acme's Secure Server Net approach to controlling data in the Finance Department. (One such product is Borderware’s Secure Server Net system) Tri Homed Gateway
  • 39. Additional Security Needs: A similar approach could be used in any department that has both information that should be available company-wide and data that should be used within that department only. In addition to the firewall placement matters mentioned here, Acme will also employ other, more traditional, computer security measures. For example, all users will have unique user names and passwords, providing an additional level of security inside the firewalls. These passwords will have relatively short expiration dates and will be changed approximately every 60 days.
  • 40. S ecurity I ssue: Security Issue: Virus Detection & Removal Virus detection and removal software will be used on all Acme computers (desktop and notebooks) Acme's Future: Acme will begin to automate the flow of essential data around the company. At the same time, the company will ensure with each new phase of automation that sensitive and proprietary information is protected and, as important, that the company's intranet is guarded from outside attacks by unscrupulous hackers.
  • 41. The completed Acme intranet, included the firewalls described in the chapter.