Perimeter Defense
A firewall is said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

Firewall
What is a Firewall?
A firewall:
• Acts as a security gateway between two networks
• Usually sits between trusted and untrusted networks (such as between a corporate network and the Internet)
• Tracks and controls network communications
• Decides whether to pass, reject, encrypt, or log communications (access control)
Figure: corporate network gateway between the corporate site and the Internet, allowing traffic to the Internet and blocking traffic from the Internet.
Need for Firewall
Organizational information systems have evolved through these stages:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• LANs interconnecting PCs and terminals to each other and to the mainframe
• Enterprise-wide network, consisting of multiple, geographically distributed networks interconnected by a wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN

Need for Firewall
• Prevent attacks from untrusted networks
• Protect the data integrity of critical information
• Preserve customer and partner confidence
Design Principle
• In an organization, users need Internet access.
• Internet access enables the outside world to connect to and interact with local network assets.
• This creates a threat to the organization.
• A firewall is inserted between the local network and the Internet to establish a controlled link.
• The aim of this boundary is to protect the local network from Internet-based attacks.

Design Goals
• All traffic, from inside to outside or vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
• Only authorized traffic, as defined by the local security policy, is allowed to pass.
• The firewall itself is immune to penetration.
Techniques that firewalls use to control access

Firewalls must have the following attributes
Limitations
• A firewall cannot protect against attacks that bypass the firewall.
• A firewall does not protect against internal threats. A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.
• A firewall cannot protect against the transfer of virus-infected programs or files.
• A firewall cannot guard against wireless communications.
Types of Firewall
• Software firewall
• Hardware firewall
• Packet filtering firewall
• Proxy server
• Hybrid
• Application level gateway
• Circuit level gateway
Software firewall
• A software firewall is a program (or set of programs) installed on a computer.
• A host-based firewall is a software module used to secure an individual host.
• A common location for such firewalls is a server.
• It runs on a single computer (personal firewall).
• Prevents unauthorized access to the computer through the network.
• Allows configuration of trusted zones.
• Software firewalls depend on the user's decisions.

Hardware firewall
• A hardware firewall is a device which stands between trusted and untrusted networks.
• More complex than a software firewall.
• Contains software (an OS) running on dedicated hardware.
• The OS of a hardware firewall is small in size but very difficult to attack.
• It can handle and filter more traffic.
• It can also act as a router or VPN gateway.
Packet Filtering Firewall
• Simplest, fastest firewall component.
• Examines each IP packet in isolation (no context) and permits or denies it according to rules.
• Restricts access to services (ports).
• The router is typically configured to filter packets going to and from the internal network.
• Filtering rules are based on information contained in a packet.
• Works at the network layer.

Packet Filtering Firewall
Fields a packet filter examines:
• Source IP address: the IP address of the system that originates the IP packet.
• Destination IP address: the IP address of the system the IP packet is trying to reach.
• Source and destination transport-level address: the transport-level (e.g. TCP or UDP) port number.
• IP protocol field: defines the transport protocol.
• Interface: which interface of the router the packet came from, or is destined for.

Packet Filtering Firewall
• Packets are examined at the network layer.
• Useful “first line” of defense; commonly deployed on routers.
• Simple accept-or-reject decision model.
• No awareness of higher protocol layers.

Packet Filtering Firewall
Figure: Internet, packet filtering router, private network.
Advantages
• Simplicity
• Transparency to users
• High speed
Disadvantages
• Lack of authentication
• Difficulty of setting up packet filtering rules
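A stateless filter that applies the rule fields listed above to constructed sample packets, added here as an illustration rather than taken from the slides; the interface names, addresses and policy are assumptions for the example, and the last rule shows why "no context" is a weakness.

```python
"""Stateless packet filter matching on the fields the slides list: source and
destination IP address, source and destination port, transport protocol, and
the router interface. Added illustration; rules, addresses and packets are
constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str                   # router interface the packet arrived on
    proto: str                   # transport protocol from the IP header
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (e.g. icmp)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR networks, as a router ACL would use
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def filter_packet(rules: list, p: Packet) -> str:
    """First matching rule wins; a packet no rule matches is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed policy for a router between interface "outside" (Internet) and
# "inside" (private 10.0.0.0/8). Every decision looks at one packet alone: the
# filter has no memory of which connections inside hosts have opened.
RULES = [
    # Anti-spoofing: a private source address must never arrive from outside.
    Rule("deny", iface="outside", src="10.0.0.0/8"),
    # The Internet may reach the public web server on port 80 and nothing else.
    Rule("permit", iface="outside", proto="tcp", dst="10.0.0.80/32", dport=80),
    # Inside hosts may open TCP connections outward ...
    Rule("permit", iface="inside", proto="tcp", src="10.0.0.0/8"),
    # ... and web replies may come back. Being stateless, the filter can only
    # recognise a "reply" by its source port, so any inbound TCP segment with
    # source port 80 is accepted; a stateful firewall removes this weakness.
    Rule("permit", iface="outside", proto="tcp", dst="10.0.0.0/8", sport=80),
]

if __name__ == "__main__":
    samples = [
        Packet("outside", "tcp", "203.0.113.5", "10.0.0.80", 40000, 80),   # permit
        Packet("outside", "tcp", "203.0.113.5", "10.0.0.80", 40000, 22),   # deny
        Packet("outside", "tcp", "10.0.0.9", "10.0.0.80", 40000, 80),      # deny (spoofed)
        Packet("inside", "tcp", "10.0.0.25", "198.51.100.7", 51515, 80),   # permit
    ]
    for pk in samples:
        print(filter_packet(RULES, pk), pk)
```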
Proxy Server
• An important part of web architecture.
• Reduces load on servers.
• Acts as a gateway to and from the Internet.
• An intermediary program that acts as both a server and a client for the purpose of making requests on behalf of other clients.
• Two forms of proxy server: nontransparent and transparent.
• A nontransparent proxy is visible to the user: the user configures the browser to contact the proxy instead of the original server.

Proxy Server
• A transparent proxy needs no change in client configuration.
• Examines all TCP connections that pass through it.
• Requests are serviced internally or by passing them, with possible translation, on to other servers.
• A proxy must interpret and, if necessary, rewrite a request message before forwarding it.
• Proxies are often used as client-side portals through network firewalls.
• Clients connect to the proxy server when they make a request for resources located on the Internet.
• Also known as an application gateway.

Proxy Server
• The server gets the resource and returns it to the client.
• Since only one IP address is presented to the Internet, the proxy server effectively hides your internal network.
• The proxy server is the only computer in the network attached to both the internal and external networks.
Figure: a client and a proxy (addresses 111.222.3.4 and 222.111.123.234 in the figure) in front of web servers (MSBTE, YouTube, FB).
Application Level Gateway
• Also known as a proxy server.
• It acts like a proxy and decides about the flow of application-level traffic.
• The user contacts the application level gateway using a TCP/IP application, such as FTP or HTTP.
• The application level gateway asks the user for the remote host with which the user wants to set up a connection for communication.

Application Level Gateway
• When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host.
• If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
• The gateway can also be configured to support only specific features of an application.
• Application level gateways tend to be more secure than packet filtering.

Firewalls - Application Level Gateway (or Proxy)
• Has an application-specific gateway / proxy.
• Has full access to the protocol.
• The user requests a service from the proxy.
• The proxy validates the request as legal.
• Then actions the request and returns the result to the user.
• Can log / audit traffic at the application level.
• Needs separate proxies for each service.

Application Gateway or Proxy
• Packets are examined at the application layer.
• Application/content filtering is possible; for example, preventing FTP “put” commands.
• Modest performance.
• Scalability limited.
Figure: application-specific proxies, one per application, on the gateway.

Advantages
• Higher security than packet filtering.
• Only needs to scrutinize a few allowable applications.
• Easy to log and audit all incoming traffic.
Disadvantages
• Additional overhead on each connection.
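As an added illustration (not code from the slides) of what an application level gateway can do that a packet filter cannot, here is a proxy for the FTP control channel that lets read-only commands through, refuses uploads (the “put” command, STOR on the wire) and keeps an audit log; the allowed-verb policy and the client transcript are constructed for the example.

```python
"""Application-level gateway for the FTP control channel: the proxy reads each
command the client sends, forwards only the verbs policy allows, and logs every
decision. Added illustration, not code from the slides; the policy and the
session transcript are constructed for the example."""
from typing import Iterable

# Policy: read-only FTP through the gateway. STOR (the "put" command) is not
# listed, so uploads are refused even though TCP port 21 itself is reachable.
ALLOWED_VERBS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}

def parse_command(line: str) -> tuple:
    """FTP commands are 'VERB [argument]' terminated by CRLF; verbs are case-insensitive."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg

def proxy_session(client_lines: Iterable[str], user: str = "?") -> tuple:
    """Return (commands forwarded to the real server, audit log). A blocked
    command gets a 550 reply from the proxy itself and never reaches the server."""
    forwarded, audit = [], []
    for line in client_lines:
        verb, arg = parse_command(line)
        if verb == "USER":
            user = arg                                # later actions are attributed to this user
        if verb in ALLOWED_VERBS:
            forwarded.append(f"{verb} {arg}".rstrip())
            shown = "****" if verb == "PASS" else arg  # never write credentials to the log
            audit.append(f"ALLOW user={user} {verb} {shown}".rstrip())
        else:
            audit.append(f"BLOCK user={user} {verb} {arg} -> 550 Command not permitted by policy")
    return forwarded, audit

# Constructed client transcript: login, a download, then an attempted upload.
SAMPLE_SESSION = [
    "USER alice\r\n", "PASS s3cret\r\n", "CWD /pub\r\n",
    "RETR report.pdf\r\n", "STOR upload.zip\r\n", "QUIT\r\n",
]

if __name__ == "__main__":
    sent, log = proxy_session(SAMPLE_SESSION)
    print("forwarded to server:", sent)
    print("\n".join(log))
```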
Circuit Level Gateway
• A stand-alone system or a specialized function performed by an application level gateway.
• Does not permit an end-to-end TCP connection; the gateway sets up two TCP connections:
 – one between itself and a TCP user on an inner host, and
 – one between itself and a TCP user on an outside host.
• Imposes security by limiting which such connections are allowed.

Circuit Level Gateways (figure)

Circuit Level Gateway
• Once created, usually relays traffic without examining its contents.
• Typically used when internal users are trusted, by allowing general outbound connections.
• SOCKS (a protocol) is commonly used for this.

Implementing Firewall
Three types of firewall configuration
Bastion Host
• A highly secure host system that serves as a platform for an application-level or circuit-level gateway.
• The host hardware platform executes a secure version of its operating system, making it a trusted system.
• Only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication).

Single-Homed Bastion
• Consists of two systems: a packet-filtering router and a bastion host. The router is configured so that:
 – for traffic from the Internet, only IP packets destined for the bastion host are allowed in;
 – for traffic from the internal network, only IP packets from the bastion host are allowed out.
• The bastion host performs authentication and proxy functions.

Single-Homed Bastion (figure)

Dual-Homed Bastion Host
• Direct connections between internal hosts and the packet filter are avoided.
• The packet filter connects only to the application gateway.
• The application gateway has a separate connection to the internal hosts.

Dual-Homed Bastion Host (figure)

Screened Subnet Firewall
• There are now three levels of defense to thwart intruders.
• The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.
• Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.

Screened Subnet Firewall (figure)
Network Address Translation (NAT)
Figure: corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind a single public IP address 219.22.165.1 facing the Internet.

Firewall Deployment
• Corporate Network Gateway
 – Protect the internal network from Internet attack
 – Most common deployment point
Figure: corporate network gateway between the corporate site and the Internet, with public servers in a demilitarized zone (DMZ).

Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
 – Protect sensitive segments (Finance, HR, Product Development)
 – Provide a second layer of defense
 – Ensure protection against internal attacks and misuse
Figure: Internet, public servers in the demilitarized zone (publicly accessible servers), and a Human Resources network behind an internal segment gateway on the corporate site.

Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
• Server-Based Firewall
 – Protect individual application servers
 – Protect files
Figure: Internet, public servers in the DMZ, a Human Resources network behind an internal segment gateway, and a server-based firewall on an SAP server.

Summary
• Firewall
• Limitations
• Firewall types: packet filtering firewall, application level gateway, circuit level gateway
• Firewall configuration
Virtual Private Network

Virtual Private Network (VPN)
• Uses public telecommunication infrastructure to provide remote offices with secure access to their organization's network.
• A VPN is a mechanism employing encryption, authentication and integrity protection.
• A public network can be used as a private network.
• A VPN can connect distant networks of an organization.
• A VPN is a mechanism to create a private network over a public network.

Virtual Private Network (VPN) (figure)

VPN between two private networks
Figure: Network 1 behind Firewall 1 and Network 2 behind Firewall 2, joined across the Internet by a VPN tunnel between the two firewalls.

• Suppose an organization has two networks, Network 1 and Network 2, which are physically separate; the users need to set up two firewalls for encryption and decryption purposes.
• The figure shows Network 1 connecting to the Internet through Firewall 1 and Network 2 via Firewall 2.
• The two firewalls are virtually connected to each other via the Internet with the help of a VPN tunnel between the firewalls.
• The transmission between the two networks takes the following steps:
1. Assume that host X in Network 1 wants to send a packet to host Y in Network 2.
2. Host X creates the packet, inserting its own IP address as the source address and the IP address of host Y as the destination address.
Figure: packet with source address and destination address fields.
3. The packet reaches Firewall 1, which adds a new IP header to the packet. It changes the source IP address of the packet to its own IP address, and changes the destination IP address of the packet to the IP address of Firewall 2. It also performs encryption and authentication.
4. The packet reaches Firewall 2 over the Internet. Firewall 2 discards the outer header and performs the appropriate decryption. This gives the original packet that was created by host X, and Firewall 2 delivers the packet to host Y.
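The four steps above as an added simulation, not code from the slides: Firewall 1 encrypts, authenticates and re-addresses host X's packet, and Firewall 2 checks the tag, strips the outer header and recovers the original packet. The addresses, the shared key and the toy cipher are assumptions for the example.

```python
"""Tunnel-mode VPN between two firewalls, following the steps above. Added
illustration, not code from the slides: addresses and key are constructed, and
the "cipher" is a toy SHA-256 keystream so it runs with the standard library."""
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-demo-key-shared-by-both-firewalls"   # constructed value
FW1_IP, FW2_IP = "198.51.100.1", "203.0.113.1"                   # firewall public addresses
HOST_X, HOST_Y = "192.168.1.10", "192.168.2.20"                  # hosts in Network 1 / Network 2

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Demo only; a real
    VPN (e.g. IPsec ESP) uses a vetted authenticated cipher instead."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encapsulate(inner: dict, src_fw: str, dst_fw: str) -> dict:
    """Step 3: encrypt and authenticate the whole original packet, then prepend a
    new IP header whose addresses are the two firewalls, not the hosts."""
    plain = json.dumps(inner, sort_keys=True).encode()
    nonce = os.urandom(12)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(SHARED_KEY, nonce, len(plain))))
    tag = hmac.new(SHARED_KEY, nonce + cipher, hashlib.sha256).digest()   # authentication
    return {"src": src_fw, "dst": dst_fw, "nonce": nonce.hex(),
            "ciphertext": cipher.hex(), "tag": tag.hex()}

def decapsulate(outer: dict, my_ip: str) -> dict:
    """Step 4: discard the outer header, verify the tag before decrypting, and
    return the original packet for delivery to host Y."""
    if outer["dst"] != my_ip:
        raise ValueError("outer header not addressed to this firewall")
    nonce, cipher = bytes.fromhex(outer["nonce"]), bytes.fromhex(outer["ciphertext"])
    expected = hmac.new(SHARED_KEY, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(outer["tag"])):
        raise ValueError("authentication failed: modified in transit or wrong key")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(SHARED_KEY, nonce, len(cipher))))
    return json.loads(plain)

def send_over_vpn(inner: dict) -> dict:
    """Host X -> Firewall 1 -> Internet -> Firewall 2 -> host Y."""
    on_the_wire = encapsulate(inner, FW1_IP, FW2_IP)
    # Only the firewall addresses are visible on the Internet leg.
    assert on_the_wire["dst"] == FW2_IP and HOST_Y not in on_the_wire.values()
    return decapsulate(on_the_wire, FW2_IP)

def tamper_is_detected(inner: dict) -> bool:
    """Flip one ciphertext bit on the Internet leg; Firewall 2 must reject the packet."""
    pkt = encapsulate(inner, FW1_IP, FW2_IP)
    corrupted = bytearray(bytes.fromhex(pkt["ciphertext"]))
    corrupted[0] ^= 0x01
    pkt["ciphertext"] = bytes(corrupted).hex()
    try:
        decapsulate(pkt, FW2_IP)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    original = {"src": HOST_X, "dst": HOST_Y, "payload": "hello from Network 1"}
    print(send_over_vpn(original))        # the packet host Y receives, unchanged
    print(tamper_is_detected(original))   # True
```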
VPN Protocols
PPTP (Point to Point Tunneling Protocol)
• Used on Windows NT systems.
• It mainly supports VPN connectivity between a single user and a LAN, rather than between two LANs.

PPTP
Figure: user, PPTP access concentrator, and remote access server (RAS).

PPTP Operation
• The user dials into the local PPTP access concentrator host.
• The user sends the access concentrator a PPP frame within an IP packet.
Figure: packet from the user to the access concentrator, which connects on to the RAS.

PPTP Operation
• The access concentrator places the incoming IP packet within another IP packet.
• Sends the packet to the distant RAS.
Figure: encapsulated packet travelling from the access concentrator to the RAS.

PPTP Operation
• The distant RAS removes the original packet.
• Treats the packet as if it came in over a local telephone line.
• Deals with the PPP frame within the packet.
Figure: original IP packet at the RAS.

PPTP Encapsulation
• The access concentrator receives the original IP packet, which has the destination IP address of the access concentrator.
• Adds a new IP header with the IP address of the RAS.
• Adds an enhanced generic routing encapsulation (GRE) header for security.
Figure: new IP header | enhanced GRE header | original IP packet.

PPTP Tunneling
• Encapsulating an IP packet within another packet to send it through a network is called tunneling.
• This is how tunnel mode works in IPsec (discussed earlier in the module).
Figure: tunnel from the access concentrator to the RAS.

VPN Protocols
L2TP (Layer 2 Tunneling Protocol)
• Developed by the IETF.
• An improvement over PPTP.
• L2TP is considered a secure open standard for VPN.
• It works for both combinations: user-to-LAN and LAN-to-LAN.

VPN Protocols
• IPSec
• Designed to provide a secure communication channel between two devices.
• It provides confidentiality, data authentication, data integrity and protection from replay.
Kerberos

Kerberos
• Kerberos is an authentication service developed at MIT.
• Kerberos addresses the problem that servers need to be able to restrict access to authorized users and to authenticate requests, while a workstation cannot be trusted to identify its users.
Threats
• A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
• A user may alter a workstation's address.
• A user may eavesdrop on exchanges and use a replay attack.

Kerberos
• Kerberos is a network authentication protocol.
• It is designed to provide strong authentication for client/server applications using secret key cryptography.
• Provides a centralized authentication server whose function is to authenticate users to servers and servers to users.

Kerberos
Characteristics
• It is secure: it never sends a password unless it is encrypted.
• Only a single login is required per session. Credentials defined at login are passed between resources without the need for additional logins.
• Uses a KDC. The KDC is aware of all systems in the network and is trusted by all of them.
• It performs mutual authentication.

Kerberos
• Kerberos introduces the concept of a Ticket Granting Server (TGS).
• A client has to receive a ticket to use a service.
• A ticket is a time-limited cryptographic message which gives access to a server.
• Kerberos requires an Authentication Server (AS) to verify clients.
• The client authenticates itself to the AS, which forwards the username to the KDC.
• The KDC issues a TGT which is time stamped, encrypted using the user's password, and sent to the user's workstation.

Kerberos Key Distribution Center
Figure: the user workstation exchanges KRB_AS_REQ (1) and KRB_AS_REP (2) with the Authentication Server (AS), then KRB_TGS_REQ (3) and KRB_TGS_REP (4) with the Ticket Granting Server (TGS), both inside the Key Distribution Center; the exchange with the server itself (step 6 shown) happens once per service session.
1. The workstation sends a message to the authentication server requesting a ticket granting ticket (TGT).
2. The AS verifies the user's access rights and creates a TGT and a session key. The AS encrypts the result using a key derived from the user's password and sends the encrypted result to the user's workstation.
 – The user decrypts it using the password.
3. The workstation sends a request to the TG Server containing the client name, realm name (domain), and a timestamp.
 • The user proves their identity by sending an authenticator encrypted with the session key.
4. The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server.
 • The ticket contains the client name and, optionally, IP address, realm name and ticket timestamp.
 • The TGS returns the ticket to the workstation.
5. The client application sends a service request to the server containing the ticket.
 • The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match and then grants access to the service.
6. If mutual authentication is required, then the server will reply with a server authentication message.
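The six steps above as an added, self-contained simulation (not code from the slides): an AS and TGS sharing a key table, tickets carrying a sealed session key, authenticators with timestamps, and the server's mutual-authentication reply. Principal names, passwords and the toy one-block encryption are assumptions for the example.

```python
"""Kerberos exchange (KRB_AS_REQ/REP, KRB_TGS_REQ/REP, service request and reply).
Added illustration, not code from the slides: names, passwords and the toy
one-block encryption below are constructed for the example."""
import hashlib
import hmac
import os

NOW, LIFETIME, SKEW = 1_700_000_000, 8 * 3600, 300     # constructed clock values (seconds)
PASSWORDS = {b"alice": b"alice-pw", b"krbtgt": b"tgs-secret", b"fileserver": b"fs-secret"}
KEYS = {name: hashlib.sha256(pw).digest() for name, pw in PASSWORDS.items()}  # toy string2key

def mask(key: bytes, nonce: bytes, value32: bytes) -> bytes:
    """Toy confidentiality for one 32-byte value: XOR with SHA-256(key || nonce)."""
    return bytes(a ^ b for a, b in zip(value32, hashlib.sha256(key + nonce).digest()))

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def make_ticket(service_key, client, session_key, now):
    """Ticket: client name, expiry, session key sealed for the service, and a MAC."""
    nonce, expiry = os.urandom(16), str(now + LIFETIME).encode()
    enc_sk = mask(service_key, nonce, session_key)
    return {"client": client, "expiry": expiry, "nonce": nonce, "enc_sk": enc_sk,
            "mac": mac(service_key, client, expiry, nonce, enc_sk)}

def open_ticket(service_key, t, now):
    """Only the holder of the service key can check the MAC and recover the session key."""
    expected = mac(service_key, t["client"], t["expiry"], t["nonce"], t["enc_sk"])
    if not hmac.compare_digest(expected, t["mac"]) or now > int(t["expiry"]):
        raise ValueError("ticket forged, issued for another service, or expired")
    return mask(service_key, t["nonce"], t["enc_sk"])

def authenticator(session_key, client, now):
    """Client name + timestamp keyed with the session key: proves key possession."""
    ts = str(now).encode()
    return {"client": client, "ts": ts, "mac": mac(session_key, client, ts)}

def check_authenticator(session_key, client, a, now):
    fresh = a["client"] == client and abs(now - int(a["ts"])) <= SKEW   # bounds the replay window
    if not (fresh and hmac.compare_digest(a["mac"], mac(session_key, client, a["ts"]))):
        raise ValueError("authenticator stale or not made with the session key")

def kdc_as_rep(client, now):                 # steps 1-2: AS issues TGT + session key
    sk, nonce = os.urandom(32), os.urandom(16)
    return {"tgt": make_ticket(KEYS[b"krbtgt"], client, sk, now),
            "nonce": nonce, "enc_sk": mask(KEYS[client], nonce, sk)}   # sealed under user key

def kdc_tgs_rep(tgt, auth, service, now):    # steps 3-4: TGS checks TGT, issues service ticket
    sk = open_ticket(KEYS[b"krbtgt"], tgt, now)
    check_authenticator(sk, tgt["client"], auth, now)
    svc_sk, nonce = os.urandom(32), os.urandom(16)
    return {"ticket": make_ticket(KEYS[service], tgt["client"], svc_sk, now),
            "nonce": nonce, "enc_sk": mask(sk, nonce, svc_sk)}

def client_session(client, password, service, now=NOW) -> bool:
    """Whole flow from the workstation. True only if the service accepts the ticket
    and proves itself back (step 6, mutual authentication); False on any failure."""
    try:
        user_key = hashlib.sha256(password).digest()          # the password itself is never sent
        rep = kdc_as_rep(client, now)
        sk = mask(user_key, rep["nonce"], rep["enc_sk"])       # wrong password -> garbage sk
        tgs = kdc_tgs_rep(rep["tgt"], authenticator(sk, client, now), service, now)
        svc_sk = mask(sk, tgs["nonce"], tgs["enc_sk"])
        granted = open_ticket(KEYS[service], tgs["ticket"], now)   # step 5: service key only
        ap_req = authenticator(svc_sk, client, now)
        check_authenticator(granted, client, ap_req, now)
        server_proof = mac(granted, b"AP_REP", ap_req["ts"])       # step 6
        return hmac.compare_digest(server_proof, mac(svc_sk, b"AP_REP", ap_req["ts"]))
    except (ValueError, KeyError):
        return False
```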
Security Topologies

Security Topology
• A logical map that depicts the interconnectivity between security devices, the networks that are protected by those security devices, and the security domains that host these networks.
• Security topologies serve as a foundation for creating IPsec VPNs on the network and for configuring firewall policies on security devices.

Security Zones
• A way to classify websites into different security categories.
• Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites and My Computer.
• Trusted Sites: this zone is for sites that you trust.
• Unclassified sites: this zone is for sites that you haven't classified or are not sure of.
• Restricted Sites: this zone is for sites that you don't trust and want to restrict.

Key aspects of Creating & Designing Security zones
• Internet Zone
 – Contains websites that are not on your computer or on the local intranet.
 – The default security level is Medium.

Local Intranet Zone
• Contains all network connections that were established by a Universal Naming Convention (UNC) path.
• Websites that bypass the proxy server or have names that do not include periods.
• Not assigned to either the Restricted or Trusted Sites zones.
• The default security level for the Local Intranet zone is set to Medium or Medium-Low.

Trusted Sites zone
• Contains websites that you trust as safe.
• For websites in the Trusted zone, you believe that files you download or run from the website will not damage your computer or data.
• By default, no websites are assigned to the Trusted zone.
• Security level is set to Low.

Restricted Sites zone
• Contains websites that you do not trust.
• For websites in the Restricted zone, you believe that files you download or run from the website may damage your computer or data.
• By default, there are no websites in the Restricted zone.
• Security level is set to High.
• Default security level is Medium.
DMZ (Demilitarized zone)
• A computer host or small network inserted as a ‘neutral zone’ between a company's private network and the outside public network.
• Prevents outside users from getting direct access to a server.
• A DMZ is an optional and more secure approach to a firewall.
• Effectively acts as a proxy server as well.

Figure: DMZ host between the Internet and the private network.

DMZ
• A separate computer in the network receives requests from users within the private network for access to websites or other companies' public networks.
• It can only forward the packets that have already been requested.
• Users of the public network outside the company can access only the DMZ host.
Internet
• A network that can be used to transfer emails, files, financial records, remote access, etc.
• The Internet is not a single network; it is a series of interconnected networks.
• Such a large mesh allows users an infinite ability to communicate between different systems.
• Everyone can have access to this network.
• Because it is difficult to impose security policies, it is considered an untrusted system.

Intranet
• A private network that is contained within an enterprise.
• It may consist of many interlinked LANs and also use leased lines in a WAN.
• An intranet includes connections through one or more gateway computers to the Internet.
• Its main purpose is to share company information and computing resources among employees.

Intranet
• Uses TCP/IP, HTTP, and other Internet protocols; it looks like a private version of the Internet.
• With tunneling, companies can send private messages through public networks.
• Users within an intranet access the public Internet through firewall servers.
• When part of an intranet is made accessible to customers, partners, or others outside the company, that part becomes part of an extranet.
Virtual LAN (VLAN)
• In a traditional LAN, workstations are connected to each other using a hub.
• These devices propagate incoming data throughout the network.
• This causes the problem of collisions.
• To prevent collisions, bridges and switches can be used, because they do not forward collisions, yet they still deliver broadcasts to every user in the network.
• The area within which broadcasts and multicasts are confined is called a broadcast domain, or LAN.

Virtual LAN (VLAN)
• VLANs allow a LAN to be logically segmented into different broadcast domains, i.e. a single switch forms multiple broadcast domains.
• This is a logical segmentation, not a physical one.
• All VLANs on a single switch operate in parallel.

Fig. VLAN: a single switch/bridge carrying VLAN 1, VLAN 2, VLAN 3 and VLAN 4.

Advantages of VLAN
1. Performance
 • In a network, a high percentage of traffic is broadcast and multicast.
 • VLANs reduce the need to send traffic to unnecessary destinations.
2. Formation of virtual workgroups
3. Simplified administration
4. Security

Types of VLAN
• Layer 1 VLAN: membership by port
 – Membership in a VLAN can be based on the ports that belong to the VLAN.
 – The disadvantage of this is that it does not allow user mobility.

Port | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
VLAN | 1 | 1 | 3 | 3 | 2 | 2 | 4 | 4

Types of VLAN
• Layer 2 VLAN: membership by MAC address
 – Membership is based on the MAC address of the workstation.
 – The switch tracks which VLAN each MAC address belongs to.
 – If a workstation is moved or its port is changed, there is no need to reconfigure the VLAN.
 – The disadvantage is that membership must be assigned initially; in a network with thousands of users this is not an easy task.

VLAN Types
• Layer 2 VLAN: membership by protocol
 – This method is based on the protocol field.
 – Protocols are assigned to different ports, e.g. IP protocol traffic is assigned to port 1 and other traffic to some other port.

VLAN Types
• Layer 2 VLAN: membership by IP address subnet
 – This method is based on the IP address subnet.

IP Address | Subnet
192.168.1.100 | 255.255.255.128
192.168.1.100 | 255.255.255.128
117.240.248.129 | 255.255.255.240

Summary
• VPN: a way to create a private network over a public one
• VPN protocols: PPTP, L2TP, IPSec
• Kerberos
• Security topologies
• Security zones: Internet, Intranet, Trusted Sites and Restricted Sites
• DMZ
• Virtual LAN