Compare Firewall products
Yan Xie
2001825
Term Project of Network Security
Introduction
• Why do we need a Firewall
• The definition of Firewall
• Some benefits and disadvantages of Firewalls
• Types of Firewall
• Compare features of some Firewall products
Why do we need a Firewall
• Security vulnerabilities on the Internet and in the local network area
• Vulnerable TCP/IP services
• Lack of a security policy
• Complexity of configuration
• Weak authentication
• Ease of spying and monitoring
• Ease of spoofing
• Flawed LAN services and mutually trusting hosts
• Host-based security does not scale
The definition of Firewall
• What is a Firewall
A firewall is any one of several ways of protecting one network from another, untrusted network. In principle, the firewall can be thought of as a pair of mechanisms: one exists to block traffic, and the other exists to permit traffic. Some firewalls place a great emphasis on blocking traffic, while others emphasize permitting traffic.
The definition of Firewall
• Firewall Components
1. Network policy, which includes the service access policy and the firewall design policy
  - A service access policy defines those services that will be allowed or denied from the restricted network
  - A firewall design policy describes how the firewall will actually restrict and filter the services defined in the service access policy; it takes one of two stances:
    Permit any service unless it is expressly denied
    Deny any service unless it is expressly permitted
Firewall components (cont)
2. Advanced authentication mechanisms (smart card, authentication token)
3. Packet filtering (source address, destination address, TCP/UDP source port, TCP/UDP destination port)
4. Application gateways
  - Information hiding
  - Robust authentication and logging
  - Cost-effective
  - Less complex filtering rules
Benefits of a Firewall
• Protection from vulnerable services
• Control of access to site systems
• Privacy
• Logging and statistics on network use
• Enhanced, concentrated security
Disadvantages of a Firewall
• Restricted access to desirable services
• Large potential for back doors
• Little protection from inside attacks
• Potential threat from multicast IP transmissions
• Restrictions on configuration
• No protection against viruses
Types of Firewall
• Packet Filter Firewall
  - The most common and easiest firewall to apply for small, uncomplicated sites
  - Allows selective access to systems and services depending on source address, destination address, TCP/UDP source port and TCP/UDP destination port
  - Inherently dangerous services such as NIS, NFS and X Windows are blocked
Packet Filtering Firewall
Figure: Packet Filtering Firewall (Internet - IP Packet Filtering Router - System)
Packet Filter Firewall
• Little or no logging capability
• It is difficult to test the rules and find out the vulnerabilities of the system
• The filtering router becomes unmanageable if complex filtering rules are required
• The lowest level of firewall, because it has no application awareness
Types of Firewall
• Dual-homed Gateway Firewall
  - Implements the second design policy: deny all services unless they are specifically permitted
  - A complete block to IP traffic between the Internet and the protected site; proxy servers on the gateway provide services and access
  - Provides proxy service for Telnet and FTP, as well as an e-mail service in which the firewall accepts all site mail and forwards it to the systems
  - Logs access and access attempts to find intruder activity
  - Segregates traffic concerned with an information server from other traffic to and from the site; any intruder penetration of the information server would be prevented by the dual-homed gateway
  - If there are vulnerabilities or a technique on the host is compromised, an intruder could subvert the firewall and carry out harmful activities
Dual-homed Gateway Firewall
Figure: Dual-homed Gateway Firewall with Router (Internet - IP Filtering - Application Gateway - Info Server)
Screened Host Firewall
• Screened Host Firewall
  - Combines a packet-filtering router with an application gateway located on the protected subnet side of the router
  - The router filters or screens dangerous protocols from reaching the application gateway and the site systems
  - Whether application traffic is routed or rejected depends on these rules:
    Application traffic from Internet sites to the application gateway gets routed
    All other traffic from Internet sites gets rejected
    The router rejects any application traffic originating from the inside unless it came from the application gateway
Screened Host Firewall
• Since the router only limits the application traffic to the application gateway, the configuration is not as complex as a packet filtering firewall
• The gateway needs only one network interface and does not require a separate subnet between the application gateway and the router, which makes the firewall more flexible
• The router may be permitted to pass some trusted services directly to the site systems, so the firewall should use the two design policies to restrict how many and what types of services are routed directly to site systems
Screened Host Firewall
Figure: Screened Host Firewall (Internet - IP Filtering - Application Gateway - Info Server)
Screened Subnet Firewall
• Screened Subnet Firewall
  - A screened subnet firewall can be used to locate each component of the firewall on a separate system
  - The outer router will route traffic according to the following rules:
    Application traffic from the application gateway to Internet systems gets routed
    E-mail traffic from the e-mail server to Internet sites gets routed
    Application traffic from the e-mail server to the application gateway gets routed
    E-mail traffic from Internet sites to the e-mail server gets routed
    FTP, Gopher, etc. traffic from Internet sites to the information server gets routed
    All other traffic gets rejected
Screened Subnet Firewall
• The inner router passes traffic to and from the screened subnet according to the following rules:
  - Application traffic from the application gateway to the site systems gets routed
  - E-mail traffic from the e-mail server to the site systems gets routed
  - Application traffic from the site systems to the application gateway gets routed
  - E-mail traffic from the site systems to the e-mail server gets routed
  - FTP, Gopher, etc. traffic from the site systems to the information server gets routed
  - All other traffic gets rejected
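The two design-policy stances from the Firewall Components slide ("permit unless expressly denied" versus "deny unless expressly permitted") and the outer and inner router rule lists of the screened subnet, written out as a small packet-filter engine. This is an added example, not code from the presentation or from any of the products it compares. The addressing is constructed: 192.0.2.0/24 is the screened subnet (gateway .10, e-mail server .25, information server .80), 10.0.0.0/8 is the protected site, 203.0.113.x stands in for Internet hosts, and TCP ports 21, 25 and 70 stand in for FTP, e-mail and Gopher.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed addressing (assumption, not from the slides).
GATEWAY = "192.0.2.10/32"  # application gateway on the screened subnet
MAIL = "192.0.2.25/32"     # e-mail server on the screened subnet
INFO = "192.0.2.80/32"     # information server on the screened subnet
SITE = "10.0.0.0/8"        # site systems behind the inner router
ANY = "0.0.0.0/0"          # any address; models "Internet sites"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """A permit rule: traffic that matches it gets routed."""
    src: str                                  # source network (CIDR)
    dst: str                                  # destination network (CIDR)
    proto: Optional[str] = None               # None matches any protocol
    dports: Optional[FrozenSet[int]] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


# Outer router: one Rule per line of the slide's outer rule list.
OUTER_RULES: List[Rule] = [
    Rule(GATEWAY, ANY),                            # application traffic, gateway -> Internet
    Rule(MAIL, ANY, "tcp", frozenset({25})),       # e-mail, mail server -> Internet
    Rule(MAIL, GATEWAY),                           # application traffic, mail server -> gateway
    Rule(ANY, MAIL, "tcp", frozenset({25})),       # e-mail, Internet -> mail server
    Rule(ANY, INFO, "tcp", frozenset({21, 70})),   # FTP, Gopher: Internet -> information server
]

# Inner router: between the screened subnet and the site systems.
INNER_RULES: List[Rule] = [
    Rule(GATEWAY, SITE),                           # application traffic, gateway -> site
    Rule(MAIL, SITE, "tcp", frozenset({25})),      # e-mail, mail server -> site
    Rule(SITE, GATEWAY),                           # application traffic, site -> gateway
    Rule(SITE, MAIL, "tcp", frozenset({25})),      # e-mail, site -> mail server
    Rule(SITE, INFO, "tcp", frozenset({21, 70})),  # FTP, Gopher: site -> information server
]


def decide(rules: List[Rule], pkt: Packet, permit_by_default: bool = False) -> str:
    """The first matching permit rule routes the packet. Anything unmatched is
    decided by the design policy: "deny unless expressly permitted" rejects it
    (the stance the slides recommend); "permit unless expressly denied" routes it."""
    for rule in rules:
        if rule.matches(pkt):
            return "route"
    return "route" if permit_by_default else "reject"


def outer_router(pkt: Packet, permit_by_default: bool = False) -> str:
    return decide(OUTER_RULES, pkt, permit_by_default)


def inner_router(pkt: Packet, permit_by_default: bool = False) -> str:
    return decide(INNER_RULES, pkt, permit_by_default)


if __name__ == "__main__":
    samples = [
        ("Internet -> mail server, SMTP", outer_router(Packet("203.0.113.5", "192.0.2.25", "tcp", 25))),
        ("Internet -> info server, FTP", outer_router(Packet("203.0.113.5", "192.0.2.80", "tcp", 21))),
        ("Internet -> info server, Telnet", outer_router(Packet("203.0.113.5", "192.0.2.80", "tcp", 23))),
        ("Internet -> site host, Telnet (deny by default)", outer_router(Packet("203.0.113.5", "10.0.0.7", "tcp", 23))),
        ("Internet -> site host, Telnet (permit by default)", outer_router(Packet("203.0.113.5", "10.0.0.7", "tcp", 23), True)),
        ("site host -> Internet directly, at inner router", inner_router(Packet("10.0.0.7", "203.0.113.5", "tcp", 80))),
        ("info server -> site host, at inner router", inner_router(Packet("192.0.2.80", "10.0.0.7", "tcp", 21))),
    ]
    for label, verdict in samples:
        print(f"{label}: {verdict}")
```

The last two sample packets show why the slides favour the deny-by-default stance: with the same rule list, a Telnet connection from the Internet straight to a site host is rejected under "deny unless permitted" but routed under "permit unless denied", and at the inner router a compromised information server cannot open connections into the site because only site-to-server traffic was expressly permitted.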
Screened Subnet Firewall
• Advantages of a screened subnet firewall
  - The two routers make it more difficult for an intruder to attack, because he must subvert both routers to reach the site systems
  - Only the application gateway, e-mail server and information server would be known to the Internet; no other system names would be known in the DNS database that is accessible to outside systems
  - The application gateway can use authentication software to authenticate all inbound connections
  - More flexible, by permitting certain trusted services to pass between the Internet and the site systems
Screened Subnet Firewall
Figure: Screened Subnet Firewall (Internet - Info Server, E-mail Server, Application Gateway)
Firewall Products
• Interlock of ANS Communication
  - An application gateway based firewall designed to secure access between IP networks
  - The Access Control Rule Base is the facility used to define Interlock's access control
  - Ensures intra-network protection by controlling access between segments of an internal TCP/IP network
  - Modified source code: the functions for resending (forwarding) of IP packets, ICMP redirection and source routing were deleted
Interlock
• Authentication
  - Standard password
  - SecurID and PINPAD
  - Non-authenticated services cannot be required to authenticate
• Access control
  - First checks whether there is a specific rule for the user
  - Then the application checks for rules associated with a group containing the user
  - The user gets access
• Does not support
  - Confidentiality
  - Integrity
  - Serial-line protection
Nov*IX for NetWare
• Nov*IX of Firefox
  - Nov*IX for NetWare is a packet filter firewall
  - Enables you to connect a Novell NetWare network to TCP/IP host systems over TCP/IP networks
• Authentication
  - NetWare-based password facility for authorizing all outgoing connections through the server
  - For incoming connections, user authentication can be implemented for remote clients by using a login and password in the bindery or directory services
  - For specific authentication, FTP users require a user name and password that are verified in the NetWare Bindery before being authorized to connect to the FTP server
  - Detects and prevents IP spoofing
Nov*IX for NetWare
• Access Control
  - Extracts the data from the outgoing packet and puts it in an IP packet for transmission onto the Internet
  - For incoming Internet traffic, data is removed from IP packets and put into IPX packets before entering the NetWare network
  - Network managers can specify the port addresses that are acceptable or those that are unacceptable
• Does not support
  - Confidentiality
  - Integrity
  - Protection against "back doors"
CyberGuard Firewall
• CyberGuard Firewall
  - CyberGuard Firewall is a combination of a packet-filter gateway, a proxy gateway and a bastion host
• Authentication
  - Uses passwords for user authentication
  - A dynamically generated password from a hand-held token card plus personal identification (PIN) for SecurID user authentication
  - Host authentication has the ability to detect IP spoofing
• Access Control
  - Hides internal host names and addresses; interfaces with standard clients and servers
  - Allows and blocks the routing of specific network services based on a dynamic return path, according to service type, protocol, source and destination names or addresses, sub-network mask, direction of transfer and established connection
CyberGuard Firewall
• Enhanced Security
  - Mandatory access control
  - Multilevel directories
  - Secure device handling
  - Privileges
• Confidentiality
  - The private network packet is encrypted and placed into the data portion of the packet that is sent out by the firewall
  - The internal host source and destination addresses, the private network information and the original data are encrypted
• Integrity
  - Enables a counter that prevents replay attacks
  - By using a MAC within the encryption process, it can detect and prevent modification of any data in the packet, including the addresses
Firewall-1 Check Point
• Firewall-1
  - Located in the kernel of the OS, below the network layer
  - Checks the IP addresses and port numbers at the same time
  - Stores and refreshes the state and context in a dynamic state table
• Authentication
  - Password
  - Internal Firewall-1 password
  - SecurID
  - S/Key
  - Cryptography-based authentication
Firewall-1
• Access Control
  - Stateful Inspection
    Extracts the state-related information required for security decisions from all application layers
    Maintains this information in dynamic state tables for evaluating subsequent connection attempts
  - Rule based
• Confidentiality & Integrity
  - Session key: DES, encrypts the message
  - Encryption key: Diffie-Hellman generates a secret key for each gateway
  - Certificate Authority key: RSA, authenticating the encryption key
  - Supports encryption speed greater than 10 Mbps
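The stateful inspection idea described above (state recorded when a connection is opened, kept in a dynamic table, refreshed and consulted for every later packet) reduced to its TCP essentials. This is an added illustration, not Check Point's code or an account of how Firewall-1 is implemented; the inside network 10.0.0.0/8, the idle timeout, and the segments fed to the filter are all constructed for the example, and time is passed in explicitly so the behaviour is reproducible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields the filter needs (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


Key = Tuple[str, int, str, int]   # (src, sport, dst, dport) as seen when the connection opened


class StatefulInspector:
    """Connections may only be opened from the inside; reply packets are admitted
    because they match a state-table entry, not because of their flag bits, and
    idle entries expire so the table cannot grow without bound."""

    def __init__(self, inside_net: str, idle_timeout: float = 60.0):
        self.inside = ip_network(inside_net)
        self.idle_timeout = idle_timeout
        self.state: Dict[Key, float] = {}   # connection 4-tuple -> last-seen time (seconds)

    def _expire(self, now: float) -> None:
        for key, seen in list(self.state.items()):
            if now - seen > self.idle_timeout:
                del self.state[key]

    def process(self, seg: Segment, now: float) -> str:
        self._expire(now)
        fwd: Key = (seg.src, seg.sport, seg.dst, seg.dport)
        rev: Key = (seg.dst, seg.dport, seg.src, seg.sport)
        # Part of a tracked connection, in either direction: refresh and accept.
        for key in (fwd, rev):
            if key in self.state:
                self.state[key] = now
                return "accept"
        # Not tracked: only an initial SYN from an inside host may create state.
        if seg.syn and not seg.ack and ip_address(seg.src) in self.inside:
            self.state[fwd] = now
            return "accept"
        return "drop"

    def tracked(self) -> int:
        return len(self.state)


def demo() -> list:
    """Feed a constructed sequence through the filter and return the verdicts."""
    fw = StatefulInspector("10.0.0.0/8", idle_timeout=60.0)
    return [
        fw.process(Segment("10.0.0.7", 40000, "203.0.113.5", 80, syn=True), now=0.0),               # inside opens
        fw.process(Segment("203.0.113.5", 80, "10.0.0.7", 40000, syn=True, ack=True), now=0.1),     # matching reply
        fw.process(Segment("203.0.113.9", 4444, "10.0.0.7", 22, syn=True), now=0.2),                # unsolicited inbound
        fw.process(Segment("203.0.113.9", 4444, "10.0.0.8", 22, syn=True, ack=True), now=0.3),      # forged "reply", no state
        fw.process(Segment("203.0.113.5", 80, "10.0.0.7", 40000, ack=True), now=0.4),               # data on open connection
        fw.process(Segment("203.0.113.5", 80, "10.0.0.7", 40000, ack=True), now=100.0),             # after idle timeout
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth segment is the case a stateless packet filter gets wrong: it carries ACK, so an "established only" rule on a plain filtering router would pass it, whereas the state table rejects it because no inside host ever opened that connection. The last segment shows the other half of the design, entries being refreshed while the connection is active and dropped once it goes idle.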
Compare Firewall Products

Product      Company      Authentication   Access Control   Confidentiality   Integrity   Protocol/service
Interlock    ANS          √                √                -                 -           FTP, Telnet, Login, SMTP, NNTP, X Windows, WWW, Gopher, HTTP, Real Audio, LPD, NTP
Nov*IX       FireFox      √                √                -                 -           Packet filtering; TCP, UDP, NNTP, HTTP
CyberGuard   CyberGuard   √                √                √                 √           FTP, Telnet, Login, SMTP, NNTP, HTTP, Gopher, X11, Socks, enhanced pass-through proxy
Firewall-1   Check Point  √                √                √                 √           Complete TCP/IP protocols

(√ = supported, - = not supported)
Suggestion
• Firewall with Modem Pool
  - A firewall cannot defend against "back doors"
  - Collect the modems and connect them to a terminal server
  - A terminal server is a computer designed for connecting modems to a network
  - The terminal server restricts which systems can be connected to
  - Packet filtering prevents inside systems from connecting directly to the modem pool
  - The application gateway's authentication will be used to authenticate users, whether they come in from a modem or from the Internet
Suggestion
• Multicast IP Transmission
  - Minimize the unnecessary exposure of hosts to multicast traffic
  - Transmissions are passed only when the request comes from an inside user
  - Allow packets sent to ports designated by the requesting host and marked by the firewall kernel as unused
Conclusion
• Choose a firewall that provides confidentiality and integrity
• An updatable firewall should be considered
• Suitable service access policy and design policy
• Proper configuration and implementation depend on the specific application
• Use more devices to improve security, such as intrusion detection and anti-virus software