Firewalls: Security Technologies
Security Technologies
Firewalls
Supervised By:
Dr. Lo’ai Tawalbeh
Done by :
SHADI SAMARA
ALA` AL_SAYYED
Aims and Objectives
Understand what a Firewall is and why it is needed
Advantages and Disadvantages of a Firewall
Different types of Firewall
Authentication techniques used by Firewalls
Different Configurations of Firewalls
What is Security?
“The quality or state of being secure—to be free from danger”
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
Characteristics of Information
The value of information comes from the characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
Physical Design
Physical design of an information security program is made up of two parts:
1. Security technologies
2. Physical security
• FTP
• SMTP, POP3
• Telnet
• DNS
• HTTP
Application/Proxy Servers ..cont
Advantages:
Extensive logging capability
Allow enforcement of user authentication
Less vulnerable to address spoofing attacks
Disadvantages:
Complex configuration
Limited support for new network applications and protocols
Speed!
3- Circuit gateways:
Stateful firewall
Stateless firewall
Types of Firewalls ..cont
Stateful firewall
NAT types
– Dynamic
• For connections from inside to outside
• There may be fewer outside addresses than internal addresses
– Static
• For connections from outside to specific servers inside
• One-to-one address mapping (fixed)
Network Address Translation ..cont
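To make the two NAT types concrete, here is an added toy NAT table (example code written for this page, not from the slides or any product). It assumes a dynamic pool that inside hosts lease per connection, with fewer outside addresses than inside hosts, and static one-to-one entries that publish specific inside servers; all addresses are constructed sample values.

```python
"""Toy NAT table illustrating the two NAT types above: a dynamic pool for
inside-to-outside connections (fewer outside addresses than inside hosts) and
static one-to-one mappings for outside-to-inside connections to specific
servers. All addresses below are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class NatTable:
    public_pool: list                    # outside addresses available for dynamic leases
    static: dict                         # outside ip -> inside server ip, fixed one-to-one
    dynamic: dict = field(default_factory=dict)  # inside ip -> leased outside ip
    free: list = field(init=False)

    def __post_init__(self):
        # An address that is statically mapped to a server must never be leased out.
        self.free = [ip for ip in self.public_pool if ip not in self.static]

    def outbound(self, inside_ip):
        """Translate the source address of an inside -> outside packet.
        Returns the outside address to use, or None when the pool is exhausted
        (the edge case of having fewer outside than inside addresses)."""
        if inside_ip in self.dynamic:
            return self.dynamic[inside_ip]
        if not self.free:
            return None
        leased = self.free.pop(0)
        self.dynamic[inside_ip] = leased
        return leased

    def release(self, inside_ip):
        """Hand a dynamic lease back to the pool when the inside host is done."""
        leased = self.dynamic.pop(inside_ip, None)
        if leased is not None:
            self.free.append(leased)

    def inbound(self, outside_dst):
        """Translate the destination address of an outside -> inside packet.
        Static mappings win (published servers); a leased dynamic address is
        handed to the inside host holding it; anything else has no mapping
        and must be dropped, so the inside network is never exposed by default."""
        if outside_dst in self.static:
            return self.static[outside_dst]
        for inside_ip, leased in self.dynamic.items():
            if leased == outside_dst:
                return inside_ip
        return None


def demo():
    """Two dynamic outside addresses shared by three inside hosts, plus one published server."""
    nat = NatTable(public_pool=["203.0.113.10", "203.0.113.11", "203.0.113.20"],
                   static={"203.0.113.20": "10.0.0.80"})
    trace = [
        nat.outbound("10.0.0.1"),   # first lease
        nat.outbound("10.0.0.2"),   # second lease
        nat.outbound("10.0.0.3"),   # pool exhausted -> None, connection refused
    ]
    nat.release("10.0.0.1")
    trace.append(nat.outbound("10.0.0.3"))     # lease recycled
    trace.append(nat.inbound("203.0.113.20"))  # static: reaches the published server
    trace.append(nat.inbound("203.0.113.11"))  # reply to a leased address
    trace.append(nat.inbound("203.0.113.99"))  # unmapped -> None (drop)
    return trace


if __name__ == "__main__":
    print(demo())
```

The point to notice is the last inbound case: an outside packet whose destination matches neither a static entry nor a current lease has no translation and is dropped, which is why a dynamic NAT on its own already hides inside hosts from unsolicited connections, while the static entries are exactly the hosts you deliberately expose.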
Firewall Configurations (or Architectures)
Packet Filtering Router
Dual Homed Gateway
Screened Host Gateway (bastion host)
Screened Subnet Gateway or Demilitarized Zone (DMZ)
Firewall Appliance
Packet Filtering Router
A packet filtering router is a router configured to screen packets between two networks. It routes traffic between the two networks and uses packet filtering rules to permit or deny traffic.
Implementing security with a router is usually not that easy. Most routers were designed to route traffic, not to provide firewall functionality, so the command interface used for configuring rules and filters is neither simple nor intuitive.
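The packet filtering router above and the stateful/stateless distinction from the types slide can be shown side by side in a small model. The following is an added example written for this page (not code from the slides or from any router vendor); it assumes a private network 10.0.0.0/8, a stateless rule list in which "reply traffic" can only be approximated by checking the TCP ACK flag, and a stateful filter that remembers connections opened from the inside. All addresses, ports and rules are constructed sample values.

```python
"""Toy packet filter contrasting a stateless rule list (the packet filtering
router above) with stateful connection tracking. Addresses, ports and rules
are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network, CIDR
    dst: str = "0.0.0.0/0"        # destination network, CIDR
    dport: Optional[int] = None   # None matches any destination port
    established: bool = False     # stateless approximation of "reply traffic": ACK set

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and (pkt.ack or not self.established))


INSIDE = "10.0.0.0/8"

# Stateless policy: anything from inside may go out; from outside only packets
# that look like replies (ACK set) may come in, because the router keeps no
# memory of which connections the inside actually opened.
STATELESS_RULES = [
    Rule("permit", src=INSIDE),
    Rule("permit", dst=INSIDE, established=True),
    Rule("deny"),
]


def stateless_filter(rules, pkt):
    """First matching rule decides; default deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


class StatefulFilter:
    """Remembers connections opened from the inside; an inbound packet is
    accepted only when it is the reverse direction of a tracked connection."""

    def __init__(self):
        self.conns = set()   # (src, sport, dst, dport) of inside-initiated flows

    def accept(self, pkt):
        if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(INSIDE):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:      # a new connection attempt opens state
                self.conns.add(key)
            return key in self.conns          # other inside packets need existing state
        # Inbound packet: permitted only as the reverse of a tracked connection
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def compare():
    """Run three packets through both filters; returns name -> (stateless, stateful)."""
    sf = StatefulFilter()
    probes = [
        ("syn_out", Packet("10.0.0.5", "198.51.100.7", 40000, 80, syn=True)),
        ("reply_in", Packet("198.51.100.7", "10.0.0.5", 80, 40000, syn=True, ack=True)),
        # An unsolicited inbound packet with ACK set: the stateless rule list has
        # no way to tell it from a reply; the stateful filter knows no such connection.
        ("unsolicited_in", Packet("198.51.100.7", "10.0.0.5", 4444, 22, ack=True)),
    ]
    return {name: (stateless_filter(STATELESS_RULES, p), sf.accept(p)) for name, p in probes}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:15s} stateless={verdicts[0]} stateful={verdicts[1]}")
```

The third probe is the one worth remembering when auditing a router-based filter: the stateless rule list must accept the unsolicited packet because an ACK flag is all it can check, whereas the stateful filter drops it because no inside host ever opened that connection.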
Dual Homed Gateway
This is a secure firewall design comprising an application gateway and a packet filtering router. It is called “dual homed” because the gateway has two network interfaces, one attached to the Internet, the other to the organization's network. Only applications with proxy services on the application gateway are able to operate through the firewall. Since IP forwarding is disabled in the host, IP packets must be directed to one of the proxy servers on the host, or be rejected. Some manufacturers build the packet filtering capability and the application proxies into one box, thereby simplifying the design (but removing the possibility of having an optional info server and modems attached to the screened subnet).
The disadvantages of the dual homed gateway are that it may be a bottleneck to performance, and it may be too secure for some sites (!) since it is not possible to let trusted applications bypass the firewall and communicate directly with peers on the Internet. They must have a proxy service in the firewall.
Dual Homed Gateway ..cont
A dual-homed gateway typically sits behind the gateway (usually a router) to the untrusted network and most often is a host system with two network interfaces. Traffic forwarding on this system is disabled, thereby forcing all traffic between the two networks to pass through some kind of application gateway or proxy. Only gateways or proxies for the services that are considered essential are installed on the system. This particular architecture will usually require user authentication before access to the gateway/proxy is allowed. Each proxy is independent of all other proxies on the host system.
Screened Host Gateway (bastion host)
The screened host gateway is similar to the above, but more flexible and less secure, since trusted traffic may pass directly from the Internet into the private network, thereby bypassing the application gateway. In this design the application gateway only needs a single network connection.
The IP router will normally be configured to pass Internet traffic to the application gateway or to reject it. Traffic from the corporate network to the Internet will also be rejected, unless it originates from the application gateway. The only exception to these rules will be for trusted traffic that will be allowed straight through.
Screened Host Gateway ..cont
The screened host, or bastion host, is typically located on the trusted network, protected from the untrusted network by a packet filtering router. All traffic coming in through the packet filtering router is directed to the screened host. Outbound traffic may or may not be directed to the screened host. This type of firewall is most often software based and runs on a general-purpose computer that is running a secure version of the operating system. Security is usually implemented at the application level.
Screened Host Gateway ..cont
Highly secure host system
Potentially exposed to "hostile" elements, hence secured to withstand this
May support 2 or more network connections
May be trusted to enforce trusted separation between network connections
Runs circuit / application level gateways, or provides externally accessible services
Screened Subnet Gateway
This configuration creates a small isolated network between the Internet and the corporate network, which is sometimes referred to as the demilitarised zone (DMZ). The advantage of this configuration is that multiple hosts and gateways can be stationed in the DMZ, thereby achieving a much greater throughput to the Internet than the other configurations; plus the configuration is very secure as two packet filtering routers are there to protect the corporate network.
The IP router on the Internet side will only let through Internet traffic that is destined for a host in the DMZ (and vice versa). The IP router on the corporate network side will only let site traffic pass to a host in the DMZ (and vice versa). This system is as secure as the dual homed gateway, but it is also possible to allow trusted traffic to pass straight through the DMZ if required. This configuration is of course more expensive to implement!
Screened Subnet Gateway ..cont
A screened subnet or DMZ is typically created between two packet filtering routers. When using this architecture, the firewall solution is housed on this screened subnet segment along with any other services available to the untrusted network. Conceptually, this architecture is similar to that of a screened host, except that an entire network rather than a single host is reachable from the outside.
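The two-router rules of the screened subnet are easy to state and easy to get subtly wrong, so here is an added zone-level model of them (example code written for this page, not from the slides). It assumes an outer router that only passes Internet traffic to or from DMZ hosts, an inner router that only passes site traffic to or from DMZ hosts, and a small "trusted" slice of the corporate network for the optional straight-through exception the slide mentions; a packet is reachable only if every router on its path permits it. All networks, hosts and rules are constructed sample values.

```python
"""Zone-level model of the screened subnet (DMZ) configuration above: a packet
is reachable only if every packet filtering router on its path permits it.
Networks, hosts and rules are constructed sample values."""
import ipaddress

# Zones, most specific first; "trusted" is a slice of the corporate network that
# may be granted straight-through access, as the slide allows.
ZONES = [
    ("trusted",   "10.0.5.0/24"),
    ("corporate", "10.0.0.0/8"),
    ("dmz",       "192.0.2.0/24"),
    ("internet",  "0.0.0.0/0"),
]
# Which side of the DMZ each zone lives on
SIDE = {"trusted": "corporate", "corporate": "corporate", "dmz": "dmz", "internet": "internet"}
# Routers crossed, in order, for traffic between two sides
PATHS = {
    ("internet", "dmz"): ["outer"],
    ("dmz", "internet"): ["outer"],
    ("corporate", "dmz"): ["inner"],
    ("dmz", "corporate"): ["inner"],
    ("internet", "corporate"): ["outer", "inner"],
    ("corporate", "internet"): ["inner", "outer"],
}

# Outer router: only Internet traffic to or from a host in the DMZ.
OUTER = [("internet", "dmz", "permit"), ("dmz", "internet", "permit"), ("*", "*", "deny")]
# Inner router: only site traffic to or from a host in the DMZ.
INNER = [("corporate", "dmz", "permit"), ("dmz", "corporate", "permit"), ("*", "*", "deny")]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next(name for name, net in ZONES if addr in ipaddress.ip_network(net))


def decide(rules, src_zone, dst_zone):
    """Rules are (src, dst, action) over zone names; "*" matches any zone and a
    side name ("corporate") also matches its sub-zones ("trusted"). First match
    wins; the default is deny."""
    for s, d, action in rules:
        if s in ("*", src_zone, SIDE[src_zone]) and d in ("*", dst_zone, SIDE[dst_zone]):
            return action == "permit"
    return False


def reachable(src_ip, dst_ip, routers):
    """Return (allowed, name of the router that dropped the packet or None)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if SIDE[src] == SIDE[dst]:
        return True, None                      # same side: no router on the path
    for name in PATHS[(SIDE[src], SIDE[dst])]:
        if not decide(routers[name], src, dst):
            return False, name
    return True, None


def screened_subnet(routers=None):
    """Probe the configuration; returns label -> (allowed, blocking router)."""
    routers = routers or {"outer": OUTER, "inner": INNER}
    probes = {
        "internet->dmz":       ("198.51.100.7", "192.0.2.10"),
        "internet->corporate": ("198.51.100.7", "10.0.0.5"),
        "corporate->dmz":      ("10.0.0.5", "192.0.2.10"),
        "corporate->internet": ("10.0.0.5", "198.51.100.7"),
        "trusted->internet":   ("10.0.5.9", "198.51.100.7"),
    }
    return {label: reachable(s, d, routers) for label, (s, d) in probes.items()}


def with_trusted_exception(on_inner, on_outer):
    """Let trusted hosts pass straight through the DMZ. Both routers sit on the
    path, so the exception is effective only when added to both."""
    exc = ("trusted", "internet", "permit")
    routers = {"inner": ([exc] if on_inner else []) + INNER,
               "outer": ([exc] if on_outer else []) + OUTER}
    return screened_subnet(routers)["trusted->internet"]


if __name__ == "__main__":
    for label, verdict in screened_subnet().items():
        print(f"{label:22s} {verdict}")
    print("trusted exception on inner only:", with_trusted_exception(True, False))
    print("trusted exception on both:      ", with_trusted_exception(True, True))
```

Two things the model makes visible: direct Internet-to-corporate traffic is refused by the outer router before the inner one is ever consulted, which is the defence in depth the slide credits to having two routers; and a "trusted straight-through" exception added to only one router changes nothing, since the other still drops the packet, so such exceptions have to be reviewed on both devices together.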
Firewall Appliance
A firewall appliance typically sits behind the gateway (usually a router) to the untrusted network. This architecture resembles the packet filtering router and dual-homed gateway architectures in that all traffic must pass through the appliance. In most instances these appliances come pre-configured on their own box. They may also have other services built in, such as Web servers and e-mail servers. Because they usually don't need the extensive configuration that other firewalls often require, they are touted as being much simpler and faster to use. Some manufacturers market them as "plug-and-play" firewall solutions.
Firewall Appliance ..cont
For some networks, implementing more than one firewall solution may be a more effective option. For example, implement a packet filtering router at the entrance to the network for perimeter security and then configure an application gateway for a specific department or building. This type of solution would not only protect the trusted network from the outside, but would also protect a specific department or building from unauthorized users on the trusted network.
Network Configuration Examples
Protected Private Network
Semi-Militarised Zone
Private LAN stays secure
Protected Private Network
Allow all access from the private network to the Internet.
Deny all access from the Internet to the private network.
Semi-Militarised Zone
Private LAN stays secure
Advantages of a Firewall
Stop incoming calls to insecure services such as rlogin and NFS
Control access to other services
Cost effective system
Disadvantages of a Firewall
Central point of attack
Restrict legitimate use of the Internet
Bottleneck for performance
Does not protect the ‘back door’
Cannot always protect against smuggling
Cannot prevent insider attacks
Firewalls have weaknesses
Some security hackers boast there is not a single firewall that they cannot penetrate
They cannot keep out data carried inside