This document discusses network defense tools, specifically firewall basics. It provides information on different types of firewalls including: packet filtering, circuit-level gateways, stateful inspection, proxy, application-level, next-generation, software, hardware, and cloud firewalls. It describes the primary functions and characteristics of each type of firewall, such as deep packet inspection, TCP handshake verification, and application-level filtering. The document also distinguishes between firewalls and packet filters, noting that firewalls use proxies while packet filters use rules to filter network traffic.
Unit-2
Network Defense Tools
Firewall Basics
A firewall is a device used to control the flow of traffic into and out of a network. In other words, it is a security device installed between two networks: an internal network and an outside network (most often the Internet). Based on the rules defined in the firewall, data is passed from one network to the other. The primary job of a firewall is to secure the inside network from the Internet. Systems on one side of the firewall are protected from systems on the other side.

Firewall Basics
For example, consider a LAN that is a corporate or campus network and a WAN that is the Internet. If we place a firewall between the two networks, it controls the flow of all traffic between them and, based on the rules defined in the firewall, allows or denies that traffic.

Firewalls generally filter traffic based on one of two methodologies:
1. A firewall can allow any traffic except what is specified as restricted. What can be restricted depends on the type of firewall used: the source and destination addresses, and the ports.
2. A firewall can deny any traffic that does not meet specific criteria, based on the network layer at which the firewall operates.

Firewall Types
The firewall is the first destination for traffic coming into your internal network. So anything that comes into your internal network passes through the firewall, and any outgoing traffic also passes through the firewall before leaving your network. This is why a firewall that filters in this way is sometimes also called a screening router.

Firewall Types
How much protection a firewall provides depends on the firewall itself and on the policies configured on it. The following types of firewall are covered:
1. Packet-Filter Firewall
2. Circuit-Level Gateways
3. Stateful Packet-Inspection (SPI)
4. Proxy Firewall
5. Application Gateways
6. Next-Gen Firewalls
7. Software Firewall
8. Hardware Firewall
9. Cloud Firewall

Packet Filtering Firewall
As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls create a checkpoint at a traffic router or switch. The firewall performs a simple check of the data packets coming through the router, inspecting information such as the destination and origination IP addresses, packet type, port number, and other surface-level information, without opening up the packet to inspect its contents. If a packet does not pass the inspection, it is dropped. The good thing about these firewalls is that they are not very resource-intensive: they do not have a large impact on system performance and are relatively simple. However, they are also relatively easy to bypass compared to firewalls with more robust inspection capabilities.

Circuit-Level Gateways
Another simplistic firewall type, meant to quickly and easily approve or deny traffic without consuming significant computing resources. Circuit-level gateways work by verifying the transmission control protocol (TCP) handshake. This TCP handshake check is designed to make sure that the session the packet belongs to is legitimate. While extremely resource-efficient, these firewalls do not check the packet itself. So if a packet held malware but had the right TCP handshake, it would pass right through. This is why circuit-level gateways are not enough to protect your business by themselves.

Stateful Inspection Firewalls
These firewalls combine packet inspection technology and TCP handshake verification to create a level of protection greater than either of the previous two architectures could provide alone. However, these firewalls also put more strain on computing resources, which may slow down the transfer of legitimate packets compared to the other solutions.
Proxy Firewalls
Proxy firewalls operate at the application layer to filter incoming traffic between your network and the traffic source, hence the name “application-level gateway.” Rather than letting traffic connect directly, the proxy firewall first establishes a connection to the source of the traffic and inspects the incoming data packet. This check is similar to the stateful inspection firewall in that it looks at both the packet and the TCP handshake. However, proxy firewalls may also perform deep-layer packet inspection, checking the actual contents of the packet to verify that it contains no malware. Once the check is complete and the packet is approved to connect to the destination, the proxy sends it on. This creates an extra layer of separation between the “client” (the system where the packet originated) and the individual devices on your network, obscuring them to create additional anonymity and protection for your network. The drawback is that they can create significant slowdown because of the extra steps.

Application Level Firewall
These firewalls operate at the application level. In other words, they filter traffic only with regard to the application (or service) for which they are intended, for example a firewall for monitoring traffic to all the web applications your network uses.

Next-Generation Firewalls
Many of the most recently released firewall products are advertised as “next-generation” architectures. Common features of next-generation firewall architectures include deep-packet inspection (checking the actual contents of the data packet), TCP handshake checks, and surface-level packet inspection. Next-generation firewalls may include other technologies as well, such as intrusion prevention systems (IPSs) that work to automatically stop attacks against your network.
The issue is that there is no single definition of a next-generation firewall, so it is important to verify what specific capabilities such a firewall has before drawing any conclusion.

Software Firewalls
Software firewalls include any type of firewall that is installed on a local device rather than on a separate piece of hardware. The big benefit of a software firewall is that it is highly useful for creating defense in depth by isolating individual network endpoints from one another. However, maintaining individual software firewalls on different devices can be difficult and time-consuming. Furthermore, not every device on a network may be compatible with a single software firewall, which may mean having to use several different software firewalls to cover every asset.

Hardware Firewalls
Hardware firewalls use a physical appliance that acts in a manner similar to a traffic router, intercepting data packets and traffic requests before they are connected to the network's servers. Physical appliance-based firewalls like this excel at perimeter security by making sure malicious traffic from outside the network is stopped before the company's network endpoints are exposed to risk. The actual capabilities of a hardware firewall vary depending on the manufacturer; some have a more limited capacity to handle simultaneous connections than others.

Cloud Firewalls
Whenever a cloud solution is used to deliver a firewall, it can be called a cloud firewall, or firewall-as-a-service (FaaS). Cloud firewalls are considered synonymous with proxy firewalls by many, since a cloud server is often used in a proxy firewall setup. The big benefit of cloud-based firewalls is that they are very easy to scale with your organization. As your needs grow, you can add additional capacity to the cloud server to filter larger traffic loads. Cloud firewalls, like hardware firewalls, excel at perimeter security.
Firewall vs Packet Filters
A firewall is a computer connected to both a private (protected) network and a public (unprotected) network, which receives and resubmits specific kinds of network requests on behalf of network clients on either the private or the public network. Firewalls involve proxies. A proxy acts as a middle-man in a network transaction: rather than allowing a client to speak directly to a server, the proxy server receives the request from the client and then resubmits the request, on behalf of the client, to the target server. Each protocol or type of network transaction typically requires its own proxy program, and an administrator enables or installs specific proxies to determine what kinds of services will be allowed between the two networks. Firewalls are not routers or address translators. The internal network uses private address space. Neither side of the firewall knows about the address space on the other side, and neither knows how to route data to the other side of the firewall.

Firewall vs Packet Filters
A packet filter is a set of rules, applied to a stream of data packets, used to decide whether to permit or deny the forwarding of each packet. These rules usually reside on a router or in the routing layer of a computer's network protocol stack. Using a packet filter, an administrator can dictate what types of packets are allowed into or out of a network or computer. This prevents the outside network from having knowledge of the address space on the protected network. However, aside from translating the addresses of the internal network, packets are forwarded as received through the unit, and no proxies are involved. Any good firewall will also employ packet filtering. This is done to protect the firewall itself from intrusion and to isolate intruders from the internal network.

Packet Characteristics to Filter
Using packet filtering, the firewall creates rules and, based on those rules, allows or blocks incoming packets.
Most firewalls and packet filters have the ability to examine the following characteristics of network traffic:
- Type of protocol (IP, TCP, UDP, ICMP, IPsec, etc.)
- Source IP address and port
- Destination IP address and port
- ICMP message type
- TCP flags (ACK, FIN, SYN, etc.)
- Network interface on which the packet arrives

Packet Characteristics to Filter
For example, if you wanted to block incoming ping packets (ICMP echo requests) to your home network of 192.168.1.0/24, you could write something like the following rule. The important components of the rule are the action (deny), the packet attributes (ICMP protocol, specifically “ping” types), the direction of the rule (packets “from” one source “to” another), and the type of source (a network address range like 192.168.1.0/24).

    deny proto icmp type 8:0 from any to 192.168.1.0/24

Alternatively, if you wanted to allow incoming web traffic to 192.168.1.50 but deny everything else, you would create two rules. The first specifies the direction of web traffic to a specific TCP port on a specific host. The second makes sure all other traffic is denied. Those rules would look like the following:

For allow:
    allow proto tcp from any to 192.168.1.50:80
For block:
    deny proto all from any to 192.168.1.0/24

Stateless Firewalls
If the firewall does not remember information about packets that have already passed, this type of filtering is called stateless packet filtering. These firewalls are not smart enough and can be fooled very easily by hackers. They are especially dangerous for UDP data packets. The reason is that allow/deny decisions are taken on a packet-by-packet basis and are not related to previously allowed or denied packets.

Stateful Firewalls
If the firewall remembers information about previously passed packets, that type of filtering is stateful packet filtering. These can be termed smart firewalls.
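The rule syntax and the stateless versus stateful distinction above, worked through as an added example (this is not code from the original slides): a small Python filter that parses rules in the `action proto <p> [type t:c] from <src> to <dst[:port]>` form shown on the page, evaluates each packet against them in first-match order, and then wraps the same rules in a connection-tracking filter that remembers outbound flows. The first-match ordering, the assumption that outbound traffic is trusted, the extra `allow proto udp` rule used to show the UDP weakness, and all addresses (203.0.113.0/24 is a documentation range) are assumptions of this example, not statements from the page.

```python
"""Toy packet filter: parses the page's rule syntax, decides statelessly,
and adds a minimal stateful wrapper. All packets and the extra UDP rule are
constructed for illustration (203.0.113.0/24 is a documentation range)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for ICMP
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "all"
    src_net: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]
    icmp: Optional[tuple]  # (type, code) or None


def _endpoint(tok: str):
    """'any', '192.168.1.0/24' or '192.168.1.50:80' -> (network, port or None)."""
    port = None
    if ":" in tok:
        tok, p = tok.rsplit(":", 1)
        port = int(p)
    net = ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)
    return net, port


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'deny proto icmp type 8:0 from any to 192.168.1.0/24'."""
    t = line.split()
    if len(t) < 7 or t[1] != "proto":
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, i, icmp = t[0], t[2], 3, None
    if t[i] == "type":                      # optional ICMP type:code
        icmp = tuple(int(x) for x in t[i + 1].split(":"))
        i += 2
    if t[i] != "from" or t[i + 2] != "to":
        raise ValueError(f"malformed rule: {line!r}")
    src_net, src_port = _endpoint(t[i + 1])
    dst_net, dst_port = _endpoint(t[i + 3])
    return Rule(action, proto, src_net, src_port, dst_net, dst_port, icmp)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every attribute the rule names must match; unnamed attributes are wildcards."""
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src_net
            and ipaddress.ip_address(pkt.dst) in rule.dst_net
            and (rule.src_port is None or rule.src_port == pkt.sport)
            and (rule.dst_port is None or rule.dst_port == pkt.dport)
            and (rule.icmp is None or rule.icmp == (pkt.icmp_type, pkt.icmp_code)))


def stateless_decide(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet matching no rule gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


class StatefulFilter:
    """Remembers outbound flows (5-tuples) and admits only their replies inbound."""
    def __init__(self, inbound_rules):
        self.rules = inbound_rules
        self.flows = set()

    def outbound(self, pkt: Packet) -> str:
        # Assumption: traffic leaving the protected network is trusted and recorded.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        # A genuine reply reverses the tuple of a flow already seen leaving.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        return stateless_decide(self.rules, pkt)


# The three rules from the text, in first-match order.
RULES = [parse_rule(r) for r in (
    "deny proto icmp type 8:0 from any to 192.168.1.0/24",
    "allow proto tcp from any to 192.168.1.50:80",
    "deny proto all from any to 192.168.1.0/24",
)]
# A stateless filter that must let DNS replies reach clients has to open UDP
# broadly (constructed rule): this is the UDP weakness described above.
STATELESS_WITH_UDP = RULES[:2] + [parse_rule("allow proto udp from any to 192.168.1.0/24")] + RULES[2:]


def demo():
    """Decisions for constructed packets under the stateless and stateful filters."""
    ping = Packet("icmp", "203.0.113.9", "192.168.1.20", icmp_type=8)
    web = Packet("tcp", "203.0.113.9", "192.168.1.50", 51000, 80)
    ssh = Packet("tcp", "203.0.113.9", "192.168.1.50", 51000, 22)
    dns_query = Packet("udp", "192.168.1.20", "203.0.113.53", 40000, 53)
    dns_reply = Packet("udp", "203.0.113.53", "192.168.1.20", 53, 40000)
    unsolicited = Packet("udp", "203.0.113.7", "192.168.1.20", 53, 40001)  # no query preceded it
    sf = StatefulFilter(RULES)
    sf.outbound(dns_query)
    return {"ping": stateless_decide(RULES, ping),
            "web": stateless_decide(RULES, web),
            "ssh": stateless_decide(RULES, ssh),
            "stateless_reply": stateless_decide(STATELESS_WITH_UDP, dns_reply),
            "stateless_unsolicited": stateless_decide(STATELESS_WITH_UDP, unsolicited),
            "stateful_reply": sf.inbound(dns_reply),
            "stateful_unsolicited": sf.inbound(unsolicited)}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>22}: {decision}")
```

The stateless filter has no way to tell the real DNS reply from the unsolicited UDP packet, so both are admitted once the broad UDP rule exists; the stateful filter admits only the packet whose reversed 5-tuple is in its flow table and falls back to the deny-all rule for everything else.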
Stateful packet filtering is also known as dynamic packet filtering.

Network Address Translation (NAT)
Network Address Translation (NAT) is designed for IP address conservation. It is a method of connecting multiple computers to the Internet using one IP address. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private addresses in the internal network into legal addresses before packets are forwarded to another network. In the figure we see that the NAT router operates between the internal network and the public network. When traffic comes from the private network, the NAT router converts the private network IP to another IP before transferring the packet to the other network.

Network Address Translation (NAT)
In the figure below, we can easily follow the flow step by step. Here we see the firewall acting as a NAT device, converting IPs and transferring packets to the other network.

Port Forwarding
Port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are crossing a network gateway, such as a router or firewall. Port forwarding allows computers on a different network (the Internet) to connect to a specific computer or service within a private local-area network (LAN). Ports can be "opened" and "closed" in the firewall, which determines which types of traffic are allowed in or out.

TCP/IP Ports and Sockets
On a TCP/IP network every device must have an IP address. The IP address identifies the device, e.g. a computer. However, an IP address alone is not sufficient for running network applications, as a computer can run multiple applications and/or services.
Just as the IP address identifies the computer, the network port identifies the application or service running on the computer. The diagram below shows a computer-to-computer connection and identifies the IP addresses and ports. A socket is the combination of IP address + port. A connection between two computers uses a socket.

Snort: Intrusion Prevention System (IPS)
Snort is an open source network Intrusion Prevention System (IPS) and Intrusion Detection System (IDS). It can perform real-time traffic analysis and packet logging on IP networks. It also performs protocol analysis and content searching/matching. It can be used to detect a variety of attacks, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort can be configured to run in three modes:
1. Sniffer mode, which simply reads the packets off the network and displays them on the screen.
2. Packet Logger mode, which logs the packets to disk.
3. Network Intrusion Detection System (NIDS) mode, which performs detection and analysis on network traffic. The program monitors network traffic and analyzes it against a rule set defined by the user, then performs a specific action based on what has been identified.

With the growth of the Internet, managing network security has become an important task. For this purpose Snort is very useful in terms of security.
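The NAT, port-forwarding and socket (IP address + port) sections above, carried through as one added example that is not part of the original slides: a toy NAT gateway in Python that rewrites the private source socket of outbound packets to its public address, keeps a translation table so replies can be mapped back to the right inside host, and consults a static port-forward table (the "opened" ports) for unsolicited inbound connections. The public address 198.51.100.1 and the 203.0.113.0/24 peers are documentation ranges chosen here; the choice to admit a reply only from the exact remote socket the inside host contacted is an assumption of this example, since real NAT implementations differ in how strictly they match.

```python
"""Toy NAT gateway with port forwarding. Addresses are constructed
(198.51.100.0/24 and 203.0.113.0/24 are documentation ranges)."""
import itertools
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str     # source socket = src + sport
    sport: int
    dst: str     # destination socket = dst + dport
    dport: int


class NatGateway:
    def __init__(self, public_ip: str, port_forwards=None, first_port: int = 40000):
        self.public_ip = public_ip
        # (proto, public port) -> (private ip, private port): statically "opened" ports
        self.port_forwards = dict(port_forwards or {})
        # (proto, public port) -> (private ip, private port, remote ip, remote port)
        self.table = {}
        # inside 5-tuple -> public port, so an existing flow keeps its mapping
        self.by_flow = {}
        self._ports = itertools.count(first_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Replace the private source socket with the public IP and an allocated port."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = next(self._ports)
            while (pkt.proto, pub_port) in self.port_forwards:  # never reuse a forwarded port
                pub_port = next(self._ports)
            self.by_flow[flow] = pub_port
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet addressed to the public IP back inside, or drop it (None)."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is not None:
            priv_ip, priv_port, remote_ip, remote_port = entry
            # Assumption: only the remote socket the inside host talked to may answer.
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return replace(pkt, dst=priv_ip, dport=priv_port)
            return None
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:                       # static port forward ("opened" port)
            return replace(pkt, dst=fwd[0], dport=fwd[1])
        return None                               # unsolicited and not forwarded: dropped


def demo():
    """One outbound flow, its reply, a packet from another peer, and two inbound connection attempts."""
    gw = NatGateway("198.51.100.1", {("tcp", 80): ("192.168.1.50", 80)})
    out = gw.outbound(Packet("tcp", "192.168.1.20", 51515, "203.0.113.10", 443))
    reply = gw.inbound(Packet("tcp", "203.0.113.10", 443, "198.51.100.1", out.sport))
    other_peer = gw.inbound(Packet("tcp", "203.0.113.99", 443, "198.51.100.1", out.sport))
    web = gw.inbound(Packet("tcp", "203.0.113.99", 33333, "198.51.100.1", 80))
    closed = gw.inbound(Packet("tcp", "203.0.113.99", 33333, "198.51.100.1", 22))
    return {"out": out, "reply": reply, "other_peer": other_peer, "web": web, "closed": closed}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:>10}: {pkt if pkt is not None else 'dropped'}")
```

Only the gateway ever sees both address spaces: the inside host keeps using its private socket, the remote peer only ever sees the public socket, and an inbound packet that matches neither a tracked flow nor a forwarded port has no inside destination and is dropped.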