Building Your Own Firewall

Chapter 10

Learning Objectives

List and define the two categories of firewalls

Explain why desktop firewalls are used

Explain how enterprise firewalls work

Enterprise versus Desktop Firewalls

Enterprise firewall Protects entire network or a network segment Can be a separate hardware appliance or

software-only

Desktop firewall Software-only firewall intended to be installed

on one client computer on the network and provide protection only to that device

Also known as a personal firewall

Enterprise Firewall

Desktop Firewalls

Have generally replaced hardware firewalls for protection of a single deviceIntercept and inspect all data that enters or leaves the computerTraffic can generally be blocked by IP address, port address, or applicationProtects against rogue access points and worms

Desktop Firewalls

Rogue Access Point

Desktop Firewalls

Help protect network by providing additional level of security at each network deviceRecent increase in popularityPopular desktop firewalls Tiny Personal Firewall Sygate Personal Firewall ZoneAlarm

Tiny Personal Firewall

Unique for advanced security featuresBased on a technology certified by ICSAMade up of several different “engines”Includes an Intrusion Detection System (IDS) engineUses sandbox technology to create a closed environment around an application and restrict access to resources

Firewall Engine

Performs stateful packet inspectionFilters network activity based on TCP/IP protocolSupports rules that link to specific applications (Application Filter)Ensures that an application program on the computer is the real program and not a Trojan horse Creates and checks MD5 signatures (checksums) of

application programs

Tiny Personal Firewall Engine

Checksums

IDS Engine Report

Sandbox Technology

Protects resources Device drivers Registry database that contains all

configurations of the computer File system

Shields and constantly monitors application programs to protect privacy and integrity of the computer system

continued

Sandbox Technology

Protects against active content programs being used to perform: Theft of information and data Remote access via Internet Manipulation of communication Deletion of files Denial of service

Tiny Personal Firewall Sandbox

Sandbox Objects

Sygate Firewalls

Protect corporate networks and desktop systems from intrusion

Prevent malicious attackers from gaining control of corporate information network

Range in design from enterprise-based security systems to personal firewall systems Secure Enterprise Personal Firewall Pro

Sygate Secure Enterprise

Top-of-the-line product that combines protection with centralized management

Made up of Sygate Management Server (SMS) and Sygate Security Server SMS enables security managers to create a global

security policy that applies to all users and groups Subgroups can be created within the global group

Can produce detailed reports of firewall’s actions

Sygate Management Server

Sygate Personal Firewall Pro

Designed for business users but lacks centralized management features

Provides in-depth low-level tools for protecting computers from a variety of attacks

Sygate Personal Firewall Pro

Sygate Personal Firewall Pro

Blocks or allows specific services and applications instead of restricting specific TCP network ports

Fingerprinting system ensures that an application program is the real program and not a Trojan horse

Sygate Personal Firewall Pro

Sygate Personal Firewall Pro

Provides flexibility over rules that govern the firewall

Contains other features not commonly found on most desktop firewall products (eg, testing and connection)

Protects against MAC and IP spoofing

Sygate Personal Firewall Pro

ZoneAlarm Firewalls

Bi-directional; provide protection from incoming and outgoing traffic

Pop-up windows alert users to intrusion attempts

Four interlocking security services Firewall Application Control Internet Lock Zones

ZoneAlarm Firewall

ZoneAlarm Firewall

ZoneAlarm Firewall

Uses fingerprints to identify components of a program as well as the program itself Prevents malicious

code from gaining control of computer

Stops potentially malicious active content

ZoneAlarm Firewall

Application Control Allows users to decide which applications can or

cannot use the Internet

Internet Lock Blocks all Internet traffic while computer is unattended

or while Internet is not being used

Zones Monitors all activities on the computer; sends an alert

when a new application tries to access the Internet

Internet Lock Settings

Zone Security

ZoneAlarm Logging Options

Enterprise Firewalls

Still perform bulk of the work in protecting a network

First line of defense in a security management plan

Provide “perimeter security”

Allow security managers to log attacks that strike the network

Popular Enterprise Firewall Products

Linksys firewall/router

Microsoft Internet Security and Acceleration (ISA) server

Linksys

Offers a wide variety of routers, hubs, wireless access points, firewalls, and other networking hardware

Produces solid products that provide strong security and are easy to set up and use

Linksys Firewall/Router

Comes in a variety of configurations

Good solutions for connecting a group of computers to a high-speed broadband Internet connection or to a 10/100 Ethernet backbone and also support VPN

Linksys Firewall/Router

Features an advanced stateful packet inspection firewall

Does not block transmissions based on the application

Supports system traffic logging and event logging

Linksys Firewall/Router Features

Web filter

Block WAN request

Multicast pass through

IPSec pass through

PPTP pass through

Remote management

Microsoft ISA Server 2000

Enterprise firewall that integrates with Microsoft Windows 2000 operating system for policy-based security and management

Provides control over security, directory, virtual private networking (VPN), and bandwidth

Available in two product versions ISA Server Standard Edition ISA Server Enterprise Edition

Microsoft ISA Server 2000

Provides two tightly integrated modes Multilayer firewall Web cache server

Software uses a multihomed server

Firewall protection is based on rules which are processed in a certain order

Multihomed Server

Order of Processing ISA Server Rules

Incoming requests1. Packet filters

2. Web publishing rules

3. Routing rules

4. Bandwidth rules

Outgoing requests1. Bandwidth rules

2. Protocol rules

3. Site and content rules

4. Routing rules

5. Packet filters

Microsoft ISA Server Policy Elements

Schedules

Bandwidth priorities

Destination sets

Client Address sets

Content groups

Chapter Summary

Types of firewalls currently available for enterprise, small office home office (SOHO), and single computer protection

Features of these firewalls that provide the necessary protection to help keep a network or computer secure