Firewall & its Services
Navdeep Singh
What is a Firewall?
A firewall is a device or a software feature designed to control the flow of traffic into and out of a network.
A firewall interconnects networks with different levels of trust.
A firewall implements and enforces a security policy between networks.
Firewall Zones
Trusted Zone
Untrusted Zone
Demilitarized Zone (DMZ)
Firewall Zones
Trusted Zone
By default the LAN is trusted.
The trusted zone has a numerical value of 100, which means the highest level of trust.
Untrusted Zone
The untrusted zone has a numerical value of 0, which means the lowest level of trust.
A WAN port can only be mapped to an untrusted zone.
Firewall Zones
Demilitarized Zone
DMZs are less trusted zones.
The public zone is a demilitarized zone and has a trust value of 50.
Types of Firewalls
Software Based Firewalls
Run as an additional program on personal computers.
Known as personal firewalls.
Most SBFs are configured and updated automatically after installation.
Examples of SBFs are: Windows Firewall, Kaspersky Firewall, ZoneAlarm Pro Firewall.
Some open source firewalls are also available, e.g. OpenWRT, pfSense, Untangle Gateway, IPCop.
Types of Firewalls
Hardware Based Firewalls
Hardware based firewalls are the first line of defense against cyber attacks.
HBFs are more expensive than SBFs.
Traditionally HBFs were only used to carry out packet filtering.
Today HBFs have a built-in Intrusion Prevention System and Intrusion Detection System (IPS/IDPS).
When the IDPS detects malicious activity it raises an alert, drops the packet, blocks the IP address and resets the connection.
Some hardware based firewall providers are: Cisco, ProSafe, D-Link, SonicWall, Netgear.
Cisco Firewalls
Cisco Firepower 9300 (latest series: 9000 & 4100)
1.2 Tbps clustered throughput
57 million concurrent connections, with application control
500,000 new connections per second
High-end Next Generation Firewall (NGFW)
Firewall Services
The following services are provided by firewalls:
Packet Filtering
Stateful Packet Inspection
Proxying
Authentication
Logging
Content Filtering
Network Address Translation
Packet Filtering
Each incoming data packet is examined by the firewall.
The header of each packet is compared to the pre-configured set of rules.
An allow or deny decision is made based on the result.
The fields used by packet filtering rules are:
Protocol Type (TCP, IP, UDP, ICMP, ESP, etc.)
Source Address
Source Port
Destination Address
Destination Port
Packet Filtering
Packet filtering firewalls work on the Network Layer (layer 3) and Transport Layer (layer 4) of the OSI reference model.
Stateful Packet Inspection
All packets are examined and the header information is stored in a dynamic state (session) table.
The state table is used to verify that data packets belong to an already established connection.
The fields used by stateful packet inspection rules are:
Protocol Type (TCP, IP, UDP, ICMP, ESP, etc.)
Source Address
Source Port
Destination Address
Destination Port
Connection State
Stateful Packet Inspection
In the stateful packet inspection technique the firewall examines the headers of all incoming data packets from the network layer up to the application layer of the OSI reference model.
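The difference between plain packet filtering and stateful inspection, as an added illustration that is not part of the slides: a toy filter whose rules use the five header fields listed above, plus a state table that admits reply packets only for sessions the rules already allowed. The rule set and addresses (documentation ranges) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int

# Rule fields follow the slides: protocol, source address, source port,
# destination address, destination port, plus the action. "*" matches anything;
# addresses may be CIDR. Constructed sample policy: the LAN may open
# connections outward and anyone may reach the DMZ web server; else deny.
RULES = [
    ("tcp", "*", "*", "10.0.0.5", 443, "allow"),
    ("tcp", "192.168.1.0/24", "*", "*", "*", "allow"),
]

def _match(field, value):
    if field == "*":
        return True
    if isinstance(field, str) and "/" in field:
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    return field == value

def stateless_decision(pkt):
    """Plain packet filtering: first matching rule wins, default deny."""
    for proto, src, sport, dst, dport, action in RULES:
        fields = ((proto, pkt.proto), (src, pkt.src), (sport, pkt.sport),
                  (dst, pkt.dst), (dport, pkt.dport))
        if all(_match(f, v) for f, v in fields):
            return action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: packets of a known session pass on the strength
    of the state table alone, so replies need no explicit allow rule."""
    def __init__(self):
        self.state = set()   # 5-tuples of sessions already admitted

    def inspect(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "allow"           # known connection, either direction
        if stateless_decision(pkt) == "allow":
            self.state.add(forward)  # new session: record it
            return "allow"
        return "deny"                # unsolicited and not permitted by rules
```

With a stateless filter the server's reply to a LAN client would have to be allowed by a broad inbound rule; with the state table it passes only because the client opened the session first.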
Proxy Services
A proxy/application gateway acts as an intermediary between the two ends of a connection.
Each end can only communicate with the other by going through the proxy/application gateway.
The proxy/application gateway operates at the Application layer (Layer 7) of the OSI reference model.
When a client issues a request from an untrusted network, a connection is established between the client and the proxy/gateway. The proxy/gateway compares the request to its set of rules; if it finds the request valid, it sends a connection request to the destination on behalf of the client.
Proxy Services
Proxy servers also provide some other services:
Logging: proxy servers keep a log of each communication.
Content Filtering
Authentication
NAT (Network Address Translation)
NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.
NAT is mostly used to translate between public addresses and private addresses.
NAT can also be used for public-to-public address translation and private-to-private address translation.
NAT hides the IP addresses and the addressing structure of the internal network.
In NAT the actual IP address/port used in the internal network is translated to an outside IP address/outside port.
This is done by replacing the local IP address in the header of the data packet with the outside IP address.
Types of NAT
Static NAT
Static NAT performs a one-to-one translation between two addresses, or between a port on one address and a port on another address.
Types of NAT
Static NAT
Static NAT maps a block of external IP addresses to a block of internal IP addresses of the same size.
NAT can map a specific port through the firewall rather than all ports.
Static NAT allows internal clients to keep their set-up information.
Multiple ISPs can be enlisted to provide a degree of fault-tolerant access to the system. If network performance or quality degrades, connections can be swapped to another supplier.
Dynamic NAT
Dynamic NAT does not perform a one-to-one translation but instead maps a group of internal IP addresses to a pool of external IP addresses.
Dynamic NAT
These mappings can be set to expire if they are not used within a programmable period of time.
Dynamic NAT works as a firewall between the internal network and the outside network or Internet.
Dynamic NAT only allows connections that originate inside the internal domain.
A computer on an external network cannot connect to one of the internal servers unless the internal node has initiated the contact.
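The static and dynamic NAT behaviour described on the last few slides, as an added example that is not from the slides: a toy translator with a fixed one-to-one static map (always reachable from outside), a dynamic pool whose idle mappings expire, and an inbound path that drops traffic for any external address no internal host has claimed. The addresses, pool and timeout are constructed; `now` is a timestamp in seconds supplied by the caller so the expiry logic can be exercised deterministically.

```python
class Nat:
    """Toy NAT: static one-to-one mappings plus a dynamic pool with idle
    expiry. Inbound packets reach an internal host only through a static
    mapping or a dynamic mapping the host itself created."""

    def __init__(self, static, pool, idle_timeout):
        self.static = dict(static)      # internal ip -> external ip, fixed
        self.free = list(pool)          # external addresses not in use
        self.dynamic = {}               # internal ip -> (external ip, last_used)
        self.idle_timeout = idle_timeout

    def _expire(self, now):
        """Release dynamic mappings idle longer than the timeout."""
        for inside, (outside, last) in list(self.dynamic.items()):
            if now - last > self.idle_timeout:
                del self.dynamic[inside]
                self.free.append(outside)   # address goes back to the pool

    def outbound(self, src_ip, now):
        """Translate the source of a packet leaving the internal network.
        Returns the external address used, or None if the pool is exhausted."""
        if src_ip in self.static:
            return self.static[src_ip]
        self._expire(now)
        if src_ip not in self.dynamic:
            if not self.free:
                return None
            self.dynamic[src_ip] = (self.free.pop(0), now)
        outside, _ = self.dynamic[src_ip]
        self.dynamic[src_ip] = (outside, now)   # refresh the idle timer
        return outside

    def inbound(self, dst_ip, now):
        """Translate the destination of a packet arriving from outside.
        Returns the internal address, or None when the packet must be dropped."""
        for inside, outside in self.static.items():
            if outside == dst_ip:
                return inside           # static: reachable at any time
        self._expire(now)
        for inside, (outside, _) in self.dynamic.items():
            if outside == dst_ip:
                return inside           # dynamic: only while the session lives
        return None                     # nobody inside initiated this
```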
Load Sharing NAT
Load Sharing NAT (LSNAT) distributes a session load across a pool of servers.
LSNAT is most often used in embedded server farms where a single blade server is unable to handle the increasing number of clients or sessions.
Thank You