FIREWALLS. Prepared by: Hilal TORGAY, Uğurcan SOYLU


Upload: hubert-palmer

Post on 30-Dec-2015


Scope

This presentation covers:

A brief description of network firewalls

What a firewall can and cannot do

Main types of firewall architectures

Advantages and disadvantages

Performance & security analysis

Introduction

What Is a Firewall?

There is no single definition for the term firewall.

Many definitions have been used to date.

Here are some of the definitions:

“Gateway that limits access between networks in accordance with local security policy.”

“A firewall is either the program or the computer it runs on, usually an Internet gateway server, which protects the resources of one network from users from other networks.”

“A Network Firewall is a system or group of systems used to control access between two networks - a trusted network and an untrusted network - using pre-configured rules or filters.”

“In computing, a firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction.”

The term firewall was originally used for a barrier which prevents fire from spreading from one part of a structure to another. Network firewalls provide a barrier between networks that prevents or denies unwanted access.

What Do Firewalls Do?

control all communications of a network

can be configured to allow, deny or encrypt communications

can keep external users from accessing the system and also block unauthorized activities which try to access outside networks

can work with user authentication services, so the network administrators can track and control access to services by users

check internet or network activity in order to log it; the logged information is later examined by the network administrators

can separate a network into subnetworks

defend the system against various network attacks

Network Attacks

Cracking (Hack): Breaking into a computer by exploiting a common computer security flaw.

IP Spoofing: A technique in which the packet header is rewritten to carry an IP address that the host trusts.

Denial of Service Attack: Sending more traffic than the network can handle.

Complications

Traffic bottlenecks: When all network traffic passes through the firewall, it can cause traffic bottlenecks.

Single Point of Failure: Each firewall device is a single point of failure for the traffic it serves. If it fails, network communication can also fail.

User Frustration: Caused by user error. If users do not know how to use the firewall, they can get frustrated easily.

What Firewalls Cannot Do

Firewalls cannot guarantee 100% security. Even when firewalls are used together with other network security systems, success is not certain.

Threats can enter the network from inside, and firewalls cannot do anything about this situation.

Firewalls also cannot protect networks from viruses and some other harmful software or scripts.

History of Firewall

Not an old technology, but a fast-growing one.

Mid-80s: the first generation of firewalls, packet filter firewalls, was developed by Cisco’s IOS software division.

Beginning of the 90s: the second generation of firewall technology, circuit level firewalls, was implemented by AT&T Bell Laboratories. They also started to develop the third generation of firewall architecture: application layer firewalls.

Around 1991, dynamic packet filtering development started, but this product was never released.

In 1992, research on dynamic packet filtering was begun by USC’s Information Sciences Institute and was called “Visas”.

In 1994, the fourth generation firewall, which was the first commercial product, was released.

The fifth generation firewall architecture, released around 1996, was called the kernel proxy architecture. In 1997, the Cisco Centri firewall was produced.

Hardware & Software Firewalls

Software firewalls

home or small office

easy customization

e.g. ZoneAlarm

Hardware firewalls (router)

for businesses and large networks

more complex

Firewall Architecture Timeline

WINDOWS FIREWALL

Types of Firewalls

Packet Filter Firewalls

Stateful Inspection Firewalls

Application Gateways/Proxies

Circuit Level Firewalls

Packet Filter Firewalls

Filtering is done at the network layer or the transport layer of the OSI reference model.

A packet will be allowed, rejected, or dropped.

If the packet is rejected, the firewall sends a message to the sender, so the sender knows that the packet was rejected.

If the packet is dropped, the firewall simply does not respond to it. The sender must therefore wait for the communication to time out.

Because of this, dropping packets greatly increases the time it takes to scan your network.

Packet filter firewalls do not understand the application layer protocols used in the communication packets.

They work from a rule set that resides in the TCP/IP kernel. Each rule in the set specifies an action to take when a packet matches certain criteria.

There are two lists in the kernel, the permit list and the deny list. Before a network packet is routed to its destination, it must first be checked against both the permit and deny lists. That is, the packet has to be permitted in order to pass this check.
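The permit/deny check and the allow, reject and drop outcomes described above, as an added Python sketch that is not part of the original slides. The rule fields, the sample address ranges, the deny-list-first ordering and the default of dropping a packet that is on neither list are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    src_net: str              # CIDR block the source address must fall in
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None matches every destination port
    action: str = "allow"     # deny-list rules carry "reject" or "drop"

    def matches(self, p: Packet) -> bool:
        # Header fields only: the filter never looks at application data.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

# Constructed sample rule sets (documentation address ranges).
DENY = [
    Rule("203.0.113.0/24", "any", None, "drop"),   # stay silent: sender waits for timeout
    Rule("0.0.0.0/0", "tcp", 23, "reject"),        # tell the sender telnet is refused
]
PERMIT = [
    Rule("0.0.0.0/0", "tcp", 80),
    Rule("198.51.100.0/24", "tcp", 22),
]

def filter_packet(p: Packet, permit=PERMIT, deny=DENY) -> str:
    """Check a packet against both lists; return 'allow', 'reject' or 'drop'."""
    for rule in deny:          # assumption: the deny list is consulted first
        if rule.matches(p):
            return rule.action
    for rule in permit:
        if rule.matches(p):
            return "allow"
    return "drop"              # assumption: on neither list means default deny
```

A source in 203.0.113.0/24 is dropped even for port 80, because the deny list is consulted before the permit list in this sketch.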

Stateful Inspection Firewalls

Stateful packet inspection firewalls use the same packet screening technique as packet filter firewalls. In addition, they examine the packet header information from the network layer up to the application layer in order to verify that the packet is part of a legitimate connection and that the protocols are behaving as expected.

As packets pass through the firewall, the packet header information is first examined and then stored in a dynamic state table. The data in the state table is used to evaluate the following packets and verify whether they are part of the same connection.

Application Gateways/Proxies

Application layer firewalls evaluate network packets for valid data at the application layer before allowing a connection. They examine the data in all network packets at the application layer and maintain complete connection state. An application layer firewall can also validate other security items such as user passwords and service requests.

Proxy services are special-purpose services used to manage traffic such as FTP or HTTP. Proxy services can provide increased access control and detailed checks for valid data, and they can generate audit records to identify and track the traffic.

Application proxy gateway firewalls have more advantages than packet filter firewalls and stateful inspection firewalls. First, application proxy gateway firewalls have more comprehensive logging capabilities because they are able to examine the entire network packet rather than just the network addresses and ports.

Circuit Level Firewalls

Circuit level firewalls do not simply allow or disallow packets; they also determine whether the connection between both ends is valid according to configurable rules, and then they open a session and permit traffic only from the allowed source.

Every session of data exchange is validated and monitored, and if a session is not open, all traffic is disallowed.

The firewall maintains a table of valid connections, and network packets pass through when their information matches an entry in this virtual circuit table. Once a connection is terminated, its table entry is removed, which closes the virtual circuit between the two peer transport layers.
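The dynamic state table of the stateful inspection slides and the table of valid connections of the circuit level slides, shown as one added Python example that is not from the original presentation. It tracks only TCP flags for connections opened from an assumed trusted network 10.0.0.0/8; the class name, the state names and the absence of sequence-number checks are simplifications made here.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # trusted network (constructed sample)

class StateTableFirewall:
    """Tracks TCP connections opened from INSIDE in a dynamic state table."""

    def __init__(self):
        # (client_ip, client_port, server_ip, server_port) -> connection record
        self.table = {}

    def _lookup(self, src, sport, dst, dport):
        """Find the entry a packet belongs to, in either direction."""
        if (src, sport, dst, dport) in self.table:
            return (src, sport, dst, dport), True    # client -> server
        if (dst, dport, src, sport) in self.table:
            return (dst, dport, src, sport), False   # server -> client
        return None, None

    def process(self, src, sport, dst, dport, flags):
        """flags: set of TCP flag names. Returns 'allow' or 'drop'."""
        key, from_client = self._lookup(src, sport, dst, dport)
        if key is None:
            # Only a bare SYN from the trusted side may create an entry.
            if flags == {"SYN"} and ipaddress.ip_address(src) in INSIDE:
                self.table[(src, sport, dst, dport)] = {"state": "SYN_SENT", "fins": set()}
                return "allow"
            return "drop"
        conn = self.table[key]
        if "RST" in flags:                     # abort: entry removed at once
            del self.table[key]
            return "allow"
        if conn["state"] == "SYN_SENT":        # expect SYN+ACK from the server
            ok, nxt = (not from_client and flags == {"SYN", "ACK"}), "SYN_ACKED"
        elif conn["state"] == "SYN_ACKED":     # expect the client's ACK
            ok, nxt = (from_client and flags == {"ACK"}), "ESTABLISHED"
        else:                                  # ESTABLISHED: no SYN allowed
            ok, nxt = "SYN" not in flags, "ESTABLISHED"
            if ok and "FIN" in flags:
                conn["fins"].add(from_client)  # remember which side closed
            elif ok and len(conn["fins"]) == 2:
                del self.table[key]            # final ACK: connection terminated
                return "allow"
        if ok:
            conn["state"] = nxt
        return "allow" if ok else "drop"
```

Once both sides have sent FIN and the final ACK has passed, the entry is gone, so any later packet carrying the same addresses and ports is dropped like any other unsolicited packet.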

Advantages & Disadvantages

Packet Filter Firewalls

Advantages

faster than other technologies

easy implementation

can protect the internal IP addresses

Disadvantages

cannot understand application layer protocols

less secure than application layer and circuit level firewalls

do not keep session data

may change information in a packet

do not recognize the protocols such as HTTP and URL

no alert and logging tools in packet filter firewalls

Circuit Level Firewalls

Advantages

faster than application layer firewalls

can block connections

can protect the internal IP addresses

Disadvantages

cannot block TCP protocol

do not have a good log mechanism

do not recognize the protocols such as HTTP and URL

Stateful Inspection Firewalls

Advantages

A stateful packet inspection firewall is more secure than a packet filtering firewall.

Stateful packet inspection has logging and tracking facilities.

Disadvantages

There is no client and server model.

Packet screening is complex and hard to manage.

Application Gateways/Proxies

Advantages

recognize the protocols such as HTTP and URL

have an event and logging mechanism

can process and manipulate packet data

shield internal IP addresses

do not allow a direct connection between endpoints

more control over traffic passing through the firewall

applications or specific features of an application can be permitted or denied

Disadvantages

slower than packet filtering and stateful packet inspection

some protocols such as SMTP or HTTP require their own gateway proxy

require extra client configuration

high costs

Performance & Security

Security level analysis is done at the protocol layers. So the application layer firewall is more secure than the Gateways packet filter, which is more secure than the circuit level firewall. Also, the circuit level firewall is more secure than the packet filter firewall.

Conclusion

Stronger Defense:

Slower network performance

Expensive

Difficult to manage

Before Selecting a Firewall

Anyone who has a workstation that is connected to a public network or the Internet should use a firewall system. However, network administrators should consider the following before installing and using a firewall:

Performance of the firewall

Reliability of the firewall

Traffic capacity of the network and its workstations

Structure of the network

Extra administration tools