Network Security Administrator Module VII: Firewalls

Upload: faizulemizal

Post on 02-Jan-2016

Page 1: Module 07 - Firewalls

Network Security Administrator

Module VII:

Firewalls

Page 2: Module 07 - Firewalls

EC-CouncilCopyright © by EC-Council

All Rights reserved. Reproduction is strictly prohibited

Introduction

Defining Firewall Security Features

Components involved in Firewall

Handling Threats and Security Tasks

How to protect against hacking

Introduction to Packet Filtering

Limitations of Firewalls

Evaluating firewall packages

Different firewall configurations

Reverse and Specialty Firewalls

Module Objectives

Page 3: Module 07 - Firewalls


Module Flow

Introduction

Security Features

Multiple components

Handling threats and security tasks

Protection against hacking

Packet Filtering

Limitations of firewalls

Evaluating firewall packages

Different firewall configurations

Reverse firewalls

Specialty firewalls

Page 4: Module 07 - Firewalls


Firewall: Introduction

A combination of hardware and software that monitors the transmission of packets over the network

Performs two basic security functions:

• Packet filtering:

– Allows or denies the transfer of packets based on security policy rules

• Application proxy gateway:

– Provides network services to users within the firewall

Page 5: Module 07 - Firewalls


Firewalls: Security Features

Logs access (authorized/unauthorized) in and out of a network

Establishes a Virtual Private Network (VPN) link to another computer

Secures hosts within the network to prevent attacker intrusions

Filters inappropriate content such as executable mail attachments

Securing individual users:

• Provides anti-virus programs that alert users when an e-mail attachment or file containing a virus is detected

Page 6: Module 07 - Firewalls


Firewalls: Perimeter Security for Networks

A firewall resides on the outer boundary (perimeter) of a network, providing security

The network boundary is where one network connects to another

A VPN has its own perimeter firewall

Benefits:

• Blocks viruses and infected e-mail messages prior to intrusion

• Logs passing traffic and protects the entire network

• A ‘subnet’ minimizes the damage incurred from an attack

Page 7: Module 07 - Firewalls


Firewall: Multiple Components

Packet Filters:

• Control access to a network by analyzing the incoming and outgoing packets

Proxy Server:

• Intercepts all requests to the real server and tries to process the request itself

Authentication System:

• Identifies users based on usernames and passwords

Network Address Translation (NAT):

• Segregates IP addresses into two sets and enables the LAN to use them for internal and external traffic respectively

Page 8: Module 07 - Firewalls


Firewalls: Handling Threats and Security Tasks

Restricting access from outside the network:

• Inspect each packet against the authorized criteria (protocols/IP addresses/approved list)

• Packet filtering scans for network addresses and open ports

• Port scanning determines the type of service running

• netstat.exe displays the connections currently open on the system

• HTTP is one of the most commonly exploited services

• Other services include:

– SMTP: Port 25

– POP3: Port 110

Page 9: Module 07 - Firewalls


Firewalls: Handling Threats and Security Tasks

Restricting unauthorized access from inside the network:

• Prevent users from inserting virus-infected floppy disks into systems

• Prevent users from accessing computers via remote access software

• Never leak confidential information (social engineering attacks)

• Train firewall administrators to filter IP packets

• Scan e-mail messages with executable attachments

Page 10: Module 07 - Firewalls


Firewalls: Handling Threats and Security Tasks

Restricting clients’ access to external hosts:

• Installing proxy server software that makes high-level application connections on behalf of internal hosts

• A single firewall product provides outbound packet filtering and proxy services

• Application proxies prevent unauthorized access to the Internet

Page 11: Module 07 - Firewalls


Firewalls: Handling Threats and Security Tasks

Securing critical resources from:

• Worms: Intrude and replicate via e-mail attachments or downloaded files

• Viruses: Intrude into systems, consume all memory and bring the system to a halt

• Trojan Horses: Programs that contain malicious code

• Distributed Denial of Service attacks: Occur when a server is inundated with requests, causing it to shut down

Page 12: Module 07 - Firewalls


Firewalls: Protection Against Hacking

Loss of data:

• Personal and financial information must be protected against loss

Loss of time:

• Time spent recovering files, rebuilding servers and dealing with security breaches

Staff resources:

• Time taken away from regular business activities to recover data files

Confidentiality:

• Stores confidential information of users across the network

Page 13: Module 07 - Firewalls


Firewalls: Centralization and Documentation

Centralization:

• Simplifies the network administrator’s activities

• The network perimeter allows security measures

• Manages the network traffic

Documentation:

• Log files record intentional and unintentional break-ins, identifying weak points for strengthening the system

• Recognizing intruders and apprehending them for theft or damage

Page 14: Module 07 - Firewalls


Multilayer Firewall Protection

Firewalls work at different layers of the OSI model:

Application: Application-level gateway

Presentation: Encryption

Session: SOCKS proxy server

Transport: Packet filtering

Network: NAT

Data Link: N/A

Physical: N/A

Page 15: Module 07 - Firewalls


Packet Filtering

Key function of any firewall

Packet Filters:

• Valuable elements in perimeter security

• Advantage:

– Do not take up bandwidth

Packet consists of two types of information:

• Header

• Data

The packet header is what the firewall examines to decide whether to block or permit the packet

Page 16: Module 07 - Firewalls


Stateful Packet Filtering

Figure: Stateful packet filtering between an Ethernet LAN, a router and the Internet

1. Host attempts to connect to www.course.com

2. Router checks the state table and sees that no connection exists; a state entry is created and the request is passed to the rule base

3. A rule that internal hosts may access TCP/80 exists; packets are allowed to pass through

4. Packets received by the course.com Web server; SYN/ACK reply sent to the firewall

5. Packets received; state table entry referenced

6. Packets allowed to pass

State table entry: Source IP: www.course.com; Source port: 70; Destination IP: 10.0.0.6; Destination port: 1087; Transport: TCP
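The six-step flow above as a small simulation, added here as an example and not taken from the EC-Council module. It assumes an internal range of 10.0.0.0/8 and uses the constructed address 198.51.100.10 in place of www.course.com; the rule base only permits internal hosts to open TCP/80, and an inbound packet passes only when a state table entry for the reverse flow already exists.

```python
# Added example (not from the EC-Council module): a minimal stateful packet
# filter modelled on the slide's six-step flow. The internal range and the
# web server address are assumptions; 198.51.100.10 stands in for course.com.
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal hosts

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

class StatefulFilter:
    def __init__(self):
        self.state = set()   # entries: (src_ip, src_port, dst_ip, dst_port, proto)
        self.log = []

    def rule_base(self, p):
        """Static rule base: internal hosts may open TCP/80 to anywhere."""
        return (ipaddress.ip_address(p.src_ip) in INTERNAL
                and p.proto == "TCP" and p.dst_port == 80)

    def inspect(self, p):
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if fwd in self.state or rev in self.state:
            self.log.append(f"state hit {fwd}")
            return True            # steps 5-6: known flow, no rule lookup needed
        if self.rule_base(p):      # steps 2-3: no entry, consult the rule base
            self.state.add(fwd)    # remember the outbound flow
            return True
        self.log.append(f"dropped {fwd}")
        return False               # unsolicited inbound or disallowed outbound

def demo():
    fw = StatefulFilter()
    out = fw.inspect(Packet("10.0.0.6", 1087, "198.51.100.10", 80))      # step 1-3
    back = fw.inspect(Packet("198.51.100.10", 80, "10.0.0.6", 1087))     # SYN/ACK, step 4-6
    unsolicited = fw.inspect(Packet("198.51.100.10", 80, "10.0.0.6", 2000))  # no entry
    other = fw.inspect(Packet("10.0.0.6", 1088, "198.51.100.10", 23))    # not TCP/80
    return out, back, unsolicited, other
```

The third packet shows why the state table matters: it looks like a legitimate reply from the web server, but no internal host ever opened that connection, so it is dropped.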

Page 17: Module 07 - Firewalls


Screening Router

Placed between the client computer and the Internet to perform packet filtering

Two interfaces:

• External

• Internal

ACL (access control list) specifies the rules applied to block packet flow

Stateful Packet-Filtering:

• Only if a secured router sends data outbound can it receive data inbound

Page 18: Module 07 - Firewalls


Screening Router

Figure: Screening router. Internal hosts 192.168.2.2, 192.168.2.3, 192.168.2.4, 192.168.2.5 and 192.168.2.6 sit behind the router’s internal interface (192.168.2.1/24); the external interface (192.168.1.200/24) faces the Internet. The router is set to route only to 192.168.2.2 through 192.168.2.5, so traffic from the Internet cannot reach hosts outside that range.

Page 19: Module 07 - Firewalls


Dual-Homed Host

A PC connecting to the Internet that has two NICs and is secured by a firewall

By default it disables packet forwarding between the two networks

Limitations:

• Passwords can be cracked

• Single protection layer

Page 20: Module 07 - Firewalls


Types of Firewall Configurations

Configuration: Description

Screening router: Packet filtering router located between the client computer and the Internet

Dual-homed host: Client computer which is the firewall for the Internet host

Screened host: Host computer with a firewall that is dedicated to security functions

Two routers with one firewall: Routers that perform packet filtering and are located on the internal and external interfaces of the firewall

DMZ screened subnet: Network of public access servers that is external to the secured internal network

Multi-firewall DMZ: DMZ with added security from two firewalls

Reverse firewalls: Firewalls that inspect outgoing traffic, not incoming traffic

Specialty firewalls: Firewalls that specifically secure certain communications such as e-mail

Page 21: Module 07 - Firewalls


Screened Host

Also known as a dual-homed gateway or bastion host

Requires two network interfaces

Resides on the perimeter of the network

A router that performs packet filtering is placed between the screened host and the Internet

Differs from plain bastion hosts and dual-homed hosts in offering stronger security services

Page 22: Module 07 - Firewalls


Screened Host

Figure: Screened host with an application gateway between the LAN and the Internet router

1. Host makes a request to connect to the Internet

2. The firewall, equipped with proxy server software, functions in place of the host and makes the request

3. The proxy server connects to the Internet

Page 23: Module 07 - Firewalls


Two Routers With One Firewall

Routers are located on both sides of the screened host

• Packet filtering is performed by the external router:

– Initial

– Static

• Internal router:

– Routes traffic to computers in the secured LANs

– Performs stateful packet filtering

Page 24: Module 07 - Firewalls


Two Routers With One Firewall

Figure: Two routers with one firewall. Internet -> external router (IP address 192.168.1.2/44) -> firewall -> internal router/LAN gateway (IP address 10.1.1.1/44) -> WWW server 10.1.1.43, e-mail server 10.1.1.29, FTP server 10.1.1.33

Page 25: Module 07 - Firewalls


DMZ Screened Subnet

A network exposed to the external network but partially secured with a firewall

Service network or perimeter network:

• Subnet in the DMZ that is attached to a firewall

A three-pronged firewall is the firewall in a DMZ that connects to three distinct networks:

• External network

• DMZ screened subnet

• LAN

Page 26: Module 07 - Firewalls


DMZ Screened Subnet

Figure: DMZ screened subnet. Internet -> router (IP address 192.168.1.2/44) -> firewall -> router/LAN gateway (IP address 10.1.1.1/44). Firewall interface addresses shown: 172.30.1.1/44 and 192.168.2.1/44. DMZ servers: e-mail server 192.168.2.29, WWW server 192.168.2.43, FTP server 192.168.2.33
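A policy for the three-pronged firewall described above, added here as an example and not part of the EC-Council module. The LAN (10.1.1.0/24) and DMZ (192.168.2.0/24) ranges and the per-server service list are assumptions modelled on the diagram; the point is that each zone pair gets its own rule and everything not listed is denied.

```python
# Added example (not from the EC-Council module): zone policy for a
# three-pronged firewall with external, DMZ screened subnet and LAN legs.
# Address ranges and the DMZ service list are assumptions based on the figure.
import ipaddress

LAN = ipaddress.ip_network("10.1.1.0/24")        # assumed internal LAN
DMZ = ipaddress.ip_network("192.168.2.0/24")     # assumed screened subnet
# Published DMZ services: (host, proto, port) that outside clients may reach.
DMZ_SERVICES = {
    ("192.168.2.43", "TCP", 80),   # WWW server
    ("192.168.2.29", "TCP", 25),   # e-mail server (SMTP)
    ("192.168.2.33", "TCP", 21),   # FTP server (control channel)
}

def zone_of(ip):
    """Map an address to the firewall leg it arrives on or leaves by."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "external"

def decide(src_ip, dst_ip, proto, dst_port):
    """Return 'allow' or 'deny' for a new connection between two zones."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "lan":
        return "allow"                 # LAN may reach DMZ servers and the Internet
    if src == "external" and dst == "dmz":
        if (dst_ip, proto, dst_port) in DMZ_SERVICES:
            return "allow"             # only the published services
        return "deny"                  # unpublished ports on DMZ hosts stay closed
    if src == "dmz" and dst == "lan":
        return "deny"                  # a compromised DMZ host must not reach the LAN
    if src == "dmz" and dst == "external":
        return "allow"                 # e.g. the mail server relaying outbound
    return "deny"                      # default deny, covers external -> LAN

def demo():
    return [
        decide("203.0.113.5", "192.168.2.43", "TCP", 80),   # public web: allow
        decide("203.0.113.5", "192.168.2.43", "TCP", 22),   # unpublished port: deny
        decide("203.0.113.5", "10.1.1.20", "TCP", 80),      # external -> LAN: deny
        decide("10.1.1.20", "192.168.2.29", "TCP", 25),     # LAN -> DMZ mail: allow
        decide("192.168.2.43", "10.1.1.20", "TCP", 445),    # DMZ -> LAN: deny
    ]
```

The DMZ-to-LAN denial is the rule that makes the screened subnet worth having: the public servers stay reachable, but a breach of one of them does not give a path into the internal network.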

Page 27: Module 07 - Firewalls


Multi-firewall DMZ

Additional firewalls increase the security of an organization’s network

Performance decreases as security increases

Two or more firewalls enhance security in configurations with:

• Internal network

• One DMZ

• Two DMZs

Page 28: Module 07 - Firewalls


Multiple-Firewalls DMZs: Two Firewalls, One DMZ

Two firewalls set up a three-pronged (tri-homed) firewall:

• Internal protected network (behind the DMZ)

• External private network or service network (within the DMZ)

• External network (outside the DMZ)

Advantage:

• Controls traffic in three networks

Page 29: Module 07 - Firewalls


Multiple-Firewalls DMZs: Two Firewalls, One DMZ

Figure: Two firewalls, one DMZ. Internet (external network) -> router -> firewall -> DMZ (e-mail server, WWW server, FTP server) -> firewall -> router/LAN gateway -> internal network (Active Directory)

Page 30: Module 07 - Firewalls


Multiple-firewall DMZs: Two Firewalls, Two DMZs

Different parts of an organization can employ different DMZs to balance the traffic load

A tunnel server grants off-site access to the tunneling client without granting access to other servers in the internal LAN

Stateful failover firewall:

• A second firewall used in case the first firewall fails

Page 31: Module 07 - Firewalls


Multiple-firewall DMZs: Two Firewalls, Two DMZs

Figure: Two firewalls, two DMZs. Internet (with a tunneling client) -> router -> firewall and failover firewall -> first DMZ (hub with e-mail server, WWW server, FTP server) and second DMZ (hub with tunnel server) -> router/LAN gateway -> internal network (Accounting)

Page 32: Module 07 - Firewalls


Specialty Firewalls and Reverse Firewalls

Specialty Firewalls:

• Designed to secure specific network communication

• Monitor and restrict specific traffic flowing through the network

• Examples:

– OpenReach consists of a packet-filtering firewall for its VPN

– VOISS Proxy firewall

– Speedware Corporation’s Autobahn Application Firewall

Reverse Firewalls:

• A device that inspects the outgoing traffic from the network

• Does not block the traffic

• Identifies DDoS (Distributed Denial of Service) attacks

Page 33: Module 07 - Firewalls


Summary

A firewall is hardware/software that monitors the transmission of packets passing through the perimeter of a network

It resides on the perimeter of a network, restricting unauthorized access

Several components exist that enable protection against hacking

It operates at various layers of the OSI model

It monitors and limits specific traffic flowing through the network