5-Firewalls-v1.1.pptx

Full Transcript

Firewalls
DR ADNAN HAIDER
Firewall

 A firewall is a network security system that monitors and takes actions
on the ingoing or outgoing packets based on the defined rules.
 It can be a hardware device or software.
Zones

 A zone is a logical area in which the devices having the same trust
levels reside.
 After creating a zone, an interface is assigned to a zone.
 By default, traffic is not allowed from one zone to another.
 Some common Zone names:
 Inside
 Outside
 DMZ (Demilitarized Zone - public zone)
DMZ

 It is a physical or logical subnetwork that contains and exposes an
organization's external-facing services to an untrusted, usually larger,
network such as the Internet
Security Levels

 Security Level number defines the trustiness of an interface/zone.
 Traffic from higher to lower security level interface/zone is allowed.
 Traffic from lower to higher security level interface/zone is Denyied.
 Security Level defaults (Cisco ASA firewall)
 Outside: 0
 Inside: 100
 DMZ: 50 (commonly used value)
Filtering Types

 Stateless
 Statefull
Stateless Firewall

 Treat each packet in isolation
 Has no memory of previous packets
 For each packet, check firewall rules again
 Easy to implement
 Very efficient
 Issue: Can not easily handle protocols that use random ports
 Example: FTP, SIP, etc.
Statefull Firewall

 Maintain tables containing Active connections
 IP addresses
 Ports
 Sequence numbers
 Using these tables, stateful firewalls can allow only inbound TCP
packets that are in response to the internal network initiated
connections
 Where to Place

 Firewalls generally control traffic between:
 External networks (the Internet) and your internal networks.
 External networks (the Internet) and DMZ (demilitarized zone) networks.
 Between internal networks (including DMZs).

https://www.cisco.com/c/en/us/solutions/small-business/resource-center/security/how-to-setup-a-firewall.html#~configuration-guide
ACL

 Firewalls allow us to
 apply ACL to specific interfaces
 Apply ACL on specific direction of traffic.
 Inbound traffic
 Outbound traffic
 Zone based Firewalls support applying ACL between zones
FIREWALL POLICIES: APPROACHES

 Blacklist approach (default-allow)
 All packets are allowed except those that satisfy rules defined specifically in a
blacklist
 Pros: Flexible in ensuring that service to the internal network is not disrupted by the
firewall
 Cons: Unexpected forms of malicious traffic could go through
 Whitelist approach (default-deny)
 Packets are dropped or rejected unless they are specifically allowed by the firewall
 Pros: A safer approach to defining a firewall rule-set
 Cons: Must consider all possible legitimate traffic in rule-sets
FIREWALL POLICIES: Actions

 Allow
 Deny
 Logs
 bypass
Firewall Types

 Software based
 Hardware based
Firewall Types based on Protocol
Level

 Network level
 Source/Destination IP address/L4 protocol
 Transport level
 Source/Destination Port number, Flags (SYN, ACK)
 Application level
 Inspect contents of packets
Firewall Types

Types of firewalls based on their traffic filtering methods, structure, and
functionality
 operates at the network layer
Packet-filtering firewalls
 Statefull inspection firewall
 Application-level gateways
 Circuit-level gateways
 NGFW
 ZBFW
Firewall Types

Types of firewalls based on their traffic filtering methods, structure, and
functionality
 Packet-filtering
 Statefull Inspection Firewall
 Application-level gateways  Additionally, records information about TCP connections.
 Circuit-level gateways  May also keep track of TCP sequence numbers to
prevent attacks that depend on the sequence number,
 NGFW such as session hijacking.
 ZBFW  Might even inspect limited amounts of application data
for some well-known protocols like FTP and SIP
commands, in order to identify and track related
connections.
Firewall Types

Types of firewalls based on their traffic filtering methods, structure, and
functionality
 Packet-filtering
 Statefull Inspection Firewall
  Also known as a Proxy Server – URL filters, HTTP proxies,
Application-level gateways
 Circuit-level gateways etc.
 ALG Is a security device/software that protects
 NGFW
application servers by acting as a proxy and
 ZBFW blocking malicious traffic
 Recognize application-specific commands and offering
granular security controls over them
 It uses Deep Packet Inspection to detect and block
attacks before initiating an application session or
Firewall Types

Types of firewalls based on their traffic filtering methods, structure, and
functionality
 Packet-filtering
 Statefull Inspection Firewall
 Application-level gateways  Relay TCP connections.
  Verifies TCP handshakes
Circuit-level gateways
 Should be used with other firewall technologies
 NGFW
 ZBFW
Firewall Types

Types of firewalls based on their traffic filtering methods, structure, and
functionality
 Packet-filtering
 Statefull Inspection Firewall
 Application-level gateways
 Circuit-level gateways
 NGFW  Next Generation Firewall
 merges the traditional filtering function of a firewall with additional
 ZBFW
network security features.
 Additional network security features includes deep packet inspection
(DPI), IDS/IPS, antivirus, anti-spam, application control, etc.
Firewall Types

Types of firewalls based on their traffic filtering methods, structure, and
functionality
 Packet-filtering
 Statefull Inspection Firewall
 Application-level gateways
 Circuit-level gateways
 NGFW  Zone-based Firewall
 Divide the networks into zones and sit in between (connect between them)
 ZBFW  Applies policies between zones.
SSL Inspection
Firewall Functions

Most common firewall functions:
 Filtering traffics
 DHCP server
 NATing
 VPN
Questions

 List all Firewall types based on state knowledge, and explain each one?
 What does we mean by ZBFW?
 list all popular zones?
 what do we use DMZ for?
 Explain the difference between stateless and stateful firewall?
 Write the ACL entries to allow someone to browse web sites for both
stateless and stateful ACL?
 Where do you apply policies?
 what are the functions that can be configured on a firewall?
 What do we mean by WAF?
Questions

 What does we mean by NGFW?
 What type of Firewall technologies (Packet filtering, Stateful inspection or ALG)
doesn't allow the user to connect directly to the server?
 Can ALG perform SPAM filtering?
 Define default allowed and denied traffics in a firewall that is using security level
zone labeling feature?
 Which type of firewalls can contain URL filtering?
 Can we inspect https web content? How?
 What do we mean by URL filtering?
 Which security features of NGFW require continuous update?
 Can firewalls support time/date as an ACL entries?