Uploaded by ProdigiousQuantum
2021
JTO Phase-II IT Firewall

4 FIREWALL CONCEPT AND CONFIGURATION OF FIREWALL

4.1 OBJECTIVES

After completion of this module you will be able to know:
What is Firewall
Basics of Firewall
How Firewall Works
What is UTM Firewall
Configuration of Firewall

4.2 FIREWALL INTRODUCTION

All those who have Windows XP/Vista/7 installed on their machine would have seen the adjoining icon. This is the icon of FIREWALL. We all hear this term quite often, but what actually is a firewall? Is it hardware or software? Do we need it on a personal computer/laptop, or is it only needed in organizations? Is it different from anti-virus? So let us have a closer and deeper look at this very essential thing.

BUSTING THE MYTHS

First of all we need to have an open mind and clear certain myths we have regarding firewalls.

Myth 1: Firewall is software
Answer: No, it can be software as well as hardware. In large business organizations the functionality is met by hardware and software firewalls. But in small-scale organizations or on personal computers/laptops, software solves the functionality.

Myth 2: Personal computers/laptops don't need a firewall
Answer: If you are connected to a network, be it local or the internet, then you definitely need a firewall. What the need of the firewall is will be discussed later.

Myth 3: Antivirus and firewall are the same
Answer: The answer is a BIG NO. They are entirely different things. A firewall is for protection from threats from the network, whereas anti-virus works against viruses on the local machine where it is installed, by scanning everything which is installed or running. But these days a firewall is integrated inside antivirus (these days antivirus provides real-time scanning which serves the purpose of a firewall as well), so having a separate firewall on a personal computer/laptop is optional. But in organizations they are quite essential. We will explore it further later.
4.3 BASICS

Before taking a leap into the world of firewalls, we need to have a little knowledge about networks.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 42 of 167 For Restricted Circulation

Whenever a person clicks on a link or a website, he or she asks the server associated with the website to send the data to his or her computer. In an organization there is a router whose task is directing traffic. In simple terms, whenever a computer asks for resources from a network, the router looks at the address and sends the needed data. The data might come from the internet or from the local network of the organization. If data/resources are needed from the internet, the request goes to a modem (modulator-demodulator). For the sake of simplicity, just consider that a modem is a device needed to transmit and receive digital data easily. This modem then connects to the internet or any other network (which is not local to the system), fetches the data needed and sends it back. It should be noted that we have assumed that data is needed by the system; it might be the case that data is sent by the system, for example an attachment in a mail or an uploaded file.

We also need to understand one more thing: how does the router/modem know where data should be fetched from or sent to? There needs to be some kind of address, and that is defined by the IP address and port number. The IP address is the address of the machine on the internet; this means all machines connected to the internet have an IP address which is their address. A server has a static address. The port number is a 16-bit binary number (hence the range is 0-65535) and is part of the addressing information. Ports are a type of door, and they are divided into:

Well Known Ports (0-1024; for example 20 for FTP data, 80 for HTTP)
Registered Ports (1024-49151; can be used for proprietary server processes or client processes)
Dynamic Ports/Ephemeral Ports (49152-65535; can be used frequently, are used by clients temporarily)

So consider an example: if a machine is running an FTP server then most probably it will be on port 20. So if any client wants to connect to it then it will do so at a specific IP address and on a port.

So now that we have learnt how a connection is established and how data is sent to or fetched from a network, we can understand the concept of a firewall. A firewall is a hardware device or software that lies between a computer and a network, and its task is to analyze the data entering and exiting the network based on its configuration (the set of rules defined to the firewall). A firewall acts as a barrier between the computer and the Big Bad World.

4.4 ANALOGY

In simpler terms, consider that internet ports are doors, just like the doors to houses, and the data needed is present in a house. So now we can say that there are 65535 doors in the world of the internet. Suppose a user wants to download a song, say iloveu.mp3. A website has a link which says that the song is present at this link. The link is just like a signboard on a road telling the direction of the house we are looking for.

Now when a user clicks on a link, it means he knocks on the door of the house. A user doesn't know what is behind the door. It might be the house of iloveu.mp3 or it might be the house of a virus with the nameplate of iloveu.mp3. So the firewall's job is to check the rules defined and see if data from that house/door is permitted to enter the system or not. If it is not permitted, then the firewall's job is to block the door; that is, it will lock the door to that link and will not allow the process.
This is just one of the tasks performed by a firewall. In business organizations a firewall is not only used to prevent intrusions by a hacker/virus/malware but also to restrict the members of the organization from accessing unwanted websites. For example, if I want that people of my company should not be able to use torrents (obviously because it will burden the network) or Facebook (nobody pays for doing Facebook), then I will define certain rules in the firewall which will prevent the users from accessing the restricted sites.

4.5 WHAT HAPPENS BEHIND THE SCENES?

Now we understand what the role of a firewall is, but how does it work? So let us find the missing piece. Firewalls use one or more of three methods to control traffic flowing in and out of the network:

Packet Filtering: Whenever data is sent through the internet, it is first broken into small chunks known as packets, and then these packets are sent. Every packet has a header which contains the information associated with the packet, e.g. its source and destination. In a firewall (whether hardware or software) the super-user defines some rules/guidelines which should be followed. So whenever a packet enters or leaves, the filter checks whether it meets the rules defined. If it does, the packet passes; otherwise it is denied permission.

Proxy Service: One can think of this as an intermediate stage between the network and the computer. Proxies are specialized applications or programs (servers) which run on the firewall. They disallow a direct connection between the internet/network and a computer. These programs take the user's requests for services (services might be downloading, sending mail, etc.) and forward them to the actual server which connects to the internet. They forward the request only if it meets the rules and regulations defined to the firewall. So we can say they act as a Gateway to services.
It should be noted that proxies are different from filters because they provide an additional layer which forwards the request to the actual server, whereas a filter checks the packets received or sent, and not the request.

Stateful Inspection: The two methods described above are being replaced by this method, which increases protection and also reduces the overhead. It doesn't examine the content of each packet (because that consumes time, and also header information can't always be the basis for verification) but compares certain important integral parts of the packet to a database of trusted information. Whenever a request is made, either for sending or receiving, the information associated with the request is monitored. So when the incoming information arrives, its characteristics are compared with the information associated with the request. If it matches, it is allowed; otherwise it is disallowed.

Application Gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

Circuit-level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

BUT... So simply we can say that a firewall prevents users of an organization from accessing a few websites (torrents, social networking, etc.) and keeps anonymous users away from the resources/data associated with a system connected to a network; but we still need ANTIVIRUS because at times a virus may enter as an attachment from email, which might be a trusted source. So be safe and keep safe...

4.6 WHAT ARE IDS?

An IDS is an Intrusion Detection System. An Intrusion Detection System sends alarms due to unexpected behaviors of network traffic and standard protocol behavior.
A change in the behavior of a given protocol activates an alarm and an action is taken by the IDS. As an example, the arrival of a packet with the FIN flag set from a source IP that does not have an initiated connection could cause an alarm, as a consequence of unexpected behavior of the TCP protocol; the IDS also has the capacity to recognize certain types of attacks by analyzing the traffic and comparing it with the different attack types that are stored in a database. Now that we have an idea about what an IDS is, I will explain how the Netscreen 5xp Elite firewall can help us in an easy and short manner, because it is a firewall and also has basic IDS characteristics.

4.7 NEXT GENERATION FIREWALL (NGFW)

Firewalls called next generation firewalls (NGFW) work by filtering network and Internet traffic based upon the applications or traffic types using specific ports. Next Generation Firewalls (NGFWs) blend the features of a standard firewall with quality of service (QoS) functionalities in order to provide smarter and deeper inspection.

4.8 UNIFIED THREAT MANAGEMENT (UTM)

Unified threat management (UTM) or unified security management (USM) is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system.

Features of UTM Firewall
network firewalling
network intrusion detection/prevention (IDS/IPS)
gateway antivirus (AV)
gateway anti-spam
VPN
content filtering
load balancing
data loss prevention
Hot Spot Management
logging and reporting

4.9 HOW THE COMPANY WORKS AND HOW THE PROBLEM BEGAN

The "Developer" company has as its primary function to develop computer programs for educational purposes. They advertise their developed applications through the Internet using their own web server; their communication to the Internet is through a 1Mb link.
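To make the stateful inspection of 4.5 and the IDS alarm of 4.6 concrete, here is an added Python example (my own illustration, not code from this module or from any Netscreen product). It keeps the "database of trusted information" as a table of flows opened from the inside, lets packets through only when they belong to a flow in that table, denies everything else under the implicit policy, and raises an alarm when a FIN or RST arrives for a flow that was never opened. The packet records, the 192.168.1.x LAN prefix and the 203.0.113.5 external host are constructed for the example.

```python
"""Stateful packet filter with a basic IDS check (constructed example)."""
from dataclasses import dataclass

# Assumed private LAN prefix for the example.
INTERNAL_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at; the payload is deliberately not inspected."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # e.g. {"SYN"} or {"FIN", "ACK"}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFirewall:
    def __init__(self):
        self.connections = set()   # the "database of trusted information": flows the inside opened
        self.alerts = []           # IDS alarms raised on protocol anomalies

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        known = fwd in self.connections or rev in self.connections
        closing = pkt.proto == "tcp" and bool({"FIN", "RST"} & pkt.flags)

        # IDS: a FIN or RST for a flow nobody opened is unexpected TCP behaviour.
        if closing and not known:
            self.alerts.append(
                f"FIN/RST from {pkt.src_ip}:{pkt.src_port} with no initiated connection")
            return "DROP"

        # Stateful part: traffic belonging to a known flow is allowed in either direction,
        # and the table entry is removed once the flow is closed.
        if known:
            if closing:
                self.connections.discard(fwd)
                self.connections.discard(rev)
            return "ALLOW"

        # New flow: only the inside may open one, and only with a plain SYN.
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip) and pkt.flags == {"SYN"}:
            self.connections.add(fwd)
            return "ALLOW"

        # Implicit policy: whatever is not expressly authorised is prohibited.
        return "DROP"


def demo():
    """A constructed trace: one LAN host (192.168.1.20) talking to an Internet host (203.0.113.5)."""
    fw = StatefulFirewall()
    inside, outside = "192.168.1.20", "203.0.113.5"
    trace = [
        Packet(inside, 51000, outside, 80, flags=frozenset({"SYN"})),           # LAN opens HTTP
        Packet(outside, 80, inside, 51000, flags=frozenset({"SYN", "ACK"})),    # reply to that flow
        Packet(outside, 4444, inside, 445, flags=frozenset({"SYN"})),           # unsolicited inbound
        Packet(outside, 9999, inside, 51001, flags=frozenset({"FIN", "ACK"})),  # FIN with no connection
        Packet(outside, 80, inside, 51000, flags=frozenset({"FIN", "ACK"})),    # legitimate close
    ]
    return [fw.inspect(p) for p in trace], fw


if __name__ == "__main__":
    decisions, fw = demo()
    print(decisions)       # ['ALLOW', 'ALLOW', 'DROP', 'DROP', 'ALLOW']
    print(fw.alerts)
```

The table is keyed on the 5-tuple only; a production firewall additionally tracks sequence numbers and ages entries out on a timer, which is what keeps the "reduces the overhead" claim true for long-running traffic.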
The company has public IPs for their 3 servers and the 20 workers that develop the educational software. This company never took the security of its data into consideration until they started to notice strange activities on their servers and desktop computers. The first thing that we have to do is plan a proposal to start securing the company network, so I chose to cover the proposal in 3 steps.

Figure 22: Company Network Unsecured

1st Change of IPs to private type

It is important to hide the private network of the company, servers and desktop computers, to avoid their complete access from the Internet. In the first instance, our data such as our fileserver will only be accessed by the company personnel integrated into the same LAN. We also have to publish our web and mail servers with just ports 80, 110, 443 and 25 open, and on our servers we have to check if there are some other ports opened by a default installation.

2nd Firewall Installation

For the firewall installation we will take the following into consideration; first, it will be placed physically between the ISP router and the internal switch of the company. This will have NAT services configured to prevent external users from directly accessing the internal computers, and will secure the firewall with an implicit policy which establishes that all that is not expressly authorized is prohibited. So if we do not define a policy of access from the exterior to the interior, no packet will be allowed to enter our internal network. However, we have to establish a policy to publish our web services and mail services. It is also necessary for the traffic that travels from the interior to the exterior of the company to be restricted to only the strictly necessary services. By doing this, we will avoid the use of programs that can expose our internal network.
This rule will deny the use of messaging programs, transfer of files with peer-to-peer programs, use of IRC programs, etc. This will only allow the use of HTTP, mail, DNS and FTP. It is important to notice that by allowing only the strictly necessary services we will avoid a decrease in productivity.

3rd Services Publication

The only configured services published will be the web server, which means that the only services published are the web and mail. Having our server with a private IP, we will need to configure the mapping of the public IP to the private IP on the untrust interface of the firewall so that it can redirect all the HTTP and mail requests to the private IP of our server.

Figure 23: Company Secured Network

4.10 SUMMARY

It is important to hide the private network of the company, servers and desktop computers, to avoid their complete access from the internet. In the first instance, our data such as our fileserver will only be accessed by the company personnel integrated into the same LAN.
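The three steps of 4.9 as one added Python example (my own model, not the module's configuration and not Netscreen syntax): workers and servers sit on a private network in the trust zone, the firewall's untrust interface holds a public address that is mapped to the private web/mail server, outbound policy permits only HTTP, HTTPS, mail, DNS and FTP, inbound policy permits only the published ports on that one server, and anything not matched falls to the implicit deny. All addresses, the zone names and the exact port set are assumptions; the example models the public-to-private mapping as happening before the policy lookup.

```python
"""Zone-based policy with a static public-to-private mapping (constructed example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed addressing for the example (not the company's real addresses).
TRUST_NET = ipaddress.ip_network("192.168.10.0/24")   # workers and servers after step 1
PUBLIC_SERVER_IP = "198.51.100.10"                    # public address on the untrust interface
PRIVATE_SERVER_IP = "192.168.10.5"                    # web + mail server's private address

# Step 3: static mapping of the public IP to the private IP (assumed to be applied
# before the policy lookup, so policies are written against the private address).
MAPPED_IP = {PUBLIC_SERVER_IP: PRIVATE_SERVER_IP}


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    proto: str
    dst_ports: frozenset
    action: str
    dst_ip: Optional[str] = None   # None means any host in to_zone


# Step 2: outbound limited to the strictly necessary services; step 3: publish web and mail.
# Port choices are assumptions: HTTP 80, HTTPS 443, SMTP 25, POP3 110, FTP control 21, DNS 53.
POLICIES = [
    Policy("trust", "untrust", "tcp", frozenset({80, 443, 25, 110, 21}), "permit"),
    Policy("trust", "untrust", "udp", frozenset({53}), "permit"),
    Policy("untrust", "trust", "tcp", frozenset({80, 443, 25, 110}), "permit", PRIVATE_SERVER_IP),
]


def zone_of(ip: str) -> str:
    return "trust" if ipaddress.ip_address(ip) in TRUST_NET else "untrust"


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (action, real destination). Implicit policy: what is not permitted is denied."""
    real_dst = MAPPED_IP.get(dst_ip, dst_ip)          # translate the published address first
    src_zone, dst_zone = zone_of(src_ip), zone_of(real_dst)
    for p in POLICIES:                                # first matching policy wins
        if (p.from_zone, p.to_zone, p.proto) != (src_zone, dst_zone, proto):
            continue
        if p.dst_ip is not None and p.dst_ip != real_dst:
            continue
        if dst_port in p.dst_ports:
            return p.action, real_dst
    return "deny", real_dst


def demo():
    """Constructed packets: 203.0.113.x stand for arbitrary Internet hosts."""
    return {
        "internet -> published web":        decide("203.0.113.7", PUBLIC_SERVER_IP, "tcp", 80),
        "internet -> published smtp":       decide("203.0.113.7", PUBLIC_SERVER_IP, "tcp", 25),
        "internet -> server, other port":   decide("203.0.113.7", PUBLIC_SERVER_IP, "tcp", 22),
        "internet -> workstation":          decide("203.0.113.7", "192.168.10.20", "tcp", 445),
        "worker -> https":                  decide("192.168.10.20", "203.0.113.50", "tcp", 443),
        "worker -> dns":                    decide("192.168.10.20", "203.0.113.53", "udp", 53),
        "worker -> peer-to-peer":           decide("192.168.10.20", "203.0.113.60", "tcp", 6881),
    }


if __name__ == "__main__":
    for name, (action, dst) in demo().items():
        print(f"{name:32} {action:6} (to {dst})")
```

Traffic between two trust-zone hosts, such as a worker reaching the fileserver, is switched inside the LAN and never reaches the firewall, so it is deliberately absent from the demo; the policy table only describes what crosses the trust/untrust boundary.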