8/3/2019 Firewall Types and Conf
Firewalls & Intrusion Detection Systems
Communications, Networking & Computer Security
Himanshu Sharma
http://ethicalhackingtutorials1.blogspot.com/
Outline
Firewall
  Definition
  Types
  Configuration
  Lab Exercise (Kerio Personal Firewall)
IDS
  Definition
  Operation
  Lab Exercises
Firewall: What is a Firewall?
A firewall is any device used to prevent outsiders from gaining access to your network.
It checks each packet against a list of rules to permit or deny its transmission.
Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses. They filter all traffic between a protected (inside) network and a less trustworthy (outside) network.
Firewall: Composition
Firewalls can be composed of software, hardware, or, most commonly, both.
The software components can be proprietary, shareware, or freeware.
The hardware is typically any hardware that supports the firewall software.
Firewall: Design Goals
All traffic in both directions must pass through the firewall.
Only authorized traffic should be allowed to pass.
The firewall should itself be immune to penetration: a compromised firewall can completely undermine the network's security.
There is a tradeoff between security and productivity: an internal network could be made completely secure, but then employees may not be able to communicate.
Firewall: Types
There are different kinds of firewalls, and each type has its advantages and disadvantages.
Firewalls can be classified in two broad categories:
  Network Level Firewalls
  Personal Firewalls
Firewall: Network Level Firewalls
Network-level firewalls are usually router based. Rules for who and what can access your network are applied at the router level.
The scheme is applied through a technique called packet filtering.
Network level firewalls can be classified as:
  Packet-Filtering Firewalls: the simplest and most effective type of firewall
  Stateful Inspection Firewalls: maintain state information from one packet to the next in the input stream
  Application-Level Firewalls (Proxies): a proxy server, a relay of application-level traffic
Firewall: Packet Filtering
Packet filtering is the process of examining the packets that come to the router from the outside world.
Packet headers are inspected by a firewall or router to make a decision to block the packet or allow access.
Two approaches:
  Stateless (a.k.a. static)
  Stateful
Firewall: Stateless Packet Filtering
Ignores the state of the connection.
Each packet header is examined individually and compared to a rule base.
Packet data is ignored.
Common criteria to filter on:
  Protocol type
  IP address
  Port number
  Message type
Firewall: Stateful Packet Filtering
Maintains a record of the state of the connection (referred to as the state table).
Each packet is compared against both the rule base and the state table.
Some stateful filters can examine both packet header and content.
Called stateful because it permits outgoing sessions while denying incoming sessions.
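The slide's last point, that a stateful filter permits outgoing sessions while denying incoming ones, is easiest to see with a state table in front of you. The following is an added example written for these notes, not code from the slides or from any product: a minimal stateful filter whose rule base lets inside hosts open sessions and whose state table admits only the replies to sessions it has recorded. The inside prefix, addresses and packets are constructed for the demonstration.

```python
# Added example, not from the original slides: a minimal stateful packet
# filter. The rule base permits sessions opened from the protected (inside)
# network; the state table then admits only the replies that belong to a
# recorded session, so unsolicited incoming connections are denied.
# The inside prefix, addresses and packets are constructed for this demo.

INSIDE_PREFIX = "192.168.2."   # assumed protected network (the slides' LAN)


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class StatefulFilter:
    def __init__(self):
        # State table: one entry per permitted session, keyed by the
        # connection as seen from the inside host.
        self.state_table = set()

    @staticmethod
    def _key(proto, src, sport, dst, dport):
        return (proto, src, sport, dst, dport)

    def decide(self, pkt):
        """Return 'permit' or 'deny' for a packet given as a dict with
        proto, src, sport, dst, dport."""
        proto, src, sport, dst, dport = (pkt["proto"], pkt["src"],
                                         pkt["sport"], pkt["dst"], pkt["dport"])
        if is_inside(src) and not is_inside(dst):
            # Rule base: inside hosts may open sessions to the outside.
            # Record the session so its replies can be matched later.
            self.state_table.add(self._key(proto, src, sport, dst, dport))
            return "permit"
        if not is_inside(src) and is_inside(dst):
            # Incoming packet: permitted only if it is the reply half of a
            # session already in the state table.
            if self._key(proto, dst, dport, src, sport) in self.state_table:
                return "permit"
            return "deny"
        # Traffic that does not cross the inside/outside boundary gets no
        # rule here; deny by default.
        return "deny"

    def close(self, pkt):
        """Remove the session when the inside host finishes with it (a real
        filter would also expire idle entries)."""
        self.state_table.discard(self._key(pkt["proto"], pkt["src"],
                                           pkt["sport"], pkt["dst"], pkt["dport"]))


def run_demo():
    """Constructed traffic: an unsolicited inbound connection, an outbound
    web request, the reply to that request, and a reply after the session
    has been closed."""
    fw = StatefulFilter()
    unsolicited = {"proto": "TCP", "src": "203.0.113.10", "sport": 4444,
                   "dst": "192.168.2.2", "dport": 23}
    outbound = {"proto": "TCP", "src": "192.168.2.2", "sport": 40000,
                "dst": "203.0.113.10", "dport": 80}
    reply = {"proto": "TCP", "src": "203.0.113.10", "sport": 80,
             "dst": "192.168.2.2", "dport": 40000}
    results = [fw.decide(unsolicited), fw.decide(outbound), fw.decide(reply)]
    fw.close(outbound)
    results.append(fw.decide(reply))   # session gone, so a late reply is denied
    return results


if __name__ == "__main__":
    print(run_demo())
```

A stateless filter that wanted to let the reply through would have to permit inbound TCP to port 40000 (or to the whole ephemeral range) permanently; the state table grants that permission only while the inside host's session exists, which is the whole difference between the two approaches.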
Firewall: Application Gateway Firewall
When a remote user contacts a network running an application gateway, the gateway blocks the remote connection.
Instead of passing the connection along, the gateway examines various fields in the request.
If these meet a set of predefined rules, the gateway creates a bridge between the remote host and the internal host.
Firewall: Access Policy
A list of rules describing which packets are to be forwarded.
Each packet is compared against this list.
The longer the list, the greater the latency (delay).
Examples:
  From any to any port 80 permit
  From any to any PORT any deny
  From *.albany.edu to any PORT any DENY
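To make the stateless filtering slide (header fields compared against a rule base, packet data ignored) and this access policy slide concrete, here is an added example, not code from the slides: a parser and first-match evaluator for rules written exactly in the form the slide uses, run over the slide's own three rules. The packets, the default-deny choice for packets that match nothing, and the first-match ordering are assumptions stated in the code.

```python
import fnmatch
import re

# Added example, not from the slides: a first-match evaluator for rules in the
# form the slide shows, "From <src> to <dst> PORT <port> <permit|deny>".
# Hosts, packets and the default-deny choice are assumptions for this demo.

RULE_RE = re.compile(
    r"^from\s+(\S+)\s+to\s+(\S+)\s+port\s+(\S+)\s+(permit|deny)$",
    re.IGNORECASE)

# The slide's own three example rules, in the slide's order.
SLIDE_POLICY = [
    "From any to any port 80 permit",
    "From any to any PORT any deny",
    "From *.albany.edu to any PORT any DENY",
]


def parse_rule(text):
    """Parse one rule line into a dict; case is normalised so that
    'PORT'/'port' and 'DENY'/'deny' are equivalent."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    src, dst, port, action = (g.lower() for g in m.groups())
    return {"src": src, "dst": dst, "port": port, "action": action}


def _host_matches(pattern, host):
    # 'any' matches everything; '*' wildcards as in '*.albany.edu';
    # a literal host name or IP address must match exactly.
    return pattern == "any" or fnmatch.fnmatchcase(host.lower(), pattern)


def _port_matches(pattern, port):
    return pattern == "any" or pattern == str(port)


def evaluate(rules, pkt):
    """Return (action, index of the matching rule, comparisons made).

    Rules are tried top to bottom and the first match decides, which is
    how most packet filters behave. A packet matching nothing is denied
    (assumed default). The comparison count shows the slide's point that
    a longer list costs more work, and so more latency, per packet."""
    for i, r in enumerate(rules):
        if (_host_matches(r["src"], pkt["src"])
                and _host_matches(r["dst"], pkt["dst"])
                and _port_matches(r["port"], pkt["dport"])):
            return r["action"], i, i + 1
    return "deny", None, len(rules)


def _subsumes(earlier, later):
    # An earlier pattern covers a later one if it is 'any' or identical.
    return earlier == "any" or earlier == later


def find_shadowed(rules):
    """Indices of rules that can never match because an earlier rule
    covers every packet they could match (a conservative check: it only
    recognises 'any' and identical patterns, never partial overlaps)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if all(_subsumes(earlier[f], later[f]) for f in ("src", "dst", "port")):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    rules = [parse_rule(t) for t in SLIDE_POLICY]
    web = {"src": "host.albany.edu", "dst": "10.1.1.2", "dport": 80}   # constructed
    print(evaluate(rules, web))
    print("shadowed rules:", find_shadowed(rules))
```

Run on the slide's list, the evaluator shows something worth checking in any real rule base: under first-match evaluation the third rule (deny *.albany.edu) is shadowed by the second (deny everything), so it never fires; a catch-all deny has to be the last rule for the specific rules above it to have any effect.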
Firewall: Limitations
Firewalls are not a complete solution to all computer security problems. Limitations:
  The firewall cannot protect against attacks that bypass the firewall.
  The firewall does not protect against internal threats.
  The firewall cannot protect against the transfer of virus-infected programs or files.
Firewall: Configuration Strategies (Screening Router)
[Diagram: Internet - Router (external interface 10.1.1.200/24, internal interface 192.168.2.1/24) - internal hosts 192.168.2.2, 192.168.2.3, 192.168.2.4, 192.168.2.5, 192.168.2.6]
Simple.
Filters traffic to internal computers.
Provides minimal security.
Source: Guide To Firewalls and Network Security
Firewall: Configuration Strategies (Screening Host)
[Diagram: Internet - Router - Application Gateway - internal hosts 192.168.2.2 to 192.168.2.6]
Host makes an Internet request.
Gateway receives the client request and makes a request on behalf of the client.
Host IP address is never displayed to the public.
Source: Guide To Firewalls and Network Security
Firewall: Configuration Strategies (Two Routers, One Firewall)
[Diagram: Internet - Router - Firewall - Router (LAN gateway) - internal hosts 192.168.2.2 to 192.168.2.6]
External router can perform initial static packet filtering.
Internal router can perform stateful packet filtering.
Multiple internal routers can direct traffic to different subnets.
Source: Guide To Firewalls and Network Security
Firewall: Configuration Strategies (DMZ Screened Subnet)
[Diagram: Internet - Router - Firewall (DMZ interface 10.1.1.1/24, LAN gateway interface 192.168.1.1/24) - Router - internal hosts 192.168.2.2 to 192.168.2.6; DMZ: Web Server 10.1.1.2, Email Server 10.1.1.3, FTP Server 10.1.1.4]
DMZ sits outside the internal network but is connected to the firewall.
Public can access servers residing in the DMZ, but cannot connect to the internal LAN.
Source: Guide To Firewalls and Network Security
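The screened-subnet rule on this slide (public may reach the DMZ servers but not the internal LAN) can be written as a zone-based policy over the addresses in the diagram. The block below is an added example for these notes, not configuration from the slides or from any firewall product. The DMZ subnet and server addresses come from the diagram; the LAN subnet 192.168.2.0/24 for the internal hosts, the published ports, and the rule that DMZ hosts may not open connections into the LAN are assumptions made for the demo.

```python
import ipaddress

# Added example, not from the slides: a zone-based access policy for the
# screened-subnet layout drawn on the slide. Subnets are taken from the
# diagram (DMZ 10.1.1.0/24, DMZ hosts .2/.3/.4); the LAN subnet
# 192.168.2.0/24 and the DMZ-to-LAN deny are assumptions for this demo.

ZONES = {
    "DMZ": ipaddress.ip_network("10.1.1.0/24"),
    "LAN": ipaddress.ip_network("192.168.2.0/24"),   # assumed internal hosts
}

# Public services on the slide: web, email and FTP servers in the DMZ.
# Ports are the standard ones for those services (assumed, not on the slide).
DMZ_SERVICES = {
    ("10.1.1.2", "TCP", 80): "web",
    ("10.1.1.3", "TCP", 25): "email",
    ("10.1.1.4", "TCP", 21): "ftp",
}


def zone_of(ip):
    """Classify an address; anything outside the known subnets is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def decide(pkt):
    """Return (decision, reason) for a packet dict with src, dst, proto, dport.
    Only the first packet of a connection is modelled; replies are assumed to
    be handled by state tracking as in a stateful filter."""
    src_zone, dst_zone = zone_of(pkt["src"]), zone_of(pkt["dst"])
    key = (pkt["dst"], pkt["proto"], pkt["dport"])
    if src_zone == "INTERNET" and dst_zone == "DMZ":
        if key in DMZ_SERVICES:
            return "permit", "public access to DMZ %s server" % DMZ_SERVICES[key]
        return "deny", "DMZ host or port not published"
    if src_zone == "INTERNET" and dst_zone == "LAN":
        return "deny", "public cannot connect to the internal LAN"
    if src_zone == "DMZ" and dst_zone == "LAN":
        # Assumed rule: a compromised DMZ server must not become a bridge into the LAN.
        return "deny", "DMZ may not open connections into the LAN"
    if src_zone == "LAN":
        return "permit", "internal hosts may reach the DMZ and the Internet"
    return "deny", "no rule for %s -> %s" % (src_zone, dst_zone)


if __name__ == "__main__":
    # constructed packets
    print(decide({"src": "203.0.113.7", "dst": "10.1.1.2", "proto": "TCP", "dport": 80}))
    print(decide({"src": "203.0.113.7", "dst": "192.168.2.3", "proto": "TCP", "dport": 445}))
    print(decide({"src": "10.1.1.2", "dst": "192.168.2.3", "proto": "TCP", "dport": 445}))
```

The point of the third rule is the reason a DMZ exists at all: the public-facing servers are the ones most likely to be compromised, so the policy treats them as untrusted towards the LAN even though they sit behind the firewall.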
Firewall: Configuration Strategies (Two Firewalls, One DMZ)
[Diagram: Internet - Router - Firewall - DMZ (10.1.1.1/24: Web Server 10.1.1.2, Email Server 10.1.1.3, FTP Server 10.1.1.4) - Firewall (LAN gateway 192.168.1.1/24) - Router - internal hosts 192.168.2.2 to 192.168.2.6]
First firewall controls traffic between the Internet and the DMZ.
Second firewall controls traffic between the internal network and the DMZ.
Second firewall can also be a failover firewall.
Firewall: Kerio Personal Firewall (KPF)
What is KPF? A software agent that builds a barrier between the PC and the Internet, to protect the PC against hacker attacks and data leaks.
Why KPF?
  KPF is designed to protect the PC against attacks from both the Internet and other computers in the local network.
  KPF controls all data flow in both directions, from the Internet to your computer and vice versa.
  KPF can block all attempted communication, allowing only what you choose to permit.
Lab Exercise
Configure Kerio Personal Firewall
KPF: How does it work?
KPF: Features
Blocks all externally originated IP traffic.
Three security settings for easy configuration.
MD5 signature verification protects the computer from Trojan horses.
Protects against Denial of Service (DoS) attacks on applications or services.
The Connections dialog clearly displays each application's activity at any given moment.
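The MD5 signature feature is worth spelling out, because the same idea appears in many host-based tools. The block below is an added example written for these notes, not Kerio's code: when an application is first permitted, the hash of its executable is recorded; on each later run the file is hashed again, and a changed hash (the binary having been replaced, for instance by a Trojan horse) is reported before the program is allowed to use the network. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Added example, not KPF's code: the idea behind application signature
# verification. The first time an application is permitted, the hash of its
# executable is recorded; on later runs the file is re-hashed and any change
# (such as the binary having been swapped for a Trojan horse) is reported
# before the application is allowed to use the network. File names and
# contents below are constructed for the demo.


def file_md5(path):
    """MD5 of a file, read in chunks so large executables need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class SignatureStore:
    """Remembers the hash recorded when an application was first permitted."""

    def __init__(self):
        self.known = {}          # path -> hex digest

    def check(self, path):
        """Return 'new', 'unchanged' or 'changed' for the executable at path."""
        digest = file_md5(path)
        previous = self.known.get(path)
        if previous is None:
            self.known[path] = digest
            return "new"
        return "unchanged" if previous == digest else "changed"

    def accept(self, path):
        """Re-record the hash after the user has confirmed a legitimate update."""
        self.known[path] = file_md5(path)


def run_demo():
    """Constructed scenario: an application is seen, run again unchanged,
    then its binary is replaced on disk, then the user accepts the new file."""
    workdir = tempfile.mkdtemp()
    app = os.path.join(workdir, "app.exe")
    with open(app, "wb") as f:
        f.write(b"original program bytes")
    store = SignatureStore()
    results = [store.check(app), store.check(app)]
    with open(app, "wb") as f:
        f.write(b"replaced program bytes")
    results.append(store.check(app))
    store.accept(app)                      # user confirmed a legitimate update
    results.append(store.check(app))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two practical notes. The check is only as good as the protection of the stored hashes: anything that can rewrite the store can "accept" a replaced binary, so real products keep it where ordinary processes cannot write. And MD5 collisions have been practical since 2004, so a current implementation would use hashlib.sha256 in file_md5; nothing else in the logic changes.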
KPF: Features Contd.
Availability (KPF version 4.1.3): available for trial for home use (limited free version): http://www.kerio.com/kpf_download.html
The manual is available at the following site: http://download.kerio.com/dwn/kpf/kpf41-en-v3.pdf
Business and institutional customers are encouraged to download this software for evaluation purposes.
Platform: Windows 98, Me, NT, 2000 and XP (Win 95 not available any more)
KPF: Installation
System requirements:
  CPU: Intel Pentium or 100% compatible
  64 MB RAM
  8 MB hard drive space (for installation only; at least 10 MB of additional space is recommended for logging)
Installation:
  Execute the installation archive (kerio-pf-201-en-win.exe)
  Choose the directory where KPF is to be installed, or leave the default setting (C:\Program Files\Kerio\Personal Firewall)
  Restart the system after installation so that the low-level driver is loaded
KPF: Configuration
Overview: list of active and open ports, statistics, user preferences.
Network Security: rules for network communication of individual applications, packet filtering, trusted area definitions.
System Security: rules for startup of individual applications.
Intrusions: configuration of parameters which will be used for detection of known intrusion types.
Web: web content rules (URL filter, pop-up blocking, control over sent data).
Logs & Alerts: log viewing and settings.
KPF: Firewall Engine
The Firewall Engine takes care of all KPF functions.
It runs as a background application.
It is represented by an icon in the System Tray.
Right click the icon:
  Stop All Traffic
  Firewall Status
  Administration
KPF: Configuration Window
KPF: Administration
KPF: Status Window
KPF: Security Settings
Level of Security (KPF allows 3 security levels):
  Permit Unknown: minimum security
  Ask Me First: all communication is denied implicitly at this level
  Deny Unknown: all communication is denied which is not explicitly permitted by the existing filter rules
KPF: Security Settings Contd.
KPF: Interaction with Users (Incoming)
KPF: Interaction with Users (Outgoing)
KPF: Packet Filtering Rules
KPF: Application MD5 Signature
KPF: Filter.log File
The filter.log file is used for logging KPF actions on the local computer.
Filter.log is a text file where each record is placed on a new line. It has the following format:
  1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
How to read this log file?
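One way to answer "how to read this log file" is to parse it. The block below is an added example for these notes, not Kerio's code: a parser for records in the format the slide shows, with a plain-English reading of each record and a helper that pulls out blocked incoming connections, the records an administrator usually looks at first. The first record is the slide's own line; the second is constructed in the same shape to show an outgoing, permitted record. The field layout is inferred from the single line shown, and the leading number is treated as a record counter, which the slide does not state.

```python
import re
from datetime import datetime

# Added example, not Kerio's code: a parser for records in the filter.log
# format shown on the slide. The first record is the slide's own line; the
# second is constructed in the same shape to show an outgoing, permitted
# record. The leading number is treated as a record counter (the slide does
# not say what it is), and the field layout is inferred from the one line shown.

SAMPLE_LOG = r"""
1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
2,[08/Jun/2001 16:53:41] Rule 'Web browser': Permitted: Out TCP, localhost [192.168.2.10:1035]->www.example.com:80, Owner: C:\PROGRAM FILES\BROWSER\BROWSER.EXE
""".strip().splitlines()

RECORD_RE = re.compile(
    r"^(?P<seq>\d+),\[(?P<time>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>\w+): (?P<direction>In|Out) (?P<proto>\w+), "
    r"(?P<src>.+?)->(?P<dst>\S+), Owner: ?(?P<owner>.*)$")

# 'name [ip:port]' (the side with a resolved name and address) or 'name:port'
ENDPOINT_RE = re.compile(
    r"^(?P<host>[^\s\[:]+)(?: \[(?P<ip>[^\]:]+):(?P<port>\d+)\]|:(?P<lport>\d+))$")


def parse_endpoint(text):
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError("unparseable endpoint: %r" % text)
    return {"host": m.group("host"), "ip": m.group("ip"),
            "port": int(m.group("port") or m.group("lport"))}


def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable record: %r" % line)
    d = m.groupdict()
    return {
        "seq": int(d["seq"]),
        "time": datetime.strptime(d["time"], "%d/%b/%Y %H:%M:%S"),
        "rule": d["rule"], "action": d["action"],
        "direction": d["direction"], "proto": d["proto"],
        "src": parse_endpoint(d["src"]), "dst": parse_endpoint(d["dst"]),
        "owner": d["owner"].strip(),
    }


def parse_log(lines):
    return [parse_record(l) for l in lines if l.strip()]


def describe(r):
    """Plain-English reading of one record, in the order an analyst checks it:
    what happened, which direction, who talked to whom, which rule and program."""
    src = r["src"]["host"] + ((" [%s]" % r["src"]["ip"]) if r["src"]["ip"] else "")
    return ("%s %s %s %s connection from %s port %d to %s port %d; "
            "rule '%s', local program %s" % (
                r["time"].isoformat(sep=" "), r["action"].lower(),
                "incoming" if r["direction"] == "In" else "outgoing", r["proto"],
                src, r["src"]["port"], r["dst"]["host"], r["dst"]["port"],
                r["rule"], r["owner"]))


def blocked_inbound(records):
    """(source ip, local port) pairs for blocked incoming connections."""
    return [(r["src"]["ip"] or r["src"]["host"], r["dst"]["port"])
            for r in records if r["action"] == "Blocked" and r["direction"] == "In"]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(describe(rec))
```

Read this way, the slide's record says: on 8 June 2001 at 16:52:09 an incoming TCP connection from richard.kerio.cz (192.168.2.38, source port 3772) to local port 25 was blocked by the rule named 'Internet Information Services', and the local program that owned port 25 was INETINFO.EXE.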
Intrusion Detection Systems
IDS: What Does it Do?
An intrusion detection system (IDS) monitors systems and analyzes network traffic to detect signs of intrusion.
An IDS can detect a variety of attacks in progress as well as attempts to scan a network for weaknesses.
An IDS can be a dedicated network appliance or a software solution installed on a host computer.
Two kinds of IDS systems:
  Client based (on a single node)
  Network based (protecting the entire network)
IDS: How does it work?
If configured correctly, a network intrusion detection system (NIDS) can monitor all traffic on a network segment.
A NIDS is most effective when used in conjunction with a firewall solution, with all of its dependent components properly connected and functioning.
IDS: Configuration
NIDS can be installed on the external routers, the internal routers, or both.
Placing NIDS on external routers enables detection of attacks from the Internet.
Placing NIDS on internal routers enables detection of internal hosts attempting to access the Internet on suspicious ports.
IDS: Methods of Detection
A NIDS/IDS mainly uses anomaly or pattern detection to identify an intrusion or intrusion attempt.
An anomaly example: this involves monitoring resource use, network traffic and user behavior, and comparing them against normal levels. If a user that normally only accesses the system between 9 am and 5 pm suddenly logs on at 3 am, this may indicate that an intruder has compromised the user's account. A NIDS/IDS would then alert administrators to this suspicious activity.
A NIDS/IDS can detect hacker attempts to scan your network for intelligence gathering purposes.
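The 3 am login on this slide is anomaly detection in its simplest form: learn what is normal for each user, then flag what falls outside it. The block below is an added example for these notes, not code from the slides or from any IDS product: it learns a per-user window of login hours from past records and reports logins outside that window, as well as users for whom it has no baseline at all. All login records are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Added example, not from the slides: the "3 am login" anomaly the slide
# describes, done as a per-user baseline of working hours learned from past
# logins. All login records are constructed for the demo (user,timestamp).

BASELINE_LOGINS = """
alice,2019-07-01 09:02
alice,2019-07-01 13:15
alice,2019-07-02 08:58
alice,2019-07-02 16:40
alice,2019-07-03 09:30
alice,2019-07-03 17:05
alice,2019-07-04 09:10
""".strip().splitlines()

NEW_LOGINS = """
alice,2019-07-05 10:20
alice,2019-07-06 03:12
mallory,2019-07-06 03:15
""".strip().splitlines()


def parse_logins(lines):
    out = []
    for line in lines:
        user, stamp = line.split(",", 1)
        out.append((user.strip(), datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M")))
    return out


def learn_baseline(logins, min_samples=5):
    """For each user with enough history, the earliest and latest hour of
    day at which they have been seen to log in. Users with fewer than
    min_samples logins get no baseline rather than a misleading one."""
    hours = defaultdict(list)
    for user, when in logins:
        hours[user].append(when.hour)
    return {u: (min(h), max(h)) for u, h in hours.items() if len(h) >= min_samples}


def detect(baseline, logins):
    """Alerts as (user, time, reason). A login outside the learned window is
    anomalous; a user with no baseline is reported too, since the detector
    cannot say what is normal for them."""
    alerts = []
    for user, when in logins:
        if user not in baseline:
            alerts.append((user, when, "no baseline for user"))
            continue
        lo, hi = baseline[user]
        if not lo <= when.hour <= hi:
            alerts.append((user, when, "login at %02d:00 outside usual %02d:00-%02d:00"
                           % (when.hour, lo, hi)))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(parse_logins(BASELINE_LOGINS))
    for alert in detect(base, parse_logins(NEW_LOGINS)):
        print(alert)
```

The baseline is the weak point of any anomaly detector: if the training records already contain the intruder's logins, those hours become "normal", which is why the learning period should be reviewed before the detector is trusted.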
IDS: Network Packet Checking
Sits at a network location and checks packets that travel across the network.
If a packet contains a certain footprint, then it triggers an alert.
Audit logs are generated and kept as records of alerts.
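Pattern detection, the other method the earlier slide names, is what this slide describes: a footprint in a packet triggers an alert and an audit record. The block below is an added example for these notes, not code from the slides or from any IDS: a small signature matcher over packet payloads that writes one audit entry per alert. The signatures and packets are constructed for the demonstration.

```python
from datetime import datetime

# Added example, not from the slides: a pattern ("footprint") detector of the
# kind the slide describes. Each signature names a byte pattern to look for in
# a packet's payload; a match raises an alert and writes an audit record.
# Signatures and packets here are constructed for the demonstration.

SIGNATURES = [
    {"name": "http-path-traversal", "proto": "TCP", "dport": 80, "pattern": b"/../"},
    {"name": "constructed-test-footprint", "proto": "UDP", "dport": None,
     "pattern": b"FOOTPRINT-TEST-STRING"},
]


def matches(sig, pkt):
    """A signature matches when protocol and (if given) destination port agree
    and the pattern appears anywhere in the payload."""
    if sig["proto"] != pkt["proto"]:
        return False
    if sig["dport"] is not None and sig["dport"] != pkt["dport"]:
        return False
    return sig["pattern"] in pkt["payload"]


class PacketChecker:
    def __init__(self, signatures):
        self.signatures = signatures
        self.audit_log = []          # one record kept for every alert

    def check(self, pkt, now=None):
        """Return the names of signatures that fired for this packet, after
        recording one audit entry per alert."""
        now = now or datetime.now()
        fired = []
        for sig in self.signatures:
            if matches(sig, pkt):
                fired.append(sig["name"])
                self.audit_log.append({
                    "time": now, "signature": sig["name"],
                    "src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"],
                    "excerpt": pkt["payload"][:40],   # context for the analyst, not the whole packet
                })
        return fired


def run_demo():
    """Constructed packets: a normal web request, a request carrying the
    traversal footprint, and a UDP datagram carrying the test footprint."""
    checker = PacketChecker(SIGNATURES)
    packets = [
        {"proto": "TCP", "src": "203.0.113.5", "dst": "10.1.1.2", "dport": 80,
         "payload": b"GET /index.html HTTP/1.0\r\n"},
        {"proto": "TCP", "src": "203.0.113.5", "dst": "10.1.1.2", "dport": 80,
         "payload": b"GET /images/../../config HTTP/1.0\r\n"},
        {"proto": "UDP", "src": "198.51.100.9", "dst": "10.1.1.4", "dport": 5000,
         "payload": b"xxFOOTPRINT-TEST-STRINGxx"},
    ]
    results = [checker.check(p, now=datetime(2019, 8, 3, 12, 0, 0)) for p in packets]
    return results, checker.audit_log


if __name__ == "__main__":
    results, audit = run_demo()
    print(results)
    for entry in audit:
        print(entry)
```

Matching on the raw payload is exact but brittle: the same footprint split across two packets, or sent in an encoded form, will not match, which is why real sensors reassemble streams and normalise protocols before applying signatures.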
IDS: Commonly Used IDS Systems (Windows)
ISS Internet Security Systems (BlackICE Guardian)
  Used by individuals and small business networks.
  Looks for common algorithms concealed or wrapped in wrappers, i.e. TCP Wrapper.
  Can be configured as an IDS and a firewall.
  Can track unauthorized traffic and block the ports the intruding script/software is using.
IDS: Vendor Firewalls & Versions (Hardware Based)
  Axent: Raptor v6.5
  Checkpoint: FW1 v4.1
  Cisco: PIX v525
  MS: Proxy v2.0
Zone Alarm Pro!
View Demo: http://download.zonelabs.com/bin/media/flash/zap31demo/final083002_01.swf