Firewall Types and Conf

Apr 07, 2018

Himanshu2599
Transcript
  • 8/3/2019 Firewall Types and Conf

    1/45

    Firewalls & Intrusion Detection Systems

    Communications, Networking & Computer Security

    Himanshu Sharma
    http://ethicalhackingtutorials1.blogspot.com/
  • Outline

    Firewall

      • Definition
      • Types
      • Configuration
      • Lab Exercise (Kerio Personal Firewall)

    IDS

      • Definition
      • Operation
      • Lab Exercises

  • Firewall: What is a Firewall?

    A firewall is any device used to prevent outsiders from gaining access to your network.

    It checks each packet against a list of rules to permit or deny its transmission.

    Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses. They filter all traffic between a protected (inside) network and a less trustworthy (outside) network.

  • Firewall: Composition

    Firewalls can be composed of software, hardware, or, most commonly, both.

    The software components can be either proprietary, shareware, or freeware.

    The hardware is typically any hardware that supports the firewall software.

  • Firewall: Design Goals

    All traffic in both directions must pass through the firewall.

    Only authorized traffic should be allowed to pass.

    The firewall should itself be immune to penetration.

      • A compromised firewall can completely undermine the network security.

    Tradeoff between security and productivity.

      • The internal network could be completely secure, but employees may not be able to communicate.

  • Firewall: Types

    There are different kinds of firewalls, and each type has its advantages & disadvantages.

    Firewalls can be classified in two broad categories:

      • Network Level Firewalls
      • Personal Firewalls

  • Firewall: Network Level Firewalls

    Network-level firewalls are usually router based.

      • Rules governing who and what can access your network are applied at the router level.
      • The scheme is applied through a technique called packet filtering.

    Network Level Firewalls can be classified as:

      • Packet-Filtering Firewalls: the simplest and most effective type of firewalls
      • Stateful Inspection Firewalls: maintain state info from one packet to another in the input stream
      • Application-Level Firewalls (Proxies): a proxy server, a relay of application-level traffic

  • Firewall: Packet Filtering

    Packet filtering is the process of examining the packets that come to the router from the outside world.

    Packet headers are inspected by a firewall or router to make a decision to block the packet or allow access.

    Two approaches:

      • Stateless (a.k.a. static)
      • Stateful

  • Firewall: Stateless Packet Filtering

    Ignores the state of the connection.

    Each packet header is examined individually and compared to a rule base.

    Packet data is ignored.

    Common criteria to filter on:

      • Protocol Type
      • IP address
      • Port Number
      • Message Type

  • Firewall: Stateful Packet Filtering

    Maintains a record of the state of the connection (referred to as state table).

    Packet is compared against both rule base and state table.

    Some stateful filters can examine both packet header and content.

    Called stateful because it permits outgoing sessions while denying incoming sessions.
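
    The difference between the two approaches, as an added example that is not part of the original deck: a stateless check that admits any inbound TCP packet with ACK set, next to a filter that consults a state table. The policy, the flag-based stateless rule, the simplified session teardown and the packets are assumptions made for illustration; the addresses are the ones in the deck's diagrams.

```python
# Added illustration, not from the deck. Assumed policy: inside hosts may open
# sessions to the outside; outside hosts may only answer sessions already open.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.2.0/24")  # inside network used in the deck's diagrams


def stateless_check(proto, src, sport, dst, dport, flags=""):
    """No memory: inbound TCP is permitted whenever the ACK flag is set."""
    if ip_address(src) in INSIDE:
        return "permit"
    return "permit" if proto == "tcp" and "A" in flags else "deny"


class StatefulFilter:
    def __init__(self):
        # One entry per open session: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.state_table = set()

    def check(self, proto, src, sport, dst, dport, flags=""):
        """Return 'permit' or 'deny' for one packet; flags are TCP flag letters (S, A, F, R)."""
        outbound = ip_address(src) in INSIDE
        key = (proto, src, sport, dst, dport) if outbound else (proto, dst, dport, src, sport)
        if outbound:
            self.state_table.add(key)      # rule base permits it; record the session
            verdict = "permit"
        else:
            verdict = "permit" if key in self.state_table else "deny"
        if "F" in flags or "R" in flags:
            self.state_table.discard(key)  # simplified teardown; real filters also use timeouts
        return verdict


def demo():
    """Constructed packets: a reply to a real session, then an unsolicited ACK."""
    fw = StatefulFilter()
    fw.check("tcp", "192.168.2.3", 40000, "10.1.1.2", 80, "S")
    reply = ("tcp", "10.1.1.2", 80, "192.168.2.3", 40000, "SA")
    unsolicited = ("tcp", "10.1.1.2", 80, "192.168.2.4", 40000, "A")
    return {
        "stateless": (stateless_check(*reply), stateless_check(*unsolicited)),
        "stateful": (fw.check(*reply), fw.check(*unsolicited)),
    }


if __name__ == "__main__":
    print(demo())
```

    The stateless check cannot tell the genuine reply from the unsolicited packet; the state table can, because only the first belongs to a recorded session.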

  • Firewall: Application Gateway Firewall

    When a remote user contacts a network running an application gateway, the gateway blocks the remote connection.

    Instead of passing the connection along, the gateway examines various fields in the request.

    If these meet a set of predefined rules, the gateway creates a bridge between the remote host and the internal host.

  • Firewall: Access Policy

    A list of rules describing which packets are to be forwarded.

    Each packet is compared against this list.

    The longer the list, the greater the latency (delay).

    Examples:

      From any to any port 80 permit
      From any to any PORT any deny
      From *.albany.edu to any PORT any DENY
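
    An added example, not part of the original deck, that evaluates the three example rules in the order listed and reports rules that can never be reached. First-match-wins evaluation, the default deny and the tuple encoding of the rules are assumptions; the deck only says each packet is compared against the list.

```python
# Added illustration, not from the deck: first-match evaluation (assumed) of the
# slide's three rules, plus a check for rules hidden behind an earlier rule.
from fnmatch import fnmatchcase

ANY = "any"

# (source pattern, destination pattern, port, action), in the slide's order
RULES = [
    (ANY, ANY, 80, "permit"),
    (ANY, ANY, ANY, "deny"),
    ("*.albany.edu", ANY, ANY, "deny"),
]


def _field_matches(pattern, value):
    if pattern == ANY:
        return True
    if isinstance(pattern, int):
        return pattern == value
    return fnmatchcase(str(value).lower(), pattern.lower())


def decide(rules, src, dst, port):
    """Return (action, matching rule number, rules examined); default is deny."""
    for n, (r_src, r_dst, r_port, action) in enumerate(rules, start=1):
        if (_field_matches(r_src, src) and _field_matches(r_dst, dst)
                and _field_matches(r_port, port)):
            return action, n, n
    return "deny", None, len(rules)


def _covers(earlier, later):
    # Sound but incomplete: only "any" or an identical pattern counts as covering.
    return earlier == ANY or earlier == later


def shadowed_rules(rules):
    """Return [(rule number, number of the earlier rule that hides it)]."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if all(_covers(e, l) for e, l in zip(earlier[:3], later[:3])):
                found.append((j + 1, i + 1))
                break
    return found


if __name__ == "__main__":
    print(decide(RULES, "cs.albany.edu", "192.168.2.2", 25))  # constructed packet
    print(shadowed_rules(RULES))
```

    Under first-match evaluation the third rule is never consulted, because the catch-all deny before it already matches every packet; the rules-examined count is the per-packet cost the slide calls latency.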

  • Firewall: Limitations

    Firewalls are not a complete solution to all computer security problems. Limitations:

      • The firewall cannot protect against attacks that bypass the firewall.
      • The firewall does not protect against internal threats.
      • The firewall cannot protect against the transfer of virus-infected programs or files.

  • Firewall: Configuration Strategies

    Screening Router

      • Simple
      • Filters traffic to internal computers
      • Provides minimal security

    [Diagram: Internet; Router with external interface 10.1.1.200/24 and internal interface 192.168.2.1/24; internal hosts 192.168.2.2 to 192.168.2.6]

    Source: Guide To Firewalls and Network Security

  • Firewall: Configuration Strategies

    Screening Host

      • Host makes Internet request
      • Gateway receives client request and makes a request on behalf of the client
      • Host IP address never displayed to public

    [Diagram: Internet; Router; Application Gateway; internal hosts 192.168.2.2 to 192.168.2.6]

    Source: Guide To Firewalls and Network Security

  • Firewall: Configuration Strategies

    Two Routers, One Firewall

      • External router can perform initial static packet filtering
      • Internal router can perform stateful packet filtering
      • Multiple internal routers can direct traffic to different subnets

    [Diagram: Internet; Router; Firewall; Router; LAN Gateway; internal hosts 192.168.2.2 to 192.168.2.6]

    Source: Guide To Firewalls and Network Security

  • Firewall: Configuration Strategies

    DMZ Screened Subnet

      • DMZ sits outside internal network but is connected to the firewall
      • Public can access servers residing in DMZ, but cannot connect to internal LAN

    [Diagram: Internet; Router; Firewall; Router; LAN Gateway; DMZ with Web Server (10.1.1.2), Email Server (10.1.1.3) and FTP Server (10.1.1.4); interface addresses 10.1.1.1/24 and 192.168.1.1/24; internal hosts 192.168.2.2 to 192.168.2.6]

    Source: Guide To Firewalls and Network Security

  • Firewall: Configuration Strategies

    Two Firewalls, One DMZ

      • First firewall controls traffic between the Internet and DMZ
      • Second firewall controls traffic between the internal network and DMZ
      • Second firewall can also be a failover firewall

    [Diagram: Internet; Router; Firewall; Router; LAN Gateway; DMZ with Web Server (10.1.1.2), Email Server (10.1.1.3) and FTP Server (10.1.1.4); interface addresses 10.1.1.1/24 and 192.168.1.1/24; internal hosts 192.168.2.2 to 192.168.2.6]

  • Firewall: Kerio Personal Firewall (KPF)

    What's KPF?

      • A software agent that builds a barrier between the PC and the Internet, to protect the PC against hacker attacks and data leaks.

    Why KPF?

      • KPF is designed to protect the PC against attacks from both the Internet and other computers in the local network.
      • KPF controls all data flow in both directions, from the Internet to your computer and vice versa.
      • KPF can block all attempted communication, allowing only what you choose to permit.

  • Lab Exercise

    Configure Kerio Personal Firewall

  • KPF: How does it work?

  • KPF: Features

    Blocks all externally originated IP traffic.

    Three security settings for easy configuration.

    MD5 signature verification protects the computer from Trojan horses.

    Protection from Denial of Service (DoS) attacks on applications or services.

    Connections dialog clearly displays each application's activity at any given moment.

  • KPF: Features (Contd.)

    Availability (KPF version 4.1.3):

      • Available for trial for home use (limited free version): http://www.kerio.com/kpf_download.html
      • Manual is available at the following site: http://download.kerio.com/dwn/kpf/kpf41-en-v3.pdf
      • Business and institutional customers are encouraged to download this software for evaluation purposes.

    Platform:

      • For Windows 98, Me, NT, 2000 and XP (Win 95 not available any more)

  • KPF: Installation

    System requirements:

      • CPU Intel Pentium or 100% compatible
      • 64 MB RAM
      • 8 MB hard drive space (for installation only; at least 10 MB of additional space is recommended for logging)

    Installation:

      • Execute the installation archive (kerio-pf-201-en-win.exe)
      • Choose the directory where KPF will be installed, or leave the default setting (C:\Program Files\Kerio\Personal Firewall)
      • Restart the system after installation in order for the low-level driver to be loaded

  • KPF: Configuration

    Overview: list of active and open ports, statistics, user preferences.

    Network Security: rules for network communication of individual applications, packet filtering, trusted area definitions.

    System Security: rules for startup of individual applications.

    Intrusions: configuration of parameters which will be used for detection of known intrusion types.

    Web: web content rules (URL filter, pop-ups blocking, control over sent data).

    Logs & Alerts: logs viewing and settings.

  • KPF: Firewall Engine

    The Firewall Engine takes care of all KPF functions.

    It runs as a background application.

    It is represented by an icon in the System Tray.

    Right click the icon:

      • Stop All Traffic
      • Firewall Status
      • Administration

  • KPF: Configuration Window

  • KPF: Administration

  • KPF: Status Window

  • KPF: Security Settings

    Level of Security (KPF allows 3 security levels):

      • Permit Unknown: minimum security
      • Ask Me First: all communication is denied implicitly at this level
      • Deny Unknown: all communication is denied which is not explicitly permitted by the existing filter rules

  • KPF: Security Settings (Contd.)

  • KPF: Interaction with Users (Incoming)

  • KPF: Interaction with Users (Outgoing)

  • KPF: Packet Filtering Rules

  • KPF: Application MD5 Signature

  • KPF: Filter.log File

    The filter.log file is used for logging KPF actions on a local computer.

    Filter.log is a text file where each record is placed on a new line. It has the following format:

    1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, richard.kerio.cz [192.168.2.38:3772]->localhost:25, Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE

    How to read this log file?
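
    One way to read such a record programmatically, as an added example that is not part of the original deck or of Kerio's software. The field names are assumptions inferred from the single sample record above, the meaning of the leading number is not explained on the slide so it is kept as an opaque field, and records of other shapes are skipped rather than guessed at.

```python
# Added illustration, not from the deck: parse filter.log records shaped like the
# slide's sample. Field names are assumptions inferred from that one record.
import re
from collections import Counter
from datetime import datetime

RECORD = re.compile(
    r"^(?P<lead>\d+),\[(?P<ts>[^\]]+)\]\s+Rule '(?P<rule>[^']*)':\s+"
    r"(?P<action>\w+):\s+(?P<direction>In|Out)\s+(?P<proto>\w+),\s+"
    r"(?P<src_name>\S+)\s+\[(?P<src_ip>[\d.]+):(?P<src_port>\d+)\]->"
    r"(?P<dst_host>[^:,\s]+):(?P<dst_port>\d+),\s+Owner:\s*(?P<owner>.+)$"
)

# The sample record from the slide, joined back into a single line.
PAGE_SAMPLE = (
    r"1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked: In TCP, "
    r"richard.kerio.cz [192.168.2.38:3772]->localhost:25, "
    r"Owner: G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE"
)


def parse_record(line):
    """Return a dict of fields for one record, or None if the line does not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y %H:%M:%S")
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def blocked_inbound(lines):
    """Count blocked inbound records per (source IP, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "Blocked" and rec["direction"] == "In":
            counts[(rec["src_ip"], rec["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    rec = parse_record(PAGE_SAMPLE)
    print(rec["time"], rec["rule"], rec["action"], rec["direction"], rec["proto"])
    print(f'{rec["src_name"]} [{rec["src_ip"]}:{rec["src_port"]}] -> '
          f'{rec["dst_host"]}:{rec["dst_port"]} owner={rec["owner"]}')
```

    Read this way, the sample says that the rule named 'Internet Information Services' blocked an inbound TCP connection from richard.kerio.cz (192.168.2.38, port 3772) to local port 25, and that the local application owning that port was INETINFO.EXE.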

  • Intrusion Detection Systems

  • IDS: What Does it Do?

    An intrusion detection system (IDS) monitors systems and analyzes network traffic to detect signs of intrusion.

    An IDS can detect a variety of attacks in progress as well as attempts to scan a network for weaknesses.

    An IDS can be a dedicated network appliance or a software solution installed on a host computer.

    Two kinds of IDS systems:

      • Client Based (on a single node)
      • Network Based (protecting the entire network)

  • IDS: How does it work?

    If configured correctly, a network intrusion detection system (NIDS) can monitor all traffic on a network segment.

    A NIDS is most effective when used in conjunction with a firewall solution, and when all of its dependent components are properly connected and functioning.

  • IDS: Configuration

    NIDS can be installed on the external routers, the internal routers, or both.

    Placing NIDS on external routers enables detection of attacks from the Internet.

    Placing NIDS on internal routers enables detection of internal hosts attempting to access the Internet on suspicious ports.

  • IDS: Methods of Detection

    A NIDS/IDS mainly uses anomaly or pattern detection to identify an intrusion or intrusion attempt.

    An anomaly example: this involves monitoring resource use, network traffic and user behavior, and comparing them against normal levels.

      • If a user that normally only accesses the system between 9 am and 5 pm suddenly logs on at 3 am, then this may indicate that an intruder has compromised the user's account. A NIDS/IDS would then alert administrators to this suspicious activity.

    A NIDS/IDS can detect hacker attempts to scan your network for intelligence gathering purposes.
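
    The login-time anomaly described above, as an added example that is not part of the original deck: a per-user baseline of login hours is learned from history, and a new login is flagged when it falls outside it. The user names, the history, the one-hour tolerance and the alert wording are constructed for illustration.

```python
# Added illustration, not from the deck: flag logins outside a user's usual hours.
from collections import defaultdict
from datetime import datetime

# Constructed history: alice logs in at 09:00, 12:00 and 17:00 on five days;
# bob works a late shift and logs in at 23:00.
HISTORY = [("alice", datetime(2024, 1, day, hour))
           for day in range(1, 6) for hour in (9, 12, 17)]
HISTORY += [("bob", datetime(2024, 1, day, 23)) for day in range(1, 6)]


def build_baseline(history):
    """Return {user: set of hours of day at which that user has logged in}."""
    baseline = defaultdict(set)
    for user, when in history:
        baseline[user].add(when.hour)
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def check_login(baseline, user, when, tolerance=1):
    """Return None if the login fits the baseline, otherwise an alert string."""
    hours = baseline.get(user)
    if not hours:
        return f"{user}: no baseline, review login at {when:%H:%M}"
    nearest = min(hour_distance(when.hour, h) for h in hours)
    if nearest > tolerance:
        return f"{user}: login at {when:%H:%M} is {nearest}h outside usual hours"
    return None


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for user, when in [("alice", datetime(2024, 1, 8, 3, 0)),
                       ("alice", datetime(2024, 1, 8, 18, 0)),
                       ("bob", datetime(2024, 1, 9, 0, 30)),
                       ("carol", datetime(2024, 1, 8, 10, 0))]:
        print(user, when.strftime("%H:%M"), "->", check_login(base, user, when))
```

    The circular distance keeps a late-shift user who logs in just after midnight from being flagged, and a user with no history is reported rather than silently accepted.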

  • IDS: Network Packet Checking

    Sits at a network location and checks packets that travel across the network.

    If a packet contains a certain footprint, then it triggers an alert.

    Audit logs are generated and kept as records of alerts.

  • IDS: Commonly Used IDS Systems (Windows)

    ISS Internet Security Systems (Black Ice Guardian)

      • Used by individuals and small business networks.
      • Looks for common algorithms concealed or wrapped in wrappers, i.e. TCP Wrapper.
      • Can be configured as an IDS and a Firewall.
      • Can track unauthorized traffic and block the ports the intruding script/software is using.

  • IDS: Vendor Firewalls & Versions (Hardware Based)

      • Axent: Raptor v6.5
      • Checkpoint: FW1 v4.1
      • Cisco: PIX v525
      • MS: Proxy v2.0

  • Zone Alarm Pro!

    View Demo: http://download.zonelabs.com/bin/media/flash/zap31demo/final083002_01.swf