FIREWALL
Arif (01)

What is a Firewall?
“A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer”

What is a Firewall? ..
- The primary job of a firewall is to secure the inside network from the outside.
- A firewall guards a corporate network by standing between the network and the outside world.
- All traffic between the network and the internet in either direction must pass through the firewall.
- The firewall decides if the traffic can be allowed to flow, or whether it must be stopped from proceeding further.

Firewall Rules:
- Allow – traffic that flows automatically because it has been deemed as “safe” (Ex. Meeting Maker, Eudora, etc.)
- Block – traffic that is blocked because it has been deemed dangerous to your computer
- Ask – asks the user whether or not the traffic is allowed to pass through

CHARACTERISTICS OF FIREWALL
- All traffic from inside to outside, and vice versa, must pass through the firewall
- Only the traffic authorized as per the local security policy should be allowed to pass through
- Strong enough, so as to render attacks on it useless
- User control
- Behavior control

Firewall: Protection Method
- Packet Filtering
- Network Address Translation (NAT)
- Proxy Services

What a personal firewall can do?
- Stop hackers from accessing your computer
- Protects your personal information
- Blocks “pop up” ads and certain cookies
- Determines which programs can access the Internet

What a personal firewall cannot do?
- Cannot prevent e-mail viruses
  - Only an antivirus product with updated definitions can prevent e-mail viruses
- After setting it initially, you can forget about it
  - The firewall will require periodic updates to the rulesets and the software itself

Limitations of firewalls
- Insider’s intrusion
- Direct Internet traffic
- Virus attacks

Common Firewall Services:
- Encrypted Authentication
  - Allows users on the external network to authenticate to the firewall to gain access to the private network
- Virtual Private Networking
  - Establishes a secure connection between two private networks over a public network

Considerations when using personal firewall software
- If you did not initiate an action and your firewall picks up something, you should most likely deny it and investigate it
- If you notice you cannot do something you did prior to the installation, there is a good chance it might be because of your firewall

Examples of personal firewall software
- ZoneAlarm <www.zonelabs.com>
- BlackICE Defender <http://blackice.iss.net>
- Tiny Personal Firewall <www.tinysoftware.com>
- Norton Personal Firewall <www.symantec.com>
Note: Please be sure to read the license agreement carefully to verify that the firewall can be legally used at home and/or the office.

Types of Firewall (based on level)
- Network level firewalls: These are standalone boxes & are much more sophisticated with loads of features.
- Application level firewalls: Software firewalls and application level proxies come under this category. Apart from the regular huff & puff they offer a few nifty features such as content filtering and blocking unwanted hosts.

Software Vs Hardware Firewall
A software firewall has to be installed on each host on the network, and if the number of hosts is large this becomes a cumbersome job.
Even a proxy server installed as a gateway takes work: for example, a policy such as tunneling HTTP traffic through the proxy requires the network administrator to configure each client's browser settings.
A hardware firewall acts as a gateway to all the computers inside the LAN. Configuration and changes apply to the gateway only. For example, say the policy is to block all inbound connections to port 21: simply blocking port 21 at the firewall gateway will block all inbound traffic that is directed to the FTP port 21 inside the LAN.

Types of Firewall: Packet-filtering Router
- Also called a screening router/filter
- Applies a set of rules to each incoming IP packet and then forwards or discards the packet
- Filters packets going in both directions
- The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
- Two default policies (discard or forward)

Packet-filtering Router..
Advantages:
- Simplicity
- Transparency to users
- High speed
Disadvantages:
- Difficulty of setting up packet filter rules
- Lack of authentication
Possible attacks and appropriate countermeasures:
- IP address spoofing
- Source routing attacks
- Tiny fragment attacks

Types of Firewall: Application-level Gateway
- Also called proxy server
- Acts as a relay of application-level traffic

Application-level Gateway ..
Advantages:
- Higher security than packet filters
- Only need to scrutinize a few allowable applications
- Easy to log and audit all incoming traffic
Disadvantages:
- Additional processing overhead on each connection (gateway as splice point)

Types of Firewall: Circuit-level Gateway
- Stand-alone system, or a specialized function performed by an application-level gateway
- Sets up two TCP connections
- The gateway typically relays TCP segments from one connection to the other without examining the contents

Circuit-level Gateway..
- The security function consists of determining which connections will be allowed
- Typical use is a situation in which the system administrator trusts the internal users
- An example is the SOCKS package

Types of Firewall: Bastion Host
- A system identified by the firewall administrator as a critical strong point in the network's security
- The bastion host serves as a platform for an application-level or circuit-level gateway
- The bastion host performs authentication and proxy functions
- Screened host firewall system (single-homed bastion host)

Types of Firewall: Network Address Translation
- Single host makes requests on behalf of all internal users
- Hides the internal users behind the NAT’s IP address
- Internal users can have any IP address
- Should use the reserved ranges of 192.168.n.m or 10.n.m.p to avoid possible conflicts with duplicate external addresses
- Only works at the TCP/IP level
- Doesn’t do anything for addresses in the payloads of the packets

Firewall Controls
The simplest network ‘firewall’ is not to have a network connection at all. This gives good protection against hazards, but unfortunately it also prevents all legitimate use of the network. A practical firewall must therefore establish a connection, but must also have rules to enable it to distinguish ‘good’ network traffic from ‘bad’.
Of course no computer can truly understand the intent of a traffic flow, so most make simple decisions based on where the traffic is coming from and going to, and what service it appears to be requesting. A firewall might be set up to allow nothing but e-mail traffic to pass from the outside in, but allow both e-mail and web requests by local users to pass out. The rules that govern the firewall define what to do with some of the traffic, but this leaves the question of what to do with the rest.

Firewall Controls..
Firewalls can be set up either to let all undefined traffic through, a strategy known as default-permit, or to block all undefined traffic, default-deny. If an event is unexpected it is clearly safer to assume that it is hazardous, at least until it has been investigated. Firewalls should therefore use default-deny to block all traffic that they are not explicitly told to permit. Inevitably this will occasionally stop new, legitimate traffic, but this inconvenience is much less painful to resolve than the alternative of allowing in new, unknown traffic that later proves to be hostile.

Security Policy
Before implementing a firewall, an organization must have a defined security policy. The firewall may then be used to enforce some aspects of that security policy. By implementing an appropriate policy, vulnerable assets can be protected against attack from outside the firewall. A default-deny firewall can also protect against forms of attack that are as yet unknown, since only predefined traffic is accepted. Without a policy, a firewall is unlikely to be effective since there is no agreed basis for making decisions about which traffic should be permitted.

Other Consideration
A firewall cannot protect against attackers who can place themselves, or their tools, inside the firewall.
A common method of attack, which a firewall cannot prevent, is to persuade a local user to run a hostile program inside the firewall. This may be as simple as persuading the local user to click on an attractive e-mail attachment (viruses using this technique are still extremely successful) or to run a program that promises to be one thing (such as an attractive screen saver, or a new game) but conceals another, which has a hostile purpose. Insecure dial-in modems and wireless networks can bypass firewalls, leaving the network nearly as vulnerable as if the firewall were not there. Official access points must be set up securely; unofficial ones should be prohibited and disconnected as a serious risk when they are found.

How Firewalls are Implemented?

Firewall configuration
Firewall set up consists of:
1. Packet filtering router
2. An application gateway
Greater security than single configurations because of two reasons:
- This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
- An intruder must generally penetrate two separate systems
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Firewall configuration ..
- Advantage: Increased security of the network by performing checks at both packet and application levels. More flexible.
- Disadvantage: If the packet filter is attacked then the whole internal network is exposed to the attacker.

Types of Firewall Configuration Systems
Screened host firewall system (dual-homed bastion host)
- If packet-filtering router is not completely compromised
- Traffic between the Internet and other hosts on the private network has to flow through the bastion host
- The packet filter connects only to the application gateway, which in turn connects with the internal hosts.
- If the packet filter is attacked, the internal hosts are protected.

Types of Firewall Configuration Systems ..
Screened subnet firewall configuration
- Most secure configuration of the three
- Two packet-filtering routers are used: one between the internet and the application gateway, and the other between the application gateway and the internal network
- Creation of an isolated sub-network

Parameters for Firewall configuration
Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:
- IP addresses - Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number." A typical IP address looks like this: 220.127.116.11. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.
- Domain names - Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 18.104.22.168. A company might block all access to certain domain names, or allow access only to specific domain names.

Parameters for Firewall configuration ..
- Protocols - The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. HTTP is the Web's protocol.
Some common protocols that you can set firewall filters for include:
- IP (Internet Protocol) - the main delivery system for information over the Internet
- TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet
- HTTP (Hyper Text Transfer Protocol) - used for Web pages
- FTP (File Transfer Protocol) - used to download and upload files
- UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
- SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)
- Telnet - used to perform commands on a remote computer

Parameters for Firewall configuration ..
- Ports - Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server. For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.
- Specific words and phrases - This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.
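The filter parameters above (IP address, protocol, port, exact phrase) and the default-permit versus default-deny choice from the Firewall Controls slides, modeled as a first-match rule list. This is an added example, not part of the original slides; the `Packet` and `Rule` classes, the `decide` function and every address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    src: str = "0.0.0.0/0"          # source network (CIDR)
    dst: str = "0.0.0.0/0"          # destination network (CIDR)
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port
    phrase: Optional[bytes] = None  # exact byte string to find in the payload

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and (self.phrase is None or self.phrase in p.payload))

def decide(rules, packet, default="block"):
    """First matching rule wins; traffic no rule mentions gets the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Constructed policy (hypothetical hosts in private/documentation ranges).
RULES = [
    Rule("block", src="203.0.113.50/32"),                         # abusive outside address
    Rule("block", phrase=b"X-rated"),                             # exact-match phrase filter
    Rule("allow", dst="192.168.1.21/32", proto="tcp", dport=21),  # the one FTP host
    Rule("block", proto="tcp", dport=21),                         # port 21 everywhere else
    Rule("allow", dst="192.168.1.80/32", proto="tcp", dport=80),  # web server
]

OUTSIDE = "198.51.100.7"  # constructed external client

def demo():
    web = lambda body: Packet(OUTSIDE, "192.168.1.80", "tcp", 80, body)
    telnet = Packet(OUTSIDE, "192.168.1.30", "tcp", 23)  # no rule covers this
    return {
        "ftp_to_ftp_host": decide(RULES, Packet(OUTSIDE, "192.168.1.21", "tcp", 21)),
        "ftp_to_other_host": decide(RULES, Packet(OUTSIDE, "192.168.1.30", "tcp", 21)),
        "blocked_source": decide(RULES, Packet("203.0.113.50", "192.168.1.80", "tcp", 80)),
        "phrase_exact": decide(RULES, web(b"GET /X-rated HTTP/1.0")),
        "phrase_variant": decide(RULES, web(b"GET /X rated HTTP/1.0")),
        "telnet_default_deny": decide(RULES, telnet, default="block"),
        "telnet_default_permit": decide(RULES, telnet, default="allow"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The telnet packet is the one no rule mentions: the same rule list passes it under default-permit and drops it under default-deny.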
Configuration Advantages:
- Three levels of defense to thwart intruders
- The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)
- The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

Why firewall?
There are many creative ways that unscrupulous people use to access or abuse unprotected computers:
- Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
- Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.

Why firewall? ..
- Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
- Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.
- E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

Why firewall? ..
- Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
- Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
- Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.
- Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
- Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

What is Windows Firewall?
In 2003, the Sasser worm and the Blaster worm attacked a large number of Windows machines, taking advantage of flaws in the RPC Windows service. Adding to that, Microsoft was criticized for not being active in protecting customers from threats. Therefore, Microsoft decided to improve both the functionality and the interface of Windows XP’s built-in firewall, and rebrand it as “Windows Firewall”.
Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through a network or the internet.

What does Windows Firewall do?
- Help block computer viruses and worms from reaching your computer.
- Ask for your permission to block or unblock certain connection requests.
- Create a record (a security log)

How to enable Windows XP Firewall?
- Currently *not* enabled by default
- Enable under Start -> Settings -> Control Panel
- Select Local Area Connection
- Select the Properties button
- Click the “Advanced” tab
- Under “Windows Firewall” -> click Settings

Updates to Windows XP Firewall
- *Will* be enabled in default installations of Windows XP Service Pack 2
- Ports will be closed except when they are in use
- Improved user interface for easier configuration
- Improved application compatibility when firewall is enabled

Mac OS X firewall
- *Not* enabled by default
- Enable under System Preferences
- Select Sharing
- Click “Firewall” tab
- Click “Start” button

Free Firewall Software Packages:
- IP Chains & IP Tables: come with most Linux distributions
- SELinux (Security Enabled Linux – NSA): comes with some Linux distributions (Fedora, RedHat)
- IPCop – specialized Linux distribution

Home & Personal Routers
- Provide configurable packet filtering
- NAT/DHCP
- Linksys – single board RISC based Linux computer
- D-Link

Enterprise Firewalls
- Check Point FireWall-1
- Cisco PIX (product family)
- MS Internet Security & Acceleration Server
- GAI Gauntlet

Top Firewall Solutions:
- ZoneAlarm Internet Security Suite -- The Most Complete Internet Security Solution. ZoneAlarm does not need introduction. Without any doubt this is the best desktop firewall available.
- Computer Associates Firewall provides an Industrial Strength Personal Firewall. They are the industry's #1 supplier of eBusiness security solutions.
  The CA security solutions secure a vast range of platform types, ranging from hand held computing devices, through desktops and servers, all the way up to IBM mainframe systems.
- BitDefender Internet Security 2008 integrates antivirus, antispyware, firewall and antispam into one comprehensive security package. It is one of the most famous security solutions around.
- Kaspersky Labs also provides a firewall solution for Small and Medium Businesses.

Conclusion:
Firewalls can be a valuable component of an organization’s security plan. When implementing appropriate policies, both at the perimeter and within the organization, they can protect against existing and new forms of attack. However, there are attacks that a firewall alone cannot prevent, in particular those performed or assisted by insiders. Indeed local users may deliberately circumvent a firewall, and thereby endanger the whole network, if they do not see it as beneficial. It is therefore important that local users understand and endorse the measures that are implemented and recognize that they are an important part of the organization’s overall security policy.
Firewalls alone are not a solution to the problem of securing a network. Users need to be informed and educated to see security as a vital part of their computer use; systems need to be configured securely and maintained to address new security problems and requirements; policies and guidelines need to be introduced and supported so that secure working becomes easier and more acceptable than insecure. Any reliable system will have multiple layers of protection so the failure of any single component does not result in loss of control of the whole network. Security is a culture, not a black box.

DEMO
COMODO FIREWALL

Thank you!