Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)




                                              FIREWALL

                        Notes by A.K.Asokan, CCNA, MBA(IT)
                            (asokanak@hotmail.com)
What is a firewall? This is the question which welcomed me whenever I read
something on firewalls! I understood the question perfectly, but, most of the
time, unfortunately, not the rest of the text!

You must have read that a firewall is placed in between your LAN and the Internet to
allow, deny or filter the packets which travel from the LAN behind it to the
Internet, and from the Internet to the LAN, through the firewall. True. What else can a
firewall do? How does a firewall identify the packets? Can a firewall understand which
service the packet in question is destined for (whether it is http traffic or ftp traffic)?
If so, what are the parameters which tell the firewall that the packet is destined for
such a service? Is it software? Or hardware? Or a combination of both!

I am a 'hacker' (excuse me, hackers, for using this beautiful word in a different perspective,
one which was also stolen by the so-called 'crackers' long ago! I do not use the word hacker
because a hacker is a respectable person who has tremendous technical knowledge. But
unfortunately it has been misunderstood that a hacker is a bad person with malicious
intentions!) and I insert a virus or a malicious script along with the data (the payload) and
then send the packet to the LAN through the firewall. Of course, the firewall can read
the header information. But will it be able to go into the packet and check whether there
is any virus or malicious script present? If so, what can the firewall do about such scripts?

I am the Managing Director of “Asokan Company” and I do not want my employees in
the packing section to access the Internet. Secondly, I permit the accounts department
personnel to access the Internet only for http traffic (only to browse the net) and not for
any other services like ftp or telnet. Can I implement this requirement in the firewall,
so that when someone from the packing section tries to access the Internet, the firewall
tells him, sorry yaar, you can’t access the Internet! How can it be implemented on a
firewall? Are there various types of firewalls? What is the difference between packet
filtering firewalls and application gateway firewalls? Let us discuss these fundamental
issues one by one.

Well. There are firewalls which are based on a Graphical User Interface (GUI) (for example
the Checkpoint firewall) and there are firewalls where the administrator configures the
policies at the console (for example the PIX firewall from Cisco Systems). The Checkpoint
firewall has a large installation base in the world and, since it is based on a GUI, it is
considered less difficult for anyone to configure, provided he/she understands what the
various parameters which provide network security are.

When you learn driving, you need a car to practice. Though we say in general that 'I
practiced driving', we seldom say 'I practiced driving in a Toyota car', though you
might have used a Toyota car when you practiced. The reason for this (unnecessary!)
intro is that though we say 'firewall' in general, when we discuss certain in-depth
concepts we need to refer to certain components of a specific firewall. I use the
Checkpoint firewall to explain the following concepts, but I have no other intention in
referring to the name except to make the point I am describing clearer to the target
readers.



Let us discuss how a firewall identifies the packets. Most firewalls identify the
packets by something called the packet parameters. What are packet parameters? They
are the header information: the source and destination IP addresses, the destination port
numbers, the transport layer parameters from the packet, etc.



You might have heard terms like policy, rules etc. What is a policy? A policy can be a
decision taken by the management. Remember that the Managing Director of “Asokan
Company” has taken a decision not to allow the packing section personnel to access the
Internet? This can be one policy. The same can be implemented in the firewall by
writing a rule. See the following table carefully.
Example of a rule base.


Source                                    Destination   Service   Action
10.0.0.10 (packing section system)        any           any       drop
10.0.0.20 (Accounts department system)    any           http      accept



In the above example, when someone from the packing section (IP address 10.0.0.10)
is trying to access 'any' destination in the Internet for 'any' service, the action is that the
packets are dropped by the firewall. This means that he will never be allowed to access the
Internet. (The IP addresses of the corporate LAN are in the private addressing scheme and
are not routable beyond the firewall. Hence it is assumed that we did the necessary NATing
in the firewall. For understanding NAT concepts, please read my notes on Network
Address Translation (NAT).)

In the second instance, when someone from the Accounts Department (IP address
10.0.0.20) is trying to access 'any' destination in the Internet for 'http' traffic (only for
browsing), the action is 'accept', which means the firewall will allow the connectivity to be
established. But for any service other than http, the packets will get automatically
dropped. If you need to allow them to access http as well as ftp, then you have to add the
'ftp' service also in the service column, like in the following example.


Source                                    Destination   Service     Action
10.0.0.20 (Accounts department system)    any           http, ftp   accept
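As an added illustration (my own example, not Checkpoint code and not part of the original notes), the following Python models how a packet filter walks a rule base like the ones above: rules are tried from the top, the first match decides, and a packet that matches no rule is dropped. The service-to-port table and the sample destination address 203.0.113.5 are constructed for the example; the two source hosts are those from the tables.

```python
"""Packet-filter rule base evaluator (added example, not from the original notes).

Rules are checked top to bottom, the first match decides, and a packet matching
no rule is dropped: that implicit drop is what stops the Accounts system from
using ftp under the http-only rule base.
"""
import ipaddress

# Service name -> (protocol, destination port). Constructed for this example.
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ftp": ("tcp", 21),
    "telnet": ("tcp", 23),
    "smtp": ("tcp", 25),
}


class Rule:
    """One row of the rule base: source, destination, set of services, action."""

    def __init__(self, source, destination, services, action):
        self.source = source            # "any" or a host/network in CIDR form
        self.destination = destination  # "any" or a host/network in CIDR form
        self.services = set(services)   # service names, or {"any"}
        self.action = action            # "accept" or "drop"

    @staticmethod
    def _addr_matches(spec, addr):
        if spec == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def _service_matches(self, proto, dport):
        if "any" in self.services:
            return True
        return any(SERVICES.get(s) == (proto, dport) for s in self.services)

    def matches(self, pkt):
        return (self._addr_matches(self.source, pkt["src"])
                and self._addr_matches(self.destination, pkt["dst"])
                and self._service_matches(pkt["proto"], pkt["dport"]))


def evaluate(rulebase, pkt):
    """Return (action, rule_index); rule_index is None for the implicit drop."""
    for i, rule in enumerate(rulebase):
        if rule.matches(pkt):
            return rule.action, i
    return "drop", None


def packet(src, dst, proto, dport):
    """Only the header fields the filter looks at: the 'packet parameters'."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# The first rule base from the notes: packing section dropped, accounts http only.
RULEBASE_HTTP_ONLY = [
    Rule("10.0.0.10/32", "any", {"any"}, "drop"),
    Rule("10.0.0.20/32", "any", {"http"}, "accept"),
]

# The extended rule base that also allows ftp for the accounts system.
RULEBASE_HTTP_FTP = [
    Rule("10.0.0.10/32", "any", {"any"}, "drop"),
    Rule("10.0.0.20/32", "any", {"http", "ftp"}, "accept"),
]


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.5 is a documentation address.
    samples = [
        packet("10.0.0.10", "203.0.113.5", "tcp", 80),   # packing section, http
        packet("10.0.0.20", "203.0.113.5", "tcp", 80),   # accounts, http
        packet("10.0.0.20", "203.0.113.5", "tcp", 21),   # accounts, ftp
        packet("10.0.0.30", "203.0.113.5", "tcp", 80),   # a host no rule mentions
    ]
    for name, rb in (("http only", RULEBASE_HTTP_ONLY), ("http+ftp", RULEBASE_HTTP_FTP)):
        for p in samples:
            action, idx = evaluate(rb, p)
            print(f"{name:9} {p['src']:>10} -> :{p['dport']:<3} {action:6} (rule {idx})")
```

Run the file to see every sample packet decided under both rule bases: the accounts system's ftp attempt falls through to the implicit drop under the first rule base and is accepted by the second rule under the extended one, and a host mentioned in no rule is dropped either way.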



A firewall can do a lot of functions: authentication, creating a VPN tunnel between the
head office and branch offices, setting up secure remote connections, filtering (allowing or
denying) incoming or outgoing packets, integrating with third party software
(antivirus etc.), URL filtering, FTP, HTTP and SMTP content security, load
balancing… waav, a host of such services. The firewall can also authenticate users,
computers (clients) and a session (from login till you log out).
If we want a firewall to authenticate a user, the user profile must have been created. Where
will you create the user profile? You have choices. You can create it in the
firewall system itself, in an Active Directory, in a TACACS server, in a RADIUS server,
in the Exchange Server or in the operating system. Wherever you create the user
profile, the firewall has to be configured in such a way that when the user asks
for authentication, the firewall can look into the appropriate place and check the user
profile for the required permissions, to either authenticate him or otherwise. For example,
there are two employees, Asokan and Steve. Asokan's profile is created in the operating
system, and Steve's profile is created in the firewall itself. If we configure correctly,
then both employees can be authenticated by the firewall, the firewall referring to the
respective user profile to check the credentials of each employee.

Why are there many types of authentication like user authentication, client
authentication, session authentication etc.? The reason is that in certain firewalls,
user authentication is not available for all the services. It is available only for certain
services, say http, ftp, telnet and rlogin. Apart from these four services (these are known
as authenticated services), if someone wants to access other services like remote
desktop or a NetBIOS session, then user authentication cannot be used. For this purpose,
the firewall can authenticate a client (a system in the LAN) so that a user using that
client is authenticated to access the services. (There are a lot of configurations and sign-on
methods in client authentication like manual sign on, partially automatic sign on,
fully automatic sign on etc. which are not described here, since the idea of this note is to
give an overview of firewalls.)

The next concept is LDAP integration. LDAP stands for Lightweight Directory
Access Protocol. If the users are created in the Active Directory, the user profiles
created there can be integrated into the firewall so that the firewall can authenticate
them to access services outside the corporate LAN. Suppose two new
employees join the organization and the system administrator creates user profiles
for them in the Active Directory; they will automatically be reflected in the firewall once
you have done the LDAP integration.
Thirdly, content security. The firewall provides content security. It can provide
content security for FTP, HTTP and SMTP traffic. Ftp is for transferring files from
client to server and/or from server to client. Suppose I have an ftp server and I have posted a
lot of computer security notes there, and I wish to share the notes with anyone who
wishes to read them. In that case, I can give a username and password to anyone (or
allow anonymous login) to my ftp server, so that those who wish to download the files can
enter the ftp server, see those files and download them. Good.

However, there is a threat that if someone coming to my ftp server is a cracker,
then he may put a virus or some malicious code into my ftp server so that he
can destroy it! How can I protect against this situation? Simple: I should instruct my firewall
that people can access the ftp server only for downloading the permitted contents and
not to 'write' or upload anything to the ftp server. Ftp has a 'get' command and a 'put' command.
'ftp get' means downloading from the ftp server; 'ftp put' means uploading files TO the ftp
server, which I do not allow, in order to protect the server.

Likewise for http traffic. Recall the above example: the M.D. of 'Asokan Company'
does not permit packing section employees to access the Internet at all, but he permits
the accounts personnel to access http traffic. However, he often sees that employees in the
accounts department are browsing naukri.com and posting their resumes in search of other
jobs! Now he imposes one more restriction on them: employees can browse
naukri.com but should not be able to go to the specific page where they can upload their
resume! Yes. If you configure a URI resource (Uniform Resource Identifier) in the
firewall, you can prevent your employees from visiting specific pages in a website, or
you can even block a specific website. If you prefer a list of websites to be blocked,
you can type all the URLs in a file in a specific format and import it into the firewall
configuration, so that none of the websites mentioned in the file can be accessed by the
employees! The firewall can be configured in such a way that it can rip into the payload
(data portion) and see whether the web page or the ftp content contains a virus or
malicious scripts. If so, the firewall can remove such malicious code and then send the
original content alone into the LAN. (However, the firewall may require third party
software for providing content security.)
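As an added example (not from the notes and not any firewall product's code), here is how the two application-level restrictions just described can be expressed in Python: an ftp command filter that permits the 'get' side (the RETR command) and refuses the 'put' side (STOR, STOU and APPE, the FTP upload verbs), and a URI filter that can block a whole site or only particular pages on it, including loading a blocklist from a file. The one-pattern-per-line file format and the /upload/* path on naukri.com are constructed for the example.

```python
"""Application-gateway style filtering for ftp and http (added example).

ftp: decisions are taken per control-channel command, so downloads (RETR) pass
while uploads (STOR, STOU, APPE) are refused before they reach the server.
http: decisions are taken on the URI, so a site can be allowed as a whole while
one page on it is blocked, or whole sites can be blocked from a list file.
"""
import fnmatch
from urllib.parse import urlsplit

# The FTP verbs that write to the server: the 'put' side the notes disallow.
FTP_UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


def ftp_allowed(command_line):
    """Decide on one FTP command line such as 'RETR notes.txt' or 'STOR x.exe'."""
    verb = command_line.strip().split(" ", 1)[0].upper()
    return verb not in FTP_UPLOAD_COMMANDS


class UriFilter:
    """Block list of (host, path pattern) entries matched against each request URI."""

    def __init__(self):
        self.blocked = []

    def block(self, pattern):
        # Constructed pattern syntax: "example.com" blocks the whole site,
        # "example.com/some/path/*" blocks only pages under that path.
        host, _, path = pattern.partition("/")
        self.blocked.append((host.lower(), "/" + path if path else "*"))

    def load_blocklist(self, text):
        """Import a list file: one pattern per line, '#' lines are comments."""
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                self.block(line)

    def allowed(self, url):
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        for blocked_host, path_pattern in self.blocked:
            same_site = host == blocked_host or host.endswith("." + blocked_host)
            if same_site and fnmatch.fnmatchcase(path, path_pattern):
                return False
        return True


if __name__ == "__main__":
    for cmd in ("RETR notes.txt", "STOR virus.exe", "APPE log.txt"):
        print(f"ftp {cmd:16} -> {'allow' if ftp_allowed(cmd) else 'deny'}")

    # Constructed blocklist file contents, as the M.D. might import them.
    BLOCKLIST = "# block resume upload only, and one site entirely\nnaukri.com/upload/*\nexample.org\n"
    f = UriFilter()
    f.load_blocklist(BLOCKLIST)
    for url in ("http://www.naukri.com/jobs", "http://www.naukri.com/upload/resume",
                "https://example.org/", "http://notexample.org/"):
        print(f"http {url:40} -> {'allow' if f.allowed(url) else 'deny'}")
```

The host match accepts subdomains of a blocked site (www.naukri.com for naukri.com) but not unrelated names that merely end in the same letters, which is the usual mistake in hand-written URL filters.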
Asokan Company has 300 employees in various departments. Moreover, it has one
branch office elsewhere in the country. The main medium of communication is
e-mail. In order to have better security control, the M.D. has installed an Exchange
Server in a de-militarized zone (DMZ) for the SMTP traffic. SMTP stands for Simple
Mail Transfer Protocol. Now mails are going out from the corporate office to the
branch office, and people out there in the public Internet also write mail to the officers
inside the LAN. When mails are coming from an untrusted network, there is a vulnerability
that they may contain a virus, or someone may try to launch an attack towards the server to
bring it down! To prevent this, the firewall can be suitably instructed to check the
contents of the SMTP traffic also: whether the mails have any attachments of virus files,
scripts, ActiveX content or Java code. If present, the firewall can be instructed to
remove them. Thereby we can provide content security for SMTP traffic also.

As we discussed above, the company has a branch office also. All the systems in the
head office as well as the branch office are in the private IP family and both networks are
behind a firewall gateway. The head office belongs to the 10.0.0.0 network and the
branch office belongs to the 172.16.0.0 network. In order to communicate securely, one of
the possibilities is to set up a Virtual Private Network (VPN), that is, a VPN tunnel.
Tunneling encrypts the entire original packet, including the headers. Imagine you write a
letter to your friend and put it in an envelope with the 'to' address and the 'from' address
written on the cover. Then, if you enclose the cover in another cover, how can the
postman read the 'to' address and 'from' address? Similarly, when a packet is tunneled, it
means that the entire packet (including the header and the payload) is enclosed in another
packet. If so, how will it get routed? In order to understand how it gets routed, we
need to understand the following concept.


When a VPN is established, the firewall establishes two phases between the participating
gateways (HO and BO): Phase 1 and Phase 2. Phase 1 is for the key installation and
Phase 2 is for the data exchange. Phase 1 is handled by the Internet Key Exchange (IKE)
protocol and Phase 2 is handled by IPSec. Here something known as SA negotiation
takes place. What is an SA? SA stands for Security Association. Once an SA is
established, it means that what keys to use, what algorithm to use for data encryption and
also for data integrity, all such details have been agreed upon by the two participating
gateways. That is what is known as a Security Association (SA). What is the basis on
which the firewalls (BO and HO) authenticate each other? How does each identify whether
the peer firewall is really contacting it, or someone is impersonating it? Well. It can be
ascertained in two ways. A VPN can be established by using either a ‘shared secret key’ or
a ‘certificate’. The shared secret key is that you set a secret word (like a password) in one
of the participating gateways, and the same secret word should be set in the other
participating gateway as well while the VPN is being configured. This single secret
word is shared between the participating gateways to identify the peer firewall. What is
happening behind the scene? Let us see.


Phase 1 exchanges the public keys and uses the Diffie-Hellman key calculation to
generate the shared key. Authentication is accomplished by hashing and encrypting the
firewall’s identity with the shared secret key, and the result is exchanged between the firewalls.
From there onwards, they identify each other. That is how each firewall identifies its
peer. The Phase 1 negotiation for key exchange is asymmetric and takes much
computational power, whereas the Phase 2 negotiation is symmetric and hence takes less
computational power, and the re-negotiation intervals of Phase 1 and Phase 2
also vary accordingly.
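To show what hashing the identity with the shared secret achieves, here is an added example in Python (my own simplified model, not the notes' or any firewall's code, and not a real IKE implementation): both gateways do a Diffie-Hellman calculation, derive keying material from the pre-shared secret and their nonces, and each sends a keyed hash over its identity and the exchanged values. The peer recomputes that hash with its own copy of the secret, so an impostor who has seen the public values but does not hold the secret is rejected. The DH group (a small Mersenne prime) is a toy choice for the example, and the gateway addresses 20.0.0.1 and 30.0.0.1 are the firewall interfaces used later in these notes.

```python
"""Phase 1 peer authentication with a pre-shared key (added example).

Each gateway contributes a Diffie-Hellman public value and a nonce; both derive
the same DH secret, and each proves it knows the shared secret by sending a
keyed hash over its identity and the exchanged values. Simplified model only.
"""
import hashlib
import hmac
import secrets

# Toy DH group (a Mersenne prime, generator 2) so the example runs instantly.
# Real IKE uses the standardised MODP or elliptic-curve groups, never this.
P = 2 ** 127 - 1
G = 2
NBYTES = 16  # every value mod P fits in 16 bytes


def i2b(n):
    return n.to_bytes(NBYTES, "big")


class Gateway:
    """One VPN gateway: its identity, the configured shared secret, DH state."""

    def __init__(self, identity, psk):
        self.identity = identity               # e.g. the firewall's public address
        self.psk = psk                         # the 'secret word' set on both peers
        self.x = secrets.randbelow(P - 2) + 1  # private DH exponent, never sent
        self.gx = pow(G, self.x, P)            # public DH value, sent in the clear
        self.nonce = secrets.token_bytes(16)   # freshness value, sent in the clear

    def dh_secret(self, peer_gx):
        """g^(xy) mod P: only the holders of the two private exponents get this."""
        return pow(peer_gx, self.x, P)

    def skeyid(self, ni, nr):
        """Keying material bound to the pre-shared key: HMAC(psk, Ni | Nr)."""
        return hmac.new(self.psk, ni + nr, hashlib.sha256).digest()


def auth_hash(skeyid, own_gx, peer_gx, dh_secret, identity):
    """The proof a side sends: MAC over both DH values, the DH secret and its ID."""
    msg = i2b(own_gx) + i2b(peer_gx) + i2b(dh_secret) + identity.encode()
    return hmac.new(skeyid, msg, hashlib.sha256).digest()


def phase1(initiator, responder):
    """Run the exchange; return (initiator_accepts_peer, responder_accepts_peer)."""
    # 1. Both sides have seen each other's public DH value and nonce.
    ki = initiator.skeyid(initiator.nonce, responder.nonce)
    kr = responder.skeyid(initiator.nonce, responder.nonce)
    si = initiator.dh_secret(responder.gx)
    sr = responder.dh_secret(initiator.gx)
    # 2. Each side sends its proof; the peer recomputes it with its own PSK and
    #    DH secret. Without the same PSK the two hashes cannot match.
    hash_i = auth_hash(ki, initiator.gx, responder.gx, si, initiator.identity)
    hash_r = auth_hash(kr, responder.gx, initiator.gx, sr, responder.identity)
    responder_accepts = hmac.compare_digest(
        hash_i, auth_hash(kr, initiator.gx, responder.gx, sr, initiator.identity))
    initiator_accepts = hmac.compare_digest(
        hash_r, auth_hash(ki, responder.gx, initiator.gx, si, responder.identity))
    return initiator_accepts, responder_accepts


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"   # the same word configured on HO and BO
    ho = Gateway("20.0.0.1", SECRET)
    bo = Gateway("30.0.0.1", SECRET)
    print("genuine peers:", phase1(ho, bo))  # (True, True)
    impostor = Gateway("20.0.0.1", b"guessed-secret")  # claims to be HO, lacks the PSK
    print("impostor vs BO:", phase1(impostor, bo))  # (False, False)
```

The expensive step is the modular exponentiation in `dh_secret`; the proofs themselves are cheap keyed hashes, which is the asymmetric-versus-symmetric cost difference the notes mention between Phase 1 and Phase 2.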


The other method is based on a “certificate”. You can create a certificate (the firewall
acts as a Certifying Authority, CA) and the certificates can be exchanged between the
participating gateways. From the certificate, each firewall can identify its peer.


Phase 2 uses the IKE SA negotiated in Phase 1 to negotiate an IPSec SA for
encrypting the data traffic. In other words, the data transmission between the firewalls
is encrypted and sent by the IPSec protocol. Phase 1 lays the road and Phase 2 runs the car
on the road.
At the outset, Phase 2 negotiates the IPSec protocol combination that will be used.
What is a protocol combination? What are the combinations? IPSec protocol? Yes.
IPSec is a protocol stack like TCP/IP. We discuss two important headers of IPSec here
briefly, AH and ESP. AH stands for Authentication Header and ESP stands for
Encapsulating Security Payload. (I understand that I am going a bit deep into the
subject, but unless you know something about these two headers, the VPN tunneling
concepts will not be clear to you. Read on….) These can be used as a combination, i.e.
AH+ESP, or AH alone, or ESP alone. AH provides authentication and message
integrity, not confidentiality. When confidentiality is not there, it means that if
someone catches the data while in transit, he will be able to read it! However, if
the data is tampered with before reaching the destination, it can be detected, as AH provides
data integrity. For this purpose AH uses a message digest (read my cryptography notes to
understand message digests). If it is OK with you that someone can see the data in between,
then you can use AH as the authentication header of the IPSec protocol. In
other words, AH does not encrypt the data, hence it cannot provide confidentiality.


ESP, Encapsulating Security Payload, provides authentication, data integrity as well
as confidentiality. The latest versions of some firewalls do not support AH at all; they
support ESP. What is happening behind the scene?


There are two modes to understand here: 1) Transport mode and 2) Tunnel
mode. Imagine an IP packet. It has data as well as headers. If the data alone is encrypted,
without the header part, it is known as transport mode encryption. If the entire IP
packet is encrypted, including the header (put into another cover, as discussed above), it
is known as tunnel mode. That’s what we discussed above. Now the problem is, since
the IP header itself is inside the tunnel, how does a tunnel mode encrypted packet get
routed? It is simple: ESP adds its own IP header onto the tunneled packet.
Look at the figure above. Imagine that a packet is going from the head office to the branch
office. At the HO, when a packet goes out, the source IP will be 10.0.0.10 and its target IP
is 172.16.0.10. When it reaches the HO firewall, since VPN is configured on the firewall
for secured communication between HO and BO, ESP takes the packet (with source
IP 10.0.0.10 and destination IP 172.16.0.10) and puts it into a cover. This is known as
tunneling. ESP also creates another IP header, with the source IP being the outbound
interface of the HO firewall (20.0.0.1) and the destination IP being the outbound interface of the
BO firewall (30.0.0.1). Now the secured tunnel communication will be between the HO
firewall and the BO firewall (between 20.0.0.1 and 30.0.0.1). When the data reaches the
destination, i.e. 30.0.0.1 (the BO firewall), it decrypts the encrypted tunnel and passes the
data to the system 172.16.0.10 located in the branch office local network. Please note
that the data in the head office up to the HO firewall, and the same data from the branch
office firewall to the BO LAN, is NOT encrypted. Another important thing to remember
is that when you set up a VPN, there is NO need to provide NAT, as there is no address
translation taking place either at the HO firewall or at the BO firewall. This is how VPN
works. (A lot of configuration details have been omitted as they are beyond the scope of this
simple note.)
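As an added example (my own simplified model, not real IPSec code and not from the notes), the following Python carries the scenario above through, and also illustrates the AH versus ESP distinction from the earlier paragraphs: the packet from 10.0.0.10 to 172.16.0.10 is put 'into a cover' with an outer header between 20.0.0.1 and 30.0.0.1 (tunnel mode) and restored at the BO firewall; transport mode, by contrast, keeps the original header and protects only the payload; and an AH-style header leaves the payload readable but lets tampering be detected. The eight-byte header layout, the keyed-hash keystream standing in for the AES that real ESP uses, and the key values are constructed for the example.

```python
"""Tunnel mode, transport mode and an integrity-only header (added example).

Deliberately simplified, not the real ESP or AH wire format: the "IP header" is
4 bytes of source plus 4 bytes of destination, the cipher is an HMAC keystream
standing in for AES, and the integrity check value is a truncated HMAC-SHA256.
"""
import hashlib
import hmac
import ipaddress
import struct

HDR = 8        # simplified IP header length: source (4) + destination (4)
ICV_LEN = 16   # integrity check value length


def ip_packet(src, dst, payload):
    """Build a simplified IP packet: fixed header followed by the payload."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def parse_ip(packet):
    src = str(ipaddress.ip_address(packet[:4]))
    dst = str(ipaddress.ip_address(packet[4:8]))
    return src, dst, packet[HDR:]


def _keystream(key, spi, seq, n):
    """Stand-in cipher: HMAC in counter mode, keyed per SA (spi) and packet (seq)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(enc_key, auth_key, spi, seq, data):
    """ESP-like: SPI | sequence | encrypted data | ICV over all of the preceding."""
    body = struct.pack(">II", spi, seq) + _xor(data, _keystream(enc_key, spi, seq, len(data)))
    return body + _icv(auth_key, body)


def esp_unprotect(enc_key, auth_key, esp):
    """Verify the ICV first, then decrypt; a tampered packet is rejected, not decrypted."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, body)):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack(">II", body[:8])
    return _xor(body[8:], _keystream(enc_key, spi, seq, len(body) - 8))


def transport_mode(enc_key, auth_key, spi, seq, packet):
    """Keep the original header, protect only the payload (end hosts stay visible)."""
    src, dst, payload = parse_ip(packet)
    return ip_packet(src, dst, esp_protect(enc_key, auth_key, spi, seq, payload))


def tunnel_mode(enc_key, auth_key, spi, seq, packet, fw_src, fw_dst):
    """Protect the whole original packet; prepend a header between the two firewalls."""
    return ip_packet(fw_src, fw_dst, esp_protect(enc_key, auth_key, spi, seq, packet))


def tunnel_decapsulate(enc_key, auth_key, outer):
    """At the receiving firewall: strip the outer header, verify, decrypt, restore inner."""
    _, _, esp = parse_ip(outer)
    return esp_unprotect(enc_key, auth_key, esp)


def ah_protect(auth_key, packet):
    """AH-like: header | ICV over the whole packet | payload, left readable."""
    src, dst, payload = parse_ip(packet)
    return ip_packet(src, dst, _icv(auth_key, packet) + payload)


def ah_verify(auth_key, packet):
    src, dst, rest = parse_ip(packet)
    icv, payload = rest[:ICV_LEN], rest[ICV_LEN:]
    return hmac.compare_digest(icv, _icv(auth_key, ip_packet(src, dst, payload)))


if __name__ == "__main__":
    ENC, AUTH = b"constructed-enc-key", b"constructed-auth-key"  # from the Phase 2 SA
    inner = ip_packet("10.0.0.10", "172.16.0.10", b"hello branch office")
    outer = tunnel_mode(ENC, AUTH, 0x100, 1, inner, "20.0.0.1", "30.0.0.1")
    print("routers see:", parse_ip(outer)[:2])  # ('20.0.0.1', '30.0.0.1')
    print("restored at BO:", parse_ip(tunnel_decapsulate(ENC, AUTH, outer)))
    ah = ah_protect(AUTH, inner)
    print("AH payload readable:", b"hello branch office" in ah, "tamper detected:",
          not ah_verify(AUTH, ah[:-1] + b"!"))  # True True
```

The inner addresses 10.0.0.10 and 172.16.0.10 are private and never appear in the outer header, which is why the tunnel needs no NAT: the Internet only ever routes between 20.0.0.1 and 30.0.0.1.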


Hope this note was useful to you. I would appreciate it if you could just mail me at
asokanak@hotmail.com your opinion as to how well you were able to understand the topics,
the way they are explained, whether any changes in the narration have to be incorporated, and
your valuable suggestions. It will enable me to write future notes incorporating all your
suggestions. – with love. Asokan (skype discussion: asokanchennai).
                          ___________________________________

Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 

Último (20)

AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 

Firewall notes

any other services like ftp or telnet. Can I implement this requirement in the firewall? So that when someone from the packing section tries to access the Internet, the firewall tells him, "sorry yaar, you can't access the Internet!" How can it be implemented on a firewall? Are there various types of firewalls? What is the difference between packet filtering firewalls and application gateway firewalls? Let us discuss these fundamental issues one by one.

Well. There are firewalls which are configured through a Graphical User Interface (GUI) (example: the Check Point firewall) and there are firewalls where the administrator configures the policies at the console (example: the PIX firewall from Cisco Systems). The Check Point firewall has a large installation base in the world and, since it is GUI based, it is considered less difficult to configure, provided the administrator understands what the various parameters are which provide network security.

When you learn driving, you need a car to practice. Though we say in general "I practiced driving", we seldom say "I practiced driving in a Toyota car", though you might have used a Toyota when you practiced. The reason for this (unnecessary!) intro is that though we say 'firewall' in general, when we discuss certain in-depth concepts we need to refer to certain components of a specific firewall. I use the Check Point firewall to explain the following concepts, but I have no other intention in referring to the name except to make the point I am describing clearer to the target readers.

Let us discuss how a firewall identifies packets. Most firewalls identify packets by something called the packet parameters. What are packet parameters? They are the header information: the source and destination IP addresses, the IP protocol number, the source and destination port numbers, TCP flags and other transport layer parameters from the packet. A plain packet filter looks only at these header fields; it does not open the payload.

You might have heard terms like policy, rules etc. What is a policy? A policy can be a decision taken by the management. Remember the Managing Director of "Asokan Company" has taken a decision not to allow the packing section personnel to access the Internet? This can be one policy. The same can be implemented in the firewall by writing a rule. See the following table carefully.

Example of a rule base:

  No.  Source                                   Destination  Service  Action
  1    10.0.0.10 (packing section system)       any          any      drop
  2    10.0.0.20 (Accounts department system)   any          http     accept

In the above example, when someone from the packing section (IP address 10.0.0.10) tries to access 'any' destination in the Internet for 'any' service, the action is that the packets are dropped by the firewall. That means he will never be allowed to access the Internet. (The IP addresses of the corporate LAN are in the private addressing scheme and are not routable beyond the firewall. Hence it is assumed that we did the necessary NATing in the firewall. For understanding NAT concepts, please read my notes on Network Address Translation (NAT).)

In the second instance, when someone from the Accounts Department (IP address 10.0.0.20) is trying to access 'any' destination in the Internet for 'http' traffic (only for browsing), the action is 'accept', meaning the firewall will allow the connection to be established. But for any service other than http, the packets will be dropped. Why? A rule base is evaluated from top to bottom, the first rule that matches the packet decides, and a packet that matches no rule at all is dropped by the cleanup rule at the end (implicit in most firewalls; many administrators also write it explicitly so that the drops get logged). Because of this first-match order, a broad 'accept' placed above a more specific 'drop' silently defeats the drop. If you need to allow the accounts department to access http as well as ftp, then you have to add the 'ftp' service also in the service column, like in the following example.

  No.  Source                                   Destination  Service  Action
  2    10.0.0.20 (Accounts department system)   any          http     accept
                                                             ftp

A firewall can do a lot of functions: authentication, creating a VPN tunnel between the head office and branch offices, setting up secure remote connections, filtering, allowing or denying incoming or outgoing packets, integrating with third-party software (antivirus etc.), URL filtering, FTP, HTTP and SMTP content security, load balancing... waav, a host of such services. The firewall can also authenticate users, computers (clients) and a session (from login till you log out).
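The first-match behaviour of such a rule base, including the cleanup drop and the effect of rule order, can be seen in a small evaluator. This is an added example written for this note, not Check Point or Cisco code: the service table, the packets and the Internet destination 203.0.113.5 (a documentation address) are constructed for the illustration.

```python
"""Toy first-match rule base evaluator (added illustration, not firewall vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service name -> (transport protocol, destination port). Constructed for the example.
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21), "telnet": ("tcp", 23)}


@dataclass(frozen=True)
class Rule:
    source: str        # CIDR, a single address, or "any"
    destination: str   # CIDR, a single address, or "any"
    services: tuple    # service names from SERVICES, or ("any",)
    action: str        # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _service_matches(services: tuple, pkt: Packet) -> bool:
    if "any" in services:
        return True
    return any(SERVICES[name] == (pkt.proto, pkt.dport) for name in services)


def evaluate(rulebase: list, pkt: Packet) -> tuple:
    """Walk the rule base top to bottom; the first matching rule decides.

    Returns (action, rule_number). Rule number 0 means no rule matched and the
    implicit cleanup rule dropped the packet.
    """
    for number, rule in enumerate(rulebase, start=1):
        if (_addr_matches(rule.source, pkt.src)
                and _addr_matches(rule.destination, pkt.dst)
                and _service_matches(rule.services, pkt)):
            return rule.action, number
    return "drop", 0


# The Asokan Company rule base from the table above.
ASOKAN_RULEBASE = [
    Rule("10.0.0.10", "any", ("any",), "drop"),     # packing section: no Internet
    Rule("10.0.0.20", "any", ("http",), "accept"),  # accounts: browsing only
]

# The same rule base after 'ftp' is added to rule 2's service column.
ASOKAN_RULEBASE_WITH_FTP = [
    ASOKAN_RULEBASE[0],
    Rule("10.0.0.20", "any", ("http", "ftp"), "accept"),
]

# A tempting but wrong edit: a broad 'accept' placed ABOVE the packing-section drop.
# First match wins, so the drop is never reached for http.
MISORDERED_RULEBASE = [
    Rule("10.0.0.0/24", "any", ("http",), "accept"),
    ASOKAN_RULEBASE[0],
]

INTERNET_HOST = "203.0.113.5"   # documentation address standing in for "any" site


def demo() -> dict:
    """Evaluate the packets discussed in the text and return the decisions."""
    packing_http = Packet("10.0.0.10", INTERNET_HOST, "tcp", 80)
    accounts_http = Packet("10.0.0.20", INTERNET_HOST, "tcp", 80)
    accounts_ftp = Packet("10.0.0.20", INTERNET_HOST, "tcp", 21)
    unknown_host = Packet("10.0.0.30", INTERNET_HOST, "tcp", 80)
    return {
        "packing_http": evaluate(ASOKAN_RULEBASE, packing_http),
        "accounts_http": evaluate(ASOKAN_RULEBASE, accounts_http),
        "accounts_ftp": evaluate(ASOKAN_RULEBASE, accounts_ftp),
        "accounts_ftp_after_change": evaluate(ASOKAN_RULEBASE_WITH_FTP, accounts_ftp),
        "unknown_host": evaluate(ASOKAN_RULEBASE, unknown_host),
        "packing_http_misordered": evaluate(MISORDERED_RULEBASE, packing_http),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The accounts ftp packet is dropped by rule 0, the cleanup rule, until ftp is added to rule 2; the misordered rule base shows why new rules should be inserted below the drops they must not override.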
If we want a firewall to authenticate a user, the user profile must have been created. Where will you create the user profile? You have choices. You can create it in the firewall system itself, in Active Directory, in a TACACS server, in a RADIUS server, in the Exchange Server or in the operating system. Wherever you create the user profile, the firewall has to be configured so that, when the user asks for authentication, the firewall looks into the appropriate place to check the user profile and the required permissions, and either authenticates him or not. Example: there are two employees, Asokan and Steve. Asokan's profile is created in the operating system and Steve's profile is created in the firewall itself. If we configure correctly, both employees can be authenticated by the firewall, which refers to the respective user profiles to check the credentials of each employee.

Why are there many types of authentication, like user authentication, client authentication, session authentication etc.? The reason is that in certain firewalls user authentication is not available for all services. It is available only for certain services, say http, ftp, telnet and rlogin. Apart from these four services (these are known as authenticated services), if someone wants to access other services like remote desktop or a NetBIOS session, then user authentication cannot be used. For this purpose, the firewall can authenticate a client (a system in the LAN) so that a user using that client is authenticated to access the services. (There are a lot of configurations and sign-on methods in client authentication, like manual sign on, partially automatic sign on, fully automatic sign on etc., which are not described here since the idea of this note is to give an overview of firewalls.) Keep in mind the trade-off: client authentication ties the permission to the client's IP address for the duration of the sign-on, so anyone who sits at that machine, or spoofs its address, inherits the permission.

The next concept is LDAP integration. LDAP stands for Lightweight Directory Access Protocol. If the users are created in Active Directory, the user profiles created there can be integrated into the firewall so that the firewall can authenticate them to access services outside the corporate LAN. Suppose two new employees join the organization and the system administrator creates user profiles for them in Active Directory; they will automatically be reflected in the firewall once you have done the LDAP integration.
Thirdly, content security. The firewall provides content security for FTP, HTTP and SMTP traffic. FTP is for transferring files from client to server and/or from server to client. Suppose I have an FTP server and I posted a lot of computer security notes there, and I wish to share the notes with anyone who wishes to read them. In that case, I can give the username and password to anyone (or allow anonymous login) to my FTP server so that those who wish to download the files can enter the FTP server, see the files and download them. Good. However, there is a threat: if someone coming to my FTP server is a cracker, he may put a virus or some malicious code on my FTP server so that he can destroy it! How can I protect against this? Simple. I should instruct my firewall that people can access the FTP server only for downloading the permitted contents and not to 'write' or upload anything to the FTP server. FTP has a 'get' command and a 'put' command. 'ftp get' means downloading from the FTP server; 'ftp put' means uploading files TO the FTP server, which I do not allow in order to protect the server. To enforce this, the firewall has to read the FTP control channel (on the wire, 'get' is the RETR command and 'put' is STOR, sent by the client on port 21) rather than just the port numbers. This is what makes content security an application-layer (gateway or proxy) function, as opposed to plain packet filtering, which sees only headers.

Likewise for HTTP traffic. Recall the above example: the M.D. of 'Asokan Company' does not permit packing section employees to access the Internet at all, but he permits the accounts personnel to access http traffic. But he often sees that employees in the accounts department are browsing naukri.com and posting their resumes in search of other jobs! Now he imposes one more restriction on them: employees can browse naukri.com but should not be able to go to the specific page where they can upload their resume! Yes. If you configure a URI resource (Uniform Resource Identifier) in the firewall, you can prevent your employees from visiting specific pages in a website, or you can even block a specific website.

If you prefer a list of websites to be blocked, you can type all the URLs in a file in a specific format and import it into the firewall configuration so that none of the websites mentioned in the file can be accessed by the employees! The firewall can also be configured so that it rips into the payload (data portion) and sees whether the web page or the FTP content contains a virus or malicious scripts. If so, the firewall can remove such malicious code and then send only the clean content into the LAN. (However, the firewall may require third-party software for providing content security.)
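The two application-layer decisions described above, a download-only FTP resource and a URI resource fed from an imported blocklist file, are shown together in this added example. It is illustration code written for this note, not the firewall's own implementation: the blocklist file format is invented, the resume-upload path under naukri.com is hypothetical (the original text names no URL), and games.example is a documentation domain.

```python
"""Application-layer resources: FTP command control and URI filtering (added illustration)."""
from urllib.parse import urlsplit

# FTP control-channel verbs that write to the server: the "put" side.
FTP_WRITE_VERBS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
# Verbs needed to log in, navigate and download: the "get" side.
FTP_READ_VERBS = {"USER", "PASS", "CWD", "CDUP", "PWD", "TYPE", "PASV", "PORT",
                  "LIST", "NLST", "RETR", "SIZE", "NOOP", "QUIT"}


def ftp_command_allowed(line: str, allow_put: bool = False) -> bool:
    """Decide on one client command line from the FTP control channel (port 21).

    With allow_put=False the resource is download-only: RETR passes, STOR is refused.
    Anything not explicitly listed is refused, so an unexpected verb cannot slip through.
    """
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in FTP_READ_VERBS:
        return True
    if verb in FTP_WRITE_VERBS:
        return allow_put
    return False


# A blocklist in a constructed one-pattern-per-line format ('#' starts a comment,
# a trailing '*' matches every path below the prefix). The upload path is hypothetical.
BLOCKLIST_TEXT = """
# naukri.com stays reachable, except the (hypothetical) resume upload page and below
http://www.naukri.com/upload-resume*
# block a whole site
http://games.example/*
"""


def load_blocklist(text: str) -> list:
    """Parse the imported file into a list of URL patterns, skipping comments and blanks."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def url_blocked(url: str, patterns: list) -> bool:
    """True if the request's host and path match one of the imported patterns."""
    req = urlsplit(url)
    host = (req.hostname or "").lower()
    path = req.path or "/"
    for pattern in patterns:
        pat = urlsplit(pattern)
        if host != (pat.hostname or "").lower():
            continue
        if pat.path.endswith("*"):
            if path.startswith(pat.path[:-1]):
                return True
        elif path == pat.path:
            return True
    return False


def demo() -> dict:
    """Run the decisions discussed in the text."""
    patterns = load_blocklist(BLOCKLIST_TEXT)
    return {
        "ftp_get": ftp_command_allowed("RETR firewall-notes.txt"),
        "ftp_put": ftp_command_allowed("STOR virus.exe"),
        "ftp_put_when_allowed": ftp_command_allowed("STOR report.pdf", allow_put=True),
        "ftp_unknown_verb": ftp_command_allowed("SITE EXEC rm -rf /"),
        "browse_jobs": url_blocked("http://www.naukri.com/jobs?q=network", patterns),
        "upload_resume": url_blocked("http://www.naukri.com/upload-resume/step2", patterns),
        "blocked_site": url_blocked("http://games.example/anything/at/all", patterns),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

One caveat a practitioner will hit today: a URI resource like this only sees plaintext http. For https the firewall can match the server name but not the path unless it terminates TLS itself, so a per-page block on an https site needs a TLS-inspecting proxy rather than a header-level resource.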
Asokan Company has 300 employees in various departments. Moreover, it has one branch office elsewhere in the country. The main medium of communication is e-mail. In order to have better security control, the M.D. has installed an Exchange Server in a demilitarized zone (DMZ) for the SMTP traffic. SMTP stands for Simple Mail Transfer Protocol. Now mails are going out from the corporate office to the branch office, and people out there on the public Internet also write mail to the officers inside the LAN. When mails come from an untrusted network, there is a risk that they may contain a virus, or that someone may try to launch an attack against the server to bring it down! To prevent this, the firewall can be instructed to check the contents of the SMTP traffic as well: whether the mails carry any attachment with virus files, scripts, ActiveX content or Java code. If present, the firewall can be instructed to remove them. Thereby we can provide content security for SMTP traffic also.

As we discussed above, the company has a branch office. All the systems in the head office as well as the branch office are in the private IP range, and both networks are behind a firewall gateway. The head office belongs to the 10.0.0.0 network and the branch office belongs to the 172.16.0.0 network. In order to communicate securely, one of the possibilities is to set up a Virtual Private Network (VPN), i.e. a VPN tunnel. Tunneling encrypts the entire original packet, including the headers. Imagine you write a letter to your friend, put it in an envelope, and the 'to' address and the 'from' address are written on the cover. Then, if you enclose the cover in another cover, how can the postman read the 'to' and 'from' addresses? Similarly, when a packet is tunneled, the entire packet (including the header and the payload) is enclosed in another packet.

If so, how will it get routed? To understand how it gets routed, we need to understand the following concept. When a VPN is established, the firewall goes through two phases with the participating peer gateway (HO and BO): Phase 1 and Phase 2. Both phases are negotiations of the Internet Key Exchange (IKE) protocol. Phase 1 authenticates the two gateways to each other and sets up a protected channel between them (the IKE SA). Phase 2 runs inside that protected channel and negotiates the IPsec SAs, i.e. the keys and algorithms that will protect the actual data traffic; the data itself is then carried by the IPsec protocols (ESP or AH), not by IKE. Here something known as SA negotiation takes place. What is an SA? SA stands for Security Association. Once an SA is
established, it means that which keys to use and which algorithms to use for data encryption and for data integrity, all such details, have been agreed upon by the two participating gateways. That is what is known as a Security Association (SA). On what basis do the firewalls (BO and HO) authenticate each other? How does a firewall know whether it is really the peer firewall contacting it or someone impersonating the peer? Well. It can be ascertained in two ways. The VPN can be established using either a 'shared secret key' or a 'certificate'. The shared secret key means that you set a secret word (like a password) in one of the participating gateways, and the same secret word is set in the other participating gateway as well while the VPN is being configured. This single secret is shared between the participating gateways to identify the peer firewall.

What is happening behind the scenes? Let us see. In Phase 1 the two gateways exchange Diffie-Hellman public values and nonces in the clear, and each computes the same Diffie-Hellman shared secret, from which the session keys for the IKE channel are derived. The pre-shared secret itself is never sent over the wire. Instead, each firewall proves that it knows the secret by sending a hash, keyed with material derived from the pre-shared secret, over the exchanged public values and its own identity; the peer recomputes the hash with its own copy of the secret and accepts the gateway only if the two match. From there onwards they trust each other. That is how each firewall identifies its peer. Choose a long random secret: with IKEv1 aggressive mode the authentication hash is sent unencrypted, and a short or dictionary secret can be guessed offline from a captured exchange. Phase 1 involves the asymmetric (public-key) Diffie-Hellman calculation and takes much computational power, whereas Phase 2 reuses the Phase 1 keys and mostly symmetric operations (a fresh Diffie-Hellman exchange happens in Phase 2 only if Perfect Forward Secrecy is enabled), and hence it is cheaper. The re-negotiation intervals (lifetimes) of the two phases differ accordingly: the IKE SA typically lives much longer than the IPsec SAs, which are re-keyed more often.

The other method is based on a certificate. You can create a certificate (the firewall acts as a Certificate Authority, CA) and the certificates can be exchanged between the participating gateways. From the certificate, each firewall can identify its peer. Phase 2 uses the IKE SA negotiated in Phase 1 to negotiate an IPsec SA for encrypting the data traffic. In other words, the data transmission between the firewalls is encrypted and sent by the IPsec protocol. Phase 1 lays the road and Phase 2 runs the car on the road.
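The shared-secret authentication described above can be followed step by step in code. This is an added example, not Check Point's or any vendor's implementation: it follows the IKEv1 main-mode formulas from RFC 2409 (SKEYID = prf(psk, Ni | Nr) and HASH_I = prf(SKEYID, g^xi | g^xr | IDii)) but omits the cookies and SA payload, uses HMAC-SHA256 as the prf, and uses a toy Diffie-Hellman group so that it runs instantly; the gateway identities and secrets are constructed.

```python
"""Why a pre-shared secret authenticates IKE peers without crossing the wire (added illustration)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only. Real IKE uses a MODP group from
# RFC 3526 (e.g. group 14, 2048 bits) or an elliptic-curve group; do not reuse this.
P = (1 << 127) - 1    # the Mersenne prime 2^127 - 1
G = 3
DH_BYTES = 16


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE pseudo-random function; HMAC-SHA256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Gateway:
    """One VPN gateway: an identity, its copy of the shared secret and fresh DH values."""

    def __init__(self, identity: str, psk: bytes):
        self.identity = identity.encode()
        self.psk = psk
        self.priv = secrets.randbelow(P - 3) + 2     # private exponent x, never leaves the box
        self.pub = pow(G, self.priv, P)              # public value g^x, sent in the clear
        self.nonce = secrets.token_bytes(16)         # Ni or Nr, sent in the clear


def phase1(ho: Gateway, bo: Gateway) -> tuple:
    """Simplified IKEv1 main-mode Phase 1 with pre-shared-key authentication.

    Returns (bo_accepts_ho, ho_accepts_bo, both_derived_same_key).
    """
    # What crosses the Internet: both public DH values and both nonces. No secret is sent.
    pubs = ho.pub.to_bytes(DH_BYTES, "big") + bo.pub.to_bytes(DH_BYTES, "big")
    nonces = ho.nonce + bo.nonce

    # SKEYID = prf(pre-shared-key, Ni | Nr): each side uses its OWN copy of the secret.
    ho_skeyid = prf(ho.psk, nonces)
    bo_skeyid = prf(bo.psk, nonces)

    # Session key material: the DH secret g^xy keyed with SKEYID (SKEYID_d in the RFC).
    ho_key = prf(ho_skeyid, pow(bo.pub, ho.priv, P).to_bytes(DH_BYTES, "big"))
    bo_key = prf(bo_skeyid, pow(ho.pub, bo.priv, P).to_bytes(DH_BYTES, "big"))

    # Proof of knowledge: HASH_I = prf(SKEYID, g^xi | g^xr | IDii); HASH_R likewise.
    hash_i = prf(ho_skeyid, pubs + ho.identity)   # sent by the head office gateway
    hash_r = prf(bo_skeyid, pubs + bo.identity)   # sent by the branch office gateway

    # Each receiver recomputes the hash with its own secret; a wrong secret never matches.
    bo_accepts = hmac.compare_digest(hash_i, prf(bo_skeyid, pubs + ho.identity))
    ho_accepts = hmac.compare_digest(hash_r, prf(ho_skeyid, pubs + bo.identity))
    return bo_accepts, ho_accepts, hmac.compare_digest(ho_key, bo_key)


SHARED_SECRET = b"long-random-shared-secret-set-on-both-gateways"   # constructed


def genuine_peers() -> tuple:
    """Both gateways were configured with the same secret."""
    return phase1(Gateway("ho-fw", SHARED_SECRET), Gateway("bo-fw", SHARED_SECRET))


def impersonator() -> tuple:
    """Someone claiming the branch office identity but holding a guessed secret."""
    return phase1(Gateway("ho-fw", SHARED_SECRET), Gateway("bo-fw", b"guessed-secret"))


if __name__ == "__main__":
    print("genuine peers:", genuine_peers())
    print("impersonator: ", impersonator())
```

Note that the impersonator fails on both counts: its hash is rejected, and even the Diffie-Hellman session key it derives differs, because SKEYID is mixed into the key derivation.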
At the outset, Phase 2 negotiates the IPsec protocol combination that will be used. What is a protocol combination? What are the combinations? IPsec protocol? Yes. IPsec is a protocol suite like TCP/IP. We discuss two important headers of IPsec here briefly, AH and ESP. AH stands for Authentication Header and ESP stands for Encapsulating Security Payload. (I understand that I am going a bit deep into the subject, but unless you know something about these two headers, the VPN tunneling concepts will not be clear to you. Read on....) These can be used in combination, i.e. AH+ESP, or AH alone, or ESP alone. AH provides authentication and message integrity, not confidentiality. When confidentiality is not there, it means that if someone captures the data in transit he will be able to read it! However, if the data is tampered with on the way to the destination, it can be detected, as AH provides data integrity. For this purpose AH uses a keyed message digest (read my cryptography notes to understand message digests). If it is OK with you that someone may see the data in between, then you can use AH alone. In other words, AH does not encrypt the data, hence it cannot provide confidentiality. ESP, Encapsulating Security Payload, provides confidentiality and, optionally, authentication and data integrity. One difference worth knowing: AH's integrity check also covers the unchanging fields of the outer IP header, including the addresses, whereas ESP's covers only the ESP header and payload. This is why AH breaks when a NAT device rewrites the addresses on the way, while ESP can pass through NAT. The latest versions of some firewalls do not support AH at all; they support only ESP.

What is happening behind the scenes? There are two modes to understand here: 1) transport mode and 2) tunnel mode. Imagine an IP packet. It has data as well as headers. If the payload alone is protected and the original IP header is kept, it is known as transport mode. If the entire IP packet is protected, including the header (put into another cover, as discussed above), it is known as tunnel mode. That is what we discussed above. Now the problem is, since the IP header itself is inside the tunnel, how does a tunnel-mode packet get routed? It is simple: the encrypting gateway adds a new outer IP header in front of the ESP header, carrying the addresses of the two gateways, and the ESP header sits between this outer header and the encrypted original packet. Routers on the Internet look only at the outer header.
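The layering just described, outer IP header, ESP header, encrypted original packet, integrity check value, is carried through in this added example using the head office and branch office addresses of this note (10.0.0.10 to 172.16.0.10 inside, 20.0.0.1 to 30.0.0.1 outside). It is illustration code written for this note, not a firewall's IPsec stack: the header layouts and ESP field order follow RFC 4303, but the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES, the keys are constructed (a real VPN gets them from IKE Phase 2), and the IP checksum is left zero.

```python
"""ESP tunnel mode: wrapping a private-address packet in a gateway-to-gateway packet (added illustration)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTOCOL = 50       # IP protocol number of ESP
NEXT_HEADER_IPV4 = 4    # tunnel mode: the ESP payload is a complete IPv4 packet
ICV_LEN = 16            # HMAC-SHA-256-128 integrity check value (RFC 4868)
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero, which is enough for the demo."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_ipv4(pkt: bytes) -> tuple:
    """Return (src, dst, proto, payload) from a packet starting with an IPv4 header."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack(IPV4_FMT, pkt[:20])
    return str(IPv4Address(s)), str(IPv4Address(d)), proto, pkt[20:total]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the real ESP cipher (AES-CBC or AES-GCM): HMAC-SHA256 in counter mode."""
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encapsulate(inner: bytes, enc_key: bytes, auth_key: bytes,
                    spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """What the head-office firewall does to a packet bound for the branch office."""
    iv = hashlib.sha256(struct.pack("!II", spi, seq)).digest()[:8]   # unique per (SPI, seq)
    pad_len = (-(len(inner) + 2)) % 4                                  # 4-byte alignment
    plaintext = inner + bytes(pad_len) + bytes([pad_len, NEXT_HEADER_IPV4])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    esp = struct.pack("!II", spi, seq) + iv + ciphertext
    esp += hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]   # ICV covers ESP only
    # New outer header, gateway to gateway. The inner private addresses are now ciphertext.
    return ipv4_header(gw_src, gw_dst, ESP_PROTOCOL, len(esp)) + esp


def esp_decapsulate(outer: bytes, enc_key: bytes, auth_key: bytes) -> tuple:
    """What the branch-office firewall does; raises ValueError on anything suspicious."""
    _, _, proto, esp = parse_ipv4(outer)
    if proto != ESP_PROTOCOL:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):          # verify before decrypting anything
        raise ValueError("ICV check failed: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:16], body[16:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, iv, len(ciphertext))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("unexpected next header")
    return spi, seq, plaintext[:len(plaintext) - 2 - pad_len]


# Constructed keys; in a real VPN these come out of IKE Phase 2, one set per direction.
ENC_KEY, AUTH_KEY = bytes(range(32)), bytes(range(32, 64))


def inner_packet() -> bytes:
    """Head-office host to branch-office host, with a 5-byte stand-in for a TCP segment."""
    return ipv4_header("10.0.0.10", "172.16.0.10", 6, 5) + b"hello"


def tunnel_round_trip() -> tuple:
    """Returns (what the Internet sees, inner packet recovered intact, inner addresses)."""
    outer = esp_encapsulate(inner_packet(), ENC_KEY, AUTH_KEY, 0x1000, 1, "20.0.0.1", "30.0.0.1")
    visible = parse_ipv4(outer)[:3]
    _, _, recovered = esp_decapsulate(outer, ENC_KEY, AUTH_KEY)
    return visible, recovered == inner_packet(), parse_ipv4(recovered)[:2]


def tampered_packet_is_dropped() -> bool:
    """Flip one ciphertext bit in transit; the ICV check must reject the packet."""
    outer = esp_encapsulate(inner_packet(), ENC_KEY, AUTH_KEY, 0x1000, 2, "20.0.0.1", "30.0.0.1")
    flipped = outer[:40] + bytes([outer[40] ^ 0x01]) + outer[41:]
    try:
        esp_decapsulate(flipped, ENC_KEY, AUTH_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(tunnel_round_trip())
    print("tampered packet dropped:", tampered_packet_is_dropped())
```

A router between the gateways sees only 20.0.0.1, 30.0.0.1 and protocol 50; the 10.0.0.10 and 172.16.0.10 addresses come back only after the ICV verifies and the payload is decrypted. The ICV deliberately does not cover the outer IP header (the difference from AH noted above), and real deployments would use AES-GCM, which does encryption and integrity in one pass.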
Look at the figure above (head office LAN 10.0.0.0, HO firewall with outside interface 20.0.0.1, the Internet, BO firewall with outside interface 30.0.0.1, branch office LAN 172.16.0.0). Imagine that a packet is going from the head office to the branch office. At the HO, when a packet goes out, the source IP will be 10.0.0.10 and its target IP 172.16.0.10. When it reaches the HO firewall, since the VPN is configured on the firewall for secured communication between HO and BO, ESP takes the packet (with source IP 10.0.0.10 and destination IP 172.16.0.10) and puts it into a cover. This is known as tunneling. The firewall also creates another IP header, with source IP the outbound interface of the HO firewall (20.0.0.1) and destination IP the outbound interface of the BO firewall (30.0.0.1). Now the secured tunnel communication will be between the HO firewall and the BO firewall (between 20.0.0.1 and 30.0.0.1). When the data reaches the destination, i.e. 30.0.0.1 (the BO firewall), it verifies and decrypts the tunneled packet and passes the data to the system 172.16.0.10 located in the branch office local network. Please note that the data in the head office up to the HO firewall, and the same data from the branch office firewall to the BO LAN, is NOT encrypted. Another important thing to remember is that when you set up the VPN, the inner packet keeps its private addresses: no address translation takes place on traffic between the two sites, so the VPN traffic must be excluded from the NAT rules (if the source were translated before encryption it would no longer match the addresses the peer expects in the tunnel). This is how a VPN works. (A lot of configuration details have been omitted as they are beyond the scope of this simple note.)

Hope this note was useful to you. I would appreciate it if you could just mail me at asokanak@hotmail.com your opinion as to how well you were able to understand the topics, the way they are explained, whether any changes in the narration have to be incorporated, and your valuable suggestions. It will enable me to write future notes incorporating all your suggestions. – with love. Asokan (Skype discussion: asokanchennai).