Application Layer Firewalls


Lesson 10: Firewalls
Overview
- Defining the types of firewalls.
- Developing a firewall configuration.
- Designing a firewall rule set.
- A firewall is a network access control device.
- It can perform a centralized security management function.
- It denies all traffic except that which is explicitly allowed.
- It can be configured based on services, source or destination IP address, and the user ID.
Defining the Types of Firewalls
- Application layer firewalls.
- Packet filtering firewalls.
- Hybrids.
Application Layer Firewalls
- Application layer firewalls (proxy firewalls) are software packages that reside on operating systems or on firewall appliances.
- Firewalls have multiple interfaces.
- All connections terminate on the firewall.
- They use proxies for inbound connections.
- A set of policy rules defines how traffic from one network is transported to any other.
- If no rule exists, firewalls deny or drop the data packets.
- Policy rules are enforced through the use of proxies.
- Each protocol on a firewall must have its own proxy.
Figure: Application layer firewall proxy connections.
Packet Filtering Firewalls
- Policy rules are enforced using packet inspection filters.
- If a protocol runs over UDP, the packet filtering firewall tracks the state of the UDP traffic.
- Connections do not terminate on the firewall.
- They do not rely on proxies for each protocol.
- They support network address translation.
Figure: Traffic through a packet filtering firewall.
Hybrids
- Hybrid firewalls provide a way of handling protocols for which specific proxies do not exist.
- The generic services proxy (GSP) allows application layer proxies to handle other protocols.
- In a hybrid system, the GSP behaves like a packet filtering firewall.
Developing a Firewall Configuration
- The organization's Internet policy allows users to use services such as HTTP, HTTPS, FTP, Telnet, and SSH.
- Based on the Internet policy, a set of policy rules for various architectures can be constructed.
- Architecture 1: Internet accessible systems outside the firewall.
- Architecture 2: Single firewall.
- Architecture 3: Dual firewall.
Internet Accessible Systems
Figure: Architecture #1, Internet accessible systems outside the firewall.
Table: Firewall rules for Internet systems accessible outside the firewall.
Single Firewall
Figure: Architecture #2, single firewall.
Table: Firewall rules for the single firewall architecture.
Dual Firewalls
Figure: Architecture #3, dual firewalls.
Table: Firewall rules for firewall #1 in the dual firewall architecture.
Table: Firewall rules for firewall #2 in the dual firewall architecture.
Designing a Firewall Rule Set
When designing a firewall rule set, the first-match algorithm (the first rule that matches a packet decides its fate) dictates:
- The most specific rules are placed at the top of the rule set.
- The least specific rules are placed at the bottom of the rule set.
To define a general rule set, examine:
- The expected traffic load of the firewall.
- Rank the traffic types in order, placing the Internet service that carries the largest traffic at the top of the rule set.
- Place any deny rules pertaining to each protocol above that protocol's allow rule, since the first rule matched wins.
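The following first-match evaluator, added here as an example and not part of the lesson, shows the two rule-ordering points above (specific rules before general ones, deny rules above the allow rule for the same protocol) and adds a check for rules that an earlier, broader rule shadows. The addresses, rule set and the Rule/first_match/shadowed names are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR or "any"
    dst: str              # destination CIDR or "any"
    dport: Optional[int]  # destination port, None means any port
    note: str = ""

    def covers(self, proto, src, dst, dport):
        """True if every field of this rule includes the given packet (or rule) fields."""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        for mine, theirs in ((self.src, src), (self.dst, dst)):
            if mine == "any":
                continue
            if theirs == "any" or not ipaddress.ip_network(theirs).subnet_of(ipaddress.ip_network(mine)):
                return False
        return True

def first_match(rules, proto, src, dst, dport):
    """First-match evaluation: the first covering rule decides; no match means the default deny."""
    for r in rules:
        if r.covers(proto, src, dst, dport):
            return r.action, r.note
    return "deny", "default deny (no rule matched)"

def shadowed(rules):
    """Notes of rules that can never fire because an earlier rule already covers all they match."""
    return [r.note for i, r in enumerate(rules)
            if any(e.covers(r.proto, r.src, r.dst, r.dport) for e in rules[:i])]

WEB = "192.0.2.10/32"   # constructed public web server (RFC 5737 documentation range)
INSIDE = "10.0.0.0/8"   # constructed internal user network
RULES = [
    Rule("deny",  "tcp", "any",  WEB,   22,  "no SSH to web server"),  # specific deny on top
    Rule("allow", "tcp", "any",  WEB,   80,  "HTTP to web server"),    # busiest service first
    Rule("allow", "tcp", "any",  WEB,   443, "HTTPS to web server"),
    Rule("allow", "tcp", INSIDE, "any", 22,  "outbound SSH"),
    Rule("allow", "tcp", INSIDE, "any", 23,  "outbound Telnet"),
    Rule("allow", "tcp", INSIDE, "any", 21,  "outbound FTP"),
]
# The same rules with a broad allow placed first: it shadows the specific deny above it.
BAD_ORDER = [Rule("allow", "tcp", "any", WEB, None, "all TCP to web server")] + RULES
```

With RULES, SSH to the web server is denied even from the internal network because the specific deny sits above the outbound allow; with BAD_ORDER the broad allow wins and shadowed() reports the three rules it hides.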
Summary
- A firewall is a network access control device, available as application layer and packet filtering firewalls.
- A combination of these firewalls can also be used.
- Application layer or proxy firewalls use proxies for connections.
- In this setup, all connections terminate on the firewall.
- Unlike application layer firewalls, packet filtering firewalls enforce policy rules using packet inspection filters.
- A firewall architecture can use a single firewall, dual firewalls, or place Internet accessible systems outside the firewall.
- In a firewall rule set, place the most specific rules at the top and the least specific rules at the bottom.