Firewalls - Eastern Michigan University
Firewalls
Screen packets crossing the boundary between the private (trusted) network and external, untrusted networks (the Internet)
Ingress Packet Filtering
The firewall examines each incoming packet and either passes it or drops (denies) it
Egress Packet Filtering
The firewall examines each packet as it leaves the internal network, which is how traffic from compromised internal hosts gets caught
Border Firewall
[Figure: a Border Firewall sits between the Internal Corporate Network (Trusted), drawn as a PC behind a Switch, and the Internet (Not Trusted). An egress packet from the PC is passed outward; an ingress packet from the Internet is passed inward; a packet from an Attacker is dropped, and the drop is recorded on a Log Server.]
Firewalls – Type of Protection
Packet Inspection
Examines the IP, TCP, UDP and ICMP headers
Static packet filtering (stateless filtering): each packet is judged on its own header fields
Stateful filtering: the decision also depends on the connection the packet belongs to
Application Inspection
Examines application-layer messages
Can stop a malicious executable attachment
Network Address Translation (NAT)
Rewrites the source IP addresses of outgoing packets (the slide calls this spoofing), so internal addresses are hidden from the outside
Firewalls – Type of Protection (continued)
Denial-of-Service Inspection
SYN flood
Cisco PIX – TCP intercept: the firewall answers the client's SYN itself and opens the connection to the server only after the client completes the handshake
Authentication
Only allow packets from authenticated users
Not common
Virtual Private Networking
Usually works together with authentication
Provides confidentiality for traffic crossing the untrusted network
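The TCP intercept idea from the slide, as an added example (not code from the slides or from Cisco): the firewall holds the embryonic connection itself and only talks to the server once the client's ACK arrives, with a table limit and a timeout bounding how many half-open entries a flood can pile up. The event model, the limits, the addresses and the 200-SYN scenario are constructed assumptions.

```python
"""Simplified model of SYN-flood protection in the style of TCP intercept.
The firewall answers each client SYN with its own SYN-ACK and contacts the
protected server only after the client's ACK completes the handshake, so
half-open (embryonic) connections accumulate on the firewall, bounded by a
table limit and a timeout, and never on the server.  Added example, not from
the slides; event model, limits and addresses are assumptions."""
from collections import OrderedDict


class TcpIntercept:
    def __init__(self, max_half_open=16, half_open_timeout_ms=2000):
        self.max_half_open = max_half_open
        self.timeout = half_open_timeout_ms
        self.half_open = OrderedDict()   # (client_ip, client_port) -> SYN time, oldest first
        self.server_connections = []     # handshakes actually completed toward the server
        self.dropped = 0                 # embryonic connections abandoned by the firewall

    def _expire(self, now):
        """Drop embryonic connections whose client never sent the final ACK."""
        while self.half_open:
            oldest_key, syn_time = next(iter(self.half_open.items()))
            if now - syn_time < self.timeout:
                break
            del self.half_open[oldest_key]
            self.dropped += 1

    def on_syn(self, client_ip, client_port, now):
        """Firewall replies SYN-ACK on the server's behalf; the server sees nothing yet."""
        self._expire(now)
        if len(self.half_open) >= self.max_half_open:
            # Table full: abandon the oldest embryonic connection to make room
            self.half_open.popitem(last=False)
            self.dropped += 1
        self.half_open[(client_ip, client_port)] = now
        return "SYN-ACK"

    def on_ack(self, client_ip, client_port, now):
        """Handshake completed by the client: only now open the server-side connection."""
        self._expire(now)
        key = (client_ip, client_port)
        if key not in self.half_open:
            return "RST"     # no embryonic connection: late, forged or already expired
        del self.half_open[key]
        self.server_connections.append(key)
        return "ESTABLISHED"


def simulate():
    """Constructed scenario: 200 spoofed SYNs (one every 5 ms, never ACKed)
    overlap one legitimate client that ACKs 10 ms after its SYN.  Times are
    milliseconds; sources are RFC 5737 documentation addresses."""
    fw = TcpIntercept()
    events = [(5 * i, "syn", f"198.51.100.{i % 250 + 1}", 1000 + i) for i in range(200)]
    events += [(402, "syn", "192.0.2.7", 40000), (412, "ack", "192.0.2.7", 40000)]
    for t, kind, ip, port in sorted(events):
        if kind == "syn":
            fw.on_syn(ip, port, t)
        else:
            fw.on_ack(ip, port, t)
    # Long after the flood: a forged ACK from a client that never sent a SYN
    late = fw.on_ack("198.51.100.77", 5555, now=10_000)
    return {"server_connections": fw.server_connections,   # only the legitimate client
            "dropped": fw.dropped,                          # all 200 spoofed SYNs
            "half_open_left": len(fw.half_open),            # 0 after the timeout
            "late_ack": late}                               # "RST"


if __name__ == "__main__":
    print(simulate())
```

The server opens exactly one connection, the legitimate one, while every spoofed SYN is discarded either when the firewall's table overflows or when the timeout expires it. The cost moves to the firewall: a flood faster than the table can absorb will also evict legitimate embryonic entries before their ACK arrives, which is why the limit and timeout are tuning parameters rather than fixed constants.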
Firewall Hardware and Software
Screening Router Firewall
High cost
Good place for egress filtering
Computer-based Firewalls
Lower cost
Ease of use
Higher risk from the underlying operating system, which must itself be hardened and patched
Firewall Hardware and Software (continued)
Firewall Appliances
Like your toaster: a sealed box with one job and little to configure
Vendor provides rule updates
Host Firewalls
Run on an individual client or server host
Defense in depth
Hard to manage across many hosts
Static Packet Filter Firewalls
[Figure: packets arriving from the Internet at a Static Packet Filter, laid out as
| IP-H | TCP-H | Application Message |
| IP-H | UDP-H | Application Message |
| IP-H | ICMP Message |
The filter decides on the header fields alone; all permitted packets are forwarded to the Corporate Network, and denied packets are recorded in a Log File.]
Access Control Lists (ACLs)
The way to organize the filtering rules
Each rule uses an if-then format: if the packet's header fields match, then permit or deny it
Sequential rule evaluation: rules are checked in order and the first match decides
Deny all: a final catch-all rule denies anything no earlier rule permitted
Access Control Lists (ACLs) (continued)
Sensitivity to misordering: because the first match wins, a broad permit placed before a narrow deny silently disables the deny
GUI firewall rule makers help build and order the rule list
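The ACL mechanics just described (if-then rules, sequential first-match evaluation, the implicit deny-all, and what misordering does), together with the stateless-versus-stateful distinction from the "Type of Protection" slide, as one added example that is not code from the slides. The Packet and Rule fields, the addresses (RFC 5737 documentation ranges) and the ports are illustrative assumptions.

```python
"""Sequential ACL evaluation with implicit deny, the misordering failure, and a
stateful layer on top.  Added example, not from the original slides; Packet/Rule
fields, addresses (RFC 5737 documentation ranges) and ports are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None = any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def evaluate(acl, pkt):
    """First matching rule decides.  Returns (action, rule index); an index of
    None means nothing matched and the implicit deny-all at the end applied."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


WEB = "203.0.113.10/32"        # DMZ web server
BLOCKED = "198.51.100.0/24"    # range the policy says must not reach it

# Intended policy: keep BLOCKED off the web server, let everyone else browse it.
CORRECT_ORDER = [
    Rule("deny", "tcp", src=BLOCKED, dst=WEB, dport=80),
    Rule("permit", "tcp", dst=WEB, dport=80),
]
MISORDERED = CORRECT_ORDER[::-1]   # same rules; the broad permit now shadows the deny


def shadowing_demo():
    blocked_client = Packet("tcp", "198.51.100.9", "203.0.113.10", 51000, 80)
    other_client = Packet("tcp", "192.0.2.44", "203.0.113.10", 51001, 80)
    ssh_probe = Packet("tcp", "192.0.2.44", "203.0.113.10", 51002, 22)
    return {
        "blocked_correct": evaluate(CORRECT_ORDER, blocked_client),   # ("deny", 0)
        "blocked_misordered": evaluate(MISORDERED, blocked_client),   # ("permit", 0)
        "other_correct": evaluate(CORRECT_ORDER, other_client),       # ("permit", 1)
        "ssh_correct": evaluate(CORRECT_ORDER, ssh_probe),            # ("deny", None)
    }


class StatefulFilter:
    """Stateless ACLs plus a connection table: an outbound packet the egress ACL
    permits records its connection, and an inbound packet travelling the reverse
    direction of a recorded connection is admitted without any inbound rule."""

    def __init__(self, egress_acl, ingress_acl):
        self.egress_acl, self.ingress_acl = egress_acl, ingress_acl
        self.connections = set()

    def egress(self, pkt):
        action, _ = evaluate(self.egress_acl, pkt)
        if action == "permit":
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

    def ingress(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "permit"
        return evaluate(self.ingress_acl, pkt)[0]


def stateful_vs_stateless_demo():
    """To let inside hosts browse, a stateless filter must admit every inbound TCP
    packet with source port 80, which an attacker can forge; the stateful filter
    admits only replies to connections it saw leave."""
    inside, outside, attacker = "10.1.1.25", "192.0.2.80", "198.51.100.9"
    outbound = Packet("tcp", inside, outside, 40000, 80)
    reply = Packet("tcp", outside, inside, 80, 40000)
    forged = Packet("tcp", attacker, inside, 80, 22)   # sport 80, aimed at SSH
    stateless_ingress = [Rule("permit", "tcp", sport=80)]
    stateless = {"reply": evaluate(stateless_ingress, reply)[0],
                 "forged": evaluate(stateless_ingress, forged)[0]}
    fw = StatefulFilter(egress_acl=[Rule("permit", "tcp", dport=80)], ingress_acl=[])
    fw.egress(outbound)
    stateful = {"reply": fw.ingress(reply), "forged": fw.ingress(forged)}
    return {"stateless": stateless, "stateful": stateful}
```

Two things to take from running it: the swapped list returns "permit" for the client the policy meant to block, and it does so from rule 0, so nothing in the output hints that a deny was ever written; a review of an ACL therefore has to read it top to bottom as the firewall does, not rule by rule in isolation. And the stateless filter admits the forged source-port-80 packet to port 22 because a header-only rule cannot tell a reply from an unsolicited packet, which is exactly the gap the connection table closes.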