Transcript PowerPoint - The Open Group

Firewall Technology and InterCell
Communication
Peter T. Dinsmore
Trusted Information Systems
Network Associates Inc
3060 Washington Rd (Rt. 97)
Glenwood, MD 21738
[email protected]
301-854-5706
Overview
• Firewall Background
–
–
–
–
network architecture
firewall technologies
other features
policies
• DCE Communications
• Solutions?
What is a Firewall?
• Implements a communication policy between two
networks
• Funnels communications to controlled point
– incoming
– outgoing
• Used to
–
–
–
–
–
protect
separate
restrict
log
control
Firewall Architectures
Dual Homed Host
Network A
Network B
Firewall
• firewall typically has addresses for interfaces
• may be multi-homed
Firewall Architectures
Perimeter Network/DMZ
Network A
Perimeter Net/DMZ
Firewall
Network B
Firewall
Server
• server may provide DCE services
• server may use DCE services to reach info on Net B
Firewall Technologies
• Packet Filtering
– based on IP headers, TCP/UDP headers, stateful (or not), appl info
• Circuit Gateway
– terminates connection
• Application Gateway
– application knowledge
•
•
•
•
•
verifies format
follows protocol
authentication
access control of application functions
logging
Firewall Features
•
•
•
•
Network Address Translation (NAT)
Address hiding
Virtual Private Networks (VPN)
Content Scanning
– virus scanning
– integrity
– proof of origin
Firewall Policies
•
•
•
•
“that which is not expressly permitted is denied”
“that which is not expressly denied is permitted”
“all incoming connections are authenticated”
“all incoming traffic is authenticated”
DCE Communications
•
•
•
•
•
•
UDP - no state
Dynamic port allocation
Encrypted traffic
Intrinsic authentication mechanism
Network addresses in protocol messages
Assumption of full network connectivity
Solutions?
•
•
•
•
•
•
Restrict DCE to TCP
Limit port range
VPN
DCE servers on firewall
DCE servers in DMZ
DCE knowledgeable proxies
–
–
–
–
handle message NAT
listen to ports dynamically
authentication
other access control