Discussion on Firewall implementation options
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Network Security, Firewalls, and VPNs
Lesson 6 Firewall Implementation Options
Ethernet Color Standards
URL of above graphics: https://www.joncamfield.com/oss/schooltools/Reference/EthernetCabling.htm
[Graphics: T-568A Standard and T-568B Standard pinouts; Crossover Cable Diagram of Wiring]
Network Topologies
§ Network topology: the name given to the way in which the devices (called nodes) are physically connected in a network.
§ The network topology chosen typically dictates:
• the type of cabling used in the network
• the scalability of the network
Bus Topology
Nodes are connected to a main (bus) cable. If data is being sent between two nodes then other nodes cannot transmit. If too many nodes are connected then the transfer of data slows dramatically as the nodes have to wait longer for the bus to be clear.
Bus Topology (cont)
Advantages:
• The simplest and cheapest to install and extend.
• Well suited for temporary networks with not many nodes.
• Very flexible as nodes can be attached or detached without disturbing the rest of the network.
• Failure of one node does not affect the rest of the bus network.
• Simpler than a ring topology to troubleshoot if there is a cable failure because sections can be isolated and tested independently.
Disadvantages:
• If the bus cable fails then the whole network will fail.
• Performance of the network slows down rapidly with more nodes or heavy network traffic.
• The bus cable has a limited length and must be terminated properly at both ends to prevent reflected signals.
• Slower than a ring network as data cannot be transmitted while the bus is in use by other nodes.
Ring Topology
In a ring topology, the nodes are connected in a ring and data travels in one direction using a control signal called a 'token'.
Ring Topology (cont)
Advantages:
• Not greatly affected by adding further nodes or heavy network traffic as only the node with the 'token' can transmit data, so there are no data collisions.
• Relatively cheap to install and expand.
Disadvantages:
• Slower than a star topology under normal load.
• If the cable fails anywhere in the ring then the whole network will fail.
• If any node fails then the token cannot be passed around the ring any longer, so the whole network fails.
• The hardest topology to troubleshoot because it can be hard to track down where in the ring the failure has occurred.
• Harder to modify or expand because to add or remove a node you must shut down the network temporarily.
• In order for the nodes to communicate with each other they must all be switched on.
Star Topology
In this type of network, a central computer (server) usually forms the main node and the subsidiary nodes are connected to it and to each other through a switch or hub.
Star Topology (cont)
Advantages:
§ The most reliable because the failure of a node or a node cable does not affect other nodes.
§ Simple to troubleshoot because only one node is affected by a cable break between the switch and the node.
§ Adding further nodes does not greatly affect performance because the data does not pass through unnecessary nodes.
§ Easily upgraded from a hub to a switch for higher performance. Easy to install and to expand with extra nodes.
Disadvantages:
§ Uses the most cable, which makes it more expensive to install than the other two topologies.
§ The extra hardware required, such as hubs or switches, further increases the cost.
§ As the central computer controls the whole system, the whole system will be affected if it breaks down or if the cable link between it and the switch fails.
§ If the switch, the link to the server or the server itself fails then the whole network fails.
Network Topologies Summary
IEEE
§ IEEE stands for the "Institute of Electrical and Electronics Engineers".
• Composed of computer scientists, software developers, information technology professionals, physicists, and medical doctors, in addition to IEEE's electrical and electronics engineering core.
- For this reason the organization no longer goes by the full name, except on legal business documents, and is referred to simply as IEEE.
§ The IEEE is dedicated to advancing technological innovation and excellence. It has about 425,000 members in about 160 countries.
§ The IEEE is one of the leading bodies to produce standards relating to networking.
IEEE 802 Standards
§ IEEE 802 refers to a family of standards dealing with local area networks (LAN), wide-area networks (WAN) and metropolitan area networks (MAN).
§ The 802 number is the name of the IEEE committee that deals with networking standards
• Various subcommittees have been created to deal with specific standards. They are denoted by 802.x where x is the number of the subcommittee.
- For instance, 802.11 deals with WiFi.
§ 802 typically deals with OSI layers 2 and 1.
802.1
§ 802.1 Bridging and Network Management
• 802.1q Virtual Local Area Networks (VLAN)
- In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers.
- Traffic is marked (or tagged) to be a part of a specific VLAN
- Traffic stays within its own VLAN and must be routed to other VLANs.
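The tagging and isolation described in these bullets, as an added Python example that is not from the slides: it parses and builds 802.1Q-tagged Ethernet II frames (TPID 0x8100, 3-bit priority, 12-bit VLAN ID) and models an access-port switch that floods a frame only to ports in the ingress port's own VLAN, so the VLANs behave as separate broadcast domains. Port names, MAC addresses and payloads are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q VLAN tag
ETH_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: int            # 3-bit Priority Code Point (0 when untagged)
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, extracting the 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id, priority = 14, None, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13      # top 3 bits of the TCI: PCP
        vlan_id = tci & 0x0FFF    # low 12 bits: VLAN identifier
        offset = 18
    return Frame(dst, src, vlan_id, priority, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Serialise a frame, inserting an 802.1Q tag only when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


class VlanSwitch:
    """Toy model of a VLAN-aware switch made up of access ports only.

    Every port is bound to one VLAN (its PVID). An untagged frame is assigned
    the ingress port's VLAN; a tagged frame is accepted only if its VID equals
    that PVID. Frames are flooded, untagged, solely to the other ports of the
    same VLAN, so each VLAN is a separate broadcast domain and traffic can only
    cross between VLANs through a router attached to both.
    """

    def __init__(self, port_vlans: Dict[str, int]):
        self.port_vlans = dict(port_vlans)

    def forward(self, raw: bytes, ingress: str) -> Dict[str, bytes]:
        frame = parse_frame(raw)
        pvid = self.port_vlans[ingress]
        if frame.vlan_id is not None and frame.vlan_id != pvid:
            return {}  # a tag for a foreign VLAN on an access port: drop it
        egress = build_frame(frame.dst, frame.src, frame.ethertype, frame.payload)
        return {port: egress for port, vid in self.port_vlans.items()
                if vid == pvid and port != ingress}


# Constructed sample data (hypothetical addresses, not captured traffic).
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("020000000001")
SWITCH = VlanSwitch({"p1": 10, "p2": 10, "p3": 20, "p4": 20})


def demo() -> dict:
    """Flood one untagged and one foreign-tagged frame from port p1 (VLAN 10)."""
    untagged = build_frame(BROADCAST, HOST_A, ETH_IPV4, b"who-has 10.0.10.5")
    tagged20 = build_frame(BROADCAST, HOST_A, ETH_IPV4, b"cross-vlan",
                           vlan_id=20, priority=5)
    return {
        "untagged_from_p1": sorted(SWITCH.forward(untagged, "p1")),  # ['p2']
        "tagged20_from_p1": sorted(SWITCH.forward(tagged20, "p1")),  # []
        "tagged20_parsed": parse_frame(tagged20),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```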
802.1x
• 802.1x Port Based Security
- It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
- Defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802.
- 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.
› The supplicant is a client device (such as a laptop) that wishes to attach to the LAN.
› The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized.
› The authentication server determines if the supplicant's credentials provided to the authenticator are valid. If they are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
802.1x (cont)
802.1x Process
1. On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.
2. To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.
3. The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (the type of EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or send a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.
4. If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet) or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed; if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator; the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
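The four-step exchange above, as an added Python model that is not part of the slides: a supplicant, an authenticator (the switch port) and an authentication server pass EAP messages, the authenticator re-encapsulates them as RADIUS Access-Request/Challenge/Accept/Reject, and the port moves between the "unauthorized" and "authorized" states, including the NAK path when the proposed EAP method is not supported. The identity store, method names and the stand-in for the EAP method's real cryptographic exchange are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


@dataclass
class Msg:
    kind: str                      # e.g. "EAPOL-Start", "EAP-Request/Identity"
    body: dict = field(default_factory=dict)


class Supplicant:
    """Client device; `methods` lists the EAP methods it is willing to perform."""

    def __init__(self, identity: str, secret: str, methods: List[str]):
        self.identity, self.secret, self.methods = identity, secret, methods

    def respond(self, req: Msg) -> Optional[Msg]:
        if req.kind == "EAP-Request/Identity":
            return Msg("EAP-Response/Identity", {"identity": self.identity})
        if req.kind == "EAP-Request":
            if req.body["method"] not in self.methods:  # step 3: NAK with our list
                return Msg("EAP-Response/Nak", {"methods": list(self.methods)})
            # Constructed stand-in for the chosen method's real cryptographic exchange.
            return Msg("EAP-Response", {"method": req.body["method"],
                                        "identity": self.identity,
                                        "secret": self.secret})
        return None  # EAP-Success / EAP-Failure end the conversation


class AuthServer:
    """RADIUS authentication server with a constructed identity -> secret store."""

    def __init__(self, users: Dict[str, str], methods: List[str]):
        self.users, self.methods = users, methods  # methods in preference order

    def handle(self, access_request: Msg) -> Msg:
        eap = access_request.body["eap"]
        if eap.kind == "EAP-Response/Identity":
            return self._challenge(self.methods[0])
        if eap.kind == "EAP-Response/Nak":
            common = [m for m in self.methods if m in eap.body["methods"]]
            return self._challenge(common[0]) if common else self._reject()
        if eap.kind == "EAP-Response":
            expected = self.users.get(eap.body["identity"], "")
            if expected and hmac.compare_digest(expected, eap.body["secret"]):
                return Msg("RADIUS Access-Accept", {"eap": Msg("EAP-Success")})
        return self._reject()

    @staticmethod
    def _challenge(method: str) -> Msg:
        return Msg("RADIUS Access-Challenge",
                   {"eap": Msg("EAP-Request", {"method": method})})

    @staticmethod
    def _reject() -> Msg:
        return Msg("RADIUS Access-Reject", {"eap": Msg("EAP-Failure")})


class Authenticator:
    """Switch port: relays EAP between supplicant and server, gates traffic."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.port_state = UNAUTHORIZED  # step 1: new supplicant -> unauthorized

    def accept_data(self, frame_type: str) -> bool:
        """Only EAPOL passes while unauthorized; IP (and so TCP/UDP) is dropped."""
        return self.port_state == AUTHORIZED or frame_type == "EAPOL"

    def from_supplicant(self, frame: Msg) -> Optional[Msg]:
        if frame.kind == "EAPOL-Start":   # step 2: supplicant (re)starts authentication
            return Msg("EAP-Request/Identity")
        if frame.kind == "EAPOL-Logoff":  # session over: block non-EAP traffic again
            self.port_state = UNAUTHORIZED
            return None
        # Every EAP response is encapsulated in a RADIUS Access-Request.
        reply = self.server.handle(Msg("RADIUS Access-Request", {"eap": frame}))
        if reply.kind == "RADIUS Access-Accept":
            self.port_state = AUTHORIZED   # step 4: open the port to normal traffic
        elif reply.kind == "RADIUS Access-Reject":
            self.port_state = UNAUTHORIZED
        return reply.body["eap"]  # de-encapsulated EAP, sent on as an EAPOL frame


def run_session(supp: Supplicant, auth: Authenticator) -> Tuple[str, List[str]]:
    """Drive one authentication; return the final port state and EAP transcript."""
    transcript: List[str] = []
    msg = auth.from_supplicant(Msg("EAPOL-Start"))
    while msg is not None:
        transcript.append(msg.kind)
        resp = supp.respond(msg)
        if resp is None:
            break
        transcript.append(resp.kind)
        msg = auth.from_supplicant(resp)
    return auth.port_state, transcript
```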
802.2 Logical Link Control
§ Defines Logical Link Control (LLC), which is the upper portion of the data link layer of the OSI Model.
§ The LLC sublayer presents a uniform interface to the user of the data link service, usually the network layer.
§ Beneath the LLC sublayer is the Media Access Control (MAC) sublayer, which is dependent on the particular medium being used (Ethernet, token ring, FDDI, 802.11, etc.).
802.3 Ethernet
§ A group of standards that define the physical network media and bandwidth of the network.
• Bandwidth: The amount of data that can be transmitted over a given period of time. Examples: 100 Mbps or 1 Gbps
• Type of cable supported: Twisted Pair Cabling (Cat5, 6), fiber optic cable (multimode and single mode) and coax.
- Cat 6: 1 Gbps at 100 m, 10 Gbps at 33 m
• Implements Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
802.4 Token Bus
§ Network implementing the token ring protocol over a "virtual ring" on a coaxial cable.
§ Disbanded and standard withdrawn
802.5 Token Ring
§ Defines the MAC layer for token ring networks.
§ Initially token ring was a proprietary technology of IBM
§ Maximum bandwidth 15Mbps.
§ No current research being conducted.
802.6 MAN
§ A Metropolitan Area Network (MAN) is a computer network larger than a local area network, covering an area of a few city blocks to the area of an entire city.
• MAN links between local area networks have been built with wireless links using either microwave, radio, or infra-red laser transmission.
• Most companies rent or lease circuits from common carriers because laying long stretches of cable is expensive.
• Some wired technologies used in MANs include
- Fiber Distributed Data Interface (FDDI): provides a 100 Mbit/s optical standard for data transmission in local area networks that can extend in range up to 200 kilometers (120 mi). Although the FDDI logical topology is a ring-based token network, it did not use the IEEE 802.5 token ring protocol as its basis; instead, its protocol was derived from the IEEE 802.4 token bus timed token protocol.
- Asynchronous Transfer Mode (ATM): developed to meet the needs of the Broadband Integrated Services Digital Network, as defined in the late 1980s, and designed to unify telecommunication and computer networks.
802.11 WiFi
§ Standards relating to communication via radio frequency.

Standard   Bandwidth   Frequency   Distance
802.11a    54 Mbps     5 GHz       30 m
802.11b    10 Mbps     2.4 GHz     100 m
802.11g    54 Mbps     2.4 GHz     100 m
802.11n    600 Mbps    2.4/5 GHz   250 m
802.11ac   6.77 Gbps   2.4/5 GHz   250 m
802.11 Privacy
§ Wired Equivalent Privacy (WEP)
§ Designed to approximate a wired hub-based Ethernet environment.
§ Key entered into both the access point and the clients.
• Shared by all participants in the WiFi LAN.
§ Uses a stream cipher to protect data
• Key length is the initialization vector (IV) plus the WEP key
• 128-bit WEP = 104-bit key + 24-bit IV
• 64-bit WEP = 40-bit key + 24-bit IV
- Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related-key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
- Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute.
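The "50% after 5000 packets" figure is the birthday bound for a 24-bit IV space, since the 104-bit WEP key is fixed and only the IV varies between packets. The following Python, an added example that is not from the slides, computes the exact and closed-form repeat probabilities, finds the packet count at which they cross 50%, and simulates a busy network choosing random IVs to confirm the figure; all values are computed, none are captured traffic.

```python
import math
import random
import statistics

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # 16,777,216 distinct IVs; the 104-bit key never changes


def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Exact probability that at least two of `packets` IVs drawn uniformly
    at random from `space` values coincide (the birthday problem)."""
    if packets > space:
        return 1.0
    # Multiply (1 - i/space) in log space so thousands of factors keep precision.
    log_no_repeat = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def approx_collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Closed-form estimate 1 - exp(-n(n-1)/2N) used for back-of-envelope sizing."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_probability(target: float, space: int = IV_SPACE) -> int:
    """Smallest packet count whose exact repeat probability reaches `target`."""
    n = max(1, int(math.sqrt(-2.0 * space * math.log1p(-target))))  # estimate
    while collision_probability(n, space) < target:
        n += 1
    while n > 1 and collision_probability(n - 1, space) >= target:
        n -= 1
    return n


def first_iv_repeat(rng: random.Random, space: int = IV_SPACE) -> int:
    """Simulate a station picking random IVs; return the packet number of the first reuse."""
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.randrange(space)
        if iv in seen:
            return count     # this packet reuses a keystream already sent
        seen.add(iv)


def median_first_repeat(trials: int = 200, seed: int = 1) -> float:
    """Median over `trials` simulated networks; fixed seed keeps runs repeatable."""
    rng = random.Random(seed)
    return statistics.median(first_iv_repeat(rng) for _ in range(trials))


if __name__ == "__main__":
    for n in (1000, 4823, 5000, 10000):
        print(f"{n:>6} packets: P(IV repeat) = {collision_probability(n):.3f}")
    print("packets needed for 50%:", packets_for_probability(0.5))
    print("simulated median first repeat:", median_first_repeat())
```

The same functions show why TKIP's per-packet key removes the problem: with the key changing on every packet there is no fixed keystream for a repeated IV to expose.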
802.11 Privacy (Cont)
§ WiFi Protected Access (WPA) replaced WEP.
• Firmware upgrade
• Improved implementation of RC4
• Improved implementation of IVs (TKIP)
- TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.
§ WPA2 replaced WPA
• Uses AES encryption instead of RC4
• WPA2 is mandatory for a device to bear the WiFi trademark.
802.15 Bluetooth
§ Bluetooth
• Low power, short distances
• Operates in the ISM (Industrial, Scientific, Medical) band at 2.45 GHz
• 10 meter range
• 721 Kbps bandwidth
Wireless Radio Technologies
§ Direct Sequence Spread Spectrum (DSSS): Spreads transmissions over a larger frequency band.
• The signal is less susceptible to interference at any specific frequency
• A pseudo-random noise code is modulated with the signal during transmission.
• The resulting signal resembles white noise.
• The receiver filters out the noise.
• Uses
- 802.11b
- US GPS
- Bluetooth
Wireless Radio Technologies
§ Frequency Hopping Spread Spectrum (FHSS): a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.
§ Uses
• Military communication
• Federal Aviation Administration (FAA)
Wireless Radio Technologies
§ Orthogonal Frequency Division Multiplexing (OFDM): a signal that is subdivided into frequency sub-bands.
• Each of these sub-bands can be broadcast together without interference.
• The basic idea of OFDM is to split a high bandwidth transmission into several lower bandwidth transmissions.
• Uses
- Digital TV broadcasts
- 802.11a, 802.11g, 802.11n, 802.11ac
- ADSL
- LTE, LTE Advanced
Wireless Radio Technologies
§ Frequency Division Multiple Access: Subdivides a frequency band and assigns an analog conversation to each sub-band.
• Only used in analog cellular
Wireless Radio Technologies
§ Code Division Multiple Access (CDMA)
• Similar to DSSS
• It spreads each call over a wide spectrum and tags it with a pseudo-random noise code to differentiate the calls
• CDMA2000 is a family of 3G access standards that uses CDMA channel access (typically, Far East)
Wireless Radio Technologies
§ Universal Mobile Telecommunications System Time-Division Duplexing (UMTS TDD): a third generation mobile cellular system
• data transfer rates of 2 Mbps at 5 MHz
• data transfer rates of 42 Mbps for HSPA+
Data Center
• Data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems.
• Hot Sites: “proactive” hot site allows you to keep servers and a live backup site up and running in the event of a disaster
• Warm Sites: A “preventative” warm site allows you to pre-install your hardware and pre-configure your bandwidth needs. Then, if disaster strikes, all you have to do is load your software and data to restore your business systems.
• Cold Sites: A “recovery” cold site is essentially just data center space, power, and network connectivity that’s ready and waiting for whenever you might need it.
Different Types of Networks
§ Local Area Networks (LAN) = room/building
§ Campus Area Network (CAN) = a complex of adjacent buildings
§ Metropolitan Area Networks (MAN) = a city
§ Wide Area Networks (WAN) = a large geographic area (across metropolitan, regional, national or international boundaries)
Local Area Networks
§ Usually in one building and uses twisted pair cable.
§ Usually use some form of a star topology. Sometimes a tree topology if the building is large.
• Tree topology: Linking together 2 or more star networks via fiber.
Campus Area Network
§ LANs within each facility
§ Connect LANs together with fiber optic cable in a tree topology
§ Backbone fiber optic cable is run in either a ring or a star.
§ One or more buildings will house the data center(s).
Wide Area Networks
§ Typically uses some form of leased connection
§ Dedicated Links: Establishes a constant network between endpoints.
• Hardware: Channel Service Unit/Data Service Unit (CSU/DSU)
• The endpoints have exclusive use of the circuit and bandwidth
• Integrated Services Digital Network (ISDN): Two varieties
› Basic Rate Interface (BRI): The 144 kbit/s payload rate is broken down into two 64 kbit/s bearer channels ('B' channels) and one 16 kbit/s signaling channel ('D' channel or data channel). This is sometimes referred to as 2B+D.
› Primary Rate Interface (PRI): A PRI has 23 'B' channels and 1 'D' channel for signaling.
• T-Carriers
- T1: 24 x 64 Kbps = 1.54 Mbps
- T3: 672 x 64 Kbps = 44.7 Mbps
Wide Area Networks
§ Optical Carrier (OC) Connections
• OC1: 51.84 Mbps
• OC3: 155.52 Mbps
• OC12: 622.08 Mbps
• OC48: 2.488 Gbps
• OC96: 4.977 Gbps
• OC192: 9.953 Gbps
• OC3072: 160 Gbps
Wide Area Networks
§ Metropolitan Ethernet Circuit (Metro E): Provides a cheap Ethernet (802.3) handoff to the customer.
• Speeds up to 10 Gbps
• Very simple to implement
• The current industry standard for dedicated circuits.
Wide Area Network Packet Switched Networks
§ Packet Switching: Devices transport packets via a shared single point-to-point or point-to-multipoint link across a carrier internetwork.
• X.25: One of the first WAN protocols
- Basis for many WAN protocols that followed
- Based on rigorous error correction.
- Not really used today.
• Frame relay is a standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it may be used today in the context of many other network interfaces.
- Began as a stripped-down version of the X.25 protocol, releasing itself from the error-correcting burden most commonly associated with X.25. When frame relay detects an error, it simply drops the offending packet.
Commercial vs. Open Source Firewalls
Commercial:
• Available for purchase
• Installs onto your own hardware or operating system
• Provides network-level security services
Open Source:
• Free
• Source code available for review
• Not always reliable or trustworthy
Appliance/Hardware Firewalls
§ Dedicated hardware device specifically built and hardened to support firewall software
§ Does not require additional hardware or software for deployment
§ Needs network connections and a power connection
§ Has dedicated hardware resources not shared with other services
§ Can protect a single system or an entire network
Appliance/Hardware Firewall Examples
§ Barracuda
§ Cisco
§ D-Link
§ Fortinet
§ Juniper Networks
§ Linksys (owned by Cisco)
§ NetGear
§ SonicWALL
§ WatchGuard
§ ZyXEL
Virtual Firewalls
§ Includes:
• Virtualized software firewalls that provide filtering services for a standard physical network
• Firewalls running between virtualized client and server operating systems
§ Benefits: Rapid development, quick prototyping, isolation, traffic management, quick recoveries, testing
Firewall Design and Implementation Guidelines
§ Suitability: Can the firewall implement the policy?
§ Flexibility: Is it easily reconfigurable?
§ Training: Is training required? What is the cost?
§ Need: Make a list of traffic you want to allow, filter, or block (see organization's security policy).
§ Risk: Make a separate list of all the risks in the network based on the traffic allowed.
§ Cost: How much will everything cost?
Firewall Topology: Simple Solution
Firewall Topology: DMZ
Firewall Topology: Multi-homed Firewall for Perimeter
Personal/SOHO Firewall Options
§ Native firewall built in to operating system
§ Third-party software firewall
• Commercial or open source
§ Router/wireless access point firewall settings
§ Hardware/appliance firewall
§ Virtual firewall
Selecting a Firewall: Desirable Characteristics
§ Security Assurance
§ Privilege Control
§ Authentication
§ Auditing
§ Flexibility
§ Performance
§ Scalability
SmoothWall Features
§ Open source, Linux-based
§ Highly compatible (hardware and systems)
§ Remote access, POP3 e-mail antivirus proxy, Web proxy, Snort IDS
§ Inline proxy support for instant messaging and VoIP with logging capabilities
§ Bandwidth management
§ Outbound traffic blocking with time-based controls
Additional Features of SmoothWall
§ Port forwarding
§ External service access
§ DMZ pinhole
§ PPP settings
§ IP block
Installing SmoothWall: Network Zones
Color    Zone                      Description
Green    Trusted                   Client local network
Orange   Filtered/Special Purpose  DMZ, other
Purple   Wireless                  Wireless client
Red      Internet                  External
Hardware Requirements for SmoothWall
§ Processor running 166 MHz or greater
§ 512 MB PC133 synchronous dynamic random access memory (SDRAM)
§ 20 GB hard drive
§ Two NICs
SmoothWall Topology
A typical SmoothWall network interface setup.
SmoothWall Topology
A typical SmoothWall setup with a switch.
Managing the Firewall on an ISP Connection Device
1. Enter IP address of device into a Web browser
2. If wireless router, change the Service Set Identifier (SSID)
3. Limit the number of connections
4. Block unnecessary ports
5. Test configuration at http://www.grc.com
• Free ShieldsUP! port scanning tool
Ports to Permit
§ Port 25—SMTP (outbound mail)
§ Port 53—DNS
§ Port 80—http
§ Port 110—POP (initiate request for inbound mail)
§ Port 443—https
§ Ports 465 and 995—SMTP and POP
§ Ports 1024–1035—DCOM ports for downloading files
Ports to Forward
§ Ports 20 and 21—ftp-data and ftp
§ Port 23—telnet
§ Port 53—DNS
§ Port 80—http
§ Ports 81 and 82—"overflow" for port 80
§ Ports 137, 138, 139—netbios
§ Port 443—https
§ Port 445—netbios for Windows 2000 and later
§ Port 3074—Xbox game port
Configuring SmoothWall
1. Log in
2. Update
3. Enable services
4. Create rules
5. Configure QoS
Testing SmoothWall
Run attacks
Check Internet access
Check client access
Check client access to firewall
Troubleshooting SmoothWall
§ Ensure that SSH is enabled and that port 22 or 222 is open
§ Use ping, traceroute, and tcpdump
§ Check whether a crossover cable is needed
• Green interface may or may not need to be a crossover cable
Windows Firewall with Advanced Security
§ Available in Windows 7
§ Configuration settings for Work, Home, and Public connections
§ Password-protected homegroup or workgroup
§ More granular control and configuration management interface
§ More extensive logging
§ May be managed from a command line
What Kind of Firewall Is Right for an Organization?
§ Small organization: proxy implementation
• Packet filtering or application-level firewall
§ Big organization: hybrid system
• Application-level firewall and packet filtering
§ Big organization with subnets
• Packet filtering through routers
Windows Firewall with Advanced Security
Choosing a Personal/SOHO Firewall
§ Windows: Consider native operating system firewall first
• Free
• Built-in
§ Linux: Consider free, open source options first
• Ipchains, iptables, PF, Netfilter, Vyatta
Tips for Choosing a Personal/SOHO Firewall
§ Consider firewalls hosted by ISP connection devices or wireless access point
§ Explore commercial firewalls and appliances if other options:
• Fail to provide required security
• Present management difficulties as complexity of network grows
What to Protect and Why
§ Servers
§ Clients
§ Information/Data
§ Other Resources
§ Network
Virtual Lab
§ Attacking a Virtual Private Network
Required Reading
§ Chapters 10 & 13