Discussion -6

profileNicholas_9097
Lecture6-netsec_ppt08_l06.pptx

Network Security, Firewalls,

and VPNs

Lesson 6

Firewall Implementation Options

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

1

Ethernet Color Standards

URL of above graphics: https://www.joncamfield.com/oss/schooltools/Reference/EthernetCabling.htm

T-568A Standard

T-568B Standard

Crossover Cable

Diagram of Wiring

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Network Topologies

Network topology: is the name given to the way in which the devices (called nodes) are physically connected in a network.

The network topology chosen typically dictates:

the type of cabling used in the network

The scalability of the network

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Bus Topology

Nodes are connected to a main (bus) cable. If data is being sent sent between nodes then other nodes cannot transmit.  If too many nodes are connected then the transfer of data slows dramatically as the nodes have to wait longer for the bus to be clear.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Bus Topology (cont)

Advantages:

The simplest and cheapest to install and extend.

Well suited for temporary networks with not many nodes.

Very flexible as nodes can be attached or detached without disturbing the rest of the network.

Failure of one node does not affect the rest of the bus network.

Simpler than a ring topology to troubleshoot if there is a cable failure because sections can be isolated and tested independently.

Disadvantages:

If the bus cable fails then the whole network will fail.

Performance of the network slows down rapidly with more nodes or heavy network traffic.

The bus cable has a limited length and must be terminated properly at both ends to prevent reflected signals.

Slower than a ring network as data cannot be transmitted while the bus is in use by other nodes.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Ring Topology

In a ring topology, the nodes are connected in a ring and data travels in one direction using a control signal called a 'token'.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Ring Topology (cont)

Advantages:

Not greatly affected by adding further nodes or heavy network traffic as only the node with the 'token' can transmit data so there are no data collisions.

Relatively cheap to install and expand.

Disadvantages:

Slower than a star topology under normal load.

If the cable fails anywhere in the ring then the whole network will fail.

If any node fails then the token cannot be passed around the ring any longer so the whole network fails..

The hardest topology to troubleshoot because it can be hard to track down where in the ring the failure has occurred.

Harder to modify or expand because to add or remove a node you must shut down the network temporarily.

In order for the nodes to communicate with each other they must all be switched on.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Star Topology

In this type of network, a central computer (server) usually forms the main node and the subsidiary nodes are connected to it and to each other through a switch or hub.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Star Topology (cont)

Advantages:

The most reliable because the failure of a node or a node cable does not affect other nodes.

Simple to troubleshoot because only one node is affected by a cable break between the switch and the node.

Adding further nodes does not greatly affect performance because the data does not pass through unnecessary nodes.

Easily upgraded from a hub to a switch for higher performance. Easy to install and to expand with extra nodes.

Disadvantages:

Uses the most cable which makes it more expensive to install than the other two topologies.

The extra hardware required such as hubs or switches further increases the cost.

As the central computer controls the whole system, the whole system will be affected if it breaks down or if the cable link between it and the switch fails.

If the switch, the link to the server or the server itself fails then the whole network fails.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Network Topologies Summary

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

IEEE

IEEE stands for the "Institute of Electrical and Electronics Engineers".

composed of computer scientists, software developers, information technology professionals, physicists, and medical doctors, in addition to IEEE's electrical and electronics engineering core.

For this reason the organization no longer goes by the full name, except on legal business documents, and is referred to simply as IEEE.

The IEEE is dedicated to advancing technological innovation and excellence. It has about 425,000 members in about 160 countries.

The IEEE is one of the leading bodies to produce standards relating to networking.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

IEEE 802 Standards

IEEE 802 refers to a family of standards dealing with local area networks (LAN), wide-area networks (WAN) and metropolitan area networks (MAN).

The 802 number is the name of the IEEE committee that deals with networking standards

Various subcommittees have been created to deal with specific standards. They are denoted by 802.x where x is the number of the subcommittee.

For instance, 802.11 deals with WiFi.

802 typically deals with OSI layers 2 and 1.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.1

802.1 Bridging and Network Management

802.1q Virtual Local Area Networks (VLAN)

In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers.

Traffic is marked (or tagged) to be a part of a specific VLAN

Traffic stays within its own VLAN and must be routed to other VLANs.

In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.1x

802.1x Port Based Security

It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

The supplicant is a client device (such as a laptop) that wishes to attach to the LAN

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized.

The authentication server determines if the supplicants credentials provided to the authenticator are valid. If they are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.1x (cont)

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.1x Process

On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.

To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.

The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or do an NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.

If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.2 Logical Link Control

Defines Logical Link Control (LLC), which is the upper portion of the data link layer of the OSI Model.

The LLC sublayer presents a uniform interface to the user of the data link service, usually the network layer.

Beneath the LLC sublayer is the Media Access Control (MAC) sublayer, which is dependent on the particular medium being used (Ethernet, token ring, FDDI, 802.11, etc.).

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.3 Ethernet

A group of standards that define the physical network media and bandwidth of the network.

Bandwidth: The amount of data that can be transmitted over a given period of time. Examples: 100Mbps or 1Gbps

Type of cable supported: Twisted Pair Cabling (Cat5,6), Fiber optic cable (multimode and single mode) and coax.

Cat 6:1Gbps at 100M, 10Gbps at 33M

Implements Carrier Sense Multiple Access with Collision Detection (CSMA/CD)

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.4 Token Bus

Network implementing the token ring protocol over a "virtual ring" on a coaxial cable.

Disbanded and standard withdrawn

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.5 Token Ring

Defines the MAC layer for token ring networks.

Initially token ring was a proprietary technology of IBM

Maximum bandwidth 15Mbps.

No current research being conducted.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.6 MAN

A Metropolitan Area Network (MAN) is computer network larger than a local area network, covering an area of a few city blocks to the area of an entire city.

MAN links between local area networks have been built with wireless links using either microwave, radio, or infra-red laser transmission.

Most companies rent or lease circuits from common carriers because laying long stretches of cable is expensive.

Some wired technologies used in MANs include

Fiber Distributed (FDDI): provides a 100 Mbit/s optical standard for data transmission in local area network that can extend in range up to 200 kilometers (120 mi). Although FDDI logical topology is a ring-based token network, it did not use the IEEE 802.5 token ring protocol as its basis; instead, its protocol was derived from the IEEE 802.4 token bus timed token protocol.

Asynchronous Transfer Mode (ATM):developed to meet the needs of the Broadband Integrated Services Digital Network, as defined in the late 1980s, and designed to unify telecommunication and computer networks.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.11 WiFi

Standards relating to communication via radio frequency.

Standard Bandwidth Frequency Distance

802.11a 54Mbps 5Ghz 30M

802.11b 10Mbps 2.4Ghz 100M

802.11g 54Mbps 2.4Ghz 100M

802.11n 600Mbps 2.4/5Ghz 250M

802.11ac 6.77Gbps 2.4/5Ghz 250M

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.11 Privacy

Wired Equivalent Privacy (WEP)

Designed to approximate wired hub-based Ethernet environment.

Key entered into both the access point and the clients.

All participants in the WiFi LAN.

Uses a stream cipher to protect data

Key length is the initialization vector (IV) plus the WEP key

128 bit WEP = 104b key + 24 bit IV

64 bit WEP = 40b key + 24b IV

Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.

Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.11 Privacy (Cont)

WiFi Protected Access (WPA) replaced WEP.

Firmware upgrade

Improved implementation of RC4

Improved implementation of Ivs. (TKIP)

TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

WPA2 replaced WPA

Uses AES encryption instead of RC4

WPA2 is mandatory for a device to bear the WiFi trademark.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

802.15 Bluetooth

Bluetooth

Low power, short distances

Operates at the ISM (Industry, Scientific, Medical) band at 2.45Ghz

10Meter range

721Kbps bandwidth

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wireless Radio Technologies

Direct Sequence Spread Spectrum (DSSS): Spreads transmissions over a larger frequency band.

The signal is less susceptible to interference at any specific frequency

A pseudo-random noise code is modulated with the signal during transmission.

The resulting signal resembles white noise.

The receiver filters out the noise.

Uses

802.11b

US GPS

Bluetooth

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wireless Radio Technologies

Frequency Hopping Spread Spectrum (FHSS): a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.

Uses

Military communication

Federal Aviation Administration (FAA)

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wireless Radio Technologies

Orthogonal Frequency Division Multiplexing (OFDM): a signal that is subdivided into frequency sub bands.

Each of these sub bands can be broadcast together without interference.

The basic idea of OFDM is to split a high bandwidth transmission into several lower bandwidth transmissions.

Uses

Digital TV broadcasts

802.11a, 802.11g, 802.11n, 802.11ac

ADSL

LTE, LTE Advanced

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wireless Radio Technologies

Frequency Division Multiple Access: Subdivides a frequency band and assigns an analog conversation to each sub-band.

Only used in analog cellular

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wireless Radio Technologies

Code Division Multiple Access (CDMA)

Similar to DSSS

It spreads each call over a wide spectrum and and is tagged with pseudo-random noise code to differentiate the calls

CDMA2000 Is a family of 3G access that uses CDMA channel access (typically, far east)

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wireless Radio Technologies

Universal Mobile Telecommunications System Time0Dvision Duplexing (UMTS TDD): a third generation mobile cellular system

data transfer rates of 2 Mbps at 5Mhz

data transfer rates of 42 Mbps for HSPA+

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Data Center

Data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems.

Hot Sites: “proactive” hot site allows you to keep servers and a live backup site up and running in the event of a disaster

Warm Sites: A “preventative” warm site allows you to pre-install your hardware and pre-configure your bandwidth needs. Then, if disaster strikes, all you have to do is load your software and data to restore your business systems.

Cold Sites: A “recovery” cold site is essentially just data center space, power, and network connectivity that’s ready and waiting for whenever you might need it.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Different Types of Networks

Local Area Networks (LAN) = room/building

Campus Area Network (CAN) = a complex of adjacent buildings

Metropolitan Area Networks (MAN) = a city

Wide Area Networks (WAN) = a large geographic area (across metropolitan, regional, national or international boundaries)

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Local Area Networks

Usually in one building and uses twisted pair cable.

Usually use some form of a star topology. Sometimes a tree topology if the building is large.

Tree topology: Linking together 2 or more star networks via fiber.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Campus Area Network

LANs within each facility

Connect LANs together with fiber optic cable in a tree topology

Backbone fiber optic cable cable is either ran in a ring or star.

One or more buildings will house the data center(s).

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wide Area Networks

Typically uses some form of leased connection

Dedicated Links: Establishes a constant network between endpoints.

Hardware: Channel Service Unit Data Service Unit (CSU/DSU)

The endpoints have exclusive use of the circuit and bandwidth

Integrated Services Digital Network (ISDN): Two varieties

Basic Rate Interface (BRI): The 144 kbit/s payload rate is broken down into two 64 kbit/s bearer channels ('B' channels) and one 16 kbit/s signaling channel ('D' channel or data channel). This is sometimes referred to as 2B+D.

Primary Rate Interface (PRI):A PRI has 23 'B' channels and 1 'D' channel for signaling.

T-Carriers

T1: 24x64Kbps = 1.54Mbps

T3: 672x64kbps = 44.7Mbps

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wide Area Networks

Optical Carrier (OC) Connections

OC1: 51.84Mbps

OC3: 155.52Mbps

OC12: 622.08Mbps

OC48: 2.488Gbps

OC96: 4.977Gbps

OC192: 9.953Gbps

OC3072: 160Gbps

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wide Area Networks

Metropolitan Ethernet Circuit (Metro E): Provides a cheap Ethernet (802.3) handoff to the customer.

Speeds up to 10Gbps

Very simple to implement

The current industry standard for dedicated circuits.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Wide Area Network Packet Switched Networks

Packet Switching: Devices transport packets via a shared single point-to-point or point-to-multipoint link across a carrier internetwork.

X.25: One of the first WAN protocols

Basis for many WAN protocols that followed

Based on rigorous error correction.

Not really used today.

Frame relay is a standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it may be used today in the context of many other network interfaces

Began as a stripped-down version of the X.25 protocol, releasing itself from the error-correcting burden most commonly associated with X.25. When frame relay detects an error, it simply drops the offending packet.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Commercial vs. Open Source Firewalls

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

40

Commercial

Available for purchase

Open Source

Free

Installs onto your own hardware or operating system

Provides network-level security services

Source code available for review

Not always reliable or trustworthy

Appliance/Hardware Firewalls

Dedicated hardware device specifically built and hardened to support firewall software

Does not require additional hardware or software for deployment

Needs network connections and a power connection

Has dedicated hardware resources not shared with other services

Can protect a single system or an entire network

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

41

Appliance/Hardware Firewall Examples

Barracuda

Cisco

D-Link

Fortinet

Juniper Networks

Linksys (owned by Cisco)

NetGear

SonicWALL

WatchGuard

ZyXEL

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

42

Virtual Firewalls

Includes:

Virtualized software firewalls provide filtering services for a standard physical network

Firewalls running between virtualized client and server operating systems

Benefits: Rapid development, quick prototyping, isolation, traffic management, quick recoveries, testing

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

43

Firewall Design and Implementation Guidelines

Suitability: Can the firewall implement the policy?

Flexibility: Is it easily reconfigurable?

Training: Is training required? What is the cost?

Need: Make a list of traffic you want to allow, filter, or block (see organization’s security policy).

Risk: Make a separate list of all the risks in the network based on the traffic allowed.

Cost: How much will everything cost?

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

These are examples only. Every organization’s needs differ.

3/22/18

44

Firewall Topology: Simple Solution

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

45

Firewall Topology: DMZ

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

46

Firewall Topology: Multi-homed Firewall for Perimeter

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

47

Personal/SOHO Firewall Options

Native firewall built in to operating system

Third-party software firewall

Commercial or open source

Router/wireless access point firewall settings

Hardware/appliance firewall

Virtual firewall

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

48

Selecting a Firewall: Desirable Characteristics

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

49

Security Assurance

Privilege Control

Authentication

Auditing

Flexibility

Performance

Scalability

SmoothWall Features

Open source, Linux-based

Highly compatible (hardware and systems)

Remote access, POP3 e-mail antivirus proxy, Web proxy, Snort IDS

Inline proxy support for instant messaging and VoIP with logging capabilities

Bandwidth management

Outbound traffic blocking with time-based controls

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

50

Additional Features of SmoothWall

Port forwarding

External service access

DMZ pinhole

PPP settings

IP block

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Port forwarding—Forward ports from firewall to a machine inside the green or orange zones. Hides Web servers behind a single IP address.

External service access—Access any services running on the SmoothWall machine by opening the ports you need.

DMZ pinholes—Opens a pinhole from the DMZ to the green zone. Useful if external servers need to communicate with servers inside the green zone.

PPP settings—Allows you to set up profiles, configure modems, use dial on demand.

IP block—Bans specific IP addresses or ranges.

3/22/18

51

Installing SmoothWall: Network Zones

Color Zone Description
Green Trusted Client local network
Orange Filtered/Special Purpose DMZ, other
Purple Wireless Wireless client
Red Internet External

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

52

Hardware Requirements for SmoothWall

Processor running 166 MHZ or greater

512 MB PC133 synchronous dynamic random access memory (SDRAM)

20 GB hard drive

Two NICs

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

53

SmoothWall Topology

A typical SmoothWall

network interface setup.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

54

SmoothWall Topology

A typical SmoothWall setup with a switch.

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

55

Managing the Firewall on an ISP Connection Device

Enter IP address of device into a Web browser

If wireless router, change the Service Set Identifier (SSID)

Limit the number of connections

Block unnecessary ports

Test configuration at http://www.grc.com

Free ShieldsUP! port scanning tool

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

56

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

57

Ports to Permit

Port 25—SMTP (outbound mail)

Port 53—DNS

Port 80—http

Port 110—POP (initiate request for inbound mail)

Port 443—https

Ports 465 and 995—SMTP and POP

Port 1024–1035—DCOM ports for downloading files

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

58

Ports to Forward

Ports 20 and 21—ftp-data and ftp

Port 23—telnet

Port 53—DNS

Port 80—http

Ports 81 and 82—“overflow” for port 80

Ports 137, 138, 139—netbios

Port 443—https

Port 445—netbios for Windows 2000 and later

Port 3074—Xbox game port

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

59

Configuring SmoothWall

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Log in to management interface

Update software

Enable additional services, if necessary

Create inbound and outbound rules

Configure QoS

3/22/18

60

Log in

Update

Enable services

Create rules

Configure QoS

Testing SmoothWall

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

1. Enable Snort IDS and run a few attacks against the firewall over the red interface

- Can use Nmap, the Metasploit framework, or other port scanning and attacking tools

- Check Snort and firewall logs; SmoothWall IP Lookup for origin of attacker

2. Test firewall's ability to access Internet resources

3. Test client access with ping command

4. Test client’s ability to traverse the firewall

3/22/18

61

Run attacks

Check Internet access

Check client access

Check client access to firewall

Troubleshooting SmoothWall

Ensure that SSH is enabled and that port 22 or 222 is open

Use ping, traceroute, and tcpdump

Check whether crossover cable is needed

Green interface may or may not need to be a crossover cable

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

62

Windows Firewall with Advanced Security

Available in Windows 7

Configuration settings for Work, Home, and Public connections

Password-protected homegroup or workgroup

More granular control and configuration management interface

More extensive logging

May be managed from a command line

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

63

What Kind of Firewall Is Right for an Organization?

Small organization: proxy implementation

Packet filtering or application-level firewall

Big organization: hybrid system

Application-level firewall and package filtering

Big organization with subnets

Packet filtering through routers

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

These are examples only. Every organization’s needs differ.

3/22/18

64

Windows Firewall with Advanced Security

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

65

Choosing a Personal/SOHO Firewall

Windows: Consider native operating system firewall first

Free

Built-in

Linux: Consider free, open source options first

Ipchains, iptables, PF, Netfilter, Vyatta

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

66

Tips for Choosing a Personal/SOHO Firewall

Consider firewalls hosted by ISP connection devices or wireless access point

Explore commercial firewalls and appliances if other options:

Fail to provide required security

Present management difficulties as complexity of network grows

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

67

What to Protect and Why

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

68

Network

Servers

Clients

Information/ Data

Other Resources

Virtual Lab

Attacking a Virtual Private Network

Chapters 10 & 13

Required Reading

Page ‹#›

Network Security, Firewalls, and VPNs

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3/22/18

69