Firewalls
Packet filter between proxy server and Internet
Helps shield internal users from external hosts; prevents direct connections between internal network and Internet; good for small networks
Hide-Mode Mapping
Hiding private IP addresses behind one public address
Bastion host
Computer on perimeter that is hardened with OS patches, authentication, and encryption; provides additional network security and other services. Honeypot: draws attackers away from critical systems
Hardware Firewalls
Runs on unconventional OS. Example: Cisco hardware firewalls may run on Cisco's Internetwork Operating System (IOS)
Why use a proxy server
Speed up network communications; reduce load on Web server; provide security at application layer; shield hosts on internal network; control Web sites users are allowed to access; can configure to disable services users do not need (default settings can open security holes)
Approaches to Packet Filtering
Stateless and stateful
Proxy servers can perform stateful packet filtering on their own
Places more demands on host computer
Packet-filtering devices placed at either end of the demilitarized zone (DMZ)
Filter on DMZ's external interface allows Internet users to access DMZ servers but not internal LAN; filter on internal interface allows internal users to access DMZ servers but not connect to Internet. Good for large companies with public Web servers
All firewalls handle these core functions
Filtering, proxying, logging. Extra features: caching, address translation, content filtering, antivirus, intrusion detection
What Firewalls Are Not
Firewalls are not a standalone solution. An integrated security system should include: strong security policy and employee education; antivirus software; intrusion detection systems (IDSs); access control; auditing
Proxy server and what it does
Forwards packets to and from network; caches Web pages to speed up network performance; may be the only firewall except the router in some networks. Provides effective protection because it works at OSI's application layer, whereas firewalls work at lower levels and mainly interpret TCP/IP header information
Free firewall programs: advantages and disadvantages
Good for small businesses/networks. Advantages: convenience and simplicity; unbeatable cost. Disadvantages: not robust; difficult to configure; might not have full monitoring capabilities. Examples: Netfilter, ZoneAlarm (free version)
Proxy server: advantages and disadvantages
Advantages: examines contents of packets and filters on content; shields internal host IP; caches Web pages for faster access; provides a single point of logging. Disadvantages: can be weak; can slow down network access; might require configuration of client programs to use the proxy server; provides a single point of failure
Network Address Translation (NAT)
Conceals IP addresses of internal hosts from external systems; private IP addressing conserves public IP addresses. Hide-mode: maps multiple IP addresses to one address. Static: maps one internal IP address to one public address
What is a proxy server
Forwards packets to and from network; caches Web pages to speed up performance; prevents direct connections between internal hosts and Internet; works at OSI application layer
Choosing a proxy server: basic types
Freeware proxy servers; commercial proxy servers; firewall with proxy server function
What is a firewall
hardware or software to block unauthorized access to a network
Software-based firewalls: advantages and disadvantages
Advantages: cost-effective; can be used in several locations. Disadvantages: requires skill for configuration; requires regular maintenance and updates
What are the advantages and disadvantages of using stateful firewalls
Advantages: inexpensive or free. Disadvantages: cumbersome to maintain; vulnerable to IP spoofing attacks: ports above 1023; packets handled separately; no form of authentication
One packet filter between Internet and a host
All inbound and outbound traffic must be accounted for in packet filter's rule base; good for simple home network
Firewall with proxy server functions
All-in-one program. Consider using a coordinated network defense layer to provide backup: ISA and Cisco PIX
Commercial proxy servers
Caching, translation, traditional firewall functions. Example: Microsoft ISA Server
Hybrid Firewalls
Combines aspects of software and hardware firewalls into one package
Bastion host
Computer on network perimeter that has been specially protected with OS patches, authentication, and encryption; protects computers that host security software. Should be hardened by: eliminating unnecessary software and services; closing potential openings; protecting information with encryption and authentication
Honeypots
Computer placed on network perimeter to attract attackers so that they stay away from critical servers
Stateless Packet Filtering
Determines whether to allow or block packets based on information in protocol headers: IP address, ports and sockets, ACK bits
What are the disadvantages of hide-mode mapping
Disadvantages: performance may degrade as connections increase; does not work with some types of VPNs; cannot provide other services with same address
What are the advantages of hide-mode mapping
Enables multiple computers to connect to Internet with one public address; sets up firewall for internal network
Explain what firewalls cannot do
Hardware or software that can be configured to block unauthorized access to a network. Cannot protect against employees sending proprietary information out of the organization (use strong security policy and access controls); cannot protect against connections that bypass it, such as remote dial-up connections (use VPN)
In what two ways is NAT implemented
Implemented in two ways: hide-mode mapping and static mapping
Static mapping
Internal IP addresses are mapped to external routable IP addresses on a one-to-one basis; internal addresses are still hidden; computers appear to have public IP addresses; both addresses are static
How Web servers work (with a proxy)
Interprets source as proxy server's IP address; sends response to proxy server
Stateful Packet Filtering
Keeps record of connections with state table; allows packets only from connected external hosts listed in table; if connection is not found in table, packet is dropped
NAT
Network Address Translation (NAT) shields IP addresses of internal hosts; only NAT-enabled router or firewall has public IP address; more difficult for attackers to exploit computers. Implemented in two ways
Freeware proxy servers
Offer a specific function; provide content filters. Example: Squid Proxy for Linux
Hardening the Bastion Host
Only keep minimum number of services and open ports available; disable IP forwarding unless bastion host is functioning as a router; do not disable dependency services (services the system needs to function correctly); stop services one at a time to determine effect; incorporate change management (document each change and reaction to change); delete or disable all user accounts from bastion host; rename Administrator account and use passwords of at least six to eight alphanumeric characters. Bastion host is the most likely system to be attacked, so take proactive steps to secure it
Proxy server
Processes response and replaces IP header sent by Web server; sends requested Web page to user computer
How Proxy Servers Work
Receives request from user's Web browser; strips off packet header, replaces it with own public source IP address, and sends it
General steps for creating a bastion host
Select machine with adequate memory and processing speed; choose and install OS and any patches and updates; place bastion host in appropriate network environment; install or modify services; remove unnecessary services and accounts; back up system, data, and log files; conduct a security audit; connect system to network
What are the types of firewall that exist
Software: freeware, shareware, commercial. Hardware: more expensive, but can handle more traffic. Hybrid: combines scalability of hardware with content filtering of software
Hardware firewalls compared to software firewalls
Usually more scalable; can handle more data with faster throughput; more expensive