
AN INTRODUCTION TO

FIREWALL
TECHNOLOGY
A LEADING TECHNOLOGY

By,
MOHAMMAD MAAZ
CS-3RD YEAR
1128410032(27)

AGENDA
What is a firewall
Why an organization needs a firewall
Features of firewall
Types of firewalls and technologies
Deploying a firewall
Disadvantages of firewalls

WHAT IS A FIREWALL ?

[Figure: the Internet on one side and the corporate site on the other, with the firewall acting as the corporate network gateway between them; traffic out to the Internet is allowed, unsolicited traffic from the Internet is blocked]

A firewall :

Acts as a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
Tracks and controls network communications
Decides whether to pass, reject, encrypt, or log communications (Access Control)

WHY FIREWALLS ARE NEEDED

Prevent attacks from untrusted networks


Protect data integrity of critical information
Preserve customer and partner confidence

GENERAL FIREWALL FEATURES

Port Control
Network Address Translation
Application Monitoring (Program Control)
Packet Filtering

ADDITIONAL FIREWALL FEATURES


Data encryption (VPN)
Hiding the presence of hosts (no response to probes)
Reporting/logging
E-mail virus protection
Pop-up ad blocking
Cookie filtering
Spyware protection, etc.

EVOLUTION OF FIREWALLS

Stage of evolution: Packet Filter -> Application Proxy -> Stateful Inspection

PACKET FILTER

Packets examined at the network layer: source and destination IP address, protocol, and the transport-layer port numbers carried in the header
Useful first line of defense; commonly deployed on routers as access control lists
Simple accept or reject decision model, one packet at a time
No awareness of higher protocol layers or of connection state, so return traffic has to be permitted by static rules
[Figure: OSI seven-layer stack (Physical to Applications), with the packet filter's inspection point highlighted at the Network layer]

APPLICATION GATEWAY OR PROXY

Packets examined at the application layer: the proxy terminates the client's connection and opens its own connection to the server
Application/content filtering is possible, for example preventing FTP put (STOR) commands
Modest performance, since every connection is fully reassembled and relayed
Scalability limited; a separate proxy is needed for each protocol
[Figure: OSI seven-layer stack (Physical to Applications), with the proxy's inspection point highlighted at the Applications layer]
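The "prevent FTP put" policy above is the kind of decision only an application gateway can make, because every FTP command travels over the same TCP control port (21) and looks identical to a packet filter. The following is an added example, not code from the original slides: a minimal application-layer filter for the FTP control channel that parses each client command line the way a proxy would and refuses the commands that write to the server. The reply text, the line-length bound and the sample session are this example's own choices.

```python
# Added example (not from the original slides): application-layer filtering
# of the FTP control channel, i.e. the "prevent FTP put" policy.

UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}   # RFC 959 commands that store data on the server
DENIED_REPLY = b"550 Command not permitted by proxy policy.\r\n"  # reply wording is our own choice
MAX_LINE = 512                               # a proxy must not buffer unbounded lines


def parse_command(line: bytes):
    """Split one FTP control line into (VERB, argument).

    Returns None when the line is not a well-formed command: no CRLF
    terminator, too long, or non-ASCII bytes. FTP verbs are case-insensitive
    (RFC 959), so the verb is upper-cased before any policy lookup; matching
    on the raw bytes would let "stor" slip past a filter that only knows "STOR".
    """
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return None
    try:
        body = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return None
    verb, _, argument = body.partition(" ")
    if not verb.isalpha():
        return None
    return verb.upper(), argument


def proxy_verdict(line: bytes, allow_upload: bool = False):
    """Decide what the proxy does with one client line.

    Returns ("forward", line) to relay it to the server, ("reject", reply) to
    answer the client ourselves without contacting the server, or ("drop", None)
    for malformed input that should end the session.
    """
    parsed = parse_command(line)
    if parsed is None:
        return ("drop", None)
    verb, _argument = parsed
    if verb in UPLOAD_COMMANDS and not allow_upload:
        return ("reject", DENIED_REPLY)
    return ("forward", line)


def proxy_session(client_lines, allow_upload: bool = False):
    """Run a whole control-channel conversation through the filter.

    Returns (lines relayed to the server, replies the proxy sent back itself).
    """
    forwarded, replies = [], []
    for line in client_lines:
        action, payload = proxy_verdict(line, allow_upload)
        if action == "forward":
            forwarded.append(payload)
        elif action == "reject":
            replies.append(payload)
        else:                      # "drop": malformed line, abandon the session
            break
    return forwarded, replies


# Constructed client session: a download (RETR), two upload attempts written
# in mixed case to test case-insensitive matching, then QUIT.
CLIENT_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"RETR report.pdf\r\n",
    b"stor payload.exe\r\n",
    b"Appe notes.txt\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    relayed, blocked = proxy_session(CLIENT_LINES)
    for line in relayed:
        print("relayed:", line.rstrip().decode())
    print("blocked uploads:", len(blocked))
```

The proxy answers the rejected command itself with a 550 reply, so the server never sees it; the client keeps a working session and can still download. A packet filter watching port 21 cannot separate the RETR from the STOR.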

STATEFUL INSPECTION
Packets are intercepted in the OS kernel between the data link and network layers, before the host's IP stack processes them
State tables are created to maintain connection context, so return traffic is admitted only for connections that were opened through the policy
Term coined by Check Point (FireWall-1), which patented its INSPECT engine implementation

[Figure: OSI seven-layer stack (Physical to Applications), with the INSPECT engine and its dynamic state tables sitting between the Data Link and Network layers]
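To make the difference between the packet filter and stateful inspection concrete, here is an added example (not code from the original slides, and not Check Point's INSPECT engine): a stateless first-match filter and a small stateful engine evaluated over the same constructed packets. It shows why a stateless rule set must leave a permanent hole for return traffic, how an attacker abuses that hole by choosing source port 80, and how the state table closes it. Addresses, ports and the 60-second idle timeout are assumptions for the example.

```python
# Added example (not from the original slides): stateless packet filtering
# versus stateful inspection over the same constructed packets.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# What a filter sees in the IP and TCP/UDP headers. 'flags' carries the TCP
# flags as a string ("S" = SYN, "SA" = SYN/ACK, "A" = ACK).
Packet = namedtuple("Packet", "src sport dst dport proto flags")


def matches(rule, pkt):
    """A rule is a dict of header fields; absent fields are wildcards."""
    for field in ("src", "dst"):
        if field in rule and ip_address(getattr(pkt, field)) not in ip_network(rule[field]):
            return False
    for field in ("proto", "sport", "dport"):
        if field in rule and getattr(pkt, field) != rule[field]:
            return False
    return True


def stateless_filter(rules, pkt):
    """First matching rule wins; nothing matches means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Rules are consulted only for packets that open a connection; every
    later packet of that connection is judged by the state table."""

    def __init__(self, rules, timeout=60):
        self.rules = rules
        self.timeout = timeout
        self.table = {}          # initiator's 5-tuple -> time last seen

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def process(self, pkt, now):
        # Idle entries expire; otherwise the table only ever grows, which is
        # the resource an attacker targets when flooding a stateful device.
        self.table = {k: t for k, t in self.table.items() if now - t < self.timeout}
        for key in (self._key(pkt), self._reverse(pkt)):
            if key in self.table:          # part of a tracked connection, either direction
                self.table[key] = now
                return "allow"
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"                  # mid-stream segment with no state (e.g. an ACK scan)
        verdict = stateless_filter(self.rules, pkt)
        if verdict == "allow":
            self.table[self._key(pkt)] = now
        return verdict


# Policy: the LAN (10.0.0.0/8) may open connections to web servers.
OPEN_WEB = {"src": "10.0.0.0/8", "proto": "tcp", "dport": 80, "action": "allow"}
# The stateless filter cannot recognise replies, so it must also admit every
# inbound packet whose source port is 80. That is the hole.
REPLY_HOLE = {"dst": "10.0.0.0/8", "proto": "tcp", "sport": 80, "action": "allow"}
STATELESS_RULES = [OPEN_WEB, REPLY_HOLE]
STATEFUL_RULES = [OPEN_WEB]

# Constructed packets: a legitimate web connection and an attacker who sets
# source port 80 to reach SMB (445) on an inside host.
SYN_OUT = Packet("10.0.0.2", 49090, "203.0.113.5", 80, "tcp", "S")
SYNACK_IN = Packet("203.0.113.5", 80, "10.0.0.2", 49090, "tcp", "SA")
ATTACK_IN = Packet("198.51.100.9", 80, "10.0.0.2", 445, "tcp", "S")


def demo():
    fw = StatefulFirewall(STATEFUL_RULES, timeout=60)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in (SYN_OUT, SYNACK_IN, ATTACK_IN)],
        "stateful": [fw.process(SYN_OUT, 0), fw.process(SYNACK_IN, 1), fw.process(ATTACK_IN, 2)],
        # The same SYN/ACK arriving long after the connection went idle has no
        # state to match and is not a SYN, so it is refused.
        "stale_reply": fw.process(SYNACK_IN, 200),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: {verdicts}")
```

The stateless filter lets the attacker's SYN through because the reply hole matches on source port alone; the stateful engine has no state for it and its rules never allowed an outside host to initiate, so it is dropped. The timeout line is the practical caveat: state tables are finite, and flooding them with half-open connections is how a stateful firewall itself becomes a denial-of-service target.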

NETWORK ADDRESS TRANSLATION (NAT)

[Figure: corporate LAN using internal addresses 192.168.1.1-192.168.1.254 behind a NAT gateway whose public address is 219.22.165.1, facing the Internet]

Converts a network's private (RFC 1918, non-routable) IP addresses to legal public IP addresses
Hides the true addresses of individual hosts; an outside host cannot address them directly, which removes one avenue of attack (NAT by itself is not an access-control policy)
Allows more devices to be connected to the network than the organization has public addresses

PORT ADDRESS TRANSLATION (HIDING)

[Figure: PAT with a single global address 192.168.0.15 in front of inside hosts 10.0.0.2 and 10.0.0.3, both connecting to 172.30.0.50 on port 23]

Inside source        Destination         Translated source (PAT global)
10.0.0.2:49090       172.30.0.50:23      192.168.0.15:2000
10.0.0.3:49090       172.30.0.50:23      192.168.0.15:2001

Both inside hosts happen to use the same source port (49090); PAT gives each connection a distinct port on the one global address and keeps a table so that replies can be mapped back to the right inside host.
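The table above in working form, as an added example that is not code from the original slides: a port address translator that allocates global ports starting at 2000, rewrites outbound packets, maps replies back, and drops unsolicited inbound packets because they have no mapping. The addresses are the figure's own; 192.168.0.15 is treated here as the address on the PAT device's outside interface, and the port range and the stranger's address are assumptions.

```python
# Added example (not from the original slides): port address translation
# reproducing the figure's table.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")


class PortAddressTranslator:
    def __init__(self, global_ip, first_port=2000, last_port=65535):
        self.global_ip = global_ip
        self.next_port = first_port          # the figure starts allocating at 2000
        self.last_port = last_port
        self.outbound = {}   # (inside ip, inside port, dst ip, dst port, proto) -> global port
        self.inbound = {}    # (global port, remote ip, remote port, proto) -> (inside ip, inside port)

    def translate_out(self, pkt):
        """Rewrite an inside->outside packet; allocate a global port on first sight."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        gport = self.outbound.get(key)
        if gport is None:
            if self.next_port > self.last_port:
                # Every live connection holds a port; when the pool is gone new
                # connections fail, so real devices age out idle mappings.
                raise RuntimeError("PAT port pool exhausted")
            gport, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = gport
            self.inbound[(gport, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return pkt._replace(src=self.global_ip, sport=gport)

    def translate_in(self, pkt):
        """Rewrite an outside->inside packet, or return None when no mapping exists.

        The lookup includes the remote address and port, so only the peer an
        inside host actually talked to can use the mapping. A stranger sending
        to the global address has no entry and is dropped: this is the hiding.
        """
        if pkt.dst != self.global_ip:
            return None
        inside = self.inbound.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if inside is None:
            return None
        return pkt._replace(dst=inside[0], dport=inside[1])


def demo():
    pat = PortAddressTranslator("192.168.0.15")
    # Both inside hosts pick the same source port (49090), as in the figure.
    out_a = pat.translate_out(Packet("10.0.0.2", 49090, "172.30.0.50", 23, "tcp"))
    out_b = pat.translate_out(Packet("10.0.0.3", 49090, "172.30.0.50", 23, "tcp"))
    # The telnet server answers the second connection.
    reply_b = pat.translate_in(Packet("172.30.0.50", 23, "192.168.0.15", 2001, "tcp"))
    # Constructed unsolicited probe from an unknown host to the global address.
    probe = pat.translate_in(Packet("198.51.100.7", 4444, "192.168.0.15", 2000, "tcp"))
    # A retransmission of the first connection keeps its existing mapping.
    again_a = pat.translate_out(Packet("10.0.0.2", 49090, "172.30.0.50", 23, "tcp"))
    return out_a, out_b, reply_b, probe, again_a


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

Real implementations differ in how much of the remote endpoint they key the mapping on; keying on the full remote address and port, as here, is the strictest form and is what makes an unsolicited probe fail even when it guesses a port that is in use.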

PERSONAL FIREWALLS

Need arises from always-on connections (broadband)
The OS alone does not protect your PC adequately, so a host firewall filters traffic to and from the machine itself
Intrusion detection facilities
Different levels of security
Templates (predefined rule sets)

FIREWALL DEPLOYMENT
DMZ

[Figure: the Internet connected to the corporate site through the corporate network gateway, with the public servers in a demilitarized zone (DMZ) on a separate interface and the Human Resources network inside]

Corporate Network Gateway
Protects the internal network from attack
Most common deployment point

FIREWALL DEPLOYMENT
Corporate Network Gateway
Internal Segment Gateway

[Figure: as before, with a second firewall, the internal segment gateway, between the corporate network and the Human Resources network; the DMZ holds the publicly-accessible servers]

Internal Segment Gateway
Protects sensitive segments (Finance, HR, Product Development)
Provides a second layer of defense
Ensures protection against internal attacks and misuse

FIREWALL DEPLOYMENT
Corporate Network Gateway
Internal Segment Gateway
Server-Based Firewall

[Figure: as before, with a server-based (host) firewall running on the SAP server inside the corporate network]

Server-Based Firewall
Protects individual application servers (such as the SAP server) and the files they hold
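The three deployment diagrams describe a flow passing through up to three enforcement points: the corporate network gateway, the internal segment gateway, and a server-based firewall. The following added example (not code from the original slides) models them as successive checks on a flow's path, so that a flow is allowed only if every firewall it crosses allows it. It shows the "second layer of defense" point directly: a perimeter rule written too broadly lets a compromised DMZ host reach into the HR segment, and the internal segment gateway stops it. The zone address ranges, the SAP server address, the port numbers and the rules are assumptions made for this example.

```python
# Added example (not from the original slides): defense in depth across the
# three enforcement points of the deployment diagrams.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport proto")   # src is the initiating side

ZONES = {                       # assumed ranges; anything else is "internet"
    "dmz": "203.0.113.0/24",    # publicly reachable servers
    "corp": "10.0.0.0/16",      # general corporate network
    "hr": "10.1.0.0/24",        # sensitive segment behind its own gateway
}
SAP_SERVER = "10.0.5.10"        # assumed address of the application server with a host firewall


def zone_of(ip):
    for name, net in ZONES.items():
        if ip_address(ip) in ip_network(net):
            return name
    return "internet"


def matches(rule, flow):
    """Rule fields are optional; an absent field matches anything."""
    if "src_zone" in rule and rule["src_zone"] != zone_of(flow.src):
        return False
    if "dst_zone" in rule and rule["dst_zone"] != zone_of(flow.dst):
        return False
    if "dst" in rule and ip_address(flow.dst) not in ip_network(rule["dst"]):
        return False
    for field in ("dport", "proto"):
        if field in rule and rule[field] != getattr(flow, field):
            return False
    return True


def evaluate(rules, flow):
    for rule in rules:
        if matches(rule, flow):
            return rule["action"]
    return "deny"                  # default deny at every enforcement point


def crosses_perimeter(flow):
    zones = {zone_of(flow.src), zone_of(flow.dst)}
    return len(zones) == 2 and bool(zones & {"internet", "dmz"})


def crosses_hr_boundary(flow):
    return (zone_of(flow.src) == "hr") != (zone_of(flow.dst) == "hr")


def reaches_sap_server(flow):
    return flow.dst == SAP_SERVER


ENFORCEMENT_POINTS = [
    ("corporate gateway", crosses_perimeter, [
        {"src_zone": "internet", "dst_zone": "dmz", "dport": 443, "proto": "tcp", "action": "allow"},
        {"src_zone": "corp", "dst_zone": "internet", "dport": 443, "proto": "tcp", "action": "allow"},
        {"src_zone": "hr", "dst_zone": "internet", "dport": 443, "proto": "tcp", "action": "allow"},
        # Meant to let the DMZ web tier reach its database in corp, but written
        # too broadly: 10.0.0.0/8 also covers the HR segment.
        {"src_zone": "dmz", "dst": "10.0.0.0/8", "dport": 5432, "proto": "tcp", "action": "allow"},
    ]),
    ("internal segment gateway", crosses_hr_boundary, [
        {"src_zone": "hr", "action": "allow"},                                   # HR may initiate outward
        {"src_zone": "corp", "dst_zone": "hr", "dport": 443, "proto": "tcp", "action": "allow"},
    ]),
    ("server-based firewall (SAP)", reaches_sap_server, [
        {"src_zone": "corp", "dport": 3200, "proto": "tcp", "action": "allow"},  # application port only
    ]),
]


def path_verdict(flow):
    """A flow must be allowed by every enforcement point on its path.

    Returns ("allow", None) or ("deny", name of the first point that refuses it).
    """
    for name, on_path, rules in ENFORCEMENT_POINTS:
        if on_path(flow) and evaluate(rules, flow) == "deny":
            return ("deny", name)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed flows, including a compromised DMZ web server pivoting into HR.
    for flow in (
        Flow("198.51.100.4", "203.0.113.10", 443, "tcp"),
        Flow("203.0.113.10", "10.0.3.7", 5432, "tcp"),
        Flow("203.0.113.10", "10.1.0.20", 5432, "tcp"),
        Flow("10.0.9.5", SAP_SERVER, 22, "tcp"),
    ):
        print(flow, "->", path_verdict(flow))
```

The intended DMZ-to-database flow is allowed at the perimeter and never touches the inner gateway, while the pivot into HR passes the same over-broad perimeter rule and is refused by the internal segment gateway. The host firewall on the SAP server adds the last layer: corporate traffic to its application port is allowed, but SSH from the same network is not.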

FIREWALL DEPLOYMENT
Hardware appliance based firewall
Single platform, software pre-installed
Can be used to support small organizations or branch offices with little IT support

Software based firewall
Flexible platform deployment options
Can scale as the organization grows
DISADVANTAGES OF FIREWALLS:
Can slow down network access, since every packet is inspected (application proxies cost the most)
The firewall is a single choke point and a target in its own right: state tables and proxies can be exhausted by denial-of-service (DoS/DDoS) floods
Application proxies are not transparent to end users
Proxies may require manual configuration of each client computer

SUMMARY

Firewalls are the foundation for enforcing an enterprise security policy at network boundaries
Stateful inspection is the leading firewall technology, combining the speed of packet filtering with awareness of connection state


ANY QUESTIONS?
