Firewalls, VLANs & proxy servers
By
Neelam choudhary
IT(c-2)
2907322
Firewalls
• Sits between two networks
– Used to protect one network from the other
– It may be a hardware device or a software
program running on a secure host computer
Computer with Firewall Software
Computer running firewall software to provide
protection
What does a firewall do?
• A firewall examines all traffic routed between the two
networks to see if it meets certain criteria
• A firewall filters both inbound and outbound traffic.
• Firewalls can filter packets based on their source and
destination addresses and port numbers.
How does a firewall work?
What are the OSI and TCP/IP
Network models?
• Firewalls operate at different layers to use different criteria to
restrict traffic.
• The lowest layer at which a firewall can work is layer 3
• In the OSI model this is the network layer.
• In TCP/IP it is the Internet Protocol layer.
• At this layer a firewall can determine whether a packet is
from a trusted source or not
• Firewalls that operate at the transport layer know a little
more about a packet, and are able to grant or deny access
depending on more sophisticated criteria.
• At the application level, firewalls know a great deal about
what is going on and can be very selective in granting
access.
Professional Firewalls Have Their
Own IP Layer
What different types of firewalls
are there?
Packet Filtering Firewall
Packet filtering firewalls work at the network level of the OSI model, or
the IP layer of TCP/IP.
They are usually part of a router.
In a packet filtering firewall each packet is compared to a set of criteria
before it is forwarded.
The advantage of packet filtering firewalls is their low cost and low
impact on network performance.
Circuit level Gateway
• Circuit level gateways work at the session layer of the OSI model, or the
TCP layer of TCP/IP.
• This is useful for hiding information about protected networks.
• Circuit level gateways are relatively inexpensive
• They have the advantage of hiding information about the private network
they protect.
• On the other hand, they do not filter individual packets
Application level Gateway
• Also called proxies, they are similar to circuit-level gateways
except that they are application specific
• They can filter packets at the application layer of the OSI
model.
• They offer a high level of security, but have a significant
impact on network performance.
• They are not transparent to end users and require manual
configuration of each client computer.
Stateful Multilayer Inspection
Firewall
• Stateful multilayer inspection firewalls combine the aspects of the other
three types of firewalls
• They filter packets at the network layer, determine whether session
packets are legitimate and evaluate contents of packets at the application
layer.
• They rely on algorithms to recognize and process application layer data
instead of running application specific proxies.
• Stateful multilayer inspection firewalls offer a high level of security, good
performance and transparency to end users
• They are expensive however, and due to their complexity are potentially
less secure than simpler types of firewalls if not administered by highly
competent personnel.
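Added example (not from the slides): the session-tracking part of a stateful inspection firewall, which is what lets it "determine whether session packets are legitimate". A LAN-initiated TCP connection is recorded, its replies are admitted without a static inbound rule for every client port, and unsolicited inbound packets are denied. The LAN prefix and addresses are constructed.

```python
from typing import Dict, Set, Tuple

LAN_PREFIX = "10.0.0."   # constructed: addresses on the protected side
Conn = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)

class StatefulFirewall:
    """Tracks TCP sessions so replies to LAN-initiated connections are
    admitted without a static inbound 'allow' for every client port."""

    def __init__(self, inbound_allow: Set[Tuple[str, int]] = frozenset()):
        self.state: Dict[Conn, str] = {}          # tracked connection -> state
        self.inbound_allow = set(inbound_allow)   # (proto, dport) static rules

    def handle(self, src: str, sport: int, dst: str, dport: int,
               proto: str = "tcp", flags: str = "") -> str:
        key: Conn = (src, sport, dst, dport, proto)
        reply: Conn = (dst, dport, src, sport, proto)
        if src.startswith(LAN_PREFIX):
            # Outbound from the LAN: a SYN opens a tracked connection,
            # FIN or RST closes it; outbound traffic is permitted here.
            if "S" in flags and "A" not in flags:
                self.state[key] = "SYN_SENT"
            elif key in self.state and ("F" in flags or "R" in flags):
                del self.state[key]
            return "allow"
        if reply in self.state:
            # Inbound reply to a connection the LAN opened: legitimate.
            if "S" in flags and "A" in flags:
                self.state[reply] = "ESTABLISHED"
            return "allow"
        if (proto, dport) in self.inbound_allow:
            return "allow"        # e.g. a published web server
        return "deny"             # unsolicited inbound packet

def demo() -> list:
    """Constructed exchange: a LAN client opens a web session, the reply
    is admitted, an unrelated inbound SYN/ACK to another port is not."""
    fw = StatefulFirewall(inbound_allow={("tcp", 443)})
    return [
        fw.handle("10.0.0.5", 51000, "203.0.113.9", 80, flags="S"),    # allow
        fw.handle("203.0.113.9", 80, "10.0.0.5", 51000, flags="SA"),   # allow
        fw.handle("203.0.113.9", 80, "10.0.0.5", 51001, flags="SA"),   # deny
        fw.handle("203.0.113.9", 40000, "10.0.0.80", 443, flags="S"),  # allow
    ]
```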
Firewall related problems
• Information security involves constraints, and users don't like
this.
• Firewalls restrict access to certain services
• Firewalls can also constitute a traffic bottleneck.
• They concentrate security in one spot, aggravating the
single point of failure phenomenon
Benefits of a firewall
• Firewalls protect private local area networks from hostile
intrusion from the Internet.
• Firewalls allow network administrators to offer access to
specific types of Internet services to selected LAN users.
• Privileges can be granted according to job description and
need rather than on an all-or-nothing basis.
Other common Firewall Services
• Encrypted Authentication
– Allows users on the external network to authenticate to the Firewall to
gain access to the private network
• Virtual Private Networking
– Establishes a secure connection between two private networks over a
public network
Additional services sometimes
provided
• Virus Scanning
– Searches incoming data streams for virus signatures so they may be
blocked
• Content Filtering
– Allows the blocking of internal users from various types of content.
Enterprise Firewalls
• Check Point FireWall-1
• Cisco PIX (product family)
• MS Internet Security & Acceleration Server
• GAI Gauntlet
Personal firewalls
• BlackICE
• Sygate® Personal Firewall PRO
Virtual Local Area Network
General Description of LAN
• Covers a small geographic area
– Home
– Office
– Group of buildings
What are VLANs?
• Commonly known as VLAN
• A group of hosts (switch ports) with a common set of
requirements
• The group of hosts communicates as if they were attached to the
same wire
Definition of Virtual Local Area
Network
A VLAN has the same attributes as a physical LAN
A VLAN allows grouping of end stations, services and devices
End stations do not need to be located on the same LAN segment
A VLAN is a broadcast domain created by one or more switches
Differences between LANs & VLANs
VLAN Membership
Broadcast Domains
A switch creates a broadcast domain
VLAN helps manage broadcast domains
VLANs can be defined by port groups, users or protocols
LAN switches and network management software provide a mechanism
to create VLANs
VLAN Operations
A VLAN is a switched network that is logically segmented
Each switch port can be assigned to a VLAN
Ports assigned to the same VLAN share broadcasts.
Ports that do not belong to that VLAN do not receive these broadcasts.
This improves network performance because unnecessary broadcasts
are reduced.
How does it work?
• When a bridge receives data from a workstation, it tags the data with a VLAN
identifier (this is called explicit tagging)
• In implicit tagging the data is not tagged; the VLAN is determined from the port on
which the data arrived
• Tagging can be based on
– The port from which it came
– The source Media Access Control (MAC) field
– The source network address
– Or some other field or combination of fields
Types of VLAN
Static VLAN Membership
Static membership VLANs are called port-based and port-centric
membership VLANs
Static VLANs are ports on a switch that are manually assigned to a
VLAN
All moves are controlled and managed.
Dynamic VLAN Membership
Dynamic membership VLANs are created through network management
software (e.g. CiscoWorks 2000)
Membership is based on the MAC address of the device connected to
the switch port
The network administrator collects all the devices' MAC addresses and puts them into
a database.
Types of VLAN
• Three basic VLAN membership types determine and control how a
packet entering a switch is assigned to a VLAN.
Port driven VLANs cont’d.
User-assigned port association
• For example, in a bridge with four ports, ports 1, 2, and 4 belong to VLAN 1
and port 3 belongs to VLAN 2
Port   VLAN
1      1
2      1
3      2
4      1
Assignment of ports to different VLANs
Disadvantage:
• Does not allow for user mobility
MAC address driven VLANs
User assigned based on MAC addresses
Offers flexibility
For example: since MAC addresses form part of the
workstation's network interface card, when a workstation is moved,
no reconfiguration is needed for the workstation to remain in
the same VLAN
Impacts performance, scalability, and administration
MAC address driven VLANs cont’d
MAC Address       VLAN
1212354145121     1
2389234873743     2
3045834758445     2
5483579475843     1
Assignment of MAC addresses to different VLANs
Network address driven VLANs
• The network IP subnet address can be used to classify
VLAN membership
IP Subnet   VLAN
23.2.24     1
26.21.35    2
Network address driven VLANs cont’d
IP addresses are used only as a mapping to determine
membership in VLANs.
In Layer 3 VLANs, users can move their workstations
without reconfiguring their network addresses. The only
drawback is that it generally takes longer to forward packets
using Layer 3 information than using MAC addresses.
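Added example (not from the slides): how a switch decides a frame's VLAN. Explicit tagging is shown by reading the VLAN identifier from an IEEE 802.1Q tag (the standard the slides do not name); implicit tagging is shown with the three membership types above (port-based, MAC-based, IP-subnet-based), and the resulting VLAN limits which ports receive a broadcast. The port table is the one on the slides; the MAC and subnet tables are constructed.

```python
import ipaddress
from typing import List, Optional

# Port-based table from the slides: ports 1, 2 and 4 in VLAN 1, port 3 in VLAN 2
PORT_VLAN = {1: 1, 2: 1, 3: 2, 4: 1}
# MAC-based and subnet-based tables (constructed values in real notation)
MAC_VLAN = {"00:11:22:33:44:55": 2, "00:11:22:33:44:66": 1}
SUBNET_VLAN = {ipaddress.ip_network("192.0.2.0/24"): 1,
               ipaddress.ip_network("198.51.100.0/24"): 2}

def vlan_from_tagged_frame(frame: bytes) -> Optional[int]:
    """Explicit tagging: read the 12-bit VLAN ID from an IEEE 802.1Q tag
    (TPID 0x8100 at byte offset 12, VID in the low 12 bits of the TCI)."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        return int.from_bytes(frame[14:16], "big") & 0x0FFF
    return None   # untagged frame: fall back to implicit classification

def classify(port: int, src_mac: str, src_ip: Optional[str] = None,
             mode: str = "port") -> Optional[int]:
    """Implicit tagging: decide the VLAN of an untagged frame from the
    port it arrived on, its source MAC, or its source IP subnet."""
    if mode == "port":
        return PORT_VLAN.get(port)
    if mode == "mac":
        return MAC_VLAN.get(src_mac.lower())
    if mode == "subnet" and src_ip is not None:
        addr = ipaddress.ip_address(src_ip)
        for net, vlan in SUBNET_VLAN.items():
            if addr in net:
                return vlan
    return None   # no membership: drop rather than leak into a VLAN

def broadcast_ports(in_port: int, vlan: int, port_table=PORT_VLAN) -> List[int]:
    """Ports that receive a broadcast arriving on `in_port` in `vlan`:
    only other ports of the same VLAN share the broadcast domain."""
    return sorted(p for p, v in port_table.items() if v == vlan and p != in_port)
```

The MAC-based lookup shows the mobility point from the slides: a station with MAC 00:11:22:33:44:66 stays in VLAN 1 when plugged into port 3, whereas port-based membership would put it in VLAN 2.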
Selecting VLANs
• The number of VLANs in a switch varies based on
several factors
•Traffic patterns
•Types of applications
•Network management needs
•Group commonality
Benefits of VLAN
Why use VLAN instead of LAN ?
Performance
Formation of Virtual Workgroups
Simplified Administration
Reduces Cost
Security
Proxy servers
What are proxy servers?
• In computer networks, a proxy server is a server
that acts as an intermediary for requests from
clients seeking resources from other servers.
• A client connects to the proxy server, requesting
some service, such as a file, connection, web page,
or other resource, available from a different server.
• The proxy server evaluates the request according to
its filtering rules, e.g. by IP address and protocol
Why use proxy servers?
• To keep machines behind it anonymous (mainly for security)
• To speed up access to resources (using caching).
• To apply access policy to network services or content, e.g. to
block undesired sites.
• To bypass security/parental controls.
• To scan transmitted content for malware before delivery.
Caching proxy
• Caching proxies keep local copies of frequently requested
resources.
• Some poorly implemented caching proxies have had
downsides (e.g., an inability to use user authentication).
Web proxy
A proxy that focuses on World Wide Web traffic is called a
"web proxy".
The most common use of a web proxy is to serve as a web
cache.
It provides content filtering.
This is often used in a corporate, educational or library
environment, and anywhere else where content filtering is
desired.
Some web proxies reformat web pages for a specific
purpose or audience.
Content-filtering web proxy
A content-filtering web proxy server provides administrative
control over the content that may be relayed through the
proxy
It is commonly used in both commercial and non-commercial
organizations
Some common methods used for content filtering include:
URL or DNS blacklists, URL regex filtering, MIME filtering, or
content keyword filtering
A content filtering proxy will often support user
authentication, to control web access
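Added example (not from the slides): the decision logic of a content-filtering web proxy applying the methods listed above in the order a proxy sees the data, the request first (user authentication, DNS blacklist, URL regex) and then the response (MIME type, content keywords). All lists, hostnames and users are constructed.

```python
import re
from typing import Tuple
from urllib.parse import urlsplit

DNS_BLACKLIST = {"ads.example", "malware.example"}       # blocked hosts and subdomains
URL_REGEXES = [re.compile(r"/download/.*\.exe$", re.I)]  # blocked URL patterns
BLOCKED_MIME = {"application/x-msdownload", "application/java-archive"}
KEYWORDS = ["gambling", "casino"]                        # content keyword filter
ALLOWED_USERS = {"alice", "bob"}                          # authenticated users

def host_blocked(host: str) -> bool:
    """DNS blacklist match: the host itself or any subdomain of a listed name."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in DNS_BLACKLIST)

def check_request(user: str, url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) before the proxy forwards the request."""
    if user not in ALLOWED_USERS:
        return False, "authentication required"
    parts = urlsplit(url)
    if host_blocked(parts.hostname or ""):
        return False, "host on blacklist"
    if any(rx.search(parts.path) for rx in URL_REGEXES):
        return False, "URL pattern blocked"
    return True, "ok"

def check_response(content_type: str, body: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) after the proxy receives the origin's response."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in BLOCKED_MIME:
        return False, "MIME type blocked"
    if mime.startswith("text/"):
        # Keyword filtering only makes sense on textual content
        text = body.decode("utf-8", errors="replace").lower()
        hit = next((k for k in KEYWORDS if k in text), None)
        if hit:
            return False, "keyword '%s'" % hit
    return True, "ok"
```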
Anonymizing proxy server
An anonymous proxy server (sometimes called a web
proxy) generally attempts to anonymize web surfing.
An anonymous proxy is a tool that attempts to make activity on
the Internet untraceable.
It accesses the Internet on the user's behalf, protecting
personal information by hiding the source computer's
identifying information.
Anonymizers help minimize risk.
Hostile proxy
Proxies can also be installed in order to eavesdrop upon the
dataflow between client machines and the web
Suffix proxy
A suffix proxy server allows a user to access web content
by appending the name of the proxy server to the URL of the
requested content (e.g. "en.wikipedia.org.6a.nl").
Suffix proxy servers are easier to use than regular proxy
servers
Reverse proxy server
A reverse proxy is a proxy server that is installed in the
neighborhood of one or more web servers
Reasons for using a reverse proxy server:
• Encryption
• Load balancing
• Compression
• Security
• Content filtering
Many workplaces, schools, and colleges restrict the web
sites and online services that are made available in their
buildings using a content filter.
Requests made to the open internet must first pass through
an outbound proxy filter.
The administrator instructs the web filter to ban broad
classes of content (such as sports, pornography, online
shopping, gambling, or social networking). Requests that
match a banned URL pattern are rejected immediately.
Tunneling proxy server
Tunneling proxy servers are used by people who have been
blocked from viewing a particular web site.
A tunneling proxy server is a web-based page that takes a
site that is blocked and "tunnels" it, allowing the user to view
blocked pages.
A famous example is elgooG, which allowed users in China
to use Google after it had been blocked there. elgooG