An Introduction to Firewall Technology

SYSCOM Computer (凌群電腦)
Presenter: 潘志豪
E-Mail: Jason_Pan@tc.syscom.com.tw
TEL: 04-2202-1221
Agenda
 What is a firewall
 Why an organization needs a firewall
 Types of firewalls and technologies
 Deploying a firewall
 What is a VPN



What is a Firewall?
  A firewall:
     Acts as a security gateway between two networks
        Usually between trusted and untrusted networks (such as between a corporate network and the Internet)

  [Figure: Corporate Site with a Corporate Network Gateway in front of the Internet]

What is a Firewall? (continued)
  A firewall:
     Acts as a security gateway between two networks
     Tracks and controls network communications
        Decides whether to pass, reject, encrypt, or log communications (Access Control)

  [Figure: Corporate Site gateway facing the Internet, with the policy examples "Allow traffic to Internet" and "Block traffic from Internet"]

Why Firewalls are Needed
  Prevent attacks from untrusted
  networks
  Protect data integrity of critical
  information
  Preserve customer and partner
  confidence


Evolution of Firewalls
  Stage of evolution: Packet Filter -> Application Proxy -> Stateful Inspection

Packet Filter
  Packets examined at the network layer (IP header and, on most routers, the transport-layer port and flag fields)
  Useful "first line" of defense - commonly deployed on routers
  Simple accept or reject decision model, one packet at a time
  No awareness of higher protocol layers or of connection state: return traffic has to be admitted by header patterns alone (for example "inbound, source port 80, ACK set"), and an attacker can produce packets matching those patterns

  [Figure: OSI stacks for client, filtering router, and server; the filter looks only at the network layer (and transport header)]

Application Gateway or Proxy
  Packets examined at the application layer: the proxy terminates the client's connection, parses the protocol, and opens its own connection to the server
  Application/content filtering possible - prevent FTP "put" commands (STOR), for example
  Modest performance: every connection is processed in user space
  Scalability limited: a separate proxy is needed for each protocol

  [Figure: OSI stacks for client, proxy gateway, and server; the proxy participates up to the application layer]

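The FTP "put" case above, as an added example that is not part of the original slides: a minimal control-channel filter of the kind an application proxy applies. The allow list, reply texts and function names are this example's own policy choices, not a standard; the client transcript is constructed, not captured.

```python
"""Application-layer filtering of an FTP control channel.

Models the "prevent FTP put commands" case: the proxy terminates the
client's control connection, parses each command line (RFC 959: a 3-4
letter verb, an optional argument, CRLF) and applies a per-command policy.
A network-layer packet filter, which only sees "TCP to port 21", cannot
make this distinction. The allow list and reply texts are this example's
own policy choices, not a standard.
"""
import re
from typing import List, Tuple

# RFC 959 commands that write data onto the server: the "put" family.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}

# Hypothetical read-only policy: everything not listed here is refused.
ALLOWED_COMMANDS = {
    "USER", "PASS", "SYST", "PWD", "CWD", "CDUP", "TYPE", "PASV", "PORT",
    "LIST", "NLST", "SIZE", "RETR", "NOOP", "QUIT",
}

# One well-formed command line: verb, optional single-space argument of
# printable ASCII, CRLF terminator, nothing else.
CMD_RE = re.compile(rb"\A([A-Za-z]{3,4})(?: ([\x20-\x7e]*))?\r\n\Z")


def parse_command(line: bytes) -> Tuple[str, bytes]:
    """Return (VERB, argument); raise ValueError for anything malformed.

    Refusing malformed lines is part of the proxy's value: a packet filter
    would forward odd bytes (embedded NULs, bare LF, over-long verbs) to the
    server untouched.
    """
    m = CMD_RE.match(line)
    if m is None:
        raise ValueError(f"malformed FTP command line: {line!r}")
    return m.group(1).upper().decode("ascii"), m.group(2) or b""


def filter_command(line: bytes) -> Tuple[str, bytes]:
    """Decide one client->server line.

    Returns ("forward", line) to relay it, or ("reject", reply) where reply
    is the 3-digit FTP response the proxy sends back in the server's place.
    """
    try:
        verb, _argument = parse_command(line)
    except ValueError:
        return "reject", b"500 Syntax error, command unrecognized.\r\n"
    if verb in UPLOAD_COMMANDS:
        return "reject", b"550 Uploads are not permitted by policy.\r\n"
    if verb in ALLOWED_COMMANDS:
        return "forward", line
    return "reject", b"502 Command not implemented.\r\n"


def run_session(client_lines: List[bytes]) -> List[Tuple[str, bytes]]:
    """Apply the policy to a whole control-channel transcript."""
    return [filter_command(line) for line in client_lines]


# Constructed client transcript (not captured traffic).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@\r\n",
    b"CWD /pub\r\n",
    b"RETR readme.txt\r\n",
    b"STOR payload.exe\r\n",   # the "put" the slide wants blocked
    b"stor evil.bin\r\n",      # verbs are case-insensitive (RFC 959)
    b"SITE CHMOD 777 x\r\n",   # not on the allow list
    b"RETR a\x00b\r\n",        # embedded NUL: malformed, never reaches the server
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for line, (decision, out) in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)):
        print(f"{line!r:26} -> {decision:7} {out!r}")
```

The point of the parse step is that the proxy speaks the protocol: it answers the blocked command with a proper FTP reply instead of silently dropping bytes, and it never relays a line it could not parse.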
Stateful Inspection
  Packets inspected between the data link layer and the network layer in the OS kernel
  State tables are created to maintain connection context: an inbound packet is admitted only if it belongs to a connection an inside host opened (or a rule explicitly allows it), so "source port 80 with ACK set" is no longer enough on its own
  Invented by Check Point (the INSPECT Engine)

  [Figure: OSI stacks for client, gateway, and server; on the gateway the INSPECT Engine sits between the data link and network layers and consults dynamic state tables]

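The Packet Filter and Stateful Inspection slides above, as one added example (not from the original deck): the same constructed packets are run through a stateless header filter and through a connection-tracking filter, so the difference in what each admits is visible. Addresses come from the RFC 5737 documentation ranges; the rule set, state names and function names are this example's own.

```python
"""Packet filter versus stateful inspection on the same traffic.

The stateless filter sees one packet at a time and only header fields, so
to admit web replies it must allow anything inbound "from port 80 with ACK
set". The stateful filter records connections opened from inside and admits
inbound packets only when they match an entry (with roles reversed) in its
state table. Addresses are from the RFC 5737 documentation ranges; the
packets are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = inside -> Internet, "in" = Internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


# ---- Stateless packet filter (network/transport header only) --------------
# Each rule: (direction, dst port or None, src port or None, require ACK).
# First match wins; default deny.
STATELESS_RULES = [
    ("out", 80, None, False),   # inside hosts may open HTTP connections
    ("in", None, 80, True),     # ...so replies from port 80 must be let back in
]


def stateless_allow(pkt: Packet) -> bool:
    for direction, dport, sport, need_ack in STATELESS_RULES:
        if pkt.direction != direction:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if need_ack and not pkt.ack:
            continue
        return True
    return False


# ---- Stateful inspection ---------------------------------------------------
ConnKey = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


class StatefulFilter:
    """Policy: inside hosts may initiate HTTP; nothing else passes unless it
    belongs to a connection already in the state table."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key: ConnKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                if pkt.fin:
                    self.table[key] = "CLOSING"
                return True
            if pkt.syn and not pkt.ack and pkt.dport == 80:
                self.table[key] = "SYN_SENT"        # inside host initiates: record it
                return True
            return False
        # Inbound: look the connection up with roles reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                             # unsolicited, whatever the ports say
        if state == "SYN_SENT" and pkt.syn and pkt.ack:
            self.table[key] = "ESTABLISHED"
        return True


# ---- Constructed traffic ---------------------------------------------------
INSIDE, WEB, ATTACKER = "10.0.0.2", "203.0.113.10", "198.51.100.7"

TRAFFIC = [
    ("outbound SYN to web server",
     Packet("out", INSIDE, 40000, WEB, 80, syn=True)),
    ("SYN/ACK reply from web server",
     Packet("in", WEB, 80, INSIDE, 40000, syn=True, ack=True)),
    ("outbound ACK completing handshake",
     Packet("out", INSIDE, 40000, WEB, 80, ack=True)),
    ("unsolicited ACK from source port 80 to ssh",
     Packet("in", ATTACKER, 80, INSIDE, 22, ack=True)),
    ("unsolicited SYN from Internet to ssh",
     Packet("in", ATTACKER, 54321, INSIDE, 22, syn=True)),
]


def run_comparison() -> Dict[str, Tuple[bool, bool]]:
    """Feed the same packets, in order, through both filters: (stateless, stateful)."""
    stateful = StatefulFilter()
    return {desc: (stateless_allow(p), stateful.allow(p)) for desc, p in TRAFFIC}


if __name__ == "__main__":
    for desc, (a, b) in run_comparison().items():
        print(f"{desc:45} stateless={a!s:5} stateful={b}")
```

The fourth packet is the one that matters: an ACK scan or crafted packet sent from source port 80 satisfies the stateless rule, while the stateful filter drops it because no inside host ever opened that connection.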
Network Address Translation (NAT)
  [Figure: Corporate LAN with internal addresses 192.172.1.1-192.172.1.254 behind a gateway whose public address is 219.22.165.1 on the Internet]

  Converts a network's private IP addresses to routable public IP addresses (the internal range as drawn, 192.172.x.x, is actually public space; RFC 1918 reserves 10/8, 172.16/12 and 192.168/16 for private use)
     Hides the true addresses of individual hosts; an unsolicited inbound packet has no translation entry and is dropped, but this is a side effect of the mapping, not a substitute for a filtering policy
     Allows more hosts to be connected than the organization has public addresses

Port Address Translation - Hiding
  PAT global address: 192.168.0.15

  Inside host (before translation)          As seen on the outside (after translation)
  10.0.0.2:49090 -> 172.30.0.50:23          192.168.0.15:2000 -> 172.30.0.50:23
  10.0.0.3:49090 -> 172.30.0.50:23          192.168.0.15:2001 -> 172.30.0.50:23

  Both inside hosts happen to use source port 49090; the translator assigns each session its own source port (2000, 2001) so that replies can be mapped back to the right host.

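The two sessions on the PAT slide, reproduced as an added example (not from the original deck): a translator that rewrites 10.0.0.2:49090 and 10.0.0.3:49090 to 192.168.0.15:2000 and :2001, reverses the mapping for replies, and drops inbound packets for which no mapping exists. The port allocation scheme, the per-(inside, outside) keying and all names are this example's own.

```python
"""Port Address Translation ("hide NAT") behind one global address.

Reproduces the two sessions on the PAT slide: 10.0.0.2:49090 and
10.0.0.3:49090 both telnet to 172.30.0.50:23 and appear on the outside as
192.168.0.15:2000 and 192.168.0.15:2001. The translator keeps a mapping per
(inside endpoint, outside endpoint) pair so that replies can be reversed and
so that an inbound packet with no mapping is dropped. Port allocation and
data structures are this example's own.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]


class PortAddressTranslator:
    def __init__(self, global_ip: str, first_port: int = 2000, last_port: int = 65535) -> None:
        self.global_ip = global_ip
        self.next_port = first_port
        self.last_port = last_port
        # (inside endpoint, outside endpoint) -> translated source port
        self.out_map: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (translated port, outside endpoint) -> inside endpoint
        self.in_map: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def _allocate_port(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")   # a real failure mode of hide NAT
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet, creating a mapping on first use."""
        inside, outside = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        key = (inside, outside)
        if key not in self.out_map:
            port = self._allocate_port()
            self.out_map[key] = port
            self.in_map[(port, outside)] = inside
        return replace(pkt, src=self.global_ip, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate an outside->inside packet; None means drop (no mapping)."""
        if pkt.dst != self.global_ip:
            return None
        inside = self.in_map.get((pkt.dport, (pkt.src, pkt.sport)))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo() -> Dict[str, Optional[Packet]]:
    pat = PortAddressTranslator("192.168.0.15")
    out1 = pat.outbound(Packet("10.0.0.2", 49090, "172.30.0.50", 23))
    out2 = pat.outbound(Packet("10.0.0.3", 49090, "172.30.0.50", 23))
    repeat1 = pat.outbound(Packet("10.0.0.2", 49090, "172.30.0.50", 23))   # same flow, same mapping
    reply2 = pat.inbound(Packet("172.30.0.50", 23, "192.168.0.15", 2001))
    # A different outside host aiming at a mapped port: the (port, outside) key does not exist.
    unsolicited = pat.inbound(Packet("198.51.100.7", 23, "192.168.0.15", 2000))
    # Nobody mapped port 3000 at all.
    unmapped = pat.inbound(Packet("172.30.0.50", 23, "192.168.0.15", 3000))
    return {"out1": out1, "out2": out2, "repeat1": repeat1, "reply2": reply2,
            "unsolicited": unsolicited, "unmapped": unmapped}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

Keying the mapping on both endpoints is what makes the unsolicited packet fail: a translator that keyed on the translated port alone would forward anything addressed to port 2000 to 10.0.0.2, which is why NAT on its own is not a security control.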
Personal Firewalls
  Need arises from always-on connections (cable, DSL)
  Your PC is not protected enough by your OS alone
  Intrusion detection facilities
  Different levels of security
     Templates

Firewall Deployment
  Corporate Network Gateway
     Protect internal network from attack
     Most common deployment point

  [Figure: Corporate Network Gateway between the Internet and the Corporate Site; a Demilitarized Zone (DMZ) holds the Public Servers; the Human Resources Network sits inside]

Firewall Deployment (continued)
  Corporate Network Gateway
  Internal Segment Gateway
     Protect sensitive segments (Finance, HR, Product Development)
     Provide second layer of defense
     Ensure protection against internal attacks and misuse

  [Figure: as before, with an Internal Segment Gateway in front of the Human Resources Network; the publicly accessible servers sit in the DMZ]

Firewall Deployment (continued)
  Corporate Network Gateway
  Internal Segment Gateway
  Server-Based Firewall
     Protect individual application servers
     Protect files

  [Figure: as before, with a Server-Based Firewall on the SAP Server]

Firewall Deployment
  Hardware appliance based firewall
     Single platform, software pre-installed
     Can be used to support small organizations
      or branch offices with little IT support
  Software based firewall
     Flexible platform deployment options
     Can scale as organization grows


Summary
  Firewalls are the foundation of an enterprise security policy
  Stateful Inspection is the leading firewall technology

Criteria for Choosing a Firewall
  Which network protocols or application-layer traffic must the firewall allow or deny?
  Does the firewall need to authenticate users when controlling traffic?
  How are rules built?
  Can it hide addresses?
  With more than one public address, can it protect several web and e-mail servers on the network from attack?

Criteria for Choosing a Firewall (continued)
  Can it filter Java and ActiveX?
  How does it harden the operating system?
  Does it handle all network traffic without compromising security?
  Does it provide event logging and alerting?
  Is it simple and easy to use?
  Does it support add-on event reporting software?
  Does it provide content blocking?

Criteria for Choosing a Firewall (continued)
  Is it scalable to meet future needs?
  Is it easy to add remote firewalls and mobile users?
  Does it interoperate with other products on the market?

What is a VPN?
  A VPN is a private connection over an open network
  A VPN includes authentication and encryption to protect data integrity and confidentiality

  [Figure: Acme Corp Site 1 and Acme Corp Site 2 connected by VPN gateways across the Internet]

Why Use Virtual Private Networks?
  More flexibility
     Leverage ISP points of presence
     Use multiple connection types (cable, DSL, T1, T3)
  Most attacks originate within an organization

Why Use Virtual Private Networks? (continued)
  More flexibility
  More scalability
     Add new sites and users quickly
     Scale bandwidth to demand

Why Use Virtual Private Networks? (continued)
  More flexibility
  More scalability
  Lower costs
     Reduced frame relay/leased line costs
     Reduced long distance charges
     Reduced equipment costs (modem banks, CSU/DSUs)
     Reduced technical support

Types of VPNs
  Remote Access VPN
     Provides access to the internal corporate network over the Internet
     Reduces long distance, modem bank, and technical support costs
     User authentication: PAP, CHAP, RADIUS (PAP carries the password in cleartext and is only acceptable inside an already-encrypted tunnel)

  [Figure: remote user connecting across the Internet to the Corporate Site]

Types of VPNs (continued)
  Remote Access VPN
  Site-to-Site VPN
     Connects multiple offices over the Internet
     Reduces dependencies on frame relay and leased lines

  [Figure: Corporate Site and Branch Office connected across the Internet]

Types of VPNs (continued)
  Remote Access VPN
  Site-to-Site VPN
  Extranet VPN
     Provides business partners access to critical information (leads, sales tools, etc.)
     Reduces transaction and operational costs

  [Figure: Corporate Site connected across the Internet to Partner #1 and Partner #2]

Types of VPNs (continued)
  Remote Access VPN
  Site-to-Site VPN
  Extranet VPN
  Client/Server VPN
     Protects sensitive internal communications (host-to-host encryption inside the LAN, consistent with the earlier point that most attacks originate within an organization)

  [Figure: LAN clients with sensitive data talking to a Database Server over an encrypted path; other LAN clients and the Internet alongside]

Components of a VPN
  Encryption
  Key management
  Message authentication
  Entity authentication




Encryption
  [Figure: traffic from Joe's PC to the HR Server is encrypted; all other traffic, such as Mary's PC to the E-Mail Server, is cleartext]

  Current standards: DES and Triple-DES
     Over 20 years in the field
     DES's 56-bit key is within reach of brute force (see the DES key-cracking table later in this deck), so single DES should be retired; 3DES (168-bit key, about 112 bits of effective strength) remains usable but slow
  AES beginning deployment
     New standard (FIPS 197)
     More computationally efficient
     Longer keys (128, 192, 256 bits); a longer key only helps if the algorithm has no attack faster than brute force

Key Management
  Public key cryptosystems (Diffie-Hellman, RSA) let two peers agree on secret session keys across open networks without ever sending the keys themselves
  Re-keying at appropriate intervals (by time or by traffic volume) limits the exposure if one key is compromised
  IKE = Internet Key Exchange protocol
     Incorporates ISAKMP/Oakley

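The key agreement the slide describes, as an added example (not from the original deck and not from any IKE implementation): a Diffie-Hellman exchange between two peers followed by the SKEYID derivation of RFC 2409 section 5.4 in pre-shared-key mode. It uses the 1024-bit MODP group 2 from RFC 2409 because its modulus is short enough to show; deployments today use group 14 or larger, or an elliptic-curve group. The primality self-check, the peer-value validation, and all function names are this example's own; the PSK, nonces and cookies are constructed values.

```python
"""Diffie-Hellman key agreement of the kind IKE phase 1 performs.

Two peers exchange public values g^x and g^y over the open network and each
derives the same g^xy; the SKEYID chain then follows the pre-shared-key
formulas of RFC 2409 section 5.4 with HMAC-SHA1 as the prf. The group is the
1024-bit MODP group 2 of RFC 2409 (generator 2), chosen because it is short
enough to print; current deployments use group 14 or larger, or an
elliptic-curve group. The primality self-check, the peer-value validation
and all names are this example's own; nonces, cookies and the PSK are
constructed values.
"""
import hashlib
import hmac
import secrets

MODP_1024_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234"
    "C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6"
    "F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE6"
    "49286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(MODP_1024_HEX, 16)
G = 2
Q = (P - 1) // 2              # MODP groups use safe primes: Q is prime, G generates the order-Q subgroup
P_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used to sanity-check the hard-coded group before relying on it."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair() -> tuple:
    """Private exponent x in [2, p-2] and the public value g^x mod p sent to the peer."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def valid_peer_value(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-Q subgroup; otherwise a
    malicious peer could confine the shared secret to a tiny, guessable set."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_secret(x: int, peer_y: int) -> int:
    if not valid_peer_value(peer_y):
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_y, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid(psk: bytes, gxy: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> tuple:
    """RFC 2409 s5.4, pre-shared-key mode: SKEYID = prf(psk, Ni|Nr), then SKEYID_d, _a, _e."""
    gxy_b = gxy.to_bytes(P_BYTES, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def exchange(psk: bytes) -> tuple:
    """Run both sides; returns (initiator keys, responder keys), which must agree."""
    x_i, y_i = keypair()
    x_r, y_r = keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # nonces, sent in the clear
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    keys_i = derive_skeyid(psk, shared_secret(x_i, y_r), ni, nr, cky_i, cky_r)   # initiator uses g^y
    keys_r = derive_skeyid(psk, shared_secret(x_r, y_i), ni, nr, cky_i, cky_r)   # responder uses g^x
    return keys_i, keys_r


if __name__ == "__main__":
    assert is_probable_prime(P) and is_probable_prime(Q)
    ki, kr = exchange(b"constructed-pre-shared-key")
    print("peers agree:", ki == kr)
    print("SKEYID_e:", ki[2].hex())
```

Only g^x, g^y, the nonces and the cookies cross the network; an observer who records all of them still lacks x or y and cannot compute g^xy. The subgroup check in valid_peer_value is the step that production IKE stacks have historically omitted and later patched in.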
Authentication
  IPsec standards focus on authentication of two network devices to each other
     IP address/pre-shared key
     Digital certificates
  User authentication is added on top if required
     RADIUS and TACACS+ are the standard protocols for authentication servers
  XAUTH was proposed to add user authentication to IKE; it remained an Internet draft, and IKEv2 later addressed the need with EAP

Point-to-Point Tunneling Protocol (PPTP)
  Layer 2 remote access VPN distributed with the Windows product family
     Extension of the Point-to-Point Protocol (PPP)
     Allows multiple Layer 3 protocols
  Uses proprietary authentication and encryption (MS-CHAP and MPPE in Microsoft's implementation)
  Limited user management and scalability
  Known security vulnerabilities (published weaknesses in MS-CHAP and MPPE)

  [Figure: Remote PPTP Client through an ISP Remote Access Switch across the Internet to a PPTP RAS Server on the Corporate Network]

Layer 2 Tunneling Protocol (L2TP)
  Layer 2 remote access VPN protocol
     Combines and extends PPTP and L2F (a Cisco-supported protocol)
     Relies on PPP for authentication and encryption, which are weak
     Does not include packet authentication, data integrity, or key management
     Must be combined with IPSec (L2TP/IPsec) for enterprise-level security

  [Figure: Remote L2TP Client through an ISP L2TP Concentrator across the Internet to an L2TP Server on the Corporate Network]

Internet Protocol Security
(IPSec)
  Layer 3 protocol for remote access,
  intranet, and extranet VPNs
     Internet standard for VPNs
     Provides flexible encryption and message
      authentication/integrity
     Includes key management




Components of an IPSec VPN
  Encryption               DES, 3DES, and more
  Message Authentication   HMAC-MD5, HMAC-SHA-1, or others
  Entity Authentication    Digital Certificates, Shared Secrets, Hybrid Mode IKE
  Key Management           Internet Key Exchange (IKE), Public Key Infrastructure (PKI)

  All managed by security associations (SAs)

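The message authentication row of the table above, as an added example (not from the original deck or any IPsec stack): an ESP-style receiver that verifies an HMAC-SHA-1-96 integrity check value (RFC 2404, the ESP default) and enforces a sliding anti-replay window (RFC 4303 section 3.4.3). Encryption is left out so the integrity path is visible; keys, SPI and payloads are constructed, and the class and function names are this example's own.

```python
"""ESP-style message authentication and anti-replay on constructed packets.

Two of the components on the slide, shown without encryption so the
integrity path is visible: the ICV is HMAC-SHA-1-96 (RFC 2404: HMAC-SHA1
truncated to 96 bits, the ESP default) over SPI, sequence number and
payload; the receiver keeps a 32-packet sliding anti-replay window as in RFC
4303 section 3.4.3 and only moves it after the ICV verifies, so a forged
packet cannot push valid ones out of the window. Keys, SPI and payloads are
constructed; names are this example's own.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

ICV_LEN = 12                    # 96 bits
HEADER = struct.Struct("!II")   # SPI, sequence number, network byte order


def compute_icv(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-1-96 over everything ESP authenticates here: header + payload."""
    return hmac.new(auth_key, HEADER.pack(spi, seq) + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    return HEADER.pack(spi, seq) + payload + compute_icv(auth_key, spi, seq, payload)


class Receiver:
    WINDOW = 32       # RFC 4303 minimum window size

    def __init__(self, auth_key: bytes, spi: int) -> None:
        self.auth_key = auth_key
        self.spi = spi
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) already accepted

    def accept(self, packet: bytes) -> Tuple[bool, str]:
        if len(packet) < HEADER.size + ICV_LEN:
            return False, "truncated"
        spi, seq = HEADER.unpack_from(packet)
        payload, icv = packet[HEADER.size:-ICV_LEN], packet[-ICV_LEN:]
        if spi != self.spi:
            return False, "unknown SPI"
        # 1. Cheap replay check first (RFC 4303 orders it before the ICV check).
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= self.WINDOW:
                return False, "replay: behind window"
            if (self.bitmap >> offset) & 1:
                return False, "replay: duplicate"
        # 2. Integrity check with a constant-time comparison.
        expected = compute_icv(self.auth_key, spi, seq, payload)
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV"
        # 3. Only an authenticated packet may advance or mark the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True, "ok"


def demo() -> List[Tuple[str, bool, str]]:
    """Deliver a constructed packet sequence and return each verdict."""
    key, spi = b"constructed-auth-key", 0x00001000
    rx = Receiver(key, spi)
    good = {n: build_packet(key, spi, n, b"payload-%d" % n) for n in (1, 2, 3)}
    forged = bytearray(build_packet(key, spi, 4, b"payload-4"))
    forged[HEADER.size] ^= 0x01          # flip one payload bit after the ICV was computed
    far_future = build_packet(key, spi, 3 + Receiver.WINDOW + 8, b"far")
    stream = [
        ("seq 1", good[1]),
        ("seq 3 (arrives ahead of 2)", good[3]),
        ("seq 2 (late but inside window)", good[2]),
        ("seq 2 replayed", good[2]),
        ("seq 4 tampered", bytes(forged)),
        ("seq 43 jumps the window forward", far_future),
        ("seq 3 replayed, now behind window", good[3]),
    ]
    return [(label, *rx.accept(pkt)) for label, pkt in stream]


if __name__ == "__main__":
    for label, ok, why in demo():
        print(f"{label:36} {'accept' if ok else 'drop  '} {why}")
```

Two details are worth noticing: the replay check runs before the MAC so that a flood of replays costs the receiver no HMAC computations, and the tampered packet leaves the window untouched, so an attacker cannot use forged high sequence numbers to make the receiver discard the sender's genuine packets.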
Encryption Explained
  Used to convert data to a secret code
  for transmission over an untrusted
  network
     Clear Text "The cow jumped over the moon"  --Encryption Algorithm-->  Encrypted Text "4hsd4e3mjvd3sda1d38esdf2w4d"

Symmetric Encryption
 Same key used to encrypt and decrypt
 message
 Faster than asymmetric encryption
 Examples: DES, 3DES, RC5, Rijndael




  [Figure: sender and receiver both hold the one Shared Secret Key]

Asymmetric Encryption
  Different keys used to encrypt and decrypt message (one public, one private)
  Examples include RSA and DSA (DSA is a signature algorithm and does not encrypt); SHA-1 and MD5 are one-way hash functions, not asymmetric ciphers
  Slower than symmetric encryption, so in practice it protects the exchange of symmetric keys rather than bulk data

  [Figure: Bob encrypts with Alice's Public Key; Alice decrypts with Alice's Private Key]

Comparison of Encryption Systems in Use on the Internet

System           Main use                                         Algorithms used                        Protections provided
PGP              Encrypts e-mail                                  IDEA, RSA, MD5                         Confidentiality, authentication, integrity, non-repudiation
S/MIME           Encrypts e-mail                                  User-specified                         Confidentiality, authentication, integrity, non-repudiation
SSL              Encrypts TCP/IP traffic                          RSA, RC2, RC4, MD5, 3-DES, others      Confidentiality, authentication, integrity, non-repudiation
PCT              Encrypts TCP/IP traffic                          RSA, RC2, RC4, MD5, others             Confidentiality, authentication, integrity, non-repudiation
S-HTTP           Encrypts HTTP requests and responses             RSA, DES, others                       Confidentiality, authentication, integrity, non-repudiation
SET & CyberCash  Protocol for sending payment instructions        RSA, MD5, RC2                          Only the credit card number is kept confidential
                 securely over the Internet
DNSSEC           Secure Domain Name System                        RSA, MD5                               Authentication, integrity
IPSec            Low-level protocol encrypting IP packets         Diffie-Hellman, DES, 3DES, RC4, IDEA   Confidentiality, authentication, integrity
Kerberos         Network security service for higher-level        DES                                    Confidentiality, authentication
                 applications
SSH              Remote terminal with encryption                  RSA, Diffie-Hellman, DES, 3-DES,       Confidentiality, authentication
                                                                  Blowfish, others

Reference Cost and Time to Crack DES Keys

Attacker type          Budget           40-bit         56-bit       168-bit 3-DES
Individual hacker      US$400           5 hours        38 years     not estimable
Professional hacker    US$10,000        12 minutes     556 days     10^19 years
Intelligence agency    US$10 million    0.02 seconds   21 minutes   10^17 years

  Figures as given in the original deck. Two caveats: 3DES's effective strength against the meet-in-the-middle attack is about 112 bits, not 168, and the 56-bit estimates were overtaken in practice when the EFF's purpose-built Deep Crack machine recovered a DES key in 56 hours in 1998.

Secure Virtual Network Architecture

  [Figure: vendor architecture diagram. Corporate Network side: VPN-1/FireWall-1 Gateway & StoneBeat FullCluster, VPN-1 Accelerator Card, FloodGate-1 QoS, ConnectControl Server Load Balancing, VPN-1 SecureServer, LDAP Directory, RSA Advanced PKI, RSA ACE/Server and ACE/Agent, Trend InterScan/WebManager/eManager & StoneBeat Security Cluster, ISS RealSecure Intrusion Detection, Web Server Pool, Extranet Application Server, and an Enterprise Management Console (policy-based management, reporting, account management, Open Security Extension). Remote side, across the Internet and a router: IPSec-compliant Gateway at the Extranet Partner Site, VPN-1 SecuRemote & RSA SecurID for dial-up users, VPN-1 SecureClient & RSA SecurID for broadband Remote Users, and a VPN-1/FireWall-1 Nokia Appliance at the Remote Office]

       Thank You!





				