session7 firewalls and vpn

Post on 05-Dec-2014

Category: Education

TRANSCRIPT

PalGov © 2011

The Palestinian eGovernment Academy

www.egovacademy.ps

Security Tutorial

Session 7


About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps

Project Consortium:

University of Trento, Italy

University of Namur, Belgium

Vrije Universiteit Brussel, Belgium

TrueTrust, UK

Birzeit University, Palestine (Coordinator)

Palestine Polytechnic University, Palestine

Palestine Technical University, Palestine

Université de Savoie, France

Ministry of Local Government, Palestine

Ministry of Telecom and IT, Palestine

Ministry of Interior, Palestine

Coordinator:

Dr. Mustafa Jarrar

Birzeit University, P.O.Box 14- Birzeit, Palestine

Telfax: +972 2 2982935 mjarrar@birzeit.edu

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.

Attribution-NonCommercial-ShareAlike

CC-BY-NC-SA

This license lets others remix, tweak, and build upon your work non-

commercially, as long as they credit you and license their new creations

under the identical terms.


Tutorial 5:

Information Security

Session 7: Firewalls and VPN

Session 7 Outline:

• Session 7 ILO's.

• Firewalls

• SOCKS protocols

• VPNs


Tutorial 5:

Session 7: Firewalls and VPN

After completing this session you will be able

to:

• B: Intellectual Skills

• b3: Design end-to-end secure and available systems.

• b4: Design integrity and confidentiality services.


Firewalls

• A firewall is an effective means of protecting a local system or network of systems from network-based security threats: it restricts network services to authorized access only.

• The firewall itself is assumed to be immune to penetration. This is a design requirement, not a property that comes for free: the firewall must run on a hardened, trusted system and be kept patched, because a compromised firewall hands the attacker the choke point of the whole network.

• A firewall can be hardware, software, or a combination of both.

Firewall Design Principles

• Information systems have evolved steadily, from small isolated LANs to pervasive Internet connectivity, and the use of computer networks is now widespread.

• Strong security features cannot be assumed to be in place on every workstation and server.

• Privacy of information is highly valued.

Firewall Design Principles

• The firewall is inserted between a private

network and the Internet or other networks.

• Aims:

– Establish a controlled link.

– Protect the private network from Internet-based attacks by users or programs.

– Provide a single point through which all traffic is monitored and security policy is enforced.

Firewall Characteristics

• Design goals:

– All traffic from inside to outside must pass through

the firewall (physically blocking all access to the

local network except via the firewall)

– Only authorized traffic (defined by the local security

policy) will be allowed to pass

– The firewall itself is immune to penetration (achieved by running it on a trusted system with a secure, hardened operating system)

Firewall Characteristics

Firewalls use four general techniques to control access and enforce the site's security policy:

• Service control

– Determines the types of Internet services that can be accessed, inbound or outbound (typically by filtering on IP address, protocol and port number).

• Direction control

– Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.

• User control

– Controls which user(s) can have access to which

services.

• Behavior control

– Controls how particular services are used (e.g. filter

e-mail)


Types of Firewalls

There are four common types of firewalls:

– Packet-filtering routers

– Stateful inspection firewalls (packet filters that also track the state of each TCP connection, so that inbound packets are accepted only if they belong to a connection that was legitimately opened)

– Application-level gateways

– Circuit-level gateways


Packet-filtering Router

– Applies a set of rules to each incoming IP packet and then forwards or discards the packet

– Filters packets in both directions (inbound and outbound)

– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header (source and destination address, protocol, port numbers, flags); the first matching rule decides

– If no rule matches, one of two default policies applies: discard (what is not expressly permitted is prohibited, the more secure choice) or forward (what is not expressly prohibited is permitted)

Packet-filtering Router (continued)

• Advantages:

– Simplicity

– Transparency to users

– High speed

• Disadvantages:

– Difficulty of setting up packet filter rules correctly

– Lack of authentication: decisions are based on header fields alone, which say nothing about who actually sent the packet

• Possible attacks and appropriate countermeasures:

– IP address spoofing: discard inbound packets whose source address belongs to the internal network

– Source routing attacks: discard all packets carrying the source-route option

– Tiny fragment attacks: discard TCP fragments with fragment offset 1, or require the first fragment to carry a minimum amount of the transport header
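The rule list, default policy and the three countermeasures above, as an added example that is not part of the original tutorial: a small simulated packet-filtering router in Python. The protected network 192.168.1.0/24, the mail server address, the rule set and the sample packets are all constructed for illustration, and the Packet and Rule classes are this example's own simplification of the IP/TCP header fields a real filter matches on.

```python
"""Simulated packet-filtering router: first-match rule list, default policy, and the three
countermeasures from the slides. Example code added for this tutorial; everything is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("192.168.1.0/24")   # constructed: the protected LAN
MAIL_SERVER = "192.168.1.10"                   # constructed: the only host reachable from outside
MIN_TCP_HEADER = 20                            # bytes of TCP header the first fragment must carry


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter can see (no payload, no user identity)."""
    direction: str            # "in" = Internet -> LAN, "out" = LAN -> Internet
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False         # TCP ACK flag; clear only on the first SYN of a connection
    frag_offset: int = 0      # IP fragment offset (8-byte units); 0 = first or only fragment
    more_frags: bool = False  # IP "more fragments" flag
    l4_bytes: int = 40        # transport-header bytes present in this fragment
    source_routed: bool = False


@dataclass(frozen=True)
class Rule:
    """One filter rule; None/"*" fields are wildcards. Rules are evaluated top to bottom."""
    action: str               # "forward" or "discard"
    direction: str = "*"
    proto: str = "*"
    src: Optional[str] = None   # CIDR or single address
    dst: Optional[str] = None
    dport: Optional[int] = None
    ack_only: bool = False    # match only established traffic (ACK set), never a new SYN

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("*", p.direction)
            and self.proto in ("*", p.proto)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.dport is None or self.dport == p.dport)
            and (not self.ack_only or p.ack)
        )


class PacketFilter:
    def __init__(self, rules, default="discard"):
        self.rules = list(rules)
        self.default = default    # "discard" = deny what is not expressly permitted

    def decide(self, p: Packet):
        """Return (action, reason). The countermeasures run before the rule list."""
        if p.direction == "in" and ip_address(p.src) in INTERNAL_NET:
            return "discard", "ip-spoofing: internal source address on external interface"
        if p.source_routed:
            return "discard", "source-routing: source-routed packets are not accepted"
        if p.proto == "tcp" and (p.frag_offset or p.more_frags):
            if p.frag_offset == 1:
                return "discard", "tiny-fragment: TCP fragment with offset 1"
            if p.frag_offset == 0 and p.l4_bytes < MIN_TCP_HEADER:
                return "discard", "tiny-fragment: first fragment lacks a full TCP header"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, f"rule {i}"
        return self.default, "default policy"


# Constructed policy: the LAN may browse the web; outside may only reach SMTP on the mail server.
RULES = [
    Rule("forward", direction="out", proto="tcp", src="192.168.1.0/24", dport=80),
    Rule("forward", direction="out", proto="tcp", src="192.168.1.0/24", dport=443),
    Rule("forward", direction="in", proto="tcp", dst="192.168.1.0/24", ack_only=True),
    Rule("forward", direction="in", proto="tcp", dst=MAIL_SERVER, dport=25),
]
FIREWALL = PacketFilter(RULES, default="discard")

# Constructed sample traffic, one packet per case.
SAMPLES = {
    "lan browses https": Packet("out", "192.168.1.20", "203.0.113.5", "tcp", 51000, 443),
    "https reply": Packet("in", "203.0.113.5", "192.168.1.20", "tcp", 443, 51000, ack=True),
    "inbound ssh syn": Packet("in", "203.0.113.5", "192.168.1.20", "tcp", 40000, 22),
    "inbound smtp": Packet("in", "198.51.100.7", MAIL_SERVER, "tcp", 40000, 25),
    "spoofed source": Packet("in", "192.168.1.5", "192.168.1.20", "tcp", 1, 22),
    "source routed": Packet("out", "192.168.1.20", "203.0.113.5", "tcp", 51000, 80, source_routed=True),
    "tiny fragment": Packet("in", "203.0.113.5", "192.168.1.20", "tcp", 0, 0, frag_offset=1),
    "short first frag": Packet("in", "203.0.113.5", "192.168.1.20", "tcp", 443, 51000,
                               ack=True, more_frags=True, l4_bytes=8),
}


def run_samples(fw: PacketFilter = FIREWALL):
    """Map each sample name to the filter's action."""
    return {name: fw.decide(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        action, reason = FIREWALL.decide(p)
        print(f"{name:18} {action:8} ({reason})")
```

The "ACK set" rule is the classic stateless trick for letting return traffic of LAN-initiated connections through: a new inbound connection would start with a SYN without ACK and so falls to the default discard. It is also the weakness a stateful inspection firewall fixes, since an attacker can send packets with ACK set that belong to no real connection.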

Application-level Gateway

• Also called a proxy server

– Acts as a relay of application-level traffic: the user contacts the gateway, which authenticates the user, opens its own connection to the remote host and relays the application data between the two

– Can work as a content-filtering firewall, since it sees the complete application-layer data

• Advantages:

– Higher security than packet filters

– Only needs to scrutinize a few allowable applications

– Easy to log and audit all incoming traffic

• Disadvantages:

– Additional processing overhead on each connection (the gateway is a splice point between two connections)

– A separate proxy is needed for each supported application protocol

Circuit-level Gateway

– Can be a stand-alone system or a specialized function performed by an application-level gateway

– Sets up two TCP connections: one between itself and the inside user, one between itself and the outside host

– Once the connections are established, the gateway relays TCP segments from one connection to the other without examining the contents

– The security function consists of determining which connections will be allowed

– Typically used in a situation where the system administrator trusts the internal users: outbound connections are relayed freely, while inbound connections are checked

– An example is the SOCKS package

Types of Firewalls

• Bastion Host

– A system identified by the firewall administrator as a critical strong point in the network's security: it is hardened (minimal services, secure operating system, audited) because it is directly exposed to the untrusted network

– The bastion host serves as a platform for an application-level or circuit-level gateway

Firewall Basing

• Several options for locating the firewall function:

• Bastion host

• Individual host-based firewall

• Personal firewall

Firewall Locations

Firewall Configurations

• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible.

Distributed Firewalls

Firewall Configurations

• Screened host firewall system (single-homed bastion host): a packet-filtering router in front of a bastion host on the internal network; the router forwards inbound traffic only to the bastion host, which runs the application-level proxies

• Screened host firewall system (dual-homed bastion host): the bastion host has two network interfaces, so internal hosts cannot bypass it even if the router is misconfigured

• Screened-subnet firewall system: two packet-filtering routers with the bastion host on an isolated subnet (DMZ) between them; the most secure of the three configurations

Unified Threat Management Products


SOCKS Protocol

• Communication between clients and servers behind firewalls can be done using the SOCKS protocol: the client talks to the SOCKS proxy, which opens the real connection on its behalf.

• SOCKS uses two primitive operations: CONNECT (an outbound connection initiated by the client) and BIND (accept an inbound connection on the client's behalf). SOCKS5 adds UDP ASSOCIATE.

• Used by many applications, including web browsers and desktop clients such as Dropbox.

• Two versions are in use: SOCKS4 and SOCKS5.

SOCKS CONNECT

Figure: Host A, the SOCKS proxy and server S; message 1 is the CONNECT request from A to the proxy, message 2 is the proxy's connect() to S.

1. Host A connects to the SOCKS proxy and asks it to establish a connection with server S.

2. The proxy connects to S. From now on the traffic flows between host A and server S in both directions, relayed by the proxy.

Binding process

1. The client A connects to the SOCKS proxy and asks it to bind a public port, mapped to local port 4445, that will accept an incoming connection from server S.

2. The SOCKS proxy replies with the public port actually used to accept incoming connections (e.g. 33102).

3. When S connects to port 33102 on the proxy, host A is notified and traffic can flow from S to A and vice versa, relayed by the proxy.

Comparing SOCKS4 and SOCKS5

• SOCKS4 doesn't support authentication (it carries only an unverified user ID string), while SOCKS5 has a built-in mechanism to negotiate a variety of authentication methods (e.g. username/password, GSS-API).

• SOCKS4 doesn't support UDP proxying, while SOCKS5 does (UDP ASSOCIATE).

• SOCKS4 clients must resolve hostnames themselves, because the request carries only an IPv4 address (the SOCKS4a extension relaxes this), while SOCKS5 clients can send the hostname and rely on the SOCKS5 server to perform the DNS lookup. This also avoids leaking DNS queries from the client's network.
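The CONNECT and BIND exchanges and the SOCKS4/SOCKS5 differences above, as an added example not taken from the tutorial: the RFC 1928 messages for both the client and the proxy side, with the gateway's only security decision (which connections to relay) modelled as a destination-port allow-list. The proxy address 10.0.0.1, the bound port 33102 and the allow-list policy in gateway_decide are constructed; no network connection is opened.

```python
"""SOCKS5 (RFC 1928) message encoding/decoding for both sides of the exchange, plus a SOCKS4
request for comparison. Example code added for this tutorial; the policy and addresses are made up."""
import socket
import struct

VER5 = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF       # 0x02 = RFC 1929 username/password
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
            3: "network unreachable", 4: "host unreachable", 5: "connection refused",
            6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def greeting(methods):
    """Client -> proxy: VER, NMETHODS, METHODS (the authentication methods the client offers)."""
    return bytes([VER5, len(methods), *methods])


def parse_method_selection(data):
    """Proxy -> client: VER, METHOD. Raises if the proxy accepted none of the offered methods."""
    if data[0] != VER5:
        raise ValueError(f"not a SOCKS5 reply (version {data[0]})")
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("proxy accepted none of the offered authentication methods")
    return data[1]


def _encode_addr(host):
    """ATYP + address. A hostname goes on the wire as-is, so the proxy does the DNS lookup."""
    for atyp, family in ((ATYP_IPV4, socket.AF_INET), (ATYP_IPV6, socket.AF_INET6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            continue
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([ATYP_DOMAIN, len(name)]) + name


def _decode_addr(data, i):
    """Decode ATYP + address + port starting at data[i]; return (host, port, next_index)."""
    atyp = data[i]
    if atyp == ATYP_IPV4:
        host, i = socket.inet_ntop(socket.AF_INET, bytes(data[i + 1:i + 5])), i + 5
    elif atyp == ATYP_IPV6:
        host, i = socket.inet_ntop(socket.AF_INET6, bytes(data[i + 1:i + 17])), i + 17
    elif atyp == ATYP_DOMAIN:
        n = data[i + 1]
        host, i = bytes(data[i + 2:i + 2 + n]).decode("idna"), i + 2 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", data[i:i + 2])
    return host, port, i + 2


def build_request(cmd, host, port):
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (CONNECT, BIND or UDP ASSOCIATE)."""
    return bytes([VER5, cmd, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_request(data):
    """Proxy side: (cmd, host, port) from a client request."""
    if data[0] != VER5 or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    host, port, _ = _decode_addr(data, 3)
    return data[1], host, port


def build_reply(rep, bnd_host, bnd_port):
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. A BIND gets two of these: first
    the port the proxy listens on, then the address of the peer that connected to it."""
    return bytes([VER5, rep, 0x00]) + _encode_addr(bnd_host) + struct.pack("!H", bnd_port)


def parse_reply(data):
    """Client side: (rep, reason, bnd_host, bnd_port)."""
    if data[0] != VER5:
        raise ValueError("not a SOCKS5 reply")
    host, port, _ = _decode_addr(data, 3)
    return data[1], REP_TEXT.get(data[1], "unassigned"), host, port


def gateway_decide(request, allowed_ports, bnd_host="10.0.0.1", bnd_port=33102):
    """The circuit-level gateway's only security decision: relay this connection or not. It never
    looks at payload. The allowed-port policy and the bound address are constructed examples."""
    cmd, host, port = parse_request(request)
    if cmd != CMD_CONNECT:
        return build_reply(7, "0.0.0.0", 0)          # only CONNECT is modelled here
    if port not in allowed_ports:
        return build_reply(2, "0.0.0.0", 0)          # not allowed by ruleset
    return build_reply(0, bnd_host, bnd_port)        # a real proxy would connect() to (host, port)


def socks4_connect_request(ipv4, port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. Only an IPv4 address fits, so the
    client must resolve the name itself, and USERID is a bare, unauthenticated string."""
    return bytes([0x04, 0x01]) + struct.pack("!H", port) + socket.inet_aton(ipv4) + userid + b"\x00"
```

A full CONNECT from the client's point of view is greeting, parse_method_selection, build_request, then parse_reply; a non-zero REP means the proxy refused or failed, and the client must not assume a tunnel exists. Note that sending "example.com" as ATYP 0x03 is what lets the SOCKS5 server resolve the name on the client's behalf, whereas socks4_connect_request cannot even express a hostname.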

Firewall Examples

• MS Windows firewalls

• Cisco firewalls

• Other firewalls….


Windows Firewall

• Part of a layered (defence-in-depth) security model.

• Provides:

– host-based,

– two-way (inbound and outbound) network traffic filtering

– that blocks unauthorized network traffic flowing into or out of the local computer

• Integrated with Internet Protocol Security (IPsec), so connection security rules can require traffic to be authenticated or encrypted.

• An important part of a network's isolation strategy.

Windows Firewall Key Scenarios

You can use Windows Firewall with Advanced

Security to help implement the following key

technologies and scenarios:

• Network Location-Aware Host Firewall

• Server and Domain Isolation

• Network Access Protection

• DirectAccess

• Refer to [6] for more details

Cisco ASA firewall

• Covered in the LAB session (session 8).

Virtual Private Networks (VPN)

• A VPN is a set of tools used to securely connect networks at different locations, using a public network (typically the Internet) as the transport.

• Cryptography is used to implement VPNs: confidentiality, integrity and authentication of the traffic (together with AAA, authentication, authorization and accounting, for the users) protect against eavesdropping and active attacks such as modification, replay and impersonation.

VPN Usage

• VPNs are most commonly used today for telecommuting (remote access for individual users) and for linking branch offices via secure WANs (site-to-site).

• IPsec VPN (refer to session 5)

• Microsoft VPN (PPTP and L2TP/IPsec, covered below)

VPN Protocols for Secure Network Communications

VPN tunneling protocols include:

• Internet Protocol Security (IPsec): an architecture, a set of protocols (AH, ESP) and the related Internet Key Exchange (IKE) protocol. IPsec encrypts and authenticates at the network layer.

• Layer 2 Forwarding (L2F): created by Cisco Systems.

• Layer 2 Tunneling Protocol (L2TP): combines features of PPTP and L2F.

• Point-to-Point Tunneling Protocol (PPTP): developed by a vendor consortium (3Com, Ascend, Microsoft and ECI Telematics).

Note that L2F, L2TP and PPTP only tunnel; they do not encrypt by themselves. L2TP is normally run over IPsec to get encryption, and PPTP relies on PPP-level encryption (MPPE).

Virtual Private Networks (using IPsec)

IPsec problems

• Slow progress in standardization resulted in a splintering of efforts during the mid-90s.

• SSL was one such offshoot, developed to provide security at the application level (above TCP) rather than at the network level.

• Traditional IPsec implementations required a great deal of kernel code, complicating cross-platform porting efforts.

• IPsec is a complex protocol suite with a relatively steep learning curve for new users.

• See session 5 for more details.

VPN using L2TP

• L2TP is a mature IETF standards-track protocol (RFC 2661).

• L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent over IP, X.25, Frame Relay or Asynchronous Transfer Mode (ATM) networks.

• When configured to use IP as its transport (L2TP over UDP port 1701), L2TP can be used as a VPN tunneling protocol over the Internet.

VPN using L2TP

• L2TP with PPP provides a wide range of user authentication options, inherited from PPP:

• CHAP

• MS-CHAP

• MS-CHAPv2

• Extensible Authentication Protocol (EAP)

• L2TP itself provides no encryption. L2TP/IPsec combines L2TP's well-defined, interoperable tunneling with the strong security (confidentiality, integrity and machine authentication) of IPsec.
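The CHAP option listed above, as an added example not from the tutorial: the RFC 1994 challenge/response exchange between the VPN gateway (authenticator) and the client (peer), including the packet layout. The peer name alice, the secrets and the Authenticator class are constructed for illustration; MS-CHAP and MS-CHAPv2 use the same packet framing but compute the response differently and are not modelled here.

```python
"""PPP CHAP (RFC 1994): packet encoding, the peer's response and the authenticator's check.
Example code added for this tutorial; names and secrets are constructed."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_packet(code, ident, value, name=b""):
    """Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_result(code, ident, message=b""):
    """Success/Failure: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_chap(data):
    """Return (code, ident, value, name) for Challenge/Response, or (code, ident, message, b"")."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or code not in (CHALLENGE, RESPONSE, SUCCESS, FAILURE):
        raise ValueError("malformed CHAP packet")
    if code in (CHALLENGE, RESPONSE):
        size = data[4]
        return code, ident, data[5:5 + size], data[5 + size:]
    return code, ident, data[4:], b""


def response_value(ident, secret, challenge):
    """MD5(Identifier || secret || challenge): the one-way hash RFC 1994 specifies."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def respond(challenge_packet, name, secret):
    """Peer side: answer a Challenge with a Response carrying our name."""
    code, ident, challenge, _ = parse_chap(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return chap_packet(RESPONSE, ident, response_value(ident, secret, challenge), name)


class Authenticator:
    """Gateway side. CHAP needs the cleartext shared secret on the server, so the server cannot
    store password hashes only; that is one of its operational drawbacks."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> shared secret
        self.pending = {}              # ident -> challenge still awaiting a response

    def challenge(self, ident, name=b"vpn-gw"):
        value = os.urandom(16)         # fresh random challenge: an old response cannot be replayed
        self.pending[ident] = value
        return chap_packet(CHALLENGE, ident, value, name)

    def verify(self, response_packet):
        """Return (ok, result_packet). The challenge is consumed whether or not the response is right."""
        code, ident, value, name = parse_chap(response_packet)
        challenge = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if code != RESPONSE or challenge is None or secret is None:
            return False, chap_result(FAILURE, ident, b"unknown peer or stale challenge")
        expected = response_value(ident, secret, challenge)
        if not hmac.compare_digest(value, expected):
            return False, chap_result(FAILURE, ident, b"bad response")
        return True, chap_result(SUCCESS, ident, b"welcome")


def demo():
    """Run the exchange once with the right secret and once with a wrong one; return the result codes."""
    gw = Authenticator({b"alice": b"correct horse battery staple"})
    good = gw.verify(respond(gw.challenge(1), b"alice", b"correct horse battery staple"))
    bad = gw.verify(respond(gw.challenge(2), b"alice", b"wrong secret"))
    return parse_chap(good[1])[0], parse_chap(bad[1])[0]


if __name__ == "__main__":
    print(demo())   # (3, 4): Success for the right secret, Failure for the wrong one
```

The secret never crosses the link, only a hash of it bound to a fresh challenge, which is what makes CHAP better than PAP. It does not protect the link afterwards: any confidentiality for the tunnelled PPP frames has to come from IPsec (L2TP/IPsec) or MPPE (PPTP), and an attacker who captures a challenge/response pair can still try passwords offline.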

VPN using PPTP

• PPTP provides authenticated and encrypted communications between a client and a gateway or between two gateways.

• No need for a public key infrastructure.

• Uses a user ID and password (PPP authentication, typically MS-CHAPv2, with the MPPE encryption key derived from the password).

• Simple, multiprotocol support, and ability to traverse a broad range of IP networks.

• The use of PPP provides the ability to negotiate authentication, encryption and IP address assignment services.

• Caveat: because the encryption key is derived from the user's password and MS-CHAPv2 is cryptographically weak, PPTP is no longer considered secure for new deployments; prefer L2TP/IPsec or a native IPsec VPN.

References

1. William Stallings and Lawrie Brown.

2. Lecture Notes by David Chadwick, 2011, TrueTrust.

3. Behrouz A. Forouzan, Cryptography and Network Security.

4. SOCKS Protocol Version 5, IETF RFC 1928, http://www.ietf.org/rfc/rfc1928.txt

5. SOCKS4 protocol, http://archive.socks.permeo.com/protocol/socks4.protocol

6. Introduction to Windows Firewall with Advanced Security, Microsoft Corporation, updated December 2009.

7. Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security, White Paper.

Summary

• In this session we discussed the following:

– Introduced need for & purpose of firewalls

– Types of firewalls

• Packet filter, stateful inspection, application and circuit gateways

– VPNs

Thanks

Dr. Nael Salman
