Session 7: Firewalls and VPN
Posted on 05-Dec-2014
PalGov © 2011
The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Session 7
About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-
2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O. Box 14, Birzeit, Palestine
Telfax: +972 2 2982935, mjarrar@birzeit.edu
© Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website) and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means without prior written permission from the project, which holds the full
copyright on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-
commercially, as long as they credit you and license their new creations
under the identical terms.
Tutorial 5: Information Security
Session 7: Firewalls and VPN
Session 7 Outline:
• Session 7 ILOs
• Firewalls
• SOCKS Protocols
• VPNs
Session 7 ILOs
After completing this session you will be able to:
• B: Intellectual Skills
– b3: Design end-to-end secure and available systems.
– b4: Design integrity and confidentiality services.
Firewalls
• A firewall is an effective means of protecting a local system or network of
systems from network-based security threats: it restricts network services to
authorized access only. A firewall should itself be hard to penetrate, but this
is a design goal rather than a guarantee; a firewall running a vulnerable
operating system, or carrying a misconfigured rule set, can be compromised like
any other host.
• A firewall can be hardware, software, or a combination of both.
Firewall Design Principles
• Information systems have undergone a steady evolution, from small LANs to
Internet connectivity, and computer networks are now in widespread use.
• Strong security features are not established on every workstation and
server, so protection cannot rely on each host defending itself.
• Privacy of information is highly valued.
Firewall Design Principles
• The firewall is inserted between a private network and the Internet or
other networks.
• Aims:
– Establish a controlled link.
– Protect the private network from attacks by external users or programs.
– Provide a single point through which traffic is monitored and the security
policy is enforced.
Firewall Characteristics
• Design goals:
– All traffic between the inside and the outside, in both directions, must
pass through the firewall (physically blocking every other path into the
local network).
– Only authorized traffic, as defined by the local security policy, is
allowed to pass.
– The firewall itself is immune to penetration. In practice this means running
it as a trusted system on a hardened, secure operating system with a minimal
set of services.
Firewall Characteristics
There are four general techniques by which firewalls control access and
enforce the site's security policy:
• Service control
– Determines the types of Internet services that can be accessed, inbound or
outbound (e.g. by filtering on IP address, protocol and port number).
• Direction control
– Determines the direction in which particular service requests may be
initiated and allowed to flow through the firewall.
• User control
– Controls which user(s) can access which services (typically applied to
internal users; external users need a secure authentication technology such
as IPsec).
• Behavior control
– Controls how particular services are used (e.g. filtering e-mail to remove
spam, or exposing only part of a web server's content to outside users).
Types of Firewalls
There are four common types of firewall:
– Packet-filtering routers
– Stateful inspection firewalls (packet filters that also track the state of
each TCP connection, so that only reply packets belonging to an established
connection are admitted)
– Application-level gateways
– Circuit-level gateways
Packet-filtering Router
– Applies a set of rules to each incoming IP packet and then forwards or
discards the packet.
– Filters packets going in both directions.
– The packet filter is typically set up as a list of rules based on matches to
fields in the IP or TCP header: source and destination IP address, IP protocol
field, source and destination port number, and the interface on which the
packet arrived. Rules are examined in order and the first match determines the
action.
– If no rule matches, one of two default policies applies: discard (what is
not expressly permitted is prohibited; the conservative choice) or forward
(what is not expressly prohibited is permitted; more convenient, less secure).
Packet-filtering Router (continued)
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules correctly, and of verifying them
– No user authentication: decisions rest only on addresses and ports, which
the sender controls
• Possible attacks and appropriate countermeasures:
– IP address spoofing: discard packets arriving on the external interface that
carry an internal source address.
– Source routing attacks: discard all packets that use the IP source-routing
option.
– Tiny fragment attacks: discard fragments whose offset is 1, or require the
first fragment to contain a minimum amount of the transport-layer header so
that the port fields cannot be pushed into a later fragment.
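As an added illustration (not part of the original slides), the following Python model of a packet-filtering router applies an ordered rule list with a default-discard policy, implements the three countermeasures above, and, when the stateful flag is set, keeps the connection table that distinguishes a stateful inspection firewall from a plain packet filter. The address blocks, interface names and rule set are assumptions chosen for the example, and the packets are constructed, not captured.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: 10.0.0.0/8 is the private network, 192.0.2.25 the mail gateway
# in the screened subnet (DMZ); interfaces are "ext" (Internet), "dmz" and "int".
PRIVATE = ip_network("10.0.0.0/8")
MAIL_GW = "192.0.2.25"

@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False            # TCP flags
    ack: bool = False
    frag_offset: int = 0         # IP fragment offset in 8-byte units; 0 = first fragment
    source_routed: bool = False  # IP source-route option present

@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: range = range(0, 65536)
    new_only: bool = False       # match only connection-opening packets (SYN without ACK)

    def matches(self, p):
        return (self.iface in ("*", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and p.dport in self.dport
                and (not self.new_only or (p.syn and not p.ack)))

class PacketFilter:
    """First-match rule list plus default policy. With stateful=True it also keeps a
    table of connections it allowed to open and admits their packets in both
    directions without consulting the rules (stateful inspection)."""

    def __init__(self, rules, default="discard", stateful=False):
        self.rules, self.default, self.stateful = list(rules), default, stateful
        self.conns = set()       # 5-tuples of established connections

    def _countermeasures(self, p):
        # IP address spoofing: a private source address arriving from the Internet
        if p.iface == "ext" and ip_address(p.src) in PRIVATE:
            return "discard: spoofed private source on external interface"
        # Source routing attacks: the sender, not the network, chose the path
        if p.source_routed:
            return "discard: source-routed packet"
        # Tiny fragment attacks: an offset-1 fragment overwrites the TCP header that
        # fragment 0 carried, changing the ports after the rules were checked
        if p.frag_offset == 1:
            return "discard: tiny fragment (offset 1)"
        return None

    def decide(self, p):
        verdict = self._countermeasures(p)
        if verdict:
            return verdict
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and (fwd in self.conns or rev in self.conns):
            return "forward: established connection"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if self.stateful and rule.action == "forward" and p.syn and not p.ack:
                    self.conns.add(fwd)
                return f"{rule.action}: rule {i}"
        return f"{self.default}: default policy"

RULES = [
    # 0: inbound mail may reach the DMZ gateway only
    Rule("forward", iface="ext", dst=MAIL_GW + "/32", proto="tcp", dport=range(25, 26), new_only=True),
    # 1: the private network may open HTTPS connections outward
    Rule("forward", iface="int", src=str(PRIVATE), proto="tcp", dport=range(443, 444), new_only=True),
    # 2: nothing from the Internet reaches the private network directly
    Rule("discard", iface="ext", dst=str(PRIVATE)),
]

PACKETS = [  # constructed packets, not captured traffic
    Packet("ext", "198.51.100.7", MAIL_GW, "tcp", 40001, 25, syn=True),            # new SMTP
    Packet("dmz", MAIL_GW, "198.51.100.7", "tcp", 25, 40001, syn=True, ack=True),  # its SYN-ACK
    Packet("ext", "10.0.0.5", "10.0.0.9", "tcp", 40002, 22, syn=True),             # spoofed source
    Packet("ext", "198.51.100.7", "10.0.0.9", "tcp", 40003, 443, syn=True),        # straight to inside
    Packet("ext", "198.51.100.7", MAIL_GW, "tcp", 40004, 25, frag_offset=1),       # tiny fragment
]

def run(stateful):
    """Evaluate the constructed packets; returns one verdict string per packet."""
    fw = PacketFilter(RULES, default="discard", stateful=stateful)
    return [fw.decide(p) for p in PACKETS]

if __name__ == "__main__":
    print("stateless:", run(False))
    print("stateful: ", run(True))
```

The second packet, the mail gateway's SYN-ACK, shows the practical difference between the two types: the stateless filter drops it under the default policy, so an administrator would have to add a rule admitting any packet with source port 25 and the ACK bit set, which an outside attacker can satisfy by simply setting those fields; the stateful filter admits it only because it belongs to a connection that rule 0 allowed to open.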
Application-level Gateway
• Also called a proxy server.
– Acts as a relay of application-level traffic: the user contacts the gateway,
which authenticates the user and then opens its own connection to the remote
service.
– Can work as a content-filtering firewall, since it sees the full
application protocol.
• Advantages:
– Higher security than packet filters
– Only needs to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (the gateway is a splice
point between two separate TCP connections)
Circuit-level Gateway
– Either a stand-alone system or a specialized function performed by an
application-level gateway.
– Sets up two TCP connections: one between itself and the inside user, one
between itself and the outside host.
– The gateway typically relays TCP segments from one connection to the other
without examining their contents.
Circuit-level Gateway (continued)
– The security function consists of determining which connections will be
allowed.
– Typical use is a situation in which the system administrator trusts the
internal users: the gateway admits and relays outbound connections without
inspecting them, while inbound connections are handled by an application-level
gateway.
– An example is the SOCKS package (described below).
Types of Firewalls
• Bastion Host
– A system identified by the firewall administrator as a critical strong point
in the network's security.
– The bastion host serves as a platform for an application-level or
circuit-level gateway, so it runs a hardened operating system with only the
essential proxy services installed.
Firewall Basing
• There are several options for locating a firewall:
• bastion host
• individual host-based firewall (a firewall module on a server, filtering
traffic for that host alone)
• personal firewall (software on a PC or workstation, usually the user's own)
Firewall Locations (diagram in the original slides)
Firewall Configurations
• In addition to the simple configuration of a single system (a single
packet-filtering router or a single gateway), more complex configurations are
possible:
• Distributed firewalls: stand-alone firewall devices plus host-based
firewalls on servers and workstations, administered centrally.
• Screened host firewall system (single-homed bastion host): a
packet-filtering router in front of a bastion host. The router admits from the
Internet only packets destined for the bastion and lets out only packets sent
by the bastion; the bastion performs the application- or circuit-level gateway
functions. If the router is compromised, traffic can flow around the bastion.
• Screened host firewall system (dual-homed bastion host): the bastion has two
network interfaces and sits physically between the router and the internal
network, so traffic cannot bypass it even if the router is compromised.
• Screened-subnet firewall system: two packet-filtering routers, one between
the Internet and the bastion host and one between the bastion host and the
internal network, creating an isolated subnet (DMZ) for the bastion and any
public servers; neither the Internet nor the internal network can reach the
other directly.
Unified Threat Management Products
• A single appliance combining firewall, VPN, intrusion detection/prevention,
anti-malware and content filtering (diagram in the original slides).
Session 7 Outline (continued):
• Firewalls
• SOCKS Protocols
• VPN
SOCKS Protocols
• Communication between clients and servers on opposite sides of a firewall
can be done using the SOCKS protocol: the client connects to the SOCKS proxy,
which opens the outside connection on the client's behalf.
• SOCKS provides two primitive operations: CONNECT (outbound) and BIND
(inbound). SOCKS5 adds UDP ASSOCIATE for relaying UDP datagrams.
• Used by many applications, including web browsers and desktop clients
(e.g. Dropbox).
• Two versions are in use: SOCKS4 and SOCKS5 (RFC 1928).
SOCKS CONNECT
Participants: Host A (client), the SOCKS proxy, server S.
1. CONNECT: Host A connects to the SOCKS proxy and asks it to establish a
connection with server S.
2. connect(): the proxy connects to S.
From now on the traffic flows between host A and server S in both directions,
relayed by the proxy.
SOCKS BIND
1. The client A connects to the SOCKS proxy and asks it to bind a public port,
mapped to A's local port 4445, that will accept an incoming connection from
server S.
2. The SOCKS proxy replies with the public port actually used to accept the
incoming connection (e.g. 33102).
3. When S connects to port 33102 on the proxy, host A is notified and traffic
can flow from S to A and vice versa, conveyed by the proxy.
Comparing SOCKS4 and SOCKS5
• SOCKS4 doesn't support authentication (the request carries only an
unauthenticated user ID), while SOCKS5 negotiates an authentication method
with the client and supports several, including username/password.
• SOCKS4 doesn't support UDP proxying, while SOCKS5 does (UDP ASSOCIATE).
• SOCKS4 clients must resolve host names themselves, because a SOCKS4 request
carries only an IPv4 address, while SOCKS5 clients can send a domain name and
rely on the SOCKS5 server to perform the DNS lookup.
• SOCKS4 supports IPv4 addresses only; SOCKS5 also supports IPv6.
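As an added example (not from the slides), the following Python code encodes and parses the SOCKS5 messages of a CONNECT exchange as laid out in RFC 1928, with both the client's and the proxy's side simulated in-process so it runs offline, and builds the equivalent SOCKS4 request so that the differences above are visible in the bytes: the method negotiation that SOCKS4 lacks, the domain-name address type that lets the proxy do the DNS lookup, and the IPv4-only, user-ID-only SOCKS4 format. The host names and ports are constructed; no network connection is made and the proxy's connect() to the target is represented only by a comment.

```python
import struct
from ipaddress import ip_address

SOCKS5 = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF          # authentication methods
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0x00, 0x07

def client_greeting(methods):
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([SOCKS5, len(methods), *methods])

def server_select(greeting, offered):
    """VER | METHOD: the proxy picks one of the client's methods, or 0xFF."""
    if len(greeting) < 2 or greeting[0] != SOCKS5 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    for m in greeting[2:]:
        if m in offered:
            return bytes([SOCKS5, m])
    return bytes([SOCKS5, NO_ACCEPTABLE])      # client must close the connection

def _encode_addr(host):
    """ATYP | ADDR: an IP literal is sent as such, anything else as a domain name,
    so that the proxy rather than the client performs the DNS lookup."""
    try:
        ip = ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed

def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)

def parse_request(req):
    """Proxy side: returns (cmd, host, port) from a SOCKS5 request."""
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS5 or rsv != 0x00:
        raise ValueError("malformed request")
    if atyp == ATYP_IPV4:
        host, rest = str(ip_address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ip_address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]

def server_reply(rep, bnd_addr="0.0.0.0", bnd_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([SOCKS5, rep, 0x00]) + _encode_addr(bnd_addr) + struct.pack("!H", bnd_port)

def socks5_exchange(host, port, client_methods, server_methods):
    """Simulate both sides of a CONNECT; returns the messages as (sender, bytes)."""
    greet = client_greeting(client_methods)
    sel = server_select(greet, server_methods)
    log = [("client", greet), ("proxy", sel)]
    if sel[1] == NO_ACCEPTABLE:
        return log                       # negotiation failed, no request is sent
    # (method 0x02 would now run the RFC 1929 username/password sub-negotiation)
    req = connect_request(host, port)
    cmd, dst_host, dst_port = parse_request(req)   # the proxy would now connect() to dst_host:dst_port
    rep = server_reply(REP_SUCCEEDED if cmd == CMD_CONNECT else REP_CMD_NOT_SUPPORTED)
    return log + [("client", req), ("proxy", rep)]

def socks4_connect(ip, port, userid=b""):
    """VN=4 | CD=1 | DSTPORT | DSTIP | USERID | NUL: IPv4 only, no method negotiation,
    and the user ID is a bare string the proxy has no way to authenticate."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("SOCKS4 carries IPv4 addresses only")
    return bytes([0x04, 0x01]) + struct.pack("!H", port) + addr.packed + userid + b"\x00"

if __name__ == "__main__":
    for sender, msg in socks5_exchange("mail.example.com", 25, [NO_AUTH, USERPASS], {NO_AUTH}):
        print(f"{sender:6} {msg.hex()}")
    print("socks4 ", socks4_connect("192.0.2.25", 25, b"alice").hex())
```

Two checks worth keeping in a real proxy implementation: reject a greeting whose NMETHODS byte disagrees with its length before looking at the methods, and validate the trailing length of a request so that a domain-name length byte cannot point past the end of the buffer; both are done above.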
Firewall Examples
• Microsoft Windows Firewall
• Cisco firewalls
• Other firewalls
Windows Firewall
• Part of Windows' layered security model.
• Provides host-based, two-way (inbound and outbound) network traffic
filtering that blocks unauthorized network traffic.
• Integrated with Internet Protocol Security (IPsec).
• An important part of a network's isolation strategy.
Windows Firewall Key Scenarios
You can use Windows Firewall with Advanced
Security to help implement the following key
technologies and scenarios:
• Network Location-Aware Host Firewall
• Server and Domain Isolation
• Network Access Protection
• DirectAccess
• Refer to [6] for more details
Cisco ASA firewall
• LAB session 8.
Virtual Private Networks (VPN)
• A VPN is a set of tools used to securely connect networks, or hosts to
networks, at different locations, using a public network (typically the
Internet) as the transport.
• Cryptography is used to provide confidentiality, integrity and
authentication (and to support authorization and accounting) for the VPN
traffic, protecting it against eavesdropping and active attacks on the public
network.
VPN Usage
• VPNs are most commonly used today for telecommuting (remote access) and for
linking branch offices over a secure WAN.
• IPsec VPN (refer to session 5)
• Microsoft VPN (PPTP and L2TP/IPsec, described below)
VPN Protocols for Secure Network Communications
VPN tunneling protocols include:
• Internet Protocol Security (IPsec): an architecture, a set of protocols (AH
and ESP) and the related Internet Key Exchange (IKE) protocol.
• Layer 2 Forwarding (L2F): created by Cisco Systems; tunnels PPP frames but
does not itself encrypt them.
• Layer 2 Tunneling Protocol (L2TP): combines PPTP and L2F. L2TP itself
provides no encryption; it is normally run over IPsec (L2TP/IPsec).
• Point-to-Point Tunneling Protocol (PPTP): developed by 3Com, Ascend,
Microsoft and ECI Telematics; encrypts with MPPE.
Virtual Private Networks (using IPsec) (diagram in the original slides)
IPsec problems
• Slow progress in standardization resulted in a splintering of efforts
during the mid-90s.
• SSL was one such offshoot, developed to provide application-level security
rather than network-level security.
• Traditional IPsec implementations required a great deal of kernel code,
complicating cross-platform porting efforts.
• IPsec is a complex protocol suite with a relatively steep learning curve for
new users, and misconfiguration (weak cipher proposals, over-broad traffic
selectors) is a common source of both outages and silent loss of protection.
• See session 5 for more details.
VPN using L2TP
• L2TP is a mature IETF standards-track protocol (RFC 2661).
• L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent over IP,
X.25, frame relay or asynchronous transfer mode (ATM) networks.
• When configured to use IP as its transport (UDP port 1701), L2TP can be used
as a VPN tunneling protocol over the Internet.
VPN using L2TP (continued)
• L2TP with PPP provides a wide range of user authentication options:
– CHAP
– MS-CHAP
– MS-CHAPv2
– Extensible Authentication Protocol (EAP)
• L2TP/IPsec provides well-defined, interoperable tunneling combined with the
strong security of IPsec: the IPsec transport-mode association is established
first (IKE with certificates or a pre-shared key), and the PPP authentication
then runs inside the protected tunnel, so the known weaknesses of the CHAP
family are not exposed on the wire.
VPN using PPTP
• PPTP provides authenticated and encrypted communications between a client
and a gateway or between two gateways.
• No need for a public key infrastructure.
• Uses a user ID and password (MS-CHAP or MS-CHAPv2) for authentication and
derives the MPPE encryption keys from that exchange.
• Simple, with multiprotocol support and the ability to traverse a broad range
of IP networks (a TCP control connection on port 1723 plus GRE for the data).
• The use of PPP provides the ability to negotiate authentication, encryption
and IP address assignment services.
• Caveat: because the MPPE keys depend entirely on the MS-CHAPv2 handshake,
which an attacker who captures it can break offline, PPTP is today considered
insecure and should be replaced by L2TP/IPsec or a pure IPsec VPN.
References
1. William Stallings and Lawrie Brown.
2. Lecture Notes by David Chadwick, 2011, TrueTrust.
3. Behrouz A. Forouzan, Cryptography and Network Security.
4. SOCKS Protocol Version 5, IETF RFC 1928, http://www.ietf.org/rfc/rfc1928.txt
5. SOCKS4 protocol, http://archive.socks.permeo.com/protocol/socks4.protocol
6. Introduction to Windows Firewall with Advanced Security, Microsoft Corporation, updated December 2009.
7. Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security, White Paper.
Summary
• In this session we discussed the following:
– The need for and purpose of firewalls
– Types of firewalls: packet filter, stateful inspection, application-level
and circuit-level gateways
– SOCKS (CONNECT and BIND)
– VPNs: IPsec, L2TP/IPsec and PPTP
Thanks
Dr. Nael Salman