01 firewalls
TRANSCRIPT
Perimeter Security in Local Area Networks
Ing. Enrique Javier Santiago Chinchilla, Ph.D(c) in Telecommunications Engineering (Uvigo, Spain).
Master in Telematics Engineering (Uvigo, Spain). Specialist in Computer Networks.
Specialist in Telecommunications Systems. Certified Ethical Hacker (EC-Council).
2
Firewalls
Network perimeters include connections to: the Internet, branch offices, business partners, remote users, wireless networks and Internet applications.
[Diagram: the main office LAN linked to a business partner LAN, a branch office LAN, a wireless network, a remote user and the Internet.]
3
Filtering Devices (Firewalls)
• Classification by architecture:
– Screening Router
– Dual-Homed Gateway Firewall (bastion host)
– Screened Host Firewall (bastion host + router)
– Screened Subnet Firewall (DMZ)
4
Screening router
5
Dual-Homed Gateway Firewall
6
Screened Host Firewall
7
Screened Subnet Firewall
8
Filtering Devices (Firewalls)
• Classification by technology:
– Packet Filtering Firewall (L3, L4)
– Application Level Gateway (L5)
– Stateful Inspection Firewall (L3, L4, L5)
9
Packet Filtering Firewalls
10
Application Level Gateway
11
Stateful Inspection Firewall
[Diagram: stateful inspection firewall facing the Internet.]
12
Firewall rules (host-based iptables)

```sh
# Default policy: drop everything that is not explicitly accepted (deny all)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#------------------ accept icmp packets ----------
iptables -A INPUT -s 192.168.1.129 -p icmp -j ACCEPT
# --------------- accept dns requests -------------------------
# This line accepts every new inbound TCP connection, so the DROP rules for
# ports 135/137/139/443 further down never match (first matching rule wins)
iptables -A INPUT -p tcp --syn -j ACCEPT
# Replies to connections the host opened itself (stateful inspection)
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# As written this matches only UDP with BOTH ports equal to 53 (server to
# server); replies to the host's own queries are already covered by ESTABLISHED
iptables -A INPUT -p udp --sport 53 --dport 53 -j ACCEPT
# Reached only by packets not accepted above, i.e. traffic that will fall
# through to the DROP policy, despite the prefix text
iptables -A INPUT -j LOG --log-prefix "trafico Aceptado"
#------------------ filtering of the windows broadcast service ports ---
#---- if there were no deny-all policy at the start of the script
# -s 0.0.0.0/0 means "any source"; a bare 0.0.0.0 would only match packets
# whose source address is exactly 0.0.0.0
iptables -t filter -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 135 --syn -j DROP
iptables -t filter -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 137 --syn -j DROP
iptables -t filter -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 139 --syn -j DROP
iptables -t filter -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 443 --syn -j DROP
```
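The difference between the packet-filtering and stateful-inspection families of slide 8, and between a port-based rule such as `--sport 53` and `-m state --state ESTABLISHED` above, as an added Python model that is not part of the slides; the host and resolver addresses and the packet trace are constructed.

```python
# Added example (not from the slides): stateless packet filter (header
# match only) vs stateful inspection (connection table), constructed trace.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

HOST = "192.168.1.10"       # constructed address of the protected host
DNS_SERVER = "192.168.1.1"  # constructed address of its resolver

def stateless_filter(pkt: Packet) -> str:
    """Like 'iptables -A INPUT -p udp --sport 53 -j ACCEPT': the verdict
    depends only on the header fields of this one packet."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.proto == "udp" and pkt.sport == 53:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    """Like '-m state --state ESTABLISHED': an inbound packet is accepted
    only when it is the reply direction of a flow the host opened."""
    def __init__(self) -> None:
        self.flows: set = set()   # (proto, local, lport, remote, rport)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reply_of in self.flows else "DROP"

def run_trace(trace):
    """Return (stateless verdict, stateful verdict) for each packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in trace]

# Constructed trace: the host's DNS query, the matching reply, and an
# unsolicited inbound packet that merely uses source port 53.
TRACE = [
    Packet("out", "udp", HOST, 40001, DNS_SERVER, 53),
    Packet("in", "udp", DNS_SERVER, 53, HOST, 40001),
    Packet("in", "udp", "203.0.113.7", 53, HOST, 40002),
]
```

The third packet passes the stateless rule because its header looks like a DNS reply, while the stateful filter drops it because no outbound flow matches it.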
13
Filtering Devices (Firewalls)
14
Filtering Devices (Firewalls)
15
Filtering Devices (Firewalls)
16
Filtering Devices (Firewalls)
17
Filtering Devices (Firewalls)
18
Filtering Systems (proxy)
• Generally software products
• Installed on hosts
• Proxy per service (not global)
• Capable of "full inspection"
• Based on access control lists
• Together with other products, can produce logs of the behaviour of the traffic they handle
19
Proxy rules (squid)

```
# Both pc1 and pc2 name the same host, so the first http_access line that
# matches (deny pc1) decides and "allow pc2" is never reached
acl pc1 src 192.168.1.89/255.255.255.255
acl pc2 src 192.168.1.89/255.255.255.255
http_access deny pc1
http_access allow pc2

# Two values under the same name form one ACL (either destination matches);
# dst is the address-based ACL type, dstdomain would match on the name
acl uac dst www.uac.edu.co
acl uac dst web.uautonoma.edu.co
acl pc3 src 192.168.1.20/255.255.255.255
# All ACLs on one line must match: pc3 may reach only the uac destinations
http_access allow pc3 uac
```
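How squid evaluates the http_access lines above (in order, the first line whose ACLs all match decides, and when no line matches the opposite of the last line applies), as an added Python model that is not squid's own code; the dst ACLs are compared by host name here, a simplification of squid's address-based matching.

```python
# Added example (not from the slides): evaluator for the slide's squid
# ACLs and http_access lines, with squid's first-match and default rules.
import ipaddress

# ACL name -> (type, values); same names and values as on the slide.
ACLS = {
    "pc1": ("src", ["192.168.1.89/255.255.255.255"]),
    "pc2": ("src", ["192.168.1.89/255.255.255.255"]),
    "uac": ("dst", ["www.uac.edu.co", "web.uautonoma.edu.co"]),
    "pc3": ("src", ["192.168.1.20/255.255.255.255"]),
}
# (action, [acl names]); every ACL on one line must match (logical AND).
HTTP_ACCESS = [
    ("deny", ["pc1"]),
    ("allow", ["pc2"]),
    ("allow", ["pc3", "uac"]),
]

def acl_matches(name: str, client_ip: str, dest_host: str) -> bool:
    kind, values = ACLS[name]
    if kind == "src":
        # squid's "address/netmask" form is accepted by ipaddress as a network
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v)
                   for v in values)
    if kind == "dst":
        # simplification: compare the requested host name directly
        return dest_host in values
    raise ValueError(f"unsupported ACL type {kind}")

def http_access(client_ip: str, dest_host: str) -> str:
    """Return "allow" or "deny" for one request, the way squid decides."""
    last_action = "allow"
    for action, names in HTTP_ACCESS:
        last_action = action
        if all(acl_matches(n, client_ip, dest_host) for n in names):
            return action   # first line whose ACLs all match wins
    # No line matched: squid applies the opposite of the last line's action
    return "deny" if last_action == "allow" else "allow"
```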
20
Filtering Devices (Proxy)
21
Questions?