firewalls used in different networks

Upload: sureshdodeja100833

Post on 04-Apr-2018

TRANSCRIPT

  • 7/31/2019 Firewalls Used in Different Networks

    1/58

    VIKRAM PATIL

    AKSHAY YADAV

    ABHINANDAN SHEKOKAR

    SURESH DODEJA

  • 2/58

    A firewall is a device or set of devices designed to permit or deny network transmission based upon a set of rules, and is frequently used to protect networks from unauthorised access while permitting legitimate communications to pass.

  • 3/58

    We will briefly explain the firewalls used in different networks, such as NAT, DMZ, VPN and wireless networks, and the different applications of firewalls.

  • 4/58

    Packet filtering

    Port blocking and scanning

    Web filtering

    URL screening

    Web caching

    User blocking

    Domain blocking

    Antivirus

    Spam filtering

    Email scanning

    Network access rules

    Network Address Translation (NAT)

    User authentication

    Intrusion protection

    Network activity monitoring

  • 5/58

    Software Firewall

    Hardware Firewall

    Different firewall architectures:

    Network Architecture

    Dual-Homed Host Architecture

    Screened Host Architecture

    Screened Subnet Architecture

    o Perimeter network

    o Bastion host

    o Interior router

    o Exterior router

  • 6/58

    NAT is built into all the most common Internet connection sharing technologies around. Microsoft has built its ICS around it, and every Cable/DSL broadband router on the market accomplishes its job with NAT.

  • 7/58

    Static NAT

    Dynamic NAT

    Overloading

    Overlapping

  • 8/58

    NAT acts as an interpreter between two networks. It sits between the Internet and your network, as illustrated in the diagram above. The Internet is considered the public Internet side and your network is considered the private LAN side.

  • 9/58

    Interface: The Firebox will apply 1-to-1 NAT for packets sent in to, and out of, the interface.

  • 10/58

    NAT base: When you configure a 1-to-1 NAT rule, you configure the rule with a "from" and a "to" range of IP addresses. The NAT base is the first available IP address in the "to" range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied.

  • 11/58

    Real base: The real base is the first available IP address in the "from" range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy.

  • 12/58

    Number of hosts to NAT (for ranges only): The first real base IP address is translated to the first NAT base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the number of hosts to NAT is reached.
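Added example (not part of the slides): the 1-to-1 NAT rule described on slides 9 to 12, as a small Python model that translates in both directions and can print the full real-to-NAT pairing for review. The class and parameter names (OneToOneNat, real_base, nat_base, number_of_hosts) and the sample addresses are this example's own choices; nothing here is a vendor API.

```python
from __future__ import annotations
import ipaddress


class OneToOneNat:
    """Model of a 1-to-1 NAT rule: the first address of the real ("from")
    range maps to the first address of the NAT ("to") range, the second to
    the second, and so on for number_of_hosts addresses (slide 12)."""

    def __init__(self, real_base: str, nat_base: str, number_of_hosts: int):
        if number_of_hosts < 1:
            raise ValueError("number_of_hosts must be at least 1")
        self.real_base = ipaddress.ip_address(real_base)   # slide 11
        self.nat_base = ipaddress.ip_address(nat_base)     # slide 10
        if self.real_base.version != self.nat_base.version:
            raise ValueError("real base and NAT base must be the same IP version")
        self.number_of_hosts = number_of_hosts

    def _offset(self, addr: str, base) -> int | None:
        """Position of addr inside the range that starts at base, or None if
        it lies outside it. IPv4Address/IPv6Address support int() and + int."""
        ip = ipaddress.ip_address(addr)
        if ip.version != base.version:
            return None
        off = int(ip) - int(base)
        return off if 0 <= off < self.number_of_hosts else None

    def outbound(self, src: str) -> str:
        """Real -> NAT: rewrite the source of a packet leaving the LAN.
        Addresses outside the configured range pass through unchanged."""
        off = self._offset(src, self.real_base)
        return src if off is None else str(self.nat_base + off)

    def inbound(self, dst: str) -> str:
        """NAT -> Real: rewrite the destination of a packet arriving from the
        Internet. Addresses outside the configured range pass through unchanged."""
        off = self._offset(dst, self.nat_base)
        return dst if off is None else str(self.real_base + off)

    def table(self) -> list[tuple[str, str]]:
        """Every (real, NAT) pair the rule produces, for policy review."""
        return [(str(self.real_base + i), str(self.nat_base + i))
                for i in range(self.number_of_hosts)]


if __name__ == "__main__":
    # Constructed values: four private hosts mapped onto a documentation prefix.
    nat = OneToOneNat("10.0.1.10", "203.0.113.10", 4)
    for real, public in nat.table():
        print(f"{real} <-> {public}")
    print(nat.outbound("10.0.1.12"), nat.inbound("203.0.113.12"), nat.outbound("10.0.1.99"))
```

The range check matters: a packet whose address is one past the last host must not be translated, otherwise the rule silently exposes or rewrites an address the administrator never intended to publish.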

  • 13/58

    When using iChat with NAT routers and firewalls, certain ports must be open to allow video and audio conferencing behind a firewall. Some devices have these ports open by default, while others require configuration. A list of individual port functions can be found in "'Well known' TCP and UDP ports used by Apple software products".

  • 14/58

    Ports to open for the Mac OS X firewall: When using the built-in Mac OS X firewall, you only need to open these ports: 5060, 5190, 5297, 5298, 5678, 16384 through 16403. If using Jabber in Mac OS X 10.4 or later, open 5220, 5222, 5223 as well.

  • 15/58

    A computer or small subnetwork that sits between a trusted internal network and an untrusted external network.

    Common setups used for small and medium networks include a firewall that processes all the requests from the internal network (LAN) to the Internet and from the Internet to the LAN.

  • 16/58

    To secure the internal network from external access. It does so by isolating the public services (requiring any entity from the Internet to connect to your servers) from the local, private LAN machines in your network.

  • 17/58

    Web server: Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information.

  • 18/58

    Mail server:

    1. E-mail messages, and particularly the user database, are confidential information, so they are typically stored on servers that cannot be accessed from the Internet.

    2. The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.

  • 19/58

    FTP server: File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet.

  • 20/58

    VoIP server:

    1. VoIP is an abbreviation for Voice over IP.

    2. The transmission of voice over the Internet.

    3. A VoIP service, in essence, consists of a computer that can make phone calls to anywhere in the world.

    4. It may be PC to PC or PC to phone, landline or mobile. The voice signals are converted into data packets that travel over the Internet using a VoIP platform, and then converted back into the recipient

  • 21/58

    Single firewall

  • 22/58

    A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface.

  • 23/58

    The internal network is formed from the second network interface. The DMZ is formed from the third network interface.

    The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network.

  • 24/58

    Dual firewall

  • 25/58

    A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only.

  • 26/58

    The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network. There is even more protection if the two firewalls are provided by two different vendors.
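Added example (not part of the slides): a zone-based packet filter in Python that models the rule-based permit/deny behaviour from slide 2 for the DMZ designs on slides 22 to 26, with the anti-IP-spoofing check from slide 28 built in. The three-interface single firewall and the front-end/back-end pair are built from the same class. Zone names, interface names, address prefixes, ports and sample packets are all constructed for illustration; this is not any vendor's rule syntax.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: RFC 1918 space for the internal LAN and the
# TEST-NET-1 documentation prefix for the DMZ; anything else is "internet".
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def zone_of_addr(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL_NET:
        return "internal"
    if ip in DMZ_NET:
        return "dmz"
    return "internet"


class Firewall:
    """Stateless, default-deny filter. The source zone is taken from the
    arrival interface, the destination zone from the destination address,
    and the first matching rule decides."""

    def __init__(self, iface_zones: dict[str, str], rules: list[Rule]):
        self.iface_zones = iface_zones
        self.rules = rules
        self.log: list[str] = []

    def decide(self, pkt: Packet) -> str:
        src_zone = self.iface_zones[pkt.iface]
        # Anti-spoofing (slide 28): the source address must belong to the zone
        # of the interface it arrived on, so an internal address turning up on
        # the Internet-facing interface is dropped before any rule is consulted.
        if zone_of_addr(pkt.src) != src_zone:
            self.log.append(f"DROP spoofed src {pkt.src} on {pkt.iface}")
            return "deny"
        dst_zone = zone_of_addr(pkt.dst)
        flow = f"{src_zone}->{dst_zone} {pkt.proto}/{pkt.dport}"
        for r in self.rules:
            if ((r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, pkt.proto)
                    and r.dport in (None, pkt.dport)):
                self.log.append(f"{r.action.upper()} {flow}")
                return r.action
        self.log.append(f"DENY(default) {flow}")
        return "deny"


def front_end_firewall() -> Firewall:
    # Slide 25: admit Internet traffic destined to the DMZ only (plus the
    # DMZ mail relay's outgoing mail, slide 18).
    return Firewall({"eth0": "internet", "eth1": "dmz"}, [
        Rule("internet", "dmz", "tcp", 443, "allow"),   # public web server
        Rule("internet", "dmz", "tcp", 25, "allow"),    # DMZ mail relay
        Rule("dmz", "internet", "tcp", 25, "allow"),    # relay sends outgoing mail
    ])


def back_end_firewall() -> Firewall:
    # Slide 26: only DMZ-to-internal traffic, and only to the internal
    # servers the DMZ hosts actually need (slides 17 and 18).
    return Firewall({"eth0": "dmz", "eth1": "internal"}, [
        Rule("dmz", "internal", "tcp", 25, "allow"),    # relay -> internal mail server
        Rule("dmz", "internal", "tcp", 5432, "allow"),  # web server -> database
    ])


def single_firewall() -> Firewall:
    # Slides 22-23: one box with three interfaces carries both rule sets and
    # is therefore the single point of failure for every flow.
    return Firewall({"eth0": "internet", "eth1": "internal", "eth2": "dmz"},
                    front_end_firewall().rules + back_end_firewall().rules)


if __name__ == "__main__":
    fe = front_end_firewall()
    for p in (Packet("eth0", "198.51.100.7", "192.0.2.10", "tcp", 443),
              Packet("eth0", "198.51.100.7", "10.10.5.20", "tcp", 443),
              Packet("eth0", "10.10.5.20", "192.0.2.10", "tcp", 443)):
        fe.decide(p)
    print("\n".join(fe.log))
```

The model is deliberately stateless: a production firewall also tracks connection state so that replies to allowed flows are admitted without a separate inbound rule. The log lines are what a defender reviews (slide 28's "check logs regularly"); the spoof drops in particular are worth alerting on, because a legitimate host never produces them.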

  • 27/58

    Disable all unnecessary services and daemons

    Run services chrooted whenever possible

    Run services with unprivileged UIDs and GIDs whenever possible

  • 28/58

    Delete or disable unnecessary user accounts

    Configure logging and check logs regularly

    Use your firewall's security policy and anti-IP-spoofing features
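Added example (not part of the slides): an offline audit in Python for two items of the hardening checklist on slides 27 and 28, the "unnecessary user accounts" item and the "unprivileged UIDs and GIDs" item. It runs over constructed /etc/passwd and process-listing text embedded below; the allowlists, the sample data and the function names are this example's own assumptions.

```python
from __future__ import annotations

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt. "ftp" and "olduser" are the findings:
# both keep an interactive shell although neither is an expected admin.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
ftp:x:110:118:ftp daemon:/srv/ftp:/bin/sh
olduser:x:1001:1001::/home/olduser:/bin/bash
"""

# Constructed `ps -eo user,pid,comm`-style listing. nginx runs unprivileged
# as it should; ftpd running as root is the finding.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       412 sshd
www-data   630 nginx
www-data   631 nginx
root       702 ftpd
"""


def login_capable_accounts(passwd_text: str, expected: set[str]) -> list[str]:
    """Accounts with an interactive shell that are not on the expected list
    (slide 28: delete or disable unnecessary user accounts)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a fuller audit would report it too
        name, uid, shell = fields[0], fields[2], fields[6]
        if shell not in NOLOGIN_SHELLS and name not in expected:
            findings.append(f"{name} (uid {uid}, shell {shell})")
    return findings


def root_services(ps_text: str, allowed_as_root: set[str]) -> list[str]:
    """Processes running as root whose command is not on the allowlist
    (slide 27: run services with unprivileged UIDs and GIDs)."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        user, pid, command = parts
        if user == "root" and command not in allowed_as_root:
            findings.append(f"{command} (pid {pid})")
    return findings


def audit(passwd_text: str = SAMPLE_PASSWD, ps_text: str = SAMPLE_PS) -> dict[str, list[str]]:
    """Run both checks; an empty list means the item passed."""
    return {
        "login_accounts": login_capable_accounts(passwd_text, {"root", "admin"}),
        "root_services": root_services(ps_text, {"init", "sshd"}),
    }


if __name__ == "__main__":
    for check, items in audit().items():
        print(check + ":", items or "ok")
```

On a real bastion host the two inputs would be read from /etc/passwd and from `ps` output, and the allowlists would be the host's documented baseline; the point of keeping them explicit is that any drift from the baseline shows up as a finding rather than being silently accepted.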

  • 29/58

    DMZ Secure Proxy Server for IBM

  • 30/58

  • 31/58

    A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet. A VPN utilizes public telecommunications networks to conduct private data communications.

  • 32/58

    There are two approaches to using a firewall with a VPN server:

    VPN Server in Front of the Firewall

    VPN Server behind the Firewall

  • 33/58

    Firewall attached to the Internet via VPN server.

    Need to add packet filters to the Internet interface.

    It can lead to greater security.

    Prevents the sharing of File Transfer Protocol (FTP).

  • 34/58

    Firewall is directly connected to the Internet.

    VPN server and Web server are two intranet resources connected to a DMZ.

    Firewall must be configured with input and output filters on its Internet interface.

  • 35/58

    PPTP -- Point-to-Point Tunneling Protocol

    L2TP -- Layer 2 Tunneling Protocol

    IPsec -- Internet Protocol Security

    SSL/TLS -- Secure Sockets Layer/Transport Layer Security

  • 36/58

    Monitors traffic crossing network perimeters.

    VPNs allow authorized users to pass through the firewalls. A packet-level firewall checks source and destination.

    An application-level firewall acts as a host computer between the organization's network and the Internet.

  • 37/58

    Site-to-site VPN

    o Links two or more networks

    Client-to-site VPN

    o Makes a network accessible to remote users who need dial-in access

  • 38/58

    REMOTE ACCESS VPN

    Remote access VPNs utilize a central site VPN concentrator and a software VPN client. The client is installed on the users' desktop or laptop computers and enables the users to establish a secure, encrypted tunnel to the office network.

    Computers that gain access to a VPN can potentially access all the resources of the private network.

  • 39/58

    REMOTE ACCESS VPN (CONT)

    Organizations maintain their own remote access servers and allow direct dial-up connections.

    Organizations rely on Internet service providers (ISPs) to manage dialup.

  • 40/58

    Normally, wireless Internet connections can be easily shared using ICS, i.e. Internet Connection Sharing, or by making an ad-hoc network connection.

    While you can use a Wi-Fi router for connecting an Android or Symbian phone to the Internet, your router might not be able to support too many devices.

  • 41/58

    MyPublicWiFi is an application for creating a free Wi-Fi hotspot that turns your computer into a wireless router with firewall and URL tracking functionality.

    Using the firewall, you can also restrict certain types of services which you may not want the shared users to access.

  • 42/58

  • 43/58

    The below screenshot demonstrates how the Wi-Fi connection will become available for numerous devices, among available Wi-Fi connections.

  • 44/58

    To configure additional options, head over to the Management tab. Here, you can enable the firewall and URL logging, and select MyPublicWiFi to start with system start-up.

  • 45/58

    The Wi-Fi Alliance, in conjunction with the IEEE, has developed enhanced, interoperable security standards called Wi-Fi Protected Access (WPA) and WPA2.

    WPA and WPA2 use specifications that bring together standards-based, interoperable security mechanisms that significantly increase the level of data protection and access control for wireless LANs.

  • 46/58

    WPA and WPA2 provide wireless LAN users with a high level of assurance that their data remains protected and that only authorized network users can access the network.

  • 47/58

    A wireless network that uses WPA or WPA2 requires all computers that access the wireless network to have WPA or WPA2 support. WPA provides a high level of data protection and (when used in Enterprise mode) requires user authentication.

  • 48/58

    The main standards-based technologies that constitute WPA include Temporal Key Integrity Protocol (TKIP), 802.1X, Message Integrity Check (MIC), and Extensible Authentication Protocol (EAP).

    TKIP provides enhanced data encryption, including the frequency with which keys are used to encrypt the wireless connection.

  • 49/58

    802.1X and EAP provide the ability to authenticate a user on the wireless network.

    802.1X is a port-based network access control method for wired as well as wireless networks.

    The Message Integrity Check (MIC) is designed to prevent an attacker from capturing

  • 50/58

    Personal mode, which relies on the capabilities of TKIP without requiring an authentication server.

    Enterprise mode, which uses a separate server, such as a RADIUS server, for user authentication.

  • 51/58

    WPA and WPA2 Personal

    WPA and WPA2 run in Personal mode, taking into account that the typical household or small office does not have an authentication server. Instead of authenticating with a RADIUS server, users manually enter a password to log in to the wireless network. When a user enters the password correctly, the wireless device starts the encryption process using
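Added example (not part of the slides): how the password entered in WPA/WPA2 Personal mode (slides 50 and 51) becomes the 256-bit Pre-Shared Key that the encryption process starts from. The slides stop short of this step; the derivation shown is the one IEEE 802.11i specifies for Personal mode (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output), implemented here in Python with the standard library. The first passphrase/SSID pair in the test is the standard's published test case; the function names and the other sample values are this example's own.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK (used directly as the PMK in Personal mode)
    from an ASCII passphrase of 8 to 63 characters and the network's SSID.
    Per IEEE 802.11i: PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form, as shown by tools that display the derived key."""
    return wpa_psk(passphrase, ssid).hex()


def same_passphrase_differs_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID is the salt: one passphrase yields a different PSK on each
    network, so precomputed tables for one SSID do not transfer to another."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Published 802.11i test case, then a constructed network name.
    print(psk_hex("password", "IEEE"))
    print(psk_hex("correct horse battery", "HomeNet"))
```

Every station on a Personal-mode network shares this single key, and 4096 iterations of HMAC-SHA1 are cheap on current hardware, so the passphrase's length and randomness are the only thing standing between a captured handshake and the key. That is the practical reason slide 50's Enterprise mode, with per-user 802.1X/EAP credentials, is preferred wherever an authentication server is available.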

  • 52/58

    WPA and WPA2 Enterprise

    WPA is a subset of the draft IEEE 802.11i standard and effectively addresses the wireless local area network (WLAN) security requirements for the enterprise. In an enterprise with IT resources.

  • 53/58

    Wi-Fi enabled BlackBerry smartphones: Joining Wi-Fi and Cellular in One Device

    Wi-Fi enabled BlackBerry smartphones bring WLAN-Mobile Convergence (WMC) to the enterprise, providing users with more choices on how and where to use their devices. WMC combines the strengths of both Wi-Fi and cellular networks to expand the functionality of BlackBerry smartphones. Wi-Fi offers the high-speed, low latency capabilities of broadband connectivity without cables

  • 54/58

    in the local area networks for the enterprise, home, and public hotspots. Mobile cellular networks provide wide area coverage.

    The BlackBerry smartphone leverages convergence as it brings broadband connectivity and provides the convenience of a single handset, resulting in lower management costs.

  • 55/58

  • 56/58

    Quality of Service (QoS)

    QoS enhances support for real-time applications such as voice or other multimedia, by making it possible to prioritize traffic from different applications.

  • 57/58

    Advanced power save mechanisms

    Power save techniques significantly extend the battery life of Wi-Fi mobile devices and pave the way for the mass adoption of Wi-Fi in mobile phones and other devices with multiple wireless interfaces.

  • 58/58

    Security

    Security standards and certifications for enterprise and public access devices bring advanced security to Wi-Fi devices.

    Bringing the parity of security to mobile devices found in wired desktops and laptops.

    The BlackBerry Smartphone Capabilities

    The First Converged BlackBerry smartphone.

    When in Wi-Fi coverage areas, the BlackBerry smartphone utilizes the broadband connection to transmit and