
Network Security: Firewalls



Network Security:
Firewalls
Võ Viết Minh Nhật
Faculty of Information Technology – University of Sciences

Outline

Basic concepts

Different types of firewalls

Packet filtering and stateless filtering

Stateful filtering

Deep packet layer inspection

Enhancements for firewalls

Address translation

Proxy services

Content filtering

Antivirus software

Basic concepts

A firewall is defined as a gateway or access
server (hardware- or software-based) or
several gateways or access servers that are
designated as buffers between any
connected public network and a private
network.

A firewall is a device that separates a trusted
network from an untrusted network.

It may be a router, a PC running specialized
software, or a combination of devices.

Basic concepts

Different types of firewalls

A multitude of firewalls are produced that are capable
of monitoring traffic using different techniques.

Some firewalls can inspect data packets up to
Layer 4, and others can inspect all layers (deep
packet firewalls).

Three types of inspection methodologies:

Packet filtering and stateless filtering

Stateful filtering

Deep packet layer inspection


Packet filtering

Packet filters are now easy to break, hence the
introduction of proxy servers that limit attacks.

A proxy server is a server that sits between a client
application, such as a web browser, and a real
server.

It intercepts all requests to the real server to see if it
can fulfill the requests itself. If not, it forwards the
request to the real server.

Proxy servers are application based, slow, and
difficult to manage in large IP networks.

Stateless firewall

A stateless firewall permits only the receipt of
packets from trusted networks, deciding on the
basis of the source address and port.

It adds more flexibility and scalability to
network configuration.

Packets are inspected up to Layer 3;
therefore, stateless firewalls are able to
inspect source and destination IP addresses
and protocol source and destination ports.

Stateless firewall

Stateful firewall

A stateful firewall limits network information
from a source to a destination based on the
destination IP address, source IP address,
source TCP/UDP port, and destination
TCP/UDP port.

Stateful firewalls can also inspect data
content and check for protocol anomalies.

Stateful firewall
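To make the difference between the stateless and stateful slides concrete, here is an added Python simulation (not part of the lecture) that runs both policies over one constructed packet trace; the inside prefix, addresses and ports are assumed values. The stateless rule must admit any packet that claims source port 80, while the stateful filter admits inbound packets only when they match a connection it saw opened from inside.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."  # assumed trusted (inside) network prefix, constructed for the example

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag: a connection is being opened

def stateless_filter(pkt: Packet) -> bool:
    """Decide from this packet's Layer 3/4 header alone; nothing is remembered."""
    if pkt.src_ip.startswith(INSIDE) and pkt.dst_port == 80:
        return True  # inside hosts may talk to web servers
    if pkt.dst_ip.startswith(INSIDE) and pkt.src_port == 80:
        return True  # replies from web servers must be allowed back in
    return False

class StatefulFilter:
    """Remember connections opened from inside; admit inbound only as replies."""

    def __init__(self) -> None:
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip.startswith(INSIDE):
            if pkt.dst_port == 80 and pkt.syn:
                self.table.add(flow)  # record the new outbound connection
            return flow in self.table
        # Inbound: reverse the tuple and require a matching tracked connection
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table

def run_trace(trace):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.allow(p)) for p in trace]

# Constructed trace: one normal web connection, then an unsolicited inbound
# packet from port 80 that a stateless rule cannot distinguish from a reply.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80),
    Packet("198.51.100.7", 80, "10.0.0.5", 22),
]
```

Running `run_trace(TRACE)` gives permit/permit for the three packets of the real connection and permit/deny for the last one: only the stateful filter rejects it.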

Deep packet layer inspection

With deep packet layer inspection, the
firewall inspects network information from a
source to a destination based on the
destination IP address, source IP address,
source TCP/UDP port, and destination
TCP/UDP port.

It also inspects protocol conformance, checks
for application-based attacks, and ensures
integrity of the data flow between any TCP/IP
devices.


Deep packet layer inspection

A deep packet layer device inspects packets to

Ensure that the packets conform to the protocol

Ensure that the packets conform to specifications

Ensure that the packets are not application
attacks

Police integrity check failures

Hardware Firewalls: PIX &
NetScreen

The PIX is a dedicated hardware-based networking
device that is designed to ensure that only traffic
that matches a set of criteria is permitted to access
resources from networks defined with a secure
rating.

PIX Firewall prevents unauthorized connections
between two or more networks and performs security
functions such as authentication, authorization, and
accounting (AAA) services, access lists, VPN
configuration (IPSec), and FTP logging.

PIX Interfaces

PIX

Typically, the Internet connection is given the lowest
level of security, and a PIX ensures that only traffic
from internal networks is trusted to send data. The
biggest problem with a PIX Firewall is
misconfiguration, which most crackers use to
compromise network functionality.

A PIX Firewall permits a connection-based security
policy. For instance, you might allow Telnet sessions
to be initiated from within your network but not allow
them to be initiated into the network from outside the
network.

PIX Placement

NetScreen Firewall

The NetScreen firewalls are deep inspection
firewalls providing application-layer protection,
whereas the PIX can be configured as stateful or
stateless firewalls providing network- and transport-
layer protection.

The NetScreen firewall is a deep packet layer,
stateful inspection device. It bases all its verification
and decision making on a number of different
parameters, including source address, destination
address, source port, and destination port. The data
is checked for protocol conformance.

NetScreen Firewall Placement

Check Point Software Firewalls

Although most hardware firewalls provide effective
access control, many are not designed to
detect and thwart attacks specifically targeted
at the application level. Tackling these types
of attacks is most effective with software
firewalls.

Software firewalls allow networks and, more
specifically, network applications to be
protected from untrusted sources such as the
Internet.

Check Point Software Firewalls

Check Point can provide the following
services:

Firewall services

VPN

Account management

Real-time monitoring

Secure updates over the Internet

User-friendly management interface

Enhancements for Firewalls

NAT (Network Address Translation)

Proxy services

Content filtering

Antivirus software

Network Address Translation

NAT is a router or firewall function whose
main objective is to translate the addresses
of hosts behind a firewall or router.

NAT can also be used to overcome the IP
address shortage that users currently
experience with IPv4.

Network Address Translation


NAT is typically used for internal IP networks
that have unregistered (not globally unique)
IP addresses. NAT translates these
unregistered addresses into the legal
addresses of the outside (public) network.
This allows unregistered IP address space
connectivity to the web and also provides
added security.

Port Address Translation - PAT

PAT provides additional address expansion
but is less flexible than NAT.

With PAT, one IP address can be used for up
to 64,000 hosts by mapping several IP port
numbers to one IP address.

PAT is secure because the source IP address
of the inside hosts is hidden from the outside
world.
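As an added example (not from the lecture), a minimal PAT table in Python; the public address, inside addresses and port pool are constructed values. Each outbound flow from an inside host is given its own port on the single public address, replies are mapped back through the same table, and an inbound packet that matches no mapped flow has nowhere to go, which is why the inside addresses stay hidden from the outside.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatGateway:
    """One public address shared by many inside hosts via per-flow port mapping."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}  # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}   # (public port, dst_ip, dst_port) -> (in_ip, in_port)

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite the inside source to (public_ip, allocated port)."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound_map.get(flow)
        if port is None:  # first packet of this flow: allocate a public port
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[flow] = port
            self.inbound_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet):
        """Map a reply back to the inside host; None if no inside flow created it."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no inside host ever opened this flow
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

def demo():
    """Two inside hosts using the same source port share one public address."""
    gw = PatGateway("203.0.113.1")  # constructed public address
    a = gw.translate_out(Packet("10.0.0.5", 40000, "198.51.100.20", 80))
    b = gw.translate_out(Packet("10.0.0.6", 40000, "198.51.100.20", 80))
    reply = gw.translate_in(Packet("198.51.100.20", 80, "203.0.113.1", b.src_port))
    stray = gw.translate_in(Packet("198.51.100.20", 80, "203.0.113.1", 5000))
    return a, b, reply, stray
```

The size of the port pool (first_port to last_port) is what bounds how many simultaneous flows, and hence hosts, one public address can carry.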
