Network Security:
Firewalls
Võ Viết Minh Nhật
Faculty of Information Technology (Khoa CNTT), University of Sciences (Trường ĐHKH)
Outline
Basic concepts
Different kinds of firewalls
  Packet filtering and stateless filtering
  Stateful filtering
  Deep packet layer inspection
Firewall enhancements
  Network Address Translation (NAT)
  Proxy services
  Content filtering
  Antivirus software
Basic concepts
A firewall is defined as a gateway or access server (hardware- or software-based), or several gateways or access servers, that are designated as buffers between any connected public network and a private network.
A firewall is a device that separates a trusted network from an untrusted network.
It may be a router, a PC running specialized software, or a combination of devices.
Different kinds of firewalls
A multitude of firewalls are produced that are capable of monitoring traffic using different techniques.
Some firewalls can inspect data packets up to Layer 4, and others can inspect all layers (deep packet firewalls).
Three types of inspection methodologies:
Packet filtering and stateless filtering
Stateful filtering
Deep packet layer inspection
Packet filtering
Packet filters are now easy to break, hence the introduction of proxy servers that limit attacks.
A proxy server is a server that sits between a client application, such as a web browser, and a real server.
It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
Proxy servers are application based, slow, and difficult to manage in large IP networks.
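The intercept-then-fulfill-or-forward behaviour described above, as an added example that is not part of the lecture: a toy forward proxy in Python that sits between a client and a simulated origin server. The origin is a plain function, and the blocked-host list is an assumption added to show where a proxy applies policy; hostnames are constructed.

```python
# Added example (not from the lecture): a toy forward proxy.  Every request is
# intercepted; the proxy answers from its cache when it can, refuses hosts on a
# (constructed) block list, and forwards everything else to the real server.
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Proxy:
    origin: Callable[[str, str], str]        # simulated real server: (host, path) -> body
    blocked_hosts: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # what the proxy decided for each request

    def fetch(self, host: str, path: str):
        # Policy is applied before any contact with the real server.
        if host in self.blocked_hosts:
            self.log.append(("blocked", host, path))
            return None
        key = (host, path)
        # Can the proxy fulfil the request itself?
        if key in self.cache:
            self.log.append(("cache-hit", host, path))
            return self.cache[key]
        # Otherwise forward to the real server and remember the answer.
        body = self.origin(host, path)
        self.cache[key] = body
        self.log.append(("forwarded", host, path))
        return body


def demo():
    """Run three constructed requests; return the decision log and the number
    of times the origin was actually contacted."""
    calls = []

    def origin(host, path):             # stands in for the real web server
        calls.append((host, path))
        return f"<html>{host}{path}</html>"

    proxy = Proxy(origin=origin, blocked_hosts={"ads.example"})
    proxy.fetch("www.example", "/")            # first request: forwarded
    proxy.fetch("www.example", "/")            # same request: served from cache
    proxy.fetch("ads.example", "/banner")      # blocked: never reaches the origin
    return [entry[0] for entry in proxy.log], len(calls)


if __name__ == "__main__":
    print(demo())
```

Only the first request reaches the origin; the repeat is served from the cache and the blocked host is refused before any connection is made, which is why the lecture lists proxies as a way to limit attacks on the real server.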
Stateless firewall
A stateless firewall permits only the receipt of information packets that are based on the source's address and port from networks that are trusted.
It adds more flexibility and scalability to network configuration.
Packets are inspected up to Layer 3; therefore, stateless firewalls are able to inspect source and destination IP addresses and protocol source and destination ports.
Stateful firewall
A stateful firewall limits network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port.
Stateful firewalls can also inspect data content and check for protocol anomalies.
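The difference between the stateless filter of the previous section and the stateful filter of this one, as an added example that is not part of the lecture: both filters are run over the same constructed packet sequence in Python. The trusted network prefix, addresses and ports are constructed; the stateless rule "allow any inbound TCP packet with ACK set" stands in for the classic established-connection rule a stateless filter has to rely on.

```python
# Added example (not from the lecture): a toy stateless filter and a toy
# stateful filter evaluated on the same constructed packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag: set on a connection-initiating packet
    ack: bool = False   # TCP ACK flag: set on every packet after the first


TRUSTED_NET = "10.0.0."    # constructed: the inside (trusted) network prefix


def stateless_filter(pkt: Packet) -> str:
    """Stateless: decide from the headers of this one packet only."""
    if pkt.src_ip.startswith(TRUSTED_NET):
        return "allow"                      # outbound from the trusted network
    # Inbound: with no memory of earlier packets the filter cannot tell a reply
    # from an unsolicited packet, so it has to accept anything that *claims*
    # to belong to an existing connection (ACK flag set).  This is the hole.
    if pkt.proto == "tcp" and pkt.ack:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful: remember connections opened from the inside and let only
    packets belonging to one of them back in."""

    def __init__(self):
        self.table = set()   # connection table keyed by the 5-tuple

    def decide(self, pkt: Packet) -> str:
        if pkt.src_ip.startswith(TRUSTED_NET):
            if pkt.syn and not pkt.ack:     # new outbound connection: record it
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        # Inbound: allowed only if it is the reverse of a tracked connection.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "allow" if key in self.table else "deny"


# Constructed sequence: an inside host opens a web connection, the server
# replies with SYN/ACK, then an unrelated outside host sends an unsolicited
# packet with ACK set towards an inside Telnet port.
PACKETS = [
    Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, syn=True),
    Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True),
    Packet("198.51.100.9", "10.0.0.5", "tcp", 4444, 23, ack=True),
]


def run_stateless(packets=PACKETS):
    return [stateless_filter(p) for p in packets]


def run_stateful(packets=PACKETS):
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for p, s, t in zip(PACKETS, run_stateless(), run_stateful()):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  stateless={s}  stateful={t}")
```

Both filters pass the outbound SYN and the genuine SYN/ACK reply, but only the stateful filter rejects the third packet, because no inside host ever opened a connection to 198.51.100.9:4444.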
Deep packet layer inspection
With deep packet layer inspection, the firewall inspects network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port.
It also inspects protocol conformance, checks for application-based attacks, and ensures integrity of the data flow between any TCP/IP devices.
Deep packet layer inspection
A deep packet layer device inspects packets to:
Ensure that the packets conform to the protocol
Ensure that the packets conform to specifications
Ensure that the packets are not application attacks
Police integrity check failures
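The protocol-conformance step in the list above, as an added example that is not part of the lecture: a Python check over the first bytes of a flow to TCP port 80 that accepts only a request line matching the HTTP/1.x grammar. A port-only filter would pass all five constructed payloads; the conformance check passes one. The method list follows the HTTP specification; the 2048-byte request-target limit is an assumed local policy value.

```python
# Added example (not from the lecture): deep-inspection style conformance check
# on the application payload of a packet destined to TCP port 80.
import re

# HTTP/1.x request-line grammar: method token, request-target, version, CRLF.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN.encode() + rb") (\S+) HTTP/1\.[01]\r\n")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}
MAX_TARGET = 2048   # assumed policy limit: longer request-targets are treated as anomalies


def inspect_http(payload: bytes):
    """Return ('allow', reason) or ('deny', reason) for the start of a port-80 flow."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "deny", "not an HTTP/1.x request line"
    method, target = m.group(1), m.group(2)
    if method not in KNOWN_METHODS:
        return "deny", f"unknown method {method!r}"
    if len(target) > MAX_TARGET:
        return "deny", "request-target exceeds length limit"
    if any(b < 0x20 or b == 0x7F for b in target):
        return "deny", "control characters in request-target"
    return "allow", "conforms to HTTP/1.x request-line grammar"


# Constructed payloads, all sent to port 80.
SAMPLES = {
    "normal":     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tunnelled":  b"SSH-2.0-OpenSSH_8.9\r\n",          # another protocol on the web port
    "bad_method": b"HACK / HTTP/1.1\r\n",
    "oversize":   b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n",
    "ctrl":       b"GET /a\x00b HTTP/1.1\r\n",
}


def run_samples(samples=SAMPLES):
    """Map each sample name to the filter's verdict."""
    return {name: inspect_http(payload)[0] for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10s} {inspect_http(payload)}")
```

The check only looks at the first line of the flow, which is what a real deep-inspection engine would do before deciding whether to keep parsing the stream as HTTP.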
Hardware Firewalls: PIX & NetScreen
The PIX is a dedicated hardware-based networking device that is designed to ensure that only traffic that matches a set of criteria is permitted to access resources from networks defined with a secure rating.
The PIX Firewall prevents unauthorized connections between two or more networks and performs security functions such as authentication, authorization, and accounting (AAA) services, access lists, VPN configuration (IPSec), and FTP logging.
PIX Interfaces
PIX
Typically, the Internet connection is given the lowest level of security, and a PIX ensures that only traffic from internal networks is trusted to send data. The biggest problem or issue with a PIX Firewall is misconfiguration, which most crackers use to compromise network functionality.
A PIX Firewall permits a connection-based security policy. For instance, you might allow Telnet sessions to be initiated from within your network but not allow them to be initiated into the network from outside the network.
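The connection-based policy just described, as an added example that is not part of the lecture or of Cisco's software: a Python model of interface security levels in which a new connection from a higher-security interface to a lower-security one is permitted by default, while the reverse direction needs an explicit permit. Interface names, levels, address ranges and the single permit entry are constructed; the decision is made on the packet that initiates the connection, so the Telnet case from the slide comes out as allowed outbound and denied inbound.

```python
# Added example (not from the lecture, not Cisco code): a toy model of
# security-level based policy for connection initiation.
from dataclasses import dataclass

# Constructed interfaces: the Internet gets the lowest level.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


def interface_for(ip: str) -> str:
    """Constructed routing: which interface an address lives behind."""
    if ip.startswith("10.0.0."):
        return "inside"
    if ip.startswith("192.168.100."):
        return "dmz"
    return "outside"


# Explicit permits for low-to-high initiations (the access-list part of the
# policy): (ingress interface, destination ip, destination port).
EXPLICIT_PERMITS = {("outside", "192.168.100.10", 80)}   # constructed: a published DMZ web server


@dataclass(frozen=True)
class Initiation:
    src_ip: str
    dst_ip: str
    dst_port: int


def allow_initiation(conn: Initiation) -> bool:
    ingress = interface_for(conn.src_ip)
    egress = interface_for(conn.dst_ip)
    if ingress == egress:
        return False                 # not crossing the firewall: nothing to permit
    if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
        return True                  # higher to lower: permitted by default
    # Lower to higher: denied unless an explicit permit exists.
    return (ingress, conn.dst_ip, conn.dst_port) in EXPLICIT_PERMITS


CASES = [
    Initiation("10.0.0.5", "203.0.113.7", 23),        # inside starts Telnet to the Internet
    Initiation("203.0.113.7", "10.0.0.5", 23),        # Internet tries to start Telnet inward
    Initiation("203.0.113.7", "192.168.100.10", 80),  # Internet to the published DMZ web server
    Initiation("203.0.113.7", "192.168.100.10", 23),  # Internet Telnet to the DMZ host: no permit
]


def run_cases(cases=CASES):
    return [allow_initiation(c) for c in cases]


if __name__ == "__main__":
    for c, verdict in zip(CASES, run_cases()):
        print(f"{interface_for(c.src_ip)} -> {interface_for(c.dst_ip)}:{c.dst_port}  allow={verdict}")
```

The only low-to-high initiation that succeeds is the one with a matching permit entry; everything else from the Internet is refused, which is the behaviour the slide attributes to the PIX. Reply packets of an allowed connection are handled by connection tracking, which this snippet does not model.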
PIX Placement
NetScreen Firewall
The NetScreen firewalls are deep inspection firewalls providing application-layer protection, whereas the PIX can be configured as stateful or stateless firewalls providing network- and transport-layer protection.
The NetScreen firewall is a deep packet layer, stateful inspection device. It bases all its verification and decision making on a number of different parameters, including source address, destination address, source port, and destination port. The data is checked for protocol conformities.
NetScreen Firewall Placement
Check Point Software Firewalls
Although most hardware firewalls provide effective access control, many are not designed to detect and thwart attacks specifically targeted at the application level. Tackling these types of attacks is most effective with software firewalls.
Software firewalls allow networks and, more specifically, network applications to be protected from untrusted sources such as the Internet.
Check Point can provide the following services:
Firewall services
VPN
Account management
Real-time monitoring
Secure updates over the Internet
User-friendly management interface
Enhancements for Firewalls
NAT (Network Address Translation)
Proxy services
Content filtering
Antivirus software
Network Address Translation
NAT is a router or firewall function whose main objective is to translate the addresses of hosts behind a firewall or router.
NAT can also be used to overcome the IP address shortage that users currently experience with IPv4.
NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into the legal addresses of the outside (public) network.
This allows unregistered IP address space connectivity to the web and also provides added security.
Port Address Translation (PAT)
PAT provides additional address expansion but is less flexible than NAT.
With PAT, one IP address can be used for up to 64,000 hosts by mapping several IP port numbers to one IP address.
PAT is secure because the source IP address of the inside hosts is hidden from the outside world.
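The NAT and PAT behaviour of the last two sections, as an added example that is not part of the lecture: a Python translation table in which several inside hosts share one public address, each outbound flow receives its own public source port, replies are mapped back through that port, and an inbound packet with no table entry is dropped. That last case is the "inside addresses are hidden" property: the outside world only ever sees the public address. All addresses and the port pool are constructed.

```python
# Added example (not from the lecture): a toy PAT table.
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"   # constructed: the single public address everyone shares


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PAT:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out = {}    # (inside ip, inside port, dst ip, dst port) -> public port
        self.back = {}   # (public port, outside ip, outside port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet to the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt: Packet):
        """Rewrite the destination of an outside->inside packet, or None to drop it."""
        entry = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None           # unsolicited: no inside host to deliver to
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo():
    """Two inside hosts using the same source port share one public address;
    a genuine reply is delivered, an unsolicited packet is dropped."""
    pat = PAT()
    a = pat.outbound(Packet("10.0.0.5", 40000, "203.0.113.7", 80))
    b = pat.outbound(Packet("10.0.0.6", 40000, "203.0.113.7", 80))
    reply_a = pat.inbound(Packet("203.0.113.7", 80, PUBLIC_IP, a.src_port))
    stray = pat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 2000))
    return a, b, reply_a, stray


if __name__ == "__main__":
    for label, pkt in zip(("out a", "out b", "reply a", "stray"), demo()):
        print(f"{label:8s} {pkt}")
```

The two inside hosts both use source port 40000, so a pure address translation could not tell their replies apart; the distinct public ports 1024 and 1025 are what make the shared address work.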