Firewalls & Intrusion Detection Systems
Communications, Networking & Computer Security
Outline
• Firewall
– Definition
– Types
– Configuration
– Lab Exercise (Kerio Personal Firewall)
• IDS
– Definition
– Operation
– Lab Exercises
Firewall
What is a Firewall?
• A firewall is any device used to prevent outsiders from gaining access to your network.
• Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses.
– They filter all traffic between a protected (“inside”) network and a less trustworthy (“outside”) network.
Firewall
Composition?
• Firewalls can be composed of software, hardware, or, most commonly, both.
– The software components can be either proprietary, shareware, or freeware.
– The hardware is typically any hardware that supports the firewall software.
Firewall
Design Goals
• All traffic in both directions must pass through the firewall.
• Only authorized traffic should be allowed to pass.
• The firewall should itself be immune to penetration.
– A compromised firewall can completely undermine the network’s security.
• Trade-off between security and productivity.
– The internal network could be made completely secure, but then employees may not be able to communicate.
Firewall
Types
• There are different kinds of firewalls, and each type has its advantages & disadvantages.
• Firewalls can be classified in two broad categories:
– Network Level Firewalls
– Personal Firewalls
Firewall
Network Level Firewalls
• Network-level firewalls are usually router based.
– The rules of who and what can access your network are applied at the router level.
• This scheme is applied through a technique called packet filtering.
• Network Level Firewalls can be classified as:
– Packet-Filtering Gateways
• The simplest and most effective type of firewall
– Stateful Inspection Firewalls
• Maintain state information from one packet to the next in the input stream
– Application-Level Gateways (Proxies)
• A proxy server that relays application-level traffic
Firewall
Packet Filtering
• Packet filtering is the process of examining the packets that come to the router from the outside world.
• Packet headers are inspected by a firewall or router to decide whether to block the packet or allow access.
• Two approaches:
– Stateless (a.k.a. static)
– Stateful
Firewall
Stateless Packet Filtering
• Ignores the “state” of the connection.
• Each packet header is examined individually and compared to a “rule base”.
– Packet data is ignored.
• Common criteria to filter on:
– Protocol type
– IP address
– Port number
– Message type
Firewall
Stateful Packet Filtering
• Maintains a record of the state of the connection (referred to as the state table).
• Each packet is compared against both the rule base and the state table.
• Some stateful filters can examine both packet header and content.
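The two preceding slides (stateless and stateful packet filtering) side by side, as an added example that is not part of the original deck: a first-match rule base evaluated on headers only, and a stateful filter that keeps a state table so that replies to connections it has already allowed get through even though no rule names them. The packet fields, addresses and rules are constructed for illustration.

```python
"""Stateless rule base beside a stateful filter with a state table.
Added example; addresses, ports and policy are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at; payload is deliberately absent."""
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: this packet opens a new connection


# Rule base: (action, proto, src, dst, dport); "*" matches anything.
# Constructed policy: 10.0.0.5 is an inside workstation, 10.0.0.10 an inside mail server.
RULES = [
    ("allow", "tcp", "10.0.0.5", "*", 80),    # workstation may browse HTTP
    ("allow", "tcp", "*", "10.0.0.10", 25),   # anyone may deliver mail to the server
    ("deny",  "*",   "*", "*", "*"),          # default deny
]


def _match(field, pattern):
    return pattern == "*" or field == pattern


def stateless_filter(pkt):
    """Compare one packet header with the rule base; first match wins.
    Nothing is remembered between packets and packet data is never read."""
    for action, proto, src, dst, dport in RULES:
        if (_match(pkt.proto, proto) and _match(pkt.src, src)
                and _match(pkt.dst, dst) and _match(pkt.dport, dport)):
            return action
    return "deny"


class StatefulFilter:
    """The same rule base plus a state table of connections already admitted."""

    def __init__(self):
        self.state_table = set()    # 5-tuples of flows an allowed packet opened

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A reply belonging to a recorded connection is allowed without consulting
        # the rule base; a stateless filter would have to open high ports for it.
        if reverse in self.state_table:
            return "allow"
        action = stateless_filter(pkt)
        # Only a connection opener (TCP SYN, or any UDP datagram) creates state.
        if action == "allow" and (pkt.proto != "tcp" or pkt.syn):
            self.state_table.add(flow)
        return action


if __name__ == "__main__":
    out = Packet("tcp", "10.0.0.5", 51000, "203.0.113.7", 80, syn=True)
    reply = Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 51000)
    fw = StatefulFilter()
    print("stateless:", stateless_filter(out), stateless_filter(reply))
    print("stateful: ", fw.filter(out), fw.filter(reply))
```

The reply packet from the web server is dropped by the stateless filter, because its destination port 51000 matches no rule, but accepted by the stateful filter, which finds the reverse 5-tuple in its state table. An unsolicited packet to the same workstation with no matching state is still denied.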
Firewall
Application Gateway Firewall
• When a remote user contacts a network running an application gateway, the gateway blocks the remote connection.
• Instead of passing the connection along, the gateway examines various fields in the request.
• If these meet a set of predefined rules, the gateway creates a bridge between the remote host and the internal host.
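The application-gateway behaviour just described, as an added example that is not part of the original deck: the gateway parses the remote client's HTTP request, checks its method, Host header and path against predefined rules, and only then composes the request it will send on the client's behalf to the internal host. The published hostname, the internal address, the allowed methods and the blocked path prefixes are constructed assumptions; the socket relay that would carry the bytes is left out so the decision logic runs on its own.

```python
"""Application-level gateway: parse, check fields against rules, then build
the relayed request. Added example; hostnames, addresses and policy are constructed."""

ALLOWED_METHODS = {"GET", "HEAD"}
# Public name the client asks for -> internal host that actually serves it (constructed).
PUBLISHED = {"www.example-corp.test": "10.0.1.20:8080"}
BLOCKED_PATH_PREFIXES = ("/admin", "/cgi-bin")


def parse_request(raw):
    """Split an HTTP/1.x request into request line, headers and body.
    Returns None when the request does not have that shape."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def gateway_decide(raw):
    """Return ("deny", reason) or ("allow", relayed_request_bytes, internal_host).

    The remote connection terminates at the gateway; the client never talks
    to the internal host, and the internal address never appears to the public."""
    req = parse_request(raw)
    if req is None:
        return ("deny", "malformed request")
    if req["method"] not in ALLOWED_METHODS:
        return ("deny", "method not permitted")
    host = req["headers"].get("host", "")
    if host not in PUBLISHED:
        return ("deny", "unknown host")
    if req["path"].startswith(BLOCKED_PATH_PREFIXES) or ".." in req["path"]:
        return ("deny", "path not permitted")
    internal = PUBLISHED[host]
    # The "bridge": a fresh request from gateway to internal host carrying only
    # the fields the gateway chose to copy, not the client's raw bytes.
    relayed = (f"{req['method']} {req['path']} HTTP/1.1\r\n"
               f"Host: {internal}\r\nConnection: close\r\n\r\n").encode()
    return ("allow", relayed, internal)


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.example-corp.test\r\n\r\n"
    print(gateway_decide(sample))
    print(gateway_decide(sample.replace(b"GET", b"POST")))
```

Because the gateway rebuilds the request instead of forwarding it, a malformed or over-long request never reaches the internal server; the parser rejects it at the gateway.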
Firewall
Limitations
• Firewalls are not complete solutions to all computer security problems. Limitations:
– The firewall cannot protect against attacks that bypass the firewall.
– The firewall does not protect against internal threats.
– The firewall cannot protect against the transfer of virus-infected programs or files.
Firewall
Configuration Strategies
Screening Router
[Diagram: Internet, screening router with an external interface and an internal interface, internal computers]
• Simple
• Filters traffic to internal computers
• Provides minimal security
Source: Guide To Firewalls and Network Security
Firewall
Configuration Strategies
Screening Host
[Diagram: Internet, router, application gateway, internal hosts]
• Host makes Internet request
• Gateway receives client request and makes a request on behalf of the client
• Host IP address never displayed to public
Source: Guide To Firewalls and Network Security
Firewall
Configuration Strategies
Two Routers, One Firewall
[Diagram: Internet, external router, firewall, internal router, LAN gateway, internal hosts]
• External router can perform initial static packet filtering
• Internal router can perform stateful packet filtering
• Multiple internal routers can direct traffic to different subnets
Source: Guide To Firewalls and Network Security
Firewall
Configuration Strategies
DMZ Screened Subnet
[Diagram: Internet, router, firewall; the DMZ (web server, email server, FTP server) hangs off the firewall; a second router and LAN gateway lead to the internal hosts]
• DMZ sits outside the internal network but is connected to the firewall
• Public can access servers residing in the DMZ, but cannot connect to the internal LAN
Source: Guide To Firewalls and Network Security
Firewall
Configuration Strategies
Two Firewalls, One DMZ
[Diagram: Internet, first firewall, DMZ (web server, email server, FTP server), second firewall, router, LAN gateway, internal hosts]
• First firewall controls traffic between the Internet and the DMZ
• Second firewall controls traffic between the internal network and the DMZ
• Second firewall can also be a failover firewall
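The DMZ screened subnet and the two-firewall design from the preceding slides, expressed as a zone policy. This is an added example, not part of the original deck: the address ranges, the published DMZ services and the two rule sets are constructed (the slides' own address labels did not survive extraction). It shows the property both slides state, namely that the public can reach the DMZ servers but not the internal LAN, and adds the second firewall's rule that a DMZ host cannot open sessions into the LAN.

```python
"""Zone policy for a screened subnet with an outer and an inner firewall.
Added example; networks, servers and rules are constructed."""
import ipaddress

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # constructed DMZ range
    "lan": ipaddress.ip_network("10.0.0.0/24"),    # constructed internal LAN
}
# Services the public may reach in the DMZ: (address, TCP port); constructed.
DMZ_SERVICES = {
    ("192.0.2.10", 80), ("192.0.2.10", 443),   # web server
    ("192.0.2.11", 25),                         # email server
    ("192.0.2.12", 21),                         # FTP server
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def outer_firewall(src, dst, dport):
    """First firewall, between the Internet and the DMZ.
    Inbound traffic may only reach published DMZ services; nothing inbound reaches the LAN."""
    if zone_of(src) == "internet":
        if zone_of(dst) == "dmz" and (dst, dport) in DMZ_SERVICES:
            return "allow"
        return "deny"
    return "allow"       # outbound from the DMZ or the LAN toward the Internet


def inner_firewall(src, dst, dport):
    """Second firewall, between the DMZ and the LAN.
    Only the LAN may open sessions across it; a compromised DMZ host gets no further."""
    if zone_of(src) == "lan":
        return "allow"
    return "deny"


def decide(src, dst, dport):
    """Run a session opener through each firewall on its path, in crossing order."""
    sz, dz = zone_of(src), zone_of(dst)
    path = []
    if sz == "internet":
        path.append(outer_firewall)
        if dz == "lan":
            path.append(inner_firewall)
    else:
        if "lan" in (sz, dz):
            path.append(inner_firewall)
        if dz == "internet":
            path.append(outer_firewall)
    for fw in path:
        if fw(src, dst, dport) == "deny":
            return "deny"
    return "allow"


if __name__ == "__main__":
    for case in [("198.51.100.9", "192.0.2.10", 80),    # public to web server
                 ("198.51.100.9", "192.0.2.10", 22),    # public to unpublished port
                 ("198.51.100.9", "10.0.0.5", 445),     # public to LAN host
                 ("192.0.2.10", "10.0.0.5", 3389),      # DMZ host into the LAN
                 ("10.0.0.5", "192.0.2.11", 25)]:       # LAN host to mail server
        print(case, decide(*case))
```

In the single-firewall screened subnet the same two rule sets would be two interface policies on one device; splitting them across two firewalls, as the last slide does, means a flaw in the outer firewall still leaves the inner one between the DMZ and the LAN.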
Firewall
Kerio Personal Firewall (KPF)
• What’s KPF?
A software agent that builds a barrier between the PC and the Internet, to protect the PC against hacker attacks and data leaks.
• Why KPF?
– KPF is designed to protect the PC against attacks from both the Internet and other computers in the local network.
– KPF controls all data flow in both directions, from the Internet to your computer and vice versa.
– KPF can block all attempted communication, allowing only what you choose to permit.
Intrusion Detection Systems
IDS
What Does it Do?
• An intrusion detection system (IDS) monitors systems and analyzes network traffic to detect signs of intrusion.
• An IDS can detect a variety of attacks in progress as well as attempts to scan a network for weaknesses.
• An IDS can be a dedicated network appliance or a software solution installed on a host computer.
• Two kinds of IDS systems:
– Client based (on a single node)
– Network based (protecting the entire network)
IDS
How does it work?
• If configured correctly, a network intrusion detection system (NIDS) can monitor all traffic on a network segment.
• A NIDS is most effective when used in conjunction with a firewall solution, with all of its dependent components properly connected and functioning.
IDS
Configuration
• NIDS can be installed on the external routers, the internal routers, or both.
• Placing NIDS on external routers enables detection of attacks from the Internet.
• Placing NIDS on internal routers enables detection of internal hosts attempting to access the Internet on suspicious ports.
IDS
Methods of Detection
• A NIDS/IDS mainly uses anomaly or pattern detection to identify an intrusion or intrusion attempt.
• Anomaly detection example: this involves monitoring resource use, network traffic and user behavior, and comparing them against normal levels.
• If a user who normally only accesses the system between 9 am and 5 pm suddenly logs on at 3 am, this may indicate that an intruder has compromised the user’s account. A NIDS/IDS would then alert administrators to this suspicious activity.
• A NIDS/IDS can detect hacker attempts to scan your network for intelligence-gathering purposes.
IDS
Network Packet Checking
• Sits at a network location and “checks” packets that travel across the network.
• If a packet contains a certain “footprint”, it triggers an alert.
• Audit logs are generated and kept as records of alerts.
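The two detection methods from the preceding slides (anomaly detection, including the off-hours login and the network scan, and footprint matching on packets) run over constructed input, with the alerts collected into the audit log the last slide mentions. This is an added example, not part of the original deck: the user's normal hours, the scan threshold, the two signature patterns and all sample logins, connections and packets are constructed assumptions.

```python
"""Anomaly detection and signature ("footprint") detection feeding one audit log.
Added example; baselines, signatures and sample input are constructed."""
import re
from collections import defaultdict

# Constructed baseline: hours (inclusive start, exclusive end) each user normally works.
NORMAL_HOURS = {"alice": (9, 17)}
SCAN_THRESHOLD = 10     # distinct destination ports on one host from one source

# Constructed footprints: name -> byte pattern looked for in packet payloads.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./\.\./"),
    "nop-sled":            re.compile(rb"\x90{16,}"),
}


def check_logins(logins):
    """logins: list of (user, hour_of_day). Flags logins outside the user's normal hours."""
    alerts = []
    for user, hour in logins:
        start, end = NORMAL_HOURS.get(user, (0, 24))
        if not (start <= hour < end):
            alerts.append(f"ANOMALY off-hours login user={user} hour={hour:02d}")
    return alerts


def check_scans(connections):
    """connections: list of (src, dst, dport). Flags a source touching many ports on one host."""
    ports = defaultdict(set)
    for src, dst, dport in connections:
        ports[(src, dst)].add(dport)
    return [f"ANOMALY port-scan src={src} dst={dst} ports={len(p)}"
            for (src, dst), p in sorted(ports.items()) if len(p) >= SCAN_THRESHOLD]


def check_payloads(packets):
    """packets: list of (src, dst, payload_bytes). A signature match raises an alert."""
    alerts = []
    for src, dst, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append(f"SIGNATURE {name} src={src} dst={dst}")
    return alerts


def run_ids(logins, connections, packets):
    """Run every detector; the returned list is the audit log kept as the record of alerts."""
    return check_logins(logins) + check_scans(connections) + check_payloads(packets)


# Constructed sample input: one normal and one 3 am login, one host probing
# twelve ports on the mail server, and two packets of which one carries a footprint.
SAMPLE_LOGINS = [("alice", 10), ("alice", 3)]
SAMPLE_CONNS = ([("203.0.113.7", "10.0.0.10", p) for p in range(20, 32)]
                + [("10.0.0.5", "10.0.0.10", 25)])
SAMPLE_PKTS = [
    ("203.0.113.7", "10.0.0.10", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    ("10.0.0.5", "10.0.0.10", b"EHLO mail.local\r\n"),
]

if __name__ == "__main__":
    for line in run_ids(SAMPLE_LOGINS, SAMPLE_CONNS, SAMPLE_PKTS):
        print(line)
```

The anomaly detectors need a baseline (normal hours, a port-count threshold) and will raise false alarms when the baseline is wrong, whereas the footprint detector only fires on a known pattern and misses anything it has no signature for; the slide's "mainly anomaly or pattern detection" is exactly this trade-off.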
IDS
Commonly Used IDS Systems (Windows)
• ISS Internet Security Systems (BlackIce Guardian)
– Used by individuals and small business networks.
– Looks for common algorithms concealed or “wrapped” in wrappers, e.g. TCP Wrapper.
– Can be configured as an IDS and a firewall.
– Can track unauthorized traffic and block the ports the intruding script/software is using.
IDS
Vendor Firewalls & Versions (Hardware Based)
• Axent: Raptor v6.5
• Checkpoint: FW1 v4.1
• Cisco: PIX v525
• MS: Proxy v2.0