
Firewall Technology Planning and Implementation

Firewall Technology Planning and Implementation. Mr. Simon Kwan, GPSS company, PolyU AIT course trainer


Presentation Transcript


  1. Firewall Technology Planning and Implementation
  • Mr. Simon Kwan
  • GPSS company
  • PolyU AIT course trainer
  • Part of this presentation was adapted from AIT course notes, with kind permission from Dr. C K Leung of the Hong Kong Polytechnic University. Our greatest thanks go to Dr. C K Li of EIE, PolyU/HKIE for his kind assistance and technical advice. Our ultimate thanks go to HKIE for hosting this section of the seminar.
  AIT Module D

  2. Background
  • The Internet was designed without much security consideration
  • The IP header information, TCP header information, routing information, etc. are usually accepted “as is”

  3. CERT Information
  • CERT: www.cert.org, Computer Emergency Response Team (a US official organization):
  • Security is a major concern of organizations connected to the Internet
  • The FBI estimates annual losses of US$7.5 billion due to electronic attack
  • US DoD: 88% of their computers can be penetrated
  • 96% of hacker attacks are undetected

  4. What is a Firewall?
  A ‘Security Guard’ standing at our front door
  Diagram: Servers and Workstations sit behind the Firewall, which faces the Internet

  5. What does a Firewall do?
  • A firewall consists of the following components or capabilities:
  • Packet filtering
  • VPN (Virtual Private Network)
  • Traffic Shaping (bandwidth management)
  • Content Filtering and Broadband Access sharing
  • Automatic intrusion detection, logging and reporting

  6. Acquiring a Firewall
  • Old PC running Linux
  • Little hardware cost
  • Needs in-house Linux expertise
  • As part of a new Linux file server
  • Nowadays a 240 GB Linux server can be set up cheaply
  • Standalone hardware firewalls can offer more functionality and security

  7. Management of Firewalls
  • Firewalls need to be set up properly
  • A simple firewall can take 5 seconds to set up
  • Proper setup by a properly trained professional may take many hours
  • There are Firewall training courses that take several weeks, full-time

  8. Packet Filtering Firewall
  • An important countermeasure to guard against hacking of school servers
  Diagram: packets from the Internet reach the packet filter; a good packet is passed, a bad packet is dropped

  9. Packet Filtering Principle
  • Packets are inspected as they arrive at the firewall
  • The final verdict on the packet will be one of:
  • Accept
  • Deny / Reject

  10. Firewall Policy: Easy or Hard
  • There can be two default policies for packet filtering
  • Accept All
  • Deny / Reject All

  11. Accept By Default
  Flowchart: Packet Enters → Satisfy Rule 1? yes → Accept or Deny packet; no → Satisfy Rule 2? yes → Accept or Deny packet; no → … → Satisfy Rule n? yes → Accept or Deny packet; no → Accept Packet (default)

  12. Deny By Default
  Flowchart: Packet Enters → Satisfy Rule 1? yes → Accept or Deny packet; no → Satisfy Rule 2? yes → Accept or Deny packet; no → … → Satisfy Rule n? yes → Accept or Deny packet; no → Deny Packet (default)

  13. Packet Information
  • The most common information to be inspected about a packet is:
  • IP Header – Source and Destination addresses; protocol
  • TCP/UDP Header – Source and destination ports
  • ICMP – type

  14. Direction of Packet Movement
  • Individual Accept/Deny rules for data moving into and leaving the computer
  Diagram (Internet ↔ Firewall ↔ computer):
  Moving into the computer: Accept from any SA, TCP:80; Deny all other
  Leaving the computer: Send to any DA, TCP<>80; Deny all other

  15. Web Server Service
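As an added example (not code from the slides), the packet-filter logic of slides 9 to 14 written out in Python: rules are matched in order on the header fields of slide 13, the first matching rule decides, and only a packet that matches no rule falls through to the default policy. The rule set mirrors the web-server diagram on slide 14; the reading of "TCP<>80" as replies sent from TCP port 80, the extra ICMP rule and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects: addresses, protocol, ports, ICMP type."""
    direction: str                   # "in" = arriving from the Internet, "out" = leaving the host
    src: str                         # source address (SA)
    dst: str                         # destination address (DA)
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None (or "any") matches every packet."""
    action: str                      # "accept" or "deny"
    direction: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        for field in ("proto", "src", "dst", "sport", "dport", "icmp_type"):
            want = getattr(self, field)
            if want not in (None, "any") and want != getattr(p, field):
                return False
        return True

def filter_packet(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule decides; only a packet matching no rule gets the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Web-server rule set from slide 14 (constructed here; "TCP<>80" is read as replies sent
# from TCP port 80). The slide's "Deny all other" is the default policy, not a rule.
WEB_SERVER_RULES = [
    Rule("deny",   "in",  proto="icmp", icmp_type=8),          # drop echo requests by ICMP type
    Rule("accept", "in",  proto="tcp", src="any", dport=80),   # Accept from any SA, TCP:80
    Rule("accept", "out", proto="tcp", dst="any", sport=80),   # Send to any DA, from TCP 80
]
```

Running the same inbound packet to port 22 through `filter_packet` with default "deny" and then with default "accept" shows the difference between the two policies of slide 10: the packet is only stopped when deny-by-default is in force.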

  16. Stateful Packet Filter
  • Basic filters only inspect individual packets
  • An advanced stateful packet filter will be able to “remember” what has happened before and is capable of performing more complex operations
  • Operations are checked to see if they are happening in sequence
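An added example, not code from the presentation, of what “remembering what has happened before” means for a stateful filter: a connection table keyed on the inside and outside address/port pairs, which accepts an inbound segment only if it continues a connection the inside host opened and arrives in handshake order. The state names, the simplified flag strings and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Segment:
    """A TCP segment as the filter sees it (constructed, reduced to the fields it needs)."""
    direction: str   # "out" = leaving the protected network, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S" (SYN), "SA" (SYN/ACK), "A" (ACK), "R" (RST)
ConnKey = Tuple[str, int, str, int]   # (inside addr, inside port, outside addr, outside port)

class StatefulFilter:
    """Remembers connections opened from the inside and checks that segments arrive in
    handshake order: SYN out -> SYN/ACK in -> ACK out, then data in both directions."""
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    def _key(self, s: Segment) -> ConnKey:
        # Normalise so both directions of one connection share a single table entry.
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)
    def check(self, s: Segment) -> str:
        key = self._key(s)
        state = self.table.get(key)
        if s.direction == "out":
            if state is None:
                if s.flags != "S":                # only a fresh SYN may open an entry
                    return "deny"
                self.table[key] = "SYN_SENT"
            elif state == "SYN_SENT" and s.flags != "S":
                return "deny"                     # ACK or data before the SYN/ACK came back
            elif state == "SYN_RECV" and "A" in s.flags:
                self.table[key] = "ESTABLISHED"   # third step of the handshake
            if "R" in s.flags:
                self.table.pop(key, None)         # a reset tears the entry down
            return "accept"
        # Inbound: no table entry means unsolicited, whatever source port it claims.
        if state == "SYN_SENT" and s.flags == "SA":
            self.table[key] = "SYN_RECV"          # second step, in the expected order
            return "accept"
        if state == "ESTABLISHED":
            if "R" in s.flags:
                del self.table[key]
            return "accept"
        return "deny"                             # unknown connection or out of sequence
```

A forged reply that carries source port 80 but has no table entry is denied, which a stateless “accept from TCP port 80” rule would have let through.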

  17. VPN (Virtual Private Network)
  Building a ‘Secured Tunnel’ between your school server and teachers’ home PCs
  Diagram: Server with VPN Server (included with firewall) ↔ Internet ↔ Home PC with Windows VPN Client software (free of charge)

  18. VPN (Virtual Private Network)
  Building a ‘Secured Tunnel’ between remote servers (of the same administration group)
  Diagram: Server, VPN Server ↔ Internet ↔ VPN Server, Server

  19. Traffic Shaping
  • Different priorities can be assigned to different network services
  • WEB browsing can be given a higher priority than FTP
  • WEB browsing will not be slowed down by FTP

  20. Content Management; Sharing of broadband access
  • By ‘black listing’ the IP address of a particular site, all forms of communication with our network are prohibited
  • Many firewalls also have facilities that help the sharing of a broadband access
  • NAT, DHCP, PPPoE, PAP/CHAP/MS-CHAP v2, IPSec ESP, MD5, SHA1, DES, 3DES, IKE

  21. Maintenance of Firewalls
  • The world is constantly changing
  • Firewalls need to be kept up-to-date over their lifetime
  • Some companies provide subscription management services similar to those of anti-virus services

  22. Setting up of a standalone Firewall


  25. Setting up of Linux Firewall

  26. Setting up of Windows VPN

  27. Setting up of IPSec VPN

  28. Seek Professional Help
  • “Just buying a lock” will not help to reduce the crime rate; good security requires:
  • Evaluation
  • Planning
  • Implementation
  • REMEMBER: FIREWALLS NEED TO BE SET UP PROPERLY BEFORE THEY CAN BE HELPFUL

  29. Firewall Technology Planning and Implementation
  • Mr. Simon Kwan
  • GPSS company
  • PolyU AIT course trainer

  30. Many Thanks
