1 / 12

Firewalls

Firewalls. Types of Firewalls Inspection Methods Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls Firewall Architecture Configuring, Testing, and Maintenance. Figure 5-8: Stateful Inspection Firewalls. State of Connection: Open or Closed

tadhg
Télécharger la présentation

Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Firewalls • Types of Firewalls • Inspection Methods • Static Packet Inspection • Stateful Packet Inspection • NAT • Application Firewalls • Firewall Architecture • Configuring, Testing, and Maintenance

  2. Figure 5-8: Stateful Inspection Firewalls • State of Connection: Open or Closed • State: Order of packet within a dialog • Often simply whether the packet is part of an open connection

  3. Figure 5-8: Stateful Inspection Firewalls • Stateful Firewall Operation • For TCP, record two IP addresses and port numbers in state table as OK (open) (Figure 5-9) • By default, permit connections from internal clients (on trusted network) to external servers (on untrusted network) • This default behavior can be changed with an ACL • Accept future packets between these hosts and ports with little or no inspection

  4. External Webserver 123.80.5.34 Figure 5-9: Stateful Inspection Firewall Operation I 2. Establish Connection 1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 Note: Outgoing Connections Allowed By Default Stateful Firewall Internal Client PC 60.55.33.12 Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK

  5. External Webserver 123.80.5.34 Figure 5-9: Stateful Inspection Firewall Operation I 6. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600 Stateful Firewall 4. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600 Internal Client PC 60.55.33.12 5. Check Connection OK Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK

  6. Figure 5-8: Stateful Inspection Firewalls • Stateful Firewall Operation • For UDP, also record two IP addresses in port numbers in the state table Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK UDP 60.55.33.12 63206 1.8.33.4 69 OK

  7. Figure 5-8: Stateful Inspection Firewalls • Static Packet Filter Firewalls are Stateless • Filter one packet at a time, in isolation • If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection • But stateful firewalls can (Figure 5-10)

  8. Attacker Spoofing External Webserver 10.5.3.4 Figure 5-10: Stateful Firewall Operation II Stateful Firewall 1. Spoofed TCP SYN/ACK Segment From: 10.5.3.4.:80 To: 60.55.33.12:64640 2. Check Connection Table: No Connection Match: Drop Internal Client PC 60.55.33.12 Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK UDP 60.55.33.12 63206 222.8.33.4 69 OK

  9. Figure 5-8: Stateful Inspection Firewalls • Static Packet Filter Firewalls are Stateless • Filter one packet at a time, in isolation • Cannot deal with port-switching applications • But stateful firewalls can (Figure 5-11)

  10. External FTP Server 123.80.5.34 Figure 5-11: Port-Switching Applications with Stateful Firewalls 2. To Establish Connection 1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:21 3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:21 Stateful Firewall Internal Client PC 60.55.33.12 State Table Type Internal IP Internal Port External IP External Port Status Step 2 TCP 60.55.33.12 62600 123.80.5.34 21 OK

  11. External FTP Server 123.80.5.34 Figure 5-11: Port-Switching Applications with Stateful Firewalls 6. TCP SYN/ACK Segment From: 123.80.5.34:21 To: 60.55.33.12:62600 Use Ports 20 and 55336 for Data Transfers 4. TCP SYN/ACK Segment From: 123.80.5.34:21 To: 60.55.33.12:62600 Use Ports 20 and 55336 for Data Transfers Stateful Firewall Internal Client PC 60.55.33.12 5. To Allow, Establish Second Connection State Table Type Internal IP Internal Port External IP External Port Status Step 2 TCP 60.55.33.12 62600 123.80.5.34 21 OK TCP 60.55.33.12 55336 123.80.5.34 20 OK Step 5

  12. Figure 5-8: Stateful Inspection Firewalls • Stateful Inspection Access Control Lists (ACLs) • Primary allow or deny applications • Simple because probing attacks that are not part of conversations do not need specific rules because they are dropped automatically • In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection

More Related