Chapter 5 firewall

Phân loại tường lửa Checkpoint, Cisco ASA, Astaro, Cyberoam,… cài trên máy tính  ISA Server, IPCop, Smoothwall, Pfsense,…  SOPHOS, Palo Alto,…....  Là loại Firewall có độ phức tạm ca

CHƯƠNG 5

TƯỜNG LỬA

Nội dung

Nội dung

Tường lửa là gì

bị, ảo hóa hay phần mềm bảo mật được sử dụng

để quản lý luồng gói tin qua nó : cho phép (permit) hay cấm (deny).

Nội dung

Phân loại tường lửa

 Checkpoint, Cisco ASA, Astaro, Cyberoam,…

cài trên máy tính

 ISA Server, IPCop, Smoothwall, Pfsense,…

 SOPHOS, Palo Alto,…

Phân loại tường lửa

hình OSI ???

Phân loại tường lửa

được chia làm 3 loại chính :

 Simple Packet Filter Firewalls

 Stateful Packet Filter Firewalls

 Application Level Firewalls

Phân loại tường lửa

 Kiểm tra gói tin qua firewall bằng cách so sánh nó với những nguyên tắc (Rule) đã được đặt ra, để quyết định gói tin đó được cho phép hay bị từ chối.

 Những thông tin sẽ được kiểm tra :

Phân loại tường lửa

Phân loại tường lửa

Phân loại tường lửa

 Hoạt động ở Layer 2, Layer 3 và Layer 4

Firewalls :

 Lower Attack Footprint

 Less Susceptible to Spoofing

 Easy Black hole configuration

 Less Resource Intensive

Phân loại tường lửa

 Còn được gọi Application-Proxy Gateways.

 Là loại Firewall có độ phức tạm cao nhất do có khả năng điểu khiển truy cập từ Layer 2 đến Layer 7

 Deep Packet Inspection : kiểm tra chi tiết gói tin nên có khả ngăn chặn các ứng dụng Instant Message, Peer to Peer,…

 Hoạt động ở Layer 7

Phân loại tường lửa

 Less Susceptible to TCP/IP Vulnerabilities

 Có khả năng tạo rule ngăn cản gói tin đã mã hóa

Nội dung

Nội dung

Next Generation Firewall

SECURITY

APPLICATION AWARENESS

Next Generation Firewall

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum

Source IP Address Destination IP Address

IP Options

Source UDP Port

Destination UDP Port Checksum

Source212.56.32.49

Destination65.26.42.17Source Port

823747

Dest Port80Sequence

28474

Sequence2821Syn state

SYN

IP Optionnone

Stateful Packet Inspection

Stateful Packet Inspection

Stateful is limited inspection that can only block on ports

No Data Inspection!

Firewall Traffic Path

INSPECT

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum

Source IP Address Destination IP Address

IP Options

Source UDP Port

Destination UDP Port Checksum

Signature Database

ATTACK-RESPONSES 14BACKDOOR 58BAD-TRAFFIC 15DDOS 33DNS 19DOS 18EXPLOIT >35FINGER 13FTP 50ICMP 115Instant Messenger 25IMAP 16INFO 7Miscellaneous44MS-SQL 24MS-SQL/SMB 19MULTIMEDIA 6MYSQL 2NETBIOS 25NNTP 2ORACLE 25P2P 51POLICY 21POP2 4POP3 18RPC 124RSERVICES 13SCAN 25SMTP 23SNMP 17TELNET 14TFTP 9VIRUS 3WEB-ATTACKS 47WEB-CGI 312WEB-CLIENT

INSPECT

Stateful Packet Inspection

Deep Packet Inspection

Deep Packet Inspection

Deep Packet Inspection inspects all traffic moving through a

device

Stateful Packet Inspection

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum

Source IP Address Destination IP Address

IP Options

Source UDP Port

Destination UDP Port

UDP Length

UDP Checksum

DATA

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum

Source IP Address Destination IP Address

IP Options

Source UDP Port

Destination

UDP Port Checksum

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum Source IP Address Destination IP Address

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum Source IP Address Destination IP Address Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum Source IP Address Destination IP Address

Signature Database

ATTACK-RESPONSES 14BACKDOOR 58BAD-TRAFFIC 15DDOS 33DNS 19DOS 18EXPLOIT >35FINGER 13FTP 50ICMP 115Instant Messenger 25IMAP 16INFO 7Miscellaneous44MS-SQL 24MS-SQL/SMB 19MULTIMEDIA 6MYSQL 2NETBIOS 25NNTP 2ORACLE 25P2P 51POLICY 21POP2 4POP3 18RPC 124RSERVICES 13SCAN 25SMTP 23SNMP 17TELNET 14TFTP 9VIRUS 3WEB-ATTACKS 47WEB-CGI 312WEB-CLIENT

Comparing…

Application Attack, Worm or Trojan Found!

Deep Packet Inspection

Deep Packet Inspection / Prevention

Deep Packet Inspection with Intrusion Prevention can find and block, application vulnerabilities,

Firewall Traffic Path

Stateful Packet Inspection

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum

Source IP Address Destination IP Address

IP Options

Source UDP Port

Destination

UDP Port Checksum

Version | Service | Total Length

ID | Flags | Fragment TTL | Protocol | IP Checksum

Source IP Address Destination IP Address

IP Options

Source UDP Port

Destination

UDP Port Checksum

Signature Database

ATTACK-RESPONSES 14BACKDOOR 58BAD-TRAFFIC 15DDOS 33DNS 19DOS 18EXPLOIT >35FINGER 13FTP 50ICMP 115Instant Messenger 25IMAP 16INFO 7Miscellaneous44MS-SQL 24MS-SQL/SMB 19MULTIMEDIA 6MYSQL 2NETBIOS 25NNTP 2ORACLE 25P2P 51POLICY 21POP2 4POP3 18RPC 124RSERVICES 13SCAN 25SMTP 23SNMP 17TELNET 14TFTP 9VIRUS 3WEB-ATTACKS 47WEB-CGI 312WEB-CLIENT

Deep Packet Inspection

Virus File!

AuctionSite

Gateway Anti-Virus Anti-Spyware

Content Inspection Gateway Anti-Virus and Content Control

Deep Packet Inspection

AV Database IPS Database Spy Database

Content Filtering Database

Gateway Anti-Virus Anti-Spyware

Content Inspection Security Must Be Updated

Next Generation Firewall

Application Traffic Visualization

Network Analysis Tools

Do I have P2P on my Network?

Network Analysis Tools

Immediate Application Control

Network Analysis Tools

“Who’s watching YouTube?”

Network Analysis Tools

“Who’s watching YouTube?”

Identify Top Bandwidth Users

Connection Tracking by Country

Trace & Identify Network Connections

Next Generation Firewall

SECURITY APPLICATION AWARENESS

• HIGH THROUGHPUT

• NO LATENCY

PERFORMANCE

Nội dung

Cyberoam in Gateway Mode

Network:192.168.0.x/24

Router IP:61.0.5.1/29

Switch

Switch Console

WAN Zone

LAN Zone

DMZ Zone Local Zone

Gateway mode have Four default zone

LAN Zone: Network connected to LAN interface of Cyberoam WAN Zone: Network connected to WAN interface of Cyberoam DMZ Zone: Network connected to DMZ interface of Cyberoam Local Zone: IP Addresses assigned on Cyberoam interfaces falls

under Local Zone

Zone information when Cyberoam is in Gateway mode

Cyberoam in Bridge Mode

192.168 0 5 255.255.255 0

IP address of the Default Gateway _. _. _. _ DNS IP Address 202 54 1 30

System Time Zone System Date and Time Email ID of the administrator

192.168 0 1

Zone information when Cyberoam is in Transparent mode

LOCAL Zone WAN Zone

LAN Zone

v

Cyberoam in transparent mode have three default zone

LAN Zone: Network connected

to LAN interface of Cyberoam

WAN Zone: Network connected

to WAN interface of Cyberoam

Local Zone: IP Address assigned

on the Bridge Interface falls under Local Zone

41