
POS SATPAM (the security guard post)

Firewall

What is a firewall
A firewall is a mechanism by which a client from outside is denied or allowed access into the network (or a client on the inside is denied or allowed access out of the network) according to a set of defined rules.
Like the guard post (pos satpam) at an institution or a housing estate.
It works at layers 3 and 4 (sometimes 5) of the TCP/IP model.
Terminology
Masquerading
Allows many machines to appear to come from the same IP address.
Connections can only be initiated by an internal host; outside hosts have no address to connect to.
NAT: Network Address Translation
The term NAT can mean many different things; see RFC 2663 for details.
Generally some router-level mapping and conversion between a set of private IP addresses and a single public IP address (IP Masquerade) or a set of public IP addresses.
Why you need one
To implement your policy!
To manage the risks of providing your services.
To segregate networks with different policies.
To provide accountability for network resources.
Firewalls mitigate (reduce) risk by blocking MOST threats.
They have vulnerabilities as well.
Improper configuration is the largest threat.
How it works
By inspecting the packets that pass through the firewall and matching them against the list of rules it has been given.
Firewalls block certain traffic while allowing other traffic to pass.
Different types of firewall pass traffic using different methods:
Packet Filtering
Proxy
Connection State Analysis
[Illustration: the guard-post analogy. Visitor at the firewall: "May I go through? Here are my papers." Guard: "Children are not allowed out, it is already late."]
Two main types of rule
Firewall rules are created to match policy. Rules are based on:
1. Routing-based filters (Who): sender and destination.
Where does it come from? Where is it going? It does not care what the traffic will do there.
2. Content-based filters (What): TCP/IP port numbers and services.
What are you going to do there?
Not as easy as type 1, because a client can sometimes fool the firewall: a port number only announces the intended service, and a client can run any service on any port.
Two rule approaches
Default allow: everything is allowed through except what is listed.
Place roadblocks / watch gates along a wide open road.
Default deny: everything is blocked except what is listed.
Build a wall and carve paths for everyone you like.
Packet Filtering
The simplest form of firewalling.
Can often be implemented on existing network equipment (routers, switches).
Blocks certain TCP/IP ports, protocols, and/or addresses.
Rules are applied to the headers of the packets.
Examples: iptables, ipchains (Linux)
Packet Filtering
Advantages of Packet Filtering
High performance.
Can usually be applied to current routers/switches (no additional equipment!).
Effective.
Disadvantages of Packet Filtering
Can quickly become a very complex configuration.
Easy to misconfigure.
Difficult to configure for dynamic protocols (like DHCP/FTP, which negotiate ports at run time).
Can't do any content-based filtering (remove e-mail attachments, JavaScript, ActiveX).
Consumes processing power on the router or switch.
Packet Filtering Example
An abbreviated packet:
Source          Src Port   Destination     Dest Port
204.210.251.1   8104       128.146.2.205   31337

A Cisco packet filter (extended access list; Cisco IOS requires the protocol keyword, which the original slide omitted):
access-list 2640 deny tcp any 128.146.2.0 0.0.0.255 gt 1023
Read: deny TCP from any source to 128.146.2.0/24 (wildcard mask 0.0.0.255) when the destination port is greater than 1023. The packet above matches and is dropped. Every Cisco ACL ends with an implicit deny, so a permit entry must follow for the traffic that should pass.
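The following is an added example, not code from the original slides: a small Python evaluator that parses the subset of Cisco extended ACL syntax shown above (wildcard masks, `any`, `host`, and `eq`/`gt`/`lt` port tests) and applies first-match semantics with the implicit deny. The `permit ip any any` line, the `Packet`/`AclEntry` names and the extra test packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:                 # header fields a packet filter looks at
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" (any protocol), "tcp", "udp", ...
    src: str                  # network address
    src_wild: str             # Cisco wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wild: str
    dport_op: Optional[str] = None    # "eq", "gt", "lt" or None (no port test)
    dport: Optional[int] = None


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [OP PORT]' where SRC/DST
    is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (the subset used on the slide)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = tok[2], tok[3]
    pos = 4

    def read_addr():
        nonlocal pos
        if tok[pos] == "any":                 # any == 0.0.0.0 with all bits "don't care"
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":                # host == exact match, wildcard 0.0.0.0
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wild = read_addr()
    dst, dst_wild = read_addr()
    op = port = None
    if pos < len(tok):
        op, port = tok[pos], int(tok[pos + 1])
    return AclEntry(action, proto, src, src_wild, dst, dst_wild, op, port)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def port_match(op: Optional[str], port: Optional[int], pkt_port: int) -> bool:
    if op is None:
        return True
    return {"eq": pkt_port == port, "gt": pkt_port > port, "lt": pkt_port < port}[op]


def evaluate(acl, pkt: Packet):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, entry.src, entry.src_wild):
            continue
        if not wildcard_match(pkt.dst, entry.dst, entry.dst_wild):
            continue
        if not port_match(entry.dport_op, entry.dport, pkt.dport):
            continue
        return entry.action, entry
    return "deny", None


# The slide's filter, followed by an assumed permit so ordinary traffic is not
# swallowed by the implicit deny.
ACL_TEXT = """
access-list 2640 deny tcp any 128.146.2.0 0.0.0.255 gt 1023
access-list 2640 permit ip any any
"""
ACL = [parse_acl_line(line) for line in ACL_TEXT.strip().splitlines()]


def decide(pkt: Packet) -> str:
    return evaluate(ACL, pkt)[0]


SLIDE_PACKET = Packet("204.210.251.1", 8104, "128.146.2.205", 31337)

if __name__ == "__main__":
    for p in (SLIDE_PACKET,
              Packet("204.210.251.1", 8104, "128.146.2.205", 80),
              Packet("204.210.251.1", 8104, "128.146.3.205", 31337),
              Packet("204.210.251.1", 8104, "128.146.2.205", 31337, proto="udp")):
        print(p, "->", decide(p))
```

Note what the last test packet shows: the entry only names `tcp`, so the same port on UDP slides through to the permit. That is the "easy to misconfigure" point from the previous slide in one line.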
Proxy
The firewall accepts requests and executes them on behalf of the user:
User: I want to see http://www.osu.edu
Firewall fetches the content of http://www.osu.edu
Firewall sends the content to the requester
Example: Squid
Proxy
Advantages of a Proxy Firewall
They don't allow direct connections between internal and external hosts.
Can support authentication and classes of users.
Can allow/deny access based on content.
Can keep very detailed logs of activity (including the data portions of packets).
Caching / effective bandwidth.

Proxy
Disadvantages of a Proxy Firewall
Slower than packet filter firewalls.
Require additional hardware: more hardware for more users; slow hardware = slow service.
Some firewalls require special client configurations on the workstations.
Some protocols may not be supported (AIM, RealAudio, Napster, H.323); varies by vendor.
Configuration can be complex: a proxy must be configured for each protocol.
Connection State Analysis
Similar to packet filtering, but analyzes packets to make sure connection requests occur in the proper sequence.
Example: ICMP Echo Replies are not accepted through the firewall unless there is an outstanding ICMP Echo Request.

Connection State Analysis
Advantages
Caching
Content monitoring
Disadvantages
Performance: the overhead requires a more expensive system.
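An added example (not from the original slides) of the "proper sequence" idea: a minimal stateful filter that records what inside hosts initiate and admits inbound packets only as replies. It implements the slide's ICMP case (an Echo Reply is admitted only against an outstanding Echo Request, matched by id and sequence number) and extends it to TCP, where an inbound SYN is never admitted and a SYN-ACK is admitted only against a SYN we saw leave. The `Pkt` fields and the one-reply-per-request rule are assumptions; real connection tracking also has teardown states and timeouts, which are omitted here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str                  # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0              # tcp only
    dport: int = 0
    flags: str = ""             # tcp only: "SYN", "SYN-ACK", "ACK", ...
    icmp_type: int = 0          # icmp only: 8 = echo request, 0 = echo reply
    icmp_id: int = 0
    icmp_seq: int = 0


class StatefulFilter:
    """Admits inbound packets only when they continue a conversation that an
    inside host started. Simplified model of kernel connection tracking."""

    def __init__(self):
        self.echo_pending = set()    # (inside, outside, id, seq) awaiting a reply
        self.tcp = {}                # (inside, sport, outside, dport) -> state

    def outbound(self, p: Pkt) -> bool:
        if p.proto == "icmp":
            if p.icmp_type == 8:                       # echo request leaving: remember it
                self.echo_pending.add((p.src, p.dst, p.icmp_id, p.icmp_seq))
                return True
            return False                               # inside only asks, never answers
        if p.proto == "tcp":
            key = (p.src, p.sport, p.dst, p.dport)
            state = self.tcp.get(key)
            if p.flags == "SYN" and state in (None, "SYN_SENT"):   # new connection (or SYN retransmit)
                self.tcp[key] = "SYN_SENT"
                return True
            if state == "ESTABLISHED":
                return True
            return False                               # e.g. a stray ACK with no handshake
        return False

    def inbound(self, p: Pkt) -> bool:
        if p.proto == "icmp":
            if p.icmp_type != 0:
                return False                           # echo requests from outside: never
            key = (p.dst, p.src, p.icmp_id, p.icmp_seq)    # reverse direction
            if key in self.echo_pending:
                self.echo_pending.discard(key)         # one request, one reply (assumption)
                return True
            return False
        if p.proto == "tcp":
            key = (p.dst, p.dport, p.src, p.sport)     # reverse direction
            state = self.tcp.get(key)
            if state == "SYN_SENT" and p.flags == "SYN-ACK":
                self.tcp[key] = "ESTABLISHED"
                return True
            if state == "ESTABLISHED":
                return True
            return False                               # includes every inbound SYN
        return False


if __name__ == "__main__":
    fw = StatefulFilter()
    reply = Pkt("icmp", "203.0.113.9", "192.168.1.5", icmp_type=0, icmp_id=7, icmp_seq=1)
    print("reply with no request:", fw.inbound(reply))
    fw.outbound(Pkt("icmp", "192.168.1.5", "203.0.113.9", icmp_type=8, icmp_id=7, icmp_seq=1))
    print("reply after request:", fw.inbound(reply))
```

A plain packet filter would need a permanent "allow ICMP type 0 inbound" rule, which also admits unsolicited replies used for covert channels or reflection; the tracker admits exactly one reply per request it saw leave.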
Topology
Bridge-type firewall: invisible to users; easy to install in already existing networks.
Router-type firewall: has an IP address, visible to users.

Topology
Advantages of a bridge-type firewall: invisible to users; easy to install in already existing networks.
Disadvantages of a bridge-type firewall: requires more equipment than packet filtering; rules may be more confusing to configure.
Advantages of a router-type firewall: rule configuration slightly better than bridge.
Disadvantages of a router-type firewall: the system is visible to users and outsiders.
Problems
Firewalls as filters can be considered, for the most part, to be infallible... but as a security measure? They can only enforce rules (generally static).
[Diagram: internet - Firewall - internal network]

Problems
"Crunchy on the outside, but soft and chewy on the inside."
[Diagram: internet - Firewall - our network, treated as the trusted network: once past the firewall, everything inside is trusted]
Setting up the firewall
Using the DMZ (DeMilitarized Zone) to your advantage.
Firewalls as intrusion detection devices.
Configure VPNs for management.

DMZ Configuration
A separate area off the firewall.
Different network segments may have different policies: departments, service areas, public services, internal services.
Usually a different subnet.
Commonly used to house Internet-facing machines (i.e. web servers).
Has its own firewall policy.
DMZ Configuration
Place web servers in the DMZ network.
Only allow web ports (TCP ports 80 and 443).
[Diagram: internet - Firewall - Web Server in the DMZ]

DMZ Configuration
Don't allow web servers access to your network.
Allow the local network to manage web servers (SSH).
Don't allow servers to connect to the Internet.
Patching becomes less convenient: updates have to be brought in from the inside rather than fetched by the server.
[Diagram: internet - Firewall - Web Server; the guard: "The red ones are not allowed through."]

DMZ Configuration
Local network:
Everyone may contact the web server (port 80/443).
Certain PCs may contact the server over SSH (port 22).
The server may not contact the local network.
Internet:
Everyone may contact the web server (port 80/443).
Anything other than the web service is not permitted.
The server may not wander around the Internet.
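The DMZ policy of the last three slides as an added, default-deny example (not code from the original deck). Addresses are assumptions: LAN 192.168.1.0/24, DMZ 10.0.0.0/24, web server 10.0.0.10, the "certain PCs" 192.168.1.10 and 192.168.1.11, and anything outside those ranges counts as the Internet. The example is stateful because the policy needs it: the server may not open connections to the LAN, yet its replies to a LAN client's HTTP request must still flow, so only the first packet of a connection is checked against the rules and later packets are matched to connections already admitted.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the slide's three zones.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.0.0/24"),
}
WEB_SERVER = "10.0.0.10"
ADMIN_PCS = {"192.168.1.10", "192.168.1.11"}   # the "certain PCs" allowed SSH


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"                            # everything that is not ours


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True        # True for the first packet of a new connection


def policy(flow: Flow) -> str:
    """The slide's rules, top to bottom; anything unmatched is denied."""
    src_zone = zone_of(flow.src)
    is_web_port = flow.proto == "tcp" and flow.dport in (80, 443)
    # Internet and LAN may reach the web server, web ports only.
    if flow.dst == WEB_SERVER and is_web_port and src_zone in ("internet", "lan"):
        return "allow"
    # Certain LAN PCs may manage the server over SSH.
    if flow.dst == WEB_SERVER and flow.proto == "tcp" and flow.dport == 22 and flow.src in ADMIN_PCS:
        return "allow"
    # Default deny covers the rest: the server reaching the LAN or the Internet,
    # non-web services on the server, and direct access to LAN hosts.
    return "deny"


class DmzFirewall:
    def __init__(self):
        self.established = set()   # 5-tuples of connections already admitted

    def check(self, flow: Flow) -> str:
        fwd = (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)
        rev = (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        if fwd in self.established or rev in self.established:
            return "allow"         # reply traffic of a connection we already permitted
        if not flow.syn:
            return "deny"          # mid-connection packet with no known connection
        verdict = policy(flow)
        if verdict == "allow":
            self.established.add(fwd)
        return verdict


if __name__ == "__main__":
    fw = DmzFirewall()
    cases = [
        Flow("198.51.100.5", 51000, WEB_SERVER, 443),          # internet -> web: allow
        Flow("198.51.100.5", 51001, WEB_SERVER, 22),           # internet -> ssh: deny
        Flow("192.168.1.50", 52000, WEB_SERVER, 80),           # lan -> web: allow
        Flow(WEB_SERVER, 80, "192.168.1.50", 52000, syn=False),  # reply to lan: allow
        Flow(WEB_SERVER, 38000, "192.168.1.50", 445),          # server -> lan: deny
        Flow(WEB_SERVER, 38001, "203.0.113.7", 443),           # server -> internet: deny
        Flow("192.168.1.10", 53000, WEB_SERVER, 22),           # admin pc -> ssh: allow
        Flow("192.168.1.50", 53001, WEB_SERVER, 22),           # other pc -> ssh: deny
    ]
    for c in cases:
        print(c.src, "->", c.dst, c.dport, fw.check(c))
```

The same policy written for a real firewall keeps this shape: one "established/related" rule first, then the explicit allows, then a default drop; the order matters because the reply rule is what keeps the "server may not contact the LAN" rule from breaking the web service itself.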
Firewall as an IDS
IDS = Intrusion Detection System
Collect log information from the deny rules.
Find port scanning, hacking attempts, etc.
Isolating traffic with deny rules helps cut down the information overload.

Firewall as an IDS
What to do with ALL that data... graph it!
Shows trends and what people are looking for.
Helps prioritize security tasks.
Occasionally you may want to block port scans.

Firewall as an IDS
Pay close attention to traffic leaving the DMZ: it is often the first sign of a compromise.
These are low-traffic rules, so the logs aren't as enormous.
E-mail alerts are nice, provided you're the only one reading them.
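An added example of the three slides above, not from the original deck: a parser for netfilter-style deny log lines plus two detections, a port-scan finder (one source denied on many distinct destination ports) and a report of every denied connection attempt leaving the DMZ. The log lines are constructed for the example (RFC 5737 documentation addresses), and the `DENY-IN` / `DENY-DMZ-OUT` log prefixes are assumed names for the two deny rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (iptables LOG target format, trimmed).
SAMPLE_LOG = """\
Oct  3 10:01:02 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41000 DPT=21
Oct  3 10:01:02 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41001 DPT=22
Oct  3 10:01:03 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41002 DPT=23
Oct  3 10:01:03 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41003 DPT=25
Oct  3 10:01:04 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41004 DPT=3389
Oct  3 10:02:10 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=22
Oct  3 10:03:15 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.78 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Oct  3 10:05:40 fw kernel: DENY-DMZ-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=203.0.113.200 PROTO=TCP SPT=38000 DPT=6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[\w-]+): "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"          # absent for ICMP
)


def parse(log: str):
    """Return one dict per matching line; non-matching kernel noise is skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"]) if e["dpt"] else None
            events.append(e)
    return events


def find_portscans(events, min_ports=5):
    """A source denied on many different destination ports is scanning."""
    ports = defaultdict(set)
    for e in events:
        if e["prefix"] == "DENY-IN" and e["dpt"] is not None:
            ports[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_dmz_egress(events):
    """Policy says the DMZ never initiates outbound; every denied attempt is
    reportable on its own, since it is often the first sign of a compromise."""
    return [(e["ts"], e["src"], e["dst"], e["proto"], e["dpt"])
            for e in events if e["prefix"] == "DENY-DMZ-OUT"]


def top_targets(events, n=3):
    """What people are looking for: the most frequently denied inbound ports."""
    c = Counter(e["dpt"] for e in events if e["prefix"] == "DENY-IN" and e["dpt"] is not None)
    return c.most_common(n)


def report(log: str):
    events = parse(log)
    return {
        "portscans": find_portscans(events),
        "dmz_egress": find_dmz_egress(events),
        "top_targets": top_targets(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

The scan threshold and the "any DMZ egress is an alert" rule are the tuning knobs; the second list stays short precisely because the deny rule it comes from is a low-traffic one.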
VPN
VPN = Virtual Private Network
A VPN is far more secure than other management methods:
SSL and SSH are vulnerable to man-in-the-middle attacks when the server certificate or host key is not verified.
Telnet and SNMP are cleartext.
There are no known man-in-the-middle attacks against properly authenticated IPsec (yet).

VPN
VPN clients are supported on most platforms.
Most firewalls will work with most clients.
Netscreen now officially supports FreeS/WAN.
Mac OS X now supports VPN.
Conclusions
People don't just put up a thick front door for their sensitive belongings; you shouldn't for your network either.
Firewalls are an effective start to securing a network, not a finish.
Care must be taken to construct an appropriate set of rules that will enforce your policy.
