An Toàn Mạng: Tường lửa (Firewall) Võ Viết Minh Nhật Khoa CNTT – Trường ĐHKH Nội dung trình bày  Các khái niệm cơ bản  Các kiểu firewall khác nhau  Packet filtering and stateless filtering  Stateful filtering  Deep packet layer inspection  Nâng cao khả năng cho firewall  Cơ chế chuyển đổi địa chỉ  Các dịch vụ proxy  Lọc nội dung  Phần mềm chống virus Các khái niệm cơ bản  A firewall is defined as a gateway or access server (hardware- or software-based) or several gateways or access servers that are designated as buffers between any connected public network and a private network.  A firewall is a device that separates a trusted network from an untrusted network.  It may be a router, a PC running specialized software, or a combination of devices. Các khái niệm cơ bản Các kiểu firewall khác nhau  A multitude of firewall is produced that are capable of monitoring traffic using different techniques.  Some of firewalls can inspect data packets up to Layer 4 and others can inspect all layers (deep packet firewalls).  three types of inspection methodologies  Packet filtering and stateless filtering  Stateful filtering  Deep packet layer inspection Packet filtering  Packet filters are now easy to break, hence the introduction of proxy servers that limit attacks.  A proxy server is a server that sits between a client application, such as a web browser, and a real server.  It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.  Proxy servers are application based, slow, and difficult to manage in large IP networks. Stateless firewall  A stateless firewall permits only the receipt of information packets that are based on the source's address and port from networks that are trusted.  It adds more flexibility and scalability to network configuration  Packets are inspected up to Layer 3, therefore, stateless firewalls are able to inspect source and destination IP addresses and protocol source and destination ports. Stateless firewall Stateful firewall  A stateful firewall limits network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port.  Stateful firewalls can also inspect data content and check for protocol anomalies. Stateful firewall [...]... can monitor, manage, and provide restricted access to the Internet Cisco provides a number of content-filtering engines that can perform the functions:    Deny access to URLs specified in a list Permit access only to URLs specified in a list Use an authentication server in conjunction with a URL filtering scheme Content Filtering Scenario Antivirus Software   Antivirus software applications scan... globally unique) IP addresses NAT translates these unregistered addresses into the legal addresses of the outside (public) network This allows unregistered IP address space connectivity to the web and also provides added security Port Address Translation - PAT    PAT provides additional address expansion but is less flexible than NAT With PAT, one IP address can be used for up to 64,000 hosts by... networks and, more specifically, network applications to be protected from untrusted sources such as the Internet Check Point Software Firewalls  Check Point can provide the following services:       Firewall services VPN Account management Real-time monitoring Secure updates over the Internet User-friendly management interface Enhancements for Firewalls     NAT (Network Address Translation)... hidden from the outside world Typical PAT Scenario NAT/PAT The advantages of using NAT    Hiding the Class A address space 10.10.10.0/24 Internet access provided to all protected users without IP address changes The disadvantages of NAT/PAT     They are CPU processing power intensive The Layer 3 header and source address changes Voice over IP is not yet supported Proxy Services  The use of... Address Translation) Proxy services Content filtering Antivirus software Network Address Translation   NAT is a router or firewall function whose main objective is to translate the addresses of hosts behind a firewall or router NAT can also be used to overcome the IP address shortage that users currently experience with IPv4 Network Address Translation  NAT is typically used for internal IP networks... It bases all its verification and decision making on a number of different parameters, including source address, destination address, source port, and destination port The data is checked for protocol conformities NetScreen Firewall Placement Check Point Software Firewalls   As most, hardware firewalls provide effective access control, many are not designed to detect and thwart attacks specifically... network information from a source to a destination based on the destination IP address, source IP address, source TCP/UDP port, and destination TCP/UDP port It also inspects protocol conformance, checks for application-based attacks, and ensures integrity of the data flow between any TCP/IP devices Deep packet layer inspection Deep packet layer inspection  A deep packet layer device inspects packets... policy For instance, you might allow Telnet sessions to be initiated from within your network but not allow them to be initiated into the network from outside the network PIX Placement NetScreen Firewall   The NetScreen firewalls are deep inspection firewalls providing application-layer protection, whereas the PIX can be configured as stateful or stateless firewalls providing network- and transportlayer... scheme Content Filtering Scenario Antivirus Software   Antivirus software applications scan the memory and hard disks of hosts for known viruses If the application finds a virus (using a reference database with virus definitions), it informs the user The user can decide what needs to happen next Antivirus softwares are becoming integrated features of newer software firewalls Conclusion ... unauthorized connections between two or more networks, perform security functions such as authentication, authorization, and accounting (AAA) services, access lists, VPN configuration (IPSec), FTP logging PIX Interfaces PIX   Typically, the Internet connection is given the lowest level of security, and a PIX ensures that only traffic from internal networks is trusted to send data The biggest problem or issue . An Toàn Mạng: Tường lửa (Firewall) Võ Viết Minh Nhật Khoa CNTT – Trường ĐHKH Nội dung trình bày  Các khái niệm cơ bản  Các kiểu firewall khác nhau  Packet filtering and stateless. of firewalls can inspect data packets up to Layer 4 and others can inspect all layers (deep packet firewalls).  three types of inspection methodologies  Packet filtering and stateless filtering  Stateful. address, source IP address, source TCP/UDP port, and destination TCP/UDP port.  Stateful firewalls can also inspect data content and check for protocol anomalies. Stateful firewall Deep packet