Overview
Different Firewall Technologies
Packet Filtering
- Works at the Network Layer
- Only examines the packet header
- Two choices with regard to outbound, passive FTP connections:
  - Leave the entire range of upper ports (port number > 1023) open to allow a session to take place over the dynamically allocated port, which exposes the internal network
  - Shut down the entire upper range of ports, thus securing the internal network but blocking other services
  (This is the trade-off between application support and security.)
Pros: low cost; low overhead; application transparency; quicker than application gateways
Cons: low security; access limited to a small part of the packet header; screening limited above the network layer; information manipulation very limited; difficult to configure, manage and monitor; inadequate logging and alerting mechanisms; subject to IP spoofing
Application Layer Gateway
- Works at the Application Layer
- Uses complicated application logic to determine intruder attempts
Pros: good security; full Application-layer awareness
Cons: application-level implementation is detrimental to performance; cannot provide RPC and other services; most proxies are non-transparent; vulnerable to OS and application-level bugs; poor scalability (each service requires its own application layer gateway); overlooks information in other layers; expensive performance costs
Note: Every client-server communication requires two connections:
- One from client to FireWall
- One from FireWall to server
Stateful Inspection
- Communication information from the top 5 packet layers
- State derived from previous communications (Outgoing Port etc.)
- Application derived state, such that a previously authenticated user would be allowed access for authorised services only
- Evaluation of flexible expressions based on communication information, application derived state and communication-derived state
- Benefits: good security, full application awareness, high performance, scalability, extensibility and transparency
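The following toy model, added here as an illustration and not part of the original notes or of any Checkpoint product, replays an outbound passive FTP session through the three approaches described above: a packet filter that sees only the header under each of the two upper-port choices, and a stateful inspector that keeps communication-derived state (the outbound sessions it has seen) plus application-derived state (the data port announced in the FTP 227 reply). The addresses, port numbers and the 227 reply are constructed sample values; the rule set, the `Packet` class and the two decision functions are assumptions made for this example.

```python
"""Packet filter vs. stateful inspection for outbound passive FTP (added example).

The packet filter has no memory between packets, so it must either open every
port above 1023 (which also admits unsolicited inbound connections) or keep them
shut (which breaks the FTP data channel). The stateful inspector remembers the
outbound sessions it has seen and learns the data port from the FTP control
channel, so it admits only the negotiated data connection.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool          # True when the packet arrives from the outside network
    syn: bool = False      # True for a new-connection attempt
    payload: str = ""      # application data; used to spot the FTP 227 reply

# Outbound services the (assumed) security policy permits: port -> service name
SERVICE_PORTS = {21: "ftp", 80: "http"}

def stateless_filter(pkt: Packet, open_upper: bool) -> bool:
    """Packet filter: decides on the header alone, with no state between packets.
    open_upper=True  -> choice 1: the whole range above 1023 is open (both ways).
    open_upper=False -> choice 2: upper ports shut; inbound traffic is accepted
                        only as replies from a known service port."""
    if not pkt.inbound:
        return pkt.dport in SERVICE_PORTS or (open_upper and pkt.dport > 1023)
    if open_upper:
        return pkt.dport > 1023                       # any inbound packet to a high port
    return pkt.sport in SERVICE_PORTS and pkt.dport > 1023

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class StatefulInspector:
    # communication-derived state: outbound sessions as (client, cport, server, sport)
    connections: set = field(default_factory=set)
    # application-derived state: data connections announced on a control channel
    expected: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> bool:
        if pkt.inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.connections:
                return False                          # nobody inside asked for this: drop
            if pkt.sport == 21:                       # FTP control reply: learn the data port
                m = PASV_RE.search(pkt.payload)
                if m:
                    data_port = int(m.group(5)) * 256 + int(m.group(6))
                    self.expected.add((pkt.dst, pkt.src, data_port))
            return True
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.connections:
            return True                               # later packet of a known session
        pinhole = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn and (pkt.dport in SERVICE_PORTS or pinhole in self.expected):
            self.connections.add(key)
            self.expected.discard(pinhole)            # the pinhole is used exactly once
            return True
        return False

def run_scenario(decide) -> dict:
    """Replay a passive FTP session plus one unsolicited inbound connection attempt
    and return, per packet, whether the given decision function accepted it."""
    client, server, outsider = "10.0.0.5", "198.51.100.7", "203.0.113.9"   # constructed
    data_port = 195 * 256 + 80                                             # 50000
    flow = {
        "ctl_syn":     Packet(client, 40001, server, 21, inbound=False, syn=True),
        "ctl_reply":   Packet(server, 21, client, 40001, inbound=True,
                              payload="227 Entering Passive Mode (198,51,100,7,195,80)"),
        "data_syn":    Packet(client, 40002, server, data_port, inbound=False, syn=True),
        "data_reply":  Packet(server, data_port, client, 40002, inbound=True),
        "unsolicited": Packet(outsider, 51000, client, 20000, inbound=True, syn=True),
    }
    return {name: decide(pkt) for name, pkt in flow.items()}

if __name__ == "__main__":
    for label, decide in [
        ("packet filter, upper ports open", lambda p: stateless_filter(p, open_upper=True)),
        ("packet filter, upper ports shut", lambda p: stateless_filter(p, open_upper=False)),
        ("stateful inspection", StatefulInspector().inspect),
    ]:
        print(label)
        for name, accepted in run_scenario(decide).items():
            print(f"  {name:<12} {'accept' if accepted else 'drop'}")
```

Running it shows the trade-off from the notes in one table: with the upper range open, the data channel works but the unsolicited inbound connection is accepted too; with it shut, the unsolicited packet is dropped but so is the FTP data channel; the stateful inspector accepts the whole FTP session and nothing else, because the only inbound packets it admits are those matching a session that an inside host started.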
FireWall Capability         | Packet Filters | Application Layer Gateways | Stateful Inspection
Communication Information   | Partial        | Partial                    | Yes
Communication Derived State | No             | Partial                    | Yes
Application Derived State   | No             | Yes                        | Yes
Information Manipulation    | Partial        | Yes                        | Yes
Note:
- The Inspect Engine is located in the Kernel Module
- It can Accept, Reject or Drop packets
- It saves system processing time
Firewall-1 Products
Checkpoint uses the OPSEC (Open Platform for Secure Enterprise Connectivity) architecture, which provides a scalable framework for security implementation by separating the firewall product into different modules.
Enterprise Product
- Management Module – Centralised graphical security management for either one or unlimited security enforcement points
- Inspection Module – Access Control; client and session authentication; network address translation; auditing
- Firewall Module – Includes inspection module; user authentication; multiple firewall synchronisation; content security
- Encryption Module – Provides DES and FWZ1 Encryption
- Router Security Management – Security management for router ACLs across one or more routers
- Open Security Manager – Centralised security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco Pix firewalls
Single Gateway Product
- Management Module – Centralised graphical security management for either one or unlimited security enforcement points
- Inspection Module – Access Control; client and session authentication; network address translation; auditing
- Firewall Module – Includes inspection module; user authentication; multiple firewall synchronisation; content security
Enterprise Management Product
- Connect Control Module – Automatic application server load balancing across multiple servers (deployed with Firewall-1)
Firewall-1 Firewall Module
- Inspection Module – Access Control; client and session authentication; network address translation; auditing
- User Authentication; multiple firewall synchronisation; content security
Firewall-1 Inspect Module
- Access control; client and session authentication; network address translation; auditing
The Encryption Module
- DES Encryption Module for use in North America
- FWZ1 Module for worldwide export
Firewall-1 Architecture
- A 3-tier architecture: there can be many different firewall modules running in different locations (security enforcement points) controlled by a central Management Console. Administrators can administer the security system either directly via the console, or by running GUI clients connected to the Management Console through the network from another desktop.
- For the Single Gateway Product, there is only one Firewall Module controlled by one Management Console, and both must be installed on the same machine, which means that there is only one security enforcement point. However, you can still run the GUI client from another desktop. Firewall Internet Gateway/25 is a Firewall Internet Gateway (including one firewall module and management server) that protects 25 nodes or IP addresses. The number included with the product name pertains to the number of IP addresses a user needs to protect: e.g., 25/50/100/250/Unlimited.
- The GUI is available only for Win95/98/NT and Motif. The exam focuses on the GUI, not the command line. The three different GUIs are: the Security Policy Editor for setting up the security settings, the Log Viewer for viewing the logs, and the System Status tool for viewing the current statistics of different firewall components. The Network Object Manager is a function within the Policy Editor for creating objects, so that we can place the objects in the rule base and set up corresponding security rules.
- FWD (Firewall Daemon) is the process responsible for moving data between the components.
- When the server is started and the Firewall-1 services have not finished loading, the server's IP forwarding function can provide hackers with security holes to get in. This is the specific vulnerable time we need to pay attention to. The best way is to let Firewall-1 control the server's IP forwarding function.
Firewall-1 as a service in Control Panel – Services
