Firewalls
- they are network devices that control the flow of traffic between two or more networks
- routers with enhanced security functionality
- they contain a rulebase that defines all of the traffic that is allowed to enter a network
- anything not explicitly allowed is denied (implicit deny)

Firewall Topologies
- bastion host
- screened subnet/DMZ
- dual firewalls

- Bastion host - lies between the outside world (Internet) and the intranet.
- Screened subnet/DMZ - similar to a bastion host, but a 3rd network is added (the DMZ), which is a secured location for hosts requiring public access (web servers, email servers, etc.).
- Dual firewalls - similar to the DMZ, but two firewalls are placed between the Internet and the intranet. The DMZ is placed in the area between the two firewalls.

Firewall Methodologies
- packet filtering
- stateful inspection
- application proxy

- Packet filtering - intercepts all packets and evaluates each one against the rules; each packet is an independent decision; same basic functionality as router ACLs.
- Stateful inspection - adds an advanced degree of analysis; the firewall is aware of the three-way TCP handshake and knows the current state of each connection; packets that are part of a previously allowed connection can pass through without checking the rulebase.
- Application proxying - the firewall intercepts all inbound/outbound connections and acts as a proxy between client and server; allows for detailed, application-layer inspection of network traffic.

Firewall rulebases
- packets are matched based upon one or more criteria:
  - source address
  - destination address
  - destination port
  - time/date
  - content
- an action is taken for each packet that matches a rule

Rulebase structure
- rules are processed in top-down order
- the first matching rule is executed, all other rules are ignored
- the last rule is always the 'deny all' rule, which enforces implicit deny.
Common firewall rulebase errors
- orphaned rules
- typographical errors
- misplaced rules
- ordering of exceptions and general cases (an exception must come before the general rule it narrows, or it is never reached)

Firewall rulebase management
- monitor firewall logs on a regular basis, looking for:
  - configuration errors
  - signs of malicious activity
- users will be quick to tell you when something doesn't work, but not so fast to inform you when they can do things that aren't allowed.
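The following is an added illustration, not part of the notes above: a small Python model of the rulebase structure described (top-down processing, first match wins, implicit deny when nothing matches) together with a check for the "misplaced rule" error, where an earlier, more general rule covers everything a later exception could match, so the exception is dead. The rule names, addresses and ports are constructed sample values, and `Rule`, `Packet`, `evaluate` and `shadowed_rules` are names chosen here, not from any firewall product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR, "0.0.0.0/0" means any source
    dst: str              # CIDR, "0.0.0.0/0" means any destination
    dport: Optional[int]  # None means any destination port
    proto: str            # "tcp", "udp" or "any"
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every criterion of the rule."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport)
            and rule.proto in ("any", pkt.proto))


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first-match evaluation. Returns (action, rule name).

    If no rule matches, the packet is denied by the implicit deny, even
    when the rulebase forgot its trailing explicit 'deny all' rule.
    """
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def covers(general: Rule, specific: Rule) -> bool:
    """True when every packet 'specific' could match is also matched by 'general'."""
    return (ip_network(general.src).supernet_of(ip_network(specific.src))
            and ip_network(general.dst).supernet_of(ip_network(specific.dst))
            and general.dport in (None, specific.dport)
            and general.proto in ("any", specific.proto))


def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """Find rules that can never fire because an earlier rule covers them.

    Returns (shadowed rule name, earlier rule name) pairs. A deny exception
    placed after the general allow it was meant to narrow shows up here.
    """
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rulebase: DMZ 192.0.2.0/24, intranet 10.0.0.0/8,
# partner network 198.51.100.0/24. Exception (rule 3) precedes the general
# partner rule (rule 4); 'deny-all' closes the rulebase.
RULEBASE = [
    Rule("allow-web-to-dmz", "0.0.0.0/0", "192.0.2.0/24", 443, "tcp", "allow"),
    Rule("allow-smtp-to-dmz", "0.0.0.0/0", "192.0.2.10/32", 25, "tcp", "allow"),
    Rule("block-partner-ssh", "198.51.100.0/24", "10.0.0.0/8", 22, "tcp", "deny"),
    Rule("allow-partner-to-intranet", "198.51.100.0/24", "10.0.0.0/8", None, "any", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", None, "any", "deny"),
]

# Same rules with the exception misplaced after the general case.
MISPLACED = [RULEBASE[0], RULEBASE[1], RULEBASE[3], RULEBASE[2], RULEBASE[4]]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.0.2.10", 443, "tcp"),
                Packet("198.51.100.7", "10.1.2.3", 22, "tcp"),
                Packet("198.51.100.7", "10.1.2.3", 3389, "tcp")):
        print(pkt, "->", evaluate(RULEBASE, pkt), "| misplaced:", evaluate(MISPLACED, pkt))
    print("shadowed in RULEBASE:", shadowed_rules(RULEBASE))
    print("shadowed in MISPLACED:", shadowed_rules(MISPLACED))
```

Running the module shows the partner SSH packet denied by `block-partner-ssh` in the correctly ordered rulebase but allowed by `allow-partner-to-intranet` in the misplaced one, and `shadowed_rules` reports the dead exception. The same check is what you would want to run after every rulebase change, alongside the log review the notes recommend.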