Firewalls Used in Different Networks
A firewall is a device or set of devices designed to permit or deny network transmission based upon a set of rules and is frequently used to protect networks from unauthorised access while permitting legitimate communications to pass.
This page briefly explains how firewalls are used in different network settings (NAT, DMZ, VPN and wireless networks) and what the different applications of a firewall are.
Applications of a firewall: packet filtering; port blocking and scanning; web filtering; URL screening; web caching; user blocking; domain blocking; antivirus; spam filtering; e-mail scanning; network access rules; Network Address Translation (NAT); user authentication; intrusion protection; network activity monitoring.
Different firewall architectures: dual-homed host architecture, screened host architecture, screened subnet architecture. Related components: perimeter network, bastion host, interior router, exterior router.
NAT is built into all the most common Internet connection sharing technologies around. Microsoft has built its ICS around it, and every cable/DSL broadband router on the market accomplishes its job with NAT.
NAT acts as an interpreter between two networks. It sits between the Internet and your network, as illustrated in the diagram above. The Internet is considered the public side and your network is considered the private LAN side.
Interface: The Firebox will apply 1-to-1 NAT for packets sent in to, and out of, the interface.
NAT base: When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The NAT base is the first available IP address in the to range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied.
Real base: The real base is the first available IP address in the from range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy.
Number of hosts to NAT (for ranges only): The first real base IP address is translated to the first NAT base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the number of hosts to NAT is reached.
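As an added illustration (not from the original slides, and not any vendor's implementation), the following Python models the real base / NAT base / number-of-hosts mapping described above in both directions; the address ranges are constructed examples.

```python
import ipaddress


class OneToOneNat:
    """Model of a 1-to-1 NAT rule: a contiguous 'real base' (private) range
    is mapped, in order, onto a contiguous 'NAT base' (public) range."""

    def __init__(self, real_base: str, nat_base: str, num_hosts: int = 1):
        if num_hosts < 1:
            raise ValueError("Number of hosts to NAT must be at least 1")
        self.real_base = ipaddress.ip_address(real_base)
        self.nat_base = ipaddress.ip_address(nat_base)
        self.num_hosts = num_hosts

    def _offset(self, addr, base):
        # Position of addr within the range starting at base, or None when
        # the address lies outside the "Number of hosts to NAT".
        off = int(addr) - int(base)
        return off if 0 <= off < self.num_hosts else None

    def outbound(self, src: str):
        """Packet leaving the interface: real base -> NAT base.
        Returns None when the source is not covered by this rule."""
        off = self._offset(ipaddress.ip_address(src), self.real_base)
        return None if off is None else str(self.nat_base + off)

    def inbound(self, dst: str):
        """Packet arriving at the interface: NAT base -> real base."""
        off = self._offset(ipaddress.ip_address(dst), self.nat_base)
        return None if off is None else str(self.real_base + off)

    def table(self) -> dict:
        """The full real-base -> NAT-base mapping the rule creates."""
        return {str(self.real_base + i): str(self.nat_base + i)
                for i in range(self.num_hosts)}


if __name__ == "__main__":
    # Constructed example: five hosts 10.0.1.10-14 appear as 203.0.113.10-14.
    rule = OneToOneNat("10.0.1.10", "203.0.113.10", num_hosts=5)
    for real, public in rule.table().items():
        print(f"{real:>12} <-> {public}")
    print("outbound 10.0.1.12    ->", rule.outbound("10.0.1.12"))
    print("inbound  203.0.113.14 ->", rule.inbound("203.0.113.14"))
    print("outbound 10.0.1.15    ->", rule.outbound("10.0.1.15"))  # not in rule
```

A host past the configured count (10.0.1.15 here) returns None, which is where a real firewall would fall back to dynamic NAT or drop the packet.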
When using iChat with NAT routers and firewalls, certain ports must be open to allow video and audio conferencing behind a firewall. Some devices have these ports open by default, while others require configuration. A list of individual port functions can be found in "'Well known' TCP and UDP ports used by Apple software products".
Ports to open for the Mac OS X firewall: When using the built-in Mac OS X firewall, you only need to open these ports: 5060, 5190, 5297, 5298, 5678, and 16384 through 16403. If using Jabber in Mac OS X 10.4 or later, open 5220, 5222 and 5223 as well.
A DMZ (demilitarized zone) is a computer or small subnetwork that sits between a trusted internal network and an untrusted external network. Common setups used for small and medium networks include a firewall that processes all the requests from the internal network (LAN) to the Internet and from the Internet to the LAN.
Web server: Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information.
Mail server: E-mail messages and particularly the user database are confidential information, so they are typically stored on servers that cannot be accessed from the Internet. The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.
FTP server: File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet.
VoIP server: VoIP is an abbreviation for Voice over IP, the transmission of voice over the Internet. A VoIP service, in essence, consists of a computer that can make phone calls to anywhere in the world. It may be PC to PC or PC to phone, landline or mobile. The voice signals are converted into data packets that travel over the Internet using a VoIP platform, and then converted back into the recipient
Single firewall: The external network is formed from the ISP to the firewall on the first network interface.
Dual firewall: The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network. There is even more protection if the two firewalls are provided by two different vendors.
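To make the dual-firewall policy concrete, here is an added Python model (not from the slides) with a default-deny front-end firewall that admits only traffic destined to the DMZ and a back-end firewall that admits only DMZ-to-internal traffic; the zone address ranges are constructed from documentation prefixes.

```python
import ipaddress

# Constructed example addressing (documentation ranges), not from the slides.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Zones in the order a packet passes through them: the front-end firewall
# sits between "internet" and "dmz", the back-end between "dmz" and "internal".
ZONE_ORDER = ["internet", "dmz", "internal"]
# Each firewall permits a set of (source zone, destination zone) pairs and
# denies everything else. Replies of established connections are left to
# connection tracking and are not modelled here.
FRONTEND = {("internet", "dmz")}   # allow traffic destined to the DMZ only
BACKEND = {("dmz", "internal")}    # allow only DMZ -> internal network

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in INTERNAL_NET:
        return "internal"
    return "internet"

def firewalls_on_path(src_zone: str, dst_zone: str):
    """Firewalls a packet crosses when travelling between two zones."""
    lo, hi = sorted((ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)))
    hops = []
    if lo <= 0 < hi:
        hops.append(("frontend", FRONTEND))
    if lo <= 1 < hi:
        hops.append(("backend", BACKEND))
    return hops

def decide(src_ip: str, dst_ip: str):
    """Return ("ACCEPT", None) or ("DROP", <firewall that dropped it>)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for name, policy in firewalls_on_path(src_zone, dst_zone):
        if (src_zone, dst_zone) not in policy:
            return ("DROP", name)
    return ("ACCEPT", None)

if __name__ == "__main__":
    # Internet client -> DMZ web server, Internet client -> internal database
    # directly, and DMZ web server -> internal database.
    for src, dst in [("198.51.100.7", "192.0.2.10"),
                     ("198.51.100.7", "10.1.2.3"),
                     ("192.0.2.10", "10.1.2.3")]:
        print(src, "->", dst, decide(src, dst))
```

The second case shows the value of the layout: a connection from the Internet can never reach the internal network directly, because the front-end firewall only ever admits packets whose destination is in the DMZ.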
DMZ
A Virtual Private Network (VPN) is a type of private network that uses public telecommunication, such as the Internet. A VPN utilizes public telecommunications networks to conduct private data communications.
VPN server in front of the firewall: The firewall is attached to the Internet via the VPN server. Packet filters need to be added to the Internet interface. It can lead to greater security. Prevents the sharing of File Transfer Protocol (FTP).
VPN server behind the firewall: The firewall is directly connected to the Internet. The VPN server and Web server are two intranet resources connected to a DMZ. The firewall must be configured with input and output filters on its Internet interface.
IPsec (Internet Protocol Security)
A firewall monitors traffic crossing network perimeters. VPNs allow authorized users to pass through the firewalls. A packet-level firewall checks source and destination; an application-level firewall acts as a host computer between the organization's network and the Internet.
Site-to-site VPN: links two or more networks.
Client-to-site VPN: makes a network accessible to remote users who need dial-in access.
Remote access VPNs utilize a central site VPN concentrator and a software VPN client. The client is installed on the users' desktop or laptop computers and enables the users to establish a secure, encrypted tunnel to the office network. Computers that gain access to a VPN can potentially access all the resources of the private network.
Some organizations maintain their own remote access servers and allow direct dial-up connections; others rely on Internet service providers (ISPs) to manage dial-up.
Normally, wireless Internet connections can be easily shared using ICS (Internet Connection Sharing) or by making an ad-hoc network connection.
While you can use a Wi-Fi router for connecting an Android or Symbian phone to the internet, your router might not be able to support too many devices.
MyPublicWiFi is an application for creating a free Wi-Fi hotspot that turns your computer into a wireless router with firewall and URL tracking functionality. Using the firewall, you can also restrict certain types of services which you may not want the shared users to access.
The screenshot below demonstrates how the Wi-Fi connection becomes available to numerous devices among the available Wi-Fi connections.
To configure additional options, head over to the Management tab. Here, you can enable the firewall and URL logging, and select MyPublicWiFi to start with system start-up.
Wi-Fi Alliance, in conjunction with the IEEE, has developed enhanced, interoperable security standards called Wi-Fi Protected Access (WPA) and WPA2.
WPA and WPA2 use specifications that bring together standards-based, interoperable security mechanisms that significantly increase the level of data protection and access control for wireless LANs.
WPA and WPA2 provide wireless LAN users with a high-level assurance that their data remains protected and that only authorized network users can access the network.
A wireless network that uses WPA or WPA2 requires all computers that access the wireless network to have WPA or WPA2 support. WPA provides a high level of data protection and (when used in Enterprise mode) requires user authentication.
The main standards-based technologies that constitute WPA include Temporal Key Integrity Protocol (TKIP), 802.1X, Message Integrity Check (MIC), and Extensible Authentication Protocol (EAP).
TKIP provides enhanced data encryption, including control of the frequency with which keys are used to encrypt the wireless connection.
802.1X and EAP provide the ability to authenticate a user on the wireless network. 802.1X is a port-based network access control method for wired as well as wireless networks. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing
Personal mode, which relies on the capabilities of TKIP without requiring an authentication server.
Enterprise mode, which uses a separate server, such as a RADIUS server, for user authentication.
WPA and WPA2 run in Personal mode in the typical household or small office, which does not have an authentication server. Instead of authenticating with a RADIUS server, users manually enter a password to log in to the wireless network. When a user enters the password correctly, the wireless device starts the encryption process using
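As an added example (not from the slides), this Python derives the Personal-mode pre-shared key from the passphrase the user types and the network's SSID as IEEE 802.11i specifies, and shows how a client decides whether the typed value is a passphrase or an already-derived key; the sample network name is constructed and the 64-hex-digit convention is taken from common supplicant behaviour, stated here as an assumption.

```python
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")

def valid_passphrase(passphrase: str) -> bool:
    """WPA/WPA2-Personal passphrases are 8 to 63 ASCII characters."""
    return 8 <= len(passphrase) <= 63 and passphrase.isascii()

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key from passphrase and SSID
    (IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte output).
    Every device on the network that knows the passphrase derives the
    same key, which is why Personal mode gives no per-user identity."""
    if not valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)

def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    return wpa_psk(passphrase, ssid).hex()

def psk_from_user_entry(entry: str, ssid: str) -> bytes:
    """What a client does with the value the user typed. Assumption of this
    example (mirrors common supplicants): exactly 64 hex digits is taken as
    the raw PSK itself; anything else is treated as a passphrase."""
    if len(entry) == 64 and all(c in HEX_DIGITS for c in entry):
        return bytes.fromhex(entry)
    return wpa_psk(entry, ssid)

if __name__ == "__main__":
    # Constructed example network; the SSID is part of the key derivation,
    # so the same passphrase yields a different PSK on a renamed network.
    print(wpa_psk_hex("correct horse battery", "HomeNet"))
    print(wpa_psk_hex("correct horse battery", "HomeNet-5G"))
```

Because a single shared key is all that Personal mode has, removing one user means changing the passphrase on every device; that is the operational gap the Enterprise mode's RADIUS-based per-user authentication closes.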
WPA and WPA2 Enterprise: WPA is a subset of the draft IEEE 802.11i standard and effectively addresses the wireless local area network (WLAN) security requirements for the enterprise. In an enterprise with IT resources.
Wi-Fi is used in the local area networks of the enterprise, the home, and public hotspots, while mobile cellular networks provide wide area coverage. The BlackBerry smartphone leverages the convergence of the two: it brings broadband connectivity and provides the convenience of a single handset, resulting in lower management costs.
Quality of Service (QoS): QoS enhances support for real-time applications such as voice or other multimedia by making it possible to prioritize traffic from different applications.
Security: Security standards and certifications for enterprise and public access devices bring advanced security to Wi-Fi devices, bringing mobile devices to parity with the security found in wired desktops and laptops.
BlackBerry smartphone capabilities (the first converged BlackBerry smartphone): When in Wi-Fi coverage areas, the BlackBerry smartphone utilizes the broadband connection to transmit and receive data.