Firewall is the security system to protect network by controlling the access such as a private corporate network. The network will be protected from an unexpected public network like the Internet environment. As a result, firewall will be located which every request from public network must pass through the firewall, taking out the needs for individual preservation of every server and host in the protected network.
A firewall is typically situated the position the network connects to the Internet. This position allows the firewall to give authentication and other security services to remote users in order to avoid unauthorized users from logging in to the network. Figure 9.1 illustrates a firewall-controlled access to the corporate network from the Internet.(put picture in there).
For a firewall to be useful, school district of Bangalore first needs to define their network security policy. A network security policy recognizes the resources that need preservation and the intimidation against them. It then describes how they can be used and who can use them, and specifies the actions to be taken when the policies are encroached.
Types of firewalls
Get your grade
or your money back
using our Essay Writing Service!
Firewalls can be divided into three basic categories: packet filters, proxy servers (which include application gateways and circuit-level gateways), and stateful packet filters.
A packet filter is a firewall that verifies each packet for user-defined filtering rules to decide which to pass or block it.
Packet filters are fast and can be easily implemented in existing routers. However, they are the least secure in all of the types of firewalls. One disadvantage of packet filters is that they have no logging capacity that can be used to identify when a break-in has happened. Also, a packet filtering firewall grants or denies access to the network according to the source and target addresses and the source and destination ports. Unfortunately, these ports can be spoofed. As a result, anyone can access network resources once admission has been approved to an authorized user.
A proxy server is an application that forwards users' requests to the authentic services based on an organization's security rule. All communication between a user and the actual server happens through the proxy server. Therefore, a proxy server works as a communications broker between users and the actual application servers. Because it proceeds as a checkpoint where requests are validated against particular applications, a proxy server is usually processing concentrated and can become a block under heavy traffic conditions.
Proxy servers can control at either the application layer or the transport layer. In consequence, there are two classes of proxy servers: application gateways, which manage at the application layer; and circuit-level gateways, which operate at the transport layer.
An application gateway is a proxy server that gives access control at the application layer. It works as an application-layer gateway between the defended network and the unauthenticated network. Because it runs at the application layer, it is able to observe traffic in detail and so is reflected on the most secure type of firewall. It can avoid certain applications, such as FTP, from entering the preserved network. It can also record all network activities according to applications for both accounting and security review intentions. Application gateways can also cover information. Since all requests for services in the preserved network pass through the application gateway, it can afford network address translation (or IP address hiding) functionality and hide IP addresses in the protected network from the Internet by changing the IP address of every packet with its own IP address.
Circuit level gateways
The main function of the circuit gateway is validation the TCP and UDP before the grant of connection all over firewall. It is very useful for connection establishment and avoids the conduction the packets until access control rules has been met.
Firewall architecture is the best way to come close to where firewall elements have been arranged to against the concurrence of the unauthorized users. It will be set up after the network security policy is defined. There are three common firewall architectures.
1.3.1. Dual Home Host
Always on Time
Marked to Standard
In this design, the function of dual homed host must be put out of action to avoid form external IP to inside.
To communicate with each other, inside and outside system must have to go thorough Dual Homed Host. They cannot call or connect directly with others.
Proxy server will provide the service to Dual Home host or login directly to Dual Homed host.
1.3.2. Screened Subnet
This firewall is relating for school district system because of its security.
There are perimeter network called DMZ (Demilitarized Zone) is added to isolate the internal network and internet environment. When hacker attacked and withhold the bastion host, they still one barrier which is called interior router to defeat. Besides that, network traffic in details are safe even thought the bastion host is being full.
Bastion host is a connection from the internet to internal network with services such as SMTP, FTP and DNS. The clients can connect to servers and it will be monitored by the following steps:
We can install the packet filtering on both the internal and external router to permit clients can connect external server from the directly internet.
We also can set up the proxy server on the bastion host to allow clients can connect to internal server indirectly.
1.3.3. Screened Host:
In this architecture, security functions are provided by the package filtering function in screening router.
Packet filtering on the screening router setup for bastion host to be distinctive in internal network that other host from the internet can access.
Packet Filtering often do the follow function:
Permits internal host release connection to host from the internet with some services is allowed.
Exclude all connection form internal hosts.
When hacker attacks to bastion host, there is no barrier existing for the all of internal hosts.
Virtual private network (VPN)
VPN places for Virtual Private Network; it is an addition of a private network that holds links across shared or public networks like the Internet. VPN allocates data can be sent between computers across a shared or public internetwork in a method that follows the properties of a point-to-point private link.
To imitate point to point link, the data is encapsulated with a header which will present the routing information and allow it across the shared or public transportation internetwork to reach the end points. To emulate a private link, the data will be sent with the encrypted in private. Packets which are intercepted on the shared or public network are hard to decode without the encryption keys.
The part of the connection where the private data is covered or wrapped is known as the tunnel. Besides that, the portion in which the data is encrypted is known as the virtual network connection.
VPN technologies have long been used and nowadays, it is being more become popular in most of the solution in almost company in the world because of the connectivity.
The illustration for the Virtual private network connection
The advantages of VPN
The connection among schools can be created easy and quickly via internet
Some of particular application can make up its security.
The communication and synchronous data among school will be done easy and quickly.
The price for share ability will be decreased if we use VPN which replace for traditional routed network over the contributed facility.
VPN can help system to increase using of IP private address.
Remote Access over the Internet
VPNs provide the remote access to gather all resource over the public internet while it also keeps up the privacy of information. The outline will show a VPN connection used to remote access to corporate intranet.
The illustration for VPN connection to connect 2 remote site.
Connecting networks via the Internet
Two ways will be used to connect local area networks at the remote side:
Using the granted lines to connect a branches office to LAN corporate.
Using a dial up lines to connect a branches office to LAN corporate.
This Essay is
a Student's Work
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.Examples of our work
Connecting Computer via a Intranet
In some profitable internetworks, the departmental data is so perceptive that the department's LAN is physically disconnected from the rest of the corporate internetwork. Although this protects the department's private information, it creates information convenience problems for those users not physically connected to the split LAN.
Tunneling is a method which is used an internetwork infrastructure to transmit data for one network over one network. The data is transferred may be a frame or packets of another protocol. In preference to sending a frame or packets by using the original node, in the tunneling method, the frames or packets will be enveloped or covered by the additional header. These additional headers will provide the routing information so that the encapsulated payload can cross the intermediate internetwork.
Then, all encapsulated frames will be routed over the tunnel endpoints over the internetwork. The encapsulated packets will pass through the internetwork by the logical path it is called a tunnel. Once the frames reach their destination, they will be decapsulated and after that, they will be sent to its final destination.
This figure will be an illustration for tunneling protocol.
Tunneling technologies have been presented for some time. These established technologies will be showed in the following list.
SNA tunneling over IP internetworks.
IPX tunneling for Novel Netware over IP internetwork.
Point to Point tunneling protocol (PPTP).
Layer two tunneling protocol (L2TP)
IPSec tunnel mode.
In this assignment, we will discuss for Point to Point tunneling protocol (PPTP), Layer two tunneling protocol and IPSec tunnel mode.
Point to Point tunneling protocol
Point to Point tunneling protocol is a layer 2 of protocol which covered frames of Point to Point protocol (PPP) in IP datagram and it used for transmission purpose over an IP internetwork such as internet.
In generally, Point to Point tunneling protocol uses a TCP connection for kept tunnel to encapsulated PPP frames for tunneled data.
The figure will be an illustration for structure of PPTP packet containing user data.
Layer two tunneling protocol (L2TP)
Layer two tunneling protocol is an organization among Point to Point tunneling protocol and Layer 2 forwarding. This is a technology which was launched by Cisco System.
L2TP uses UDP and a series of L2TP messages for tunneling preservation. Besides that, layer 2 tunneling protocol also uses UDP to send L2TP encapsulated frames as the tunneled data. The payloads of encapsulated PPP frames can be encrypted and/or compressed.
This figure will explain the structure of L2TP packet containing user data.
This figure will be an encryption of an L2TP packet.
Internet protocol security tunnel model (IPSec)
Internet protocol security tunnel model is a layer 3 of standard protocol that maintains the secured shift of information across the IP internetwork. IPSec recommend two security headers
The encapsulated security payload.
ïƒ According to the theory of transmitted information between school district and head quarter, the cable can be used to connect them but geography condition and budget is not allow to be installed. The school district has connected its 264 schools with a basic frame relay network so VPN is a good resolution to settle this problem with reasonable cost and secured transport information.
2.2 Security VPN with Cisco
VPN uses encryption tunnel to send the authentication and expectation message to get the confidentiality so it can decrease scratch from packet sniffing and block identity spoofing. When VPN is set up, it will increase the level of security of our network.
Cisco 3825 and VPN
Group Encrypted Transport VPN
Offers IPSec encryption via Internet without the use of tunnels, this security model use for common security and only use for "trusted" group. This feature is adapted for full network.
Dynamic Multipoint VPN (DMVPN)
DMVPN presents a good way to organize virtual full meshed IPSec tunnels from site to site. No need to built up when adding new section.
Easy VPN (support for remote site)
Support to create a new policy for new remote site. Support manage and control point to point VPNs
MPLS (Multiprotocol Label Switching) VPN support
This characteristic is used for branch office, it permit to expand customers' MPLS VPN networks out to the customer edge with Multi-Virtual Route Forwarding (VRF)
Multi-VRF and MPLS secure contexts
Supports multiple free contexts (interfaces, routing, and addressing). Use for branch office to divide the department. All departments can use a single link, while still make sure the security of each department
Voice and Video Enabled VPN
V3PN allow transport voice, video and data over VPN
Virtual Tunnel Interface (VTI)
VTI make the pattern of VPN more easier
Provide data integrity over Internet
Beside configuration of VPN, Cisco 3800 series also have other benefits:
Cisco IOS Intrusion Prevention (IPS)
Inline intrusion prevention system (IPS)
This characteristic use to trim down the harm if the unauthorized intrusions access the network. This system can drop the traffic and sent the warning message or reset the connection, instantly to respond the possible threat for protected network.
Flexible Packet matching (FPM)
The system can recognize the potential harmful for network before the antivirus can update and identify this kind of virus
Cisco Network Foundation Protection (NFP)
Control Plane Policing
This feature use to prevent DoS attack by control the incoming rate of traffic, it make the network still available even under attack
Automatic configured the secure component "Just one click"
CPU or memory threshold
Increate the capability processing of router even under attack
Is the set of application that show the network traffic to end user so they can easily to observe. Depend on the information received; user can examine the status of network.
Role-based command-line interface (CLI) access
The feature permits user to connect to CLI commands, and give high secure. In addition, it separate logically router with others like end users, security operation groups and network operations groups
Secure Shell (SSH) Protocol Version 2
This characteristic provide more powerful, authentication and encryption with addition tunneling options via encrypted connection (include file copy and email protocol.
Simple Network Management Protocol Version 3 (SNMPv3)
The protocol is used to access to the device through the network. The accessing to device is secured by authentication and packet encryption
Cisco Network Admission Control (NAC): This feature will supply the list of devices that network consider it is "trust devices". Only devices belonging to this list can entrance to network so it prevent the extend of virus and worm inside system.
Cisco IOS Firewall: the firewall project JKL Toy Company's network infrastructure from viruses, Trojans, and hacker. It is certified by ICSA and is deployed broadly. The main purpose of the firewall is to control traffic in details from outside to inside and vice of versa. There are list of benefits when the Cisco Firewall is used.
Protect the network system.
Cost expenditure is low.
Easy to deployment in LAN, WLAN and WAN.
Addition security feature
AAA (Authentication, authorization, accounting): allow dynamic configuration of authentication and authorization follow requirement of network.
Standard 802.1x support on integrated switching: This feature only allow the valid access (authentication) to access information resource and prevent unsecure wireless access (make wireless access more difficult to access the resource).
Cisco IOS contend filtering: The router will rate the level of threat protect again malicious code, malware, fishing website, spyware. It also blocks URL and keyword to ensure that the employees are using Internet productivity.
Back-up and restore:
Our SDB cannot afford data loss so the reliable access to data is one of important key to take the advantage in business competitive. Loss data mean you loss the information, your business went wrong. Back up is the resolution for this problem, as the administrator we need to ensure that all the business information is always available whenever it is needed.
The backup process has revolved around manual application that copies the important file to copy to the other storage. This process is recreating again and again in the particular time. In SDB, backing up data occurred weekly and at the weekend when the traffic of network is low, and almost no data update. At that time, the backup processes are quickest and minimize the percentage of loss data.
The backup file will be stored in backup server DellTM Power EdgeTM R200 in head quarter and DellTM Power EdgeTM T100 in the branches, whenever something happen with network, backup file can be retrieved. To keep away from the unauthorized access to use the backup file, this file must be set the policy that allocate suitable person can access or use.