Layer 7 Application Layer
Layer 6 Presentation Layer
Layer 5 Session Layer
Layer 4 Transport Layer
Layer 3 Network Layer
Layer 2 Data Link Layer
Layer 1 Physical Layer

Traditional packet filters
Stateful packet filters
Proxy-based firewalls

Implemented on routers or firewalls
Packet forwarding criteria:
  Source IP address
  Destination IP address
  Source TCP/UDP port
  Destination TCP/UDP port
  TCP code bits, e.g. SYN, ACK
  Protocol, e.g. UDP, TCP
  Direction, e.g. inbound, outbound
  Network interface

Keeps track of each active connection in a state table
Monitors the SYN code bits
Content of the state table: source and destination IP addresses and port numbers, timeout
Basis of the packet forwarding decision:
  State table
  Rule set
ACK packets may be dropped if there is no associated SYN packet in the state table
May remember outgoing UDP packets so that incoming UDP packets are restricted to replies
More intelligent but slower than traditional packet filters

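The state-table logic described above (new flows recorded on an outbound SYN or UDP datagram, inbound ACKs dropped when no SYN was seen, inbound UDP restricted to replies, entries expiring on timeout), as an added example that is not part of the original slides. The Packet record, the addresses, and the policy that the rule set only governs outbound connections are assumptions made for illustration.

```python
from collections import namedtuple
# A packet is the 5-tuple plus direction ("out" from the protected side, "in"
# towards it) and the TCP code bits present, e.g. {"SYN"}; constructed for this example.
Packet = namedtuple("Packet", "proto src sport dst dport direction flags",
                    defaults=(frozenset(),))
class StatefulFilter:
    """State table: (proto, src, sport, dst, dport) -> expiry time."""
    def __init__(self, allowed_out_ports, timeout=60.0):
        self.allowed_out_ports = set(allowed_out_ports)  # the rule set (assumed: outbound only)
        self.timeout = timeout
        self.table = {}
    def decide(self, pkt, now):
        # purge entries whose timeout has passed, then look the flow up both ways
        self.table = {k: t for k, t in self.table.items() if t > now}
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if pkt.proto == "udp" or pkt.flags == frozenset({"SYN"}):
                if pkt.dport not in self.allowed_out_ports:
                    return "DROP"      # rule set forbids this service
                self.table[fwd] = now + self.timeout   # remember the new flow
                return "ACCEPT"
            if fwd in self.table:      # later segment of a tracked connection
                self.table[fwd] = now + self.timeout
                return "ACCEPT"
            return "DROP"              # e.g. outbound ACK with no SYN seen
        if pkt.flags == frozenset({"SYN"}):
            return "DROP"              # unsolicited inbound connection attempt
        if rev in self.table:          # reply to a flow the inside host started
            self.table[rev] = now + self.timeout
            return "ACCEPT"
        return "DROP"                  # inbound ACK/UDP with no matching state

def demo():
    # Constructed traffic: a web connection, a DNS query, and some stray packets.
    fw = StatefulFilter(allowed_out_ports={80, 443, 53}, timeout=60.0)
    c, s, dns, x = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.9"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        (0, Packet("tcp", c, 40000, s, 80, "out", syn)),
        (1, Packet("tcp", s, 80, c, 40000, "in", synack)),
        (2, Packet("tcp", c, 40000, s, 80, "out", ack)),
        (3, Packet("tcp", x, 80, c, 40000, "in", ack)),     # no associated SYN
        (4, Packet("udp", c, 50000, dns, 53, "out")),
        (5, Packet("udp", dns, 53, c, 50000, "in")),       # reply to remembered query
        (6, Packet("udp", x, 53, c, 50000, "in")),         # not a reply
        (7, Packet("tcp", c, 40001, s, 23, "out", syn)),   # telnet not in rule set
        (100, Packet("tcp", s, 80, c, 40000, "in", ack)),  # state entry timed out
    ]
    return [fw.decide(p, t) for t, p in traffic]
```

The returned list shows which packets a stateful filter admits and which it drops, including the late ACK that a traditional packet filter with a "permit established" rule would have let through.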
Client interacts with the proxy
Proxy interacts with the server on behalf of the client
Proxy can authenticate users via user ID/password
Web, telnet, FTP proxies
Can allow or deny application-level functions, e.g. FTP put/get
Caching capability in web proxies
Slower than packet-filter firewalls

Installed on personal computers
E.g. ZoneAlarm, BlackICE
Filter traffic going in and out of a machine
Usually cannot detect viruses or malicious programs

Application-Layer Security
Secure Sockets Layer (SSL)
Internet Protocol Security (IPsec)

Pretty Good Privacy (PGP), GNU Privacy Guard (GnuPG)
  Used to encrypt and digitally sign files for file transfer and email
Secure/Multipurpose Internet Mail Extensions (S/MIME)
  Used to secure email at the application level
  Supported by email clients such as MS Outlook and Netscape Messenger
Secure Shell (SSH)
  Provides remote access to a command prompt across a secure, encrypted session

Specification for providing security to TCP/IP applications at the socket layer
Allows an application to have authenticated, encrypted communications across a network
Uses digital certificates to authenticate systems and distribute encryption keys
Supports one-way authentication of the server to the client, and two-way (mutual) authentication
Used by web browsers and web servers running HTTPS
Layer 7 applications such as FTP and telnet can be modified to support SSL

Defined in RFCs 2401 to 2412
Runs at the IP layer, for both IPv4 and IPv6
Offers authentication of the data source, confidentiality, data integrity, and protection against replays
Consists of the Authentication Header (AH) and the Encapsulating Security Payload (ESP), which can be used together or separately
Client and server must run compatible versions of IPsec