CMPT 471 Networking II

Size: px
Start display at page:

Download "CMPT 471 Networking II"

Transcription

1 CMPT 471 Networking II Firewalls Janice Regan, Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access One component of keeping a computer secure can be a firewall This is not an all encompassing solution Not all problems come from outside, you must keep in mind that an comprehensive internal security policy is also part of the solution Janice Regan, Firewalls: why Provide a single protected access from your machine or network to the internet Create a single choke point Concentrate attention on protecting that choke point A network behind a firewall can spend less (not none) effort on host based security not all attacks or security problems come from outside Still need a second line of defense in many cases Janice Regan,

2 Firewalls: why not Firewalls don t protect against malicious insiders: May prevent sending data out through the internet but cannot protect against removing the data on physical media Firewall don t protect you from connections that bypass them: dial in or network access to internal machines can not be monitored unless they pass through the firewall Janice Regan, Firewalls: why not Protect against known threats new threats occur regularly and counters to them must be added just as regularly Viruses and malware can penetrate firewalls under some circumstances Firewalls often interfere with expected behaviors of internet applications, or slow down interaction with the internet Janice Regan, Firewalls Different Firewall architectures are appropriate for different types of applications A firewall is a combination of hardware software and policies Look at some architectures and examples Single machine with firewall (filtering) Screening router Dual homed host Screened host Screened network Janice Regan,

3 GIVEN TODAY S INTERNET ENVIRONMENT NO COMPUTER WITH INTERNET CONNECTIVITY SHOULD BE UNPROTECTED BY A FIREWALL TO Protect any private data or information Protect the machine so it is available for your use To prevent others from hijacking your machine for their own purposes Janice Regan, Security strategies Least privilege: any object (user, program, system, ) should have the least amount of privilege necessary to accomplish its own purpose Depth of Defense: Layer security mechanisms so that if one is compromised another still protects you This protects against not only attacks but possible failures of any single layer in your defense Janice Regan, Security strategies Choke point: Be sure that there is no way to circumvent the choke point Put protections at the choke point Weakest link: Be aware of the weak points of your defense, this is where attacks will most likely occur Failures Try to make the system fail in a way that denies the attacker access, not opens access. Janice Regan,

4 Firewall Default Strategies Default Deny Policy No traffic is passed through the firewall unless is it specifically allowed Any traffic or service not specifically permitted to pass the firewall will be permitted into the protected machine or network Default Permit Policy All traffic will be permitted to pass through the firewall unless it is specifically forbidden Janice Regan, Which Default Strategy? To maximize security use default deny OK if you do not need to provide internet services Limited flexibility To maximize flexibility use default permit More difficult to maintain Must specifically deny sources and protocols Janice Regan, Some types of low level attacks Half open port scan or SYN scan: send SYN (or packet with other combination of flags) to each port, watch for ACK or RST to determine if port is open. Do not reply and complete connection (send RST). Denial of service: exploit known weaknesses of stack to cause crashes IP spoofing: Make the packet look like it comes from somewhere else. Smurf: use forged source address (A) to make third party attack A Land: send a packet with source and destination addresses the same. May cause failure of receiving machine. Janice Regan,

5 A single computer Many computers (probably most) have a continuous internet connection For a user with a single computer connected to their continuous connection Simplest approach is a packet filtering firewall For Windows can use the built in firewall or many other proprietary products that provide more complete protection including virus and spy-ware protection For Linux can use iptables/netfilter to directly implement or other public domain or proprietary products Janice Regan, A home network It is becoming increasingly common for a household to have more than one computer. Probably the user of each computer wants it to be directly connected to the continuous Internet connection/s for the household This means that out of the box solutions that implement basic network protection are becoming common For a technically savvy user these solutions may also be easy but other simple options exist Remember that out of the box solutions need configuration to optimize their effectiveness Janice Regan, Screening Router This is a common, inexpensive, out of the box solution that can be made more robust You probably need the router to connect your local machines anyway. Be sure to configure, don t just use the defaults Router usually includes a mechanism for implementing packet filtering (default deny or default permit strategies are usually both supported) Janice Regan,

6 Screening Router This is a common, inexpensive, out of the box solution that can be made more robust Can implement the level of security appropriate for the network being protected you will likely also need host level security The router will run a proprietary or reduced version of the operating system, providing fewer points of attack Janice Regan, Using a screening router The network needs an adequate level of host protection If data on any of the machines is private, need host security to protect that data Only a limited number of simple protocols and services can be supported efficiently using a screening router Can permit or deny protocols by port number Harder to permit or deny parts of a protocol Difficult to be sure what is arriving on a port is really the expected protocol Router is a single point of failure Janice Regan, When to use a screening router When performance is important minimize added load on hosts by using router to filter maximize throughput by basing security on simple filtering When the protected network also has an adequate level of host security The number of protocols being allowed (default deny) or blocked (default accept) is small and those protocols are simple and amenable to filtering Most useful for networks providing services to the internet (like those of internet providers) and for internal firewalls Janice Regan,

7 Simple Firewall: Dual Homed Use a dual homed host to access the internet. Your network attaches to one or more interfaces, the internet to the another Disable forwarding: create a default deny policy All access to the Internet from internal hosts is by proxy application running on the dual homed host Each application you run/proxy on the dual homed host provides another point of attack and increases load Avoid user accounts on the dual homed host. This provides extra protection Monitor activity of each user Janice Regan, Dual Home INTERNET Dual-homed host (no-forwarding) Janice Regan, Dual homed s: user accounts Users should not be able to log into the dual homed host. prevents a hacker from breaking in through a user account Makes use of vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery ) Prevents inadvertent damage to the dual homed hosts security by users (poor password ) Easier to detect attacks if types of traffic are limited Janice Regan,

8 Dual Homed : Limitations (1) Need an additional machine to use as dual homed host (should not be a machine used directly by users) For a small network with modest traffic levels can even use an older less powerful machine (bonus is this is the only machine seen from outside, less attractive to hackers) As the network size, number of services proxied, or traffic load grows more power is needed. Janice Regan, Dual Homed : Limitations (2) Provides services by proxy Each service supported provides addition points of attack Not all services can be proxied Not all services that can be proxied will have appropriate proxies available Better at supporting outbound services (local users using services on the external network) than inbound services Janice Regan, Dual Homed : Limitations (3) More overhead than an equivalent packet filtering system, proxies are more compute intensive than simple filters Dual homed host is a single point of failure A hacker who crashed your dual homed host cuts you off from the internet A hacker who comprises your dual homed host has access to your local network Janice Regan,

9 When to use a dual homed host Internet traffic is limited Remember load is larger than comparable packet filter Network protected does not contain critical data Can be mitigated by host level protections, but there are better solutions Janice Regan, When to use a dual homed host No (very limited) services being provided to the internet Each service provided adds points of attack for those trying to break in Continuous connection to the internet is not essential, traffic to the internet is not critical to your business Attacks may cause single choke point to fail or crash Janice Regan, Variations Many consumer routers, support NAT (network address translation). Allowing one IP address to be shared between multiple machines. Local IP addresses are used for your network Using the gateway (router) to packet forward on behalf of the other computers on your intranet Good way to hide network from external eyes Can packet filter and provide some proxy services, often provides MAC address filtering Janice Regan,

10 Screened Architecture All communication between hosts on the local network and the internet (both directions) passes though proxies on a bastion host which communicates with the internet though a packet filtering router Less secure versions may allow some direct communication from network hosts to the internet (definitely not initiated from the internet to network hosts) host is the only host on the network to which hosts on the internet can make connections Janice Regan, Screened Architecture Packet filtering router protects internal hosts from direct internet attack (allowing only certain services/ protocols). This is the primary security for the network This prevents users from directly accessing the Internet host provides services and runs proxies connecting to the outside world, it should not be a trusted member of the local network Not appropriate for public web servers Janice Regan, Screened INTERNET Router Janice Regan,

11 Should run a minimum configuration to minimize points of attack Should have all services not needed by the site disabled Should not be trusted by hosts on the network Should not run booting services Must maintain a high level of host security on the bastion host Janice Regan, and user accounts Should not support user accounts May know about users (i.e. to allow access from outside the network to machines inside the network) Users should not be able to log into the bastion host. Administrators should be able to log into the bastion host with individual accounts, remote login is a high security risk Janice Regan, s and user accounts Users should not be able to log into the bastion host. prevents a hacker from breaking in through a user account Makes use of vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery ) Prevents inadvertent damage to the bastion hosts security by users (poor password ) Easier to detect attacks if types of traffic are limited Janice Regan,

12 Provides the services your site needs to access the internet Runs proxies for services your site provides to the internet all services or just services that cannot be adequately protected using filtering in the router alone (FTP, TELNET, DNS SMTP HTTP) Janice Regan, Screening router May allow hosts to open connections to selected servers on the internet May disallow services forcing them to be proxied by the bastion host (or hosts) Janice Regan, Use a Screened When Few connections to the network originate from outside the network When host security is relatively high If you allow non bastion hosts to connect to the internet you are compromising the design, since outside users have access to IP addresses of protected hosts Janice Regan,

13 Comparison Router easier to secure than multi-homed host (simpler OS fewer points of attack, fewer services running, than a multi-homed host) Multi-homed host provides no way for packets to go directly to hosts, screened host does (can be security hole) Multi-homed host more prone to failure (type of failure more difficult to predict) On balance router may be more secure and simpler to administer Janice Regan, Comparison You can get some extra protection by isolating your bastion host and your screen hosts so most local network traffic from your screened hosts is not visible to the bastion host (broadcast traffic will still be visible) This is part of what a screened subnet does (next topic of discussion) Can get this part of the protection by isolating your bastion host using an appropriately secured Ethernet switch or switching hub. Janice Regan, Screened Subnet Place the bastion host (hosts) on a separate subnet connected to the Internet with a router. This separate subnet is known as a perimeter network. That subnet in turn connects to your internal network through a second router (with packet filtering). Removes the difficulties caused by a single point of failure (as in multi-homed hosts, and to a lesser extent screened hosts) Now a hacker must break though two levels of packet filters and compromise a bastion host to reach your internal network Janice Regan,

14 Screened Subnet Router INTERNET Perimeter network Interior Router Janice Regan, Screened subnet No longer a single point of failure Adds an extra layer of security by adding a perimeter network to further isolate the hosts in the screened subnet from the internet Multiple failures are needed to reach the screened subnet If the router s firewall is breached the hacker can only reach the bastion hosts If the bastion host is compromised, sensitive internal information is still protected. The screened network still has the protection of the interior router Janice Regan, /s on separate net Locating the bastion hosts on a separate network from the protected hosts has many benefits Sees only packets to and from bastion hosts and to and from the internet Does not see traffic on the internal network Accesses to sensitive files Confidential local Remote logins, FTP or TELNET packets that could provide passwords Janice Regan,

15 /s on separate net s are primary point of contact for incoming connections for any supported protocols (local servers for SMTP, FTP, DNS ) Outbound services (from our network to severs on the internet) have access controlled by Filtering on exterior or interior router Proxy services on the bastion hosts If traffic is high and or multiple services are proxied on the bastion host, multiple bastion hosts may be used to distribute the load and partition risk Services may be divided between multiple bastions hosts. Services may be grouped by Importance, audience, security level, access level Janice Regan, Interior router Primary packet filtering system (choke router) May be more restrictive than the packet filters in the exterior router Want to assure sensitive information does not leave screened network May allow a smaller set of services to reach interior network than can reach the exterior network May target services from outside the screened networks to designated servers (e.g. a mail server on one on the internal hosts) Allows services to the internet to be isolated from the screened internal network (on the perimeter network) Protects your screened interior network from the Internet and the perimeter network Janice Regan, Exterior Router Exterior Router may be called the access router Sometimes the external router is provided by another group (like an ISP) Your access will be limited Filter rules will not be customized to your needs s on the perimeter net must be protected by strong host security Makes exterior filtering less critical If you do control the exterior router you may want to duplicate a subset of the rules on your interior router Janice Regan,

16 Exterior Router Should block incoming packets whose source addresses may be forged, particularly addresses that indicate packets are coming from inside the network (screened network or perimeter network) Should block outgoing packets that do not come from one of your networks IP addresses Prevents your users sending inappropriate packets More importantly: prevents any hijacker using one of your machines to send packets with inappropriate IP addresses Janice Regan, Variants Use multiple bastion hosts Distribute load, partition services, add redundancy Merge interior router and exterior router Need router that allows separate filter specifications on each interface. Disadvantage: creates a single point of failure if router is compromised Janice Regan, Multiple hosts INTERNET Router Perimeter network Interior Router Janice Regan,

17 Merged /Exterior routers INTERNET Interior /exterior Router Perimeter network Janice Regan, Variants Use multiple independent perimeter networks Provide redundancy and bandwidth Assure networks connect to different physical connections (different providers and different cables) Both interior routers must enforce the same policies Also used to separate incoming and outgoing services Janice Regan, Multiple perimeter networks Exterior Router Perimeter network INTERNET Exterior Router Perimeter network Interior Router Interior Router Janice Regan,

18 Variants Use multiple exterior routers (one exterior router with multiple interfaces) Multiple internet connections (i.e. multiple providers, for redundancy or bandwidth) Internet connection plus direct connections to other sites (though internal firewall) Minor security compromise because of two attack points into perimeter network Janice Regan, Multiple Exterior routers Router INTERNET Router Interior Router Perimeter network Janice Regan, Variants Merge bastion host and exterior router Use a single dual-homed host for both Limits performance, less efficient for routing than router Depending on operating system may not have flexible filtering available Need better protections on the dual homed host Appropriate only for serving a very small number of low bandwidth services Janice Regan,

19 Merge host/exterior router INTERNET host And exterior Router Perimeter network Interior Router Janice Regan, Dangerous Variants Do not merge bastion host and interior router Do not use multiple interior routers Do not use both screened subnets and screened hosts Janice Regan,

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and

More information

Internet infrastructure. Prof. dr. ir. André Mariën

Internet infrastructure. Prof. dr. ir. André Mariën Internet infrastructure Prof. dr. ir. André Mariën (c) A. Mariën 31/01/2006 Topic Firewalls (c) A. Mariën 31/01/2006 Firewalls Only a short introduction See for instance: Building Internet Firewalls, second

More information

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski pxk@cs.rutgers.edu

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski pxk@cs.rutgers.edu Distributed Systems Firewalls: Defending the Network Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

Firewalls and System Protection

Firewalls and System Protection Firewalls and System Protection Firewalls Distributed Systems Paul Krzyzanowski 1 Firewalls: Defending the network inetd Most UNIX systems ran a large number of tcp services as dæmons e.g., rlogin, rsh,

More information

allow all such packets? While outgoing communications request information from a

allow all such packets? While outgoing communications request information from a FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations

More information

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006 CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on

More information

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8. Network Security. Version 2 CSE IIT, Kharagpur Module 8 Network Security Lesson 3 Firewalls Specific Instructional Objectives On completion of this lesson, the students will be able to answer: What a firewall is? What are the design goals of Firewalls

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

Cryptography and network security

Cryptography and network security Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,

More information

Proxy Server, Network Address Translator, Firewall

Proxy Server, Network Address Translator, Firewall For Summer Training on Computer Networking visit Proxy Server, Network Address Translator, Firewall Prepared by : Swapan Purkait Director Nettech Private Limited swapan@nettech.in + 91 93315 90003 Proxy

More information

CS155 - Firewalls. Simon Cooper CS155 Firewalls 22 May 2003

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003 CS155 - Firewalls Simon Cooper CS155 Firewalls 22 May 2003 1 Why Firewalls? Need for the exchange of information; education, business, recreation, social and political Need to do something

More information

Maruleng Local Municipality

Maruleng Local Municipality Maruleng Local Municipality. 22 November 2011 1 Version Control Version Date Author(s) Details 1.1 23/03/2012 Masilo Modiba New Policy 2 Contents ICT Firewall Policy 1 Version Control.2 1. Introduction.....4

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed

More information

Firewall Security. Presented by: Daminda Perera

Firewall Security. Presented by: Daminda Perera Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network

More information

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer Network Security Chapter 13 Internet Firewalls Network Security (WS 2002): 13 Internet Firewalls 1 Introduction to Network Firewalls (1)! In building construction, a firewall is designed to keep a fire

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Protecting and controlling Virtual LANs by Linux router-firewall

Protecting and controlling Virtual LANs by Linux router-firewall Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Content Distribution Networks (CDNs)

Content Distribution Networks (CDNs) 229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

CSCI 7000-001 Firewalls and Packet Filtering

CSCI 7000-001 Firewalls and Packet Filtering CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

Intro to Firewalls. Summary

Intro to Firewalls. Summary Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

CIT 480: Securing Computer Systems. Firewalls

CIT 480: Securing Computer Systems. Firewalls CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

FIREWALL ARCHITECTURES

FIREWALL ARCHITECTURES FIREWALL ARCHITECTURES The configuration that works best for a particular organization depends on three factors: The objectives of the network, the organization s ability to develop and implement the architectures,

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

In today s world the Internet has become a valuable resource for many people.

In today s world the Internet has become a valuable resource for many people. In today s world the Internet has become a valuable resource for many people. However with the benefits of being connected to the Internet there are certain risks that a user must take. In many cases people

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Chapter 20. Firewalls

Chapter 20. Firewalls Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems

More information

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router 1. Installation and configuration guidelines for the router replacement This guideline served as a reference for schools which plan to replace the existing WebSAMS router by the recommended router, and

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Network Security: From Firewalls to Internet Critters Some Issues for Discussion

Network Security: From Firewalls to Internet Critters Some Issues for Discussion Network Security: From Firewalls to Internet Critters Some Issues for Discussion Slide 1 Presentation Contents!Firewalls!Viruses!Worms and Trojan Horses!Securing Information Servers Slide 2 Section 1:

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

University Convocation. IT 4823 Information Security Administration. Firewalls and Intrusion Prevention Systems. Firewall Capabilities and Limits DMZ

University Convocation. IT 4823 Information Security Administration. Firewalls and Intrusion Prevention Systems. Firewall Capabilities and Limits DMZ IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Firewall: Getting started

Firewall: Getting started Firewall: Getting started Version 4 SC41-5424-02 Firewall: Getting started Version 4 SC41-5424-02 ii Firewall: Getting started Contents Part 1. Firewall: Getting started... 1 Chapter 1. Print this topic.......

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

A1.1.1.11.1.1.2 1.1.1.3S B

A1.1.1.11.1.1.2 1.1.1.3S B CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

ABSTRACT CHAPTER I. Preliminary. 1.1. Background

ABSTRACT CHAPTER I. Preliminary. 1.1. Background FIREWALL OPTIMIZATION ON BROAD SCALE NETWORK Nama Penulis : Jurnalis : Bobi Paisal Baraba Dosen Bahasa Indonesia : Bambang Dahrmaputra Pendidikan Teknik Informatika dan Komputer Fakultas Teknik Universitas

More information

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer Network Security Chapter 13 Internet Firewalls Network Security (WS 07/08): 13 Internet Firewalls 1 Introduction to Network Firewalls (1) In building construction, a firewall is designed to keep a fire

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Net Integrator Firewall

Net Integrator Firewall Net Integration Technologies, Inc. http://www.net itech.com Net Integrator Firewall Technical Overview Version 1.00 TABLE OF CONTENTS 1 Introduction...1 2 Firewall Architecture...2 2.1 The Life of a Packet...2

More information

Packet filtering and other firewall functions

Packet filtering and other firewall functions Packet filtering and other firewall functions Martin Krammer mk@sbox.tugraz.at Martin Krammer Graz, May 25, 2007 1 Overview Firewalls Principles Architectures Security aspects Packet filtering Principles

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

Chapter 11 Cloud Application Development

Chapter 11 Cloud Application Development Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010 Cryptography and Network Security Chapter 22 Fifth Edition by William Stallings Chapter 20 Firewalls The function of a strong position is to make the forces holding it practically unassailable On O War,

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

CIT 480: Securing Computer Systems. Firewalls

CIT 480: Securing Computer Systems. Firewalls CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Firewalls. Network Security. Firewalls Defined. Firewalls

Firewalls. Network Security. Firewalls Defined. Firewalls Network Security Firewalls Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

Classification of Firewalls and Proxies

Classification of Firewalls and Proxies Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda (gouda@cs.utexas.edu) Department of Computer Sciences The University of Texas at Austin Computer Science Research

More information