Network Security and Firewalls: A Summary

B.Sc. Degree in IT Management, Institute of Technology, Carlow
(Prepared by Paul Barry)

Network Security and Firewalls

As the Internet becomes all-pervasive, the activities occurring on it are increasingly critical to the health of the organizations that connect their own networks to it. Gone are the days of connecting a network to the Internet, establishing connectivity and then moving on to other things. The Internet is not the safe, friendly, academic world it used to be. In addition to enabling improved business-to-business and business-to-customer communications (among other things), connecting to the Internet exposes a network to an increasingly sophisticated community of computer crackers (1), viruses, electronic eavesdroppers and sundry other attacks. Once attached to the Internet, in addition to taking advantage of its many benefits, the connected organization needs to protect itself from electronic attack. Network security has, as a consequence, become an important discipline within the Internet-connected world, and within computing in general. In this essay, a survey of the network security techniques available to today's network manager is presented, with an emphasis toward the latter part of the essay on firewall technologies.

1.1 A Taxonomy of Security Attacks

There are four main categories of network security attack:

Interruption - an attack on the availability of a network asset.
Interception - an attack on the confidentiality of network data.
Modification - an attack on the integrity of network resources.
Fabrication - an attack on the authenticity of a network user, or of data claiming to come from that user.

(1) The less skilled of these, who run attack tools written by others, are known as script-kiddies.

Network attacks can further be categorized as either passive or active. Passive attacks occur within a setting that makes it impossible (or impractical) to identify the occurrence of the attack. Traffic analysis is an example of a passive attack: a copy of transmitted data is taken and analyzed in an attempt to determine some useful information (even when the contents are encrypted, the size, timing and endpoints of the messages can be revealing). Active attacks are more blatant, in that they result in changes to the transmitted data or to the state of the systems involved, making them easier to identify (usually after the fact, when it is far too late). Examples of this type of attack include masquerading, replay, modification and denial-of-service.

1.2 Dealing With Attacks: Security Services

When it comes to protecting a network against attacks, a classification of security services has been defined:

Confidentiality - protecting transmitted data against passive attacks and traffic analysis. Typically, cryptographic technologies are employed.
Authentication - ensuring that the communication is indeed authentic. This service assures a recipient that any received data is from the source that it claims to be from (and vice versa).
Integrity - ensuring that messages are received in exactly the same form that they were sent, i.e. without any unauthorized changes.
Non-repudiation - providing a means by which neither the sender nor the receiver can deny a transmitted message.
Access Control - limiting and controlling an authenticated user's access to network resources. Typically, access control is tailored to an individual's access rights.
Availability - implementing countermeasures to guard against the loss or reduction of a network service.

1.3 Network Security Models

Two broad models have been defined for discussing network security. In the first, there is one insecure communications channel and four participants. The participants are:

Sender - one of the two principals in the transaction; this participant wishes to use the insecure channel to send data securely to the other principal.
Receiver - the other principal in the transaction; this participant will receive data over the insecure channel from the other principal.
Trusted Third Party - depending on the security services chosen and how they are implemented, a trusted third party may be required to enable secure communications between the two principals (for example, to distribute secret keys or to vouch for the ownership of public keys).
Opponent - the bad guy (or girl), intent on capturing and interpreting the data being transmitted between the principals and, if this is not possible, perhaps on disrupting the insecure channel instead (resulting in a denial-of-service attack).

The other model relates to network access. In this model, there is a collection of (hopefully) protected information systems. A mechanism is implemented to protect these systems from unwanted access from an insecure network. This mechanism is essentially a gatekeeper function and is typically manifested in some type of firewall system. The single participant in this model is the Opponent, who is intent on achieving unauthorized access to the information systems on some protected internal network. On the Internet, the Opponent is typically a human; however, a growing collection of automated software tools (and, in some cases, computer viruses) would also be classed as a participant in this model.

1.4 The Role of Cryptography

In order to provide the security services identified above, security managers and implementors rely heavily on the science of cryptography. The ability to securely encrypt data prior to transmission and then decrypt it upon receipt is a key technique within the network security world. This section briefly describes these important techniques.

Conventional (Symmetric) Encryption

Conventional encryption technologies are thousands of years old, and they all operate in a common way. A shared secret key is used to encrypt the data to be transmitted using a published algorithm. The data is then transmitted over the insecure channel by the Sender, and the Receiver decrypts the data using the same shared secret key and the corresponding published decryption algorithm. Typically, conventional encryption technologies are strong at ensuring confidentiality within an insecure network. The strength of any particular conventional encryption technology, assuming the algorithm itself is sound, is directly related to the size of the shared secret key: every extra bit doubles the number of keys an attacker must try, so with a sufficiently large key it becomes computationally infeasible to break the encryption by brute-force techniques. A small key size, say 56 bits, is easily breakable by brute force. For example, DES (the Data Encryption Standard), which uses 56-bit keys, was publicly broken by brute force in 1998 by the Electronic Frontier Foundation, using a purpose-built key-search machine. A key of 128 bits or greater, on the other hand, is all but impossible to break by brute force with any foreseeable computing resources, which explains why most modern conventional encryption technologies use a key size of 128 bits or more. Triple DES (also written Triple-DEA, the successor to DES) uses three 56-bit keys, 168 bits in total, although a meet-in-the-middle attack reduces its effective strength to roughly 112 bits. Of course, if the algorithm is compromised, it does not matter how large the key size is. And it is a case of pack up and go home if the shared secret key becomes public. The practice of secure shared-secret-key distribution is therefore an important aspect of conventional encryption technology.

Public-key Cryptography

Like conventional encryption technologies, public-key cryptography uses published encryption and decryption algorithms. Unlike conventional encryption technologies, public-key cryptography has two keys: one private (which is kept secret) and one public (which is widely published; in fact, essentially given away). Data can be encrypted with either the public key or the private key, and can then be decrypted only with the other key of the pair. Typically, public-key cryptography is strong at providing authentication services (something that decrypts correctly with a party's public key can only have been produced by the holder of the matching private key), and it also eases the key-distribution problem of conventional encryption, since a shared secret key can be sent encrypted under the recipient's public key.

Key size again plays an important role in public-key cryptography: the longer the key, the stronger the encryption. Note, though, that public-key and conventional key sizes are not directly comparable; a public key must be much longer than a symmetric key to offer equivalent strength, because an attacker can exploit the mathematical structure of the key rather than having to search the whole key space. With the public key being so widely distributed, a trusted third party is often employed to verify that the public key does in fact belong to the Sender or Receiver claiming to own it. Public-key cryptography is also applied to the production of digital signatures.

1.5 Security Applications

In response to the growing threat of Internet attack, a number of security applications and tools have been developed. Two common classifications can be identified: infrastructural and application-specific.

Infrastructural Security Tools

This type of tool provides protection to an entire network, from an infrastructural point of view. Two network-based (application-layer) authentication technologies are popular: the Kerberos system and the X.509 standard for public-key certificates. At the network layer, the IPsec enhancement to IPv4 provides authentication and encryption services to all IP-bound network traffic, regardless of the application that generated it. When it comes to managing a diverse, heterogeneous network, version 3 of the Simple Network Management Protocol (SNMPv3) has been built to operate securely, adding the message authentication and encryption that earlier versions lacked.

Application-Specific Security Tools

This type of tool provides protection to one specific application domain. On the Internet, tools to assist in the protection of electronic mail messages and web-based transactions have recently come to prominence. Electronic mail security technologies include Pretty Good Privacy (PGP) and the security extensions to MIME, called S/MIME. Web-based transactions can be protected by Secure Sockets Layer (SSL) technologies (built into most modern web browsers and web servers), whereas credit-card transactions (and all of the participants in the transaction) can be protected by conformance to the Secure Electronic Transaction (SET) standard.

1.6 Firewalls

Taking their name from the construction industry, a network firewall is a network device positioned between a network to be protected and the Internet. In effect, a firewall is a manifestation of an organization's security policies as they relate to inbound network traffic arriving from the Internet and outbound network traffic going to the Internet from a protected internal network.

Firewall Design Goals

Modern firewall technology has a number of design goals, as follows:

Checking All Traffic - all network traffic to and from the Internet must pass through the firewall so that it can be checked against the organization's security policies. This checking is referred to as filtering.
Forwarding Authorized Traffic Only - only network traffic that satisfies the organization's security policies may pass. All other network traffic is logged, then discarded, as it is treated as suspect. Better to be safe than sorry.
Avoiding Being Compromised - the firewall itself needs to be built in such a way that it is itself immune to penetration. Under no circumstances should a faulty firewall allow any network traffic to bypass the security policies (2).

When it comes to using a firewall to control access, four types of control (or filters) can be identified:

Service - based on the protocol port number associated with a particular Internet service, application-layer network traffic is either blocked or allowed to pass. Additionally, traffic can be filtered by IP address (or IP address range), both for inbound and for outbound network traffic.
Direction - network traffic can be filtered on inbound connections, on outbound connections, or on both.
User - based on the identity of a user, network traffic can flow through the firewall provided the user is authorized to generate network traffic of an approved type. Generally, this control filter is applied to users on the protected network side of the firewall.
Behaviour - filters are applied to control how a particular service is used. For example, web pages may be scanned for Java applets (and the applets discarded), incoming e-mail may be scanned for known viruses, and outgoing e-mails may be scanned for inappropriate use of language.

(2) Although this seems like an unlikely occurrence, the website recently highlighted security problems with firewalls based upon the Gauntlet technology, which forms the basis of many commercial firewall products. For more details see:

In providing these filter and control services, a firewall can be thought of as a single choke point on a network, through which all inbound and outbound network traffic passes. As such, it is the ideal location at which to implement a site-wide auditing and logging facility.

Firewall Types

As firewall technology has developed, a number of distinct types of implementation have come to prominence. Each type will now be discussed.

The Packet-Filtering Router/Firewall

Adding packet-filtering rules to an appropriately sophisticated router is one of the most effective means of implementing a network firewall (and most modern routers support the setting of such rules). In essence, the router is configured to inspect every packet of inbound and outbound network traffic. The packet is checked against each of the rules in turn, looking for a match. If a match is found, the action associated with the matching rule decides what happens to the packet: either discard it or forward it. If no rule matches, the default policy configured on the router is applied, with a default policy of discard being the most conservative and safest option.

When processing IP datagrams, UDP datagrams or TCP segments, the packet-filtering router is primarily interested in the header fields of the datagram or segment: the source and destination IP addresses, the transport protocol, and the source and destination port numbers. The actual data (or application protocol data) is of lesser interest to the packet-filtering router. (As is the case with most routers: they typically do not concern themselves with application-layer data, as they are designed to route Internet datagrams as quickly as possible, without delay.)

A few example rules should help clarify how packet-filtering routers are typically configured. A rule may look like this:

block;payroll;*;

which blocks (discards) network traffic from the internal system called payroll using any protocol port number (the * wild-card) to the Internet server using any protocol port number (the * wild-card, again) (3). Here is another example rule:

allow;mailsys;25;*;*;

which allows (forwards) network traffic to the internal system called mailsys using protocol port number 25 (the well-known port number for SMTP, the Simple Mail Transfer Protocol, which is used by all Internet-based mail systems). Network traffic is allowed from any Internet server (the * wild-card) using any protocol port number (the * wild-card, again). A final example is:

block;*;*;*;>1023;

which blocks (discards) all network traffic from any internal system (the * wild-card) using any protocol port number (the * wild-card, again) to any system (the * wild-card, yet again) using a protocol port number greater than 1023 (that is, a port number outside the range of the well-known port assignments).

Packet-filtering routers have a number of advantages:

Simplicity - it is relatively straightforward to configure packet filtering on modern routers (and the recent move toward web-based router configuration tools makes this even easier).
Transparency - as the firewall mechanism is centralized in the router (at the edge of the organization's network), users are generally unaware of its existence. That is, it is transparent to them, and this is a good thing.
Good Performance - routers are designed and optimized to process packets as quickly as possible and, as long as the packet-filtering rule set is kept to a relatively small size, implementing packet filtering does not add significantly to the router's processing overhead.

(3) Remember that each end of an Internet connection (when using TCP) has its own individual protocol port number, which explains the double use of the * wild-card in this and subsequent examples.
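The rule notation above (action;our-host;our-port;their-host;their-port;) is easy to get wrong in practice, because the first rule that matches a packet decides its fate. The following simulator is an added example written for this summary; it is not code from the essay or from any router product. It parses rules in the essay's notation, applies them first-match with a configurable default policy, and then shows that the essay's three rules behave differently depending on their order. The first rule's missing external-host field is taken to be the * wild-card, and the host names and port numbers in the sample packets are constructed for the demonstration.

```python
"""Added example: first-match packet-filter rules in the essay's notation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    our_host: str      # endpoint on the protected network (assumed: names, not addresses)
    our_port: int
    their_host: str    # endpoint on the Internet side
    their_port: int


def _port_matches(spec, port):
    """A port field is '*' (any), '>N', '<N' or an exact port number."""
    if spec == "*":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    if spec.startswith("<"):
        return port < int(spec[1:])
    return port == int(spec)


def _host_matches(spec, host):
    return spec == "*" or spec == host


def parse_rule(text):
    """'allow;mailsys;25;*;*;' -> ('allow', 'mailsys', '25', '*', '*')."""
    fields = [f.strip() for f in text.strip().rstrip(";").split(";")]
    if len(fields) != 5 or fields[0] not in ("allow", "block"):
        raise ValueError(f"malformed rule: {text!r}")
    return tuple(fields)


def decide(rules, packet, default="block"):
    """Walk the rule set in order; the first match wins, else the default policy."""
    for action, our_host, our_port, their_host, their_port in rules:
        if (_host_matches(our_host, packet.our_host)
                and _port_matches(our_port, packet.our_port)
                and _host_matches(their_host, packet.their_host)
                and _port_matches(their_port, packet.their_port)):
            return action
    return default


# The essay's three rules (external host of the first rule assumed to be '*').
RULES = [parse_rule(r) for r in (
    "block;payroll;*;*;*;",
    "allow;mailsys;25;*;*;",
    "block;*;*;*;>1023;",
)]

# Same rules with the '>1023' block moved to the top.
REORDERED = [RULES[2], RULES[0], RULES[1]]

# A real remote mail server connects from an ephemeral source port (>1023)
# to our port 25, so the order of the last two rules decides whether mail arrives.
INBOUND_SMTP = Packet("mailsys", 25, "mx.example.net", 40000)  # constructed sample


def demo():
    """Decisions for a few constructed packets under both orderings."""
    samples = {
        "smtp, essay order": decide(RULES, INBOUND_SMTP),
        "smtp, block-first": decide(REORDERED, INBOUND_SMTP),
        "payroll to web": decide(RULES, Packet("payroll", 443, "www.example.net", 443)),
        "unlisted, default block": decide(RULES, Packet("intranet", 80, "pc.example.net", 80)),
        "unlisted, default allow": decide(RULES, Packet("intranet", 80, "pc.example.net", 80), default="allow"),
    }
    return samples


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

With the rules in the essay's order, inbound SMTP to mailsys is allowed; with the ">1023" block moved first, the very same packet is discarded, because the remote mail server's ephemeral port matches that rule before the mailsys rule is ever consulted. This is the "incorrectly specified rules" problem in miniature, and the reason a default policy of discard matters: anything the rule set forgets is blocked rather than let through.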

Packet-filtering routers also have some disadvantages:

Incorrectly Specified Rules - getting the rule set right can be difficult, and sometimes strange combinations of seemingly correct rules can be easily compromised (since the first matching rule wins, the order of the rules matters as much as their content).
Lack of Authentication - network traffic either passes through the packet-filtering router or it does not. There is no real notion of the network traffic (or the user behind it) being authenticated; the router simply trusts the addresses and port numbers it finds in the headers.

Despite these disadvantages, deploying a packet-filtering router as a firewall is very popular, due mainly to the importance placed on the advantages.

Packet-filtering routers are also open to a number of attacks.

The IP Spoofing attack attempts to send network traffic from the Internet through the firewall by tinkering with the source IP address of the IP datagram. By changing the source IP address to an IP address on the protected side of the firewall (that is, an IP address of an internal network device), a packet-filtering router that has been configured to allow all traffic with a source IP address on the protected network to pass through the firewall may allow the spoofed network traffic onto the protected network. This can be easily dealt with by arranging that the packet-filtering router only allows network traffic through if an IP datagram claiming to be from the protected internal network is in fact arriving on the protected internal network's router interface; a datagram with an internal source address arriving on the Internet-facing interface is discarded.

The Source Route attack exploits a mechanism built into IPv4 (the loose and strict source routing options) which allows a network device to explicitly direct an IP datagram to follow a specified route into or out of the protected internal network. This can sometimes result in the packet-filtering router allowing such traffic through. The solution to this attack is to disallow the use of this option in any IP datagram, whether the network traffic is inbound or outbound.

The Small Fragment attack creates IP datagrams that are two things: fragmented and very small. So small, in fact, that the TCP header information will not fit into a single IP datagram but is instead split across a collection of IP datagram fragments, so the port numbers and flags that the filter needs to examine are absent from the first fragment. If the packet-filtering router is not configured to watch for datagrams like this, some traffic may pass through the packet-filtering router that ought not to. The solution is to inspect all IP datagrams and discard any that indicate that fragmentation has occurred and that also indicate that TCP header information is in the IP datagram fragment (that is, a first fragment of a TCP segment that is too small to hold the complete TCP header). A further precaution is to automatically treat as suspicious any IP datagram that is very small and part of a larger, fragmented original.

The Application-Level Gateway/Firewall

Unlike firewalls based on packet-filtering technology, which operate at the network and transport layers, the application-level gateway acts as a proxy on behalf of users on the protected internal network, and on behalf of unknown users on the Internet. In effect, the application-level gateway pretends to be the internal network user when communicating with the insecure Internet, for both inbound and outbound network traffic. For example, if an HTTP application-level gateway is installed on the protected internal network, a user on the network who starts a web browser and then requests a connection to a website on the Internet would have the request relayed to the application-level gateway (the proxy). If the application-level gateway has been configured to allow such a request to succeed, it (that is, the proxy) contacts the website in question and requests the resource requested by the user's web browser on behalf of the user. Once received, the resource is then transferred to the user's web browser. In addition to providing a mechanism whereby the request can be checked prior to its being fulfilled, the application-level gateway can log and audit the entire communication. This is seen as a prime advantage of this approach. It is also generally regarded as easier to configure an application-level gateway than it is to configure a packet-filtering router, as anything not covered by the application-layer rule set configured on the application-level gateway is discarded, and only those application protocols for which a proxy has been installed can pass at all. By operating at a higher, more abstract level, the configuration is regarded by many as easier and less prone to error. The prime disadvantage is the additional processing overhead introduced to all the communications that pass through the application-level gateway, together with the need for a separate proxy for each application protocol that is to be supported.
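The three attacks on packet-filtering routers described above (IP spoofing, source routing and small fragments) are all defeated by checks on the IP header that run before the rule set is consulted. The code below is an added example written for this summary, not the essay's own or any router's firmware. It models an arriving IPv4 datagram with just the fields those checks need, and returns a verdict and reason for each. The interface names, the protected address range, the "very small fragment" threshold and the mirror-image egress check (dropping non-internal source addresses arriving on the internal interface, which the essay does not mention) are all assumptions made for the demonstration; the option type codes and the offset-1 rule come from RFC 791 and RFC 1858.

```python
"""Added example: pre-filter header checks for a packet-filtering router."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed protected network
INTERNAL_IF, EXTERNAL_IF = "eth1", "eth0"           # assumed interface names

IPOPT_LSRR = 131       # loose source and record route (RFC 791)
IPOPT_SSRR = 137       # strict source and record route (RFC 791)
PROTO_TCP = 6
TCP_MIN_HEADER = 20    # a first fragment shorter than this cannot carry ports and flags
TINY_FRAGMENT = 16     # assumed threshold for "suspiciously small" later fragments


@dataclass(frozen=True)
class Datagram:
    in_iface: str
    src: str
    dst: str
    proto: int = PROTO_TCP
    frag_offset: int = 0         # in 8-byte units, as in the IP header
    more_fragments: bool = False
    payload_len: int = 40        # bytes of transport-layer data in this fragment
    options: tuple = ()          # IPv4 option type codes present in the header


def check_datagram(d):
    """Return (verdict, reason); verdict is 'drop', 'suspect' or 'accept'.

    'suspect' means: log it and hand it to the rule set anyway.
    """
    internal_src = ipaddress.ip_address(d.src) in INTERNAL_NET

    # 1. Anti-spoofing: an internal source address is only believable when the
    #    datagram arrives on the internal interface, and vice versa.
    if internal_src and d.in_iface != INTERNAL_IF:
        return "drop", "internal source address arriving on external interface"
    if not internal_src and d.in_iface == INTERNAL_IF:
        return "drop", "non-internal source address leaving internal interface"

    # 2. Source routing: refuse the options in both directions.
    if IPOPT_LSRR in d.options or IPOPT_SSRR in d.options:
        return "drop", "IP source-route option present"

    # 3. Small fragments (RFC 1858): a first TCP fragment too small to hold the
    #    whole TCP header, or a fragment at offset 1 that could overwrite it.
    fragmented = d.more_fragments or d.frag_offset > 0
    if fragmented and d.proto == PROTO_TCP:
        if d.frag_offset == 0 and d.payload_len < TCP_MIN_HEADER:
            return "drop", "first fragment cannot hold full TCP header"
        if d.frag_offset == 1:
            return "drop", "fragment offset 1 may overlap TCP header"

    # 4. The essay's further precaution: very small later fragments are suspicious.
    if fragmented and d.frag_offset > 0 and d.payload_len < TINY_FRAGMENT:
        return "suspect", "very small non-initial fragment"

    return "accept", "header checks passed"


# Constructed sample traffic for the demonstration.
SAMPLES = {
    "spoofed internal src": Datagram("eth0", "10.1.2.3", "10.0.0.5"),
    "legit outbound": Datagram("eth1", "10.1.2.3", "198.51.100.7"),
    "source routed": Datagram("eth0", "198.51.100.7", "10.0.0.5", options=(IPOPT_LSRR,)),
    "tiny first fragment": Datagram("eth0", "198.51.100.7", "10.0.0.5",
                                    more_fragments=True, payload_len=8),
    "offset-1 fragment": Datagram("eth0", "198.51.100.7", "10.0.0.5",
                                  frag_offset=1, payload_len=32),
    "small later fragment": Datagram("eth0", "198.51.100.7", "10.0.0.5",
                                     frag_offset=10, payload_len=8),
    "ordinary inbound": Datagram("eth0", "198.51.100.7", "10.0.0.5"),
}


def run_samples():
    return {name: check_datagram(d) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:22s} {verdict:8s} {reason}")
```

Note that the fragment checks look only at the first fragment and at offset 1; a router that wants to filter on TCP ports in later fragments has to reassemble, which is why most packet filters simply refuse the cases above and let the rule set judge the first fragment alone.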
The Circuit-Level Gateway/Firewall

The circuit-level gateway does not allow an end-to-end TCP connection between two endpoints (one internal and the other external) to come into existence. Instead, the circuit-level gateway establishes two TCP connections: one between the circuit-level gateway and a user on the internal protected network, and another between the circuit-level gateway and an external network device on the Internet. These connections are only established if they are determined to be allowed; once they are established, all network traffic is relayed from one connection to the other without further inspection of the application data. What constitutes an allowed connection is determined by the local network manager and his/her level of trust in the users of the internal protected network.

The Role of the Bastion Host

The term bastion host refers to a networked system that plays a central role in the implementation of a firewall on a protected internal network. In effect, the bastion host runs the application-level gateway or the circuit-level gateway. The bastion host has a number of characteristics. It typically runs a hardened, secure operating system (often referred to as a trusted system). Only those services that are required are installed as proxies on the bastion host, and they are usually configured to allow a restricted subset of functionality, in addition to running within chrooted sandboxes. Each proxy is designed to operate in isolation: if a proxy is compromised or goes off-line, the other proxies installed on the bastion host will not be affected.

1.7 Selected Firewall Configurations

Of course, it is far from the case that only one of the types of firewall system discussed in the last section is deployed in an attempt to secure a protected internal network. Typically, sites implement a combination of firewall mechanisms. Three popular configurations are described in the subsections which follow.

Bastion/Packet-Filtering Combo

In this setup, a single packet-filtering router connects the organization's protected internal network to the Internet. On the internal side of the packet-filtering router, a single bastion host is deployed. The packet-filtering router is configured to accept (that is, forward) inbound network traffic that contains an IP destination address of the bastion host, as well as to accept outbound network traffic with a source IP address of the bastion host. All other network traffic is blocked (that is, discarded). Note that, with this configuration, both network-level and application-level filtering is occurring (as the bastion host is acting as the sole proxy to services on the Internet and services on the protected internal network). This is seen as this configuration's greatest advantage, coupled with the fact that an intruder needs to compromise two firewall systems in order to attack the protected internal network. Note that the bastion host is connected to the protected internal network with a single connection (that is, the bastion host is single-homed). This can, under extreme circumstances, cause security problems. Specifically, if the packet-filtering router is compromised, network traffic will no longer be forced to travel through the bastion host, but could instead travel to any network-attached device which shares the bastion host's LAN segment.

Dual-Homed Bastion/Packet-Filtering Combo

This firewall configuration is essentially the same as the previous configuration, but for the fact that the bastion host now has two separate network connections (that is, the bastion host is dual-homed). On a standard PC, this configuration can easily be implemented by installing two network interface cards (NICs) in the bastion host. One network interface connects to a small LAN segment that contains the packet-filtering router that connects to the Internet. The other network interface connects to the protected internal network. As before, the packet-filtering router is configured to accept inbound network traffic that contains an IP destination address of the bastion host, as well as to accept outbound network traffic with a source IP address of the bastion host. All other network traffic is blocked (that is, discarded). If, with this configuration, the packet-filtering router is compromised, the only physical path the network traffic can take is still through the bastion host, where it would (presumably) be filtered, determined to be suspect, and subsequently discarded (as well as logged and audited). For this to hold, the bastion host must not forward IP datagrams between its two interfaces; it must relay only what its proxies accept.

Dual Bastion/Dual Packet-Filtering Combo

The most paranoid of all firewall configurations involves adding a second packet-filtering router to the previous setup. The second packet-filtering router is installed between the bastion host and the protected internal network, and is configured to accept only outbound and inbound network traffic exchanged between the bastion host and the protected internal network. There are now three levels of protection: a packet-filtering router connected to the Internet, a packet-filtering router connected to the protected internal network, and the dual-homed bastion host on its own LAN segment in the middle (4). Critically, the protected internal network is effectively invisible to the Internet, and the Internet is effectively invisible to the protected internal network: internal addresses never appear in datagrams on the outer segment, because every exchange is terminated and re-originated by the bastion host. The key point is this: if an internal network cannot be seen from the Internet, how can it possibly be attacked? What remains exposed are the proxied services themselves, which is why the bastion host must be the most carefully maintained system on the site.

1.8 Conclusion

Network security is a complicated business. As more advanced and sophisticated mechanisms are developed to protect Internet-attached network resources, equally determined efforts are made to compromise the security mechanisms in place. A healthy dose of security paranoia should fester inside all network managers responsible for network security, as complacency will inevitably lead to disaster. No network can claim to be totally secure (as such a notion is folly). However, a network can claim to be as protected as is humanly possible. Security policies need to be constantly reviewed and revised. Hardware and software firewall systems need to be kept up to date. It is a case of "it's only a matter of time" for the network manager who fails to develop the skills and practices that keep them one step ahead of the Internet crackers and script-kiddies. If you are a network manager, be afraid, be very afraid. Foster paranoia, and trust no one.

(4) Such a LAN segment is often referred to as a demilitarized zone or DMZ.
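The three configurations above differ in what an intruder can reach once one component has fallen. The following reachability model is an added example written for this summary, not code from the essay; it is the kind of check a practitioner would run over a proposed design before building it. Nodes are hosts, routers and LAN segments; a packet addressed from one host to another may cross a LAN segment freely, may cross a router only if the router's policy (traffic to or from the bastion host only) permits it, and cannot cross an intact host at all, because a host terminates traffic rather than routing it. The model's assumption about a compromised device is that it forwards everything; the topologies and node names are constructed for the demonstration.

```python
"""Added example: reachability through the three firewall configurations."""
from collections import deque


def router_policy(src, dst):
    """Both packet-filtering routers: forward only traffic to or from the bastion."""
    return src == "bastion" or dst == "bastion"


KINDS = {"internet": "host", "internal": "host", "bastion": "host",
         "R1": "router", "R2": "router",
         "lan": "wire", "dmz": "wire", "inner": "wire"}

# 1. Bastion/packet-filtering combo: a single-homed bastion shares the LAN
#    segment with the internal hosts.
SINGLE_HOMED = {"internet": ["R1"], "R1": ["internet", "lan"],
                "lan": ["R1", "bastion", "internal"],
                "bastion": ["lan"], "internal": ["lan"]}

# 2. Dual-homed bastion: the bastion is the only link between the router's
#    segment and the protected network.
DUAL_HOMED = {"internet": ["R1"], "R1": ["internet", "dmz"],
              "dmz": ["R1", "bastion"], "bastion": ["dmz", "internal"],
              "internal": ["bastion"]}

# 3. Two routers with the dual-homed bastion on its own segment in the middle.
DUAL_ROUTER = {"internet": ["R1"], "R1": ["internet", "dmz"],
               "dmz": ["R1", "bastion"], "bastion": ["dmz", "inner"],
               "inner": ["bastion", "R2"], "R2": ["inner", "internal"],
               "internal": ["R2"]}


def forwards(node, src, dst, compromised):
    """Can a (src -> dst) packet pass through this node?"""
    if node in compromised:          # model assumption: a compromised device forwards all
        return True
    kind = KINDS[node]
    if kind == "wire":
        return True
    if kind == "router":
        return router_policy(src, dst)
    return False                     # an intact host never routes past itself


def reachable(topology, src, dst, compromised=frozenset()):
    """Breadth-first search over the nodes a (src -> dst) packet can occupy."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        if node != src and not forwards(node, src, dst, compromised):
            continue
        for nxt in topology[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def exposure(topology, compromised=frozenset()):
    """Can the Internet reach the internal network directly, and the bastion?"""
    return {"internal": reachable(topology, "internet", "internal", compromised),
            "bastion": reachable(topology, "internet", "bastion", compromised)}


if __name__ == "__main__":
    for name, topo in (("single-homed", SINGLE_HOMED),
                       ("dual-homed", DUAL_HOMED),
                       ("dual-router", DUAL_ROUTER)):
        for lost in (frozenset(), {"R1"}, {"R1", "bastion"}, {"R1", "bastion", "R2"}):
            print(f"{name:12s} compromised={sorted(lost) or '-'!s:24s} {exposure(topo, lost)}")
```

With nothing compromised, every configuration exposes only the bastion host. Losing the outer router opens the internal network in the single-homed design but not in the dual-homed one; losing the outer router and the bastion together opens the dual-homed design but not the two-router design, where the inner router still refuses anything that is not addressed to or from the bastion.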


More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Firewalls CSCI 454/554

Firewalls CSCI 454/554 Firewalls CSCI 454/554 Why Firewall? 1 Why Firewall (cont d) w now everyone want to be on the Internet w and to interconnect networks w has persistent security concerns n can t easily secure every system

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

Network Security and Firewall 1

Network Security and Firewall 1 Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

12. Firewalls Content

12. Firewalls Content Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

NETWORK SECURITY. Farooq Ashraf. Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia

NETWORK SECURITY. Farooq Ashraf. Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia NETWORK SECURITY Farooq Ashraf Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia O u t l i n e o f t h e P r e s e n t a t i o n What is Security

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

Chap. 1: Introduction

Chap. 1: Introduction Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and

More information

Firewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles

Firewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles Configuration Configuration Principles Characteristics Types of s Deployments Principles connectivity is a common component of today s s networks Benefits: Access to wide variety of resources Exposure

More information

Cryptography and network security

Cryptography and network security Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues v Noriyuki Fukuyama v Shingo Fujimoto v Masahiko Takenaka (Manuscript received September 26, 2003) IP telephony services using VoIP (Voice

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics. ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex,

More information

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary 2 : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex, r2958

More information

How To Protect Your Network From Attack

How To Protect Your Network From Attack Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de

More information

Chapter 32 Internet Security

Chapter 32 Internet Security Chapter 32 Internet Security Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3

More information

Compter Networks Chapter 9: Network Security

Compter Networks Chapter 9: Network Security Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau

More information

Security threats and network. Software firewall. Hardware firewall. Firewalls

Security threats and network. Software firewall. Hardware firewall. Firewalls Security threats and network As we have already discussed, many serious security threats come from the networks; Firewalls The firewalls implement hardware or software solutions based on the control of

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Firewall Design Principles

Firewall Design Principles Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Why you need secure email

Why you need secure email Why you need secure email WHITE PAPER CONTENTS 1. Executive summary 2. How email works 3. Security threats to your email communications 4. Symmetric and asymmetric encryption 5. Securing your email with

More information

83-10-41 Types of Firewalls E. Eugene Schultz Payoff

83-10-41 Types of Firewalls E. Eugene Schultz Payoff 83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Lecture 23: Firewalls

Lecture 23: Firewalls Lecture 23: Firewalls Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP581 -- L23 What is a Digital

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

Network Security. Raj Jain. The Ohio State University. Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ Raj Jain 31-1

Network Security. Raj Jain. The Ohio State University. Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ Raj Jain 31-1 Network Security Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ 31-1 Overview Security Aspects Secret Key and Public Key Encryption Firewalls: Packet Filter, Bastion Host,

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall SOFTWARE ENGINEERING 4C03 Computer Networks & Computer Security Network Firewall HAO WANG #0159386 Instructor: Dr. Kartik Krishnan Mar.29, 2004 Software Engineering Department of Computing and Software

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet

More information

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed

More information

Firewalls and Network Defence

Firewalls and Network Defence Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Firewalls. Mahalingam Ramkumar

Firewalls. Mahalingam Ramkumar Firewalls Mahalingam Ramkumar Evolution of Networks Centralized data processing LANs Premises network interconnection of LANs and mainframes Enterprise-wide network interconnection of LANs in a private

More information

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Chapter 6: Network Access Control

Chapter 6: Network Access Control Managing and Securing Computer Networks Guy Leduc Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section 8.9) Chapter 6: Network Access Control

More information

Proxy firewalls. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Proxy firewalls. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Proxy firewalls thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Proxy Firewalls How Proxy Firewalls Work Forward / Reverse Proxies Application-Level Proxies Gateways (Circuit-Level

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS MODULE 13 ELECTRONIC COMMERCE OBJECTIVE QUESTIONS There are 4 alternative answers to each question. One of them is correct. Pick the correct answer. Do not guess. A key is given at the end of the module

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010 Cryptography and Network Security Chapter 22 Fifth Edition by William Stallings Chapter 20 Firewalls The function of a strong position is to make the forces holding it practically unassailable On O War,

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Lecture G1 Privacy, Security, and Cryptography. Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007

Lecture G1 Privacy, Security, and Cryptography. Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007 Lecture G1 Privacy, Security, and Cryptography Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007 Functionalia Instructor Chipp Jansen, chipp@sci.brooklyn.cuny.edu Course Web Page http://www.sci.brooklyn.cuny.edu/~chipp/cc3.12/

More information

Module 7 Security CS655! 7-1!

Module 7 Security CS655! 7-1! Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed

More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

Evaluate the Usability of Security Audits in Electronic Commerce

Evaluate the Usability of Security Audits in Electronic Commerce Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY) E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system

More information

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Computer Security DD2395

Computer Security DD2395 Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasak12/ Fall 2012 Sonja Buchegger buc@kth.se Lecture 9 Firewalls (maybe start on Multilevel Security) DD2395 Sonja Buchegger

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

ISM/ISC Middleware Module

ISM/ISC Middleware Module ISM/ISC Middleware Module Lecture 13: Security for Middleware Applications Dr Geoff Sharman Visiting Professor in Computer Science Birkbeck College Geoff Sharman Sept 07 Lecture 13 Aims to: 2 Show why

More information

Application Firewalls

Application Firewalls Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information