CMPT 471 Networking II
Firewalls
Janice Regan

Security
- When is a computer secure? When the data and software on the computer are available on demand only to those people who should have access.
- One component of keeping a computer secure can be a firewall. This is not an all-encompassing solution.
- Not all problems come from outside; you must keep in mind that a comprehensive internal security policy is also part of the solution.

Firewalls: why
- Provide a single protected access from your machine or network to the internet.
- Create a single choke point and concentrate attention on protecting that choke point.
- A network behind a firewall can spend less (not no) effort on host-based security; not all attacks or security problems come from outside, so a second line of defense is still needed in many cases.
Firewalls: why not
- Firewalls don't protect against malicious insiders: they may prevent sending data out through the internet but cannot protect against removing the data on physical media.
- Firewalls don't protect you from connections that bypass them: dial-in or network access to internal machines cannot be monitored unless it passes through the firewall.
- Firewalls protect against known threats; new threats occur regularly and counters to them must be added just as regularly.
- Viruses and malware can penetrate firewalls under some circumstances.
- Firewalls often interfere with expected behaviours of internet applications, or slow down interaction with the internet.

Firewalls
- Different firewall architectures are appropriate for different types of applications.
- A firewall is a combination of hardware, software and policies.
- We look at some architectures and examples:
  - Single machine with firewall (filtering)
  - Screening router
  - Dual homed host
  - Screened host
  - Screened network
GIVEN TODAY'S INTERNET ENVIRONMENT, NO COMPUTER WITH INTERNET CONNECTIVITY SHOULD BE UNPROTECTED BY A FIREWALL
- To protect any private data or information
- To protect the machine so it is available for your use
- To prevent others from hijacking your machine for their own purposes

Security strategies
- Least privilege: any object (user, program, system, ...) should have the least amount of privilege necessary to accomplish its own purpose.
- Depth of defense: layer security mechanisms so that if one is compromised another still protects you. This protects not only against attacks but against possible failures of any single layer in your defense.
- Choke point: be sure that there is no way to circumvent the choke point, and put protections at the choke point.
- Weakest link: be aware of the weak points of your defense; this is where attacks will most likely occur.
- Failures: try to make the system fail in a way that denies the attacker access rather than opening access.
Firewall Default Strategies
- Default deny policy: no traffic is passed through the firewall unless it is specifically allowed. Any traffic or service not specifically permitted to pass the firewall will not be permitted into the protected machine or network.
- Default permit policy: all traffic will be permitted to pass through the firewall unless it is specifically forbidden.

Which Default Strategy?
- To maximize security use default deny. This is fine if you do not need to provide internet services, but gives limited flexibility.
- To maximize flexibility use default permit. This is more difficult to maintain: you must specifically deny sources and protocols.

Some types of low level attacks
- Half open port scan or SYN scan: send a SYN (or a packet with another combination of flags) to each port and watch for an ACK or RST to determine if the port is open. The scanner does not reply to complete the connection (it sends RST).
- Denial of service: exploit known weaknesses of the stack to cause crashes.
- IP spoofing: make the packet look like it comes from somewhere else.
- Smurf: use a forged source address (A) to make a third party attack A.
- Land: send a packet with source and destination addresses the same. May cause failure of the receiving machine.
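As an added illustration of the two default strategies (example code written for this page, not material from the slides), the following Python packet filter evaluates one and the same rule list under a default deny and a default permit policy. The rule model (direction, protocol, destination port; first matching rule wins) and the sample traffic are assumptions of the example.

```python
"""Packet filter with a configurable default policy.

Added example for the lecture notes; not from the slides.  Assumed model:
each rule matches on direction, protocol and destination port and carries an
ALLOW or DENY action; the first matching rule wins and the firewall's default
policy decides every packet that matches no rule.
"""
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the internet) or "out" (to the internet)
    proto: str          # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_port: Optional[int]   # None matches any port
    action: str

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def decide(pkt: Packet, rules, default: str) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Hypothetical site policy: serve HTTP, let users reach DNS and HTTPS outside.
RULES = [
    Rule("in", "tcp", 80, ALLOW),
    Rule("out", "udp", 53, ALLOW),
    Rule("out", "tcp", 443, ALLOW),
]

# Constructed sample traffic (not captured data).
SAMPLE = {
    "web_request": Packet("in", "tcp", 80),
    "telnet_in":   Packet("in", "tcp", 23),     # covered by no rule
    "dns_out":     Packet("out", "udp", 53),
    "irc_out":     Packet("out", "tcp", 6667),  # covered by no rule
}


def evaluate(default: str, rules=RULES, traffic=SAMPLE) -> dict:
    """Verdict for every sample packet under the given default policy."""
    return {name: decide(pkt, rules, default) for name, pkt in traffic.items()}


def permit_policy_equivalent(rules, traffic) -> list:
    """Extra DENY rules a default-permit firewall needs to behave like the
    default-deny firewall on this traffic: one per uncovered packet type."""
    extra = []
    for pkt in traffic.values():
        if decide(pkt, rules, DENY) == DENY:
            extra.append(Rule(pkt.direction, pkt.proto, pkt.dst_port, DENY))
    return extra


if __name__ == "__main__":
    for policy in (DENY, ALLOW):
        print(f"default {policy}: {evaluate(policy)}")
    print("extra deny rules needed under default permit:",
          len(permit_policy_equivalent(RULES, SAMPLE)))
```

Under default deny the unlisted telnet and IRC packets are dropped without any extra work; under default permit each of them needs its own explicit DENY rule, which is the maintenance cost the slide refers to, and `permit_policy_equivalent` lists exactly those rules for the sample traffic.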
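For the half open (SYN) scan listed above, the defender's job is recognising it in the firewall's connection records: many probes from one source to distinct ports, each answered with SYN-ACK or RST and never completed by the client. The detector below is an added example for this page, not code from the slides; the record format (time, source, destination, port, flags the client sent) and the sample records are constructed for the example.

```python
"""Half-open (SYN) scan detector over connection records.

Added example for the lecture notes; not from the slides.  Assumed record
format: (time_s, src_ip, dst_ip, dst_port, client_flags), where client_flags
lists the TCP flags the client sent on that attempt, in order.
"""
from collections import defaultdict

# Constructed sample records (documentation addresses, not real traffic).
RECORDS = [
    (0.00, "198.51.100.7", "192.0.2.10", 21,   ["SYN", "RST"]),
    (0.05, "198.51.100.7", "192.0.2.10", 22,   ["SYN", "RST"]),
    (0.10, "198.51.100.7", "192.0.2.10", 23,   ["SYN", "RST"]),
    (0.15, "198.51.100.7", "192.0.2.10", 25,   ["SYN", "RST"]),
    (0.20, "198.51.100.7", "192.0.2.10", 80,   ["SYN", "RST"]),
    (0.25, "198.51.100.7", "192.0.2.10", 110,  ["SYN", "RST"]),
    (3.00, "203.0.113.4",  "192.0.2.10", 80,   ["SYN", "ACK", "ACK", "FIN"]),
    (4.00, "203.0.113.4",  "192.0.2.10", 443,  ["SYN", "ACK", "FIN"]),
    (6.00, "203.0.113.9",  "192.0.2.10", 8080, ["SYN"]),  # one refused connect
]


def is_half_open(client_flags) -> bool:
    """The client opened with SYN and never sent the ACK that completes the
    three-way handshake (it either went silent or tore down with RST)."""
    return bool(client_flags) and client_flags[0] == "SYN" and "ACK" not in client_flags


def find_scanners(records, min_ports: int = 5, window_s: float = 10.0) -> dict:
    """Return {src_ip: distinct_ports} for sources that left at least
    min_ports distinct destination ports half-open within window_s seconds.
    A single failed connection attempt stays below the threshold."""
    by_src = defaultdict(list)
    for t, src, _dst, port, flags in records:
        if is_half_open(flags):
            by_src[src].append((t, port))

    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        best, lo = 0, 0
        for hi in range(len(probes)):
            # Slide the window so probes[lo..hi] spans at most window_s.
            while probes[hi][0] - probes[lo][0] > window_s:
                lo += 1
            best = max(best, len({p for _, p in probes[lo:hi + 1]}))
        if best >= min_ports:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    print(find_scanners(RECORDS))   # {'198.51.100.7': 6}
```

The threshold and window are tunable: a legitimate client that is refused once (203.0.113.9 above) never reaches `min_ports`, while the source that walked six ports in a quarter of a second does. A screening router can only see such probes; logging them and correlating per source, as here, is what turns the packet filter's view into an alert.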
A single computer
- Many computers (probably most) have a continuous internet connection.
- For a user with a single computer connected to their continuous connection, the simplest approach is a packet filtering firewall.
- For Windows, use the built-in firewall or one of the many other proprietary products that provide more complete protection, including virus and spyware protection.
- For Linux, use iptables/netfilter to implement filtering directly, or other public domain or proprietary products.

A home network
- It is becoming increasingly common for a household to have more than one computer. Probably the user of each computer wants it to be directly connected to the household's continuous Internet connection(s).
- This means that out-of-the-box solutions that implement basic network protection are becoming common.
- For a technically savvy user these solutions may also be easy, but other simple options exist.
- Remember that out-of-the-box solutions need configuration to optimize their effectiveness.

Screening Router
- This is a common, inexpensive, out-of-the-box solution that can be made more robust.
- You probably need the router to connect your local machines anyway. Be sure to configure it; don't just use the defaults.
- The router usually includes a mechanism for implementing packet filtering (default deny and default permit strategies are usually both supported).
Screening Router (continued)
- Can implement the level of security appropriate for the network being protected; you will likely also need host level security.
- The router will run a proprietary or reduced version of the operating system, providing fewer points of attack.

Using a screening router
- The network needs an adequate level of host protection. If data on any of the machines is private, you need host security to protect that data.
- Only a limited number of simple protocols and services can be supported efficiently using a screening router:
  - it can permit or deny protocols by port number
  - it is harder to permit or deny parts of a protocol
  - it is difficult to be sure that what is arriving on a port is really the expected protocol
- The router is a single point of failure.

When to use a screening router
- When performance is important: minimize the added load on hosts by using the router to filter, and maximize throughput by basing security on simple filtering.
- When the protected network also has an adequate level of host security.
- When the number of protocols being allowed (default deny) or blocked (default accept) is small and those protocols are simple and amenable to filtering.
- Most useful for networks providing services to the internet (like those of internet providers) and for internal firewalls.
Simple Firewall: Dual Homed Host
- Use a dual homed host to access the internet. Your network attaches to one or more interfaces, the internet to another.
- Disable forwarding: this creates a default deny policy.
- All access to the Internet from internal hosts is by a proxy application running on the dual homed host.
- Each application you run/proxy on the dual homed host provides another point of attack and increases load.
- Avoid user accounts on the dual homed host. This provides extra protection.
- Monitor the activity of each user.

[Figure: dual homed host (forwarding disabled) placed between the INTERNET and the local network]

Dual homed hosts: user accounts
- Users should not be able to log into the dual homed host:
  - prevents a hacker from breaking in through a user account
  - makes the vulnerable services needed to support user accounts unnecessary (printing, local mail delivery, ...)
  - prevents inadvertent damage to the dual homed host's security by users (poor passwords, ...)
  - easier to detect attacks if the types of traffic are limited
Dual Homed Host: Limitations (1)
- You need an additional machine to use as the dual homed host (it should not be a machine used directly by users).
- For a small network with modest traffic levels you can even use an older, less powerful machine (the bonus is that this is the only machine seen from outside, so it is less attractive to hackers).
- As the network size, number of services proxied, or traffic load grows, more power is needed.

Dual Homed Host: Limitations (2)
- Provides services by proxy; each service supported provides additional points of attack.
- Not all services can be proxied.
- Not all services that can be proxied will have appropriate proxies available.
- Better at supporting outbound services (local users using services on the external network) than inbound services.

Dual Homed Host: Limitations (3)
- More overhead than an equivalent packet filtering system: proxies are more compute intensive than simple filters.
- The dual homed host is a single point of failure:
  - a hacker who crashes your dual homed host cuts you off from the internet
  - a hacker who compromises your dual homed host has access to your local network
When to use a dual homed host
- Internet traffic is limited. Remember that the load is larger than for a comparable packet filter.
- The protected network does not contain critical data. This can be mitigated by host level protections, but there are better solutions.
- No (or very limited) services are being provided to the internet. Each service provided adds points of attack for those trying to break in.
- A continuous connection to the internet is not essential; traffic to the internet is not critical to your business. Attacks may cause the single choke point to fail or crash.

Variations
- Many consumer routers support NAT (network address translation), allowing one IP address to be shared between multiple machines.
- Local IP addresses are used for your network, with the gateway (router) forwarding packets on behalf of the other computers on your intranet.
- This is a good way to hide the network from external eyes.
- Such a router can packet filter and provide some proxy services, and often provides MAC address filtering.
Screened Host Architecture
- All communication between hosts on the local network and the internet (both directions) passes through proxies on a bastion host, which communicates with the internet through a packet filtering router.
- Less secure versions may allow some direct communication from network hosts to the internet (definitely not initiated from the internet to network hosts).
- The bastion host is the only host on the network to which hosts on the internet can make connections.
- The packet filtering router protects internal hosts from direct internet attack (allowing only certain services/protocols). This is the primary security for the network, and it prevents users from directly accessing the Internet.
- The bastion host provides services and runs proxies connecting to the outside world; it should not be a trusted member of the local network.
- Not appropriate for public web servers.

[Figure: screened host architecture: INTERNET, screening router, bastion host on the internal network]
Bastion host
- Should run a minimum configuration to minimize points of attack.
- Should have all services not needed by the site disabled.
- Should not be trusted by hosts on the network.
- Should not run booting services.
- Must maintain a high level of host security on the bastion host.

Bastion host and user accounts
- Should not support user accounts.
- May know about users (i.e. to allow access from outside the network to machines inside the network).
- Users should not be able to log into the bastion host. Administrators should be able to log into the bastion host with individual accounts; remote login is a high security risk.
- Keeping users off the bastion host:
  - prevents a hacker from breaking in through a user account
  - makes the vulnerable services needed to support user accounts unnecessary (printing, local mail delivery, ...)
  - prevents inadvertent damage to the bastion host's security by users (poor passwords, ...)
  - makes attacks easier to detect, since the types of traffic are limited
Bastion host (continued)
- Provides the services your site needs to access the internet.
- Runs proxies for services your site provides to the internet: all services, or just those that cannot be adequately protected using filtering in the router alone (FTP, TELNET, DNS, SMTP, HTTP).

Screening router
- May allow hosts to open connections to selected servers on the internet.
- May disallow services, forcing them to be proxied by the bastion host (or hosts).

Use a Screened Host When
- Few connections to the network originate from outside the network.
- Host security is relatively high.
- If you allow non-bastion hosts to connect to the internet you are compromising the design, since outside users then have access to the IP addresses of protected hosts.
Comparison
- A router is easier to secure than a multi-homed host (simpler OS, fewer points of attack, fewer services running than on a multi-homed host).
- A multi-homed host provides no way for packets to go directly to hosts; a screened host does (this can be a security hole).
- A multi-homed host is more prone to failure (and the type of failure is more difficult to predict).
- On balance the router may be more secure and simpler to administer.
- You can get some extra protection by isolating your bastion host from your screened hosts so that most local network traffic from your screened hosts is not visible to the bastion host (broadcast traffic will still be visible). This is part of what a screened subnet does (next topic of discussion). You can get this part of the protection by isolating your bastion host using an appropriately secured Ethernet switch or switching hub.

Screened Subnet
- Place the bastion host (or hosts) on a separate subnet connected to the Internet with a router. This separate subnet is known as a perimeter network.
- That subnet in turn connects to your internal network through a second router (with packet filtering).
- Removes the difficulties caused by a single point of failure (as in multi-homed hosts, and to a lesser extent screened hosts).
- Now a hacker must break through two levels of packet filters and compromise a bastion host to reach your internal network.
[Figure: screened subnet: INTERNET, exterior router, perimeter network with bastion host, interior router, internal network]

Screened subnet
- No longer a single point of failure.
- Adds an extra layer of security by adding a perimeter network to further isolate the hosts in the screened subnet from the internet.
- Multiple failures are needed to reach the screened subnet: if the router's firewall is breached the hacker can only reach the bastion hosts; if the bastion host is compromised, sensitive internal information is still protected, since the screened network still has the protection of the interior router.

Bastion host(s) on a separate net
- Locating the bastion hosts on a separate network from the protected hosts has many benefits.
- The bastion host sees only packets to and from bastion hosts and to and from the internet. It does not see traffic on the internal network:
  - accesses to sensitive files
  - confidential local
  - remote logins, FTP or TELNET packets that could provide passwords
Bastion host(s) on a separate net (continued)
- Bastion hosts are the primary point of contact for incoming connections for any supported protocols (local servers for SMTP, FTP, DNS, ...).
- Outbound services (from our network to servers on the internet) have access controlled by filtering on the exterior or interior router, or by proxy services on the bastion hosts.
- If traffic is high and/or multiple services are proxied on the bastion host, multiple bastion hosts may be used to distribute the load and partition risk. Services may be divided between multiple bastion hosts, grouped by importance, audience, security level or access level.

Interior router
- The primary packet filtering system (choke router).
- May be more restrictive than the packet filters in the exterior router; you want to assure that sensitive information does not leave the screened network.
- May allow a smaller set of services to reach the interior network than can reach the exterior network.
- May direct services from outside the screened networks to designated servers (e.g. a mail server on one of the internal hosts).
- Allows services to the internet to be isolated from the screened internal network (on the perimeter network).
- Protects your screened interior network from the Internet and the perimeter network.

Exterior Router
- The exterior router may be called the access router.
- Sometimes the external router is provided by another group (like an ISP): your access will be limited and the filter rules will not be customized to your needs.
- Bastion hosts on the perimeter net must be protected by strong host security; this makes exterior filtering less critical.
- If you do control the exterior router you may want to duplicate a subset of the rules on your interior router.
Exterior Router (continued)
- Should block incoming packets whose source addresses may be forged, particularly addresses that indicate packets are coming from inside the network (screened network or perimeter network).
- Should block outgoing packets that do not come from one of your networks' IP addresses. This prevents your users sending inappropriate packets and, more importantly, prevents any hijacker using one of your machines to send packets with inappropriate IP addresses.

Variants
- Use multiple bastion hosts: distribute load, partition services, add redundancy.
- Merge the interior router and exterior router: this needs a router that allows separate filter specifications on each interface. Disadvantage: creates a single point of failure if the router is compromised.

[Figure: multiple bastion hosts: INTERNET, exterior router, perimeter network with several bastion hosts, interior router]
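The two anti-spoofing rules for the exterior router described above, as an added Python example that is not part of the slides: it drops inbound packets that claim a source inside the screened or perimeter network, drops outbound packets whose source is not one of the site's own addresses, and also drops the source-equals-destination packet from the Land attack listed earlier. The site address ranges (192.0.2.0/24 for the screened network, 198.51.100.0/28 for the perimeter network) and the sample packets are assumptions of the example, using documentation addresses.

```python
"""Exterior-router anti-spoofing (ingress/egress) filter.

Added example for the lecture notes; not from the slides.  Assumed site
addressing: 192.0.2.0/24 is the screened internal network and
198.51.100.0/28 is the perimeter network; everything else is "the internet".
"""
import ipaddress

SITE_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),     # screened internal network
    ipaddress.ip_network("198.51.100.0/28"),  # perimeter network (bastion hosts)
]


def is_ours(addr: str) -> bool:
    """True if addr belongs to one of the site's networks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in SITE_NETS)


def check_packet(direction: str, src: str, dst: str):
    """Apply the exterior router's source-address checks.

    direction: "in"  = arrived on the internet-facing interface
               "out" = arrived from the perimeter interface, heading out
    Returns (verdict, reason)."""
    if src == dst:
        return "DROP", "source equals destination (land packet)"
    if direction == "in" and is_ours(src):
        return "DROP", "inbound packet claims an internal/perimeter source (forged)"
    if direction == "out" and not is_ours(src):
        return "DROP", "outbound packet with a source address that is not ours"
    return "ACCEPT", "passes anti-spoofing checks"


# Constructed sample packets: (direction, source, destination).
SAMPLE = [
    ("in",  "203.0.113.5",  "198.51.100.3"),  # outside host to bastion: ACCEPT
    ("in",  "192.0.2.44",   "198.51.100.3"),  # forged internal source:  DROP
    ("in",  "198.51.100.3", "198.51.100.3"),  # land packet:             DROP
    ("out", "192.0.2.44",   "203.0.113.5"),   # our host going out:      ACCEPT
    ("out", "10.9.8.7",     "203.0.113.5"),   # hijacked host forging:   DROP
]


def audit(samples=SAMPLE) -> list:
    """Verdicts for the sample packets, in order."""
    return [check_packet(*pkt)[0] for pkt in samples]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit()):
        print(pkt, "->", verdict, "(", check_packet(*pkt)[1], ")")
```

The outbound check is the one that limits the damage a compromised perimeter host can do: a Smurf-style packet with a forged source never leaves the site, which is what the slide means by preventing a hijacker from sending packets with inappropriate IP addresses. If the exterior router belongs to an ISP and you cannot set these rules there, the same two checks belong on the interior router.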
[Figure: merged interior/exterior router: INTERNET, one router serving as both interior and exterior router, perimeter network]

Variants
- Use multiple independent perimeter networks: provides redundancy and bandwidth.
- Assure the networks connect to different physical connections (different providers and different cables).
- Both interior routers must enforce the same policies.
- Also used to separate incoming and outgoing services.

[Figure: multiple perimeter networks: INTERNET, two exterior routers, two perimeter networks, two interior routers]
Variants
- Use multiple exterior routers (or one exterior router with multiple interfaces).
- Multiple internet connections (i.e. multiple providers, for redundancy or bandwidth).
- Internet connection plus direct connections to other sites (through an internal firewall).
- Minor security compromise because of two attack points into the perimeter network.

[Figure: multiple exterior routers: INTERNET, two exterior routers, perimeter network, interior router]

Variants
- Merge the bastion host and exterior router: use a single dual-homed host for both.
- Limits performance; less efficient for routing than a router.
- Depending on the operating system, flexible filtering may not be available.
- Needs better protections on the dual homed host.
- Appropriate only for serving a very small number of low bandwidth services.
[Figure: merged bastion host/exterior router: INTERNET, dual-homed host acting as both bastion host and exterior router, perimeter network, interior router]

Dangerous Variants
- Do not merge the bastion host and interior router.
- Do not use multiple interior routers.
- Do not use both screened subnets and screened hosts.
What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationWhat would you like to protect?
Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber
More informationVirtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
More informationCSCI 7000-001 Firewalls and Packet Filtering
CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationContent Distribution Networks (CDN)
229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the
More informationChapter 15. Firewalls, IDS and IPS
Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet
More informationInternet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
More informationChapter 11 Cloud Application Development
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
More informationFirewalls (IPTABLES)
Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationA1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More information8. Firewall Design & Implementation
DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or
More informationN-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work
N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if
More informationChapter 20. Firewalls
Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems
More informationFIREWALL ARCHITECTURES
FIREWALL ARCHITECTURES The configuration that works best for a particular organization depends on three factors: The objectives of the network, the organization s ability to develop and implement the architectures,
More informationIntro to Firewalls. Summary
Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer
More informationIn today s world the Internet has become a valuable resource for many people.
In today s world the Internet has become a valuable resource for many people. However with the benefits of being connected to the Internet there are certain risks that a user must take. In many cases people
More informationSY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationHow To Protect Your Firewall From Attack From A Malicious Computer Or Network Device
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
More informationNetwork Security: From Firewalls to Internet Critters Some Issues for Discussion
Network Security: From Firewalls to Internet Critters Some Issues for Discussion Slide 1 Presentation Contents!Firewalls!Viruses!Worms and Trojan Horses!Securing Information Servers Slide 2 Section 1:
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationABSTRACT CHAPTER I. Preliminary. 1.1. Background
FIREWALL OPTIMIZATION ON BROAD SCALE NETWORK Nama Penulis : Jurnalis : Bobi Paisal Baraba Dosen Bahasa Indonesia : Bambang Dahrmaputra Pendidikan Teknik Informatika dan Komputer Fakultas Teknik Universitas
More informationFirewalls. Network Security. Firewalls Defined. Firewalls
Network Security Firewalls Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall
More informationChapter 4 Firewall Protection and Content Filtering
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.
More informationNetwork Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer
Network Security Chapter 13 Internet Firewalls Network Security (WS 07/08): 13 Internet Firewalls 1 Introduction to Network Firewalls (1) In building construction, a firewall is designed to keep a fire
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More informationFirewall: Getting started
Firewall: Getting started Version 4 SC41-5424-02 Firewall: Getting started Version 4 SC41-5424-02 ii Firewall: Getting started Contents Part 1. Firewall: Getting started... 1 Chapter 1. Print this topic.......
More informationFirewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
More informationPacket filtering and other firewall functions
Packet filtering and other firewall functions Martin Krammer mk@sbox.tugraz.at Martin Krammer Graz, May 25, 2007 1 Overview Firewalls Principles Architectures Security aspects Packet filtering Principles
More informationChapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationWhat is Firewall? A system designed to prevent unauthorized access to or from a private network.
What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls
More informationNetwork Security Topologies. Chapter 11
Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationA typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router
1. Installation and configuration guidelines for the router replacement This guideline served as a reference for schools which plan to replace the existing WebSAMS router by the recommended router, and
More informationChapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010
Cryptography and Network Security Chapter 22 Fifth Edition by William Stallings Chapter 20 Firewalls The function of a strong position is to make the forces holding it practically unassailable On O War,
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationPROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationClassification of Firewalls and Proxies
Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda (gouda@cs.utexas.edu) Department of Computer Sciences The University of Texas at Austin Computer Science Research
More informationLecture 23: Firewalls
Lecture 23: Firewalls Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP581 -- L23 What is a Digital
More information