Distributed Firewalls
Robert Stepanek

Abstract

Distributed firewalls enforce security policies on a network without constraining its topology to an "inside" and an "outside". A policy language, together with central management that delegates the policy's semantics to every member of the network domain, makes firewall technology applicable to organizations whose network devices communicate over insecure channels, while still allowing a logical separation of hosts inside and outside the trusted domain. We introduce the general concepts of distributed firewalls, their requirements and implications, assess their suitability against common threats on the Internet, and give a short discussion of contemporary implementations.

1 Introduction

This paper discusses distributed firewall technology, its fields of application and current implementations. Firewall technology in general is of vital interest to any organization that deploys one or more machines connected to a network regarded as "unsafe", meaning that the presence of malicious software or adversaries must be assumed, and that aims to prevent damage by enforcing a security policy. Conventional firewall systems meet this requirement with a collection of components that filter network traffic between two networks, usually regarded as a trusted and an untrusted one. Such systems rely on a particular topology of these networks: a specific physical border between the trusted and the untrusted domain can be singled out, and security policies are enforced at the connecting components. With the advent of distributed firewalls these topological constraints are weakened; decentralized traffic filters, as well as components providing security requirements such as authentication and integrity, are favored over a few special nodes in the overall network.

While security policies are enforced in a decentralized way, their management is not: system administrators set policies from a central host and therefore still meet the requirements of efficient system and network administration.

1.1 Organization of the following sections

Section 2 introduces the terminology that lets us discuss the concept of distributed firewalls in a general way and emphasizes criteria for the evaluation of particular implementations; note that the concept is introduced informally. We then lay out the basic components that make up a firewall of this kind and introduce different models that meet our overall requirements in one way or another. Having introduced the concept in general, section 3 presents available products that meet our requirements, together with their peculiarities and additions to the overall concept. Section 4 discusses common threats encountered on computer networks and the suitability of distributed firewalls for protection against them. Finally, section 5 gives a brief summary of the paper.

2 The distributed approach

2.1 Basic definitions and terminology

In the following sections our argument rests on the general requirements that make up the basic notion of firewall technology: on any communication traffic entering or leaving a network policy domain, firewall technology enforces the network domain security policy. Any instance of these mechanisms is called a firewall system, or shortly a firewall [24]. Moreover, we assume that for any host inside the network policy domain we can single out one or more identifiers that are unique to this network component. Note that this layout makes no assumptions about the actual topology of the network; more explicitly, we do not require that any network component can be seen as a single entry and exit point for communication traffic between the network policy domain and any other untrusted network. Setting a policy on external accesses, that is, on any access to components inside the network policy domain, will be called policy control throughout the rest of this paper; the mechanism that decides whether a given item of communication traffic is legal will be called the policy verifier.
2.2 Components of a distributed firewall

A distributed firewall is a mechanism to enforce a network domain security policy through a policy language, a policy distribution scheme enabling policy control from a central point, and certificates enabling the identification of any member of the network policy domain [2]. Whereas conventional firewalls usually use a network component's IP address as its unique identifier, and enforce policies on the decision whether that component is inside the trusted network or outside, we use cryptographic certificates, which detach identification from the physical location of the component and minimize the danger of spoofed identities (however, as section 2.3 shows, the use of cryptographic authentication schemes is not inherent in the general definition of a distributed firewall).

The policy language defines which inbound and outbound connections on any component of the network policy domain are allowed, and can affect policy decisions on any layer of the network, be it rejecting or passing certain packets or enforcing policies at the application layer. More specifically, such a language must allow the explicit definition of security or authentication schemes that have to be met before communication traffic is allowed to pass the enforcing mechanisms. The policy language should therefore support credentials; it is expected to be as general as possible, allowing definitions for an arbitrary number of applications, and it should not enforce implicit policies and trust relations [4]. Usually such a language is compiled to an internal format, although this is not a general requirement [3].

Using a policy distribution scheme, the chosen security policy is delegated to the members of the network in question, according to one or more of the following schemes [12]:

- Policies as well as credentials can be pushed to every single end point in the policy domain. This requires every member of the domain to be reachable by the delegating node, a criterion which most likely will not be met by mobile workstations and the like.
- Policies and credentials can be pulled from a trusted repository during initialization of the policy verifier and periodically during operation. This circumvents the requirement that every member of the network domain be permanently available, but as in the previous scheme end points may be confronted with a potentially large number of credentials that need to be stored. Additionally, the repository and the network may suffer excessive resource consumption when many nodes initialize simultaneously.
- Policies are pulled during initialization of the policy verifier, whereas credentials for authentication mechanisms remain on a trusted repository and are requested whenever communication traffic reaches a node from a yet unknown host. Although this scheme allows a more balanced distribution procedure, reliance on the availability of the trusted repository leads to the threat of Denial of Service attacks, a problem discussed in more detail in section 4.

Using certificates enables the policy verifier to make decisions without knowledge of the physical location of the node whose communication requests are under examination. Public-key cryptography is most often applied in contemporary implementations and was deployed in the reference model of [12] through the use of IPsec [13], [16]. In general, the credentials associated with a node requesting a connection have to provide unambiguous information about its identity, enabling the policy verifier to give a simple yes or no answer given the encoded security policy. Encoding a node's network address in any of the policies is most likely undesirable, given the distributed character of the network's organization. Combining the policy distribution scheme with the use of credentials furthermore enables the transmission of certificates over insecure channels, assuming that the integrity of the repository can be established [5].

2.3 Variations of distributed firewalls

In practice the criteria of section 2.2 are not always met by organizations deploying distributed firewalls; different layouts and variations most often combine concepts of conventional with distributed firewall mechanisms and lead to hybrid firewalls [2]. Although the possible variations are large in number, we focus on the most common combinations, which can also be found in available products.

2.3.1 Host addresses as a credential

Some hybrid firewalls do not make use of cryptographic credentials as discussed above and hence still rely on topological properties of the underlying network by inspecting the connecting node's network address. This layout does not address spoofing attacks, but is useful in combination with a router that discards traffic with local source addresses entering the network from the untrusted outside. Although policies are now enforced on the end points of the network and allow distributed policy control, the overall requirements of a distributed firewall are not met, because the model depends on the network's structure. Still, this solution is supported by one provider of firewall technology and applies well in small or medium sized organizations where constraints on the network's layout do not show up as a problem [19].

2.3.2 Road warriors and conventional firewalls

Another combination of conventional and distributed firewalls deploys both security enforcing mechanisms at the same time. The scenario includes one or more major sites protected by conventional firewalls at the network's perimeter; additionally there are telecommuter machines, so called road warriors [10], in the untrusted outside. Communication traffic between machines in the trusted network domain is unencrypted, whereas connections from inside to the road warriors (and vice versa) are protected through the use of cryptographic facilities.

What distinguishes this layout from a classical virtual private network solution is the fact that road warriors are subject to policy control even when they are communicating within the untrusted network: centrally defined and delegated firewall policies are deployed on the telecommuter machine not only with respect to its communication with the organization's network but to its network activity in general.

2.3.3 Triangle routing and distributed firewalls

Although most communication traffic is handled in a distributed way by policy verifiers on the network domain's end points, certain applications still rely on a central application-level proxy that is not available locally on every node. In that case most of the traffic is handled in a distributed manner, whereas policy enforcement for the specific applications is done on the proxy, which yields a triangular route for communication traffic involving these applications. Excessive use of this concept yields the same properties as conventional firewalls with encrypted communication traffic.
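The following Python program is an added example, not code from the paper or from the reference implementation in [12]. It contrasts the policy verifier of section 2.2, which decides on a signed credential, with the host-address variant of section 2.3.1, which decides on the packet's source address. The one-line rule syntax, the group names, the addresses and the HMAC-signed credential (a constructed stand-in for the public-key certificates the paper assumes) are all assumptions of this example; the real policy language in [12] is KeyNote.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed signing key of the trusted repository. The paper's model uses
# public-key certificates (IPsec/KeyNote); an HMAC stands in here only so the
# example runs with the standard library. Its trust properties differ (anyone
# holding the key can issue credentials), which does not matter for showing
# how the policy decision itself is made.
REPOSITORY_KEY = b"constructed-repository-key"


def _sign(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(REPOSITORY_KEY, data, hashlib.sha256).hexdigest()


def issue_credential(identity: str, groups: List[str]) -> dict:
    """Repository side: bind an identity and its group memberships to a signature."""
    body = {"identity": identity, "groups": sorted(groups)}
    return {"body": body, "sig": _sign(body)}


def verify_credential(cred: dict) -> Optional[dict]:
    """Policy-verifier side: accept the credential body only if the signature checks."""
    if hmac.compare_digest(_sign(cred["body"]), cred["sig"]):
        return cred["body"]
    return None


@dataclass
class Request:
    src_addr: str                     # source address as it appears in the packet
    dst_port: int
    credential: Optional[dict] = None # credential presented by the peer, if any


Rule = Tuple[str, str, str, int]   # (action, kind, value, port)


def parse_policy(text: str) -> List[Rule]:
    """Hypothetical one-line-per-rule policy language (not KeyNote):
         permit|deny addr  <address prefix> port <n>
         permit|deny group <group name>     port <n>
    First matching rule wins; an unmatched request is denied."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if (len(parts) != 5 or parts[0] not in ("permit", "deny")
                or parts[1] not in ("addr", "group") or parts[3] != "port"):
            raise ValueError(f"bad rule: {line!r}")
        rules.append((parts[0], parts[1], parts[2], int(parts[4])))
    return rules


def decide(rules: List[Rule], req: Request) -> str:
    """The policy verifier: a yes/no answer for one request under one policy."""
    groups = set()
    if req.credential is not None:
        body = verify_credential(req.credential)
        if body is not None:           # a forged credential yields no groups at all
            groups = set(body["groups"])
    for action, kind, value, port in rules:
        if port != req.dst_port:
            continue
        if kind == "addr" and req.src_addr.startswith(value):
            return action
        if kind == "group" and value in groups:
            return action
    return "deny"


# Hybrid layout of section 2.3.1: the host address is the credential.
ADDRESS_POLICY = parse_policy("permit addr 10.0.0. port 22")
# Layout of section 2.2: identity comes from a signed credential, never from the address.
CREDENTIAL_POLICY = parse_policy("""
permit group admins port 22
permit group staff  port 443
""")


def demo() -> Dict[str, str]:
    admin = issue_credential("alice", ["admins", "staff"])
    staff = issue_credential("bob", ["staff"])
    forged = issue_credential("mallory", ["staff"])
    forged["body"]["groups"] = ["admins"]          # tampered with after signing
    return {
        # a packet claiming an inside address, arriving without any credential
        "spoofed_addr_address_policy": decide(ADDRESS_POLICY, Request("10.0.0.5", 22)),
        "spoofed_addr_credential_policy": decide(CREDENTIAL_POLICY, Request("10.0.0.5", 22)),
        # a road warrior on an outside address, presenting a valid admin credential
        "road_warrior_admin": decide(CREDENTIAL_POLICY, Request("203.0.113.7", 22, admin)),
        "forged_credential": decide(CREDENTIAL_POLICY, Request("203.0.113.7", 22, forged)),
        # a valid credential whose groups do not cover the requested port
        "staff_to_ssh": decide(CREDENTIAL_POLICY, Request("10.0.0.9", 22, staff)),
        "staff_to_https": decide(CREDENTIAL_POLICY, Request("10.0.0.9", 443, staff)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} {verdict}")
```

The first two cases make the paper's point concrete: the address-based policy permits a packet merely because it carries an inside source address, which is exactly what the perimeter router of section 2.3.1 has to compensate for, while the credential-based policy denies it and instead permits the road warrior from an outside address because the decision depends only on the verified identity.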
2.3.4 Personal firewalls

The increasing use of cable and DSL modems and other technologies that give private customers and small companies permanent connections to the Internet has raised the need for deploying firewall technology on single workstations [27]. Although this concept lacks the notion of protecting a network of hosts, that is, the trusted network domain has only one or a few members, policy enforcement is done in a way similar to the criteria discussed and can be seen as a special form of distributed firewall. Current implementations do not take encrypted communication with trusted hosts into account, but given a modular implementation such systems might easily be extended for networked environments and stricter requirements on authentication mechanisms ([20], [18], [26]).

3 Related work and current implementations

Ongoing development and research in the field of firewall technology have shown a continual addition of features and services to conventional firewall systems, as well as new products that apply the concepts of distributed firewalls from the bottom up. The deployment of cryptographic mechanisms in gateway-to-gateway communication has become widely accepted in enterprise-sized firewall technologies and lays the foundation for a desirable, authentication-based enforcement of security policies once extended to the network's end points. Standards like IPsec [13] promise wide acceptance in the developer community, although implementations of virtual private network technology and the like still show deficiencies in compatibility that might prevent the application of their mechanisms in heavily heterogeneous networks. In addition to the general layout discussed in section 2.2, the problem of distributed logging of potentially hostile activity under a central examining mechanism has been addressed by some of the products discussed below, and allows for proper response decisions using intrusion detection systems.
The following implementations illustrate the current availability of distributed firewalls and therefore provide deeper insight into the problems that arise in everyday use of such systems. They have been chosen by the author of this document without any affiliation to the commercial vendors or developers of these products.

1. Reference implementations: In accordance with the concept of distributed firewalls introduced in [2], a reference implementation using IPsec, the KeyNote policy language [6] and additions to OpenBSD [21] has been worked out [12]. Using KeyNote and IPsec allows control of mixed-level policies (e.g. possibly malicious code transfers in e-mails, Java applets, etc.), whereas authentication may be applied through public-key cryptographic certificates, or fall back to conventional network address authentication in their absence. Further changes in the operating system's network code have led to a policy verifying mechanism which is queried by inserting the credentials and the packet or resource request in question into a special file, /dev/policy. Based on the available policy definitions, such a mechanism can return simple yes/no answers, but also allows finer granularity in choosing the appropriate action depending on the application's needs; in the reference implementation this is implemented as a policy daemon in the operating system's user space.

2. Commercial products: Employing host-based firewall systems in its CyberWall PLUS product, Network-1 Security Solutions offers a firewall solution which can be classified as a hybrid model of distributed firewalls as discussed in section 2.3. In addition to the overall requirement of distributed policy control and enforcement on the network domain's end points, the product allows stateful inspection of network connections and single packets, which helps in handling malicious single packets that appear to be part of an already agreed, legitimate connection. Supported network protocols include TCP, UDP, SNMP, IPX, AppleTalk and others; the product offers a variety of application-level inspection mechanisms, handles port scans and allows central gathering of audit logs for later examination or statistics collection. Its validation mechanisms operate in kernel mode and reside between the protocol binding mechanisms and the network device drivers [19].

As an addition to its product line of virtual private network and policy distribution scheme implementations, F-Secure provides a distributed firewall which, in combination with other tools available through the vendor, meets the requirements laid out before. Similar to CyberWall PLUS, in addition to mixed-level policy enforcement, multiple protocols are supported, as well as the processing of audit logs either locally or on a central host. Active responses to possible attacks, however, do not seem to be part of the implementation; support for cryptographic file systems on the telecommuters' hard drives, as well as the integration of malicious code detection systems, allows fine granularity in content-based decisions [11].
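The stateful inspection mentioned for CyberWall PLUS above (and referred to again in section 4.4 via [22]) is the ability to reject a single packet that merely looks like part of an agreed connection. The following Python program is an added example, not vendor code: it runs one constructed packet trace through a stateless rule set, which treats any inbound packet with ACK or RST set as "established", and through a connection tracker that only accepts packets matching a flow the host itself opened. The addresses, ports, the packet trace and the single outbound-443 policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str    # "out": leaves the protected host, "in": arrives from the network
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


# Constructed policy: the host may open TCP connections to port 443 only,
# and nothing may be opened towards it from the network.
ALLOWED_OUTBOUND_PORTS = {443}


def stateless_decide(pkt: Packet) -> str:
    """Stateless approximation: an inbound packet counts as part of an
    'established' connection merely because ACK or RST is set in its header."""
    if pkt.direction == "out":
        return "permit" if pkt.dport in ALLOWED_OUTBOUND_PORTS else "deny"
    return "permit" if pkt.flags & {"ACK", "RST"} else "deny"


class StatefulFilter:
    """Connection tracker: an inbound packet is accepted only if it matches,
    on the full 4-tuple and the handshake state, a flow this host opened."""

    def __init__(self) -> None:
        # (local ip, local port, remote ip, remote port) -> "SYN_SENT" | "ESTABLISHED"
        self.flows: Dict[Tuple[str, int, str, int], str] = {}

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # new connection attempt
                if pkt.dport not in ALLOWED_OUTBOUND_PORTS:
                    return "deny"
                self.flows[key] = "SYN_SENT"
                return "permit"
            if key not in self.flows:
                return "deny"
            if "RST" in pkt.flags:
                del self.flows[key]
            return "permit"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.flows.get(key)
        if state is None:
            return "deny"    # stray packet: no flow of ours, whatever its flags claim
        if state == "SYN_SENT":
            if pkt.flags >= {"SYN", "ACK"}:
                self.flows[key] = "ESTABLISHED"
                return "permit"
            return "deny"
        if "RST" in pkt.flags:
            del self.flows[key]   # peer aborted the connection: forget the flow
        return "permit"


def P(direction, src, sport, dst, dport, *flags) -> Packet:
    return Packet(direction, src, sport, dst, dport, frozenset(flags))


# Constructed packet trace: one legitimate HTTPS connection from 10.0.0.5,
# interleaved with stray packets from an unrelated address.
TRACE: List[Packet] = [
    P("out", "10.0.0.5", 40000, "198.51.100.1", 443, "SYN"),         # connection opened by the host
    P("in", "198.51.100.1", 443, "10.0.0.5", 40000, "SYN", "ACK"),   # peer answers
    P("out", "10.0.0.5", 40000, "198.51.100.1", 443, "ACK"),         # handshake completes
    P("in", "198.51.100.1", 443, "10.0.0.5", 40000, "ACK"),          # data from the peer
    P("in", "203.0.113.9", 443, "10.0.0.5", 40001, "ACK"),           # stray ACK: no such flow
    P("in", "203.0.113.9", 1234, "10.0.0.5", 22, "SYN"),             # inbound connection attempt
    P("in", "198.51.100.1", 443, "10.0.0.5", 40000, "RST"),          # peer tears the flow down
    P("in", "198.51.100.1", 443, "10.0.0.5", 40000, "ACK"),          # packet for a flow that is gone
]


def run_trace(trace: List[Packet] = TRACE) -> List[Tuple[str, str]]:
    """Return (stateless decision, stateful decision) for every packet of the trace."""
    tracker = StatefulFilter()
    return [(stateless_decide(p), tracker.decide(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, run_trace()):
        flags = "+".join(sorted(pkt.flags))
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{flags:7} stateless={stateless:6} stateful={stateful}")
```

The two filters agree on the legitimate connection and on the inbound SYN, but differ on the fifth packet (a stray ACK to a port no flow was opened on) and on the last one (a packet for a flow the peer has already reset): the stateless rule set passes both because the flag bits look right, the tracker rejects both because neither belongs to a connection the host agreed to.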
Sygate Technologies, Inc. provides a distributed firewall through the combination of three interacting modules, bundled as Sygate Secure Enterprise. The policy language allows the definition of rules with parameters such as user, device, application, protocol, time and others, whereas policy groups corresponding to the end points in the network domain can be imported from NT domains or LDAP, or be defined from scratch. No information about the policy distribution scheme is given, but a pulling mechanism seems plausible. In combination with the policy enforcement entity, Sygate Security Agent, and optional cryptography at the network layer, Sygate VPN Enforcer, the product meets the requirements of section 2.2; in addition, centralized audit log management and intrusion detection capabilities are supported. Moreover, policies can be controlled from several hosts, allowing a more distributed scheme of policy management in large networks [25].
4 Protection from common threats

4.1 The reference model for further analysis

Distributed firewalls have both advantages and disadvantages over conventional firewall systems. To learn more about their deficiencies it is useful to inspect possible reactions to actual attacks from adversaries originating outside and inside the network policy domain. We discuss a variety of common threats to which network devices are exposed, probably quite heavily, when there is no protection mechanism between them and an untrusted network. Furthermore, our observation is based on a special case of a distributed firewall: although we make no restrictions on the network's topology in the general case, we can analyze our results more thoroughly in comparison with conventional firewalls by discussing the case where either of the two firewall systems could be applied, that is, when the network topology allows for physical separation of the trusted and untrusted network domain.

4.2 Denial of Service attacks

There is a variety of DoS attacks, and not all can be handled by either concept of firewall system [14]. Although no restrictive assumptions about the overall network topology can be made, it is most likely that a set of hosts inside the network policy domain will be located physically near each other and thus use the same connection to the untrusted network. Neither a conventional firewall nor a distributed one can efficiently prevent DoS attacks on the network's perimeter, although we could emphasize the intentional spread of mission critical hosts over physically separated networks to make such an attack more difficult for an adversary [7]. On the other side, distributed firewalls can behave quite well against DoS attacks which depend on IP spoofing, given the assumption that the authorization mechanisms do not rely on IP addresses as credentials [8].

On the contrary, with the use of a trusted repository for either credentials, policies or both, it should be clear that the network devices employing these mechanisms will be subject to extensive attacks, given the overall dependence of end points on its availability.

4.3 IP spoofing

As discussed in section 2.2, reliance on network addresses is not a favored concept. Using cryptographic mechanisms most likely prevents attacks based on forged source addresses, under the assumption that the trusted repository containing all necessary credentials has not itself been compromised [9]. Conventional firewalls can solve these problems with corresponding rules for discarding packets at the network perimeter, but will not prevent such attacks originating from inside the network policy domain.

4.4 Malicious software

With the spreading use of distributed object-oriented systems like CORBA, client-side use of Java and weaknesses in mail readers and the like, there is a wide variety of threats residing in the application and intermediate level of communication traffic. Firewall mechanisms at the perimeter can be useful by inspecting incoming e-mails for known malicious code fingerprints, but can be confronted with complex, thus resource-consuming, situations when making decisions on other code, like Java [15]. Using the framework of a distributed firewall, and especially a policy language which allows policy decisions at the application level, can circumvent some of these problems, under the condition that the contents of such communication packets can be interpreted semantically by the policy verifying mechanisms. Stateful inspection of packets turns out to be easily adapted to these requirements and allows finer granularity in decision making [22]. Furthermore, malicious code contents may be completely disguised from the screening unit at the network perimeter, given the use of virtual private networks and enciphered communication traffic in general, which can completely disable such policy enforcement on conventional firewalls.

4.5 Malicious hosts "inside"

Given the natural view of a conventional firewall on the network's topology as consisting of an inside and an outside, problems arise once one or more members of the policy network domain have been compromised. Perimeter firewalls can only enforce policies between distinct networks and offer no option to circumvent the problems which arise in this situation. A distributed firewall's independence of topological constraints supports the enforcement of policies whether hosts are members or outsiders of the overall policy domain, and bases its decisions on authentication mechanisms which are not inherent characteristics of the network's layout.
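The dependence on the trusted repository that section 4.2 warns about follows directly from the three distribution schemes of section 2.2. The following Python simulation is an added example, not part of the paper or of any implementation it cites: it models a repository that can be made unreachable, end points using the push, pull-all and pull-lazy schemes, and a fail-closed policy verifier, and records what each end point can still decide once the repository is down and how many credentials each had to store. The policy, the identities, the group names and the scheme names are constructed for the example; credentials are assumed to be already verified (the signature check is not modelled here).

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample policy: group name -> destination ports its members may reach.
POLICY: Dict[str, Set[int]] = {"admins": {22, 443}, "staff": {443}}
# Constructed credential store: identity -> groups. Credentials are taken as
# already verified; signature checking is outside the scope of this example.
CREDENTIALS: Dict[str, Set[str]] = {"alice": {"admins"}, "bob": {"staff"}, "carol": {"staff"}}


class Repository:
    """The trusted repository of section 2.2: the authoritative copy of policy
    and credentials. `available` is set to False to simulate the Denial of
    Service condition of section 4.2."""

    def __init__(self, policy: Dict[str, Set[int]], credentials: Dict[str, Set[str]]) -> None:
        self.policy = policy
        self.credentials = credentials
        self.available = True
        self.requests = 0          # load placed on the repository by end points

    def _check(self) -> None:
        self.requests += 1
        if not self.available:
            raise ConnectionError("repository unreachable")

    def fetch_policy(self) -> Dict[str, Set[int]]:
        self._check()
        return dict(self.policy)

    def fetch_all_credentials(self) -> Dict[str, Set[str]]:
        self._check()
        return dict(self.credentials)

    def fetch_credential(self, identity: str) -> Optional[Set[str]]:
        self._check()
        return self.credentials.get(identity)

    def push(self, endpoints: List["Endpoint"]) -> None:
        """Scheme 1: push policy and every credential to each end point that is
        reachable right now; an unreachable one (a mobile host) gets nothing."""
        for ep in endpoints:
            if ep.online:
                ep.policy, ep.cache = dict(self.policy), dict(self.credentials)


class Endpoint:
    """A policy verifier on one end point. `scheme` is "push", "pull-all"
    (policy and all credentials at initialization) or "pull-lazy" (policy at
    initialization, each credential on first contact with that peer)."""

    def __init__(self, name: str, scheme: str, repo: Repository, online: bool = True) -> None:
        self.name, self.scheme, self.repo, self.online = name, scheme, repo, online
        self.policy: Optional[Dict[str, Set[int]]] = None
        self.cache: Dict[str, Set[str]] = {}     # credentials held locally

    def initialize(self) -> None:
        if self.scheme == "pull-all":
            self.policy = self.repo.fetch_policy()
            self.cache = self.repo.fetch_all_credentials()
        elif self.scheme == "pull-lazy":
            self.policy = self.repo.fetch_policy()
        # a "push" end point waits for the repository to contact it

    def _groups_for(self, identity: str) -> Optional[Set[str]]:
        if identity in self.cache:
            return self.cache[identity]
        if self.scheme == "pull-lazy":
            try:
                groups = self.repo.fetch_credential(identity)
            except ConnectionError:
                return None                  # repository down: the peer stays unknown
            if groups is not None:
                self.cache[identity] = groups
            return groups
        return None

    def decide(self, identity: str, dst_port: int) -> str:
        """Fail closed: no policy, or no credential for the peer, means deny."""
        if self.policy is None:
            return "deny"
        groups = self._groups_for(identity)
        if not groups:
            return "deny"
        return "permit" if any(dst_port in self.policy.get(g, set()) for g in groups) else "deny"


def scenario() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, int]]:
    repo = Repository(POLICY, CREDENTIALS)
    pushed = Endpoint("pushed", "push", repo)
    laptop = Endpoint("laptop", "push", repo, online=False)   # unreachable when the push happens
    full = Endpoint("full", "pull-all", repo)
    lazy = Endpoint("lazy", "pull-lazy", repo)
    repo.push([pushed, laptop])
    for ep in (full, lazy):
        ep.initialize()
    before = {
        "laptop_missed_push": laptop.decide("alice", 22),   # deny: never received a policy
        "lazy_first_contact": lazy.decide("alice", 22),     # permit: credential fetched now
    }
    repo.available = False                                  # repository under attack
    during = {
        "pushed": pushed.decide("bob", 443),                # permit: everything is local
        "full": full.decide("bob", 443),                    # permit: everything is local
        "lazy_cached_peer": lazy.decide("alice", 22),       # permit: cached at first contact
        "lazy_unknown_peer": lazy.decide("bob", 443),       # deny: credential cannot be fetched
    }
    stored = {ep.name: len(ep.cache) for ep in (pushed, full, lazy)}
    return before, during, stored


if __name__ == "__main__":
    print(scenario())
```

The returned `stored` counts show the trade-off the paper describes: the push and pull-all end points keep every credential of the domain and therefore keep working while the repository is unreachable, whereas the lazy end point stores only what it has seen and, failing closed, denies every peer it has not met yet for as long as the repository is down. An implementation that failed open instead would turn the same outage into a way past the policy, which is why `decide` treats an unknown peer as a denial.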
Moreover, compromise of an end point, either by a legitimate user or by an intruder, will not weaken the overall network in a way that leads directly to the compromise of other machines, given that the deployment of virtual private networks prevents sniffing of communication traffic in which the attacked machine is not involved. On the other side, on the end point itself nearly the same problems arise as with conventional firewalls: assuming that a machine has been taken over by an adversary must lead to the conclusion that the policy enforcement mechanisms themselves may be broken. The installation of backdoors on this machine can be done quite easily once the security mechanisms are flawed, and in the absence of a perimeter firewall there is no trusted entity left which might prevent arbitrary traffic entering or leaving the compromised host. Additionally, tools like SSH and the like allow tunneling of other applications' communication, which cannot be prevented without proper knowledge of the decrypting credentials; moreover, once an attack has succeeded, the verifying mechanisms themselves may not be trusted anymore.

5 Conclusions

Distributed firewalls can solve some known and thoroughly discussed problems which arise with the use of conventional firewalls residing at the network's perimeter. Their independence of topological constraints reflects the change in the network organization of enterprises and other organizations more accurately, but demands fundamental changes in the network end points' operating systems. Given that fact, the author of this paper sees most of the problems arising with the employment of distributed firewall mechanisms in the fact that the standardization of integral properties of such systems, such as a policy language, cryptographic encryption of the communication traffic and verifying entities, still lacks the necessary research, which leads to unsuitability for heavily heterogeneous networks. The concept of distributed firewalls is rather new and few reference implementations are available ([1], [12]). Current implementations of such systems are rare at this point in time and show that the overall concept of distributed firewalls is subject to quite different interpretations; moreover, it does not include requirements such as central administration of audit logs and other properties which have been presented in section 3. Reflecting the outcomes of section 4, a combination of conventional and distributed firewalls seems to fulfill most requirements of system administrators and network security engineers, and most likely reflects the layout of networks currently found in practice: conglomerates of end points at the same physical locations, connected via untrusted channels and accessed by telecommuters and mobile workstations.

References

[1] Y. Bartal & A. Mayer & K. Nissim & A. Wool. Firmato: A Novel Firewall Management Toolkit. In Proceedings of the IEEE Computer Society Symposium on Security and Privacy.
[2] S.M. Bellovin. Distributed Firewalls. ;login: magazine, special issue on security, November.
[3] M. Blaze & J. Feigenbaum & J. Lacy. Decentralized Trust Management. In Proc. of the 17th Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos.
[4] M. Blaze & J. Feigenbaum & J. Ioannidis & A.D. Keromytis. The Role of Trust Management in Distributed Systems Security. In Secure Internet Programming: Issues in Distributed and Mobile Object Systems, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York.
[5] M. Blaze & J. Ioannidis & A.D. Keromytis. Trust Management for IPsec. In Proceedings of the Internet Society Symposium on Network and Distributed Systems Security (SNDSS) 2001, San Diego, CA, February.
[6] M. Blaze & J. Feigenbaum & J. Ioannidis. The KeyNote Trust-Management System Version 2. Request for Comments (Proposed Standard) 2704, Internet Engineering Task Force, September 1999.
[7] CERT Advisory CA: Smurf IP Denial-of-Service Attacks.
[8] P. Ferguson & D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. Request for Comments (Best Current Practice) 2827, Internet Engineering Task Force, May 2000.
[9] N. Ferguson & B. Schneier. A Cryptographic Evaluation of IPsec. Counterpane Labs, Counterpane Internet Security.
[10] FreeS/WAN Project.
[11] F-Secure Distributed Firewall, F-Secure Corporation.
[12] S. Ioannidis & A.D. Keromytis & S.M. Bellovin & J.M. Smith. Implementing a Distributed Firewall. In Proceedings of Computer and Communications Security (CCS) 2000, November.
[13] S. Kent & R. Atkinson. Security Architecture for the Internet Protocol. Request for Comments (Proposed Standard) 2401, Internet Engineering Task Force, November 1998.
[14] F. Lau & S.H. Rubin & M.H. Smith & Lj. Trajkovic. Distributed denial of service attacks. In Proceedings of the 2000 IEEE International Conference on Systems, Man, and Cybernetics, Nashville, TN, October.
[15] D.M. Martin Jr. & S. Rajagopalan & A.D. Rubin. Blocking Java Applets at the Firewall. In Proceedings of the Symposium on Network and Distributed System Security, Baltimore, MD, Summer.
[16] D. Maughan & M. Schertler & M. Schneider & J. Turner. Internet Security Association and Key Management Protocol (ISAKMP). Request for Comments (Proposed Standard) 2408, Internet Engineering Task Force, November 1998.
[17] PGPFire ASP, Networks Associates Technology, Inc.
[18] McAfee Firewall, McAfee Consumer Products, Network Associates, Inc.
[19] Network-1 Security Solutions, Inc. Host-Resident Firewalls: Defending Windows NT/2000 Servers and Desktops from Network Attacks.
[20] BlackICE Defender, Network ICE Corporation.
[21] The OpenBSD Project.
[22] U. Roedig & R. Ackermann & C. Rensing & R. Steinmetz. A Distributed Firewall for Multimedia Applications. In Proceedings of the Workshop "Sicherheit in Netzen und Medienströmen", pages 3-16.
[23] C.L. Schuba & I.V. Krsul & M.G. Kuhn & E.H. Spafford & A. Sundaram & D. Zamboni. Analysis of a Denial of Service Attack on TCP. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, May.
[24] C.L. Schuba & E.H. Spafford. A Reference Model for Firewall Technology. In Proceedings of the 13th Annual Computer Security Applications Conference (ACSAC), IEEE Computer Society, San Diego, California, December.
[25] Sygate Technologies, Inc. Sygate Secure Enterprise.
[26] Norton Personal Firewall, Symantec Corporation.
[27] Tina Zych. Personal Firewalls: What are they, how do they work? SANS Institute.
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationHow To Protect Your Network From Attack
Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de
More informationPROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationLecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.
Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations
More informationIndustrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationBuilding A Secure Microsoft Exchange Continuity Appliance
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationNetwork Security Administrator
Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion
More informationComputer Security DD2395
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasak12/ Fall 2012 Sonja Buchegger buc@kth.se Lecture 9 Firewalls (maybe start on Multilevel Security) DD2395 Sonja Buchegger
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationWhat is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?
What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to
More informationComputer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection
More informationCSCI 4250/6250 Fall 2015 Computer and Networks Security
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP
More informationWhat would you like to protect?
Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber
More informationWhat is Firewall? A system designed to prevent unauthorized access to or from a private network.
What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
More informationFirewalls and Network Defence
Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand
More informationWhat is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services
Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and
More informationRSVP as Firewall Signalling Protocol
RSVP as Firewall Signalling Protocol Utz Roedig 1, Manuel Görtz 1, Martin Karsten 1, Ralf Steinmetz 1,2 1 Industrial Process and System Communications, Darmstadt University of Technology, Germany 1 German
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationIPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
More informationInformation Technology Security Guideline. Network Security Zoning
Information Technology Security Guideline Network Security Zoning Design Considerations for Placement of s within Zones ITSG-38 This page intentionally left blank. Foreword The Network Security Zoning
More informationNetwork Security - ISA 656 Application Firewalls
Network Security - ISA 656 Application Angelos Stavrou August 20, 2008 Moving Up the Stack Application Moving Up the Stack Filtering levels Advantages Disadvantages Example: Protecting Email Email Threats
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationWhy Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.
Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationFirewall Architecture
NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationManaging Access Control in Large Scale Heterogeneous Networks
Managing Access Control in Large Scale Heterogeneous Networks Angelos D. Keromytis, Kostas Anagnostakis, Sotiris Ioannidis, Michael B. Greenwald and Jonathan M. Smith Abstract The design principle of maximizing
More informationMicrosoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.
Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc. Foundstone Labs October, 2003 Table of Contents Table of Contents...2 Introduction...3 Scope and Approach...3
More informationNETWORK SECURITY (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information
More informationFirewall Security. Presented by: Daminda Perera
Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More information83-10-41 Types of Firewalls E. Eugene Schultz Payoff
83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system
More information7.1. Remote Access Connection
7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to
More informationNETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationSecurity Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/
Security Design thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Security Design Analysing Design Requirements Resource Separation a Security Zones VLANs Tuning Load Balancing
More informationModule 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 3 Firewalls Specific Instructional Objectives On completion of this lesson, the students will be able to answer: What a firewall is? What are the design goals of Firewalls
More informationBypassing Firewalls: Tools and Techniques
Bypassing Firewalls: Tools and Techniques Jake Hill jah@alien.bt.co.uk March 23, 2000 Abstract This paper highlights a very important problem with network perimeter firewalls. The threat discussed is not
More informationBlackRidge Technology Transport Access Control: Overview
2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service
More informationSECURITY FLAWS IN INTERNET VOTING SYSTEM
SECURITY FLAWS IN INTERNET VOTING SYSTEM Sandeep Mudana Computer Science Department University of Auckland Email: smud022@ec.auckland.ac.nz Abstract With the rapid growth in computer networks and internet,
More informationLink Layer and Network Layer Security for Wireless Networks
Link Layer and Network Layer Security for Wireless Networks Interlink Networks, Inc. May 15, 2003 1 LINK LAYER AND NETWORK LAYER SECURITY FOR WIRELESS NETWORKS... 3 Abstract... 3 1. INTRODUCTION... 3 2.
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationSystem insecurity ± firewalls
Mayur S. Desai Assistant Professor, School of Business, Indiana University Kokomo, Kokomo, Indiana, USA Thomas C. Richards Professor, Business Computer Information Systems Department, The University of
More informationCompany Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
More informationFirewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls
CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationSECURITY ADVISORY FROM PATTON ELECTRONICS
SECURITY ADVISORY FROM PATTON ELECTRONICS Potential Security Vulnerabilities Identified in Simple Network Management Protocol (SNMP) Revision 1.0 For Public Release March 7, 2002 Last Updated March 7,
More informationNetwork Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer
Network Security Chapter 13 Internet Firewalls Network Security (WS 2002): 13 Internet Firewalls 1 Introduction to Network Firewalls (1)! In building construction, a firewall is designed to keep a fire
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More informationWireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com
Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Ground Setting Three Basics Availability Authenticity Confidentiality Challenge
More informationTECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK
TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationCS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013
CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationNEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus
NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus CSCI - 440 Network Security and Perimeter Protection 3-0-3 CATALOG DESCRIPTION This
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationSecuring VoIP Networks using graded Protection Levels
Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn Andreas.Schmidt@bsi.bund.de Abstract
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationAdditional Security Considerations and Controls for Virtual Private Networks
CYBER SECURITY OPERATIONS CENTRE APRIL 2013 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL REFERENCES
More informationFirewall Design Principles Firewall Characteristics Types of Firewalls
Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008
More information8. Firewall Design & Implementation
DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or
More informationPineApp TM Mail Encryption Solution TM
PineApp TM Mail Encryption Solution TM How to keep your outgoing messages fully secured. October 2008 Modern day challenges in E-Mail Security Throughout the years, E-Mail has evolved significantly, emerging
More informationCornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
More informationIINS Implementing Cisco Network Security 3.0 (IINS)
IINS Implementing Cisco Network Security 3.0 (IINS) COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationGuideline on Firewall
CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationSymantec Enterprise Firewalls. From the Internet Thomas Jerry Scott
Symantec Enterprise Firewalls From the Internet Thomas Symantec Firewalls Symantec offers a whole line of firewalls The Symantec Enterprise Firewall, which emerged from the older RAPTOR product We are
More informationCISCO IOS NETWORK SECURITY (IINS)
CISCO IOS NETWORK SECURITY (IINS) SEVENMENTOR TRAINING PVT.LTD [Type text] Exam Description The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification.
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More information