Internet Firewall. CSIS 3230, Spring 2012 (net13). Topics: Firewalls, Stateless and Stateful Packet Filtering, Linux Packet Filtering, Application Gateways, Intrusion Detection, Content Scanning, VPNs and Tunneling
Slide 1

Internet Firewall (CSIS 3230)
- A combination of hardware and software that isolates an organization's internal network from the Internet at large
- Readings: Ch 8.8: Packet filtering, firewalls, intrusion detection; Ch 8.6: VPNs
- Placing a firewall on each external network connection defines a secure perimeter.

Internet Firewall
- Used by a network administrator to manage traffic flow in and out of the internal network
- Implements a security policy and rejects any traffic that doesn't adhere to it
- The primary means of accomplishing this is packet filtering

Firewalls
- Prevent denial-of-service attacks. SYN flooding: the attacker establishes many bogus TCP connections, leaving no resources for real connections
- Prevent illegal modification/access of internal data, e.g., an attacker replaces the CIA's homepage with something else
- Allow only authorized access to the inside network (a set of authenticated users/hosts)
- Three types of firewalls: stateless packet filters, stateful packet filters, application gateways

Stateless Packet Filtering
- Internal network connected to the Internet via a router firewall
- The router filters packet by packet; the decision to forward/drop a packet is based on: source IP and destination IP; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK flags
- Allow arriving packet in? Let departing packet out?

Stateless Packet Filtering: Examples
- Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or destination port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: Block inbound TCP segments with ACK=0. This prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
Slide 2

Stateless Packet Filtering: More Examples (policy and the firewall setting that implements it)
- No outside Web access: drop all outgoing packets to any IP, port 80
- No incoming TCP connections, except those for the institution's public Web server only: drop all incoming TCP SYN packets to any IP except the Web server's address (address lost in transcription), port 80
- Prevent Web radios from eating up the available bandwidth: drop all incoming UDP packets, except DNS and router broadcasts
- Prevent your network from being used for a smurf DoS attack: drop all ICMP packets going to a broadcast address (the slide's example address was lost in transcription)
- Prevent your network from being traceroute'd: drop all outgoing ICMP TTL-expired traffic

Access Control Lists
- ACL: a table of rules, applied top to bottom to incoming packets: (action, condition) pairs
- Used by filtering routers
- The slide's ACL table survives only in part: a "protocol" column with rows for TCP (port >, flag any), UDP (port >), UDP port 53 (port >), and a final row "deny all all all all all all"; the address and port cells were lost in transcription

Stateless Packet Filtering
- A stateless packet filter can admit packets that make no sense, e.g., port = 80 with ACK set, even though no TCP connection has been established

Stateful Packet Filtering
- A stateful firewall allows traffic from inside the network to exit but doesn't allow general traffic from outside to enter
- Outside packets can enter only if they match a request from within the network
- Keeps track of packet flow; maintains information about the recent history of traffic on a connection
- Example: a host requests a page from a web server outside the network. The firewall recognizes the SYN packet from the host and creates a state with the source and destination IP addresses. The web server returns a SYN-ACK, which the firewall allows to pass through. State is maintained until the connection ends.
- Are outside users ever allowed access? Firewalls generally must open ports for incoming traffic to web servers, DNS, ... Create demilitarized zones (DMZ) to isolate these servers from the rest of the network
- Figure: Internet, firewall, trusted internal network, DMZ (http, dns, ...)
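The stateless ACL and the stateful connection table described above, as an added Python example (not code from the course): the ACL is a list of (action, condition) pairs evaluated top to bottom, and the stateful filter re-uses it but only admits an inbound packet that answers a flow an inside host opened. The 10.0.0.0/16 internal prefix, the >1023 ephemeral-port threshold and every address are constructed assumptions, since the slide's own values were lost in transcription. The demo includes the slide's "port 80, ACK set, no connection" packet to show the stateless filter admitting it and the stateful filter rejecting it.

```python
"""Stateless vs. stateful packet filter in the style of the lecture's ACL tables.
Added example; the 10.0.0.0/16 prefix, the >1023 port threshold and every address
are constructed assumptions, since the slide's own values were lost in transcription."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple

INTERNAL = ip_network("10.0.0.0/16")  # assumed institution prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag
    fin: bool = False   # TCP FIN flag


def outbound(p: Packet) -> bool:
    return ip_address(p.src) in INTERNAL and ip_address(p.dst) not in INTERNAL


def inbound(p: Packet) -> bool:
    return ip_address(p.dst) in INTERNAL and ip_address(p.src) not in INTERNAL


# An ACL is a list of (action, condition) pairs, applied top to bottom; the first match wins.
Rule = Tuple[str, Callable[[Packet], bool]]


def example_rules() -> List[Rule]:
    """Examples 1 and 2 from the slide: drop UDP (IP protocol 17) and telnet (port 23)
    in both directions, and drop inbound TCP segments with ACK=0."""
    return [
        ("deny", lambda p: p.proto == "UDP" or 23 in (p.sport, p.dport)),
        ("deny", lambda p: inbound(p) and p.proto == "TCP" and not p.ack),
    ]


def web_dns_acl() -> List[Rule]:
    """The ACL table: inside hosts may fetch web pages and resolve names; everything else is denied."""
    return [
        ("allow", lambda p: outbound(p) and p.proto == "TCP" and p.sport > 1023 and p.dport == 80),
        ("allow", lambda p: inbound(p) and p.proto == "TCP" and p.sport == 80 and p.dport > 1023 and p.ack),
        ("allow", lambda p: outbound(p) and p.proto == "UDP" and p.sport > 1023 and p.dport == 53),
        ("allow", lambda p: inbound(p) and p.proto == "UDP" and p.sport == 53 and p.dport > 1023),
        ("deny", lambda p: True),
    ]


def stateless_filter(p: Packet, acl: List[Rule], default: str = "deny") -> str:
    """Decide on one packet using only its own header fields."""
    for action, cond in acl:
        if cond(p):
            return action
    return default  # policy for packets that match no rule


class StatefulFilter:
    """Same ACL, but an inbound packet must also match a flow that an inside host started."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.table: Set[Tuple] = set()  # (src, sport, dst, dport, proto) of flows opened from inside

    def handle(self, p: Packet) -> str:
        if stateless_filter(p, self.acl) != "allow":
            return "deny"
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if outbound(p):
            if p.fin:                          # state is kept until the connection ends
                self.table.discard(key)
            elif p.proto != "TCP" or p.syn:    # TCP state starts at the SYN; UDP at the first datagram
                self.table.add(key)
            return "allow"
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.table:              # a reply to a request from within
            if p.fin:
                self.table.discard(reverse)
            return "allow"
        return "deny"                          # nothing inside asked for this packet


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic: a real web fetch, then a 'port 80, ACK set' segment with no
    connection behind it. Returns (stateless verdict, stateful verdict) per packet."""
    acl = web_dns_acl()
    sf = StatefulFilter(acl)
    syn = Packet("10.0.1.5", "203.0.113.10", "TCP", 40000, 80, syn=True)
    synack = Packet("203.0.113.10", "10.0.1.5", "TCP", 80, 40000, syn=True, ack=True)
    bogus = Packet("198.51.100.7", "10.0.1.9", "TCP", 80, 5000, ack=True)
    return {name: (stateless_filter(pkt, acl), sf.handle(pkt))
            for name, pkt in (("syn", syn), ("synack", synack), ("bogus", bogus))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running `demo()` shows the two filters agreeing on the SYN and SYN-ACK of a legitimate fetch, and disagreeing on the unsolicited segment: the stateless ACL has no way to tell it from a genuine reply, while the stateful filter denies it because no inside host opened that flow.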
Slide 3

Stateful Packet Filtering
- ACL augmented to indicate the need to check the connection state table before admitting a packet. The slide's table adds a "check connection" column (marked x on the TCP row and on the final "deny all all all all all all" row); its remaining cells were lost in transcription.

Linux Packet Filtering
- The Linux iptables program acts as a packet filter
- Used to design a firewall to protect a single computer
- Filters traffic based on port numbers, addresses, and flags
- Organizes rules into groups called chains; input, output, and forward are built-in chains
- Rules are applied in order; the first match is the one used
- A policy specifies how to handle packets that do not match any rule.

Adding Filtering Rules: Examples
- Accept incoming TCP packets on interface eth0 from any IP destined for a given address (the address was lost in transcription and is shown as <addr>):
    iptables -A INPUT -i eth0 -d <addr> -p TCP -j ACCEPT
- Reject ping packets from a given source (address lost in transcription, shown as <addr>):
    iptables -A INPUT -s <addr> -p icmp -j REJECT

iptables Stateful Rule: Example
- Establish a default policy to drop all incoming traffic:
    iptables --policy INPUT DROP
- Create a rule to accept incoming packets when a connection has already been ESTABLISHED:
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
- This matches packets which belong to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).

Application Gateways
- Filters packets on application data as well as on IP/TCP/UDP fields
- Example: allow select internal users to telnet outside
  1. Require all telnet to go through the gateway.
  2. For authorized users, the gateway sets up a telnet connection to the host. The gateway relays data between the 2 connections.
  3. The router filter blocks all telnet connections not originating from the gateway.
- Figure: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session, router and filter

Intrusion Detection Systems (IDS)
- Monitors all arriving packets and notifies the site administrator if a security violation is detected
- Provides an extra layer of security awareness
- Can be configured to watch for specific types of attacks; examples: scanning, DoS attack
Slide 4

Content Scanning and Deep Packet Inspection
- A firewall only examines fields in a packet's TCP/IP header; it cannot test the payload of a packet for viruses, etc.
- This requires content analysis: file scanning; deep packet inspection (DPI)

Content Scanning
- Takes a file as input and looks for suspicious byte patterns
- Many virus scanners look for strings of bytes known as a fingerprint; virus scanner software searches files for such sequences
- File scanning can make mistakes: false positives and false negatives

Deep Packet Inspection
- Operates on packets: examines the data in the packet payload and includes the header fields
- In many cases, the payload cannot be interpreted without examining fields in the packet header
- The disadvantage of DPI is computational overhead

Virtual Private Networks (VPN)
- Two approaches to building a corporate intranet for an organization with multiple sites: private network connections (confidential); public Internet connections (low cost)
- Virtual private network: achieves both confidentiality and low cost; implemented in software
- VPN software in the router at each site gives the appearance of a private network
- Choose a router at each site to run VPN software; configure the VPN software in each router to know about the VPN routers at the other sites
- VPN software acts as a packet filter; the next hop for an outgoing datagram is another VPN router
- Each outgoing datagram is encrypted; this provides network-layer confidentiality
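Fingerprint-based file scanning as the Content Scanning slide describes it, as an added Python example (not the course's code): a scanner searches a file for known byte sequences and reports each hit. The fingerprints and sample files are constructed and are not real malware signatures. The example also shows both kinds of mistake the slide names (a benign note that happens to quote a fingerprint, and a variant with one byte changed) and, going a step beyond the slide, why a scanner that reads large files in chunks must carry an overlap between reads.

```python
"""Byte-fingerprint file scanning, as the slide describes it. Added example; the
fingerprints and sample files are constructed and are not real malware signatures."""
import io
from typing import BinaryIO, Dict, List, Tuple

# Constructed fingerprints: name -> byte sequence a scanner would look for.
FINGERPRINTS: Dict[str, bytes] = {
    "demo-dropper": b"MZ\x90\x00DEMO_DROPPER_v1",
    "demo-macro": b"Sub AutoOpen()\r\n  Shell(",
}


def scan_bytes(data: bytes, fingerprints: Dict[str, bytes] = FINGERPRINTS) -> List[Tuple[str, int]]:
    """Return (fingerprint name, offset) for every occurrence of every fingerprint in data."""
    hits: List[Tuple[str, int]] = []
    for name, sig in fingerprints.items():
        start = 0
        while True:
            idx = data.find(sig, start)
            if idx == -1:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def scan_stream(fp: BinaryIO, chunk_size: int = 4096,
                fingerprints: Dict[str, bytes] = FINGERPRINTS) -> List[Tuple[str, int]]:
    """Scan a file of any size in fixed-size reads. The tail of each read is carried into
    the next so a fingerprint that straddles a read boundary is still found (a false
    negative a naive chunked scanner would produce)."""
    overlap = max(len(s) for s in fingerprints.values()) - 1
    hits: List[Tuple[str, int]] = []
    carry = b""
    base = 0  # absolute file offset of buf[0]
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for name, idx in scan_bytes(buf, fingerprints):
            hit = (name, base + idx)
            if hit not in hits:  # a match inside the overlap region is seen twice
                hits.append(hit)
        carry = buf[-overlap:] if overlap > 0 else b""
        base += len(buf) - len(carry)
    return hits


def scan_chunked(data: bytes, chunk_size: int) -> List[Tuple[str, int]]:
    """Convenience wrapper so in-memory sample files can be scanned like real ones."""
    return scan_stream(io.BytesIO(data), chunk_size)


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Three constructed files: a true positive, a false positive (an analyst's note that
    quotes the fingerprint) and a false negative (the same dropper with one byte changed)."""
    dropper = b"\x00" * 10 + FINGERPRINTS["demo-dropper"] + b"\x00" * 10
    analyst_note = b"Signature seen in the wild: " + FINGERPRINTS["demo-dropper"] + b"\n"
    variant = dropper.replace(b"_v1", b"_v2")
    return {
        "dropper": scan_chunked(dropper, 16),   # the fingerprint straddles a 16-byte read boundary
        "analyst_note": scan_bytes(analyst_note),
        "variant": scan_bytes(variant),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```

The false positive and false negative fall directly out of matching on bytes alone: the analyst's note is flagged because it contains the sequence, and the variant is missed because one byte differs. The overlap in `scan_stream` is one byte shorter than the longest fingerprint, the minimum that guarantees any occurrence is contained in full in some buffer.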
Slide 5

Tunneling
- We want to encrypt the entire datagram so that the source and destination addresses are not visible on the Internet. How can Internet routers then do proper forwarding?
- Solution: the VPN software encrypts the entire datagram and places it inside another datagram for transmission. This is called IP-in-IP tunneling (encapsulation).
- Example: a datagram from host X at site 1 to host Y at site 2. Router R1 at site 1 encrypts it and encapsulates it in a new datagram for transmission across the public Internet to router R2 at site 2.

VPN: With Encapsulation Security Protocol (ESP)
- Packet layout: IP header | IPsec header | secure payload
- Figure: laptop with IPsec (salesperson in hotel); router with IPv4 and IPsec (headquarters); router with IPv4 and IPsec (branch office)
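The IP-in-IP encapsulation step from the Tunneling slide, as an added Python example (not the course's code): router R1 wraps the complete datagram from X to Y inside a new datagram addressed to R2 with IP protocol number 4, and R2 unwraps it. The host and router addresses are constructed. The example builds and checks real IPv4 headers, including the header checksum, but leaves the inner datagram in the clear; the encryption the slide describes is the part ESP would add on top of this layout.

```python
"""IP-in-IP encapsulation as used by a VPN tunnel. Added example; host and router
addresses are constructed. It builds and parses real IPv4 headers (with the header
checksum) but does not encrypt the inner datagram, which is where ESP would act."""
import struct
from ipaddress import IPv4Address
from typing import Dict

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation
IPPROTO_TCP = 6
HDR_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def header_ok(datagram: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    ihl = (datagram[0] & 0x0F) * 4
    return len(datagram) >= ihl >= 20 and checksum(datagram[:ihl]) == 0


def parse_ipv4(datagram: bytes) -> Dict[str, object]:
    if not header_ok(datagram):
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack(HDR_FMT, datagram[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"src": str(IPv4Address(fields[8])), "dst": str(IPv4Address(fields[9])),
            "proto": fields[6], "ttl": fields[5], "payload": datagram[ihl:fields[2]]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Router R1 wraps the whole inner datagram in a new one addressed to router R2.
    Only the router addresses are visible to Internet routers."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, expected_dst: str) -> bytes:
    """Router R2 checks the outer datagram is for it and carries IP-in-IP, then unwraps it."""
    o = parse_ipv4(outer)
    if o["dst"] != expected_dst or o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel datagram for this router")
    return o["payload"]


def demo() -> Dict[str, str]:
    """Host X (site 1) to host Y (site 2) through routers R1 and R2 (constructed addresses)."""
    inner = build_ipv4("10.1.0.7", "10.2.0.9", IPPROTO_TCP, b"segment from X to Y")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    unwrapped = decapsulate(outer, "203.0.113.1")
    return {"seen_on_internet": f'{parse_ipv4(outer)["src"]} -> {parse_ipv4(outer)["dst"]}',
            "delivered_at_site2": f'{parse_ipv4(unwrapped)["src"]} -> {parse_ipv4(unwrapped)["dst"]}',
            "intact": str(unwrapped == inner)}


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The outer header is what the public Internet forwards on, so routers only ever see R1 and R2; the X and Y addresses travel inside the payload and reappear once R2 strips the outer header. With ESP, the inner datagram in this layout would be encrypted and an IPsec header inserted between the two.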
