Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary



Similar documents
Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Chapter 9 Firewalls and Intrusion Prevention Systems

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Computer Security: Principles and Practice

Firewalls (IPTABLES)

Security Technology: Firewalls and VPNs

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Computer Security DD2395

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

What would you like to protect?

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls CSCI 454/554

Firewall Design Principles Firewall Characteristics Types of Firewalls

Computer Security DD2395

Lecture 23: Firewalls

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Security threats and network. Software firewall. Hardware firewall. Firewalls

Chapter 20. Firewalls

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

CSCI Firewalls and Packet Filtering

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Network Defense Tools

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls. Chien-Chung Shen

Cryptography and network security

Firewall Design Principles

Fig : Packet Filtering

Firewalls. Mahalingam Ramkumar

How To Understand A Firewall

Intranet, Extranet, Firewall

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

CIT 480: Securing Computer Systems. Firewalls

CSE543 - Computer and Network Security Module: Firewalls

How To Protect Your Network From Attack From Outside From Inside And Outside

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

INTRODUCTION TO FIREWALL SECURITY

Polycom. RealPresence Ready Firewall Traversal Tips

Overview. Firewall Security. Perimeter Security Devices. Routers

12. Firewalls Content

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALL AND NAT Lecture 7a

CIT 480: Securing Computer Systems. Firewalls

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

CMPT 471 Networking II

Chapter 7. Firewalls

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Guideline on Firewall

7. Firewall - Concept

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

CIS 433/533 - Computer and Network Security Firewalls

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

CSC574 - Computer and Network Security Module: Firewalls

Tech-Note Bridges Vs Routers Version /06/2009. Bridges Vs Routers

CSCE 465 Computer & Network Security

How To Build A Network Security Firewall

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Firewalls, Tunnels, and Network Intrusion Detection

Internet Privacy Options

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Cisco PIX vs. Checkpoint Firewall

Firewall Environments. Name

Internet Security Firewalls

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

CS Computer and Network Security: Firewalls

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Internet infrastructure. Prof. dr. ir. André Mariën

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Internet Security Firewalls

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls Overview and Best Practices. White Paper

8. Firewall Design & Implementation

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Chapter 11 Cloud Application Development

CS Computer and Network Security: Firewalls

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Voice Over IP and Firewalls

Firewalls. Chapter 3

Chapter 4 Customizing Your Network Settings

ICANWK406A Install, configure and test network security

Transcription:

2 : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex, r2958 1 Contents Firewall of Firewall

4 The Need for Internet connectivity is essential for organisations However it creates a threat are effective means of protecting LANs Protection at single point, rather on every computer within LAN Inserted between the premises network and the Internet to establish a controlled link Used as a perimeter defense Single choke point to impose security and auditing Insulates the internal systems from external networks Credit: Figure 9.1(a) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012 3 Firewall Design Goals All traffic from inside to outside must pass through the firewall Only authorised traffic as defined by the local security policy will be allowed to pass The firewall itself is immune to penetration General Techniques Service control, e.g. filter based on IP address, port number Direction control, e.g. to internal LAN, to external Internet User control, e.g. student vs faculty Behaviour control, e.g. filter email with spam

6 Capabilities and Limitations Capabilities Defines a single choke point Provides a location for monitoring security events Convenient platform for several Internet functions that are not security related Can serve as platform for VPN end point Limitations Cannot protect against attacks bypassing firewall May not protect fully against internal threats Improperly secured wireless LAN can be accessed from outside the organisation Laptop, phone, or USB drive may be infected outside the corporate network then used internally 5 Contents Firewall of Firewall

of Packet Filtering accepts/rejects packets based on protocol headers Stateful Packet Inspection adds state information on want happened previously to packet filtering firewall Application Proxy relay for application traffic Circuit-level Proxy relay for transport connections Normally a firewall is implemented on a router That router may perform other (non-)security functions, e.g. VPN end-point, accounting, address and port translation (NAT) 7 Packet Filtering Firewall Security policy implemented by set of rules Rules define which packets can pass through the firewall inspects each arriving packet (in all directions), compares against rule set, and takes action based on matching rule Default policies: action for packets for which no rule matches Accept (allow, forward) Drop (reject, discard) - recommended Credit: Figure 9.1(b) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012 8

10 Packet Filtering Rules Packet Information IP address: identifies host or network Port number: identifies server, e.g. web (80), email (25) Protocol number: identifies transport protocol, e.g. TCP or UDP Firewall interface: identifies immediate source/destination Other transport, network, data link packet header fields Rules Conditions defined using packet information, direction Wildcards (*) support to match multiple values Actions typically accept or drop List of rules processed in order 9 Example Packet Filtering Software In operating systems: iptables (Linux), ipfw (Mac OSX), pf (BSD), Windows Firewall Standalone software: Comodo, Kaspersky, Norton, ZoneAlarm, Check Point,... Appliances Firewall included in most consumer and enterprise routers Dedicated hardware: Cisco ASA/PIX, Dell SonicWALL, HP, Barracuda, Juniper,... Dedicated software distributions: pfsense, Monowall, Smoothwall, ClearOS, Untangle, IPCop,...

12 Issues with Packet Filtering Advantages Simplicity Transparent to users Very fast Disadvantages Cannot prevent attacks that employ application specific vulnerabilities or functions Limited logging functionality Do not support advanced user authentication Vulnerable to attacks on TCP/IP protocol bugs Improper configuration can lead to breaches 11 Stateful Packet Inspection Traditional packet filtering firewall makes decisions based on individual packets; don t consider past packets (stateless) Many applications establish a connection between client/server; group of packets belong to a connection Often easier to define rules for connections, rather than individual packets Need to store information about past behaviour (stateful) Stateful Packet Inspection (SPI) is extension of traditional packet filtering firewalls Issues: extra overhead required for maintaining state information

Stateful Packet Inspection For connections accepted by packet filtering firewall, record connection information src/dest IP address, src/dest port, sequence numbers, connection state (e.g. Established, Closing) Packets arriving that belong to existing connections can be accepted without processing by firewall rules Credit: Figure 9.1(c) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012 13 Application Proxy Also called Application-level Gateway Acts as a relay of application-level traffic User contacts gateway using a TCP/IP application Gateway contacts application on remote host and relays TCP segments between server and user Must have proxy code for each application; may restrict application features supported Tend to be more secure than packet filters Disadvantage is the additional processing overhead on each connection Credit: Figure 9.1(e) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012 14

16 Circuit-level Proxy Firewall Also called Circuit-level Gateway Sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host Relays TCP segments from one connection to the other without examining contents Security function consists of determining which connections will be allowed Typically used when inside users are trusted May use application-level gateway inbound and circuit-level gateway outbound; lower overheads Credit: Figure 9.1(e) in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012 15 Contents Firewall of Firewall

18 Firewall can be located on hosts: end-users computers and servers With large number of users, firewalls located on network devices that interconnect internal and external networks Common to separate internal network into two zones: 1. Public-facing servers, e.g. web, email, DNS 2. End-user computers and internal servers, e.g. databases, development web servers Public-facing servers put in De-Militarised Zone (DMZ) 17 DMZ with 1 or 2 Credit: Pbroks13/Sangre Viento, Wikimedia Commons, Public Domain

20 Example DMZ with 2 Credit: Figure 9.3 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012 19 Contents Firewall of Firewall

22 Key Points Firewall controls traffic into and out of a network (or computer) Control based on services, direction, user and behaviour Packet filtering: accept/reject packets based on headers Stateful packet inspection: keep track of past connections Proxy firewalls: relay application or connection traffic 21 Security Issues Complexity and human error: writing firewall rules that implement the security policy is difficult for large networks Bypassing security policies using tunnels Bypassing firewalls using other networks (WiFi, mobile) or devices (laptop, USB)

Areas To Explore Deep Packet Inspection 23

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information