CSCI 7000-001 Firewalls and Packet Filtering



Similar documents
Firewalls (IPTABLES)

Security Technology: Firewalls and VPNs

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Computer Security: Principles and Practice

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Computer Security DD2395

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Chapter 20. Firewalls

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

CSCE 465 Computer & Network Security

Cryptography and network security

Chapter 9 Firewalls and Intrusion Prevention Systems

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewalls CSCI 454/554

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Internet Security Firewalls

Proxy firewalls.

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

CMPT 471 Networking II

Internet Security Firewalls

12. Firewalls Content

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Overview. Firewall Security. Perimeter Security Devices. Routers

Security threats and network. Software firewall. Hardware firewall. Firewalls

Firewall Firewall August, 2003

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

IP Filter/Firewall Setup

How To Understand A Firewall

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Proxy Server, Network Address Translator, Firewall. Proxy Server

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

+ iptables. packet filtering && firewall

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Firewalls and System Protection

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Lecture 23: Firewalls

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Types of Firewalls E. Eugene Schultz Payoff

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Firewalls. Network Security. Firewalls Defined. Firewalls

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewall implementation and testing

Firewalls and Intrusion Detection

Firewalls. Chien-Chung Shen

allow all such packets? While outgoing communications request information from a

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Cisco PIX vs. Checkpoint Firewall

Topics NS HS12 2 CINS/F1-01

Application Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Chapter 8 Security Pt 2

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

Chapter 6: Network Access Control

1. Firewall Configuration

Firewalls, Tunnels, and Network Intrusion Detection

CIT 480: Securing Computer Systems. Firewalls

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Introduction of Intrusion Detection Systems

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Network Security - ISA 656 Application Firewalls

- Introduction to Firewalls -

IP Filtering for Patton RAS Products

Intranet, Extranet, Firewall

F-SECURE MESSAGING SECURITY GATEWAY

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewalls. Chapter 3

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Firewall Defaults and Some Basic Rules

CSE543 - Computer and Network Security Module: Firewalls

Packet filtering and other firewall functions

Computer Security DD2395

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Chapter 8 Network Security

Fig : Packet Filtering

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSC574 - Computer and Network Security Module: Firewalls

Maruleng Local Municipality

Transcription:

CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On the other hand, if I were in charge of a corporate network, I d never consider hooking up to the Internet without one. And if I were looking for a likely financially successful security product to invest in, I d pick firewalls. Charlie Kaufmann 1 What is a Firewall? A firewall is a computer that: is topologically between a (inside) network and the (outside) rest of the Internet protects the inside network from attacks coming from the outside. inside Internet outside firewall 2 Firewall design principles and assumptions all traffic from the inside to the outside, and vice-versa, must go through the firewall the firewall filters (i.e., drops) network traffic according to some policy. The policy is expressed by a configurable set of rules. the firewall itself must be immune to penetration and denial-of-service attacks. 1

3 Why firewalls are needed/good? firewalls are not needed. In theory inside systems can implement very good security inside systems can be made just as secure as a firewall with good application management, system administration, and audit firewall security is actually very primitive. System-specific security can solve a lot more problems than the ones addressed by a firewall. firewalls are very convenient. In practice applications contain, and will always contain, an enormous amount of bugs, most of which translate into vulnerabilities it is a pain in the neck to design and implement secure applications. It does make sense to ignore security in many cases. A firewall allows you to ignore security to a large extent. application management, system administration, and audit are a cost a firewall is a single choke point, therefore it allows easier (cheaper) administration and audit a firewall performs a very simple function (it applies simple filtering rules), therefore it can be a simple piece of software, therefore it will contain less bugs than any other system inside a firewall is a good place to put other network-, but not necessarily securityrelated services (DNS, web cache, etc.) 4 Fundamental limitations of firewalls It is important to understand the fundamental limitations of firewalls often there are ways to bypass the firewall. That is, you can get to the inside network without going through the firewall. Examples: dial-in connections wireless networks reaching outside secure physical perimeter malicious or naive insiders viruses. A firewall can not possibly scan data at every level, therefore it is always possible for an attacker to send malicious code through some allowed data channel (e-mail, web, etc.) 2

5 Types of firewalls packet filter a packet filter applies a set of rules to each incoming and outgoing IP packet. Filter rules are typically based on values in the IP header field and/or values in higher-level headers (e.g., TCP or UDP). The only thing a packet filter can do is drop packets application-level gateway a.k.a. proxy circuit-level gateway this is what we would call a tunnel server. An example of a circuitlevel gateway is the SOCKS package. Note that SOCKS connections are not encrypted bastion host a platform for application-level or circuit-level gateways. 6 Combination of firewalls Different types of firewalls or multiple firewalls can work together: multiple firewalls can be used for the inside network, to create separate sub-domains with different levels of security protections. This is obviously a coarse-grained subdivision mechanism because it relies on topological separation. in most cases, application-level gateways are combined with packet filters 7 Defining policies with packet filters Packet filters allow the enforcement of policies based on filtering rules. The most typical form of rule uses source and destination (IP) address type of protocol the source and destination port (for TCP or UDP) IP or TCP flags 8 Packet filters: examples block * * inside 1023 TCP SYN This rule blocks all incoming TCP connections to non-privileged ports. 3

allow * * mailer.inside 25 TCP SYN block * * inside 25 TCP SYN This rule blocks all incoming TCP connections to port 25 for all hosts, except for the mailer host. allow * * mailer.inside 25 TCP block * * inside 25 TCP This rule blocks all incoming TCP traffic to port 25 for all hosts, except for the mailer host. block inside * outside 80 TCP SYN This rule blocks all outgoing TCP connections to port 80. block * * * * UDP This rule blocks all UDP traffic. 9 Methodology It is good to follow good software engineering practices when setting up a firewall or a set of firewalls specification: policy definition design testing configuration management, and maintenance 10 Examples using IP Filter 10.1 basic concepts block in all block out all 4

sets up defaults: block all traffic # pass packets from host firewall to any destination pass in from firewall to any The action is either block or pass. The direction is either in, packets entering this (firewall) host, or out for packets that this host is sending out. 10.2 rule processing and precedence Rules are stored in a configuration file, and are processed top to bottom. The last matched rule applies. The idea is to express rules starting from the most generic to the most specific. You can short-circuit the evaluation with the quick keyword, so for example: block in quick all block out all pass in from firewall to any would cause the evaluation of the rule set to terminate as soon as the first rule is matched. 10.3 specifying interfaces You can apply rules to specific interfaces: block in on eth0 from localhost to any drops all inbound packets from localhost coming from eth0. 10.4 specifying addresses and networks host and network addresses and specified in the intuitive way: block in on eth0 from mynet/26 to any blocks packets coming from a subnet defined by the address of mynet with a 26 bit mask. block in on eth0 from mynet/255.255.255.192 to any same effect, but this time we explicitly give a mask block in on eth0 from myhost to any the default mask is /32 or 255.255.255.255. Of course, you can specify destination addresses in the same way block out quick on eth0 from any to 192.168.0.0/16 block out quick on ppp0 from any to 172.16.0.0/12 block out quick on ppp0 from any to host.foo.bar 5

10.5 specifying protocols # block in on eth0 proto icmp all block all incoming ICMP packets pass in on eth0 proto 4 all allow all IP packets carrying protocol 4 (encapsulated IP) 10.6 options and ports block in on eth0 proto tcp/udp from nastyhost to any blocks UDP and TCP coming from nastyhost. pass in quick on eth0 proto icmp from any to any icmp-type 0 block in quick on eth0 proto icmp from any to any allows ICMP packets with ICMP type 0 (ECHO_REPLY) block out quick on eth1 proto tcp from any to any port = 23 the above rule blocks all outgoing TCP traffic to port 23 (Telnet). 10.7 logging packets block in log quick on ppp0 from 20.20.20.0/24 to any if matched, the above rule drops the packet and logs it. You can also log passed traffic: pass in log quick on eth0 from host.net.bla to any 11 Evaluation of Packet Filters does it filter inbound or outbound traffic, or both? what subset of attributes can you check? Protocol, source address, destination address, source port, destination port, etc. can you filter on established connections? how are other protocol handled? (protocols other than TCP and UDP?) For example, can you filter routing protocols? In which directions? 6

can you filter on arbitrary bit fields? evaluate the filter language. For example, can you control the order of application of filtering rules. what kind of auditing capabilities do you have? Can you log rejected packets? 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information