CEN 448 Security and Internet Protocols, Chapter 20: Firewalls



CEN 448 Security and Internet Protocols
Chapter 20: Firewalls
Dr. Mostafa Hassan Dahshan
Computer Engineering Department, College of Computer and Information Sciences, King Saud University
mdahshan@ccis.ksu.edu.sa

Firewalls
- Internet connectivity is essential to the organization
- The Internet provides benefits, but it also enables outsiders to reach local resources
- Not practical to secure all workstations
- The alternative is a firewall
  - inserted between the local network and the Internet
  - a single choke point at which to impose security and auditing

Design Goals
- All traffic must pass through the firewall, from inside to outside or from outside to inside
  - block all access to the LAN except through the firewall
- Only authorized traffic is allowed to pass
  - defined by the security policy
- The firewall is immune to penetration
  - must run a secure operating system
  - access control must be defined

Capabilities
- Single choke point
  - simplifies security management
  - provides protection from various attack types
- Monitoring of security-related events
  - implement audits and alarms
- Can provide non-security-related services
  - DNS, network management
- Platform for IPSec
  - using tunnel mode, or to implement a VPN

What Firewalls Cannot Protect Against
- Attacks that bypass the firewall
  - dial-out or dial-in service inside the LAN
  - violates the single-choke-point rule
- Internal threats
  - a disgruntled employee cooperating with an attacker
- Transfer of virus-infected programs
  - various types of operating systems; impossible to scan all file types

Types of Firewalls
- Packet-filtering router
- Stateful inspection firewall
- Application-level gateway
- Circuit-level gateway

Packet-Filtering Routers
- Apply a set of rules to each incoming or outgoing IP packet
- The packet is then forwarded or discarded
- Filtering rules are based on
  - source IP address: e.g., 192.168.1.1
  - destination IP address: e.g., 192.168.1.2
  - transport protocol: TCP, UDP, DCCP, SCTP
  - transport port number
  - interface: inside, outside, or multiple interfaces

Packet-Filtering Routers
- The filter is set up as a list of rules
- Rules match fields in the IP or TCP header
- If the packet matches one of the rules, that rule is invoked
- If no rule matches, the default rule applies
- The default rule can be either
  - deny: discard all packets except those permitted by a rule
  - permit: forward all packets except those denied by a rule

Packet Filtering Examples
- Inbound mail is allowed, but only to the gateway host
- Packets from the SPIGOT host are blocked
  - SPIGOT has a history of sending massive amounts of email

Packet Filtering Examples
- Explicit statement of the default policy
- Conservative approach: everything is blocked
  - services must be added on a case-by-case basis
  - more secure, but inconvenient for users
- With default allow, the admin must identify all threats

Packet Filtering Examples
- Any inside host can send mail to the outside
  - TCP packets with remote port 25 are allowed
- Problems
  - some SMTP servers may not use the default port 25
  - an attacker can run a different service on port 25
  - an attacker can send packets using source port 25

Packet Filtering Examples
- Solve these problems with rule set C
- Take advantage of the TCP ACK flag, which is set in replies to a locally established connection
  - allow packets from a local host with destination port 25
  - allow incoming packets from port 25 only if ACK is set: these are only replies to local connections

Packet Filtering Examples
- Allow packets originated internally
  - reply packets to a connection initiated internally
  - packets destined to a high-numbered port on an internal host
- Most servers use low-numbered ports (< 1024)
  - most attack targets are in this range
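As an added example (not part of the lecture slides), a small Python stateless packet filter with first-match semantics and an explicit default policy, loaded with rule set C as described above; the packets, addresses and port numbers are constructed. Evaluating the same probe under default deny and default permit shows why the slides call default deny the conservative choice.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Only the header fields a stateless filter can see (IP + TCP header)."""
    direction: str   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ack: bool = False  # TCP ACK flag

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    direction: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack: Optional[bool] = None     # None means "don't care" for any field

    def matches(self, p: Packet) -> bool:
        fields = ("direction", "src_port", "dst_port", "ack")
        return all(getattr(self, f) is None or getattr(self, f) == getattr(p, f)
                   for f in fields)

def filter_packet(p: Packet, rules: List[Rule], default: str = "deny") -> str:
    """The first matching rule is invoked; if none matches, the default rule applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Rule set C from the slides: outbound to port 25; inbound from port 25 only with ACK set.
RULE_SET_C = [
    Rule("permit", direction="out", dst_port=25),
    Rule("permit", direction="in", src_port=25, ack=True),
]

# Constructed sample packets (documentation address ranges, not real hosts).
OUTBOUND_SMTP = Packet("out", "192.168.1.10", "203.0.113.5", 40000, 25)
SMTP_REPLY = Packet("in", "203.0.113.5", "192.168.1.10", 25, 40000, ack=True)
# A connection attempt (SYN, no ACK) sent from source port 25 towards an internal port:
# the third problem on the slide; the ACK condition in rule C keeps it out.
SRC_PORT_25_PROBE = Packet("in", "203.0.113.9", "192.168.1.10", 25, 22)

def decisions(default: str = "deny") -> dict:
    """Evaluate the three sample packets under rule set C with the given default policy."""
    return {name: filter_packet(p, RULE_SET_C, default)
            for name, p in (("outbound_smtp", OUTBOUND_SMTP),
                            ("smtp_reply", SMTP_REPLY),
                            ("src_port_25_probe", SRC_PORT_25_PROBE))}
```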

Packet Filtering Firewalls
- Advantages
  - simple: few variables
  - fast: only checks TCP/IP headers
  - transparent to users
- Disadvantages
  - cannot prevent application-level attacks
  - vulnerable to attacks on problems within TCP/IP
  - few variables: possible weak configurations

Attacks on Packet-Filtering Routers
- IP address spoofing
  - use a fake source IP address (e.g., an internal IP)
  - goal: penetrate source-address-based security
  - countermeasure: discard packets arriving on the external interface with an internal IP address as source
- Source routing attacks
  - source routing overrides the routing decision
  - goal: allow the packet to get into the private IP network
  - countermeasure: discard packets carrying this option
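An added illustration, not from the lecture, of the countermeasures on this slide together with the tiny-fragment countermeasure on the next one: the pre-checks a router applies to a packet before consulting its rule list. The internal address block, the 20-byte minimum (the size of a minimal TCP header) and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: the address block of the protected LAN behind the router.
INTERNAL_NETS = [ip_network("192.168.1.0/24")]
# Constructed threshold: a first fragment must carry at least a minimal TCP header
# (20 bytes) so that the port-based rules can be applied to it.
MIN_FIRST_FRAGMENT_BYTES = 20

@dataclass(frozen=True)
class IPPacket:
    interface: str               # "outside" or "inside": interface the packet arrived on
    src_ip: str
    source_routed: bool = False  # IP source-routing option present
    fragment: bool = False       # part of a fragmented datagram
    frag_offset: int = 0         # 0 marks the first fragment
    payload_len: int = 0         # bytes of transport data carried in this fragment

def check_packet(p: IPPacket) -> Optional[str]:
    """Apply the three countermeasures from the slides. Returns the reason the
    packet is discarded, or None when it may proceed to the normal rule list."""
    # IP address spoofing: an internal source address cannot legitimately arrive from outside
    if p.interface == "outside" and any(ip_address(p.src_ip) in net for net in INTERNAL_NETS):
        return "internal source address on external interface"
    # Source routing would override the router's own forwarding decision
    if p.source_routed:
        return "source routing option present"
    # Tiny fragment: a first fragment too small to contain the transport header
    if p.fragment and p.frag_offset == 0 and p.payload_len < MIN_FIRST_FRAGMENT_BYTES:
        return "first fragment smaller than minimum"
    return None

def run_samples() -> dict:
    """Constructed packets exercising each check, plus one fragmented packet that passes."""
    samples = {
        "spoofed": IPPacket("outside", "192.168.1.20"),
        "source_routed": IPPacket("outside", "203.0.113.7", source_routed=True),
        "tiny_fragment": IPPacket("outside", "203.0.113.7", fragment=True, frag_offset=0, payload_len=8),
        "normal": IPPacket("outside", "203.0.113.7", fragment=True, frag_offset=0, payload_len=40),
    }
    return {name: check_packet(p) for name, p in samples.items()}
```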

Attacks on Packet-Filtering Routers
- Tiny fragment attacks
  - use IP fragmentation to create very small fragments
  - force the transport header into a separate fragment
  - goal: circumvent filtering rules based on the transport header
  - countermeasure: enforce a minimum fragment size that holds a predefined minimum amount of the transport header

Stateful Inspection Firewalls
- Simple packet filtering is based only on individual packets
- TCP sessions involve multiple connections
- A simple packet filter must allow all inbound traffic on ports 1024-65535
  - this can create a vulnerability
- Stateful packet inspection (SPI)
  - maintains a directory of established connections
  - only allows inbound packets that belong to an existing session
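As an added example (not part of the slides), a minimal stateful inspection table in Python: outbound SYNs from the LAN create entries, and inbound segments are permitted only when they match one, so no blanket rule for ports 1024-65535 is needed. The traffic, addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Segment:
    """A TCP segment as seen by the firewall: addresses, ports and the SYN/ACK flags."""
    direction: str   # "out" = local host -> Internet, "in" = Internet -> local host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False

# A connection is identified from the inside: (local ip, local port, remote ip, remote port)
ConnKey = Tuple[str, int, str, int]

class StatefulFilter:
    """Directory of sessions initiated internally; inbound traffic is permitted
    only when it belongs to one of them, whatever the destination port."""

    def __init__(self) -> None:
        self.table: Set[ConnKey] = set()

    def _key(self, s: Segment) -> ConnKey:
        if s.direction == "out":
            return (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        return (s.dst_ip, s.dst_port, s.src_ip, s.src_port)

    def decide(self, s: Segment) -> str:
        key = self._key(s)
        if s.direction == "out":
            if s.syn and not s.ack:
                self.table.add(key)   # outbound SYN: a new session initiated internally
            return "permit"
        # inbound: only segments of an existing session pass, even on ports 1024-65535
        return "permit" if key in self.table else "deny"

def demo() -> Dict[str, str]:
    """Constructed traffic: an inside host opens an SMTP connection, the server replies,
    then an unrelated outside host sends an ACK segment from port 25 to a high port.
    Only the segment recorded in the state table is let back in."""
    fw = StatefulFilter()
    syn = Segment("out", "192.168.1.10", 40000, "203.0.113.5", 25, syn=True)
    reply = Segment("in", "203.0.113.5", 25, "192.168.1.10", 40000, syn=True, ack=True)
    unsolicited = Segment("in", "203.0.113.9", 25, "192.168.1.10", 41000, ack=True)
    return {"syn": fw.decide(syn), "reply": fw.decide(reply),
            "unsolicited": fw.decide(unsolicited)}
```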

Stateful Inspection Firewalls

Application-Level Gateway
- Also called a proxy server
- Acts as a relay of application-level traffic
- The local host contacts the gateway
  - provides authentication information
  - provides remote host information
- The gateway contacts the remote host
  - the application service must be supported by the gateway
  - relays TCP segments between the local and remote hosts

Application-Level Gateway
- Advantages
  - more secure than a packet filter
  - restricts traffic to a few allowable applications and services
  - can protect at the application level
- Disadvantage
  - additional processing overhead: maintains two spliced connections

Circuit-Level Gateway
- Can be standalone or part of an application gateway
- Shim layer between the application and transport layers
- No direct end-to-end TCP connection; two separate TCP connections
  - one between the inside host and the gateway
  - one between the gateway and the outside host
- Once set up, doesn't filter individual packets
- Security lies in deciding which connections to allow

Bastion Host
- Also called demilitarized zone (DMZ)
- Computer host or network inserted between the internal network and the Internet
- Provides a service interface to outside users (web, email, FTP)
- Prevents outside users from getting direct access to the company's data
- Strong point in the security of the network
- Platform for application-level and circuit-level gateways

Bastion Host
DMZ or Bastion Host. Source: en.wikipedia.org/wiki/demilitarized_zone_(computing)

Bastion Host Characteristics
- Runs a secure operating system
- Must not contain sensitive data
- Only essential services installed, as determined by the admin
  - e.g., SSH, DNS, FTP, SMTP, authentication
- May require authentication, also for each proxy
- Each proxy allows access to specific hosts
- Each proxy maintains audit information and logs all connections

Firewall Configurations
- Screened host firewall, single-homed bastion
- Screened host firewall, dual-homed bastion
- Screened-subnet firewall

Screened Host Firewall, Single-Homed Bastion Host
- Consists of two systems
  - packet-filtering router
  - bastion host: proxy, authentication
- IP packets from the Internet are only allowed to the BH
- IP packets to the Internet are only allowed from the BH
- Advantages
  - both packet-level and application-level filtering: 2 layers of security
  - flexibility: public access for a web/information server

Screened Host Firewall, Dual-Homed Bastion Host
- Two separate subnets
- The BH has two network interfaces
- Two levels of defense: router, BH
- Protects internal hosts if the router is compromised
- Also has the same features as the previous configuration

Screened-Subnet Firewall
- Two packet-filtering routers
- Creates an isolated subnet containing the BH
  - may also contain modems and public servers
  - can be accessed from the Internet or from the internal net
  - through traffic is blocked
- Advantages
  - three levels of defense: router, BH, router
  - the internal network is invisible to the Internet
  - the Internet is invisible to the internal network

Finally
- The most secure computer is one which is disconnected from the network, AND TURNED OFF!

Additional References
- Microsoft Security Bulletin (MS99-038), www.microsoft.com/technet/security/bulletin/fq99-038.mspx
- Stateful Inspection Firewall, www.juniper.net/products/integrated/stateful_inspection_firewall.pdf
- Doug Lowe, Networking All-in-One Desk Reference For Dummies, ISBN 0764599399, books.google.com/books?id=gngdds-1oekc
- Home Computer Security Glossary, www.cert.org/homeusers/homecomputersecurity/glossary.html
- Syngress et al., The Best Da*n Firewall Book Period, ISBN 1931836906, books.google.com/books?id=q7rlxtilosec