FIREWALL AND NAT Lecture 7a




FIREWALL AND NAT
Lecture 7a
COMPSCI 726 Network Defence and Countermeasures
Muhammad Rizwan Asghar
August 3, 2015
Source of most of slides: University of Twente

FIREWALL
- An integrated collection of security measures designed to control the flow of traffic into and out of a network
- Similar to firewalls in building construction
  - Both are intended to isolate one "network" or "compartment" from another
- A firewall protects from general probes and many attacks

FIREWALL POLICIES
- To protect private networks and individual devices from the dangers of the Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies
[Figure: firewall policies enforced between the trusted internal network and the untrusted Internet]

FIREWALL POLICIES: APPROACHES
Two approaches to creating firewall policies:
- Blacklist approach (default-allow)
  - All packets are allowed through except those that fit the rules defined specifically in a blacklist
  - Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall
  - Cons: unexpected forms of malicious traffic could go through
- Whitelist approach (default-deny)
  - Packets are dropped or rejected unless they are specifically allowed by the firewall
  - Pros: a safer approach to defining a firewall ruleset
  - Cons: must consider all possible legitimate traffic in rulesets

FIREWALLS: WHAT SYSTEM?
- Network
- Personal

NETWORK FIREWALLS
[Figure: network firewall between the Internet and the internal hosts; ports 25, 80 and 445 shown on the internal side, 25 and 80 permitted through]

PERSONAL FIREWALLS
- Runs on the computer of the user
- Same filtering capabilities as a network firewall
- The filter may also distinguish between computer programs (e.g. abcd.exe)

FIREWALLS: WHAT PROTOCOL LEVEL?
- Network level
- Transport level
- Application level

NETWORK LEVEL FIREWALLS
- Filter on IP header fields
  - Source IP address
  - Destination IP address
  - Type of transport protocol

TRANSPORT LEVEL FIREWALLS
- Filter additionally on TCP header fields
  - Source port
  - Destination port
  - Flags (SYN, ACK), e.g. "established"

APPLICATION LEVEL FIREWALLS
- Inspects the contents of packets
- May filter certain websites
- The firewall may accept only trusted connections
- Logging of accepted connections is easy
- Performance may be problematic
- Since this type of firewall is quite complex, it may become a security risk itself

FIREWALLS: WHAT KNOWLEDGE?
- Stateless
- Stateful

STATELESS FIREWALLS
- Treats each packet in isolation
  - Has no memory of previous packets
  - For each packet, the firewall rules are checked again
- Easy to implement
- Very efficient
- Cannot easily handle protocols that use random ports
  - For instance, FTP

STATELESS FIREWALLS
Example rulesets:

action  src         port  dest  port   flags  comment
allow   {our-host}  *     *     25            Our packets to their SMTP port
allow   *           25    *     *      ACK    Their replies

action  src         port  dest  port   flags  comment
deny    {ATTACK}    *     *     *             Deny traffic from this address

action  src         port  dest  port   flags  comment
allow   {our-host}  *     *     *             Our outgoing calls
allow   *           *     *     *      ACK    Replies to our calls
allow   *           *     *     >1024         Traffic to non servers
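The rule tables above, evaluated by a small stateless packet filter. This is an added example written for this page, not code from the lecture or from the University of Twente material. The rules are the slide's own; the IP addresses standing in for {our-host} and {ATTACK} are constructed, as are the sample packets. Because each packet is judged on its own, the "Their replies" rule matches any packet that merely carries the ACK flag from port 25, whether or not a connection exists, which is the limitation that motivates the stateful firewalls on the next slides.

```python
"""Stateless packet filter evaluating the rule tables from the slide.

Added example, not part of the lecture slides. "{our-host}" and "{ATTACK}"
are the slide's symbolic placeholders; the addresses below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    sport: int               # source port
    dst: str                 # destination IP address
    dport: int               # destination port
    flags: FrozenSet[str]    # TCP flags present, e.g. frozenset({"ACK"})


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str = "*"           # IP address or "*"
    sport: str = "*"         # "*", an exact port, or ">N"
    dst: str = "*"
    dport: str = "*"
    flags: str = ""          # a flag that must be set; "" = don't care
    comment: str = ""


def port_matches(pattern: str, port: int) -> bool:
    """Match a port against "*", an exact number, or ">N"."""
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.src in ("*", pkt.src)
        and port_matches(rule.sport, pkt.sport)
        and rule.dst in ("*", pkt.dst)
        and port_matches(rule.dport, pkt.dport)
        and (rule.flags == "" or rule.flags in pkt.flags)
    )


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; no memory of earlier packets is kept,
    which is the defining property of a stateless filter. The default
    verdict implements the whitelist (default-deny) approach."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


OUR_HOST = "192.0.2.10"     # constructed address standing in for {our-host}
ATTACK = "198.51.100.66"    # constructed address standing in for {ATTACK}

# First table on the slide: our mail out, their replies back.
SMTP_RULES = [
    Rule("allow", src=OUR_HOST, dport="25", comment="Our packets to their SMTP port"),
    Rule("allow", sport="25", flags="ACK", comment="Their replies"),
]

# Second and third tables: block one address, then the "established" idiom.
GENERAL_RULES = [
    Rule("deny", src=ATTACK, comment="Deny traffic from this address"),
    Rule("allow", src=OUR_HOST, comment="Our outgoing calls"),
    Rule("allow", flags="ACK", comment="Replies to our calls"),
    Rule("allow", dport=">1024", comment="Traffic to non servers"),
]


def demo() -> dict:
    """Run constructed sample packets through the two rulesets."""
    mail_out = Packet(OUR_HOST, 40000, "203.0.113.5", 25, frozenset({"SYN"}))
    mail_reply = Packet("203.0.113.5", 25, OUR_HOST, 40000, frozenset({"ACK"}))
    probe = Packet(ATTACK, 1234, OUR_HOST, 22, frozenset({"SYN"}))
    # ACK-flagged packet from port 25 of a host we never contacted: a stateless
    # filter cannot tell that no such connection exists, so "Their replies" matches.
    stray_ack = Packet("203.0.113.9", 25, OUR_HOST, 22, frozenset({"ACK"}))
    return {
        "mail_out": filter_packet(SMTP_RULES, mail_out),
        "mail_reply": filter_packet(SMTP_RULES, mail_reply),
        "probe": filter_packet(GENERAL_RULES, probe),
        "stray_ack": filter_packet(SMTP_RULES, stray_ack),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```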

STATEFUL FIREWALLS
- Can tell when packets are part of legitimate sessions originating within a trusted network
- Maintain tables containing
  - Active connections
  - IP addresses
  - Ports
  - Sequence numbers
- Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to connections initiated from the internal network

STATEFUL FIREWALLS
    IF (packet belongs to an existing association) THEN
        {accept packet}
    ELSE
        {check firewall rules;
         IF (packet may pass) THEN {store association in state table}
         ELSE {discard packet}}
- Time-out inactive connections
- Connections may send keep-alives

STATEFUL FIREWALLS
- Associations may be
  - TCP connections
  - UDP flows
  - ICMP request/response pairs
- Stateful firewalls can, for example, be configured to
  - Allow associations initiated by internal systems
  - Deny associations initiated by external systems
- Stateful firewalls can easily deal with protocols such as FTP
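The decision procedure on the previous slide, together with the association types and the example policy listed here, carried through as working code. This is an added example for this page, not the lecture's own code. Associations are keyed on (protocol, source, source port, destination, destination port); the policy "allow associations initiated by internal systems, deny those initiated by external systems" and the addresses are constructed for the demonstration, and the idle timeout is a parameter rather than a value from the slides.

```python
"""Stateful firewall core: accept packets of an existing association,
otherwise consult the rules and, if the packet may pass, record a new
association; idle associations time out.

Added example, not part of the lecture slides. Addresses, the policy and
the timeout are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # for icmp: the echo identifier
    dst: str
    dport: int       # for icmp: the echo identifier again
    direction: str   # "out" = from the trusted network, "in" = from the Internet


class StatefulFirewall:
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.state: Dict[Key, float] = {}   # association -> time last seen

    @staticmethod
    def forward_key(pkt: Packet) -> Key:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt: Packet) -> Key:
        # A reply belongs to the association the original packet created.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now: float) -> None:
        """Time-out inactive associations; any packet (including a
        keep-alive) refreshes the timestamp of its association."""
        dead = [k for k, seen in self.state.items() if now - seen > self.idle_timeout]
        for k in dead:
            del self.state[k]

    def rules_allow(self, pkt: Packet) -> bool:
        """Constructed policy: allow associations initiated by internal
        systems, deny associations initiated by external systems."""
        return pkt.direction == "out"

    def handle(self, pkt: Packet, now: float) -> str:
        self.expire(now)
        for key in (self.forward_key(pkt), self.reverse_key(pkt)):
            if key in self.state:            # belongs to an existing association
                self.state[key] = now
                return "accept"
        if self.rules_allow(pkt):            # check firewall rules
            self.state[self.forward_key(pkt)] = now   # store the association
            return "accept"
        return "discard"


def demo() -> dict:
    """Constructed traffic: TCP, UDP and ICMP associations plus a timeout."""
    fw = StatefulFirewall(idle_timeout=60.0)
    inside, outside, other = "10.0.0.5", "203.0.113.7", "203.0.113.9"
    results = {}
    # TCP connection opened from inside; the reply from outside is accepted.
    results["tcp_out"] = fw.handle(Packet("tcp", inside, 51000, outside, 80, "out"), now=0)
    results["tcp_reply"] = fw.handle(Packet("tcp", outside, 80, inside, 51000, "in"), now=1)
    # Unsolicited inbound connection attempt: no association, so the rules decide.
    results["unsolicited"] = fw.handle(Packet("tcp", other, 4444, inside, 22, "in"), now=2)
    # UDP flows and ICMP echo request/response pairs are tracked the same way.
    fw.handle(Packet("udp", inside, 53001, outside, 53, "out"), now=3)
    results["dns_reply"] = fw.handle(Packet("udp", outside, 53, inside, 53001, "in"), now=4)
    fw.handle(Packet("icmp", inside, 7, outside, 7, "out"), now=5)
    results["echo_reply"] = fw.handle(Packet("icmp", outside, 7, inside, 7, "in"), now=6)
    # After the idle timeout a late "reply" no longer matches any association.
    results["late_reply"] = fw.handle(Packet("tcp", outside, 80, inside, 51000, "in"), now=200)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Compared with the stateless ruleset, no ACK-flag rule is needed here: an inbound packet is accepted because the table records that the inside host opened the association, and the entry disappears once the association goes idle.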

LOCATIONS OF FIREWALLS
[Figure: firewalls placed between the Internet, the DMZ (mail and web servers) and the critical systems]

NETWORK ADDRESS TRANSLATION (NAT)
- NAT is a router function where IP addresses are replaced at the boundary of a private network
- NAT is a method that enables hosts on private networks to communicate with hosts on the Internet
- A tool for conserving global address space allocations
- Devices inside a local network are not explicitly addressable or visible to the outside world
  - A security plus

BASIC OPERATION OF NAT
[Figure: basic operation of NAT]

TYPES OF NAT
Four types of NAT exist:
- Full cone NAT
- Restricted cone NAT
- Port restricted cone NAT
- Symmetric NAT

FULL CONE NAT
[Figure, built up over several slides: full cone NAT mapping an internal IP and port to a public port, private LAN on one side, public Internet on the other]
- Accepts traffic from all ports from all Internet nodes

RESTRICTED CONE NAT
[Figure, built up over several slides: restricted cone NAT mapping an internal IP and port to a public port, private LAN on one side, public Internet on the other]
- Accepts traffic from all ports, but only from previously contacted Internet nodes

PORT RESTRICTED CONE NAT
[Figure, built up over several slides: port restricted cone NAT mapping an internal IP and port to a public port, private LAN on one side, public Internet on the other]
- Accepts traffic only from previously contacted ports and nodes

SYMMETRIC NAT
[Figure, built up over several slides: symmetric NAT allocating a separate public port per destination, private LAN on one side, public Internet on the other]
- Accepts traffic only from the one previously contacted port and node
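The four NAT types on the preceding slides differ only in which inbound packets they forward to an existing mapping. The model below, an added example for this page and not code from the lecture, makes that difference executable: one class keeps the mapping table and applies the acceptance rule of the selected type. All addresses and ports are constructed. The model goes slightly beyond the slides in one respect, which the slides imply but do not draw: a symmetric NAT allocates a separate external port per destination, whereas the three cone types reuse one external port for every destination of the same internal endpoint.

```python
"""Inbound filtering behaviour of full cone, restricted cone, port
restricted cone and symmetric NAT, modelled as a mapping table plus an
accept decision.

Added example, not part of the lecture slides. Addresses and ports are
constructed for the demo.
"""
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)
NAT_TYPES = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")


class Nat:
    def __init__(self, nat_type: str, public_ip: str, first_port: int = 40000):
        if nat_type not in NAT_TYPES:
            raise ValueError(f"unknown NAT type {nat_type!r}")
        self.nat_type = nat_type
        self.public_ip = public_ip
        self.next_port = first_port
        # Cone types: one external port per internal endpoint.
        # Symmetric: one external port per (internal endpoint, destination).
        self.mappings: Dict[Tuple, int] = {}
        self.inside_of: Dict[int, Endpoint] = {}      # external port -> internal endpoint
        self.sent_to: Dict[int, Set[Endpoint]] = {}   # external port -> destinations used

    def _map_key(self, inside: Endpoint, dest: Endpoint) -> Tuple:
        if self.nat_type == "symmetric":
            return (inside, dest)
        return (inside,)

    def outbound(self, inside: Endpoint, dest: Endpoint) -> Endpoint:
        """Translate an outgoing packet, allocating a mapping on first use;
        returns the public (IP, port) the packet leaves with."""
        key = self._map_key(inside, dest)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.inside_of[port] = inside
            self.sent_to[port] = set()
        port = self.mappings[key]
        self.sent_to[port].add(dest)
        return (self.public_ip, port)

    def inbound(self, source: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Decide whether a packet from the Internet to one of our external
        ports is forwarded; returns the internal endpoint, or None if dropped."""
        if ext_port not in self.inside_of:
            return None                                   # no mapping at all
        seen = self.sent_to[ext_port]
        if self.nat_type == "full_cone":
            ok = True                                     # any node, any port
        elif self.nat_type == "restricted_cone":
            ok = any(ip == source[0] for ip, _ in seen)   # node must have been contacted
        else:
            ok = source in seen                           # node and port must match
        return self.inside_of[ext_port] if ok else None


def demo(nat_type: str) -> List[Optional[Endpoint]]:
    """One inside host talks to two servers, then four inbound packets arrive
    at the external port allocated for server A."""
    nat = Nat(nat_type, "198.51.100.1")
    inside = ("10.0.0.5", 5000)
    server_a = ("203.0.113.10", 3478)
    server_b = ("203.0.113.20", 3478)
    ext_a = nat.outbound(inside, server_a)[1]
    nat.outbound(inside, server_b)
    return [
        nat.inbound(server_a, ext_a),                  # contacted node and port
        nat.inbound((server_a[0], 9999), ext_a),       # contacted node, other port
        nat.inbound(("203.0.113.99", 1234), ext_a),    # never-contacted node
        nat.inbound(server_b, ext_a),                  # server B, via A's port
    ]


if __name__ == "__main__":
    for t in NAT_TYPES:
        print(f"{t:22s} {demo(t)}")
```

The last probe is what separates a port restricted cone NAT from a symmetric one: both require a previously contacted node and port, but only the cone NAT shares one external port across destinations, so server B's packet reaches the inside host through the port that was allocated while talking to server A.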


FIREWALLS VS NAT
- The origin of NATs is different from that of firewalls
- In general, NATs do not inspect application data
- NATs can be compared to transport level firewalls
- Like certain firewall configurations, certain types of NAT accept incoming data only after an outbound connection has been established

FIREWALL AND NAT TOOLS
- For *nix users (for both firewall and NAT): iptables
- For Windows users
  - Firewall: http://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish
  - NAT: http://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish

VIRTUALBOX
- A hypervisor
- It can be installed on a number of host operating systems including Linux, OS X, Windows, Solaris and OpenSolaris
- It supports creation and management of guest virtual machines running versions and derivations of Windows, Linux, BSD, OS/2, Solaris and others
- Download from: https://www.virtualbox.org/

SUMMARY
- A firewall is software that blocks unauthorised network access
- Firewalls are not a standalone solution
  - Combine them with anti-virus software and IDS
- Firewalls are effective only if configured correctly
- Use several different firewall configurations to protect a network
- NAT conceals the IP addresses of devices on the internal network from external locations
- NAT conserves IP addresses

RESOURCES
- Read Chapter 11 of Network Security Essentials: Applications and Standards, Fourth Edition, William Stallings, Prentice Hall, ISBN 0-13-706792-5
- Anatomy: A Look Inside Network Address Translators, available at: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html

Questions? Thanks for your attention!