What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?



Similar documents
Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls (IPTABLES)

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 20. Firewalls

Security Technology: Firewalls and VPNs

Proxy Server, Network Address Translator, Firewall. Proxy Server

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Computer Security: Principles and Practice

Security threats and network. Software firewall. Hardware firewall. Firewalls

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Computer Security DD2395

What would you like to protect?

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls CSCI 454/554

Computer Security DD2395

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Lecture 23: Firewalls

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

12. Firewalls Content

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Overview. Firewall Security. Perimeter Security Devices. Routers

Firewall Design Principles Firewall Characteristics Types of Firewalls

Types of Firewalls E. Eugene Schultz Payoff

Internet Security Firewalls

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Intranet, Extranet, Firewall

CSCI Firewalls and Packet Filtering

Firewalls. Mahalingam Ramkumar

8. Firewall Design & Implementation

Cornerstones of Security

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

Firewalls, Tunnels, and Network Intrusion Detection

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

CSCE 465 Computer & Network Security

Fig : Packet Filtering

Internet infrastructure. Prof. dr. ir. André Mariën

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Topics NS HS12 2 CINS/F1-01

Secure Network Design: Designing a DMZ & VPN

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALLS CHAPTER The Need for Firewalls Firewall Characteristics Types of Firewalls

How To Protect Your Network From Attack

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

CIT 480: Securing Computer Systems. Firewalls

CS5008: Internet Computing

Network Security Topologies. Chapter 11

CMPT 471 Networking II

Internet Security Firewalls

Cryptography and network security

Chapter 15. Firewalls, IDS and IPS

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewall Architecture

CIT 480: Securing Computer Systems. Firewalls

Firewall Security. Presented by: Daminda Perera

Packet filtering and other firewall functions

SIP Security Controllers. Product Overview

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Network Security and Firewall 1

Firewalls. CS 6v81 - Network Security. What is a firewall? Firewall capabilities. Firewall limitations. Firewall limitations, cont d

Firewalls, IDS and IPS

How To Understand A Firewall

INTRODUCTION TO FIREWALL SECURITY

Chapter 6: Network Access Control

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

A Model Design of Network Security for Private and Public Data Transmission

NETWORK SECURITY (W/LAB) Course Syllabus

FIREWALLS & CBAC. philip.heimer@hh.se

Firewalls and Virtual Private Networks

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Internet Firewalls and Security. A Technology Overview

How To Protect Your Network From Attack From Outside From Inside And Outside

Introduction of Intrusion Detection Systems

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Firewall Environments. Name

Intro to Firewalls. Summary

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Transcription:

What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to private data (as on a company's local area network or intranet) by outside computer users (as of the Internet) April 13, 2005 2004, Bryan J. Higgs 1 2 What is a Firewall? A firewall is a kind of filter or barrier that affects the message traffic passed between two networks Often used as a perimeter defense Allows an organization to choose which protocols it will exchange with the outside world. Can also be used to block access to certain Internet sites To prevent employees from downloading from blacklisted servers To prevent employees from accessing porn sites, etc. Usually, blocks outsiders from accessing the internal network. Sometimes, protects against internal users connecting with the Internet. What is a Firewall? It is important to realize that a network firewall shares something in common with its physical cousin: A physical fire wall is designed to slow down the spread of a fire. It does not prevent the spread of a fire. A network firewall should be be viewed in the same way: It is not a complete solution Other measures must also be employed. 3 4

What Firewalls Can Do* Can be a single "choke point" to: keep unauthorized users out of the protected network prohibit potentially vulnerable services from entering or leaving the network provides protection from various kinds of IP spoofing and routing attacks simplify security management by consolidating onto a single system Provides a location for monitoring security-related events Audits and alarms can be implemented on the firewall Provides a convenient platform for several security-related Internet functions, including: Network address translator, to map local addresses to Internet addresses Network management to provide audits or logs of Internet usage Can serve as the platform for IPSec. Can be used to implement virtual private networks (VPNs) *Cryptography and Network Security, by William Stallings, published by Prentice-Hall. What Firewalls Cannot Do* Protect against attacks that bypass the firewall. Dial-out / dial-in systems for employees and telecommuters Protect against internal threats A disgruntled employee An unwitting employee cooperating with attacker Protect against the transfer of virus-infected programs or files. *Cryptography and Network Security, by William Stallings, published by Prentice-Hall. 5 6 Types of Firewalls Hardware-based Integrated "appliances" that include all of the hardware and software necessary to implement the firewall Typically have much better performance than software-based firewalls Vendors include Cisco, et. al. Separate host Operating System / Software combination Often a Unix box with perhaps additional software Local software Typically a personal firewall Vendors: Symantec, Zone Labs, etc. Types of Firewall Packet-Filtering Firewall a.k.a. Screening Firewall Stateful Inspection Firewall a.k.a. Stateful Packet Filter Firewall Application-Level Gateway a.k.a. Application Proxy or Application-level Proxy Circuit-Level Gateway 7 8

Packet Filtering Firewall Basically a router with a set of filters to determine which packets will are allowed to cross the boundary Operates at the Network Layer (Layer 3) and Transport Layer (Layer 4) Looks at the IP and TCP packet headers, and applies a set of configurable rules to either discard or forward the packet. Packet Filtering Firewall The rule configurations include: Source IP address Destination IP address Source and destination transport-level address IP protocol fields Router interface port (source or destination) 9 10 Packet Filtering Firewall Can be subject to the following attacks: IP address spoofing Falsifying the source IP address Source Routing attacks Attempts to bypass security measures that do not analyze the source routing information Tiny fragment attacks Uses the IP fragmentation option to create extremely small fragments and force TCP header information into a separate packet fragment. Attempts to circumvent filtering based on TCP header information. Stateful Inspection Firewalls Packet filtering firewalls analyze individual packets, and are not capable of maintaining connection state information. Stateful Inspection Firewalls maintain data about open connections to ensure that packets are part of a valid connection initiated by an authorized user. Tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, one entry per connection. Once a connection is in the directory, the packet filter will allow incoming traffic to high-numbered ports only for those packages that fit the profile of one of the connections in the directory. 11 12

Application-Level Gateway An Application-Level Gateway, also called a Proxy Server Acts as a relay of application traffic Conversation looks like: The client contacts the gateway using a certain TCP/IP application protocol such as Telnet, FTP, etc. The gateway asks the client for the name of the remote host to be contacted. The user responds, and provides a valid user IT and authentication The gateway then contacts the application on the remote host, and relays TCP segments containing the application data between the two end points If the gateway does not implement the code for a specific protocol, then that protocol is not supported The gateway can also be configured to support only specified features of a protocol that are considered acceptable. Application-Level Gateway Pros: Tend to be more secure than packet filters User authentication allows for effective blocking of unwanted traffic Easy to log and audit all incoming traffic at the protocol level. Cons: Requires additional processing overhead for each connection Effectively two connections between end users Still susceptible to SYN floods and ping floods 13 14 Circuit-Level Gateway A Circuit-Level Gateway Can be: a stand-alone system, or a specialized function performed by an Application-Level Gateway for certain applications Does not permit an end-to-end TCP connection; instead, it sets up two TCP connections: Between itself and a TCP user on an inner host Between itself and a TCP user on an outside host Before the connections are set up, the user must be authenticated Once the connections have been established, TCP segments are conveyed between the two without examining the segment contents The security consists of determining which connections are allowed. Can be configured to support application-level services on inbound connections, and circuit-level functions for outbound connections Circuit-Level Gateway Pros: Relatively secure Cons: May not be appropriate for some public situations Typically does not support certain features, such as URL filtering Often only offer limited auditing features. 15 16

Bastion Host Firewall Topologies Screened Subnet a.k.a. Demilitarized Zone (DMZ) Dual Firewalls Bastion Host Places the firewall at the perimeter of the network The sole link between the protected network and the outside world All traffic flowing in and out of the network must pass through the firewall Easiest topology to implement, and the least expensive bas tion 1 : a projecting part of a fortification 2 : a fortified area or position 3 : something that is considered a stronghold 17 18 Screened Subnet (DMZ) Still uses a single firewall, but with three network interface cards: One connected to the external network One connected to the protected network One connected to a Screened Subnet A Screened Subnet: Provides a middle ground that serves as neutral territory between the external and protected networks (hence the term DMZ) Will contain servers that provide services to external users: Web servers, SMTP servers, etc. Allows servers to be compromised without compromising the protected network. Dual Firewalls Also provides a DMZ that may be used to house public services Replaces a single firewall having three NICs with two firewalls each with two NICs Provides similar security benefits as the Screened Subnet approach, plus minimizes the likelihood that an attacker could compromise the firewall itself. To enhance this, can use two very different firewalls: A hardware firewall + a software firewall Firewalls from two different vendors Firewalls with different levels of security certification 19 20

Other Firewall Features Two features that are commonly supported by firewalls are: Network Address Translation (NAT) Virtual Public Networks (VPNs) Network Address Translation (NAT) NAT is a kludge that has allowed the Internet to survive with only 32-bit addresses NAT allows you to allocate IP addresses to your own private network, and prevent the outside world from every seeing them In RFC 1918, IETF set aside some address ranges for creating private networks: 10.x.y.z 172.16.y.z 192.168.y.z These IP addresses are "unroutable", and will be dropped by any router on the Internet. 21 22 Network Address Translation (NAT) When you wish to communicate between a private network host, and the Internet, the internal IP address is translated to an IP address that is acceptable to the Internet, using a Network Address Translation (NAT) device Possibilities include: Mapping to a single external IP address All traffic appears to be coming from the NAT device's IP address Commonly used to connect a large network to the Internet when a limited number of IP addresses is available 1-to-1 mapping Each machine in the internal network could have its own unique external IP address Dynamically allocated address The NAT device could multiplex a large number of unroutable IP addresses to a smaller number of valid external IP addresses NAT Security Benefits Firewalls often implement NAT Helps to hide the internal network's internal IP address usage By itself, NAT offers few security benefits, so NAT must be combined with a secure firewall implementation to maintain adequate security 23 24

Virtual Public Networks (VPN) Many firewalls support Virtual Public Networks (VPNs) A VPN allows a user access from outside a firewall via a "tunnel", and as a result appear to actually be inside the internal network. A tunnel is a point-to-point connection where the actual communication occurs across a network. Used to allow users who work from home or on the road to access their work systems in a secure fashion. VPN typically uses IPSec to encrypt the communications, using a modern block cipher, and thereby make eavesdropping extremely difficult Summary We've discussed: The principles of firewalls, what they can do, and cannot do The different kinds of firewalls The various firewall topologies Additional functionality often supported by firewalls This was not a complete, comprehensive treatment of firewalls. To learn lots more detail about firewalls, see: Building Internet Firewalls (2nd Edition) by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman Publisher: O'Reilly (January 15, 2000) ISBN: 1565928717 25 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information