Related Chapters. Firewalls: CHAPTER 29, Firewalls

Firewalls

OSI Reference Model (figure). End User A and End User B each run the seven layers, with the physical medium between them:
- Application, Presentation, Session, Transport: end-user functions (higher-level protocols)
- Network, Data Link, Physical: network functions (lower-level protocols or network services)

OSI Reference Model (figure). Source node, intermediate network node, destination node: the higher-level protocols exist only at the end nodes, while the intermediate node runs only the lower-level protocols or network services.

Basic Protocols on TCP/IP Protocol Stack
- Layers 5-7: TELNET, FTP, SMTP, HTTP
- Layer 4: TCP, UDP
- Layer 3: IP
- Layer 2: Ethernet, Token-Ring, ATM

Basic Protocols on TCP/IP Protocol Stack
- IP (Internet Protocol): connectionless routing of packets
- UDP (User Datagram Protocol): unreliable datagram protocol
- TCP (Transmission Control Protocol): connection-oriented, reliable transport protocol

Basic Protocols on TCP/IP Protocol Stack
- TELNET: remote terminal
- FTP (File Transfer Protocol)
- TFTP (Trivial File Transfer Protocol)
- SMTP (Simple Mail Transfer Protocol)
- RPC (Remote Procedure Call)
- HTTP (Hyper Text Transfer Protocol)
- and others

Some Security-related Protocols
- Application layer: S/MIME, proxies, SET, PGP
- Transport layer (TCP): SOCKS
- Network layer (IP): packet filtering
- Data link layer (net driver): tunneling (L2TP, PPTP, L2F), CHAP (challenge handshake protocol), PAP (password auth. protocol), MS-CHAP

More Security-related Protocols
- Layers 5-7: TELNET, FTP, SMTP, HTTP, DNS, SSL, RIP, EGP, BGP
- Layer 4: TCP, UDP
- Layer 3: ICMP, IPSEC, IP, ARP, RARP
- Layer 2: Ethernet, Token-Ring, ATM

IP Packet: header + data. The data carries a layer 4 protocol (TCP, UDP) or a layer 3 protocol (ICMP, IPSEC, IP).

TCP inside IP (figure): IP header followed by TCP header.

IP Header Format
- version: 4 bits, currently v4
- header length: 4 bits, length in 32-bit words
- TOS (type of service): unused
- total length: 16 bits, length in bytes
- identification, flags, fragment offset: total 16 bits, used for packet fragmentation and reassembly
- TTL (time to live): 8 bits, used as hop count
- protocol: 8 bits, protocol being carried in the IP packet, usually TCP or UDP but also ICMP, IPSEC, IP
- header checksum: 16-bit checksum
- source address: 32-bit IP address
- destination address: 32-bit IP address

IP Header Format: options
- source routing: enables the route of a packet and its response to be explicitly controlled
- route recording
- timestamping
- security labels

TCP Header Format
- source port number: source IP address + source port number is a socket, uniquely identifying the sender
- destination port number: destination IP address + destination port number is a socket, uniquely identifying the receiver
- SYN and ACK flags
- sequence number
- acknowledgement number

UDP Header Format
- source port number: source IP address + source port number is a socket, uniquely identifying the sender
- destination port number: destination IP address + destination port number is a socket, uniquely identifying the receiver

Basic TCP/IP Vulnerabilities
- many dangerous implementations of protocols (sendmail)
- many dangerous protocols (NFS, X11, RPC)
- many of these are UDP based

Basic TCP/IP Vulnerabilities: solution
- allow a restricted set of protocols between selected external and internal machines
- otherwise known as firewalls

Ultimate Vulnerability
- IP packet carries no authentication of source address
- IP spoofing is possible
- IP spoofing is a real threat on the Internet
- IP spoofing occurs on other packet-switched networks also, such as Novell's IPX

Network Threat Examples - IP Spoofing
A common first step to many threats. Source IP address cannot be trusted!
IP header: SRC (source) 128.59.10.8, DST (destination) 130.207.7.237, followed by the IP payload. Is it really from Columbia University?

Similar to US Mail (or E-mail): From: President, White House; To: John Smith, UNCC. US mail may be better in that there is a stamp put on the envelope at the location (e.g., town) of collection...

Most Routers Only Care About Destination Address (figure). A packet with src:140.247.60.24 dst:152.15.11.104 is injected from the Stanford network (36.190.0.xx) and forwarded by routers toward UNCC (152.15.xx.xx), even though 140.247.60.xx belongs to CS.Harvard.edu.

Router Filtering (figure). Decide whether this packet, with a certain source IP address, should come from this side of the network. The Stanford router sees src:140.247.60.24 dst:152.15.11.104 arriving from 36.190.0.xx: "Hey, you shouldn't be here!" Not standard - local policy.

Router Filtering
- Very effective for some networks (ISPs should always do that!)
- At least be sure that this packet is from some particular subnet
- Problems:
  - Hard to handle frequent add/delete of hosts/subnets, or mobile IP
  - Upsets customers should legitimate packets get discarded
  - Need to trust other routers

TCP Handshake
1. client -> server: SYN, seq=x
2. server -> client: SYN, seq=y, ACK x+1
3. client -> server: ACK y+1
Connection established.

TCP Handshake (figure). The spoofed SYN with src:140.247.60.24 dst:152.15.11.104 is sent from Stanford (36.190.0.xx), but the reply seq=y, ACK x+1 is routed to the real 140.247.60.xx network at CS.Harvard.edu. The handshake prevents the attacker from establishing a TCP connection pretending to be 140.247.60.24.

TCP Handshake
- Very effective for stopping most such attacks
- Problems:
  - The attacker can succeed if y can be predicted
  - Other DoS attacks are still possible (e.g., TCP SYN-flood)

Good References for Internetworking
- Douglas Comer, Internetworking With TCP/IP Volume 1: Principles, Protocols, and Architecture, 6th edition, 2013, Pearson.
- Kevin R. Fall & W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, 2/E, 2012, Pearson.

DOMAIN NAME SERVICES (DNS)

Domain Name Services
The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses. Example (figure): the browser asks DNS for www.example.com, DNS answers 208.77.188.166, and the browser fetches http://208.77.188.166 (the page "My Example Blog Spot").

DNS
DNS provides a distributed database over the internet that stores various resource records, including:
- Address (A) record: IP address associated with a host name
- Mail exchange (MX) record: mail server of a domain
- Name server (NS) record: authoritative server for a domain
Example DNS entries from http://www.maradns.org/tutorial/recordtypes.html

Name Servers
- Domain names: two or more labels, separated by dots (e.g., cs166.net); the rightmost label is the top-level domain (TLD)
- Hierarchy of authoritative name servers: information about the root domain; information about its subdomains (A records) or references to other name servers (NS records)
- The authoritative name server hierarchy matches the domain hierarchy: root servers point to DNS servers for TLDs, etc.
- Root servers, and servers for TLDs, change infrequently
- DNS servers refer to other DNS servers by name, not by IP: sometimes must bootstrap by providing an IP along with a name, called a glue record

DNS Tree (figure). The tree of resource records under the TLDs com and edu: google.com (A google.com 66.249.91.104), microsoft.com (A microsoft.com 207.46.232.182), stanford.edu (A stanford.edu 171.67.216.18), brown.edu (A brown.edu 128.148.128.180) and cs.brown.edu (A cs.brown.edu 128.148.32.110), each with many further A records for hosts in that zone (xxx.google.com, xxx.stanford.edu 171.67.###.###, xxx.brown.edu 128.148.###.###, ...).

Namespace Management
- ICANN: Internet Corporation for Assigned Names and Numbers
- ICANN has the overall responsibility for managing DNS. It controls the root domain, delegating control over each top-level domain to a domain name registry
- Along with a small set of general TLDs, every country has its own TLD (ccTLD), controlled by the government. ICANN is the governing body for all general TLDs
- Until 1999 all .com, .net and .org registries were handled by Network Solutions Incorporated. After November 1999, ICANN and NSI had to allow for a shared registration system, and there are currently over 500 registrars in the market

Top Level Domains
- Started in 1984
- Originally supposed to be named by function: .com for commercial websites, .mil for military
- Eventually agreed upon unrestricted TLDs for .com, .net, .org, .info
- In 1994 started allowing country TLDs such as .it, .us
- Tried to move back to a hierarchy of purpose in 2000 with the creation of .aero, .museum, etc.

Name Resolution
Zone: collection of connected nodes with the same authoritative DNS server.
Resolution method when the answer is not in cache (figure):
1. Client -> ISP DNS server: Where is www.example.com?
2. ISP DNS server -> root name server: Where is www.example.com? Answer: Try com nameserver
3. ISP DNS server -> com name server: Where is www.example.com? Answer: Try example.com nameserver
4. ISP DNS server -> example.com name server: Where is www.example.com? Answer: 208.77.188.166
5. ISP DNS server -> Client: 208.77.188.166

Recursive Name Resolution (figure). The application on the local machine asks its resolver (with cache); the query is passed to Server A, which itself queries Server B on the client's behalf; each server has a resolver and cache.

Iterative Name Resolution (figure). The application on the local machine asks the local name server (resolver with cache), which in turn queries (1) the root ".", (2) the .com server, and (3) the google.com server, each returning a referral or the answer to the local name server.

Authoritative Name Servers
- Control is distributed among authoritative name servers (ANSs)
- Responsible for specific domains
- Can designate other ANSs for subdomains
- An ANS can be master or slave (M+S): the master contains the original zone table; slaves are replicas, automatically updating
- M+S make DNS fault tolerant and automatically distribute load
- An ANS must be installed as an NS in the parent's zone

Dynamic Resolution
- Many large providers have more than one authoritative name server for a domain
- Problem: need to locate the instance of the domain geographically closest to the user
- Proposed solution: include the first 3 octets of the requester's IP in recursive requests to allow better service
- Content distribution networks already do adaptive DNS routing

DNS Caching
- There would be too much network traffic if a path in the DNS tree were traversed for each query; the root zone would be rapidly overloaded
- DNS servers cache results for a specified amount of time, specified by the ANS reply's time-to-live field
- Operating systems and browsers also maintain resolvers and DNS caches (view in Windows with the command ipconfig /displaydns); associated privacy issues
- DNS queries are typically issued over UDP on port 53, with a 16-bit request identifier in the payload

DNS Caching (figure)
Step 1: query yourdomain.org. Local machine (application, resolver, cache) -> local NS (resolver, cache) -> authoritative name server.
Step 2: receive the reply and cache it at the local NS and the host. Authoritative name server -> local NS -> local machine.

DNS Caching (cont'd) (figure)
Step 3: use cached results rather than querying the ANS. Local machine 1 and local machine 2 both ask the local NS, which answers from its cache.
Step 4: evict cache entries upon TTL expiration.

Pharming: DNS Hijacking
Changing the IP associated with a server maliciously:
- Normal DNS: www.example.com -> 208.77.188.166
- Pharming attack: www.example.com -> 74.208.31.63
Phishing: the different web sites look the same (both present http://www.example.com "My Premium Blog Spot" with a userid/password form).

DNS Cache Poisoning
- Basic idea: give DNS servers false records and get them cached
- DNS uses a 16-bit request identifier to pair queries with answers
- The cache may be poisoned when a name server: disregards identifiers; has predictable ids; accepts unsolicited DNS records

DNS Cache Poisoning Prevention
- Use random identifiers for queries
- Always check identifiers
- Port randomization for DNS requests
- Deploy DNSSEC: challenging because it is still being deployed and requires reciprocity
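The checks on the cache poisoning and prevention slides (random 16-bit ID, random source port, ID check on every reply, no unsolicited records) are easy to state and easy to get subtly wrong in a resolver. The following is an added example, not code from the slides or from any real resolver: it models a caching resolver's pending-query table and applies each of those checks to a legitimate reply and to a forged one. The record shapes, the names, the ephemeral port range and the "bailiwick" rule (only cache records at or below the zone of the server that was asked) are assumptions made for the example.

```python
"""Resolver-side checks against DNS cache poisoning (added example).

Models the pending-query table of a caching resolver and applies the
checks the slides list: random 16-bit transaction ID, random source
port, ID/port/question matching on every reply, and rejection of
unsolicited (out-of-bailiwick) records. Names and record shapes here
are constructed for the example, not taken from any real resolver.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingQuery:
    txid: int          # 16-bit transaction identifier chosen by the resolver
    src_port: int      # randomized UDP source port the query was sent from
    qname: str         # question name, e.g. "www.example.com."
    zone: str          # zone (bailiwick) of the server asked, e.g. "example.com."


@dataclass
class Reply:
    txid: int
    dst_port: int
    qname: str
    answers: list = field(default_factory=list)      # (owner name, type, data)
    additional: list = field(default_factory=list)   # (owner name, type, data)


def new_query(qname, zone):
    """Issue a query with an unpredictable ID and source port (slide: 'use random
    identifiers', 'port randomization'). The port range 1024-65535 is an assumption."""
    return PendingQuery(
        txid=secrets.randbelow(1 << 16),
        src_port=1024 + secrets.randbelow(65536 - 1024),
        qname=qname.lower(),
        zone=zone.lower(),
    )


def in_bailiwick(owner, zone):
    """True if 'owner' is 'zone' or a subdomain of it (absolute names)."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def validate_reply(pending, reply):
    """Return (accepted_records, reason). 'pending' maps (txid, port) -> PendingQuery.

    A reply is accepted only if it matches an outstanding query on ID, port
    and question (slide: 'always check identifiers'); records outside the
    queried server's zone are dropped so unsolicited data is never cached.
    """
    q = pending.get((reply.txid, reply.dst_port))
    if q is None:
        return [], "no matching query for this id/port (unsolicited or guessed)"
    if reply.qname.lower() != q.qname:
        return [], "question section does not match the query"
    records = reply.answers + reply.additional
    accepted = [r for r in records if in_bailiwick(r[0], q.zone)]
    rejected = len(records) - len(accepted)
    del pending[(reply.txid, reply.dst_port)]   # one reply per query; later ones are stale
    reason = "ok" if rejected == 0 else f"ok, dropped {rejected} out-of-bailiwick record(s)"
    return accepted, reason


def demo():
    """Constructed scenario: one forged reply and one legitimate reply."""
    pending = {}
    q = new_query("www.example.com.", "example.com.")
    pending[(q.txid, q.src_port)] = q

    # Forged reply: the sender does not know the ID or port, so it guesses both.
    forged = Reply(txid=(q.txid + 1) & 0xFFFF, dst_port=53, qname="www.example.com.",
                   answers=[("www.example.com.", "A", "74.208.31.63")])
    forged_result = validate_reply(pending, forged)

    # Legitimate reply that also carries a record for a name outside example.com.
    genuine = Reply(txid=q.txid, dst_port=q.src_port, qname="www.example.com.",
                    answers=[("www.example.com.", "A", "208.77.188.166")],
                    additional=[("www.bank.test.", "A", "74.208.31.63")])
    genuine_result = validate_reply(pending, genuine)
    return forged_result, genuine_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Randomizing the source port is what turns a 16-bit guessing space into roughly a 32-bit one; the bailiwick check is what stops a correctly matched reply from smuggling in a record for an unrelated domain.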

DNSSEC (Signed DNS)
Guarantees:
- Authenticity of DNS answer origin
- Integrity of the reply
- Authenticity of denial of existence
Accomplishes this by digitally signing DNS replies at each step of the way. Typically uses trust anchors, entries in the OS, to bootstrap the process.

DNS Signing (figure)

Notes on DNSSEC
- DNS replies are NOT encrypted: no confidentiality
- DNSCrypt/DNSCurve encrypts all DNS traffic; but confidentiality evaporates milliseconds later when visiting the returned IP address. Is the added cost worth it?
- Entries on DNS servers are signed offline; signing keys are not loaded and there is no on-the-fly signing: for fear of DoS attack, and for fear of the all-important signing keys being compromised

DNSSEC Deployment
- As the internet becomes regarded as critical infrastructure there is a push to secure DNS
- NIST is in the process of deploying it on root servers now
- May add considerable load to DNS servers, with packet sizes considerably larger than the 512-byte size of UDP packets
- There are political concerns with the US controlling the root level of DNS

DNS Tools
- dig: dig domain_name (e.g., dig www.uncc.edu); reverse lookup: dig -x ip_address
- host command: host domain_name; reverse lookup: host ip_address

MORE EXAMPLES OF ATTACKS

IP Spoofing & SYN Flooding (figure). X establishes a TCP connection with B assuming A's IP address. Figure labels: (1) SYN Flood; (2) predict B's TCP seq. behavior; (3); (4) SYN(seq=n) ACK(seq=m+1).

Smurf (figure). Ping: ICMP echo request from the attacker, ICMP echo reply back. Smurf: ICMP echo request to a broadcast address with the source set to the victim; ICMP echo replies from all hosts go to the victim.

Smurf Attack
- Generate a ping stream (ICMP echo request) to a network broadcast address with a spoofed source IP set to a victim host
- Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host
- The amplified ping reply stream can easily overwhelm the victim's network
- Fraggle and Pingpong exploit UDP in a similar way

Distributed DoS (DDoS) Attacks (figure): attacker -> masters -> zombies -> victim

Amplification Attack (figure): attacker -> compromised hosts -> public server (abused as amplifier) -> target

Examples of Amplification Attack
1. DNS Amplification Attack
2. NTP Amplification Attack
Public server: NTP (network time protocol) server. Amplification factor: REQ_MON_GETLIST 3660; REQ_MON_GETLIST_1 5500.
http://www.corecom.com/external/livesecurity/dnsamplification.htm

"The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders."
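From the target's side, the smurf, DNS and NTP amplification attacks above share one signature: a host receives a large volume of "responses" from many distinct servers on a well-known UDP service port without having sent matching requests. The following is an added example, not from the slides: a small detector that aggregates constructed NetFlow-like records per inside host and service, compares response bytes against request bytes, and flags hosts that look like reflection victims. The record format, the set of amplifier ports and the thresholds are assumptions to tune per network.

```python
"""Detecting reflection/amplification floods from flow records (added example).

Flow records are constructed for this example in a simplified NetFlow-like
shape; the amplifier port list and thresholds are assumptions to tune per network.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as amplifiers (assumed list for the example).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int


def find_reflection_victims(flows, min_sources=5, min_ratio=10.0):
    """Return {victim_ip: report} for hosts that receive far more amplifier-port
    UDP traffic than they sent requests for.

    For each host and each amplifier service:
      requests  = bytes the host sent TO the service port (dport in AMPLIFIER_PORTS)
      responses = bytes the host received FROM the service port (sport in AMPLIFIER_PORTS)
    Many distinct responders plus responses/requests >= min_ratio (or responses
    with no requests at all) is the signature of a spoofed-source reflection flood.
    """
    sent = defaultdict(int)          # (host, service) -> bytes sent as requests
    recv = defaultdict(int)          # (host, service) -> bytes received as responses
    responders = defaultdict(set)    # (host, service) -> reflector IPs
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport in AMPLIFIER_PORTS:
            sent[(f.src, AMPLIFIER_PORTS[f.dport])] += f.bytes
        if f.sport in AMPLIFIER_PORTS:
            svc = AMPLIFIER_PORTS[f.sport]
            recv[(f.dst, svc)] += f.bytes
            responders[(f.dst, svc)].add(f.src)

    victims = {}
    for (host, svc), in_bytes in recv.items():
        out_bytes = sent.get((host, svc), 0)
        ratio = float("inf") if out_bytes == 0 else in_bytes / out_bytes
        if len(responders[(host, svc)]) >= min_sources and ratio >= min_ratio:
            victims[host] = {"service": svc,
                             "reflectors": len(responders[(host, svc)]),
                             "bytes_in": in_bytes, "bytes_out": out_bytes,
                             "ratio": ratio}
    return victims


def sample_flows():
    """Constructed traffic: a normal NTP client and a host under NTP reflection."""
    flows = []
    # Legitimate: 10.0.0.5 asks one NTP server and gets a same-sized answer.
    flows.append(Flow("10.0.0.5", 40000, "192.0.2.10", 123, "UDP", 48))
    flows.append(Flow("192.0.2.10", 123, "10.0.0.5", 40000, "UDP", 48))
    # Victim 10.0.0.9 never sent requests but receives large answers from many
    # reflectors (someone else sent requests with 10.0.0.9 as the source).
    for i in range(1, 21):
        flows.append(Flow(f"198.51.100.{i}", 123, "10.0.0.9", 80, "UDP", 440 * 100))
    return flows


if __name__ == "__main__":
    for host, report in find_reflection_victims(sample_flows()).items():
        print(host, report)
```

The request-to-response ratio is the same quantity the slide calls the amplification factor, measured from the victim's side; a legitimate client stays near 1, while a reflected flood shows a very high ratio or no requests at all.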

FIREWALLS: TYPES & DEPLOYMENT

What Is a Firewall? (figure): external network - firewall - internal network

Ultimate Firewall. Or Is It? (figure): external network - air gap - internal network

Firewall
- From Webster's Dictionary: a wall constructed to prevent the spread of fire
- Internet firewalls are more the moat around a castle than a building firewall
- Controlled access point

Firewalls
A firewall is responsible for controlling access among devices, such as computers, networks, and servers. The most common deployment is between a secure and an insecure network (see next slide). The main functionality of a firewall is to allow/block network traffic; however, advanced firewalls may provide other functions.

Firewall Deployment (figure)

Firewalls Can:
- Restrict incoming and outgoing traffic by IP address, ports, or users
- Block invalid packets

Firewall in Action
- Device that provides secure connectivity between networks (internal/external; varying levels of trust)
- Used to implement and enforce a security policy for communication between networks
(Figure: trusted networks / intranet with trusted users; router + firewall; untrusted networks & servers / Internet with untrusted users; DMZ with publicly accessible servers & networks.)

Convenient
- Give insight into the traffic mix via logging
- Network Address Translation
- Encryption
Forms
- Software packages
- Dedicated firewall devices
- Part of a comprehensive/unified security appliance: firewall, VPN, IDS, email filter, router, etc.

Firewalls Cannot
- Protect traffic that does not cross it: routing around; internal traffic when misconfigured; connections which bypass the firewall
- Services through the firewall introduce vulnerabilities
- Insiders can exercise internal vulnerabilities

Access Control (ALERT!!)
Internet security requirement: control access to network information and resources; protect the network from attacks.

Firewall Types
Types: firewalls can be categorized into three general classes: packet filters, stateful firewalls, and application layer firewalls (also called proxy firewalls, and application gateways).
Deployment locations:
- Host firewalls typically protect only one computer. Host firewalls reside on the computer they are intended to protect and are implemented in software.
- Network firewalls are typically standalone devices. Located at the gateway(s) of a network (for example, the point at which a network is connected to the Internet), a network firewall is designed to protect all the computers in the internal network.

Packet Filters
- Basic firewall type
- Filters at network and transport layers
- Accepts or rejects based on policy
- Considers IP address, port numbers, and transport protocol type
- Only examines the packet header

Packet Filters (figure, network layer simplified). The filtering router sits between two hosts that each run all seven layers; the router is drawn with only the Data Link and Physical layers on each of its two interfaces.

Stateful Packet Firewalls
- Perform the same operations as packet filters but also maintain state about the packets that have arrived
- Understand communication "sessions" or "protocols"
- Allow connection tracking: can associate arriving packets with an accepted departing connection
- Can do "deep" packet and session inspection
- More powerful than packet filtering firewalls
- Require more resources
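Connection tracking is what separates a stateful firewall from the packet filter on the previous slides: an inbound packet is judged not on its header alone but on whether it belongs to a connection the firewall has already seen leave. The following is an added example, not from the slides: a minimal tracker for TCP that follows the three-way handshake from the TCP Handshake slides (SYN, SYN/ACK, ACK) and enforces the policy "inside hosts may connect out; nothing else enters". The inside network prefix, the packet shape and the addresses are constructed for the example.

```python
"""A minimal stateful packet filter for TCP (added example).

Policy modeled: hosts on the inside may open connections outward; packets
from outside are accepted only if they belong to a connection the tracker
has already seen leave. The state machine follows the three-way handshake
on the TCP Handshake slides. Packet fields and addresses are constructed.
"""
from dataclasses import dataclass

INSIDE = "10.0.0."           # assumption: the trusted network is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip):
    return ip.startswith(INSIDE)


class StatefulFilter:
    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    @staticmethod
    def _key(pkt):
        """Normalize both directions of a connection to one table key."""
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt):
        """Return 'ACCEPT' or 'DROP' and update the connection state."""
        key = self._key(pkt)
        state = self.table.get(key)
        outbound = is_inside(pkt.src)
        if state is None:
            # Only an inside host may start a connection, and only with a bare SYN.
            if outbound and pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_SENT":
            # The only thing expected from outside now is the server's SYN/ACK.
            if not outbound and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "SYN_RECEIVED"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_RECEIVED":
            # The inside host's ACK completes the handshake.
            if outbound and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED: traffic flows both ways; FIN or RST tears the entry down.
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            del self.table[key]
        return "ACCEPT"


def demo():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFilter()
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        fw.check(Packet("203.0.113.7", 40000, "10.0.0.5", 22, S)),    # unsolicited inbound SYN
        fw.check(Packet("203.0.113.7", 80, "10.0.0.5", 40000, SA)),   # unsolicited SYN/ACK
        fw.check(Packet("10.0.0.5", 40000, "203.0.113.7", 80, S)),    # inside host opens
        fw.check(Packet("203.0.113.7", 80, "10.0.0.5", 40000, SA)),   # expected reply
        fw.check(Packet("10.0.0.5", 40000, "203.0.113.7", 80, A)),    # handshake complete
        fw.check(Packet("203.0.113.7", 80, "10.0.0.5", 40000, A)),    # inbound data OK
        fw.check(Packet("203.0.113.9", 80, "10.0.0.5", 40000, A)),    # no state: dropped
    ]


if __name__ == "__main__":
    print(demo())
```

A stateless filter expressing the same policy would have to admit every inbound packet with ACK set (the classic "established" heuristic), which the second and last packets in the demo show is not the same thing as belonging to a tracked connection.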

Application Layer Firewalls
- Application layer firewalls can filter traffic at the network, transport, and application layers
- Introduce new services, such as proxies. As a result of the proxy, the firewall can potentially inspect the contents of the packets
- Firewalls can be combined with other devices: Intrusion Prevention System = Firewall + Intrusion Detection System

Application Layer Firewalls
- A good "man-in-the-middle" proxy! Relay for connections: client - proxy - server
- Mainly used at the application level; understands specific applications; limited proxies available
- The proxy impersonates both sides of the connection
- Resource intensive: a process per connection
- HTTP proxies may cache web pages

Application Gateways
- More appropriate to TCP; ICMP difficult
- Block all unless specifically allowed
- Must write a new proxy application to support new protocols: not trivial!
- Clients may need to be configured for proxy communication; transparent proxies

Application Layer GW/Proxy (figure). Telnet, FTP and HTTP proxies run at the Application layer of the gateway, which implements all seven layers, between the two end hosts.

Choosing the Correct Firewall
Which technology to choose: packet filter, stateful firewall, or application firewall; host or network firewall; software or hardware firewall.
- One needs to understand the current/future security needs
- Advanced firewalls are needed for complex tasks
- Performance of the firewall must be considered

NAT: NETWORK ADDRESS TRANSLATION

Advanced Firewall Features
- Network Address Translation (NAT), which allows multiple computers to share a limited number of network addresses
- Service differentiation (such as VoIP)
- Inspecting packet contents (data)

NAT
- IPv4 only
- Useful if the organization does not have enough real IP addresses
- Extra security measure if internal hosts do not have valid IP addresses (harder to trick the firewall)
- Can use a single fixed IP address for services which must be accessible from outside
- A dynamic IP address is OK too if external applications are informed of the new IP address

NAT
- Many-to-1 (n-to-m) mapping
- 1-to-1 (n-to-n) mapping
- Proxies provide many-to-1
- NAT not required on filtering firewalls

Encryption (VPNs)
- Allows trusted users to access sensitive information while traversing untrusted networks
- Useful for remote users/sites
- VPNs can be built on: IPSec (fast, but requires installation of a dedicated VPN client on the remote machine); SSL (slower, but generally no need to install a VPN client)

DMZ: DE-MILITARIZED ZONE

Network Topology
- A simple firewall typically separates two networks: one trusted (internal, the corporate network) and one untrusted (external, the Internet)
- Not all computers in the internal network have the same duties, so we need different policies
- Introduce Demilitarized Zones (DMZs): most web servers are located in the DMZ instead of the internal network

DMZ: De-Militarized Zone
- Usually, a firewall has three interfaces (internal, external, and DMZ). Each interface has a policy to be enforced
- If an attacker compromised the DMZ, the internal network is still protected
- Front yard = DMZ

Firewalls and DMZs (figure)

FIREWALL POLICIES AND RULES

Firewall Security Policies
- When a packet arrives at a firewall, a security policy is applied to determine the appropriate action
- Firewall actions on a packet: allow a packet; deny/drop a packet; log information about a packet
- A firewall policy is a set of ordered rules; each rule consists of a set of tuples and an action

Firewall Policies
Firewalls filter incoming and/or outgoing traffic based on a predefined set of rules called firewall policies (figure: firewall policies between the untrusted Internet and the trusted internal network).

Firewall Rules
- Each firewall rule consists of a set of tuples and an action
- Each tuple corresponds to a field in the packet header, and there are five such fields for an Internet packet: Protocol, Source Address, Source Port, Destination Address, and Destination Port
- Firewall rule tuples can be fully specified or contain wildcards (*)

Firewall Policy Example (figure)

Rule Matching Process
- As packets pass through a firewall, their header information is sequentially compared to the fields of a rule
- If a packet's header information is a subset of a rule, it is said to be a match, and the associated action, to accept or reject, is performed. Otherwise, the packet is compared to the next sequential rule
- This is considered a first-match policy since the action associated with the first rule that is matched is performed

Set Theory
- A tuple can be modeled as a set. For example, assume the tuple for IP source addresses is 198.188.150.*. Then this tuple represents the set of 256 addresses that range from 198.188.150.0 to 198.188.150.255
- Each tuple of a packet consists of a single value, which is expected, since a packet only has one source and one destination

Set Theory
The comprehensive sets of a firewall policy are:
- The set of all accepted packets A(R)
- The set of all dropped packets D(R)
- The set of all unmatched packets U(R)
All sets are non-overlapping.

Policy Optimization
- Rule reordering: more commonly matched rules appear earlier. Benefits by reducing the number of rule comparisons, speeding processing
- Must maintain the integrity (intent) of the policy: reordering rules may change the semantics of the policy
- Combining rules to form a smaller policy is better in terms of performance as well as management
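The Firewall Rules, Rule Matching, Set Theory and Policy Optimization slides describe one mechanism from several angles: a rule is five sets, a packet is five single values, a match is set membership on every field, the first match wins, and a reorder is safe only when it cannot change which rule wins. The following is an added example, not from the slides: it implements the five-tuple rule with wildcards and CIDR prefixes, first-match evaluation (returning "unmatched" for packets in U(R)), and a conservative check for whether two adjacent rules can be swapped. The policy, addresses and packets are constructed for the example.

```python
"""Firewall rule tuples, first-match evaluation and reorder safety (added example).

Each rule has five tuples (protocol, src addr, src port, dst addr, dst port),
each either a fully specified value or a wildcard; a packet matches when each
of its single-valued fields lies in the rule's set, as on the Rule Matching and
Set Theory slides. The rules and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp", "icmp" or "*"
    src: str        # CIDR prefix (198.188.150.* is written 198.188.150.0/24) or "*"
    sport: str      # port number as a string, or "*"
    dst: str
    dport: str
    action: str     # "accept" or "deny"


def _field_matches(rule_value, packet_value, is_addr):
    """Set membership of one packet value in one rule tuple."""
    if rule_value == "*":
        return True
    if is_addr:
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value)
    return str(rule_value) == str(packet_value)


def matches(rule, pkt):
    """pkt is a dict with keys proto, src, sport, dst, dport (single values)."""
    return (_field_matches(rule.proto, pkt["proto"], False)
            and _field_matches(rule.src, pkt["src"], True)
            and _field_matches(rule.sport, pkt["sport"], False)
            and _field_matches(rule.dst, pkt["dst"], True)
            and _field_matches(rule.dport, pkt["dport"], False))


def first_match(policy, pkt):
    """Return (action, index) of the first matching rule, or ('unmatched', None).
    Packets that reach the end belong to U(R); most deployments close the policy
    with a catch-all deny so that U(R) is empty."""
    for i, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, i
    return "unmatched", None


def _fields_overlap(a, b, is_addr):
    """True if two rule tuples share at least one value."""
    if a == "*" or b == "*":
        return True
    if is_addr:
        return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
    return str(a) == str(b)


def can_swap(r1, r2):
    """Swapping two adjacent rules keeps the policy's semantics when they take the
    same action or when no packet can match both (their five-tuple sets are disjoint)."""
    if r1.action == r2.action:
        return True
    overlap = (_fields_overlap(r1.proto, r2.proto, False)
               and _fields_overlap(r1.src, r2.src, True)
               and _fields_overlap(r1.sport, r2.sport, False)
               and _fields_overlap(r1.dst, r2.dst, True)
               and _fields_overlap(r1.dport, r2.dport, False))
    return not overlap


# Constructed policy: block one subnet from the DMZ web server, allow everyone
# else to it, allow DNS to the DMZ resolver, deny everything else.
POLICY = [
    Rule("tcp", "198.188.150.0/24", "*", "192.0.2.80/32", "80", "deny"),
    Rule("tcp", "*", "*", "192.0.2.80/32", "80", "accept"),
    Rule("udp", "*", "*", "192.0.2.53/32", "53", "accept"),
    Rule("*", "*", "*", "*", "*", "deny"),
]


def demo():
    blocked = {"proto": "tcp", "src": "198.188.150.17", "sport": 40000,
               "dst": "192.0.2.80", "dport": 80}
    allowed = {"proto": "tcp", "src": "203.0.113.5", "sport": 40001,
               "dst": "192.0.2.80", "dport": 80}
    return (first_match(POLICY, blocked), first_match(POLICY, allowed),
            can_swap(POLICY[0], POLICY[1]), can_swap(POLICY[1], POLICY[2]))


if __name__ == "__main__":
    print(demo())
```

Swapping the first two rules would silently turn the deny for 198.188.150.* into an accept, which is exactly the semantic change the Policy Optimization slide warns about; the second and third rules can be reordered freely because TCP/80 and UDP/53 traffic never overlap.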

OPEN SOURCE FIREWALLS

Widely Used Firewalls
Technology:
- Linux: iptables
- OpenBSD: PF
- FreeBSD: pfSense
- For Debian/Ubuntu end users: UFW
Open Source Firewall Packages: Endian, Smoothwall, Untangle, IPCop, IPFire
Build your own firewall: a used desktop computer + 2 network cards