Firewalls. Network Security: Access Lists, Ingress Filtering, Egress Filtering, NAT




Transcription:

Network Security: Firewalls
- Access lists
- Ingress filtering
- Egress filtering
- NAT

Drivers of Performance Requirements
(Figure: corporate network behind a static IP packet filter firewall; arriving packets are logged to a log file and either permitted (pass) or denied (drop).)
- Traffic volume (packets per second)
- The complexity of the firewall: number of rules, complexity of rules, etc.

Static Packet Filter Firewall
- Arriving packets examined one at a time, in isolation
- Only IP, TCP, UDP and ICMP headers examined (IP header with TCP header, UDP header, or ICMP message)

Ingress Firewall
- Prevent attack packets from entering the protected network
- Rules are applied in order
- See Figure 5.6 for generic rule format

Ingress Firewall: Deny Known Fallacious Source Addresses
- Private addresses: 10.*.*.*, 172.16.*.* to 172.31.*.*, 192.168.*.*
- Internal address ranges
- Other obvious or known common addresses: 1.2.3.4, 0.0.0.0, 0.0.0.1, etc.

Ingress Firewall: Deny Known TCP Vulnerabilities
- Syn flood (TCP SYN=1 AND FIN=1)
- FTP data connection (TCP destination port = 20)
- FTP supervisory control connection (TCP destination port = 21)
- Telnet (TCP destination port = 23)
- NetBIOS (TCP destination port = 135 through 139)
- UNIX rlogin (TCP destination port = 513)
- UNIX rsh, launch shell without login (TCP port 514)

Ingress Firewall (continued)
1. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
2. If ICMP Type = 0, PASS [allow incoming echo reply messages]
3. DENY ALL

Egress Firewall: Deny Destinations
- Private IP address ranges: 10.*.*.*, 172.16.*.* to 172.31.*.*, 192.168.*.*
- Not in internal address range 60.47.*.*
- Allow ICMP Type = 8, PASS [outgoing echo messages]
- Deny Protocol = ICMP [all other outgoing ICMP]
- Deny TCP RST=1 [outgoing resets; used in host scanning]

Egress Firewall: Deny Connections to Well-Known Ports
- TCP source port = 0 through 49151
- UDP source port = 0 through 49151
Allow Outgoing Connections
- UDP source port = 49152 through 65,536
- TCP source port = 49152 through 65,536

Firewalls: Types of Firewalls
- Inspection methods: static packet inspection, stateful packet inspection, NAT, application firewalls
- Firewall architecture
- Configuring, testing, and maintenance
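The ingress rule set above as an ordered static packet filter, written as an added example rather than code from the slides; the internal range 60.47.0.0/16 is taken from the egress slide, and the packets fed to it are constructed. It also shows the misordering error the configuration slides warn about: a catch-all rule placed first silently denies everything.

```python
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_NET = ipaddress.ip_network("60.47.0.0/16")   # site's own range (egress slide)
BOGUS_SOURCES = {"1.2.3.4", "0.0.0.0", "0.0.0.1"}     # "other obvious" addresses

def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)

def is_tcp_to(p, ports):
    return p["proto"] == "tcp" and p.get("dport") in ports

# Ordered rules: (description, predicate, action). The first match wins,
# so the order below mirrors the slides, ending with DENY ALL.
INGRESS_RULES = [
    ("private source address", lambda p: is_private(p["src"]), "DENY"),
    ("source in internal address range", lambda p: p["src"] in INTERNAL_NET, "DENY"),
    ("known bogus source", lambda p: str(p["src"]) in BOGUS_SOURCES, "DENY"),
    ("TCP SYN=1 and FIN=1", lambda p: p["proto"] == "tcp"
        and {"SYN", "FIN"} <= p.get("flags", set()), "DENY"),
    ("FTP, telnet, rlogin, rsh", lambda p: is_tcp_to(p, {20, 21, 23, 513, 514}), "DENY"),
    ("NetBIOS", lambda p: is_tcp_to(p, set(range(135, 140))), "DENY"),
    ("TFTP", lambda p: p["proto"] == "udp" and p.get("dport") == 69, "DENY"),
    ("ICMP echo reply", lambda p: p["proto"] == "icmp" and p.get("icmp_type") == 0, "PASS"),
    ("deny all", lambda p: True, "DENY"),
]

def filter_ingress(pkt, rules=INGRESS_RULES):
    """Return (action, rule description) for the first rule matching pkt.

    pkt is a constructed dict: proto ('tcp', 'udp' or 'icmp'), src (dotted IP)
    and, as applicable, dport, flags (set of TCP flag names), icmp_type."""
    p = dict(pkt, src=ipaddress.ip_address(pkt["src"]))
    for desc, matches, action in rules:
        if matches(p):
            return action, desc
    raise ValueError("rule set has no catch-all rule")

# The classic misconfiguration: the same rules with DENY ALL moved to the
# front. Every packet, including permitted echo replies, now matches it.
MISORDERED_RULES = [INGRESS_RULES[-1]] + INGRESS_RULES[:-1]
```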

Stateful Inspection Firewalls
- State of connection: open or closed
- Order of packet within a dialog
- Often simply whether the packet is part of an open connection
- By default, permit connection openings from internal clients to external servers
- By default, deny connection openings from the outside to inside servers
- Default behaviors can be changed with ACLs
- Accept future packets between hosts and ports in open connections with little or no more inspection
- Can prevent: Syn flood, port switching, session hijacking, etc.

Network Address Translation
- Hides the IP address of internal hosts to thwart sniffers
- Benignly spoofs source IP addresses in outgoing packets

Network Address Translation (NAT) figure:
1. From 192.168.5.7, Port 61000 (internal host to the NAT firewall)
2. From 60.5.9.8, Port 55380 (NAT firewall to the server; this is what the sniffer sees)
3. To 60.5.9.8, Port 55380 (server reply to the NAT firewall)
4. To 192.168.5.7, Port 61000 (NAT firewall to the internal host)
NAT Translation Table:
Internal IP Addr | Port  | Host IP Addr | Port
192.168.5.7      | 61000 | 60.5.9.8     | 55380
...              | ...   | ...          | ...

Application Firewall Operation (figure, part 1): 1. HTTP request from browser; 2. HTTP request to the application firewall
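An added example, not from the slides: a minimal stateful inspection firewall in Python that implements the default behaviors listed above (permit openings from inside, deny openings from outside unless an ACL exception allows them, pass later packets of open connections without further rule checks). The internal range 60.47.0.0/16 and the DMZ HTTP server address 60.47.3.1 are taken from the architecture slides of this deck; the packets are constructed.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("60.47.0.0/16")   # the deck's internal range

class StatefulFirewall:
    """Connection table plus the default open/deny policy from the slides."""

    def __init__(self, inbound_exceptions=()):
        # ACL exceptions that let outside hosts open connections to chosen
        # internal servers, e.g. {("60.47.3.1", 80)} for the DMZ HTTP server.
        self.inbound_exceptions = set(inbound_exceptions)
        self.open = set()   # each entry: frozenset of both (ip, port) ends

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'PASS' or 'DENY' for one TCP segment (flags: set of names)."""
        conn = frozenset({(src, sport), (dst, dport)})
        if conn in self.open:
            # Part of an open connection: pass with no further rule checks.
            if "RST" in flags:            # simplification: RST tears it down
                self.open.discard(conn)
            return "PASS"
        is_opening = "SYN" in flags and "ACK" not in flags
        if not is_opening:
            # A non-opening segment with no connection state is what port
            # switching or a hijacked session looks like to the firewall.
            return "DENY"
        from_inside = ipaddress.ip_address(src) in INTERNAL_NET
        if from_inside or (dst, dport) in self.inbound_exceptions:
            self.open.add(conn)
            return "PASS"
        return "DENY"   # default: no openings from outside to inside servers
```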

Application Firewall Operation (figure, part 2): 3. Examined HTTP request from the firewall; 4. HTTP response to the firewall; 5. Examined HTTP response to the browser; filtering on POST out, hostname, URL, MIME, etc. in
- Need one program on the firewall for each protocol filtered

Header Destruction with Application Firewalls
(Figure: arriving packet from attacker 1.2.3.4 = original IP header + original TCP header + application message (HTTP); headers removed; new packet = new IP header + new TCP header + application message (HTTP).)
- Strips original headers from arriving packets
- Creates a new packet with new headers
- This stops all header-based packet attacks

Protocol Spoofing
(Figure: Trojan horse on internal host 60.55.33.12; attacker 1.2.3.4; firewall 60.80.5.34.)
1. Trojan transmits on port 80 to get through a simple packet filter
2. Protocol is not HTTP: the application firewall stops the transmission

Circuit Firewall (SOCKS v5)
(Figure: circuit firewall 60.34.3.31; external host 123.30.82.5.)
1. Authentication
2. Transmission
3. Passed transmission (No ...)
4. Reply
5. Passed reply (No ...)

Single-Site Firewall Architecture for a Larger Firm with a Single Site
(Figure:)
1. Screening router 60.47.1.1, last rule = Permit All
2. Main firewall
3. Internal firewall, last rule = Deny All Traffic Between Subnets
4. Host firewall
- DMZ: public webserver 60.47.3.9, relay 60.47.3.10, DNS server 60.47.3.4, HTTP server 60.47.3.1
- Internal subnets: Marketing on 172.18.5.x subnet, 172.18.9.x subnet, Accounting server on 172.18.7.x subnet

DMZ (Demilitarized Zone)
- For servers that must be accessed from the outside
- Public webservers
- Application (proxy) firewalls
- DNS server that only knows the IP addresses of hosts in the firewall
- Hosts must be specially hardened because they certainly will be attacked

Home and SOHO Firewall Routers
(Figure: home PC connected by cord to a broadband modem, then by coaxial cable to the service provider over an always-on connection. SOHO: user PCs connected to an Ethernet switch, then a SOHO router providing DHCP server, NAT, and a limited firewall, then a broadband modem (DSL or cable) to the service provider.)
- Many access routers combine the router and Ethernet switch in a single box
- SOHO: small office or home owner

Distributed Firewall Architecture
(Figure: management console; Site A; Site B; home PC; policy enforcement system.)

Other Security Architecture Issues
- Host and application security (Chapters 6 and 9)
- Antivirus protection (Chapter 4)
- Intrusion detection systems (Chapter 10)
- Virtual private networks (Chapter 8)

Configuring, Testing, and Maintaining Firewalls
Misconfiguration is a serious problem
- ACL rules must be executed in series
- Easy to make misordering problems
- Easy to make syntax errors
Create policies before ACLs
- Policies are easier to read than ACLs
- Can be reviewed by others more easily than ACLs
- Policies drive ACL development
- Policies also drive testing
Must test firewalls with security audits
- Only way to tell if policies are being supported
- Must be driven by policies
Maintaining firewalls
- New threats appear constantly
- ACLs must be updated constantly if the firewall is to be effective

FireWall-1 Modular Management Architecture
- GUI module: create, edit policies; read log files
- Management module: stores policies, stores log files
- Firewall module: enforces policy, sends log entries
(Figure: policy and log file data flow between the GUI, management and firewall modules; the firewall module enforces policy and sends log entries to the management module's log file.)

FireWall-1 Service Architecture
1. Arriving packet
2. Statefully filtered packet
3. DoS protection, optional authentications
4. Content Vectoring Protocol server: third-party inspection
5. Statefully filtered packet plus application inspection

Security Level-Based Stateful Firewalls in PIX Firewalls
(Figure: security level inside = 100; security level outside = 0; security level = 60 for a network behind a router; internal network.)
- Connections are allowed from more secure networks to less secure networks
- Automatically accept connection (from a more secure to a less secure network)
- Automatically reject connection (from a less secure to a more secure network)

Questions?