Lecture 23: Firewalls

Similar documents
Firewalls (IPTABLES)

Security threats and network. Software firewall. Hardware firewall. Firewalls

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Chapter 20. Firewalls

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Security Technology: Firewalls and VPNs

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Firewalls CSCI 454/554

Firewall Design Principles Firewall Characteristics Types of Firewalls

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Fig : Packet Filtering

Solution of Exercise Sheet 5

Chapter 8 Security Pt 2

Firewall Design Principles

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Computer Security: Principles and Practice

Computer Security DD2395

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Chapter 8 Network Security

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewalls. Ahmad Almulhem March 10, 2012

12. Firewalls Content

Internet Security Firewalls

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls. Network Security. Firewalls Defined. Firewalls

What would you like to protect?

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

Types of Firewalls E. Eugene Schultz Payoff

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

CSCE 465 Computer & Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Computer Security DD2395

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Internet Security Firewalls

Network Security: From Firewalls to Internet Critters Some Issues for Discussion

Firewalls. Mahalingam Ramkumar

CMPT 471 Networking II

Overview. Firewall Security. Perimeter Security Devices. Routers

Intranet, Extranet, Firewall

Cornerstones of Security

Chapter 6: Network Access Control

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Firewalls. Chapter 3

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

FIREWALLS & CBAC. philip.heimer@hh.se

Role of Firewall in Network. Security. Syed S. Rizvi. CS 872: Computer Network Security. Fall 2005

Intro to Firewalls. Summary

INTRODUCTION TO FIREWALL SECURITY

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Classification of Firewalls and Proxies

CSCI Firewalls and Packet Filtering

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

CS5008: Internet Computing

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Guideline on Firewall

Cisco Configuring Commonly Used IP ACLs

VLAN und MPLS, Firewall und NAT,

FIREWALLS IN NETWORK SECURITY

Cryptography and network security

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

FIREWALL AND NAT Lecture 7a

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Introduction of Intrusion Detection Systems

COSC4377. Chapter 8 roadmap

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Cisco Secure PIX Firewall with Two Routers Configuration Example

Firewalls, Tunnels, and Network Intrusion Detection

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

FIREWALLS CHAPTER The Need for Firewalls Firewall Characteristics Types of Firewalls

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Content Distribution Networks (CDN)

Transcription:

Lecture 23: Firewalls Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP581 -- L23

What is a Digital Firewall? A digital firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. C. Ding -- COMP581 -- L23

A Physical Firewall 1. What is the firewall composed of? 2. What are the hardware and software components of this firewall? 3. What is the defence perimeter? C. Ding -- COMP581 -- L23

What a Firewall can do Implement security policies at a single point Monitor security-related events (audit, log) Provide strong authentication for access control purpose C. Ding -- COMP581 -- L23

What a Firewall cannot do Protect against attacks that bypass the firewall Dial-out from internal host to an ISP Protect against internal threats disgruntled employee Insider cooperates with an external attacker Protect against the transfer of virusinfected programs or files C. Ding -- COMP581 -- L23

Firewall - Typical Layout A firewall denies or permits access based on policies and rules Protected Private Network Internet C. Ding -- COMP581 -- L23

Watching for Attacks Monitor Log Notify Protected Private Network Internet Attack C. Ding -- COMP581 -- L23

Firewall Technologies They may be classified into four categories: Packet filtering firewalls Circuit level gateways Application gateways (or proxy servers) Dynamic packet filtering firewalls a combination of the three above These technologies operate at different levels of detail, providing varying degrees of network access protection. C. Ding -- COMP581 -- L23

Filtering Types Packet filtering Packets are treated individually No state information is memorized Session filtering or dynamic packet filtering Packets are grouped into connections Packets in a connection are detected State information is memorized C. Ding -- COMP581 -- L23

Packet Filtering Decisions made on per-packet basis No state information saved Works at the network level of the OSI model Applies packet filters based on access rules defined by the following parameters: Source address Destination address Application or protocol/next header (TCP, UDP, etc) Source port number Destination port number

Packet Filtering Policy Example My host Other host action name port name port comments block microsoft.com Block everything from MS allow My-gateway Allow incoming mail

Packet Filtering Policy Example Rule Direction Source Address Destination Address Protocol # Source Port # Destin. Port Action 1 2 3 4 5 6 7 8 Out Out In In & Out In In Out In 10.56 10.122 201.32.4.76 10.56.199 10.122 10.56.199 10.56.199 10.56.199 TCP TCP TCP TCP TCP TCP 23 (Telnet) 23 (Telnet) 25 (Mail) 513 (rlogin) 20 (FTP) 20 (FTP) Drop Pass Pass Pass Drop Drop Pass Drop

Packet Filtering Firewalls Firewall/Router Output Filter Input Filter Access Rules Access Rules Internal Network Network Network Data Link Physical Router Data Link Physical Internet

Packet Filtering Firewalls Advantages: Simple, low cost, fast, transparent to user Disadvantages: They cannot prevent attacks that employ applicationspecific vulnerabilities or functions because they do not examine upper-layer data. Most packet filter firewalls do not support advanced authentication schemes due to the lack of upper-layer functionality It is easy to accidentally configure a packet filtering firewall to allow traffic types, sources, and destinations that should be denied based on an organization s policy due to the small number of variables used for decision

Session Filtering Traditional packet filters do not examine higher layer context ie matching return packets with outgoing flow Dynamic packet filtering examines data at all levels They examine each IP packet in context Keep track of client-server connection Check each packet validly belongs to one Hence are more able to detect bogus packets out of context

Session Filtering Packet decision made in the context of a connection If packet is a new connection, check again policy If packet is part of an existing connection, match it up in the state table and update table. A connection table is maintained

Example of Session Establishment Telnet Server Telnet Client 23 1234 Port 1234 Step 1 Step 2 ACK (1) The Client opens channel to the Server, tells its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets. (2) Server acknowledges.

Example of Connection State Table In general, when an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and 16383. The numbers less than 1024 are the well-known port numbers and are assigned permanently to particular applic.

Using ACK in Session Filtering The ACK signifies that the packet is part of an ongoing conversation Packets without the ACK are connection establishment messages

Dynamic Packet Filtering Firewalls Packets inspected between data link layer and application layer State tables are created to maintain connection context Applications Presentations Sessions Transport Network Data Link Physical Presentations Sessions Transport Network Data Link Physical Applications Presentations Sessions Transport Network Data Link Physical INSPECT Engine Dynamic State Tables

Dynamic Packet Filtering Firewalls Example

Dynamic Packet Filtering Implementation Firewall checks policy rules to validate sender Return traffic for validated web session is permitted and the state of the flow is monitored Protected private network Internet User initiates web session Firewall opens required port and allows traffic to pass to public network

Dynamic Packet Filtering Strengths Monitors the state of all data flows Transparent to users Low CPU overheads For the second and later packets belong to the same connection, no table look-up of the policy database is done.

Designing the Physical Firewall 1. How do you design it into a packet filtering firewall? 2. How do you design it into a session filtering firewall?

Circuit Level Gateways Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP Monitor TCP handshaking between packets to determine whether a requested session is legitimate. Do not permit an end-to-end TCP connection Rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one to the other without examining the contents

Circuit Level Gateway Example tcp user 1 tcp connection between two gateways tcp connection between remote gateway and visited host visited host 3 Internet 2 tcp connection between tcp user and local gateway

Circuit Level Gateways

Application Gateways Similar to circuit-level gateways except that they are application specific (i.e., tailored to a specific application program). Every connection between two networks is made via an application program called a proxy. Connection state is maintained and updated. Proxies are application or protocol specific Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected. E.g., a gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through

Application Gateways It filters packets on application data as well as on IP/TCP/UDP fields. Example: It allows selected internal users to telnet outside. host-to-gateway telnet session application gateway gateway-to-remote host telnet session router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway.

Application Gateway Example FTP Server Application Level Gateway completes connection If connection is valid the state table is updated and connection to FTP Server established Access rules verified FTP connection initiated from public network

Application Gateways Firewall Application Proxies Internal Network Application Transport Network Application Transport Network Data Link Physical Data Link Physical Internet Router

Application Gateways

Application Gateway Strengths More secure than packet filtering firewalls Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application gateway need only scrutinize a few allowable applications. It is easy to log and audit all incoming traffic at the application level.

Application Gateway Weaknesses Very CPU intensive There are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions. Requires high performance host computer Expensive

Network Configuration Examples

Protected Private Network Allow all access from private network to the Internet Deny all access from the Internet to the private network Protected private network Internet

Semi-Militarised Zone Protected private network All Private network for unauthorised corporate servers traffic is and users blocked Internet WEB Server Mail Server SMZ Semi Militarised Zone SMZ All other Firewall policy limits incoming incoming access to traffic WEB and mail server blocked from public network

Concluding Remarks All that a firewall can do is to control network activities between OSI levels 2 and 7. They cannot keep out data carried inside applications, such as viruses within email messages: there are just too many ways of encoding data to be able to filter out this kind of threat. Although firewalls provide a high level of security in today's private networks to the outside world we still need the assistance of other related security components in order to guarantee proper network security.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information