Firewalls. Ahmad Almulhem March 10, 2012

Similar documents
Computer Security: Principles and Practice

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Computer Security DD2395

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Firewalls CSCI 454/554

Computer Security DD2395

Proxy Server, Network Address Translator, Firewall. Proxy Server

Internet Security Firewalls

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Chapter 8 Security Pt 2

Chapter 8 Network Security

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Security Technology: Firewalls and VPNs

FIREWALLS & CBAC. philip.heimer@hh.se

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Chapter 3

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

ΕΠΛ 674: Εργαστήριο 5 Firewalls

FIREWALL AND NAT Lecture 7a

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Internet Security Firewalls

Lecture 23: Firewalls

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CSCE 465 Computer & Network Security

INTRODUCTION TO FIREWALL SECURITY

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Firewalls and Network Defence

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

CSCI Firewalls and Packet Filtering

CMPT 471 Networking II

A Study of Technology in Firewall System

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Introduction to Firewalls

VLAN und MPLS, Firewall und NAT,

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Chapter 20. Firewalls

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Cornerstones of Security

Firewalls P+S Linux Router & Firewall 2013

What would you like to protect?

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewall Design Principles Firewall Characteristics Types of Firewalls

How To Understand A Firewall

COSC4377. Chapter 8 roadmap

Chapter 6: Network Access Control

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Overview. Firewall Security. Perimeter Security Devices. Routers

Chapter 7. Firewalls

CIT 480: Securing Computer Systems. Firewalls

Outline (Network Security Challenge)

Firewalls (IPTABLES)

CIT 480: Securing Computer Systems. Firewalls

A S B

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Internet infrastructure. Prof. dr. ir. André Mariën

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Overview - Using ADAMS With a Firewall

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

OS/390 Firewall Technology Overview

First Step Towards Automatic Correction of Firewall Policy Faults

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewalls, IDS and IPS

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Firewalls. Chien-Chung Shen

8. Firewall Design & Implementation

Introduction of Intrusion Detection Systems

Network Security in Practice

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewalls. Network Security. Firewalls Defined. Firewalls

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Types of Firewalls E. Eugene Schultz Payoff

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Solution of Exercise Sheet 5

Transcription:

Firewalls Ahmad Almulhem March 10, 2012 1

Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

Firewalls Term originated from physical firewall Designed to contain fires Slow down the spread of fires Computing firewalls work a bit differently Usually try to prevent external fires More like the Great Wall of China Does provide internal segmentation and protection can be implemented in either hardware or software, or a combination of both. 3

The Need For Firewalls Internet connectivity is essential however it creates a threat effective means of protecting a network while allowing Internet access inserted between the premises network and the Internet to establish a controlled link can be a single computer system or a set of two or more systems working together used as a perimeter defense single choke point to impose security and auditing insulates the internal systems from external networks 4

The Need For Firewalls Major firewall vendors: Checkpoint Cisco PIX src: CSI Computer Crime and Security Survey 2010/2011 5

Firewall Characteristics Design goals: all traffic from inside to outside must pass through the firewall only authorized traffic as defined by the local security policy will be allowed to pass the firewall itself is immune to penetration Techniques used by firewalls to control access and enforce the site s security policy are: service control direction control user control behavior control 6

Types of Firewalls firewall acts as a packet filter positive filter: allow only packets meeting certain criteria negative filter: reject any packet that meets certain criteria may examine one or more protocol headers in each packet payload sequence of packets 7

Types of Firewalls Traditional Packet filters (stateless) Stateful filters Application Gateway (proxy) 8

Traditional packet filters Analyzes each packet going through it; makes drop decision based on: source IP address destination IP address source port destination port TCP flag bits SYN bit set: datagram for connection initiation ACK bit set: part of established connection TCP or UDP or ICMP Firewalls often configured to block all UDP direction Is the datagram leaving or entering the internal network? router interface decisions can be different for different interfaces 9

Filtering Rules - Examples Policy No outside Web access. External connections to public Web server only. Prevent IPTV from eating up the available bandwidth. Prevent your network from being used for a Smurf DoS attack. Prevent your network from being tracerouted Firewall Setting Drop all outgoing packets to any IP address, port 80 Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast address (eg 222.22.255.255). Drop all outgoing ICMP 10

Access control lists Apply rules from top to bottom: action source address dest address protocol source port dest port flag bit allow 222.22/16 outside of 222.22/16 TCP > 1023 80 any allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- deny all all all all all all a packet may not match any rule (default) two default policies: discard drop packet more conservative, secure, visible to users forward pass packet easier to manage, friendlier to users, but less secure 11

Access control lists Each router/firewall interface can have its own ACL Most firewall vendors provide both commandline and graphical configuration interface 12

Advantages and disadvantages of traditional packet filters Advantages Simplicity: one firewall can protect entire network Can be efficient if filtering rules are kept simple Widely available. Almost any router, even Linux boxes Disadvantages Can possibly be penetrated IP address spoofing, fragmentation Cannot enforce some policies. For example, permit certain users. Rules can get complicated and difficult to test 13

Stateful Firewall considers a packet in series of packets (not individually) packet context keeps info about each TCP connection determines if a packet is a start of TCP connection, part of an existing connection, or invalid still has a set of static rules, but states of connection is part of matching a rule improve filtering based on TCP connections can be a target of DOS attack (how?) 14

Application Gateways Gateway (proxies) sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy. Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size. can authenticates users host-to-gateway ftp session gateway-to-remote host ftp session application gateway 15

Advantages and disadvantages of application gateways Advantages Proxy can log all connections, activity in connections Proxy can provide caching Proxy can do intelligent filtering based on content Proxy can perform user-level authentication Disadvantages Not all services have proxied versions May need different proxy server for each service Requires modification of client Performance 16

SOCKS Proxy protocol Generic proxy protocol Don t have to redo all of the code when proxifying an application. Can be used by HTTP, FTP, telnet, SSL, Independent of application layer protocol Includes authentication, restricting which users/apps/ip addresses can pass through firewall. 17

SOCKS proxy protocol 1. For example, let s assume that browser requests a page 2. SOCKS Library is a collection of procedures. It translates requests into a specific format and sends them to SOCKS Daemon 3. The SOCKS Daemon 4. The server runs on the firewall host. receives requests as The daemon authenticates ordinary HTTP. It the user and forwards all does not need a the data to the server. SOCKS library. Firefox/Opera/ IE HTTP Firewall Application Apache/IIS HTTP SOCKS Library SOCKS Daemon TCP TCP TCP 18

Firewall Basing it is common to base a firewall on a standalone machine running a common operating system, such as UNIX or Linux also may be implemented as a software modules in a router or LAN switch additional basing options: bastion host individual host-based firewall personal firewall 19

Bastion Hosts a special purpose computer on a network specifically designed and configured to withstand attacks critical strongpoint in network fully exposed to attacks hosts application/circuit-level gateways common characteristics: runs secure O/S, only essential services (close all unneeded ports) disable/remove unneeded users accounts disable/remove any unneeded network protocols limited disk use, hence read-only code 20

Host-Based Firewalls a software module used to secure individual host available by default or as an add-on for many O/S filter packet flows often used on servers advantages: tailored filter rules for specific host needs protection from both internal / external attacks additional layer of protection to stand-alone firewalls 21

Personal Firewall controls traffic flow to/from PC/workstation e.g. Firewall in MS Windows used for both home or corporate use may be software module on PC or embedded in home cable/dsl router/gateway typically much less complex than stand-alone firewalls and server-based firewalls primary role to deny unauthorized access may also monitor outgoing traffic to detect/block worm/malware activity 22

Firewall Configurations A firewall is positioned to provide a protective barrier between Internet and internal network a security administrator must decide on the location and on the number of firewalls needed. there are several options; we look at some common options next 23

DMZ Network most common configuration DMZ short for demilitarized zone external firewall is placed at the edge of a local or enterprise network one or more internal firewalls protect the bulk of the enterprise network between the two types of firewalls is DMZ; contains server accessible from outside, like web server, DNS, e-mail servers external firewall provides protection of DMZ systems and basic protection for the whole enterprise internal firewall(s) provide more stringent filtering, and 2-way protection w.r.t. DMZ 24

Distributed Firewalls involves standalone firewall devices plus host-based firewalls working together under a central administrative control Administrators can configure host-based firewalls on hundreds of servers and workstation as well as configuring personal firewalls on local and remote user systems tools let the network administrator set policies and monitor security across the entire network may make sense to establish both an internal and an external DMZ advantage: strong, fine-grained monitoring 25

Virtual Private Networks virtual private network (VPN); set of networks interconnected through unsecure network (Internet) use encryption and special protocols to protect transmitted traffic VPN attractive solution; cheaper than real private networks IPSec is most common protocol used VPN functionality typically implemented in firewalls encryption/decryption (also compression) between end-points transparent to users 26

Firewall Policies A firewall policy is usually specified as a sequence of rules Each rule consists of a predicate and a decision. A predicate typically includes five fields: source IP, destination IP, source port, destination port, protocol type Typical decisions are accept and discard. Firewall Src IP Dst IP Src Port Dst Port Protocol Decision Policy r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept Packet r 2 1.2.3.9 192.168.1.1 * 25 * Discard r 3 * * * * * Discard Src IP Dst IP Src Port Dst Port Protocol Payload 1.2.3.5 192.168.1.1 78 25 TCP Conflict Resolution: first-match 27

Firewall Policies Anomalies (1) Wrong order: the order of firewall rules is wrong. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard (2) Missing rules: some rules are missed in the firewall policy. Src IP Dst IP Src Port Dst Port Protocol Decision r * r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard (3) Wrong predicates: the predicates of some rules are wrong. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept 28

Firewall Policies Anomalies (4) Wrong decisions: the decisions of some rules are wrong. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard (5) Wrong extra rules: some rules are not needed in the policy. Src IP Dst IP Src Port Dst Port Protocol Decision r 1 1.2.3.* 192.168.1.1 * 25 TCP Accept r 2 1.2.3.9 192.168.1.1 * 25 * Discard r 3 * * * * * Discard 29

References William Stallings and Lawrie Brown, "Computer Security: Principles and Practice", Pearson Education, Prentice Hall, 2008. JeeHyun Hwang, Tao Xie, Fei Chen, and Alex X. Liu. Systematic Structural Testing of Firewall Policies, IEEE Transactions on Network and Service Management. 2012. 30

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information