Network Security CS 192




Firewall Rules
Department of Computer Science, George Washington University
Jonathan Stanton 1

Today's topics
  Client Web Auth paper
  Firewall Rules

Additional Resources
  Required: FIS Chapter 10
  Reference: lots of examples on the web.

Firewall Rulesets
A rule defines how a firewall should process a packet and what the final action taken on that packet should be.
Potential actions: Allow, Block, Filter, Log

Rule Chains
To organize groups of rules, many firewalls allow you to define chains that consist of a set of rules in a particular order. Chains can be included in other chains, leading to a hierarchical arrangement.
Typically there are default chains corresponding to the three core paths of packets: INPUT, OUTPUT, FORWARD.
Chains allow coherent sets of rules to be grouped and shared. For example, the rules for an FTP service could be grouped into a chain and then used on several different firewalls to apply the same policy to each.

Rule structure
The core pieces of any rule are:
  Action
  Source (IP, port, and state)
  Destination (IP, port, and state)
So our notation will be (action, source, destination), with {host|net}:port for the source or destination.
The order of rules matters: the first rule that matches a particular packet is the one that determines its action (a few exceptions exist).

Example Network
(figure: Internet, Firewall, Corpnet, DMZnet)

DNS
DNS firewalls are complex because DNS is a required service that must access untrusted information and is relied on by many other services.
Often there are two classes of DNS names:
  Internal network names (often trusted)
  External network names (must never be trusted)
Security modes for DNS:
  Proxy
  Split internal/external DNS servers

Simple DNS
Simple setup (can leak DNS info): one shared DNS server provides all information about corpdomain. It is located in the DMZ (dmz-dnsserver).
Outgoing DNS queries:
  (allow, corpnet, any:dns)
Incoming DNS requests:
  (allow, any, dmz-dnsserver:dns)
  (deny, any, corpnet:dns)

Split DNS
Two DNS servers run, one internal with full data (called corp-dnsserver) and one external with minimal data (called dmz-dnsserver).
Rules
Outgoing DNS queries:
  (allow, corpnet, corp-dnsserver:dns)
  (allow, corp-dnsserver, dmz-dnsserver:dns)
  (deny, corpnet, any:dns)
Incoming DNS requests:
  (allow, any, dmz-dnsserver:dns)
  (allow, dmz-dnsserver, corp-dnsserver:dns)
  (deny, any, corpnet:dns)
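The following is an added example, not part of the slides: a first-match evaluator for the (action, source, destination) notation from the Rule structure slide, loaded with the Split DNS ruleset above. The address plan (10.1.0.0/16 for corpnet, 192.0.2.0/24 for the DMZ, host addresses for the two DNS servers) is an assumption, since the slides name the networks and hosts but give no addresses.

```python
import ipaddress

# Constructed address plan for the slides' example network: the slides name
# the networks and hosts but give no addresses, so these values are assumptions.
NETS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "corpnet": ipaddress.ip_network("10.1.0.0/16"),
}
HOSTS = {
    "corp-dnsserver": ipaddress.ip_address("10.1.0.53"),
    "dmz-dnsserver": ipaddress.ip_address("192.0.2.53"),
}
SERVICES = {"dns": 53, "http": 80, "ssh": 22}

# The Split DNS ruleset from the slides, outgoing rules followed by incoming ones.
SPLIT_DNS = [
    ("allow", "corpnet", "corp-dnsserver:dns"),
    ("allow", "corp-dnsserver", "dmz-dnsserver:dns"),
    ("deny", "corpnet", "any:dns"),
    ("allow", "any", "dmz-dnsserver:dns"),
    ("allow", "dmz-dnsserver", "corp-dnsserver:dns"),
    ("deny", "any", "corpnet:dns"),
]

def matches(spec, addr, port):
    """Match one '{host|net}[:service]' endpoint spec against an address and port."""
    name, _, service = spec.partition(":")
    if service and SERVICES[service] != port:
        return False
    if name in HOSTS:
        return addr == HOSTS[name]
    return addr in NETS[name]

def decide(rules, src, sport, dst, dport, default="deny"):
    """First-match evaluation: the first rule that matches the packet decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if matches(src_spec, src, sport) and matches(dst_spec, dst, dport):
            return action
    return default  # no rule matched: fall through to the default policy

if __name__ == "__main__":
    print(decide(SPLIT_DNS, "10.1.5.7", 40000, "10.1.0.53", 53))     # allow
    print(decide(SPLIT_DNS, "10.1.5.7", 40000, "198.51.100.5", 53))  # deny
    # With the corpnet deny moved above the forwarder allow, forwarding breaks.
    reordered = SPLIT_DNS[:1] + [SPLIT_DNS[2], SPLIT_DNS[1]] + SPLIT_DNS[3:]
    print(decide(reordered, "10.1.0.53", 40001, "192.0.2.53", 53))   # deny
```

The reordered case shows why the slides stress rule order: corp-dnsserver is itself inside corpnet, so the deny must come after the rule that lets it forward to the DMZ server.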

Split DNS issues
More overhead than direct DNS queries.
Apps that require valid DNS entries for clients will fail without additional work: the client will connect from an internal IP address which the external server cannot look up (because the DMZ DNS server does not return detailed information about internal machines).
Need to create fake entries in the DMZ DNS for any client. These entries need to match both forward and reverse lookups:
  *.3.2.127.in-addr.arpa IN PTR UNKNOWN.example.com
  42.3.2.127.in-addr.arpa IN PTR pseudo-127-2-3-42.example.com

WWW
The core web protocols of HTTP and HTTPS are fairly well-behaved, as they use TCP and have a well-structured client-server model.
Basic policy:
  (allow, corpnet, any:http)
  (allow, any, dmz-webserver:http)
  (deny, any, any:http)
If you use a web proxy you can replace the first rule with:
  (allow, corpnet, corp-wwwproxy:http)
  (allow, corp-wwwproxy, any:http)
  (deny, corpnet, any:http)

NTP
NTP uses UDP packets and involves bi-directional communication. Luckily the ports used are constant, so a straightforward rule works.
If vulnerabilities in NTP client software exist, firewall protection becomes difficult, as unidirectional openings are not possible.
Instead of allowing connections to any NTP server, you may restrict it to only a few approved servers by removing the "any" rules and adding two rules for each server you want.
Rules:
  (allow, corpnet, any:ntp)
  (allow, any, corpnet:ntp)

SSH
Two models:
Allow SSH directly to internal clients
  Simple; lets users connect to their machines directly; no additional servers/machines required.
  (allow, any, corpnet:ssh)
Bastion login gateway
  Allows centralized controls on external access; more secure, as two machines must be broken through.
  Does not prevent SSH tunneling, but can remove some of SSH's flexibility by controlling how the second SSH connection is initiated.
  (allow, any, dmz-sshserver:ssh)
  (allow, dmz-sshserver, corpnet:ssh)
  (deny, any, any:ssh)

Information Slide
Lecture slides, course updates, and assignments can be obtained at the course web page: http://www.seas.gwu.edu/~jstanton/courses/cs192