Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Similar documents
12. Firewalls Content

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

What would you like to protect?

Chapter 15. Firewalls, IDS and IPS

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Cornerstones of Security

Security threats and network. Software firewall. Hardware firewall. Firewalls

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

CMPT 471 Networking II

Internet Security Firewalls

Security Technology: Firewalls and VPNs

Proxy Server, Network Address Translator, Firewall. Proxy Server

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Network Security Topologies. Chapter 11

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewalls, IDS and IPS

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Internet infrastructure. Prof. dr. ir. André Mariën

Internet Security Firewalls

Firewall Architecture

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Cryptography and network security

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Overview. Firewall Security. Perimeter Security Devices. Routers

Fig : Packet Filtering

How To Protect Your Network From Attack

FIREWALL ARCHITECTURES

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Firewalls and System Protection

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

Lecture 23: Firewalls

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Chapter 6: Network Access Control

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Lesson 5: Network perimeter security

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls (IPTABLES)

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

8. Firewall Design & Implementation

INTRODUCTION TO FIREWALL SECURITY

Chapter 9 Firewalls and Intrusion Prevention Systems

CSCI Firewalls and Packet Filtering

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July Network Security 08

Firewalls CSCI 454/554

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Intranet, Extranet, Firewall

Lab Configuring Access Policies and DMZ Settings

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewall Design Principles

Network Security and Firewall 1

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls and Virtual Private Networks

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

allow all such packets? While outgoing communications request information from a

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Chapter 20. Firewalls

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Firewall Security. Presented by: Daminda Perera

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Content Distribution Networks (CDN)

Firewalls. Chapter 3

Firewall Environments. Name

Packet filtering and other firewall functions

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Figure 41-1 IP Filter Rules

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

How To Understand A Firewall

Firewall Design Principles Firewall Characteristics Types of Firewalls

Application Firewalls

Firewalls. Network Security. Firewalls Defined. Firewalls

Network Security. Raj Jain. The Ohio State University. Columbus, OH Raj Jain 31-1

CSCE 465 Computer & Network Security

Cisco PIX vs. Checkpoint Firewall

Chapter 11 Cloud Application Development

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Transcription:

Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection 5.1: Firewalls Firewall concepts: packet filter and proxy server Security architectures Page 1

Firewall A firewall is any security system protecting the boundary of an Intranet against the Internet Tasks of a firewall: Access control based on sender or receiver address or on addressed services Intranet (i.e. application layer protocol) Behavior control, e.g. virus checking on incoming files User control, i.e. authentication based on the source of traffic Hiding the internal network, e.g. topology, addresses, etc. Logging of passing traffic Two fundamental concepts implemented by firewalls are Packet filter Proxy server Firewall Internet Page 2

Types of Firewalls 1. Packet Filter Analyzing of network traffic and filtering due to certain rules on layer 3 and 4. A filtering can use one or a combination of the following information: source address, destination address, used protocol, connection If the firewall is realized in combination with a router, it is also called Screening Router Cheap and simple (all types of connections can be controlled), but filtering rules are hard to define (correctly) 2. Proxy Server (Gateway) Controlled access to a service: the firewall intercepts a requests up to layer 7 and decides, if to forward it to the receiver The proxy is the only computer known to the outer world An access control could be done basing on user identity, used protocol, and content More possibilities (Logging of detailed information, authentication,...), but for each application protocol (HTTP, SMTP, FTP, ) an own proxy is needed Page 3

Packet Filter Lehrstuhl für Informatik 4 Two possible principles: Everything that is not explicitly allowed, is denied Everything that is not explicitly denied, is allowed E.g. for your SMTP server with address 137.226.12.67 on port 25 you could define From (IP * ), (port *) To (IP 137.226.12.67), (port 25) DENY From (IP 137.226.12.67), (port 25) To (IP *), (port *) ALLOW (I.e.: your mail server can send mails to everybody, but nobody is allowed to send mails to your mail server) In the order of their entry, all rules are applied till a matching one is found Characteristics: Fast processing of packets, but only limited control on address level Static packet filter only has a fixed set of such rules Dynamic packet filter also considers a state: Deny all packets from outer world Only after a connection establishment from inside (set SYN flag), response packets coming from outside are accepted Page 4

Proxy Server Lehrstuhl für Informatik 4 Again two possible types: Circuit-Level Proxy Works on layer 3/4 only (e.g. port numbers) Proxy which can be used for each type of application The firewall intercepts all connections, thus the network structure is hidden Application-Level Proxy Also checks information on layer 7 An own proxy is needed for each application protocol (SMTP, FTP, HTTP,...) A user maybe has to authenticate before usage Most possibilities, but most expensive Connection establishment User authentication Connection establishment Data transfer Source Source Application Application Proxy Proxy Destination Destination Connection termination Page 5

Packet Filter vs. Proxy Server Packet Filter +Simple + Low cost implementation - Correctly specifying packet filters is a difficult and error-prone process - Reordering packet filter rules makes specifying rules correctly even more difficult Proxy Server + User authentication is possible + Application protocol control (e.g. virus detection) can be integrated + Logging of detailed information + Accounting - Proxy needed for each application protocol (expensive) - Circuit level proxies are cheaper than application level proxies, but not able to scan application data Page 6

Security Architectures Question: which firewall to install? Where and how to implement it due to the security requirements? Personal Firewall Dual-Homed Host Firewall Screened Hosts Firewall Screened Subnet Firewall (Demilitarized Zone) Honeypot Personal firewall Not an own component, but a software installed on a host to protect exactly this host Part of operating systems to protect a user s machine at home Learning filter which can interact with the user to define filtering rules Normally not necessary because even at home the usual DSL router today has an intergrated firewall Page 7

Dual-Homed Host Firewall Simplest implementation: realize packet filter or proxy server as an own machine: Machine with two network interfaces Routes packets and processes them according to its security rules All-in-one firewall: can provide packet filter and proxy server Clients in the internal network can access services on the Internet either by using a proxy server in the firewall or by logging on to the firewall directly Internet Dual-Homed Host Firewall Intranet Page 8

Screened Hosts Firewall Introduce another special machine: Consists of a screening router and a bastion host on the internal network Bastion host: a single machine which provides all publicly accessible servers (e.g. in principle a less protected machine because we need to allow accesses to it) Screening router performs packet filtering of incoming Internet traffic Screening router sends all permitted incoming traffic to the bastion host, where further access control decision can be made before packets are forwarded to other hosts Screening router accepts internal packets only from the bastion host Internet Screening router Intranet Bastion Host Page 9

Demilitarized Zone Mail server DMZ Web server Internet Screening Router Intranet Dynamic packet filter or proxy server Combination of the two former variants: All resources which have to be contacted from outside (without restrictions) are placed in an own network segment (DMZ Demilitarized Zone) instead on a bastion host This segment is protected against the Internet only by a simple firewall (usually a screening router for packet filtering of uncritical systems, e.g. web server) The private network is protected by a more powerful firewall (dynamic packet filter and/or application-level proxy) Page 10

Additional: Honeypot Screening Router Mail server DMZ Web server Internet Intranet Honeypot Dynamic packet filter or proxy server Although possible: provide a weak faked server in your DMZ to attract attackers The honeypot does heavy logging and provides alarm systems instead of the real application services Goal: get knowledge about the attackers Page 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information