CIT 480: Securing Computer Systems. Firewalls


Topics
1. What is a firewall?
2. Types of firewalls
   1. Packet filters (stateless)
   2. Stateful firewalls
   3. Proxy servers
   4. Application layer firewalls
3. Configuring the Linux firewall
4. Firewall architectures and DMZs

What is a Firewall?
A software or hardware component that restricts network communication between two computers or networks. In buildings, a firewall is a fireproof wall that restricts the spread of a fire; a network firewall likewise prevents threats from spreading from one network to another.

What is a Firewall? (2)
A security control that enforces network policy: access control lists (ACLs) applied at the host or network level.
Policy decisions:
- What traffic should be allowed into the network?
  Integrity: protect the integrity of internal systems.
  Availability: protect against denial-of-service attacks.
- What traffic should be allowed out?
  Confidentiality: protect against data leakage.

Network Perimeter A boundary between two networks. Most often, a boundary between a private locally controlled network (intranet, LAN) and a public network (Internet, WAN). A firewall is often deployed to enforce access control at the network perimeter.

Problems with Perimeters
When firewalls were invented:
- Organizations had a single link to the Internet.
- Devices on the intranet were mostly trusted.
- Devices on the intranet had many open ports.
- Protocols could be identified by port numbers.
- Wireless networks and NAT did not exist.
In modern networks:
- Organizations have multiple links to other networks.
- Employees bring their own devices to the intranet.
- Devices on the intranet have few open ports.
- Protocols are often built on top of HTTP.
- Wireless networks and NAT are ubiquitous.

Are firewalls still useful?
Yes, but we deploy multiple firewalls on our internal network instead of relying on one perimeter firewall:
- Put firewalls in front of devices that still have many open ports, such as printers.
- Put firewalls in front of devices that cannot be patched because they only work with legacy software.
- Use a firewall to separate the wireless network, which allows employee devices, from the internal wired network.
We also supplement firewalls with other security technologies like VPNs and NIDS.

Types of Firewalls
Packet filters (stateless):
- Apply access rules to individual packets.
- Filter on network and transport layer data.
Stateful filters:
- Apply access rules to network flows or sessions.
- Filter on network and transport layer data.
Application layer firewalls:
- A proxy server that relays byte streams from client to server and vice versa.
- Use deep packet inspection (DPI) to filter on application layer data.

Stateless Firewalls
A stateless firewall doesn't maintain any remembered context (or "state") with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation, without considering packets that it has processed previously.
Figure: a client on the trusted internal network completes a TCP three-way handshake with a web server through the firewall: SYN (Seq = x) to port 80; SYN-ACK (Seq = y, Ack = x + 1) back; ACK (Seq = x + 1, Ack = y + 1).
Firewall rules:
- Allow outbound SYN packets, destination port = 80.
- Allow inbound SYN-ACK packets, source port = 80.
Because the second rule looks only at header fields, it also admits a SYN-ACK that no internal host ever solicited, as long as its source port is 80.

Stateless Restrictions
Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.
Figure: an attacker on the Internet sends a SYN (Seq = y) to port 80 of a client on the trusted internal network; the firewall drops it.
Firewall rules:
- Allow outbound SYN packets, destination port = 80.
- Drop inbound SYN packets.
- Allow inbound SYN-ACK packets, source port = 80.
Dropping inbound SYNs stops outsiders from opening connections to internal hosts, but the third rule must stay or the clients' own connections would fail. An attacker who sets both the SYN and ACK flags and uses source port 80 still gets through; closing that hole requires the firewall to remember which connections were actually opened from inside.

Packet Filtering Information
Forward or drop packets based on TCP/IP header information, most often:
- IP source and destination addresses
- Protocol (ICMP, TCP, or UDP)
- TCP/UDP source and destination ports
- TCP flags, especially SYN and ACK
- ICMP message type
Multi-homed hosts also make decisions based on:
- The network interface the packet arrived on.
- The network interface the packet will depart on.

Stateful Firewall Example
Figure: client 128.34.78.55 on the trusted internal network opens a TCP connection to server 76.120.54.101 on port 80: SYN (Seq = x); SYN-ACK (Seq = y, Ack = x + 1); ACK (Seq = x + 1, Ack = y + 1).
Firewall rule: Allow outbound TCP sessions, destination port = 80.
Firewall state table: Established TCP session (128.34.78.55, 76.120.54.101).
An attacker's unsolicited SYN-ACK (Seq = y, source port = 80) is blocked: the firewall finds no matching session in its state table, so the packet is not part of any connection an internal host started.

Stateful Packet Filters
Identify network flows by the 5-tuple:
- Protocol (TCP, UDP)
- Source IP address
- Source port
- Destination IP address
- Destination port
Apply the access rules to the packet that opens a connection. Later packets are looked up in the flow table and receive the same decision as the opening packet. Entries are removed when the connection closes or after an idle timeout, so the table does not grow without bound.

Netfilter and iptables
Netfilter is the packet-filtering framework inside the Linux kernel; iptables is the user-space tool that configures it. Tables do specific tasks, such as filtering (the filter table) or NAT (the nat table). Each table consists of one or more chains of rules. Chains can be built-in or user defined.

Filter Table Built-In Chains
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
INPUT holds rules for packets addressed to this host, FORWARD for packets routed through it, and OUTPUT for packets it generates itself. With every policy at ACCEPT and no rules, as above, the host accepts everything.

Chains are Lists of Rules
A packet traverses a chain sequentially until:
- A rule matches the packet and makes a final decision to ACCEPT, DROP or REJECT it.
- A rule matches the packet and sends it to another chain.
- The end of the chain is reached.
If the end is reached, the packet either:
- Returns to the calling chain and continues with the rule after the one that jumped (user-defined chain).
- Is handled by the default policy of the chain (built-in chain).

Chain Configuration
Append a rule to a chain:
    iptables -A chain firewall-rule
List the rules in a chain (-n skips DNS lookups; --line-numbers shows the numbers that -D needs):
    iptables -L chain -n -v --line-numbers
Delete a rule from a chain:
    iptables -D chain rule-number
Set the chain's default policy:
    iptables -P chain DROP
or append a rule that drops all packets to the end of the chain:
    iptables -A chain -j DROP

Packet Matching Options
-i: incoming network interface (ex: lo, eth0)
-o: outgoing network interface (for the FORWARD and OUTPUT chains)
-s: source IP address or network (ex: 10.0.0.1, 10.0.0.0/8)
-d: destination IP address or network
-p: protocol (tcp, udp, icmp, etc.)
--icmp-type: ICMP type (if -p icmp)
--sport: source port (if -p tcp or -p udp)
--dport: destination port (if -p tcp or -p udp)
--tcp-flags: TCP flags (ex: ACK, SYN, etc.); --syn is shorthand for SYN set with ACK, RST and FIN clear
A match can be negated with "!", as in "! -s 10.0.0.0/8".

Stateful Matching Options
-m state: enable the stateful filtering module. On current systems "-m conntrack --ctstate" does the same job and is preferred; "-m state --state" is kept as an alias.
--state NEW: allow new connections.
  Matches the first packet of a connection the connection tracker has not seen before. For TCP that is normally the SYN, but by default the tracker also accepts a mid-stream packet (e.g. a bare ACK) as NEW, so rulesets usually add "-p tcp ! --syn -m state --state NEW -j DROP".
  Adds the connection (IPs, ports) to the state table.
--state ESTABLISHED: allow established connections.
  Matches a packet whose source IP, source port, destination IP and destination port are found in the state table and whose connection has already seen packets in both directions.
--state RELATED: matches a packet that starts a new connection associated with an existing one, such as an ICMP error about a tracked connection or an FTP data connection.
--state INVALID: matches a packet the tracker cannot associate with any connection; such packets are usually dropped.

Rule Targets (-j options)
ACCEPT: let the packet through.
DROP: do not let the packet through; the sender gets no response.
REJECT: do not let the packet through, and send back an ICMP error (or a TCP RST with --reject-with tcp-reset).
RETURN: stop processing on this chain and return to the next rule in the calling chain; in a built-in chain, apply the chain's policy instead.
LOG: record the packet in the kernel log and continue with the next rule (a non-terminating target, so pair it with a DROP).
chain: continue processing the packet with the named user-defined chain.

Writing Firewall Rules
Allow incoming SSH using stateful rules:
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow the server to be pinged:
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
These rules only restrict anything if the INPUT and OUTPUT chains have a DROP policy (or end in a DROP rule); with the default ACCEPT policy they are no-ops.
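The following script, added here as an example and not part of the original slides, puts the rules above together into a complete default-deny host firewall. It uses the conntrack match (the modern form of -m state) and a user-defined LOGDROP chain, so the chain, target and stateful-matching slides can be seen working together. The SSH port, the admin network 10.0.0.0/8 and the outbound services the host is allowed (DNS, HTTP/HTTPS) are assumptions made for the example.

```shell
#!/bin/sh
# Host firewall for a single Linux server. Added example, not a ruleset from
# the original slides. Assumptions: iptables (legacy or nf_tables backend),
# IPv4 only (ip6tables needs its own policy), SSH on port 22, and an admin
# network of 10.0.0.0/8; the last two are made up for the example.
#
#   sh host-fw.sh apply              load the rules (run as root)
#   DRY_RUN=1 sh host-fw.sh apply    print the commands instead of loading them
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

host_firewall() {
    # Default-deny on every built-in chain, then start from empty chains.
    # Setting the policies before flushing means the host is never open,
    # not even for the instant between the flush and the first ACCEPT.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -F
    run iptables -X

    # User-defined chain: log (rate limited) and then drop. No RETURN is
    # needed because DROP ends processing of the packet.
    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
    run iptables -A LOGDROP -j DROP

    # INPUT: loopback first, then anything belonging to a tracked connection.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Conntrack picks up mid-stream TCP packets as NEW (nf_conntrack_tcp_loose
    # defaults to 1), so insist that a NEW TCP connection starts with a SYN.
    run iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
    # Services this host offers: SSH, from the admin network only.
    run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Let the host be pinged, but not flooded.
    run iptables -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    run iptables -A INPUT -j LOGDROP

    # OUTPUT: replies on tracked connections (covers sshd and echo-reply),
    # plus the outbound services the host itself needs.
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A OUTPUT -j LOGDROP
}

if [ "${1:-}" = "apply" ]; then
    host_firewall
fi
```

With DRY_RUN=1 the script prints the iptables commands instead of loading them, which is a cheap way to review a ruleset before applying it to a machine you only reach over SSH. Because the policies go to DROP before the flush, an existing SSH session stalls until the ESTABLISHED,RELATED rule is added, which is why that rule comes early. The "! --syn" rule closes the gap left by the tracker's willingness to treat a mid-stream ACK as a NEW connection.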

Ingress/Egress Filtering
Block spoofed IP addresses:
- Ingress filtering: drop packets arriving on the external interface whose source IP address claims to be from the internal network.
- Egress filtering: drop packets arriving on the internal interface whose source IP address is not from the internal network.
Ingress filtering protects your own hosts from outsiders pretending to be inside; egress filtering keeps your hosts from being used to spoof others (the practice recommended in BCP 38).

Proxy Servers
A proxy server is a server that acts as an intermediary between a client seeking resources and the servers that provide them; it is typically used to protect clients. A reverse proxy server acts as an intermediary between all clients and a dedicated set of servers; it is typically used to protect the servers.

Proxy Servers
The proxy host relays connections:
- The packet filter blocks direct connections.
- The client makes a connection to the proxy.
- The proxy forwards the connection to the server.
A proxy can provide multiple security features: access control, authentication, logging, anonymity.

Example: SOCKS v5
SOCKS server and SOCKS client library.
Clients must be linked against the library, which offers replacements for the UNIX TCP and UDP socket system calls.
User authentication protocols:
- Cleartext username/password.
- GSS-API authentication.

Forward Proxy Servers
Advantages:
- User-level authentication is possible.
- Efficient logging, as the proxy deals with circuit connections instead of individual packets.
Disadvantages:
- Clients have to be recompiled or reconfigured to use the proxy service.
- Some services can't be proxied.
- Cannot protect you from all protocol weaknesses.

Application Layer Firewalls
Reverse proxy servers that filter a single protocol:
- HTTP: URLs, headers, etc.
- SMTP: spam statistics
More complex than packet filters: there are only 2^16 ports, but an unbounded number of URLs, HTTP headers, bodies, etc.

Single Firewall Architecture One firewall deployed on gateway between two networks to protect network perimeter.

DMZ Firewall Architecture
Two firewalls: an exterior router between the Internet and the DMZ subnet, and an interior router between the DMZ and the internal network.

Single Firewall DMZ
One firewall with three interfaces (external, internal and DMZ) enforces the rules for all three networks.

DMZ
Isolate servers with external access requirements.
- Compromise of a DMZ server doesn't directly compromise the internal network.
- DMZ servers also can't sniff internal traffic, since they're on a different subnet.
No single point of failure (two-firewall DMZ): an attacker must compromise both the exterior and the interior router to gain access to the internal net. In the single-firewall DMZ the one firewall remains a single point of failure, and its FORWARD rules must do the work of both routers.
Advantages: greater security.
Disadvantages: higher cost and complexity.
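The following script, an added example rather than anything from the original slides, builds the single-firewall DMZ on a Linux router and also implements the ingress and egress filtering described on the earlier slide. Interface names, the internal network 10.1.0.0/16, the DMZ network 192.0.2.0/24 and the web server 192.0.2.10 are assumptions made for the example; the DMZ is assumed to use public addresses, so only the internal LAN is NATed.

```shell
#!/bin/sh
# Single-firewall DMZ with ingress/egress anti-spoofing on a Linux router.
# Added example, not a ruleset from the original slides. Assumed layout:
#   eth0  external, toward the Internet
#   eth1  internal LAN, 10.1.0.0/16 (private addresses, NATed on the way out)
#   eth2  DMZ, 192.0.2.0/24 (public addresses), web server at 192.0.2.10
#   sh dmz-fw.sh apply   loads the rules; DRY_RUN=1 prints them instead
set -eu

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"
INT_NET="${INT_NET:-10.1.0.0/16}"
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"
WEB_SRV="${WEB_SRV:-192.0.2.10}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

dmz_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    # Kernel-side ingress check: drop packets whose source address would be
    # routed out of a different interface than the one they arrived on.
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -X
    run iptables -t nat -F

    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    run iptables -A LOGDROP -j DROP

    # Ingress filtering: a packet from the Internet must not claim an inside
    # source (our own ranges, loopback, or any private range).
    run iptables -N INGRESS
    for net in "$INT_NET" "$DMZ_NET" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A INGRESS -i "$EXT_IF" -s "$net" -j LOGDROP
    done

    # Egress filtering: a packet leaving an inside network must carry a source
    # address from that network, so our hosts cannot take part in spoofing.
    run iptables -N EGRESS
    run iptables -A EGRESS -i "$INT_IF" ! -s "$INT_NET" -j LOGDROP
    run iptables -A EGRESS -i "$DMZ_IF" ! -s "$DMZ_NET" -j LOGDROP

    # Spoof checks run first, both for traffic to the firewall and through it.
    for chain in INPUT FORWARD; do
        run iptables -A "$chain" -j INGRESS
        run iptables -A "$chain" -j EGRESS
    done

    # Traffic to the firewall itself: loopback, tracked replies, SSH from the LAN.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$INT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -j LOGDROP

    # Routed traffic.
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: only the published service on the published host.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Internal -> DMZ and Internal -> Internet may initiate connections.
    run iptables -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> Internal: never. A compromised DMZ host must not reach the LAN.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOGDROP
    # DMZ -> Internet: only what the web server needs (DNS, package updates).
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -p udp --dport 53 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -p tcp \
        -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -j LOGDROP

    # The LAN uses private addresses, so hide it behind the external address.
    run iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then dmz_firewall; fi
```

The DMZ is never allowed to initiate a connection into the LAN; the ESTABLISHED,RELATED rule still lets a DMZ server answer a connection that an internal host opened, which is the direction the architecture intends. Note what the firewall cannot do: a compromised web server can still talk to the Internet over the ports it is allowed (DNS, HTTP/HTTPS), and an internal host that connects to it can be attacked over that connection, which is why the slides pair firewalls with NIDS and patching rather than relying on segmentation alone.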

Firewall Limitations
- Cannot protect from internal attacks. Internal firewalls may be able to limit access to a segment of your network.
- Cannot protect you from user error. Users will still run Trojan horses that make it past your AV scanner, and users visiting malicious sites run malicious JavaScript inside the firewall.
- The firewall mechanism may not precisely enforce your security policy.

Key Points
1. Firewall types
   1. Packet filtering (stateless)
   2. Stateful firewalls
   3. Proxy servers (including application layer firewalls)
2. Netfilter and iptables
   1. Tables and chains
   2. Rules and actions
3. Firewall architectures
   1. Single firewall
   2. DMZ
   3. Single firewall DMZ

References
1. William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.
2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003.
3. Michael Goodrich and Roberto Tamassia, Introduction to Computer Security, Pearson, 2011.
4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
5. Elizabeth Zwicky, Brent Chapman, and Simon Cooper, Building Internet Firewalls, 2nd edition, O'Reilly & Associates, 2000.

Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
- to Share: to copy and redistribute the material in any medium
- to Adapt: to remix, build upon, and transform the material
- to use part or all of this presentation in your own classes
Under the following conditions:
- Attribution: You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
- Share Alike: If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/