CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003



Similar documents
Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

CMPT 471 Networking II

Internet infrastructure. Prof. dr. ir. André Mariën

SRM UNIVERSITY FACULTY OF ENGINEERING AND TECHNOLOGY SCHOOL OF COMPUTING DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING COURSE PLAN

Internet Security Firewalls

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

CIT 480: Securing Computer Systems. Firewalls

Packet filtering and other firewall functions

Internet Security Firewalls

CIT 480: Securing Computer Systems. Firewalls

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 9. IP Secure

Firewalls. Chapter 3

Cryptography and network security

Security Technology: Firewalls and VPNs

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Firewall August, 2003

A S B

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Ethernet. Ethernet. Network Devices

Topics NS HS12 2 CINS/F1-01

Network Address Translation (NAT)

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Overview - Using ADAMS With a Firewall

CS5008: Internet Computing

Firewalls. Ahmad Almulhem March 10, 2012

IP address format: Dotted decimal notation:

Solution of Exercise Sheet 5

Introduction of Intrusion Detection Systems

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

PART OF THE PICTURE: The TCP/IP Communications Architecture

TCP/IP and the Internet

CSCE 465 Computer & Network Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

CSCI Firewalls and Packet Filtering

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Linux Network Security

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

VLAN und MPLS, Firewall und NAT,

Firewalls and System Protection

IP Filter/Firewall Setup

Overview - Using ADAMS With a Firewall

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

allow all such packets? While outgoing communications request information from a

21.4 Network Address Translation (NAT) NAT concept

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Intranet, Extranet, Firewall

NetFlow/IPFIX Various Thoughts

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Network Security TCP/IP Refresher

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

INTRODUCTION TO FIREWALL SECURITY

Firewall Design Principles

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Understanding and Configuring NAT Tech Note PAN-OS 4.1

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Firewalls. Chien-Chung Shen

Chapter 15. Firewalls, IDS and IPS

Compter Networks Chapter 9: Network Security

How will the Migration from IPv4 to IPv6 Impact Voice and Visual Communication?

Chapter 11 Cloud Application Development

Insecure network services

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

12. Firewalls Content

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Perimeter and Internal Defenses. Network Defense Tools: Firewalls, Traffic shapers, and Intrusion Detection. This lecture. Basic Firewall Concept

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Firewalls and Intrusion Detection

Transport Layer Protocols

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

- Introduction to Firewalls -

Implementing Network Address Translation and Port Redirection in epipe

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

NETWORK SECURITY (W/LAB) Course Syllabus

Chapter 6: Network Access Control

Transcription:

CS155 - Firewalls Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003 1

Why Firewalls? Need for the exchange of information; education, business, recreation, social and political Need to do something useful with your computer Drawbacks; unsolicited attention and bugs 2

Why Firewalls? There are a lot of people on the Internet Millions of people together -> bad things happen True for cities; it is true for the Internet With the Internet... Everyone is in your backyard! You can be scoped out at any time from anywhere The community discourages neighborhood watch like activities (a hot potato!) 3

Bugs, Bugs, Bugs All programs contain bugs Larger programs contain more bugs! Network protocols contain; Design weaknesses (SSH CRC) Implementation flaws (SSL, NTP, FTP, SMTP...) Careful (defensive) programming & protocol design is hard 4

What is a Firewall? Literally? Prevents fire from spreading! The Castle & Moat Analogy Restricts access from the outside Prevents attackers from getting too close Restricts people from leaving <- Important!! 5

What is a Firewall? Logically A separator, a restrictor and an analyzer Rarely a single physical object! Practically any place where internal and external data can meet 6

Where do you put a Firewall? Between insecure systems & the Internet To separate test or lab networks For networks with more sensitive data; Financial records Student grades Secret projects Partner or joint venture networks 7

Firewall Design & Architecture Issues Least privilege Defense in depth (very important) Choke point Weakest links Fail-safe stance Universal participation Diversity of defense Simplicity 8

Firewall Architectures Using a Screening Router to do Packet Filtering 9

Packet Filtering: IPv4 Packet Header 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Version IHL Type of Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address Options Padding http://www.faqs.org/rfcs/rfc760.html 10

Packet Filtering: UDP Packets 0 7 8 15 16 23 24 31 +--------+--------+--------+--------+ Source Destination Port Port +--------+--------+--------+--------+ Length Checksum +--------+--------+--------+--------+ data octets... +----------------... User Datagram Header Format http://www.faqs.org/rfcs/rfc768.html 11

Packet Filtering: TCP packet structure 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Source Port Destination Port Sequence Number Acknowledgment Number Data U A E R S F Offset Reserved R C O S Y I Window G K L T N N Checksum Urgent Pointer Options Padding data TCP Header Format http://www.faqs.org/rfcs/rfc761.html 12

Packet Filtering: Ipv6 Packet Header Version Prio. Flow Label Payload Length Next Header Hop Limit + + + Source Address + + + + + + Destination Address + + + http://www.faqs.org/rfcs/rfc1883.html 13

Packet Filtering: Summary IP Source Address IP Destination Address Protocol/Next Header (TCP, UDP, ICMP, etc) TCP or UDP source & destination ports TCP Flags (SYN, ACK, FIN, RST, PSH, etc) ICMP message type Packet size Fragmentation 14

Router Knowledge Interface packet arrives on Interface a packet will go out Is the packet in response to another one? How many packets have been seen recently? Is the packet a duplicate? Is the packet an IP fragment? 15

Filtering Example: Inbound SMTP 16

Filtering Example: Outbound SMTP 17

Stateful or Dynamic Packet Filtering 18

Network Address Translation (NAT) Port & Address Translation (PAT) 19

Normal Fragmentation 20

Abnormal Fragmentation 21

Firewall Architectures Screened Host Architecture 22

Bastion Host A secured system (it will interact/accepts data from the Internet) Disable all non-required services; keep it simple Install/modify services you want Run security audit to establish baseline Connect system to network <- important Be prepared for the system to be compromised 23

Firewall Architectures Screened Subnet Architecture Using Two Routers 24

Firewall Architectures Source/Destination Address Forgery 25

Firewall Architectures Dual Homed Host Architecture 26

Proxies Application level; dedicated proxy (HTTP) Circuit level; generic proxy SOCKS WinSock almost generic proxy for Microsoft Some protocols are natural to proxy SMTP (E-Mail) NNTP (Net news) DNS (Domain Name System) NTP (Network Time Protocol) 27

Firewall Architectures A Complex Firewall Setup 28

Firewall Architectures A web server using a database on a perimeter network 29

Firewall Architectures A web server and database server on an internal network 30

Problems with Firewalls They interfere with the Internet They don't solve the real problems; Buggy software Bad protocols Generally cannot prevent Denial of Service Are becoming more complicated Many commercial firewalls permit very, very complex configurations 31

Elizabeth D. Zwicky, Simon Cooper D. Brent Chapman Questions? Simon Cooper <sc@sgi.com> 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information