CSCE 465 Computer & Network Security



Similar documents
Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

12. Firewalls Content

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Internet Security Firewalls

Firewalls (IPTABLES)

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Security Technology: Firewalls and VPNs

Firewall Design Principles Firewall Characteristics Types of Firewalls

Computer Security: Principles and Practice

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CSCI Firewalls and Packet Filtering

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Computer Security DD2395

Cryptography and network security

Internet Security Firewalls

Firewalls. Chapter 3

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Overview - Using ADAMS With a Firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

FIREWALLS & CBAC. philip.heimer@hh.se

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls. Ahmad Almulhem March 10, 2012

Overview - Using ADAMS With a Firewall

Introduction of Intrusion Detection Systems

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewall Firewall August, 2003

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Firewalls CSCI 454/554

Proxies. Chapter 4. Network & Security Gildas Avoine

Stateful Inspection Technology

Polycom. RealPresence Ready Firewall Traversal Tips

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewall Design Principles

Lecture 23: Firewalls

Firewalls. Mahalingam Ramkumar

Computer Security DD2395

Introduction to Computer Security Benoit Donnet Academic Year

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

What would you like to protect?

Firewall Defaults and Some Basic Rules

Chapter 11 Cloud Application Development

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Security threats and network. Software firewall. Hardware firewall. Firewalls

OS/390 Firewall Technology Overview

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls P+S Linux Router & Firewall 2013

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Fig : Packet Filtering

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewalls, IDS and IPS

A S B

FTP e TFTP. File transfer protocols PSA1

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

Chapter 6: Network Access Control

Networking Security IP packet security

CMPT 471 Networking II

21.4 Network Address Translation (NAT) NAT concept

INTRODUCTION TO FIREWALL SECURITY

FIREWALL AND NAT Lecture 7a

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Source-Connect Network Configuration Last updated May 2009

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Firewalls and System Protection

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Solution of Exercise Sheet 5

- Introduction to Firewalls -

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

OS/390 Firewall Technology Overview

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Securing Networks with PIX and ASA

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Introduction to Firewalls

Chapter 15. Firewalls, IDS and IPS

DMZ Network Visibility with Wireshark June 15, 2010

CCNA Security 1.1 Instructional Resource

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Transcription:

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Firewall 1

Basic firewall concept Roadmap Filtering firewall Proxy firewall Network Address Translation What is a firewall? Device that provides secure connectivity between networks (internal/external; varying levels of trust) Used to implement and enforce a security policy for communication between networks Trusted Networks Firewall Untrusted Networks & Servers Internet Untrusted Users Intranet Router DMZ Public Accessible Servers & Networks Trusted Users 2

Firewalls From Webster s Dictionary: a wall constructed to prevent the spread of fire Internet firewalls are more the moat around a castle than a building firewall Controlled access point Firewalls can: Restrict incoming and outgoing traffic by IP address, ports, or users Block invalid packets Convenient Give insight into traffic mix via logging Network Address Translation Encryption 3

Firewalls Cannot Protect Traffic that does not cross it routing around Internal traffic When misconfigured Access Control ALERT!! Internet Security Requirement Control access to network information and resources Protect the network from attacks 4

FILTERING FIREWALL Filtering Firewall Packets checked then passed Inbound & outbound affect when policy is checked 5

Packet filtering Access Control Lists Session filtering Filtering Dynamic Packet Filtering Stateful Inspection Context Based Access Control Packet Filtering Decisions made on a per-packet basis No state information saved Typical Configuration Ports > 1024 left open If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work. Applications Applications Presentations Sessions Transport Network Router Presentations Sessions Transport Network 6

Session Filtering Packet decision made in the context of a connection If packet is a new connection, check against security policy If packet is part of an existing connection, match it up in the state table & update table Typical Configuration All denied unless specifically allowed Dynamic protocols (FTP, RealAudio, etc.) allowed only if supported Session Filtering Screens ALL attempts, Protects All applications Extracts & maintains state information Makes an intelligent security / traffic decision Applications Applications Presentations Sessions Transport Network Presentations Sessions Transport Network Applications Presentations Sessions Transport Network Dynamic Dynamic State Dynamic State Tables State Tables Tables 7

Example: FTP Protocol FTP Server FTP Client 20 Data 21 Command 5150 5151 u Client opens command channel to server; tells server second port number. v Server acknowleges. w v u w Server opens data channel to client s second port. x x Client Acknowledges. Format: Example FTP Packet Filter access-list <rule number> <permit deny> <protocol> <SOURCE host with IP address any IP address and mask> [<gt eq port number>] <DEST host with IP address any IP address and mask> [<gt eq port number>] The following allows a user to FTP (not passive FTP) from any IP address to the FTP server (172.168.10.12) : access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21 access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20! Allows packets from any client to the FTP control and data ports access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023 access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023! Allows the FTP server to send packets back to any IP address with TCP ports > 1023 interface Ethernet 0 access-list 100 in! Apply the first rule to inbound traffic access-list 101 out! Apply the second rule to outbound traffic! 8

FTP Passive Mode FTP Server FTP Client 20 Data 21 Command 5150 5151 u Client opens command channel to server; requests passive mode. v Server allocates port for data channel; tells client port number. w Client opens data channel to server s second port. x Server Acknowledges. x v u w Example FTP : Session Filter 9

PROXY FIREWALL Relay for connections Proxy Firewalls Client1 Proxy1 Server Two flavors Application level Circuit level 10

Application Gateways Understands specific applications Limited proxies available Proxy impersonates both sides of connection Resource intensive process per connection HTTP proxies may cache web pages Application Gateways More appropriate to TCP ICMP difficult Block all unless specifically allowed Must write a new proxy application to support new protocols Not trivial! 11

Application Gateways Clients configured for proxy communication Transparent Proxies Telnet FTP HTTP Applications Presentations Sessions Transport Network Applications Presentations Sessions Transport Network Application Gateway Applications Presentations Sessions Transport Network Circuit-Level Gateways Support more services than Application-level Gateway less control over data Hard to handle protocols like FTP Clients must be aware they are using a circuitlevel proxy Protect against fragmentation problem 12

Circuit level Gateway Support TCP Example: SOCKS SOCKS v5 supports UDP, earlier versions did not See http://www.socks.nec.com Comparison Service Support Performance Security Packet Filter 3 1 No dynamic w/o holes Session Filter 2 2 Dependent on vendor Circuit GW 2 3 for dynamic support App. GW 1 4 Typically < 20 Lower is better for security & performance 13

Comparison Modify Client Applications? Packet Filter Session Filter Circuit GW App. GW No No Typical, SOCKS-ify client applications Unless transparent, client application must be proxy-aware & configured Comparison Fragmentation ICMP Packet Filter Yes No Session Filter Yes Maybe Circuit GW (SOCKS v5) Yes App. GW No yes 14

Proxying UDP/ICMP Why isn t UDP or ICMP proxied as much as TCP? TCP s connection-oriented nature easier to proxy UDP & ICMP harder (but not impossible) since each packet is a separate transaction Session filters determine which packets appear to be replies Circuit Level GW Operate at user level in OS Have circuit program route packets between interfaces instead of OS routing code 15

NETWORK ADDRESS TRANSLATION NAT: Network Address Translation Useful if organization does not have enough real IP addresses Extra security measure if internal hosts do not have valid IP addresses (harder to trick firewall) Only really need real IP addresses for services outside networks will originate connections to 16

NAT Many-to-1 (n-to-m) mapping 1-to-1 (n-to-n) mapping Proxies provide many-to-1 NAT not required on filtering firewalls Encryption (VPNs) Allows trusted users to access sensitive information while traversing untrusted networks Useful for remote users/sites IPSec 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information