CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Similar documents
We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewall Firewall August, 2003

FIREWALL AND NAT Lecture 7a

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Solution of Exercise Sheet 5

CMPT 471 Networking II

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Firewalls and System Protection

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Cisco Configuring Commonly Used IP ACLs

allow all such packets? While outgoing communications request information from a

Security Technology: Firewalls and VPNs

Chapter 11 Cloud Application Development

Firewalls. Pehr Söderman KTH-CSC

Firewalls. Network Security. Firewalls Defined. Firewalls

Firewalls. Chapter 3

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

CSCE 465 Computer & Network Security

INTRODUCTION TO FIREWALL SECURITY

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Firewalls, IDS and IPS

Implementing Network Address Translation and Port Redirection in epipe

Internet Security Firewalls

A S B

Linux MDS Firewall Supplement

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Chapter 8 Security Pt 2

Lecture 23: Firewalls

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Network Security CS 192

Firewalls P+S Linux Router & Firewall 2013

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

ΕΠΛ 674: Εργαστήριο 5 Firewalls

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

GregSowell.com. Mikrotik Security

Chapter 15. Firewalls, IDS and IPS

- Introduction to Firewalls -

ECE 578 Term Paper Network Security through IP packet Filtering

Firewalls. Chien-Chung Shen

Firewalls 1 / 43. Firewalls

Linux MPS Firewall Supplement

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

Stateful Firewalls. Hank and Foo

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Internet Security Firewalls

+ iptables. packet filtering && firewall

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Security threats and network. Software firewall. Hardware firewall. Firewalls

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

FIREWALLS & CBAC. philip.heimer@hh.se

Proxy Server, Network Address Translator, Firewall. Proxy Server

Overview. Firewall Security. Perimeter Security Devices. Routers

Chapter 8 Network Security

Firewall Design Principles

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

Firewall Design Principles Firewall Characteristics Types of Firewalls

Internet infrastructure. Prof. dr. ir. André Mariën

Firewalls (IPTABLES)

CIT 480: Securing Computer Systems. Firewalls

CS5008: Internet Computing

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Cisco Secure PIX Firewall with Two Routers Configuration Example

DMZ Network Visibility with Wireshark June 15, 2010

Protecting and controlling Virtual LANs by Linux router-firewall

Chapter 20. Firewalls

Focus on Security. Keeping the bad guys out

Classification of Firewalls and Proxies

Linux Networking: IP Packet Filter Firewalling

Multi-Homing Dual WAN Firewall Router

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

How to protect your home/office network?

Packet filtering and other firewall functions

Network Security - ISA 656 Firewalls & NATs

CSCI Firewalls and Packet Filtering

VLAN und MPLS, Firewall und NAT,

Firewalls. Ahmad Almulhem March 10, 2012

Chapter 4 Firewall Protection and Content Filtering

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Firewall implementation and testing

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Transcription:

CSE331: Introduction to Networks and Security Lecture 12 Fall 2006

Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on the web If you have changed (or want to change) groups let us know CSE331 Fall 2004 2

Today: NATs and Firewalls Problem: Protecting or isolating one part of the network from other parts Need to filter or otherwise limit network traffic How to configure this information? Questions: What information do you use to filter? Where do you do the filtering? CSE331 Fall 2004 3

Kinds of Firewalls Personal firewalls Run at the end hosts e.g. Norton, Windows, etc. Benefit: has more application/user specific information Network Address Translators Rewrites packet address information Filter Based Operates by filtering based on packet headers Proxy based Operates at the level of the application e.g. HTTP web proxy CSE331 Fall 2004 4

Network Address Translation Idea: Break the invariant that IP addresses are globally unique 10.0.1.15 10.0.1.13 171.69.210.246 NAT Internet 10.0.1.12 10.0.1.14 NAT Port 10.0.1.14 CSE331 Fall 2004 5

NAT Behavior NAT maintains a table of the form: <client IP> <client port> <NAT ID> Outgoing packets (on non-nat port): Look for client IP address, client port in the mapping table If found, replace client port with previously allocated NAT ID (same size as PORT #) If not found, allocate a new unique NAT ID and replace source port with NAT ID Replace source address with NAT address CSE331 Fall 2004 6

NAT Behavior Incoming Packets (on NAT port) Look up destination port number as NAT ID in port mapping table If found, replace destination address and port with client entries from the mapping table If not found, the packet is not for us and should be rejected Table entries expire after 2-3 minutes to allow them to be garbage collected CSE331 Fall 2004 7

Benefits of NAT Only allows connections to the outside that are established from inside. Hosts from outside can only contact internal hosts that appear in the mapping table, and they re only added when they establish the connection Some NATs support firewall-like configurability Can simplify network administration Divide network into smaller chunks Consolidate configuration data Traffic logging CSE331 Fall 2004 8

Drawbacks of NAT Rewriting IP addresses isn t so easy: Must also look for IP addresses in other locations and rewrite them (may have to be protocol-aware) Potentially changes sequence number information Must validate/recalculate checksums Hinder throughput May not work with all protocols Clients may have to be aware that NAT translation is going on Slow the adoption of IPv6? Limited filtering of packets CSE331 Fall 2004 9

Firewalls Filter Filter Inside Gateway Outside Filters protect against bad packets. Protect services offered internally from outside access. Provide outside services to hosts located inside. CSE331 Fall 2004 10

Filtering Firewalls Filtering can take advantage of the following information from network and transport layer headers: Source Destination Source Port Destination Port Flags (e.g. ACK) Some firewalls keep state about open TCP connections Allows conditional filtering rules of the form if internal machine has established the TCP connection, permit inbound reply packets CSE331 Fall 2004 11

Three-Way Handshake CSE331 Fall 2004 12

Ports Ports are used to distinguish applications and services on a machine. Low numbered ports are often reserved for server listening. High numbered ports are often assigned for client requests. Port 7 (UDP,TCP): echo server Port 13 (UDP,TCP): daytime Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 23 (TCP): telnet Port 25 (TCP): SMTP Port 79 (TCP): finger Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP): X11 CSE331 Fall 2004 13

Filter Example Action ourhost port theirhost port comment block * * BAD * untrusted host allow GW 25 * * allow our SMTP port Apply rules from top to bottom with assumed default entry: Action ourhost port theirhost port comment block * * * * default Bad entry intended to allow connections to SMTP from inside: Action ourhost port theirhost port comment allow * * * 25 connect to their SMTP This allows all connections from port 25, but an outside machine can run anything on its port 25! CSE331 Fall 2004 14

Filter Example Continued Permit outgoing calls to port 25. Action src port dest port flags comment allow 123.45.6.* * * 25 * their SMTP allow * 25 * * ACK their replies This filter doesn t protect against IP address spoofing. The bad hosts can pretend to be one of the hosts with addresses 123.45.6.*. CSE331 Fall 2004 15

When to Filter? Router Inside Outside CSE331 Fall 2004 16

On Input or Output Filtering on output can be more efficient since it can be combined with table lookup of the route. However, some information is lost at the output stage e.g. the physical input port on which the packet arrived. Can be useful information to prevent address spoofing. Filtering on input can protect the router itself. CSE331 Fall 2004 17

Recommend: Filter ASAP Action src port dest port comment block BAD * * * we don t trust them allow * * GW 25 connect to our SMTP allow GW 25 * * our reply packets Is preferred over: Action src port dest port comment block * * BAD * subtle difference allow * * GW 25 connect to our SMTP allow GW 25 * * our reply packets CSE331 Fall 2004 18

Example of a Pitfall Filter output to allow incoming and outgoing mail, but prohibit all else. Action dest port comment allow * 25 incoming mail allow * >= 1024 outgoing responses block * * nothing else Apply this output filter set to both interfaces of the router. Does it work? Unintended consequence: allows all communication on high numbered ports! CSE331 Fall 2004 19

Principles for Firewall Configuration Least Privileges: Turn off everything that is unnecessary (e.g. Web Servers should disable SMTP port 25) Failsafe Defaults: By default should reject (Note that this could cause usability problems ) Egress Filtering: Filter outgoing packets too! You know the valid IP addresses for machines internal to the network, so drop those that aren t valid. This can help prevent DoS attacks in the Internet. CSE331 Fall 2004 20

Example real firewall config script ############ # FreeBSD Firewall configuration. # Single-machine custom firewall setup. Protects somewhat # against the outside world. ############ # Set this to your ip address. ip="192.100.666.1" setup_loopback # Allow anything outbound from this address. ${fwcmd} add allow all from ${ip} to any out # Deny anything outbound from other addresses. ${fwcmd} add deny log all from any to any out # Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps, # pop3, pop3s. ${fwcmd} add allow tcp from any to ${ip} 21 setup ${fwcmd} add allow tcp from any to ${ip} 22 setup ${fwcmd} add allow tcp from any to ${ip} 25 setup ${fwcmd} add allow tcp from any to ${ip} 53 setup ${fwcmd} add allow tcp from any to ${ip} 80 setup ${fwcmd} add allow tcp from any to ${ip} 443 setup CSE331 Fall 2004 21

Proxy-based Firewalls External Client External TCP/HTTP connection Firewall Web Proxy Internal TCP/HTTP connection Local Web Server Proxy acts like both a client and a server. Able to filter using application-level info For example, permit some URLs to be visible outside and prevent others from being visible. Proxies can provide other services too Caching, load balancing, etc. FTP and Telnet proxies are common too CSE331 Fall 2004 22

Benefits of Firewalls Increased security for internal hosts. Reduced amount of effort required to counter break ins. Possible added convenience of operation within firewall (with some risk). Reduced legal and other costs associated with hacker activities. CSE331 Fall 2004 23

Drawbacks of Firewalls Costs: Hardware purchase and maintenance Software development or purchase, and update costs Administrative setup and training, and ongoing administrative costs and trouble-shooting Lost business or inconvenience from broken gateway Loss of some services that an open connection would supply. False sense of security Firewalls don t protect against viruses CSE331 Fall 2004 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information