Garantía y Seguridad en Sistemas y Redes

Similar documents
How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Computer Security: Principles and Practice

Computer Security DD2395

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Computer Security DD2395

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewalls CSCI 454/554

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

What would you like to protect?

Firewalls. Chien-Chung Shen

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls (IPTABLES)

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Security Technology: Firewalls and VPNs

Intranet, Extranet, Firewall

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Chapter 20. Firewalls

CMPT 471 Networking II

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

CSE543 - Computer and Network Security Module: Firewalls

Internet infrastructure. Prof. dr. ir. André Mariën

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

CS Computer and Network Security: Firewalls

CSC574 - Computer and Network Security Module: Firewalls

How To Understand A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewall Design Principles Firewall Characteristics Types of Firewalls

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

CS Computer and Network Security: Firewalls

Firewalls. Chapter 3

Cryptography and network security

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Maruleng Local Municipality

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewall Architecture

Network Defense Tools

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Firewalls & Intrusion Detection

Chapter 7. Firewalls

CIS 433/533 - Computer and Network Security Firewalls

CIT 480: Securing Computer Systems. Firewalls

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

How To Protect Your Network From Attack From Outside From Inside And Outside

CSCI Firewalls and Packet Filtering

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Firewalls. Mahalingam Ramkumar

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Internet Security Firewalls

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Network Security Topologies. Chapter 11

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Security threats and network. Software firewall. Hardware firewall. Firewalls

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

CSCE 465 Computer & Network Security

21.4 Network Address Translation (NAT) NAT concept

Lecture 23: Firewalls

INTRODUCTION TO FIREWALL SECURITY

Firewalls. Pehr Söderman KTH-CSC

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Guideline on Firewall

How to Secure RHEL 6.2 Part 2

Role of Firewall in Network. Security. Syed S. Rizvi. CS 872: Computer Network Security. Fall 2005

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

CIT 480: Securing Computer Systems. Firewalls

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Firewall Security. Presented by: Daminda Perera

Networking for Caribbean Development

FIREWALL AND NAT Lecture 7a

Focus on Security. Keeping the bad guys out

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls Overview and Best Practices. White Paper

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Chapter 15. Firewalls, IDS and IPS

ACS-3921/ Computer Security And Privacy Lecture Note 8 October 28 th 2015 Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls, Tunnels, and Network Intrusion Detection

Overview. Firewall Security. Perimeter Security Devices. Routers

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Transcription:

Garantía y Seguridad en Sistemas y Redes Tema 10. Intrusion Preven3on Esteban Stafford Departamento de Ingeniería Informá2ca y Electrónica Este tema se publica bajo Licencia: Crea2ve Commons BY- NC- SA 4.0

Contents The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Location and Configurations 2

Firewalls and Intrusion Prevention Systems Operating systems and applications are insecure. Internet connectivity is essential... for every organization and individuals. but it is a risky place. External threats. Firewalls set up a perimeter defense, giving: They vs. We ; Outside vs. Inside. Single choke point to impose security on a LAN. Auditing point for identifying problems afterwards. Firewalls are just another layer of defense. Military Doctrine: Defense in depth 3 Firewall Design Design Goals Firewall is the only way in or out the perimeter. Only authorized traffic is allowed to pass. The firewall itself is immune to penetration. Access control techniques Service control: which service is allowed (Port numbers...) Direction control: from outside/to inside access. User control: control access depending on user. Requires authentication. Behavior control: how particular services are used: spam filter on email or hide web for external users. 4

Firewalls and Intrusion Prevention Systems Operating systems and applications are insecure. Internet connectivity is essential... for every organization and individuals. but it is a risky place. External threats. Firewalls set up a perimeter defense, giving: They vs. We ; Outside vs. Inside. Single choke point to impose security on a LAN. Auditing point for identifying problems afterwards. Firewalls are just another layer of defense. Military Doctrine: Defense in depth 3 Firewall Design Design Goals Firewall is the only way in or out the perimeter. Only authorized traffic is allowed to pass. The firewall itself is immune to penetration. Access control techniques Service control: which service is allowed (Port numbers...) Direction control: from outside/to inside access. User control: control access depending on user. Requires authentication. Behavior control: how particular services are used: spam filter on email or hide web for external users. 4

Firewall Capabilities and Limits Capabilities Defines single entry point. Provides a location for monitoring security events. Convenient platform for some Internet functions Routing, NAT, usage monitoring, IPSEC VPNs... Limitations Cannot protect against attacks bypassing firewall Dial-out, mobile broadband, WiFi. May not protect against internal threats. Laptops, PDA, portable storage device infected outside then used inside. 5

Types of Firewalls Packet filters. Applies simple rules to allow or discard packets. Statefull packet filters. Rules might involve previous history. Application firewalls. Filters traffic attending to higher layer protocols. Proxies. Allow communication on a connection basis. 6

Packet Filtering Firewall Fast and transparent to users. Applies simple rules to traffic through firewall. Based on information in packet header: Src/dest IP addr and port, protocol, interface, TCP state... When a rule matches it applies an action: Accept, drop, reject, log... If no rule matches, the it applies default policy: Accept - permit unless expressly prohibited Drop - prohibit unless expressly permitted Source Destination Protocol Port Action 192.168.1.0/24 192.168.1.100 TCP 22 Accept any 192.168.1.101 TCP 80 Accept any any any any Drop 7

Packet Filter Weaknesses Weaknesses Cannot prevent application level exploits. Limited logging functionality. Do not support advanced user authentication. Vulnerable to attacks on TCP/IP protocol bugs. Improper configuration can lead to breaches. Complex configurations end up with too many rules. Attacks and countermeasures IP address spoofing: Discard external packets with internal addresses. Source-routing attacks: Discard packets with it. Tiny fragment attacks: Discard packets. 8

Stateful Inspection Firewall Motivation Packet filters have no memory (stateless). Complex protocols cannot be properly handled (TCP, FTP...) Based on past information better filters can be built. Capabilities Review packet header information But also keep track of connections and other information. Can be used to close unused inbound high ports (TCP). Can track sequence numbers (Prevent session hijacking). Can make simple checks on higher level protocols (FTP, IM). 9

iptables eth0 ppp input forward output accept/drop accept/drop accept/drop local process Input chain: Filters traffic that will be consumed by local processes. Forward chain: Filters traffic routed to other hosts. Output chain: Filters traffic comming from local processes. 10

iptables No rules + policy ACCEPT = no firewall $ iptables -L Chain INPUT ( policy ACCEPT ) target prot opt source destination Chain FORWARD ( policy ACCEPT ) target prot opt source destination Chain OUTPUT ( policy ACCEPT ) target prot opt source destination Change policy $ iptables -P INPUT DROP 11

iptables Add simple rule $ iptables -A INPUT -p tcp -- dport 80 -j ACCEPT Only accept HTTP Chain INPUT ( policy DROP ) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt : http 12

Application-Level Gateway Also known as Application Proxy. A proxy is a connection relay. Transform usr local connection prx remote connection www proxy protocol server protocol Recognizes application-specific commands and offers security controls. Can perform user authentication. May restrict application features supported. Deep packet-inspection: can make serious checks. Not always transparent. Applications need to know about the proxy. Impose a higher overhead on traffic management. 13

HTTP Proxy GET / HTTP/1.1 User-Agent: Wget/ 1.13.4 (linux-gnu) Accept: */* Host: www.google.es Connection: Keep-Alive GET http://www.google.com/ HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) Accept: */* Host: www.google.com Connection: Close Proxy-Connection: Keep-Alive 14

Circuit-Level Gateway Similar to a proxy, but for any tcp connection. C. Init + C. Request C. Initialization Authenticate usr C. Established gw C. Established srv Data Relay Data Relays TCP segments from one connection to the other without examining contents. Proxies translate between local and remote protocols. Hence independent of application logic. Just determines whether relay is permitted. Typically used when inside users trusted: May use application-level gateway inbound connections And circuit-level gateway outbound connections. Hence lower overheads. SOCKS (RFC1928) allow TCP/UDP applications to securely use firewall 15

Bastion Hosts Critical strongpoint in network. Usually hosts application/circuit-level gateways. Common characteristics: Runs secure O/S, only essential services (No login). May require user authentication to access a proxy. Each proxy can restrict features/hosts accessed. Each proxy small, simple, checked for security. Each proxy is independent, non-privileged (Jail). Limited disk use, hence read-only code. 16

Host-Based Firewalls A module to secure individual hosts. Available in many O/S: Linux iptables Or an add-on module. Similar to standard firewall to filter packet flows. Often used on servers Advantages: Tailored filter rules for the specific host needs. Protection from both internal/external attacks Another layer of protection, additional to network firewall. Another layer of complexity, really necessary? 17

Screening Router On home cable/dsl router/gateway For both home or corporate use Typically much less complex. Primary role to deny unauthorized access. May also monitor outgoing traffic to detect/block malware activity. Potential problems: Block some applications or services which are not sepecifically allowed by the firewall. 18

Firewall Topologies Host-resident firewall. Screening router (Home ADSL). Packet filtering. Single bastion inline firewall. Like screening router with more sofisticated firewalls. Single bastion T: Inside vs. outside vs. DMZ. Has a third network interface. Double bastion inline. DMZ Between two firewalls. Double bastion T: outside, internal servers, users. Distributed firewall configuration. 19

Distributed Firewalls Remote users Internet A central control + Standalone firewalls + host-based firewalls. Comprehensive controls allow finer granularity. Internal DMZ External DMZ Web server(s) External DMZ network Internal DMZ network Email server Web server(s) DNS server Internal protected network Application and database servers Boundary router External firewall LAN switch Internal firewall LAN switch host-resident firewall Workstations Figure 9.5 Example Distributed Firewall Configuration 20

Virtual Private Networks (VPNs) VPNs are a cheap way of implementing distributed internal network. IPsec: uses encryption and authentication in the network layer to provide a secure connection. User system with IPSec IP IPSec Header Header secure IP packet Secure IP Payload Public (Internet) or Private Network IP Header secure IP packet IPSec Header Secure IP Payload IP Header secure IP packet IPSec Header Secure IP Payload IP Header plain IP packet IP Payload Firewall with IPSec Firewall with IPSec IP Header plain IP packet IP Payload Figure 9.4 A VPN Security Scenario 21

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information