Internet Security Firewalls

Similar documents
Internet Security Firewalls

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

ΕΠΛ 674: Εργαστήριο 5 Firewalls

CMPT 471 Networking II

12. Firewalls Content

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls and System Protection

Security Technology: Firewalls and VPNs

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Firewalls. Ahmad Almulhem March 10, 2012

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

FIREWALLS & CBAC. philip.heimer@hh.se

Internet infrastructure. Prof. dr. ir. André Mariën

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Overview. Firewall Security. Perimeter Security Devices. Routers

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewall Design Principles Firewall Characteristics Types of Firewalls

Proxy Server, Network Address Translator, Firewall. Proxy Server

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

CSCE 465 Computer & Network Security

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Chapter 11 Cloud Application Development

Firewalls CSCI 454/554

CSCI Firewalls and Packet Filtering

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Security threats and network. Software firewall. Hardware firewall. Firewalls

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Chapter 9 Firewalls and Intrusion Prevention Systems

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Chapter 15. Firewalls, IDS and IPS

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

What would you like to protect?

Intro to Firewalls. Summary

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Computer Security: Principles and Practice

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Packet filtering and other firewall functions

Computer Security DD2395

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewall Design Principles

How To Protect Your Network From Attack

Firewalls, IDS and IPS

Cryptography and network security

Firewall Architecture

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Intranet, Extranet, Firewall

FIREWALL ARCHITECTURES

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Lecture 23: Firewalls

Chapter 7. Firewalls

Cornerstones of Security

Network Security and Firewall 1

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

allow all such packets? While outgoing communications request information from a

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

- Introduction to Firewalls -

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Network Security. Raj Jain. The Ohio State University. Columbus, OH Raj Jain 31-1

Computer Security DD2395

NETWORK SECURITY (W/LAB) Course Syllabus

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

IP Filter/Firewall Setup

Firewalls. Chapter 3

Proxies. Chapter 4. Network & Security Gildas Avoine

8. Firewall Design & Implementation

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Firewalls (IPTABLES)

CIT 480: Securing Computer Systems. Firewalls

Compter Networks Chapter 9: Network Security

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Topics NS HS12 2 CINS/F1-01

Basics of Internet Security

CIT 480: Securing Computer Systems. Firewalls

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Guideline on Firewall

ABSTRACT CHAPTER I. Preliminary Background

Implementing Network Address Translation and Port Redirection in epipe

Transcription:

Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA

Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer Babaoglu 2001-2014 Sicurezza 2

Firewall Firewall of a car More like a moat around a medieval castle restricts entry to carefully controlled points prevents attackers from getting close to defenses restricts exits to carefully controlled points Babaoglu 2001-2014 Sicurezza 3

Firewall Combination of hardware and software to regulate traffic between an internal network and an external network (Internet) Benefits of being connected while minimizing the risks of threats Babaoglu 2001-2014 Sicurezza 4

Firewall What a firewall can do? Focus security decisions Enforce security policies Log Internet activity What a firewall can t do? Protect against malicious insiders Protect against connections that bypass it Protect against completely new threats Protect against viruses and worms Set itself up correctly Babaoglu 2001-2014 Sicurezza 5

Firewall Problems with firewalls Interfere with the Internet end-to-end communication model Create false sense of perfect security Increase inconvenience for users Babaoglu 2001-2014 Sicurezza 6

Firewall Technologies Packet filtering Proxy servers Network address translation Virtual Private Networks Babaoglu 2001-2014 Sicurezza 7

Packet Filtering Babaoglu 2001-2014 Sicurezza 8

Packet Filtering Implemented through a screening router Router: can the packet be routed to its destination? Screening router: should the packet be routed to its destination? Applies a set of rules to each inbound/outbound packet and then forwards or discards it Babaoglu 2001-2014 Sicurezza 9

Packet Filtering Decision based on information in the IP packet header IP source address IP destination address Protocol (TCP, UDP, ICMP) Source port number Destination port number Packet size Additional information Interface the packet arrives on Interface the packet will go out on Babaoglu 2001-2014 Sicurezza 10

Stateful Packet Filtering State information Is the packet a response to an earlier packet? Number of recent packets seen from the same host Is the packet identical to a recently seen packet? Is the packet a fragment? Babaoglu 2001-2014 Sicurezza 11

Packet Filtering Advantages One screening router can protect the entire network Extremely efficient Widely available Disadvantages Hard to configure Reduces router performance Limited in the range of policies that can be implemented Babaoglu 2001-2014 Sicurezza 12

Proxy Servers Specialized application programs for Internet services (HTTP, FTP, telnet, etc.) Proxy server Proxy client Need a mechanism to restrict direct communication between the internal and external networks Typically combined with caching for performance Effective only when used in conjunction with mechanisms that restrict direct communications between the internal and external hosts Babaoglu 2001-2014 Sicurezza 13

Dual-Homed Host Proxy Servers Babaoglu 2001-2014 Sicurezza 14

Proxy Servers Advantages Can perform user-level authentication Can do intelligent (application specific) filtering Can be combined with caching Can do good logging Disadvantages Require different servers for each service Require modifications to clients Babaoglu 2001-2014 Sicurezza 15

Network Address Translation Allows a network to use a set of addresses internally and a different set of addresses externally Invented not for security but for conserving IP addresses Typically implemented within a router Babaoglu 2001-2014 Sicurezza 16

Network Address Translation Babaoglu 2001-2014 Sicurezza 17

Network Address Translation with Port Forwarding Babaoglu 2001-2014 Sicurezza 18

Network Address Translation Advantages Enforces firewall control over outbound traffic Restricts incoming traffic (no spontaneous connections) Hides structure and details of internal network Disadvantages Interferes with some encryption-based techniques Dynamic allocation of addresses interferes with logging Internal network cannot host externally-visible services (requires port mapping) Babaoglu 2001-2014 Sicurezza 19

Firewall Architectures Host-based and personal Screening Router Dual-Homed Host Screened Host Screened Subnet Babaoglu 2001-2014 Sicurezza 20

Host-based Firewalls Secures an individual host Available in many operating systems Commonly used to protect servers Advantages Highly customizable Topology independent all (internal and external) attacks must go through the firewall Extensible new servers can be added to the network, with their own firewall, without the need of altering the network configuration Babaoglu 2001-2014 Sicurezza 21

Personal Firewalls (Incoming connections) Controls the traffic between a personal computer or workstation and a network (or Internet) Babaoglu 2001-2014 Sicurezza 22

Personal Firewalls (Outgoing connections) Babaoglu 2001-2014 Sicurezza 23

Screening Router Babaoglu 2001-2014 Sicurezza 24

Dual-Homed Host Babaoglu 2001-2014 Sicurezza 25

Screened Host Babaoglu 2001-2014 Sicurezza 26

Bastion Host A computer on a network specifically designed and configured to resist attacks Great exposure to attacks All traffic crosses the bastion host, that can control and block/forward it Generally runs only a few applications, mainly proxies Babaoglu 2001-2014 Sicurezza 27

Bastion Host Basic rules to set up a bastion host: No other hosts can be reached from outside Trusted operating system No unnecessary software (no compilers) Read-only file system (apart from strictly required write operations) Only strictly required services No user accounts Additional authentication mechanisms Extensive logging Babaoglu 2001-2014 Sicurezza 28

Screened Subnet DMZ DMZ Babaoglu 2001-2014 Sicurezza 29

Screened Subnet Exterior router (access router) protects DMZ (De-Militarized Zone) and internal network from Internet block incoming packets from Internet that have forged source addresses allow incoming traffic only for bastion hosts/services. Interior router (or choke router) protects internal network from Internet and DMZ does most of packet filtering for firewall allows selected outbound services from internal network limit services between bastion host and internal network Babaoglu 2001-2014 Sicurezza 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information