Overview. Firewall Security. Perimeter Security Devices. Routers



Similar documents
Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewall Security. Presented by: Daminda Perera

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

- Introduction to Firewalls -

Security Technology: Firewalls and VPNs

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Guideline on Firewall

Firewalls. Chapter 3

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

12. Firewalls Content

Proxy Server, Network Address Translator, Firewall. Proxy Server

Internet Security Firewalls

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

CMPT 471 Networking II

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Packet filtering and other firewall functions

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Internet Security Firewalls

Chapter 15. Firewalls, IDS and IPS

allow all such packets? While outgoing communications request information from a

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Chapter 7. Firewalls

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

10 Configuring Packet Filtering and Routing Rules

CSCI Firewalls and Packet Filtering

FIREWALL AND NAT Lecture 7a

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Intro to Firewalls. Summary

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Firewall Architecture

Firewalls, IDS and IPS

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

8. Firewall Design & Implementation

Firewalls & Intrusion Detection

Chapter 9 Firewalls and Intrusion Prevention Systems

FIREWALL ARCHITECTURES

- Introduction to PIX/ASA Firewalls -

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls and System Protection

Tutorial 3. June 8, 2015

Lecture 23: Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Chapter 8 Security Pt 2

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Firewalls. Ahmad Almulhem March 10, 2012

CIT 480: Securing Computer Systems. Firewalls

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Cornerstones of Security

Firewall Design Principles

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

ABSTRACT CHAPTER I. Preliminary Background

CSE543 - Computer and Network Security Module: Firewalls

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Content Distribution Networks (CDN)

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Computer Networks. Secure Systems

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewall Firewall August, 2003

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Chapter 20. Firewalls

Network Security Topologies. Chapter 11

Firewall Environments. Name

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Firewalls, Tunnels, and Network Intrusion Detection

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewall Architecture Guide

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewalls Overview and Best Practices. White Paper

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

A S B

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

How To Protect Your Network From Attack From Outside From Inside And Outside

Transcription:

Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers Network devices that form the core of perimeter security include Routers Proxy servers Firewalls A perimeter defense must be manageable Balance financial, manpower, and other resources against the degree of security required Routers are used to interconnect networks Usually bridge different physical networks Route traffic from a source to a destination Often the first device encountered as a packet enters a network from the Internet 3 4

Routers (cont d) Routers: Spoofing Protection A Routers may implement some security functionalities Packet filtering through the use of access control lists Reducing load on other devices (ex. firewall, can protect from DOS attacks) Screening traffic with suspicious IP addresses to protect against spoofing Egress filtering: ensure traffic leaving your network bears a valid IP address, prevent hackers from Router A can be configured to Ensure that traffic bearing an IP address in the 129.76 range does not enter the protected New York network from either the Internet or the Chicago network Reject any packets coming from the Internet connection with a source address in the 129.77 range launching spoofing attacks using your network 5 6 B Proxies Proxies (cont d) A proxy is an entity with the authorization to act on behalf of another Proxy servers sit between a client and an untrusted system in the Internet Prevents the untrusted system from having any direct access to the client that would support malicious actions Masks the client s identity Limits network sniffing Client requests are directed to the proxy Proxy either responds from its cache or makes a request to the Web server on behalf of the client and then responds to the client Limit type of the content (filtering) Screen incoming data for malicious content 7 8

Firewalls Types of Firewalls Improve network security Cannot completely eliminate threats and attacks Responsible for screening traffic entering and/or leaving a computer network Each packet that passes is screened following a set of rules stored in the firewall rulebase Several types of firewalls Several common topologies for arranging firewalls 9 A diverse range of firewall solutions are available on the market today Both hardware and software solutions Hardware-based firewalls (appliances) Integrated solutions are standalone devices that contain all hardware and software required to implement the firewall Similar to software firewalls in user interfaces, logging/audit, and remote configuration capabilities More expensive than software firewalls Faster processing possible for high-bandwidth environments 10 Types of Firewalls (cont d) Packet Filtering Software firewalls Relatively inexpensive Purchasing a license agreement will include media required to install and configure the firewall Most firewalls are available for Windows, Unix, and Linux Can also purchase design of the firewall rulebase with configuration, maintenance and support Worthwhile unless you really understand what is needed, a mistake can negate the usefulness of the firewall An early basic technology for screening packets passing through a network Each packet is screened independently Firewall reads and analyzes the packet headers Offers considerable flexibility in what can be screened Common fields: Source address, Destination address, Destination port, and Transport protocol Can be used for performance enhancement by screening non-critical traffic by day or time for example 11 12

Stateful Inspection Firewall Topologies A next-generation firewall technology Overcomes the limitation of packet filtering that treats packets in isolation Treats packets as pieces of a connection Maintains data about legitimate open connections that packets belong to Keeps identity of ports being used for a connection Traffic is allowed to pass until connection is closed or times out Example: a typical Web page retrieving scenario client 1423 server 80 client 1423 server 2901 Firewalls should be placed between the protected network (or subnet) and potential entry points Access points can include dial-up modems, wireless accesses, and broadband lines Three common firewall topologies Bastion host (dual-home firewall) Screened subnet Dual firewalls Firewall installations can include combinations of these topologies for layered protection client 1423 server 2901 13 14 Bastion Host Bastion Host (cont d) Firewall is the sole link between the protected network and the untrusted network Firewall has two network interface cards One to protected network One to untrusted network Relatively inexpensive and easy to implement 15 If services are offered to clients outside of the protected network, there is a significant security risk Port 80 has to stay open Hackers can potentially compromise the Web server through this port and get access to full protected network (There is no protection between the Web server machine and other machines in the protected network.) 16

Screened Subnet Screened Subnet (cont d) Also called demilitarized zone (DMZ) Single firewall, three network interface cards One to protected network One to screened subnet One to untrusted network (the Internet) 17 Screened subnet contains systems that provide services to external users (Web or SMTP servers etc.) If any machine in the DMZ is compromised, the whole DMZ might be attacked, but access is still kept out of the protected network 18 Dual Firewalls Dual Firewalls (cont d) Uses two firewalls, each with two network cards One firewall connects to the untrusted network and the screened subnet The other firewall connects to the screened subnet and the protected network The screened subnet again provides a buffer between the networks Major advantage: minimize the possibility that a malicious individual could compromise the firewall itself For more security, use two different firewalls (H/W vs. S/W, vendors, different security certification levels) Unlikely to have the same security vulnerabilities (apply patch as soon as possible) 19 20

Firewall Rulebases Firewall Rules Rulebase is used to provide the definition of what traffic is allowable and what is not Firewall administrators spend most of their time on the rulebase Most firewalls have good user interfaces (GUI, remote configurable) to support rule definition General rule syntax is <action><protocol> from <source_address><source_port> to <destination_address><destination_port> Most firewalls have advanced functionality to <action> may be either deny or allow <protocol> may be tcp, udp or icmp <source_address> and <destination_address> may be an IP address, an IP address range, or the keyword any <source_port> and <destination_port> may be a port number or the keyword any Advanced <action> could be drop inbound traffic. Dropped traffic is simply ignored, whereas the originator is notified when traffic is blocked Could integrate authentication to apply different security restrictions to different classes of users supplement the basic fields above 21 22 Special Rules Summary These are basic rules that should be included in all firewall installations Cleanup Rule Ex. deny any from any any to any any Deny everything that is not explicitly allowed. Last rule in any firewall rulebase Many firewalls include this rule implicitly in the installation Stealth Rule Ex. deny any from any any to firewall any Prevents anyone from directly connecting to the firewall over the network (to protect from attacks) First rule in the firewall rulebase (unless limited connections are explicitly allowed by previous rules) 23 Perimeter security involves a combination of network devices including routers, proxy servers, and firewalls Routers are used for routing traffic May have some security functionality Proxy servers sit between a protected client and an untrusted network, masking potentially dangerous interactions Firewalls screen traffic entering and leaving a network on a packet-by-packet basis 24

Summary (cont d) Firewalls can be purchased as software or as integrated hardware packages There are two primary types of firewall filtering Packet filtering examines each packet in isolation Stateful inspection examines each packet within the context of a specific open connection There are three primary firewall topologies Bastion host uses a single firewall with two interface cards Screened subnet uses a single firewall with three interface cards Dual firewalls uses two firewalls, each with two interface Summary (cont d) Firewalls rely on rulebases to configure the specific screening that will be done on packets Specific rules should be based on the business requirements for the particular organization There are two special rules that should be implemented by every firewall Cleanup rule Stealth rule cards 25 26 Assignments Reading: Chapter 8 Practice 8.7 Challenge Questions Turn in Challenge Exercise 8.2 next week 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information