Firewalls. Network Security. Firewalls Defined. Firewalls




Network Security: Firewalls

Outline
- Firewalls defined
- Types of firewalls
  - Screening router firewalls
  - Computer-based firewalls
  - Firewall appliances
  - Host firewalls (firewalls on clients and servers)
- Inspection methods
- Firewall architecture
- Configuring, testing, and maintenance

Firewalls Defined
- Separate the outside network from the inside network
- Selectively forward packets from one network to another
- Keep the bad guy's packets out
- Let the good guy's packets in
- Let everybody's packets get out
- Prevent network mapping (NAT)

Figure: A firewall placed between the local network and the Internet.

Figure: Border (ingress) firewall. The border firewall sits between the Internet (not trusted) and the internal corporate network (trusted). Packets from the attacker are attack packets; passed packets are labelled ingress or egress; dropped ingress packets are recorded in a log file. The hosts behind the firewall are a hardened client PC and a hardened server.

Proxy Function
- Store
- Filter
- Forward

Two Generic Filter Categories
1. Circuit filters: work at the Data Link and Network OSI layers
2. Application gateways: work at the Transport and Application layers

Filtering Packets
- Some get through, some don't. How do you pick? It depends on:
  - What information is available?
  - What you want to protect against?

Types of Firewall Inspection
- Packet inspection examines IP, TCP, UDP, and ICMP header contents
  - Static packet filtering looks at individual packets in isolation
  - Stateful inspection inspects packets in the context of the packet's role in an ongoing or incipient conversation
  - Stateful inspection is the preferred packet inspection method today

What Information Is Available at the IP Level?
- Always available: source and destination addresses
  - Filter traffic from or to IP addresses or ranges of addresses
- Packet size
  - Can filter out large packets
- Port requested
  - Can filter out ICMP or FTP, etc.

Ports to Block
- finger (79)
- telnet (23)
- rlogin (513)
- ftp (21)
- X Windows (177)
- mail (25)
- http (80)
- ICMP (RFC 792): ping, redirect, traceroute

Using Port Information
- If a TCP port is requested, a TCP-aware filter can use TCP info
- If ICMP is requested and allowed, can filter by ICMP type, e.g. allow ping but disallow traceroute
- What if the SSL port is selected?

Circuit Gateways
- Stateful filters
  - Who originated?
  - When?
  - Where did the last packet come from / go to (route)?

Info at the Application Layer
- Attachment format
  - File type
  - Viruses
- Access to text in the payload (keyword examples: porn, sex, smack, weed)

Pros and Cons
- Circuit filters
  - Advantage: simplicity
  - Disadvantage: limited scope
- Application filters
  - Advantage: wide scope
  - Disadvantages: complexity, performance

Some Commercial Firewalls
1. Altavista (DEC)
2. Borderware (Secure Computing Corp)
3. Cyberguard (Cyberguard Corp)
4. Eagle (Raptor Systems)
5. Firewall-1 (Checkpoint Software)
6. Gauntlet (Trusted Info Systems)
7. ON Guard (ON Technology Corp)

Firewalls Cannot:
- Be perfect
  - Bad stuff will get in/out
  - Good stuff will get filtered
- Protect against insiders

Firewall Hardware and Software: Screening Router Firewalls
- Add firewall software to the router
- Usually provide light filtering only
- Expensive for the processing power; usually must upgrade the hardware, too
- Screens out the incoming noise of simple scanning attacks to make the detection of serious attacks easier
- Good location for egress filtering: can eliminate scanning responses, even from the router

Software Firewalls
- Add firewall software to a server with an existing operating system (Windows or UNIX)
- Can be purchased with the power to handle any load
- Easy to use because the operating system is already known

Special Purpose Computer
- Bundle software with hardened hardware and operating system software
- General-purpose operating systems may result in:
  - Slower processing
  - Excess functionality
  - Wasted space
  - Unnecessary vulnerabilities
  - Etc.

Host Firewalls
- Installed on the hosts themselves (servers and clients)
- May use host-specific knowledge
  - For example, filter out everything but webserver transmissions on a webserver
- Client firewalls typically must be configured by users
  - Users might misconfigure or reject the firewall
  - Need to centrally manage remote employee computers

Drivers of Performance Requirements
- Performance requirements are driven by traffic volume (packets per second) and the complexity of filtering
- Complexity of filtering: number of filtering rules, complexity of the rules, etc.

Figure: Static IP packet filter firewall between the corporate network and the Internet. Arriving packets are examined one at a time, in isolation; only the IP, TCP, UDP and ICMP headers are examined. Packets carrying an IP header plus a TCP or UDP header and an application message are shown as permitted (passed); a packet carrying an IP header and an ICMP message is shown as denied (dropped) and recorded in the log file.

Ingress Filtering
- Prevent attack packets from entering the protected network
- Rules are applied in order
- See Figure 5.6 for the generic rule format

Ingress Filtering: Deny Known Fallacious Source Addresses
- Private addresses: 10.*.*.*, 172.16.*.* to 172.31.*.*, 192.168.*.*
- Internal address ranges
- Other obvious or known common addresses: 1.2.3.4, 0.0.0.0, 0.0.0.1, etc.

Ingress Filtering: Deny Known TCP Vulnerabilities
- Syn flood (TCP SYN=1 AND FIN=1)
- FTP (TCP destination port = 20)
- Supervisory control connection (TCP destination port = 21)
- Telnet (TCP destination port = 23)
- NetBIOS (TCP destination port = 135 through 139)
- UNIX rlogin (TCP destination port = 513)
- UNIX rsh, launch shell without login (TCP port 514)

Ingress Filtering: Example Rule Set
1. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
2. If ICMP Type = 0, PASS [allow incoming echo reply messages]
3. DENY ALL

Egress Filtering: Deny Destinations
- Private IP address ranges: 10.*.*.*, 172.16.*.* to 172.31.*.*, 192.168.*.*
- Not in the internal address range 60.47.*.*

Egress Filtering: ICMP and Resets
- Allow ICMP Type = 8, PASS [outgoing echo messages]
- Deny Protocol = ICMP [all other outgoing ICMP]
- Deny TCP RST=1 [outgoing resets; used in host scanning]

Egress Filtering: Source Ports
- Deny connections to well-known ports
  - TCP source port = 0 through 49151
  - UDP source port = 0 through 49151
- Allow outgoing client connections
  - UDP source port = 49152 through 65,536
  - TCP source port = 49152 through 65,536
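The ingress and egress slides above are rule lists evaluated in order, first match wins. The following is an added example (not code from the deck) that encodes those lists as an ordered static packet filter and runs constructed sample packets through it. Packets are plain dicts with constructed documentation addresses; the internal range 60.47.0.0/16 is the slides' own. One reading is an assumption: the egress line "not in internal address range 60.47.*.*" is implemented as an anti-spoofing check that the packet's source address lies in 60.47.*.*.

```python
"""Ordered, first-match static packet filter for the ingress/egress rule sets
on the slides.  Added example; packets and addresses are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

Packet = dict  # keys: src, dst, proto, sport, dport, flags (set), icmp_type


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str  # "PASS" or "DENY"


PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL = [ipaddress.ip_network("60.47.0.0/16")]          # the slides' internal range
BOGUS = {ipaddress.ip_address(a) for a in ("1.2.3.4", "0.0.0.0", "0.0.0.1")}


def in_any(addr: str, nets) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in nets)


def tcp_dport(lo: int, hi: int):
    """Matcher for 'TCP destination port = lo through hi'."""
    return lambda p: p["proto"] == "tcp" and lo <= p.get("dport", -1) <= hi


def has_flags(p: Packet, *wanted: str) -> bool:
    return p["proto"] == "tcp" and set(wanted) <= p.get("flags", set())


# Ingress: the deny slides in order, ending with the slide's DENY ALL.
INGRESS = [
    Rule("private source", lambda p: in_any(p["src"], PRIVATE), "DENY"),
    Rule("internal source arriving from outside", lambda p: in_any(p["src"], INTERNAL), "DENY"),
    Rule("known bogus source", lambda p: ipaddress.ip_address(p["src"]) in BOGUS, "DENY"),
    Rule("SYN=1 and FIN=1", lambda p: has_flags(p, "SYN", "FIN"), "DENY"),
    Rule("ftp data", tcp_dport(20, 20), "DENY"),
    Rule("ftp control", tcp_dport(21, 21), "DENY"),
    Rule("telnet", tcp_dport(23, 23), "DENY"),
    Rule("netbios", tcp_dport(135, 139), "DENY"),
    Rule("rlogin", tcp_dport(513, 513), "DENY"),
    Rule("rsh", tcp_dport(514, 514), "DENY"),
    Rule("tftp", lambda p: p["proto"] == "udp" and p.get("dport") == 69, "DENY"),
    Rule("icmp echo reply", lambda p: p["proto"] == "icmp" and p.get("icmp_type") == 0, "PASS"),
    Rule("deny all", lambda p: True, "DENY"),
]

# Egress: private destinations, anti-spoofing on the source (assumed reading of
# "not in internal address range"), ICMP, resets, then the source-port rules.
EGRESS = [
    Rule("private destination", lambda p: in_any(p["dst"], PRIVATE), "DENY"),
    Rule("source not in internal range", lambda p: not in_any(p["src"], INTERNAL), "DENY"),
    Rule("icmp echo request", lambda p: p["proto"] == "icmp" and p.get("icmp_type") == 8, "PASS"),
    Rule("other icmp", lambda p: p["proto"] == "icmp", "DENY"),
    Rule("tcp reset", lambda p: has_flags(p, "RST"), "DENY"),
    Rule("well-known source port", lambda p: p["proto"] in ("tcp", "udp") and p.get("sport", 0) <= 49151, "DENY"),
    Rule("client connection", lambda p: p["proto"] in ("tcp", "udp") and p.get("sport", 0) >= 49152, "PASS"),
    Rule("deny all", lambda p: True, "DENY"),
]


def evaluate(rules, packet: Packet):
    """Walk the list in order; the first rule that matches decides."""
    for rule in rules:
        if rule.match(packet):
            return rule.action, rule.name
    raise RuntimeError("rule set lacks a catch-all rule")


def run_samples():
    """Constructed sample packets, one per rule of interest, in both directions."""
    ingress = [
        {"src": "10.1.2.3", "dst": "60.47.0.80", "proto": "tcp", "sport": 50000, "dport": 80},
        {"src": "203.0.113.5", "dst": "60.47.0.80", "proto": "tcp", "sport": 50000, "dport": 80, "flags": {"SYN", "FIN"}},
        {"src": "203.0.113.5", "dst": "60.47.0.80", "proto": "tcp", "sport": 50000, "dport": 23, "flags": {"SYN"}},
        {"src": "203.0.113.5", "dst": "60.47.0.80", "proto": "udp", "sport": 50000, "dport": 69},
        {"src": "203.0.113.5", "dst": "60.47.1.10", "proto": "icmp", "icmp_type": 0},
        {"src": "203.0.113.5", "dst": "60.47.0.80", "proto": "tcp", "sport": 50000, "dport": 443, "flags": {"SYN"}},
    ]
    egress = [
        {"src": "60.47.1.10", "dst": "192.168.1.1", "proto": "tcp", "sport": 50000, "dport": 80, "flags": {"SYN"}},
        {"src": "10.0.0.5", "dst": "203.0.113.5", "proto": "tcp", "sport": 50000, "dport": 80, "flags": {"SYN"}},
        {"src": "60.47.1.10", "dst": "203.0.113.5", "proto": "icmp", "icmp_type": 8},
        {"src": "60.47.1.10", "dst": "203.0.113.5", "proto": "tcp", "sport": 50000, "dport": 80, "flags": {"RST"}},
        {"src": "60.47.1.10", "dst": "203.0.113.5", "proto": "tcp", "sport": 80, "dport": 50000, "flags": {"ACK"}},
        {"src": "60.47.1.10", "dst": "203.0.113.5", "proto": "tcp", "sport": 50000, "dport": 443, "flags": {"SYN"}},
    ]
    return [evaluate(INGRESS, p) for p in ingress], [evaluate(EGRESS, p) for p in egress]


if __name__ == "__main__":
    for direction, results in zip(("ingress", "egress"), run_samples()):
        for action, name in results:
            print(f"{direction:7} {action:4} ({name})")
```

Because the order matters, the SYN+FIN rule must sit ahead of the port rules or a SYN+FIN packet to port 443 would only be caught by DENY ALL with a less informative log reason. Note also that the slide's ingress set contains a single PASS (echo replies), so a deployment would add PASS rules for the services it actually publishes ahead of the final DENY ALL.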

Outline (continued)
- Types of firewalls
- Inspection methods
  - Static packet inspection
  - Stateful packet inspection
  - NAT
  - Application firewalls
- Firewall architecture
- Configuring, testing, and maintenance

Stateful Inspection Firewalls
- State of connection
  - Open or closed state
  - Order of the packet within a dialog
  - Often simply whether the packet is part of an open connection

Stateful Inspection Firewalls (continued)
- By default, permit connection openings from internal clients to external servers
- By default, deny connection openings from the outside to inside servers
- Default behaviors can be changed with ACLs
- Accept future packets between hosts and ports in open connections with little or no more inspection
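The stateful behaviours listed above (permit openings from inside, deny openings from outside unless an ACL says otherwise, accept later packets of an open connection with little inspection) are shown in the following added example, which is not code from the deck. It keeps a connection table keyed by the client/server address and port pairs and tracks where each packet sits in the dialog. The internal range 60.47.0.0/16 is the slides'; the `published` set of servers that may be opened from outside is an assumption standing in for the slides' "default behaviors can be changed with ACLs", and the packet trace is constructed.

```python
"""Minimal stateful inspection firewall for the behaviours on the slides.
Added example; internal range, published-server ACL and trace are constructed."""
import ipaddress


class StatefulFirewall:
    def __init__(self, internal_net: str, published=()):
        self.internal = ipaddress.ip_network(internal_net)
        self.published = set(published)   # (server ip, port) pairs openable from outside (ACL)
        self.conns = {}                   # (client, cport, server, sport) -> state

    def _internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def _find(self, p):
        """Return (key, direction) of the open connection this packet belongs to, if any."""
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.conns:
            return fwd, "client->server"
        if rev in self.conns:
            return rev, "server->client"
        return None, None

    def handle(self, p):
        flags = p.get("flags", set())
        if "SYN" in flags and "ACK" not in flags:   # a connection opening
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if self._internal(p["src"]):
                self.conns[key] = "SYN_SENT"
                return "PASS", "internal client opening outbound connection"
            if (p["dst"], p["dport"]) in self.published:
                self.conns[key] = "SYN_SENT"
                return "PASS", "opening to published server (ACL)"
            return "DENY", "opening from outside not allowed by default"
        key, direction = self._find(p)
        if key is None:
            return "DENY", "packet belongs to no open connection"
        # Part of an open connection: only the dialog's order is tracked, no deeper inspection.
        if "RST" in flags:
            del self.conns[key]
            return "PASS", "reset closes the connection"
        if direction == "server->client" and {"SYN", "ACK"} <= flags:
            self.conns[key] = "ESTABLISHED"
        elif "FIN" in flags:
            self.conns[key] = "CLOSING"
        return "PASS", f"in open connection ({self.conns[key]})"


def tcp(src, sport, dst, dport, *flags):
    """Build a constructed TCP packet record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


def run_demo():
    """Constructed trace: an outbound session, two inbound openings, an unsolicited ACK, a reset."""
    fw = StatefulFirewall("60.47.0.0/16", published={("60.47.0.80", 80)})
    trace = [
        tcp("60.47.1.10", 50000, "203.0.113.5", 443, "SYN"),          # inside -> outside opening
        tcp("203.0.113.5", 443, "60.47.1.10", 50000, "SYN", "ACK"),   # server's reply
        tcp("203.0.113.5", 443, "60.47.1.10", 50000, "ACK"),          # data in the open connection
        tcp("198.51.100.7", 40000, "60.47.1.10", 22, "SYN"),          # outside -> inside, not published
        tcp("198.51.100.7", 40001, "60.47.0.80", 80, "SYN"),          # outside -> published web server
        tcp("198.51.100.9", 443, "60.47.1.10", 50000, "ACK"),         # ACK matching no connection
        tcp("203.0.113.5", 443, "60.47.1.10", 50000, "RST"),          # peer closes the session
        tcp("203.0.113.5", 443, "60.47.1.10", 50000, "ACK"),          # late packet after close
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for action, reason in run_demo():
        print(f"{action:4} {reason}")
```

The sixth packet is the instructive one: a static filter that only looks at ports and flags would have no reason to drop an ACK to an ephemeral port, while the stateful table drops it because no connection matches. The table is also where stateful devices pay for SYN floods: each unanswered outbound or permitted inbound SYN leaves a SYN_SENT entry, so real implementations bound the number of half-open entries and time them out.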

Stateful Inspection Firewalls (continued)
- Can prevent:
  - Syn flood
  - Port switching
  - Session hijacking
  - Etc.

Questions?