Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Similar presentations


Presentation on theme: "Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls."— Presentation transcript:

1 Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls

2 Computer Science CSC 474Dr. Peng Ning2 Outline What are firewalls? Types –Filtering Packet filtering Session filtering –Proxy Circuit Level Application Level Brief introduction to Linux firewall

3 Computer Science CSC 474Dr. Peng Ning3 What is a firewall? Device that provides secure connectivity between networks (internal/external; varying levels of trust) Used to implement and enforce a security policy for communication between networks Trusted Networks Untrusted Networks & Servers Firewall Router Internet Intranet DMZ Public Accessible Servers & Networks Trusted Users Untrusted Users

4 Computer Science CSC 474Dr. Peng Ning4 Firewalls Can … Restrict incoming and outgoing traffic by IP address, ports, etc. Block invalid packets Its also convenient … –Give insight into traffic mix via logging –Network Address Translation –Encryption

5 Computer Science CSC 474Dr. Peng Ning5 Firewalls Cannot Protect… Traffic that does not cross it –routing around –Internal traffic When misconfigured

6 Computer Science CSC 474Dr. Peng Ning6 Internet DMZ Net Web Server Pool Corporate Network ALERT!! Security Requirement Control access to network information and resources Protect the network from attacks Access Control

7 Computer Science CSC 474Dr. Peng Ning7 Filtering Typically route packets Packets checked then passed May have different policies for inbound and outbound packets Some firewalls need to understand the application protocols May perform –Fragmentation/reassembly –Sequence number checking

8 Computer Science CSC 474Dr. Peng Ning8 Filtering (Contd) Packet filtering –Access Control Lists Session filtering –Dynamic Packet Filtering –Stateful Inspection –Smart Packet Filtering –Context Based Access Control

9 Computer Science CSC 474Dr. Peng Ning9 Packet Filtering Decisions made on a per-packet basis No state information saved If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work. Example configuration –Deny access to ports <= 1024, and allow access to all the others.

10 Computer Science CSC 474Dr. Peng Ning10 Applications Presentations Sessions Transport DataLink Physical DataLink Physical Router Applications Presentations Sessions Transport DataLink Physical Packet Filtering (Contd) Network Network

11 Computer Science CSC 474Dr. Peng Ning11 Session Filtering Packet decision made in the context of a connection If packet is a new connection, check against security policy If packet is part of an existing connection, match it up in the state table & update table Example configuration

12 Computer Science CSC 474Dr. Peng Ning12 Applications Presentations Sessions Transport DataLink Physical DataLink Physical Applications Presentations Sessions Transport DataLink Physical Network Presentations Sessions Transport Applications Dynamic State Tables l Screens ALL attempts, Protects All applications l Extracts & maintains state information l Makes an intelligent security / traffic decision Session Filtering (Contd)

13 Computer Science CSC 474Dr. Peng Ning13 Proxy Firewalls Relay for connections Client Proxy Server Two flavors –Application level –Circuit level

14 Computer Science CSC 474Dr. Peng Ning14 Application Gateways Understands specific applications –Limited proxies available –Proxy impersonates both sides of connection Resource intensive –process per connection HTTP proxies may cache web pages

15 Computer Science CSC 474Dr. Peng Ning15 Application Gateways More appropriate to TCP Must write a new proxy application to support new protocols –Not trivial!

16 Computer Science CSC 474Dr. Peng Ning16 Application Gateways Clients configured for proxy communication Transparent Proxies

17 Computer Science CSC 474Dr. Peng Ning17 Applications Presentations Sessions Transport DataLink Physical Network DataLink Physical Applications Presentations Sessions Transport DataLink Physical Application Gateway Applications Presentations Sessions Transport Network Network TelnetTelnetHTTPHTTPFTPFTP Application Layer GW/proxy

18 Computer Science CSC 474Dr. Peng Ning18 Circuit-Level Gateways Support more services than Application-level Gateway –less control over data Hard to handle protocols like FTP –Passive FTP is usually okay Clients must be aware they are using a circut- level proxy

19 Computer Science CSC 474Dr. Peng Ning19 SOCKS Circuit level Gateway Support TCP SOCKS v5 supports UDP, earlier versions did not See

20 Computer Science CSC 474Dr. Peng Ning20 Comparison SecurityPerformanceServiceSupport Packet Filter31No dynamic w/o holes Session Filter22Dependent on vendor for dynamic support Circuit GW23 App. GW14Typically < 20 Lower is better for security & performance

21 Computer Science CSC 474Dr. Peng Ning21 Comparison (Contd) Modify Client Applications? Packet FilterNo Session FilterNo Circuit GWTypical, SOCKS-ify client applications App. GWUnless transparent, client application must be proxy-aware & configured

22 Computer Science CSC 474Dr. Peng Ning22 Comparison (Contd) ICMPFragmentation Packet FilterYesNo Session FilterYesMaybe Circuit GW (SOCKS v5) Yes App. GWNoYes

23 Computer Science CSC 474Dr. Peng Ning23 Linux Firewall: iptables History –ipfw –ipfwadm –ipchains –iptables Based on the netfilter framework

24 Computer Science CSC 474Dr. Peng Ning24 The Netfilter Framework A framework for packet mangling Protocol stacknetfilter … Kernel modules hooks Kernel User space

25 Computer Science CSC 474Dr. Peng Ning25 The Netfilter Framework (Contd) Current protocols –IPv4, IPv6, and DECnet. Five hooks for IPv4 –[1]: Pre-routing hook; [2]: Local-in hook; –[3]: Forward hook; [4]: Local-out hook; –[5]: Post-routing hook A packet traversing the netfilter system: [1] [2] [ROUTE] [3] [4] [5]

26 Computer Science CSC 474Dr. Peng Ning26 Packet Filtering A packet traversing the netfilter system: [1] [2] [ROUTE] [3] [4] [5] Packet filtering only uses these three hooks

27 Computer Science CSC 474Dr. Peng Ning27 IP Tables A packet selection system –Direct descendent of ipchains Used for –Packet filtering –Network Address Translation (NAT) Masquerading, port forwarding, transparent proxying –Packet mangling Actual changing of packet information

28 Computer Science CSC 474Dr. Peng Ning28 User Space Tool: iptables iptables –Command to configure and communicate with the kernel modules iptables for packet filtering –Three chains INPUT OUTPUT FORWARD

29 Computer Science CSC 474Dr. Peng Ning29 Iptables for Packet Filtering You need three things to configure a firewall rule –Which chain? –What packet pattern? –What action to apply? Example –Drop all packets from –iptables -A INPUT -s j DROP –Use man iptables on Linux to get more information.


Download ppt "Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls."

Similar presentations


Ads by Google