Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies,

Published byJaven Raven Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies,"— Presentation transcript:

1 1 Firewalls

2 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies, IEEE Potential, 2002, p 24 – 29. 3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, p 62 – 67. 4.Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, p 50 – 57. 5.William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, p 112 – 113. 6.Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007. 7.Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc of the 2005 International Conference on Dependable Systems and Networks, 2005.

3 3 Firewall as Network Access Control Access Control –Authentication –Authorization Single Sign On Firewall –Interface between networks Usually external (internet) and internal –Allows traffic flow in both directions

4 4 Firewall –Interface between networks Usually external (internet) and internal –Allows traffic flow in both directions –Controls the traffic Internet Internal

5 5 Firewall as Secretary A firewall is like a secretary To meet with an executive –First contact the secretary –Secretary decides if meeting is reasonable –Secretary filters out many requests You want to meet chair of CS department? –Secretary does some filtering You want to meet President of US? –Secretary does lots of filtering! [1]

6 6 Security Strategies Least privilege –Objects have the lowest privilege to perform assigned task Defense in depth –Use multiple mechanism –Best if each is independent: minimal overlap Choke point –Facilitates monitoring and control [2]

7 7 Security Strategies - 2 Weakest link Fail-safe –If firewall fails, it should go to fail-safe that denies access to avoid intrusions Default deny Default permit Universal participation –Everyone has to accept the rules [2]

8 8 Security Strategies - 3 Diversity of defense Inherent weaknesses –Multiple technologies to compensate for inherent weakness of one technology Common heritage –If systems configured by the same person, may have the same weakness Simplicity Security through obscurity [2]

9 9 Security Strategies - 4 Configuration errors can be devastating Testing is not perfect Ongoing trial and error will identify weaknesses Enforcing a sound policy is critical [2]

10 10 Types of Firewall No Standard Terminology Packet Filtering (network layer) –Simplest firewall –Filter packets based on specified criteria IP addresses, subnets, TCP or UDP ports Stateful inspection (transport layer) –In addition to packet inspection –Validate attributes of multi-packet flows [2]

11 11 Types of Firewall - 2 Application Based Firewall (application layer) –SW package that allows or denies access across networks –Log access – attempted access and allowed access Personal firewall – single user, home network [2]

12 12 Types of Firewall - 3 Proxy –Intermediate connection between servers on internet and internal servers. –For incoming data Proxy is server to internal network clients –For outgoing data Proxy is client sending out data to the internet [2]

13 13 Types of Firewall - 4 Network Address Translation –Hides internal network from external network –Private IP addresses – expands the IP address space –Creates a choke point Virtual Private Network –Employs encryption and integrity protection –Use internet as part of a private network [2]

14 14 Packet Filter Advantages –Simplest firewall architecture –Works at the Network layer – applies to all systems –One firewall for the entire network Disadvantages –Can be compromised by many attacks Source spoofing

15 15 Packet Filter - Example [2]

16 16 Packet Filter - Example [2]

17 17 Packet Filter - Example Attack succeeds because of rules B and D More secure to add source ports to rules

18 18 Packet Filter - Example [2]

19 19 Packet Filter - Example These packets would be admitted. To avoid this add an ACK bit to the rule set [2]

20 20 Packet Filter - Example Attack fails, because the ACK bit is not set. ACK bit is set if the connection originated from inside. Incoming TCP packets must have ACK bit set. If this started outside, then no matching data, and packet will be rejected. [2]

21 21 TCP Ack for Port Scanning Attacker sends packet with ACK set (without prior handshake) using port p –Violation of TCP/IP protocol Packet filter firewall passes packet –Firewall considers it part of an ongoing connection Receiver sends RST –Indicates to the sender that the connection should be terminated Receiving RST indicates that port p is open!! [1]

22 22 TCP Ack Port Scan RST confirms that port 1209 is open Problem: packet filtering is stateless; the firewall should track the entire connection exchange [1]

23 23 Stateful Packet Filter Remembers packets in the TCP connections (and flag bits) Adds state info to the packet filter firewalls. Operates at the transport layer. Pro: Adds state to packet filter and keeps track of ongoing connection Con: Slower, more over head. Packet content info not used [1] application transport network link physical

24 24 Application Proxy A proxy acts on behalf the system being protected. Application proxy examines incoming app data – verifies that data is safe before passing it to the system. Pros –Complete view of the connections and app data –Filter bad data (viruses, Word macros) –Incoming packet is terminated and new packet is sent to internal network Con –Speed [1]

25 25 Firewalk – Port Scanning Scan ports through firewalls Requires knowledge of –IP address of firewall –IP address of one system in internal network –Number of hops to the firewall Set TTL (time to live) = Hops to firewall +1 Set destination port to be p If firewall does not pass data for port p, then no response If data passes thru firewall on port p, then time exceeded error message [1]

26 26 Firewalk and Proxy Firewall Attack stopped by proxy firewall –Incoming packet destroyed (old TTL value also destroyed) –New outgoing packet will not exceed TTL. [1] Dest port 12345, TTL=4 Dest port 12344, TTL=4 Dest port 12343, TTL=4 Time exceeded Trudy Packet filter Router

27 27 Firewalls and Defense in Depth Example security architecture Internet Intranet with Personal Firewalls Packet Filter Application Proxy DMZ FTP server DNS server WWW server [1]

28 28 [1]

Download ppt "1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies,"

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Lecture 25: Firewalls Introduce several types of firewalls

Lecture 25: Firewalls Introduce several types of firewalls
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Similar presentations

Ads by Google