Presentation is loading. Please wait.

Presentation is loading. Please wait.

FIREWALLS Chapter 11.

Published byDarrius Arnall Modified over 9 years ago

Similar presentations

Presentation on theme: "FIREWALLS Chapter 11."— Presentation transcript:

1 FIREWALLS Chapter 11

2 Firewall Design Principles
Firewall Characteristics All traffic from inside to outside and vice-versa must pass through the firewall. Achieved by physically blocking all access to local networks except via the firewall. Only authorized traffic, as defined by the local security policy, will be allowed to pass. The firewall itself is immune to infiltration.

3 Firewall Access Techniques
Service Control Determines the types of internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.

4 Firewall Access Techniques (Cont.)
Direction Control Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. User Control Controls access to a service according to which user is attempting to access it. Typically applied to users inside the firewall perimeter (local users).

5 Firewall Access Techniques (Cont.)
Behavior Control Controls how particular services are used. For example, the firewall may filter to eliminate spam, or it may enable external access to only a portion of the information on a local web server.

6 Capabilities of a Firewall
Defining a single choke point The use of a single choke point simplifies security management because security capabilities and resources are consolidated on a single system or set of systems. Simplification A firewall provides a location for monitoring all security-related events. Audits and alarms may be implemented on the system.

7 Capabilities of a Firewall (Cont.)
Convenient Platform A firewall is a convenient platform for many non-security related events such as a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet Usage.

8 Capabilities of a Firewall (Cont.)
IPSec A firewall can serve as a platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.

9 Firewall Limitations Bypassing Attacks
The firewall cannot protect against attacks which bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.

10 Firewall Limitations (Cont.)
Internal Threats The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.

11 Firewall Limitations (Cont.)
Virus-Infected Programs or Files Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical if not impossible to scan all incoming files, , and messages for viruses.

12 Types of Firewalls Packet-Filtering Router
A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet.

13 Types of Firewalls (Cont.)
Packet-Filtering Router

14 Types of Firewalls (Cont.)
Packet-Filtering Router Advantages One advantage to this type of firewall is its simplicity. Another is that these firewalls are typically transparent to users and are very fast.

15 Types of Firewalls (Cont.)
Packet-Filtering Router Disadvantages Because they do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities. Logging functionality present in packet filter firewalls is limited. Do not support advanced user authentication schemes.

16 Types of Firewalls (Cont.)
Packet-Filtering Router Disadvantages Generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack. Susceptible to security breaches caused by improper configurations due to the small number of variables used in access control decisions.

17 Types of Firewalls (Cont.)
Packet-Filtering Router Attacks IP Address Spoofing Source Routing Attacks Tiny Fragment Attacks

18 Types of Firewalls (Cont.)
Packet-Filtering Examples

19 Types of Firewalls (Cont.)
Stateful Inspection Firewalls A stateful inspection packet filter tightens up the rules of TCP traffic by creating a directory of outbound TCP connections. Now, with an entry for each currently established connection, the packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.

20 Types of Firewalls (Cont.)
Stateful Inspection Firewalls

21 Types of Firewalls (Cont.)
Application-Level Gateway Also called a proxy server, acts as a relay of application-level traffic. Usually more secure than packet filters. Also easy to log and audit all incoming traffic at the application level. The disadvantage is the additional processing overhead on each connection.

22 Types of Firewalls (Cont.)
Application-Level Gateway

23 Types of Firewalls (Cont.)
Circuit-Level Gateway Does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself, and the user on the inner host and one between itself and the user on the outside host. The gateway typically relays TCP segments between the two parties without examination. The security lies in the fact that it determines which connections will be allowed.

24 Types of Firewalls (Cont.)
Circuit-Level Gateway

25 Types of Firewalls (Cont.)
Bastion Host A system identified by the firewall administrator as a critical strong point in the network’s security. Serves as a platform for application-level and circuit-level gateways.

26 Firewall Configurations
Screened Host Firewall System Single-Homed Bastion Host

27 Firewall Configurations
Screened Host Firewall System (Single) Firewall consists of two systems A packet-filtering router Configured so that for traffic from the internet, only IP packets destined for the bastion host are allowed in and for traffic from the internal network, only IP packets from the bastion host are allowed. A bastion host Performs authentication and proxy functions.

28 Firewall Configurations
Screened Host Firewall System (Dual-Homed Bastion Host)

29 Firewall Configurations
Screened Host Firewall System (Double) Prevents attacks in which the packet-filtering router have been completely compromised.

30 Firewall Configurations
Screened Subnet Firewall

31 Firewall Configurations
Screened Subnet Firewall Most secure of these 3 configurations. Two packet-filtering routers, one between the bastion host and the Internet and one between the bastion host and the internal network. This configuration creates an isolated sub-network.

Download ppt "FIREWALLS Chapter 11."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 9: Firewalls and Intrusion Prevention.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 9: Firewalls and Intrusion Prevention.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system.

FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Kittiphan Techakittiroj (21/05/58 10:00 น. 21/05/58 10:00 น. 21/05/58 10:00 น.) Firewall Kittiphan Techakittiroj

Kittiphan Techakittiroj (21/05/58 10:00 น. 21/05/58 10:00 น. 21/05/58 10:00 น.) Firewall Kittiphan Techakittiroj
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.

Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz

Similar presentations

Ads by Google