Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Defense in Depth Firewalls

Published bySimon Simmons Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Defense in Depth Firewalls"— Presentation transcript:

1 Network Defense in Depth Firewalls
COEN 350 Network Defense in Depth Firewalls

2 Terms of the Trade Border Router DMZ Firewall
First / last router under control of system administration. DMZ Demilitarized zone. Security is low, since not protected by firewall. Locate webservers and other services there that generate potentially unsafe traffic. Firewall Filters packages based on a variety of rules.

3 Terms of the Trade IDS VPN Screened subnet Intrusion Detection System.
NIDS: glean intrusion signatures from traffic. HIDS: monitor activity at a host on which they are located. VPN Virtual private network Screened subnet Area protected by an internal firewall.

4 Terms of the Trade Configuration Management Backdoors
Known vulnerabilities account for most of actually perpetrated exploits. For most of them, patches were available, but not installed. CM tries to enforce uniform security policies. Backdoors An entrance into the system that avoids perimeter defenses.

5 Defense in Depth Rule 1: Multitude of security measures.
Do not relay on one security mechanism. Rule 2: Do not make security so expensive / burdensome that you give legitimate users an incentive to circumvent security.

6 Defense in Depth Example: External tcp packet passes:
Internet Perimeter Router Internet perimeter firewall DMZ firewall Network IPS NetFlow Analyzes connections on network Antivirus on host Host IPS

7 Firewalls Firewalls are perimeter defense:
Keep the bad stuff outside, enjoy life inside.

8 Filtering Signature Any distinctive characteristic that identifies something (with a high degree of probability) Signature Types Atomic Signatures Single packet, single event, single activity is examined. Stateful Signatures State: Needed when analyzing multiple pieces of information that are not available at the same time.

9 Filtering Atomic vs. Stateful Signatures LAND attack
Attacker sends TCP-SYN packet with same source and destination address. Caused TCP stacks to crash. Can be discovered looking at a single packet. Search for string “etc/password” in a URL Attacker fragments the packet so that the string is not in either fragment. State is needed in order to recognize the attack.

10 Filtering Signature Triggers Pattern Detection Anomaly Detection
Simple string search Search for string “etc/passwords” ARP Protocol decoders search for string only in protocol fields. ARP request with source address FF:FF:FF:FF:FF:FF Anomaly Detection Traffic going to an unusual port. Protocol compliance for http traffic Behavior Detection Abnormally large / small fragmented packets Search for RPC requests that do not initially utilize the PortMapper

11 Filtering Signature Actions Generating an alert
Dropping / preventing an activity Logging the activity Resetting a TCP connection Blocking future activity Allow activity

12 Packet Filtering Static Packet Filtering
Allow or deny access to packets based on internal characteristics. access list 111 deny ip host any access list 111 permit tcp host any access list 111 deny icmp any any echo-request access list 111 permit icmp any any packet-to-big access list 111 deny icmp any any Cisco extended ACL

13 Static Packet Filtering
Difficult to design efficient rules. Easy to get the rules tables wrong and allow bad traffic. Security risks People can piggy-back bad messages in harmless ones. http traffic is known to be used as a backdoor. Loki uses unused fields in normal TCP packets. Fragmentation allows the filter to look only at a fragment Most only look at the first fragment

14 Static Packet Filtering
Configuring a packet filter: Security Policy: what is allowed, what is not allowed. Allowable types of packets must be specified logically, in terms of logical expression on packet fields. Expressions need to be rewritten in the firewall vendor’s language.

15 Static Packet Filtering
Example Security Policy: Allow inbound mail messages (SMTP, port 25), but only to gateway. Block host faucet. action Our host port Their host comment block * faucet We don’t trust these people. allow OUR-GW 25 Connection to our SMTP server

16 Static Packet Filtering
Example If no rule applies, then the packet is dropped. Without additional rules, our rule set would drop all non-mail packets. There would also be no replies. Beware of a rule like this (intended to allow acks) Based solely on outside host’s port number. Port 25 is usually the mail port. But there is no guarantee. action Our host port Their host comment allow * 25 Connection to their SMTP port

17 Static Packet Filtering
Example Expand rule set to allow connection with the outside: action Our host port Their host Flag comment block * faucet allow OUR-GW 25 (our host) Our packets to their port ACK Their replies Specify the names of all machines allowed to send mail to the outside here.

18 Static Packet Filtering
Combating Address Spoofing At a minimum: Don’t allow inside source addresses coming in. Don’t allow outside source addresses going out. Block source routing at the border routers.

19 Static Packet Filtering
Routing Information If a node is unreachable from the outside then the node is almost (but not quite) as safe as a node disconnected from the net. Internal routers should not advertise paths to such nodes to the outside. Filter routes learned from the outside: Protects against subversion by route confusion. Route squatting: Use internal addresses that belong to a different domain. The nodes are de facto unreachable from the outside. Use non-announced addresses. (e.g. 10.x.x.x) But beware, when companies merge, these addresses tend to be incompatible. So pick addresses in unpopular address ranges.

20 Static Packet Filtering
Performance Packet filtering is done at the border. No degradation for the internal network. Typically, connection to ISP is the bottleneck. However: Degradation depends on the number of rules applied. Can be mitigated by careful ordering of rules.

21 Application Level Filtering
Packet filters only look at The source address The destination address TCP / UDP port numbers TCP / UDP flags. Application filters deals with the details of the service they are checking. E.g. a mail application filter looks at RFC 822 headers. MIME attachments. Might identify virus infected attachments.

22 Application Level Filtering
Snort: Allows to set up rules that pass a packet on to another service. Commercial firewalls Include application level filters for many products. Use non-disclosure agreement to obtain proprietary protocols

23 Dynamic Packet Filtering
Stateful Firewall Still look at each packet. Maintains a state of each connection. Implements connection filtering. Dynamically adjust a filtering table of current connections. Implementation Adjust the filtering rules dynamically. E.g.: We started an HTTP connection to a given host. Now HTTP packages from that host are allowed. OR: Terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).

24 Proxy Firewalls Proxies act on behalf of a client. Proxy firewall
Reverse Proxy Receives packages on one card. Processes requests. Translates them into internal requests on other card. Receives answers from inside and translates to the outside.

25 Proxy Firewalls Proxy firewall Forward Proxy
Receives requests from the inside. Processes requests. Translates them into requests to the outside on other card. Receives answers from outside and translates to the inside. Acts on behalf of inside machine that is protected from the vagaries of the internet.

26 Proxy Firewalls Application level proxies work at the level of application. Circuit-level proxies does not understand the application makes filtering decisions by validating and monitoring sessions.

27 Virtual Private Networks

28 Virtual Private Networks
VPN uses connections over an existing public network Connection secured with encryption Host to Host Host to Gateway Gateway to Gateway

29 Virtual Private Networks

30 Virtual Private Networks
Encryption can be done at Application level. Transport level. Network level. Data link level.

31 Virtual Private Networks
Application Level Pretty Good Privacy Secure Shell (SSH) Transport Level Secure Socket Layer Does not protect the package, but its content. Typically runs at the application level of the OS, so OS does not need to be changed. Network Level IPSec Encrypts package itself. Encrypted package receives a new package header. IPSec protects port address, but not destination address. OS need to be changed (but only once: Win2000, WinXP) Data Link Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP) Encrypts packets on the data layer.

32 Virtual Private Networks
Alternatives are dedicated point-to-point connections such as a private T1 line. Most secure. Most expensive. Takes time to set-up.

Download ppt "Network Defense in Depth Firewalls"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
COEN 350 Network Defense in Depth Firewalls. Terms of the Trade Border Router First / last router under control of system administration. DMZ Demilitarized.

COEN 350 Network Defense in Depth Firewalls. Terms of the Trade Border Router First / last router under control of system administration. DMZ Demilitarized.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Guide to Computer Network Security

Guide to Computer Network Security
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google