1. CSCE 201 Network Security: Firewalls (Fall 2015)

2. Traffic Control – Firewall (CSCE 201 - Farkas)
– Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
– Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it

3. Firewall
– Security wall between the private (protected) network and the outside world
[Diagram: Private Network – Firewall – External Network]

4. Firewall Objectives
– Keep intruders, malicious code and unwanted traffic or information out
– Keep proprietary and sensitive information in
[Diagram: Private Network (proprietary data) – Firewall – External Network (external attacks)]

5. Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security relies totally on host security, and all hosts must communicate to achieve a high level of security – almost impossible

6. Network Address Translation (NAT)
– Organization uses private IP addresses on its network → increased address space
– Send packet to Internet: convert private IP address to globally assigned IP address
– Receive packet from Internet: globally assigned IP address converted to private IP address
– Firewalls may
  – Establish connections on behalf of the client
  – Support NAT
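The two translation directions on slide 6, as an added example that is not part of the lecture: a toy translator that rewrites the private source address of outbound packets to one public address and maps replies back to the private host that opened the flow. It assumes port-based translation (NAPT), so many private hosts can share a single public address, and all addresses and ports are constructed values. An inbound packet with no existing mapping has no private host to go to and is dropped, which is the sense in which a NAT-ing firewall "establishes connections on behalf of the client".

```python
"""Toy NAPT translator, constructed for illustration (not course code).

Outbound: private (ip, port) -> public ip with an allocated public port.
Inbound:  public port -> the private (ip, port) that opened the flow.
Unsolicited inbound packets have no mapping and are dropped.
"""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAT:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._next_port)        # allocate a fresh public port
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Rewrite the destination of a packet from the Internet, or drop it (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None   # no private host ever opened this flow: drop
        private_ip, private_port = key
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


def demo():
    """Constructed traffic: one outbound flow, its reply, and a stray inbound packet."""
    nat = NAT("203.0.113.5")                      # constructed public address
    out = nat.translate_outbound(Packet("10.0.0.7", 51000, "198.51.100.20", 443))
    reply = Packet("198.51.100.20", 443, out.src_ip, out.src_port)
    back = nat.translate_inbound(reply)           # mapped back to 10.0.0.7:51000
    stray = nat.translate_inbound(Packet("198.51.100.99", 1234, "203.0.113.5", 22))
    return out, back, stray                       # stray is None (dropped)


if __name__ == "__main__":
    print(demo())
```

The mapping table is the only state the translator needs; a real implementation also ages entries out, which this toy omits.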

7. Common firewall features
– Routing information about the private network can't be observed from outside
– traceroute and ping -o can't `see' internal hosts
– Users wishing to log on to an internal host must first log onto a firewall machine (or else start `behind' the firewall).

8. Trade-off between Accessibility and Security
[Diagram: Accessibility vs. Security, balanced by the Service Access Policy]

9. Firewall Advantages
– Protection for vulnerable services
– Controlled access to site systems
– Concentrated security
– Enhanced privacy
– Logging and statistics on network use, misuse
– Policy enforcement

10. Controlled Access
– A site could prevent outside access to its hosts except for special cases (e.g., mail server).
– Do not give access to a host that does not require access.
– Some hosts can be reached from outside, some cannot.
– Some hosts can reach outside, some cannot.

11. Concentrated Security
– Firewall less expensive than securing all hosts
  – All or most modified software and additional security software on firewall only (no need to distribute on many hosts)
– Other network security (e.g., Kerberos) involves modification at each host system.

12. Enhanced Privacy
– Even innocuous information may contain clues that can be used by attackers
  – E.g., finger: information about the last login time, when e-mail was read, etc.
– Infer: how often the system is used, active users, whether the system can be attacked without drawing attention

13. Logging and Statistics on Network Use, Misuse
– If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage
– Alarm can be added to indicate suspicious activity, probes and attacks
  – Double duty as IDS on smaller networks

14. Policy Enforcement
– Means for implementing and enforcing a network access policy
– Access control for users and services
– Can't replace a good education/awareness program, however:
  – Knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall

15. Firewall Disadvantages
– Restricted access to desirable services
– Large potential for back doors
– No protection from insider attacks
– No protection against data-driven attacks
– Cannot protect against newly discovered attacks – policy/situation dependent
– Large learning curve

16. Firewall Components
– Firewall administrator
– Firewall policy
– Packet filters – transparent – does not change traffic, only passes it
– Proxies – active – intercepts traffic and acts as an intermediary

17. Firewall Administrator
– Knowledge of underpinnings of network protocols (e.g., TCP/IP, ICMP)
– Knowledge of workings of applications that run over the lower-level protocols
– Knowledge of interaction between firewall implementation and traffic
– Vendor-specific knowledge

18. Firewall Policy
– High-level policy: service access policy
– Low-level policy: firewall design policy
– Firewall policy should be flexible!

19. Service Access Policy
– Part of the network security policy
– Defines:
  – TCP/IP protocols
  – Services that are allowed or denied
  – Service usage
  – Exception handling

20. Service Access Policy
– Goal: keep outsiders out
– Must be realistic and reflect the required security level
– Full security vs. full accessibility

21. Firewall Design Policy
– Refinement of the service access policy for a specific firewall configuration
– Defines:
  – How the firewall achieves the service access policy
  – Unique to a firewall configuration
  – Difficult!

22. Firewall Design Policy Approaches
– Open system: permit any service unless explicitly denied (maximal accessibility)
– Closed system: deny any service unless explicitly permitted (maximal security)

23. Simple Packet Filters
– Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded.
– Header information is used for filtering (e.g., protocol number, source and destination IP, source and destination port numbers, etc.)
– Stateless: each IP packet is examined in isolation from what has happened in the past.
– Often implemented by a router (screening router).

24. Simple Packet Filter
– Placing a simple router (or similar hardware) between the internal network and "outside"
– Allow/prohibit packets from certain services
[Diagram: Private Network – Packet Filter (packet-level rules) – Outside]
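Slides 22 to 24 together, as an added example that is not from the lecture: a stateless packet filter whose rules match only on header fields (protocol, source and destination address, destination port), evaluated first match wins, with the default policy deciding everything no rule covers. Running the same rule set under a "deny" default (closed system) and a "permit" default (open system) shows where the two design approaches differ. The rule set, addresses and services are constructed for the example.

```python
"""Stateless packet filter, constructed for illustration (not course code).

Each packet is judged on its own header only; there is no memory of
earlier packets. Rules are checked in order, first match wins, and the
default policy (closed: deny, open: permit) handles the rest.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # CIDR; 0.0.0.0/0 matches everything
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    def __init__(self, rules, default):
        self.rules = list(rules)
        self.default = default   # "deny" = closed system, "permit" = open system

    def decide(self, pkt):
        for rule in self.rules:          # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return self.default              # nothing matched: design-policy default


INTERNAL = "10.0.0.0/8"   # constructed private network
RULES = [
    Rule("permit", "tcp", dst="10.0.0.25/32", dport=25),  # the mail server (slide 10)
    Rule("deny", "tcp", dst=INTERNAL, dport=23),           # no telnet into the site
    Rule("permit", "tcp", src=INTERNAL),                   # inside hosts may go out
]


def evaluate(default):
    """Decide a few constructed packets under the given default policy."""
    fw = PacketFilter(RULES, default)
    samples = {
        "smtp_in": Packet("tcp", "198.51.100.7", "10.0.0.25", 25),
        "ssh_in": Packet("tcp", "198.51.100.7", "10.0.0.9", 22),
        "telnet_in": Packet("tcp", "198.51.100.7", "10.0.0.9", 23),
        "web_out": Packet("tcp", "10.0.0.9", "198.51.100.7", 80),
    }
    return {name: fw.decide(p) for name, p in samples.items()}


if __name__ == "__main__":
    print("closed system:", evaluate("deny"))
    print("open system:  ", evaluate("permit"))
```

Only "ssh_in" changes between the two runs: no rule mentions it, so the design policy's default decides it. That is why slide 21 calls the design policy a refinement unique to a configuration, and why calibrating the rule set (slide 26) is tricky.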

25. Simple Packet Filters – Advantages
– Does not change the traffic flow or characteristics – passes it through or doesn't
– Simple
– Cheap
– Flexible: filtering is based on current rules

26. Simple Packet Filters – Disadvantages
– Direct communication between multiple hosts and the internal network
– Unsophisticated (protects against simple attacks)
– Calibrating the rule set may be tricky
– Limited auditing
– Single point of failure

27. Stateful Packet Filters
– Called stateful inspection or dynamic packet filtering
– Check Point patented this technology in 1997
– Maintains a history of previously seen packets to make better decisions about current and future packets
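An added example of the difference between slide 26's stateless filter and slide 27's stateful one; it is not code from the lecture. A stateless filter can only admit return traffic by a header heuristic (typically "inbound TCP with the ACK bit set, to a high port"), so it cannot tell a genuine reply from any other segment that happens to carry that bit. The stateful filter below records connections opened from the inside and admits an inbound segment only if it belongs to a recorded connection. The addresses and segments are constructed; connection teardown and timeouts are omitted.

```python
"""Stateless versus stateful handling of inbound TCP, constructed for illustration.

The stateless rule judges each segment by its header alone; the stateful
filter keeps a connection table and checks inbound segments against it.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10."   # constructed: the private network is 10.0.0.0/8


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decide(seg):
    """Header-only rule: inside may go out; inbound 'replies' are guessed from the ACK bit."""
    if is_internal(seg.src):
        return "permit"
    if seg.ack and seg.dport >= 1024:
        return "permit"   # looks like a reply to an inside client, no way to be sure
    return "deny"


class StatefulFilter:
    def __init__(self):
        # connections opened from inside: (client_ip, client_port, server_ip, server_port)
        self.table = set()

    def decide(self, seg):
        if is_internal(seg.src):
            if seg.syn and not seg.ack:          # new outbound connection attempt
                self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
            return "permit"
        # inbound: admitted only as the reverse direction of a tracked connection
        if (seg.dst, seg.dport, seg.src, seg.sport) in self.table:
            return "permit"
        return "deny"


def compare():
    """Constructed traffic: an outbound SYN, its SYN/ACK reply, and an inbound ACK
    that belongs to no connection. Returns {name: (stateless, stateful)}."""
    fw = StatefulFilter()
    syn = Segment("10.0.0.9", 50000, "198.51.100.7", 443, syn=True)
    reply = Segment("198.51.100.7", 443, "10.0.0.9", 50000, syn=True, ack=True)
    stray = Segment("198.51.100.7", 443, "10.0.0.9", 50001, ack=True)
    results = {}
    for name, seg in (("syn", syn), ("reply", reply), ("stray", stray)):
        results[name] = (stateless_decide(seg), fw.decide(seg))
    return results


if __name__ == "__main__":
    for name, (sl, sf) in compare().items():
        print(f"{name:6} stateless={sl:6} stateful={sf}")
```

The stray segment is the "unsophisticated" case on slide 26: it is indistinguishable from a reply by header alone, so only the filter with history drops it.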

28. Proxy Firewalls (Bastion Host)
[Diagram: "View" – Private Network connected directly to Outside; "Reality" – Private Network – Proxy Server – Outside]

29. Proxy Firewalls
– Application gateways
  – Works at the application layer → must understand and implement the application protocol
  – Called application-level gateway or proxy server
– Circuit-level gateway
  – Works at the transport layer
  – E.g., SOCKS

30. Application Gateways
– Interconnects one network to another for a specific application
– Understands and implements the application protocol
– Good for higher-level restrictions
[Diagram: Client – Application Gateway – Server]

31. Application Gateways – Advantages (over permitting application traffic directly to internal hosts)
– Information hiding: names of internal systems are not known to outside systems
– Can limit capabilities within an application
– Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
– Cost effective: third-party software and hardware for authentication and logging only on the gateway
– Less-complex filtering rules for packet-filtering routers: need to check only the destination
– Most secure
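Slides 29 to 31 in code, as an added example that is neither the course's nor any product's: a toy HTTP application gateway. Because it parses the application protocol itself (request line and headers) it can limit capabilities (only GET and HEAD are relayed), hide internal names (outside clients address a public name and never see the internal host it maps to), and log every request before anything reaches an internal server. The forwarded request is rebuilt from parsed fields rather than relaying the client's bytes. Hostnames, addresses and the service map are constructed for the example; no sockets are opened.

```python
"""Toy HTTP application-level gateway, constructed for illustration.

Parses the protocol, enforces an application-level policy, rewrites the
request toward a hidden internal server, and produces a log line.
"""

# constructed mapping: public name -> internal server the client never learns
SERVICE_MAP = {"www.example.org": "10.0.0.80:8080"}
ALLOWED_METHODS = {"GET", "HEAD"}     # capability limit within the application
MAX_TARGET_LEN = 2048


def parse_request(raw):
    """Parse an HTTP/1.x request head; raises ValueError on malformed input."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("bad request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def gateway_handle(raw, client_ip):
    """Return (decision, forwarded_request_or_None, log_entry)."""
    try:
        method, target, version, headers, _body = parse_request(raw)
    except ValueError as err:
        return "reject", None, f"{client_ip} malformed: {err}"
    host = headers.get("host", "")
    if host not in SERVICE_MAP:
        return "reject", None, f"{client_ip} {method} {host}{target} unknown-host"
    if method not in ALLOWED_METHODS:
        return "reject", None, f"{client_ip} {method} {host}{target} method-denied"
    if len(target) > MAX_TARGET_LEN or not target.startswith("/") or ".." in target:
        return "reject", None, f"{client_ip} {method} {host}{target} bad-target"
    internal = SERVICE_MAP[host]
    # Rebuild the request from parsed fields; the public name is replaced by the
    # internal one, and only the headers the gateway chooses are sent onward.
    forwarded = (f"{method} {target} {version}\r\n"
                 f"Host: {internal}\r\nConnection: close\r\n\r\n")
    return "forward", forwarded, f"{client_ip} {method} {host}{target} -> {internal}"


def demo():
    """Constructed requests: one allowed, one denied method, one unknown host, one malformed."""
    ok = "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
    post = "POST /admin HTTP/1.1\r\nHost: www.example.org\r\n\r\nx=1"
    other = "GET / HTTP/1.1\r\nHost: intranet.internal\r\n\r\n"
    bad = "GARBAGE\r\n\r\n"
    return [gateway_handle(r, "198.51.100.7") for r in (ok, post, other, bad)]


if __name__ == "__main__":
    for decision, _fwd, log in demo():
        print(decision, "|", log)
```

A circuit-level gateway (SOCKS, slide 29) would relay the same bytes after only a transport-level check; it could not have refused the POST, because it does not parse the request.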

32. Application Gateways – Disadvantages
– Keeping up with new applications
– Need to know all aspects of the protocols
– May need to modify application clients/protocols

33. Firewall Evaluation
– Level of protection of the private network?
  – Prevented attacks
  – Missed attacks
  – Amount of damage to the network
– How well is the firewall itself protected?
  – Possibility of compromise
  – Detection of the compromise
  – Effect of compromise on the protected network
– Ease of use
– Efficiency, scalability, redundancy
– Expense
