FIREWALL APOORV SRIVASTAVA VAIBHAV KUMAR


FIREWALL APOORV SRIVASTAVA- 2011026 VAIBHAV KUMAR- 2011166 HARENDRA SINGH- 2011195 YOGENDRA SINGH- 2011180

Introduction
- The Internet age: evolution of information systems
- Organizations of any size now need Internet access, both to and from their networks
- Persistent security concerns

What are the risks?
- Theft or disclosure of internal data
- Unauthorized access to internal hosts
- Interception or alteration of data in transit
- Denial of service

What needs to be secured?
- Crown jewels: patent work, source code, market analysis; information assets in general
- Any way into your network
- Any way out of your network
- Information about your network itself

What is a firewall? An effective means of protecting a local system or network of systems from network-based threats while at the same time affording access to the outside world via wide area networks and the Internet.
What does a firewall do?
- Isolates the private network's resources
- Lets internal users reach public resources
- Provides a single choke point for control and monitoring
- Imposes restrictions on network services: only authorized traffic is allowed
- Is itself designed to resist penetration

Firewall Characteristics. Design goals:
- All traffic between the inside and the outside, in both directions, must pass through the firewall (physically blocking every other path into or out of the local network)
- Only authorized traffic, as defined by the local security policy, is allowed to pass
- The firewall itself is resistant to penetration (a trusted system running a hardened, secure operating system)

Firewall Characteristics. Four general control techniques:
- Service control: determines which Internet services can be accessed, inbound or outbound (typically by IP address, protocol and port number)
- Direction control: determines the direction in which requests for a particular service are allowed to be initiated and to flow
- User control: controls access to a service according to which user is attempting to use it
- Behavior control: controls how particular services are used (e.g. filtering e-mail)

Types of Firewalls. Three common types, plus the hardened host they are usually deployed on:
- Packet-filtering routers
- Application-level gateways
- Circuit-level gateways
- (Bastion host: the hardened system on which a gateway typically runs)

Types of Firewalls Packet-filtering Router

Types of Firewalls: Packet filtering. The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often between the Internet and an internal network, in both directions). To accomplish packet filtering, you set up a set of rules that specify which packets (e.g. those to or from a particular IP address or port) are to be allowed and which are to be blocked. Packet filtering may occur in a router, in a bridge, or on an individual host. It is sometimes known as screening.

Types of Firewalls: Packet-filtering Router
- Applies a set of rules to each IP packet, in both directions, and then forwards or discards the packet
- The packet filter is typically set up as an ordered list of rules matched against fields in the IP and transport (TCP/UDP) headers: source and destination address, protocol, source and destination port, and TCP flags; the first matching rule decides
- Two possible default policies for packets that match no rule: discard (what is not expressly permitted is prohibited, the conservative choice) or forward (what is not expressly prohibited is permitted)

Types of Firewalls: Packet-filtering Router
Advantages:
- Simplicity
- Transparency to users
- High speed
Disadvantages:
- Difficulty of setting up packet filter rules correctly (the rule set is easy to get subtly wrong)
- Lack of authentication: decisions are based on addresses and ports, not on users
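A worked example of the rule table just described, added here and not part of the original slides: a first-match packet filter in Python with an explicit default policy. The addresses (192.0.2.0/24 as the internal network, 192.0.2.25 as its mail gateway, 203.0.113.5 as an outside host) and the sample packets are assumptions. The naive rule set shows the difficulty mentioned above: it admits replies to outbound mail by source port alone, so an outside host can reach any internal port simply by sending from port 25. The strict rule set also requires the ACK flag, which the first segment of a new connection cannot carry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing: documentation ranges, not the slides' network.
INTERNAL = "192.0.2.0/24"      # internal network
MAIL_GW = "192.0.2.25"         # internal SMTP gateway
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK flag; clear only on the first segment of a connection


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None    # None: any protocol
    sport: Optional[int] = None    # None: any source port
    dport: Optional[int] = None    # None: any destination port
    ack: Optional[bool] = None     # None: do not look at the ACK flag
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        for want, have in ((self.proto, p.proto), (self.sport, p.sport),
                           (self.dport, p.dport), (self.ack, p.ack)):
            if want is not None and want != have:
                return False
        return True


class PacketFilter:
    """Ordered rule table: the first matching rule decides, otherwise the default policy."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> Tuple[str, str]:
        for r in self.rules:
            if r.matches(p):
                return r.action, r.comment
        return self.default, "default policy"


# Naive SMTP rule set: a reply to our outbound mail is recognised by its source port alone.
NAIVE = [
    Rule("allow", dst=MAIL_GW, proto="tcp", dport=25, comment="inbound mail"),
    Rule("allow", src=INTERNAL, proto="tcp", dport=25, comment="outbound mail"),
    Rule("allow", dst=INTERNAL, proto="tcp", sport=25, comment="replies to outbound mail"),
]

# Strict SMTP rule set: a reply must also carry ACK, which a new connection's first segment lacks.
STRICT = [
    Rule("allow", dst=MAIL_GW, proto="tcp", dport=25, comment="inbound mail"),
    Rule("allow", src=INTERNAL, proto="tcp", dport=25, comment="outbound mail"),
    Rule("allow", dst=INTERNAL, proto="tcp", sport=25, ack=True, comment="replies to outbound mail"),
]

# Constructed sample traffic arriving from the outside.
REPLY = Packet("203.0.113.5", "192.0.2.10", "tcp", sport=25, dport=40001, ack=True)   # genuine reply
SCAN = Packet("203.0.113.5", "192.0.2.10", "tcp", sport=25, dport=6000, ack=False)    # probe sent from port 25
TELNET = Packet("203.0.113.5", "192.0.2.10", "tcp", sport=40002, dport=23)            # unsolicited telnet


def compare(packet: Packet) -> Tuple[str, str]:
    """Verdict of the naive and of the strict rule set for one packet."""
    return PacketFilter(NAIVE).decide(packet)[0], PacketFilter(STRICT).decide(packet)[0]


if __name__ == "__main__":
    for name, pkt in (("reply", REPLY), ("scan", SCAN), ("telnet", TELNET)):
        print(name, compare(pkt))
```

Running the block prints `scan ('allow', 'deny')`: the naive table lets the port-25 probe through under the "replies to outbound mail" rule, the strict table falls through to the default policy. Changing the default to "allow" makes the same probe pass the strict table too, which is why the default policy matters as much as the rules.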

Types of Firewalls Application-level Gateway

Types of Firewalls: Application-level Gateway
- Also called a proxy server
- Acts as a relay of application-level traffic: the user contacts the gateway, the gateway checks the request against its policy, then opens its own connection to the remote host and relays application data between the two

Types of Firewalls: Proxy. A program that deals with external servers on behalf of internal clients. Proxy clients talk to the proxy server, which relays approved client requests on to the real servers and relays the answers back to the clients.

Types of Firewalls: Application-level Gateway
Advantages:
- Higher security than packet filters: the gateway understands the application protocol it relays and can reject requests a packet filter cannot see
- Only needs to scrutinize a few allowable applications
- Easy to log and audit all incoming traffic
Disadvantages:
- Additional processing overhead on each connection (the gateway is a splice point between two connections and handles every byte)
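The added example below (not code from the original slides) shows what an application-level gateway can do that a packet filter cannot: it parses the HTTP request an internal client sends through the proxy, enforces a per-application policy, strips the hop-by-hop headers that belong to the client-to-gateway leg, records an audit line, and produces either the request to forward to the origin server or the error response to return to the client. The allowed hosts and methods, the `Via` token and the client address are assumptions.

```python
from typing import List, Tuple

# Assumed gateway policy: destinations and HTTP methods internal clients may use.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_METHODS = {"GET", "HEAD"}
# Headers that belong to the client-to-gateway hop only and must not be relayed upstream.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}
AUDIT_LOG: List[str] = []        # in-memory stand-in for the gateway's log file


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body


def reject(status: str) -> Tuple[str, bytes]:
    return "reject", f"HTTP/1.1 {status}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".encode()


def screen(raw: bytes, client_ip: str) -> Tuple[str, bytes]:
    """Decide one request from client_ip: ('forward', bytes for the origin server)
    or ('reject', response bytes for the client). The gateway sees the whole request,
    so it can judge method and destination, which a packet filter cannot."""
    try:
        method, target, version, headers, body = parse_http_request(raw)
    except ValueError:
        return reject("400 Bad Request")
    if target.startswith("http://"):                 # absolute-form, as a client sends to a proxy
        authority, _, path = target[7:].partition("/")
        target = "/" + path
    else:                                            # origin-form: destination comes from Host
        authority = ""
    host_hdrs = [v for n, v in headers if n.lower() == "host"]
    if len(host_hdrs) > 1 or (authority and host_hdrs and host_hdrs[0].lower() != authority.lower()):
        return reject("400 Bad Request")             # ambiguous destination
    host = (authority or (host_hdrs[0] if host_hdrs else "")).lower()
    if method not in ALLOWED_METHODS:
        return reject("405 Method Not Allowed")
    if host not in ALLOWED_HOSTS:
        return reject("403 Forbidden")
    kept = [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP | {"host"}]
    kept = [("Host", host)] + kept + [("Via", "1.1 gateway")]   # gateway names itself, not the client
    AUDIT_LOG.append(f"{client_ip} {method} {host}{target}")
    out = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return "forward", out.encode("latin-1") + body
```

The origin server receives an origin-form request with a fresh `Host` and a `Via` header, and nothing that identifies the internal client; the audit log, not the upstream request, is where the client address is kept.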

Circuit Level Gateway Bastion Host

Circuit Level Gateway. A circuit-level gateway monitors the TCP handshake between trusted clients or servers on the inside and untrusted hosts on the outside (and vice versa) to determine whether a requested session is legitimate. To do so it relies on the TCP header of each packet: the handshake is an exchange of TCP segments flagged SYN (synchronize) and ACK (acknowledge), and each flag combination is legitimate only at a particular point in the session. In OSI terms the gateway sits at the session layer, two layers above the network layer at which a packet-filtering router works.
When a user's web page request passes through the circuit-level gateway, the gateway records the internal client's details (such as its IP address) in its own session table so that it can deliver the reply, then forwards the request to the web server over a connection of its own. The external server sees only the gateway's IP address and receives no information about the internal user. The web (real) server sends its response to the gateway, which forwards it to the client through the same circuit.

Circuit Level Gateway
- Works at the session layer of the OSI model
- Monitors the TCP handshake to determine whether a requested session is legitimate
- Does not allow an end-to-end TCP connection
- Sets up two TCP connections: one between itself and a TCP user on the inside, the other between itself and a TCP user on the outside
- Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway

Circuit Level Gateway
- The gateway supervises the TCP handshake to confirm that a session is genuine; traffic is allowed or refused on the basis of session rules (who may connect to what) and can be restricted to known, approved computers only
- Circuit-level gateways conceal the protected network from the outside, which is useful for denying reconnaissance to impostors: everything appears to come from the gateway
- Once a session has been approved they do not filter individual packets: the contents of the relayed connection are not inspected
- They are relatively inexpensive and have the advantage of hiding information about the private network they protect; on the other hand, they offer no application-level filtering
- Typical use: where internal users are trusted for all outbound services, the gateway examines inbound connections and simply relays outbound ones
- Disadvantage: requires a modified ("socksified") client
- Example: SOCKS version 5 (RFC 1928), which uses TCP port 1080
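The SOCKS 5 exchange mentioned above, as an added example (not from the original slides) built from the message formats in RFC 1928: the client's method greeting, the gateway's method selection, the CONNECT request, and the gateway's reply, which carries the address the gateway itself binds for the outbound leg. The gateway's session rules (an allowlist of destination host/port pairs) and the addresses are assumptions. Note what the gateway checks, the destination and command only, and what it never looks at: the bytes exchanged after a successful reply, which it relays unchanged.

```python
import struct
from ipaddress import IPv4Address
from typing import Set, Tuple

SOCKS_VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07

# Assumed session rules and outside address of the gateway (documentation ranges).
ALLOWED_DESTS: Set[Tuple[str, int]] = {("www.example.com", 443), ("198.51.100.7", 25)}
GATEWAY_OUTSIDE_ADDR = "203.0.113.1"


def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client -> gateway: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def gateway_method_select(greeting: bytes, supported=(METHOD_NO_AUTH,)) -> bytes:
    """Gateway -> client: VER, METHOD (0xFF when no offered method is acceptable)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    chosen = next((m for m in supported if m in offered), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VER, chosen])


def client_connect_request(host: str, port: int) -> bytes:
    """Client -> gateway: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except ValueError:                                   # not a dotted quad: send a domain name
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks_request(req: bytes) -> Tuple[int, str, int]:
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VER or rsv != 0:
        raise ValueError("malformed request")
    if atyp == ATYP_IPV4:
        host, rest = str(IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, host, port


def gateway_reply(req: bytes, allowed: Set[Tuple[str, int]] = ALLOWED_DESTS,
                  bind_port: int = 0) -> bytes:
    """Gateway -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
    The session rule is applied here, before any outbound connection is opened. BND.ADDR is
    the gateway's own outside address, which is all the remote server will ever see."""
    cmd, host, port = parse_socks_request(req)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_NOT_SUPPORTED
    elif (host.lower(), port) in allowed:
        rep = REP_SUCCEEDED
    else:
        rep = REP_NOT_ALLOWED
    return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + IPv4Address(GATEWAY_OUTSIDE_ADDR).packed
            + struct.pack("!H", bind_port))


def handshake(host: str, port: int) -> Tuple[int, str]:
    """Run both sides of the exchange in-process; returns (REP code, BND.ADDR)."""
    if gateway_method_select(client_greeting())[1] == METHOD_NONE_ACCEPTABLE:
        raise RuntimeError("no common authentication method")
    reply = gateway_reply(client_connect_request(host, port))
    return reply[1], str(IPv4Address(reply[4:8]))
```

After a reply with REP 0x00 a real gateway connects to the destination from `GATEWAY_OUTSIDE_ADDR` and copies bytes in both directions between its two TCP connections; an HTTP request for a forbidden path inside that stream, or a malicious payload, is invisible to it, which is exactly the gap an application-level gateway fills.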

Bastion Host. A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. It generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the attack surface. It is hardened in this way because of its location and purpose: it sits either outside the firewall or in the DMZ and is usually reached from untrusted networks or computers.
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub-network that contains and exposes an organization's external-facing services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker has direct access only to the equipment in the DMZ, not to any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operations are not permitted.

Bastion Host
- A system identified by the firewall administrator as a critical strong point in the network's security
- A bastion host is a computer that is fully exposed to attack: it sits on the public side of the demilitarized zone (DMZ), not shielded by a firewall or filtering router, so its own hardening is all that protects it
- Indeed, the firewalls and filtering routers themselves can be considered bastion hosts
- Other typical bastion hosts: web, mail, DNS and FTP servers

Bastion Host Placement. There are two common network configurations that include bastion hosts. The first uses two firewalls: the bastion hosts sit in a demilitarized zone (DMZ) between the outer firewall, which faces the outside world, and an inner firewall, which shields the internal network.

Bastion Host Placement. Smaller networks often do not have multiple firewalls; where only one firewall exists, bastion hosts are commonly placed outside it. Examples:
- DNS (Domain Name System) server
- E-mail server
- FTP (File Transfer Protocol) server

How to bypass the firewall ?

How to bypass the firewall? "Legal" ways (abusing features of the IP protocol itself, so that the traffic looks legitimate to the filter):
- IP address spoofing
- Source routing
- Tiny fragments
"Illegal" ways (planting malicious software on a host inside the perimeter):
- Rootkit
- Trojan

IP ADDRESS SPOOFING. IP address spoofing is the intentional misrepresentation of the source IP address in an IP packet, either to conceal the identity of the sender or to impersonate another computing system. Against a firewall, the attacker gains unauthorized access by making the packet appear to come from a trusted machine, spoofing the IP address of that machine so that rules which trust internal or partner addresses let it through. The standard countermeasure is ingress filtering: a packet arriving on the outside interface with a source address belonging to the inside is discarded.

SOURCE ROUTING. Source routing is a technique by which the sender of a packet specifies the route the packet should take through the network. Normally, as a packet travels through the network, each router examines the destination IP address and chooses the next hop itself; with source routing, the source (the sender) makes some or all of these decisions, using the loose or strict source route options in the IP header. A source-routed packet can be steered around a filtering router, or made to return along a path the attacker controls. The countermeasure is to discard all packets that carry source route options.

SOURCE ROUTING (cont.). A is the sender, F the destination. To bypass the firewall, sender A specifies the route itself: A -> B -> C -> D -> E -> F, choosing hops that avoid the filtering router on the normal path.

TINY FRAGMENT. In the tiny fragment attack the attacker uses IP fragmentation to create extremely small fragments and forces the TCP header information into a separate fragment. This is designed to circumvent filtering rules that depend on TCP header information: the attacker hopes that only the first fragment is examined by the filtering router and that the remaining fragments are passed through. The countermeasure is to enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header, and to discard a packet whose first fragment is too small, as well as any subsequent fragment that would overlap it.
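An added example (not code from the original slides) that builds raw IPv4 packets with Python's `struct` module and runs them through the countermeasures for the three techniques above: ingress filtering for spoofed internal source addresses, rejection of packets carrying the loose or strict source route options (IP option types 131 and 137), and the fragment rules from RFC 1858 (a first TCP fragment must carry at least 16 bytes of the transport header, and a fragment at offset 1 is dropped because it would overlap the flags of the first). A deliberately naive filter that reads TCP flags only from a first fragment that happens to contain them is included to show the tiny fragment bypass succeeding against it. Addresses, interface names, the sample packets and the "block inbound Telnet" policy are assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

INTERNAL = IPv4Network("192.0.2.0/24")   # assumed internal prefix
PROTO_TCP = 6
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137
TMIN = 16        # RFC 1858 minimum for a first TCP fragment; covers the flags byte at offset 13
IPHDR = "!BBHHHBBH4s4s"


def ipv4_packet(src, dst, payload, *, proto=PROTO_TCP, options=b"", mf=False, frag_off=0):
    """Constructed IPv4 packet: options padded to 32 bits, correct header checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | frag_off       # MF bit | 13-bit offset in 8-byte units
    fields = [(4 << 4) | ihl, 0, ihl * 4 + len(payload), 1, flags_frag, 64, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    hdr = struct.pack(IPHDR, *fields) + options
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    fields[7] = ~s & 0xFFFF
    return struct.pack(IPHDR, *fields) + options + payload


def parse_ipv4(pkt):
    ver_ihl, _, total, _, flags_frag, _, proto, _, src, dst = struct.unpack(IPHDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": IPv4Address(src), "dst": IPv4Address(dst), "proto": proto,
            "frag_off": flags_frag & 0x1FFF, "options": pkt[20:ihl], "payload": pkt[ihl:total]}


def has_source_route(options):
    """True if the option list contains LSRR/SSRR, or is malformed (fail closed)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return False
        if kind == OPT_NOP:
            i += 1
            continue
        if kind in (OPT_LSRR, OPT_SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            return True
        i += options[i + 1]
    return False


def tcp_syn(sport, dport):
    """20-byte TCP header: ports, seq, ack, data offset 5, flags=SYN, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def naive_decide(pkt):
    """Blocks inbound Telnet SYNs, but only looks at a first fragment, and only if the flags are in it."""
    p = parse_ipv4(pkt)
    if p["proto"] == PROTO_TCP and p["frag_off"] == 0 and len(p["payload"]) >= 4:
        dport = struct.unpack("!H", p["payload"][2:4])[0]
        syn = len(p["payload"]) > 13 and p["payload"][13] & 0x02
        if dport == 23 and syn:
            return "drop: inbound telnet SYN"
    return "pass"


def perimeter_decide(pkt, iface):
    """Hardened verdict for a packet arriving on iface ('outside' or 'inside')."""
    p = parse_ipv4(pkt)
    if iface == "outside" and p["src"] in INTERNAL:
        return "drop: spoofed internal source on outside interface"
    if has_source_route(p["options"]):
        return "drop: source-routed packet"
    if p["proto"] == PROTO_TCP:
        if p["frag_off"] == 0 and len(p["payload"]) < TMIN:
            return "drop: tiny first fragment (RFC 1858)"
        if p["frag_off"] == 1:
            return "drop: fragment overlapping the TCP header (RFC 1858)"
    return naive_decide(pkt)        # survivors get the ordinary port/flag rules


def demo():
    """Constructed attack traffic: (naive verdict, hardened verdict) per sample."""
    syn = tcp_syn(40000, 23)
    outside, victim = "203.0.113.5", "192.0.2.20"
    lsrr = bytes([OPT_LSRR, 7, 4]) + IPv4Address("192.0.2.1").packed   # one hop, pointer 4
    samples = {
        "whole telnet SYN": ipv4_packet(outside, victim, syn),
        "fragment 1 (8 bytes, MF)": ipv4_packet(outside, victim, syn[:8], mf=True),
        "fragment 2 (offset 1)": ipv4_packet(outside, victim, syn[8:], frag_off=1),
        "spoofed internal source": ipv4_packet("192.0.2.10", victim, tcp_syn(40000, 25)),
        "source routed": ipv4_packet(outside, victim, tcp_syn(40000, 25), options=lsrr),
    }
    return {name: (naive_decide(p), perimeter_decide(p, "outside")) for name, p in samples.items()}
```

`demo()` shows the attack: the two fragments each pass the naive filter (the first carries only ports and sequence number, the second is never inspected), while the hardened filter drops both on the RFC 1858 rules and also drops the spoofed and source-routed packets before any port rule is consulted. The same packet with a 192.0.2.10 source passes on the inside interface, which is the point of tying the anti-spoofing check to the arrival interface rather than to the address alone.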

ROOTKIT. A rootkit is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system while avoiding detection. Rootkits are known to exist for a variety of operating systems, including Linux, Solaris and versions of Microsoft Windows. Once one is installed on an internal host, the firewall is bypassed from the inside: the compromised host initiates the outbound connections the firewall already permits.

TROJAN. In computer software, a Trojan horse is a malicious program; the term is derived from the classical myth of the Trojan Horse. Trojans look useful or interesting (or at the very least harmless) to an unsuspecting user, but are harmful when executed. The term is often shortened to simply "Trojan".


Thank you