1 Firewalls

2 References
1. Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, p 24 –
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, p 62 –
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, p 50 –
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, p 112 –
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.

3 Firewall as Network Access Control
Access Control
  – Authentication
  – Authorization
Single Sign On
Firewall
  – Interface between networks, usually external (internet) and internal
  – Allows traffic flow in both directions

4 Firewall
  – Interface between networks, usually external (internet) and internal
  – Allows traffic flow in both directions
  – Controls the traffic
(Figure: Internet – Firewall – Internal network)

5 Firewall as Secretary
A firewall is like a secretary
To meet with an executive
  – First contact the secretary
  – Secretary decides if the meeting is reasonable
  – Secretary filters out many requests
You want to meet the chair of the CS department?
  – Secretary does some filtering
You want to meet the President of the US?
  – Secretary does lots of filtering!
[1]

6 Security Strategies
Least privilege
  – Objects have the lowest privilege needed to perform their assigned task
Defense in depth
  – Use multiple mechanisms
  – Best if each is independent: minimal overlap
Choke point
  – Facilitates monitoring and control
[2]

7 Security Strategies - 2
Weakest link
Fail-safe
  – If the firewall fails, it should fail safe, i.e. deny access, to avoid intrusions
Default deny
Default permit
Universal participation
  – Everyone has to accept the rules
[2]

8 Security Strategies - 3
Diversity of defense
Inherent weaknesses
  – Use multiple technologies to compensate for the inherent weakness of any one technology
Common heritage
  – If systems are configured by the same person, they may share the same weakness
Simplicity
Security through obscurity
[2]

9 Security Strategies - 4
Configuration errors can be devastating
Testing is not perfect
Ongoing trial and error will identify weaknesses
Enforcing a sound policy is critical
[2]

10 Types of Firewall
No standard terminology
Packet filtering (network layer)
  – Simplest firewall
  – Filters packets based on specified criteria: IP addresses, subnets, TCP or UDP ports
Stateful inspection (transport layer)
  – In addition to packet inspection
  – Validates attributes of multi-packet flows
[2]

11 Types of Firewall - 2
Application-based firewall (application layer)
  – Software package that allows or denies access across networks
  – Logs access: attempted access and allowed access
Personal firewall: single user, home network
[2]

12 Types of Firewall - 3
Proxy
  – Intermediate connection between servers on the internet and internal servers
  – For incoming data, the proxy is the server to internal network clients
  – For outgoing data, the proxy is the client sending data out to the internet
[2]

13 Types of Firewall - 4
Network Address Translation
  – Hides the internal network from the external network
  – Private IP addresses expand the IP address space
  – Creates a choke point
Virtual Private Network
  – Employs encryption and integrity protection
  – Uses the internet as part of a private network
[2]

14 Packet Filter
Advantages
  – Simplest firewall architecture
  – Works at the network layer, so applies to all systems
  – One firewall for the entire network
Disadvantages
  – Can be compromised by many attacks, e.g. source spoofing

15 Packet Filter - Example [2]

16 Packet Filter - Example [2]

17 Packet Filter - Example
The attack succeeds because of rules B and D
It is more secure to add source ports to the rules

18 Packet Filter - Example [2]

19 Packet Filter - Example
These packets would be admitted
To avoid this, add an ACK-bit condition to the rule set
[2]

20 Packet Filter - Example
The attack fails because the ACK bit is not set
The ACK bit is set on replies to a connection that originated from inside
Incoming TCP packets must have the ACK bit set
If the connection started outside, there is no matching rule and the packet is rejected
[2]

21 TCP Ack for Port Scanning
Attacker sends a packet with ACK set (without prior handshake) to port p
  – Violation of the TCP/IP protocol
Packet filter firewall passes the packet
  – Firewall considers it part of an ongoing connection
Receiver sends RST
  – Indicates to the sender that the connection should be terminated
Receiving the RST indicates that port p is open!!
[1]

22 TCP Ack Port Scan
RST confirms that port 1209 is open
Problem: packet filtering is stateless; the firewall should track the entire connection exchange
[1]

23 Stateful Packet Filter
Remembers packets in TCP connections (and flag bits)
Adds state information to the packet filter firewall
Operates at the transport layer
Pro: adds state to the packet filter and keeps track of ongoing connections
Con: slower, more overhead; packet content information is not used
[1]
(Figure: protocol stack – application, transport, network, link, physical)
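The following is an added example, not code from the slides or from the cited references. It models slides 17 through 23 in one place: a stateless packet filter whose inbound rule carries source-port and ACK-bit conditions (so the unsolicited ACK to port 1209 of slide 22 still matches and is passed), and a stateful filter that records connections opened from inside and denies inbound packets that belong to none of them. The rule names A and B, the networks 10.0.0.0/24, 198.51.100.10 and 203.0.113.9, and the ports are constructed for the illustration and are not the slides' own rule table.

```python
"""Toy packet-filter model (constructed example, not from the slides):
stateless rules with the ACK-bit condition of slides 19-20, and a stateful
filter (slide 23) that also rejects the unsolicited-ACK probe of slides 21-22.
Addresses, ports and rule names below are assumptions."""
from dataclasses import dataclass

ANY_PORT = range(0, 65536)
EPHEMERAL = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = leaving the internal net, "in" = arriving from the internet
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    sports: range       # source-port condition (slide 17: adding it tightens the rule)
    dports: range
    require_ack: bool   # slide 19: inbound packets must carry the ACK bit
    action: str         # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.sport in self.sports
                and p.dport in self.dports
                and (p.ack or not self.require_ack))


# Constructed rule set: internal clients may reach web servers on port 80, and
# only ACK-bearing replies from port 80 may come back in. Everything else falls
# through to default deny.
RULES = [
    Rule("A-out-http", "out", EPHEMERAL, range(80, 81), False, "allow"),
    Rule("B-in-reply", "in", range(80, 81), EPHEMERAL, True, "allow"),
]


def stateless_filter(p: Packet, rules=RULES) -> str:
    """First matching rule wins; no match means deny (fail-safe default, slide 7)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Stateful inspection: remembers connections opened from inside and admits
    inbound packets only when they belong to one of them."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()  # (internal_ip, internal_port, external_ip, external_port)

    def inspect(self, p: Packet) -> str:
        verdict = stateless_filter(p, self.rules)
        if p.direction == "out":
            if verdict == "allow" and p.syn and not p.ack:   # new connection from inside
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return verdict
        # inbound: the ACK bit alone is not trusted; the connection must be known
        if (p.dst, p.dport, p.src, p.sport) not in self.connections:
            return "deny"
        return verdict


def demo() -> dict:
    """Run the slides' scenario through both filters and return the verdicts."""
    client_syn = Packet("10.0.0.5", 40000, "198.51.100.10", 80, "out", syn=True)
    server_synack = Packet("198.51.100.10", 80, "10.0.0.5", 40000, "in", syn=True, ack=True)
    # Constructed unsolicited ACK to port 1209 (slide 22), no prior handshake
    probe = Packet("203.0.113.9", 80, "10.0.0.5", 1209, "in", ack=True)

    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_filter(server_synack),   # allow: rule B
        "stateless_probe": stateless_filter(probe),           # allow: rule B also matches
        "stateful_syn": sf.inspect(client_syn),               # allow, connection recorded
        "stateful_reply": sf.inspect(server_synack),          # allow: known connection
        "stateful_probe": sf.inspect(probe),                  # deny: no tracked connection
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The stateless verdict for the probe is the point of slide 22: source port 80 and the ACK bit are both satisfied by a forged packet, so the only information that separates it from a real reply is whether the firewall saw the matching outbound SYN. The stateful filter keeps exactly that table, at the cost of the extra memory and lookup the slide lists as its disadvantage.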

24 Application Proxy
A proxy acts on behalf of the system being protected
An application proxy examines incoming application data and verifies that it is safe before passing it to the system
Pros
  – Complete view of the connections and application data
  – Filters bad data (viruses, Word macros)
  – Incoming packet is terminated and a new packet is sent to the internal network
Con
  – Speed
[1]

25 Firewalk – Port Scanning
Scans ports through firewalls
Requires knowledge of
  – IP address of the firewall
  – IP address of one system in the internal network
  – Number of hops to the firewall
Set TTL (time to live) = hops to firewall + 1
Set destination port to p
If the firewall does not pass data for port p, then no response
If data passes through the firewall on port p, then a time exceeded error message
[1]

26 Firewalk and Proxy Firewall
Attack stopped by a proxy firewall
  – Incoming packet destroyed (old TTL value also destroyed)
  – New outgoing packet will not exceed its TTL
[1]
(Figure: Trudy sends packets with dest port 12345, 12344, 12343, each with TTL=4, through a packet filter to a router; the router answers "Time exceeded")
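An added model of slides 25 and 26 (not code from the slides or the cited papers) showing why the two architectures behave differently. A packet filter forwards the very same packet, decrementing its TTL, so the router behind it receives TTL 0 and emits an ICMP time exceeded message; an application proxy destroys the inbound packet and originates a fresh one with a full TTL, so that message is never produced. The hop count of 3, the allowed port set {80, 443} and the default TTL of 64 are assumptions made for the illustration.

```python
"""Constructed model (not from the slides) of slides 25-26: what the sender of a
probe with TTL = hops to firewall + 1 observes behind a packet filter versus
behind an application proxy. Hop count, port list and default TTL are assumptions."""
from typing import Optional

ALLOWED_PORTS = {80, 443}   # assumption: firewall policy passes only web ports
HOPS_TO_FIREWALL = 3        # assumption: sender -> 3 routers -> firewall -> inside router
DEFAULT_TTL = 64            # assumption: TTL a fresh packet leaves the proxy with


def _ttl_at_firewall(ttl: int) -> Optional[int]:
    """TTL remaining when the packet reaches the firewall, or None if it expired en route."""
    ttl -= HOPS_TO_FIREWALL
    return ttl if ttl > 0 else None


def packet_filter_leaks_time_exceeded(dport: int, ttl: int) -> bool:
    """Packet filter (slide 25): the same packet is forwarded with TTL minus one."""
    remaining = _ttl_at_firewall(ttl)
    if remaining is None or dport not in ALLOWED_PORTS:
        return False            # expired early or silently dropped: nothing reaches the sender
    remaining -= 1              # firewall forwards and decrements
    return remaining == 0       # inside router sees TTL 0 and sends ICMP time exceeded


def proxy_leaks_time_exceeded(dport: int, ttl: int) -> bool:
    """Application proxy (slide 26): the inbound packet is destroyed and a new one is created."""
    remaining = _ttl_at_firewall(ttl)
    if remaining is None or dport not in ALLOWED_PORTS:
        return False
    new_ttl = DEFAULT_TTL - 1   # the proxy's own packet, one hop to the inside router
    return new_ttl == 0         # never true: the probe's TTL did not survive the proxy


def compare(ports=(12345, 80)) -> dict:
    """For each port, whether the sender receives a time exceeded message from inside."""
    ttl = HOPS_TO_FIREWALL + 1  # the TTL choice from slide 25
    return {
        p: {"packet_filter": packet_filter_leaks_time_exceeded(p, ttl),
            "proxy": proxy_leaks_time_exceeded(p, ttl)}
        for p in ports
    }


if __name__ == "__main__":
    for port, outcome in compare().items():
        print(port, outcome)
```

With the packet filter, the blocked port 12345 and the allowed port 80 give the sender different answers (silence versus time exceeded), which is the information leak the slide describes; with the proxy both ports give silence, because the only packet that reaches the inside router was built by the proxy itself.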

27 Firewalls and Defense in Depth
Example security architecture
(Figure: Internet – Packet Filter – DMZ with FTP server, DNS server, WWW server – Application Proxy – Intranet with Personal Firewalls)
[1]

28 [1]