Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Slides:



Advertisements
Similar presentations
Network Security Essentials Chapter 11
Advertisements

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system.
Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
—On War, Carl Von Clausewitz
Chapter 11 Firewalls.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
EE579T/10 #1 Spring 2003 © , Richard A. Stanley WPI EE579T Network Security 10: Firewalls Prof. Richard A. Stanley.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
EE579T/6GD #1 Summer 2003 © , Richard A. Stanley EE579T Network Security 6: Firewalls and Trusted Networks Prof. Richard A. Stanley.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 20 Firewalls.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
Intranet, Extranet, Firewall. Intranet and Extranet.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Fall 2004CS 395: Computer Security1 Chapter 20: Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Chapter 6: Packet Filtering
1 Pertemuan 13 IDS dan Firewall Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
The Security Aspect of Social Engineering Justin Steele.
Chapter 11 Firewalls.
1 Internet Firewalls What it is all about Concurrency System Lab, EE, National Taiwan University R355.
Firewalls, etc.. Network Security2 Outline Intro Various firewall technologies: –Static Packet Filtering (or nonstateful packet filter) –Dynamic Packet.
1 Chapter 20: Firewalls Fourth Edition by William Stallings Lecture slides by Lawrie Brown(modified by Prof. M. Singhal, U of Kentucky)
Fundamentals of The Internet Learning outcomes After this session, you should be able to: Identify the threat of intruders in systems and networks and.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
NS-H /11041 Intruder. NS-H /11042 Intruders Three classes of intruders (hackers or crackers): –Masquerader –Misfeasor –Clandestine user.
Firewall – Survey Purpose of a Firewall – To allow ‘proper’ traffic and discard all other traffic Characteristic of a firewall – All traffic must go through.
Karlstad University Firewall Ge Zhang. Karlstad University A typical network topology Threats example –Back door –Port scanning –…–…
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Firewall – Survey  Purpose of a Firewall  To allow ‘proper’ traffic and discard all other traffic  Characteristic of a firewall  All traffic must go.
1 An Introduction to Internet Firewalls Dr. Rocky K. C. Chang 12 April 2007.
UNIT -5 Password Management Firewall Design Principles.
Cryptography and Network Security
Computer Security Firewalls and Intrusion Prevention Systems.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Fall 2006CS 395: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
FIREWALL APOORV SRIVASTAVA VAIBHAV KUMAR
Why do we need Firewalls?
Firewall.
Firewalls.
Computer Data Security & Privacy
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Lecture # 7 Firewalls الجدر النارية. Lecture # 7 Firewalls الجدر النارية.
* Essential Network Security Book Slides.
Firewalls Purpose of a Firewall Characteristic of a firewall
POOJA Programmer, CSE Department
Firewalls Jiang Long Spring 2002.
دیواره ی آتش.
Presentation transcript:

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides.

Fall 2008CS 334: Computer Security2 Outline Firewall Design Principles –Firewall Characteristics –Types of Firewalls

Fall 2008CS 334: Computer Security3 Firewalls Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet Information systems undergo a steady evolution (from small LAN`s to Internet connectivity) Strong security features for all workstations and servers not established

Fall 2008CS 334: Computer Security4Why? Systems provide many services by default –Many workstations provide remote access to files and configuration databases (for ease of management and file sharing) –Even if configured only for specific users, they can sometimes be tricked into providing services they shouldn’t E.g. missing bounds check in input parsers –Also, users sometimes forget to close temporary holes E.g. leaving file system remote mountable for file sharing

Fall 2008CS 334: Computer Security5Why? Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don’t Which services? –Finger –telnet: requires authentication, but password sent in clear –rlogin: similar to telnet, but uses IP address based authentication (Bad!) –ftp: Tricky because two connections, control channel from sender, and data connection from receiver. (passive ftp has both sender originated) –X Windows –ICMP

Fall 2008CS 334: Computer Security6 Firewall Design Principles The firewall is inserted between the premises network and the Internet Aims: –Establish a controlled link –Protect the premises network from Internet-based attacks –Provide a single choke point

Fall 2008CS 334: Computer Security7 Firewall Characteristics Design goals: –All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) –Only authorized traffic (defined by the local security policy) will be allowed to pass –The firewall itself is immune to penetration (use of trusted system with a secure operating system)

Fall 2008CS 334: Computer Security8 Firewall Characteristics Four general techniques: Service control –Determines the types of Internet services that can be accessed, inbound or outbound Direction control –Determines the direction in which particular service requests are allowed to flow

Fall 2008CS 334: Computer Security9 Firewall Characteristics User control –Controls access to a service according to which user is attempting to access it Behavior control –Controls how particular services are used (e.g. filter )

Fall 2008CS 334: Computer Security10 Firewall Limitations Cannot protect against attacks that bypass the firewall –E.g. an internal modem pool Firewall does not protect against internal threats Firewall cannot protect against transfer of virus infected programs –Too many different apps and operating systems supported to make it practical to scan all incoming files for viruses

Fall 2008CS 334: Computer Security11 Types of Firewalls Three common types of Firewalls: –Packet-filtering routers –Application-level gateways –Circuit-level gateways –(Bastion host)

Fall 2008CS 334: Computer Security12 Types of Firewalls Packet-filtering Router

Fall 2008CS 334: Computer Security13 Types of Firewalls Packet-filtering Router –Applies a set of rules to each incoming IP packet and then forwards or discards the packet –Filter packets going in both directions –The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header –Two default policies (discard or forward)

Fall 2008CS 334: Computer Security14 Types of Firewalls Advantages: –Simplicity –Transparency to users –High speed Disadvantages: –Difficulty of setting up packet filter rules –Lack of Authentication Who really sent the packet?

Fall 2008CS 334: Computer Security15 Firewalls – Packet Filters

Fall 2008CS 334: Computer Security16 Firewalls – Packet Filters Can be clever: –Allow connections initiated from inside network to outside, but not initiated from outside. Traffic flows both way, but if firewall only allows incoming packets with ACK set in TCP header, this manages the issue. Problem: some apps require outside node to initiate connection with inside node (e.g. ftp, Xwindows), even if original request initiated by inside node. Solution (sort of): allow packets from outside if they are connecting to high port number.

Fall 2008CS 334: Computer Security17 Stateful Packet Filter Changes filtering rules dynamically (by remembering what has happened in recent past) Example: Connection initiated from inside node S to outside IP address D. For short time allow incoming connections from D to appropriate ports (I.e. ftp port). In practice, much more caution –Stateful filter notices the incoming port requested by S and only allows connections from D to that port. Requires parsing ftp control packets

Fall 2008CS 334: Computer Security18 Types of Firewalls Possible attacks and appropriate countermeasures –IP address spoofing Discard packet with inside source address if it arrives on external interface –Source routing attacks Discard all source routed packets

Fall 2008CS 334: Computer Security19 Types of Firewalls Possible attacks and appropriate countermeasures –Tiny fragment attacks Intruder uses IP fragment option to create extremely small IP packets that force TCP header information into separate packet fragments Discard all packets where protocol type is TCP and IP fragment offset is small

Fall 2008CS 334: Computer Security20 Types of Firewalls Application-level Gateway

Fall 2008CS 334: Computer Security21 Types of Firewalls Application-level Gateway –Also called proxy server –Acts as a relay of application-level traffic –Can act as router, but typically placed between two packet filtering firewalls (for total of three boxes) Two firewalls are routers that refuse to forward anything from the global net that is not to gateway, and anything to global net that is not from gateway. Sometimes called a bastion host (we use the term differently)

Fall 2008CS 334: Computer Security22 Types of Firewalls Advantages: –Higher security than packet filters –Only need to scrutinize a few allowable applications –Easy to log and audit all incoming traffic Disadvantages: –Additional processing overhead on each connection (gateway as splice point)

Fall 2008CS 334: Computer Security23 Types of Firewalls Circuit-level Gateway

Fall 2008CS 334: Computer Security24 Types of Firewalls Circuit-level Gateway –Stand-alone system or –Specialized function performed by an Application-level Gateway –Sets up two TCP connections –The gateway typically relays TCP segments from one connection to the other without examining the contents

Fall 2008CS 334: Computer Security25 Types of Firewalls Circuit-level Gateway –The security function consists of determining which connections will be allowed –Typically use is a situation in which the system administrator trusts the internal users

Fall 2008CS 334: Computer Security26 Types of Firewalls Bastion Host –A system identified by the firewall administrator as a critical strong point in the network´s security –The bastion host serves as a platform for an application-level or circuit-level gateway

Fall 2008CS 334: Computer Security27 Firewall Configurations In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible We won’t go into these

Fall 2008CS 334: Computer Security28 Why Firewalls Don’t Work Assume all bad guys are on outside, and everyone inside can be trusted. Firewalls can be defeated if malicious code can be injected into corporate network –E.g. trick someone into launching an executable from an message or into downloading something from the net. Often make it difficult for legitimate users to get their work done. –Misconfiguration, failure to recognize new app

Fall 2008CS 334: Computer Security29 Why Firewalls Don’t Work If firewall allows anything through, people figure out how to do what they need by disguising their traffic as allowed traffic –E.g. file transfer by sending it through . If size of s limited, then user breaks them into chunks, etc. –Firewall friendly traffic (e.g. using http for other purposes) Defeats effort of sysadmin to control traffic Less efficient than not using http

Fall 2008CS 334: Computer Security30 Recommended Reading Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995 Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.