
Presentation transcript:

8: Network Management, Slide 1: Firewalls

Slide 2: Firewalls

Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

- To prevent denial of service attacks:
  - SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocates TCP buffers for bogus connections, none left for "real" connections.
- To prevent illegal modification of internal data.
  - e.g., attacker replaces CIA's homepage with something else
- To prevent intruders from obtaining secret info.

Two firewall types:
- packet filter
- application gateways

Slide 3: Packet Filtering

- Internal network is connected to Internet through a router.
- Router manufacturer provides options for filtering packets, based on:
  - source IP address
  - destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: Block inbound TCP segments with ACK=0.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
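As an added example (not part of the slides), the following Python models the stateless router filter described above: each packet is matched against the listed header fields and the first matching rule decides. Example 1 is encoded as two rules (all UDP, and port 23 in either direction), which is the reading under which its stated effect, blocking all UDP flows and all telnet connections, holds; the class names, protocol numbers and sample addresses are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1  # IP protocol field values


@dataclass
class Packet:
    """Header fields the router can filter on (constructed, not parsed)."""
    inbound: bool                   # True = arriving from the Internet
    proto: int                      # IP protocol field
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # TCP/UDP only
    dst_port: Optional[int] = None
    ack: bool = False               # TCP ACK flag bit


@dataclass
class Rule:
    """A field left as None is a wildcard; 'port' matches source OR destination."""
    action: str                     # "block" or "allow"
    inbound: Optional[bool] = None
    proto: Optional[int] = None
    port: Optional[int] = None
    ack: Optional[bool] = None      # required TCP ACK bit (implies proto TCP)

    def matches(self, p: Packet) -> bool:
        if self.inbound is not None and p.inbound != self.inbound:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.port is not None and self.port not in (p.src_port, p.dst_port):
            return False
        if self.ack is not None and (p.proto != TCP or p.ack != self.ack):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; with no match the router forwards (allow)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "allow"


# Example 1, read as two rules so that its stated effect holds: every UDP
# datagram (protocol 17) and every telnet segment (port 23) is blocked.
EXAMPLE1 = [Rule("block", proto=UDP), Rule("block", port=23)]
# Example 2: inbound TCP with ACK=0 is the opening SYN of an outside-initiated connection.
EXAMPLE2 = [Rule("block", inbound=True, proto=TCP, ack=False)]
RULES = EXAMPLE1 + EXAMPLE2
```

Replies to connections opened from the inside carry ACK=1 and pass Example 2, which is what lets internal clients reach the outside.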

Slide 4: Application gateways

- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
  (Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter)
  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.

Slide 5: Limitations of firewalls and gateways

- IP spoofing: router can't know if data "really" comes from claimed source
- If multiple apps need special treatment, each has its own app gateway.
- Client software must know how to contact gateway.
  - e.g., must set IP address of proxy in Web browser
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with outside world vs. level of security
- Many highly protected sites still suffer from attacks.

Slide 6: Reference material: Firewalls

Slide 7: Acknowledgements

- Professor Insup Lee
- Department of Computer and Information Science
- University of Pennsylvania

Slide 8: Why do we need firewalls?

Slide 9

Slide 10

Slide 11: BEFORE / AFTER (your results may vary)

Slide 12: What is a firewall?

- Two goals:
  - To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
  - To erect a barrier between an untrusted piece of software, your organization's public Web server, and the sensitive information that resides on your private network.
- Basic idea:
  - Impose a specifically configured gateway machine between the outside world and the site's inner network.
  - All traffic must first go to the gateway, where software decides whether to allow or reject it.

Slide 13: What is a firewall

- A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.
- The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

Slide 14: Firewalls DO

- Implement security policies at a single point
- Monitor security-related events (audit, log)
- Provide strong authentication
- Allow virtual private networks
- Have a specially hardened/secured operating system

Slide 15: Firewalls DON'T

- Protect against attacks that bypass the firewall
  - Dial-out from internal host to an ISP
- Protect against internal threats
  - disgruntled employee
  - Insider cooperates with an external attacker
- Protect against the transfer of virus-infected programs or files

Slide 16: Types of Firewalls

- Packet-Filtering Router
- Application-Level Gateway
- Circuit-Level Gateway
- Hybrid Firewalls

Slide 17: Packet Filtering Routers

- Forward or discard IP packets according to a set of rules
- Filtering rules are based on fields in the IP and transport headers

Slide 18: What information is used for the filtering decision?

- Source IP address (IP header)
- Destination IP address (IP header)
- Protocol type
- Source port (TCP or UDP header)
- Destination port (TCP or UDP header)
- ACK bit

Slide 19: Web Access Through a Packet Filter Firewall [Stein]

Slide 20: Packet Filtering Routers pros and cons

- Advantages:
  - Simple
  - Low cost
  - Transparent to user
- Disadvantages:
  - Hard to configure filtering rules
  - Hard to test filtering rules
  - Don't hide network topology (due to transparency)
  - May not be able to provide enough control over traffic
  - Throughput of a router decreases as the number of filters increases

Slide 21: Application Level Gateways (Proxy Server)

Slide 22: A Telnet Proxy

Slide 23: A sample telnet session

Slide 24: Application Level Gateways (Proxy Server)

- Advantages:
  - Complete control over each service (FTP/HTTP, ...)
  - Complete control over which services are permitted
  - Strong user authentication (smart cards etc.)
  - Easy to log and audit at the application level
  - Filtering rules are easy to configure and test
- Disadvantages:
  - A separate proxy must be installed for each application-level service
  - Not transparent to users

Slide 25: Circuit Level Gateways

Slide 26: Circuit Level Gateways (2)

- Often used for outgoing connections where the system administrator trusts the internal users
- The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections

Slide 27: Hybrid Firewalls

- In practice, many of today's commercial firewalls use a combination of these techniques.
- Examples:
  - A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
  - Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.

Slide 28: Firewall Configurations

- Bastion host
  - a system identified by the firewall administrator as a critical strong point in the network's security
  - typically serves as a platform for an application-level or circuit-level gateway
  - extra secure O/S, tougher to break into
- Dual homed gateway
  - Two network interface cards: one to the outer network and the other to the inner
  - A proxy selectively forwards packets
- Screened host firewall system
  - Uses a network router to forward all traffic from the outer and inner networks to the gateway machine
- Screened-subnet firewall system

Slide 29: Dual-homed gateway

Slide 30: Screened-host gateway

Slide 31: Screened Host Firewall

Slide 32: Screened Subnet Firewall

Slide 33: Screened subnet gateway

Slide 34: Selecting a firewall system

- Operating system
- Protocols handled
- Filter types
- Logging
- Administration
- Simplicity
- Tunneling

Slide 35: Commercial Firewall Systems

Slide 36: Widely used commercial firewalls

- AltaVista
- BorderWare (Secure Computing Corporation)
- CyberGuard Firewall (CyberGuard Corporation)
- Eagle (Raptor Systems)
- Firewall-1 (Checkpoint Software Technologies)
- Gauntlet (Trusted Information Systems)
- ON Guard (ON Technology Corporation)

Slide 37: Firewall's security policy

- Embodied in the filters that allow or deny passage to network traffic
- Filters are implemented as proxy programs.
  - Application-level proxies
    - one for a particular communication protocol, e.g., HTTP, FTP, SM
    - Can also filter based on IP addresses
  - Circuit-level proxies
    - Lower-level, general purpose programs that treat packets as black boxes to be forwarded or not
    - Only look at header information
    - Advantages: speed and generality
    - One proxy can handle many protocols

Slide 38: Configure a Firewall (1)

- Outgoing Web Access
  - Outgoing connections through a packet filter firewall
  - Outgoing connections through an application-level proxy
  - Outgoing connections through a circuit proxy

Slide 39: Firewall Proxy

Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]

Slide 40: Configure a Firewall (2)

- Incoming Web Access
  - The "Judas" server
  - The "Sacrificial Lamb"
  - The "Private Affair" server
  - The doubly fortified server

Slide 41: The "Judas" Server (not recommended) [Stein]

Slide 42: The "sacrificial lamb" [Stein]

Slide 43: The "private affair" server [Stein]

Slide 44: Internal Firewall

An internal firewall protects the Web server from insider threats. [Stein]

Slide 45: Placing the sacrificial lamb in the demilitarized zone. [Stein]

Slide 46: Poking holes in the firewall

- If you need to support a public Web server, but have no place to put it other than inside the firewall.
- Problem: if the server is compromised, then you are cooked.

Slide 47: Simplified Screened-Host Firewall Filter Rules [Stein]

Slide 48: Filter Rule Exceptions for Incoming Web Services [Stein]

Slide 49: Screened subnetwork

Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]

Slide 50: Filter Rules for a Screened Public Web Server [Stein]