Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls firewall Isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public.

Published byWinfred McCarthy Modified over 6 years ago

Similar presentations

Presentation on theme: "Firewalls firewall Isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public."— Presentation transcript:

1 Firewalls firewall Isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public Internet firewall Network Security

2 Firewalls: Why Prevent denial of service attacks:
Denial-of-Service (DoS) attack: Send many fake requests to congest link or consume server resource (CPU, memory) SYN flooding: attacker sends many SYNs to victim; victim has to allocate connection resource; victim has no resource left for real connection requests any more. Usually with spoofed source IP address Prevent illegal modification/access of internal data. e.g., attacker replaces CIA’s homepage with something else Network Security

3 Firewalls: Why Allow only authorized access to inside network
Set of authenticated users Set of authorized IP addresses Two types of firewalls: application-level Checking application level data packet-filtering Checking TCP or IP packets only Network Security

4 Should arriving packet be allowed in? Departing packet let out?
Packet Filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Network Security

5 (control panelsecurity centerwindows firewall)
Packet Filtering Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. Example 2: Block inbound TCP segments with SYN=1. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Example of Windows XP service pack 2 firewall (control panelsecurity centerwindows firewall) Network Security

6 Stateless packet filtering: more examples
Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80, 443 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except , port 80,443 Prevent Web-radios (UDP based) from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (eg ). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Network Security

7 A Real Example: Lab setup when I was a PhD student
DMZ Gateway: a cheap Linux machine runs Iptables Web server: Linux machine runs Apache web server Main server: Linux machine runs SSH, Sendmail (SMTP and IMAPS) Allow a specific machine outside to print to main server’s printer Network Security

8 Traffic Allowance Policy:
DMZ Traffic Allowance Policy: (1). Internet ==> LAN    To Main Server: SSH, SMTP,IMAP+SSL, LPD request from a trusted IP. (2). Internet ==> DMZ Web Server SSH, Web request. (3). Internet ==> Gateway ----    SSH only (for admin) (4). DMZ Web Server==> LAN, Internet     SSH to Internet and only to Main Server in LAN; DNS request; WWW/FTP request to Internet. (5). LAN ==> Internet, DMZ WebServer SSH, DNS, WWW/FTP, SMTP, RealPlay. Network Security

9 HTTP forwarding from Internet to DMZ web server (port 80)
iptables -t nat -A PREROUTING -p tcp --sport $UNPRIVPORTS -d $out.IP --dport 80 -j DNAT --to-destination $DMZ_SERVER iptables -A FORWARD -o $eth2 -p tcp --sport $UNPRIVPORTS -d $DMZ_SERVER --dport 80 -m state --state NEW -j ACCEPT SMTP from internal mail server to external Mail Server iptables -A FORWARD -i $eth1 -o $eth0 -p tcp -s $LAN_MAINSERVER --sport $UNPRIVPORTS --dport 25 -m state --state NEW -j ACCEPT Allow Telnet to outside from LAN iptables -A FORWARD -i $LAN_IF -o $EXT_IF -p tcp --sport $UNPRIVPORTS --dport 23 -m state --state NEW -j ACCEPT Network Security

10 Application gateways gateway-to-remote host telnet session host-to-gateway telnet session Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to telnet outside. application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. Example: block user access to know porn websites Check if the Web URL is in a “black-list” Network Security

11 Limitations of firewalls and gateways
IP spoofing: router can’t know if data “really” comes from claimed source SYN flood attack UDP traffic client software must know how to contact application gateway. e.g., must set IP address of proxy in Web browser Speed constraint on high-bandwidth link Application-level firewall is time consuming filters often use all or nothing policy for UDP Usually most incoming UDP ports are blocked The trouble caused to real-time Internet video Network Security

12 Limitations of firewalls and gateways
tradeoff: degree of communication with outside world, level of security Trend --- remote office Blurred boundary between inside <-> outside Employee laptop threat many highly protected sites still suffer from attacks Network Security

13 Internet security threats
Mapping: before attacking: “case the joint” – find out what services are implemented on network Use ping to determine what hosts have addresses on network Port-scanning: try to establish TCP connection to each port in sequence (see what happens) nmap ( mapper: “network exploration and security auditing” Countermeasures? Network Security

14 Internet security threats
Mapping: countermeasures record traffic entering network look for suspicious activity (IP addresses, pots being scanned sequentially) Firewall to block incoming TCP/SYN to ports or computers not providing the services Block ping traffic Network Security

15 Internet security threats
Packet sniffing: broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets A C src:B dest:A payload B Countermeasures? Network Security

16 Internet security threats
Packet sniffing: countermeasures all hosts in orgnization run software that checks periodically if host interface in promiscuous mode. one host per segment of broadcast media (switched Ethernet at hub) A C src:B dest:A payload B Network Security

17 Internet security threats
IP Spoofing: can generate “raw” IP packets directly from application, putting any value into IP source address field receiver can’t tell if source is spoofed e.g.: C pretends to be B A C src:B dest:A payload B Countermeasures? Network Security

18 Internet security threats
IP Spoofing: egress filtering routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network) great, but egress filtering can not be mandated for all networks A C src:B dest:A payload B Network Security

19 Internet security threats
Denial of service (DOS): flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., C and remote host SYN-attack A A C SYN SYN SYN SYN SYN B SYN Countermeasures? SYN Network Security

20 Internet security threats
Denial of service (DOS): countermeasures filter out flooded packets (e.g., SYN) before reaaching host Cooperation with source routers Detect spoofed SYN based on TTL values traceback to source of floods (most likely an innocent, compromised machine) A C SYN SYN SYN SYN SYN B SYN SYN Network Security

21 Pretty good privacy (PGP)
Internet encryption scheme, de-facto standard. uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. provides secrecy, sender authentication, integrity. inventor, Phil Zimmerman, was target of 3-year federal investigation. A PGP signed message: ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight.Passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- Network Security

22 Secure sockets layer (SSL)
provides transport layer security to any TCP-based application using SSL services. e.g., between Web browsers, servers for e-commerce (shttp) security services: server authentication, data encryption, client authentication (optional) Application Application SSL sublayer SSL socket TCP TCP TCP socket IP IP TCP API TCP enhanced with SSL Network Security

23 Secure sockets layer (SSL)
server authentication: SSL-enabled browser includes public keys for trusted CAs. Browser requests server certificate, issued by trusted CA. Browser uses CA’s public key to extract server’s public key from certificate. check your browser’s security menu to see its trusted CAs. transport layer security to any TCP-based app using SSL services. used between Web browsers, servers for e-commerce (shttp). security services: server authentication data encryption client authentication (optional) Network Security

24 SSL (continued) Encrypted SSL session:
Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server. Using private key, server decrypts session key. Browser, server know session key All data sent into TCP socket (by client or server) encrypted with session key. SSL: basis of IETF Transport Layer Security (TLS). SSL can be used for non-Web applications, e.g., IMAP. Client authentication can be done with client certificates. Not widely used since too many clients Network Security

25 SSL: three phases 1. Handshake:
TCP SYN 1. Handshake: Bob establishes TCP connection to Alice authenticates Alice via CA signed certificate creates, encrypts (using Alice’s public key), sends master secret key to Alice nonce exchange not shown TCP SYNACK TCP ACK SSL hello certificate create Master Secret (MS) KA+(MS) decrypt using KA- to get MS Network Security

26 SSL: three phases 2. Key Derivation:
Alice, Bob use shared secret (MS) to generate 4 keys: EB: Bob->Alice data encryption key EA: Alice->Bob data encryption key MB: Bob->Alice MAC key (message authentication code) MA: Alice->Bob MAC key encryption and MAC algorithms negotiable between Bob, Alice why 4 keys? Different keys by each person Different keys for encryption and integrity checking Network Security

27 . . SSL: three phases 3. Data transfer TCP byte stream MB
b1b2b3 … bn d MB block n bytes together H( ) . compute MAC EB d H(d) H( ) . encrypt d, MAC, SSL seq. # (why ssl#?) SSL seq. # d H(d) SSL record format Type Ver Len d H(d) unencrypted encrypted using EB Network Security

28 IPsec: Network Layer Security
network-layer secrecy: sending host encrypts the data in IP datagram TCP and UDP segments; ICMP and SNMP messages. network-layer authentication destination host can authenticate source IP address two principal protocols: authentication header (AH) protocol encapsulation security payload (ESP) protocol for both AH and ESP, source, destination handshake: create network-layer logical channel called a security association (SA) each SA unidirectional. uniquely determined by: security protocol (AH or ESP) source IP address 32-bit connection ID Network Security

29 Authentication Header (AH) Protocol
provides source authentication, data integrity, no confidentiality AH header inserted between IP header, data field. protocol field: 51 intermediate routers process datagrams as usual AH header includes: connection identifier authentication data: source- signed message digest calculated over original IP datagram. next header field: specifies type of data (e.g., TCP, UDP, ICMP) IP header data (e.g., TCP, UDP segment) AH header Network Security

30 IEEE 802.11 security Packet sniffing is unavoidable
War-driving: drive around Bay area, see what networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy! Wired Equivalent Privacy (WEP): authentication as in protocol ap4.0 (require shared symmetric key) host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host Network Security

31 IEEE 802.11 security Wired Equivalent Privacy (WEP): data encryption
Host/AP share 40 bit symmetric key (semi-permanent) Host appends 24-bit initialization vector (IV) to create 64-bit key IV is equivalent to a “nonce” 64 bit key used to generate stream of keys, kiIV (using RC4 stream cipher) kiIV used to encrypt i-th byte, di, in frame: ci = di XOR kiIV IV and encrypted bytes, ci sent in frame Network Security

32 Sender-side WEP encryption
Network Security

33 802.11 WEP Security Concern 40 bits in encryption is too short
RC4 is not properly used in A more secure protocol is standard i Network Security

34 Breaking 802.11 WEP encryption
security hole: 24-bit IV, one IV per frame, -> IV’s eventually reused IV transmitted in plaintext -> IV reuse detected attack: Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 … Trudy sees: ci = di XOR kiIV Trudy knows ci di, so can compute kiIV Trudy knows encrypting key sequence k1IV k2IV k3IV … Next time IV is used, Trudy can decrypt! Network Security

35 Network Security (summary)
Basic techniques…... cryptography (symmetric and public) authentication message integrity key distribution …. used in many different security scenarios secure secure transport (SSL) IP sec security Network Security

Download ppt "Firewalls firewall Isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public."

Similar presentations

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.

Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder

Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Lecture 25 Secure Communications CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose & Keith Ross and Dave Hollinger.

Lecture 25 Secure Communications CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose & Keith Ross and Dave Hollinger.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.

Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall.

Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall.
Network Security7-1 Today r Collect Ch6 HW r Assign Ch7 HW m Ch7 #2,3,4,5,7,9,10,12 m Due Wednesday Nov 19 r Continue with Chapter 7 (Security)

Network Security7-1 Today r Collect Ch6 HW r Assign Ch7 HW m Ch7 #2,3,4,5,7,9,10,12 m Due Wednesday Nov 19 r Continue with Chapter 7 (Security)
Secure connections.

Secure connections.
Network Security. Information secrecy-only specified parties know the information exchanged. Provided by criptography. Information integrity-the information.

Network Security. Information secrecy-only specified parties know the information exchanged. Provided by criptography. Information integrity-the information.
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

Similar presentations

Ads by Google