Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall.

Published byVanessa Dickerson Modified over 6 years ago

Similar presentations

Presentation on theme: "Firewall."— Presentation transcript:

1 Firewall

2 Introduction Forms a barrier through which the traffic going in each direction must pass Security policy dictates which traffic is authorized to pass in each direction Designed to operate as a filter at the level of IP packets

3 Trusted System is a computer or OS that can be verified to implement a given security policy
Policy is implemented that dictates what objects may be accessed by what subjects Firewall can be an effective means of protecting a local system or network of systems

4 Design Principles Centralized data processing system, with a central mainframe supporting a number of directly connected terminals Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two

5 Design Principles Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN) Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN

6 Internet connectivity is no longer optional for organizations.
Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets. This creates a threat to the organization.

7 The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and audit can be imposed. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.

8 Characteristics All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.

9 Characteristics The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system.

10 General Techniques that firewalls use to control access
Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.

11 General Techniques that firewalls use to control access
Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.

12 General Techniques that firewalls use to control access
User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec.

13 General Techniques that firewalls use to control access
Behavior control: Controls how particular services are used. For example, the firewall may filter to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

14 Scope of Firewall A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.

15 Scope of Firewall A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system. A firewall can serve as the platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.

16 Limitations of Firewall
The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.

17 Limitations of Firewall
The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, , and messages for viruses.

18 Types of Firewalls Packet Filters Application level Gateways
Circuit-level Gateways

19 Packet Filtering Firewall

20 Application – level Gateway

21 Circuit Level Gateway

22 Packet Filtering Router
Applies a set of rules to each incoming and outgoing IP packets Forwards or discards the packet Filter packets going in both directions Filtering rules based on the information contained in the packet Source IP address, Destination IP address, Source and Destination transport level address, IP protocol field, Interface

23 Two default policies are possible
Default = discard Default = forward Initially everything is blocked Services must be added case-by-case basis Security administrator must react each to each new security threat as it becomes known

24

25

26

27 Advantages Simplicity Transparent to users Very fast

28 Weakness Do not examine upper layer data
Cannot prevent attacks that employ application-specific vulnerabilities or functions Because of limited information available to the firewall, the logging functionality present in packet filtering firewalls is limited. Most packet filter firewall do not support advanced user authentication schemes

29 Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations

30 Attacks made in packet filtering firewalls
IP address spoofing Source routing attacks Tiny fragments attacks

31 Stateful Inspection Firewalls
A traditional packet filter makes filtering decisions on an individual packet basis does not take into consideration any higher layer context.

32 In general, when an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and The numbers less than 1024 are the "well-known" port numbers and are assigned permanently to particular applications (e.g., 25 for server SMTP). The numbers between 1024 and are generated dynamically and have temporary significance only for the lifetime of a TCP connection.

33 A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.

34

35 Application-Level Gateway
Called a proxy server Acts as a relay of application-level traffic User contacts the gateway using a TCP/IP application, such as Telnet or FTP Gateway asks the user for the name of the remote host to be accessed More secure than packet filtering firewall

36 Application – level Gateway

37 Disadvantage Additional overhead

38 Circuit Level Gateway can be a stand-alone system or it can be a specialized function performed by an application-level gateway A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

39 Gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed system administrator trusts the internal users The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections.

40 Bastion Host A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. serves as a platform for an application-level or circuit-level gateway

41 Characteristics The bastion host hardware platform executes a secure version of its operating system, making it a trusted system. Only the services that the network administrator considers essential are installed on the bastion host DNS, Telnet, FTP, SMTP and User authentication Additional authentication is required before a user is allowed access to the proxy services.

42 Characteristics Each proxy is configured to support only a subset of the standard application's command set. Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection. The audit log is an essential tool for discovering and terminating intruder attacks.

43 Characteristics Each proxy module is a very small software package specifically designed for network security. Each proxy is independent of other proxies on the bastion host. If there is a problem with the operation of any proxy, or if a future vulnerability is discovered, it can be uninstalled without affecting the operation of the other proxy applications.

44 Characteristics A proxy generally performs no disk access other than to read its initial configuration file. makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host. Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.

45 Firewall Configurations
Apart from simple configuration, three common firewall configurations are allowed Screened host firewall, Single-homed bastion Screened host firewall, dual homed bastion Screened subnet firewall

46 Screened host firewall, single homed bastion
firewall consists of two systems: a packet-filtering router and a bastion host Router is configured For traffic from the Internet, only IP packets destined for the bastion host are allowed in. For traffic from the internal network, only IP packets from the bastion host are allowed out.

47 Higher security than others
Bastion host Performances authentication and proxy functions Higher security than others Affords flexibility in providing direct Internet Access The packet filtering firewall is completely compromised, traffic flow directly through the router between the Internet and other hosts

48

Download ppt "Firewall."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system.

FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

Similar presentations

Ads by Google