Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security."— Presentation transcript:

1 Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security

2 Before we start  Something Interesting I found about XEN  And something more: http://kerneltrap.org/OpenBSD/Virtualiz ation_Security http://kerneltrap.org/OpenBSD/Virtualiz ation_Security  A little bit on HW 2, problem 1 & 2 Not discussing problem 3 & 4 as they are fairly simple

3 What are we protecting  Data Private Data  Secret  Integrity  Availability  Resources Network resources Other computer resources  Reputation Your reputation

4 Means for Protection  Anti-Virus Why doesn’t it work?  Rather why is it ineffective  Firewall Does it suffer from same problems as above

5 What is a firewall  Is it just a wall that we are burning? No, I guess bad joke  Ok, it is a barrier between your computer and the outside world Rather protects the boundary of an intranet against the Internet  Computer networks are designed to exchange data  So why do we want to restrict data flow?

6 Ideal World  Everyone is good  No attacker  No one can compromise data  No one will try to steal data  No one will try to install backdoor  No one …. (basically a really good world)  Unfortunately, this can never exist

7 Working World  There are attackers  People will try and steal data  People will try opening ports on your machine for remote exploitation  Individual users are not smart enough to configure network connections So we need some service that can at least differentiate between good & bad connections In practice may not be the case

8 Firewall Outside Network Your Network

9 Tasks of a Firewall  Access control based on sender/receiver address or on addressed services  Hiding Internal network  Logging of traffic  Implements Packet Filter & Proxy server

10 7 Layered OSI  Application Layer Supports end – user processes, Telnet, FTP  Presentation Layer  Session Layer  Transport Layer Flow Control  Network Layer Switching, routing  Data Link Layer Data encoded and coded into bits  Physical Layer

11 Packet Filter  Analyzes network traffic and filters based on rules in layers 3 & 4 Typically can be Source / Dest Addr  If firewall is combined with a router, it is called screening router  Simple, Cheap

12 Packet Filter  Possible Principles Everything that is not explicitly allowed is denied Everything that is not explicitly denied is allowed

13 Example  Lame Example 1: Let your SMTP server be 149.169.0.1, and port be 40  Rule1 From (IP *), (port *) TO (149.169.0.1) (40) : DENY From (149.169.0.1), (40) TO (*) (*): Allow  Rules are applied in order listed

14 Proxy Server  Controls access to a service  Proxy is the only known computer to outside Internet  Access control can be done based on user identity, content, used protocol

15 Packet Filter vs Proxy Server  PF Simple, Cheap Correctly specifying filters is error prone If you re-order rules, then policy may change  Proxy User authentication possible Application Protocol control can be integrated Logging Circuit level proxies/Application level proxies  AL proxies more expensive, but versatile  Need one ALP for each application  Circuit level Proxies hide network info apart from providing packet filter functionalities

16 Firewall Generations  First – Packet Filter  Second – Stateful Filters  Third – Application Layer

17 First generation  Just checks for the individual packets Which means most filtering is done based on a strict set of rules  Lame example: Drop packets coming from a specific IP address The filter does not care whether the incoming/outgoing packet is part of an existing connection

18 2 nd Gen - Stateful Filters  Also called circuit level firewalls  Do not examine each packet  It maintains records of all connections passing through the firewall  Can determine whether a packet is part of an existing connection or a new connection  There are static rules that configure firewall behaviour

19 3 rd generation  Application layer firewall  it can "understand" certain applications and protocols  can detect whether an unwanted protocol is being sneaked through on a non-standard port  whether a protocol is being abused in a known harmful way.

20 Firewall Architectures  Single Box Architecture  Screened Host Architecture  Screened Subnet Architectures  Other Variations

21 Single Box Architecture  Screening Router  Dual Homed Host

22 Screening router Internet Screener PC 1 PC n Internal Network

23 Features  You can configure connections at one place  So the firewall is installed in the router  Can deny by port numbers/IP addr  Not flexible  Useful where network inside is considered secure

24 Dual-Homed Host Internet PC 1 PC n Internal Network eth0 eth1

25 Features  The protected network cannot directly communicate to the Internet  Applications should not be real time or business critical  Traffic to Internet is small  Users do not perform only Internet based jobs  Packet filter & Proxy server together

26 Bastion Host  special purpose computer on a network  specifically designed and configured to withstand attack  Contains very few applications proxy server services the requests of its clients by forwarding requests to other servers  Why? To reduce threats and vulnerabilities

27 Screened Host Architecture Internet Screener PC 1 PC n Internal Network Bastion Host

28 Features  Bastion Host provides proxy  Screening router provides packet filtering of incoming traffic

29 Personal Firewall  A software installed on a PC  Part of OS to protect user machines  Learning filter Annoying at times

30 Honeypot  Show a machine with weak security to outside world  Monitor all the attacks that it experiences

31 NAT - Network address translation  Technique for transmitting/receiving network traffic through a router Re-writing of source/destination addresses Re-writing of TCP port number  NAT is a popular way of dealing with IPv4 address shortage  NAT enables multiple hosts on a private network to use a single public IP address

32 NAT  A host typically uses 192.168.x.x  10.x.x.x  172.16-31.x.x  The router has a public address  Example  My router’s add 75-167-48-xxx  My PC address 192.168.1.100

33 NAT  When traffic moves from local network to Internet Router performs address change on source IP Router stores data about outgoing connection When reply returns to router, it uses stored data to forward packets to corresponding machine

34 Drawbacks  True end to end connectivity not there  Cannot participate in some network protocols  Services that require initiation from outside network cannot function

35 Benefits  NAT helps prevent many malicious attacks External network cannot initiate a connection  I wont receive any malicious data unless my machine initiated it  Can my machine initiate it?  Practical solution to exhaustion of IPv4 address

36 Can a firewall inside a computer be bypassed  Yes  It is just a service  A program can disable it Bagle Bagz  So it all boils down to Is my PC secure  I believe that this problem is not in P

37 A little refresher  Digital signature  Challenge Response – midterm  The mid term problem 1:

Download ppt "Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.

Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.

Similar presentations

Ads by Google