Firewalls and Info Services (presentation transcript)


1 Firewalls and Info Services
Prevent unauthorized access between nets.
Most of the protection is based on examination of the IP packets.
There is always a tradeoff between security and ease of use.
[Diagram: PROTECT, outside / inside]

2 Primary Types of Firewalls
[Diagram: Dual-Homed Gateway: Internet - bastion host - Inner Network]
[Diagram: Screened Host Gateway: Internet - router - screened host - Inner Network]

3 ftp proxy
Any data wanting to pass through to/from the bastion host should be required to pass through a PROXY agent.
Proxy software can be configured to use encryption.
Clients may need to be replaced with proxy clients.
[Diagram: Dual-Homed Gateway, Internet - bastion host - Inner Network: an ftp request passes through the proxy agent; a telnet request with no agent is blocked (X)]

4 Screened Host
The only data allowed through is data for the screened host.
The router can allow holes to certain hosts on the inner net.
The router uses IP addresses and port numbers to control the flow of data.
[Diagram: Screened Host Gateway, Internet - router - screened host - Inner Network: the router passes traffic for the screened host through; traffic for other inner-network nodes is not allowed (X)]

5 Some Risks
Once you allow holes in the router, the nodes to which you allow "extra" access increase your ZONE OF RISK.
Those machines need to be as secure as your screened/bastion host, or they become your weak link.
The larger the program, the more susceptible it is to errors and security leaks.
– Browsers are good examples of large programs.

6 Two Other Types of Firewalls
[Diagram: Screening Router: Internet, router, bastion host, Inner Network]
[Diagram: Router-only Gateway: Internet - router - Inner Network]

7 Planning Steps
Know the details of how client-server connections are made.
Determine the physical location of equipment.
Decide who gets access in either direction.
– A screening router decides on the basis of IP/port, not user.
Determine a strategy for logging activity.
– What to write
– How to monitor
– Under what conditions you take specific actions
Must develop a failure plan in case the firewall breaks.
Develop a thorough testing procedure.

8 Software for Firewall Support: CERN WEB server
Proxy mode to handle requests for internal clients.
Handles http AND OTHER PROTOCOLS.
– Browser clients usually handle other protocols, NOT servers.
Requires the client to be configurable to use proxy mode. Not sure how common this is in clients (p.504 of text).
  setenv http_proxy "http://web.bastion.host:80/"
  setenv ftp_proxy "http://web.bastion.host:80/"
What if the client doesn't go through the WEB server?
– The bastion serves as a router of sorts and doesn't let any other data through.
– The router will deny passage if the request does not go through the screened host.
Has caching features, so only one copy is needed for the entire inner net.

9 Software for Firewall Support: SOCKS
Freeware running on the bastion host.
Presumably configures the bastion to do filtering of data passing through.
SOCKS is a proxy server dealing with TCP streams, not client dependent.
The specific client must be written to be SOCKSified.
SOCKSified versions are available for PCs and unix environments.
Check it out at ftp.nec.com

10 Software for Firewall Support: Firewall Toolkit
tn-gw, ftp-gw, plug-gw (socket to socket)
Does NOT require a special client, but the client must RUN the program differently. Instead of:
  telnet remotehost
you must:
  tn-gw
  tn-gw> connect remotehost
OTHER FEATURES
– "netacl" can be used with inetd.conf to check server requests against an access list first.
– A scaled-down ftp to allow anonymous ftp to the bastion and to proxy other requests.

11 Where does the server go? WWW
Dual homed gateway
– Outside the firewall
  » may be difficult to connect at service entry
  » sacrificial lamb
– On the bastion host
  » software is available
  » if the server is cracked, the whole inner net is vulnerable
– Behind the firewall
  » internal access is easy / external access is difficult
  » needs a SOCKSified browser
– One inside and one outside
  » inside: company confidential
  » outside: public info

12 Where does the server go? WWW
Screened host
– Outside the firewall (as before)
– On the screened host segment
  » the router only sends outside requests to a SPECIFIC port on the server
– On the screened host itself
  » it controls too much access in and out
With a screened subnet (preferred)
– On the screened subnet
  » the SECOND ROUTER ONLY ALLOWS ACCESS FROM THE server/port TO THE INSIDE
  » if the server is cracked, the attacker still can't get inside past the second router

13 Where does the server go? FTP
Connections are initiated from both directions.
[Diagram: timeline of CLIENT and SERVER across the NET]
– the client connects to port 21 (command channel) and sends get "file"
– the server connects from port 20 (data channel) back to the client

14 Where does the server go? FTP
Dual Homed Gateway
– Possible to have your service provider handle it
  » the ftp clients would require the provider agent to proxy ftp
– Suggest putting it on the bastion host
  » ftp to a chroot()ed area of the disk
  » run the daemon as a non-privileged user
Screened host
– Preferred to be inside... preferred with a screened subnet
– run the ftp server in proxy mode
– if possible, run clients in proxy (PASV) mode so the client creates both ends of the connection
– the router allows IN->OUT but not OUT->IN: no inward server connections
– for the ftp server, the router allows incoming connections on 21 and outgoing connections from 20
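The slides state the rule ("client creates both ends" in PASV mode, otherwise the server calls back from port 20) without showing how to tell which case you are in. The following is an added example, not code from the slides: it decodes the two control-channel lines that set up the data channel, the client's PORT command (active mode) and the server's 227 reply (PASV mode), and derives which side connects and whether the router would have to permit an OUT->IN connection. The inner network prefix, the addresses and the control-channel lines are constructed assumptions.

```python
"""Who opens the FTP data channel, and what the screening router must allow.

Added example, not from the slides. Addresses, ports, the inside prefix and the
control-channel lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FTP_CTRL_PORT = 21
FTP_DATA_PORT = 20
INSIDE = ipaddress.ip_network("10.1.0.0/16")  # assumed inner network

# h1,h2,h3,h4,p1,p2 is the address form used by both PORT and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    initiator: str                   # "server" (active mode) or "client" (PASV)
    src: Tuple[str, Optional[int]]   # side that connects; None = ephemeral port
    dst: Tuple[str, int]             # side that listens


def _decode_hostport(groups) -> Tuple[str, int]:
    nums = [int(x) for x in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {groups}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_channel_for(client_ip: str, server_ip: str, ctrl_line: str) -> DataChannel:
    """Derive the data channel that one control-channel line sets up."""
    line = ctrl_line.strip()
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    ip, port = _decode_hostport(m.groups())
    if line.upper().startswith("PORT "):
        # Active mode: the server calls back FROM port 20 TO the port the client named.
        if ip != client_ip:
            # A PORT naming a third host is the FTP bounce trick; refuse it.
            raise ValueError(f"PORT names {ip}, not the client {client_ip}")
        return DataChannel("server", (server_ip, FTP_DATA_PORT), (client_ip, port))
    if line.startswith("227"):
        # Passive mode: the client connects, same direction as the control channel.
        if ip != server_ip:
            raise ValueError(f"227 names {ip}, not the server {server_ip}")
        return DataChannel("client", (client_ip, None), (server_ip, port))
    raise ValueError(f"not a PORT command or a 227 reply: {line!r}")


def router_requirement(ch: DataChannel) -> str:
    """'IN->OUT' if an inside host initiates, 'OUT->IN' if an outsider must be let in."""
    src_inside = ipaddress.ip_address(ch.src[0]) in INSIDE
    dst_inside = ipaddress.ip_address(ch.dst[0]) in INSIDE
    if src_inside and not dst_inside:
        return "IN->OUT"
    if dst_inside and not src_inside:
        return "OUT->IN"
    return "LOCAL"


if __name__ == "__main__":
    client, server = "10.1.2.3", "198.51.100.7"   # inside client, outside server
    for line in ("PORT 10,1,2,3,192,1",
                 "227 Entering Passive Mode (198,51,100,7,195,80)"):
        ch = data_channel_for(client, server, line)
        print(f"{line!r}: {ch.initiator} connects {ch.src} -> {ch.dst}; "
              f"router must allow {router_requirement(ch)}")
```

For an inside client talking to an outside server, the PORT line yields a server-initiated connection from port 20 to the inside, which a router that only permits IN->OUT connections will drop; the 227 line yields a client-initiated connection, which is why the slide asks for clients in PASV mode.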

15 Safeguards for internal servers
Strip inner-network privileges
– hosts.equiv and .rhosts
Internal machines should NOT trust the server.
Strip the server of networking clients
– telnet, ftp, rlogin, rsh, etc.
NFS & NIS should be disabled.
The kernel should not route IP packets.
Disable all services in inetd.conf which do not support the service.
USED IN CONJUNCTION WITH A SCREENED SUBNET, THESE DO THE BEST JOB
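Two of these safeguards (disable every inetd service the box does not need; strip hosts.equiv and .rhosts trust) can be checked mechanically. The following is an added example, not from the slides: it parses the classic inetd.conf line format (service, socket type, protocol, wait/nowait, user, program, args), lists every enabled service outside an allow-list, writes a hardened copy with those lines commented out, and flags trust entries in a hosts.equiv or .rhosts file. The file contents are constructed samples, and the allow-list of just "ftp" is an assumption for a server whose only job is ftp.

```python
"""Audit an internal server's inetd.conf and rhosts-style trust files.

Added example, not from the slides. SAMPLE_INETD_CONF and SAMPLE_HOSTS_EQUIV are
constructed; the allow-list passed by the caller is that server's policy.
"""
from typing import Dict, List, Set

# Constructed sample: a default install enables far more than an ftp server needs.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/libexec/ftpd      ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd   telnetd
#shell  stream  tcp  nowait  root    /usr/libexec/rshd      rshd
login   stream  tcp  nowait  root    /usr/libexec/rlogind   rlogind
finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd   fingerd
tftp    dgram   udp  wait    nobody  /usr/libexec/tftpd     tftpd /tftpboot
"""

# Constructed sample: the '+' entry trusts every host that can reach the server.
SAMPLE_HOSTS_EQUIV = """\
# hosts.equiv (constructed sample)
+
inner1.example.com
"""


def enabled_services(inetd_conf: str) -> Dict[str, str]:
    """Map each active (uncommented) service name to the program inetd would run."""
    services: Dict[str, str] = {}
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd itself would reject it
        services[fields[0]] = fields[5]
    return services


def unneeded_services(inetd_conf: str, allowed: Set[str]) -> List[str]:
    """Enabled services that do not support the server's one job."""
    return sorted(s for s in enabled_services(inetd_conf) if s not in allowed)


def harden_inetd(inetd_conf: str, allowed: Set[str]) -> str:
    """Return a copy of inetd.conf with every service outside the allow-list commented out."""
    out = []
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] not in allowed:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def trust_grants(hosts_equiv: str) -> List[str]:
    """Non-comment entries of hosts.equiv / .rhosts; a bare '+' trusts every host."""
    grants = []
    for raw in hosts_equiv.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            grants.append("+ (ALL HOSTS)" if line.split()[0] == "+" else line)
    return grants


if __name__ == "__main__":
    allowed = {"ftp"}  # assumption: this machine exists only to serve ftp
    print("unneeded services:", unneeded_services(SAMPLE_INETD_CONF, allowed))
    print("trust grants     :", trust_grants(SAMPLE_HOSTS_EQUIV))
    print(harden_inetd(SAMPLE_INETD_CONF, allowed))
```

The hardened file keeps only the ftp line active; the slide's remaining items (no networking clients on the box, NFS/NIS off, kernel not forwarding IP) are configuration outside inetd and are not covered here.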

16 Other things to do for Protection
Leave traps for attackers
– If hackers gain access to your server, they will try to access other machines with clients like telnet, rsh, etc.
– Change the client to look like it has errors, and use it to mail the sys admin that a problem exists
  » error messages and delays to occupy the attacker
Periodically run software to verify the integrity of your system.
– Store files with cryptographic signatures
– Files which are public relations (or more) for your business should be protected.
– This way you verify no one has misrepresented you.
Run servers in a chroot()ed area
– Should do this anyway
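The periodic integrity check above, as an added example that is not code from the slides: it records a keyed HMAC-SHA256 digest of every file under a root into a manifest, keyed with a secret that is kept off the server so that an intruder who can rewrite the pages cannot also rewrite the manifest to match, and on the next run reports what was modified, added or removed. The document tree, the key and the simulated defacement are all constructed inside a temporary directory.

```python
"""Tripwire-style integrity verification with a keyed manifest.

Added example, not from the slides. The key, the files and the tampering in
demo() are constructed; in use the key and the saved manifest live off the server
(read-only media or another host).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file's contents, streamed so large files need no memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root: Path, key: bytes) -> Dict[str, str]:
    """Relative path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, key: bytes, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against a stored manifest; empty lists mean a clean check."""
    current = build_manifest(root, key)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and not hmac.compare_digest(current[k], manifest[k])),
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
    }


def demo():
    """Build a tiny document tree, snapshot it, simulate an intrusion, re-check."""
    key = b"constructed-demo-key; the real one never lives on the server"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "htdocs").mkdir()
        (root / "etc").mkdir()
        (root / "htdocs" / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "htdocs" / "press.html").write_text("<p>Q3 results on schedule.</p>\n")
        (root / "etc" / "ftpusers").write_text("root\n")

        saved = json.dumps(build_manifest(root, key))   # what you would store off-host
        clean = verify(root, key, json.loads(saved))

        # Simulated intrusion: deface a public page, drop a file, remove a lockout list.
        (root / "htdocs" / "press.html").write_text("<p>Q3 results delayed.</p>\n")
        (root / "htdocs" / ".x").write_text("")
        (root / "etc" / "ftpusers").unlink()
        tampered = verify(root, key, json.loads(saved))
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean check   :", before)
    print("after intrusion:", after)
```

A plain hash manifest would also detect the changes, but an intruder with write access to the server could regenerate it; the keyed digest makes the manifest useless to forge without the off-host key, which is the point of "store files with signatures" on the slide.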

17 Helping clients access through the firewall: TELNET
Always on port 23.
Screened host
– an access list in the router can typically be configured to allow outgoing connections on port 23
Dual Homed
– use a proxy
– use SOCKS
– use the firewall toolkit

18 Helping clients access through the firewall: ARCHIE
Interesting because it uses UDP, not TCP.
– The routers decide which connections are acceptable by looking at the CONNECT sequence.
– UDP does no connections, so there is no connect sequence against which to judge the data (you don't know who started it).
So how do you know whether your archie server is ok?
Special solution: there are only a limited number (about 20) of Archie servers on the net. Set the router to accept from any of them.
DH Gateway: use a proxy
– must also proxy ftp, since archie uses ftp
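Slides 4, 5, 14 and 18 together describe one screening-router policy: only the screened host is reachable from outside, each extra hole enlarges the zone of risk, an inside ftp server needs port 21 inward and opens port 20 outward, inside clients may initiate connections outward, and UDP has no connect sequence so archie traffic can only be admitted by server address. The following is an added example, not from the slides, that expresses that policy as a stateless evaluator. The rule language, the inside prefix, the host addresses, the interface names and the stand-in archie server list are this example's own assumptions, not any router's syntax.

```python
"""A screening-router policy as a stateless packet evaluator.

Added example, not from the slides. INSIDE, SCREENED_HOST, HOLES and
ARCHIE_SERVERS are constructed values; "ext"/"int" interface names are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

INSIDE = ipaddress.ip_network("10.1.0.0/16")
SCREENED_HOST = "10.1.0.2"
HOLES: Set[Tuple[str, int]] = {("10.1.0.3", 21)}           # inside ftp server's command port
ARCHIE_SERVERS: Set[str] = {"192.0.2.10", "192.0.2.11"}    # stand-ins for the ~20 real servers


@dataclass(frozen=True)
class Packet:
    iface: str        # "ext": arrived from the Internet; "int": arrived from the inner net
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def is_connect(p: Packet) -> bool:
    """The connect sequence opens with SYN and no ACK; that is all a stateless router can police."""
    return p.proto == "tcp" and p.syn and not p.ack


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (decision, rule name); first matching rule wins, default deny."""
    if p.iface == "ext" and inside(p.src):
        return "deny", "anti-spoof: inside address arriving from outside"
    if p.iface == "int" and not inside(p.src):
        return "deny", "anti-spoof: outside address arriving from inside"
    if inside(p.src) == inside(p.dst):
        return "deny", "not between inside and outside"
    if p.proto == "tcp" and not is_connect(p):
        # Mid-connection packets (ACK set) pass both ways; only connects are policed.
        return "allow", "established tcp"
    if p.proto == "tcp" and inside(p.src):
        return "allow", "inside-initiated connection"      # clients out, ftp server's port 20 out
    if p.proto == "tcp":
        if p.dst == SCREENED_HOST:
            return "allow", "connect to screened host"
        if (p.dst, p.dport) in HOLES:
            return "allow", f"hole to {p.dst}:{p.dport}"
        return "deny", "inward connection to unexposed inside host"
    if p.proto == "udp":
        outside_end = p.dst if inside(p.src) else p.src
        if outside_end in ARCHIE_SERVERS:
            return "allow", "archie server list"
        return "deny", "udp with no connect sequence to check"
    return "deny", "default"


def zone_of_risk() -> Set[str]:
    """Inside hosts an outsider can open a connection to; each must be hardened like the bastion."""
    return {SCREENED_HOST} | {host for host, _ in HOLES}


if __name__ == "__main__":
    samples = [
        Packet("ext", "tcp", "198.51.100.5", 40000, SCREENED_HOST, 80, syn=True),
        Packet("ext", "tcp", "198.51.100.5", 40000, "10.1.5.5", 22, syn=True),
        Packet("ext", "tcp", "198.51.100.7", 20, "10.1.2.3", 49153, syn=True),   # active ftp callback
        Packet("int", "tcp", "10.1.0.3", 20, "198.51.100.5", 40001, syn=True),   # ftp server data out
        Packet("ext", "udp", "192.0.2.10", 1525, "10.1.7.7", 5000),
        Packet("ext", "udp", "203.0.113.9", 1525, "10.1.7.7", 5000),
    ]
    for pkt in samples:
        print(pkt.proto, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, evaluate(pkt))
    print("zone of risk:", sorted(zone_of_risk()))
```

The "established tcp" rule is what the slide means by the router looking at the connect sequence: it admits anything with ACK set and judges only the SYN. That is also the weakness of a stateless screen, since nothing stops an outsider from sending ACK-flagged packets at an inside host; the screened subnet and host hardening on the earlier slides are what limit the damage.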

19 Helping clients access through the firewall: Web clients
Web clients must access lots of types of servers.
The easiest solution is to use the CERN web server and let it proxy for you.
Otherwise you must provide individual proxies.
Routers allowing messages from inside to out solve the problem for most... but not for ftp.

20 PCs
Screened hosts can use holes in the router...
Some ftps support PASV mode so that ftp can be used with a screened host.
For a Dual Homed Gateway, use SOCKS.
SOCKS is available for PC software.
DLLs are (being made) available for a SOCKSified version of winsock.dll.
