
1 CSCE 522 Firewalls

2 Readings
Pfleeger: 7.4
CSCE Farkas

3 Traffic Control – Firewall
Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it

4 Firewall
(diagram: Private Network | Firewall | External Network)
Security wall between the private (protected) network and the outside world

5 Firewall Objectives
Keep intruders, malicious code and unwanted traffic or information out
Keep proprietary and sensitive information in
(diagram labels: Private Network, External Network, Proprietary data, External attacks)

6 Without firewalls, nodes:
Are exposed to insecure services
Are exposed to probes and attacks from outside
Can be defenseless against new attacks
Network security relies totally on host security, and all hosts must communicate to achieve a high level of security – almost impossible

7 Common firewall features
Routing information about the private network can't be observed from outside
traceroute and ping -o can't “see” internal hosts
Users wishing to log on to an internal host must first log onto a firewall machine

8 Trade-Off between Accessibility and Security
(diagram: Service Access Policy balancing Accessibility against Security)

9 Firewall Advantages
Protection for vulnerable services
Controlled access to site systems
Concentrated security
Enhanced privacy
Logging and statistics on network use, misuse
Policy enforcement

10 Controlled Access
A site could prevent outside access to its hosts except for special cases (e.g., mail server).
Do not give access to a host that does not require access.
Some hosts can be reached from outside, some cannot.
Some hosts can reach outside, some cannot.

11 Concentrated Security
Firewall is less expensive than securing all hosts
All or most modified software and additional security software is on the firewall only (no need to distribute it to many hosts)
Other network security (e.g., Kerberos) involves modification at each host system.

12 Enhanced Privacy
Even innocuous information may contain clues that can be used by attackers
E.g., finger: information about the last login time, when mail was read, etc.
Infer: how often the system is used, active users, whether the system can be attacked without drawing attention

13 Logging and Statistics on Network Use, Misuse
If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage
Alarms can be added to indicate suspicious activity, probes and attacks – double duty as IDS on smaller networks

14 Policy enforcement
Means for implementing and enforcing a network access policy
Access control for users and services
Can’t replace a good education/awareness program, however: knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall

15 Firewall Disadvantages
Restricted access to desirable services
Large potential for back doors
No protection from insider attacks
No protection against data-driven attacks
Cannot protect against newly discovered attacks – policy/situation dependent
Large learning curve

16 Restricted Access to Desirable Services
May block services that users want
  E.g., telnet, ftp, X windows, NFS, etc.
  Need well-balanced security policy
  Similar problems would occur with host access control
Network topology may not fit the firewall design
  E.g., using insecure services across major gateways
  Need to investigate other solutions (e.g., Kerberos)

17 Back Doors
Firewalls DO NOT protect against back doors into the site
  e.g., if unrestricted modem access is still permitted into a site, the attacker could jump around the firewall
  Legacy network topology in large networks

18 Little Protection from Insider Attacks
Generally does not provide protection from insider threats
Sneaker Net – insider may copy data onto tape or print it and take it out of the facility

19 Data-Driven Attacks
Viruses: users downloading virus-infected personal computer programs
Executable Content:
  Java applets
  ActiveX Controls
  JavaScript, VBScript
End-to-End Encryption
Tunneling/Encapsulation

20 Other Issues
Throughput: potential bottleneck (all connections must pass through the firewall)
Single point of failure: concentrates security in one spot => a compromised firewall is a disaster
Complexity – feature bloat
Some services do not work well with firewalls
Lack of standard performance measurements or techniques

21 Firewall Components
Firewall Administrator
Firewall policy
Packet filters: transparent – does not change traffic, only passes it
Proxies: active – intercepts traffic and acts as an intermediary

22 Firewall Administrator
Knowledge of the underpinnings of network protocols (e.g., TCP/IP, ICMP)
Knowledge of the workings of applications that run over the lower-level protocols
Knowledge of the interaction between the firewall implementation and traffic
Vendor-specific knowledge

23 Firewall Policy
High-level policy: service access policy
Low-level policy: firewall design policy
Firewall policy should be flexible!

24 Service Access Policy
Part of the Network Security Policy
Goal: keep outsiders out
Must be realistic and reflect the required security level
Full security vs. full accessibility

25 Firewall Design Policy
Refinement of the service access policy for a specific firewall configuration
Defines: how the firewall achieves the service access policy
Unique to a firewall configuration
Difficult!

26 Firewall Design Policy
Approaches:
  Open system: permit any service unless explicitly denied (maximal accessibility)
  Closed system: deny any service unless explicitly permitted (maximal security)

27 Simple Packet Filters
Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded.
Header information is used for filtering (e.g., protocol number, source and destination IP, source and destination port numbers, etc.)
Stateless: each IP packet is examined in isolation from what has happened in the past.
Often implemented by a router (screening router).

28 Simple Packet Filter
(diagram: Private Network | Packet Filter | Outside)
Placing a simple router (or similar hardware) between the internal network and the “outside”
Allow/prohibit packets from certain services
Packet-level rules
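The closed and open design policies of slide 26 and the stateless, header-only matching of slides 27 and 28 together, as an added example that is not part of the course slides: a first-match rule engine evaluated over a constructed packet list. The 192.0.2.0/24 private network, its mail server at .10, and the sample packets are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# A packet is reduced to the header fields a simple packet filter looks at.
Packet = namedtuple("Packet", "proto src dst dport")  # proto: "tcp", "udp", "icmp"

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"    # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    dport: int = 0            # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        # Only header fields are consulted: the stateless check of slide 27.
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport == 0 or self.dport == p.dport))

def decide(rules, default, p):
    """First matching rule wins; the default policy decides when none matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed network: 192.0.2.0/24 is the private side, .10 is its mail server.
PRIVATE = "192.0.2.0/24"
CLOSED_RULES = [  # closed system: deny anything not explicitly permitted
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=25),  # outside -> mail server
    Rule("allow", src=PRIVATE),                           # inside -> anywhere
]
OPEN_RULES = [    # open system: permit anything not explicitly denied
    Rule("deny", "tcp", dst=PRIVATE, dport=23),           # block inbound telnet
]
SAMPLE = [  # constructed packets: inbound mail, inbound telnet, inbound NFS probe, outbound web
    Packet("tcp", "198.51.100.7", "192.0.2.10", 25),
    Packet("tcp", "198.51.100.7", "192.0.2.20", 23),
    Packet("udp", "198.51.100.7", "192.0.2.20", 2049),
    Packet("tcp", "192.0.2.20", "203.0.113.5", 80),
]

def compare_policies():
    """Per-packet decisions under the closed policy and under the open policy."""
    closed = [decide(CLOSED_RULES, "deny", p) for p in SAMPLE]
    opened = [decide(OPEN_RULES, "allow", p) for p in SAMPLE]
    return closed, opened
```

The third packet shows the cost of the open approach: the NFS probe passes because nobody wrote a rule for it, whereas the closed policy drops it without any rule at all.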

29 Simple Packet Filters
Advantages:
  Does not change the traffic flow or characteristics – passes it through or doesn’t
  Simple
  Cheap
  Flexible: filtering is based on current rules

30 Simple Packet Filters
Disadvantages:
  Direct communication between multiple hosts and the internal network
  Unsophisticated (protects against simple attacks)
  Calibrating the rule set may be tricky
  Limited auditing
  Single point of failure

31 Stateful Packet Filters
Called Stateful Inspection or Dynamic Packet Filtering
Checkpoint patented this technology in 1997
Maintains a history of previously seen packets to make better decisions about current and future packets
Check out: CheckPoint, Stateful Inspection Technology,

32 Proxy Firewalls
(diagram, View vs. Reality: Private Network | Bastion Host / Proxy Server | Outside)

33 Proxy Firewalls
Application Gateways
  Work at the application layer, so they must understand and implement the application protocol
  Called Application-level gateway or proxy server
Circuit-Level Gateway
  Works at the transport layer
  E.g., SOCKS

34 Application Gateways
Interconnects one network to another for a specific application
Understands and implements the application protocol
Good for higher-level restrictions
(diagram: Client | Application Gateway | Server)

35 Application Gateways
Advantages (compared with permitting application traffic directly to internal hosts):
  Information hiding: names of internal systems are not known to outside systems
  Can limit capabilities within an application
  Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
  Cost effective: third-party software and hardware for authentication and logging only on the gateway
  Less-complex filtering rules for packet filtering routers: need to check only the destination
  Most secure

36 Application Gateways
Disadvantages:
  Keeping up with new applications
  Need to know all aspects of the protocols
  May need to modify application clients/protocols

37 Circuit-Level Gateways
Is basically a generic proxy server for TCP
Works like an application-level gateway, but at a lower level
SOCKS – most widely known circuit-level gateway

38 Circuit-Level Gateways
Advantages:
  Don’t need a separate proxy server for each application
  Provides an option for applications for which proxy servers don’t yet exist
  Simpler to implement than application-specific proxy servers
  Most open-source packages can be easily extended to use SOCKS

39 Circuit-Level Gateways
Disadvantages:
  No knowledge of higher-level protocols – can’t scan for active content or disallowed commands
  Can only handle TCP connections – new extensions proposed for UDP
  Proprietary packages: TCP/IP stacks must be modified by the vendor to use circuit-level gateways

40 Home Users
Home routers: come with a built-in firewall
  Generally simple packet filters
  Can block all incoming connections on all ports if desired
  Open connections as needed
Examples:
  Download files from outside using FTP: allow incoming connections on Port 21

41 Windows Firewall
Functionality:
  Helps block computer viruses and worms from reaching your computer
  Asks for your permission to block or unblock certain connection requests
  Allows you to create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer

42 Windows Firewall
What it does not support:
  Detect or disable computer viruses and worms if they are already on your computer
  Stop you from opening e-mail with dangerous attachments
  Block spam or unsolicited e-mail from appearing in your inbox

43 Third Party Firewall
Ranging in price between FREE and $50 on average
  ZoneAlarm Pro 5
  PC-Cillin 2004 Internet Security
  Norton Personal Firewall 2005
  McAfee Personal Firewall

44 Firewall Evaluation
Level of protection on the private network?
  Prevented attacks
  Missed attacks
  Amount of damage to the network
How well is the firewall protected?
  Possibility of compromise
  Detection of the compromise
  Effect of compromise on the protected network
Ease of use
Efficiency, scalability, redundancy
Expense

45 Next class: Intrusion Detection

