
1 Firewall
Ge Zhang, Karlstad University

2 A typical network topology
Threats example
–Back door
–Port scanning
–…

4 What is a Firewall?
A single checkpoint that inspects traffic to and from a network and acts on it (pass, discard, block, log)
Design goals
–All traffic from inside to outside and vice versa must pass through the firewall

5 Services by a firewall
Service control
Direction control
User control (internal network)
Behavior control (the firewall needs to know the application protocol)
Logging flow information
Hiding the internal topology

6 Capabilities and limitations
Capabilities
–Prevents unauthorized traffic
–Monitors security-related events
–A platform for a network address translator (NAT)
–A platform for IPsec tunnel mode (VPN)
Limitations
–Attacks that bypass the firewall (over other channels)
–Internal threats (internal employees cooperating with external attackers)
–Transfer of virus-infected programs

7 The working flow of a firewall
    if {condition_1} then {action_1}
    else if {condition_2} then {action_2}
    else if {condition_3} then {action_3}
    else if {condition_4} then {action_4}
    …
    else if {condition_n} then {action_n}
How to define the conditions?

8 Layered TCP/IP model

9 Types of firewalls
Packet-filtering router
Application-level gateway
Circuit-level gateway

10 Packet-filtering router (1)
Packet-filtering firewall
–Applies a set of rules
–Decides whether to forward or discard the packet
–Only examines the header, does not “see inside” a packet

11 Packet-filtering router (2)

Rule set 1 (allow the listed services, deny everything else):
source    destination  protocol  dest. port  action
Ane_home  Ane_work     any       any         Allow
any       SIP proxy    tcp, udp  5060, 5061  Allow
any       Mail server  tcp, udp  25          Allow
any       Web server   tcp       80, 8080    Allow
any       any          any       any         Deny

Rule set 2 (deny the listed sources, allow everything else):
source  destination  protocol  dest. port  action
mal1    any          any       any         Deny
mal2    any          any       any         Deny
mal1    any          any       any         Deny
mal3    any          any       any         Deny
any     any          any       any         Allow

12 Requirements on rule set design
Consistency: the rules are ordered correctly
Completeness: every packet satisfies at least one rule in the firewall
Compactness: the firewall has no redundant rules

13 An example
interface  source     destination  protocol  dest. port  action
0          any        Web server   tcp       80          Allow
0          any        Web server   any       any         Deny
0          malicious  any          any       any         Deny
1          host       any          any       any         Allow
1          any        any          any       any         Allow

Consistency error: the Deny for malicious sources is ordered after the Allow to the Web server, so malicious traffic to tcp port 80 is allowed by the first rule.
Compactness error: the rule for host on interface 1 is redundant, because the last rule already allows everything on interface 1.
Completeness error: a packet on interface 0 from a source that is not malicious to host matches no rule:

interface  source         destination  protocol  dest. port  action
0          not malicious  host         any       any         ????

14 Improvement
interface  source     destination  protocol  dest. port  action
0          malicious  any          any       any         Deny
0          any        Web server   tcp       80          Allow
0          any        Web server   any       any         Deny
0          any        any          any       any         Allow
1          any        any          any       any         Allow
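The if / else-if chain of slide 7 and the three requirements of slide 12, worked through in code on the rule sets of slides 13 and 14. This is an added example and not part of the lecture; the Rule and Packet classes, the analyse function, its wording of the findings and the sample packet from the constructed source "not malicious" are assumptions made for the illustration. The consistency check flags a later Deny that only partly overlaps an earlier Allow, which is exactly the error slide 14 fixes by moving the Deny to the top.

```python
# Added example, not from the lecture slides: a first-match packet filter plus
# checks for consistency, compactness and completeness of a rule set.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"  # wildcard, as written in the slides' tables


def _covers(a: str, b: str) -> bool:
    return a == ANY or a == b  # field a matches every value that field b matches


def _overlaps(a: str, b: str) -> bool:
    return a == ANY or b == ANY or a == b  # some value satisfies both fields


@dataclass(frozen=True)
class Packet:  # constructed: one concrete packet as the filter sees it
    interface: str
    source: str
    destination: str
    protocol: str
    dport: int


@dataclass(frozen=True)
class Rule:
    interface: str
    source: str
    destination: str
    protocol: str
    dport: Optional[int]  # None = any destination port
    action: str           # "Allow" or "Deny"

    def matches(self, pkt: Packet) -> bool:
        return (_covers(self.interface, pkt.interface) and _covers(self.source, pkt.source)
                and _covers(self.destination, pkt.destination) and _covers(self.protocol, pkt.protocol)
                and (self.dport is None or self.dport == pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """Every packet matched by `other` is also matched by this rule."""
        return (_covers(self.interface, other.interface) and _covers(self.source, other.source)
                and _covers(self.destination, other.destination) and _covers(self.protocol, other.protocol)
                and (self.dport is None or self.dport == other.dport))

    def overlaps(self, other: "Rule") -> bool:
        """At least one packet is matched by both rules."""
        return (_overlaps(self.interface, other.interface) and _overlaps(self.source, other.source)
                and _overlaps(self.destination, other.destination) and _overlaps(self.protocol, other.protocol)
                and (self.dport is None or other.dport is None or self.dport == other.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Slide 7's chain: the first matching rule decides; None means no rule matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def analyse(rules: List[Rule], interfaces: List[str]) -> List[Tuple[str, str]]:
    """Findings as (requirement, message) for slide 12's three requirements; [] = passes."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier.action != later.action:
                if earlier.covers(later):
                    findings.append(("consistency", f"rule {j+1} is never reached, shadowed by rule {i+1}"))
                elif earlier.action == "Allow" and earlier.overlaps(later) and not later.covers(earlier):
                    # A Deny placed after a partially overlapping Allow: the overlap gets through.
                    findings.append(("consistency", f"Deny rule {j+1} is partly shadowed by Allow rule {i+1}"))
            elif earlier.covers(later):
                findings.append(("compactness", f"rule {j+1} is redundant with rule {i+1}"))
            elif later.covers(earlier) and not any(rules[k].overlaps(earlier) and rules[k].action != earlier.action
                                                   for k in range(i + 1, j)):
                # Without rule i its packets fall through to rule j and get the same decision.
                findings.append(("compactness", f"rule {i+1} is redundant with rule {j+1}"))
    for iface in interfaces:
        if not any(_covers(r.interface, iface) and r.source == ANY and r.destination == ANY
                   and r.protocol == ANY and r.dport is None for r in rules):
            findings.append(("completeness", f"no catch-all rule for interface {iface}"))
    return findings


SLIDE13 = [  # the flawed rule set of slide 13
    Rule("0", ANY, "Web server", "tcp", 80, "Allow"),
    Rule("0", ANY, "Web server", ANY, None, "Deny"),
    Rule("0", "malicious", ANY, ANY, None, "Deny"),
    Rule("1", "host", ANY, ANY, None, "Allow"),
    Rule("1", ANY, ANY, ANY, None, "Allow"),
]
SLIDE14 = [  # the improvement of slide 14
    Rule("0", "malicious", ANY, ANY, None, "Deny"),
    Rule("0", ANY, "Web server", "tcp", 80, "Allow"),
    Rule("0", ANY, "Web server", ANY, None, "Deny"),
    Rule("0", ANY, ANY, ANY, None, "Allow"),
    Rule("1", ANY, ANY, ANY, None, "Allow"),
]

if __name__ == "__main__":
    unmatched = Packet("0", "not malicious", "host", "tcp", 22)  # constructed sample packet
    print(first_match(SLIDE13, unmatched), first_match(SLIDE14, unmatched))
    print(analyse(SLIDE13, ["0", "1"]), analyse(SLIDE14, ["0", "1"]))
```

Run as a script, the packet from slide 13's last row gets no decision from SLIDE13 and "Allow" from SLIDE14, and analyse reports one finding per requirement for SLIDE13 and none for SLIDE14.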

15 Efficiency of rule set
Before aggregation:
source       destination  protocol  dest. port  action
192.163.0.1  any          tcp       80, 8080    Deny
192.163.0.2  any          tcp       80, 8080    Deny
192.163.0.3  any          tcp       80, 8080    Deny
10.1.1.2     any          tcp       80, 8080    Allow
10.1.1.3     any          tcp       80, 8080    Allow

After aggregation (one rule per address range):
source       destination  protocol  dest. port  action
192.163.0.*  any          tcp       80, 8080    Deny
10.1.1.*     any          tcp       80, 8080    Allow

Note that the wildcard rules also cover addresses that were not in the original list (for example 192.163.0.4), so the aggregated set has to be checked against the intended policy.

16 Stateful PF
For TCP connections
–Server ports are mostly fixed (<1024)
–Client ports are dynamically used (from 1024 to 65535)
Stateful: tightens up the rules for TCP traffic by creating a directory of outbound TCP connections
src            src port  des           des port  state
192.168.1.100  1030      210.9.88.29   80        established
192.168.1.102  3331      216.32.1.122  25        established
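The connection directory of slide 16 as working code, added here and not taken from the lecture. An outbound SYN creates a table entry, the matching reply is admitted and moves the entry to established, and an unsolicited packet aimed at the same client port is dropped; a stateless filter, which can only admit replies by allowing the whole 1024-65535 range inbound, lets that packet through. The addresses and ports follow the slide's table; the internal prefix 192.168.1. and the simplified state handling are assumptions made for the illustration.

```python
# Added example, not from the lecture slides: a stateful packet filter for TCP
# next to the stateless rule it replaces.
from dataclasses import dataclass
from typing import Dict, Tuple

INTERNAL_PREFIX = "192.168.1."  # assumption: hosts with this prefix are inside
EPHEMERAL_START = 1024          # client ports are taken from 1024-65535


@dataclass(frozen=True)
class TcpPacket:  # constructed: the header fields the filter looks at
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def stateless_inbound(pkt: TcpPacket) -> str:
    """Without state, replies to clients can only be admitted by opening the
    whole ephemeral range inbound, which also admits unsolicited packets."""
    return "Allow" if pkt.dport >= EPHEMERAL_START else "Deny"


class StatefulFilter:
    """Tracks connections opened from the inside; inbound traffic is admitted
    only as the reverse half of a tracked connection."""

    def __init__(self) -> None:
        # (internal host, internal port, external host, external port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def _is_internal(addr: str) -> bool:
        return addr.startswith(INTERNAL_PREFIX)

    def filter(self, pkt: TcpPacket) -> str:
        if self._is_internal(pkt.src) and not self._is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.table[key] = "syn_sent"  # new outbound connection: record the client port
                return "Allow"
            if key not in self.table:
                return "Deny"                 # outbound data for a connection we never saw open
            if pkt.rst:
                del self.table[key]           # connection torn down: forget it
            return "Allow"
        if self._is_internal(pkt.dst) and not self._is_internal(pkt.src):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.table.get(key)
            if state is None:
                return "Deny"                 # unsolicited inbound packet, even to a client port
            if state == "syn_sent" and pkt.syn and pkt.ack:
                self.table[key] = "established"
            if pkt.rst:
                del self.table[key]
            return "Allow"
        return "Deny"  # traffic that does not cross the boundary is outside this example


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.filter(TcpPacket("192.168.1.100", 1030, "210.9.88.29", 80, syn=True)))
    print(fw.filter(TcpPacket("210.9.88.29", 80, "192.168.1.100", 1030, syn=True, ack=True)))
    print(fw.table)
    stray = TcpPacket("203.0.113.9", 80, "192.168.1.100", 1030, ack=True)  # constructed
    print("stateful:", fw.filter(stray), "stateless:", stateless_inbound(stray))
```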

17 Pros and cons of PF
Pro:
–Simple, highly efficient
–Transparent to users
Con:
–Does not address application-specific vulnerabilities
–Limited log information
–No user authentication
–Rule sets are difficult to configure

18 Attacks on a PF
IP address spoofing (using a spoofed IP address that the firewall trusts)
Fragment attacks
–Tiny fragment
–Overlapping fragment

19 IP fragments
A firewall inspects only the first fragment of a fragmented packet.

20 Tiny fragment attack

21 Overlapping fragment
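Slides 19 to 21 describe what a first-fragment-only filter misses. The added example below, which is not from the lecture, shows the two checks a firewall can apply to the fragments of one datagram before trusting the port decision it made on the first one: the first fragment must carry the complete TCP header, and no later fragment may overlap bytes that were already received. The TCP segment, the fragment layout and the Fragment class are constructed for the illustration; offsets are counted in bytes here rather than the 8-byte units of the IP header.

```python
# Added example, not from the lecture slides: fragment sanity checks that
# catch the tiny-fragment and overlapping-fragment cases before reassembly.
import struct
from dataclasses import dataclass
from typing import List

TCP_HEADER_LEN = 20  # bytes needed before ports, sequence numbers and flags are all visible


@dataclass(frozen=True)
class Fragment:  # constructed: what the filter knows about one IP fragment
    offset: int     # position of this payload in the reassembled datagram (bytes)
    more: bool      # the IP "more fragments" flag
    payload: bytes  # transport-layer bytes carried by the fragment


def dest_port(first: Fragment) -> int:
    """Destination port as a first-fragment-only filter reads it (TCP header bytes 2-3)."""
    return struct.unpack("!H", first.payload[2:4])[0]


def check_fragments(frags: List[Fragment]) -> str:
    """Return 'ok', or the reason the whole datagram should be dropped.

    tiny first fragment: the first fragment ends before the TCP header does, so
    part of the header a filter would inspect only arrives in a later fragment.
    overlapping fragment: a later fragment rewrites bytes already received, so
    the header the filter inspected need not be the header the host reassembles.
    """
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return "missing first fragment"
    if frags[0].more and len(frags[0].payload) < TCP_HEADER_LEN:
        return "tiny first fragment"
    end = 0  # bytes [0, end) have already been received
    for f in frags:
        if f.offset < end:
            return "overlapping fragment"
        end = f.offset + len(f.payload)
    return "ok"


# Constructed TCP segment: sport 40000, dport 80, seq 1, ack 0, data offset 5,
# SYN flag, window 8192, checksum 0, urgent pointer 0, then a short request.
TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
SEGMENT = TCP_HEADER + b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"

# Normal fragmentation: the whole TCP header travels in the first fragment.
NORMAL = [Fragment(0, True, SEGMENT[:32]), Fragment(32, False, SEGMENT[32:])]
# Tiny first fragment: only the ports and half the sequence number up front.
TINY = [Fragment(0, True, SEGMENT[:8]), Fragment(8, False, SEGMENT[8:])]
# Overlapping fragment: the second fragment starts inside bytes already received.
OVERLAP = [Fragment(0, True, SEGMENT[:32]), Fragment(16, False, SEGMENT[16:])]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("tiny", TINY), ("overlap", OVERLAP)):
        print(name, "dport seen:", dest_port(frags[0]), "verdict:", check_fragments(frags))
```

In all three layouts the first fragment shows destination port 80, so a filter that stops at dest_port would treat them alike; check_fragments is what separates the normal case from the two attack shapes.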

22 Application-level gateway (mainly for inbound requests)
Has more checking parameters (user names, message format, client software version, etc.)
Only deals with allowed applications
More useful log information
Con: high processing overhead

23 Circuit-level gateway (mainly for outbound requests)
Based on connections instead of packets
Similar to stateful PF
Performs authentication
Implementation: SOCKS server

24 Bastion host
A secured version of its operating system
A platform for an application-level gateway or circuit-level gateway
Only supports allowed applications
Only supports a subset of the standard applications
Needs additional authentication

25 Demilitarized Zone (DMZ)
A demilitarized zone is a subnet that contains and exposes an organization's public services to an external network
In the DMZ: DNS, web server, VoIP server
Internal network: workstations

26 Setting up firewalls in a network
Screened host firewall (single-homed bastion)

27 Screened host firewall (dual-homed bastion host)

28 Screened subnet firewall

29 Practical experience on the firewall itself
Stealth rule: drop any packet from outside that is addressed to the firewall itself
Insecure firewall management: drop packets to the firewall over insecure protocols (telnet, ftp, X11)
Limited management machines: firewalls should be managed from a small number of machines

30 High-throughput firewall (1)
Application Specific Integrated Circuit (ASIC), e.g., NetScreen 100 (100 Mbps firewall)

31 High-throughput firewall (2)
Load balancing

32 Key points
Types of firewall
Pros and cons of the three types
Rule set of PF (consistency, completeness, compactness, efficiency)
Stateful PF
Attacks on PF
Bastion host
DMZ
Setting up firewalls in a network
