
Firewalls


Presentation Transcript


  1. Firewalls CSC 382: Computer Security

  2. Single Host Firewall
  Simplest type of firewall—one host acts as a gateway between internal and external networks.

  3. Types of Single Host Firewall
  Screening Router
  • Organizations already have a router
  • Most routers have packet filtering capabilities
  • Advantages: cheap, simple
  • Disadvantages: can only do packet filtering
  Dual-homed Host
  • Server with two NICs
  • Advantages: configurable as packet filter, circuit proxy, or application proxy
  • Disadvantages: lower performance than a router

  4. Screened Subnet
  Isolates the internal network from external networks by means of a perimeter network, called a DMZ.

  5. Screened Subnet
  Bastion hosts isolated from internal network
  • Compromise of a bastion host doesn't directly compromise the internal network.
  • Bastion hosts also can't sniff internal traffic, since they're on a different subnet.
  No single point of failure
  • Attacker must compromise both exterior and interior routers to gain access to the internal net.
  Advantages: greater security
  Disadvantages: higher cost and complexity

  6. Screened Subnet
  External Access
  • Filtered: via interior + exterior routers
  • Proxied: use a bastion host as a proxy server
  Bastion Hosts
  • Proxy server
  • External web/ftp servers
  • External DNS server
  • E-mail gateway

  7. Screened Subnet
  Exterior Router
  • Simple filtering rules
  • Ingress/egress filtering
  • DoS prevention
  • Simple ACLs
  • May be controlled by ISP
  Interior Router
  • Complex filtering rules
  • Must protect the internal network from the bastion hosts as well as from the external network
  Recommendation: use different hardware/software for the interior and exterior routers.
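The filtering split between the two routers (slide 3's "packet filtering" and slide 7's exterior/interior rules) is easiest to see as a small rule evaluator. The following is an added example written for this transcript, not code from the course or the slides; the addressing (10.0.0.0/8 as the internal network, 203.0.113.0/24 as the DMZ, a mail gateway at 203.0.113.25) and the sample packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (documentation ranges, not a real site).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")
MAIL_GATEWAY = ipaddress.ip_address("203.0.113.25")   # bastion host in the DMZ
INTERNAL_MAIL = ipaddress.ip_address("10.0.0.25")     # mail server on the internal net
# Addresses that must never arrive from the Internet as a source (RFC 1918 + loopback).
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Services the exterior router lets outsiders reach on bastion hosts (simple ACL).
BASTION_ACL = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext", "dmz" or "int"
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_ours(addr):
    return is_internal(addr) or addr in DMZ_NET


def exterior_router(pkt):
    """Exterior-router policy: ingress/egress anti-spoofing plus a short ACL.
    Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "ext":
        # Ingress filtering: a packet from the Internet must not claim one of our
        # own addresses or a bogon as its source.
        if is_ours(src) or any(src in net for net in BOGONS):
            return ("DROP", "ingress: spoofed source")
        # Only bastion hosts are reachable from outside, and only on ACL'd services.
        if dst not in DMZ_NET or (pkt.proto, pkt.dport) not in BASTION_ACL:
            return ("DROP", "acl: not a published bastion service")
        return ("ACCEPT", "inbound to bastion service")
    # Egress filtering: anything leaving must carry an address we own, so a
    # compromised host cannot launch spoofed traffic from inside.
    if not is_ours(src):
        return ("DROP", "egress: source address not ours")
    return ("ACCEPT", "outbound")


def interior_router(pkt):
    """Interior-router policy: internal hosts may initiate traffic outward; the
    DMZ side (which may be compromised) reaches inside only via explicit exceptions."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "int":
        if not is_internal(src):
            return ("DROP", "egress: non-internal source on internal interface")
        return ("ACCEPT", "outbound from internal host")
    # Packet arrived from the DMZ side: treat bastion hosts as untrusted.
    if is_internal(src):
        return ("DROP", "ingress: internal source arriving from DMZ side")
    if src == MAIL_GATEWAY and dst == INTERNAL_MAIL and (pkt.proto, pkt.dport) == ("tcp", 25):
        return ("ACCEPT", "mail gateway to internal mail server")
    return ("DROP", "default deny from DMZ side")


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("ext", "10.1.2.3", "203.0.113.10", "tcp", 80),     # spoofed internal source
        Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 80),  # legitimate web request
        Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 22),  # ssh not in ACL
        Packet("dmz", "203.0.113.25", "10.0.0.25", "tcp", 25),     # mail gateway delivering inward
        Packet("dmz", "203.0.113.10", "10.0.0.5", "tcp", 445),     # web bastion probing inside
    ]
    for p in samples:
        print(p.iface, p.src, "->", p.dst, p.proto, p.dport,
              "exterior:", exterior_router(p), "interior:", interior_router(p))
```

The evaluator is stateless, so replies to connections that internal hosts opened would be dropped by the interior router as written; a real deployment adds connection tracking or routes that traffic through the bastion proxy the slides describe. The point the two functions make is the asymmetry: the exterior router's rules are short and mostly about spoofing and published services, while the interior router has to assume the DMZ is already hostile.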

  8. Tunneling
  Tunneling: encapsulation of one network protocol in another protocol
  • Carrier Protocol: protocol used by the network through which the information is travelling
  • Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data
  • Passenger Protocol: protocol that carries the original data

  9. ssh Tunneling
  SSH can tunnel TCP connections
  • Carrier Protocol: IP
  • Encapsulating Protocol: ssh
  • Passenger Protocol: TCP on a specific port
  POP-3 forwarding
  ssh -L 110:pop3host:110 -l user pop3host
  • Uses ssh to log in to pop3host as user
  • Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
  • User configures the mail client to use localhost as the POP3 server, then proceeds as normal
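The two port numbers in `-L 110:pop3host:110` are easy to confuse, and the optional bind address in front of them decides who else can use the tunnel. The following parser is an added example for this transcript, not part of the slides or of OpenSSH; it assumes the `[bind_address:]port:host:hostport` syntax documented in ssh(1) and, like ssh's default, treats an omitted bind address as loopback-only.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalForward:
    bind_address: str   # address the listening socket binds to on the ssh client
    local_port: int     # leftmost port: the listener on the ssh client
    host: str           # destination host, resolved by the ssh *server*
    host_port: int      # rightmost port: the destination service


def _port(text):
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {text}")
    return n


def parse_local_forward(spec):
    """Parse an ssh -L argument: [bind_address:]port:host:hostport.
    Bracketed IPv6 literals such as [::1] are kept whole when splitting on ':'."""
    parts = re.findall(r"\[[^\]]*\]|[^:]+", spec)
    if len(parts) == 3:
        # Assumption: no bind address and GatewayPorts at its default of "no",
        # so the listener is bound to the loopback interface only.
        bind, port, host, hport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hport = parts
    else:
        raise ValueError(f"unrecognised -L spec: {spec!r}")
    return LocalForward(bind.strip("[]"), _port(port), host.strip("[]"), _port(hport))


def exposure(fwd):
    """Who can connect to the local end of the tunnel, from the bind address."""
    if fwd.bind_address in ("", "*", "0.0.0.0", "::"):
        return "any host that can reach this machine"
    if fwd.bind_address in ("localhost", "127.0.0.1", "::1"):
        return "this machine only"
    return f"hosts that can reach {fwd.bind_address}"


def describe(fwd):
    return (f"connections to {fwd.bind_address}:{fwd.local_port} on the ssh client travel "
            f"inside the ssh session and are delivered by the ssh server to "
            f"{fwd.host}:{fwd.host_port}; reachable by: {exposure(fwd)}")


if __name__ == "__main__":
    # Constructed inputs: the slide's POP-3 forward, and a deliberately wide-open one.
    for spec in ("110:pop3host:110", "*:8110:pop3host:110"):
        print(spec, "=>", describe(parse_local_forward(spec)))
```

The second sample shows why the bind address matters: with `*` in front, the cleartext POP-3 listener is offered on every interface of the client machine, so the tunnel protects the path to pop3host but exposes an unauthenticated relay to the local network. Keeping the default loopback binding keeps the leftmost port private to the user's own mail client, which is the configuration the slide describes.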

  10. Virtual Private Network (VPN)
  • Two or more computers or networks connected by a private tunnel through a public network (typically the Internet).
  • Requirements:
    • Confidentiality: encryption
    • Integrity: MACs, sequencing, timestamps
  • Firewall Interactions
    • Tunnels can bypass the firewall
    • The firewall is a convenient place to add VPN features
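The slide lists MACs, sequence numbers and timestamps together because each one closes a gap the others leave: a MAC catches modification, a sequence number catches replay and reordering, and a timestamp bounds how long a captured packet stays usable. The receiver below, an added example for this transcript and not code from any VPN product, puts the three together with a sliding anti-replay window. The key, the header layout (64-bit sequence number and 64-bit Unix timestamp), the 30-second clock-skew allowance and the 64-packet window are all constructed choices for the demonstration; confidentiality (encryption of the payload) is deliberately left out so the integrity logic stays visible.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"   # a real VPN negotiates per-session keys
HEADER = struct.Struct("!QQ")                    # sequence number, timestamp (Unix seconds)
TAG_LEN = hashlib.sha256().digest_size
MAX_SKEW = 30   # seconds the sender's timestamp may differ from the receiver's clock
WINDOW = 64     # how far behind the highest accepted sequence number we still accept


def seal(seq, payload, now, key=KEY):
    """Sender side: header || payload || HMAC over header and payload.
    The MAC must cover the header, or seq/timestamp could be rewritten in flight."""
    header = HEADER.pack(seq, now)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.highest = 0    # highest sequence number accepted so far
        self.seen = set()   # sequence numbers accepted inside the current window

    def open(self, msg, now):
        """Return (True, payload) or (False, reason). Checks are ordered so that
        the MAC is verified before any header field is trusted."""
        if len(msg) < HEADER.size + TAG_LEN:
            return (False, "too short")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return (False, "bad MAC")
        seq, ts = HEADER.unpack_from(body)
        if abs(now - ts) > MAX_SKEW:
            return (False, "stale timestamp")
        if seq <= self.highest - WINDOW:
            return (False, "sequence too old")
        if seq in self.seen:
            return (False, "replay")
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - WINDOW}
        return (True, body[HEADER.size:])


if __name__ == "__main__":
    t = 1_700_000_000                 # constructed "current time"
    rx = Receiver()
    first = seal(1, b"hello", t)
    print(rx.open(first, t))          # accepted
    print(rx.open(first, t + 1))      # same packet again: replay
    print(rx.open(seal(2, b"x", t - 600), t))   # captured long ago: stale timestamp
```

Without the sequence number, a captured packet could be replayed for as long as the timestamp stays within the skew allowance; without the timestamp, a packet with a never-used sequence number could be replayed hours later. The window lets legitimately reordered packets through while keeping the state per peer small, which is the same trade-off IPsec's anti-replay window makes.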

  11. Firewall Limitations
  Cannot protect from internal attacks
  • May be able to limit access to a segment of your network with internal firewalls.
  Cannot protect you from user error
  • Users will still run trojan horses that make it past your AV scanner.
  Firewall mechanism may not precisely enforce your security policy.

  12. Key Points
  • Almost everything is spoofable.
  • Denial of service attacks are easy.
  • Port scanning
    • Stealth
    • OS fingerprinting
  • Firewalls
    • Packet filtering
    • Proxying
    • DMZ
