
Telecommunications Networking II

Telecommunications Networking II. Lecture 41e Firewalls. Firewalls Ref: Firewalls and Internet Security, W.R. Cheswick and S.M. Bellovin. Firewall.


Presentation Transcript


  1. Telecommunications Networking II Lecture 41e Firewalls

  2. Firewalls (Ref: Firewalls and Internet Security, W.R. Cheswick and S.M. Bellovin)

  3. Firewall
     • A firewall is a mechanism through which we can attempt to protect a collection of computers and networks within an enclave from attacks launched from outside of the protected enclave
     • Firewalls can also be used to provide barriers between subsets of computers and networks within an enclave

  4. Firewalls (diagram: a gateway computer sits between the ENCLAVE and the rest of cyberspace)

  5. Firewalls (diagram: the enclave is divided into Subnet 1 and Subnet 2, with firewalls between the subnets and toward the rest of cyberspace)

  6. Packet Filter (ref: Firewalls and Internet Security)

     action  ourhost  port  theirhost  port  comment
     block   *        *     spigot     *     block these guys
     allow   our GW   25    *          *     our GW's mail
     allow   *        *     *          25    ???

  7. Packet Filters
     • In the previous slide, we filter packets on the basis of which of "our hosts" (inside the firewall) and which of "their hosts" (outside the firewall) are involved, and which ports are involved in a TCP connection, independent of which end established the connection
     • The first rule keeps spigot from participating in TCP connections with our hosts (we block packets to/from spigot)

  8. Packet Filters
     • The second rule allows any host to establish a connection to port 25 (SMTP = mail) on our gateway machine
     • The last rule says that any of our hosts can participate in a port 25 (SMTP = mail) TCP connection with any other host. This is dangerous, because an exterior host could use its port 25 to initiate a connection to one of our hosts for a purpose other than mail

  9. Packet Filter (ref: Firewalls and Internet Security)

     action  source      port  dest  port   flags
     allow   {ourhosts}  *     *     *
     allow   *           *     *     *      ACK
     allow   *           *     *     >1023

  10. Packet Filters
     • In the previous slide, we implement filtering based on which host has originated the TCP session
     • In particular, if a packet is an initial request to open up a TCP session, it does not have the TCP "ACK" bit set. All other packets have the "ACK" bit set. Therefore, we can block TCP connections that are initiated by "their host" (outside of the firewall)

  11. Packet Filters
     • We assume that our hosts will reject packets with the ACK bit set if the corresponding TCP connection has not been initiated
     • Thus a host that is not one of our hosts cannot establish a TCP connection under either of the first two rules
     • The last rule allows external hosts to establish a TCP connection to our hosts if the target port number is higher than 1023
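To make the two rule tables (slides 6 and 9) and the commentary on them (slides 7, 8, 10 and 11) concrete, here is an added example, not code from the lecture or from Cheswick and Bellovin: a first-match packet-filter evaluator in Python that replays both tables against a handful of constructed packets. The host names (our-gw, our-host-a, out-x), the port numbers and the packets are assumptions made for the example; only spigot, port 25 and the >1023 rule come from the slides.

```python
# Added example, not from the slides or from Cheswick & Bellovin: a first-match
# packet-filter evaluator that replays the two rule tables of the lecture
# against constructed packets. Host names, ports and packets are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = True  # TCP ACK flag; clear only on the first packet of a connection


# Constructed enclave: the gateway plus one interior host.
OUR_HOSTS = frozenset({"our-gw", "our-host-a"})


def sides(pkt):
    """Map a packet onto (ourhost, ourport, theirhost, theirport) regardless
    of direction, which is how the first table (slide 6) is written."""
    if pkt.src in OUR_HOSTS:
        return pkt.src, pkt.sport, pkt.dst, pkt.dport
    return pkt.dst, pkt.dport, pkt.src, pkt.sport


# A rule is (action, predicate). Rules are tried in order, the first match
# decides, and an unmatched packet falls through to the default (block).
TABLE_A = [  # slide 6: ourhost/port vs theirhost/port, no flag checks
    ("block", lambda p: sides(p)[2] == "spigot"),                        # block these guys
    ("allow", lambda p: sides(p)[0] == "our-gw" and sides(p)[1] == 25),  # our GW's mail
    ("allow", lambda p: sides(p)[3] == 25),                              # the "???" rule
]
TABLE_B = [  # slide 9: source/dest in packet direction, plus the ACK test
    ("allow", lambda p: p.src in OUR_HOSTS),  # anything our hosts send
    ("allow", lambda p: p.ack),               # ACK set: not a connection request
    ("allow", lambda p: p.dport > 1023),      # inbound requests to high ports
]


def decide(rules, pkt, default="block"):
    """Return the action of the first rule matching pkt, else the default."""
    for action, matches in rules:
        if matches(pkt):
            return action
    return default


# Constructed test packets (ack=False marks a connection request).
PACKETS = {
    "spigot_to_gw_mail": Packet("spigot", 40000, "our-gw", 25, ack=False),
    "outside_to_gw_mail": Packet("out-x", 40001, "our-gw", 25, ack=False),
    "reply_to_gw": Packet("out-x", 25, "our-gw", 40002, ack=True),
    "outside_p25_to_telnet": Packet("out-x", 25, "our-host-a", 23, ack=False),
    "outside_to_highport": Packet("out-x", 40003, "our-host-a", 8080, ack=False),
}


def evaluate(rules, packets=PACKETS):
    """Run every packet through a rule table and collect the verdicts."""
    return {name: decide(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, table in (("table A (slide 6)", TABLE_A), ("table B (slide 9)", TABLE_B)):
        print(label)
        for name, verdict in evaluate(table).items():
            print(f"  {name:22s} {verdict}")
```

Running it shows the point of slides 8 and 10 side by side: table A admits a connection request arriving from an outside host's port 25 to port 23 on an inside host (the "???" rule), while table B blocks it because the ACK bit is clear and the port is below 1024. Two other things stand out. Table B, as written on slide 9, has no rule admitting connection requests to port 25 on the gateway, so inbound mail would need an extra rule in practice. And the >1023 rule admits the request to port 8080, which is the caveat of slide 11.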

  12. Where to put the filters (diagram: the enclave with Subnet 1 and Subnet 2, and the rest of cyberspace outside)

  13. Where to put the filters
     • The location of the filters is critical for
       - catching problems as close to the source as possible
       - identifying the link on which a packet has arrived

  14. Comments
     • The lack of authentication of packet sources and of the routes taken by packets, as well as opportunities to modify packets in transit, make the packet filtering problem much harder

  15. Application Level Gateways
     • This type of gateway acts as an intermediary between outside hosts and inside hosts (their hosts and our hosts) by accepting packets associated with a specific application (e.g., email) and scrutinizing the contents of those packets (or sets of related packets) at the application level.
     • An application level gateway can also provide useful functions, such as mail forwarding and reformatting

  16. Circuit Level Gateways
     • A circuit level gateway acts as an intermediary between two hosts that wish to establish a TCP connection between them. The TCP connection is established host-to-gateway-to-host. Since the gateway is in the middle of the TCP connection (not just looking at isolated packets) it can monitor and control some aspects of the connection (e.g., the number of bytes that are transferred, and how fast bytes can move through the connection)
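The host-to-gateway-to-host arrangement of slide 16 is easiest to see in a small relay. The following is an added example, not code from the lecture or from Cheswick and Bellovin: the gateway holds one socket toward the client and one toward the server, copies bytes between them, and because every byte passes through it, it can count what crosses the circuit and stop forwarding once a byte budget is exhausted. socketpair() stands in for real TCP connections so the example runs offline; the messages, the byte budget and the idle timeout are constructed for the example.

```python
# Added example, not from the slides or from Cheswick & Bellovin: a minimal
# circuit-level relay. The gateway holds one socket toward the client and one
# toward the server, copies bytes between them, and so can count and cap what
# crosses the circuit. socketpair() stands in for real connections so the
# example runs offline; the messages and byte budget are constructed.
import select
import socket


def relay(gw_client, gw_server, max_bytes, idle_timeout=1.0):
    """Shuttle bytes between the gateway's two sockets until both peers have
    finished sending, the byte budget is used up, or the circuit goes idle.
    Returns (bytes forwarded per direction, whether the cap was reached)."""
    peers = {gw_client: gw_server, gw_server: gw_client}
    names = {gw_client: "client->server", gw_server: "server->client"}
    counts = {"client->server": 0, "server->client": 0}
    total = 0
    while peers and total < max_bytes:
        ready, _, _ = select.select(list(peers), [], [], idle_timeout)
        if not ready:
            break  # idle circuit: give up rather than hold sockets forever
        for sock in ready:
            if total >= max_bytes:
                break
            data = sock.recv(min(4096, max_bytes - total))
            if not data:  # this peer is done sending: pass the half-close along
                peers[sock].shutdown(socket.SHUT_WR)
                del peers[sock]
                continue
            peers[sock].sendall(data)
            counts[names[sock]] += len(data)
            total += len(data)
    # Tear down whatever is still open so both endpoints see end-of-stream.
    for dst in peers.values():
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    return counts, total >= max_bytes


def _drain(sock, timeout=1.0):
    """Read until end-of-stream (or timeout) and return everything received."""
    sock.settimeout(timeout)
    chunks = []
    while True:
        try:
            data = sock.recv(4096)
        except socket.timeout:
            break
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


def run_through_gateway(client_msg, server_msg, max_bytes):
    """Build client<->gateway and gateway<->server socket pairs, push the
    constructed messages through the relay, and report what each end got."""
    client, gw_client = socket.socketpair()
    gw_server, server = socket.socketpair()
    try:
        client.sendall(client_msg)
        client.shutdown(socket.SHUT_WR)
        server.sendall(server_msg)
        server.shutdown(socket.SHUT_WR)
        counts, capped = relay(gw_client, gw_server, max_bytes)
        return counts, capped, _drain(server), _drain(client)
    finally:
        for s in (client, gw_client, gw_server, server):
            s.close()


if __name__ == "__main__":
    print(run_through_gateway(b"hello", b"world", max_bytes=1000))
    print(run_through_gateway(b"twenty-byte payload!", b"", max_bytes=8))
```

The second call shows the control the slide mentions: with a budget of 8 bytes the gateway forwards only the first 8 bytes of the client's 20-byte message and then closes the circuit toward the server. Rate limiting would sit in the same place, by pausing between recv and sendall, since the gateway, not the endpoints, decides when bytes move.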
