
Firewalls

Learn about firewalls, their role as network access control, authentication, authorization, and more. Understand different types of firewalls, such as packet filtering and application-based firewalls, and their advantages and disadvantages.

mgross


Presentation Transcript


  1. Firewalls

  2. References • [1] Mark Stamp, Information Security: Principles and Practice, Wiley-Interscience, 2006. • [2] Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24–29. • Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62–67. • Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept. 1994, pp. 50–57. • William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112–113. • Charles Zhang, Marianne Winslett and Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007. • Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.

  3. Firewall as Network Access Control • Access Control • Authentication • Authorization • Single Sign On • Firewall • Interface between networks • Usually external (internet) and internal • Allows traffic flow in both directions

  4. Firewall (diagram: Internet – Firewall – Internal network) • Interface between networks • Usually between the external (internet) and internal networks • Allows traffic flow in both directions • Controls the traffic

  5. Firewall as Secretary • A firewall is like a secretary • To meet with an executive • First contact the secretary • Secretary decides if meeting is reasonable • Secretary filters out many requests • You want to meet chair of CS department? • Secretary does some filtering • You want to meet President of US? • Secretary does lots of filtering! [1]

  6. Security Strategies • Least privilege • Each subject or object is given the lowest privilege that still lets it perform its assigned task • Defense in depth • Use multiple mechanisms • Best if each is independent, with minimal overlap, so that one failure does not defeat the others • Choke point • Forcing all traffic through a single point facilitates monitoring and control [2]

  7. Security Strategies - 2 • Weakest link • The perimeter is only as strong as its weakest component • Fail-safe • If the firewall fails, it should fail closed, denying access rather than admitting intrusions • Default deny (allow only what is explicitly permitted) vs. default permit (block only what is explicitly forbidden); default deny is the fail-safe choice • Universal participation • Everyone has to accept the rules; a single exempted host bypasses the choke point [2]

  8. Security Strategies - 3 • Diversity of defense • Every technology has inherent weaknesses • Use multiple technologies so that one compensates for the inherent weakness of another • Common heritage • If systems are configured by the same person, they may share the same weakness • Simplicity • Security through obscurity (hiding details can help, but must not be relied on) [2]

  9. Security Strategies - 4 • Configuration errors can be devastating • Testing is not perfect • Ongoing trial and error will identify weaknesses • Enforcing a sound policy is critical [2]

  10. Types of Firewall • No Standard Terminology • Packet Filtering (network layer) • Simplest firewall • Filter packets based on specified criteria • IP addresses, subnets, TCP or UDP ports • Stateful inspection (transport layer) • In addition to packet inspection • Validate attributes of multi-packet flows [2]

  11. Types of Firewall - 2 • Application Based Firewall (application layer) • Software package that allows or denies access across networks • Logs access: both attempted and allowed access • Personal firewall: a single user or home network [2]

  12. Types of Firewall - 3 • Proxy • Intermediate connection between servers on the internet and servers and clients on the internal network • For incoming data the proxy acts as the server that internal clients talk to • For outgoing data the proxy acts as the client that sends the data out to the internet • Hosts on the two sides never exchange packets directly [2]

  13. Types of Firewall - 4 • Network Address Translation • Hides internal network from external network • Private IP addresses – expands the IP address space • Creates a choke point • Virtual Private Network • Employs encryption and integrity protection • Use internet as part of a private network [2]

  14. Packet Filter • Advantages • Simplest firewall architecture • Works at the network layer, so it applies to all systems and protocols • One firewall can cover the entire network • Disadvantages • Can be compromised by many attacks • Source spoofing (the filter trusts the addresses and ports in the packet header) • Stateless: it cannot tell a genuine reply from a forged one, and it sees no application data

  15. Packet Filter - Example (rule table figure not reproduced in the transcript) [2]

  16. Packet Filter - Example (figure not reproduced in the transcript) [2]

  17. Packet Filter - Example • The attack succeeds because of rules B and D • It is more secure to add source ports to the rules

  18. Packet Filter - Example (figure not reproduced in the transcript) [2]

  19. Packet Filter - Example • These packets would still be admitted, because the attacker chooses the source port • To avoid this, add the ACK bit to the rule set [2]

  20. Packet Filter - Example • The attack fails because the ACK bit is not set • Once a TCP connection is established every packet carries ACK, so requiring ACK on incoming TCP packets admits only replies to connections that originated from inside • A packet trying to start a connection from outside is a bare SYN without ACK; it matches no rule and is rejected [2]

  21. TCP ACK for Port Scanning • Attacker sends a packet with ACK set (without any prior handshake) to port p • This violates the TCP protocol, but a stateless packet filter passes the packet because it looks like part of an ongoing connection • The receiver answers with RST, telling the sender the connection should be terminated • The RST reaching the attacker reveals that port p is not blocked by the firewall [1]

  22. TCP ACK Port Scan • The RST confirms that port 1209 is reachable through the firewall (a RST comes back from open and closed ports alike, so the scan maps the firewall's rules rather than listening services) • Problem: packet filtering is stateless; the firewall should track the entire connection exchange [1]

  23. Stateful Packet Filter (diagram: protocol stack application / transport / network / link / physical, with the stateful filter operating at the transport layer) • Remembers the packets of each TCP connection (and their flag bits) • Adds state information to the packet filter • Operates at the transport layer • Pro: keeps track of ongoing connections, so a packet is admitted only if it belongs to a connection the filter saw being opened • Con: slower, more overhead; packet content (application data) is still not inspected [1]
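The rule-set evolution of slides 17-20 and the ACK-scan problem of slides 21-23, worked through as an added example; this is not code from the slides or from the cited references. The rule names B and D, the mail port, the inside address 10.0.0.5, the attacker address 203.0.113.7 and port 1209 are constructed for the demonstration, and the stateful filter's outbound policy is simplified to permit everything from inside.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> internal host, "out" = the reverse
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: PortRange = None
    dst: PortRange = None
    ack: Optional[bool] = None   # None = the ACK flag is not examined

    def matches(self, p: Packet) -> bool:
        def in_range(r: PortRange, port: int) -> bool:
            return r is None or r[0] <= port <= r[1]
        return (p.direction == self.direction
                and in_range(self.src, p.src_port)
                and in_range(self.dst, p.dst_port)
                and (self.ack is None or self.ack == p.ack))


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; an unmatched packet is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return "allow:" + r.name
    return "deny"


MAIL = 25
EPHEMERAL = (1024, 65535)

# Rule set 1 (constructed): inside hosts may reach Internet mail servers and
# get replies, but only the port 25 end of the connection is checked.
RULES_DST_ONLY = [Rule("B", "out", dst=(MAIL, MAIL)),
                  Rule("D", "in", src=(MAIL, MAIL))]
# Rule set 2: both ends of the connection are constrained (source ports added).
RULES_WITH_SRC = [Rule("B", "out", src=EPHEMERAL, dst=(MAIL, MAIL)),
                  Rule("D", "in", src=(MAIL, MAIL), dst=EPHEMERAL)]
# Rule set 3: inbound replies must additionally carry the ACK bit.
RULES_WITH_ACK = [Rule("B", "out", src=EPHEMERAL, dst=(MAIL, MAIL)),
                  Rule("D", "in", src=(MAIL, MAIL), dst=EPHEMERAL, ack=True)]

# Trudy (constructed addresses) spoofs source port 25 to look like a mail
# server's reply and aims at an arbitrary inside port, 1209 as on the slides.
ATTACK_SYN = Packet("in", "203.0.113.7", MAIL, "10.0.0.5", 1209, syn=True)
# The same packet with ACK set and no handshake: the TCP ACK scan.
ATTACK_ACK = Packet("in", "203.0.113.7", MAIL, "10.0.0.5", 1209, ack=True)


class StatefulFilter:
    """Tracks connections opened from inside and admits only their replies."""

    def __init__(self) -> None:
        self.connections = set()   # (src_ip, src_port, dst_ip, dst_port) seen on SYN

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            if p.syn and not p.ack:   # new connection initiated from inside
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"            # simplification: everything outbound is allowed
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reverse in self.connections and p.ack:
            return "allow"
        return "deny"                 # ACK set or not: no known connection, drop it


def attack_outcomes() -> dict:
    """Verdict for each constructed packet under each filter design."""
    stateful = StatefulFilter()
    # A legitimate session: an inside host opens a connection to a mail
    # server, then the server's SYN/ACK comes back.
    stateful.check(Packet("out", "10.0.0.5", 40000, "198.51.100.9", MAIL, syn=True))
    reply = Packet("in", "198.51.100.9", MAIL, "10.0.0.5", 40000, syn=True, ack=True)
    return {
        "syn_vs_dst_only": stateless_filter(RULES_DST_ONLY, ATTACK_SYN),
        "syn_vs_with_src": stateless_filter(RULES_WITH_SRC, ATTACK_SYN),
        "syn_vs_with_ack": stateless_filter(RULES_WITH_ACK, ATTACK_SYN),
        "ack_scan_vs_stateless": stateless_filter(RULES_WITH_ACK, ATTACK_ACK),
        "ack_scan_vs_stateful": stateful.check(ATTACK_ACK),
        "legit_reply_vs_stateful": stateful.check(reply),
    }


if __name__ == "__main__":
    for name, verdict in attack_outcomes().items():
        print(f"{name:24s} -> {verdict}")
```

Rule set 1 and rule set 2 both admit the forged SYN through rule D, rule set 3 rejects it, but the same rule set 3 admits the ACK-only probe because the flag is all a stateless filter can look at; only the stateful filter, which never saw an inside host open a connection to 203.0.113.7, drops it while still admitting the genuine mail server's reply.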

  24. Application Proxy • A proxy acts on behalf of the system being protected • The application proxy examines incoming application data and verifies that it is safe before passing it to the system • Pros • Complete view of the connection and the application data • Can filter bad data (viruses, Word macros) • The incoming packet is terminated at the proxy and a new packet is sent to the internal network • Con • Speed [1]

  25. Firewalk – Port Scanning • Scan ports through a firewall • Requires knowledge of: the IP address of the firewall, the IP address of one system in the internal network, and the number of hops to the firewall • Set TTL (time to live) = hops to firewall + 1 and destination port = p • If the firewall does not pass port p, there is no response • If the firewall passes port p, the TTL expires at the first hop behind the firewall, which returns an ICMP time exceeded message [1]

  26. Firewalk and Proxy Firewall (diagram: Trudy sends probes to destination ports 12343, 12344, 12345 with TTL=4 through three routers to the packet filter; a time exceeded message comes back for the port that is passed) • The attack is stopped by a proxy firewall • The incoming packet is destroyed at the proxy, and its old TTL value with it • The proxy's new outgoing packet carries a fresh TTL, so it does not expire behind the firewall and no time exceeded message leaks back [1]
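The Firewalk scan of slides 25-26, as an added simulation that is not from the slides or the cited references. The path (two routers in front of the firewall), the set of permitted ports and the probe ports are constructed for the demonstration, and the application proxy is modelled simply as discarding the probe's TTL and originating its own packet with a fresh one.

```python
from typing import Optional, Set

# Constructed topology: Trudy -> router1 -> router2 -> firewall -> internal host.
PATH = ["router1", "router2", "firewall", "internal-host"]
FRESH_TTL = 64   # TTL a proxy, being an ordinary host, puts on packets it originates


def send_probe(dst_port: int, ttl: int, firewall_kind: str, allowed_ports: Set[int]) -> str:
    """Trace one probe along PATH and return what the scanner sees come back.

    firewall_kind is "packet_filter" (forwards the original packet unchanged)
    or "proxy" (terminates the connection and sends a new packet inward).
    """
    for hop in PATH:
        ttl -= 1                                      # every hop decrements TTL...
        if ttl == 0:
            return f"ICMP time exceeded from {hop}"   # ...and reports when it expires
        if hop == "firewall":
            if dst_port not in allowed_ports:
                return "no response"                  # filtered port: dropped silently
            if firewall_kind == "proxy":
                ttl = FRESH_TTL                       # old TTL died with the old packet
    return "no response"   # delivered with TTL to spare; nothing tells Trudy anything


def hops_to_firewall(firewall_kind: str, allowed_ports: Set[int], probe_port: int = 80) -> Optional[int]:
    """Traceroute step: raise the TTL until the time exceeded comes from the firewall.

    Firewalk assumes the scanner already knows the firewall's address, which is
    what lets it recognise the firewall's reply; here the hop name stands in.
    """
    for ttl in range(1, len(PATH) + 1):
        if send_probe(probe_port, ttl, firewall_kind, allowed_ports).endswith("from firewall"):
            return ttl
    return None


def firewalk(ports: Set[int], firewall_kind: str, allowed_ports: Set[int]) -> Set[int]:
    """Return the ports the scanner concludes the firewall passes."""
    hops = hops_to_firewall(firewall_kind, allowed_ports)
    if hops is None:
        return set()
    ttl = hops + 1            # expire exactly one hop behind the firewall
    return {p for p in ports
            if send_probe(p, ttl, firewall_kind, allowed_ports).startswith("ICMP time exceeded")}


if __name__ == "__main__":
    permitted = {25, 80}      # constructed policy: the firewall passes SMTP and HTTP
    probes = {22, 25, 80, 443}
    print("hops to firewall:", hops_to_firewall("packet_filter", permitted))
    print("through packet filter:", firewalk(probes, "packet_filter", permitted))
    print("through proxy:        ", firewalk(probes, "proxy", permitted))
```

Against the packet filter the scan reports exactly the permitted ports, because the probe that is forwarded expires one hop later and the internal host's time exceeded message travels back out. Against the proxy every probe comes back "no response": the proxy's own packet starts with a full TTL, so nothing behind the firewall ever reports an expiry.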

  27. Firewalls and Defense in Depth • Example security architecture (diagram): Internet – Packet Filter – DMZ (FTP server, WWW server, DNS server) – Application Proxy – Intranet with Personal Firewalls [1]
