
Network Firewalls


Presentation Transcript


  1. Network Firewalls • John Kristoff • jtk@depaul.edu • +1 312 362-5878 • DePaul University • Chicago, IL 60604

  2. The network is just a highway • How do you secure the highway • Police patrol • Toll booths • Licensed drivers • Vehicle inspections and standards • Rules of the road • Are the highways completely safe now?

  3. What network firewalls do • Define untrusted and trusted boundaries • Inspect traffic traversing firewall boundary • Limit communication traversing boundary • Help shield insecure hosts

  4. Network firewalls illustrated

  5. Key ideas • Firewalls should be unnecessary • They're a network solution to a host problem • They don't solve the real problem and... • ..make it hard/impossible to do certain things • Ultimate control of hosts is out of our hands • Securing a LOT of hosts is hard! • But.. network solutions are *sigh* necessary

  6. Packet filtering firewalls • Filter everything - not very useful • Filter by IP address • Filter by application type (TCP, UDP) • Filter on field/flag settings (source route) • Filter invalid packets (SYN/FIN packets) • Other pattern match
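A toy packet filter that applies the rule types listed on slide 6 (filter by address, by protocol/port, on the source-route field, and on invalid SYN/FIN flag combinations) to constructed packet headers. This is an added example, not code from the presentation; the 10.0.0.0/8 trusted range, the allowed inbound ports and the packet-dict layout are assumptions.

```python
"""Toy packet filter illustrating the rule types on slide 6.

Constructed example, not a real firewall: packets are plain dicts that
carry only the header fields the rules look at."""
from ipaddress import ip_address, ip_network

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Assumed policy: 10.0.0.0/8 is the trusted side; inbound TCP connections
# are accepted only to these ports.
TRUSTED = ip_network("10.0.0.0/8")
ALLOWED_INBOUND_TCP_PORTS = {25, 80, 443}


def is_invalid_flags(flags):
    """Slide 6's 'invalid packets': SYN and FIN together never occur in a
    legitimate TCP exchange, and a segment with no flags at all is bogus."""
    return bool(flags & SYN and flags & FIN) or flags == 0


def decide(pkt):
    """Return ('drop' | 'accept', reason) for one packet dict."""
    src = ip_address(pkt["src"])
    # Filter on field/flag settings: a source-routed packet dictates its own
    # path and is dropped regardless of addresses.
    if pkt.get("source_route"):
        return "drop", "source route option set"
    # Filter by IP address: a trusted-range source arriving from the
    # untrusted side is spoofed.
    if pkt["ingress"] == "untrusted" and src in TRUSTED:
        return "drop", "spoofed trusted source address"
    if pkt["proto"] == "tcp":
        if is_invalid_flags(pkt["flags"]):
            return "drop", "invalid TCP flag combination"
        # Filter by application: only listed ports may receive new inbound
        # connections (SYN without ACK); replies to outbound traffic pass.
        new_conn = pkt["flags"] & SYN and not pkt["flags"] & ACK
        if (pkt["ingress"] == "untrusted" and new_conn
                and pkt["dport"] not in ALLOWED_INBOUND_TCP_PORTS):
            return "drop", f"inbound tcp/{pkt['dport']} not permitted"
        return "accept", "tcp policy match"
    if pkt["proto"] == "udp":
        # Only DNS replies are allowed in from the untrusted side here
        if pkt["ingress"] == "untrusted" and pkt["sport"] != 53:
            return "drop", "inbound udp not permitted"
        return "accept", "udp policy match"
    return "drop", f"protocol {pkt['proto']} not permitted"
```

Each rule returns the reason it matched, which is the minimum a real filter should log for the "reporting, logging and IDS support" mentioned later in the deck.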

  7. Screened subnet implementation

  8. Application Layer Gateway (ALG) • Also commonly called a proxy firewall • These permit no direct communication • Firewall intercepts all traffic in each direction • Very intelligent device... • ...must understand what a user is doing • Difficult to install if it doesn't currently exist

  9. Proxy/ALG illustrated

  10. Other common firewall features • Stateful inspection • Network address translation (NAT) • Authentication (VPNs) • Dynamic triggers • Reporting, logging and IDS support

  11. What can't a network firewall stop? • Bad packets that look good • Denial of service (DoS) attacks • Well, they can stop them at the firewall • But then the firewall has just been DoS'd • Stupid user tricks • Things that go around the firewall • Things that don't cross the firewall boundary

  12. So you're saying...? • It would be nice if all hosts could be secured • Network solutions can help • Malicious insiders can get by anything you got • A holistic approach is needed. Including: • Audits, detection and response • Education • Standards and best practices

  13. What does DePaul do? • We stop some obvious stuff in various places • We're beginning to do more at the edges • Note: the network will be very fast soon... • ...big firewalls get in the way big time • Regardless of what you may have heard... • We're better off than we were 2 years ago • Of course so are the attackers

  14. Final thoughts • Overly secure systems are not at all useful • Big border firewalls are obsolescent • Distributed firewalls are getting a lot of talk • Firewall vendors of course like this approach • You should demand open AND secure access • We can do it, but it ain't gonna be easy • If we fail, the Internet will become very boring

  15. References • http://networks.depaul.edu/security/ • http://condor.depaul.edu/~jkristof/ • news://news.depaul.edu/dpu.security • http://www.cert.org • http://www.sans.org • http://www.cerias.purdue.edu • http://www.neohapsis.com • http://www.lists.gnac.net/firewalls/ • http://www.interhack.net/pubs/fwfaq/
