Lecture 12 Page 1 CS 236, Spring 2008 Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Slides:



Advertisements
Similar presentations
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Advertisements

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Chapter 11 Firewalls.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Chapter 20 Firewalls.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
Intranet, Extranet, Firewall. Intranet and Extranet.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
1 Chapter 20: Firewalls Fourth Edition by William Stallings Lecture slides by Lawrie Brown(modified by Prof. M. Singhal, U of Kentucky)
Internet and Intranet Fundamentals Class 9 Session A.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Lecture 9 Page 1 CS 136, Fall 2014 Network Security Computer Security Peter Reiher November 4, 2014.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Lecture 13 Page 1 CS 136, Spring 2009 Network Security: Firewalls continued, VPNS, Honeypots CS 136 Computer Security Peter Reiher May 14, 2009.
Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
Firewall Security.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
Security fundamentals Topic 10 Securing the network perimeter.
Lecture 12 Page 1 CS 236 Online Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Role Of Network IDS in Network Perimeter Defense.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 12 Page 1 CS 136, Fall 2011 Network Security, Continued CS 136 Computer Security Peter Reiher November 1, 2011.
Cryptography and Network Security
Lecture 9 Page 1 CS 136, Spring 2014 Network Security CS 136 Computer Security Peter Reiher May 6, 2014.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Lecture 9 Page 1 CS 136, Spring 2016 Network Security Computer Security Peter Reiher April 26, 2016.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Security fundamentals
Some Important Network Characteristics for Security
Outline What is a firewall? Types of firewalls
Firewall Configuration and Administration
Introduction to Networking
Firewalls.
Network Security: Firewalls continued, Virtual Private Networks, and Honeypots CS 136 Computer Security Peter Reiher February 18, 2010.
Firewalls Jiang Long Spring 2002.
Firewalls.
Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
6. Application Software Security
Implementing Firewalls
Outline The concept of perimeter defense and networks Firewalls.
Presentation transcript:

Lecture 12 Page 1 CS 236, Spring 2008 Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008

Lecture 12 Page 2 CS 236, Spring 2008 Firewalls “A system or combination of systems that enforces a boundary between two or more networks” - NCSA Firewall Functional Summary Usually, a computer that keeps the bad guys out

Lecture 12 Page 3 CS 236, Spring 2008 Typical Use of a Firewall Local Network The Internet ??? Firewall ???

Lecture 12 Page 4 CS 236, Spring 2008 What Is a Firewall, Really? Typically a machine that sits between a LAN/WAN and the Internet Running special software That somehow regulates network traffic between the LAN/WAN and the Internet

Lecture 12 Page 5 CS 236, Spring 2008 Firewalls and Perimeter Defense Firewalls implement a form of security called perimeter defense Protect the inside of something by defending the outside strongly –The firewall machine is often called a bastion host Control the entry and exit points If nothing bad can get in, I’m safe, right?

Lecture 12 Page 6 CS 236, Spring 2008 Weaknesses of Perimeter Defense Models Breaching the perimeter compromises all security Windows passwords are a form of perimeter defense –If you get past the password, you can do anything Perimeter defense is part of the solution, not the entire solution

Lecture 12 Page 7 CS 236, Spring 2008 Weaknesses of Perimeter Defense

Lecture 12 Page 8 CS 236, Spring 2008 Defense in Depth An old principle in warfare Don’t rely on a single defensive mechanism or defense at a single point Combine different defenses Defeating one defense doesn’t defeat your entire plan

Lecture 12 Page 9 CS 236, Spring 2008 So What Should Happen?

Lecture 12 Page 10 CS 236, Spring 2008 Or, Better

Lecture 12 Page 11 CS 236, Spring 2008 Or, Even Better

Lecture 12 Page 12 CS 236, Spring 2008 So Are Firewalls Any Use? Definitely! They aren’t the full solution, but they are absolutely part of it Anyone who cares about security needs to run a decent firewall They just have to do other stuff, too 97% of respondents in 2007 CSI/FBI survey say they use firewalls

Lecture 12 Page 13 CS 236, Spring 2008 Types of Firewalls Filtering gateways –AKA screening routers Application level gateways –AKA proxy gateways

Lecture 12 Page 14 CS 236, Spring 2008 Filtering Gateways Based on packet routing information Look at information in the incoming packets’ headers Based on that information, either let the packet through or reject it

Lecture 12 Page 15 CS 236, Spring 2008 Example Use of Filtering Gateways Allow particular external machines to telnet into specific internal machines –Denying telnet to other machines Or allow full access to some external machines And none to others

Lecture 12 Page 16 CS 236, Spring 2008 A Fundamental Problem IP addresses can be spoofed If your filtering firewall trusts packet headers, it offers little protection Situation may be improved by IPsec –But hasn’t been yet Firewalls can perform the ingress/egress filtering discussed earlier

Lecture 12 Page 17 CS 236, Spring 2008 Filtering Based on Ports Most incoming traffic is destined for a particular machine and port –Which can be derived from the IP and TCP headers Only let through packets to select machines at specific ports Makes it impossible to externally exploit flaws in little-used ports –If you configure the firewall right...

Lecture 12 Page 18 CS 236, Spring 2008 Pros and Cons of Filtering Gateways +Fast +Cheap +Flexible +Transparent –Limited capabilities –Dependent on header authentication –Generally poor logging –May rely on router security

Lecture 12 Page 19 CS 236, Spring 2008 Application Level Gateways Also known as proxy gateways and stateful firewalls Firewalls that understand the application- level details of network traffic –To some degree Traffic is accepted or rejected based on the probable results of accepting it

Lecture 12 Page 20 CS 236, Spring 2008 How Application Level Gateways Work The firewall serves as a general framework Various proxies are plugged into the framework Incoming packets are examined –And handled by the appropriate proxy

Lecture 12 Page 21 CS 236, Spring 2008 Firewall Proxies Programs capable of understanding particular kinds of traffic –E.g., FTP, HTTP, videoconferencing Proxies are specialized A good proxy must have deep understanding of the network application

Lecture 12 Page 22 CS 236, Spring 2008 An Example Proxy A proxy to audit What might such a proxy do? –Only allow from particular users through –Or refuse from known spam sites –Or filter out with unsafe inclusions (like executables)

Lecture 12 Page 23 CS 236, Spring 2008 What Are the Limits of Proxies? Proxies can only test for threats they understand Either they must permit a very limited set of operations Or they must have deep understanding of the program they protect –If too deep, they may share the flaw Performance limits on how much work they can do on certain types of packets

Lecture 12 Page 24 CS 236, Spring 2008 Pros and Cons of Application Level Gateways +Highly flexible +Good logging +Content-based filtering +Potentially transparent –Slower –More complex and expensive –A good proxy is hard to find

Lecture 12 Page 25 CS 236, Spring 2008 More Firewall Topics Statefulness Transparency Handling authentication Handling encryption Looking for viruses

Lecture 12 Page 26 CS 236, Spring 2008 Stateful Firewalls Much network traffic is connection- oriented –E.g., telnet and videoconferencing Proper handling of that traffic requires the firewall to maintain state But handling information about connections is more complex

Lecture 12 Page 27 CS 236, Spring 2008 Firewalls and Transparency Ideally, the firewall should be invisible –Except when it vetoes access Users inside should be able to communicate outside without knowing about the firewall External users should be able to invoke internal services transparently

Lecture 12 Page 28 CS 236, Spring 2008 Firewalls and Authentication Many systems want to allow specific sites or users special privileges Firewalls can only support that to the extent that strong authentication is available –At the granularity required For general use, may not be possible –In current systems

Lecture 12 Page 29 CS 236, Spring 2008 Firewalls and Encryption Firewalls provide no confidentiality Unless the data is encrypted But if the data is encrypted, the firewall can’t examine it So typically the firewall must be able to decrypt –Or only work on unencrypted parts of packets Can decrypt, analyze, and re-encrypt

Lecture 12 Page 30 CS 236, Spring 2008 Firewalls and Viruses Firewalls are an excellent place to check for viruses –Only one place needs to be updated Virus detection software can be run on incoming executables Requires that firewall knows when executables come in And must be reasonably fast Again, might be issues with encryption

Lecture 12 Page 31 CS 236, Spring 2008 Firewall Configuration and Administration Again, the firewall is the point of attack for intruders Thus, it must be extraordinarily secure How do you achieve that level of security?

Lecture 12 Page 32 CS 236, Spring 2008 Firewall Location Clearly, between you and the bad guys But you may have some very different types of machines/functionalities Sometimes makes sense to divide your network into segments –Most typically, less secure public network and more secure internal network –Using separate firewalls

Lecture 12 Page 33 CS 236, Spring 2008 Firewall Hardening Devote a special machine only to firewall duties Alter OS operations on that machine –To allow only firewall activities –And to close known vulnerabilities Strictly limit access to the machine –Both login and remote execution

Lecture 12 Page 34 CS 236, Spring 2008 Firewalls and Logging The firewall is the point of attack for intruders Logging activities there is thus vital The more logging, the better Should log what the firewall allows And what it denies Tricky to avoid information overload

Lecture 12 Page 35 CS 236, Spring 2008 Keep Your Firewall Current New vulnerabilities are discovered all the time Must update your firewall to fix them Even more important, sometimes you have to open doors temporarily –Make sure you shut them again later Can automate some updates to firewalls How about getting rid of old stuff?

Lecture 12 Page 36 CS 236, Spring 2008 Closing the Back Doors Firewall security is based on assumption that all traffic goes through the firewall So be careful with: –Modem connections –Wireless connections –Portable computers Put a firewall at every entry point to your network And make sure all your firewalls are up to date

Lecture 12 Page 37 CS 236, Spring 2008 What About Portable Computers? Local Café BobCarolXavierAlice

Lecture 12 Page 38 CS 236, Spring 2008 Now Bob Goes To Work... Bob’s Office Worker Bob

Lecture 12 Page 39 CS 236, Spring 2008 How To Handle This Problem? Essentially quarantine the portable computer until it’s safe Don’t permit connection to wireless access point until you’re satisfied that the portable is safe UCLA did it first with QED Now very common in Cisco, Microsoft, and other companies’ products –Network access control

Lecture 12 Page 40 CS 236, Spring 2008 Microsoft Network Access Protection In recent Microsoft OS platforms –Vista, XP service pack 3,Server 2008 Allows administrators to specify policies governing machines on network Automatically checks “health” of machines –If non-compliant, can provide updates Can limit access until compliant Highly configurable and customizable

Lecture 12 Page 41 CS 236, Spring 2008 How To Tell When It’s Safe? Local network needs to examine the quarantined device Looking for evidence of worms, viruses, etc. If any are found, require decontamination before allowing the portable machine access

Lecture 12 Page 42 CS 236, Spring 2008 Single Machine Firewalls Instead of separate machine protecting network, A machine puts software between the outside world and the rest of machine Under its own control To protect itself Available on most modern systems

Lecture 12 Page 43 CS 236, Spring 2008 Pros and Cons of Individual Firewalls +Customized to particular machine +Under machine owner’s control +Provides defense in depth −Only protects that machine −Less likely to be properly configured Generally considered a good idea

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.