Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.

Slides:



Advertisements
Similar presentations
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Advertisements

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Guide to Computer Network Security
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 20 Firewalls.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
Intranet, Extranet, Firewall. Intranet and Extranet.
FIREWALL Mạng máy tính nâng cao-V1.
Chapter 6: Packet Filtering
Chapter 11 Firewalls.
Internet and Intranet Fundamentals Class 9 Session A.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Lecture 9 Page 1 CS 136, Fall 2014 Network Security Computer Security Peter Reiher November 4, 2014.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
Firewall Security.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
CSCE 201 Network Security Firewalls Fall CSCE Farkas2 Traffic Control – Firewall Brick wall placed between apartments to prevent the spread.
Lecture 12 Page 1 CS 236 Online Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Firewalls Priyanka Verma & Jessica Wong. What is it? n A firewall is a collection of security measures designed to prevent unauthorised electronic access.
Role Of Network IDS in Network Perimeter Defense.
Lecture 12 Page 1 CS 136, Fall 2011 Network Security, Continued CS 136 Computer Security Peter Reiher November 1, 2011.
Lecture 9 Page 1 CS 136, Spring 2014 Network Security CS 136 Computer Security Peter Reiher May 6, 2014.
Lecture 12 Page 1 CS 236, Spring 2008 Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Lecture 9 Page 1 CS 136, Spring 2016 Network Security Computer Security Peter Reiher April 26, 2016.
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Security fundamentals
Firewall Techniques Matt Cupp.
Network Security Mechanisms
Some Important Network Characteristics for Security
Outline What is a firewall? Types of firewalls
Encryption and Network Security
Click to edit Master subtitle style
Introduction to Networking
Firewalls.
6.6 Firewalls Packet Filter (=filtering router)
Firewalls Purpose of a Firewall Characteristic of a firewall
Firewalls Jiang Long Spring 2002.
دیواره ی آتش.
Firewall.
Firewalls.
Firewalls Chapter 8.
Introduction to Network Security
Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Session 20 INST 346 Technologies, Infrastructure and Architecture
6. Application Software Security
Implementing Firewalls
Outline The concept of perimeter defense and networks Firewalls.
Presentation transcript:

Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits between a LAN/WAN and the Internet Running special software to regulate network traffic

Lecture 9 Page 2 CS 236 Online Typical Use of a Firewall Local Network The Internet ??? Firewall ???

Lecture 9 Page 3 CS 236 Online Firewalls and Perimeter Defense Firewalls implement a form of security called perimeter defense Protect the inside of something by defending the outside strongly –The firewall machine is often called a bastion host Control the entry and exit points If nothing bad can get in, I’m safe, right?

Lecture 9 Page 4 CS 236 Online Weaknesses of Perimeter Defense Models Breaching the perimeter compromises all security Windows passwords are a form of perimeter defense –If you get past the password, you can do anything Perimeter defense is part of the solution, not the entire solution

Lecture 9 Page 5 CS 236 Online Weaknesses of Perimeter Defense

Lecture 9 Page 6 CS 236 Online Defense in Depth An old principle in warfare Don’t rely on a single defensive mechanism or defense at a single point Combine different defenses Defeating one defense doesn’t defeat your entire plan

Lecture 9 Page 7 CS 236 Online So What Should Happen?

Lecture 9 Page 8 CS 236 Online Or, Better

Lecture 9 Page 9 CS 236 Online Or, Even Better

Lecture 9 Page 10 CS 236 Online So Are Firewalls Any Use? Definitely! They aren’t the full solution, but they are absolutely part of it Anyone who cares about security needs to run a decent firewall They just have to do other stuff, too

Lecture 9 Page 11 CS 236 Online The Brass Tacks of Firewalls What do they really do? Examine each incoming packet Decide to let the packet through or drop it –Criteria could be simple or complex Perhaps log the decision Maybe send rejected packets elsewhere Pretty much all there is to it

Lecture 9 Page 12 CS 236 Online Types of Firewalls Filtering gateways –AKA screening routers Application level gateways –AKA proxy gateways Reverse firewalls

Lecture 9 Page 13 CS 236 Online Filtering Gateways Based on packet header information –Primarily, IP addresses, port numbers, and protocol numbers Based on that information, either let the packet through or reject it Stateless firewalls

Lecture 9 Page 14 CS 236 Online Example Use of Filtering Gateways Allow particular external machines to telnet into specific internal machines –Denying telnet to other machines Or allow full access to some external machines And none to others

Lecture 9 Page 15 CS 236 Online A Fundamental Problem IP addresses can be spoofed If your filtering firewall trusts packet headers, it offers little protection Situation may be improved by IPsec –But hasn’t been yet Firewalls can perform the ingress/egress filtering discussed earlier

Lecture 9 Page 16 CS 236 Online Filtering Based on Ports Most incoming traffic is destined for a particular machine and port –Which can be derived from the IP and TCP headers Only let through packets to select machines at specific ports Makes it impossible to externally exploit flaws in little-used ports –If you configure the firewall right...

Lecture 9 Page 17 CS 236 Online Pros and Cons of Filtering Gateways +Fast +Cheap +Flexible +Transparent –Limited capabilities –Dependent on header authentication –Generally poor logging –May rely on router security

Lecture 9 Page 18 CS 236 Online Application Level Gateways Also known as proxy gateways Firewalls that understand the application- level details of network traffic –To some degree Traffic is accepted or rejected based on the probable results of accepting it Stateful firewalls

Lecture 9 Page 19 CS 236 Online How Application Level Gateways Work The firewall serves as a general framework Various proxies are plugged into the framework Incoming packets are examined –Handed to the appropriate proxy Proxy typically accepts or rejects

Lecture 9 Page 20 CS 236 Online Deep Packet Inspection Another name for typical activity of application level firewalls Looking into packets beyond their headers –Especially the IP header “Deep” sometimes also means deeper understanding of what’s going on –Though not always

Lecture 9 Page 21 CS 236 Online Firewall Proxies Programs capable of understanding particular kinds of traffic –E.g., FTP, HTTP, videoconferencing Proxies are specialized A good proxy has deep understanding of the network application Typically limited by complexity and performance issues

Lecture 9 Page 22 CS 236 Online Pros and Cons of Application Level Gateways +Highly flexible +Good logging +Content-based filtering +Potentially transparent –Slower –More complex and expensive –Highly dependent on proxy quality

Lecture 9 Page 23 CS 236 Online Reverse Firewalls Normal firewalls keep stuff from the outside from getting inside Reverse firewalls keep stuff from the insider from getting outside Often colocated with regular firewalls Why do we need them?

Lecture 9 Page 24 CS 236 Online Possible Uses of Reverse Firewalls Concealing details of your network from attackers Preventing compromised machines from sending things out –E.g., intercepting bot communications or stopping DDoS –Preventing data exfiltration

Lecture 9 Page 25 CS 236 Online Firewall Characteristics Statefulness Transparency Handling authentication Handling encryption

Lecture 9 Page 26 CS 236 Online Stateful Firewalls Much network traffic is connection- oriented –E.g., telnet and videoconferencing Proper handling of that traffic requires the firewall to maintain state But handling information about connections is more complex

Lecture 9 Page 27 CS 236 Online Firewalls and Transparency Ideally, the firewall should be invisible –Except when it vetoes access Users inside should be able to communicate outside without knowing about the firewall External users should be able to invoke internal services transparently

Lecture 9 Page 28 CS 236 Online Firewalls and Authentication Many systems want to give special privileges to specific sites or users Firewalls can only support that to the extent that strong authentication is available –At the granularity required For general use, may not be possible –In current systems

Lecture 9 Page 29 CS 236 Online Firewalls and Encryption Firewalls provide no confidentiality Unless the data is encrypted But if the data is encrypted, the firewall can’t examine it So typically the firewall must be able to decrypt –Or only work on unencrypted parts of packets Can decrypt, analyze, and re-encrypt