CIT 480: Securing Computer Systems


Firewalls

Topics

- What is a firewall?
- Types of firewalls: packet filters (stateless), stateful firewalls, proxy servers, application layer firewalls
- Configuring the Linux firewall
- Firewall architectures and DMZs

What is a Firewall?

A software or hardware component that restricts network communication between two computers or networks. In buildings, a firewall is a fireproof wall that restricts the spread of a fire; a network firewall likewise prevents threats from spreading from one network to another.

Internet Firewalls

Many organizations and individuals deploy a firewall to restrict access to their network from the Internet. (Fig 1.1, Building Internet Firewalls, 2nd ed.)

What is a Firewall? (2)

A security control that enforces network policy:
- A choke point that all traffic has to flow through.
- Access control lists (ACLs) applied at the host or network level.

Policy decisions:
- What traffic should be allowed into the network?
  - Integrity: protect the integrity of internal systems.
  - Availability: protection from DoS attacks.
- What traffic should be allowed out?
  - Confidentiality: protection from data leakage.

Firewall Policies

- Blacklist (default allow): specify the traffic to be blocked; let everything else through.
- Whitelist (default deny): specify the traffic to be accepted; block everything else.

Whitelisting is the fail-safe choice: traffic nobody thought about is blocked rather than allowed, and a new service is only reachable once someone deliberately opens it.

Types of Firewalls

- Packet filters (stateless): apply access rules to individual packets. Most routers have this capability.
- Stateful filters: apply access rules to network flows or sessions. Must maintain a table of active flows.
- Application layer firewalls: a proxy server that relays byte streams from client to server and vice versa. Inspects application headers for undesirable sites and application data for undesirable content (malware, etc.).

Stateless Firewalls

A stateless firewall doesn't maintain any remembered context (or "state") about the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation, without considering packets that it has processed previously.

Example: a client on the trusted internal network opens a web connection to an outside server through the firewall.
- Client -> Server: SYN, Seq = x, destination port 80
- Server -> Client: SYN-ACK, Seq = y, Ack = x + 1, source port 80
- Client -> Server: ACK, Seq = x + 1, Ack = y + 1

Stateless rules needed to permit this exchange:
- Allow outbound SYN packets with destination port 80.
- Allow inbound SYN-ACK packets with source port 80.

Stateless Restrictions

Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.

Example: an attacker outside sends SYN, Seq = y, destination port 80 toward the internal client.
- Allow outbound SYN packets with destination port 80.
- Drop inbound SYN packets.
- Allow inbound SYN-ACK packets with source port 80.

The attacker's SYN is blocked by the second rule. But the firewall has no way to tell a legitimate SYN-ACK reply from a SYN-ACK (or ACK) an attacker sends with source port 80, so such packets still reach internal hosts.

Packet Filtering Information

Forward or drop packets based on TCP/IP header information, most often:
- IP source and destination addresses
- Protocol (ICMP, TCP, or UDP)
- TCP/UDP source and destination ports
- TCP flags, especially SYN and ACK
- ICMP message type

Multi-homed hosts also make decisions based on:
- The network interface the packet arrived on.
- The network interface the packet will depart on.

Stateful Firewall Example

Rule: allow outbound TCP sessions with destination port 80.

- Client (128.34.78.55) -> Server (76.120.54.101): SYN, Seq = x, destination port 80. The firewall checks the rule and records the session in its state table: established TCP session (128.34.78.55, 76.120.54.101).
- Server -> Client: SYN-ACK, Seq = y, Ack = x + 1. Matches the state table entry; allowed.
- Client -> Server: ACK, Seq = x + 1, Ack = y + 1. Matches the state table entry; allowed.
- Attacker -> Client: no matching entry in the state table; blocked.

Stateful Packet Filters

Identify network flows by:
- Protocol (TCP, UDP)
- Source IP address
- Source port
- Destination IP address
- Destination port

Apply access rules on the initial connection. Check whether later packets are part of an existing flow, and apply the same decision to them.
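The contrast between the stateless and stateful filters on the preceding slides, as an added example written for these notes (not code from the original slides). The internal client 128.34.78.55 and web server 76.120.54.101 are the slides' addresses; the attacker address 203.0.113.7 (RFC 5737 documentation range), the client port 51234 and the probed port 22 are assumptions. The stateless rule generalizes the slides' two rules slightly: outbound traffic to port 80 is allowed, and inbound traffic from port 80 is allowed only when the ACK bit is set, which is how a stateless filter blocks inbound connection attempts while letting replies through.

```python
"""Stateless versus stateful filtering of the TCP handshake from the slides.
Teaching model with constructed packets, not a real firewall. Addresses
128.34.78.55 (internal client) and 76.120.54.101 (web server) come from the
slides; 203.0.113.7 (the attacker) is assumed."""
from dataclasses import dataclass

INTERNAL_CLIENT = "128.34.78.55"
WEB_SERVER = "76.120.54.101"
ATTACKER = "203.0.113.7"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # "SYN", "SYN-ACK" or "ACK"
    outbound: bool    # True when leaving the trusted internal network


def stateless_filter(pkt):
    """Each packet is judged on its own header: outbound to port 80 allowed,
    inbound from port 80 allowed only with ACK set (a bare inbound SYN, i.e.
    a new connection attempt, is dropped)."""
    if pkt.outbound and pkt.dport == 80:
        return "ACCEPT"
    if not pkt.outbound and pkt.sport == 80 and "ACK" in pkt.flags:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Policy: allow outbound TCP sessions to port 80. The first packet of a
    session is checked against the policy; later packets are allowed only if
    they belong to a session recorded in the state table."""

    def __init__(self):
        self.flows = set()   # (client, client port, server, server port)

    def filter(self, pkt):
        if pkt.outbound and pkt.flags == "SYN" and pkt.dport == 80:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"                          # new session, recorded
        if pkt.outbound and (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "ACCEPT"                          # more of a known session
        if not pkt.outbound and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"                          # reply to a known session
        return "DROP"                                # no session in the table


def run_scenario():
    """Handshake with the web server, then two probes from the attacker.
    Returns (stateless, stateful) verdicts for every packet."""
    handshake = [
        Pkt(INTERNAL_CLIENT, WEB_SERVER, 51234, 80, "SYN", True),
        Pkt(WEB_SERVER, INTERNAL_CLIENT, 80, 51234, "SYN-ACK", False),
        Pkt(INTERNAL_CLIENT, WEB_SERVER, 51234, 80, "ACK", True),
    ]
    probes = {
        # connection attempt against an internal service: both filters drop it
        "attacker_syn": Pkt(ATTACKER, INTERNAL_CLIENT, 80, 22, "SYN", False),
        # forged "reply" with source port 80: passes the stateless filter
        "attacker_syn_ack": Pkt(ATTACKER, INTERNAL_CLIENT, 80, 22, "SYN-ACK", False),
    }
    stateful = StatefulFilter()
    results = {"handshake": [(stateless_filter(p), stateful.filter(p)) for p in handshake]}
    for name, p in probes.items():
        results[name] = (stateless_filter(p), stateful.filter(p))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: (stateless, stateful) = {verdict}")
```

The forged SYN-ACK is what an ACK scan exploits: a stateless filter must admit any inbound packet that looks like a reply, so an attacker can reach internal hosts and map which ports answer with a RST. The stateful filter drops it because no internal host opened a session to the attacker.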

Netfilter and IPtables

Netfilter is the packet filtering framework inside the Linux kernel; iptables is the user-space command used to configure it.
- Tables do specific tasks such as filtering or NAT.
- Each table consists of one or more chains of rules.
- Chains can be built-in or user defined.

Filter Table Built-In Chains

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

INPUT sees packets addressed to this host, FORWARD packets routed through it, and OUTPUT packets generated locally. Empty chains with policy ACCEPT, as shown here, mean nothing is filtered yet.

Chains are Lists of Rules

A packet traverses a chain sequentially until:
- A rule matches the packet and makes a final decision to ACCEPT, DROP, or REJECT it.
- A rule matches the packet and sends it to another (user-defined) chain.
- The end of the chain is reached.

If the end is reached, the packet either:
- Returns to the calling chain and continues with the rule after the one that jumped (user-defined chains).
- Is handled by the default policy of the chain (built-in chains).

Order matters: the first matching rule with a final target decides, so a broad ACCEPT placed early hides every more specific rule below it.

Chain Configuration

Append a rule to a chain:
    iptables -A chain firewall-rule

List the rules in a chain:
    iptables -L chain

Delete a rule from a chain:
    iptables -D chain rule-number

Set the chain's default policy:
    iptables -P chain DROP

or append a rule that drops all packets to the end of the chain:
    iptables -A chain -j DROP

A default policy applies no matter what is added later; a trailing drop-all rule is bypassed by any rule appended after it, so prefer the policy.

Packet Matching Options

- -p: protocol (tcp, udp, icmp, etc.)
- -s: source IP address(es), optionally with a /prefix length
- -d: destination IP address(es)
- -i / -o: input / output network interface (-i is valid in INPUT and FORWARD, -o in FORWARD and OUTPUT)
- --sport: source port (requires -p tcp or -p udp)
- --dport: destination port (requires -p tcp or -p udp)

Stateful Matching Options

- -m state: enable stateful matching for the rule, using the kernel's connection tracking (the newer equivalent is -m conntrack --ctstate).
- --state NEW: the packet starts a connection that is not yet in the state table. For TCP this is normally the SYN; conntrack adds the connection (IPs, ports) to its table. By default conntrack also classifies a mid-stream non-SYN packet with no table entry as NEW, so a rule that should admit only handshakes also matches --syn (-p tcp --syn).
- --state ESTABLISHED: the packet belongs to a connection already in the state table, matched on source IP, source port, destination IP and destination port in either direction.
- --state RELATED: the packet starts a new connection associated with an existing one (for example an ICMP error, or an FTP data connection).

Rule Targets

- ACCEPT: let the packet through.
- DROP: do not let the packet through; the sender gets no response.
- REJECT: do not let the packet through, and send an ICMP error (or, with --reject-with tcp-reset, a TCP RST) back to the sender.
- RETURN: stop processing on this chain and return to the next rule in the calling chain. In a built-in chain, RETURN applies the chain's default policy.
- chain: continue processing the packet with the named user-defined chain.

Writing Firewall Rules

Allow incoming SSH using stateful rules:
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow the server to be pinged:
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

These ACCEPT rules only restrict anything if the chain's default policy is DROP (or a final drop-all rule exists); with the default ACCEPT policy they are no-ops. Before switching INPUT to a DROP policy, accept loopback traffic and ESTABLISHED,RELATED packets, or the remote session being used to configure the firewall will be cut off.

Ingress/Egress Filtering

Block spoofed IP addresses:
- Ingress filtering: drop packets arriving on the external interface whose source IP address claims to be from the internal network.
- Egress filtering: drop packets arriving on the internal interface whose source IP address is not from the internal network.
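The chain traversal rules, matching options, targets and ingress filtering of the preceding slides, exercised together in one added example written for these notes (not code from the slides and not real iptables): a small model that parses a ruleset in iptables-save format and walks constructed packets through it. The ruleset, the external interface name eth0, the internal network 128.34.78.0/24 and all packets are constructed for the example. Each packet carries the state that connection tracking would have assigned to it, because -m state only matches on that classification; the model does not track connections itself.

```python
"""Model of netfilter chain traversal: parse an iptables-save ruleset and run
constructed packets through it. Teaching model written for these notes, not
real iptables. The ruleset, interfaces and addresses are constructed; each
packet carries the state conntrack would assign (what -m state matches on)."""
import ipaddress
import shlex
from dataclasses import dataclass

# Default-deny INPUT; user chain ANTISPOOF does ingress filtering on the assumed
# external interface eth0; 128.34.78.0/24 is the assumed internal network.
RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ANTISPOOF - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ANTISPOOF
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 23 -j REJECT
-A ANTISPOOF -s 128.34.78.0/24 -j DROP
-A ANTISPOOF -s 127.0.0.0/8 -j DROP
-A ANTISPOOF -j RETURN
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SIMPLE = {"-i": "iface", "-p": "proto", "--icmp-type": "icmp_type"}
PORTS = {"--sport": "sport", "--dport": "dport"}


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""
    state: str = "NEW"        # conntrack's classification of this packet


def parse_ruleset(text):
    """Return (policies, chains): default policy per chain (None for user-defined
    chains) and each chain's ordered rules as (target, match-dict) pairs."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):                   # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A"):                # "-A CHAIN matches... -j TARGET"
            tok = shlex.split(line)
            target, match = "", {}
            for opt, val in zip(tok[2::2], tok[3::2]):
                if opt == "-j":
                    target = val
                elif opt in ("--state", "--ctstate"):
                    match["state"] = set(val.split(","))
                elif opt != "-m":                  # "-m state" only loads the module
                    match[opt] = val
            chains[tok[1]].append((target, match))
    return policies, chains


def matches(match, pkt):
    """True when every criterion in the rule's match dict holds for the packet."""
    for opt, attr in SIMPLE.items():
        if opt in match and getattr(pkt, attr) != match[opt]:
            return False
    for opt, attr in PORTS.items():
        if opt in match and getattr(pkt, attr) != int(match[opt]):
            return False
    for opt, addr in (("-s", pkt.src), ("-d", pkt.dst)):
        if opt in match and ipaddress.ip_address(addr) not in ipaddress.ip_network(match[opt]):
            return False
    return "state" not in match or pkt.state in match["state"]


def traverse(chains, chain, pkt):
    """Walk a chain in order: the first matching terminal target wins; a user
    chain is entered and, if it decides nothing, traversal resumes here;
    RETURN or the end of the chain yields None."""
    for target, match in chains[chain]:
        if not matches(match, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = traverse(chains, target, pkt)
        if verdict is not None:
            return verdict
    return None


POLICIES, CHAINS = parse_ruleset(RULESET)


def decide(pkt, chain="INPUT"):
    """Verdict for a packet entering a built-in chain: the traversal's decision,
    or the chain's default policy when the end is reached."""
    verdict = traverse(CHAINS, chain, pkt)
    return verdict if verdict is not None else POLICIES[chain]
```

Tracing a packet from 128.34.78.9 arriving on eth0 shows the ingress filter at work: the jump to ANTISPOOF happens before the ESTABLISHED rule, the spoofed internal source hits the first DROP in the user chain, and that verdict propagates back without the rest of INPUT ever being consulted. A legitimate outside address falls through ANTISPOOF to RETURN, so INPUT continues with the next rule.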

Packet Filtering Summary

Advantages:
- One packet filter can protect an entire network.
- Cheap and efficient (requires little CPU).
- Supported by most routers.

Disadvantages:
- Difficult to configure correctly: the rule set must be considered in its entirety.
- Difficult to test completely.
- Performance penalty for complex rulesets; stateful packet filtering is much more expensive.
- Enforces ACLs at layers 3 and 4 without knowing any application details.

Proxy Servers

The proxy host relays transport- or application-layer connections:
- The packet filter blocks direct connections.
- The client makes a connection to the proxy.
- The proxy forwards the connection to the server.

A proxy can provide multiple security features:
- Access control
- Authentication
- Logging
- Anonymity

Example: SOCKS v5

- SOCKS server.
- SOCKS client library: clients must be linked against the library, which offers replacements for the UNIX network socket system calls (connect, bind, etc.); SOCKS-aware applications can speak the protocol directly instead.
- User authentication protocols: cleartext username/password (RFC 1929); GSS-API authentication (RFC 1961).
- Specified in RFC 1928.

Proxy Servers

Advantages:
- User-level authentication is possible.
- Efficient logging, as the proxy deals with circuit connections instead of individual packets.

Disadvantages:
- Clients have to be recompiled or reconfigured to use the proxy service.
- Some services can't be proxied.
- Cannot protect you from all protocol weaknesses.
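The SOCKS v5 exchange and the user-level access control and logging it makes possible, as an added example written for these notes (not code from the slides or from any SOCKS implementation): the proxy-side parsing of the client greeting, the RFC 1929 username/password sub-negotiation and the CONNECT request, with a per-user policy on destination ports and a log line per decision. The user names, passwords, policy, destination hosts and the bind address 10.0.0.1:40000 returned on success are all constructed; the messages are byte strings, so nothing touches the network.

```python
"""SOCKS5 as a proxy sees it (RFC 1928, username/password per RFC 1929): parse
the client's messages, apply a per-user access policy to the requested
destination, log the decision and build the replies. Added example for these
notes, not SOCKS reference code; credentials, policy and addresses are
constructed. Works on byte strings only."""
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

USERS = {"alice": "s3cret", "bob": "hunter2"}      # constructed credentials
POLICY = {"alice": {80, 443}, "bob": {443}}         # allowed destination ports per user


def select_method(greeting):
    """Greeting: VER | NMETHODS | METHODS. Reply VER | METHOD; insist on user/pass."""
    ver, nmethods = greeting[0], greeting[1]
    if ver != SOCKS_VERSION or len(greeting) != 2 + nmethods:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:2 + nmethods])
    chosen = METHOD_USERPASS if METHOD_USERPASS in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def authenticate(msg):
    """RFC 1929: VER=1 | ULEN | UNAME | PLEN | PASSWD. Returns (reply, user or None)."""
    if msg[0] != 0x01:
        raise ValueError("bad auth sub-negotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    passwd = msg[3 + ulen:3 + ulen + plen].decode()
    ok = USERS.get(user) == passwd   # real code: hashed storage, constant-time compare
    return bytes([0x01, 0x00 if ok else 0x01]), (user if ok else None)


def parse_request(msg):
    """Request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT -> (cmd, host, port)."""
    ver, cmd, _rsv, atyp = msg[0], msg[1], msg[2], msg[3]
    if ver != SOCKS_VERSION:
        raise ValueError("bad version")
    if atyp == ATYP_IPV4:
        host, rest = ".".join(str(b) for b in msg[4:8]), msg[8:]
    elif atyp == ATYP_DOMAIN:                      # the proxy sees the hostname itself
        n = msg[4]
        host, rest = msg[5:5 + n].decode(), msg[5 + n:]
    else:
        return cmd, None, None                     # IPv6 left out of this example
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, host, port


def reply(rep, bind_addr="0.0.0.0", bind_port=0):
    """Reply: VER | REP | RSV | ATYP=IPv4 | BND.ADDR | BND.PORT."""
    addr = bytes(int(octet) for octet in bind_addr.split("."))
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + addr + struct.pack("!H", bind_port)


def handle_request(user, msg, log):
    """Access control and logging at the proxy; returns the reply bytes."""
    cmd, host, port = parse_request(msg)
    if host is None:
        log.append(f"{user} ATYP unsupported")
        return reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        log.append(f"{user} cmd {cmd} unsupported")
        return reply(REP_CMD_UNSUPPORTED)
    if port not in POLICY.get(user, set()):
        log.append(f"{user} DENY {host}:{port}")
        return reply(REP_NOT_ALLOWED)
    log.append(f"{user} ALLOW {host}:{port}")
    # a real proxy would connect to host:port here and report the bound address
    return reply(REP_SUCCESS, "10.0.0.1", 40000)   # assumed bind address


def connect_request(host, port):
    """Client-side: build a CONNECT request with a domain-name destination."""
    name = host.encode()
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def session():
    """Full exchange for alice: greeting, auth, one allowed and one denied CONNECT."""
    log = []
    method = select_method(bytes([SOCKS_VERSION, 2, METHOD_NO_AUTH, METHOD_USERPASS]))
    auth_reply, user = authenticate(bytes([0x01, 5]) + b"alice" + bytes([6]) + b"s3cret")
    allowed = handle_request(user, connect_request("example.com", 443), log)
    denied = handle_request(user, connect_request("mail.example.com", 25), log)
    return method, auth_reply, user, allowed, denied, log
```

Two things a packet filter cannot do are visible here: the decision is tied to an authenticated user rather than to a source address, and the log records the requested hostname, since the client hands the proxy the name before any DNS lookup or connection happens. Refusing a greeting that offers only "no authentication" (reply 05 FF) is what keeps unauthenticated clients from relaying through the proxy.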

Application Layer Firewalls

Application layer rules:
- HTTP: URLs, headers, etc.
- SMTP: spam statistics

More complex than packet filtering: there are only 2^16 ports, but an unbounded number of URLs, HTTP headers, bodies, etc.

Single Firewall

Simplest type of firewall: one host acts as a gateway between the internal and external networks. (Figure 6.2, Building Internet Firewalls, 2nd ed.)

DMZ Firewall Architecture CIT 480: Securing Computer Systems

Single Firewall DMZ

DMZ

Servers with external access are isolated from the internal network:
- Compromise of a DMZ server doesn't directly compromise the internal network.
- DMZ servers also can't sniff internal traffic, since they're on a different subnet.

No single point of failure: an attacker must compromise both the exterior and the interior routers to gain access to the internal network.

Advantages: greater security.
Disadvantages: higher cost and complexity.

Firewall Limitations

- Cannot protect from internal attacks. Internal firewalls may be able to limit access to a segment of your network.
- Cannot protect you from user error. Users will still run trojan horses that make it past your AV scanner, and users visiting malicious sites run malicious JavaScript inside the firewall.
- The firewall mechanism may not precisely enforce your security policy.

Key Points

Firewall types:
- Packet filtering (stateless)
- Stateful firewalls
- Proxy servers
- Application layer firewalls

Netfilter and iptables:
- Tables and chains
- Rules and actions

Firewall architectures:
- Single firewall
- DMZ
- Single firewall DMZ

References

- William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.
- Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003.
- Michael Goodrich and Roberto Tamassia, Introduction to Computer Security, Pearson, 2011.
- Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
- Elizabeth Zwicky, Brent Chapman, and Simon Cooper, Building Internet Firewalls, 2nd edition, O'Reilly & Associates, 2000.