Chapter 8 Network Perimeter Security


Chapter 8 Network Perimeter Security
J. Wang and Z. Kissel. Introduction to Computer Network Security: Theory and Practice. Wiley 2015

Chapter 8 Outline
- 8.1 General Framework
- 8.2 Packet Filters
- 8.3 Circuit Gateways
- 8.4 Application Gateways
- 8.5 Trusted Systems and Bastion Hosts
- 8.6 Firewall Configuration
- 8.7 Network Address Translations
- 8.8 Setting Up Firewalls

Overview
- LANs, WANs and WLANs are known as edge networks
  - May be contained within businesses or homes
  - Need to be protected from the rest of the Internet!
- Why a firewall?
  - Encryption? Cannot stop malicious packets from getting into an edge network
  - Authentication? Can determine whether an incoming IP packet comes from a trusted user
    - However, not all host computers have the resources to run authentication algorithms
    - Host computers are managed by different users with different skill levels

General Framework

General Framework
- What is a firewall?
  - A hardware device, a software package, or a combination of both
  - A barrier between the Internet and an edge network (internal network)
  - A mechanism to filter incoming (ingress) and outgoing (egress) packets
- May be hardware and/or software
  - Hardware is faster but can be difficult to update
  - Software is slower but easier to update
- Firewall placement (figure)


Packet Filters
- Perform ingress (incoming) and egress (outgoing) filtering on packets
- Only inspect IP and TCP/UDP headers, not the payloads
- Can perform either stateless or stateful filtering
  - Stateless filtering: easy to implement but very simple
  - Stateful filtering: harder to implement but more powerful

Stateless Filters
- Perform "dumb" filtering
  - Apply a set of static rules to inspect every packet
  - Do not keep results from previous packets
- The set of rules used is referred to as an Access Control List (ACL)
  - Rules are checked from top to bottom and the first matching rule is applied
  - If no rule matches, the packet is blocked by default

ACL Example
- Blocks egress/ingress packets from certain IP addresses or ports
- Monitors ingress packets with an internal address as the source IP address, which may be crafted (spoofed) packets
- Identifies packets that specify a particular router, which may be an attempt to bypass the firewall
- Watches for packets with a small payload, which may indicate a fragmentation attack
- Blocks control packets from going outside
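As an added illustration (not code from the book or these slides), a stateless filter in Python that evaluates a constructed ACL with the first-match, default-deny semantics described above and encodes the slide's checks: spoofed internal source, sender-specified route, tiny fragment, and outbound telnet. The edge network 192.168.1.0/24, the web server 192.168.1.10 and the Packet/Rule classes are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed edge network
TCP_HEADER_LEN = 20  # minimum TCP header size in bytes


@dataclass(frozen=True)
class Packet:
    direction: str        # "ingress" (from the Internet) or "egress" (to the Internet)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    more_fragments: bool = False   # IP MF flag set: more fragments follow
    payload_len: int = 0           # bytes carried after the IP header
    source_routed: bool = False    # IP source-route option present


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    tiny_fragment: bool = False   # match a fragment too small to hold a TCP header
    source_routed: bool = False   # match packets carrying a source-route option

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (not self.tiny_fragment or (p.more_fragments and p.payload_len < TCP_HEADER_LEN))
            and (not self.source_routed or p.source_routed)
        )


# Constructed ACL mirroring the slide's checks; order matters because the first match wins.
ACL = [
    Rule("deny", direction="ingress", src=str(INTERNAL_NET)),   # spoofed internal source
    Rule("deny", source_routed=True),                            # sender-specified route
    Rule("deny", proto="tcp", tiny_fragment=True),               # tiny-fragment attack
    Rule("deny", direction="egress", proto="tcp", dport=23),     # keep telnet control inside
    Rule("permit", direction="ingress", dst="192.168.1.10/32", proto="tcp", dport=80),
    Rule("permit", direction="egress", src=str(INTERNAL_NET)),   # hosts may go out otherwise
]


def filter_packet(p: Packet, acl=ACL) -> str:
    """Check rules top to bottom; the first match decides. No match means deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"
```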

Stateful Filters
- Smarter than a stateless filter
- Keep track of connection states between internal and external hosts
- Accept/reject based only on the connection state
- Usually combined with a stateless filter
- Must pay attention to memory and CPU time requirements; connection tracking can be expensive!
- Connection state table example (figure)
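To show what the connection state table buys over a static ACL, an added example (not from the book) of a minimal connection tracker in Python: only flows opened from the inside create entries, the table is bounded to respect the memory caveat above, and entries are removed on RST or after both FINs. The state names, the class names and the 1000-entry cap are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# A flow is keyed from the internal host's point of view:
# (internal ip, internal port, external ip, external port, proto)
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    direction: str    # "egress" (internal host -> Internet) or "ingress" (Internet -> internal host)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


@dataclass
class StatefulFilter:
    max_entries: int = 1000                                  # bound the table: memory is finite
    table: Dict[FlowKey, str] = field(default_factory=dict)  # flow -> SYN_SENT/ESTABLISHED/CLOSING

    def _key(self, p: Packet) -> FlowKey:
        if p.direction == "egress":
            return (p.src, p.sport, p.dst, p.dport, p.proto)
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)
        if state is None:
            # Only internal hosts may open flows: an egress TCP SYN (or any egress
            # UDP datagram) creates an entry; unsolicited ingress traffic is dropped,
            # as is a new flow when the table is already full.
            opens = p.direction == "egress" and (p.proto != "tcp" or (p.syn and not p.ack))
            if not opens or len(self.table) >= self.max_entries:
                return "drop"
            self.table[key] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
            return "accept"
        if p.rst:
            del self.table[key]             # abort: forget the flow immediately
            return "accept"
        if state == "SYN_SENT":
            if p.direction == "ingress":
                if not (p.syn and p.ack):
                    return "drop"           # the outside may only answer with SYN/ACK
                self.table[key] = "ESTABLISHED"
            return "accept"
        if p.fin:
            if state == "CLOSING":
                del self.table[key]         # second FIN: the flow is finished
            else:
                self.table[key] = "CLOSING"  # first FIN: let the other side finish
        return "accept"                     # ESTABLISHED or CLOSING: both directions flow
```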


Circuit Gateways
- Operate at the transport layer
- Examine IP addresses and port numbers in TCP/UDP headers to determine whether a connection is allowed
- Usually combined with a packet filter to form a dynamic packet filter
- Basic structure:
  - Relay a TCP connection between an internal and an external host
  - Disallow direct connections between the external and the internal networks
  - Maintain a table of valid connections and check incoming packets against the table

Examples (figure)

SOCKetS (SOCKS)
- A network protocol for implementing a circuit gateway
- Consists of three components:
  - SOCKS server: runs on a packet-filtering firewall, listening on port 1080
  - SOCKS client: runs on an external client host
  - SOCKS client library: runs on an internal host
- Verifies authentication information and decides whether to establish the connection based on that information
- Provides an authenticated relay for a remote network


Application Gateways
- Also called application-level gateways or proxy servers
- Act as a proxy for internal hosts, processing service requests from external clients
- Perform deep packet inspection on all packets
  - Inspect application program formats
  - Apply rules based on the payload
- Have the ability to detect malicious and suspicious packets
- Extremely resource intensive

Cache Gateway (figure)

Application Gateways
- Place a router behind the gateway to protect connections between the gateway and the internal hosts

Stateful Packet Inspection
- Application-level extension of stateful packet filtering
- Supports scanning packet payloads
- Drops packets that do not match the expected connection state or data type for the protocol


Trusted Systems and Bastion Hosts
- Application gateways are placed between the external and the internal networks
  - Exposed to attacks from the external network
  - Need to have strong security protections
    - Trusted operating system
    - Bastion hosts

Trusted Operating Systems
- An operating system that meets a particular set of security requirements
  - System design contains no defects
  - System software contains no loopholes
  - System is configured properly
  - System management is appropriate
- May have users at different levels of security clearance
  - Must follow strict rules regarding permissions

Access Rights
- No read-up
  - Users of a lower level of clearance cannot execute programs of a higher level of secrecy
  - Programs of a lower level of secrecy cannot read files of a higher level of secrecy
- No write-down
  - Users of a higher level of clearance cannot use programs of a lower level of secrecy to write data to a file
  - Programs of a higher level of secrecy cannot write data into files of a lower level of secrecy

Bastion Hosts
- Systems with strong defensive mechanisms
- Serve as host computers for implementing:
  - Gateways
  - Circuit gateways
  - Other types of firewall
- Operated on a trusted operating system
- Must not have any unnecessary functionality!
  - Keeps the system simple to reduce the probability of errors

Requirements
- Gateway software should be written using only small modules
- May provide user authentication at the network level
- Should be connected to the smallest possible number of internal hosts
- Extensive logs should be kept of all activity passing through the system
- If they are running on a single host, multiple gateways must operate independently
- Hosts should avoid writing data to their hard disks
- Gateways running on bastion hosts should not be given administration rights


Single-Homed Bastion System
- Consists of a packet-filtering (PF) router and a bastion host
  - Router connects the internal network to the external network
  - Bastion host is inside the internal network
- PF firewall inspects each egress packet and blocks it if its source address is not the IP address of the bastion host
- If the PF router is compromised, the attacker can modify the ACLs and bypass the bastion host

Dual-Homed Bastion System
- Two zones in the internal network:
  - Inner zone: hosts are unreachable from the outside
  - Outer zone: hosts may be reached from the Internet
- Hosts in the inner zone are protected by both the bastion host and the PF router
- Servers in the outer zone are protected by the PF router
- Prevents access to the internal network even if the PF router is compromised

Screened Subnets
- A single-homed bastion host (SHBH) network paired with a second PF router for the internal network
- The area between the two PF routers is called a screened subnet
- Hides the internal network structure from external hosts

Demilitarized Zones (DMZ)
- A subnet between two firewalls in an internal network
  - External firewall protects the DMZ from external threats
  - Internal firewall protects the internal network from the DMZ
- DMZs can be implemented in a hierarchical structure

Network Security Topology
- Firewalls divide networks into three areas:
  - Distrusted region
  - Semi-trusted region
  - Trusted region


Network Address Translations (NAT)
- Divides IP addresses into public and private (non-routable) groups
- IANA has 3 IP blocks designated as private:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
- Many private IP addresses can connect to the Internet via a few public IP addresses
- Overcomes the 2^32 address limit of IPv4

Dynamic NAT
- Dynamically assigns a small number of public IPs to a large number of private IPs
- Port Address Translation (PAT), a variant of NAT
  - Allows one or more private networks to share a single public IP
  - Commonly used for homes and small businesses
  - Works by remapping the source and destination addresses and ports of packets
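An added example (not the book's code) of PAT as described on this slide and the previous one: egress packets from the three IANA private blocks are rewritten to one public address and a pool port, and ingress packets are mapped back only when they come from the remote endpoint that was actually contacted, so unsolicited packets from the Internet are dropped. The public address 198.51.100.1, the port pool 40000-49999 and the class names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three IANA private blocks from the slide: only these may sit behind the translator.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class PortAddressTranslator:
    public_ip: str                      # the single public address shared by the private hosts
    next_port: int = 40000              # assumed public port pool: 40000-49999
    last_port: int = 49999
    # (private ip, private port, proto) -> public port
    outbound: Dict[Tuple[str, int, str], int] = field(default_factory=dict)
    # (public port, proto, remote ip, remote port) -> (private ip, private port)
    inbound: Dict[Tuple[int, str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate_out(self, p: Packet) -> Packet:
        """Rewrite an egress packet's source to the public address and a pool port."""
        if not any(ipaddress.ip_address(p.src) in n for n in PRIVATE_NETS):
            raise ValueError(f"{p.src} is not a private address")
        key = (p.src, p.sport, p.proto)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
        # Remember the remote endpoint too, so only the host we talked to can answer.
        self.inbound[(pub_port, p.proto, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, pub_port, p.dst, p.dport, p.proto)

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Rewrite an ingress packet's destination back to the private host, or None to drop."""
        if p.dst != self.public_ip:
            return None     # not addressed to us at all
        priv = self.inbound.get((p.dport, p.proto, p.src, p.sport))
        if priv is None:
            return None     # no matching mapping: unsolicited packet from the Internet is dropped
        return Packet(p.src, p.sport, priv[0], priv[1], p.proto)
```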

Virtual Local-Area Networks (VLAN)
- A technology for creating several independent logical LANs over the same physical network
- VLANs can be created using software
- VLAN switches: a VLAN switch can be configured with several logical groupings of switch ports to create independent VLANs (figure)

Small Office and Home Office (SOHO) Firewalls (figure)


Setting Up Firewalls
- Windows systems: built-in firewalls under Control Panel
- Linux: use the iptables program
  iptables <option> <chain> <matching criteria> <target>
  Example:
  iptables -A INPUT -p tcp -s 129.63.8.109 -j ACCEPT                   (accept all TCP arriving from 129.63.8.109)
  iptables -A INPUT -p tcp ! --syn -d 129.63.8.109 -j ACCEPT           (accept TCP to 129.63.8.109 that is not a connection-opening SYN)
  iptables -A INPUT -p tcp -d 129.63.8.109 --dport telnet -j DROP      (drop new telnet connections to 129.63.8.109)
- FreeBSD UNIX: use the ipf program