Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Network Security Essentials Chapter 11
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Norman SecureSurf Protect your users when surfing the Internet.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
Intranet, Extranet, Firewall. Intranet and Extranet.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 6: Packet Filtering
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
1 Internet Firewalls What it is all about Concurrency System Lab, EE, National Taiwan University R355.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
CONTENTS  INTRODUCTION.  KEYWORDS  WHAT IS FIREWALL ?  WHY WE NEED FIREWALL ?  WHY NOT OTHER SECURITY MECHANISM ?  HOW FIREWALL WORKS ?  WHAT IT.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Internet and Intranet Fundamentals Class 9 Session A.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
1 Firewalls G53ACC Chris Greenhalgh. 2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch
CPT 123 Internet Skills Class Notes Internet Security Session A.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Firewall – Survey Purpose of a Firewall – To allow ‘proper’ traffic and discard all other traffic Characteristic of a firewall – All traffic must go through.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Firewall Security.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
Security fundamentals Topic 10 Securing the network perimeter.
1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.
SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks.
FIREWALLS Created and Presented by: Dawn Blitch & Fredda Hutchinson.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Defining Network Infrastructure and Network Security Lesson 8.
Security fundamentals
Critical Security Controls
Why do we need Firewalls?
Computer Data Security & Privacy
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Introduction to Networking
Introduction to Networking
Firewalls.
Firewalls Purpose of a Firewall Characteristic of a firewall
FIREWALL By Abhishar Baloni I.D
Firewalls Jiang Long Spring 2002.
دیواره ی آتش.
Firewalls Chapter 8.
Presentation transcript:

Firewalls Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1

What’s a Firewall? A barrier between “us” and the Internet All traffic, inbound or outbound, must pass through it Firewalls enforce policy: only certain traffic is allowed to flow 2

inside and outside firewalls3 “good” users the same security policy bad/untrusted users Inside Outside Firewall

Why Use Firewalls? Firewalls are a scalable solution: you don’t have to manage many boxes Firewalls are under your control Usual purpose: keep attackers away from buggy code on hosts Generally speaking, firewalls are not network security devices; they’re the network’s response to buggy, insecure hosts – A suitably hardened host isn’t helped much by a firewall 4

Policies Firewalls can enforce policies at any layer of the network stack Accept/reject MAC addresses, IP addresses, port numbers, various forms of application content, etc. Policies reflect organizational needs – General philosophy: accept “safe”, necessary traffic; reject all else 7Application 6Presentation 5Session 4Transport 3Network 2Link 1Physical 5

Firewalls Implement Policy If you do not have a security policy, a firewall can’t help you – Firewalls are not magic security devices – Simply having one doesn’t protect you; what matters is the policy they enforce If there is no single policy for the entire network, a firewall doesn’t do much good – Example: ISP networks can’t be firewalled, because every customer has different security needs and policies – But—the ISP’s own computers can be firewalled 6

failure models firewalls7 Firewall “good” and “bad” users exceptions and complex policy Inside Outside VPN other internet connections attacking through a policy hole

Some Sample Policy Rules Allow inbound TCP port 25 (SMTP) destined for the mail host Block and log outbound TCP port 25 unless it’s from the authorized mail host Allow outbound TCP ports 80 or 443 or… Allow outbound TCP ports 80 or 443 only from the designated web proxy 8

Crafting Policy Rules A complex process: must balance business needs against network threats – Both are constantly changing – Generally, no single person knows both well It’s easy to get it wrong; both the policy and its implementation can have errors Iterative process: deploy a set of rules, and watch for errors and complaints – Check your log files and flow records! 9

Topology Three classes of nets: untrusted (the outside), trusted, and semi-trusted (DMZ=“Demilitarized Zone”) Service hosts—mail, DNS, web, etc.—go in the DMZ – Mostly protected from the outside, but not fully trusted because of outside exposure 10 Inside DMZ Internet

Implementing Firewalls Any router or Linux/BSD host can filter at layers 3 and 4 The real troubles are higher up: ed viruses, infected PDFs, web pages with Javascript that exploits browser bugs, and more Some protocols, e.g., FTP and SIP, can’t be handled just at the lower layers, because they require other ports to be opened up dynamically Must have application proxies for many protocols; either rules or mechanisms must be able to divert traffic to these proxies 11

The Trouble with Firewalls There is too much connectivity that doesn’t fit the simple model – Special links to customers, suppliers, joint venture partners, contractors, etc. – Very many connections to the outside – Branch offices – Laptops and smartphones! Different threat models The classic model of the firewall doesn’t work that well any more for large organizations 12

Mobile Devices By definition, mobile devices sometimes live outside the firewall This is necessary if people are to get their jobs done But they have to have inside connectivity (or at least sensitive inside data), too Risk: devices can be compromised when outside, and bring the infection home Risk: devices can be stolen 13

Firewalls and Threat Models Firewalls generally (but not always) deflect unskilled hackers Opportunistic hackers may or may not be kept out; they can often penetrate a single inside host and work from there Disgruntled employees are already on the inside Intelligence agencies won’t be kept out by simple schemes – The NSA reputedly has canned tools to attack common commercial firewalls 14

What to Do? Multiple layers of defense – Large, enterprise firewall to protect the company, complete with central service hosts – Departmental firewalls to isolate printers, file servers, etc. – Hardened hosts, plus automated tools to maintain them – Lots of logging and monitoring 15

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.