Firewalling Techniques. Prabhaker Mateti.

ACK: Not Linux specific. Some figures are from 3com.


Components of the Firewall System
- Bastion host
- Packet-filtering router
- Application-level gateway (or proxy server)
- Circuit-level gateway

Dual Homed Gateway
- A system that has two or more network interfaces, each of which is connected to a different network.
- Acts to block or filter some or all of the traffic trying to pass between the networks.

Bastion Host
- Runs a general-purpose operating system
- Hardened to resist attack

Proxy Services
- Proxy servers on a bastion host can prohibit direct connections from the outside and reduce data-driven attacks.

Circuit Relay
- Determines if the connection is valid according to rules
- Opens a session and permits traffic only from the allowed source, and possibly only for a limited period of time
- Whether a connection is valid is based upon:
  - destination IP address and/or port
  - source IP address and/or port
  - time of day
  - protocol
  - user
  - password
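An added example (not code from the slides) of the circuit-relay decision just described: a toy relay that checks every validity criterion listed above, then opens a session that expires after a rule-defined lifetime. All users, networks, ports and time windows are constructed for the example.

```python
# Added example, not code from the slides: a toy circuit-level relay that checks the
# validity criteria listed above, then permits traffic only on an open, unexpired
# session. Times are epoch seconds (UTC); users, addresses and rules are constructed.
import hashlib, hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed credential table: user -> SHA-256 hex of the password (toy; not a real KDF).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

@dataclass
class Rule:
    src_net: str       # source address must fall in this network
    dst_net: str       # destination address must fall in this network
    dst_port: int
    proto: str
    hours: tuple       # (first_hour, last_hour), inclusive, UTC
    user: str          # user who must authenticate to use this rule
    lifetime_s: int    # how long an opened session stays valid

@dataclass
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: str
    password: str

def matching_rule(rules, req, now):
    """Return the first rule under which this connection is valid, else None."""
    hour = (now // 3600) % 24
    for r in rules:
        if (ip_address(req.src_ip) in ip_network(r.src_net)
                and ip_address(req.dst_ip) in ip_network(r.dst_net)
                and req.dst_port == r.dst_port and req.proto == r.proto
                and r.hours[0] <= hour <= r.hours[1]
                and req.user == r.user and req.user in USERS
                and hmac.compare_digest(
                    hashlib.sha256(req.password.encode()).hexdigest(),
                    USERS[req.user])):
            return r
    return None

def open_session(sessions, rules, req, now):
    """Open a session for a valid request; it expires after the rule's lifetime."""
    r = matching_rule(rules, req, now)
    if r is None:
        return False
    sessions[(req.src_ip, req.dst_ip, req.dst_port, req.proto)] = now + r.lifetime_s
    return True

def traffic_permitted(sessions, src_ip, dst_ip, dst_port, proto, now):
    """Relay data only from the allowed source and only while the session is open."""
    expiry = sessions.get((src_ip, dst_ip, dst_port, proto))
    return expiry is not None and now < expiry

# Constructed rule: inside hosts may telnet to one external network, 08:00-17:59 UTC,
# after alice authenticates; each session is relayed for at most 10 minutes.
RULES = [Rule("10.0.0.0/8", "203.0.113.0/24", 23, "tcp", (8, 17), "alice", 600)]
```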

Demilitarized Zone (DMZ)
- A neutral zone between the private LAN and the public Internet.
- FTP servers, Web servers and the like are located in the DMZ.

Location of a Firewall (figure: untrusted network, firewall, DMZ holding the www and SMTP servers, internal LAN, external LAN)

An Application Gateway: Problem
- Allow select internal users to telnet outside.
- Users authenticate themselves to create the telnet connection.
- A "gateway" used in this sense is different from a standard gateway.

An Application Gateway: Solution
- The router filter blocks all telnet connections not originating from the gateway.
- For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
(figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter)

Packet Filtering Router
- Decides not only how, but whether, a packet should be forwarded
- Not the best choice when detailed protocol knowledge is required for the decision; a proxy may be a better choice
- Lots of leverage, as all hosts behind it are protected
- Can provide unique capabilities:
  - Rejecting forged internal or external packets (address spoofing)
  - Recognition of malformed packets

Packet-Filtering Router
- Service-dependent filtering. Some typical filtering rules include:
  - Permit incoming Telnet sessions only to a specific list of internal hosts
  - Permit incoming FTP sessions only to specific internal hosts
  - Permit all outbound Telnet sessions
  - Permit all outbound FTP sessions
  - Deny all incoming traffic from specific external networks
- Service-independent filtering:
  - Source IP address spoofing attacks.
  - Source routing attacks.
  - Tiny fragment attacks. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the attacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP FragmentOffset is equal to
- Defining packet filters can be a complex task.
- Generally, the packet throughput of a router decreases as the number of filters increases.

Filtering by Service
- Characteristics of an internal-to-external telnet connection:
  - source is inside,
  - destination is outside,
  - it is TCP, destination port 23,
  - source port > 1023,
  - first packet is an outbound SYN
- Characteristics of an external-to-internal connection are the 'opposite'
- Risk: trusting the port implies trusting the server on that port
  - Any service can be run from any port by root
  - Can telnet from port 23, for example
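An added example (not code from the slides) that puts the two preceding slides into one stateless filter: the service-independent checks (address spoofing by interface, source routing, TCP tiny fragments) run first, then the service-dependent rules for telnet and FTP, including the port and SYN characteristics just listed. The internal block, host lists, blocked network and interface names are constructed; the tiny-fragment rule uses the RFC 1858 value (offset 1).

```python
# Added example, not from the slides: a stateless packet filter that runs the
# service-independent checks, then the service-dependent rules listed above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")             # constructed internal address block
TELNET_HOSTS = {"10.0.0.5"}                     # internal hosts that may receive telnet
FTP_HOSTS = {"10.0.0.6"}                        # internal hosts that may receive FTP
BLOCKED_NETS = [ip_network("198.51.100.0/24")]  # constructed external networks to deny

@dataclass
class Packet:
    iface: str                    # "ext" = from the Internet, "int" = from the LAN
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    ack: bool = False             # TCP ACK flag; a bare SYN has it clear
    frag_offset: int = 0          # IP fragment offset, in 8-byte units
    source_routed: bool = False   # IP source-route option present

def service_independent(p):
    """Checks that ignore the service; return a drop reason or None."""
    src = ip_address(p.src)
    if p.iface == "ext" and src in INTERNAL:
        return "spoofed internal source arriving from outside"
    if p.iface == "int" and src not in INTERNAL:
        return "spoofed external source arriving from inside"
    if p.source_routed:
        return "source-routed packet"
    if p.proto == "tcp" and p.frag_offset == 1:
        return "tiny fragment (TCP with offset 1, per RFC 1858)"
    return None

def service_dependent(p):
    """Return True if a service rule permits the packet."""
    if p.proto != "tcp":
        return False
    if p.frag_offset > 1:
        return True   # later fragment carries no TCP header; the first one was checked
    inbound = p.iface == "ext"
    if inbound:
        if any(ip_address(p.src) in n for n in BLOCKED_NETS):
            return False   # deny all incoming traffic from specific external networks
        if p.dport == 23 and p.dst in TELNET_HOSTS and p.sport > 1023:
            return True    # incoming telnet only to listed hosts
        if p.dport == 21 and p.dst in FTP_HOSTS and p.sport > 1023:
            return True    # incoming FTP only to listed hosts
        # replies to outbound sessions: server port to a high port, never a bare SYN
        return p.sport in (21, 23) and p.dport > 1023 and p.ack
    if p.dport in (21, 23) and p.sport > 1023:
        return True        # all outbound telnet and FTP sessions
    return p.sport in (21, 23) and p.dport > 1023 and p.ack  # answers to allowed inbound

def filter_packet(p):
    """Return ("drop", reason) or ("permit", "service rule")."""
    reason = service_independent(p) or (None if service_dependent(p) else "no permit rule")
    return ("drop", reason) if reason else ("permit", "service rule")
```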

Security Policy
"It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network.
"The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
"This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent." [From a web-based article]

Security Policy Describes a Perimeter Defense

A Connection Circumventing an Internet Firewall

Benefits of an Internet Firewall
- Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet.
- Firewalls offer a convenient point where Internet security can be monitored and alarms generated.
- An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).
- An Internet firewall is the perfect point to audit or log Internet usage.
- An Internet firewall can also offer a central point of contact for information delivery service to customers.

Limitations of an Internet Firewall
- Creates a single point of failure.
- Cannot protect against attacks that do not go through the firewall.
- Cannot protect against the types of threats posed by traitors or unwitting users.
- Cannot protect against the transfer of virus-infected software or files.
- Cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack.

Limitations of Firewalls and Gateways
- IP spoofing: the router can't know if data "really" comes from the claimed source.
- If multiple applications need special treatment, each has its own application gateway.
- Client software must know how to contact the gateway, e.g., the proxy's IP address must be set in the Web browser.
- Tradeoff: degree of communication with the outside world versus level of security.
- Performance problem.

Three Myths of Firewalls
- Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own back doors, using modems, terminal servers, or programs such as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.
- Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.
- Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.