Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security.

Slides:



Advertisements
Similar presentations
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Advertisements

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.
5-Network Defenses Dr. John P. Abraham Professor UTPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
NW Security and Firewalls Network Security
Intranet, Extranet, Firewall. Intranet and Extranet.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Internet and Intranet Fundamentals Class 9 Session A.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
(c) University of Technology, Sydney Firewall Architectures.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Firewall Security.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Karlstad University Firewall Ge Zhang. Karlstad University A typical network topology Threats example –Back door –Port scanning –…–…
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Role Of Network IDS in Network Perimeter Defense.
SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks.
Computer Security Firewalls and Intrusion Prevention Systems.
Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
FIREWALLS By k.shivakumar 08k81f0025. CONTENTS Introduction. What is firewall? Hardware vs. software firewalls. Working of a software firewalls. Firewall.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Firewalls Definition: Device that interconnects two or more networks and manages the network traffic between those interfaces. Maybe used to: Protect a.
Firewall.
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Introduction to Networking
Firewalls.
* Essential Network Security Book Slides.
Firewalls Purpose of a Firewall Characteristic of a firewall
Firewalls Routers, Switches, Hubs VPNs
FIREWALL By Abhishar Baloni I.D
POOJA Programmer, CSE Department
Firewalls Jiang Long Spring 2002.
Firewall.
Firewalls.
Implementing Firewalls
Presentation transcript:

Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security

Before we start  Something Interesting I found about XEN  And something more: ation_Security ation_Security  A little bit on HW 2, problem 1 & 2 Not discussing problem 3 & 4 as they are fairly simple

What are we protecting  Data Private Data  Secret  Integrity  Availability  Resources Network resources Other computer resources  Reputation Your reputation

Means for Protection  Anti-Virus Why doesn’t it work?  Rather why is it ineffective  Firewall Does it suffer from same problems as above

What is a firewall  Is it just a wall that we are burning? No, I guess bad joke  Ok, it is a barrier between your computer and the outside world Rather protects the boundary of an intranet against the Internet  Computer networks are designed to exchange data  So why do we want to restrict data flow?

Ideal World  Everyone is good  No attacker  No one can compromise data  No one will try to steal data  No one will try to install backdoor  No one …. (basically a really good world)  Unfortunately, this can never exist

Working World  There are attackers  People will try and steal data  People will try opening ports on your machine for remote exploitation  Individual users are not smart enough to configure network connections So we need some service that can at least differentiate between good & bad connections In practice may not be the case

Firewall Outside Network Your Network

Tasks of a Firewall  Access control based on sender/receiver address or on addressed services  Hiding Internal network  Logging of traffic  Implements Packet Filter & Proxy server

7 Layered OSI  Application Layer Supports end – user processes, Telnet, FTP  Presentation Layer  Session Layer  Transport Layer Flow Control  Network Layer Switching, routing  Data Link Layer Data encoded and coded into bits  Physical Layer

Packet Filter  Analyzes network traffic and filters based on rules in layers 3 & 4 Typically can be Source / Dest Addr  If firewall is combined with a router, it is called screening router  Simple, Cheap

Packet Filter  Possible Principles Everything that is not explicitly allowed is denied Everything that is not explicitly denied is allowed

Example  Lame Example 1: Let your SMTP server be , and port be 40  Rule1 From (IP *), (port *) TO ( ) (40) : DENY From ( ), (40) TO (*) (*): Allow  Rules are applied in order listed

Proxy Server  Controls access to a service  Proxy is the only known computer to outside Internet  Access control can be done based on user identity, content, used protocol

Packet Filter vs Proxy Server  PF Simple, Cheap Correctly specifying filters is error prone If you re-order rules, then policy may change  Proxy User authentication possible Application Protocol control can be integrated Logging Circuit level proxies/Application level proxies  AL proxies more expensive, but versatile  Need one ALP for each application  Circuit level Proxies hide network info apart from providing packet filter functionalities

Firewall Generations  First – Packet Filter  Second – Stateful Filters  Third – Application Layer

First generation  Just checks for the individual packets Which means most filtering is done based on a strict set of rules  Lame example: Drop packets coming from a specific IP address The filter does not care whether the incoming/outgoing packet is part of an existing connection

2 nd Gen - Stateful Filters  Also called circuit level firewalls  Do not examine each packet  It maintains records of all connections passing through the firewall  Can determine whether a packet is part of an existing connection or a new connection  There are static rules that configure firewall behaviour

3 rd generation  Application layer firewall  it can "understand" certain applications and protocols  can detect whether an unwanted protocol is being sneaked through on a non-standard port  whether a protocol is being abused in a known harmful way.

Firewall Architectures  Single Box Architecture  Screened Host Architecture  Screened Subnet Architectures  Other Variations

Single Box Architecture  Screening Router  Dual Homed Host

Screening router Internet Screener PC 1 PC n Internal Network

Features  You can configure connections at one place  So the firewall is installed in the router  Can deny by port numbers/IP addr  Not flexible  Useful where network inside is considered secure

Dual-Homed Host Internet PC 1 PC n Internal Network eth0 eth1

Features  The protected network cannot directly communicate to the Internet  Applications should not be real time or business critical  Traffic to Internet is small  Users do not perform only Internet based jobs  Packet filter & Proxy server together

Bastion Host  special purpose computer on a network  specifically designed and configured to withstand attack  Contains very few applications proxy server services the requests of its clients by forwarding requests to other servers  Why? To reduce threats and vulnerabilities

Screened Host Architecture Internet Screener PC 1 PC n Internal Network Bastion Host

Features  Bastion Host provides proxy  Screening router provides packet filtering of incoming traffic

Personal Firewall  A software installed on a PC  Part of OS to protect user machines  Learning filter Annoying at times

Honeypot  Show a machine with weak security to outside world  Monitor all the attacks that it experiences

NAT - Network address translation  Technique for transmitting/receiving network traffic through a router Re-writing of source/destination addresses Re-writing of TCP port number  NAT is a popular way of dealing with IPv4 address shortage  NAT enables multiple hosts on a private network to use a single public IP address

NAT  A host typically uses x.x  10.x.x.x  x.x  The router has a public address  Example  My router’s add xxx  My PC address

NAT  When traffic moves from local network to Internet Router performs address change on source IP Router stores data about outgoing connection When reply returns to router, it uses stored data to forward packets to corresponding machine

Drawbacks  True end to end connectivity not there  Cannot participate in some network protocols  Services that require initiation from outside network cannot function

Benefits  NAT helps prevent many malicious attacks External network cannot initiate a connection  I wont receive any malicious data unless my machine initiated it  Can my machine initiate it?  Practical solution to exhaustion of IPv4 address

Can a firewall inside a computer be bypassed  Yes  It is just a service  A program can disable it Bagle Bagz  So it all boils down to Is my PC secure  I believe that this problem is not in P

A little refresher  Digital signature  Challenge Response – midterm  The mid term problem 1:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.