Slide 1: Firewalls and Firewall Testing Techniques
Sonia Fahmy, Department of Computer Sciences, Purdue University

Slide 2: Overview
- What is a firewall?
- Firewall types and architectures
- Firewall operations
- Firewall testing

Slide 3: What is a Firewall?
- A firewall is a method of achieving security between trusted and untrusted networks
- The choice, configuration and operation of a firewall is defined by policy, which determines the services and type of access permitted
- Firewall = policy + implementation
- Firewall = “zone of risk” for the trusted network
[Figure: gateway (DMZ) placed between the trusted and untrusted networks]

Slide 4: Firewalls Should…
- Support and not impose a security policy
- Use a “deny all services except those specifically permitted” policy
- Accommodate new facilities and services
- Contain advanced authentication measures
- Employ filtering techniques to permit or deny services to specific hosts, and use flexible and user-friendly filtering
- Use proxy services for applications
- Handle dial-in
- Log suspicious activity

Slide 5: Firewalls Cannot…
- Protect against malicious insiders
- Protect against connections that do not go through them (e.g., dial-up)
- Protect against new threats or new viruses

Slide 6: Firewalls in Relation to the 7 Layers
[Figure: the seven layers (Application, Presentation, Session, Transport, Network, Link, Physical), with the reach of a packet-level filter and of an application-level filter marked against them]

Slide 7: Simple Packet Filters
- Example rule table:

  Interface | Source | Dest. | Prot. | SPort | DPort
  ----------|--------|-------|-------|-------|-----------
  2         | *      | *     | TCP   | *     | 21 (FTP)
  *         | *      | *     | TCP   | *     | 25 (SMTP)

- Difficult to handle X-Windows, RPC (including NFS and NIS), rlogin, rsh, rexec, rcp, and TFTP
[Figure: a packet filter with two interfaces (1 and 2) between the internal network and the Internet]
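The following is an added example, not code from the slides: a stateless packet filter that evaluates packets against rules with the six columns of the slide's table plus an action, first match wins, and everything unmatched is denied as slide 4 recommends. It assumes interface 2 faces the Internet and interface 1 the internal network; the sample packets and addresses are constructed. The last part illustrates the slide's closing bullet with FTP: admitting the active-mode data connection without state requires a rule keyed on source port 20, which then admits any connection that merely claims that source port.

```python
"""Stateless packet filter, added example (not from the slides).

Rules carry the six columns of the slide's table plus an action; the
first matching rule wins and anything unmatched is denied, following the
"deny all except what is permitted" policy of slide 4. Addresses are
CIDR patterns or "*", ports are a number, a "lo-hi" range, or "*".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    interface: str    # arriving interface, e.g. "2", or "*"
    src: str          # source address pattern (CIDR) or "*"
    dst: str          # destination address pattern (CIDR) or "*"
    proto: str        # "TCP", "UDP", "ICMP" or "*"
    sport: str        # source port, "lo-hi" range or "*"
    dport: str        # destination port, "lo-hi" range or "*"


@dataclass(frozen=True)
class Packet:
    interface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _match_addr(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _match_port(pattern, port):
    if pattern == ANY:
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return int(pattern) == port


def matches(rule, pkt):
    return (rule.interface in (ANY, pkt.interface)
            and rule.proto in (ANY, pkt.proto)
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and _match_port(rule.sport, pkt.sport)
            and _match_port(rule.dport, pkt.dport))


def decide(rules, pkt):
    """First-match evaluation; implicit deny when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The slide's two rules. Assumption: interface 2 faces the Internet, so the
# first rule admits FTP control connections arriving from outside.
SLIDE_RULES = [
    Rule("allow", "2", ANY, ANY, "TCP", ANY, "21"),   # FTP control channel
    Rule("allow", ANY, ANY, ANY, "TCP", ANY, "25"),   # SMTP on any interface
]

# Why stateless filters struggle with protocols such as FTP: an active-mode
# FTP data connection comes back from server port 20 to a port the client
# chose, so the only stateless way to admit it is a rule keyed on the
# *source* port, which then admits any TCP connection that claims source
# port 20, whatever internal service it is aimed at.
FTP_DATA_RULES = SLIDE_RULES + [Rule("allow", "2", ANY, ANY, "TCP", "20", ANY)]

# Constructed sample packets (documentation address ranges)
SAMPLES = {
    "ftp_from_internet": Packet("2", "198.51.100.7", "192.0.2.10", "TCP", 40000, 21),
    "ftp_from_inside": Packet("1", "192.0.2.10", "198.51.100.7", "TCP", 40000, 21),
    "smtp_from_inside": Packet("1", "192.0.2.10", "198.51.100.7", "TCP", 40000, 25),
    "dns_udp": Packet("2", "198.51.100.7", "192.0.2.10", "UDP", 53, 53),
    "sport20_to_x11": Packet("2", "198.51.100.7", "192.0.2.10", "TCP", 20, 6000),
}


def evaluate_all(rules):
    """Map each sample name to the filter's decision under the given rules."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all(SLIDE_RULES).items():
        print(f"{name:20s} -> {verdict}")
    print("with source-port-20 rule:", evaluate_all(FTP_DATA_RULES)["sport20_to_x11"])
```

Note that the slide's table, taken literally, admits FTP only on interface 2, so an FTP connection opened from the inside is denied; the rules say exactly what they say, which is the point of writing them down and evaluating them.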

Slide 8: Stateful Inspection
- Also known as dynamic packet filtering (dynamic rule set)
- Requires storing state for each stream, assuming:
  - If there is one packet, there will be more
  - If there is one packet, responses will be returned
- Prime candidate for resource starvation attacks
- What should be done when the table is full?
  - Least recently used
  - Random early drop
  - Time out entries
  - Wait for FIN messages, etc.
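As an added example (not code from the slides), the stateful filter below keeps a bounded table of TCP streams initiated from the inside, admits replies that match a tracked stream, removes entries on FIN/RST, expires idle entries, and applies one of the slide's table-full policies: least-recently-used eviction or random early drop of new streams. It assumes interface "1" is inside and "2" is outside, that only inside-initiated streams are tracked, and that the caller supplies the clock; all packets are constructed.

```python
"""Stateful inspection with a bounded state table, added example (not
from the slides): tracks TCP streams opened from the inside, admits their
replies, removes state on FIN/RST, expires idle entries, and handles a
full table by LRU eviction or random early drop of new streams.
"""
import random
from collections import OrderedDict
from dataclasses import dataclass

INSIDE, OUTSIDE = "1", "2"   # interface names, an assumption for this example


@dataclass(frozen=True)
class Packet:
    interface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()


def stream_key(pkt):
    """Direction-independent key so the reply to a tracked stream matches."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class StatefulFilter:
    def __init__(self, capacity, idle_timeout, policy="lru", seed=0):
        self.capacity = capacity
        self.idle_timeout = idle_timeout      # applied in every policy
        self.policy = policy                  # "lru" or "red"
        self.rng = random.Random(seed)
        self.table = OrderedDict()            # stream_key -> last_seen; oldest first
        self.evictions = {"lru": 0, "timeout": 0, "red": 0, "fin": 0}

    def expire(self, now):
        """Time out entries that have been idle longer than idle_timeout."""
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        self.evictions["timeout"] += len(stale)

    def _make_room(self):
        """Return True if a new stream may be admitted into the table."""
        occupancy = len(self.table) / self.capacity
        if self.policy == "red":
            # Random early drop: refuse new streams with a probability that
            # grows once the table is half full, and always once it is full.
            if occupancy >= 1.0 or (occupancy > 0.5
                                    and self.rng.random() < (occupancy - 0.5) / 0.5):
                self.evictions["red"] += 1
                return False
            return True
        if occupancy < 1.0:
            return True
        self.table.popitem(last=False)        # LRU: drop the least recently seen
        self.evictions["lru"] += 1
        return True

    def process(self, pkt, now):
        self.expire(now)
        key = stream_key(pkt)
        if key in self.table:
            self.table.move_to_end(key)       # mark as most recently used
            self.table[key] = now
            if pkt.flags & {"FIN", "RST"}:    # stream is closing: release state
                del self.table[key]
                self.evictions["fin"] += 1
            return "allow"
        if pkt.interface == INSIDE and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if not self._make_room():
                return "drop"                 # table full: new stream refused
            self.table[key] = now
            return "allow"
        return "deny"                         # no state and not an inside-initiated SYN


# Constructed packet builders for an internal host 10.0.0.5
def outbound_syn(sport, dst, dport):
    return Packet(INSIDE, "TCP", "10.0.0.5", sport, dst, dport, frozenset({"SYN"}))


def inbound(src, sport, dport, flags=("ACK",)):
    return Packet(OUTSIDE, "TCP", src, sport, "10.0.0.5", dport, frozenset(flags))


if __name__ == "__main__":
    fw = StatefulFilter(capacity=2, idle_timeout=30)
    print(fw.process(outbound_syn(1111, "203.0.113.8", 80), now=0))      # allow
    print(fw.process(inbound("203.0.113.8", 80, 1111, ("SYN", "ACK")), now=1))  # allow
    print(fw.process(inbound("198.51.100.3", 4444, 22, ("SYN",)), now=2))  # deny
```

The resource-starvation point from the slide shows up directly: with capacity 2, a third inside-initiated stream either evicts the least recently seen entry (LRU), after which replies to the evicted stream are dropped, or is itself refused (random early drop).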

Slide 9: Bastion Host
- Inside users log onto the bastion host to use outside services
- Outside snoopers cannot see internal traffic even if they break into the firewall (perimeter = stub network = DMZ)
[Figure: routers R1 and R2 between the Internet and the internal network]

Slide 10: Firewall Architectures
- Screened host: bastion host and exterior router
- Screened subnet: exterior and interior routers
- Multiple bastion hosts, multiple interior routers, multiple exterior routers, multiple internal networks (with/without backbone), multiple perimeter networks
- Merged interior and exterior routers, bastion host and exterior router, and bastion host and interior router (not recommended)
[Figure: routers R1 and R2 between the Internet and the internal network]

Slide 11: Dual-homed Host
- The dual-homed host is the firewall in this case
[Figure: dual-homed host between the Internet and the internal network]

Slide 12: Application-Level Gateways
- Specialized programs on the bastion host relay requests and responses, enforcing site policies (refusing some requests)
- Sometimes referred to as “proxy servers”
- Transparent with special “proxy client” programs
- Full protocol decomposition, e.g., Raptor, or “plug mode”, e.g., Firewall-1 and PIX
[Figure: a client reaching a server through a dual-homed host that acts as proxy server at the Internet boundary]

Slide 13: Policies
- Network service access policy (NSAP)
  - Defines which services are to be explicitly allowed or denied, and the ways in which these services are to be used
- Firewall design policy (FDP)
  - Defines how the firewall implements the restricted access and service filtering specified by the NSAP
  - The FDP must be continuously updated with new vulnerabilities

Slide 14: Packet Traversal in a Firewall
[Figure: packet flow through the firewall, reconstructed as a sequence of stages]
1. Packet receipt by firewall
2. Link layer filtering
3. Dynamic ruleset (state)
4. Packet legality checks
5. IP and port filtering
6. NAT/PAT (header rewrite)
7. Packet reassembly
8. Application level analysis
9. Routing decision
10. Dynamic ruleset (state)
11. Packet sanity checks
12. IP and port filtering
13. Packet release
Figure legend: packet flow; packet may be dropped; stream may be dropped; optional outbound filtering; bypass on match

Slide 15: Firewall Testing
- Vulnerabilities = design or coding flaws = invalid assumptions, e.g., insufficient verification, memory available, user data, trusted network object, predictable sequence, etc.
- Develop a vulnerability-operation matrix
- Place Common Vulnerabilities and Exposures (CVE) entries, their candidates (CAN), and other known and new firewall problems in the appropriate matrix cell
- Find clusters in the matrix
- Predict problems
- Automate firewall testing by focusing on common problems

Slide 16: Example
- CVE
  - Cisco PIX Firewall Manager (PFM) allows retrieval of any file whose name and location is known
  - PIX proxy’s verification failure
- Application level (operation)
- Insufficient verification (invalid assumption)
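The matrix method of slides 15 and 16, as an added example (not code from the slides or from the cited work in preparation): rows are the operation stages of the packet-traversal slide, columns the invalid-assumption classes of the testing slide, known problems are placed in cells, and the densest cells become the first targets for automated tests. The only real entry is the PIX Firewall Manager problem from slide 16 (its CVE identifier is not on the slide); the other entries are constructed placeholders that exist solely to show clustering.

```python
"""Vulnerability-operation matrix, added example (not from the slides).

Rows are the operations from the packet-traversal slide, columns the
invalid-assumption classes from the firewall-testing slide. Known
problems are placed in cells; dense cells ("clusters") become the
first targets for automated tests.
"""
from collections import Counter
from dataclasses import dataclass

OPERATIONS = [
    "link layer filtering", "packet legality checks", "IP and port filtering",
    "NAT/PAT", "packet reassembly", "application level analysis", "routing decision",
]
ASSUMPTIONS = [
    "insufficient verification", "memory available", "user data",
    "trusted network object", "predictable sequence",
]


@dataclass(frozen=True)
class Entry:
    ident: str        # CVE/CAN identifier, or a placeholder when unknown
    operation: str    # one of OPERATIONS
    assumption: str   # one of ASSUMPTIONS
    note: str = ""


def build_matrix(entries):
    """Count entries per (operation, assumption) cell; reject unknown axes."""
    matrix = Counter()
    for e in entries:
        if e.operation not in OPERATIONS or e.assumption not in ASSUMPTIONS:
            raise ValueError(f"{e.ident}: unknown cell ({e.operation}, {e.assumption})")
        matrix[(e.operation, e.assumption)] += 1
    return matrix


def clusters(matrix, min_count=2):
    """Cells holding at least min_count entries, densest first, then by name."""
    return sorted(((cell, n) for cell, n in matrix.items() if n >= min_count),
                  key=lambda item: (-item[1], item[0]))


def totals(matrix):
    """Per-operation and per-assumption totals: which row/column is hottest."""
    by_op, by_assumption = Counter(), Counter()
    for (op, assumption), n in matrix.items():
        by_op[op] += n
        by_assumption[assumption] += n
    return by_op, by_assumption


def focus_cells(matrix, min_count=2):
    """Ordered (operation, assumption) pairs to automate tests for first."""
    return [cell for cell, _ in clusters(matrix, min_count)]


def render(matrix):
    """Plain-text matrix with operations as rows and assumptions as columns."""
    width = max(len(a) for a in ASSUMPTIONS)
    lines = [" " * 28 + "".join(a.rjust(width + 1) for a in ASSUMPTIONS)]
    for op in OPERATIONS:
        cells = "".join(str(matrix[(op, a)]).rjust(width + 1) for a in ASSUMPTIONS)
        lines.append(op.ljust(28) + cells)
    return "\n".join(lines)


# The one entry the slides give (its CVE identifier is not on the slide),
# followed by constructed placeholder entries used only to show clustering.
SAMPLE_ENTRIES = [
    Entry("CVE (id not on slide)", "application level analysis", "insufficient verification",
          "Cisco PIX Firewall Manager allows retrieval of any file whose name and location is known"),
    Entry("CONSTRUCTED-1", "application level analysis", "insufficient verification"),
    Entry("CONSTRUCTED-2", "packet reassembly", "memory available"),
    Entry("CONSTRUCTED-3", "packet reassembly", "memory available"),
    Entry("CONSTRUCTED-4", "IP and port filtering", "trusted network object"),
]

if __name__ == "__main__":
    m = build_matrix(SAMPLE_ENTRIES)
    print(render(m))
    print("test focus:", focus_cells(m))
```

The cell ranking is the "find clusters, predict problems" step: a cell that keeps filling (here application-level analysis under insufficient verification) is where the next unknown problem is most likely, so it is where automated test generation is pointed first.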

Slide 17: Key Points
- Firewalls can employ:
  - Packet filters
  - Stateful inspection
  - Application-level gateways (many types)
  - Also circuit-level gateways
- Large variations, e.g., Raptor, PIX, Firewall-1, Gauntlet
- Several architectures to prevent the all-or-nothing effect
- Importance of policy
- Firewall testing automation underway

Slide 18: References
- RFC 2647, “Benchmarking”, plus drafts
- Simonds, “Network Security”, 1996
- Hunt, “Internet/Intranet firewall security”, Computer Communications, 1998
- Frantzen et al., “A framework for understanding vulnerabilities in firewalls using a dataflow model of firewall internals”, in preparation
- Kamara et al., “Testing firewalls”, in preparation
- Chapman, “Network (In)Security through IP packet filtering”
- Web pages and mailing lists

Slide 19: Thank You! Questions?