1 Carnegie Mellon University CERT Coordination Center Firewalls Institute of Internal Auditors Advanced Technology Conference and InfoExpo September 21,

Slides:



Advertisements
Similar presentations
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Advertisements

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.
Chapter 11 Firewalls.
Firewall Configuration Strategies
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
1 Carnegie Mellon University CERT Coordination Center Firewalls CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
A Brief Taxonomy of Firewalls
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Chapter 20 Firewalls.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
Intranet, Extranet, Firewall. Intranet and Extranet.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
1 Pertemuan 13 IDS dan Firewall Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 13 – Network Security
ACM 511 Chapter 2. Communication Communicating the Messages The best approach is to divide the data into smaller, more manageable pieces to send over.
TCP/IP Yang Wang Professor: M.ANVARI.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.
1 Internet Firewalls What it is all about Concurrency System Lab, EE, National Taiwan University R355.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
CSC8320. Outline Content from the book Recent Work Future Work.
Defense Techniques Sepehr Sadra Tehran Co. Ltd. Ali Shayan November 2008.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
NS-H /11041 Intruder. NS-H /11042 Intruders Three classes of intruders (hackers or crackers): –Masquerader –Misfeasor –Clandestine user.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
CSCE 522 Firewalls.
1.1 1 Purpose of firewall : –Control access to or from a protected network; –Implements network access policy connections pass through firewall and are.
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg.
Security fundamentals Topic 10 Securing the network perimeter.
1 Firewalls - Introduction l What is a firewall? –Firewalls are frequently thought of as a very complex system that is some sort of magical, mystical..
FORESEC Academy FORESEC Academy Security Essentials (III)
CSCE 201 Network Security Firewalls Fall CSCE Farkas2 Traffic Control – Firewall Brick wall placed between apartments to prevent the spread.
Regan Little. Definition Methods of Screening Types of Firewall Network-Level Firewalls Circuit-Level Firewalls Application-Level Firewalls Stateful Multi-Level.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Security fundamentals
Why do we need Firewalls?
Computer Data Security & Privacy
Introduction to Networking
Lecture # 7 Firewalls الجدر النارية. Lecture # 7 Firewalls الجدر النارية.
IS4680 Security Auditing for Compliance
Firewalls Routers, Switches, Hubs VPNs
Firewalls Jiang Long Spring 2002.
دیواره ی آتش.
Presentation transcript:

1 Carnegie Mellon University CERT Coordination Center Firewalls Institute of Internal Auditors Advanced Technology Conference and InfoExpo September 21, 1994 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 1521 Tom Longstaff The CERT Coordination Center is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense. SM

2 Carnegie Mellon University CERT Coordination Center Definition “A fireproof wall used in buildings and machinery to prevent the spread of fire” The American Heritage Desk Dictionary In an automobile, a firewall prevents the spread of fire while allowing control and monitoring connections to pass through

3 Carnegie Mellon University CERT Coordination Center Network Firewall Concept PUBLICNETWORKPUBLICNETWORK Firewall System Your Domain Legitimate Activity Violations

4 Carnegie Mellon University CERT Coordination Center Legitimate Activity Regulated by policy Defined by type of service (application), source, and destinationallow electronic mail to and from anyone allow news reading but not news posting allow login from inside to outside but not vice versa allow file transfer to a single system in your domain only do not give out the names of any systems in the environment

5 Carnegie Mellon University CERT Coordination Center Violations Violations are activities or behaviors not permitted in the policy these can be either explicit or implied Firewall technology may help with the detection and prevention of violations from outsiders are intrusions

6 Carnegie Mellon University CERT Coordination Center Firewalls and Policy Firewalls automate the enforcement of a network access policy Some firewall architectures may also provide additional functionality monitoring public services Firewalls cannot determine intent prevent abuse of allowed services provide host security protect against violations through other pathways

7 Carnegie Mellon University CERT Coordination Center Firewall Types Filters Restrict traffic based on packet header information Most common fields are type (tcp, udp, etc), src, dst, port/service Advanced filters may restrict traffic based on traffic patterns or other aggregate information Proxies (or Application Gateways) Restrict traffic based on packet content Is application specific VPN/IPSec Gateways Supports tunneling between networks Can support tunneling to mobile nodes

8 Carnegie Mellon University CERT Coordination Center Filter Rules Two philosophies Allow all except those packet types that carry known vulnerabilities Deny all except those packet types that are required by users Some rules carry context Connection-oriented Based on SYN/ACK protocol Filters have problems with: Malformed packets/fragmented packets Out-of-sequence protocols Backward client-server protocols (X11, FTP)

9 Carnegie Mellon University CERT Coordination Center Gateways and Proxies These are paths through your firewall to allow services Proxies are intermediaries that regulate service through the firewall Application gateways and proxies allow specific application interfaces through the firewall Encryption is the bane of gateways and proxies

10 Carnegie Mellon University CERT Coordination Center Firewall Architectures Where to position firewalls? between your domain and every access to the outside between administrative domains of dissimilar policy between networks where the boundary much be controlled What architecture to use? simple router router with multiple interfaces gateway/proxy services between dual routers a gateway separating dual routers

11 Carnegie Mellon University CERT Coordination Center The Simple Router (packet filter) -1 PUBLICNETWORKPUBLICNETWORK Firewall Router Your Domain

12 Carnegie Mellon University CERT Coordination Center The Simple Router (packet filter) -2 Advantages cheap - usually a must-have anyway simple - only one configuration file to contend with verifiable - packet monitoring at the site will assure filtering is working Disadvantages no flexibility with applications - packet filter only only extreme for security limited logging capability

13 Carnegie Mellon University CERT Coordination Center A Router with Multiple Interfaces -1 PUBLICNETWORKPUBLICNETWORK Your Domain Site Router

14 Carnegie Mellon University CERT Coordination Center A Router with Multiple Interfaces -2 Advantages ability to segment a site into distinct domains flexibility to create logical architectures single configuration file to maintain Disadvantages single point of failure convoluted configuration file possible confusion over interfaces vulnerabilities associated with the router

15 Carnegie Mellon University CERT Coordination Center Gateway/Proxy Services Between Dual Routers -1 PUBLICNETWORKPUBLICNETWORK Your Domain Firewall Router Site Router Proxy/ Gateway Proxy/ Gateway Proxy/ Gateway Proxy/ Gateway Proxies and Gateways

16 Carnegie Mellon University CERT Coordination Center Gateway/Proxy Services Between Dual Routers -2 Advantages ability to provide risky services application filtering possible allows you to hide many hosts behind the second router provides a good auditing point Disadvantages still a physical connection between routers may allow unprotected services and tunnelling throughrvice to “slip by” the proxy multiple configuration files to maintain

17 Carnegie Mellon University CERT Coordination Center A Gateway Separating Dual Routers (“belt and suspenders”) -1 PUBLICNETWORKPUBLICNETWORK Your Domain Firewall Router Site Router Filtering Gateway

18 Carnegie Mellon University CERT Coordination Center Gateway Separating Dual Routers -2 Advantages provides both logical and physical separation restricts services not addressed by the proxy or gateway system provides controlled functionality through the firewall supports a limited access policy (e.g., only) excellent central point for accounting/monitoring Disadvantages limits functionality to available gateway/proxy software causes a bottleneck for traffic difficult to setup and maintain

19 Carnegie Mellon University CERT Coordination Center The Future of Firewalls Firewall technology relies on controlling access points to the network When access to the network becomes more distributed and ubiquitous, control becomes difficult Restrictive firewalls discourage network growth and development Trust in firewalls may cause a false sense of security

20 Carnegie Mellon University CERT Coordination Center Site Administrative Boundary PC LAN ISDN Telecomm Systems Mainframe With Dial-up PPP Multi-Protocol Router Workstation Dial-ins Mobile Computing

21 Carnegie Mellon University CERT Coordination Center Discussion If your security policy does not allow Java applets to be run on an internal network, is a proxy or filter more appropriate? Why? What are some of the issues involved in attempting to use a proxy to disallow Java applets? Presentation Opportunity: CERT report on State of the Art for Intrusion Detection Systems Firewall papers (many) Research CISCO PIX firewall product family and describe the features, performance, and reliability. Also describe how the PIX is configured and determine how easy this would fit into a complex architecture