Firewalls. Chapter 5. Copyright Prentice-Hall 2003

[Figure 5-1: Border Firewall. Diagram: the border firewall sits between the Internet (not trusted) and the internal corporate network (trusted). Passed packets flow in both directions (ingress and egress); an attack packet from the attacker on the Internet is dropped at the firewall (dropped packet, ingress) and recorded in the log file. Internal hosts shown: hardened client PC, hardened server.]

Figure 5-2: Types of Firewall Inspection. Packet Inspection
- Examines IP, TCP, UDP, and ICMP header contents
- Static packet filtering looks at individual packets in isolation; misses many attacks
- Stateful inspection inspects packets in the context of the packet's role in an ongoing or incipient conversation
- Stateful inspection is the preferred packet inspection method today

Figure 5-2: Types of Firewall Inspection. Application Inspection
- Examines application layer messages
- Stops some attacks that packet inspection cannot
Network Address Translation
- Hides the IP addresses of internal hosts to thwart sniffers
- Benignly spoofs source IP addresses in outgoing packets

Figure 5-2: Types of Firewall Inspection. Denial-of-Service Inspection
- Recognizes incipient DoS attacks and takes steps to stop them
- Limited to a few common types of attacks
Authentication
- Only packets from users who have proven their identity are allowed through
- Not commonly used, but can be valuable

Figure 5-2: Types of Firewall Inspection. Virtual Private Network Handling
- Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection
- VPN protection often works in parallel with other types of inspection instead of being integrated with them

Figure 5-2: Types of Firewall Inspection. Integrated Firewalls
- Most commercial products combine multiple types of filtering
- Some freeware and shareware firewall products offer only one type of filtering

Outline: Types of Firewalls (screening router firewalls; computer-based firewalls; firewall appliances; host firewalls, i.e. firewalls on clients and servers); Inspection Methods; Firewall Architecture; Configuring, Testing, and Maintenance

Figure 5-3: Firewall Hardware and Software. Screening Router Firewalls
- Add firewall software to the router
- Usually provide light filtering only
- Expensive for the processing power; usually must upgrade the hardware, too
- Screens out the incoming "noise" of simple scanning attacks to make the detection of serious attacks easier
- Good location for egress filtering; can eliminate scanning responses, even from the router

Figure 5-3: Firewall Hardware and Software. Computer-Based Firewalls
- Add firewall software to a server with an existing operating system: Windows or UNIX
- Can be purchased with enough power to handle any load
- Easy to use because administrators already know the operating system
- Firewall vendor might bundle the software with hardened hardware and operating system software

Figure 5-3: Firewall Hardware and Software. Computer-Based Firewalls
- General-purpose operating systems result in slower processing
- Security: attackers may be able to hack the operating system
  - Change filtering rules to allow attack packets in
  - Change filtering rules to drop legitimate packets

Figure 5-3: Firewall Hardware and Software. Firewall Appliances
- Boxes with minimal operating systems
- Therefore, difficult to hack
- Setup is minimal
- Not customized to the specific firm's situation
- Must be able to update

Figure 5-3: Firewall Hardware and Software. Host Firewalls
- Installed on the hosts themselves (servers and sometimes clients)
- Enhanced security because of host-specific knowledge
- For example, filter out everything but webserver transmissions on a webserver

Figure 5-3: Firewall Hardware and Software. Host Firewalls
- Defense in depth
- Normally used in conjunction with other firewalls
- Although on single host computers attached to the Internet, might be the only firewall

Figure 5-3: Firewall Hardware and Software. Host Firewalls
- If not centrally managed, configuration can be a nightmare, especially if rule sets change frequently
- Client firewalls typically must be configured by ordinary users, who might misconfigure or reject the firewall
- Need to centrally manage remote employee computers

[Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering. Chart: performance requirements rise with traffic volume (packets per second) and with the complexity of filtering (number of filtering rules, complexity of the rules, etc.).]

Outline: Types of Firewalls; Inspection Methods (static packet inspection; stateful packet inspection; NAT; application firewalls); Firewall Architecture; Configuring, Testing, and Maintenance

[Figure 5-5: Static Packet Filter Firewall. Diagram: packets arriving from the Internet to the corporate network are examined one at a time, in isolation; only the IP, TCP, UDP and ICMP headers are examined. Example verdicts: IP-H/TCP-H/application message: permit (pass); IP-H/UDP-H/application message: permit (pass); IP-H/ICMP message: deny (drop). Dropped packets are recorded in the log file.]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.40.*.*, DENY [internal address range]
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
18. DENY ALL

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router (continued)
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver]
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
13. DENY ALL
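The two ACLs above are evaluated in series, first match wins, with DENY ALL as the fallback. The following is an added example, not code from the slides or from the textbook, that encodes the Figure 5-6 ingress list and the Figure 5-7 egress list as ordered rules over a constructed packet summary and evaluates them. It also includes a helper that swaps two rules so you can see the misordering problem the chapter warns about: placing rule 8 (deny external SYN) ahead of rule 7 (pass webserver traffic) silently blocks the public webserver. The internal range 60.40.*.* in rule 4 is copied from the figure as given; the test packets and their addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass
class Packet:
    """Constructed packet summary: only the header fields a static filter examines."""
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    icmp_type: int = -1


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    action: str           # "PASS" or "DENY"
    note: str             # rule number and purpose, taken from the figure


def in_net(addr: str, *nets: str) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def tcp(p: Packet) -> bool:
    return p.proto == "TCP"


# Figure 5-6 ingress ACL, in the figure's order. Unmatched packets fall through to DENY ALL.
INGRESS: List[Rule] = [
    Rule(lambda p: in_net(p.src, "10.0.0.0/8"), "DENY", "1 private range"),
    Rule(lambda p: in_net(p.src, "172.16.0.0/12"), "DENY", "2 private range"),
    Rule(lambda p: in_net(p.src, "192.168.0.0/16"), "DENY", "3 private range"),
    Rule(lambda p: in_net(p.src, "60.40.0.0/16"), "DENY", "4 internal range (as in figure)"),
    Rule(lambda p: p.src == "1.2.3.4", "DENY", "5 black-holed attacker"),
    Rule(lambda p: tcp(p) and p.syn and p.fin, "DENY", "6 crafted SYN/FIN"),
    Rule(lambda p: tcp(p) and p.dst == "60.47.3.9" and p.dport in (80, 443), "PASS", "7 public webserver"),
    Rule(lambda p: tcp(p) and p.syn and not p.ack, "DENY", "8 external connection attempt"),
    Rule(lambda p: tcp(p) and p.dport in (20, 21, 23, 513, 514, 22), "DENY", "9-11,13-15 risky services"),
    Rule(lambda p: tcp(p) and 135 <= p.dport <= 139, "DENY", "12 NetBIOS"),
    Rule(lambda p: p.proto == "UDP" and p.dport == 69, "DENY", "16 TFTP"),
    Rule(lambda p: p.proto == "ICMP" and p.icmp_type == 0, "PASS", "17 echo reply"),
]

# Figure 5-7 egress ACL. Rules 9-12 are expressed with >= 49152 so no upper bound is assumed.
EGRESS: List[Rule] = [
    Rule(lambda p: in_net(p.src, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"), "DENY", "1-3 private range"),
    Rule(lambda p: not in_net(p.src, "60.47.0.0/16"), "DENY", "4 not internal range"),
    Rule(lambda p: p.proto == "ICMP" and p.icmp_type == 8, "PASS", "5 outgoing echo"),
    Rule(lambda p: p.proto == "ICMP", "DENY", "6 other ICMP"),
    Rule(lambda p: tcp(p) and p.rst, "DENY", "7 outgoing RST"),
    Rule(lambda p: tcp(p) and p.src == "60.47.3.9" and p.sport in (80, 443), "PASS", "8 public webserver"),
    Rule(lambda p: p.proto in ("TCP", "UDP") and p.sport <= 49151, "DENY", "9-10 well-known/registered ports"),
    Rule(lambda p: p.proto in ("TCP", "UDP") and p.sport >= 49152, "PASS", "11-12 client ports"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the ACL in series and return (action, note of the first matching rule)."""
    for rule in acl:
        if rule.match(pkt):
            return rule.action, rule.note
    return "DENY", "DENY ALL"


def swap_rules(acl: List[Rule], i: int, j: int) -> List[Rule]:
    """Copy of the ACL with two rules exchanged, to reproduce a misordering error."""
    out = list(acl)
    out[i], out[j] = out[j], out[i]
    return out


if __name__ == "__main__":
    web_syn = Packet("123.80.5.34", "60.47.3.9", "TCP", 62600, 80, syn=True)
    print("correct order:", evaluate(INGRESS, web_syn))
    print("rules 7/8 swapped:", evaluate(swap_rules(INGRESS, 6, 7), web_syn))
```

Because the same evaluator runs both lists, the ACLs can be tested against a policy before they are loaded on the router, which is the "policies drive testing" practice of Figure 5-22.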

Outline: Types of Firewalls; Inspection Methods (static packet inspection; stateful packet inspection; NAT; application firewalls); Firewall Architecture; Configuring, Testing, and Maintenance

Figure 5-8: Stateful Inspection Firewalls
- State of connection: open or closed
- State: order of the packet within a dialog
- Often simply whether the packet is part of an open connection

Figure 5-8: Stateful Inspection Firewalls. Stateful Firewall Operation
- For TCP, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
- By default, permit connections from internal clients (on the trusted network) to external servers (on the untrusted network)
- This default behavior can be changed with an ACL
- Accept future packets between these hosts and ports with little or no inspection

[Figure 5-9: Stateful Inspection Firewall Operation I (steps 1-3). Diagram: (1) the internal client PC 60.55.33.12 sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80; (2) the stateful firewall establishes the connection in its table (outgoing connections are allowed by default); (3) the SYN segment is forwarded to the external webserver 123.80.5.34.
Connection table: Type TCP, Internal IP 60.55.33.12, Internal Port 62600, External IP 123.80.5.34, External Port 80, Status OK]

[Figure 5-9: Stateful Inspection Firewall Operation I (steps 4-6). Diagram: (4) the external webserver 123.80.5.34 replies with a TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600; (5) the stateful firewall checks the connection table and finds the connection OK; (6) the SYN/ACK segment is forwarded to the internal client PC 60.55.33.12.
Connection table: Type TCP, Internal IP 60.55.33.12, Internal Port 62600, External IP 123.80.5.34, External Port 80, Status OK]

Figure 5-8: Stateful Inspection Firewalls. Stateful Firewall Operation
- For UDP, also record the two IP addresses and port numbers in the state table
Connection table:
Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 80 | OK
UDP | 60.55.33.12 | 63206 | 1.8.33.4 | 69 | OK

Figure 5-8: Stateful Inspection Firewalls. Static Packet Filter Firewalls are Stateless
- Filter one packet at a time, in isolation
- If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
- But stateful firewalls can (Figure 5-10)

[Figure 5-10: Stateful Firewall Operation II. Diagram: (1) an attacker spoofing external webserver 10.5.3.4 sends a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640; (2) the stateful firewall checks the connection table, finds no connection match, and drops the segment before it reaches the internal client PC 60.55.33.12.
Connection table: TCP 60.55.33.12:62600 to 123.80.5.34:80, OK; UDP 60.55.33.12:63206 to 222.8.33.4:69, OK]

Figure 5-8: Stateful Inspection Firewalls. Static Packet Filter Firewalls are Stateless
- Filter one packet at a time, in isolation
- Cannot deal with port-switching applications
- But stateful firewalls can (Figure 5-11)

[Figure 5-11: Port-Switching Applications with Stateful Firewalls (steps 1-3). Diagram: (1) the internal client PC 60.55.33.12 sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21; (2) the stateful firewall establishes the connection; (3) the SYN segment is forwarded to the external FTP server 123.80.5.34.
State table (step 2): Type TCP, Internal IP 60.55.33.12, Internal Port 62600, External IP 123.80.5.34, External Port 21, Status OK]

[Figure 5-11: Port-Switching Applications with Stateful Firewalls (steps 4-6). Diagram: (4) the external FTP server 123.80.5.34 replies with a TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600, stating "use ports 20 and 55336 for data transfers"; (5) to allow this, the stateful firewall establishes a second connection in its state table; (6) the SYN/ACK segment is forwarded to the internal client PC 60.55.33.12.
State table: step 2: TCP 60.55.33.12:62600 to 123.80.5.34:21, OK; step 5: TCP 60.55.33.12:55336 to 123.80.5.34:20, OK]

Figure 5-8: Stateful Inspection Firewalls. Stateful Inspection Access Control Lists (ACLs)
- Primarily allow or deny applications
- Simple, because probing attacks that are not part of conversations do not need specific rules; they are dropped automatically
- In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
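Figures 5-9 through 5-11 describe the same mechanism from three angles: an outgoing connection creates a row in the state table, an inbound segment passes only if it matches a row, and a port-switching application gets a second row when the control connection names the data ports. The following is an added example, not code from the slides or the textbook, that implements that state table over a constructed segment summary. It assumes an internal network of 60.55.33.0/24 and uses a made-up control message "USE-PORTS <external> <internal>" in place of the real FTP port negotiation; the log records why each drop happened, which is what a practitioner would want for Figure 5-10's spoofed probe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class ConnKey:
    """One row of the state table, with the columns of Figure 5-9."""
    proto: str
    internal_ip: str
    internal_port: int
    external_ip: str
    external_port: int


@dataclass
class Segment:
    """Constructed segment summary: addresses, ports, TCP flags and application payload."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: str = ""


class StatefulFirewall:
    def __init__(self, internal_net: str) -> None:
        self.internal = ip_network(internal_net)
        self.table: Dict[ConnKey, str] = {}    # value is the Status column ("OK")
        self.log: List[str] = []

    def _is_internal(self, ip: str) -> bool:
        return ip_address(ip) in self.internal

    def handle(self, seg: Segment) -> str:
        """Return "PASS" or "DROP" for one arriving segment."""
        if self._is_internal(seg.src) and not self._is_internal(seg.dst):
            return self._outbound(seg)
        if self._is_internal(seg.dst) and not self._is_internal(seg.src):
            return self._inbound(seg)
        self.log.append(f"unexpected direction {seg.src} -> {seg.dst}: drop")
        return "DROP"

    def _outbound(self, seg: Segment) -> str:
        # Default policy (Figure 5-8): internal clients may open connections to external
        # servers, so a new outgoing TCP SYN or UDP datagram creates a row in the table.
        key = ConnKey(seg.proto, seg.src, seg.sport, seg.dst, seg.dport)
        if key not in self.table:
            if seg.proto == "TCP" and not (seg.syn and not seg.ack):
                self.log.append(f"outbound non-SYN with no connection: drop {key}")
                return "DROP"
            self.table[key] = "OK"
        return "PASS"

    def _inbound(self, seg: Segment) -> str:
        key = ConnKey(seg.proto, seg.dst, seg.dport, seg.src, seg.sport)
        if self.table.get(key) != "OK":
            # Figure 5-10: a SYN/ACK (or anything else) with no matching row is dropped.
            self.log.append(f"no connection match: drop {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}")
            return "DROP"
        # Figure 5-11: port-switching application. When the control connection (port 21)
        # names the ports for the data transfer, add a second row so that connection is allowed.
        # "USE-PORTS <external> <internal>" is a constructed stand-in, not real FTP syntax.
        if key.external_port == 21 and seg.payload.startswith("USE-PORTS "):
            ext_port, int_port = (int(x) for x in seg.payload.split()[1:3])
            data_key = ConnKey("TCP", key.internal_ip, int_port, key.external_ip, ext_port)
            self.table[data_key] = "OK"
        return "PASS"

    def has_connection(self, proto: str, internal_ip: str, internal_port: int,
                       external_ip: str, external_port: int) -> bool:
        return self.table.get(ConnKey(proto, internal_ip, internal_port, external_ip, external_port)) == "OK"


if __name__ == "__main__":
    fw = StatefulFirewall("60.55.33.0/24")
    print(fw.handle(Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True)))
    print(fw.handle(Segment("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True)))
    print(fw.handle(Segment("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True)), fw.log)
```

The table is keyed on all five values, so a reply must match both address pairs and both ports; that is why the spoofed SYN/ACK to port 64640 in Figure 5-10 has no match even though 60.55.33.12 has other open connections.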

Outline: Types of Firewalls; Inspection Methods (static packet inspection; stateful packet inspection; NAT; application firewalls); Firewall Architecture; Configuring, Testing, and Maintenance

[Figure 5-12: Network Address Translation (NAT). Diagram: (1) the internal client 192.168.5.7 sends a packet from 192.168.5.7, port 61000; (2) the NAT firewall rewrites it so it leaves as "from 60.5.9.8, port 55380" toward the server host on the Internet, so a sniffer sees only the external address; (3) the reply arrives addressed to 60.5.9.8, port 55380; (4) the NAT firewall translates it back to 192.168.5.7, port 61000.
Translation table: Internal IP Addr 192.168.5.7, Internal Port 61000, External IP Addr 60.5.9.8, External Port 55380; further rows elided.]
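Figure 5-12 shows only one row of the translation table. The following is an added example, not code from the slides or the textbook, that implements the table in both directions: outbound packets get the firewall's external address and a fresh external port, inbound packets are mapped back through the row their destination port selects, and an inbound packet with no row is dropped (returned as None). The external address 60.5.9.8 and the starting port 55380 are taken from the figure; the server address and second client are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Datagram:
    """Constructed packet summary: only the address and port fields NAT rewrites."""
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Rewrites internal source addresses to the firewall's external address (Figure 5-12)."""

    def __init__(self, external_ip: str, first_port: int = 55380) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # Translation table: (internal IP, internal port) <-> external port.
        self.out_map: Dict[Tuple[str, int], int] = {}
        self.in_map: Dict[int, Tuple[str, int]] = {}

    def outbound(self, d: Datagram) -> Datagram:
        """Step 1 -> 2: allocate (or reuse) a row and rewrite the source address and port."""
        key = (d.src, d.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        # Anything sniffed on the external side carries only external_ip:port.
        return Datagram(self.external_ip, self.out_map[key], d.dst, d.dport)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 3 -> 4: map the external port back to the internal host, or drop."""
        if d.dst != self.external_ip or d.dport not in self.in_map:
            return None   # no translation row: unsolicited packet is not delivered
        ip, port = self.in_map[d.dport]
        return Datagram(d.src, d.sport, ip, port)

    def rows(self) -> Dict[Tuple[str, int], int]:
        return dict(self.out_map)


if __name__ == "__main__":
    nat = NatFirewall("60.5.9.8")
    out = nat.outbound(Datagram("192.168.5.7", 61000, "123.80.5.34", 80))
    print(out, nat.inbound(Datagram("123.80.5.34", 80, "60.5.9.8", out.sport)))
```

Because the inbound path is keyed on the external port, the firewall also functions as a coarse stateful filter: an external host cannot reach an internal address unless an internal host created the row first.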

Outline: Types of Firewalls; Inspection Methods (static packet inspection; stateful packet inspection; NAT; application firewalls); Firewall Architecture; Configuring, Testing, and Maintenance

[Figure 5-13: Application Firewall Operation. Diagram: the application firewall 60.45.2.6 runs an HTTP proxy, an FTP proxy and an SMTP (e-mail) proxy. For the HTTP proxy: (1) the browser on client PC 192.168.6.77 sends an HTTP request; (2) the proxy filters it; (3) the examined HTTP request leaves from 60.45.2.6 to the webserver application on webserver 123.80.5.34; (4) the HTTP response returns to 60.45.2.6; (5) the proxy filters it; (6) the examined HTTP response is delivered to 192.168.6.77. Filtering: outbound on POST, hostname, URL, MIME type, etc.; FTP proxy: outbound filtering on PUT; SMTP proxy: inbound and outbound filtering on obsolete commands and content.]

[Figure 5-14: Header Destruction with Application Firewalls. Diagram: an arriving packet from attacker 1.2.3.4 (original IP header, original TCP header, application message, HTTP) reaches application firewall 60.45.2.6, which removes the original headers and creates a new packet (new IP header, new TCP header, the same application message) for webserver 123.80.5.34. The application firewall strips the original headers from arriving packets and creates new packets with new headers; this stops all header-based packet attacks.]

[Figure 5-15: Protocol Spoofing. Diagram: (1) a Trojan horse on internal client PC 60.55.33.12 transmits on port 80 to attacker 1.2.3.4 to get through a simple packet filter firewall; (2) the application firewall sees that the protocol is not HTTP and stops the transmission.]
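Figures 5-14 and 5-15 describe two things an application firewall does that a packet filter cannot: it checks that what travels on port 80 is actually HTTP (and applies method-level policy, as Figure 5-13's "filtering on POST" and "obsolete commands" suggest), and it discards the arriving packet's headers, rebuilding a fresh packet from its own address. The following is an added example, not code from the slides or the textbook, that does both over a constructed packet summary. The firewall address 60.45.2.6 and webserver 123.80.5.34 come from the figures; the allowed-method policy, the request-line check and the sample payloads are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AppPacket:
    """Constructed packet summary: headers as fields plus the application message."""
    src: str
    sport: int
    dst: str
    dport: int
    app_msg: bytes


FIREWALL_IP = "60.45.2.6"          # application firewall, Figures 5-13 and 5-14

# An HTTP/1.x request line: method, request-target, version, CRLF.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) (\S+) HTTP/1\.[01]\r\n")
# Assumed policy for the proxy: only these methods are forwarded to the webserver.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


def inspect_http(app_msg: bytes) -> Tuple[bool, str]:
    """Figure 5-15: bytes on port 80 must parse as HTTP, and only permitted methods pass."""
    m = REQUEST_LINE.match(app_msg)
    if not m:
        return False, "protocol is not HTTP"
    if m.group(1) not in ALLOWED_METHODS:
        return False, f"method {m.group(1).decode()} not permitted"
    return True, "ok"


def proxy_forward(pkt: AppPacket, webserver_ip: str, firewall_port: int) -> Optional[AppPacket]:
    """Figure 5-14: drop the original headers and build a new packet from the firewall
    to the webserver carrying only the examined application message. None means dropped."""
    if pkt.dport != 80:
        return None                      # this proxy only handles the HTTP service
    ok, _reason = inspect_http(pkt.app_msg)
    if not ok:
        return None
    # Nothing from the arriving IP/TCP headers is copied: src, ports and dst are all new.
    return AppPacket(FIREWALL_IP, firewall_port, webserver_ip, 80, pkt.app_msg)


if __name__ == "__main__":
    good = AppPacket("1.2.3.4", 40000, FIREWALL_IP, 80,
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    trojan = AppPacket("60.55.33.12", 40001, "1.2.3.4", 80, b"\x17\x03\x01beacon-data")
    print(proxy_forward(good, "123.80.5.34", 50001))
    print(inspect_http(trojan.app_msg))
```

The regular expression is deliberately strict (exact method, single space, CRLF): a proxy that accepts anything "HTTP-like" gives back the protocol-spoofing gap the figure is about.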

[Figure 5-16: Circuit Firewall. Diagram: (1) the external client 123.30.82.5 authenticates to the circuit firewall (SOCKS v5) 60.34.3.31; (2) the client's transmission arrives; (3) it is passed to webserver 60.80.5.34 with no filtering; (4) the webserver replies; (5) the reply is passed back with no filtering.]

Outline: Types of Firewalls; Inspection Methods; Firewall Architecture (single site in a large organization; home firewall; SOHO firewall router; distributed firewall architecture); Configuring, Testing, and Maintenance

[Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site. Diagram, from the Internet inward: (1) screening router 60.47.1.1, last rule = permit all; (2) main firewall, last rule = deny all; (6) DMZ holding the public webserver 60.47.3.9, external DNS server 60.47.3.4, SMTP relay proxy 60.47.3.10 and HTTP proxy server 60.47.3.1; (3) internal firewall in front of the 172.18.9.x subnet; (4) client host firewall on a marketing client on the 172.18.5.x subnet; (5) server host firewall on an accounting server on the 172.18.7.x subnet.]

[Figure 5-18: Home Firewall. Diagram: a home PC with a PC firewall, connected by UTP cord to a broadband modem, which connects by coaxial cable over an always-on connection to the Internet service provider.]

[Figure 5-19: SOHO Firewall Router. Diagram: user PCs connect by UTP to an Ethernet switch, which connects by UTP to the SOHO router (DHCP server, NAT firewall, and limited application firewall), then by UTP to a broadband modem (DSL or cable) and on to the Internet service provider. Many access routers combine the router and Ethernet switch in a single box.]

[Figure 5-20: Distributed Firewall Architecture. Diagram: a management console administers the firewalls at Site A, Site B and a home PC firewall across the Internet.]

Figure 5-21: Other Security Architecture Issues
- Host and application security (Chapters 6 and 9)
- Antivirus protection (Chapter 4)
- Intrusion detection systems (Chapter 10)
- Virtual private networks (Chapter 8)
- Policy enforcement system

Outline: Types of Firewalls; Inspection Methods; Firewall Architecture; Configuring, Testing, and Maintenance

Figure 5-22: Configuring, Testing, and Maintaining Firewalls. Firewall Misconfiguration is a Serious Problem
- ACL rules must be executed in series
- Easy to make misordering problems
- Easy to make syntax errors

Figure 5-22: Configuring, Testing, and Maintaining Firewalls. Create Policies Before ACLs
- Policies are easier to read than ACLs
- Can be reviewed by others more easily than ACLs
- Policies drive ACL development
- Policies also drive testing

Figure 5-22: Configuring, Testing, and Maintaining Firewalls. Must Test Firewalls with Security Audits
- Only way to tell if policies are being supported
- Must be driven by policies
Maintaining Firewalls
- New threats appear constantly
- ACLs must be updated constantly if the firewall is to be effective

[Figure 5-23: FireWall-1 Modular Management Architecture. Diagram: the management module stores policies and stores log files; the application module (GUI) creates and edits policies and reads log files; each firewall module enforces the policy it receives from the management module and sends log entries back to it.]

[Figure 5-24: FireWall-1 Service Architecture. Diagram: (1) a packet arrives from the external server at the FireWall-1 firewall; (2) it is statefully filtered; (3) DoS protection and optional authentication are applied; (4) the Content Vectoring Protocol hands the packet to a third-party application inspection firewall; (5) the statefully filtered packet, plus application inspection, is delivered to the internal client.]

[Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls. Diagram: the outside (Internet, via a router) has security level 0, the inside has security level 100, and an internal network has security level 60. Connections are allowed from more secure networks to less secure networks, so a connection from the inside outward is automatically accepted and a connection from the Internet inward is automatically rejected.]