A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg.


Agenda
- Introduction
- The Pattern Language
- The Basic Firewall Pattern
- The Proxy-Based Firewall Pattern

Introduction
Firewall: a choke point of entry (and exit) into a local network
- Allows access to approved traffic to and from the local network
- Denies access to unauthorized traffic to and from the local network
- Can enforce security policies

The Pattern Language (diagram of the patterns and their relationships)
- Address Filtering
- Address Filter Firewall (static packet filter)
- Stateful Firewall
- Proxy-Based Firewall (application level)
- Content-Based Firewall

The Basic Firewall Pattern
Intent: To filter incoming and outgoing network traffic in a computer system, based on network addresses.
Context: Computer systems on a local network connected to the Internet and to external networks.
Problem:
- A local network is usually attacked from the outside.
- The local network may be partitioned, and attacks may come from other local networks.
- The private information should be maintained within the local network.

The Basic Firewall Pattern
Forces:
- Need for filtering in a user-transparent form
- Need to have a clear model of what is being filtered and how
- The configuration of the firewalls must reflect the institution's policies
- The configuration of the firewalls must be easy to change
- Logging is necessary for auditing or defense purposes

The Basic Firewall Pattern
Solution (class diagram). Classes: LocalNetwork (attribute address), Firewall, RuleBase, and Rule (attribute in/out) with subclasses ExplicitRule and DefaultRule; a RuleBase holds its rules as an {ordered} sequence. A LocalNetwork communicates through the Firewall (requestService), and the Firewall consults its RuleBase. The diagram separates a Network Level from an Implementation Level.

The Basic Firewall Pattern
Dynamics: "Filtering a Local Network's Request" use case (sequence diagram). Participants: LN1 : LocalNetwork, LN2 : LocalNetwork, : Firewall, : RuleBase, : Rule. Messages, in order: requestService, filterRequest, verify, checkRule, requestAccepted.

The Basic Firewall Pattern
Dynamics: "Defining a Rule" use case (sequence diagram). Participants: : Administrator, : Firewall, : RuleBase. Messages, in order: addRule(rule, location) from the Administrator to the Firewall, addRule(rule) from the Firewall to the RuleBase, ruleAdded returned.

The Basic Firewall Pattern
Consequences, advantages:
- A firewall filters all the traffic that passes through it based on network addresses, transparently to applications.
- It is possible to express the institution's filtering policies through its rules.
- A firewall facilitates the detection of possible attacks and makes it possible to hold regular users responsible for their actions.
- A firewall lends itself to systematic logging of incoming and outgoing messages.
- Low cost: it is included as part of many operating systems.
- Good performance: it only needs to look at packet headers.

The Basic Firewall Pattern
Consequences, liabilities:
- A firewall's effectiveness may be limited by its rule set (order of precedence).
- A firewall's effectiveness is limited to the point of entry into the local network; once a potential attacker has passed through the firewall, the security of the system may be breached.
- A firewall can only enforce security policies on traffic that goes through the firewall.
- A (basic) firewall cannot stop higher-level attacks ( , FTP).

The Basic Firewall Pattern
Consequences, liabilities (continued):
- A firewall generally tends to adversely affect the usability, performance, and cost of the protected system.
- The security policies that a firewall enforces are different for different sites, networks, and systems.
- Addition of new rules may interfere with existing rules in the rule set; hence, a careful approach should be taken in adding and updating access rules.
- Not state aware.
- A packet filter cannot recognize forged addresses in traffic coming from outside.
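The following is an added example written for this page, not code from the paper: a runnable model of the Basic Firewall pattern's solution and dynamics (a Firewall consulting an ordered RuleBase of ExplicitRules with a DefaultRule, via requestService/checkRule/addRule) that also shows the rule-interference liability above, where a rule added after a broader one never takes effect. Class and message names follow the pattern's diagrams; the CIDR-based address matching, the log line format, the sample addresses and the shadowing report returned by add_rule are this example's own assumptions.

```python
# Added example, not the paper's code: the Basic (address-filtering) Firewall
# pattern as an ordered RuleBase consulted by a Firewall.  Class and message
# names follow the pattern's diagrams; CIDR matching, the log format and the
# shadowing report returned by add_rule are this example's own assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """ExplicitRule: match direction and address prefixes, then accept or deny."""
    direction: str   # "in" or "out"
    src: str         # source prefix in CIDR notation, e.g. "203.0.113.0/24"
    dst: str         # destination prefix in CIDR notation
    action: str      # "accept" or "deny"

    def matches(self, direction, src, dst):
        return (self.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

    def covers(self, other):
        """True when every packet `other` could match is already matched by self."""
        return (self.direction == other.direction
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


class RuleBase:
    """Ordered explicit rules plus a DefaultRule; the first matching rule wins."""

    def __init__(self, default_action="deny"):
        self.rules = []                    # {ordered}
        self.default_action = default_action

    def add_rule(self, rule, location=None):
        """addRule(rule, location): insert at `location` (end if None) and
        return the earlier rules that fully shadow the new one, i.e. rules
        that always match first, so the new rule can never take effect."""
        index = len(self.rules) if location is None else location
        shadowing = [r for r in self.rules[:index] if r.covers(rule)]
        self.rules.insert(index, rule)
        return shadowing

    def check_rule(self, direction, src, dst):
        for rule in self.rules:
            if rule.matches(direction, src, dst):
                return rule.action, rule
        return self.default_action, None   # DefaultRule


class Firewall:
    """Choke point: every requestService is filtered through the RuleBase and logged."""

    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.log = []

    def request_service(self, direction, src, dst):
        action, rule = self.rulebase.check_rule(direction, src, dst)
        self.log.append("%s %s -> %s: %s (%s)" % (
            direction, src, dst, action, "default rule" if rule is None else rule))
        return action == "accept"


def build_demo():
    """Constructed rule set: a public web server, a blocked external range,
    unrestricted outbound traffic, and then a deny rule that is shadowed."""
    rulebase = RuleBase(default_action="deny")
    firewall = Firewall(rulebase)
    rulebase.add_rule(Rule("in", "0.0.0.0/0", "192.168.1.10/32", "accept"))    # web server
    rulebase.add_rule(Rule("in", "203.0.113.0/24", "192.168.1.0/24", "deny"))  # blocked range
    rulebase.add_rule(Rule("out", "192.168.1.0/24", "0.0.0.0/0", "accept"))
    # This deny is fully covered by the first rule, so it never fires: the
    # "order of precedence" liability the pattern warns about.
    shadowed_by = rulebase.add_rule(Rule("in", "198.51.100.0/24", "192.168.1.10/32", "deny"))
    return firewall, shadowed_by


if __name__ == "__main__":
    fw, shadowed_by = build_demo()
    print("new deny rule shadowed by:", shadowed_by)
    for direction, src, dst in [("in", "198.51.100.7", "192.168.1.10"),
                                ("in", "203.0.113.5", "192.168.1.20"),
                                ("in", "8.8.8.8", "192.168.1.20"),
                                ("out", "192.168.1.20", "8.8.8.8")]:
        fw.request_service(direction, src, dst)
    print("\n".join(fw.log))
```

Running the script shows the last deny rule reported as shadowed by the first accept rule, and a request from 198.51.100.7 to the web server is accepted although the administrator intended to block that range; reviewing what add_rule returns before committing a change is the "careful approach" the liability calls for.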

The Basic Firewall Pattern
Known uses: This model is a basic firewall architecture that is seen in commercial firewall products. The basic firewall model is used as an underlying architecture for other types of firewalls that include more advanced features.

The Basic Firewall Pattern
Related patterns:
- The Authorization pattern can be considered a higher-level pattern of the proposed Basic Firewall pattern.
- The Role-Based Access Control pattern, a specialization of the Authorization pattern, is applicable if the networks and their access rules are respectively defined in terms of roles and rights.
- The Firewall pattern is also a special case of the Single-Point-of-Access pattern.

The Proxy-Based Firewall Pattern
Intent: To filter incoming and outgoing network traffic in a computer system based on application data inspection, and to virtually separate the local network from the external network and its clients.
Context: Computer systems on a local network connected to the Internet and to external networks, where a higher level of network traffic security is needed than in the Basic Firewall context.

The Proxy-Based Firewall Pattern
Problem:
- The Basic Filtering Firewall does not provide security at the application level.
- It does not provide security against IP spoofing.

The Proxy-Based Firewall Pattern
Forces:
- The forces of the Basic Firewall pattern
- The user of the internal network may be required to configure the network

The Proxy-Based Firewall Pattern
Solution (class diagram). Classes: LocalNetwork (attribute address), ApplicationLevelFirewall, Proxy, Service (attribute port), RuleBase, and Rule (attribute in/out) with subclasses ExplicitRule and DefaultRule, held by the RuleBase as an {ordered} sequence. A Proxy represents a Service; a LocalNetwork requests a service through the ApplicationLevelFirewall (requestService), and the proxy accesses the service on its behalf (accessService). The diagram separates an Application Level from a Network Level.

The Proxy-Based Firewall Pattern
Dynamics: "Providing Service to Client's Request" use case (sequence diagram). Participants: : LocalNetwork1, : LocalNetwork2, : ApplicationLevelFirewall, : Proxy, : RuleBase. Messages, in order: requestService, filterRequest, verifyRequest, requestAccepted, requestService, provideService.
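The exchange above, as an added example written for this page (not code from the paper): an ApplicationLevelFirewall that owns one Proxy per Service, where each proxy inspects the application data of a request before anything reaches the service, drops commands outside its allowlist, and forwards the remainder from its own external address so the internal client address is never exposed to the outside. Class and message names follow the pattern's diagrams; the services, the command vocabulary, the line-based inspection and the addresses are constructed for the example.

```python
# Added example, not the paper's code: the Proxy-Based Firewall pattern as an
# ApplicationLevelFirewall that owns one Proxy per Service.  Each proxy
# inspects the application data of a request before anything reaches the
# service, drops suspicious commands, and forwards the remainder from its own
# external address so internal addresses stay hidden.  The services, command
# vocabulary and addresses below are constructed for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    port: int


@dataclass
class Proxy:
    """Represents one Service; filterRequest / provideService from the dynamics."""
    service: Service
    allowed_commands: frozenset      # application-level rules for this proxy
    external_address: str            # the only source address external hosts see
    log: list = field(default_factory=list)

    def filter_request(self, client_address, payload):
        """Inspect the data segment command by command.  Lines whose command is
        not in the allowlist are dropped (the pattern's 'modify certain portions
        of the information' when suspicious commands appear)."""
        kept, dropped = [], []
        for line in payload.splitlines():
            command = line.split(" ", 1)[0].upper()
            (kept if command in self.allowed_commands else dropped).append(line)
        # every request is logged: who asked, for what, and what was removed
        self.log.append((client_address, self.service.name, tuple(dropped)))
        return kept, dropped

    def provide_service(self, client_address, payload):
        kept, _dropped = self.filter_request(client_address, payload)
        if not kept:
            return None                   # request rejected outright
        # accessService: forwarded on the proxy's address, not the client's
        return {"src": self.external_address,
                "dst_port": self.service.port,
                "data": "\n".join(kept)}


class ApplicationLevelFirewall:
    """Choke point at the application level: requests are served only through
    a registered proxy; a service without a proxy is unreachable."""

    def __init__(self, external_address):
        self.external_address = external_address
        self.proxies = {}

    def register(self, service, allowed_commands):
        self.proxies[service.name] = Proxy(service, frozenset(allowed_commands),
                                           self.external_address)

    def request_service(self, client_address, service_name, payload):
        proxy = self.proxies.get(service_name)
        if proxy is None:
            return None
        return proxy.provide_service(client_address, payload)


def build_demo():
    """Constructed configuration: an FTP proxy that allows only a handful of
    commands; no proxy exists for telnet, so telnet requests are refused."""
    fw = ApplicationLevelFirewall(external_address="198.51.100.1")
    fw.register(Service("ftp", 21), {"USER", "PASS", "LIST", "RETR", "QUIT"})
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print(fw.request_service("192.168.1.20", "ftp",
                             "USER alice\nSITE EXEC uptime\nRETR report.txt"))
    print(fw.request_service("192.168.1.20", "telnet", "login alice"))
```

The forwarded request carries the proxy's address 198.51.100.1 rather than the client's 192.168.1.20, and the SITE line never reaches the server; this per-service inspection is also where the liabilities listed later come from, since every protocol needs its own proxy and every request is parsed in full.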

The Proxy-Based Firewall Pattern
Consequences, advantages:
- The firewall inspects, modifies (if needed), and filters all access requests based on predefined application proxies that are transparent to the client.
- It is possible to express the institution's filtering policies through its application proxies and their rules.
- It is possible to modify certain portions of the information in cases where suspicious commands are included in the data segment of packets.
- A firewall facilitates the detection of possible attacks and makes it possible to hold regular users responsible for their actions.

The Proxy-Based Firewall Pattern
Consequences, advantages (continued):
- It protects against possible implementation faults in the protocol stacks of the internal systems [Sch03].
- The IP (Internet Protocol) addresses of the internal network are always hidden from the external networks.
- A firewall lends itself to systematic logging and tracking of all service requests going through it.
- High security performance, since it inspects the complete packet, including the headers and data segments.

The Proxy-Based Firewall Pattern
Consequences, liabilities:
- High implementation cost, due to the rebuilding of different protocols for each application.
- Delay, due to the application proxy overhead and the inspection of the data segment of packets.
- Increased complexity of the firewall.
- Application proxy firewalls may require changes in applications and/or in the user's interaction with the system.
- A firewall generally tends to adversely affect the usability, performance, and cost of the protected system.

The Proxy-Based Firewall Pattern
Consequences, liabilities (continued):
- A firewall's effectiveness is limited to the point of entry into the local network; once a potential attacker has passed through the firewall, the security of the system may be breached.
- A firewall can only enforce security policies on traffic that goes through the firewall.
- The security policies that a firewall enforces are different for different sites, networks, and systems.
- Addition of new rules for a given application proxy may interfere with existing rules in the rule set; hence, a careful approach should be taken in adding and updating access rules.
- Not state aware.

The Proxy-Based Firewall Pattern
Known uses: ARGuE Guard. Some specific firewall products that use application proxies are Pipex Security Firewalls and InterGate Firewall.

The Proxy-Based Firewall Pattern
Related patterns:
- The basic Address Filtering Firewall pattern defines the packet-filtering firewall model.
- The Authorization pattern defines the security model for the Basic Firewall pattern.
- The Role-Based Access Control pattern, a specialization of the Authorization pattern, is applicable if the networks and their access rules are respectively defined in terms of roles and rights.
- The Firewall pattern is also a special case of the Single-Point-of-Access pattern.
- The Proxy pattern.