Firewalls Original slides prepared by Theo Benson.

Unix Firewalls

FreeBSD: ipfw
Linux: ipfw → ipchains → iptables (and, more recently, nftables)
MacOS X: ipfw (later replaced by pf)

ipfw example rules (the address of the source network was lost when the slide was transcribed; only the /16 prefix length survives):

# SSH
# Allow ssh from unc.edu hosts
/sbin/ipfw -f add allow tcp from /16 to any 22 setup

The setup keyword matches only TCP packets with SYN set and ACK clear, i.e. connection attempts, so this rule decides who may open an SSH connection. It says nothing about the packets that follow; a stateless ipfw rule set has to admit those with a separate rule.
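Added example, not from the slides: a small Python model of the ipfw-style first-match packet filter above. The trusted network 192.0.2.0/24, the server 198.51.100.10 and the outside host 203.0.113.5 are constructed documentation addresses standing in for the unc.edu /16 whose address the page lost. The block also shows why a purely stateless filter is weak: to let replies back in, such a rule set typically has an "established" rule that matches any packet with the ACK bit set, and an outsider can simply set that bit on a crafted packet.

```python
"""Stateless, first-match packet filter in the style of ipfw (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port
    setup: bool = False          # ipfw "setup": SYN set and ACK clear (a connection attempt)
    established: bool = False    # ipfw "established": ACK set (looks like an ongoing connection)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.established and not p.ack:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw; an unmatched packet gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed rule set modelled on the slide: SSH connection attempts only from the trusted
# network (a /24 standing in for the lost /16), "replies" admitted by the stateless ACK trick.
RULES = [
    Rule("allow", "tcp", "192.0.2.0/24", "any", 22, setup=True),  # allow ssh from trusted hosts
    Rule("allow", "tcp", "any", "any", established=True),         # let "replies" back in
    Rule("deny", "any", "any", "any"),                            # default deny
]

SERVER = "198.51.100.10"   # constructed address of the protected host

if __name__ == "__main__":
    trusted_syn = Packet("tcp", "192.0.2.7", 40000, SERVER, 22, syn=True)
    outsider_syn = Packet("tcp", "203.0.113.5", 40000, SERVER, 22, syn=True)
    # The outsider never sent a SYN, but a bare ACK matches the stateless "established" rule.
    outsider_ack = Packet("tcp", "203.0.113.5", 40000, SERVER, 22, ack=True)
    for name, pkt in [("trusted SYN", trusted_syn), ("outsider SYN", outsider_syn),
                      ("outsider ACK", outsider_ack)]:
        print(f"{name:12s} -> {filter_packet(RULES, pkt)}")
```

The third packet is the point: a stateless filter cannot tell a genuine reply from a forged packet with ACK set, because it remembers nothing about which connections were actually opened. That gap is what the stateful firewalls on the next slide close.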

Stateful Firewalls A bit more complicated. Keep track of transport-layer connections that may comprise many packets: TCP connections, and for UDP (which has no connection setup) the address/port pairs of a flow, expired after an idle timeout. Often allow only connections initiated from behind the firewall: an inbound packet is admitted only if it matches a table entry created by an earlier outbound packet.

How are they deployed? The “circle of trust” (the protected network) versus The Internet, AKA “Everything evil”. The firewall is the gatekeeper: only one way in or out of the circle.

Similar to streaming a Video … [Animation, repeated over several slides: a browser loading YouTube sends HTTP requests across the network (GET image.png, GET video.avi); each request and its response is a connection made of many packets, which is what a stateful firewall has to track.]

Allowing Outbound Connections Only The “circle of trust” versus The Internet, AKA “Everything evil”: an inbound SYN from the outside is dropped. Why would someone from the outside want to start a connection? – They would if you were running a web server, an e-mail server, a gaming server … pretty much any ‘server’ service. – Firewall configuration may allow “punching holes”: explicit rules that admit unsolicited inbound connections to specific addresses/ports, and nothing else.

Traversing Firewalls Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections to each other: each firewall sees its own host's connection attempt go out first, creates state for it, and then treats the peer's packets as replies. An external rendezvous server helps coordinate the attempt. With STUN, each host learns which public address and port its firewall/NAT exposes for a given source port, and the hosts exchange these through the server before sending at the same time. (STUN reports the mapping; it does not pick TCP sequence numbers for the hosts.)
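Added example, not from the slides: a Python model of the stateful firewall described two slides up, with the connection table, the idle-timeout expiry UDP flows need, the "punched hole" for a server port, and the simultaneous-open trick from this slide. The networks 192.0.2.0/24 and 198.51.100.0/24 and the outside host 203.0.113.5 are constructed documentation addresses; the rendezvous server that lets the two hosts agree on ports is assumed and not modelled.

```python
"""Stateful firewall with a connection table, plus the simultaneous-open trick (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# (proto, inside address, inside port, outside address, outside port)
Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Allows traffic initiated from inside and the replies to it; drops unsolicited inbound packets."""

    def __init__(self, inside_net: str, holes: Iterable[Tuple[str, int]] = ()):
        self.inside = ip_network(inside_net)
        self.holes = set(holes)               # (proto, port) reachable from outside, e.g. ("tcp", 80)
        self.table: Dict[Key, float] = {}     # connection key -> time the last packet was seen

    def _key(self, p: Packet, outbound: bool) -> Key:
        # Keyed from the inside host's point of view, so a reply maps to the same entry.
        if outbound:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet, now: float) -> str:
        outbound = ip_address(p.src) in self.inside
        key = self._key(p, outbound)
        if key in self.table:                 # belongs to a known connection or flow
            self.table[key] = now
            return "allow"
        if outbound:
            # A new TCP connection must start with a SYN; a stray outbound ACK creates no state.
            if p.proto == "tcp" and not (p.syn and not p.ack):
                return "drop"
            self.table[key] = now
            return "allow"
        if (p.proto, p.dport) in self.holes:  # a deliberately punched hole for a server
            self.table[key] = now
            return "allow"
        return "drop"                         # unsolicited inbound traffic

    def expire(self, now: float, idle: float) -> int:
        """Remove entries idle longer than `idle` seconds; UDP flows have no FIN, so this is their only end."""
        stale = [k for k, t in self.table.items() if now - t > idle]
        for k in stale:
            del self.table[k]
        return len(stale)


def simultaneous_open(fw_a: StatefulFirewall, fw_b: StatefulFirewall,
                      a: Tuple[str, int], b: Tuple[str, int], now: float = 0.0) -> Tuple[str, str]:
    """Both hosts send a SYN to each other at once, on ports agreed via the assumed rendezvous server.
    Each firewall first sees its own host's outbound SYN and creates state for it, so the peer's SYN
    arriving afterwards looks like part of that connection. Returns each firewall's verdict on the
    peer's SYN: (what fw_b does with A's SYN, what fw_a does with B's SYN)."""
    syn_a = Packet("tcp", a[0], a[1], b[0], b[1], syn=True)
    syn_b = Packet("tcp", b[0], b[1], a[0], a[1], syn=True)
    fw_a.process(syn_a, now)   # A's SYN leaves through A's firewall
    fw_b.process(syn_b, now)   # B's SYN leaves through B's firewall
    return fw_b.process(syn_a, now), fw_a.process(syn_b, now)   # the SYNs reach the far side


if __name__ == "__main__":
    fw_a = StatefulFirewall("192.0.2.0/24")
    fw_b = StatefulFirewall("198.51.100.0/24")
    print("unsolicited SYN at B:", fw_b.process(
        Packet("tcp", "192.0.2.10", 5000, "198.51.100.20", 6000, syn=True), 0.0))
    print("simultaneous open:   ", simultaneous_open(
        fw_a, fw_b, ("192.0.2.10", 5000), ("198.51.100.20", 6000)))
```

The model keys state on addresses and ports only. A real firewall may also track the TCP handshake state and sequence-number window, which is why simultaneous open is fragile in practice, and a NAT in the path adds the port-mapping problem STUN exists to solve.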

Network Address Translation (NAT) For outbound packets, the translator replaces the (typically private) source address with its own public address and rewrites the source port; it remembers the mapping. For inbound packets, the reverse translation is performed. Example from the slide: Src: <private address>:32532 becomes Src: <public address>:45323 (the addresses in the figure did not survive transcription; only the ports did).

NAT versus Firewall A network address translator is not intrinsically a firewall, but – Often the two are combined in one device – Traffic cannot be sent directly from the public Internet to the private addresses used behind a NAT, because those addresses are not routable there – A NAT blocks unsolicited incoming connections by necessity: without a mapping created by earlier outbound traffic (or a configured port forward) it does not know which private address to forward the traffic to
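Added example, not from the slides: a Python model of the port-rewriting NAT from the previous slide, showing the mapping table, the reverse translation for replies, the drop of unsolicited inbound packets that the slide above calls blocking "by necessity", and a static port forward as the NAT version of punching a hole. The public address 203.0.113.1, the private hosts 10.0.0.5/10.0.0.6/10.0.0.9 and the remote server 198.51.100.7 are constructed; the port allocator starts at 45323 only to echo the rewritten port on the slide.

```python
"""Port-rewriting NAT with a mapping table, reverse translation and port forwards (added example)."""
from ipaddress import ip_address, ip_network
from typing import Any, Dict, Optional, Tuple

Packet = Dict[str, Any]   # {"proto": "tcp"/"udp", "src", "sport", "dst", "dport"}


class NAT:
    """One public address shared by a private network; source ports are rewritten per flow."""

    def __init__(self, public_ip: str, private_net: str, first_port: int = 45323):
        self.public_ip = public_ip
        self.private = ip_network(private_net)
        self.next_port = first_port   # 45323 is the rewritten port shown on the slide
        # Outbound view: (proto, private ip, private port) -> public port
        self.out: Dict[Tuple[str, str, int], int] = {}
        # Inbound view: (proto, public port) -> (private ip, private port)
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # Static port forwards ("holes"), same shape as self.back
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, public_port: int, private_ip: str, private_port: int) -> None:
        """Admit unsolicited inbound traffic to one internal server; the NAT cannot guess this on its own."""
        self.forwards[(proto, public_port)] = (private_ip, private_port)

    def _alloc_port(self) -> int:
        """Hand out the next free public port (a real NAT also reuses ports freed by expired mappings)."""
        while any((proto, self.next_port) in self.back or (proto, self.next_port) in self.forwards
                  for proto in ("tcp", "udp")):
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, p: Packet) -> Packet:
        """Replace the private source address/port with the public address and a mapped port."""
        if ip_address(p["src"]) not in self.private:
            raise ValueError(f"{p['src']} is not behind this NAT")
        key = (p["proto"], p["src"], p["sport"])
        if key not in self.out:                    # first packet of the flow: create the mapping
            port = self._alloc_port()
            self.out[key] = port
            self.back[(p["proto"], port)] = (p["src"], p["sport"])
        return {**p, "src": self.public_ip, "sport": self.out[key]}

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse translation. Returns None (drop) when neither a mapping nor a port forward says
        where the packet belongs, which is why a NAT blocks unsolicited connections by necessity."""
        if p["dst"] != self.public_ip:
            return None
        key = (p["proto"], p["dport"])
        target = self.back.get(key) or self.forwards.get(key)
        if target is None:
            return None
        private_ip, private_port = target
        return {**p, "dst": private_ip, "dport": private_port}


if __name__ == "__main__":
    nat = NAT("203.0.113.1", "10.0.0.0/8")
    out = nat.outbound({"proto": "tcp", "src": "10.0.0.5", "sport": 32532,
                        "dst": "198.51.100.7", "dport": 80})
    print("outbound rewritten to:", out["src"], out["sport"])
    reply = nat.inbound({"proto": "tcp", "src": "198.51.100.7", "sport": 80,
                         "dst": "203.0.113.1", "dport": out["sport"]})
    print("reply delivered to:   ", reply["dst"], reply["dport"])
    print("unsolicited SSH:      ", nat.inbound({"proto": "tcp", "src": "198.51.100.9", "sport": 4444,
                                                  "dst": "203.0.113.1", "dport": 22}))
```

Note what the model does not do: it never looks at TCP flags or enforces a handshake. The blocking of the unsolicited SSH packet falls out of the empty mapping table alone, which is the distinction the slide draws between a NAT and a firewall.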

What Happens When you Connect to a Website? [Figure: a browser loading SoundCloud sends HTTP requests across the network: GET image.png, GET sound.mp3.] What happens if the virus/worm is hidden inside one of the downloaded objects, such as a picture? Or if the security exploit is in an HTML page?

Deep Packet Inspection Examine the payload (data) portion of a packet as well as the headers: [IP Header | TCP/UDP Header | Payload]

Application Level Firewall Why are they needed? Attackers are tricky – When exploiting security vulnerabilities – The exploit can be spread across multiple packets, so no single packet contains the whole signature. Need a system that scans across multiple packets for virus/worm/vulnerability exploits.

Application Level Firewalls Similar to packet filters except: – Support regular expressions over the payload – Search across different packets for a match – Reconstruct objects (images, pages, files) from packets and scan the objects. [Figure: HTTP request GET image.png; the returned packets are reassembled into image.png and the reg-ex is applied to the object.]
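Added example, not from the slides: a Python demonstration of why scanning the reconstructed object matters. It reassembles a TCP byte stream from out-of-order and retransmitted segments, then runs the same regular expression once per packet and once over the rebuilt object. The signature `EVIL-PAYLOAD`, the PNG-looking sample object and the segment boundaries are all constructed so that the signature straddles two packets.

```python
"""Per-packet scanning vs. scanning the reassembled object (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed toy signature; a real engine carries thousands of these.
SIGNATURE = re.compile(rb"EVIL[-_]?PAYLOAD")


@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes


def scan_per_packet(segments: List[Segment]) -> bool:
    """What a packet filter with a regex can do: look at each payload on its own."""
    return any(SIGNATURE.search(s.data) for s in segments)


def reassemble(segments: List[Segment], isn: int) -> Optional[bytes]:
    """Rebuild the byte stream that starts at sequence number `isn`.

    Handles out-of-order delivery and retransmitted/overlapping segments (the part already
    seen is trimmed). Returns None while a gap remains, i.e. a segment is still missing,
    because the object cannot be scanned until it is complete."""
    buf = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            return None
        overlap = expected - s.seq
        if overlap < len(s.data):
            buf += s.data[overlap:]
            expected = s.seq + len(s.data)
    return bytes(buf)


def scan_stream(segments: List[Segment], isn: int) -> Optional[bool]:
    """What an application-level firewall does: scan the reconstructed object.
    None means "not decidable yet": the object is incomplete and must be held, buffered, in memory."""
    obj = reassemble(segments, isn)
    if obj is None:
        return None
    return SIGNATURE.search(obj) is not None


# Constructed sample: a PNG-looking object whose signature straddles two segments,
# delivered out of order, with the first segment retransmitted once.
ISN = 1000
SEG_A = Segment(ISN, b"\x89PNG\r\n\x1a\nIHDR....chunk....EVIL-PA")
SEG_B = Segment(ISN + len(SEG_A.data), b"YLOAD....IEND")
SEGMENTS = [SEG_B, SEG_A, SEG_A]

if __name__ == "__main__":
    print("per-packet scan:", scan_per_packet(SEGMENTS))
    print("stream scan:    ", scan_stream(SEGMENTS, ISN))
    print("missing segment:", scan_stream([SEG_B], ISN))
```

The per-packet scan misses the split signature while the stream scan finds it, and the incomplete case shows where the memory cost of the next slide comes from: every in-flight object has to sit in a buffer until its last segment arrives. A real engine must also decide which bytes win when overlapping retransmissions disagree; if it chooses differently from the destination host, it scans a different object than the one the host receives.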

Why doesn’t everyone use App level firewalls? Object re-assembly requires a lot of memory (each object must be buffered until it is complete). Regular expressions require a lot of CPU. App level firewalls are a lot more expensive – And also much slower – So you need more of them, a lot more.

How do you Attack the Firewall? Most common: denial-of-service attacks – Figure out a bug in the firewall code – The bug causes it to handle some packet incorrectly (a crash, or an expensive code path) – Send a lot of such ‘bug’ packets and no one can use the firewall. Because everything passes through the one gatekeeper, taking it down cuts the whole circle of trust off from the Internet.