Firewall in the Internet Security By Dou Wang, Ying Chen, Jiaying Shi School of Computer Science University of Windsor November 2007.


Outline
Introduction to firewalls
Packet filtering
Firewall policy management
Firewall implementation
Comments
Conclusions

Introduction
What is a firewall? A firewall is a collection of components interposed between two networks that filters the traffic between them according to some security policy. [5] Firewalls are strategically placed between the internal network and the outside network (e.g., the link to the Internet service provider). A firewall always sits on the edge, separating trusted networks from untrusted networks.

Introduction
What is firewall management? Basically, a firewall policy is configured in one of two ways: default-deny or default-allow. The former is by far the more secure approach, but many networks deploy the latter because of the difficulty of configuring a default-deny policy and limited knowledge of the traffic that must be permitted.

Introduction
Firewalls can be divided into the following categories by working principle:
Packet filtering firewall: it has a list of security rules that block traffic based on IP protocol, IP address and port number.
Stateful firewall: it is more intelligent, keeping track of active connections; it employs state machines to maintain the state associated with established protocol connections.
Deep packet inspection firewall: it actually examines the data carried in the packet.
Application-aware firewall: similar to a deep packet inspection firewall, but it understands certain protocols and can parse them, so that signatures or rules can be expressed in terms of the protocol itself.
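The difference between the first two categories above, and the default-deny versus default-allow choice from the previous slide, is easiest to see in code. The following is an added example, not code from the slides or from any of the cited papers: a minimal stateless 5-tuple filter beside a stateful one that tracks TCP flows with a small state machine. The rule format, the packet format and the sample packets are all constructed for this illustration (addresses come from the documentation ranges).

```python
"""Added example: stateless 5-tuple packet filter vs. stateful connection tracking.

Not code from the slides; rule format, packet format and sample traffic are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str                         # source IP address
    sport: int                       # source port
    dst: str                         # destination IP address
    dport: int                       # destination port
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} (constructed)


@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 = any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def stateless_filter(rules, p: Packet, default: str = "drop") -> str:
    """Packet filtering firewall: first matching rule decides, else the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Stateful firewall: a reply is accepted only if the flow it belongs to was
    opened through the rule set. Per-flow state: SYN_SENT -> ESTABLISHED.
    Simplification: the flow is forgotten on the first FIN or RST seen."""

    def __init__(self, rules, default: str = "drop"):
        self.rules, self.default = rules, default
        self.table = {}   # flow 5-tuple (original direction) -> state

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        key, rev = self._key(p), self._reverse(p)
        if key in self.table:                      # more packets of a tracked flow
            if p.flags & {"FIN", "RST"}:
                del self.table[key]
            return "accept"
        if rev in self.table:                      # reply direction of a tracked flow
            if self.table[rev] == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
                self.table[rev] = "ESTABLISHED"
            if p.flags & {"FIN", "RST"}:
                del self.table[rev]
            return "accept"
        # New flow: the rule set decides on the first packet only.
        verdict = stateless_filter(self.rules, p, self.default)
        if verdict == "accept":
            if p.proto == "tcp" and "SYN" not in p.flags:
                return "drop"                      # a new TCP flow must start with SYN
            self.table[key] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
        return verdict


# Constructed policy: the internal 10.0.0.0/8 may open outbound HTTPS; nothing else.
POLICY = [Rule("accept", proto="tcp", src="10.0.0.0/8", dport=443)]


def demo():
    """Run the same three constructed packets through both filters."""
    syn = Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}))
    synack = Packet("tcp", "203.0.113.10", 443, "10.1.1.5", 40000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("tcp", "203.0.113.10", 443, "10.1.1.9", 40001, frozenset({"SYN"}))
    fw = StatefulFirewall(POLICY)
    return {
        "stateless": [stateless_filter(POLICY, p) for p in (syn, synack, unsolicited)],
        "stateful": [fw.filter(p) for p in (syn, synack, unsolicited)],
        # default-allow: a packet no rule mentions is let through
        "stateless_default_allow": stateless_filter(POLICY, unsolicited, default="accept"),
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter drops the legitimate SYN-ACK because no rule mentions inbound port 443 traffic; to make it work an administrator would have to add a permanent inbound rule, which is exactly the hole the stateful filter avoids by remembering that the internal host opened the flow. The last entry shows why default-allow is the weaker policy: the unsolicited inbound SYN is accepted simply because nobody wrote a rule about it.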

Introduction
Firewalls can also be divided into the following categories by usage:
Personal firewall: this generally refers to software that runs on your workstation and acts as a packet filtering firewall.
Distributed firewall: its security policy is defined centrally but enforced at each individual network endpoint. Policy distribution can take various forms.
Layer 2 firewall (transparent bridge mode): it can be inserted without disrupting the operation of the network. This makes it easy to deploy and useful for mitigating an ongoing attack.

Introduction
Additional services from firewalls:
Network Address Translation
Split-horizon DNS
Mitigating host fingerprinting
Virtual Private Network
Damage mitigation
Intrusion Prevention Systems (IPS)
Host-subnet quarantining

Packet filtering
The paper "Adaptive Statistical Optimization Techniques for Firewall Packet Filtering" [3] discusses packet filtering optimization in two aspects. In the first aspect, they propose an approximation algorithm that analyzes the firewall policy rules off-line, generates different near-optimal solutions, and constructs a set of rules that rejects the maximum number of unwanted packets as early as possible. In the second aspect, they propose a statistical search tree based on the matching frequency of the different field values in the policy, as calculated from the traffic. They present two tree structures: a near-optimal cascade tree structure for single-threaded processing, and a parallel tree structure for network processor platforms.

Packet filtering
The first part discusses early traffic rejection. Three algorithms comprise the main operations of the early rejection module. [3] Algorithm 1 builds the candidate rejection rule list out of different solutions to the set cover problem. Algorithm 2 periodically adds or moves rules according to the performance gain or loss of each rule. Algorithm 3 shows the per-packet operation of filtering: the location of early rejection relative to normal packet filtering, as well as the update of the statistics required for early rejection.
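To make the idea of an early rejection module concrete, the following is an added example and not the paper's own algorithms: it does not implement the set-cover approximation of Algorithm 1, but a simpler frequency ranking. It keeps two things the paper's design depends on: a hoisted deny rule must be safe (no accept rule that precedes it in the policy may overlap it, otherwise moving it forward would change verdicts), and the candidate list is chosen from traffic statistics. The rule format, the sample policy and the sample traffic are constructed for this illustration.

```python
"""Added example (not from the paper or the slides): early rejection of unwanted
packets with safe rule hoisting, selected by observed match frequency."""
import ipaddress
from collections import Counter

# Constructed rule format: (action, proto, src_net, dst_net, dport); "*" means any.
POLICY = [
    ("accept", "tcp", "10.0.0.0/8",   "*",              22),
    ("deny",   "tcp", "*",            "*",              22),
    ("deny",   "udp", "*",            "*",              "*"),
    ("deny",   "tcp", "192.0.2.0/24", "*",              "*"),
    ("accept", "tcp", "*",            "203.0.113.0/24", 80),
    ("deny",   "*",   "*",            "*",              "*"),   # explicit default deny
]

# Constructed traffic sample: packets are dicts with the 5-tuple fields we filter on.
TRAFFIC = (
    [{"proto": "udp", "src": f"198.51.100.{i}", "dst": "203.0.113.5", "dport": 53} for i in range(1, 6)]
    + [{"proto": "tcp", "src": "192.0.2.7", "dst": "203.0.113.5", "dport": 80}] * 3
    + [{"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 22}] * 2
    + [{"proto": "tcp", "src": "198.51.100.9", "dst": "203.0.113.5", "dport": 80}]
)


def field_match(rule_value, pkt_value, is_net=False):
    if rule_value == "*":
        return True
    if is_net:
        return ipaddress.ip_address(pkt_value) in ipaddress.ip_network(rule_value)
    return rule_value == pkt_value


def rule_matches(rule, pkt):
    _, proto, src, dst, dport = rule
    return (field_match(proto, pkt["proto"]) and field_match(src, pkt["src"], True)
            and field_match(dst, pkt["dst"], True) and field_match(dport, pkt["dport"]))


def rules_overlap(a, b):
    """Could some packet match both rules? Field-wise intersection test."""
    for i in (1, 4):                      # proto and dport: exact value or wildcard
        if a[i] != "*" and b[i] != "*" and a[i] != b[i]:
            return False
    for i in (2, 3):                      # src and dst: CIDR networks
        if a[i] != "*" and b[i] != "*" and not ipaddress.ip_network(a[i]).overlaps(ipaddress.ip_network(b[i])):
            return False
    return True


def hoistable_deny_rules(policy):
    """Indices of deny rules that no preceding accept rule overlaps. Evaluating
    such a rule before the whole policy cannot change any packet's verdict."""
    return [i for i, r in enumerate(policy)
            if r[0] == "deny"
            and not any(p[0] == "accept" and rules_overlap(p, r) for p in policy[:i])]


def first_match(policy, pkt):
    """Normal filtering: (rule index, action, number of rule comparisons made)."""
    for i, r in enumerate(policy):
        if rule_matches(r, pkt):
            return i, r[0], i + 1
    return None, "deny", len(policy)      # implicit default deny (constructed choice)


def build_early_reject_list(policy, traffic, k=2):
    """Rank the safe candidates by how often traffic hit them; keep the top k."""
    hits = Counter(first_match(policy, p)[0] for p in traffic)
    ranked = sorted(hoistable_deny_rules(policy), key=lambda i: -hits[i])
    return [policy[i] for i in ranked[:k] if hits[i] > 0]


def filter_with_early_rejection(policy, early, pkt):
    """Per-packet operation: early-rejection list first, then the full policy.
    Returns (action, number of rule comparisons made)."""
    for n, r in enumerate(early, 1):
        if rule_matches(r, pkt):
            return "deny", n
    _, action, comps = first_match(policy, pkt)
    return action, len(early) + comps


def compare(policy, traffic, k=2):
    """(comparisons without early rejection, comparisons with it, verdicts unchanged?)"""
    early = build_early_reject_list(policy, traffic, k)
    base = [first_match(policy, p) for p in traffic]
    fast = [filter_with_early_rejection(policy, early, p) for p in traffic]
    same = all(b[1] == f[0] for b, f in zip(base, fast))
    return sum(b[2] for b in base), sum(f[1] for f in fast), same


if __name__ == "__main__":
    print(hoistable_deny_rules(POLICY), compare(POLICY, TRAFFIC))
```

On this sample the two hoisted deny rules cut the rule comparisons from 34 to 24 without changing a single verdict; the deny rule for port 22 is correctly left alone because the accept rule for 10.0.0.0/8 precedes and overlaps it. A real module, as the slide describes for Algorithm 2, would recompute the ranking periodically as traffic changes, since a list chosen from stale statistics costs an extra comparison per packet and rejects nothing.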

Packet filtering
The second part discusses statistical optimization. The statistical optimization part involves the following steps:
A. Locality of matching properties in firewall filtering
B. Statistical matching tree
C. Matching tree construction using alphabetic trees
D. Policy matching algorithms using alphabetic trees
E. Tree reconstruction and updates

Firewall policy deployment
The paper "On the Safety and Efficiency of Firewall Policy Deployment" [2] provides the first formal definition and theoretical analysis of safety in firewall policy deployment. While ample research has focused on tools for policy specification, correctness analysis and optimization, little has addressed firewall policy deployment itself.

Firewall policy deployment
A firewall controls traffic by examining the contents of network packets, which is why a firewall is also called a packet filtering device. Five packet fields are most commonly used for traffic filtering: protocol type, source IP address, source port, destination IP address, and destination port. In every packet, each of the five fields assumes a specific value, such as. Fields other than those in the 5-tuple, e.g., the IP TOS (Type of Service) and TTL (Time to Live) values.
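The slides state that the paper defines safety of a deployment but do not reproduce the definition. The following added example (not the paper's code, and not the slides') works with an assumed criterion: while a firewall is being reconfigured rule by rule, no intermediate rule list may give a packet a verdict that differs from what both the old and the new policy give it. It replays three edit plans from an old policy to a new one and checks every intermediate state against every packet of a small constructed packet universe, so the check is exact for that universe. Rules here use wildcards only (no CIDR), and the policies, packet domain and command format are all constructed.

```python
"""Added example (not from the paper or the slides): checking whether a
sequence of firewall edit commands is safe under an assumed criterion."""
from itertools import product

# Constructed rule format: (action, proto, src, dst, dport); "*" is a wildcard.
OLD = [
    ("deny",   "udp", "*", "S", "*"),     # shadows the broad accept below for UDP
    ("accept", "*",   "*", "S", 53),
    ("accept", "tcp", "*", "S", 80),
]
NEW = [
    ("accept", "tcp", "B", "S", 53),
    ("accept", "tcp", "*", "S", 80),
]
# Constructed packet domain: (proto, src, dst, dport); small enough to enumerate.
UNIVERSE = list(product(("tcp", "udp"), ("A", "B"), ("S",), (53, 80)))


def matches(rule, pkt):
    return all(rv == "*" or rv == pv for rv, pv in zip(rule[1:], pkt))


def verdict(policy, pkt):
    """First-match semantics with an implicit default deny."""
    for rule in policy:
        if matches(rule, pkt):
            return rule[0]
    return "deny"


def is_safe_state(policy, old, new):
    """Assumed safety criterion: wherever old and new agree on a packet, an
    intermediate policy must give that same verdict."""
    for pkt in UNIVERSE:
        a, b = verdict(old, pkt), verdict(new, pkt)
        if a == b and verdict(policy, pkt) != a:
            return False
    return True


def apply_commands(start, commands):
    """Replay edit commands the way a firewall CLI would; yield each state."""
    policy = list(start)
    for cmd, *args in commands:
        if cmd == "insert":
            pos, rule = args
            policy.insert(pos, rule)
        elif cmd == "delete":
            (pos,) = args
            del policy[pos]
        yield list(policy)


def naive_plan(old, new):
    """Flush everything, then add the new rules."""
    return [("delete", 0)] * len(old) + [("insert", i, r) for i, r in enumerate(new)]


def prepend_then_delete_front(old, new):
    """Insert the new rules at the top, then remove old rules top-down."""
    return [("insert", i, r) for i, r in enumerate(new)] + [("delete", len(new))] * len(old)


def prepend_then_delete_back(old, new):
    """Insert the new rules at the top, then remove old rules bottom-up."""
    return ([("insert", i, r) for i, r in enumerate(new)]
            + [("delete", len(new) + k) for k in range(len(old) - 1, -1, -1)])


def evaluate_plan(plan, old, new):
    """(reaches the target policy?, every intermediate state safe?, commands used)"""
    states = list(apply_commands(old, plan(old, new)))
    return states[-1] == list(new), all(is_safe_state(s, old, new) for s in states), len(states)


if __name__ == "__main__":
    for plan in (naive_plan, prepend_then_delete_front, prepend_then_delete_back):
        print(plan.__name__, evaluate_plan(plan, OLD, NEW))
```

All three plans reach the target with the same number of commands, so they are equally efficient, but only the last is safe: the naive plan passes through an empty rule list that drops web traffic both policies accept, and deleting old rules top-down removes the UDP deny before the broad accept beneath it, briefly admitting UDP that both policies reject. Deleting bottom-up never exposes a shadowed rule, because a prefix of a first-match policy can only reproduce the full policy's verdict or fall to the default.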

Firewall policy deployment
Table 1: Results of experiments on firewall policy deployment [2]

Firewall implementation
The paper "Nedgty: Web Services Firewall" [1] introduces an open source web services firewall that applies business-specific rules in a centralized manner. It also secures web services against denial of service, buffer overflow and XML denial of service attacks.
Architecture diagram (components and data flows recovered from the slide): IPTables, SOAP Filter, Packet Queue, Parser, Interface, Validation Unit, Packet Forger, Server, Repository. Flows: packet from client; non-SOAP packets; write rules; log; existing rules; port 80 traffic; valid SOAP rules; parsed XML; request verdict; SOAP packets; packet payload; parsed XML; SOAP packet; set verdict.
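The diagram's Parser and Validation Unit decide a verdict for each SOAP request before it reaches the server. The following added example is not Nedgty's code and does not reproduce its rule language; it shows the kind of checks such a validation unit performs on a SOAP 1.1 payload: size and nesting limits against XML denial of service, refusal of DTDs (the usual entity-expansion vector), structural validation of Envelope/Body, and an allowlist of operations. The limits, the allowed operation names and the sample messages are constructed; the SOAP 1.1 envelope namespace is the real one.

```python
"""Added example (not Nedgty's code): a SOAP request validation unit that returns
an accept/deny verdict. Limits, allowlist and sample messages are constructed."""
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"      # SOAP 1.1 namespace
ENVELOPE, BODY = f"{{{SOAP_ENV}}}Envelope", f"{{{SOAP_ENV}}}Body"

# Constructed policy: resource limits and the operations the backend exposes.
LIMITS = {"max_bytes": 4096, "max_depth": 12, "max_elements": 200}
ALLOWED_OPERATIONS = {"GetQuote", "ListOrders"}


def inspect_soap(payload: bytes, limits=LIMITS, allowed=ALLOWED_OPERATIONS):
    """Return ("accept", operation) or ("deny", reason) for one SOAP request."""
    if len(payload) > limits["max_bytes"]:
        return "deny", "payload too large"
    # Simplification: refuse any DTD up front rather than relying on parser
    # options; entity expansion is the classic XML denial-of-service vector.
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        return "deny", "DTD not allowed"
    stack, count, operations = [], 0, []
    try:
        # Streaming parse so depth and element limits stop a hostile document early.
        for event, elem in ET.iterparse(BytesIO(payload), events=("start", "end")):
            if event == "start":
                stack.append(elem.tag)
                count += 1
                if len(stack) > limits["max_depth"]:
                    return "deny", "nesting too deep"
                if count > limits["max_elements"]:
                    return "deny", "too many elements"
                # The operation is the element directly under Envelope/Body.
                if len(stack) == 3 and stack[:2] == [ENVELOPE, BODY]:
                    operations.append(elem.tag)
            else:
                stack.pop()
    except ET.ParseError as exc:
        return "deny", f"malformed XML: {exc}"
    if len(operations) != 1:
        return "deny", "expected exactly one operation inside soap:Body"
    name = operations[0].rsplit("}", 1)[-1]                 # strip the namespace
    if name not in allowed:
        return "deny", f"operation {name} not permitted"
    return "accept", name


# Constructed sample requests.
GOOD = (b'<?xml version="1.0"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><GetQuote xmlns="urn:example:quotes"><symbol>ACME</symbol></GetQuote>'
        b'</soap:Body></soap:Envelope>')
UNKNOWN_OP = GOOD.replace(b"GetQuote", b"PurgeOrders")
DEEP = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        + b"<a>" * 50 + b"</a>" * 50 + b"</soap:Body></soap:Envelope>")
DTD = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]>' + GOOD[21:]
BROKEN = b"<Envelope><Body></Envelope>"


if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("unknown op", UNKNOWN_OP), ("deep", DEEP),
                      ("dtd", DTD), ("broken", BROKEN), ("huge", b"x" * 5000)]:
        print(name, inspect_soap(msg))
```

Because the verdict is computed from a streaming parse, a deeply nested or oversized document is rejected after a bounded amount of work, which is the property a firewall needs when its job is to absorb denial-of-service attempts on behalf of the service behind it. In a production filter the DTD byte-scan should be replaced by a parser configured to reject DTDs outright.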

Comments
We noticed that there are still some limitations or drawbacks in these firewall systems:
First, these firewalls do very little, if anything, against attacks from the inside network (e.g., an attacker already on the inside network, such as a disgruntled employee).
Second, firewalls find it relatively difficult to handle some protocols, as they involve multiple and seemingly independent packet flows. Take FTP for example: the control connection is initiated by the client to the server, while data connections are initiated by the server to the client.
Third, end-to-end encryption can be a threat to firewalls, because it prevents the firewall from looking at the packet fields on which filtering should be done.

Comments
Solutions for end-to-end encryption: when encryption is used for confidentiality (often called a Virtual Private Network), there are two general cases:
Encryption is performed by the firewall, i.e. it is the endpoint of the VPN. The firewall can then understand and filter the actual protocol used within the VPN and provide intelligent logging.
Encryption is performed by a host inside the firewall (end-to-end encryption). The VPN becomes a point of entry for an attacker that the firewall administrator cannot detect. Therefore, the VPN endpoint inside the firewall must be VERY well configured and monitored, and must use firewall mechanisms such as strong authentication.

Conclusions
From the centralized, single-threaded conventional firewall to the distributed, multi-threaded and much more intelligent modern firewall, both safety and efficiency have been enhanced by deploying different kinds of techniques. From the first-generation firewall focused on packet filtering and the second generation on state, the third generation turned to application awareness, including intrusion prevention systems that greatly enhance security functionality.

References
[1] Bebawy, R.; Sabry, H.; El-Kassas, S.; Hanna, Y.; Youssef, Y.; "Nedgty: Web Services Firewall", Proceedings of the IEEE International Conference on Web Services (ICWS), July 2005.
[2] Zhang, Charles C.; Winslett, Marianne; Gunter, Carl A.; "On the Safety and Efficiency of Firewall Policy Deployment", IEEE Symposium on Security and Privacy (SP '07), May 2007.
[3] Hamed, H.; El-Atawy, A.; Al-Shaer, E.; "Adaptive Statistical Optimization Techniques for Firewall Packet Filtering", 25th IEEE International Conference on Computer Communications, April 2006, pp. 1–12.
[4] Introduction of Firewall security.
[5] C. Douligeris and D. N. Serpanos, "Network Security: Current Status and Future Directions", Institute of Electrical and Electronics Engineers, Inc., 2007.
[6] Firewall, http://en.wikipedia.org/wiki/Firewall
