Slide 1: An Introduction to Internet Firewalls. Dr. Rocky K. C. Chang, 12 April 2007.


Slide 2: 1. Components of a firewall: Packet filtering
- A firewall today uses a combination of packet filtering and proxy services.
- Screening router: it performs packet filtering based on the source and destination addresses, types of packets, TCP/UDP ports, etc. For example, it blocks all incoming connections except incoming SMTP connections, or it blocks all connections to and from certain systems you distrust.
- The default-deny stance is usually employed for packet filtering: that which is not expressly permitted is prohibited.

Slide 3: 1.1 Components of a firewall: Proxies
- With an intermediate proxy, a TCP connection is broken into two, and the proxy is responsible for splicing them.
- A UDP association, similarly, consists of two separate UDP associations.
[Figure: two TCP connections, client to proxy and proxy to server, spliced by the proxy]

Slide 4: 1.1 Components of a firewall: Proxies
- Transport-level proxies: proxies that do not understand particular application protocols, e.g., SOCKS. For example, a SOCKS proxy only allows users inside the firewall to open TCP connections, and refuses to accept connection requests from outside.
- Application-level proxies: proxies that understand particular application protocols, e.g., telnet, ftp and http proxies. For example, an FTP proxy may refuse to let users export files, or may allow users to import files only from certain sites.
- The proxies are usually run on a bastion host, which is a highly secured system.

Slide 5: 1.2 Stateful inspection by Checkpoint
- Unlike application proxies, stateful inspection does not break a TCP connection or a UDP association.
- Unlike transport-level proxies, stateful inspection understands application protocols.
- Stateful inspection, however, is not a proxy technology: it intercepts packets at the network layer and then the INSPECT engine takes over. The engine extracts the "state-related information" required for the security decision from all application layers, and maintains this information in dynamic state tables for evaluating subsequent connection attempts. For example, it can recognize and permit an FTP back connection (the data connection the server opens back to the client).

Slide 6: 2. Screened host firewall architecture
- This architecture consists of a separate bastion host and a screening router.
- For incoming connectivity, the packet filter is set up so that the bastion host is the only system on the internal network that outside hosts can communicate with.
- For outgoing connectivity, the packet filter permits the bastion host to open allowable connections to the outside world. For other internal hosts, the packet filter may allow them to open connections to the outside for certain services, or it may disallow all connections from internal hosts (forcing them to use proxy services via the bastion host).
- The zone of risk is restricted to the screening router and the bastion host.

Slide 7: 2. Screened host firewall architecture [figure only]

Slide 8: 3. Screened subnet firewall architecture
- This architecture adds an extra layer of security to the screened host architecture by adding a perimeter network. A perimeter network lies between an external network and a protected network and is sometimes called a Demilitarized Zone (DMZ). By isolating the bastion host on a perimeter network, the impact of a break-in on the bastion host is significantly reduced.
- A simple design is to have a single perimeter network with two screening routers (exterior and interior). It is also possible to create a layered series of perimeter nets. Less trusted and more vulnerable services are placed on the outer perimeter nets.

Slide 9: 3. Screened subnet firewall architecture
- The interior router does most of the packet filtering. It allows selected services outbound from the internal net to the Internet. The services between the bastion host and internal hosts may also be limited to those actually needed, e.g., SMTP and DNS, and limited to certain hosts, e.g., SMTP mail servers.
- The exterior router may block any incoming packets that have forged source addresses.
- Other variations: use different bastion hosts for different services; merge the interior router and the exterior router.

Slide 10: 3. Screened subnet firewall architecture [figure only]

Slide 11: 4. Packet filtering
- A screening router parses the headers of incoming packets and then applies rules from a simple rule base to determine whether to route or drop the packet. The filtering rules are generally expressed as a table of conditions and actions that are applied in a certain order until a decision is reached.
- For example, consider a network that employs a policy to allow all incoming packets destined to its mail server, except for those from a malicious IP address.

Slide 12: A packet filtering example
- Rule A: permit all incoming SMTP packets destined to the mail server.
- Rule B: deny incoming packets from the malicious IP address.
- Rule C: permit any outgoing packets.
- Rule D: permit any incoming or outgoing packets.
[Figure: firewall between the Internet and the internal network, with interfaces 0 and 1]

Slide 13: A consistency problem
- Rules A and B are in conflict: a malicious packet matches both rules A and B, but they give different decisions.
- In other words, the decision for a malicious packet is rule-order dependent. A rule cannot be understood by its literal meaning: rule B should be read as "discard all non-SMTP packets originating from the malicious IP address".
- Fix: swap rules A and B.

Slide 14: A completeness problem
- The set of rules should ensure that all possible packets are considered, i.e., each packet is matched by at least one rule.
- Rule D says that non-SMTP packets from all sources, except the known malicious IP, are allowed to reach the mail server.
- Fix: two new rules added after rule A.

Slide 15: A compactness problem
- A rule in a firewall is redundant iff removing the rule does not change the firewall's function, that is, it does not change the decision of the firewall for any packet.
- A firewall is compact iff it has no redundant rules.
- Rule C is redundant: rules C and D give the same decision if a packet does not match rules A and B.
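To make the consistency, completeness and compactness checks of slides 11 to 15 concrete, here is an added example; it is not code from the slides or from Gouda and Liu's paper. It evaluates an ordered rule base with first-match semantics and then tests the three properties by enumerating every packet. The field values ("malicious", "mailserver", "smtp", and so on) are constructed symbols standing in for the addresses and protocol the slides leave unnamed, and the extra rule E that closes the completeness gap is an assumption of this example, not the pair of rules the slides refer to.

```python
"""Ordered packet-filter rule base with first-match evaluation and checks for
consistency (do overlapping rules disagree?), completeness (is every packet
matched?) and compactness (is any rule redundant?)."""
from dataclasses import dataclass
from itertools import product

# Constructed, deliberately tiny field domains so that every possible packet
# can be enumerated; a real filter reasons over address and port ranges.
DIRECTIONS = ("in", "out")
SOURCES = ("malicious", "other")        # the malicious IP versus everyone else
DESTS = ("mailserver", "otherhost")
PROTOS = ("smtp", "non-smtp")


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "permit" or "deny"
    direction: str = "*"      # "*" matches any value of that field
    src: str = "*"
    dst: str = "*"
    proto: str = "*"

    def matches(self, p):
        return all(want in ("*", have) for want, have in (
            (self.direction, p.direction), (self.src, p.src),
            (self.dst, p.dst), (self.proto, p.proto)))


def all_packets():
    return [Packet(*fields) for fields in product(DIRECTIONS, SOURCES, DESTS, PROTOS)]


def decide(rules, p):
    """First matching rule wins; None means no rule matched (incompleteness)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


def conflicts(rules):
    """Pairs (earlier, later) that both match some packet but disagree on the
    action: for those packets the decision depends only on rule order."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action != b.action and any(a.matches(p) and b.matches(p) for p in all_packets()):
                found.append((a.name, b.name))
    return found


def uncovered(rules):
    """Packets that no rule matches; an empty list means the rule base is complete."""
    return [p for p in all_packets() if decide(rules, p) is None]


def redundant(rules):
    """Rules whose removal changes no decision; an empty list means the base is compact."""
    names = []
    for r in rules:
        without = [x for x in rules if x is not r]
        if all(decide(rules, p) == decide(without, p) for p in all_packets()):
            names.append(r.name)
    return names


def swapped(rules, x, y):
    """Copy of the rule base with the rules named x and y exchanged."""
    order = [r.name for r in rules]
    i, j = order.index(x), order.index(y)
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out


# The four rules from the slides, in the order given there.
RULES = [
    Rule("A", "permit", direction="in", dst="mailserver", proto="smtp"),
    Rule("B", "deny", direction="in", src="malicious"),
    Rule("C", "permit", direction="out"),
    Rule("D", "permit"),
]

# Assumed repair (not from the slides): put B before A, then discard non-SMTP
# traffic to the mail server explicitly instead of letting rule D permit it.
FIXED = swapped(RULES, "A", "B")
FIXED.insert(2, Rule("E", "deny", direction="in", dst="mailserver", proto="non-smtp"))

MALICIOUS_SMTP = Packet("in", "malicious", "mailserver", "smtp")
STRAY_TO_MAIL = Packet("in", "other", "mailserver", "non-smtp")

if __name__ == "__main__":
    print("malicious SMTP, A before B:", decide(RULES, MALICIOUS_SMTP),
          "| B before A:", decide(FIXED, MALICIOUS_SMTP))
    print("conflicts:", conflicts(RULES), "| uncovered:", len(uncovered(RULES)),
          "| redundant:", redundant(RULES))
    print("non-SMTP to mail server, original:", decide(RULES, STRAY_TO_MAIL),
          "| fixed:", decide(FIXED, STRAY_TO_MAIL))
```

Running it shows the three problems side by side: the malicious SMTP packet is permitted under the original order and denied once A and B are swapped; rule D keeps the base complete but lets non-SMTP traffic reach the mail server until rule E is added; and rule C is reported redundant because D already permits everything C does.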

Slide 16: 4.3 Dynamic packet filtering
- Compared with TCP, it is much more difficult to filter UDP packets: there is no state information to rely on for keeping track of the connection's status.
- However, some firewalls modify filtering rules on the fly. The firewall remembers outgoing UDP packets that it has seen, and then allows only the corresponding response packets back in through the filtering mechanism. Those rules modified on the fly are time-limited; they time out after a few seconds or minutes.
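The on-the-fly UDP rules of slide 16, as an added example that is not from the slides: an outgoing UDP packet creates a table entry keyed on its four-tuple, an incoming packet is admitted only if it is the exact reverse of an unexpired entry, and entries expire after a time-to-live. The 30-second default, the choice not to refresh an entry when a reply arrives, and the addresses in the scenario are all constructed for this example.

```python
"""Dynamic (stateful) filtering of UDP replies with time-limited rules."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str            # "out" (inside -> Internet) or "in"


class DynamicUdpFilter:
    def __init__(self, ttl_seconds=30.0, clock=time.monotonic):
        self.ttl = ttl_seconds            # assumed lifetime of an on-the-fly rule
        self.clock = clock                # injectable so the time-out can be shown without sleeping
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.table = {}

    def _expire(self, now):
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def handle(self, pkt):
        now = self.clock()
        self._expire(now)
        if pkt.direction == "out":
            # Remember the outgoing packet; the rule it creates lives only ttl seconds.
            self.table[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now + self.ttl
            return "permit"
        # Incoming: admit only the exact reverse of a remembered outgoing packet.
        # Replies do not extend the entry here; only new outgoing traffic does.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table:
            return "permit"
        return "deny"


class FakeClock:
    """Deterministic clock for the scenario below."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenario(ttl=30.0):
    """A DNS query leaves, its reply returns, then unrelated and late packets arrive."""
    clock = FakeClock()
    fw = DynamicUdpFilter(ttl_seconds=ttl, clock=clock)
    query = UdpPacket("10.0.0.5", 40000, "192.0.2.53", 53, "out")    # constructed addresses
    reply = UdpPacket("192.0.2.53", 53, "10.0.0.5", 40000, "in")
    stray = UdpPacket("198.51.100.7", 53, "10.0.0.5", 40000, "in")   # unsolicited
    wrong_port = UdpPacket("192.0.2.53", 53, "10.0.0.5", 40001, "in")
    decisions = [fw.handle(query), fw.handle(reply), fw.handle(stray), fw.handle(wrong_port)]
    clock.advance(ttl + 1)
    decisions.append(fw.handle(reply))   # the entry has timed out by now
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

The scenario yields permit, permit, deny, deny, deny: the reply is let in only while the entry created by the outgoing query is alive, and a packet from another server or to another port never matches.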

Slide 17: 4.3 Dynamic packet filtering [figure only]

Slide 18: 5. SOCKS: A generic proxy
- SOCKS is a session/transport layer proxy, providing a generic mechanism for IP traffic to traverse a firewall. SOCKS provides relay services for UDP and TCP traffic with network and port translation. SOCKS usually allows only TCP connections and UDP packet transmissions initiated from inside. SOCKS provides a single platform integrating other security mechanisms, e.g., user-level authentication (from user passwords to IPSec), encryption methods, key management systems, etc.
- A TCP/UDP data connection is initiated by the SOCKS server to the remote server on behalf of the actual client.

Slide 19: 5.1 Socksified clients
- A client needs to be "socksified" in order to use the proxy service. Socksification of a client creates a thin SOCKS layer between the application and transport layers. A proxy client resides in that layer to communicate with the proxy server.
- There are two ways to socksify a client: the first requires compiling and relinking the applications; the second is to perform dynamic library linking.
- A socksified client intercepts a socket call and, if the local policy allows it, redirects the call to the proxy server.

Slide 20: 5.2 SOCKS' transport model
- The SOCKS protocol exchange between a server and a client consists of two phases: proxy establishment and data relay. In the first phase, user authentication and other option negotiation are performed in the control channel. In the second phase, the data packets are relayed between the SOCKS client and SOCKS server.
- SOCKS supports both TCP and UDP data transmissions. SOCKS uses an in-band transport model for TCP data and an out-of-band transport model for UDP data.
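The proxy-establishment phase of slides 18 to 20, as an added example that is not from the slides: both sides of the control-channel exchange are encoded and decoded, and the server applies the policy from slide 18 (only clients inside the firewall may open connections or UDP associations). The message layouts follow SOCKS version 5 as specified in RFC 1928, which the slides do not name, so treat that as this example's assumption; the server offers only the "no authentication" method (the username/password sub-negotiation is left out), and the inside prefix and bind address are constructed.

```python
"""SOCKS5 proxy-establishment phase (RFC 1928 message formats) from both sides."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed: the protected network


# ---- client side -----------------------------------------------------------
def build_greeting(methods=(NO_AUTH, USERPASS)):
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_request(cmd, host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (port is big-endian)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                         # not an IP literal: send a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)


# ---- server side -----------------------------------------------------------
def select_method(greeting, offered=(NO_AUTH,)):
    """Answer VER | METHOD, picking the first method the server offers that the client listed."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = next((m for m in offered if m in greeting[2:]), NO_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])


def parse_request(data):
    """Return (cmd, host, port) from a request, rejecting anything malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]


def build_reply(rep, bind_ip="0.0.0.0", bind_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_ip).packed + struct.pack("!H", bind_port))


def handle_request(client_ip, data):
    """Policy from the slides: only inside clients may open connections or UDP associations."""
    if ipaddress.ip_address(client_ip) not in INSIDE:
        return build_reply(REP_NOT_ALLOWED)      # "connection not allowed by ruleset"
    cmd, host, port = parse_request(data)
    if cmd not in (CMD_CONNECT, CMD_UDP_ASSOCIATE):
        return build_reply(REP_CMD_NOT_SUPPORTED)
    # A real server would now open the TCP connection (or UDP relay) to host:port
    # on the client's behalf; the bound address below is constructed.
    return build_reply(REP_SUCCEEDED, "10.0.0.1", 1080)


def proxy_establishment(client_ip, host, port, cmd=CMD_CONNECT):
    """Run the whole first phase and return (method chosen, reply code)."""
    greeting = build_greeting()                  # client -> server
    method = select_method(greeting)             # server -> client
    if method[1] == NO_ACCEPTABLE:
        return method[1], None
    request = build_request(cmd, host, port)     # client -> server
    reply = handle_request(client_ip, request)   # server -> client
    return method[1], reply[1]


if __name__ == "__main__":
    print(proxy_establishment("10.1.2.3", "example.com", 80))
    print(proxy_establishment("203.0.113.5", "example.com", 80))
```

The same request is accepted from an inside client and answered with the "not allowed by ruleset" code from an outside one; the data-relay phase that follows a successful reply is not part of this example.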

Slide 21: 5.2 SOCKS' transport model [figure only]

Slide 22: Acknowledgements
- The slides on firewalls are based on E. Zwicky, S. Cooper, and D. Chapman, Building Internet Firewalls, Second Edition, O'Reilly & Associates, Inc.
- The SMTP filtering example is based on M. Gouda and A. Liu, "Firewall design: Consistency, Completeness, and Compactness," Proc. IEEE ICDCS, 2004.