Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls and DMZ Dr. X. Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or.

Published byDouglas Norris Modified over 8 years ago

Similar presentations

Presentation on theme: "Firewalls and DMZ Dr. X. Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or."— Presentation transcript:

1 Firewalls and DMZ Dr. X

2 Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or deny May perform other duties Logging (forensics, SLA) Flagging (intrusion detection) QoS (differentiated services)

3 IP Firewall Policy Specifies what traffic is (not) allowed Maps attributes to address and ports Example: HTTP should be allowed to any external host, but inbound only to web-server Rules typically refer to IP addresses, not hostnames -- WHY?

4 Default Accept vs Default Deny Default policy specifies what to do if no other policy applies Most OSes default to default accept Most organizations default to default deny Blacklisting Whitelisting

5 Stateless vs. Stateful Stateless: each packet considered in isolation Stateful: allows historical context consideration Q: What are the advantages/disadvantages of stateless and stateful?

6 DMZ

7 Practical issues and limitations Network layer firewalls are dominant DMZs allow multi-tiered firewalling Tools are widely available and mature Personal firewalls gaining popularity Issues Network perimeters not quite as clear as before: e.g., telecommuters, VPNs, wireless Every access point must be protected Hard to debug, maintain consistency and correctness Often seen by non-security personnel as impediment E.g., Just open port X so I can use my wonder widget

8 Firewall implementations Linux iptables PF: OpenBSD Packet Filter Mac OS X Application Firewall Windows firewall thingy

9 IPTables concepts The iptables firewall looks in the firewall table to see if the chain associated with the current hook matches a packet, and executes the target if it does. Table: all the firewall rules Chain: list of rules associated with the chain identifier, e.g., hook name Match: when all of a rule’s field match the packet Target: operation to execute on a packet given a match

10 Iptables rule parameters Non-comprehensive list of things you can match on: Destination/Source Specific IPs, or IP address range and netmask Protocol of packet: ICMP, TCP, etc Fragmented only Incoming/outgoing interface

11 Targets ACCEPT/DROP QUEUE for user-space application LOG any packet that matches REJECT drops and returns error packet RETURN enables packet to return to previous chain

12 Examples iptables -A INPUT -s 200.200.200.2 -j ACCEPT iptables -A INPUT -s 200.200.200.1 -j DROP iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP iptables -A INPUT -p tcp --destination-port telnet -i eth0 –j DROP

13 Sources https://www.csc.ncsu.edu/faculty/enck/csc474-f15/index.html http://www.netfilter.org/documentation/HOWTO/packet-filtering- HOWTO.html

Download ppt "Firewalls and DMZ Dr. X. Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or."

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Security of Information Systems Network Defense

Security of Information Systems Network Defense
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Firewalls and intrusion detection systems Bencsáth Boldizsár.

Firewalls and intrusion detection systems Bencsáth Boldizsár.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
Ipchains A packet-filtering Firewalls supported by Linux distributions.

Ipchains A packet-filtering Firewalls supported by Linux distributions.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Packet Filtering and Firewall

Packet Filtering and Firewall
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering

Similar presentations

Ads by Google