Presentation is loading. Please wait.

Presentation is loading. Please wait.

Executive Director and Endowed Chair

Published byBrittany Oliver Modified over 7 years ago

Similar presentations

Presentation on theme: "Executive Director and Endowed Chair"— Presentation transcript:

1 Executive Director and Endowed Chair
CS 5323 Firewalls Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 16 © Ravi Sandhu World-Leading Research with Real-World Impact!

2 TCP/IP Basics World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact!

3 OSI Reference Model END USER A END USER B Application Layer
higher level protocols Presentation Layer End user functions Presentation Layer higher level protocols Session Layer Session Layer Transport Layer Transport Layer lower level protocols or network services Network Layer Network Layer Network functions lower level protocols or network services Data Link Layer Data Link Layer Physical Layer Physical Layer PHYSICAL MEDIUM © Ravi Sandhu World-Leading Research with Real-World Impact! 3

4 OSI Reference Model END USER A END USER B INTERMEDIATE NETWORK NODE
higher level protocols higher level protocols lower level protocols or network services lower level protocols or network services INTERMEDIATE NETWORK NODE SOURCE NODE DESTINATION NODE © Ravi Sandhu World-Leading Research with Real-World Impact! 4

5 TELNET FTP SMTP HTTP etc TCP UDP
TCP/IP Protocol Stack: Basic Protocols layer 5-7 4 3 2 TELNET FTP SMTP HTTP etc TCP UDP IP IEEE Token-Ring ATM PPP etc © Ravi Sandhu World-Leading Research with Real-World Impact! 5

6 TCP/IP Protocol Stack: Basic Protocols
IP (Internet Protocol) connectionless routing of packets UDP (User Datagram Protocol) unreliable datagram protocol TCP (Transmission Control Protocol) connection-oriented, reliable, transport protocol Application layer protocols TELNET (network virtual terminal) FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) HTTP (Hyper Text Transfer Protocol) …… © Ravi Sandhu World-Leading Research with Real-World Impact! 6

7 Internet Hourglass Model TCP/IP
TCP RFC 793 Sept. 1981 IPv4 RFC 791 Sept. 1981 © Ravi Sandhu World-Leading Research with Real-World Impact!

8 TELNET FTP SMTP HTTP etc TCP UDP
TCP/IP Protocol Stack: Infrastructure Protocols layer 5-7 4 3 2 TELNET FTP SMTP HTTP etc TCP UDP IP IEEE Token-Ring ATM PPP etc DNS DHCP RIP BGP ICMP ARP RARP © Ravi Sandhu World-Leading Research with Real-World Impact! 8

9 TCP/IP Protocol Stack: Infrastructure Protocols
DNS: Domain Name Service DHCP: Dynamic Host Configuration Protocol OSPF: Open Shortest Path First BGP: Border Gateway Protocol ICMP: Internet Control Message Protocol ARP: Address Resolution Protocol RARP: Reverse Address Resolution Protocol © Ravi Sandhu World-Leading Research with Real-World Impact! 9

10 TELNET FTP SMTP HTTP etc TCP UDP
TCP/IP Protocol Stack: Security Protocols layer 5-7 4 3 2 TELNET FTP SMTP HTTP etc TCP UDP IP IEEE Token-Ring ATM PPP etc DNS DHCP SSL RIP BGP ICMP IPSEC ARP RARP © Ravi Sandhu World-Leading Research with Real-World Impact! 10

11 Internet Security Protocols
IPsec, 1998 SSL,1994 Largely failed Half successful Dozens of other security protocols Some successes Many failures © Ravi Sandhu World-Leading Research with Real-World Impact!

12 IP v4 Packet header data carries a layer 4 protocol
TCP, UDP or a layer 3 protocol ICMP, IPSEC, IP or a layer 2 protocol IEEE 802.3 © Ravi Sandhu World-Leading Research with Real-World Impact! 12

13 TCP Inside IP IP HEADER TCP HEADER
© Ravi Sandhu World-Leading Research with Real-World Impact! 13

14 IP Header Format version: 4bit, currently v4
header length: 4 bit, length in 32 bit words TOS (type of service): unused total length: 16 bits, length in bytes identification, flags, fragment offset: total 16 bits used for packet fragmentation and reassembly TTL (time to live): 8 bits, used as hop count Protocol: 8 bit, protocol being carried in IP packet, usually TCP, UDP but also ICMP, IPSEC, IP, IEEE 802.3 header checksum: 16 bit checksum source address: 32 bit IP address destination address: 32 bit IP address © Ravi Sandhu World-Leading Research with Real-World Impact! 14

15 IP Header Format options source routing
enables route of a packet and its response to be explicitly controlled route recording timestamping security labels © Ravi Sandhu World-Leading Research with Real-World Impact! 15

16 TCP Header Format source port number
source IP address + source port number is a socket: uniquely identifies sender destination port number destination IP address + destination port number is a socket : uniquely identifies receiver SYN and ACK flags sequence number acknowledgement number © Ravi Sandhu World-Leading Research with Real-World Impact! 16

17 TCP/IP Vulnerabilities
© Ravi Sandhu World-Leading Research with Real-World Impact!

18 TCP 3 Way Handshake SYN(X) SYN(Y), ACK(X) ACK(Y) initiator responder
© Ravi Sandhu World-Leading Research with Real-World Impact! 18

19 TCP SYN Flooding Attack
TCP 3 way handshake send SYN packet with random IP source address return SYN-ACK packet is lost half-open connection stays for some time-out period Denial of service attack Basis for IP spoofing attack © Ravi Sandhu World-Leading Research with Real-World Impact! 19

20 IP Spoofing Send SYN packet with spoofed source IP address
SYN-flood real source so it drops SYN-ACK packet guess sequence number and send ACK packet to target target will continue to accept packets and response packets will be dropped © Ravi Sandhu World-Leading Research with Real-World Impact! 20

21 TCP Session Hijacking Send RST packet with spoofed source IP address and appropriate sequence number to one end SYN-flood that end send ACK packets to target at other end © Ravi Sandhu World-Leading Research with Real-World Impact! 21

22 Fundamental Vulnerability
IP packet carries no authentication of source address IP spoofing is possible Firewalls do not solve this problem Requires cryptographic solutions © Ravi Sandhu World-Leading Research with Real-World Impact! 22

23 IP Spoofing Story ALLOW GOOD GUYS IN KEEP BAD GUYS OUT
IP Spoofing predicted in Bell Labs report ≈ 1985 Unencrypted Telnet with passwords in clear 1st Generation firewalls deployed ≈ 1992 IP Spoofing attacks proliferate in the wild ≈ 1993 Virtual Private Networks emerge ≈ late 1990’s Vulnerability shifts to the client PC Network Admission Control ≈ 2000’s Persists as a Distributed Denial of Service mechanism Most of these fixes have not changed or extended IPv4 © Ravi Sandhu World-Leading Research with Real-World Impact! 23

24 Firewalls © Ravi Sandhu World-Leading Research with Real-World Impact!

25 What is a Firewall? external Internet internal network FIRE- WALL
© Ravi Sandhu World-Leading Research with Real-World Impact! 25

26 What is a Firewall? all traffic between external and internal networks must go through the firewall easier said than done firewall has opportunity to ensure that only suitable traffic goes back and forth © Ravi Sandhu World-Leading Research with Real-World Impact! 26

27 Benefits secure and carefully administer firewall machines to allow controlled interaction with external Internet internal machines can be administered with varying degrees of care does work © Ravi Sandhu World-Leading Research with Real-World Impact! 27

28 Basic Limitations connections which bypass firewall
services through the firewall introduce vulnerabilities insiders can exercise internal vulnerabilities performance may suffer single point of failure © Ravi Sandhu World-Leading Research with Real-World Impact! 28

29 Ultimate Firewall external Internet internal network Air Gap
© Ravi Sandhu World-Leading Research with Real-World Impact! 29

30 Types of Firewalls Packet filtering firewalls
IP layer Application gateway firewalls Application layer © Ravi Sandhu World-Leading Research with Real-World Impact! 30

31 Packet Filtering Firewalls
IP packets are filtered based on source IP address + source port number destination IP address + destination port number protocol field: TCP or UDP TCP protocol flag: SYN or ACK TCP/UDP: protocol field © Ravi Sandhu World-Leading Research with Real-World Impact! 31

32 Filtering Routers internal external network Internet packet filtering
mail gateway © Ravi Sandhu World-Leading Research with Real-World Impact! 32

33 Packet Filtering Firewalls
drop packets based on filtering rules static (stateless) filtering no context is kept dynamic (stateful) filtering keeps context © Ravi Sandhu World-Leading Research with Real-World Impact! 33

34 Packet Filtering Firewalls
Should never allow packet with source address of internal machine to enter from external internet Cannot trust source address to allow selective access from outside © Ravi Sandhu World-Leading Research with Real-World Impact! 34

35 Packet Filtering Firewalls
packet filtering is effective for coarse-grained controls not so effective for fine-grained control can do: allow outgoing ftp from a particular internal host cannot do: allow outgoing ftp from a particular internal user © Ravi Sandhu World-Leading Research with Real-World Impact! 35

36 Filtering Routers internal network 1 external Internet internal
packet filtering router external Internet internal network 2 mail gateway (internal network 3) © Ravi Sandhu World-Leading Research with Real-World Impact! 36

37 Filtering Host external Internet internal network
router internal network packet filtering firewall host one can use a packet filtering firewall even if connection to Internet is via an external service provider © Ravi Sandhu World-Leading Research with Real-World Impact! 37

38 Application Gateway Firewalls
external Internet external router internal network application gateway firewall host © Ravi Sandhu World-Leading Research with Real-World Impact! 38

39 Application Proxies have to be implemented for each service
may not be safe (depending on service) typically used for outgoing http requests from internal users © Ravi Sandhu World-Leading Research with Real-World Impact! 39

40 Demilitarized Zone (DMZ)
Outgoing web proxy Filtering Router Filtering Router I n t r a e I n t e r Outgoing & incoming server Webserver Static content Webserver Dynamic User-dependent content © Ravi Sandhu World-Leading Research with Real-World Impact! 40

Download ppt "Executive Director and Endowed Chair"

Similar presentations

CCNA – Network Fundamentals

CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Lesson 7 – THE BUSINESS OF NETWORKING. TCP/IP and UDP Other Internet protocols Important Internet protocols OVERVIEW.

Lesson 7 – THE BUSINESS OF NETWORKING. TCP/IP and UDP Other Internet protocols Important Internet protocols OVERVIEW.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.

Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
CS426Fall 2010/Lecture 331 Computer Security CS 426 Lecture 33 Network Security (1)

CS426Fall 2010/Lecture 331 Computer Security CS 426 Lecture 33 Network Security (1)
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.
What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.

What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
1 Chapter Overview TCP/IP DoD model. 2 Network Layer Protocols Responsible for end-to-end communications on an internetwork Contrast with data-link layer.

1 Chapter Overview TCP/IP DoD model. 2 Network Layer Protocols Responsible for end-to-end communications on an internetwork Contrast with data-link layer.
TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.

TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.
1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.

1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.
Component 9 – Networking and Health Information Exchange Unit 1-1 ISO Open Systems Interconnection (OSI) This material was developed by Duke University,

Component 9 – Networking and Health Information Exchange Unit 1-1 ISO Open Systems Interconnection (OSI) This material was developed by Duke University,

Similar presentations

Ads by Google