Original slides prepared by Theo Benson


1 Firewalls
Original slides prepared by Theo Benson

6 IP Options of Concern
Options may change the length of the IP header and may require additional processing, putting load on routers/firewalls.
- IP strict/loose source routing: the source specifies a series of intermediate destinations; might be used to bypass security devices, might cost ISPs transit fees
- IP record route option: each router on the packet’s path appends its address to the option field
- IP timestamp: like record route, but each router also adds a timestamp to the option field

10 Unix Firewalls
FreeBSD: ipfw
Linux: ipfw → ipchains → iptables
MacOS X: ipfw
ipfw example rules:
# SSH
# Allow ssh from unc.edu hosts
/sbin/ipfw -f add allow tcp from /16 to any 22 setup
/sbin/ipfw -f add allow tcp from /16 to any 22 setup
/sbin/ipfw -f add allow tcp from /16 to any 22 setup

13 Stateful Firewalls
A bit more complicated:
- Keep track of transport-layer connections (e.g., TCP, UDP) that may comprise multiple packets
- Often allow only connections initiated from behind the firewall

14 How are they deployed?
The firewall is the gatekeeper.
Diagram: The Internet (AKA “Everything evil”) outside, the “circle of trust” inside; only one way in or out of the circle.

15 Similar to streaming a Video …
Diagram: browser loading YouTube over the network; HTTP requests GET image.png, GET video.avi

22 Allowing Outbound Connections Only
Diagram: an inbound SYN from The Internet (AKA “Everything evil”) arriving at the “circle of trust”.
Why would someone from the outside want to start a connection?

23 Allowing Outbound Connections Only
Diagram: an inbound SYN from The Internet (AKA “Everything evil”) arriving at the “circle of trust”.
Why would someone from the outside want to start a connection? They would if you were running a web server, an email server, a gaming server … pretty much any ‘server’ service. Firewall configuration may allow “punching holes” to specific addresses/ports.
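The outbound-only policy from slides 13, 22 and 23, with one “punched hole”, as an added example that is not part of the original slides. It is a toy simulation, not ipfw or iptables; the inside network 10.0.0.0/8 and the remote range 192.0.2.0/24 allowed to reach SSH are assumptions.

```python
# Added example, not from the slides: a toy stateful packet filter that allows
# connections initiated from inside, drops unsolicited inbound SYNs, and has
# one "punched hole": SSH (port 22) from an assumed remote range 192.0.2.0/24.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")     # assumed "circle of trust"
SSH_HOLE = ipaddress.ip_network("192.0.2.0/24")  # assumed allowed SSH source range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    def __init__(self):
        # 4-tuples of flows that were opened from inside or through the hole.
        self.table = set()

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if ipaddress.ip_address(pkt.src) in INSIDE:
            # Outbound traffic is allowed; a bare SYN creates connection state.
            if pkt.syn and not pkt.ack:
                self.table.add(fwd)
            return "allow"
        # Inbound: is it part of a flow we already know about?
        if fwd in self.table or rev in self.table:
            return "allow"
        # Inbound SYN: only through the explicitly punched hole.
        if (pkt.syn and not pkt.ack and pkt.dport == 22
                and ipaddress.ip_address(pkt.src) in SSH_HOLE):
            self.table.add(fwd)
            return "allow"
        return "drop"
```

A stateless filter would have to permit every inbound SYN-ACK to any high port; the state table lets this one accept only replies to connections it saw leave.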

24 An Early Web-based Attack
includes the following embedded links on its home page …

26 Traversing Firewalls Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections. An external server may help coordinate which source ports and sequence numbers to use. (E.g., the STUN protocol.)

27 Network Address Translation (NAT)
Diagram: Src: :32532 → Src: :45323
For outbound packets, the translator replaces the (typically private) source address with its own public address and rewrites the source port. The translator remembers the mapping. For inbound packets, the reverse translation is performed.

28 NAT versus Firewall
- A network address translator is not intrinsically a firewall: it can work with public addresses on both sides!
- But often the two are combined in one device.
- Traffic cannot be sent directly to private addresses used behind a NAT from the public Internet.
- The intrinsic security comes from the use of private addresses rather than public addresses, not from the NAT itself.
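The translation described on slides 27 and 28, as an added example that is not part of the original slides. It is a toy port-rewriting translator; the public address 203.0.113.1 and all other addresses are constructed. Note that it never checks whether the inside address is private, which is slide 28’s point: the NAT itself works with public addresses on both sides, and an unsolicited inbound packet fails only because no mapping exists for it.

```python
# Added example, not from the slides: a toy port-rewriting NAT. Addresses are
# constructed (203.0.113.1 is the assumed public address of the translator).
class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source address/port of an outbound packet and remember it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            pub_port = self.next_port          # fresh port, so two inside hosts
            self.next_port += 1                # using the same port don't collide
            self.out[key] = pub_port
            self.back[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse translation; None means no mapping, so nothing inside gets it."""
        if dst_ip != self.public_ip:
            return None
        priv = self.back.get((dst_port, src_ip, src_port))
        if priv is None:
            return None   # unsolicited: no inside host opened this flow
        return (src_ip, src_port, priv[0], priv[1])
```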

30 What Happens When you Connect to a Website?
Diagram: browser loading SoundCloud over the network; HTTP requests GET image.png, GET sound.mp3
What happens if the virus/worm is hidden in an email? In a picture? Or if the security exploit is in an HTML page?

31 Deep Packet Inspection
Examine the payload (data) portion of the packet as well as the headers.
Diagram: IP Header | TCP/UDP Header | Payload

32 Application Level Firewall
Why are they needed?
- Attackers are tricky when exploiting security vulnerabilities
- Attacks span multiple packets
- Need a system to scan across multiple packets for virus/worm/vulnerability exploits

33 Application Level Firewalls
Similar to packet filters except:
- Supports regular expressions
- Searches across different packets for a match
- Reconstructs objects (images, pictures) from packets and scans the objects

34 Application Level Firewalls
Similar to packet filters except:
- Supports regular expressions
- Searches across different packets for a match
- Reconstructs objects (images, pictures) from packets and scans the objects
Apply the regex to the object: HTTP request GET image.png
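Why the regex must run over the reassembled object rather than packet by packet (slides 32 to 34), as an added example that is not part of the original slides. The HTTP response, the TCP segmentation and the signature pattern are all constructed test data; the pending-segment buffer is the memory cost slide 36 refers to.

```python
# Added example, not from the slides: why an application-level firewall must
# reassemble the stream before applying a regex. The "signature" and the HTTP
# response are constructed test data, not real malware.
import re

SIGNATURE = re.compile(rb"EVIL-TEST-SIGNATURE-[0-9]{4}")   # constructed pattern


def build_segments(isn=1000):
    """Constructed sample: one HTTP response for image.png, split into three
    TCP segments (seq, payload) so the signature straddles a boundary, and
    delivered out of order."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
    body = head + b"\x89PNG" + b"EVIL-TEST-SIGNATURE-1234" + b" ...rest of image"
    cut1 = len(head)
    cut2 = cut1 + 4 + 12            # 12 bytes into the 24-byte signature
    segs = [(isn, body[:cut1]),
            (isn + cut1, body[cut1:cut2]),
            (isn + cut2, body[cut2:])]
    return [segs[2], segs[0], segs[1]]


def scan_per_packet(segments):
    """Packet-filter style: regex applied to each payload on its own."""
    return any(SIGNATURE.search(payload) for _seq, payload in segments)


def reassemble(segments, isn):
    """Order segments by sequence number and rebuild the byte stream.
    Everything held in `pending` is memory the firewall must keep per flow."""
    pending = {seq: payload for seq, payload in segments}
    stream, expected = bytearray(), isn
    while expected in pending:
        chunk = pending.pop(expected)
        stream += chunk
        expected += len(chunk)
    return bytes(stream)


def scan_reassembled(segments, isn=1000):
    """Application-level style: rebuild the object, then apply the regex."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None
```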

36 Why doesn’t everyone use App level firewalls?
- Object re-assembly requires a lot of memory
- Regular expressions require a lot of CPU
- App level firewalls are a lot more expensive, and also much slower
- So you need more of them -- a lot more

37 How do you Attack the Firewall?
Most common: Denial-of-Service attacks
- Figure out a bug in the firewall code
- The code causes it to handle a packet incorrectly
- Send a lot of ‘bug’ packets and no one can use the firewall

