Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls Dr. X (Derived from slides by Prof. William Enck, NCSU)

Published byJewel Williamson Modified over 6 years ago

Similar presentations

Presentation on theme: "Firewalls Dr. X (Derived from slides by Prof. William Enck, NCSU)"— Presentation transcript:

1 Firewalls Dr. X (Derived from slides by Prof. William Enck, NCSU)

2 Filtering: Firewalls Filtering traffic based on policy
Policy determines what is acceptable traffic Access control over traffic Accept or deny May perform other duties Logging (forensics, SLA) Flagging (intrusion detection) QoS (differentiated services) 2

3 IP Firewall Policy Specifies what traffic is (not) allowed
Maps attributes to address and ports Example: HTTP should be allowed to any external host, but inbound only to web-server Rules typically refer to IP addresses, not hostnames -- WHY?

4 Default Accept vs Default Deny
Default policy specifies what to do if no other policy applies Most OSes default to default accept Most organizations default to default deny NCSU: Default deny for incoming traffic, what about CofC??

5 Blacklisting and Whitelisting
Specifies connectivity that is explicitly disallowed E.g., prevent connections from badguys.com Whitelisting Specifies connectivity that is explicitly allowed E.g., allow connections from goodguys.com Greylisting Temporarily reject something that is not recognized How do we create these lists?

6 Stateless vs Stateful Stateless: each packet considered in isolation
Single packet contains insufficient data to make access control decision Stateful: allows historical context consideration Firewall collects data over time e.g., TCP packet is part of established session Q: What are the advantages/disadvantages of stateless and stateful?

7 DMZ (De-Militarized Zone)
Zone between LAN and Internet

8 Practical Issues and Limitations
Network layer firewalls are dominant DMZs allow multi-tiered firewalling Tools are widely available and mature Personal firewalls gaining popularity Issues Network perimeters not quite as clear as before: e.g., telecommuters, VPNs, wireless Every access point must be protected Hard to debug, maintain consistency and correctness Often seen by non-security personnel as impediment E.g., Just open port X so I can use my wonder widget

9 Linux Firewall Implementations
Linux iptables ( filtering- HOWTO.html) also referred to as Netfilter lots of GUIs, higher-level apps, etc. e.g., ufw PF: OpenBSD Packet Filter Mac OS X Application Firewall Windows firewall thingy

10 Netfilter Chain: check list of firewall rules Firewall chains:
INPUT: if packet is destined for this host FORWARD: if packet is destined for another network interface OUTPUT: outgoing packets Packets either get dropped or advance towards next chain

11 iptables concepts The iptables firewall looks in the firewall table to see if the chain associated with the current hook matches a packet, and executes the target if it does. Table: all the firewall rules Chain: list of rules associated with the chain identifier, e.g., hook name Match: when all of a rule’s field match the packet Target: operation to execute on a packet given a match

12 iptables commands iptables [-t <table_name>] <cmd> <chain> <plist> Commands Append rule to end or specific location in chain Delete a specific rule in a chain Flush a chain List a chain Create a new user-specified chain Replace a rule

13 Examples iptables -A INPUT -s 200.200.200.2 -j ACCEPT
iptables -A INPUT -s j DROP iptables -A INPUT -s p tcp -j DROP iptables -A INPUT -s p tcp --dport telnet -j DROP iptables -A INPUT -p tcp --destination-port telnet -i eth0 -j DROP

14 Deep Packet Inspection (DPI)
Deep packet inspection looks into the internals of a pack to look for some application/content context e.g., inspect HTTP for URLs that point to malicious websites Can have serious privacy issues if done by, say, Comcast To specify a match in iptables iptables -A INPUT -p tcp -m string --algo bm --string 'exe' iptables -A INPUT -p tcp -m length --length 10:100 matches packet with content containing ‘exe’ matches packet with length between 10 and 100 bytes

15 Next Generation Firewalls
Application blocking instead of port/IP blocking Behavioral analysis for unknown applications Key safe enablement requirements: Identify apps not ports – classify traffic, app ID Prevents port hopping, sneaking across ports, using non standard ports, using ssl or SSH Tie app usage to user – consistency across location Protect from known/unknown threats New malware – Wildefire updates signatures, monitors 100 abnormal behaviors Simplify policy – reduce administrative efforts

16 Reduce Application Risk
Limit webmail Allow streaming, abide to QoS Control Facebook Control web-surfing Consistent security Deny-all-else

17 Palo Alto filtering

18

19

20 Summary Firewalls used for filtering
Different firewalls and configurations Imperfect, however better have than not

21 Sources “Next Generation Firewall Overview”, Palo Alto Networks White Paper “Next Generation Firewalls for Dummies”, Lawrence C. Miller

Download ppt "Firewalls Dr. X (Derived from slides by Prof. William Enck, NCSU)"

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Ipchains A packet-filtering Firewalls supported by Linux distributions.

Ipchains A packet-filtering Firewalls supported by Linux distributions.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Firewalls A note on the use of these ppt slides:

Firewalls A note on the use of these ppt slides:
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Similar presentations

Ads by Google