Presentation is loading. Please wait.

Presentation is loading. Please wait.

or call for office visit,

Published byMolly McDowell Modified over 6 years ago

Similar presentations

Presentation on theme: "or call for office visit,"— Presentation transcript:

1 email or call for office visit, 404 894-5177
ECE-6612 Prof. John A. Copeland fax Office: Klaus 3362 or call for office visit, Chapter 10a - Firewalls 3/10/2013

2 Computer System Evolution
Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area Networks: - connects PC’s (in “terminal emulation” mode), remote terminals (next building) and mini-computers. Premises Network: - connects LANs and LAN-attached devices to each other. Enterprise-wide Network: - leased data lines (T1, DS-3) connect various offices. Internet Connectivity: - initially for , now for Web access, e-commerce, music and video downloads, social networking, tele-commuting, Web and video conferencing, distance learning, Makes the world accessible, but now the world also has access to you. 2

3 Connectivity Provided by the Georgia Backbone Network
Citizens Schools WWW Contractors Libraries City & County Kiosks Governments Firewalls State WWW Gateway State Internet Agency Gateway & Other Agencies Web Server Agency Virtual Private Network Private Virtual Connection Agency Server LANs at Agency Offices across Georgia Non-Agency State Server 3

4 Agency Firewall - Protects Agency Subnets
from Unwanted Connections from Unwanted Connections Subnet 1 Subnet 2 Gate- WAN Gate- way way Firewalls (and many routers) can reject: Packets with certain source and destination addresses Packets with certain high-level protocols (UDP, Telnet) Proxy Servers - for specific applications messages assembled and inspected, then passed to internal server machine. Prevent Cyber Loafing - Using the Internet for fun and personal business (not very effective). 4

5 Router-Firewall can drop packets based on source or destination,
Web Server Browser Application Application Router-Firewall can drop packets based on source or destination, ip address and/or port Layer Layer (HTTP) (HTTP) Port 80 Port 31337 Transport Transport Layer Layer (TCP,UDP) (TCP,UDP) Segment No. Segment No. Network Network Layer (IP) Layer (IP) IP Address Network Network IP Address Layer Layer Token Ring E'net Data Token Ring E'net Data Link Layer Link Layer Data-Link Layer Data Link Layer Ethernet Token Ring E'net Phys. Token Ring Phys. Layer Phys. Layer Layer Phys. Layer 5

6 Transport or App.-Layer
Process Process Application Application Layer (HTTP, Gateway, or Proxy Layer FTP, TELNET, (HTTP(HTTP, SMTP) FTP, TELNET, SMTP) Transport Transport Transport Transport Layer Layer Layer Layer (TCP, UDP) (TCP, UDP) (TCP, UDP) (TCP,UDP) Network Network Network Network Layer (IP) Layer (IP) Layer (IP) Layer (IP) E'net Data TR Data Link Link E'net Data TR Data Layer Link Layer Layer Link Layer E'net Phys. E'net Phys. TR Phys. TR Phys. Layer Layer Layer Layer 6

7 Policy No outside Web access. Outside connections to Public Web Server Only. Prevent Web-Radios from eating up the available bandwidth. Prevent your network from being used for a Smuft DoS attack. Prevent your network from being tracerouted or Ping scanned. Firewall Setting Drop all outgoing packets to any IP, Port 80 Drop all incoming TCP SYN packets to any IP except 130:207: , port 80 Drop all incoming UDP packets - except DNS and Router Broadcasts. Drop all ICMP packets going to a “broadcast” address ( or ). Drop all incoming ICMP, UDP, or TCP echo-request packets, drop all packets with TTL < 5. 7

8 Firewall Attacks IP Internal-Address Spoofing Source Routing (External Spoof) Tiny Fragment Attacks 2nd-Fragment Probes SYN-ACK Probes Internal Outbound Hacking Firewall Defense Drop all incoming packets with local source address. Drop all IP packets with Source-Routing Option. Drop all incoming packet fragments with small size. Assemble IP fragments (hard work), or at least *. Be “Stateful” -keep track of TCP outgoing SYN packets (start of all TCP connections). Drop all outgoing packets which do not have an "internal" source IP address. * Fragments after the first one have no transport header (no way to tell if it is TCP, UDP, ICMP, ... , or determine port numbers. Firewall must at least keep a temporary list of approved IP ID-Numbers based on the first fragment decision. 8

9 A Network Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments. Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall. Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with “filter” capabilities). Protect Finance Department from Engineering Department [Problem: internal network is much higher bit rate, firewalls more expensive]. Solution 2 - implement host-based firewalls to limit access except on certain TCP/UDP ports from specific hosts or subnets. Must be centrally managed to be economical. Solution 3 – Use a Intruder Detection System that divides the network into zones, and reports unauthorized cross-zone connections. 9

10 Stateful Firewall Local PC ip1 External Host ip2 10 TCP SYN
establishes “state” (ip1,ip2,tcp, 33489,80) TCP SYN-ACK or RESET or relatedICMP established “state” (ip1,ip2,tcp, 33489,80) TCP ACK’s established “state” (ip1,ip2,tcp, 33489,80) TCP or UDP or ICMP Not part of an established “state” 10

11 # iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp / /0 ACCEPT tcp / /0 ACCEPT all / /0 tcp dpt:22 ACCEPT tcp / tcp dpt:22 ACCEPT tcp / /0 ACCEPT udp / / tcp dpt:22 ACCEPT tcp / / tcp dpt:22 ACCEPT tcp / / tcp dpt:22 DROP all / /0 Chain FORWARD (policy DROP) DROP all -- anywhere anywhere Chain OUTPUT (policy DROP) ACCEPT icmp -- anywhere /24 ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED A “-n” option speeds up iptables because it stops reverse lookups. Also beneficial for “route”, “netstat”, … . 11

12 Uncomplicated Firewall (UFW) for Ubuntu (LINUX)
$ ufw status numbered Status: active To Action From [ 1] 8822/tcp ALLOW IN [ 2] Anywhere ALLOW IN /25 [ 3] 8822/tcp ALLOW IN [ 4] 8822/tcp ALLOW IN /16 [ 5] 8822/tcp ALLOW IN /16 [ 6] Anywhere DENY IN Anywhere $ ufw insert 1 allow proto tcp from /16 to any port 8822 Rule Inserted $ ufw activate (changes iptables configuration) 12

13 nftables (Jan. 2014) is meant to replace netfilter (configured by iptables).
nftables (configured by nft) is a subsystem of the Linux kernel, providing filtering and classification of network packets/datagrams/frames. Mac non-server: "man 5 pf.conf" & "man 8 pfctl" (server: af.conf, afctl) . By ScotXW - Own work, CC BY-SA 4.0,

14 NAT - Network Address Translation Web Server 130.27.8.35 Internet
To :y from :80 To :80 from :y 3 2 x & y are high number ephemeral client ports. Simple NATs, use x=y Router with NAT 4 To :x from :80 To :80 from :x 1 Host Web Client Host Host Web Server port 80 FTP Server port 21 Local Web client accessing an external Web server 14

15 External FTP client accessing a local FTP server
Internet To : 21 from :x To : x from :21 Forwarding Table Port 80 -> .10 Port 21 -> .30 1 4 Router with NAT 2 3 To :y from :21 To :21 from :y Host Host Host Host Web Server port 80 FTP Server port 21 External FTP client accessing a local FTP server 15

16 16

17 Home Routers allow incoming connections based on server port
New Home Routers also allow port translation (e.g., > 22) 17

18 Combined Firewalls and IDS
(see also: IBM Proventia 18

19 from www.watchguard.com
Protocol Anomaly Detection WatchGuard Transparent Application layer proxies examine entire connection data streams, identifying protocol anomalies and discarding harmful or questionable information. In addition, WatchGuard firewalls perform: * Packet Handling - prevents packets from entering the network until they are reassembled and examined. * Packet Reassembly - reassembles packet fragments to prevent fragment overlap attacks such as Teardrop and other Layer 3 protocol anomaly based attacks. Signature Element Analysis Rather than using signatures that precisely identify specific attacks, WatchGuard systems look at what any attack of a certain type (e.g., ) must do to succeed (e.g., auto-execute an attachment). With rule sets, you can choose to allow or deny traffic, or even deny all traffic from a source for a specific period. In addition to rigorous rule sets, the firewall processes policy-based configurations, and management subsystems perform state and content analysis. These processes protect against entire known and unknown attack classes, and can narrow the vulnerability window without having to make you wait for updated attack-specific signatures. Behavior-Based Analysis Although behavior-based intrusion detection is a relatively new technology, WatchGuard has mechanisms in place within the firewall to identify known attack behaviors, such as: * Port scans and probes * Spoofing * SYN flood attacks * DoS and DDoS attacks * The misuse of IP options such as source routing from 19

20 from www.lancope.com 20 Network Operations
* Resolve network performance issues in minutes * Provides enterprise network visibility down to user level * Troubleshoots network incidents at 1/3 the time of point solutions * Analyzes NetFlow / sFlow to facilitate capacity planning and traffic engineering Network Security * Detects attacks that bypass signature based, perimeter defenses * Leverages flow data, including packet capture, to reduce security risks by 90% * Enforces policies and assures compliance with agent-free user identity tracking * Delivers scalable, robust security and risk management from (also see 20

21 Firewall Configuration Helpers
For Mac Built-in System Pref.s/Security/Firewall Little Snitch Murus For Windows Built-in Set from Control Panel For Linux Do "man 5 pf.conf" & "man 8 pfctl" ufw (Uncomplicated Firewall) 21

Download ppt "or call for office visit,"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.

1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Firewalls A note on the use of these ppt slides:

Firewalls A note on the use of these ppt slides:

Similar presentations

Ads by Google