
Filtering/Firewalls, CSE 581, Winter 2002, Anand Patwardhan




1 Filtering/Firewalls
CSE 581, Winter 2002
Instructor: Prof. Wu-chang Feng
Presented by Anand Patwardhan

2 Paper group
- “Fast firewall implementations for software and hardware based routers”, L. Qiu, G. Varghese, S. Suri
- “A DNS filter and switch for Packet-filtering Gateways”, B. Cheswick, S. Bellovin
- “Network (In)security through IP packet filtering”, D. Chapman
- “Implementing a distributed firewall”, S. Ioannidis, A. Keromytis, S. Bellovin, J. Smith

3 Main ideas
- Classification algorithms: backtracking, compression, pipelined search
- DNS filtering
- IP packet filtering
- Distributed firewalls: connection level access control

4 Part I: Algorithms for packet classification

5 Routers
- Packet classification at wire speed
- Small memory budget
- Existing/proposed search algorithms have poor worst case complexity: an O(N^k) space vs. O((log N)^(k-1)) search time tradeoff
- Need to re-examine simpler techniques

6 Simple techniques
- Backtracking
  - Maintaining state information is expensive
  - Limited number of fast registers in a hardware router
  - Pipelining is difficult
- Set pruning tries
  - Space requirements prohibitive
  - Should fit in fast memory

7 Backtracking
- Essentially depth first search
- Worst case look-up time is O(W^k); can be improved to O(W^(k-1))
- Needs to remember W*K pieces of state
  W = average no. of matches in a dimension
  K = no. of dimensions

8 Backtracking search
- Depth first search: save all matching pieces of each field and then move to the next
[Figure: hierarchical trie with a Field D level (D1, D2, D3), a Field S level (S1, S2) and a Field P level (P1)]

9 Backtracking search optimizations
- Instead of W*K, need to store only K+1 pieces of state
- Instead of remembering all the past backtracking points per field, remember only one
- Iteratively explore through the descendant fields
- Moving downwards = more specific

10 Optimized backtracking
Traces:
  D1, S1, P1
  D1, S2, P1
  D2, S2, P1
  D3, S1, P1
  D3, S2, P1
[Figure: the same trie, Field D (D1, D2, D3) over Field S (S1, S2) over Field P (P1)]
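As an added example (not code from the slides or from the Qiu/Varghese/Suri paper), the backtracking search of slides 7 to 10 in Python: rules are nested field by field (D, S, P), and the classifier saves every matching piece of one field before moving to the next, returning each trace it explores and then the most specific hit. The rule names, prefixes and the use of prefix lists in place of bit-level tries are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set: (dest prefix, source prefix, protocol) -> rule name.
# Each tuple position is one field (dimension); "*" matches any protocol.
RULES = {
    ("10.0.0.0/8",  "192.168.0.0/16", "tcp"): "R1",
    ("10.0.0.0/8",  "0.0.0.0/0",      "*"):   "R2",
    ("10.1.0.0/16", "192.168.1.0/24", "udp"): "R3",
    ("0.0.0.0/0",   "0.0.0.0/0",      "*"):   "DEFAULT",
}

def build_hierarchy(rules):
    """Nest the rules field by field: D -> S -> P -> rule.  Dict keys stand in
    for the per-field tries of the slides (assumption: prefixes, not bit tries)."""
    root = {}
    for (d, s, p), name in rules.items():
        root.setdefault(d, {}).setdefault(s, {})[p] = name
    return root

def matching_prefixes(address, prefixes):
    """Every piece of this field that matches the address, most specific first."""
    addr = ip_address(address)
    hits = [pfx for pfx in prefixes if addr in ip_network(pfx)]
    return sorted(hits, key=lambda pfx: ip_network(pfx).prefixlen, reverse=True)

def classify(hierarchy, dst, src, proto):
    """Depth first search with backtracking over fields D, S and P: save all
    matching pieces of one field, descend into each, then move to the next.
    Returns every (trace, rule) pair so the explored paths are visible."""
    results = []
    for d in matching_prefixes(dst, hierarchy):        # field D
        s_level = hierarchy[d]
        for s in matching_prefixes(src, s_level):      # field S
            p_level = s_level[s]
            for p in (proto, "*"):                     # field P
                if p in p_level:
                    results.append(((d, s, p), p_level[p]))
    return results

def best_match(hierarchy, dst, src, proto):
    """Most specific hit: longest dest prefix, then longest source prefix,
    then an exact protocol over the wildcard."""
    def specificity(hit):
        (d, s, p), _ = hit
        return (ip_network(d).prefixlen, ip_network(s).prefixlen, p != "*")
    hits = classify(hierarchy, dst, src, proto)
    return max(hits, key=specificity)[1] if hits else None
```

Calling `classify(build_hierarchy(RULES), "10.1.2.3", "192.168.1.7", "udp")` walks three traces (ending in R3, R2 and DEFAULT), and `best_match` on the same packet returns R3.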

11 Optimizations for set pruning tries
- DAG optimization
  - At all the field boundaries, replace identical tries with a single copy
  - Use pointers instead of multiple copies
- Compression
[Figure: a trie path compressed into a single node; bit labels 1, 0000, 1, 1, 1]

12 Improvements
- Simple backtracking modified to reduce space requirements, with improved worst case complexity
- Pipelining of backtracking searches made possible by using (k+1) registers per stage
- Compression and DAG optimizations speed up searches and save space

13 Part II
- DNS filtering
- Packet filtering
- Distributed firewalls

14 DNS Filtering
- DNS: Domain Name System
- Hierarchical, domain based naming implemented as a distributed database
- Basically maps a name to an IP address, so that a TCP connection can be made
- Lookup process: Application -> Resolver -> Local Name Server (trusted) -> [Firewall] -> Remote Name Server (?)

15 Security issues
- BSD r*: rlogin, rcp, rsh use address based authentication (reverse lookup)
- What about external DNS info? Answers are cached by clients; additional DNS entries returned from untrusted servers may be forged (the client cache can be corrupted/misused)

16 Examples of DNS Filters
- Drop malformed packets
- Does the answer really answer the query made?
- Was the answer received from the appropriate server?

17 Use of DNSproxy
- A proxy which performs checks on the answers from outside DNS servers
- Located within the firewall on a trusted host
- Intercepts DNS queries, filters, modifies and forwards them in the appropriate direction
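As an added example, not code from the Cheswick/Bellovin paper or the slides, a minimal DNSproxy style check in Python for slides 15 to 17: drop malformed responses, drop answers that do not match the query or did not come from the server that was asked, and strip additional records that lie outside the queried zone before forwarding, so they never reach the client cache. The query, the response, the addresses and the parent-of-qname zone heuristic are constructed assumptions.

```python
# Constructed, already-parsed view of a DNS exchange (dicts instead of wire
# format); the proxy sits between the local name server and the outside.
QUERY = {"id": 0x1a2b, "qname": "www.example.com.", "qtype": "A",
         "server": "198.51.100.53"}         # outside server we forwarded to

def in_bailiwick(owner, qname):
    """Is `owner` the queried name or a name under its parent zone?
    Simplification: the zone is taken to be the parent of qname."""
    zone = qname.split(".", 1)[1]          # www.example.com. -> example.com.
    return owner == qname or owner == zone or owner.endswith("." + zone)

def filter_response(query, resp):
    """Apply the DNSproxy style checks; return (verdict, reason, cleaned)
    where verdict is "drop" or "forward" and cleaned is what gets passed on."""
    required = ("id", "qname", "qtype", "from", "answers", "additional")
    if not isinstance(resp, dict) or not all(k in resp for k in required):
        return ("drop", "malformed response", None)
    # Was the answer received from the server we actually asked?
    if resp["from"] != query["server"]:
        return ("drop", "answer from unexpected server", None)
    # Does the answer really answer the query made?
    same = (resp["id"] == query["id"]
            and resp["qname"].lower() == query["qname"].lower()
            and resp["qtype"] == query["qtype"])
    if not same:
        return ("drop", "answer does not match query", None)
    # Additional records outside the queried zone could poison the client
    # cache, so they are stripped rather than forwarded.
    qname = query["qname"].lower()
    kept = [rr for rr in resp["additional"]
            if in_bailiwick(rr["name"].lower(), qname)]
    dropped = len(resp["additional"]) - len(kept)
    reason = f"stripped {dropped} out-of-zone additional records" if dropped else "ok"
    return ("forward", reason, dict(resp, additional=kept))

# Constructed response: a correct answer with one legitimate glue record and
# one unrelated additional record that must not reach the client cache.
RESPONSE = {"id": 0x1a2b, "qname": "www.example.com.", "qtype": "A",
            "from": "198.51.100.53",
            "answers": [{"name": "www.example.com.", "type": "A", "data": "203.0.113.10"}],
            "additional": [{"name": "ns1.example.com.", "type": "A", "data": "203.0.113.53"},
                           {"name": "login.other.test.", "type": "A", "data": "203.0.113.99"}]}

if __name__ == "__main__":
    print(filter_response(QUERY, RESPONSE))
```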

18 IP Packet filtering
- Firewalls guard the network periphery
- Packet filtering firewalls have an “inside” and an “outside”
- Firewalls enforce security policies
- The internal network is trusted and is to be protected from “bad-guy” outsiders: unauthorized access, attacks

19 Packet filtering firewall capabilities
- Can parse headers and enforce rules based on header values: protocol, src & dest IP+port, flags, packet size, interface etc.
- Can accept, reject or drop packets
  - Accept: allows the packet to pass through
  - Reject: notify the sender of the rejection
  - Drop: drop and be silent

20 What to filter ...
- There are two directions, “in” and “out”, w.r.t. the firewall
- Rules are of the form <pattern, action>
- Services available to outsiders can be restricted
- On a match the associated action is applied to the packet
- Examples:
  - Deny all unless explicitly permitted
  - Allow HTTP, HTTPS, SSL (TCP)
  - Reject all non-DNS UDP traffic
  - Only allow packets originating from a Class C network

21 IP issues
- The source address in a packet is presumed to be true (but can be spoofed)
- Fragmentation of packets
- Privileged and non-privileged ports
- Random ports
- CIDR makes filtering rules complex
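As an added example, not code from Chapman's paper or the slides, a first-match <pattern, action> rule engine in Python covering slides 19 to 21: the example policy (default deny, allow HTTP/HTTPS, reject non-DNS UDP, and only the inside Class C network may originate outbound traffic) plus an anti-spoofing rule that drops inbound packets whose source address claims to be internal. The network, the addresses, reading the Class C rule as an outbound rule, and what a reject sends back are assumptions.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # constructed "Class C" internal network

# Rules are <pattern, action>, tried in order; the first match wins.  A key
# missing from a pattern matches anything.  Actions as on slide 19:
# accept = let through, reject = tell the sender, drop = discard silently.
RULES = [
    # an inbound packet claiming an inside source address is spoofed
    dict(dir="in", src=INSIDE, action="drop", why="spoofed inside source"),
    dict(dir="in", proto="tcp", dport=80, action="accept", why="HTTP"),
    dict(dir="in", proto="tcp", dport=443, action="accept", why="HTTPS"),
    dict(dir="in", proto="udp", dport=53, action="accept", why="DNS"),
    dict(dir="in", proto="udp", action="reject", why="non-DNS UDP"),
    dict(dir="out", src=INSIDE, action="accept", why="inside hosts may go out"),
]
DEFAULT = ("drop", "deny unless explicitly permitted")

def matches(rule, pkt):
    """Does every field present in the pattern agree with the packet?"""
    for key in ("dir", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "src" in rule and ip_address(pkt["src"]) not in rule["src"]:
        return False
    return True

def decide(pkt, rules=RULES):
    """First-match evaluation, falling through to the default-deny policy."""
    for rule in rules:
        if matches(rule, pkt):
            return (rule["action"], rule["why"])
    return DEFAULT

def sender_notification(action, proto):
    """What, if anything, goes back to the sender: reject answers (a TCP
    reset or an ICMP unreachable, as common filters do), drop stays silent."""
    if action != "reject":
        return None
    return "TCP RST" if proto == "tcp" else "ICMP port unreachable"

def packet(direction, proto, src, dport):
    """Constructed packet header summary as seen by the filter."""
    return {"dir": direction, "proto": proto, "src": src, "dport": dport}

if __name__ == "__main__":
    for pkt in (packet("in", "tcp", "203.0.113.5", 443),
                packet("in", "udp", "203.0.113.5", 123),
                packet("in", "tcp", "192.0.2.9", 80)):
        print(pkt, "->", decide(pkt))
```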

22 Other (IP based) protocols
- TCP based protocols (FTP, HTTP etc.): rules for inbound and outbound traffic (connection monitoring requires stateful packet filters, e.g. iptables)
- UDP: connectionless; random port assignments make filtering difficult (e.g. RPC)
- Note, another example: ICMP packets communicate connection related information and need to be associated with actual connections. Ping of death is a well known attack.

23 Suggested solutions for packet filtering
- Simple language for rule specification
- All headers available as filtering criteria
- Inbound and outbound filters
- Tools for developing, testing and monitoring filters
Note: the paper was published in ‘92 and explains the importance of packet filtering as a network security measure. Most of these issues have been addressed in present day firewalls.

24 Firewall limitations
- Traditional firewalls guard the perimeter, i.e. the network entry points
- They can only enforce rules on packets passing through them (backdoors, e.g. unauthorized dial-up connections, bypass them)
- Internal network traffic is never seen by these firewalls
- The network is unprotected from any “insider bad guy”

25 A Distributed Firewall
- Centrally defined security policy
- Enforcement left to individual hosts
- Security policy can be pushed or pulled via a secure channel (SSL, IPsec etc.)

26 Components
- A language for policies (rules) and requests
- A mechanism for secure distribution of policy
- A mechanism that enforces the policy at each host

27 Prototype Implementation
- Uses a web/ftp server to distribute policy
- Uses the KeyNote trust management system (and its language for expressing policies)
- Digital signatures used for verification and non-repudiation
- X.509 certificates for I&A (identification and authentication) and secure communication

28 Policy enforcement
- Connection level access control, achieved by:
  - modified system calls + a policy daemon
  - a policy device that serves as the communication medium

29 Access control
[Figure: an application calls open(), close(), read(), write(), ioctl() and accept()/connect() through the library; in kernel space the modified system calls consult the user space policy daemon over /dev/policy, which carries the policy context]

30 Summary
- IP packet filtering as a network security mechanism
- Limitations of a firewall
- OS wrappers: a method for connection level access control, which can be extended to the packet level

