Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 480: Securing Computer Systems

Published byClare Roberts Modified over 6 years ago

Similar presentations

Presentation on theme: "CIT 480: Securing Computer Systems"— Presentation transcript:

1 CIT 480: Securing Computer Systems
Firewalls CIT 480: Securing Computer Systems

2 CIT 480: Securing Computer Systems
Topics What is a firewall? Types of Firewalls Packet filters (stateless) Stateful firewalls Proxy servers Application layer firewalls Configuring the Linux Firewall Firewall Architectures and DMZs CIT 480: Securing Computer Systems

3 CIT 480: Securing Computer Systems
What is a Firewall? A software or hardware component that restricts network communication between two computers or networks. In buildings, a firewall is a fireproof wall that restricts the spread of a fire. Network firewall prevents threats from spreading from one network to another. CIT 480: Securing Computer Systems

4 CIT 480: Securing Computer Systems
Internet Firewalls Many organizations/individuals deploy a firewall to restrict access to their network from Internet. Fig 1.1, Building Internet Firewalls, 2nd ed CIT 480: Securing Computer Systems

5 CIT 480: Securing Computer Systems
What is a Firewall? (2) A security control to enforce network policy Choke point that traffic has to flow through. ACLs on a host/network level. Policy Decisions: What traffic should be allowed into network? Integrity: protect integrity of internal systems. Availability: protection from DoS attacks. What traffic should be allowed out? Confidentiality: protection from data leakage. CIT 480: Securing Computer Systems

6 CIT 480: Securing Computer Systems
Firewall Policies Blacklist Specify traffic to be blocked. Let everything else through. Whitelist Specify traffic to be accepted. Block everything else. CIT 480: Securing Computer Systems

7 Types of Firewalls Packet Filters (Stateless) Stateful Filters
Apply access rules to individual packets. Most routers have this capabilities. Stateful Filters Apply access rules to network flows or sessions. Must maintain a table of active flows. Application Layer Firewalls A proxy server that relays byte streams from client to server and vice versa. Inspects application headers for undesirable sites and application data for undesirable content (malware etc.)

8 Stateless Firewalls A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 Client Server Firewall

9 Stateless Restrictions
Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. Trusted internal network SYN Seq = y Port=80 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 Client Attacker (blocked) Firewall

10 Packet Filtering Information
Forward or drop packets based on TCP/IP header information, most often: IP source and destination addresses Protocol (ICMP, TCP, or UDP) TCP/UDP source and destination ports TCP Flags, especially SYN and ACK ICMP message type Multi-homed hosts also make decisions based on: Network interface the packet arrived on. Network interface the packet will depart on. CIT 480: Securing Computer Systems

11 Stateful Firewall Example
Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound TCP sessions, destination port=80 Client Attacker (blocked) Established TCP session: ( , ) Firewall state table Server Firewall

12 Stateful Packet Filters
Identify network flows by Protocol (TCP, UDP) Source IP address Source port Destination IP address Destination port Apply access rules on initial connection. Check if later packets are part of flow. Apply same decision to them. CIT 480: Securing Computer Systems

13 Netfilter and IPtables
Tables do specific tasks such as filtering or NAT. Each table consists of one or more chains of rules. Chains can be built-in or user defined.

14 Filter Table Built-In Chains
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) Chain OUTPUT (policy ACCEPT) CIT 480: Securing Computer Systems

15 Chains are Lists of Rules
Packet traverses a chain sequentially until A rule matches the packet and makes a final decision to ACCEPT or REJECT it. A rule matches the packet and sends it to another chain. The end of the chain is reached. If the end is reached, the packet either Returns to being processed by the calling chain. Is processed by the default policy of the chain. CIT 480: Securing Computer Systems

16 CIT 480: Securing Computer Systems
Chain Configuration Append a Rule to a Chain iptables –A chain firewall-rule List Rules in a Chain iptables –L chain Delete a Rule from a Chain iptables –D chain rule-number Set Chain Default Policy iptables –P chain DROP or append a rule that drops all packets to the end. iptables –P chain –j DROP CIT 480: Securing Computer Systems

17 Packet Matching Options
-p: protocol (tcp, udp, icmp, etc.) -s: source IP address(es) -d: destination IP address --sport: source port (for TCP or UDP) --dport: destination port (for TCP or UDP) CIT 480: Securing Computer Systems

18 Stateful Matching Options
-m state: enable stateful filtering for rule --state NEW: allow new connections Matches TCP SYN flag. Adds connection (IPs, ports) to state table. --state ESTABLISHED: allow established. Matches source IP, source port, destination IP, destination port recorded in state table. CIT 480: Securing Computer Systems

19 CIT 480: Securing Computer Systems
Rule Targets ACCEPT: let the packet through. DROP: do not let the packet through. REJECT: do not allow + send ICMP error. RETURN: stop processing on this chain and return to the next rule in the calling chain. chain: continue processing packet with the named chain. CIT 480: Securing Computer Systems

20 Writing Firewall Rules
Allow incoming SSH using stateful rules iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT Allow server to be pinged iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT CIT 480: Securing Computer Systems

21 Ingress/Egress Filtering
Block spoofed IP addresses Ingress Filtering Drop packets arriving on external interface whose source IP addresses claims to be from internal network. Egress Filtering Drop packets arriving on internal interface whose source IP address is not from internal network. CIT 480: Securing Computer Systems

22 Packet Filtering Summary
Advantages: One packet filter can protect an entire network Cheap and efficient (requires little CPU) Supported by most routers Disadvantages: Difficult to configure correctly Must consider rule set in its entirety Difficult to test completely Performance penalty for complex rulesets Stateful packet filtering much more expensive Enforces ACLs at layer 3 + 4, without knowing any application details CIT 480: Securing Computer Systems

23 CIT 480: Securing Computer Systems
Proxy Servers Proxy host relays Transport/App connections Packet filter blocks direct connections. Client makes connection to proxy. Proxy forwards connection to server. Proxy can provide multiple security features: Access Control Authentication Logging Anonymity CIT 480: Securing Computer Systems

24 CIT 480: Securing Computer Systems
Example: SOCKS v5 Socks Server Socks Client Library Clients must be linked against library. Library offers replacements for UNIX network socket system calls. User Authentication Protocols Cleartext username/password. GSS-API authentication. RFC 1928 CIT 480: Securing Computer Systems

25 CIT 480: Securing Computer Systems
Proxy Servers Advantages: User-level authentication possible. Efficient logging, as proxy deals with circuit connections instead of individual packets. Disadvantages: Clients have to be recompiled or reconfigured to use proxy service. Some services can’t be proxied. Cannot protect you from all protocol weaknesses. CIT 480: Securing Computer Systems

26 Application Layer Firewalls
Application layer rules HTTP: URLs, headers, etc. SMTP: spam statistics More complex Only 216 ports, but An infinite number of URLs, HTTP headers, bodies, etc.

27 CIT 480: Securing Computer Systems
Single Firewall Simplest type of firewall—one host acts as a gateway between internal and external networks. Figure 6.2, Building Internet Firewalls, 2nd ed CIT 480: Securing Computer Systems

28 DMZ Firewall Architecture
CIT 480: Securing Computer Systems

29 CIT 480: Securing Computer Systems
Single Firewall DMZ CIT 480: Securing Computer Systems

30 CIT 480: Securing Computer Systems
DMZ Servers w/ external access isolated from internal net Compromise of a DMZ server doesn’t directly compromise internal network. DMZ servers also can’t sniff internal traffic, since they’re on a different subnet. No single point of failure Attacker must compromise both exterior and interior routers to gain access to internal net. Advantages: greater security Disadvantages: higher cost and complexity CIT 480: Securing Computer Systems

31 CIT 480: Securing Computer Systems
Firewall Limitations Cannot protect from internal attacks May be able to limit access with internal firewalls to a segment of your network. Cannot protect you from user error Users will still run trojan horses that make it past your AV scanner. Users visiting malicious sites run malicious Javascript inside the firewalls. Firewall mechanism may not precisely enforce your security policy. CIT 480: Securing Computer Systems

32 Key Points Firewall types Netfilter and Iptables
Packet filtering (stateless) Stateful firewalls Proxy servers Application layer firewalls Netfilter and Iptables Tables and chains Rules and actions Firewall Architectures Single firewall DMZ Single firewall DMZ

33 CIT 480: Securing Computer Systems
References William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2nd edition, 2003. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006. Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2nd edition, O’Reilly & Associates, 2000. CIT 480: Securing Computer Systems

Download ppt "CIT 480: Securing Computer Systems"

Similar presentations

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
SOCKS Group: Challenger Member: Lichun Zhan. Agenda Introduction SOCKS v4 SOCKS v5 Summary Conclusion References Questions.

SOCKS Group: Challenger Member: Lichun Zhan. Agenda Introduction SOCKS v4 SOCKS v5 Summary Conclusion References Questions.
CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Firewalls.

CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Firewalls.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Access Control List ACL. Access Control List ACL.

Access Control List ACL. Access Control List ACL.

Similar presentations

Ads by Google