
Indian Institute of Technology Indore

Presentation on theme: "Indian Institute of Technology Indore"— Presentation transcript:

1 Firewall
Firewall, by Neminath Hubballi, Indian Institute of Technology Indore

2 What is a Firewall?
- A feature controlling the movement of network traffic into and out of a system
- Can be implemented in software
- Can be a standalone hardware device too
- The name comes from the conventional wall built to stop fire from spreading; it is a kind of misnomer
- Connects a presumably trusted computer or inside network to a potentially untrusted external network
- It is a perimeter security entity
- Protects inside systems from malicious activities
- Imposes restrictions on network services: only authorized traffic is allowed

3 Why Firewall
- The Internet is full of untrusted and potentially malicious machines
- We need to guard our networks and systems from malicious connections and entries
  - Much like soldiers protect national borders
  - Use restrictions on entry and exit
- Companies want all their users to adhere to policies
- At a larger scale, countries like China carry out large-scale censorship of the Internet
- Create demilitarized zones between trusted and untrusted networks

4 Design Goals
- Establish a controlled link
  - Determines the types of Internet services that can be accessed, inbound or outbound
- Protect the premises network from Internet-based attacks
  - By blocking packets from reaching inside systems
- Provide a single choke point
  - Incoming
  - Outgoing

5 What Firewalls Look Like
- Routers
  - Connect two or more networks
  - Most routers can do rudimentary firewall functions
- Appliances
  - Dedicated hardware
  - Can support full-fledged functionality
  - May have default behaviour configured already
  - You buy it, plug it in, and it starts working!
- Software-only firewalls
  - Do other things in addition to firewall functionality
  - Normally a general-purpose computer
- One for all
  - Many vendors are coming up with tools that do everything: router, wireless modem, firewall, etc.

6 Firewall Policy
- Policy can be enforced on traffic using one of the following
  - Accept: traffic is allowed to go through
  - Drop: not allowed through
  - Reject: not allowed through, and an attempt is made to inform the source that it is not permitted
- Policies are defined on many attributes
  - Transport layer attributes
  - IP layer attributes
  - Application level attributes such as payload

7 Firewall Rules Look Like
- Specification
- Allow all and block specified
  - Easy
  - Exception list of blocked sites and protocols
  - Needs encoding of rules for every possible intrusion method of attackers, which is nearly impossible
- Block all and allow specified
  - More secure
  - Few rules
  - Constant updating not required

8 Firewall Rules
(figure not in transcript)

9 Firewall Rules Look Like
(figure not in transcript)

10 Hybrid Firewall Rules
- Deny network traffic on all IP ports.
- Except, allow network traffic on port 80 (HTTP).
- Except, from all HTTP traffic, deny HTTP video content.
- Except, allow HTTP video content for members of the Trainers group.
- Except, deny Trainers to download HTTP video content at night.

11 Rule Preference and Conflicts
- Rules are processed
  - In order
  - Giving preference to rules which deny content
  - Identifying the best fit

12 Types of Firewall
- Depending on the protocol level data it uses to restrict data movement
  - Packet filtering
  - Circuit gateways
  - Application gateways
  - Bastion host
  - A combination of the above is a dynamic packet filter
- Depending on the size
  - Personal firewall
  - Departmental or small organization firewall
  - Enterprise firewall

13 General Features
- Port control
- Network Address Translation
- Application monitoring (program control)
- Packet filtering based on addresses
- Content filtering
  - A firewall integrated with virus scanners can inspect the content
- Reporting activities

14 Additional Features
- Data encryption
- Hiding presence
- Reporting/logging
  - Log everything – nobody has time to read it
  - Log less – you cannot make out what happened
  - Log nothing – you do not understand what the firewall is doing
- Virus protection
- Pop-up ad blocking
- Cookie digestion
- Spyware protection
- etc.

15 Packet Filtering Firewall
- Packet-filtering router
- Uses only header fields to inspect packets
- Rules can be written using
  - Source IP address
  - Destination IP address
  - Source port number
  - Destination port number
  - ICMP messages
  - Fragmentation fields
  - IP options setting
- Relatively simpler to implement
- Cannot give comprehensive protection

16 Stateless Packet Filtering
- Does not remember history
- The decision to allow or deny is based on individual packets
- Most routers and iptables provide this functionality
- Limitations
  - Internet traffic is bidirectional (TCP)
  - A telnet service runs on port 23
  - Clients can use any port number
  - A configuration to allow telnet communication may look like the following
    - Client ( ) and Server ( )
    - Src , Src Port XXX, Dst , Dst Port 23
    - Src , Src Port 23, Dst , Dst Port XXX

17 Stateless Firewall Rules
- Permit TCP packets from  with any source port to  on port 23
- Permit TCP packets from  with source port 23 to any destination port on 
- What's wrong with the above rules?
  - It is dangerous to allow such a configuration: the second rule admits any packet that merely claims source port 23, and port numbers and IP addresses can be spoofed
- The only advantage of stateless firewalls is that they are simple and efficient in terms of the memory and computation required

18 Stateful Packet Filtering
- Remembers the history
  - Established connections, flows
- Maintains a cache to log entries of open flows and connections
  - Port numbers and IP addresses become part of this
- Inspects packets against the logged state information
- Much improvement over stateless packet filtering
- Typically, on arrival of a packet
  - Check the cache for a flow record
  - If it exists, allow the packet
  - Otherwise verify it against the rules

19 Stateful Firewall
- Advantages
  - Relatively more secure
  - Rules do not need to be written for broad return traffic
  - Simply contain what needs to be there in the cache flow record
- Limitations
  - Limited cache size
  - How long to remember the state
    - Connection drops
    - Connection timeout
    - How to fix a reasonable time
  - How many connections can be handled
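As an added example that is not part of the slides, here is a minimal stateful filter in Python for the telnet scenario of slides 16 to 19: only the client-to-server rule is written, return traffic is admitted from the flow cache rather than by a broad "source port 23" rule, and the cache has a size limit and an idle timeout. The addresses 192.168.1.10 and 10.0.0.5, the client port numbers and the timeout values are constructed assumptions.

```python
from collections import OrderedDict

# Constructed addresses for the client and server of the telnet example
# (assumption: the slides leave them blank).
CLIENT, SERVER, TELNET = "192.168.1.10", "10.0.0.5", 23

# Only the client-to-server direction is written as a rule; return traffic
# is admitted from the flow cache instead of a broad "source port 23" rule.
RULES = [{"src": CLIENT, "dst": SERVER, "dport": TELNET}]

class StatefulFilter:
    def __init__(self, max_flows=2, timeout=60):
        self.flows = OrderedDict()            # (src, sport, dst, dport) -> last seen
        self.max_flows, self.timeout = max_flows, timeout

    def _expire(self, now):
        # Forget records idle longer than the timeout (the "how long to remember" limit).
        for key in [k for k, t in self.flows.items() if now - t > self.timeout]:
            del self.flows[key]

    def filter(self, pkt, now):
        self._expire(now)
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # 1. Known flow in either direction: allow and refresh its timestamp.
        for key in (fwd, rev):
            if key in self.flows:
                self.flows[key] = now
                self.flows.move_to_end(key)
                return "accept"
        # 2. Unknown flow: consult the rules; a match opens a new cache record.
        for r in RULES:
            if (pkt["src"], pkt["dst"], pkt["dport"]) == (r["src"], r["dst"], r["dport"]):
                if len(self.flows) >= self.max_flows:
                    self.flows.popitem(last=False)  # limited cache: evict oldest
                self.flows[fwd] = now
                return "accept"
        return "drop"

def telnet_session():
    """Replay the slide's scenario; returns the verdict for each constructed packet."""
    fw = StatefulFilter()
    pkts = [
        (0,   {"src": CLIENT, "sport": 40000, "dst": SERVER, "dport": TELNET}),  # client opens
        (1,   {"src": SERVER, "sport": TELNET, "dst": CLIENT, "dport": 40000}),  # server reply
        (2,   {"src": SERVER, "sport": TELNET, "dst": CLIENT, "dport": 445}),    # no such flow
        (100, {"src": SERVER, "sport": TELNET, "dst": CLIENT, "dport": 40000}),  # flow timed out
    ]
    return [fw.filter(p, t) for t, p in pkts]  # -> ['accept', 'accept', 'drop', 'drop']
```

The third packet is exactly what slide 17's second stateless rule would have admitted; here it is dropped because no matching flow record exists.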

20 IP Header Manipulation
- TTL value is decreased
- Checksum is recalculated
- NAT
  - IP address and port number are replaced
  - Prevents revealing the network structure

21 Handling ICMP Packets
- Echo request and reply messages are used for connectivity discovery
- Destination unreachable – no route to the target host
- Protocol unreachable – protocol is not supported
- TTL exceeded – when the TTL counter hits 0
- All of the above are mostly harmless
- ICMP redirect
  - Scope for lying
- Echo request and reply messages may also be harmful
  - Attackers can gather information to discover the layout of the network and computers

22 Handling ICMP Packets
- A typical firewall configuration for ICMP messages (figure not in transcript)

23 Handling Fragmentation
- Fragmentation is done to route the packet over a network with a small MTU
- Each fragment becomes independent after fragmentation

24 Handling Fragmentation
- What's wrong with fragmentation?
  - The entire transport segment is treated as payload and distributed across multiple fragments
  - The TCP/UDP header information will most likely be only in the first fragment
  - How to verify rules involving transport layer header fields?
- How to address this
  - Do not allow fragmented packets at all
    - That's a little harsh
  - Reassemble the fragmented packet and then verify
    - Overhead
    - Waiting time
    - Denial of service
  - Filter based on the first fragment and allow the rest to go through
    - End host waits for fragments to come

25 Handling NAT
- A stateful firewall maintains a table
- Address translation is done
- Private addresses are not routed by routers
- It's a kind of ethical IP spoofing
- IP addresses inside the payload
  - Replace all
  - Leave as is

26 What Firewalls Cannot Do
- Insider attacks
- Social engineering
- Mostly fail to block viruses and worms
- Tunneled protocols
  - Port 80 is almost always open
  - Peer-to-peer traffic
- The administrator needs to be an expert
  - Tell the firewall what to allow and what to block

27 Matching Algorithms
- Rules basically consist of attribute matching (d of them)
- Each attribute value has a range [s, e] derived from the packet header
  - For example, port numbers are 8 bit, resulting in a number of size 2^32
- With d such attributes we can visualize a d-dimensional box
- If we have N rules for the firewall, the matching algorithm essentially boils down to identifying one such box with the highest priority
  - Depending on the order preference
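As an added example (not from the slides), the following Python models each rule as a d-dimensional box of attribute ranges and evaluates slide 10's hybrid policy under the two strategies of slide 11: first match in order, and deny-preferred. The "content", "group" and "hour" packet attributes, the definition of "night", the 10.0.0.0/24 inside subnet and the telnet rule are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# A rule is a box in d-dimensional attribute space: one condition per attribute,
# each a numeric range (lo, hi), an IP network, or a set of labels.
# Attributes a rule does not mention match anything.
class Rule:
    def __init__(self, action, **conds):
        self.action, self.conds = action, conds

    def matches(self, pkt):
        for attr, cond in self.conds.items():
            v = pkt.get(attr)
            if isinstance(cond, tuple):
                if v is None or not cond[0] <= v <= cond[1]:
                    return False
            elif isinstance(cond, (set, frozenset)):
                if v not in cond:
                    return False
            elif v is None or ip_address(v) not in cond:
                return False
        return True

def first_match(rules, pkt, default="drop"):
    """Ordered evaluation: the first rule whose box contains the packet wins."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def deny_preferred(rules, pkt, default="drop"):
    """Alternative from slide 11: among all matching rules, any deny wins."""
    actions = [r.action for r in rules if r.matches(pkt)]
    return default if not actions else ("drop" if "drop" in actions else actions[0])

# Slide 10's hybrid policy, most specific rule first so first_match honours the
# "except" chain; the catch-all deny is the default action.  "content", "group"
# and "hour" are constructed attributes an application-aware firewall would
# supply; night = 22:00-05:59, the inside subnet and the telnet rule are assumptions.
HYBRID = [
    Rule("drop", dport=(80, 80), content={"video"}, group={"Trainers"}, hour=(22, 23)),
    Rule("drop", dport=(80, 80), content={"video"}, group={"Trainers"}, hour=(0, 5)),
    Rule("accept", dport=(80, 80), content={"video"}, group={"Trainers"}),
    Rule("drop", dport=(80, 80), content={"video"}),
    Rule("accept", dport=(80, 80)),
    Rule("accept", dport=(23, 23), src=ip_network("10.0.0.0/24")),
]

def trainer_video_daytime():
    """Constructed packet: a Trainer fetching HTTP video at 14:00."""
    return {"src": "10.0.0.7", "dport": 80, "content": "video", "group": "Trainers", "hour": 14}
```

Run both strategies on trainer_video_daytime(): first_match accepts it (the Trainers exception wins), while deny_preferred drops it because the broader "deny video" box also contains the packet, which is why the ordering strategy is part of the policy.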

28 Firewall Gateways
- The firewall runs a set of proxy programs
- Proxies filter incoming and outgoing packets
- All incoming traffic is directed to the firewall
- All outgoing traffic appears to come from the firewall
- Acts as a relay between applications
- Policy is embedded in the proxy programs
- Two kinds of proxies
  - Application-level gateways/proxies
    - Tailored to HTTP, FTP, SMTP, etc.
  - Circuit-level gateways/proxies
    - Working at the TCP level
- The gateway is like a NAT box, i.e., a home router.

29 Application Gateway

30 Application Level Gateway
- Needs separate proxies for each service
  - E.g., SMTP ( )
  - NNTP (Net news)
  - DNS (Domain Name System)
  - NTP (Network Time Protocol)
  - Custom services are generally not supported
- Advantages
  - Better security compared to packet filtering firewalls
  - Understands application details
  - Only a handful of applications are permitted
  - Efficient compared to packet filters
- Drawbacks
  - Processing overhead

31 Circuit Level Gateway

32 Circuit Level Gateway
- Typically works at the session layer of the OSI reference model
- Handles TCP connections and relays
  - Relays TCP segments between two systems
- Rules are written for allowing/disallowing TCP sessions
- The SOCKS proxy we use is an example of a circuit level gateway

33 Bastion Host
