Firewalls (March 2, 2016) © Abdou Illia – Spring 2016.


1 Firewalls (March 2, 2016) © Abdou Illia – Spring 2016

2 Test your Firewall knowledge
Which of the following is true about firewalls?
- A firewall can be a hardware device
- A firewall can be a software program
- Firewalls can be hardware or software
- They are used to protect a whole network against attacks
- They are used to protect single computers against attacks
- Both a and b.

3 Test your Firewall knowledge (cont)
Which of the following is true about firewalls?
- They are configured to monitor inbound traffic and protect against attacks by intruders
- They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
- Both a and b

4 Firewall: definition
Hardware or software tool used to protect a single host [1] or an entire network [2] by:
- “Sitting” between a trusted network (or a trusted host) and an untrusted network
- Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic
[1] Host-based or personal firewall
[2] Network-based firewall
[Figure: Trusted network, PC with Host-based Firewall, Network-Based Firewall, Untrusted network]

5 Questions
What is the main advantage of having a host-based firewall in addition to having a network-based one?
Answer:_________________________________________
What kind of security issue could be associated with having host-based firewalls on users' PCs?
Answer:__________________________________________
[Figure: Trusted network, PC with Host-based Firewall, Network-Based Firewall, Untrusted network]

6 Firewall Architecture
Most firms have multiple firewalls. Their arrangement is called the firm’s firewall architecture.
[Figure: Firewall Architecture. Labels: Internet, Screening Router Firewall, Main Border Firewall, Demilitarized Zone (DMZ), Public Webserver, External DNS Server, SMTP Application Proxy Server, HTTP Application Proxy Server, Internal Host, x Subnet, Marketing Client on x Subnet, Accounting Server on x Subnet, Server on x Subnet]

7 Firewall Architecture
- The DMZ is a subnet that contains the hosts most vulnerable to attack, i.e. hosts that provide services to outside users.
- Common hosts in the DMZ: public web servers, public DNS servers, public FTP servers, proxy servers.
- Hosts in the DMZ must be heavily protected.
[Figure: Firewall Architecture. Labels: Internet, Screening Router Firewall, Main Border Firewall, Internal Firewall, Host Firewall (x3), Demilitarized Zone (DMZ), Public Webserver, External DNS Server, SMTP Application Proxy Server, HTTP Application Proxy Server, x Subnet, Marketing Client on x Subnet, Accounting Server on x Subnet, Server on x Subnet]

8 Questions
What is a DMZ?
Why are public web servers usually put in the DMZ?
Why are public DNS servers usually put in the DMZ?
Which of the following may be placed in a DMZ?
- An SMTP proxy server
- A server that contains files available for downloading by employees
- A File Transfer Protocol server
- A SQL (Structured Query Language) database server
What IP addresses should a DNS server in the DMZ be able to find?
- All of the company’s IP addresses
- Only the IP addresses of the computers in the internal subnet
- Only the IP addresses of the computers in the DMZ
You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
- A DMZ (Demilitarized Zone).
- A honeypot.
- A firewall.
- None of the above.

9 Basic Firewall Operation
- Ingress filtering: filtering packets coming from external networks
- Egress filtering: filtering packets leaving to external networks
[Figure: Basic firewall operation. Labels: Internet (Not Trusted), Attacker, Legitimate User, Border Firewall, Internal Corporate Network (Trusted), Log File, Legitimate Packet 1, Legitimate Packet 2, Attack Packet 1, Passed Legitimate Packet (Ingress), Passed Packet (Egress), Dropped Packet (Ingress)]

10 Types of Firewalls
[Figure: packet layout: IP-H, TCP-H / UDP-H, Application Layer Message]
Static Packet Filtering Firewalls (1st generation)
- Inspect TCP, UDP, IP headers to make filtering decisions
- Do static filtering of individual packets based on configured ruleset (or Access Control List)
- Prevent attacks that use IP or port spoofing, etc.
Stateful Packet Filtering Firewalls (2nd generation)
- Do stateful filtering by checking the firewall’s state table for relation of packets to packets already filtered
  - If packet does not match an existing connection, the ruleset (static filtering) is used
  - If packet matches an existing connection, it is allowed to pass
- Prevent SYN attacks, teardrops, etc.
State Table (columns: Connection, Source IP, Destination IP, State)
Connection 1 :80 TCP opening
Connection 2 Data transfer
…… ………. ………
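The state-table check on this slide, as an added example that is not part of the original presentation: an outbound SYN creates a "TCP opening" entry, the matching SYN/ACK moves it to "Data transfer", and a SYN/ACK with no matching entry falls through to the static ruleset and is denied. The class, the fallback ruleset and the documentation-range addresses are constructed for illustration.

```python
class StatefulFilter:
    """Minimal stateful packet filter (illustrative, not a real product's logic)."""

    def __init__(self, ruleset):
        self.ruleset = ruleset  # static fallback: callable(packet) -> "PASS" / "DENY"
        self.state = {}         # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def _key(p):
        # Normalise both directions of a connection to the same table key.
        if p["dir"] == "egress":
            return (p["src"], p["sport"], p["dst"], p["dport"])
        return (p["dst"], p["dport"], p["src"], p["sport"])

    def check(self, p):
        key = self._key(p)
        if key in self.state:                       # matches an existing connection
            if (self.state[key] == "TCP opening" and p["dir"] == "ingress"
                    and p["flags"] == {"SYN", "ACK"}):
                self.state[key] = "Data transfer"
            if "RST" in p["flags"]:
                del self.state[key]                 # connection torn down
            return "PASS"
        verdict = self.ruleset(p)                   # no match: use the static ruleset
        if verdict == "PASS" and p["flags"] == {"SYN"}:
            self.state[key] = "TCP opening"
        return verdict

def default_ruleset(p):
    """Pass connections opened by an internal host, deny everything else."""
    return "PASS" if p["dir"] == "egress" and p["flags"] == {"SYN"} else "DENY"

def pkt(direction, src, sport, dst, dport, *flags):
    return {"dir": direction, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": frozenset(flags)}

def demo():
    fw = StatefulFilter(default_ruleset)
    packets = [  # constructed sample traffic
        pkt("egress", "192.0.2.10", 50000, "198.51.100.5", 80, "SYN"),
        pkt("ingress", "198.51.100.5", 80, "192.0.2.10", 50000, "SYN", "ACK"),
        pkt("ingress", "198.51.100.99", 80, "192.0.2.10", 50001, "SYN", "ACK"),
        pkt("ingress", "198.51.100.99", 4444, "192.0.2.10", 22, "SYN"),
    ]
    return [fw.check(p) for p in packets], fw.state

if __name__ == "__main__":
    print(demo())
```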

11 Types of Firewalls (cont.)
[Figure: packet layout: IP-H, TCP-H / UDP-H, Application Layer Message]
Application Firewalls (3rd generation)
- Also called proxy firewalls
- Inspect the Application Layer message (e.g. HTTP requests, e-mails, etc.)
- Specialized proxy firewalls are more effective than general-purpose ones
  - HTTP proxy firewalls for HTTP requests
  - SMTP proxy firewalls for SMTP e-mails
  - FTP proxy firewall for FTP-based file transfer requests
- Prevent malware attacks
[Figure: Browser, HTTP Proxy, Webserver Application, Log File. 1. HTTP Request; 2. Passed inspected HTTP Request; 3. HTTP Response; 4. Passed inspected HTTP Response]

12 Types of Firewalls (cont.)
Network Address Translation Firewall
- Replace IP address in outgoing message by a spoof IP address
- Hide internal hosts’ IP addresses from outsiders
- Help prevent IP spoofing attacks using internal IP addresses
Table (columns: Host IP Address, Outgoing IP Address, Request ID)
Request IDs: 120121, 120122, 120123, ……

13 Network Address Translation (Cont)
[Figure: Client, NAT Firewall, Internet, Sniffer, Server Host. Step 1: "From , Port 61000". Step 2: "From , Port 55380". Translation Table (Internal IP Addr, Port; External IP Addr, Port) with ports 61000 and 55380]

14 Network Address Translation (Cont)
[Figure: Client, NAT Firewall, Internet, Sniffer, Server Host. Steps 3 and 4: "To , Port 61000" and "To , Port 55380". Translation Table (Internal IP Addr, Port; External IP Addr, Port) with ports 61000 and 55380]

15 Perspective on NAT
NAT/PAT
- NAT does more than network (IP) address translation
- Also does port number translation
- Should be called NAT/PAT, but NAT is the common term
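The translation table from the NAT slides, as an added example that is not part of the original presentation. It assumes, following the table's column order, that 61000 is the internal port and 55380 the external one; the IP addresses are constructed placeholders because the slides' addresses are not on the page.

```python
import itertools

class NatPat:
    """Toy NAT/PAT device: rewrites source IP and port, reverses the mapping on replies."""

    def __init__(self, external_ip, first_port=55380):
        self.external_ip = external_ip
        self._next_port = itertools.count(first_port)
        self.out_map = {}  # (internal_ip, internal_port) -> external_port
        self.in_map = {}   # external_port -> (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the internal network (steps 1 and 2)."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            ext_port = next(self._next_port)
            self.out_map[key] = ext_port
            self.in_map[ext_port] = key
        return (self.external_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply (steps 3 and 4); None means no table entry, so drop."""
        if dst_ip != self.external_ip or dst_port not in self.in_map:
            return None
        int_ip, int_port = self.in_map[dst_port]
        return (src_ip, src_port, int_ip, int_port)

    def table(self):
        """Rows of (internal IP, internal port, external IP, external port)."""
        return [(ip, port, self.external_ip, ext)
                for (ip, port), ext in self.out_map.items()]

def demo():
    nat = NatPat("203.0.113.1")                                     # constructed address
    sent = nat.outbound("192.168.5.7", 61000, "198.51.100.5", 80)   # what a sniffer sees
    reply = nat.inbound("198.51.100.5", 80, "203.0.113.1", 55380)   # mapped back inside
    stray = nat.inbound("198.51.100.66", 80, "203.0.113.1", 55999)  # no mapping: dropped
    return sent, reply, stray, nat.table()

if __name__ == "__main__":
    for item in demo():
        print(item)
```

A sniffer on the external side sees only the external address and port 55380, never the internal host's address.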

16 Firewalls configuration
Default configuration (default rulesets or ACLs)
- Pass connections initiated by an internal host
- Deny connections initiated by an external host
Can change default configuration with access control lists (ACLs) for ingress and egress filtering
- ACLs are sets of IF-THEN rules applied in sequential order
[Figure: Internet, Router, Automatically Pass Connection Attempt, Automatically Deny Connection Attempt]

17 Ingress ACL
[Figure: Untrusted network, Firewall, Trusted network]
1. If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]
2. If Source IP Address = *.*, DENY [Private IP Address Range]
3. If Source IP Address = *.*, DENY [Private IP Address Range]
4. If Destination IP Address = AND TCP Destination Port = 80 or 443, PASS
5. If Destination IP Address = *.*, DENY
6. If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection from the outside]
7. If TCP Destination Port = 20, DENY
8. If TCP Destination Port = 135 Through 139, DENY
9. If UDP Destination Port = 69, DENY
10. DENY ALL

Port Number | Primary Protocol | Application
20 | TCP | FTP Data Traffic
21 | | FTP Supervisory Connection. Passwords sent in the clear
23 | | Telnet. Passwords sent in the clear
25 | | Simple Mail Transfer Protocol (SMTP)
69 | UDP | Trivial File Transfer Protocol (TFTP). No login necessary
80 | | Hypertext Transfer Protocol (HTTP)
 | | NETBIOS service for peer-to-peer file sharing in older versions of Windows
443 | | HTTP over SSL/TLS

18 Ingress ACL
[Figure: Untrusted network, Firewall]
1. If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]
2. If Source IP Address = *.*, DENY [Private IP Address Range]
3. If Source IP Address = *.*, DENY [Private IP Address Range]
4. If Destination IP Address = AND TCP Destination Port = 80 or 443, PASS
5. If Destination IP Address = *.*, DENY
6. If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection from the outside]
7. If TCP Destination Port = 20, DENY
8. If TCP Destination Port = 135 Through 139, DENY
9. If UDP Destination Port = 69, DENY
10. DENY ALL

What kind of messages does Rule 7 block?
Why does Rule 5 have to come after Rule 4?
Why does Rule 6 have to come after Rule 4?
You work as the security administrator for the trusted network. Employees often download files from an FTP (File Transfer Protocol) server located in the untrusted network. What TCP port do you open in the firewall configuration?
- Open port 69 to all inbound connections.
- Open port 69 to all outbound connections.
- Open port 20/21 to all inbound connections.
- Open port 20/21 to all outbound connections.
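Sequential, first-match evaluation of the ingress ACL from the slides above, as an added example that is not part of the original presentation. The web server address and the protected range in rules 4 and 5 are constructed placeholders (the slide's values are not on the page), and only rules 1, 4, 5, 6 and 10 are modelled.

```python
import ipaddress

# Constructed placeholders standing in for the addresses missing from the slide.
WEB_SERVER = ipaddress.ip_address("203.0.113.10")
PROTECTED_NET = ipaddress.ip_network("203.0.113.0/24")
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")

def build_acl():
    """Rules as (number, predicate, action), in the slide's order."""
    return [
        (1, lambda p: p["src"] in PRIVATE_10, "DENY"),
        (4, lambda p: p["dst"] == WEB_SERVER and p["proto"] == "tcp"
                      and p["dport"] in (80, 443), "PASS"),
        (5, lambda p: p["dst"] in PROTECTED_NET, "DENY"),
        (6, lambda p: p["proto"] == "tcp" and p["syn"] and not p["ack"], "DENY"),
        (10, lambda p: True, "DENY"),
    ]

def evaluate(acl, pkt):
    """Apply rules in order; the first rule that matches decides the packet."""
    for number, matches, action in acl:
        if matches(pkt):
            return number, action
    return None, "DENY"

def reorder(acl, order):
    """Return the same rules in a different sequence, to show that order matters."""
    by_number = {rule[0]: rule for rule in acl}
    return [by_number[n] for n in order]

def packet(src, dst, dport, proto="tcp", syn=True, ack=False):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "proto": proto, "syn": syn, "ack": ack}

def demo():
    acl = build_acl()
    web = packet("198.51.100.7", "203.0.113.10", 443)  # new connection to the web server
    return {
        "slide order": evaluate(acl, web),
        "rule 5 before 4": evaluate(reorder(acl, [1, 5, 4, 6, 10]), web),
        "rule 6 before 4": evaluate(reorder(acl, [1, 6, 4, 5, 10]), web),
        "spoofed 10.x source": evaluate(acl, packet("10.1.2.3", "203.0.113.10", 80)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```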

19 Typical attacks and firewall config.
[Figure: TCP Flag Fields (6 bits): ACK, SYN, FIN, RST, URG, PSH]

Attacks | Typical configuration | Comments
Ping of death | Any packet with Total Length more than maximum allowed is dropped | Stateful firewall
IP fragmentation-based attacks (e.g. Teardrop) | The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to destination. If any problems or errors are found during reassembly, the fragments are dropped. |
Smurf Attack | The firewall drops any ping responses that are not part of an active session. |
Attacks that send TCP URG packets | Any TCP packets that have the URG flag set are discarded by the firewall. |
Land Attack | Any packets with the same source and destination IP addresses are discarded. |
IP broadcast | Packets with a broadcast source or destination IP address are discarded. |
TCP SYN/ACK attack | TCP Opening segments that have SYN and ACK flags set AND that are not linked to a TCP SYN request are discarded. |
Invalid TCP Segment Number | The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped. |

20 Firewall Principles
Danger of Overload
- If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets
- This is the safest choice, because attack packets cannot enter the network
- However, this creates a self-inflicted denial-of-service attack

21 Firewall Principles (Continued)
Danger of Overload
- So firewalls must have the capacity to handle the traffic
- Some can handle normal traffic but cannot handle traffic during heavy attacks
- Need to regularly check firewall logs: if too many unchecked packets are dropped, then the firewall needs to be upgraded.

22 Centralized Firewall Management System
- Remote PCs must be actively managed centrally
- Remote management is needed to reduce management labor
- Dangerous because if an attacker compromises it, they own the network
[Figure: Management Console, Internet, Home PC Firewall, Site A, Site B]

23 Firewall Management
Firewalls are ineffective without planning and maintenance
Planning
- Asset assessment: identify all assets and their relative sensitivities
- Threat assessment: what threats can attack each asset?
- Design a firewall policy for each asset
- Design a firewall architecture

24 Firewall Management (Continued)
Implementation
- Firewall operating system hardening
  - Firewall appliances are hardened at the factory
  - Firewall vendors often sell firewalls that are general-purpose computers that have pre-hardened versions of Unix or Windows
  - If a firm purchases a general-purpose computer and firewall software, strong actions must be taken to harden the operating system

25 Firewall Management (Continued)
Implementation
- Select implementation options
  - e.g., turn off remote management if not needed
- Firewall ACL rule configuration
  - Complex and therefore error-prone
  - Driven by firewall policies
- Vulnerability testing after configuration
  - Must do vulnerability test even after “trivial” changes

26 Firewall Management (Continued)
Maintenance
- Constantly change firewall policies and ACLs to deal with new threats
  - Document each change carefully!
- Read log files daily to understand the current threat environment
- Read log files daily to detect problems (the dropping of legitimate traffic, etc.)
- Update the firewall software when there are new releases

27 Firewalls, IDSs, and IPSs
Drops Packets? Yes No Logs Packets Sophistication in Filtering Medium High Creates Alarms? Sometimes

28 Firewalls, IDSs, and IPSs (Cont)
Sophistication in Filtering
- Message stream analysis, not just individual packets
- Reassemble fragmented application messages
- Deep packet inspection: both internet-level headers and application headers

