Session 12 (Pertemuan-12): Firewall (12/7/2018)

What is a firewall?
A firewall is a device (or a software feature) designed to control the flow of traffic into and out of a network. In general, firewalls are installed to prevent attacks from reaching the hosts behind them.
What's a DMZ?
A DMZ is a demilitarized zone: a separate network segment sitting between the outside world and the internal network. The DMZ is where corporate servers reside, filtered from both external and internal attacks. In our case, internal attacks could come from compromised machines. That never happens, does it...
What is an attack?
Attack covers many things:
- Someone probing a network for computers.
- Someone attempting to crash services on a computer.
- Someone attempting to crash a computer (WinNuke).
- Someone attempting to gain access to a computer to use its resources or information.
Diagram of a firewall on a network, without a DMZ (diagram not reproduced).

Diagram of a firewall on a network, with a DMZ (diagram not reproduced).
Edge Firewall
An edge firewall (more commonly called a host-based or personal firewall) is software running on a server or workstation. It protects a single computer from attacks directed against it. Examples of these firewalls are ZoneAlarm, BlackICE and IPFW on OS X.
Firewall Appliance
An appliance firewall is a device whose sole function is to act as a firewall. Examples of these firewalls are the Cisco PIX and the NetScreen series.
Network Firewall

Router/bridge-based firewall: a firewall running on a bridge or a router protects anything from a group of devices to an entire network. Cisco has firewall feature sets in its IOS operating system.

Computer-based network firewall: a network firewall runs on a computer (such as a PC or Unix computer). These firewalls are some of the most flexible. Many free products are available, including IPFilter (the first package we tried), PF (the current package we are using, found in OpenBSD 3.0 and later) and iptables (found on Linux). Commercial products include Check Point FireWall-1. Apple OS X includes IPFW (included in an operating system you have to purchase).
Why use a firewall?
- Protect a wide range of machines from general probes and many attacks.
- Provide some protection for machines lacking in security of their own.
Great first line of defense
Having a firewall is a necessary evil. It's like living in a gated community: the gate may stop 99% of unwanted visitors, and the locks on your doors stop the remaining 1% (maybe, but you get the idea). Don't let the firewall give you a false sense of security. Harden your machines by turning off services you don't need.
How does a firewall work?
Blocks packets based on:
- Source IP address or range of addresses.
- Source port (TCP or UDP).
- Destination IP address or range of addresses.
- Destination port (TCP or UDP).
- Some firewalls can also inspect higher layers of the OSI model (application data) and other protocols (how would you filter DECnet anyway?).

Common ports:
- 80 HTTP
- 443 HTTPS
- 20 & 21 FTP (didn't know 20 was for FTP, did you? 21 carries the control connection, 20 the active-mode data connection)
- 23 Telnet
- 22 SSH
- 25 SMTP
Sample firewall rules
Protected server: 134.71.1.25
Protected subnet: /24
$internal refers to the internal network interface on the firewall.
$external refers to the external network interface on the firewall.
Sample rules: Can you find the problem?
(For this example, when a packet matches a rule, rule processing stops.)

Pass in on $external from any proto tcp to port = 80
Pass in on $external from any proto tcp to port = 53
Pass in on $external from any proto udp to port = 53
Pass in on $external from any proto tcp to port = 25
Block in log on $external from any to
Block in on $external from any to /24
Pass in on $external from any proto tcp to port = 22
Pass out on $internal from /24 to any keep state
Sample rules: the problem
The SSH rule (Pass in on $external from any proto tcp to port = 22) would never have a chance to be evaluated. All traffic to that destination is already blocked by the two preceding Block rules (the one for the server address and the one for the whole /24), and processing stops at the first match. The fix is to move the SSH pass rule above the two block rules, just like the other pass rules.
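The ordering problem on this slide, as an added example (this is not code from the original slides): a small first-match evaluator for the slide's rule syntax, plus a check that reports rules no packet can ever reach. The slide's elided addresses are filled in with assumptions here: the server is taken to be the page's protected server 134.71.1.25, the subnet 134.71.1.0/24, and 203.0.113.7 is a made-up external client.

```python
"""Added example, not from the original slides: first-match evaluation of the
slide's rules and detection of shadowed (unreachable) rules.
Assumed values (not on the page): server 134.71.1.25, subnet 134.71.1.0/24,
external client 203.0.113.7."""
import ipaddress
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?\s+on\s+(?P<iface>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+proto\s+(?P<proto>\S+))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?(?:\s+keep\s+state)?",
    re.IGNORECASE,
)

RULES_TEXT = [  # the slide's rules with the assumed addresses filled in
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 80",
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 53",
    "Pass in on $external from any proto udp to 134.71.1.25 port = 53",
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 25",
    "Block in log on $external from any to 134.71.1.25",
    "Block in on $external from any to 134.71.1.0/24",
    "Pass in on $external from any proto tcp to 134.71.1.25 port = 22",
    "Pass out on $internal from 134.71.1.0/24 to any keep state",
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str      # "$external" or "$internal"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def parse_rule(text):
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    g = m.groupdict()
    return {"action": g["action"].lower(), "dir": g["dir"].lower(),
            "iface": g["iface"], "src": g["src"], "dst": g["dst"],
            "proto": (g["proto"] or "any").lower(),
            "port": int(g["port"]) if g["port"] else None, "text": text.strip()}


def _covers(outer, inner):
    """True if every address in spec `inner` is also in spec `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt.direction and rule["iface"] == pkt.iface
            and rule["proto"] in ("any", pkt.proto)
            and _covers(rule["src"], pkt.src) and _covers(rule["dst"], pkt.dst)
            and (rule["port"] is None or rule["port"] == pkt.dport))


def first_match(rules, pkt):
    """Slide semantics: the first matching rule decides and processing stops.
    Returns (action, index of the deciding rule); default deny if none match."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], i
    return "block", None


def shadowed_rules(rules):
    """(later index, earlier index) pairs where the earlier rule already decides
    every packet the later rule could match, so the later rule is dead code."""
    dead = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier["dir"] == later["dir"] and earlier["iface"] == later["iface"]
                    and earlier["proto"] in ("any", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])
                    and (earlier["port"] is None or earlier["port"] == later["port"])):
                dead.append((j, i))
                break
    return dead


def load_rules():
    return [parse_rule(t) for t in RULES_TEXT]


def fixed_rules(rules):
    """The repair: move the SSH pass rule ahead of the two block rules."""
    return rules[:4] + [rules[6]] + rules[4:6] + [rules[7]]


if __name__ == "__main__":
    rules = load_rules()
    ssh = Packet("in", "$external", "tcp", "203.0.113.7", "134.71.1.25", 22)
    print("shadowed:", [(rules[j]["text"], rules[i]["text"]) for j, i in shadowed_rules(rules)])
    print("ssh as written:", first_match(rules, ssh))
    print("ssh after fix: ", first_match(fixed_rules(rules), ssh))
```

One caveat before copying this into a real configuration: both IPFilter and PF apply the last matching rule by default, and the stop-at-first-match behaviour the slide stipulates is what the `quick` keyword gives you. Without `quick`, the same eight rules would let the later SSH pass rule win, which is a different (and arguably less obvious) trap.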
To log or not to log...
Logging is both good and bad. If you set your rules to log too much, your logs will not be examined. If you log too little, you won't see the things you need. If you don't log at all, you have no information on how your firewall is operating.
Sample log file
(ipmon output from the IPFilter firewall on kd2. The addresses, rule numbers and packet lengths in each line were lost when the slides were extracted; every line is a blocked inbound packet of the form)

Jul 31 11:00:06 kd2 ipmon[14110]: 11:00:... b <src>,<sport> -> <dst>,<dport> PR tcp len ... S IN

What the two slides of log lines showed:
- 11:00:06 to 11:00:15: five SYNs to port 23 (telnet), spaced 1, 1, 2 and 5 seconds apart, which is what one client's TCP retransmissions of a single blocked connection attempt look like.
- 11:50:02 to 11:50:30: a burst of SYNs to port 80 from source ports 4588, 4597, 4610, 1406, 1688, 1701, 1944, 1957, 2243 and 2260, several of them retransmitted.
- 11:52:48 to 11:53:00: five SYNs to port 113 (ident) from source port 1610, retried every 3 seconds, with one ACK from source port 6346 to port 3343 in between.
- 12:00:24 to 12:02:20: a long run of SYNs to port 10336 from many different source ports (3363, 4510, 2403, 3816, 1834, 4886, 2868, 2613, ...), plus one RST at 12:01:09.
- Single UDP packets: 3792 -> 1065 at 12:01:39 and 138 -> 138 (NetBIOS datagram) at 12:02:14.
- Stragglers: a SYN to port 9074 at 12:07:59 and one to port 80 at 12:33:33.

Had enough yet?
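A first triage pass over log lines like these, as an added example (not code from the original slides): it parses ipmon-style lines, counts blocked SYNs per destination port, and flags one source hitting many ports (a vertical scan), many sources hitting one port (the port 10336 pattern on the slide), and blocked inbound packets on the external interface whose source address is private (RFC 1918), which should never arrive from the Internet. The log lines below are constructed to mimic the slide's patterns; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as made-up external sources, 134.71.1.40 is an assumed second host in the protected subnet, and xl0 is an assumed interface name.

```python
"""Added example, not from the original slides: triage of ipmon-style log lines.
The SAMPLE_LOG lines are constructed (not the slide's real data)."""
import ipaddress
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jul 31 11:00:06 kd2 ipmon[14110]: 11:00:06.102811 xl0 @0:5 b 198.51.100.9,3363 -> 134.71.1.25,23 PR tcp len 20 48 -S IN
Jul 31 11:00:07 kd2 ipmon[14110]: 11:00:07.097222 xl0 @0:5 b 198.51.100.9,3363 -> 134.71.1.25,23 PR tcp len 20 48 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.331900 xl0 @0:6 b 203.0.113.4,4588 -> 134.71.1.40,80 PR tcp len 20 48 -S IN
Jul 31 11:50:02 kd2 ipmon[14110]: 11:50:02.334117 xl0 @0:6 b 203.0.113.18,4597 -> 134.71.1.40,80 PR tcp len 20 48 -S IN
Jul 31 11:52:48 kd2 ipmon[14110]: 11:52:48.410552 xl0 @0:5 b 198.51.100.30,1610 -> 134.71.1.25,113 PR tcp len 20 48 -S IN
Jul 31 12:00:24 kd2 ipmon[14110]: 12:00:24.700811 xl0 @0:6 b 203.0.113.77,3363 -> 134.71.1.40,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:01 kd2 ipmon[14110]: 12:01:01.112010 xl0 @0:6 b 203.0.113.91,4510 -> 134.71.1.40,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:03 kd2 ipmon[14110]: 12:01:03.215555 xl0 @0:6 b 203.0.113.102,2403 -> 134.71.1.40,10336 PR tcp len 20 48 -S IN
Jul 31 12:01:05 kd2 ipmon[14110]: 12:01:05.009341 xl0 @0:6 b 203.0.113.130,3816 -> 134.71.1.40,10336 PR tcp len 20 48 -S IN
Jul 31 12:02:14 kd2 ipmon[14110]: 12:02:14.090100 xl0 @0:6 b 10.0.0.5,138 -> 134.71.1.40,138 PR udp len 20 229 IN
Jul 31 12:05:10 kd2 ipmon[14110]: 12:05:10.000113 xl0 @0:5 b 198.51.100.77,40001 -> 134.71.1.25,21 PR tcp len 20 48 -S IN
Jul 31 12:05:10 kd2 ipmon[14110]: 12:05:10.000412 xl0 @0:5 b 198.51.100.77,40002 -> 134.71.1.25,22 PR tcp len 20 48 -S IN
Jul 31 12:05:10 kd2 ipmon[14110]: 12:05:10.000817 xl0 @0:5 b 198.51.100.77,40003 -> 134.71.1.25,23 PR tcp len 20 48 -S IN
Jul 31 12:05:10 kd2 ipmon[14110]: 12:05:10.001204 xl0 @0:5 b 198.51.100.77,40004 -> 134.71.1.25,110 PR tcp len 20 48 -S IN
Jul 31 12:05:10 kd2 ipmon[14110]: 12:05:10.001611 xl0 @0:5 b 198.51.100.77,40005 -> 134.71.1.25,143 PR tcp len 20 48 -S IN
"""

# syslog prefix, then ipmon's own fields: time, interface, @group:rule, action
# (b = blocked, p = passed), src,sport -> dst,dport, PR proto, len hdr total,
# optional TCP flags, direction.
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: \S+ (?P<iface>\S+) "
    r"@(?P<rule>\S+) (?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) len \d+ \d+"
    r"(?: (?P<flags>-?[A-Z]+))? (?P<dir>IN|OUT)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_line(line):
    """One ipmon line -> dict of fields, or None if it is not an ipmon record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(text, external_iface="xl0", vertical_min=5, horizontal_min=4):
    lines = [l for l in text.splitlines() if l.strip()]
    recs = [r for r in map(parse_line, lines) if r]
    blocked = [r for r in recs if r["action"] == "b"]
    syn = [r for r in blocked if r["proto"] == "tcp" and r["flags"] == "-S"]
    ports_by_src, srcs_by_port = defaultdict(set), defaultdict(set)
    for r in syn:
        ports_by_src[r["src"]].add(r["dport"])
        srcs_by_port[r["dport"]].add(r["src"])
    return {
        "parsed": len(recs),
        "unparsed": len(lines) - len(recs),
        "syn_per_port": dict(Counter(r["dport"] for r in syn)),
        # one source probing many ports: a vertical scan of one host
        "vertical_scans": sorted(s for s, p in ports_by_src.items() if len(p) >= vertical_min),
        # many sources probing the same port: a worm or a sweep for one service
        "horizontal_scans": sorted(p for p, s in srcs_by_port.items() if len(s) >= horizontal_min),
        # private source addresses arriving from outside are spoofed or misrouted
        "spoofed_private_src": sorted({r["src"] for r in blocked
                                       if r["dir"] == "IN" and r["iface"] == external_iface
                                       and is_rfc1918(r["src"])}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Retransmitted SYNs from the same source port (the port 23 and port 113 runs on the slide) count once per port per source in the scan checks but several times in the raw per-port count, which is why the raw count alone overstates how many attackers there are.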
What is a state?
When your computer makes a connection with another computer on the network, several things are exchanged, including the source and destination ports. In a standard firewall configuration, most inbound ports are blocked. This would normally be a problem for the return traffic, since the client's source port is chosen dynamically (an ephemeral port, different from the destination port) and no static rule opens it. A state is a dynamic rule created by the firewall, keyed on the source and destination address and port combination (and the protocol), that allows the desired return traffic for that connection to pass the firewall.
How many states can a computer have?
A single computer could have hundreds of states, depending on the number of established connections. A server supporting POP3, FTP, WWW and Telnet/SSH access could have thousands of states.
What happens without state?
Without state, your request would leave through the firewall, but the reply would be blocked by the inbound rules.
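The three state slides above, as an added example (not code from the original slides): a toy stateful filter whose static policy is the slide's "inbound mostly blocked, outbound passes with keep state". An outbound flow creates a state entry keyed on the 5-tuple; the reply is looked up under the reversed tuple before the static rules are consulted, and the entry idles out after a timeout. Addresses are made up: 134.71.1.40 stands in for an internal client and 203.0.113.20 for an external web server.

```python
"""Added example, not from the original slides: a minimal state table showing
why a reply is blocked without state and passed with it.
Made-up addresses: 134.71.1.40 (internal client), 203.0.113.20 (external server)."""
import time


class StatefulFilter:
    """Static policy: inbound, only tcp/80 is open; outbound, everything passes.
    Each outbound flow matched by a keep-state rule adds an entry keyed on
    (proto, src, sport, dst, dport) with an idle timeout; inbound packets are
    checked against the state table before the static rules."""

    def __init__(self, inbound_open_ports=(80,), idle_timeout=60.0, clock=time.monotonic):
        self.open_ports = set(inbound_open_ports)
        self.idle_timeout = idle_timeout
        self.clock = clock      # injectable so the timeout can be exercised
        self.states = {}        # 5-tuple -> expiry time

    def _expire(self):
        now = self.clock()
        self.states = {k: exp for k, exp in self.states.items() if exp > now}

    def state_count(self):
        self._expire()
        return len(self.states)

    def outbound(self, proto, src, sport, dst, dport, keep_state=True):
        """Outbound always passes; with keep_state the flow is remembered."""
        if keep_state:
            self.states[(proto, src, sport, dst, dport)] = self.clock() + self.idle_timeout
        return "pass"

    def inbound(self, proto, src, sport, dst, dport):
        self._expire()
        # A reply travels the opposite way, so look up the reversed tuple.
        key = (proto, dst, dport, src, sport)
        if key in self.states:
            self.states[key] = self.clock() + self.idle_timeout  # refresh idle timer
            return "pass (state)"
        if proto == "tcp" and dport in self.open_ports:
            return "pass (rule)"
        return "block"


def web_request(keep_state):
    """Client 134.71.1.40 fetches a page from 203.0.113.20:80 from an ephemeral
    port. Returns (verdict on the reply, verdict on an unrelated inbound packet
    to another ephemeral port, verdict on the reply after the state idled out)."""
    now = [0.0]
    fw = StatefulFilter(clock=lambda: now[0])
    fw.outbound("tcp", "134.71.1.40", 51234, "203.0.113.20", 80, keep_state=keep_state)
    reply = fw.inbound("tcp", "203.0.113.20", 80, "134.71.1.40", 51234)
    stray = fw.inbound("tcp", "203.0.113.20", 80, "134.71.1.40", 51235)
    now[0] = 61.0  # idle for longer than the timeout
    late = fw.inbound("tcp", "203.0.113.20", 80, "134.71.1.40", 51234)
    return reply, stray, late


if __name__ == "__main__":
    print("with state:   ", web_request(True))
    print("without state:", web_request(False))
```

The stray packet shows the other half of the point: a state opens exactly one return path, not the whole ephemeral port range, so an attacker sending to a neighbouring port still hits the static block.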
Sample state table
(Output of IPFilter's state top on kd2.ec.csupomona.edu, filtered with Src = any, Dest = any, Proto = any and sorted by # bytes. The addresses, counters and the hours field of the ttl column were lost when the slides were extracted.)

Columns: Source IP, Destination IP, ST, PR, #pkts, #bytes, ttl

The entries shown were a mix of TCP states in state /4 (established) with long remaining ttls (...:59:56, ...:59:59, ...:59:16), a couple of TCP states in /6, UDP and IGMP entries in state /0 with ttls of under a minute (:06, :13, :51, :11, ...), and two TCP entries in /0 with short ttls at the bottom.
Where does a firewall fit in the security model?
The firewall is the first layer of defense in any security model. It should not be the only layer. A firewall can stop many attacks from reaching target machines; if an attack can't reach its target, the attack is defeated.
Ruleset design
Two main approaches to designing a ruleset are:
- Block everything, then open holes (default deny).
- Block nothing, then close holes (default allow).
Ruleset design: Block Everything
Blocking everything provides the strongest security but the most inconvenience. Things break and people complain. The block-everything method covers all bases but creates more work in figuring out how to make some applications work, then opening holes for them.
Ruleset design: Block Nothing
Blocking nothing provides minimal security, since you only close the holes you can identify. It provides the least inconvenience to our users. It also means you must spend time figuring out what you want to protect yourself from, then closing each hole; anything you did not think of stays open.
What is an IDS?
IDS stands for Intrusion Detection System. An IDS can identify many attacks and traffic patterns crossing a border device.
An IDS sounds good. Is it? Yes and no.
An IDS can identify port scans, various web attacks, known buffer overflow attacks, etc. An IDS can also produce many false positives: AOL Instant Messenger triggers port scan alerts because it talks to several AOL ad servers within a few seconds. An IDS can create more information on a small network than a network administrator can deal with.
Filtering between VLANs
Tired of being scanned and attacked by people on campus? Join the club. We are working on firewall features on our new routers; our current routers lack the horsepower to handle the extra load. Designing an inter-VLAN firewall configuration will take a great deal of planning and discussion to ensure desired traffic isn't blocked.
Filtering bad traffic (RFC 1918, bad headers, options, etc.)
Sending bad traffic or malformed packets is a form of attack easily blocked at a firewall. The firewall inspects every packet and rejects those that are not properly formed or are intentionally malformed (bad header lengths, illegal TCP flag combinations, unusual IP options), protecting devices that may be susceptible to them.
Filtering bad traffic (RFC 1918, bad headers, options, etc.), continued
Private IP address traffic should never be seen arriving on our external interface. Our network uses a registered, valid, legal block of IP addresses, so a packet with a private source address coming in from the Internet is spoofed or misrouted and can be dropped. Private IP address blocks (RFC 1918):
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8, mask 255.0.0.0)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12, mask 255.240.0.0)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16, mask 255.255.0.0)
NAT (a small detour)
Some firewalls provide a feature called Network Address Translation (NAT for short). NAT lets machines with RFC 1918 addresses reach the Internet: the firewall rewrites the private source address (and usually the source port) of each outgoing packet to one of its valid public addresses, keeps a translation entry, and rewrites the destination of the replies back to the private address. It is address rewriting with a translation table, not tunneling.
Black hole or Return-RST (or how to respond to things you don't want)
Should you tell a sending machine that its traffic was blocked (return a TCP RST or an ICMP unreachable), or silently drop the packet and let the sender wait until it times out? For some traffic it's better to let the sending machine wait: this slows down the rate of attack, since every probe has to time out. For other traffic (such as SMTP) it may be nice to tell the sender that the port is closed, so a legitimate mail server gives up or fails over quickly instead of retrying for hours.
Poking holes: how to allow traffic and expose yourself
OK. You've decided to block traffic. Do you have to block all traffic? No. You can allow select traffic in. The criteria for allowing traffic are the same as for blocking traffic: addresses, protocol and ports.
Compromised Machines
Just a note about compromised machines: when a machine is compromised, you have no way to determine exactly what was changed. Cleaning what you think is the problem may not rid you of everything. Most instances require a reformat and reinstall of the operating system for proper cleaning.
Honey Pots
A honey pot is a machine sitting on the network for people to hack into. It allows you to watch how a machine can be hacked and (hopefully) learn from the experience. It needs to be isolated from the rest of the network, or it becomes a launching point once someone does get in.
Where does the campus go from here?
- Campus border firewall.
- Inter-VLAN firewall.
- Filtering through main campus servers.
- Edge firewalls for now.
PF on OpenBSD
Our current firewall is a (really high-powered) PC running OpenBSD. Since OpenBSD 3.0, PF (packet filter) has replaced IPFilter as the firewall of choice. PF provides stateful filtering of IP packets along with the ability to bridge between interfaces.
Where can I find more information?