Firewalls By conventional definition, a firewall is a partition made

Presentation on theme: "Firewalls By conventional definition, a firewall is a partition made"— Presentation transcript:

1 Firewalls
- By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.
- A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
(Figure: the public Internet on one side of the firewall, the privately administered network 222.22/16 on the other.)
Introduction

2 Firewall goals
- All traffic from outside to inside, and vice versa, passes through the firewall.
- Only authorized traffic, as defined by the local security policy, is allowed to pass.
- The firewall itself is immune to penetration.

3 Firewalls: taxonomy
- Traditional packet filters (filters are often combined with a router, creating a firewall)
- Stateful filters
- Application gateways
Major firewall vendors: Checkpoint, Cisco PIX

4 Traditional packet filters
Analyzes each datagram going through it and makes the drop decision based on:
- source IP address
- destination IP address
- source port
- destination port
- TCP flag bits
  - SYN bit set: datagram for connection initiation
  - ACK bit set: part of an established connection
- TCP, UDP or ICMP (firewalls are often configured to block all UDP)
- direction: is the datagram leaving or entering the internal network?
- router interface: decisions can be different for different interfaces

5 Filtering Rules - Examples

Policy                                                        Firewall setting
No outside Web access.                                        Drop all outgoing packets to any IP address, port 80
External connections to public Web server only.               Drop all incoming TCP SYN packets to any IP except , port 80
Prevent IPTV from eating up the available bandwidth.          Drop all incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack.  Drop all ICMP packets going to a "broadcast" address (eg ).
Prevent your network from being tracerouted.                  Drop all outgoing ICMP

6 Access control lists
Apply rules from top to bottom; the first matching rule decides:

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ----
deny    all                   all                   all       all          all        all

7 Access control lists
- Each router/firewall interface can have its own ACL.
- Most firewall vendors provide both a command-line and a graphical configuration interface.

8 Advantages and disadvantages of traditional packet filters
Advantages
- One screening router can protect an entire network.
- Can be efficient if the filtering rules are kept simple.
- Widely available: almost any router, even Linux boxes.
Disadvantages
- Can possibly be penetrated.
- Cannot enforce some policies, for example permitting only certain users.
- Rules can get complicated and difficult to test.

9 Firewall Lab: iptables
- Converts a Linux box into a packet filter.
- Included in most Linux distributions today.
(Figure: a Linux host with iptables placed between a Linux host and the external network; your job is to configure it.)

10 Firewall lab: iptables
- Provides firewall capability to a Linux host.
- Comes installed with most Linux distributions.
- Three types of tables: FILTER, NAT, MANGLE.
- Let's only consider the FILTER table for now.

11 Network or host firewall?
- Network firewall: a Linux host with 2 interfaces; the filter table sits between the Internet and the protected network.
- Host firewall: a Linux host with 1 interface; the filter table sits between the host and the network.

12 Chain types for host firewall
(Figure: a Linux host with iptables attached to the network; the INPUT chain covers packets arriving at the host, the OUTPUT chain covers packets leaving it.)

13 INPUT, OUTPUT, FORWARD chains for network firewall
- INPUT chain applies to all packets destined to the firewall.
- OUTPUT chain applies to all packets originating from the firewall.
- FORWARD chain applies to all packets passing through the firewall.

14 Chain types for network firewall
(Figure: three copies of the Linux host with iptables between the Internet and the protected network, illustrating the INPUT, OUTPUT and FORWARD chains respectively.)

15 iptables: Example command
iptables -A INPUT -i eth0 -s /24 -j ACCEPT
- Sets a rule: accepts packets that enter from interface eth0 and have a source address in /24.
- The kernel applies the rules in order; the first rule that matches a packet determines the action for that packet.
- Append (-A): adds the rule to the bottom of the list of existing rules.

16 iptables: Example command
iptables -A INPUT -i eth0 -j DROP
- Sets a rule: rejects all packets that enter from interface eth0 (except those accepted by previous rules).
- The slide writes the target as DENY, which is the older ipchains name; in iptables the discarding target is DROP (or REJECT, which additionally sends an error back to the sender).

17 iptables: More examples
iptables -L            list current rules
iptables -F            flush all rules
iptables -D INPUT 2    deletes the 2nd rule in the INPUT chain
iptables -I INPUT 1 -p tcp --syn -s /24 --dport 22 -j ACCEPT
- -I INPUT 1: insert the rule at the top of the INPUT chain.
- Accepts TCP SYNs from /24 to firewall port 22 (ssh). The slide's form "--tcp-flags SYN -d 0/0:22" is not valid iptables syntax: --tcp-flags takes a mask and a comparison list (--syn is the shorthand for matching SYN alone), and the destination port goes in --dport.

18 iptables options
-p          protocol type (tcp, udp, icmp)
-s          source IP address & port number
-d          dest IP address & port number
-i          interface name (lo, ppp0, eth0)
-j          target (ACCEPT, DENY)
-l          log this packet
--sport     source port
--dport     dest port
--icmp-type ICMP message type

19 iptables table types
- FILTER: what we have been talking about! 3 chain types: INPUT, OUTPUT, and FORWARD.
- NAT: hides internal network hosts from the outside world; the outside world only sees the gateway's external IP address and no other internal IP addresses. Chains: PREROUTING, POSTROUTING, and others.
- MANGLE: don't worry about it.

20 Tables, chains & rules
- Three types of tables: FILTER, NAT, MANGLE.
- A table consists of chains. For example, a filter table can have an INPUT chain, an OUTPUT chain, and a FORWARD chain.
- A chain consists of a set of rules.

21 Firewall Lab
(Figure: hosts m1, m2 and m3.)
Configure m2 with iptables.

22 Firewall Lab: Part A
- Configure NAT in m2 using the NAT table with the POSTROUTING chain: MASQUERADE packets so that internal IP addresses are hidden from the external network.
- From m1 and m3, only allow ssh to the external network.
- This NAT configuration will remain in force throughout the lab.

23 Firewall Lab: Part B
Rules for packets originating from or terminating at m2 (the gateway):
- Allow ssh connections originating from m2 and destined to m2.
- Allow pings originating from m2 and destined to m2.
- Block all other traffic to or from m2.
Hint: Part B requires the INPUT and OUTPUT chains but no FORWARD chain.

24 Firewall Lab: Part C
- Flush the filter table rules from Part B.
- Allow only m1 (and not m3) to initiate an ssh session to hosts in the external network.
- Reject all other traffic.
Hint: Part C requires the FORWARD, INPUT and OUTPUT chains.

25 Stateful Filters
- In the earlier example, any packet with ACK=1 and source port 80 gets in. An attacker could, for example, attempt a malformed-packet attack by sending ACK=1 segments.
- Stateful filter: adds more intelligence to the filter decision-making process.
- Stateful = remembers past packets; the memory is implemented in a very dynamic state table.

26 Stateful filters: example
- Log each TCP connection initiated through the firewall (SYN segment).
- Time out entries that see no activity for, say, 60 seconds.
(Table: connection table with columns source address, dest address, source port, dest port; only the port values 12699, 80, 37654, 48712 survive in the transcript.)
- If the rule table indicates that the stateful table must be checked: check whether there is already a connection in the stateful table.
- Stateful filters can also remember outgoing UDP segments.

27 Stateful example
1) Packet arrives from outside: SA= , SP=80, DA= , DP=12699, SYN=0, ACK=1
2) Check filter table ➜ check stateful table

action  source address        dest address          proto  source port  dest port  flag bit  check conxion
allow   222.22/16             outside of 222.22/16  TCP    > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP    80           > 1023     ACK       x
allow   222.22/16             outside of 222.22/16  UDP    > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP    53           > 1023     ----
deny    all                   all                   all    all          all        all

3) Connection is listed in the connection table ➜ let the packet through
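As an added worked example (not part of the original slides), the ACL of slide 6 and the connection table of slides 26-27 simulated in Python: the forged ACK=1 / source-port-80 packet that slide 25 warns about is admitted only when an inside host's SYN created a matching entry, and the entry expires after 60 idle seconds. The host addresses 222.22.1.10 (inside) and 198.51.100.7 (outside) are constructed.

```python
import ipaddress
import time

# Added illustration, not from the original deck: the slides' ACL (slide 6)
# evaluated top to bottom, plus the stateful connection table of slides 26-27.
INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # the slides' 222.22/16
TIMEOUT = 60                                        # idle seconds before an entry is dropped


def high_port(p):
    return p > 1023


# One ACL row: (action, src inside?, dst inside?, proto, sport test, dport test,
#               ACK required?, check connection table?).  First match wins.
ACL = [
    ("allow", True,  False, "TCP", high_port, lambda p: p == 80, False, False),
    ("allow", False, True,  "TCP", lambda p: p == 80, high_port, True,  True),
    ("allow", True,  False, "UDP", high_port, lambda p: p == 53, False, False),
    ("allow", False, True,  "UDP", lambda p: p == 53, high_port, False, False),
]


class StatefulFilter:
    def __init__(self):
        self.connections = {}   # (src, sport, dst, dport) -> last activity time

    def _expire(self, now):
        self.connections = {k: t for k, t in self.connections.items() if now - t < TIMEOUT}

    def decide(self, src, sport, dst, dport, proto, syn=False, ack=False, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        src_in = ipaddress.ip_address(src) in INTERNAL
        dst_in = ipaddress.ip_address(dst) in INTERNAL
        for action, s_in, d_in, pr, sp_ok, dp_ok, need_ack, check_state in ACL:
            if (src_in, dst_in, proto) != (s_in, d_in, pr):
                continue
            if not (sp_ok(sport) and dp_ok(dport)) or (need_ack and not ack):
                continue
            if check_state:
                # Reply direction: admit only if an inside host opened this connection.
                key = (dst, dport, src, sport)
                if key not in self.connections:
                    return "deny"
                self.connections[key] = now          # refresh the idle timer
            elif proto == "TCP" and syn and not ack:
                self.connections[(src, sport, dst, dport)] = now   # log outgoing SYN
            return action
        return "deny"   # the final "deny all" row
```

Without the connection-table check, the second ACL row alone would admit any outside packet carrying ACK=1 and source port 80, which is exactly the weakness slide 25 describes.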

28 Application gateways (aka proxy gateways)
- The gateway sits between a user on the inside and a server on the outside. Instead of talking directly, user and server talk through the proxy.
- Allows more fine-grained and sophisticated control than packet filtering. For example, an ftp server may not allow files greater than a set size.
- A mail server is an example of an application gateway: you can't deposit mail in the recipient's mail server without passing through the sender's mail server.
(Figure: host-to-gateway ftp session, application gateway, gateway-to-remote-host ftp session.)

29 Configuring client
Tools/options/connections/LAN settings/proxies:

30 Advantages and disadvantages of proxy gateways
Advantages
- Proxy can log all connections and the activity within connections.
- Proxy can provide caching.
- Proxy can do intelligent filtering based on content.
- Proxy can perform user-level authentication.
Disadvantages
- Not all services have proxied versions.
- May need a different proxy server for each service.
- Requires modification of the client.
- Performance.

31 Application gateways + packet filter
(Figure: host-to-gateway ftp session, application gateway, gateway-to-remote-host ftp session, router and filter.)
Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to ftp outside.
1. Require all ftp users to ftp through the gateway.
2. For authorized users, the gateway sets up an ftp connection to the destination host and relays data between the 2 connections.
3. The router filter blocks all ftp connections not originating from the gateway.

32 Chaining Proxies
(Figure: proxy 1 and proxy 2 chained in sequence.)

33 SOCKS proxy protocol
- Generic proxy protocol: you don't have to redo all of the code when proxifying an application.
- Can be used by HTTP, FTP, telnet, SSL, ...
- Independent of the application-layer protocol.
- Includes authentication, restricting which users/apps/IP addresses can pass through the firewall.

34 SOCKS proxy protocol
1. For example, let's assume that the browser requests a page.
2. The SOCKS library is a collection of procedures. It translates requests into a specific format and sends them to the SOCKS daemon.
3. The SOCKS daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server.
4. The server receives requests as ordinary HTTP. It does not need a SOCKS library.
(Figure: protocol stacks of the browser (Firefox/Opera/IE: HTTP, SOCKS library, TCP), the firewall (SOCKS daemon, TCP) and the server (Apache/IIS: HTTP, TCP).)

35 Demilitarized Zone (DMZ)
(Figure: Internet, firewall, application gateway and internal network; the Web server, DNS server and FTP server sit in the demilitarized zone.)

36 Firewalls: Summary
- Filters: widely available in routers, Linux.
- Stateful filters: maintain connection state.
- Application gateways: often implemented with SOCKS today.
