Download presentation
Presentation is loading. Please wait.
Published byJaven Raven Modified over 9 years ago
1
1 Firewalls
2
2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies, IEEE Potential, 2002, p 24 – 29. 3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, p 62 – 67. 4.Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, p 50 – 57. 5.William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, p 112 – 113. 6.Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007. 7.Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc of the 2005 International Conference on Dependable Systems and Networks, 2005.
3
3 Firewall as Network Access Control Access Control –Authentication –Authorization Single Sign On Firewall –Interface between networks Usually external (internet) and internal –Allows traffic flow in both directions
4
4 Firewall –Interface between networks Usually external (internet) and internal –Allows traffic flow in both directions –Controls the traffic Internet Internal
5
5 Firewall as Secretary A firewall is like a secretary To meet with an executive –First contact the secretary –Secretary decides if meeting is reasonable –Secretary filters out many requests You want to meet chair of CS department? –Secretary does some filtering You want to meet President of US? –Secretary does lots of filtering! [1]
6
6 Security Strategies Least privilege –Objects have the lowest privilege to perform assigned task Defense in depth –Use multiple mechanism –Best if each is independent: minimal overlap Choke point –Facilitates monitoring and control [2]
7
7 Security Strategies - 2 Weakest link Fail-safe –If firewall fails, it should go to fail-safe that denies access to avoid intrusions Default deny Default permit Universal participation –Everyone has to accept the rules [2]
8
8 Security Strategies - 3 Diversity of defense Inherent weaknesses –Multiple technologies to compensate for inherent weakness of one technology Common heritage –If systems configured by the same person, may have the same weakness Simplicity Security through obscurity [2]
9
9 Security Strategies - 4 Configuration errors can be devastating Testing is not perfect Ongoing trial and error will identify weaknesses Enforcing a sound policy is critical [2]
10
10 Types of Firewall No Standard Terminology Packet Filtering (network layer) –Simplest firewall –Filter packets based on specified criteria IP addresses, subnets, TCP or UDP ports Stateful inspection (transport layer) –In addition to packet inspection –Validate attributes of multi-packet flows [2]
11
11 Types of Firewall - 2 Application Based Firewall (application layer) –SW package that allows or denies access across networks –Log access – attempted access and allowed access Personal firewall – single user, home network [2]
12
12 Types of Firewall - 3 Proxy –Intermediate connection between servers on internet and internal servers. –For incoming data Proxy is server to internal network clients –For outgoing data Proxy is client sending out data to the internet [2]
13
13 Types of Firewall - 4 Network Address Translation –Hides internal network from external network –Private IP addresses – expands the IP address space –Creates a choke point Virtual Private Network –Employs encryption and integrity protection –Use internet as part of a private network [2]
14
14 Packet Filter Advantages –Simplest firewall architecture –Works at the Network layer – applies to all systems –One firewall for the entire network Disadvantages –Can be compromised by many attacks Source spoofing
15
15 Packet Filter - Example [2]
16
16 Packet Filter - Example [2]
17
17 Packet Filter - Example Attack succeeds because of rules B and D More secure to add source ports to rules
18
18 Packet Filter - Example [2]
19
19 Packet Filter - Example These packets would be admitted. To avoid this add an ACK bit to the rule set [2]
20
20 Packet Filter - Example Attack fails, because the ACK bit is not set. ACK bit is set if the connection originated from inside. Incoming TCP packets must have ACK bit set. If this started outside, then no matching data, and packet will be rejected. [2]
21
21 TCP Ack for Port Scanning Attacker sends packet with ACK set (without prior handshake) using port p –Violation of TCP/IP protocol Packet filter firewall passes packet –Firewall considers it part of an ongoing connection Receiver sends RST –Indicates to the sender that the connection should be terminated Receiving RST indicates that port p is open!! [1]
22
22 TCP Ack Port Scan RST confirms that port 1209 is open Problem: packet filtering is stateless; the firewall should track the entire connection exchange [1]
23
23 Stateful Packet Filter Remembers packets in the TCP connections (and flag bits) Adds state info to the packet filter firewalls. Operates at the transport layer. Pro: Adds state to packet filter and keeps track of ongoing connection Con: Slower, more over head. Packet content info not used [1] application transport network link physical
24
24 Application Proxy A proxy acts on behalf the system being protected. Application proxy examines incoming app data – verifies that data is safe before passing it to the system. Pros –Complete view of the connections and app data –Filter bad data (viruses, Word macros) –Incoming packet is terminated and new packet is sent to internal network Con –Speed [1]
25
25 Firewalk – Port Scanning Scan ports through firewalls Requires knowledge of –IP address of firewall –IP address of one system in internal network –Number of hops to the firewall Set TTL (time to live) = Hops to firewall +1 Set destination port to be p If firewall does not pass data for port p, then no response If data passes thru firewall on port p, then time exceeded error message [1]
26
26 Firewalk and Proxy Firewall Attack stopped by proxy firewall –Incoming packet destroyed (old TTL value also destroyed) –New outgoing packet will not exceed TTL. [1] Dest port 12345, TTL=4 Dest port 12344, TTL=4 Dest port 12343, TTL=4 Time exceeded Trudy Packet filter Router
27
27 Firewalls and Defense in Depth Example security architecture Internet Intranet with Personal Firewalls Packet Filter Application Proxy DMZ FTP server DNS server WWW server [1]
28
28 [1]
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.