Presentation is loading. Please wait.

Presentation is loading. Please wait.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

Similar presentations


Presentation on theme: "FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you."— Presentation transcript:

1 FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you take up your command, block the frontier passes, destroy the official tallies, and stop the passage of all emissaries —The Art of War, Sun Tzu

2 What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets of digital information that attempt to pass through the perimeter of a network. A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets of digital information that attempt to pass through the perimeter of a network. A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through. A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.network computer systemnetwork computer system

3 Perimeter Defense A firewall is said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

4 What is a Firewall? a choke point that keeps unauthorized users out of the protected network. a choke point that keeps unauthorized users out of the protected network. interconnects networks with differing trust interconnects networks with differing trust imposes restrictions on network services imposes restrictions on network services only authorized traffic is allowed only authorized traffic is allowed auditing and controlling access auditing and controlling access can implement alarms for abnormal behavior can implement alarms for abnormal behavior is itself immune to penetration is itself immune to penetration provides perimeter defence provides perimeter defence

5 Firewall Limitations cannot protect from attacks bypassing it cannot protect from attacks bypassing it cannot protect against internal threats cannot protect against internal threats e.g. disgruntled employee e.g. disgruntled employee cannot protect against transfer of all virus infected programs or files cannot protect against transfer of all virus infected programs or files because of huge range of O/S & file types because of huge range of O/S & file types

6 Types of Firewalls Packet Filters Packet Filters Application-Level Gateways Application-Level Gateways Circuit-Level Gateways Circuit-Level Gateways

7 Firewalls – Packet Filters

8 A packet filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. A packet filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). The router is typically configured to filter packets going in both directions (from and to the internal network).

9 Firewalls – Packet Filters Filtering rules are based on information contained in a network packet: Source IP address: The IP address of the system that originated the IP packet (e.g., 192.168.1.1) Source IP address: The IP address of the system that originated the IP packet (e.g., 192.168.1.1) Destination IP address: The IP address of the system the IP packet is trying to reach (e.g. 192.168.1.2) Destination IP address: The IP address of the system the IP packet is trying to reach (e.g. 192.168.1.2) Source and destination transport-level address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET Source and destination transport-level address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET

10 Firewalls – Packet Filters: Default Policies Packet filtering is typically set up as a list of rules based on matches to fields in the IP or TCP header. When there is no match to any rule, a default action is taken. There are two possible default policies: discard or forward.

11 Firewalls – Packet Filters: Default Policies Default = discard: that which is not expressly permitted is prohibited. It is very conservative. Initially, everything is blocked—services must be added on a case- by-case basic. Default = forward: that which is not expressly prohibited is permitted. It increases ease of use for end users but provides reduced security. The security administrator must, in essence, react to each new security threat as it becomes available

12 Firewalls – Packet Filters

13 Attacks on Packet Filters IP address spoofing IP address spoofing fake source address to be trusted fake source address to be trusted add filters on router to block add filters on router to block source routing attacks source routing attacks attacker sets a route other than default attacker sets a route other than default block source routed packets block source routed packets tiny fragment attacks tiny fragment attacks split header info over several tiny packets split header info over several tiny packets either discard or reassemble before check either discard or reassemble before check

14 Firewalls - Application Level Gateway (or Proxy)

15 Acts as relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as FTP, and the gateway asks the user for the name of a remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two points.

16 Firewalls - Application Level Gateway (or Proxy) Tend to be more secure than packet filters. Tend to be more secure than packet filters. Need only scrutinize a few allowable applications. Need only scrutinize a few allowable applications. It is easy to log and audit all incoming traffic at the application level. It is easy to log and audit all incoming traffic at the application level.

17 Firewalls - Application Level Gateway (or Proxy) Main Disadvantage Additional Processing overhead on each connection. Additional Processing overhead on each connection.

18 Firewalls - Circuit Level Gateway

19 relays two TCP connections (one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host) relays two TCP connections (one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host) imposes security by limiting which such connections are allowed imposes security by limiting which such connections are allowed once created usually relays traffic without examining contents once created usually relays traffic without examining contents typically used when trust internal users by allowing general outbound connections typically used when trust internal users by allowing general outbound connections SOCKS (a protocol) commonly used for this SOCKS (a protocol) commonly used for this

20 Bastion Host highly secure host system that serves as a platform for an application-level or circuit- level gateway. highly secure host system that serves as a platform for an application-level or circuit- level gateway. host hardware platform executes a secure version of it’s operating system, making it a trusted system. host hardware platform executes a secure version of it’s operating system, making it a trusted system. only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication) only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication)

21 Firewall Configurations

22 Single-Homed Bastion: Advantages Consists of two systems: a packet-filtering router and a bastion host. The router is configured so that Consists of two systems: a packet-filtering router and a bastion host. The router is configured so that For traffic from the Internet, only IP packets destined for the bastion host are allowed in. For the traffic from the internal network, only IP packets from the bastion host are allowed to out. The bastion host performs authentication and proxy functions. The bastion host performs authentication and proxy functions.

23 Single-Homed Bastion Has greater security than simply a packet filtering router or an application level gateway alone. Has greater security than simply a packet filtering router or an application level gateway alone. Implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy. Implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy. An intruder must generally penetrate two separate systems before the security of the internal network is compromised. An intruder must generally penetrate two separate systems before the security of the internal network is compromised. Affords flexibility in providing direct Internet access. Affords flexibility in providing direct Internet access. If the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network. If the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network.

24 Firewall Configurations

25

26 Screened Subnet Firewall There are now three levels of defense to thwart intruders. There are now three levels of defense to thwart intruders. The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet. The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet. Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet. Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.


Download ppt "FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you."

Similar presentations


Ads by Google