Presentation is loading. Please wait.

Presentation is loading. Please wait.

FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system.

Published byDaniela Johns Modified over 10 years ago

Similar presentations

Presentation on theme: "FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system."— Presentation transcript:

1 FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system

2 INTERNET CONNECTIVITY essential – via LAN, ISP, …..etc Network – thousands of mixed systems Firewall is: a single point for security and audit Premise Network || Internet firewall

3 FIREWALL CHARACTERISTICS 1. All traffic through firewall 2. Only authorised traffic 3. Immune to penetration - trusted system - secure Operating System

4 FIREWALL CONTROL TECHNIQUES Service – filter (IP address, TCP port no) - proxy software - host server e.g. web/mail Direction – control direction of service requests User – access control (local users) - for external users, use IPSec auth. Behaviour – controls service use (e.g. filter spam) - restrict external access to local web server

5 FIREWALL CAPABILITIES 1.Single ’choke’ point unauthorised users out stop vulnerable services using firewall stop IP spoofing/routing attacks 2. Location for security monitoring – audits/alarms 3. Platform for non-security internet functions (e.g. address translator) 4. Platform for IPSec – VPNs using tunnel

6 LIMITATIONS Cannot protect against - Firewall bypass - e.g. internal system dial-out - Internal threats - Virus - impossible to scan everything

7 FIREWALL TYPES Fig 20.1

8 FIREWALL TYPES 1. Packet Filters rules  IP packet TCP/UDP header fields forward discard Default rule discard (prohibit if not permitted) forward (permit if not prohibited) Table 20.1 (discard policy used)

9 FIREWALL TYPES 1.Packet Filters (continued) Table 20.1 A – inbound mail allowed, but only to gateway host. but mail from SPIGOT is blocked B – default policy C – inside host can send mail outside, but attacker can access TCP port no 25 D - same as C but: TCP segment ACK flag set source IP addr. from internal host allows incoming packets with port 25 and ACK

10 FIREWALL TYPES 1.Packet Filters (continued) Table 20.1 E – FTP connections – two TCP connections 1. control connection (FTP setup) 2. data connection (file transfer) different port no. Rule sets - packets that originate internally - reply packets to connection initiated by internal m/c - packets  high numbered internal port Advantages of packet filtering: Simple/Transparency/Fast Disadvantages of packet filtering: Difficult to configure rules correctly No authorisation

11 Attacks on Packet-Filtering Routers IP Address Spoofing intruder  firewall packets[sourceIP=internal host addr.] countermeasure: discard if internal addr. from external interface Source Routing Attack source specifies packet route to avoid security measures countermeasure: discard packets using this option

12 Attacks on Packet-Filtering Routers Tiny Fragments Attack Intruder (IP fragmentation) TCP header filter fragments countermeasure: discard packets where protocol type is TCP/IP fragment offset = 1

13 TYPES OF FIREWALLS (continued) 2. Application-Level Gateway (proxy server) - Fig 20.1b user contacts gateway using TCP/IP application (e.g. Telnet/FTP) user  (remote host, ID, auth.)  gateway gateway  remote host TCP (if and only if gateway implements segments proxy code for application) (appl. data) gateway supports only specific application features

14 TYPES OF FIREWALLS (continued) 2. Application-Level Gateway more secure than packet-filters -only deals with allowable application - easier to log and audit disadvantage: - processing overhead

15 TYPES OF FIREWALLS (continued) 3. Circuit-Level Gateway (Fig 20.1c) stand-alone or specialised appl.-level NO end-to-end TCP outside inside TCP circuit-level TCP user gateway user TCP TCP connection 1 connection 2

16 TYPES OF FIREWALLS (continued) 3. Circuit-Level Gateway (Fig 20.1c) - does not examine traffic - instead security is obtained according to connections allowed e.g. if system admin. trusts internal users e.g. appl.-level/proxy  inbound examined by gateway outbound  circuit-level not examined by gateway

17 TYPES OF FIREWALLS (continued) 3. Bastion Host Critical strong point Platform for appl.-level,circuit-level gateway Secure version of OS-trusted system Essential services only proxy appl. – telnet,DNS,FTP,SMTP, user auth. Additional authentication from user to access proxy services

18 TYPES OF FIREWALLS (continued) 3. Bastion Host (continued) Proxy supports only subset of commands Proxy only allows access to specific hosts Proxy maintains detailed audit to discover and terminate attacks Proxy is very small software module - easier to check for security flaws

19 TYPES OF FIREWALLS (continued) 3. Bastion Host (continued) Each proxy independent of other proxies on Bastion Host. No disk access by proxy except to read initial configuration. Proxy is non-priviledged user in private, secure directory.

20 FIREWALL CONFIGURATIONS Fig 20.2

21 FIREWALL CONFIGURATIONS Single system – e.g. packet-filtering, gateway Complex Configuration (e.g. Fig 20.2) Fig 20.2a – Screened Host Firewall Two Systems: a) Packet-Filtering Router IP packets  Bastion Host only b) Bastion Host Bastion performs auth./proxy Advantages: packet-level/appl.-level filtering flexible intruder must penetrate 2 systems but internal web server can use router to bypass Bastion

22 SCREENED HOST FIREWALL Fig 20.2b Dual Security layers Web Server can have direct communications but private hosts must go through Bastion

23 SCREENED SUBNET FIREWALL Fig 20.2c Most secure: two packet-filtering routers Isolated Subnetwork – Bastion, Web Servers, modems Advantages - three levels of defence - internal network invisible to internet - no direct routes from internet to internal network Bastion  Internet Bastion  Internal

24 TRUSTED SYSTEMS Data Access Control Operating System grants user permissions but Database Management System decides on each individual access Criteria: User ID, parts of data being accessed, information already divulged Access Matrix (Fig 20.3a) Subject / Object / Access Right users,terminals, data fields entries in matrix hosts,….

25 ACCESS MATRIX SPARSE Implemented by decomposition Matrix Columns: Access Control Lists (Fig 20.3b) lists (users,rights) including (default,rights) Matrix Rows: Capability Tickets (Fig 20.3c) (authorised objects, user operations) Each user has # tickets (unforgeable) ….can loan or give to others OS may hold tickets in inaccessible memory

26 TRUSTED SYSTEMS - concept – Multilevel Security Protect data/resources - levels of security e.g. military - U,C,S,TS - clearances High-Level Lower/Another Level Subject A Subject B only if authorised - No Read Up - No Write Down

27 REFERENCE MONITOR CONCEPT Fig 20.4

28 REFERENCE MONITOR CONCEPT (RM) Regulates Subject  Object enforces no read-up, no write-down Security Kernel Database: - access privileges - attributes RMC – Complete Mediation rules always enforced, expensive – use hardware - Isolation – RM/database protected - Verifiability – correctness of RM Trusted System very difficult proven rigorously

29 TROJAN HORSE ATTACK Trojan Horse Attacks – use secure trusted OS Fig 20.5: Bob  DataFile{”CPE1704TKS”} Bob : r/w Fig 20.5a: Alice  legitimate access  installs Trojan to system Private File (back pocket) Alice : r/w Bob : w Fig 20.5b: invoke Trojan Alice  Bob  {”CPE1704TKS”}  back pocket

30 TROJAN HORSE DEFENCE Secure OS, Fig 20.5c: At logon, subjects  security levels e.g. Sensitive/Public Bob: Programs, Files : Sensitive Alice: Programs, Files : Public Fig 20.5d: Bob  ”CPE1704TKS” backpocket

Download ppt "FIREWALLS – Chapter 20 network-based threats access to outside world Functionality, Design Security – trusted system."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 9: Firewalls and Intrusion Prevention.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 9: Firewalls and Intrusion Prevention.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Firewall Configuration Strategies

Firewall Configuration Strategies
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

Similar presentations

Ads by Google