
Advanced Network Security – Firewall Implementation and Design Term: January 2005 Dana Epp COMP.


1 Advanced Network Security – Firewall Implementation and Design
Term: January 2005
Dana Epp, dana@scorpionsoft.com, http://silverstr.ufies.org/blog/
COMP 4706

2 Agenda
- Review from last class
- Group STRIDE analysis
- Building a firewall port matrix
- Introduction to NMAP
- Hands on – Scanning ports with NMAP
- Hands on – Creating basic firewall rules on Linux

3 Learning Outcomes
On successful completion of this course, students will be able to:
- Identify various types of firewalls and their functions, including which firewalls operate at which OSI protocol layer, and the basic variations of firewall architectures
- Describe risk mitigation techniques to varying threats with the use of different firewall architectures
- Demonstrate the ability to design and deploy policies on a firewall

4 Basic Types of Firewalls
- Packet filtering firewalls
- Stateful packet inspection firewalls
- Application proxies
- Hybrids

5 Packet filter
A packet filter firewall is the simplest type of firewall. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. The firewall examines each packet based on the following criteria:
- Source IP address
- Destination IP address
- TCP/UDP source port
- TCP/UDP destination port

6 Packet Filter - Pros
- They are fast because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.
- Because the packet payload is ignored, they are application independent.
- Least expensive of the three types of firewalls.
- Packet filtering rules are relatively easy to configure.
- No configuration changes are necessary on the protected workstations.

7 Packet filters - Cons
- Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
- There is no screening of packet payload available. It is impossible to block users from visiting web sites deemed off limits, for example.
- Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available.
- Complex firewall policies are difficult to implement using filtering rules alone.
- There is a reliance on the IP address for authentication rather than user authentication.
- Dynamic IP addressing schemes such as DHCP may complicate filtering rules involving IP addresses.

8 Stateful packet inspection
Examines the contents of packets rather than just filtering them; that is, it considers their contents as well as their addresses. Stateful packet inspection firewalls also take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in.

9 Stateful packet inspection - Pros
- Offers improved security over basic packet filters due to packet examination.
- Offers a degree of application independence, based on the level of stateful packet examination.
- Better logging of activities than basic packet filters.
- Good performance.
- Configuration changes to the protected workstations are unnecessary.

10 Stateful packet inspection - Cons
- Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
- No hiding of your private systems.
- Setting up stateful packet examination rules is more complicated.
- Only handles the protocols it supports at the application layer.
- No user authentication.

11 Application proxies
An application proxy is a program running on the firewall that emulates both ends of a network connection. One can think of it as a sort of "translator" in between the two computers communicating.

12 Application proxies - Pros
- The firewall does not let endpoints communicate directly with one another. Thus a vulnerability in a protocol which could slip by a packet filter or stateful packet inspection firewall could be overcome by the proxy program.
- Has the best content filtering capability.
- Can hide private systems.
- Robust user authentication.
- Offers the best logging of activities.
- Policy rules are usually easier than packet filtering rules.

13 Application proxies - Cons
- Performance problems; much slower than the other two.
- Must have a proxy for every protocol. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall.
- TCP is the preferred transport. UDP may not be supported.
- Limited transparency; clients may need to be modified (setting up the proxy server in a browser, for example).
- No protection from all protocol weaknesses.

14 OSI – Open System Interconnect

15 TCP/IP Protocol Architecture

16 Three way TCP handshake

17 Common Ports and Services
- Windows: %windir%\System32\drivers\etc\services
- Linux: /etc/services
- Examples: SMTP = port 25, HTTP = port 80, POP3 = port 110, PPTP = port 1723

18 The STRIDE Threat Model
- Spoofing identity
  Attacker obtains something that enables authentication
- Tampering with data
  Unauthorized change made to stored or in-transit information
- Repudiation
  Performing an illegal operation in a system that lacks the ability to trace such operations
- Information disclosure
  Exposing critical information to unauthorized individuals
- Denial of Service (DoS)
  Denies service to others
- Elevation of privileges
  Attacker exploits a weakness to gain greater privileges on a system than were intended

19 Ranking and Prioritizing Threats
- Chance of attack occurring: 1 = high, 10 = low
  How much effort/cost/time is needed to launch the attack?
- What is the cost/damage if it occurs? 1 = little, 10 = massive
- RISK = Damage / Chance
- Goal is to reduce risk
- Do high risk items first

20 How to Respond to Threats
1. Do nothing.
2. Inform the user of the threat.
3. Remove the problem.
4. Fix the problem.

21 Defense in Depth
- Assume external systems are insecure
- "We're secure, we have a firewall" *ugh*
- Assume your system(s) is the last thing standing
- Plan on failure
- More layers of security means more work to compromise a target
- Threat risk goes down as threat difficulty goes up
- Never depend on security through obscurity

22 Group STRIDE Analysis

23 Building a firewall port matrix
- Determine trust zones
- Determine ports that need opening
- Determine packet type (tcp/udp)
- Determine direction of packet flow
- Determine any limitations you can set on src/dst

24 LUNCH

25 Introduction to NMAP
- Can scan networks to find active (online) hosts
- Can scan hosts to find open ports
- Can send crafted packets to fingerprint the operating system
- Can be used defensively to identify weaknesses that need to be corrected, or offensively by an attacker to probe for vulnerabilities to exploit.

26 Interesting NMAP options
- -v = Verbose logging
- -O = OS fingerprinting
- -sS = SYN stealth scan
- -P0 = Scan without ping probes
Example: nmap -v -O -sS your.host.com

27 Introduction to iptables
- 3rd generation firewall on Linux
- Supports basic packet filtering as well as connection state tracking
- For our needs in this course, we will use simple/basic packet filtering

28 Introduction to iptables
# Sample firewall – incomplete… do not use. For discussion only
IPTABLES=/sbin/iptables
ANY="0.0.0.0/0"
ETHIP="10.10.1.1"
ADMINNOC="10.10.1.250"
# Flush chains
$IPTABLES --flush
# Set default policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Allow SSH from admin NOC (inbound request and the return traffic from port 22)
$IPTABLES -A INPUT -p tcp -s $ADMINNOC --sport 1024:65534 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $ADMINNOC --sport 22 --dport 1024:65534 -j ACCEPT
# Allow web access
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow secure web access
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else inbound is dropped
$IPTABLES -A INPUT -j DROP
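Putting the port-matrix steps of slide 23 together with the slide 28 sample, here is an added example (not from the slides) that generates an iptables ruleset from a constructed port matrix: it prints the commands instead of applying them, defaults every chain to DROP, and relies on connection state tracking for return traffic rather than the sample's high-port OUTPUT rule. The matrix format, the zone names and the gen_ruleset/matrix_rule helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: build an iptables ruleset from a firewall
# port matrix (slide 23) instead of hand-writing rules as in the slide 28 sample.
# Hypothetical matrix columns: zone proto port direction source destination,
# where "any" means no restriction. Addresses reuse the slide's constructed
# 10.10.1.x values. Rules are printed, not applied, so they can be reviewed first.

PORT_MATRIX='
admin   tcp 22   in  10.10.1.250 10.10.1.1
public  tcp 80   in  any         10.10.1.1
public  tcp 443  in  any         10.10.1.1
dns     udp 53   out 10.10.1.1   any
'

# Emit the iptables command for one matrix row; fails on an unknown direction.
matrix_rule() {
    zone=$1; proto=$2; port=$3; dir=$4; src=$5; dst=$6
    case $dir in
        in)  chain=INPUT ;;
        out) chain=OUTPUT ;;
        *)   echo "bad direction '$dir' in zone $zone" >&2; return 1 ;;
    esac
    rule="iptables -A $chain -p $proto --dport $port"
    [ "$src" != any ] && rule="$rule -s $src"
    [ "$dst" != any ] && rule="$rule -d $dst"
    # Only the connection's first packet needs a matrix entry; replies are
    # matched by the state rules in gen_ruleset, so no high-port return rule.
    echo "$rule -m conntrack --ctstate NEW -j ACCEPT  # zone: $zone"
}

# Print the full ruleset: default deny, loopback, stateful replies, matrix rows.
gen_ruleset() {
    echo "iptables --flush"
    echo "iptables -P INPUT DROP"      # default deny in every chain, unlike the
    echo "iptables -P OUTPUT DROP"     # ACCEPT defaults of the slide 28 sample;
    echo "iptables -P FORWARD DROP"    # silent DROP rather than REJECT (slide 29)
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$PORT_MATRIX" | while read -r zone proto port dir src dst; do
        [ -z "$zone" ] && continue                    # skip blank lines
        matrix_rule "$zone" "$proto" "$port" "$dir" "$src" "$dst" || return 1
    done
}

gen_ruleset
```

Review the printed rules, then pipe them to sh as root on the lab host; a matrix row with a direction other than in/out aborts generation rather than producing a partial ruleset.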

29 Dropping vs Rejecting Packets
- Rejecting packets COULD resource starve your system
- Dropping packets could cause network diagnostic hell for the other end if you don't respond 'nicely'
- Dana's Law: It is better to DROP packets and buy your favorite network admin a beer than to REJECT and have alarms go off at 2 in the morning during a DoS, waking you up.

30 Hands on LAB

31 Good reading
- IPTables Packet Filtering HOWTO: http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
- Building Internet Firewalls, ISBN 1-56592-124-0
- Linux Firewalls, ISBN 0-7357-0900-9
- Threat Modeling, ISBN 0-7356-1991-3

32 Any Questions?

