1
Controlling access with packet filters and firewalls
2
Security vulnerabilities of the TCP/IP protocols
- IP packets are transmitted in the clear and without authentication facilities
- Can routers trust routing updates received from others?
- TCP and UDP segments are transmitted in the clear and without authentication facilities
- Auxiliary protocols have similar problems (ICMP, DNS, ARP, BOOTP, TFTP)
- Application protocols are without protection or use weak password protection (TELNET, FTP)
- Specific protection is applied as "add-ons" (NFS, SNMP, X11)
3
Methods of access control
- Physical protection of entities (devices, cables)
- Packet filter
- Network relay
- Firewalls
  – visible
  – invisible
- Security mechanisms of individual computers or applications ("personal firewall", "personal internet security", e-mail security, telebanking)
4
Physical security
- Protection against physical access to power distribution or network cables
- Protection of internal or external access points (distributors, patch panels)
- Protection of active devices (routers, bridges) against physical access (lock them up)
- Problems:
  – How to support mobile users
  – How to protect a wireless infrastructure
  – How to allow secure access to external resources
5
Access control using packet filters
- Operates primarily on the IP layer, but also peeks into transport-layer information
- Filtering based on
  – IP address of the source
  – IP address of the receiver
  – Port number of the receiver
  – Sometimes the port number of the source
  – Type of transport protocol used (TCP/UDP)
- Uses a set of filter rules
- Pure packet filters have no information on connection states
6
Filter rules
(Diagram: packet filter PF placed between the networks 135.79.0.0, 135.79.99.0, 123.45.6.0 and 123.45.0.0)

Rule  Source           Destination      Action
A     135.79.0.0/16    123.45.6.0/24    Permit
B     135.79.99.0/24   123.45.0.0/16    Deny
C     0.0.0.0/0        0.0.0.0/0        Deny
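The rule table above, worked through in Python as an added example (this is not code from the slides or from any firewall product). It implements the first-match evaluation a pure packet filter performs over the fields slide 5 lists (source and destination address, transport protocol, destination and sometimes source port), plus a small check that flags rules whose address ranges overlap an earlier rule with a different action, since with first-match semantics rule order decides. The Packet and Rule classes, the evaluate and conflicting_overlaps functions, and the extra port rule in the demo are constructed for this example; only the three rules A, B and C come from the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a pure packet filter inspects (constructed for this example)."""
    src: str             # source IP address
    dst: str             # destination IP address
    proto: str = "tcp"   # transport protocol: "tcp" or "udp"
    sport: int = 0       # source port (0 = not applicable)
    dport: int = 0       # destination port (0 = not applicable)


@dataclass(frozen=True)
class Rule:
    """One filter rule; None in an optional field means 'any'."""
    name: str
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    action: str                   # "Permit" or "Deny"
    proto: Optional[str] = None   # None = any transport protocol
    dport: Optional[int] = None   # None = any destination port
    sport: Optional[int] = None   # None = any source port

    def matches(self, pkt: Packet) -> bool:
        # Real prefix arithmetic, so 135.79.99.0/24 is correctly seen
        # as lying inside 135.79.0.0/16.
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        return True


# The three rules from the slide's table, in the order shown.
SLIDE_RULES: List[Rule] = [
    Rule("A", "135.79.0.0/16",  "123.45.6.0/24", "Permit"),
    Rule("B", "135.79.99.0/24", "123.45.0.0/16", "Deny"),
    Rule("C", "0.0.0.0/0",      "0.0.0.0/0",     "Deny"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], str]:
    """First-match evaluation: the first matching rule decides.
    Returns (rule name, action); with no matching rule the filter denies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return None, "Deny"


def conflicting_overlaps(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) whose source AND destination ranges overlap while
    their actions differ: for packets in the overlap the earlier rule wins,
    so each such pair deserves a review of the intended order."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action == later.action:
                continue
            src_overlap = ipaddress.ip_network(earlier.src).overlaps(ipaddress.ip_network(later.src))
            dst_overlap = ipaddress.ip_network(earlier.dst).overlaps(ipaddress.ip_network(later.dst))
            if src_overlap and dst_overlap:
                found.append((earlier.name, later.name))
    return found


if __name__ == "__main__":
    # A host in 135.79.99.0/24 talking to 123.45.6.0/24 is permitted by A
    # before B is ever consulted; swapping A and B turns that into a Deny.
    pkt = Packet("135.79.99.5", "123.45.6.9")
    print(evaluate(SLIDE_RULES, pkt))
    print(evaluate([SLIDE_RULES[1], SLIDE_RULES[0], SLIDE_RULES[2]], pkt))
    print(conflicting_overlaps(SLIDE_RULES))
```

Running the demo shows the practical point of the table: a packet from 135.79.99.5 to 123.45.6.9 lies in the address space of both A and B, and the outcome depends entirely on which rule is listed first.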
7
Access control using network relay
(Diagram: a router with external and internal connections, a monitoring and controlling host, an invisible private subnet, and a configuration and logging database)
8
Access control by visible firewall
- Users use the Internet exclusively from the firewall
- All users need to have a user account on the firewall
- The firewall terminates DNS, e-mail, http
- User authentication must be secure (with cryptographic means)
- Reduced user friendliness
9
Access control by invisible firewall (Variant 1)
- Termination of all store-and-forward services (DNS, e-mail) with servers on the firewall
- Selective forwarding of connections (stateful)
- Authentication of external and internal peers
- Logging and intrusion detection
- Network Address Translation
- Proxy functions
(Diagram: Internet, Firewall 1, DMZ ("de-militarized zone") with public servers and DNS, Firewall 2, protected internal network with its own DNS)
10
Access control by invisible firewall (Variant 2)
- Uses only one physical firewall unit
(Diagram: a single firewall with two rulesets, Ruleset 1 and Ruleset 2, connecting the Internet, the DMZ ("de-militarized zone") with public servers and DNS, and the protected internal network with its own DNS)
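Slide 5 notes that pure packet filters have no information on connection states, and the invisible-firewall variants above rely on stateful "selective forwarding of connections". The following Python example, added here and not taken from the slides or any firewall product, shows the difference with a minimal connection tracker: outbound connections from the internal network are recorded, inbound packets are forwarded only when they belong to a recorded connection, and a RST or FIN ends tracking. For contrast, stateless_reply_decision shows what a pure packet filter can do about replies: it has to admit all inbound TCP to high ports, so it cannot tell a genuine reply from an unsolicited packet. The Packet class, the StatefulFilter class, the internal prefix 10.1.0.0/16 and the sample addresses are constructed for this example; the FIN handling is simplified to a single-sided teardown.

```python
import ipaddress
from typing import Dict, NamedTuple


class Packet(NamedTuple):
    """Fields the tracker needs (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""   # TCP flags as letters ("S", "SA", "A", "F", "R"); empty for UDP


class StatefulFilter:
    """Connection-tracking filter: permits connections initiated from the internal
    network and admits inbound packets only if they belong to a tracked connection."""

    def __init__(self, internal_net: str) -> None:
        self.internal = ipaddress.ip_network(internal_net)
        # flow key (proto, src, sport, dst, dport) -> state label
        self.connections: Dict[tuple, str] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        fwd, rev = self._key(p), self._reverse_key(p)
        # Packets of a tracked connection pass in either direction; RST or FIN
        # from either side ends the tracking entry (simplified teardown).
        if fwd in self.connections or rev in self.connections:
            if "R" in p.flags or "F" in p.flags:
                self.connections.pop(fwd, None)
                self.connections.pop(rev, None)
            return "Permit"
        # New connections are accepted only from the inside; TCP must begin with a SYN.
        if ipaddress.ip_address(p.src) in self.internal:
            if p.proto == "tcp" and p.flags != "S":
                return "Deny"
            self.connections[fwd] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
            return "Permit"
        return "Deny"

    def tracked(self) -> int:
        """Number of connections currently tracked."""
        return len(self.connections)


def stateless_reply_decision(p: Packet, internal_net: str) -> str:
    """A pure packet filter's usual workaround for replies: permit inbound TCP to
    ports >= 1024. It cannot distinguish a reply from an unsolicited packet."""
    inbound = ipaddress.ip_address(p.dst) in ipaddress.ip_network(internal_net)
    if inbound and p.proto == "tcp" and p.dport >= 1024:
        return "Permit"
    return "Deny"


if __name__ == "__main__":
    fw = StatefulFilter("10.1.0.0/16")
    syn = Packet("10.1.2.3", 40000, "203.0.113.5", 80, "tcp", "S")
    reply = Packet("203.0.113.5", 80, "10.1.2.3", 40000, "tcp", "SA")
    unsolicited = Packet("203.0.113.9", 80, "10.1.2.3", 40000, "tcp", "SA")
    print("stateful:", fw.process(syn), fw.process(reply), fw.process(unsolicited))
    print("stateless:", stateless_reply_decision(reply, "10.1.0.0/16"),
          stateless_reply_decision(unsolicited, "10.1.0.0/16"))
```

The demo prints Permit, Permit, Deny for the stateful path and Permit, Permit for the stateless one: the tracker rejects the unsolicited packet because no internal host opened a connection to 203.0.113.9, while the stateless rule has to let it through to keep legitimate replies working.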
11
User or application is "proxy aware"
- Internet Explorer
- Netscape Navigator
12
Proxy-based firewall services
13
Some applications are not "proxy aware" (talk, ping, …)
- Specific implementation of such applications
- Offering replacement applications
- Such applications may also not be accessible to normal users at all
14
Literature
- B. Chapman, E. Zwicky, "Building Internet Firewalls", O'Reilly & Associates, 1995
- W. Cheswick, S. Bellovin, "Firewalls and Internet Security", Addison-Wesley, 1994