Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604."— Presentation transcript:

1 Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604

2 Security Forum 2001John Kristoff - DePaul University2 The network is just a highway • How do you secure the highway • Police patrol • Toll booths • Licensed drivers • Vehicle inspections and standards • Rules of the road • Are the highways completely safe now?

3 Security Forum 2001John Kristoff - DePaul University3 What network firewalls do • Define untrusted and trusted boundaries • Inspect traffic traversing firewall boundary • Limit communication traversing boundary • Help shield insecure hosts

4 Security Forum 2001John Kristoff - DePaul University4 Network firewalls illustrated

5 Security Forum 2001John Kristoff - DePaul University5 Key ideas • Firewalls should be unnecessary • They're a network solution to a host problem • They don't solve the real problem and... •..make it hard/impossible to do certain things • Ultimate control of hosts is out of our hands • Securing a LOT of hosts is hard! • But.. network solutions are *sigh* necessary

6 Security Forum 2001John Kristoff - DePaul University6 Packet filtering firewalls • Filter everything - not very useful • Filter by IP address • Filter by application type (TCP, UDP) • Filter on field/flag settings (source route) • Filter invalid packets (SYN/FIN packets) • Other pattern match

7 Security Forum 2001John Kristoff - DePaul University7 Screened subnet implementation

8 Security Forum 2001John Kristoff - DePaul University8 Application Layer Gateway (ALG) • Also commonly called a proxy firewall • These permit no direct communication • Firewall intercepts all traffic in each direction • Very intelligent device... •...must understand what a user is doing • Difficult to install if it doesn't currently exist

9 Security Forum 2001John Kristoff - DePaul University9 Proxy/ALG illustrated

10 Security Forum 2001John Kristoff - DePaul University10 Other common firewall features • Stateful inspection • Network address translation (NAT) • Authenticaton (VPNs) • Dynamic triggers • Reporting, logging and IDS support

11 Security Forum 2001John Kristoff - DePaul University11 What can't a network firewall stop? • Bad packets that look good • Denial of service (DoS) attacks • Well, they can stop them at the firewall • But then the firewall has just been DoS'd • Stupid user tricks • Things that go around the firewall • Things that don't cross the firewall boundary

12 Security Forum 2001John Kristoff - DePaul University12 So you're saying...? • It would be nice if all hosts could be secured • Network solutions can help • Malicious insiders can get by anything you got • A holistic approach is needed. Including: • Audits, detection and response • Education • Standards and best practices

13 Security Forum 2001John Kristoff - DePaul University13 What does DePaul do? • We stop some obvious stuff in various places • We're beginning to do more at the edges • Note: the network will be very fast soon... •...big firewalls get in the way big time • Regardless of what you may have heard... • We're better off than we were 2 years ago • Of course so are the attackers

14 Security Forum 2001John Kristoff - DePaul University14 Final thoughts • Overly secure systems are not at all useful • Big border firewalls are obsolescent • Distributed firewalls are getting a lot of talk • Firewall vendors of course like this approach • You should demand open AND secure access • We can do it, but it ain't gonna easy • If we fail, the Internet will become very boring

15 Security Forum 2001John Kristoff - DePaul University15 References http://networks.depaul.edu/security/ http://condor.depaul.edu/~jkristof/ news://news.depaul.edu/dpu.security http://www.cert.org http://www.sans.org http://www.cerias.purdue.edu http://www.neohapsis.com http://www.lists.gnac.net/firewalls/ http://www.interhack.net/pubs/fwfaq/

Download ppt "Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604."

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Firewalls Anand Sharma Austin Wellman Kingdon Barrett.

Firewalls Anand Sharma Austin Wellman Kingdon Barrett.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
TDC365 Spring 2001John Kristoff - DePaul University1 Internetwork Technologies Internetwork Security.

TDC365 Spring 2001John Kristoff - DePaul University1 Internetwork Technologies Internetwork Security.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewall Configuration Strategies

Firewall Configuration Strategies
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Introduction to Firewall Technologies. Objectives Upon completion of this course, you will be able to: Understand basic concepts of network security Master.

Introduction to Firewall Technologies. Objectives Upon completion of this course, you will be able to: Understand basic concepts of network security Master.
IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff +1 312 362-5878 DePaul University.

IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff DePaul University.
TDC375 Winter 2002John Kristoff - DePaul University1 Network Protocols John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

TDC375 Winter 2002John Kristoff - DePaul University1 Network Protocols John Kristoff DePaul University Chicago, IL
TDC365 Spring 2001John Kristoff - DePaul University1 Interconnection Technologies John Kristoff +1 312 362-5878 DePaul University Chicago,

TDC365 Spring 2001John Kristoff - DePaul University1 Interconnection Technologies John Kristoff DePaul University Chicago,
ISOC-Chicago 2001John Kristoff - DePaul University1 Journey to the Center of the Internet John Kristoff +1 312 362-5878 DePaul University.

ISOC-Chicago 2001John Kristoff - DePaul University1 Journey to the Center of the Internet John Kristoff DePaul University.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Similar presentations

Ads by Google