Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Sonia FahmyPurdue University Firewalls and Firewall Testing Techniques Sonia Fahmy Department of Computer Sciences Purdue University

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Sonia FahmyPurdue University Firewalls and Firewall Testing Techniques Sonia Fahmy Department of Computer Sciences Purdue University"— Presentation transcript:

1 1 Sonia FahmyPurdue University Firewalls and Firewall Testing Techniques Sonia Fahmy Department of Computer Sciences Purdue University fahmy@cs.purdue.edu http://www.cs.purdue.edu/homes/fahmy/

2 2 Sonia FahmyPurdue University q What is a firewall? q Firewall types and architectures q Firewall operations q Firewall testing Overview

3 3 Sonia FahmyPurdue University What is a Firewall? q A firewall is a method of achieving security between trusted and untrusted networks q The choice, configuration and operation of a firewall is defined by policy, which determines the the services and type of access permitted q Firewall = policy+implementation q Firewall = “zone of risk” for the trusted network Gateway (DMZ)

4 4 Sonia FahmyPurdue University Firewalls Should… q Support and not impose a security policy q Use a “deny all services except those specifically permitted” policy q Accommodate new facilities and services q Contain advanced authentication measures q Employ filtering techniques to permit or deny services to specific hosts and use flexible and user-friendly filtering q Use proxy services for applications q Handle dial-in q Log suspicious activity

5 5 Sonia FahmyPurdue University Firewalls Cannot… q Protect against malicious insiders q Protect against connections that do not go through them (e.g., dial-up) q Protect against new threats or new viruses

6 6 Sonia FahmyPurdue University Firewalls in Relation to 7 Layers Application Layer Presentation Layer Session Layer Transport Layer Network Layer Link Layer Physical Layer Packet Level Filter Application Level Filter

7 7 Sonia FahmyPurdue University Simple Packet Filters q Example: q InterfaceSourceDest.Prot.SPortDport q 2**TCP*21 (FTP) q 1128.5.*.**TCP*25 (SMTP) Internal network Filter Internet Internal 12 Difficult to handle X-Windows, RPC (including NFS and NIS), rlogin, rsh, rexec, rcp, and TFTP

8 8 Sonia FahmyPurdue University Stateful Inspection q Also known as dynamic packet filtering (dynamic rule set) q Requires storing state for each stream, assuming: q If there is one packet, there will be more q If there is one packet, responses will be returned q Prime candidate for resource starvation attacks q What should be done when table is full? q Least recently used q Random early drop q Time out entries q Wait for FIN messages, etc.

9 9 Sonia FahmyPurdue University Bastion Host q Inside users log onto the bastion host to use outside services q Outside snoopers cannot see internal traffic even if they break in the firewall (perimeter = stub network = DMZ) R1 R2 Internet Internal

10 10 Sonia FahmyPurdue University Firewall Architectures q Screened host: Bastion host and exterior router q Screened subnet: Exterior and interior routers q Multiple bastion hosts, multiple interior routers, multiple exterior routers, multiple internal networks (with/without backbone), multiple perimeter networks q Merged interior and exterior routers, bastion host and exterior router and bastion host and interior router (not recommended) R1 R2 Internet Internal

11 11 Sonia FahmyPurdue University Dual-homed Host q The dual-homed host is the firewall in this case Internet Internal

12 12 Sonia FahmyPurdue University Application-Level Gateways q Specialized programs on bastion host relay requests and responses, enforcing site policies (refusing some requests) q Sometimes referred to as “proxy servers” q Transparent with special “proxy client” programs q Full protocol decomposition, e.g, Raptor, or “plug mode” e.g., Firewall-1 and PIX Internet Dual-homed Host and Proxy Server Server Client

13 13 Sonia FahmyPurdue University Policies q Network service access policy q Defines which services are to be explicitly allowed or denied+ways in which these services are to be used q Firewall design policy q Defines how the firewall implements restricted access and service filtering specified by the NSAP q FDP must be continuously updated with new vulnerabilities

14 14 Sonia FahmyPurdue University Packet Traversal in a Firewall Packet receipt by firewall Link layer filtering Dynamic ruleset (state) Packet legality checks IP and port filtering NAT/PAT (header rewrite) Packet reassembly Application level analysis Routing decision Dynamic ruleset (state) Packet sanity checks IP and port filtering Packet release Packet flow Packet may be dropped Stream may be dropped Optional outbound filtering Bypass On Match

15 15 Sonia FahmyPurdue University Firewall Testing q Vulnerabilities = design or coding flaws = invalid assumptions, e.g., insufficient verification, memory available, user data, trusted network object, predictable sequence, etc. q Develop a vulnerability-operation matrix q Place Common Vulnerabilities Exposure (CVE), and its candidates (CAN), and other known and new firewall problems in appropriate matrix cell q Find clusters in matrix q Predict problems q Automate firewall testing through focusing on common problems

16 16 Sonia FahmyPurdue University Example q CVE-1999-0158 q Cisco PIX firewall manager (PFM) allows retrieval of any file whose name and location is known q PIX proxy’s verification failure q Application level q Insufficient verification

17 17 Sonia FahmyPurdue University Key Points q Firewalls can employ: q Packet filters q Stateful inspection q Application-level gateways (many types) q Also circuit-level q Large variations, e.g., Raptor, PIX, Firewall-1, Gauntlet q Several architectures to prevent all-or-nothing effect q Importance of policy q Firewall testing automation underway

18 18 Sonia FahmyPurdue University References q RFC 2647, “Benchmarking” + drafts q Simonds, “Network Security”, 1996 q Hunt, “Internet/Intranet firewall security”, Computer Communications, 1998 q Frantzen et al, “A framework for understanding vulnerabilties in firewalls using a dataflow model of firewall internals”, in preparation q Kamara et al, “Testing firewalls”, in preparation q Chapman, “Network (In)Security through IP packet filtering” q http://cve.mitre.org/, www.sans.org, www.cert.org http://cve.mitre.org/www.sans.orgwww.cert.org q Web pages and mailing lists

19 19 Sonia FahmyPurdue University Thank You! Questions?

Download ppt "1 Sonia FahmyPurdue University Firewalls and Firewall Testing Techniques Sonia Fahmy Department of Computer Sciences Purdue University"

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Similar presentations

Ads by Google