Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area."— Presentation transcript:

1 1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area Networks: - connects PC’s (in “terminal emulation” mode), remote terminals (next building) and mini-computers. Premises Network: - connects LANs and LAN-attached devices to each other. Enterprise-wide Network: - leased data lines (T1, DS-3) connect various offices. Internet Connectivity: - initially for email, now for Web access, e-commerce,.... Makes the world accessible, but now the world also has access to you.

2 2 Agency Virtual Private Network LANs at Agency Offices across Georgia State WWW Gateway State Internet Citizens Contractors City & County Governments Agency Gateway & Web Server Non-Agency State Server Private Virtual Connection Agency Server Schools Libraries Kiosks Connectivity Provided by the Georgia Backbone Network Other Agencies WWW

3 Agency Firewall - Protects Agency Subnets from Unwanted Connections Agency Firewall - Protects Agency Subnets from Unwanted Connections Subnet 1 Subnet 2 Gate- way WAN Firewalls (and many routers) can reject: Packets with certain source and destination addresses Packets with certain high-level protocols (UDP, Telnet) Proxy Servers - for specific applications Email messages assembled and inspected, then passed to internal email server machine. Prevent Cyber Loafing - Exploring the Internet for fun. Gate- way 3

4 4 Application Layer (HTTP) Transport Layer (TCP,UDP) Network Layer (IP) E'net Data Link Layer Ethernet Phys. Layer Network Layer E'net Data Link Layer E'net Phys. Layer Network Layer Web Server Browser Router-Firewall can drop packets based on source or destination, ip address and/or port Application Layer (HTTP) Transport Layer (TCP,UDP) Network Layer (IP) Token Ring Data-Link Layer Token Ring Phys. Layer IP Address 130.207.22.5 IP Address 24.88.15.22 Port 80 Port 31337 Segment No. Token Ring Data Link Layer Token Ring Phys. Layer

5 Application Layer (HTTP, FTP, TELNET, SMTP) Transport Layer (TCP, UDP) Network Layer (IP) E'net Data Link Layer E'net Phys. Layer Transport Layer (TCP, UDP) Network Layer (IP) E'net Data Link Layer E'net Phys. Layer Process Transport or App.-Layer Gateway, or Proxy Application Layer (HTTP(HTTP, FTP, TELNET, SMTP) Transport Layer (TCP,UDP) Network Layer (IP) TR Data Link Layer TR Phys. Layer Transport Layer (TCP, UDP) Network Layer (IP) TR Data Link Layer TR Phys. Layer 5

6 Policy No outside Web access. Outside connections to Public Web Server Only. Prevent Web-Radios from eating up the available bandwidth. Prevent your network from being used for a Smuft DoS attack. Prevent your network from being tracerouted or scanned. Firewall Setting Drop all outgoing packets to any IP, Port 80 Drop all incoming TCP SYN packets to any IP except 130:207:244.203, port 80 Drop all incoming UDP packets - except DNS and Router Broadcasts. Drop all ICMP packets going to a “broadcast” address (130.207.255.255 or 130.207.0.0). Drop all incoming ICMP, UDP, or TCP echo- request packets, drop all packets with TTL < 5. 6

7 Firewall Attacks IP Internal-Address Spoofing. Source Routing (External Spoof). Tiny Fragment Attacks. 2nd-Fragment Probes. SYN-ACK Probes. Firewall Defense Drop all incoming packets with local address. Drop all IP packets with Source-Routing Option. Drop all incoming packets with small offset. Assemble IP fragments (hard work). Be “Stateful” -keep track of TCP outgoing SYN packets (start of all TCP connections) (hard work). 7

8 A Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments. ------- Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall. Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with “filter” capabilities). Protect Finance from Engineering. Solution 2 - implement “IP Chains” to limit access to individual computers at the lowest protocol level possible, to specific hosts and subnets. 8

9 IP Chains /etc/hosts.deny ALL:ALL /etc/hosts.allow in.telnetd: 199.77.146 24.88.154.17 in.ftpd: 199.77.146.19 199.77.146.102 UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146 means 199.77.146.any). Above, telnet connection is available to all on the 199.77.146.0 subnet, and a single off-subnet host, 24.88.154.17 FTP service is available to only to two local hosts,.19 and.102. The format for each line is “daemon:host-list” 9

10 Router Setup with Network Address Translation (NAT) Addresses 10.0.0.0 and 192.168.0.0 reserved for private networks.

11 Internet Router 24.88.48.47 with NAT that Masquerades could be a “dual-homed bastion host” Host 192.168.0.10 Host 192.168.0.20 11 Host 192.168.0.30 Host 192.168.0.40 Web Server port 80 FTP Server port 23 FTP Client 130.27.8.35 To 130.27.8.35:x from 192.168.0.40:23 To 130.27.8.35:x from 24.88.48.47:23 To 24.88.48.47:23 from 130.27.8.35:x To 192.168.0.40:23 from 130.27.8.35:x Note: x is a high port number, 1024-65,535

12 Internet Router 24.88.48.47 with NAT that Masquerades Host 192.168.0.10 Web Client 192.168.0.20 12 Host 192.168.0.30 Host 192.168.0.40 Web Server port 80 FTP Server port 23 Web Host 130.27.8.35 To 130.27.8.35:80 from 192.168.0.20:x To 130.27.8.35:80 from 24.88.48.47:x To 24.88.48.47:x from 130.27.8.35:80 To 192.168.0.20:x from 130.27.8.35:80

Download ppt "1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area."

Similar presentations

©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.

©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.

IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.

Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.

Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Bob Baker Communications Bob Baker September 1999.

Bob Baker Communications Bob Baker September 1999.
1 Version 3.0 Module 9 TCP/IP Protocol and IP Addressing.

1 Version 3.0 Module 9 TCP/IP Protocol and IP Addressing.
1 Networking A computer network is a collection of computing devices that are connected in various ways in order to communicate and share resources. The.

1 Networking A computer network is a collection of computing devices that are connected in various ways in order to communicate and share resources. The.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

Similar presentations

Ads by Google