Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spring 2004 CMPE 151: Network Administration Lecture 6.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Spring 2004 CMPE 151: Network Administration Lecture 6."— Presentation transcript:

1 Spring 2004 CMPE 151: Network Administration Lecture 6

2 Spring 2004 Project 6: Network Gateway Firewall. NAT.

3 Spring 2004 Firewalls What is a firewall? Security at the network level. Wide-area network access makes vital information/resources available (corporations, educational and research institutions). But, security threats from (mainly) the “outside world”. Secure each machine and/or protect the whole network.

4 Spring 2004 Firewalls “Outer security wall”. Protect organization’s network from attacks originating outside network. Also, single “choke point” for security and auditing purposes. Firewall can be a single machine or a group of machines performing the firewall functions collaboratively.

5 Spring 2004 Firewalls (cont’d) Convenient location for other “Internet- related” functions, e.g., NAT’ing, auditing Internet usage, etc.

6 Spring 2004 Firewall operation All incoming/outgoing traffic must pass through firewall. Only authorized traffic (as defined by local security policy) allowed to pass. Firewall itself immune to penetration (trusted system + secure OS).

7 Spring 2004 Types of access control Service control: types of service that can be accessed (inside and outside). Filtering based on IP address and TCP port #. Proxy services that receives and interprets traffic. May host service, e.g., Web server. Direction control: determines directions in which certain traffic allowed to flow.

8 Spring 2004 Types of access control (cont’d) User control: determines which user allowed to access which service. Behavior control: controls access to particular services (e.g., filtering out e- mail spam, enabling external access to only portion of Web server information, etc.).

9 Spring 2004 Types of firewalls Packet-filtering. Application-level. Stateful inspection. Circuit-level.

10 Spring 2004 Packet-filtering firewalls Restricts type of traffic that go through. Applies set of rules to each IP packet. Decides to forward or discard it. Filters packets in both directions. Filtering based on packet header (IP and transport) information (e.g., destination/source address, port number, IP protocol field).

11 Spring 2004 Rules Consist of and. : IP/TCP/UDP fields and values. : discard or forward. Default policies: Discard: whatever is not expressly permitted is discarded. Forward: … Rules are added as new threats become known.

12 Spring 2004 Example rules actionourhostporttheirhostport allow OUR-GW 25 * * block * * SPIGOT *

13 Spring 2004 Observations Service-specific filtering based on client using non-privileged port to contact privileged server port. FTP uses 2 TCP connections: one for control and another for data. Client initiates control connection and server initiates data connection. If FTP is allowed, need to allow inbound access to all non-privileged (> 1024) TCP ports.

14 Spring 2004 Two-stage filtering One machine gateways to the Internet; the other lies between the outer gateway and the rest of the local net. Outer gateway relatively open. Inner gateway very conservative. FTP and other “less secure” network services available from outer gateway.

15 Spring 2004 Limitations Cannot protect against attacks bypassing the firewall (e.g., local users with dial-up connections to ISP). Cannot protect against internal threats (e.g., malicious local user). Cannot protect against transfer of virus- infected files.

16 Spring 2004 Application-level firewalls Also called service proxy firewalls. Acts as relay for application-level traffic. Intercepts connections to/from outside world and establish connections to service outside/inside local network. User contacts firewall using specific application (e.g., telnet, http, etc.); firewall contacts remote host and relays application traffic between two endpoints. Firewall must support specific applications.

17 Spring 2004 Observations Application-level firewalls tend to be more secure: they only need to secure a few applications. Easier to log and audit application-level traffic. Drawbacks: Non-transparent. Slower. Less flexible.

18 Spring 2004 Stateful inspection firewalls Inspect traffic that flows through to detect “abnormal” activity. Example: Examine FTP control exchange for data port; firewall should expect data connection to that port. Problem: keep state for all active connections using different protocols. Current stateful inspection firewalls inspect limited number of connections/protocols. Or, search for known attack patterns.

19 Spring 2004 Circuit-level firewalls Acts as intermediate to all TCP connections. Always sets up 2 connections: between local user and itself and itself and remote host. Usually relays data without inspection. Security relies on determining which connections to allow.

20 Spring 2004 Circuit-level gateway example SOCKS package. SOCKS version 5 specified in RFC 1928. Client opens connection to appropriate SOCKs port on SOCKs server (port 1080). Authentication exchange and then relay request. Server evaluates request and establishes TCP connection or denies it.

21 Spring 2004 Firewall configurations More complex configurations. Combine multiple firewalls. For more details, “Network Security Essentials”, Stallings.

22 Spring 2004 How safe are firewalls? Should not be the single defense. Supplemental security measure. Negative effect if it causes other defenses to be weakned/not employed. Individual hosts should be protected. Tools like crack, COPS, tripwire, etc.

23 Spring 2004 Security policies Local users should be able to connect to any Internet service. But, outside users should only be allowed to connect to limited set of local services (e.g., FTP access to local archive, SMTP connections to mail server).

24 Spring 2004 Sources of security-related information CERT Computer Emergency Response Team. DARPA sponsored organization at CMU. Basically, informational: CERT advisories. Vendor security patches. Security tool announcements. Known security attacks. www.crt.org.

25 Spring 2004 More sources of security info… SecurityFocus.com Security information repository: news, relevant papers, tools. BugTraq mailing list. Discussion of security vulnerabilities and fixes. Mail to listserv@securityfocus.com.listserv@securityfocus.com SANS System Administrator, Networking and Security Institute. Sponsors conferences, training, etc. www.sans.org.

26 Spring 2004 NAT

27 Spring 2004 NAT Network address translation. Quick fix to address depletion problem. Organization assigned one or a few IP addresses. NAT box replaces “internal” addresses with real IP address on the way out.

28 Spring 2004 NAT Illustration Internet Private network NAT Pool of IP addresses and/or ports Operation:Sp wants to talk to Dg: Create Sg-Sp mapping Replace Sp with Sg for outgoing packets Replace Sg with Sp for incoming packets DgSp data DgSg data D PG Q: what happens if we reverse the question and Dg wants to talk to Sp?

29 Spring 2004 NAT disadvantages Need to keep track of who originated the connection to be able to route back to that host/port. TCP source port field replaced with index into NAT box translation table which holds internal IP address and port number.

30 Spring 2004 NAT disadvantages (cont’d) Violates “IP address uniqueness”. Violates “stateless” design principle. Violates layering principle or Internet’s “end2end”ness. What if TCP and UDP are not used? Application-specific gateways.

31 Spring 2004 More details “Network Security Essentials”, Stallings. “UNIX System Administrator Handbook”, Nemeth et al. Also, look at references on both books.

Download ppt "Spring 2004 CMPE 151: Network Administration Lecture 6."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

Similar presentations

Ads by Google