Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE331: Introduction to Networks and Security Lecture 29 Fall 2002.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE331: Introduction to Networks and Security Lecture 29 Fall 2002."— Presentation transcript:

1 CSE331: Introduction to Networks and Security Lecture 29 Fall 2002

2 CSE331 Fall 20022 Announcements Project 3 is due today. Project 4 will be available on the web site this afternoon. Homework 3 will be handed out on Wednesday.

3 CSE331 Fall 20023 Recap Access Control (Authorization) –Access Control Matrix –Access Control Lists Today –Capability Lists –Firewalls

4 CSE331 Fall 20024 Capabilities Lists A[s][o]Obj 1 Obj 2 …Obj N Subj 1 {r,w,x}{r,w}…{} Subj 2 {w,x}{}…{r} …………… Subj M {x}{r,w,x}… For each subject, store a list of (Object x Rights) pairs.

5 CSE331 Fall 20025 Capabilities A capability is a (Object, Rights) pair –Used like a movie ticket (“Harry Potter”, {view}) Should be unforgeable –Otherwise, subjects could get illegal access Authentication takes place when the capabilities are granted (not needed at use) Harder to do revocation (must find all tickets) –Capabilities can be passed from subject to subject Easy to audit a subject, hard to audit an object

6 CSE331 Fall 20026 Implementing Capabilities Must be able to name objects Unique identifiers –Must keep map of UIDs to objects –Must protect integrity of the map –Extra level of indirection to use the object –Generating UIDs can be difficult Pointers –Name changes when the object moves –Remote pointers in distributed setting –Aliasing possible

7 CSE331 Fall 20027 Unforgeability of Capabilities Special hardware: tagged words in memory –Can’t copy/modify tagged words Store the capabilities in protected address space Could use static scoping mechanism of safe programming languages. –Java’s “private” fields Could use cryptographic techniques –OS kernel could sign (Object, Rights) pairs using a private key –Any process can verify the capability

8 CSE331 Fall 20028 Firewalls Gateway InsideOutside Filter Filters protect against “bad” packets. A gateway machine restores needed services. Protect services offered internally from outside access. Provide outside services to hosts located inside.

9 CSE331 Fall 20029 Possible Firewall Architecture Hosts Routers Networks Internal Network External Network Gateway DMZ Filtering Routers “Demilitarized Zone”

10 CSE331 Fall 200210 Benefits of Firewalls Increased security for internal hosts. Reduced amount of effort required to counter break ins. Possible added convenience of operation within firewall (with some risk). Reduced legal and other costs associated with hacker activities.

11 CSE331 Fall 200211 Costs of Firewalls Hardware purchase and maintenance Software development or purchase, and update costs Administrative setup and training, and ongoing administrative costs and trouble- shooting Lost business or inconvenience from broken gateway Loss of some services that an open connection would supply.

12 CSE331 Fall 200212 Kinds of Firewalls Filtering: operates by filtering based on packet headers Circuit: operates at the level of TCP Application: operates at the level of the application

13 CSE331 Fall 200213 Filtering Firewalls Filtering can take advantage of the following information from network and transport layer headers: –Source –Destination –Source Port –Destination Port –Flags (e.g. ACK)

14 CSE331 Fall 200214 IPv4 Packet Format IPv4 (Version field set to “4”) Version Hlen TOS Length Ident Flags Offset TTL Protocol Checksum SourceAddr DestinationAddr Options(variable length) Pad Other Headers and Payload

15 CSE331 Fall 200215 TCP and UDP packets Protocols support O.S. “port numbers”: SrcPort DstPort Checksum LengthSequenceNum SrcPort DstPort Options (variable) Checksum UrgPtr HL 0 Flags Advert.Wind. Acknowledgment Other Headers and Payload UDPTCP Other Headers and Payload

16 CSE331 Fall 200216 Three-Way Handshake

17 CSE331 Fall 200217 TCP State Transitions

18 CSE331 Fall 200218 Ports Ports are used to distinguish applications and services on a machine. Low numbered ports are often reserved for server listening. High numbered ports are often assigned for client requests. Port 7 (UDP,TCP): echo server Port 13 (UDP,TCP): daytime Port 20 (TCP): FTP data Port 21 (TCP): FTP control Port 23 (TCP): telnet Port 25 (TCP): SMTP Port 79 (TCP): finger Port 80 (TCP): HTTP Port 123 (UDP): NTP Port 2049 (UDP): NFS Ports 6000 to 6xxx (TCP): X11

19 CSE331 Fall 200219 Filter Example Actionourhostporttheirhostportcomment block**BAD*untrusted host allowGW25**allow our SMTP port Actionourhostporttheirhostportcomment block****default Apply rules from top to bottom with assumed default entry: Bad entry intended to allow connections to SMTP from inside: Actionourhostporttheirhostportcomment allow***25connect to their SMTP This allows all connections from port 25, but an outside machine can run anything on its port 25!

20 CSE331 Fall 200220 Filter Example Continued Actionsrcportdestportflagscomment allow{our hosts}**25*their SMTP allow*25**ACKtheir replies Permit outgoing calls to port 25. This filter doesn’t protect against IP address spoofing. The bad hosts can “pretend” to be one of {our hosts}.

21 CSE331 Fall 200221 When to Filter Router Inside Outside

22 CSE331 Fall 200222 On Input or Output Filtering on output can be more efficient since it can be combined with table lookup of the route. However, some information is lost at the output stage –e.g. the physical input port on which the packet arrived. –Can be useful information to prevent address spoofing. Filtering on input can protect the router itself.

23 CSE331 Fall 200223 Recommend: Filter ASAP Actionsrcportdestportcomment blockBAD***we don’t trust them allow**GW25connect to our SMTP allowGW25**our reply packets Actionsrcportdestportcomment block**BAD*subtle difference allow**GW25connect to our SMTP allowGW25**our reply packets Is preferred over:

24 CSE331 Fall 200224 Example of a Pitfall Filter output to allow incoming and outgoing mail, but prohibit all else. Apply this output filter set to both interfaces of the router. Does it work? Unintended consequence: allows all communication on high numbered ports! Actiondestportcomment allow*25incoming mail allow*>= 1024outgoing responses block**nothing else

Download ppt "CSE331: Introduction to Networks and Security Lecture 29 Fall 2002."

Similar presentations

CSE331: Introduction to Networks and Security Lecture 30 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 30 Fall 2002.
IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
CSE331: Introduction to Networks and Security Lecture 7 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 7 Fall 2002.
CS682 Session 6 Prof. Katz. Firewalls An intelligent router? Used as a traffic control mechanism Based on information in the Layer 3 and 4 headers Administrator.

CS682 Session 6 Prof. Katz. Firewalls An intelligent router? Used as a traffic control mechanism Based on information in the Layer 3 and 4 headers Administrator.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
TCP/IP Protocol Suite 1 Chapter 11 Upon completion you will be able to: User Datagram Protocol Be able to explain process-to-process communication Know.

TCP/IP Protocol Suite 1 Chapter 11 Upon completion you will be able to: User Datagram Protocol Be able to explain process-to-process communication Know.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Similar presentations

Ads by Google