Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi."— Presentation transcript:

1 Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi

2 Outline Overview/Motivation Packet Filtering Application Gateway

3 Overview/Motivation Why Do We Need Firewalls? Design Issues Firewall Characteristics Typical Setups/Analysis

4 Why Do We Need Firewalls? Prevent unauthorized access to private networks Prevent unauthorized export of private information

5 Design Issues That which is not expressly permitted is prohibited –firewall is designed to block everything, services are enabled on a case-by-case basis –can be seen as a hindrance by users That which is not expressly prohibited is permitted –reactive, must predict what kinds of actions would compromise the security of the firewall

6 Firewall Characteristics Damage Control –If the firewall is compromised or destroyed what kinds of threats does it leave the private network open to? Zones of Risk –How large is the zone of risk during normal operation?

7 Firewall Characteristics Failure Mode –If the firewall is broken into or destroyed, how easy is it to detect? –How much information is retained to analyze the attack? Ease of Use –How much of an inconvenience is the firewall? Stance –Permissive or prohibitive?

8 Typical Setups Screening Router Dual Homed Gateway Screened Host Gateway Screened Subnet

9 Screening Router Basic router with some kind of packet filtering capability –Typically will be able to block traffic between networks or specific hosts on an IP level

10 Analysis of Screening Router Damage control is difficult because you would need to examine every host for traces of a break-in Zone of risk is the all the hosts on the private network because direct communication is permitted Usually set up as permissive

11 Analysis of Screening Router In the case of destruction of the firewall it is very hard to trace because commercial routers generally do not keep logs Can fairly easily get around the screening using tunnelling Popular because they allow fairly free access from any point in the private network

12 Dual Homed Gateway Has a system on both the private network and the Internet, with TCP/IP forwarding disabled

13 Analysis of Dual Homed Gateway Often used and easy to implement Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the networks is blocked If the gateway is compromised then the whole private network is accessible Zone of risk is only the gateway host

14 Analysis of Dual Homed Gateway Permissiveness dependant on the stance of the gateway –logins on gateway is permissive –application gateways is prohibitive Can be adapted more easily to keep logs which can help with tracing what went wrong and which machines on the private network were compromised

15 Screened Host Gateway Combines a screening router and a dual homed gateway. The screening router is configured such that the gateway is the only system reachable from the Internet

16 Analysis of Screened Host Gateway Can be configured to block traffic to the gateway on certain ports, permitting only a small number of services to communicate with it Generally very secure, while fairly easy to implement Router is configured to only permit Internet access to the gateway

17 Analysis of Screened Host Gateway Zone of risk is the gateway and the router Gateway can be on the private network so connectivity is good for local users Stance is dependant upon the gateway Similar to a dual homed gateway

18 Screened Subnet An isolated subnet is created, between the private network and the Internet –isolate the private network using screening routers with varying levels of filtering

19 Analysis of Screened Subnet Generally, both the Internet and the private network have access to the subnet but traffic across the screened subnet is blocked Usually configured with one host as the sole point of access on the subnet Zone of risk is host and any screening routers that connect the subnet Appealing for firewalls that use routing to reinforce the existing screening

20 Analysis of Screened Subnet Forces all services to be provided by application gateways Strongly prohibitive Much harder to break into since you need to compromise multiple systems Can be an inconvenience since hosts that are not addressed correctly cannot use the firewall properly

21 Packet Filtering Overview Control data traffic using header of each packet –source IP address –destination IP address –etc Screened (Host, Subnet) Setups

22 Static Packet Filtering “Static” = “doors” are open at all times Advantages –Low overhead / High throughput –Inexpensive or free –Good for traffic management Disadvantages –Allows dangerous direct connections –Leaves holes open –Unsuitable for complex environment –No user authentication

23 Dynamic Packet Filtering “Dynamic” = opens and closes “doors” according packet header data Can keep track of context information about a session. (stateful filtering) Advantages –Only temporarily opens holes in Network Perimeter –Low overhead / High throughput –Supports almost any service Disadvantages –Allows direct IP connections –No user authentication (requires application gateway)

24 Application Gateways Overview First Generation vs. Second Generation (transparent) TCP connection state and sequencing are maintained. Prevents direct access to services on the internal network. Outgoing traffic appears to be coming from the firewall rather than the internal network. Works on an application (or service) level.

25 Application Gateways Lawyer Example A B B’s Lawyer Approved Message Unapproved Message

26 Application Gateways Example of masking internal network

27 Application Gateways Advantages Doesn’t allow direct connections between internal and external hosts (proxy). Supports user-level authentication. Ability to analyze application specific commands inside traffic. Can keep logs of traffic.

28 Application Gateways Disadvantages Takes time to check requests. Doesn’t support every type of connection.

29 References Thinking About Firewalls V2.0: Beyond Perimeter Security (1997) –http://www.clark.net/pub/mjr/pubs/think/index. htm Application Gateways and Stateful Inspection: A Brief Note Comparing and Contrasting (Avolio & Blask 1998) –http://www.avolio.com/apgw+spf.html

Download ppt "Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi."

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google