Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Carnegie Mellon University CERT Coordination Center Firewalls Institute of Internal Auditors Advanced Technology Conference and InfoExpo September 21,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Carnegie Mellon University CERT Coordination Center Firewalls Institute of Internal Auditors Advanced Technology Conference and InfoExpo September 21,"— Presentation transcript:

1 1 Carnegie Mellon University CERT Coordination Center Firewalls Institute of Internal Auditors Advanced Technology Conference and InfoExpo September 21, 1994 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 1521 Tom Longstaff The CERT Coordination Center is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense. SM

2 2 Carnegie Mellon University CERT Coordination Center Definition “A fireproof wall used in buildings and machinery to prevent the spread of fire” The American Heritage Desk Dictionary In an automobile, a firewall prevents the spread of fire while allowing control and monitoring connections to pass through

3 3 Carnegie Mellon University CERT Coordination Center Network Firewall Concept PUBLICNETWORKPUBLICNETWORK Firewall System Your Domain Legitimate Activity Violations

4 4 Carnegie Mellon University CERT Coordination Center Legitimate Activity Regulated by policy Defined by type of service (application), source, and destinationallow electronic mail to and from anyone allow news reading but not news posting allow login from inside to outside but not vice versa allow file transfer to a single system in your domain only do not give out the names of any systems in the environment

5 5 Carnegie Mellon University CERT Coordination Center Violations Violations are activities or behaviors not permitted in the policy these can be either explicit or implied Firewall technology may help with the detection and prevention of violations from outsiders are intrusions

6 6 Carnegie Mellon University CERT Coordination Center Firewalls and Policy Firewalls automate the enforcement of a network access policy Some firewall architectures may also provide additional functionality monitoring public services Firewalls cannot determine intent prevent abuse of allowed services provide host security protect against violations through other pathways

7 7 Carnegie Mellon University CERT Coordination Center Firewall Types Filters Restrict traffic based on packet header information Most common fields are type (tcp, udp, etc), src, dst, port/service Advanced filters may restrict traffic based on traffic patterns or other aggregate information Proxies (or Application Gateways) Restrict traffic based on packet content Is application specific VPN/IPSec Gateways Supports tunneling between networks Can support tunneling to mobile nodes

8 8 Carnegie Mellon University CERT Coordination Center Filter Rules Two philosophies Allow all except those packet types that carry known vulnerabilities Deny all except those packet types that are required by users Some rules carry context Connection-oriented Based on SYN/ACK protocol Filters have problems with: Malformed packets/fragmented packets Out-of-sequence protocols Backward client-server protocols (X11, FTP)

9 9 Carnegie Mellon University CERT Coordination Center Gateways and Proxies These are paths through your firewall to allow services Proxies are intermediaries that regulate service through the firewall Application gateways and proxies allow specific application interfaces through the firewall Encryption is the bane of gateways and proxies

10 10 Carnegie Mellon University CERT Coordination Center Firewall Architectures Where to position firewalls? between your domain and every access to the outside between administrative domains of dissimilar policy between networks where the boundary much be controlled What architecture to use? simple router router with multiple interfaces gateway/proxy services between dual routers a gateway separating dual routers

11 11 Carnegie Mellon University CERT Coordination Center The Simple Router (packet filter) -1 PUBLICNETWORKPUBLICNETWORK Firewall Router Your Domain

12 12 Carnegie Mellon University CERT Coordination Center The Simple Router (packet filter) -2 Advantages cheap - usually a must-have anyway simple - only one configuration file to contend with verifiable - packet monitoring at the site will assure filtering is working Disadvantages no flexibility with applications - packet filter only only extreme for security limited logging capability

13 13 Carnegie Mellon University CERT Coordination Center A Router with Multiple Interfaces -1 PUBLICNETWORKPUBLICNETWORK Your Domain Site Router

14 14 Carnegie Mellon University CERT Coordination Center A Router with Multiple Interfaces -2 Advantages ability to segment a site into distinct domains flexibility to create logical architectures single configuration file to maintain Disadvantages single point of failure convoluted configuration file possible confusion over interfaces vulnerabilities associated with the router

15 15 Carnegie Mellon University CERT Coordination Center Gateway/Proxy Services Between Dual Routers -1 PUBLICNETWORKPUBLICNETWORK Your Domain Firewall Router Site Router Proxy/ Gateway Proxy/ Gateway Proxy/ Gateway Proxy/ Gateway Proxies and Gateways

16 16 Carnegie Mellon University CERT Coordination Center Gateway/Proxy Services Between Dual Routers -2 Advantages ability to provide risky services application filtering possible allows you to hide many hosts behind the second router provides a good auditing point Disadvantages still a physical connection between routers may allow unprotected services and tunnelling throughrvice to “slip by” the proxy multiple configuration files to maintain

17 17 Carnegie Mellon University CERT Coordination Center A Gateway Separating Dual Routers (“belt and suspenders”) -1 PUBLICNETWORKPUBLICNETWORK Your Domain Firewall Router Site Router Filtering Gateway

18 18 Carnegie Mellon University CERT Coordination Center Gateway Separating Dual Routers -2 Advantages provides both logical and physical separation restricts services not addressed by the proxy or gateway system provides controlled functionality through the firewall supports a limited access policy (e.g., email only) excellent central point for accounting/monitoring Disadvantages limits functionality to available gateway/proxy software causes a bottleneck for traffic difficult to setup and maintain

19 19 Carnegie Mellon University CERT Coordination Center The Future of Firewalls Firewall technology relies on controlling access points to the network When access to the network becomes more distributed and ubiquitous, control becomes difficult Restrictive firewalls discourage network growth and development Trust in firewalls may cause a false sense of security

20 20 Carnegie Mellon University CERT Coordination Center Site Administrative Boundary PC LAN ISDN Telecomm Systems Mainframe With Dial-up PPP Multi-Protocol Router Workstation Dial-ins Mobile Computing

21 21 Carnegie Mellon University CERT Coordination Center Discussion If your security policy does not allow Java applets to be run on an internal network, is a proxy or filter more appropriate? Why? What are some of the issues involved in attempting to use a proxy to disallow Java applets? Presentation Opportunity: CERT report on State of the Art for Intrusion Detection Systems Firewall papers (many) Research CISCO PIX firewall product family and describe the features, performance, and reliability. Also describe how the PIX is configured and determine how easy this would fit into a complex architecture

Download ppt "1 Carnegie Mellon University CERT Coordination Center Firewalls Institute of Internal Auditors Advanced Technology Conference and InfoExpo September 21,"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Firewall Configuration Strategies

Firewall Configuration Strategies
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
1 Carnegie Mellon University CERT Coordination Center Firewalls CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh.

1 Carnegie Mellon University CERT Coordination Center Firewalls CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google