Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls CS461/ECE422 Spring 2012. Reading Material Text chapter 9 “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin,

Published byAnnabelle Holland Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewalls CS461/ECE422 Spring 2012. Reading Material Text chapter 9 “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin,"— Presentation transcript:

1 Firewalls CS461/ECE422 Spring 2012

2 Reading Material Text chapter 9 “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin, and Rubin.

3 Firewall Goal Insert after the fact security by wrapping or interposing a filter on network traffic

4 Firewall Requirements All traffic between network section A and network section B (and visa versa) must pass through the firewall (or a consistently controlled set of firewalls) Only authorized traffic (as specified by the security policy) is allowed to pass The firewall itself is immune to penetration

5 “Typical” corporate network Web Server Mail forwarding Mail server DNS (internal) DNS (DMZ) Internet File Server User machines Web Server Demilitarized Zone (DMZ) Intranet Firewall

6 Packet Filter Firewall Operates at Layer 3 in router or HW firewall Has access to the Layer 3 header and Layer 4 header Can block traffic based on source and destination address, ports, and protocol Does not reconstruct Layer 4 payload, so cannot do reliable analysis of layer 4 or higher content

7 Rule Scenario

8 Example Packet Filter Rules Rules attached to outside interface Rules attached to inside interface ActionSource Addr Src port Dest AddrDest Port ProtocolComment BlockOutside host****Don’t trust Allow**Our Mail Server 25TcpAllow mail traffic ActionSource Addr Source Port Dest AddrDest PortProtocolComment Block**Outside host **Don’t trust AllowOur Mail Server 25**TcpAllow Mail traffic

9 Same Rules in iptables Rules in the filter table -A FORWARD –p ip -s outside_host –j REJECT -A FORWARD –p ip –d outside_host –j REJECT -A FORWARD –i outside –p tcp –d our_mail_server –m tcp --dport 25 –j ACCEPT -A FORWARD –i inside –p tcp –s our_mail_server –m tcp --sport 25 –j ACCEPT -A FORWARD –j REJECT

10 More Example Pack Filter Rules Rules attached to inside interface Rules attached to outside interface ActionSource Addr Source Port Dest Addr Dest Port ProtoComment Allow***25TCPAllow traffic to all mail servers ActionSource Addr Source Port Dest Addr Dest Port ProtoComment Allow*25**TCPAllow return traffic from all mail servers

11 A Better Example Rules attached to inside interface Rules attached to outside interface ActionSource Addr Source Port Dest Addr Dest Port ProtoComment AllowInside networks **25TCPAllow traffic to all mail servers ActionSource Addr Source Port Dest Addr Dest Port ProtoFlagsComment Allow*25Inside networks *TCPACKAllow return traffic from all mail servers

12 FTP Example Rules attached to inside interface Rules attached to outside interface ActionSource Addr Source Port Dest Addr Dest Port ProtoFlagsComment AllowInside networks **21TCPAllow Control channel traffic out AllowInside networks > 1024**TCPACKAllow data traffic back ActionSource Addr Source Port Dest Addr Dest Port ProtoFlagsComment Allow*21Inside networks *TCPACKAllow return traffic for FTP control channel Allow**Inside networks >1024TCPInitiate data traffic

13 Stateful Inspection Firewall Evolved as packet filters aimed for proxy functionality In addition to Layer 3 reassembly, it can reconstruct layer 4 traffic Some application layer analysis exists, e.g., for HTTP, FTP, H.323 – Called context-based access control (CBAC) on IOS – Configured by fixup command on PIX Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels Reconstruction and analysis can be expensive. – Must be configured on specified traffic streams – At a minimum the user must tell the Firewall what kind of traffic to expect on a port – Degree of reconstruction varies per platform, e.g. IOS does not do IP reassembly

14 Circuit Firewall Actually creates two separate TCP connections – Completely reconstructs TCP connections – SOCKS is an example implementation

15 Example Stateful Rules Rules attached to outside interface Rules attached to inside interface ActionSource Addr Src port Dest AddrDest Port ProtocolComment BlockOutside host****Don’t trust Allow**Our Mail Server 25TcpAllow mail traffic ActionSource Addr Source Port Dest AddrDest PortProtocolComment Block**Outside host **Don’t trust

16 Same Rules in iptables Rules in the filter table -A FORWARD –p ip -s outside_host –j REJECT -A FORWARD –p ip –d outside_host –j REJECT -A FORWARD –m state --state ESTABLISHED, RELATED – j ACCEPT -A FORWARD –i outside –m state –state NEW –p tcp – d our_mail_server –m tcp --dport 25 –j ACCEPT -A FORWARD –j REJECT

17 Application Proxy Firewall Firewall software runs in application space on the firewall The traffic source must be aware of the proxy and add an additional header Now transparent proxy support is available (TPROXY) Leverage basic network stack functionality to sanitize application level traffic – Block java or active X – Filter out “bad” URLs – Ensure well formed protocols or block suspect aspects of protocol

18 Traffic reconstruction

19 Ingress and Egress Filtering Ingress filtering – Filter out packets from invalid addresses before entering your network Egress filtering – Filter out packets from invalid addresses before leaving your network

20 Denial of Service Example attacks – Smurf Attack – TCP SYN Attack – Teardrop DoS general exploits resource limitations – Denial by Consumption – Denial by Disruption – Denial by Reservation

21 Teardrop Attack Send series of fragments that don't fit together – Poor stack implementations would crash – Early windows stacks Offset 0, len 60 Offset 30, len 90 Offset 41, len 173

22 Address Translation Traditional NAT RFC 3022 Reference RFC Map real address to alias address – Real address associated with physical device, generally an unroutable address – Alias address generally a routeable associated with the translation device Originally motivated by limited access to publicly routable IP addresses – Folks didn’t want to pay for addresses and/or hassle with getting official addresses Later folks said this also added security – By hiding structure of internal network – Obscuring access to internal machines Adds complexity to firewall technology – Must dig around in data stream to rewrite references to IP addresses and ports – Limits how quickly new protocols can be firewalled

23 Address Hiding (NAPT) Many to few dynamic mapping – Packets from a large pool of private addresses are mapped to a small pool of public addresses at runtime Port remapping makes this sharing more scalable – Two real addresses can be rewritten to the same alias address – Rewrite the source port to differentiate the streams Traffic must be initiated from the real side Called masquerading in iptables if the interface IP is used for the alias address

24 NAT example

25 Static Mapping One-to-one fixed mapping – One real address is mapped to one alias address at configuration time – Traffic can be initiated from either side Used to statically map out small set of servers from a network that is otherwise hidden Static port remapping is also available

26 NAT example

27 Deployment Hardware Firewall – Buy firewall from vendor They provide software and hardware Depending on cost, may include hardware accelerators Software Firewall on hardened bastion server – Buy software from vendor or use open source – Harden server to reduce attack surface Host-based firewall – Additional layer of defense for application server Personal firewall – Protect desktops/laptops from undesired probing

28 DMZ Network Web Server Mail forwarding Mail server DNS (internal) DNS (DMZ) Internet File Server User machines Web Server Demilitarized Zone (DMZ) Intranet Firewall

29 VPN Network

30 Distributed Firewalls

31 Intrusion Prevention Discussed in the Intrusion Detection lecture Enables more dynamic rules and access rules that rely on more communication details – Can download new signatures or adapt anomaly rules on a daily basis

32 Unified Threat Management (UTM) Firewalls at the border provide a nice point for analysis – Might as well perform other analysis as long as flows have been tracked – Deploy one box instead of N boxes Additional actions could be – Virus scanning – URL filtering – IDS/IPS/anomaly detection – Spam filtering

33 Limits to firewalls Cannot analyze encrypted traffic – Beyond header information Everything is driven through port 80 – Relies on port as indicator of service – Newer firewalls dynamically analyze traffic to determine protocol Cannot react to new attacks on protocols that must be allowed – IPS can help Tracking IP addresses instead of people Costs too much to manage firewalls

34 Summary Different types of firewalls for different needs – Packet filtering/stateful/application – Network/Host/personal Firewalls have been a stalwart element of network security for decades – Not the end all solution – But still beneficial

Download ppt "Firewalls CS461/ECE422 Spring 2012. Reading Material Text chapter 9 “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin,"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewall Configuration Strategies

Firewall Configuration Strategies
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Guide to Computer Network Security

Guide to Computer Network Security
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google