Firewalls
Chapter 5, Copyright Prentice-Hall 2003
Figure 5-1: Border Firewall
[Figure: the border firewall sits between the Internet (not trusted) and the internal corporate network (trusted). Inside are a hardened client PC and a hardened server; outside is an attacker. Crossing the firewall: a passed packet (egress), a passed packet (ingress), and an attack packet that is dropped (ingress). Dropped packets are recorded in the firewall's log file.]
Figure 5-2: Types of Firewall Inspection
Packet Inspection
- Examines IP, TCP, UDP, and ICMP header contents
- Static packet filtering looks at individual packets in isolation; it misses many attacks
- Stateful inspection inspects each packet in the context of its role in an ongoing or incipient conversation
- Stateful inspection is the preferred packet inspection method today
Figure 5-2: Types of Firewall Inspection
Application Inspection
- Examines application layer messages
- Stops some attacks that packet inspection cannot
Network Address Translation
- Hides the IP addresses of internal hosts to thwart sniffers
- Benignly spoofs source IP addresses in outgoing packets
Figure 5-2: Types of Firewall Inspection
Denial-of-Service Inspection
- Recognizes incipient DoS attacks and takes steps to stop them
- Limited to a few common types of attacks
Authentication
- Only packets from users who have proven their identity are allowed through
- Not commonly used, but can be valuable
Figure 5-2: Types of Firewall Inspection
Virtual Private Network Handling
- Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection
- VPN protection often works in parallel with other types of inspection instead of being integrated with them
Figure 5-2: Types of Firewall Inspection
Integrated Firewalls
- Most commercial products combine multiple types of filtering
- Some freeware and shareware firewall products offer only one type of filtering
Firewalls: Types of Firewalls / Inspection Methods / Firewall Architecture / Configuring, Testing, and Maintenance
Types of Firewalls
- Screening router firewalls
- Computer-based firewalls
- Firewall appliances
- Host firewalls (firewalls on clients and servers)
Figure 5-3: Firewall Hardware and Software
Screening Router Firewalls
- Add firewall software to the border router
- Usually provide light filtering only
- Expensive for the processing power obtained; usually the router hardware must be upgraded, too
- Screen out the incoming "noise" of simple scanning attacks, making the detection of serious attacks easier
- Good location for egress filtering: can eliminate scanning responses, even those sent by the router itself
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
- Add firewall software to a server running an existing operating system (Windows or UNIX)
- Can be purchased with enough processing power to handle any load
- Easy to use because administrators already know the operating system
- The firewall vendor might bundle the software with hardened hardware and a hardened operating system
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
- General-purpose operating systems result in slower processing
- Security: attackers may be able to hack the operating system, and then
  - change filtering rules to allow attack packets in
  - change filtering rules to drop legitimate packets
Figure 5-3: Firewall Hardware and Software
Firewall Appliances
- Boxes with minimal operating systems; therefore difficult to hack
- Setup is minimal
- Not customized to the specific firm's situation
- Must still be possible to update them (patches and rule updates)
Figure 5-3: Firewall Hardware and Software
Host Firewalls
- Installed on the hosts themselves (servers and sometimes clients)
- Enhanced security because of host-specific knowledge
- For example, on a webserver, filter out everything but webserver traffic
Figure 5-3: Firewall Hardware and Software
Host Firewalls
- Defense in depth: normally used in conjunction with other firewalls
- On a single host computer attached directly to the Internet, the host firewall might be the only firewall
Figure 5-3: Firewall Hardware and Software
Host Firewalls
- If not centrally managed, configuration can be a nightmare, especially if rule sets change frequently
- Client firewalls typically must be configured by ordinary users, who might misconfigure or reject the firewall
- Remote employee computers need to be centrally managed
Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering
[Figure: performance requirements rise with traffic volume (packets per second) and with the complexity of filtering (number of filtering rules, complexity of the rules, etc.).]
Firewalls: Types of Firewalls / Inspection Methods / Firewall Architecture / Configuring, Testing, and Maintenance
Inspection Methods
- Static Packet Inspection
- Stateful Packet Inspection
- NAT
- Application Firewalls
Figure 5-5: Static Packet Filter Firewall
[Figure: packets arriving from the Internet are examined one at a time, in isolation; only the IP, TCP, UDP and ICMP headers are examined. A packet with IP and TCP headers plus an application message and a packet with IP and UDP headers plus an application message are permitted (passed) into the corporate network; a packet with an IP header and an ICMP message is denied (dropped). Decisions are written to the log file.]
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = *.* to *.*, DENY [private IP address range]
3. If source IP address = *.*, DENY [private IP address range]
4. If source IP address = *.*, DENY [internal address range]
5. If source IP address = , DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination IP address = AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = *.* to *.*, DENY [private IP address range]
3. If source IP address = *.*, DENY [private IP address range]
4. If source IP address NOT = *.*, DENY [not in internal address range]
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source IP address = and TCP source port = 80 OR 443, PASS [public webserver]
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65535, PASS [allow outgoing client connections]
12. If UDP source port = through 65535, PASS [allow outgoing client connections]
13. DENY ALL
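The two ACLs above are ordered lists in which the first matching rule decides, so the order is part of the policy (rule 7 must sit before rule 8 or the webserver becomes unreachable). The following is an added example, not code from the textbook or any router: it evaluates both lists as the figures specify, with the addresses the figures leave blank replaced by documentation-range placeholders (internal range 203.0.113.0/24, public webserver 203.0.113.80, black-holed attacker 198.51.100.66), all assumptions chosen for the demonstration.

```python
"""First-match evaluation of ordered ACLs in the style of Figures 5-6 and 5-7.
Added example, not textbook code. INTERNAL, WEBSERVER and BLACKHOLE are
placeholder documentation addresses standing in for the blanks in the figures."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INTERNAL = "203.0.113.0/24"       # placeholder: the firm's own address range
WEBSERVER = "203.0.113.80/32"     # placeholder: the public webserver
BLACKHOLE = "198.51.100.66/32"    # placeholder: black-holed attacker address

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    action: str                    # "pass" or "deny"
    note: str = ""
    src: Optional[str] = None      # CIDR prefix; None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    sports: Optional[set] = None   # set of ports; None matches any port
    dports: Optional[set] = None
    flags: dict = field(default_factory=dict)   # e.g. {"syn": True, "ack": False}
    icmp_type: Optional[int] = None
    negate_src: bool = False       # True turns the src test into "NOT in prefix"

    def matches(self, p: Packet) -> bool:
        if self.src is not None:
            inside = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            if inside == self.negate_src:      # on the wrong side of the prefix test
                return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return all(getattr(p, name) == want for name, want in self.flags.items())

def evaluate(acl: list, p: Packet) -> tuple:
    """Try the rules in order; the first match decides. Returns (action, rule number),
    numbering rules from 1 as the figures do, with None for the implicit DENY ALL."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(p):
            return rule.action, number
    return "deny", None

def ports(lo: int, hi: int) -> set:
    return set(range(lo, hi + 1))  # inclusive port range

INGRESS = [   # Figure 5-6
    Rule("deny", "private range", src="10.0.0.0/8"),
    Rule("deny", "private range", src="172.16.0.0/12"),
    Rule("deny", "private range", src="192.168.0.0/16"),
    Rule("deny", "spoofed internal address", src=INTERNAL),
    Rule("deny", "black-holed attacker", src=BLACKHOLE),
    Rule("deny", "crafted SYN/FIN packet", proto="tcp", flags={"syn": True, "fin": True}),
    Rule("pass", "public webserver", dst=WEBSERVER, proto="tcp", dports={80, 443}),
    Rule("deny", "connection opened from outside", proto="tcp", flags={"syn": True, "ack": False}),
    Rule("deny", "FTP data", proto="tcp", dports={20}),
    Rule("deny", "FTP control", proto="tcp", dports={21}),
    Rule("deny", "Telnet", proto="tcp", dports={23}),
    Rule("deny", "NetBIOS", proto="tcp", dports=ports(135, 139)),
    Rule("deny", "rlogin", proto="tcp", dports={513}),
    Rule("deny", "rsh", proto="tcp", dports={514}),
    Rule("deny", "SSH", proto="tcp", dports={22}),
    Rule("deny", "TFTP", proto="udp", dports={69}),
    Rule("pass", "echo reply", proto="icmp", icmp_type=0),
]             # followed by the implicit DENY ALL

EGRESS = [    # Figure 5-7
    Rule("deny", "private range", src="10.0.0.0/8"),
    Rule("deny", "private range", src="172.16.0.0/12"),
    Rule("deny", "private range", src="192.168.0.0/16"),
    Rule("deny", "source not in internal range", src=INTERNAL, negate_src=True),
    Rule("pass", "echo request", proto="icmp", icmp_type=8),
    Rule("deny", "all other ICMP", proto="icmp"),
    Rule("deny", "outgoing RST, used in host scanning", proto="tcp", flags={"rst": True}),
    Rule("pass", "public webserver replies", src=WEBSERVER, proto="tcp", sports={80, 443}),
    Rule("deny", "well-known and registered ports", proto="tcp", sports=ports(0, 49151)),
    Rule("deny", "well-known and registered ports", proto="udp", sports=ports(0, 49151)),
    Rule("pass", "client connections", proto="tcp", sports=ports(49152, 65535)),
    Rule("pass", "client connections", proto="udp", sports=ports(49152, 65535)),
]             # followed by the explicit DENY ALL
```

Running `evaluate(INGRESS, ...)` on a SYN/ACK that an external server sends back to an internal client's ephemeral port shows the limit of a stateless list: nothing in Figure 5-6 passes it, so the ingress ACL as written admits only webserver connections and echo replies. Letting such replies in without opening the network to outside-initiated connections is exactly what the stateful inspection slides that follow address.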
Figure 5-8: Stateful Inspection Firewalls
- State of a connection: open or closed
- State: the order of a packet within a dialog; often simply whether the packet is part of an open connection
Figure 5-8: Stateful Inspection Firewalls
Stateful Firewall Operation
- For TCP, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
- By default, permit connections from internal clients (on the trusted network) to external servers (on the untrusted network)
- This default behavior can be changed with an ACL
- Accept future packets between these hosts and ports with little or no inspection
Figure 5-9: Stateful Inspection Firewall Operation I
[Figure: 1. The internal client PC sends a TCP SYN segment from its port 62600 to port 80 on an external webserver. 2. The stateful firewall establishes the connection (outgoing connections are allowed by default) and adds a row to its connection table: Type TCP, Internal Port 62600, External Port 80, Status OK. 3. The SYN segment is forwarded to the webserver. 4. The webserver returns a TCP SYN/ACK segment from port 80 to port 62600. 5. The firewall checks the connection table and finds the connection OK. 6. The SYN/ACK segment is forwarded to the internal client PC.]
Figure 5-8: Stateful Inspection Firewalls
Stateful Firewall Operation
- For UDP, also record the two IP addresses and port numbers in the state table
Connection table:
Type | Internal IP | Internal Port | External IP | External Port | Status
TCP  |             | 62600         |             | 80            | OK
UDP  |             | 63206         |             | 69            | OK
Figure 5-8: Stateful Inspection Firewalls
Static Packet Filter Firewalls Are Stateless
- Filter one packet at a time, in isolation
- If a TCP SYN/ACK segment arrives, cannot tell whether there was a previous SYN to open a connection
- But stateful firewalls can (Figure 5-10)
Figure 5-10: Stateful Firewall Operation II
[Figure: 1. An attacker spoofing the external webserver sends a TCP SYN/ACK segment from port 80 to port 64640 on the internal client PC. 2. The stateful firewall checks its connection table (TCP, internal port 62600, external port 80, OK; UDP, internal port 63206, external port 69, OK); no connection matches, so the segment is dropped.]
Figure 5-8: Stateful Inspection Firewalls
Static Packet Filter Firewalls Are Stateless
- Filter one packet at a time, in isolation
- Cannot deal with port-switching applications
- But stateful firewalls can (Figure 5-11)
Figure 5-11: Port-Switching Applications with Stateful Firewalls
[Figure: 1. The internal client PC sends a TCP SYN segment from port 62600 to port 21 on an external FTP server. 2. The stateful firewall establishes the connection and records it in its state table (TCP, internal port 62600, external port 21, OK). 3. The SYN segment is forwarded to the FTP server. 4. The FTP server returns a TCP SYN/ACK from port 21 to port 62600, indicating that port 20 and a second port will be used for data transfers. 5. To allow the transfer, the firewall establishes a second connection and adds a second row (TCP, internal port 55336, external port 20, OK). 6. The SYN/ACK is forwarded to the internal client PC.]
Figure 5-8: Stateful Inspection Firewalls
Stateful Inspection Access Control Lists (ACLs)
- Primarily allow or deny applications
- Simple, because probing attacks that are not part of conversations do not need specific rules; they are dropped automatically
- In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
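The behaviour described in Figures 5-8 through 5-11 and in the ACL slide above comes down to one connection table consulted on every packet. The following is an added example, not code from the textbook or a firewall vendor, that implements it: outbound openings create table rows, packets matching a row pass, and anything else from the untrusted side is dropped without a specific rule, which is why the spoofed SYN/ACK of Figure 5-10 and a probe to an internal port need no ACL entry. For the port switch of Figure 5-11 it models the application-aware helper real stateful firewalls use for active-mode FTP: it reads the PORT command the client sends on the control channel and pre-authorizes the server's data connection from port 20 to the port named. The internal range 203.0.113.0/24 and the hosts used in the test are placeholders.

```python
"""Stateful inspection with a connection table (Figures 5-8 to 5-11).
Added example, not textbook code. Addresses are placeholders; the FTP helper
models what a stateful firewall does for active-mode FTP's second connection."""
import ipaddress
import re
from dataclasses import dataclass

PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # active-mode FTP

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

class StatefulFirewall:
    def __init__(self, internal_net: str):
        self.net = ipaddress.ip_network(internal_net)
        self.table = {}        # (proto, int ip, int port, ext ip, ext port) -> "OK"
        self.expected = set()  # data connections announced over an FTP control channel

    def is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.net

    def key(self, p: Packet) -> tuple:
        """Connection-table key, always written from the internal host's side."""
        if self.is_internal(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return "pass" or "drop" for one packet, updating the table as a side effect."""
        k = self.key(p)
        outbound = self.is_internal(p.src)
        if k in self.table:                       # part of an open conversation
            if outbound:
                self.note_ftp_port(p)
            return "pass"
        if k in self.expected:                    # the server opening an announced FTP data connection
            self.expected.discard(k)
            self.table[k] = "OK"
            return "pass"
        # A new conversation is allowed only from the trusted side (Figure 5-9), and for
        # TCP it must begin with a bare SYN. A SYN/ACK, ACK or data segment with no
        # matching row is a probe or a spoof (Figure 5-10) and is dropped with no rule.
        if not outbound:
            return "drop"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "drop"
        self.table[k] = "OK"
        return "pass"

    def note_ftp_port(self, p: Packet) -> None:
        """On an outbound FTP control segment, pre-authorize the server's data connection
        (from its port 20 to the port the client named) so the port switch is not blocked."""
        if p.proto != "tcp" or p.dport != 21:
            return
        m = PORT_CMD.match(p.payload)
        if not m:
            return
        ip = ".".join(m.group(i).decode() for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if ip != p.src:        # refuse to open a hole toward a third host (FTP bounce)
            return
        self.expected.add(("tcp", p.src, port, p.dst, 20))
```

The PORT address check matters: without it a client (or malware on it) could announce a third host's address and have the firewall open an inbound path to that host. A production firewall also ages rows out and removes them on FIN or RST; that bookkeeping is omitted here.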
Figure 5-12: Network Address Translation (NAT)
[Figure: 1. An internal client sends a packet from its own address, port 61000. 2. The NAT firewall rewrites the source to its own external address, port 55380, and records the pair in its translation table (Internal IP address and port 61000; External IP address and port 55380). 3. The server's reply is addressed to the external address, port 55380. 4. The firewall looks up port 55380, restores the internal address and port 61000, and delivers the packet to the client. A sniffer on the Internet sees only the firewall's external address.]
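The translation table in Figure 5-12 is the whole mechanism. The following added example, not code from the textbook or a NAT product, implements port-translating NAT as the figure shows it: outbound packets get the firewall's address and a fresh port, replies are matched on that port and the external peer and restored, and an inbound packet with no table row has no internal host to go to and is dropped. The public address 198.51.100.1, the internal range 192.168.1.0/24 and the starting port 55380 are placeholders.

```python
"""Port-translating NAT (NAPT) as in Figure 5-12.
Added example, not textbook code; addresses and the first translated port
are placeholders chosen for the demonstration."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

class NatFirewall:
    def __init__(self, public_ip: str, internal_net: str, first_port: int = 55380):
        self.public_ip = public_ip
        self.net = ipaddress.ip_network(internal_net)
        self.next_port = first_port
        self.outbound = {}   # (proto, int ip, int port, ext ip, ext port) -> translated port
        self.inbound = {}    # (proto, translated port, ext ip, ext port) -> (int ip, int port)

    def translate(self, p: Packet) -> Optional[Packet]:
        """Rewrite one packet; None means the packet was dropped."""
        if ipaddress.ip_address(p.src) in self.net:
            return self._outbound(p)
        return self._inbound(p)

    def _outbound(self, p: Packet) -> Packet:
        k = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.outbound.get(k)
        if port is None:                          # first packet of a flow: allocate a row
            port = self.next_port
            self.next_port += 1
            self.outbound[k] = port
            self.inbound[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        # A sniffer on the Internet sees only the firewall's public address and port.
        return replace(p, src=self.public_ip, sport=port)

    def _inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        row = self.inbound.get((p.proto, p.dport, p.src, p.sport))
        if row is None:                           # unsolicited: no internal host to deliver to
            return None
        ip, port = row
        return replace(p, dst=ip, dport=port)
```

Keying the inbound lookup on the external peer as well as the translated port means a different host cannot reuse a port it observed to reach the client. NAT still examines nothing beyond the addresses and ports, which is why the slides list it as one inspection type to be combined with the others rather than a substitute for them.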
Figure 5-13: Application Firewall Operation
[Figure: the application firewall hosts an HTTP proxy, an FTP proxy and an SMTP proxy. For HTTP: 1. the browser on the client PC sends an HTTP request to the HTTP proxy; 2. the proxy filters it; 3. the examined HTTP request is sent on to the webserver application; 4. the webserver's HTTP response comes back to the proxy; 5. the proxy filters it (on POST, hostname, URL, MIME type, etc.); 6. the examined HTTP response is delivered to the browser. The FTP proxy applies outbound filtering on PUT; the SMTP proxy applies inbound and outbound filtering on obsolete commands and content.]
Figure 5-14: Header Destruction With Application Firewalls
[Figure: an attacker's packet arrives at the application firewall with its original IP header, original TCP header and application message (HTTP). The application firewall strips the original headers and creates a new packet with a new IP header and a new TCP header around the application message before forwarding it to the webserver. This stops all header-based packet attacks.]
Figure 5-15: Protocol Spoofing
[Figure: 1. A Trojan horse on an internal client PC transmits to the attacker on port 80 to get through a simple packet filter firewall. 2. The application firewall recognizes that the protocol is not HTTP and stops the transmission.]
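Figures 5-13 to 5-15 describe three things an HTTP proxy does: it filters on method, hostname, URL and MIME type; it never forwards the arriving packet's headers, because it terminates the connection and rebuilds the message itself; and it refuses traffic on port 80 that is not HTTP. The following added example, not code from the textbook or any proxy product, does all three at the HTTP-message level: it parses the request, applies a policy, and writes a fresh request from the parsed fields so that unknown headers and an untrusted Content-Length never reach the server. The allowed methods, blocked host, allowed POST content types and header whitelist are placeholder policy values.

```python
"""Application-layer inspection and message rebuilding for HTTP (Figures 5-13 to 5-15).
Added example, not textbook code. The policy constants are placeholders."""
import re
from typing import Optional, Tuple

REQUEST_LINE = re.compile(rb"^([A-Z]+) (/\S*) HTTP/1\.[01]$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}            # PUT, TRACE, CONNECT etc. are refused
BLOCKED_HOSTS = {b"malware.example"}                     # placeholder hostname policy
POST_TYPES = {b"application/x-www-form-urlencoded", b"application/json"}
KEPT_HEADERS = (b"host", b"user-agent", b"accept", b"content-type")

def inspect_request(raw: bytes) -> Tuple[str, Optional[bytes]]:
    """Parse an HTTP request, apply the policy and rebuild it from the parsed fields.
    Returns ("pass", rebuilt request) or ("drop: reason", None)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "drop: not HTTP", None                # Figure 5-15: a Trojan talking on port 80
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "drop: not HTTP", None
    method, path = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return "drop: malformed header", None
        headers[name.strip().lower()] = value.strip()
    if method not in ALLOWED_METHODS:
        return "drop: method " + method.decode(), None
    host = headers.get(b"host")
    if host is None:
        return "drop: no Host header", None
    if host.lower() in BLOCKED_HOSTS:
        return "drop: blocked host", None
    if b".." in path:
        return "drop: path traversal", None
    if method == b"POST" and headers.get(b"content-type", b"").split(b";")[0] not in POST_TYPES:
        return "drop: POST content type", None
    # Header destruction at the application layer (Figure 5-14): the outgoing request is
    # written fresh from the parsed fields. Headers not on the whitelist never reach the
    # server, and Content-Length is recomputed from the body rather than trusted.
    out = [method + b" " + path + b" HTTP/1.1"]
    for name in KEPT_HEADERS:
        if name in headers:
            out.append(name.title() + b": " + headers[name])
    if method == b"POST":
        out.append(b"Content-Length: " + str(len(body)).encode())
    return "pass", b"\r\n".join(out) + b"\r\n\r\n" + body
```

The proxy's own TCP/IP stack supplies the new IP and TCP headers when it sends the rebuilt request, which is the packet-level header destruction Figure 5-14 draws; the code above shows the same discipline applied to the HTTP message itself.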
Figure 5-16: Circuit Firewall
[Figure: 1. An external client authenticates to the circuit firewall (SOCKS v5). 2. The client transmits. 3. The firewall passes the transmission to the webserver with no filtering. 4. The webserver replies. 5. The reply is passed back with no filtering.]
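Figure 5-16 is the SOCKS v5 handshake: the client negotiates an authentication method, proves its identity, names the destination it wants, and from then on the gateway relays bytes without inspecting them. The following added example, not code from the textbook or any SOCKS implementation, is the gateway's side of that exchange with the message formats of RFC 1928 (handshake and CONNECT request) and RFC 1929 (username/password). The user database and the 0.0.0.0:0 bound address in the reply are placeholders.

```python
"""Circuit-level gateway: the SOCKS v5 handshake of Figure 5-16 (RFC 1928 / RFC 1929).
Added example, not textbook code. The user database and the bound address reported
in the reply are placeholders."""
import socket
import struct
from typing import Optional

VER, CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x05, 0x01, 0x01, 0x03, 0x04
METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x02, 0xFF

class Socks5Gateway:
    """Server side of one SOCKS5 session: authenticate, record the requested
    destination, then relay bytes without looking at them."""

    def __init__(self, users: dict):
        self.users = users          # placeholder credential store: username -> password
        self.state = "greeting"
        self.user = None
        self.target = None

    def handle(self, data: bytes) -> bytes:
        """Process one client message of the handshake and return the gateway's reply."""
        if self.state == "greeting":
            return self._greeting(data)
        if self.state == "auth":
            return self._auth(data)
        if self.state == "request":
            return self._request(data)
        raise ValueError("no handshake in progress: state " + self.state)

    def _greeting(self, data: bytes) -> bytes:
        # VER | NMETHODS | METHODS...   Step 1: the gateway insists on username/password.
        if len(data) < 2 or data[0] != VER or len(data) != 2 + data[1] or METHOD_USERPASS not in data[2:]:
            self.state = "closed"
            return bytes([VER, METHOD_NONE_ACCEPTABLE])
        self.state = "auth"
        return bytes([VER, METHOD_USERPASS])

    def _auth(self, data: bytes) -> bytes:
        # RFC 1929: 0x01 | ULEN | UNAME | PLEN | PASSWD
        try:
            ulen = data[1]
            uname = data[2:2 + ulen].decode()
            plen = data[2 + ulen]
            passwd = data[3 + ulen:3 + ulen + plen].decode()
            ok = data[0] == 0x01 and len(data) == 3 + ulen + plen and self.users.get(uname) == passwd
        except (IndexError, UnicodeDecodeError):
            ok = False
        if not ok:
            self.state = "closed"
            return b"\x01\x01"            # non-zero status: the gateway closes the connection
        self.user = uname
        self.state = "request"
        return b"\x01\x00"

    @staticmethod
    def _parse_addr(atyp: int, body: bytes) -> tuple:
        if atyp == ATYP_IPV4:
            return socket.inet_ntoa(body[:4]), body[4:]
        if atyp == ATYP_DOMAIN:
            return body[1:1 + body[0]].decode(), body[1 + body[0]:]
        if atyp == ATYP_IPV6:
            return socket.inet_ntop(socket.AF_INET6, body[:16]), body[16:]
        raise ValueError("address type not supported")

    def _request(self, data: bytes) -> bytes:
        # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT   Step 2: where the client wants to go.
        if len(data) < 4 or data[0] != VER or data[2] != 0x00:
            self.state = "closed"
            return self._reply(0x01)      # general SOCKS server failure
        try:
            addr, rest = self._parse_addr(data[3], data[4:])
        except (ValueError, OSError, IndexError):
            self.state = "closed"
            return self._reply(0x08)      # address type not supported
        if data[1] != CONNECT or len(rest) != 2:
            self.state = "closed"
            return self._reply(0x07)      # command not supported (BIND, UDP ASSOCIATE)
        self.target = (addr, struct.unpack("!H", rest)[0])
        self.state = "relay"
        return self._reply(0x00)

    def _reply(self, rep: int) -> bytes:
        # Placeholder bound address 0.0.0.0:0; a real gateway reports the socket it opened.
        return bytes([VER, rep, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00" + b"\x00\x00"

    def relay(self, data: bytes) -> Optional[bytes]:
        """Steps 3 and 5 of Figure 5-16: once the circuit exists, bytes pass unfiltered.
        Before that, nothing is passed at all."""
        return data if self.state == "relay" else None
```

`relay` returning the bytes untouched is the point of the figure: a circuit firewall decides who may talk and to where, and then performs no application inspection, so it is normally paired with the other inspection types rather than used alone.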
Firewalls: Types of Firewalls / Inspection Methods / Firewall Architecture / Configuring, Testing, and Maintenance
Firewall Architecture
- Single site in a large organization
- Home firewall
- SOHO firewall router
- Distributed firewall architecture
Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site
[Figure: 1. A screening router faces the Internet; its last rule is Permit All. 2. A main firewall follows; its last rule is Deny All. 3. An internal firewall separates an internal subnet (a marketing client and an accounting server) from the rest of the network. 4. A client host firewall runs on the marketing client. 5. A server host firewall runs on the accounting server. 6. A DMZ subnet holds the public webserver, the external DNS server, the SMTP relay proxy and the HTTP proxy server.]
Figure 5-18: Home Firewall
[Figure: a home PC running a PC firewall connects by UTP cord to a broadband modem, which connects by coaxial cable to the Internet service provider over an always-on connection.]
Figure 5-19: SOHO Firewall Router
[Figure: user PCs connect by UTP to an Ethernet switch, which connects to a SOHO router (DHCP server, NAT firewall, and limited application firewall), then to a broadband modem (DSL or cable) and on to the Internet service provider. Many access routers combine the router and Ethernet switch in a single box.]
Figure 5-20: Distributed Firewall Architecture
[Figure: the firewalls at Site A, Site B and a home PC, all reachable over the Internet, are administered from a single management console.]
Figure 5-21: Other Security Architecture Issues
- Host and application security (Chapters 6 and 9)
- Antivirus protection (Chapter 4)
- Intrusion detection systems (Chapter 10)
- Virtual private networks (Chapter 8)
- Policy enforcement system
Firewalls: Types of Firewalls / Inspection Methods / Firewall Architecture / Configuring, Testing, and Maintenance
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Firewall Misconfiguration Is a Serious Problem
- ACL rules are executed in series: the first rule that matches decides
- Easy to create misordering problems
- Easy to make syntax errors
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Create Policies Before ACLs
- Policies are easier to read than ACLs
- Can be reviewed by others more easily than ACLs
- Policies drive ACL development
- Policies also drive testing
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Must Test Firewalls with Security Audits
- The only way to tell whether policies are actually being supported
- Must be driven by policies
Maintaining Firewalls
- New threats appear constantly
- ACLs must be updated constantly if the firewall is to remain effective
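The misordering problem named above has a mechanical form: because rules are executed in series, a rule placed after a broader one that matches everything it matches can never fire, and if the two rules' actions differ the policy the later rule was written for is silently lost. The following added example, not code from the textbook or a firewall vendor, checks an ACL for that condition before it is deployed; the two ACLs at the bottom are constructed for the demonstration, with 203.0.113.80 as a placeholder public webserver.

```python
"""Detecting misordered (shadowed) ACL rules before the ACL is deployed.
Added example, not textbook code. MISORDERED and CORRECTED are constructed
ACLs; WEBSERVER is a placeholder address."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "deny"
    proto: Optional[str] = None            # None = any protocol
    src: Optional[str] = None              # CIDR; None = any source
    dst: Optional[str] = None
    dports: Tuple[int, int] = (0, 65535)   # inclusive destination-port range

def _prefix_covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def covers(earlier: Rule, later: Rule) -> bool:
    """True when `earlier` matches every packet `later` matches."""
    return (
        (earlier.proto is None or earlier.proto == later.proto)
        and _prefix_covers(earlier.src, later.src)
        and _prefix_covers(earlier.dst, later.dst)
        and earlier.dports[0] <= later.dports[0]
        and later.dports[1] <= earlier.dports[1]
    )

def find_shadowed(acl: list) -> list:
    """Return (later index, earlier index, kind) for every rule an earlier rule hides.
    kind is "conflict" when the actions differ (the later rule's intent is defeated)
    and "redundant" when they agree. The check is pairwise, so it misses a rule hidden
    only by the union of several earlier rules: a clean report is necessary, not
    sufficient, for a correctly ordered ACL."""
    findings = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                kind = "redundant" if acl[i].action == later.action else "conflict"
                findings.append((j, i, kind))
                break
    return findings

WEBSERVER = "203.0.113.80/32"   # placeholder public webserver
MISORDERED = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", proto="tcp", dports=(0, 49151)),               # blanket deny placed first...
    Rule("pass", proto="tcp", dst=WEBSERVER, dports=(80, 80)),  # ...so this can never fire
    Rule("deny", src="10.1.0.0/16"),                             # already covered by the first rule
]
CORRECTED = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("pass", proto="tcp", dst=WEBSERVER, dports=(80, 80)),
    Rule("deny", proto="tcp", dports=(0, 49151)),
]
```

Running the lint as part of the review that the "create policies before ACLs" slide calls for catches the ordering mistake on paper; the security audit the next slide describes is still needed, because the lint says nothing about whether the rules that do fire implement the policy.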
Figure 5-23: FireWall-1 Modular Management Architecture
[Figure: an application module (GUI) is used to create and edit policies and to read log files. The management module stores the policies and the log files. Each firewall module receives its policy from the management module, enforces the policy, and sends log entries back to the management module.]
Figure 5-24: FireWall-1 Service Architecture
[Figure: 1. A packet arrives from an external server at the FireWall-1 firewall. 2. The packet is statefully filtered. 3. DoS protection and optional authentication are applied. 4. Over the Content Vectoring Protocol, the statefully filtered packet can be handed to a third-party application inspection firewall; the statefully filtered packet, plus application inspection, is then delivered to the internal client.]
Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls
[Figure: the outside (Internet) interface has security level 0, the inside interface has security level 100, and a third internal network has security level 60. Connections are allowed from more secure networks to less secure networks: a connection from a higher security level to a lower one is automatically accepted, and a connection from a lower security level to a higher one is automatically rejected.]