
Slide 1: Firewalls
January 2009, Prof. Reuven Aviv

Slide 2: Outline
- What and where are firewalls
- Goals of a firewall
- Types of firewalls
  - Packet filter
  - Application level (proxy server) gateway

Slide 3: What and where are Firewalls?
[Diagram: the Internet (untrusted networks, servers and users) is connected through a firewall router to the intranet (trusted networks and users); publicly accessible servers and networks sit in a DMZ between the two.]
Goals?

Slide 4: Firewall Goals
The firewall is inserted between the premises network and the Internet.
Goals:
- Protect the premises network from Internet-based attacks
- Establish an access control gate
Exercise: name the types of traffic that the firewall passes or blocks.

Slide 5: Access Control Gate
[Diagram: Internet, firewall, DMZ network containing a web server pool.]
ALERT: How do we protect the firewall itself?

Slide 6: Access Control Functions
- Service control: which types of traffic to permit or deny, and in which direction
- User control: which user may reach which service (e.g. a list of denied websites)
- Application behaviour control (e.g. only filtered e-mail may come in)

Slide 7: Types of Firewalls
Two common types of firewall are considered in this course:
- Packet filtering
- Application-level gateways

Slide 8: Packet Filtering Firewalls
- Applies rules to each incoming or outgoing IP packet and then forwards or discards it
- Rules are based on fields in the IP or TCP header: IP addresses, port numbers, flags
- Two possible default policies for a packet that matches no rule: discard or forward

Slide 9: Packet Filter at the TCP/IP Level
[Diagram: the two end hosts implement Applications / Transport / Network / Data Link / Physical; the router/firewall between them implements only Network / Data Link / Physical, so the packet filter decides on network- and transport-layer header fields alone.]
Exercise: give examples of rules.

Slide 10: TCP/IP Packet
[Diagram: a data link layer frame carrying an IP datagram; the IP header is followed by the TCP header and the data.]
Data link layer header
IP header (one row per 32-bit word):
  Version | Type of Service | Total Length
  Identifier | Flags | Fragment Offset
  Time To Live | Protocol | Header Checksum
  Source Address
  Destination Address
  Options + Padding
TCP header:
  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Offset / Reserved | U A P R S F (URG, ACK, PSH, RST, SYN, FIN flags) | Window
  Checksum | Urgent Pointer
  Options + Padding
Data
Data link layer trailer

Slide 11: Basic Filtering Rules

Action  Internal                 Port  External     Port  Comment
Block   *                        *     134.72.5.1   *     Not trusted external host
Allow   Our mail server address  25    *            *     Mail transport allowed
Block   *                        *     *            *     Default: deny everything
Allow   *                        *     *            80    Allow HTTP connections to external web servers

Caveat: with first-match evaluation the "deny everything" row must be the last rule. Placed before the HTTP row, as it is written above, it would also block the web traffic the HTTP row is meant to permit.

Slide 12: Filtering Rules: Direction, Flags

Action  Src       Port  Dest      Port   Flag  Comment
Allow   Internal  *     External  25           Outgoing SMTP
Allow   *         25    *         *      ACK   SMTP ACK from outside
Allow   Internal  *     External  *            Allow all outgoing connections
Allow   External  *     Internal  *      ACK   ACKs for outgoing connections
Allow   *         *     *         >1024        Traffic to non-standard servers (dangerous)

The last row is dangerous because it is keyed only on the destination port: it lets any external host open a connection to any port above 1024 on any internal machine, not only to the intended non-standard server.
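To make the first-match semantics of the two tables concrete, here is an added example in Python, written for this page and not code from the slides. It encodes the slide 12 rules, classifies addresses as internal or external against an assumed premises prefix (10.1.0.0/16), and checks the TCP flag column; every address, port and packet in it is constructed. It also shows two things the tables alone do not: a rule that only checks the ACK bit admits any externally originated packet whose sender sets ACK, and a "deny everything" row placed before an allow row shadows it.

```python
# Added example (not from the slides): stateless, first-match packet filter
# modelled on the slide 12 rule table.  Addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("10.1.0.0/16")]   # assumed premises network


def side(addr: str) -> str:
    """Classify an address as 'Internal' or 'External'."""
    a = ip_address(addr)
    return "Internal" if any(a in n for n in INTERNAL_NETS) else "External"


@dataclass(frozen=True)
class Rule:
    action: str                 # "Allow" or "Block"
    src: str                    # "*", "Internal", "External" or a literal address
    sport: str                  # "*", "25", ">1024", ...
    dst: str
    dport: str
    flag: Optional[str] = None  # e.g. "ACK": the packet must carry this TCP flag
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()


def _host_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern in ("Internal", "External"):
        return side(addr) == pattern
    return pattern == addr


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def evaluate(rules, pkt: Packet, default: str = "Block"):
    """Return (action, comment) of the first rule matching the packet.
    A packet matching no rule gets the default policy (deny, as on slide 11)."""
    for r in rules:
        if (_host_matches(r.src, pkt.src) and _port_matches(r.sport, pkt.sport)
                and _host_matches(r.dst, pkt.dst) and _port_matches(r.dport, pkt.dport)
                and (r.flag is None or r.flag in pkt.flags)):
            return r.action, r.comment
    return default, "default policy"


# The slide 12 table without its last ("dangerous") row.
SLIDE12_RULES = [
    Rule("Allow", "Internal", "*", "External", "25", None, "Outgoing SMTP"),
    Rule("Allow", "*", "25", "*", "*", "ACK", "SMTP ACK from outside"),
    Rule("Allow", "Internal", "*", "External", "*", None, "All outgoing connections"),
    Rule("Allow", "External", "*", "Internal", "*", "ACK", "ACKs for outgoing connections"),
]

# Slide 11's "deny everything" row placed BEFORE an allow row, as that table
# is written, to show what first-match evaluation then does.
MISORDERED_RULES = [
    Rule("Block", "*", "*", "*", "*", None, "Default: deny everything"),
    Rule("Allow", "Internal", "*", "External", "80", None, "HTTP to external web servers"),
]

INSIDE, OUTSIDE = "10.1.0.7", "203.0.113.5"     # constructed hosts


def telnet_handshake_decisions() -> list:
    """Outbound SYN, the returning SYN/ACK, and an externally originated SYN."""
    syn_out = Packet(INSIDE, 40000, OUTSIDE, 23, frozenset({"SYN"}))
    synack_in = Packet(OUTSIDE, 23, INSIDE, 40000, frozenset({"SYN", "ACK"}))
    syn_in = Packet(OUTSIDE, 40000, INSIDE, 23, frozenset({"SYN"}))
    return [evaluate(SLIDE12_RULES, p)[0] for p in (syn_out, synack_in, syn_in)]


def ack_probe_decision() -> str:
    """An unsolicited packet with only ACK set: the stateless ACK rule cannot
    tell it from a genuine reply to a connection opened from inside."""
    probe = Packet(OUTSIDE, 40000, INSIDE, 23, frozenset({"ACK"}))
    return evaluate(SLIDE12_RULES, probe)[0]


def misordered_http_decision() -> str:
    """The deny-all row matches first, so the HTTP row never fires."""
    web = Packet(INSIDE, 40001, OUTSIDE, 80, frozenset({"SYN"}))
    return evaluate(MISORDERED_RULES, web)[0]


if __name__ == "__main__":
    print(telnet_handshake_decisions())   # ['Allow', 'Allow', 'Block']
    print(ack_probe_decision())           # Allow (the weakness of a stateless ACK check)
    print(misordered_http_decision())     # Block (deny-all row shadows the HTTP row)
```

The ACK-probe result is the reason the session filtering of the next slides keeps a state table instead of trusting a header bit the sender controls.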

Slide 13: Session Filtering
[Diagram: as on slide 9, but the firewall now also implements the Transport and Application layers and keeps dynamic state tables.]
- Screens ALL attempts, protects all applications
- Extracts and maintains 'state' information
- Makes an intelligent security / traffic decision

Slide 14: Controlling Telnet Traffic via the Firewall
[Diagram: internal Telnet client (port 1234) and external Telnet server (port 23).]
1. The client opens a TCP connection to port 23 and tells the server its own port number (1234). In this first packet the ACK bit is not set.
2. The server sends its acknowledgement back to port 1234; the ACK bit is set.

Slide 15: Telnet Example (Cisco IOS Access Lists)

access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
! Allows packets from the internal host to (external) Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established
! Allows packets (back) from the (external) Telnet server. "established" matches only segments with the ACK (or RST) bit set.
interface Ethernet 0
 ip access-group 100 out
 ! Apply the first list to outgoing traffic
 ip access-group 101 in
 ! Apply the second list to incoming traffic
! Rule: allow Telnet from 172.168.10.11 to any external server (port 23), and the acknowledgements back.
! Every IOS access list ends with an implicit "deny ip any any", so anything not permitted above is dropped.
! Caveat: "established" is stateless; any inbound segment from port 23 with ACK set passes, whether or not the host ever opened the connection.

Slide 16: Router Rule Format
access-list [ ] [ ]

Slide 17: FTP "Active Mode" Scenario
[Diagram: external FTP client (port 5150 command, port 5151 data) and internal FTP server (port 21 command, port 20 data).]
1. The client opens the command channel (5150 -> 21) and tells the server its second port number: "PORT 5151".
2. The server acks: "OK".
3. The server opens the data channel from port 20 to the client's second port (20 -> 5151).
4. The client acknowledges (TCP ACK).

Slide 18: Example FTP Packet Filter (Cisco IOS Access Lists)

access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any (external) client to the (internal) FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the (internal) FTP server to send packets back to any (external) address on TCP ports > 1023
interface Ethernet 0
 ip access-group 100 in
 ! Apply the first list to incoming traffic
 ip access-group 101 out
 ! Apply the second list to outgoing traffic
! Caveat: neither list uses "established", so any external host may also open its own connection to port 20;
! and passive mode (next slide) is not covered at all, because the server's passive data port (> 1023) is not permitted inbound.

Slide 19: FTP "Passive Mode" Scenario
[Diagram: FTP client (ports 5150, 5151) and internal FTP server (port 21 command, port 20 data, port 3267 passive data).]
1. The client opens the command channel and requests passive mode: "PASV".
2. The server tells the client the port number: "OK 3267".
3. The client opens the data channel to the server's second port (5151 -> 3267).
4. The server acknowledges (TCP ACK).
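The two FTP scenarios are the standard illustration of why the session filtering of slide 13 needs to understand the application protocol: the data channel's port is negotiated inside the control channel. The following added example, written for this page and not code from the slides, is a small stateful filter in Python with an FTP helper. It keeps a table of accepted connections, reads PORT commands and 227 replies on the control channel, and opens a one-shot pinhole for exactly the data channel each mode needs. The premises prefix 10.1., the server address 10.1.0.12, the client address 198.51.100.7, the static policy (only external -> server:21 may open a connection by itself) and all payloads are assumptions constructed for the example.

```python
# Added example (not from the slides): stateful filter with a minimal FTP helper
# that opens data-channel pinholes from PORT commands and 227 replies.
# Addresses, ports, policy and payloads are constructed.
import re
from dataclasses import dataclass

INTERNAL_PREFIX = "10.1."      # assumed premises network
FTP_SERVER = "10.1.0.12"       # assumed internal FTP server

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)
_MISSING = object()


def decode_hostport(match) -> tuple:
    """FTP encodes address and port as six decimal bytes; port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()
    payload: bytes = b""


class StatefulFilter:
    """Static policy (assumed): the only new connection permitted on its own is
    external -> FTP_SERVER:21.  Any other new connection must match a pinhole
    opened by the FTP helper.  Packets of accepted connections pass both ways."""

    def __init__(self):
        self.conns = set()     # (src, sport, dst, dport) of accepted connections
        self.pinholes = {}     # (initiator, target, target_port) -> required initiator port, or None

    def _new_connection_allowed(self, p: Packet) -> bool:
        if p.dst == FTP_SERVER and p.dport == 21:
            return True
        required = self.pinholes.pop((p.src, p.dst, p.dport), _MISSING)   # one-shot pinhole
        return required is not _MISSING and required in (None, p.sport)

    def accept(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns or reverse in self.conns:
            self._inspect_ftp(p)
            return True
        is_syn = "SYN" in p.flags and "ACK" not in p.flags
        if is_syn and self._new_connection_allowed(p):
            self.conns.add(key)
            return True
        return False   # no state and not a permitted new connection; drops ACK-only probes too

    def _inspect_ftp(self, p: Packet) -> None:
        if p.dport == 21 and (m := PORT_RE.search(p.payload)):
            host, port = decode_hostport(m)
            if host == p.src:    # refuse a PORT naming a third party (FTP bounce)
                self.pinholes[(p.dst, host, port)] = 20     # server:20 -> client:port
        elif p.sport == 21 and (m := PASV_RE.search(p.payload)):
            host, port = decode_hostport(m)
            if host == p.src:
                self.pinholes[(p.dst, host, port)] = None   # client:any -> server:port


CLIENT, SERVER = "198.51.100.7", FTP_SERVER   # constructed external client


def run_active_mode(fw: StatefulFilter) -> list:
    """Slide 17: control channel, PORT 5151, then the server opens 20 -> 5151."""
    return [
        fw.accept(Packet(CLIENT, 5150, SERVER, 21, frozenset({"SYN"}))),
        fw.accept(Packet(SERVER, 21, CLIENT, 5150, frozenset({"SYN", "ACK"}))),
        fw.accept(Packet(SERVER, 20, CLIENT, 5151, frozenset({"SYN"}))),       # before PORT: dropped
        fw.accept(Packet(CLIENT, 5150, SERVER, 21, frozenset({"ACK", "PSH"}),
                         b"PORT 198,51,100,7,20,31\r\n")),                      # 20*256+31 = 5151
        fw.accept(Packet(SERVER, 20, CLIENT, 5151, frozenset({"SYN"}))),       # after PORT: allowed
    ]


def run_passive_mode(fw: StatefulFilter) -> list:
    """Slide 19, on the control channel opened by run_active_mode: PASV,
    the server answers with port 3267, the client connects to it."""
    return [
        fw.accept(Packet(CLIENT, 5150, SERVER, 21, frozenset({"ACK", "PSH"}), b"PASV\r\n")),
        fw.accept(Packet(SERVER, 21, CLIENT, 5150, frozenset({"ACK", "PSH"}),
                         b"227 Entering Passive Mode (10,1,0,12,12,195)\r\n")),  # 12*256+195 = 3267
        fw.accept(Packet(CLIENT, 5151, SERVER, 3267, frozenset({"SYN"}))),
    ]


def run_probes(fw: StatefulFilter) -> list:
    """A PORT naming a third host opens nothing; an ACK-only probe is dropped."""
    fw.accept(Packet(CLIENT, 5150, SERVER, 21, frozenset({"ACK", "PSH"}), b"PORT 10,1,0,5,0,23\r\n"))
    return [
        fw.accept(Packet(SERVER, 20, "10.1.0.5", 23, frozenset({"SYN"}))),
        fw.accept(Packet(CLIENT, 40000, SERVER, 23, frozenset({"ACK"}))),
    ]


if __name__ == "__main__":
    fw = StatefulFilter()
    print(run_active_mode(fw))    # [True, True, False, True, True]
    print(run_passive_mode(fw))   # [True, True, True]
    print(run_probes(fw))         # [False, False]
```

The helper only trusts a PORT or 227 that names the speaker's own address, which is what stops the FTP bounce pattern in which a client asks the server to open a data connection to a third host.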

Slide 20: Packet Filtering Firewalls
Advantages:
- Simplicity
- Transparency to users
- High speed
Disadvantages:
- Difficulty of setting up packet filter rules
- Lack of authentication: decisions are made per packet on header fields, with no notion of which user is behind the traffic

Slide 21: Packet Filtering Firewall: Attacks
- IP address spoofing
- Fragmentation attacks

Slide 22: Anti-Spoofing
Policy: do not allow outgoing traffic with a false sender address.
[Diagram: an Internet Service Provider router with interfaces E1, E2, E3 and E4; customer networks 130.207.5.0, 130.207.3.0 and 130.207.4.0 hang off E1 to E3.]
Allowed outgoing traffic:
- E1: only from 130.207.4.0/24
- E2: only from 130.207.3.0/24
- E3: only from 130.207.5.0/24
ISP: allow outgoing data only with legal (assigned) source addresses.

Slide 23: Fragmentation
[Diagram: the TCP/IP packet layout of slide 10 repeated; the IP header fields that govern fragmentation are Identifier, Flags and Fragment Offset.]

Slide 24: Basic Fragmentation Attack
[Diagram: external Telnet client (port 1234) and internal Telnet server (port 23). Firewall policy: OUT, allow only if the SYN bit is set; IN, allow only if the ACK bit is set.]
- The firewall allows the outgoing SYN packet (no ACK) and incoming data with ACK; all packets after the handshake carry the ACK bit.
- The attacker sends two fragments, FRAG1 (with ACK) and FRAG2 (with ACK). Each passes the inbound check.
- The server reassembles. The fragments overlap, and the second overwrites the flags of the first: the full datagram has the SYN bit set, so an inbound connection is opened despite the filter.
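The attack is easiest to see on real bytes. The following added example, written for this page and not code from the slides, builds the two overlapping fragments in Python, reassembles them the way a naive host does (a later fragment overwrites the bytes it overlaps), and compares the filter the slide describes with one that applies the RFC 1858 countermeasures. Ports, sequence numbers and the 4-byte payload are constructed.

```python
# Added example (not from the slides): overlapping-fragment attack on a filter
# that checks the ACK bit of first fragments only, and the RFC 1858 checks
# that defeat it.  Ports, sequence numbers and payload are constructed.
import struct
from typing import Optional

TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def tcp_header(sport: int, dport: int, flags: set, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (no options); the flags byte is at offset 13."""
    flag_byte = sum(TCP_FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_byte, 8192, 0, 0)


def tcp_flags(segment: bytes) -> frozenset:
    """Decode the flags byte of a TCP segment."""
    return frozenset(n for n, b in TCP_FLAG_BITS.items() if segment[13] & b)


def fragment(data: bytes, offset: int, more: bool) -> dict:
    """An IP fragment as the filter sees it: offset in 8-byte units, MF flag, payload."""
    return {"offset": offset, "mf": more, "data": data}


def reassemble(frags) -> bytes:
    """Naive reassembly: copy fragments in arrival order, so a later fragment
    overwrites any bytes it overlaps."""
    buf = bytearray()
    for fr in frags:
        start = fr["offset"] * 8
        end = start + len(fr["data"])
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        buf[start:end] = fr["data"]
    return bytes(buf)


def naive_inbound_filter(fr) -> bool:
    """Policy 'allow inbound only if ACK is set', checked on the first fragment;
    non-first fragments carry no TCP header and are passed through."""
    if fr["offset"] != 0:
        return True
    return "ACK" in tcp_flags(fr["data"])


def hardened_inbound_filter(fr) -> bool:
    """Same policy plus the RFC 1858 checks: a TCP fragment with offset 1 is
    dropped (its only possible purpose is to overwrite bytes 8..15 of the TCP
    header, where the flags live), and a first fragment must carry the whole
    20-byte header so the flags are actually present to be checked."""
    if fr["offset"] == 1:
        return False
    if fr["offset"] == 0:
        return len(fr["data"]) >= 20 and "ACK" in tcp_flags(fr["data"])
    return True


def deliver(frags, accepts) -> Optional[frozenset]:
    """TCP flags the host sees after reassembly, or None if the filter dropped
    any fragment (the datagram then never completes)."""
    if not all(accepts(f) for f in frags):
        return None
    return tcp_flags(reassemble(frags))


# The attack from the slide.  Non-final fragments must be a multiple of 8 bytes,
# so each segment is the 20-byte header plus 4 bytes of payload (24 bytes).
# FRAG1 is a full header with ACK; FRAG2 (offset 1 = byte 8 onward) re-sends
# bytes 8..23 with SYN set and overwrites the flags byte on reassembly.
ACK_SEGMENT = tcp_header(1234, 23, {"ACK"}) + b"\0\0\0\0"
SYN_SEGMENT = tcp_header(1234, 23, {"SYN"}) + b"\0\0\0\0"
ATTACK_FRAGS = [fragment(ACK_SEGMENT, 0, True), fragment(SYN_SEGMENT[8:], 1, False)]

if __name__ == "__main__":
    print(deliver(ATTACK_FRAGS, naive_inbound_filter))      # frozenset({'SYN'})
    print(deliver(ATTACK_FRAGS, hardened_inbound_filter))   # None
```

A plain unfragmented SYN is already stopped by the naive filter; the overlap is what turns two individually acceptable fragments into a SYN, and the offset-1 check closes that without needing to reassemble on the firewall.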

Slide 25: General Fragmentation Attack
- Instead of fragmenting the TCP header, fragment the data portion of the packet (or an ICMP message) to attack applications on the clients
- Not all clients do bounds checking: an oversized reassembled packet may be too large for the client's buffer and cause a buffer overflow
- Remedy: application level firewall

Slide 26: Application Level (Proxy) Gateway

Slide 27: Application Level (Proxy) Gateway
- Acts as a relay of application-level traffic: the gateway terminates the client's TCP connection and opens its own connection to the server
- Knows the application protocol, so its rules are tailored to the expected and unexpected behaviour of that application's traffic
- Can stop or deny traffic according to those rules
Advantages / disadvantages?

Slide 28: Application Level Gateway
Advantages:
- Higher security than packet filters
- Only a few allowable applications need to be scrutinized
- Easy to log and audit all incoming traffic
Disadvantages:
- Additional processing overhead on each connection (the gateway is a splice point between two TCP connections)

Slide 29: Comparison Table

                            Modify client applications?
Packet filter               No
Application level gateway   Yes: the client application must be proxy-aware and configured to connect to the proxy server
