Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls.

Published byDwight Stevenson Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewalls."— Presentation transcript:

1 Firewalls

2 Firewalls Network layer firewall
works as a packet filter Decides what packets will pass the firewall according to rules defined by the administrator Filtering rules can act on the basis of: source address destination address ports higher-level network protocols the packet contains Network layer firewalls tend to operate very fast, and transparently to users.

3 Network layer firewalls
Generally fall into two sub-categories Stateful Hold some information on the state of connections as part of their rules for example: established or not, initiation, handshaking, data or breaking down the connection only hosts inside the firewall can establish connections on a certain port Non-stateful (stateless) Have packet-filtering capabilities Cannot make more complex decisions on what stage communications between hosts have reached offer less security. Somewhat resemble a router in their ability to filter packets

4 Firewalls Software Hardware Combination of Both
Extra software on the host Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall. Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server Hardware An external computer with special software Combination of Both

5 Stateless Firewalls

6 Stateless Firewalls A firewall that treats each network frame (or packet) in isolation It has no way of knowing if any given packet is part of an existing connection, trying to establish a new connection just a rogue packet. Typical behavior of firewalls before the advent of stateful firewalls Modern firewalls are connection-aware (or state-aware) Allows network administrators finer-grained control of network traffic.

7 Stateless Firewalls Problem:
The classic example is the File Transfer Protocol By design it opens new connections to random ports Suppose you are the firewall of company X, protecting the company from unauthorized traffic from the Internet You notice a TCP packet coming from some host across the globe, destined for a machine of your internal network, TCP port number 4970. This port number does not correspond to any well-known service that your protected network is supposed to provide (like Web, FTP or SSH), you discard the packet. you just broke a legitimate FTP connection!.

8 Stateless Firewalls FTP, among other protocols
Needs to be able to open connections to arbitrary high ports to function properly. Since the firewall has no way of knowing that the packet destined to the protected network, to some host's port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem maintaining a table of open connections intelligently associating new connection requests with existing, legitimate connections.

9 Stateful Firewalls

10 Stateful Firewalls A firewall that keeps track of the state of network connections traveling across it such as TCP streams Performs stateful packet inspection or stateful inspection Programmed to distinguish legitimate packets for different types of connections Only packets which match a known connection state will be allowed by the firewall Others will be rejected.

11 Stateful Firewalls Early attempts at producing firewalls operated at the application level of the seven-layer OSI model Required too much CPU power Packet filters operate at the network layer (layer-3) Function more efficiently because they only look at the header part of a packet However, pure packet filters Have no concept of state Subject to spoofing attacks and other exploits

12 Stateful Firewalls How It Works
Holds in memory significant attributes of each connection from start to finish These attributes, collectively known as the state of the connection, may include such details as: The IP addresses and ports involved in the connection The sequence numbers of the packets traversing the connection The most CPU intensive checking is performed at the time of setup of the connection All packets after that (for that session) are processed rapidly because it is simple and fast to determine whether it belongs to an existing, pre-screened session Once the session has ended, its entry in the state-table is discarded.

13 Stateful Firewalls How It Works
Depends on the three-way handshake of the TCP protocol When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. The firewall built-in to Windows XP will, for instance pass all outgoing packets through will only allow incoming packets if they are part of an ESTABLISHED connection ensuring that hackers cannot start unsolicited connections with the protected machine

14 Stateful Firewalls How it Works (cont)
In order to prevent the state table from filling up Sessions will time out if no traffic has passed for a certain period These stale connections are removed from the state table Many applications therefore send keepalive messages periodically Keeps a firewall from dropping the connection during periods of no user-activity Some firewalls can be instructed to send these messages for applications It is worth noting that the most common Denial of Service attack on the internet these days is the SYN flood A malicious user intentionally sends large amounts of SYN packets to the server in order to overflow its state table Blocks the server from accepting other connections

15 Stateful Firewalls How it Works (cont)
Many stateful firewalls are able to track the state of connections in connectionless protocols, like UDP Such connections usually enter the ESTABLISHED state immediately after the first packet is seen by the firewall Sessions in connectionless protocols can only end by time-out By keeping track of the connection state stateful firewalls provide added efficiency in terms of packet inspection Existing connections the FW need only check the state table instead of checking the packet against the FW's rule set can be extensive An additional cost when the FW's rule set is updated Should cause the state table to be flushed The concept of deep packet inspection is unrelated to stateful firewalls.

16 Stateful Firewalls Application-level Filters
Today, firewalls are again using application level filters called proxies - or application level proxies Machines with modern CPU speeds can do deep packet inspection These proxies can read the data part of each packet Make a more intelligent decision about the connection For IRC or peer to peer file sharing protocols Traditional stateful firewalls cannot detect this An application level firewall can detect and selectively block HTTP connections according to content Modern computers typically exchange data by breaking it up to network frames These frames are called "packets" in TCP/IP Firewalls inspect each packet and decide: Should be allowed to pass the firewall and continue travelling towards its destination Should it be be discarded Common ways of filtering packets are according to the source/destination address or according to the source/destination port

17 Stateful Firewalls Application-level Filters
But in some cases this information is not enough. The administrator of the firewall might want to allow packets to pass the firewall according to the context of the connection, and not just the packet header characteristics. This deep packet inspection provides a much finer grained control Deep packet inspection costs more time to process, thus it is important to compensate for this by also providing stateful inspection Note: The finer-grained security functionality provided by application-level filters can be defeated by users who encrypt packet contents (e.g. by tunneling via SSL)

18 Stateful Firewalls Examples of stateful firewalls:
VPN-1/FireWall-1 Cisco PIX IPFilter Netfilter kernel-level packet filter of the Linux kernel. PF, OpenBSD packet filter, also found in other BSDs Examples of application level proxy firewalls: Sidewinder G2 (Secure Computing) a hybrid of the earlier SC Sidewinder and NAI Gauntlet firewalls closer now to Gauntlet than the old Sidewinder Cyberguard (Now owned by Secure Computing) Gauntlet Symantec Enterprise Firewall

19 Network Address Translation
Firewalls often have network address translation (NAT) functionality the hosts protected behind a firewall commonly have addresses in the "private address range“ Hides the true address of protected hosts Originally, developed to address the limited amount of IPv4 routable addresses available By companies By individuals Reduce both the amount Reduce the cost of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance

20 Nat Flavors Two kinds of network address translation exist.
The type popularly called simply "NAT" (also sometimes named "Network Address Port Translation" or "NAPT" or even PAT) refers to network address translation Involves the mapping of port numbers Allows multiple machines to share a single IP address The other, technically simpler, form—also called NAT or "one-to-one NAT" or "basic NAT" or "static NAT“ Involves only address translation, not port mapping This requires an external IP address for each simultaneous connection Broadband routers often use this feature, sometimes labelled "DMZ host“ Allows a designated computer to accept all external connections even when the router itself uses the only available external IP address

21 NATP NAT with port-translation comes in two sub-types:
Source address translation (source NAT) Re-writes the IP address of the computer which initiated the connection Destination address translation (destination NAT) In practice, both are usually used together in coordination for two-way communication

22 Firewall Summary Firewalls Simply filter out unwanted traffic
Can have complex rules Simplest ones allow only return communications from sessions established by the host computer Can mask the real IP address of computers behind it

Download ppt "Firewalls."

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Firewalls.

Firewalls.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.

Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Firewall Slides by John Rouda

Firewall Slides by John Rouda
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Similar presentations

Ads by Google