
Internet and Intranet Fundamentals Class 9 Session A.


1 Internet and Intranet Fundamentals Class 9 Session A

2 Topics
  Firewalls (continued)

3 Firewalls (Continued)
  Bastion Hosts
  Packet Filtering

4 Bastion Hosts
  Public Presence on the Internet
  The “Lobby” Analogy
  Public Exposure Implies Increased Security Requirements
    – focus special attention on building a Bastion host
    – host security
        some principles apply to other hosts as well

5 Bastion Hosts
  Various Types
  Non-routing Dual-homed Hosts
    – make sure they are non-routing!
  Victim Machines
    – sacrificial goat
    – don’t let users put valuables on them
  Internal, semi-Bastion Hosts
    – inside the firewall
    – communicate with external bastion

6 Bastion Hosts
  General Design Guidelines
  Minimize the Number of Services Provided
    – keep it simple, scholar
    – server software may have bugs that can be exploited
  Expect Bastion Host to be Compromised
    – expect the worst and plan for it
    – most likely to be attacked
    – bastion host considered untrusted host

7 Bastion Hosts
  What Platform?
    – Unix, NT, etc.?
  Criteria
    – your experience
    – firewall tools availability
  Class of Machine
    – minimal
    – not a supercomputer
    – RAM more important than CPU

8 Bastion Hosts
  Location
  Physical Location
    – safe
  Network Location
    – preferably on a perimeter network
    – or a network not susceptible to spoofing
        ATM, Ethernet switch

9 Bastion Host Services
  Proxy and Relay Services
    – HTTP Proxy
    – SMTP Server
    – NNTP Server
    – FTP Server
  Public Services
    – HTTP
    – SMTP

10 Bastion Hosts
  Construction Steps
  Secure the Machine
    – start with minimal, clean operating system
    – fix all known system bugs
    – use a security checklist
    – safeguard the system logs
        requires lots of logging

11 Bastion Hosts
  Construction Steps
  Disable Non-required Services
  Install or Modify Services
  Reconfigure Machine from Development to Deployment
  Perform Security Audit
  Connect Machine to Network

12 Packet Filtering
  Topics
  What is it?
  Advantages and Disadvantages
  Configuring a Packet Filtering Router
  Various Kinds of Filtering

13 Packet Filtering
  What is it?
  Selectively reject IP packets based on:
    – source address
    – destination address
    – incoming physical port
    – TCP application port

14 Packet Filtering
  Advantages and Disadvantages
  Advantages
    – one router protects an entire network
    – doesn’t require user knowledge or cooperation
    – widely available
  Disadvantages
    – current filtering tools not perfect
        can be hard to configure, test, and maintain
        may have bugs
    – some protocols don’t lend themselves to filtering

15 Packet Filtering
  Configuring a PF Router
  Protocols
    – Bidirectional
    – Inbound vs. Outbound
  Semantics
    – packets vs. services
    – think “packets”
  Default Security Policy
    – permit or deny?
  Returning ICMP Error Codes
    – destination unreachable, for example

16 Various Kinds of Filtering
  Rules
    – Direction
    – Source Address
    – Destination Address
    – ACK Set
    – Action

17 Various Kinds of Filtering
  Rules

18 Various Kinds of Filtering
  Risks of Address Filtering
  Address Forgery
    – source does not hope to get any packets back
    – man-in-the-middle
        must intercept return packets
        must alter network topology to get in the middle

19 Various Kinds of Filtering
  Filtering by Service
  More Complicated
  TELNET
    – outgoing
        source address: local host’s IP
        destination address: remote host’s IP
        TCP packet type
        TCP destination port is 23
        content: your keystrokes

20 Various Kinds of Filtering
  Filtering by Service
  TELNET
    – incoming
        source address: remote host’s IP
        destination address: local host’s IP
        TCP packet type
        TCP source port is 23
        TCP destination port is same as prior source port
        ACK set

21 Various Kinds of Filtering
  Filtering by Service
  TELNET
    – Rules
        permit outbound on port 23
        permit inbound on port 23 if ACK is set
        deny both outbound and inbound for everything else
          – default rule
  Risks
    – some other service on port 23?
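A worked example added here, not part of the slides: a small first-match packet-filter evaluator in Python that expresses slide 21's TELNET rules using the rule fields from slide 16 (direction, source, destination, ACK, action) plus protocol and ports. The internal network 192.0.2.0/24 and all addresses used are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = "192.0.2.0/24"   # assumption: our internal network (documentation range)

@dataclass
class Packet:
    direction: str            # "in" or "out", relative to the internal network
    src: str                  # source IP address
    dst: str                  # destination IP address
    proto: str                # "tcp", "udp" or "icmp"
    sport: Optional[int]      # source port (None for ICMP)
    dport: Optional[int]      # destination port (None for ICMP)
    ack: bool = False         # TCP ACK flag

@dataclass
class Rule:
    direction: str            # "in", "out" or "*" (any)
    src: str                  # CIDR or "*"
    dst: str                  # CIDR or "*"
    proto: str                # protocol or "*"
    sport: Optional[int]      # None matches any source port
    dport: Optional[int]      # None matches any destination port
    ack: Optional[bool]       # None: don't care; True: ACK must be set
    action: str               # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        def in_net(net: str, addr: str) -> bool:
            return net == "*" or ip_address(addr) in ip_network(net)
        return (self.direction in ("*", p.direction)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.proto in ("*", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.ack in (None, p.ack))

# Slide 21's TELNET rule set: first matching rule wins, the last rule is the default deny.
TELNET_RULES = [
    Rule("out", INTERNAL_NET, "*", "tcp", None, 23, None, "permit"),   # our keystrokes out
    Rule("in", "*", INTERNAL_NET, "tcp", 23, None, True, "permit"),   # replies, ACK set
    Rule("*", "*", "*", "*", None, None, None, "deny"),               # default rule
]

def filter_packet(p: Packet, rules=TELNET_RULES) -> str:
    for r in rules:                 # evaluate in order, "think packets" not services
        if r.matches(p):
            return r.action
    return "deny"                   # fallback if no default rule is configured
```

The ACK check on the inbound rule is what separates a reply to a connection we opened from a fresh connection attempt that merely uses source port 23.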

