Published by Eunice Walsh. Modified over 9 years ago.
1 Firewalls
2 What is a firewall?
Device that provides secure connectivity between networks (internal/external; varying levels of trust)
Used to implement and enforce a security policy for communication between networks
[Diagram labels: Trusted Networks; Untrusted Networks & Servers; Firewall; Router; Internet; Intranet; DMZ; Public Accessible Servers & Networks; Trusted Users; Untrusted Users]
3 Firewalls
From Webster’s Dictionary: a wall constructed to prevent the spread of fire
Internet firewalls are more the moat around a castle than a building firewall
Controlled access point
4 Firewalls can:
Restrict incoming and outgoing traffic by IP address, ports, or users
Block invalid packets
5 Firewalls Cannot Protect…
Traffic that does not cross it
  – routing around
  – Internal traffic
When misconfigured
6 Access Control
Security Requirement
Control access to network information and resources
Protect the network from attacks
[Diagram labels: Internet; DMZ Net; Web Server Pool; Corporate Network; ALERT!!]
7 Filtering
Packets checked then passed – typically route packets
Inbound & outbound affect when policy is checked
Packet filtering
  – Access Control Lists
Session filtering
  – Dynamic Packet Filtering
  – Stateful Inspection
  – Context Based Access Control
Fragmentation/reassembly
Sequence number checking
ICMP
8 Packet Filtering
Decisions made on a per-packet basis
No state information saved
9 [Diagram: Packet Filter; protocol stacks (Applications, Presentations, Sessions, Transport, Network, DataLink, Physical) of two hosts and a Router]
10 Session Filtering
Packet decision made in the context of a connection
If packet is a new connection, check against security policy
If packet is part of an existing connection, match it up in the state table & update table
11 Session Filtering
[Diagram: Dynamic State Tables; protocol stacks (Applications, Presentations, Sessions, Transport, Network, DataLink, Physical)]
Screens ALL attempts, Protects All applications
Extracts & maintains ‘state’ information
Makes an intelligent security / traffic decision
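The difference between per-packet and per-connection decisions, as an added example that is not part of the original slides. The address prefix, the allowed ports and the simplified teardown are assumptions; sequence number checking is left out.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."            # constructed internal address prefix
ALLOWED_OUT = {80, 443}       # constructed policy: inside hosts may open web connections

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # TCP flags: "S" SYN, "A" ACK, "F" FIN, "R" RST

def policy_allows_new(p):
    return p.src.startswith(INSIDE) and p.dport in ALLOWED_OUT

def packet_filter(p):
    """Stateless ACL: every packet is judged alone, no state is saved."""
    if policy_allows_new(p):
        return True
    # Replies can only be recognised by header fields: web source port + ACK bit.
    return p.dst.startswith(INSIDE) and p.sport in ALLOWED_OUT and "A" in p.flags

class SessionFilter:
    """Stateful filter: decisions are made in the context of a connection."""
    def __init__(self):
        self.table = {}       # (client, client port, server, server port) -> state

    def check(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:       # new connection: check against the security policy
            if p.flags == "S" and policy_allows_new(p):
                self.table[fwd] = "SYN_SENT"
                return True
            return False
        if "R" in p.flags or "F" in p.flags:
            del self.table[key]               # simplified teardown on first FIN/RST
        else:
            self.table[key] = "ESTABLISHED"   # match it up and update the table
        return True

def demo():
    fw = SessionFilter()
    syn = Packet("10.0.0.5", 40000, "203.0.113.9", 443, "S")
    synack = Packet("203.0.113.9", 443, "10.0.0.5", 40000, "SA")
    stray = Packet("198.51.100.7", 443, "10.0.0.8", 40001, "A")  # no matching session
    return [(packet_filter(p), fw.check(p)) for p in (syn, synack, stray)]
```

The stray ACK passes the stateless rule because its header looks like a reply, but the session filter drops it because no entry in the state table matches.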
12 Proxy Firewalls
Relay for connections
[Diagram: Client, Proxy, Server]
Two flavors
  – Application Level
  – Circuit Level
13 Application Gateway
Understand specific applications
  – Limited proxies available
  – Proxy “impersonates” both sides of the connection
Resource intensive
  – Process per connection
HTTP proxies may cache web pages
More appropriate for TCP
Block all unless specifically allowed
Must write a new proxy application to support new applications
  – Non Trivial
14 [Diagram: Application Layer GW/proxy; an Application Gateway with Telnet, HTTP and FTP proxies between the protocol stacks (Applications, Presentations, Sessions, Transport, Network, DataLink, Physical) of two hosts]
15 Encryption (VPNs)
Allows trusted users to access sensitive information while traversing untrusted networks
Useful for remote users/sites
IPSec Encrypted Tunnels
16 PGP
17 Pretty Good Privacy (PGP)
widely used de facto secure email
developed by Phil Zimmermann
selected best available crypto algorithms to use
integrated into a single program
available on Unix, PC, Macintosh and Amiga systems
originally free, now have commercial versions available also
18 PGP
Five services
  – Authentication, confidentiality, compression, email compatibility, segmentation
Functions
  – Digital signature
  – Message encryption
  – Compression
  – Email compatibility
  – Segmentation
19 PGP Operation – Integrity and Authentication
1. Sender creates a message
2. SHA-1 used to generate 160-bit hash code of message
3. hash code is encrypted with RSA using the sender's private key, and result is attached to message
4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code
5. receiver generates new hash code for message and compares with decrypted hash code; if they match, message is accepted as authentic
20 Pretty Good Privacy (PGP) - Message Integrity and Authentication
21 PGP Operation – Confidentiality
1. sender generates message and random 128-bit number to be used as session key for this message only
2. message is encrypted, using CAST-128 / IDEA / 3DES with session key
3. session key is encrypted using RSA with recipient's public key, then attached to message
4. receiver uses RSA with its private key to decrypt and recover session key
5. session key is used to decrypt message
22 PGP Message Encryption
Sender (Original message → Transmitted message):
1. Create a random secret key k
2. Encrypt message using DES with secret key k
3. Encrypt k using RSA with recipient's public key
4. Encode message + E(k) in ASCII for transmission
Receiver:
1. Convert ASCII message
2. Decrypt E(k) using RSA with my private key to recover k
3. Decrypt message using DES with secret key k
23 PGP Operation – Compression
by default PGP compresses message after signing but before encrypting
  – so can store uncompressed message & signature for later verification
  – & because compression is non deterministic
uses ZIP compression algorithm
24 Segmentation & Reassembly
Email systems impose maximum length
  – 50 Kb, for example
PGP provides automatic segmentation
  – Done after all other operations
  – Thus only one session key needed
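25 PGP
Alice wants to provide secrecy, sender authentication, message integrity.
Alice uses three keys: her private key, Bob’s public key, newly created symmetric key
[Diagram: $m$ is hashed by $H(\cdot)$ and the hash is signed by $K_A^-(\cdot)$ with Alice's private key $K_A^-$, giving $K_A^-(H(m))$; this is combined (+) with $m$ and encrypted by $K_S(\cdot)$ with the symmetric key $K_S$; $K_S$ is encrypted by $K_B^+(\cdot)$ with Bob's public key $K_B^+$, giving $K_B^+(K_S)$; the two results are combined (+) and sent over the Internet]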
26 Folklore
27 Perfect Forward Security
A protocol property that prevents someone who records an encrypted conversation from being able to later decrypt the conversation
Keep the conversation secret from
  – Someone (an escrow agent, attacker..) who knows the long-term key
Two ways
  – A Diffie-Hellman exchange, then forget DH information
  – Ephemeral public/private key pair
28 Change Keys Periodically
The more examples of ciphertexts you can see, the more likely you can break the encryption and find the key
Change keys (key rollover)
29 Continue..
Use different keys in the two directions
Use different secret keys for encryption vs. integrity protection
Use different keys for different purposes
30 Continue..
Have both sides contribute to the master key
HMAC rather than Simple MD
Key expansion
Randomly Chosen IVs
Use nonce in protocols
Compress data before encrypting it
Do not do encryption only
Minimal vs. redundant designs
31 Continue…
Put Checksums at the end of data
Forward Compatibility
Negotiating Parameters
  – Different Algorithms
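Several of the folklore rules from slides 29 to 31 combined in one sketch, as an added example that is not part of the original slides: both sides contribute to the master key, key expansion yields separate keys per direction and per purpose, and an HMAC is appended at the end of the data. The key labels, the sequence number and the sample message are assumptions; the encryption keys are derived but not used, since the Python standard library has no cipher.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 output size in bytes

def master_key(shared_secret, nonce_a, nonce_b):
    """Both sides contribute a fresh nonce, so neither alone fixes the master key."""
    return hmac.new(shared_secret, b"master" + nonce_a + nonce_b, hashlib.sha256).digest()

def expand(master):
    """Key expansion: one sub-key per direction and per purpose."""
    labels = ("a2b-enc", "a2b-mac", "b2a-enc", "b2a-mac")   # hypothetical labels
    return {l: hmac.new(master, l.encode(), hashlib.sha256).digest() for l in labels}

def protect(mac_key, seq, data):
    """Append an HMAC (not a bare hash) at the end of the data."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    return data + tag

def verify(mac_key, seq, blob):
    """Return the data if the trailing tag is valid, else None."""
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    good = hmac.new(mac_key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, good) else None

def demo():
    secret = secrets.token_bytes(32)                  # constructed long-term secret
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    keys = expand(master_key(secret, na, nb))
    blob = protect(keys["a2b-mac"], 1, b"transfer 10")    # constructed message
    return {
        "distinct": len(set(keys.values())) == 4,
        "accepted": verify(keys["a2b-mac"], 1, blob),
        "reflected": verify(keys["b2a-mac"], 1, blob),    # sent back the other way
        "replayed": verify(keys["a2b-mac"], 2, blob),     # wrong sequence number
    }
```

Because each direction has its own MAC key, a message reflected back at its sender fails verification, and the sequence number under the HMAC makes a replay at a later position fail as well.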