Download presentation
Presentation is loading. Please wait.
Published byFelix Lindsey Modified over 9 years ago
1
1 Firewalls G53ACC Chris Greenhalgh
2
2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch. 40.10-40.13
3
3 Typical Remote Attacks l Security exploits (too much trust!). l Password attacks –guess, eavesdrop, trojan, crack passwd. l Bug exploits, esp. buffer overflows –can cause execution of alien machine code. l IP spoofing –fake source address. l Macros, trojans. l Denial of service.
4
4 Firewall principles (i) LAN Local host Router The Internet Remote access? login, HTTP, email, news, FTP, X-windows, NFS, DNS, NIS,... Potential firewall
5
5 Firewall principles (ii) l Remove external dependencies (and trust) –no NFS, NIS across firewall l Control traffic crossing firewall –packet filters l Replace necessary access/services in a controlled way –FTP, remote login, HTTP, email,...
6
6 Simple filters l Router filters on: –protocol (e.g. TCP, UDP,...) –source/destination IP address –source/destination TCP/UDP port numbers l destination ports < 1024 = reserved: 21=FTP, 23=telnet, 25=smtp, 517(udp)=talk, 80=HTTP, 512=exec, 513=login, 79=finger, 515=printer
7
7 Simple filter: example l Deny access to local ports < 1024: –no log in, etc. l Deny access to any non-IP protocol l Permit access to certain ports/machines: –web server TCP port 80, etc. l Allow access to all remote ports: –can log in from LAN to remote machines, etc.
8
8 Simple filter: reservations l Trojan horse? –could open port above 1024 and give access l Collusion –employee cooperates with external person l Non-standard port usage –services’ ports always under 1024? –random ports always over 1024?
9
9 Stateful filter l Builds and maintains session state from passing packets l => can take account of more factors: –Direction of connection establishment l E.g. allow only connections from clients behind the firewall –Duration of connection (e.g. probing) –Number of active connections (e.g. DoS attack) –High rates of fragments or SYNs (e.g. DoS attack) l Can apply filters to application payload data –E.g. web URLs, mail content l Can be combined with NAT (Network Address Translation), esp. port-mapping
10
10 Full firewall l Router = “Choke” –cuts of ALL packets which are not too/from designated “Gate” machine (AKA “DMZ”, De- Militarized Zone) l Gate –single point of access in/out –single point to monitor (keep logs!) –single point to control
11
11 Full Firewall in action LAN Local host GateLocal host The Internet Potential firewall X HTTP, FTP server, HTTP proxy, email exchanger,... Choke
12
12 Gate: uses l Application gateways: –HTTP proxy (for internal users) –HTTP and FTP server (for external users) –email gateway for all internal machines (use DNS MX records) –Supports temporary/controlled accounts for l FTP access to outside world l remote log-in to site
13
13 Full De-Militarized Zone (DMZ) secure LAN Local host Gate Local host The Internet External firewall HTTP/web app. server, email exchanger,... Choke DMZ LAN Choke2 Internal firewall e.g. databases, Back-end services, Enterprise systems… Limits potential damage if gate is compromised
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.