Published by Jody Baldwin. Modified over 9 years ago.
Slide 1: Network Firewalls
CSCI 5931 - Web Security, Spring 2003
Presented by Yasir Zahur
Slide 2: Agenda
- Reference Monitor
- Introduction
- Types of Firewalls
  - Screening Routers
  - Proxy Gateways
  - Guard
- Sample Configurations
Slide 3: Reference Monitor
- The kernel is the heart of the operating system.
- The security kernel is the part of it responsible for enforcing the security mechanisms of the entire operating system.
- The portion of the security kernel that controls access to objects is called the reference monitor.
- A reference monitor must be:
  - tamperproof
  - always invoked (there is no path to an object that bypasses it)
  - small and simple enough for rigorous analysis
Slide 4: Reference Monitor (cont.)
Slide 5: First Line of Defense: The Firewall
- A special form of reference monitor.
- The primary means of securing a private network against penetration from a public network.
- An access control device that performs perimeter security by deciding which packets are allowed or denied, and which must be modified before passing.
- The core of an enterprise's comprehensive security policy.
- Can monitor all traffic entering and leaving the private network and alert IT staff to attempts to circumvent security or to patterns of inappropriate use. It only sees traffic that actually crosses it, so it offers no control over traffic between hosts on the same side of it.
Slide 6: Network Firewall Concept
(Diagram: the firewall system sits between your domain and the outside network; legitimate activity is passed through, violations are stopped.)
Slide 7: Types of Firewalls
- Screening Routers (packet level filters)
- Proxy Gateways (bastion host)
- Guards
Slide 8: Screening Routers
- The simplest, and in some cases the most effective, type of firewall.
- In its simplest form it consists of access control lists (ACLs) and network address translation (NAT).
- Also called a packet filter, because the filtering mechanism keeps no record of the interaction and no history of previous datagrams: each datagram is judged on its own header fields (a stateless filter).
- A manager can list any combination of source IP address, destination IP address, protocol, source port number and destination port number as the packet filter specification.
Slide 9: Routers Screening Outside Addresses
Slide 10: Security Policy in Packet Filtering
- A packet filter lets a manager specify which datagrams to block.
- Blocking by list requires continuous monitoring and updates, because the number of well-known ports is large and growing rapidly.
- Certain services assign port numbers dynamically, e.g. RPC (Remote Procedure Call), so their ports cannot be listed in advance.
- Listing the ports of well-known services leaves the firewall vulnerable to tunneling: any traffic can be carried over a port that has been left open.
- The answer: block all datagrams except those explicitly specified (default deny).
Slide 11: Consequence of Restricted Access for Clients
- Each server operates at a well-known port; a client does not (it uses an ephemeral port chosen at connection time).
- A client attempts to communicate with a server outside the organization. Each outgoing datagram carries the client's port as the source port and the server's port as the destination port. The firewall does not block these datagrams as they leave.
- However, when the response reaches the firewall from outside, the destination port is now the client's port, and the firewall blocks it because that port is not on the approved list.
- A stateless filter can only let such replies through by opening the whole ephemeral port range inbound, or by trusting header fields (source port, TCP ACK flag) that an outside sender controls; a stateful filter instead remembers outbound connections and admits only their replies.
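The reply problem from slides 10 and 11, and the default-deny policy they recommend, carried through in code. This is an added example, not part of the original slides: it simulates a stateless packet filter, the common stateless workaround (trusting source port 80 inbound) and a stateful filter with a flow table, all over constructed packets. The private network 10.0.0.0/8, the mail host 10.0.0.5, and every address and port below are assumptions made for the demo.

```python
"""Stateless vs. stateful packet filtering under a default-deny policy.

Constructed example: the private network is 10.0.0.0/8, 10.0.0.5 is its
mail host, and all addresses and ports below are made up for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the private network, "in" = entering it
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"             # CIDR prefix or "any"
    dst: str = "any"
    sport: Optional[int] = None  # None matches every port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(spec, addr):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


INSIDE = "10.0.0.0/8"
# The slide's recommended policy: list what is permitted, deny everything else.
RULES = [
    Rule("allow", "out", "tcp", src=INSIDE, dport=80),        # web browsing
    Rule("allow", "out", "tcp", src=INSIDE, dport=443),
    Rule("allow", "in", "tcp", dst="10.0.0.5/32", dport=25),  # inbound mail only
]
# The classic stateless workaround for the reply problem: trust source port 80.
NAIVE_RULES = RULES + [Rule("allow", "in", "tcp", sport=80)]


def stateless_decide(rules, pkt):
    """First matching rule wins; no match means deny (default deny)."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "deny"


class StatefulFilter:
    """Same rule set, plus a table of flows that were allowed outbound.  An
    inbound packet whose reversed 5-tuple is in the table is a reply and is
    admitted without any rule for the client's ephemeral port."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def decide(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reverse in self.flows:
            return "allow"
        verdict = stateless_decide(self.rules, pkt)
        if verdict == "allow" and pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed traffic: a browser on 10.0.0.7 fetches a page from 203.0.113.10.
PACKETS = [
    Packet("out", "tcp", "10.0.0.7", 49152, "203.0.113.10", 80),   # request
    Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.7", 49152),    # genuine reply
    Packet("in", "tcp", "203.0.113.66", 80, "10.0.0.7", 49152),    # forged "reply" from port 80
    Packet("in", "tcp", "198.51.100.9", 33333, "10.0.0.5", 25),    # inbound SMTP to mail host
    Packet("in", "tcp", "198.51.100.9", 33334, "10.0.0.7", 22),    # inbound SSH probe
]


def demo():
    """Verdicts per packet for the three filters, in PACKETS order."""
    strict = [stateless_decide(RULES, p) for p in PACKETS]
    naive = [stateless_decide(NAIVE_RULES, p) for p in PACKETS]
    sf = StatefulFilter(RULES)
    stateful = [sf.decide(p) for p in PACKETS]
    return strict, naive, stateful


if __name__ == "__main__":
    for name, verdicts in zip(("stateless", "naive", "stateful"), demo()):
        print(f"{name:9s}", verdicts)
```

The strict stateless filter drops the genuine reply, exactly as the slide describes. The naive fix admits the reply but also the forged packet, because an outside sender chooses its own source port. The stateful filter admits only the reply whose reversed 5-tuple matches a connection it let out, and still drops the forgery and the SSH probe.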
Slide 12: Proxy Gateway
- A firewall that simulates the effects of an application by running "pseudo-applications" (proxies) on behalf of the real clients and servers.
- Bastion host: because the firewall computer must be strongly fortified to serve as a secure communication channel, it is also called a bastion host.
- To the inside it implements part of the application protocol, so that it looks like the outside connection.
- To the outside it implements part of the application protocol, so that it acts just as the inside process would.
- It also examines the contents of the packet, not just the header.
Slide 13: Proxy Gateway Example 1
- Consider web access from an inside host.
- The user cannot use a browser for direct access, since the firewall prevents the user's computer from receiving incoming datagrams.
- Instead, the organization runs a web proxy server on the bastion host, and the browser on each inside host is configured to use that proxy.
- Whenever the user requests a URL, the browser contacts the proxy, which in turn contacts the outside server, obtains the page and delivers it to the inside host.
Slide 14: Proxy Gateway Example 2
Consider a site that blocks all incoming TELNET and FTP connections with a packet filtering router. The router allows TELNET and FTP packets to reach one host only: the TELNET/FTP application gateway.
1. An outside user first telnets to the application gateway and enters the name of an internal host.
2. The gateway checks the user's source IP address and accepts or rejects it according to the access criteria in place.
3. The user may need to authenticate (to the gateway, not to the internal host).
4. The proxy service creates a TELNET connection between the gateway and the internal host.
5. The proxy service then passes bytes between the two connections.
6. The application gateway logs the connection.
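The six steps above as a minimal application gateway. This is an added example, not code from the original slides: the source-address allow-list, the credential store and the internal host name "mailhub" are assumptions made for the demo, the gateway is wired to the outside user and to the internal host with socket pairs instead of real network connections, and TELNET option negotiation is omitted so the relay is a plain byte stream.

```python
"""TELNET-style application gateway on a bastion host, following the slide's
steps.  Constructed example: allow-list, credentials and the host name
"mailhub" are made up; the demo uses socket pairs, not real connections."""
import hmac
import ipaddress
import logging
import socket
import threading

log = logging.getLogger("appgw")
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("127.0.0.0/8")]
CREDENTIALS = {"alice": "correct-horse-battery"}   # demo only; TELNET sends this in clear


def source_allowed(peer_ip):
    """Step 2: check the outside user's source address against the access criteria."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def authenticate(user, password):
    """Step 3: authenticate at the gateway, before any internal host is contacted."""
    if user not in CREDENTIALS:
        return False
    return hmac.compare_digest(CREDENTIALS[user].encode(), password.encode())


def read_line(sock):
    """Read one line a byte at a time, so no bytes of the session that is
    relayed afterwards get swallowed into a buffer the relay loop cannot see."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return bytes(buf).decode(errors="replace").strip()


def pump(src, dst):
    """Step 5: copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def run_session(client, peer_ip, connect_internal):
    """Serve one outside connection.  connect_internal(name) returns a socket
    connected to the named internal host, or None.  Returns the outcome."""
    try:
        if not source_allowed(peer_ip):
            log.warning("reject %s: source not allowed", peer_ip)
            return "rejected-source"
        client.sendall(b"internal host: ")
        target = read_line(client)                      # step 1: user names the host
        client.sendall(b"login: ")
        user = read_line(client)
        client.sendall(b"password: ")
        if not authenticate(user, read_line(client)):
            log.warning("reject %s: bad credentials for %r", peer_ip, user)
            return "rejected-auth"
        inside = connect_internal(target)               # step 4: gateway's own connection inward
        if inside is None:
            log.warning("reject %s: unknown internal host %r", peer_ip, target)
            return "rejected-target"
        log.info("relay %s user=%s -> %s", peer_ip, user, target)   # step 6
        t = threading.Thread(target=pump, args=(client, inside), daemon=True)
        t.start()
        pump(inside, client)
        t.join()
        inside.close()
        return "relayed"
    finally:
        client.close()


def demo():
    """Run one full session over socket pairs; returns (outcome, bytes the
    internal host received, bytes the outside user received)."""
    outside, gw_out = socket.socketpair()
    gw_in, host = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.setdefault("outcome", run_session(
        gw_out, "127.0.0.1", lambda name: gw_in if name == "mailhub" else None)))
    t.start()
    outside.sendall(b"mailhub\nalice\ncorrect-horse-battery\nhello\n")
    got = b""
    while not got.endswith(b"\n") and (chunk := host.recv(64)):
        got += chunk                                    # internal host sees only "hello"
    host.sendall(b"HELLO\n")
    outside.shutdown(socket.SHUT_WR)
    host.close()
    seen = b"".join(iter(lambda: outside.recv(4096), b""))
    t.join(5)
    outside.close()
    return result.get("outcome"), got, seen


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The internal host never sees the outside user's address or credentials, only a connection from the gateway, which is the information-hiding and pre-authentication benefit the next slide lists. The byte-at-a-time `read_line` is deliberate: a buffered reader would consume the first bytes of the relayed session along with the password line.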
Slide 15: Proxy Gateway - Advantages
- Proxy services let through only those services for which there is a proxy.
- The protocol can be filtered: some firewalls, for example, can filter FTP connections and deny use of the FTP put command.
- Information hiding: the names of internal systems need not be made known via DNS to outside systems; only the application gateway's name must be known.
- Cost-effectiveness: third-party software or hardware for authentication or logging need be located only at the application gateway.
- Application traffic can be pre-authenticated before it reaches internal hosts, and can be logged more effectively than with standard host logging.
Slide 16: Guard
- A more sophisticated and complex proxy firewall.
- Because it is more complex, its code is more prone to error (a larger attack surface on the one component that must be tamperproof and always invoked).
- Can examine and interpret the contents of a packet.
- Usually implements and enforces certain business policies, e.g. enforcing an e-mail quota at the proxy.
Slide 17: Firewall Configuration 1
Slide 18: Firewall Configuration 2
Slide 19: References
- Firewalls, http://www.cyber.ust.hk/fw-report1/index.html
- Charles P. Pfleeger, Security in Computing, 2nd ed., Prentice Hall
- Douglas E. Comer, Internetworking with TCP/IP, Vol. 1, Prentice Hall
- Andrew Yang, Network Security presentation slides, http://nas/yang/teaching/csci5233fall02/index.htm#topicsNotes
- Tom Longstaff, Presentation on Firewalls, CERT Coordination Center, Carnegie Mellon University, http://www.andrew.cmu.edu/course/95-750/yihudoc/Lecture6.ppt