Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.

Published byJade Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication."— Presentation transcript:

1 Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication 800-10

2 What A firewall is a barrier that prevents something bad from passing and doing harm Network Firewalls are systems through which must pass all traffic going into or out of a protected network environment –The gateway becomes the guardian, protecting the network by selectively forbidding access

3 Why TCP/IP services were not all designed with security in mind –a determined attacker takes advantage of security risks inherent in some service implementations Networks and computing resources, including the data stored, are increasingly critical to an organization’s survival

4 What, more Firewall –systems –routers –policy –central connection Restrict –access to or from selected systems –block certain TCP/IP services

5 Authentication Weak authentication –password files are accessible password attacks are sophisticated finding one vulnerable password gives access to the system –Granularity of authentication user level or host level trusted user may come from a host accessible to many untrusted users.

6 Monitoring Unencrypted passwords cross networks when using telnet or ftp Monitoring traffic on a LAN is easy Information displayed may be critical

7 Spoofing Source routing of IP packets allows an intruder to masquerade as a trusted site Many services determine access rights based on the IP address, assuming that traffic from a trusted domain is safe Mail is easily spoofed and allows an intruder to gain access to the mail privileges of a legitimate user. More can be said, but we probably all know that the networks are vulnerable to attack.

8 Structure A barrier The Internet Our network to be protected

9 Firewall Services Protection from vulnerable services Controlled access to specific systems Concentrated security Enhanced privacy Logging and statistics on network use, misuse Policy enforcement

10 Service restriction Refuse to respond to source-routed packets Restrict NFS and NIS service access –Constrain them to a local network where the services are needed –Disallow remote access

11 Site access restriction A Policy matter –What internal sites should be accessible from outside? –Base: no access unless there is a reason for it

12 Concentrated security Only one place needs to be configured and maintained for control of access to the systems. –Reduces the burden of configuring many systems –Increases the likelihood of well maintained access control

13 Privacy Blocking some service access –finger on unix systems in addition to information about the user that might be better restricted to internal use, it gives information on when the user last logged in. usage patterns can be useful to intruders –DNS knowledge about the configuration of network internals can be useful in attacks.

14 Logging If all access to network resources goes through one site, comprehensive logging of activity becomes feasible. What might look unimportant when logs of one host are examined, may be serious when aggregated with information about access to other hosts on the same network.

15 Policy A reasonable policy –allows access that is needed and useful –denies access that serves no good use and might be dangerous A firewall is a way to enforce a good policy

16 Issues, problems with Firewalls Restricted access adds a burden to legitimate users Firewall provides no protection from attacks that originate behind the firewall A false sense of security may lead to carelessness

17 Firewall components network policy –what restrictions –how enforced advanced authentication mechanisms –one-time passwords, biometrics, smartcards, etc. packet filtering –source, destination IP address or port application gateways –proxy service

18 Packet filtering Flexibility in what you allow Perhaps allow http or smtp access to specific internal hosts, but no access to others Example: (port 23= telnet; 25 = smtp; 119 = nntp; 123 = NTP )

19 What to restrict tftp, port 69, trivial FTP, used for booting diskless workstations, terminal servers and routers, can also be used to read any file on the system if set up incorrectly X Windows, OpenWindows, ports 6000+, port 2000, can leak information from X window displays including all keystrokes RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and read and write to files rlogin, rsh, and rexec, ports 513, 514, and 512, services that if improperly configured can permit unauthorized access to accounts and commands. Quoted from the reference source

20 More restrictions TELNET, port 23, often restricted to only certain systems, FTP, ports 20 and 21, like TELNET, often restricted to only certain systems, SMTP, port 25, often restricted to a central e-mail server, RIP, port 520, routing information protocol, can be spoofed to redirect packet routing, DNS, port 53, domain names service zone transfers, contains names of hosts and information about hosts that could be helpful to attackers, could be spoofed, UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured can be used for unauthorized access, NNTP, port 119, Network News Transfer Protocol, for accessing and reading network news, and gopher, http ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway that contains proxy services.

21 Examples Firewalls come in several types –Packet filtering simplest, common, block addresses and/or protocols –Dual homed proxy for all services that are needed –Screened host more flexible, less secure –Screened subnet no need for dual homed host

22 Dual homed host Internet Info server Application Gateway Complete block to IP traffic between the protected network and the Internet Service only available by proxy servers on the Application Gateway IP filtering Host based application must accept all requests for specific services and pass on or not. Mail, telnet, ftp, http, etc.

23 Screened host Internet Info server Application Gateway IP filtering Application traffic from Internet to App Gateway ok; all other incoming traffic rejected; application from App Gateway to Internet ok; all other traffic from the network to the Internet rejected

24 Screened subnet 1 Internet Info server E-mail server Application Gateway Similar in function to a dual homed host 2

25 Firewall summary The goal: impose a barrier between the protected network and the potential intruder The problem: provide protection without undo restriction on services to legitimate users. Most important: have a policy Options available for how to implement the policy

Download ppt "Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication."

Similar presentations

DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Network Security Introduction Security technologies protect mission-critical networks from corruption and intrusion. Network security enables new business.

Network Security Introduction Security technologies protect mission-critical networks from corruption and intrusion. Network security enables new business.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Compare Firewall products Yan xie 2001825 Term Project of Network Security.

Compare Firewall products Yan xie Term Project of Network Security.
Firewall COSC 513 By Lerraj Khommeteeyuthakan. Introduction to Firewall zA method for keeping a network secure zFirewall is an approach to security zHelps.

Firewall COSC 513 By Lerraj Khommeteeyuthakan. Introduction to Firewall zA method for keeping a network secure zFirewall is an approach to security zHelps.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Similar presentations

Ads by Google