Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls Original slides prepared by Theo Benson.

Published byEdward Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "Firewalls Original slides prepared by Theo Benson."— Presentation transcript:

1 Firewalls Original slides prepared by Theo Benson

2

3

4

5

6

7

8

9 Unix Firewalls FreeBSD: ipfw Linux: ipfw → ipchains → iptables MacOS X: ipfw ipfw example rules: # SSH # Allow ssh from unc.edu hosts /sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup

10

11

12 Stateful Firewalls A bit more complicated Keep track of transport layer connections (e.g., TCP, UDP) that may comprise multiple packets Often allow only connections initiated from behind the firewall

13 How are they deployed? “circle of trust” The Internet AKA “Everything evil” The firewall is the gatekeeper Only one way in or out into the circle

14 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

15 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

16 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

17 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

18 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

19 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

20 Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP Requests Get: video.avi Loading Youtube

21 Allowing Outbound Connections Only “circle of trust” The Internet AKA “Everything evil” SYN Why would someone from the outside want to start a connection?

22 Allowing Outbound Connections Only “circle of trust” The Internet AKA “Everything evil” SYN Why would someone from the outside want to start a connection? – They would if you were running a web-server, an email-server, a gaming server …. Pretty much any ‘server’ service. – Firewall configuration may allow “punching holes” to specific addresses/ports

23

24 Traversing Firewalls Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections. An external server may help coordinate which source ports, sequence numbers, to use. (E.g., STUN protocol.)

25 Network Address Translation (NAT) For outbound packets, the translator replaces (typically) private address with it’s own public address, and rewrites the source port. Translator remembers the mapping. For inbound packets, the reverse translation is performed. 192.168.1.100 128.2.205.42 Src: 192.168.1.100:32532 Src: 128.2.205.42:45323

26 NAT versus Firewall A network address translator is not intrinsically a firewall, but – Often the two are combined in one device – Traffic cannot be sent directly to private addresses used behind a NAT from the public Internet – A NAT may block incoming connections by necessity because it does not know which private address to forward the traffic to

27

28 What Happens When you Connect to a Website? Browser Network Loading SoundCloud HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: sound.mp3 HTTP Requests Get: sound.mp3 What happens if the virus/worm is hidden in an email? Picture? Or if the security exploit is in an HTML page?

29 Deep Packet Inspection Examine payload (data) portion of packet as well as headers IP Header TCP/UDP Header Payload

30 Application Level Firewall Why are they needed? Attackers are tricky – When exploiting security vulnerabilities – Attacks span multiple packets Need a system to scan across multiple packets for Virus/Worm/Vulnerability exploits

31 Application Level Firewalls Similar to Packet-filters except: – Supports regular expression – Search across different packets for a match – Reconstructs objects (images,pictures) from packets and scans objects.

32 Application Level Firewalls Similar to Packet-filters except: – Supports regular expression – Searches across different packets for a match – Reconstructs objects (images,pictures) from packets and scans objects. HTTP Requests Get: image.png HTTP Requests Get: image.png Appy reg-ex to the object:

33 Application Level Firewalls Similar to Packet-filters except: – Supports regular expression – Searches across different packets for a match – Reconstructs objects (images,pictures) from packets and scans objects. HTTP Requests Get: image.png HTTP Requests Get: image.png

34 Why doesn’t everyone use App level firewalls? Object re-assembly requires a lot of memory Regular-expressions require a lot of CPU App level firewalls are a lot more expensive – And also much slower  – So you need more -- a lot more.

35 How do you Attack the Firewall? Most Common: Denial-of-Service attacks – Figure out a bug in the Firewall code – Code causes it to handle a packet incorrectly – Send a lot of ‘bug’ packets and no one can use the firewall

Download ppt "Firewalls Original slides prepared by Theo Benson."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.

CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Firewall Technology. Firewall Technology - Outline Defining the types of firewalls. Developing a firewall configuration. Designing a firewall rule set.

Firewall Technology. Firewall Technology - Outline Defining the types of firewalls. Developing a firewall configuration. Designing a firewall rule set.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.

Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.
Chapter 7: Working with Proxy Servers & Application-Level Firewalls

Chapter 7: Working with Proxy Servers & Application-Level Firewalls
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Firewalls. Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP.

Firewalls. Similar to streaming a Video … Browser Network HTTP Requests Get: image.png HTTP Requests Get: image.png HTTP Requests Get: video.avi HTTP.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Similar presentations

Ads by Google