Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 12 Page 1 CS 236 Online Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Published byBrenda Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 12 Page 1 CS 236 Online Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher."— Presentation transcript:

1 Lecture 12 Page 1 CS 236 Online Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

2 Lecture 12 Page 2 CS 236 Online Firewalls “A system or combination of systems that enforces a boundary between two or more networks” - NCSA Firewall Functional Summary Usually, a computer that keeps the bad guys out

3 Lecture 12 Page 3 CS 236 Online Typical Use of a Firewall Local Network The Internet ??? Firewall ???

4 Lecture 12 Page 4 CS 236 Online What Is a Firewall, Really? Typically a machine that sits between a LAN/WAN and the Internet Running special software That somehow regulates network traffic between the LAN/WAN and the Internet

5 Lecture 12 Page 5 CS 236 Online Firewalls and Perimeter Defense Firewalls implement a form of security called perimeter defense Protect the inside of something by defending the outside strongly –The firewall machine is often called a bastion host Control the entry and exit points If nothing bad can get in, I’m safe, right?

6 Lecture 12 Page 6 CS 236 Online Weaknesses of Perimeter Defense Models Breaching the perimeter compromises all security Windows passwords are a form of perimeter defense –If you get past the password, you can do anything Perimeter defense is part of the solution, not the entire solution

7 Lecture 12 Page 7 CS 236 Online Weaknesses of Perimeter Defense

8 Lecture 12 Page 8 CS 236 Online Defense in Depth An old principle in warfare Don’t rely on a single defensive mechanism or defense at a single point Combine different defenses Defeating one defense doesn’t defeat your entire plan

9 Lecture 12 Page 9 CS 236 Online So What Should Happen?

10 Lecture 12 Page 10 CS 236 Online Or, Better

11 Lecture 12 Page 11 CS 236 Online Or, Even Better

12 Lecture 12 Page 12 CS 236 Online So Are Firewalls Any Use? Definitely! They aren’t the full solution, but they are absolutely part of it Anyone who cares about security needs to run a decent firewall They just have to do other stuff, too 94% of respondents in 2008 CSI/FBI survey say they use firewalls

13 Lecture 12 Page 13 CS 236 Online Types of Firewalls Filtering gateways –AKA screening routers Application level gateways –AKA proxy gateways

14 Lecture 12 Page 14 CS 236 Online Filtering Gateways Based on packet routing information Look at information in the incoming packets’ headers Based on that information, either let the packet through or reject it

15 Lecture 12 Page 15 CS 236 Online Example Use of Filtering Gateways Allow particular external machines to telnet into specific internal machines –Denying telnet to other machines Or allow full access to some external machines And none to others

16 Lecture 12 Page 16 CS 236 Online A Fundamental Problem IP addresses can be spoofed If your filtering firewall trusts packet headers, it offers little protection Situation may be improved by IPsec –But hasn’t been yet Firewalls can perform the ingress/egress filtering discussed earlier

17 Lecture 12 Page 17 CS 236 Online Filtering Based on Ports Most incoming traffic is destined for a particular machine and port –Which can be derived from the IP and TCP headers Only let through packets to select machines at specific ports Makes it impossible to externally exploit flaws in little-used ports –If you configure the firewall right...

18 Lecture 12 Page 18 CS 236 Online Pros and Cons of Filtering Gateways +Fast +Cheap +Flexible +Transparent –Limited capabilities –Dependent on header authentication –Generally poor logging –May rely on router security

19 Lecture 12 Page 19 CS 236 Online Application Level Gateways Also known as proxy gateways and stateful firewalls Firewalls that understand the application- level details of network traffic –To some degree Traffic is accepted or rejected based on the probable results of accepting it

20 Lecture 12 Page 20 CS 236 Online How Application Level Gateways Work The firewall serves as a general framework Various proxies are plugged into the framework Incoming packets are examined –And handled by the appropriate proxy

21 Lecture 12 Page 21 CS 236 Online Firewall Proxies Programs capable of understanding particular kinds of traffic –E.g., FTP, HTTP, videoconferencing Proxies are specialized A good proxy must have deep understanding of the network application

22 Lecture 12 Page 22 CS 236 Online An Example Proxy A proxy to audit email What might such a proxy do? –Only allow email from particular users through –Or refuse email from known spam sites –Or filter out email with unsafe inclusions (like executables)

23 Lecture 12 Page 23 CS 236 Online What Are the Limits of Proxies? Proxies can only test for threats they understand Either they must permit a very limited set of operations Or they must have deep understanding of the program they protect –If too deep, they may share the flaw Performance limits on how much work they can do on certain types of packets

24 Lecture 12 Page 24 CS 236 Online Pros and Cons of Application Level Gateways +Highly flexible +Good logging +Content-based filtering +Potentially transparent –Slower –More complex and expensive –A good proxy is hard to find

25 Lecture 12 Page 25 CS 236 Online More Firewall Topics Statefulness Transparency Handling authentication Handling encryption Looking for viruses

26 Lecture 12 Page 26 CS 236 Online Stateful Firewalls Much network traffic is connection- oriented –E.g., telnet and videoconferencing Proper handling of that traffic requires the firewall to maintain state But handling information about connections is more complex

27 Lecture 12 Page 27 CS 236 Online Firewalls and Transparency Ideally, the firewall should be invisible –Except when it vetoes access Users inside should be able to communicate outside without knowing about the firewall External users should be able to invoke internal services transparently

28 Lecture 12 Page 28 CS 236 Online Firewalls and Authentication Many systems want to allow specific sites or users special privileges Firewalls can only support that to the extent that strong authentication is available –At the granularity required For general use, may not be possible –In current systems

29 Lecture 12 Page 29 CS 236 Online Firewalls and Encryption Firewalls provide no confidentiality Unless the data is encrypted But if the data is encrypted, the firewall can’t examine it So typically the firewall must be able to decrypt –Or only work on unencrypted parts of packets Can decrypt, analyze, and re-encrypt

30 Lecture 12 Page 30 CS 236 Online Firewalls and Viruses Firewalls are an excellent place to check for viruses –Only one place needs to be updated Virus detection software can be run on incoming executables Requires that firewall knows when executables come in And must be reasonably fast Again, might be issues with encryption

31 Lecture 12 Page 31 CS 236 Online Firewall Configuration and Administration Again, the firewall is the point of attack for intruders Thus, it must be extraordinarily secure How do you achieve that level of security?

32 Lecture 12 Page 32 CS 236 Online Firewall Location Clearly, between you and the bad guys But you may have some very different types of machines/functionalities Sometimes makes sense to divide your network into segments –Most typically, less secure public network and more secure internal network –Using separate firewalls

33 Lecture 12 Page 33 CS 236 Online Firewalls and DMZs A standard way to configure multiple firewalls for a single organization Used when organization runs machines with different openness needs –And security requirements Basically, use firewalls to divide your network into segments

34 Lecture 12 Page 34 CS 236 Online A Typical DMZ Organization Your production LAN Your web server The Internet Firewall set up to protect your LAN Firewall set up to protect your web server DMZ

35 Lecture 12 Page 35 CS 236 Online Advantages of DMZ Approach Can customize firewalls for different purposes Can customize traffic analysis in different areas of network Keeps inherently less safe traffic away from critical resources

36 Lecture 12 Page 36 CS 236 Online Firewall Hardening Devote a special machine only to firewall duties Alter OS operations on that machine –To allow only firewall activities –And to close known vulnerabilities Strictly limit access to the machine –Both login and remote execution

37 Lecture 12 Page 37 CS 236 Online Firewalls and Logging The firewall is the point of attack for intruders Logging activities there is thus vital The more logging, the better Should log what the firewall allows And what it denies Tricky to avoid information overload

38 Lecture 12 Page 38 CS 236 Online Keep Your Firewall Current New vulnerabilities are discovered all the time Must update your firewall to fix them Even more important, sometimes you have to open doors temporarily –Make sure you shut them again later Can automate some updates to firewalls How about getting rid of old stuff?

39 Lecture 12 Page 39 CS 236 Online Closing the Back Doors Firewall security is based on assumption that all traffic goes through the firewall So be careful with: –Modem connections –Wireless connections –Portable computers Put a firewall at every entry point to your network And make sure all your firewalls are up to date

40 Lecture 12 Page 40 CS 236 Online What About Portable Computers? Local Café BobCarolXavierAlice

41 Lecture 12 Page 41 CS 236 Online Now Bob Goes To Work... Bob’s Office Worker Bob

42 Lecture 12 Page 42 CS 236 Online How To Handle This Problem? Essentially quarantine the portable computer until it’s safe Don’t permit connection to wireless access point until you’re satisfied that the portable is safe UCLA did it first with QED Now very common in Cisco, Microsoft, and other companies’ products –Network access control

43 Lecture 12 Page 43 CS 236 Online Microsoft Network Access Protection In recent Microsoft OS platforms –Vista, XP service pack 3,Server 2008 Allows administrators to specify policies governing machines on network Automatically checks “health” of machines –If non-compliant, can provide updates Can limit access until compliant Highly configurable and customizable

44 Lecture 12 Page 44 CS 236 Online How To Tell When It’s Safe? Local network needs to examine the quarantined device Looking for evidence of worms, viruses, etc. If any are found, require decontamination before allowing the portable machine access

45 Lecture 12 Page 45 CS 236 Online Single Machine Firewalls Instead of separate machine protecting network, A machine puts software between the outside world and the rest of machine Under its own control To protect itself Available on most modern systems

46 Lecture 12 Page 46 CS 236 Online Pros and Cons of Individual Firewalls +Customized to particular machine +Under machine owner’s control +Provides defense in depth −Only protects that machine −Less likely to be properly configured Generally considered a good idea

Download ppt "Lecture 12 Page 1 CS 236 Online Network Security: Firewalls, VPNs, and Honeypots CS 236 On-Line MS Program Networks and Systems Security Peter Reiher."

Similar presentations

DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Guide to Computer Network Security

Guide to Computer Network Security
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google