Controlling access with packet filters and firewalls


Security vulnerabilities of the TCP/IP protocols

  • IP packets are transmitted in the clear and without authentication facilities

  • Can routers trust routing updates received from others?

  • TCP and UDP segments are transmitted in the clear and without authentication facilities

  • Auxiliary protocols have similar problems (ICMP, DNS, ARP, BOOTP, TFTP)

  • Application protocols are either unprotected or use weak password protection (TELNET, FTP)

  • Where specific protection exists, it is applied as an "add-on" (NFS, SNMP, X11)


Methods of access control

  • Physical protection of entities (devices, cables)

  • Packet Filter

  • Network Relay

  • Firewalls

    • visible

    • invisible

  • Security mechanisms of individual computers or applications ("personal firewall", "personal internet security", e-mail security, telebanking)


Physical security

  • Protection against physical access to power distribution or network cables

  • Protection of internal or external access points (distributors, patch panels)

  • Protection of active devices (routers, bridges) against physical access (lock them up)

    Problems:

  • How to support mobile users

  • How to protect a wireless infrastructure

  • How to allow secure access to external resources


Access control using packet filters

  • Operates primarily on the IP layer, but also peeks into transport-layer header information

  • Filtering based on

    • IP address of the source

    • IP address of the destination

    • Port number of the destination

    • Sometimes the port number of the source

    • Type of transport protocol used (TCP/UDP)

  • Uses an ordered set of filter rules

  • Pure packet filters have no information about connection state: every packet is judged on its own header


Filter rules

Rule  Source           Destination      Action
A     135.79.0.0/16    123.45.6.0/24    Permit
B     135.79.99.0/24   123.45.0.0/16    Deny
C     0.0.0.0/0        0.0.0.0/0        Deny

[Figure: packet filter (PF) placed between network 135.79.0.0 (containing subnet 135.79.99.0) and network 123.45.0.0 (containing subnet 123.45.6.0)]
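Packet filters check the rules in order and the first matching rule decides (first-match; the slides do not state this, so it is an assumption here, as is the implicit default deny when nothing matches). Under that semantics the table above has a shadowing problem: a packet from 135.79.99.0/24 to 123.45.6.0/24 matches rule A and is permitted before rule B, which was meant to deny that subnet, is ever consulted. The following Python is an added example and not part of the slides; it evaluates the slide's rules, shows the shadowing, and checks a reordered rule set. The optional `dport` field and the test addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "Permit" or "Deny"
    dport: Optional[int] = None  # destination port; None means "any" (not in the slide table)


def rule(name, src, dst, action, dport=None):
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst), action, dport)


# The three rules of the slide table, in slide order (assumed to be evaluated first-match).
RULES = [
    rule("A", "135.79.0.0/16", "123.45.6.0/24", "Permit"),
    rule("B", "135.79.99.0/24", "123.45.0.0/16", "Deny"),
    rule("C", "0.0.0.0/0", "0.0.0.0/0", "Deny"),
]

# The same rules with the specific deny placed before the broader permit.
REORDERED_RULES = [RULES[1], RULES[0], RULES[2]]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[Optional[str], str]:
    """Stateless, first-match evaluation of one packet header.

    Returns (name of the deciding rule, action). If no rule matches, the packet is
    denied (assumed implicit default deny) and the rule name is None.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.name, r.action
    return None, "Deny"


def shadowed_pairs(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Report (earlier, later) pairs where an earlier rule with a different action
    overlaps a later one: packets in the overlap never reach the later rule.
    A catch-all last rule always appears here; that pair is expected."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and earlier.src.overlaps(later.src)
                    and earlier.dst.overlaps(later.dst)):
                found.append((earlier.name, later.name))
    return found


if __name__ == "__main__":
    # Constructed addresses inside the slide's networks.
    print(evaluate(RULES, "135.79.99.7", "123.45.6.10"))            # rule A wins, B is shadowed
    print(evaluate(REORDERED_RULES, "135.79.99.7", "123.45.6.10"))  # rule B now denies
    print(shadowed_pairs(RULES))
```

The check in `shadowed_pairs` is the one to run whenever a rule is added: an overlap with a differing action earlier in the list means the new rule is at least partly dead.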


Access control using network relay

[Figure: network relay, showing external connections, a router, a monitoring and controlling host with a configuration and logging database, an invisible private subnet, and internal connections]


Access control by visible firewall

  • Users use the Internet exclusively from the firewall host

  • All users need a user account on the firewall

  • The firewall terminates DNS, e-mail and HTTP

  • User authentication must be secure (with cryptographic means)

  • Reduced user friendliness


Access control by invisible firewall

  • Termination of all store-and-forward services (DNS, e-mail) on servers located on the firewall

  • Selective forwarding of connections (stateful)

  • Authentication of external and internal peers

  • Logging and intrusion detection

  • Network Address Translation

  • Proxy functions

[Figure, Variant 1: Internet, Firewall 1, a DMZ ("de-militarized zone") with public servers, Firewall 2, protected internal network; two DNS servers are shown]
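The difference between "selective forwarding of connections (stateful)" on this slide and the pure packet filter of the earlier slides is what the device remembers. A stateless filter can only let replies back in by a header heuristic, classically "admit inbound TCP when ACK is set"; a stateful filter admits inbound packets only for connections it saw an inside host open. The following Python is an added example, not code from the slides, contrasting the two on constructed traffic (documentation addresses 192.0.2.10, 203.0.113.80 and 198.51.100.9 are assumed):

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class TcpPacket:
    direction: str   # "out" = internal -> Internet, "in" = Internet -> internal
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: TcpPacket) -> bool:
    """Pure packet filter: no memory of earlier packets.

    To let replies back in without state, inbound TCP is admitted only when ACK is
    set, because a genuine connection attempt is a SYN without ACK. The weakness:
    any packet with ACK set is admitted, whether or not an inside host ever
    talked to the sender (an unsolicited ACK reaches the host, which answers with
    a RST and thereby reveals itself).
    """
    if pkt.direction == "out":
        return True
    return pkt.ack


class StatefulFilter:
    """Connection-tracking filter: inbound packets are admitted only when they
    belong to a connection that an internal host opened. Real trackers also drop
    entries on FIN/RST and on timeout; that is omitted here."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def process(self, pkt: TcpPacket) -> bool:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:          # new connection from inside
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the packet must match the reverse of a tracked 4-tuple.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic: an internal client opens a connection, the server
    replies, then an outsider sends an unsolicited ACK and a plain SYN.
    Returns name -> (stateless decision, stateful decision)."""
    inside, server, outsider = "192.0.2.10", "203.0.113.80", "198.51.100.9"
    syn = TcpPacket("out", inside, 40000, server, 80, syn=True)
    syn_ack = TcpPacket("in", server, 80, inside, 40000, syn=True, ack=True)
    probe = TcpPacket("in", outsider, 12345, inside, 22, ack=True)   # ACK, no connection
    scan = TcpPacket("in", outsider, 12345, inside, 22, syn=True)    # ordinary SYN

    sf = StatefulFilter()
    results = {}
    for name, pkt in (("syn", syn), ("syn_ack", syn_ack), ("probe", probe), ("scan", scan)):
        results[name] = (stateless_filter(pkt), sf.process(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:8s} stateless={stateless} stateful={stateful}")
```

The "probe" row is the point: both filters pass the legitimate reply, but only the stateful one rejects the unsolicited ACK.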


Access control by invisible firewall (Variant 2)

  • Uses only one physical firewall unit

[Figure, Variant 2: a single firewall between the Internet and the protected internal network, labelled Ruleset 1 (Internet side) and Ruleset 2 (internal side); a DMZ ("de-militarized zone") with public servers and two DNS servers]


User or application is "proxy aware"

[Figure: proxy configuration of Netscape Navigator and Internet Explorer]


Proxy-based firewall services
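What makes a client "proxy aware" is that it names the final destination to the proxy (the absolute URL in the request line, or CONNECT host:port for a TLS tunnel), which is exactly what lets a proxy-based firewall service apply policy and log per destination. A client that is not proxy aware sends only a path, and the proxy has nothing to decide on. The following Python is an added example, not from the slides or any particular proxy product; the policy values (allowed ports, deny-listed host) and the request lines are constructed for the example:

```python
from typing import Set, Tuple
from urllib.parse import urlsplit

# Policy values are assumptions for this example, not from the slides.
ALLOWED_PORTS: Set[int] = {80, 443}
DENIED_HOSTS: Set[str] = {"intranet.example"}


def parse_proxy_request_line(line: str) -> Tuple[str, str, int]:
    """Extract (method, host, port) from the request line a proxy-aware client sends.

    Proxy-aware: "GET http://host/path HTTP/1.1" or "CONNECT host:port HTTP/1.1".
    Not proxy-aware: "GET /path HTTP/1.1" carries no destination and is rejected.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return method, host, int(port)
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("no absolute URL: client is not proxy-aware or is misconfigured")
    return method, url.hostname, url.port or (443 if url.scheme == "https" else 80)


def decide(line: str, allowed_ports: Set[int] = ALLOWED_PORTS,
           denied_hosts: Set[str] = DENIED_HOSTS) -> Tuple[str, str]:
    """Apply the proxy's policy to one request line; returns (decision, reason).
    The reason string is what the proxy would write to its log."""
    try:
        method, host, port = parse_proxy_request_line(line)
    except ValueError as err:
        return "deny", str(err)
    if host in denied_hosts:
        return "deny", f"{host} is on the deny list"
    if port not in allowed_ports:
        return "deny", f"port {port} not allowed"
    if method == "CONNECT" and port != 443:
        # A CONNECT tunnel carries arbitrary bytes in both directions; limit it to TLS.
        return "deny", "CONNECT only to 443"
    return "permit", f"{method} {host}:{port}"


if __name__ == "__main__":
    for req in ("GET http://www.example.com/index.html HTTP/1.1",
                "CONNECT www.example.com:443 HTTP/1.1",
                "CONNECT mail.example.com:22 HTTP/1.1",
                "GET /index.html HTTP/1.1"):
        print(f"{req!r}: {decide(req)}")
```

The CONNECT restriction is the caveat a practitioner wants: once a tunnel is open the proxy sees only ciphertext, so an unrestricted CONNECT turns the proxy into a generic TCP relay for any inside host.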


Some applications are not "proxy aware"

  • talk, ping, ...

  • Specific implementations of such applications are needed

  • Replacement applications can be offered

  • Such applications may also simply not be made accessible to normal users at all


Literature

  • B. Chapman, E. Zwicky, "Building Internet Firewalls", O'Reilly & Associates, 1995

  • W. Cheswick, S. Bellovin, "Firewalls and Internet Security", Addison-Wesley, 1994

