1 / 29

CSC 474 Information Systems Security

CSC 474 Information Systems Security. Topic 4.1 Firewalls. Outline. What are firewalls? Types Filtering Packet filtering Session filtering Proxy Circuit Level Application Level Brief introduction to Linux firewall. Untrusted Networks & Servers. Firewall. Trusted Networks.

tomas
Download Presentation

CSC 474 Information Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSC 474Information Systems Security Topic 4.1 Firewalls Dr. Peng Ning

  2. Outline • What are firewalls? • Types • Filtering • Packet filtering • Session filtering • Proxy • Circuit Level • Application Level • Brief introduction to Linux firewall Dr. Peng Ning

  3. Untrusted Networks & Servers Firewall Trusted Networks Untrusted Users Internet Router Intranet Public Accessible Servers & Networks DMZ Trusted Users What is a firewall? • Device that provides secure connectivity between networks (internal/external; varying levels of trust) • Used to implement and enforce a security policy for communication between networks Dr. Peng Ning

  4. Firewalls Can … • Restrict incoming and outgoing traffic by IP address, ports, etc. • Block invalid packets • It’s also convenient … • Give insight into traffic mix via logging • Network Address Translation • Encryption Dr. Peng Ning

  5. Firewalls Cannot Protect… • Traffic that does not cross it • routing around • Internal traffic • When misconfigured Dr. Peng Ning

  6. Internet ALERT!! ALERT!! ALERT!! Access Control Corporate Network • Security Requirement • Control access to network information and resources • Protect the network from attacks DMZ Net Web Server Pool Dr. Peng Ning

  7. Filtering • Typically route packets • Packets checked then passed • May have different policies for inbound and outbound packets • Some firewalls need to understand the application protocols • May perform • Fragmentation/reassembly • Sequence number checking Dr. Peng Ning

  8. Filtering (Cont’d) • Packet filtering • Access Control Lists • Session filtering • Dynamic Packet Filtering • Stateful Inspection • Smart Packet Filtering • Context Based Access Control Dr. Peng Ning

  9. Packet Filtering • Decisions made on a per-packet basis • No state information saved • If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work. • Example configuration • Deny access to ports <= 1024, and allow access to all the others. Dr. Peng Ning

  10. Packet Filtering (Cont’d) Applications Applications Presentations Presentations Sessions Sessions Transport Transport Network Network DataLink DataLink DataLink Physical Physical Physical Router Dr. Peng Ning

  11. Session Filtering • Packet decision made in the context of a connection • If packet is a new connection, check against security policy • If packet is part of an existing connection, match it up in the state table & update table • Example configuration Dr. Peng Ning

  12. Dynamic State Tables Dynamic State Tables Dynamic State Tables Session Filtering (Cont’d) • Screens ALL attempts, Protects All applications • Extracts & maintains ‘state’ information • Makes an intelligent security / traffic decision Applications Applications Presentations Applications Presentations Sessions Presentations Sessions Transport Sessions Transport Network Transport Network Network DataLink DataLink DataLink Physical Physical Physical Dr. Peng Ning

  13. Proxy Firewalls • Relay for connections • Client  Proxy  Server • Two flavors • Application level • Circuit level Dr. Peng Ning

  14. Application Gateways • Understands specific applications • Limited proxies available • Proxy ‘impersonates’ both sides of connection • Resource intensive • process per connection • HTTP proxies may cache web pages Dr. Peng Ning

  15. Application Gateways • More appropriate to TCP • Must write a new proxy application to support new protocols • Not trivial! Dr. Peng Ning

  16. Application Gateways • Clients configured for proxy communication • Transparent Proxies Dr. Peng Ning

  17. Application Layer GW/proxy Telnet FTP HTTP Applications Applications Applications Presentations Presentations Presentations Sessions Sessions Sessions Transport Transport Transport Network Network Network DataLink DataLink DataLink Physical Physical Physical Application Gateway Dr. Peng Ning

  18. Circuit-Level Gateways • Support more services than Application-level Gateway • less control over data • Hard to handle protocols like FTP • Passive FTP is usually okay • Clients must be aware they are using a circut-level proxy Dr. Peng Ning

  19. SOCKS • Circuit level Gateway • Support TCP • SOCKS v5 supports UDP, earlier versions did not • See http://www.socks.nec.com Dr. Peng Ning

  20. Comparison Lower is better for security & performance Dr. Peng Ning

  21. Comparison (Cont’d) Dr. Peng Ning

  22. Comparison (Cont’d) Dr. Peng Ning

  23. Linux Firewall: iptables • History • ipfw • ipfwadm • ipchains • iptables • Based on the netfilter framework Dr. Peng Ning

  24. The Netfilter Framework • A framework for packet mangling Kernel Kernel modules Protocol stack netfilter hooks … User space Dr. Peng Ning

  25. The Netfilter Framework (Cont’d) • Current protocols • IPv4, IPv6, and DECnet. • Five hooks for IPv4 • [1]: Pre-routing hook; [2]: Local-in hook; • [3]: Forward hook; [4]: Local-out hook; • [5]: Post-routing hook A packet traversing the netfilter system: [1] [ROUTE] [3] [4] [ROUTE] [2] [5] Dr. Peng Ning

  26. Packet Filtering A packet traversing the netfilter system: [1] [ROUTE] [3] [4] [ROUTE] [2] [5] Packet filtering only uses these three hooks Dr. Peng Ning

  27. IP Tables • A packet selection system • Direct descendent of ipchains • Used for • Packet filtering • Network Address Translation (NAT) • Masquerading, port forwarding, transparent proxying • Packet mangling • Actual changing of packet information Dr. Peng Ning

  28. User Space Tool: iptables • iptables • Command to configure and communicate with the kernel modules • iptables for packet filtering • Three chains • INPUT • OUTPUT • FORWARD Dr. Peng Ning

  29. Iptables for Packet Filtering • You need three things to configure a firewall rule • Which chain? • What packet pattern? • What action to apply? • Example • Drop all packets from 200.200.200.1 • iptables -A INPUT -s 200.200.200.1 -j DROP • Use “man iptables” on Linux to get more information. Dr. Peng Ning

More Related