Firewalls


Presentation Transcript


  1. Firewalls
  Prof. Reuven Aviv: Firewalls

  2. Outline
  • What and where are firewalls
  • Goals of a firewall
  • Types of firewalls
  • Packet filter
  • Application level (proxy server) gateway

  3. What and where are Firewalls? Goals?
  (Diagram: the firewall sits between the untrusted side, the Internet with its untrusted networks, servers and users, and the trusted side, the intranet with its trusted users. A router connects the firewall to the Internet; a DMZ behind the firewall holds the publicly accessible servers and networks.)

  4. Firewall Goals
  • The firewall is inserted between the premises network and the Internet
  • Goals:
  • Protect the premises network from Internet-based attacks
  • Establish an access control gate
  Question: name the types of traffic that the firewall passes or blocks.

  5. Access Control Gate
  (Diagram: traffic from the Internet passes through the firewall, the access control gate, to the DMZ network holding the web server pool; alerts are raised at the firewall.)
  Question: how do we protect the firewall itself?

  6. Access Control Functions
  • Service control: which types of traffic to permit or deny, and in which direction
  • User control: which user may reach which service (e.g. a list of denied websites)
  • Application behavior control: e.g. only filtered email may come in

  7. Types of Firewalls
  • Two common types of firewalls that we consider in this course:
  • Packet-filtering firewalls
  • Application-level gateways

  8. Packet Filtering Firewalls
  • Applies a set of rules to each incoming or outgoing IP packet and then forwards or discards the packet
  • Rules are based on fields in the IP or TCP header: IP addresses, port numbers, flags
  • Two possible default policies for a packet that matches no rule: discard (deny whatever is not explicitly permitted) or forward (permit whatever is not explicitly denied)

  9. Packet Filter at the TCP/IP Level
  (Diagram: the two end hosts run full stacks, Applications, Transport, Network, Data Link, Physical; the router/firewall between them implements only Physical, Data Link and Network, and filters on the IP and TCP header fields it can see.)
  Question: give examples of rules.

  10. TCP/IP Packet
  (Diagram: an IP datagram, consisting of the IP header followed by the TCP header and data.)

  11. Basic Filtering Rules
  • Deny traffic from a non-trusted external host
  • Allow mail transport (SMTP)
  • Allow HTTP connections to external web servers
  • Default, applied when no rule matches: deny everything

  12. Filtering Rules: Direction and Flags
  • Allow outgoing SMTP connections
  • Allow SMTP replies from outside (ACK bit set)
  • Allow all outgoing connections, and allow incoming packets that acknowledge outgoing connections (ACK bit set)
  • Allowing all outgoing connections is dangerous: internal users can reach non-standard servers (services on arbitrary ports)

  13. Session Filtering
  • Screens all connection attempts and protects all applications
  • Extracts and maintains state information about each session in dynamic state tables
  • Makes an intelligent security/traffic decision based on that state
  (Diagram: the layered stacks of slide 9, with the firewall now also holding a Transport layer and dynamic state tables.)

  14. Controlling Telnet Traffic via the Firewall
  (Diagram: an internal Telnet client using port 1234 and an external Telnet server on port 23.)
  • The client opens a TCP connection to server port 23; the first segment carries the client's port number (1234) in its TCP header and has the ACK bit clear
  • The server sends its acknowledgement with the ACK bit set; from then on every segment in both directions carries the ACK bit

  15. Rule: Allow Telnet from 172.168.10.11 to any external server (port 23), and the acknowledging traffic back
  access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
  ! Allows packets from the internal host to (external) Telnet servers
  access-list 101 permit tcp any eq 23 host 172.168.10.11 established
  ! Allows packets back from (external) Telnet servers; 'established' matches only segments with the ACK (or RST) bit set, so an inbound SYN alone is dropped
  interface Ethernet 0
  ip access-group 100 out
  ! Apply the first rule to outgoing traffic
  ip access-group 101 in
  ! Apply the second rule to incoming traffic

  16. Router Rule Format
  access-list <rule number> <permit|deny> <protocol> <source: host <IP address> | any | <IP address> <mask>> [<gt|eq> <port number>] <destination: host <IP address> | any | <IP address> <mask>> [<gt|eq> <port number>] [established]

  17. FTP "Active Mode" Scenario
  (Diagram: an internal FTP server with command port 21 and data port 20; an external FTP client using port 5150 for commands and 5151 for data.)
  • The client opens the command channel from port 5150 to port 21 and tells the server its second port number: "PORT 5151"
  • The server acknowledges: "OK"
  • The server opens the data channel from its port 20 to the client's second port, 5151
  • The client acknowledges (TCP ACK)

  18. Example: FTP Packet Filter
  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
  ! Allows packets from any (external) client to the (internal) FTP control and data ports
  ! Note that the port-20 line carries no 'established', so it also admits connections opened from outside to port 20
  access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
  access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
  ! Allows the (internal) FTP server to send packets to any (external) IP address with TCP port > 1023, including the data connections it opens itself in active mode
  interface Ethernet 0
  ip access-group 100 in
  ! Apply the first rule set to incoming traffic
  ip access-group 101 out
  ! Apply the second rule set to outgoing traffic
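Added example, not from the lecture: a small Python model of the slide 15 and slide 18 access lists, followed by the state table of slide 13 so the two approaches can be compared on the same packets. The internal addresses are the slides' own; the external address 203.0.113.5 (TEST-NET-3) and the names Packet, Rule, evaluate, StatefulFilter and the *_demo functions are this example's assumptions.

```python
"""Stateless router ACLs (slides 15-18) beside a minimal state table (slide 13).

Added example, not lecture code. Internal addresses and ports are the slides'
(172.168.10.11 Telnet client, 172.168.10.12 FTP server); the external address
203.0.113.5 and the names Packet, Rule, evaluate and StatefulFilter are this
example's own.
"""
from __future__ import annotations
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip"
    src: str                   # "any" or a host address
    sport: tuple | None        # ("eq", 23), ("gt", 1023) or None for any port
    dst: str
    dport: tuple | None
    established: bool = False  # Cisco 'established': match only if ACK or RST is set


def _port_ok(spec: tuple | None, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n


def matches(rule: Rule, pkt: Packet) -> bool:
    return bool(rule.proto in ("ip", pkt.proto)
                and rule.src in ("any", pkt.src) and _port_ok(rule.sport, pkt.sport)
                and rule.dst in ("any", pkt.dst) and _port_ok(rule.dport, pkt.dport)
                and (not rule.established or pkt.flags & (ACK | RST)))


def evaluate(acl: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; the implicit last rule is deny (slide 11)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


EXT = "203.0.113.5"  # constructed external host, not on the slides

# Slide 15: internal host may open Telnet anywhere; replies only with ACK/RST set.
ACL_100_OUT = [Rule("permit", "tcp", "172.168.10.11", ("gt", 1023), "any", ("eq", 23))]
ACL_101_IN = [Rule("permit", "tcp", "any", ("eq", 23), "172.168.10.11", ("gt", 1023), True)]

# Slide 18: active-mode FTP to the internal server; no 'established' on any line.
FTP_IN = [Rule("permit", "tcp", "any", ("gt", 1023), "172.168.10.12", ("eq", 21)),
          Rule("permit", "tcp", "any", ("gt", 1023), "172.168.10.12", ("eq", 20))]
FTP_OUT = [Rule("permit", "tcp", "172.168.10.12", ("eq", 21), "any", ("gt", 1023)),
           Rule("permit", "tcp", "172.168.10.12", ("eq", 20), "any", ("gt", 1023))]


def telnet_demo() -> dict:
    return {
        "client_syn_out": evaluate(ACL_100_OUT, Packet("172.168.10.11", 1234, EXT, 23, SYN)),
        "server_synack_in": evaluate(ACL_101_IN, Packet(EXT, 23, "172.168.10.11", 1234, SYN | ACK)),
        # A bare SYN from outside is dropped: without ACK, 'established' does not match.
        "outside_syn_in": evaluate(ACL_101_IN, Packet(EXT, 23, "172.168.10.11", 1234, SYN)),
        # An ACK-only probe from source port 23 passes: the ACL keeps no connection state.
        "outside_ack_probe": evaluate(ACL_101_IN, Packet(EXT, 23, "172.168.10.11", 4321, ACK)),
    }


def ftp_demo() -> dict:
    return {
        "client_cmd_syn_in": evaluate(FTP_IN, Packet(EXT, 5150, "172.168.10.12", 21, SYN)),
        "server_data_syn_out": evaluate(FTP_OUT, Packet("172.168.10.12", 20, EXT, 5151, SYN)),
        "client_data_ack_in": evaluate(FTP_IN, Packet(EXT, 5151, "172.168.10.12", 20, ACK)),
        # The port-20 line also admits a connection opened from outside to port 20.
        "outside_syn_to_20": evaluate(FTP_IN, Packet(EXT, 40000, "172.168.10.12", 20, SYN)),
    }


class StatefulFilter:
    """Slide 13: remember connections the ACL let out; admit inbound packets
    only when they belong to one of them."""

    def __init__(self, out_acl: list[Rule]):
        self.out_acl = out_acl
        self.table: set[tuple] = set()

    def outbound(self, pkt: Packet) -> str:
        decision = evaluate(self.out_acl, pkt)
        if decision == "permit" and pkt.flags & SYN:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return decision

    def inbound(self, pkt: Packet) -> str:
        return "permit" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table else "deny"


def stateful_demo() -> dict:
    fw = StatefulFilter(ACL_100_OUT)
    before = fw.inbound(Packet(EXT, 23, "172.168.10.11", 1234, SYN | ACK))
    fw.outbound(Packet("172.168.10.11", 1234, EXT, 23, SYN))
    return {
        "synack_before_syn": before,  # deny: nothing in the table yet
        "synack_after_syn": fw.inbound(Packet(EXT, 23, "172.168.10.11", 1234, SYN | ACK)),
        # The same ACK-only probe the stateless ACL permitted is now rejected.
        "outside_ack_probe": fw.inbound(Packet(EXT, 23, "172.168.10.11", 4321, ACK)),
    }
```

The contrast to look at is the ACK-only probe: the stateless 'established' rule accepts any inbound segment with the ACK bit set and source port 23, while the state table accepts only segments matching a connection the inside host actually opened. The active-mode FTP rules show the other weakness of port-based rules: because the server must be allowed to open data connections from port 20, an outside host may also open connections to port 20, which is the problem passive mode (slide 19) avoids.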

  19. FTP "Passive Mode" Scenario
  (Diagram: an internal FTP server with command port 21, data port 20 and a second port 3267; an external FTP client using ports 5150 and 5151.)
  • The client opens the command channel to port 21 and requests passive mode: "PASV"
  • The server replies with the port number it will listen on: "OK 3267"
  • The client opens the data channel from its second port, 5151, to the server's second port, 3267
  • The server acknowledges (TCP ACK)

  20. Packet Filtering Firewalls
  • Advantages:
  • Simplicity
  • Transparency to users
  • High speed
  • Disadvantages:
  • Difficulty of setting up packet filter rules correctly
  • Lack of authentication: decisions rest on addresses and ports, which say nothing about who sent the packet

  21. Packet Filtering Firewall: Attacks
  • IP address spoofing
  • Fragmentation attacks

  22. Anti-Spoofing Policy
  (Diagram: an Internet Service Provider router with interfaces E1, E2 and E3 towards three customer networks, 130.207.4.0/24 on E1, 130.207.3.0/24 on E2 and 130.207.5.0/24 on E3, and E4 towards the Internet.)
  • Anti-spoofing policy: do not allow outgoing traffic with a false sender address
  • The ISP allows outgoing data only with legal source addresses, per interface:
  • E1: only from 130.207.4.0/24
  • E2: only from 130.207.3.0/24
  • E3: only from 130.207.5.0/24

  23. Fragmentation
  (Diagram: the IP datagram of slide 10, IP header followed by TCP header, introducing IP fragmentation.)

  24. Basic Fragmentation Attack
  (Diagram: an external Telnet client using port 1234, an internal Telnet server on port 23, and the firewall between them.)
  • Firewall policy: OUT, allow only if the SYN bit is set (connections opened from inside); IN, allow data only if the ACK bit is set (replies to those connections)
  • The client sends its SYN packet as two fragments, both of which pass: the first fragment (FRAG1) carries a TCP header with the ACK bit set, and the firewall inspects only that header; the second fragment (FRAG2) has no TCP header for the firewall to check
  • The server reassembles: the fragments overlap, the second overwrites the TCP flags, and the full datagram has the SYN bit set, so a connection is opened from outside
  • All following packets of that connection legitimately carry the ACK bit and pass the filter
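The attack on slide 24 worked through, as an added example that is not lecture code: the two fragments, a filter that checks the ACK bit of the first fragment only, the overwriting reassembly on the server, and the hardened check from RFC 1858 (drop a first fragment that does not carry the whole TCP header, and drop any fragment at offset 1). The names tcp_header, weak_filter, rfc1858_filter, reassemble and flags_seen_by_server are this example's own; fragments are modelled as (offset in 8-byte units, more-fragments flag, bytes of the TCP segment carried).

```python
"""Overlapping-fragment bypass of a stateless ACK-bit check (slide 24),
with the RFC 1858 fix.

Added example, not lecture code. A fragment is (offset in 8-byte units,
more-fragments flag, bytes of the TCP segment carried); tcp_header,
weak_filter, rfc1858_filter, reassemble and flags_seen_by_server are this
example's own names.
"""
import struct

SYN, ACK = 0x02, 0x10
FLAGS_BYTE = 13        # the flag bits live in byte 13 of the TCP header
TCP_HEADER_LEN = 20    # fixed part of the header


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def weak_filter(fragments: list) -> list:
    """Inbound rule on slide 24: pass only if the ACK bit is set. Only the
    first fragment carries the TCP header, so it is the only one examined;
    later fragments are forwarded unexamined."""
    kept = []
    for off, mf, data in fragments:
        if off == 0 and (len(data) <= FLAGS_BYTE or not data[FLAGS_BYTE] & ACK):
            continue
        kept.append((off, mf, data))
    return kept


def rfc1858_filter(fragments: list) -> list:
    """Same rule, hardened as RFC 1858 recommends: a first fragment must carry
    the whole TCP header, and any fragment at offset 1 is dropped, because it
    is the only non-first fragment that can overlay the flags byte."""
    kept = []
    for off, mf, data in fragments:
        if off == 0 and (len(data) < TCP_HEADER_LEN or not data[FLAGS_BYTE] & ACK):
            continue
        if off == 1:
            continue
        kept.append((off, mf, data))
    return kept


def reassemble(fragments: list) -> bytes:
    """Host reassembly in which a fragment placed later overwrites bytes
    already in the buffer (the policy the attack on the slide relies on)."""
    buf = bytearray()
    for off, _mf, data in sorted(fragments, key=lambda f: f[0]):
        start = off * 8
        buf.extend(b"\x00" * max(0, start + len(data) - len(buf)))
        buf[start:start + len(data)] = data
    return bytes(buf)


def attack_fragments() -> list:
    """Slide 24: two fragments that both pass the weak filter and reassemble
    into a bare SYN."""
    first = tcp_header(1234, 23, ACK)          # offset 0, ACK set: passes the check
    # Offset 1 starts at byte 8 and re-covers bytes 8..19, flags included, with SYN.
    overlay = tcp_header(1234, 23, SYN)[8:]
    return [(0, True, first), (1, False, overlay)]


def flags_seen_by_server(filter_fn, fragments: list) -> int:
    """Flag byte the Telnet server sees after the filter and reassembly."""
    segment = reassemble(filter_fn(fragments))
    return segment[FLAGS_BYTE] if len(segment) > FLAGS_BYTE else 0
```

Real IP stacks differ in which fragment wins an overlap; the attack on the slide needs a server that lets the later fragment win, while the RFC 1858 check at the firewall removes the offset-1 fragment regardless of the server's policy.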

  25. General Fragmentation Attack
  • Instead of fragmenting the TCP header, fragment the data portion of the packet, or ICMP
  • Target: applications in clients
  • Not all clients do bounds checking: an oversized reassembled packet may be too large for the client's buffer and cause a buffer overflow
  • Remedy: an application-level firewall, which reassembles and inspects the whole message before passing it on

  26. Application Level (Proxy) Gateway

  27. Application Level (Proxy) Gateway
  • Acts as a relay of application-level traffic: the client's TCP connection ends at the gateway, which opens its own connection to the server
  • Knows the application protocol
  • Rules are tailored to the expected and unexpected behavior of the application's traffic
  • Can stop or deny traffic according to its rules
  Question: advantages / disadvantages?

  28. Application Level Gateway
  • Advantages:
  • Higher security than packet filters
  • Only needs to scrutinize a few allowable applications
  • Easy to log and audit all incoming traffic
  • Disadvantages:
  • Additional processing overhead on each connection (the gateway is the splice point between two connections)
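Added example for slides 27 and 28, not lecture code: the rule check of an HTTP application-level gateway. Because the gateway terminates the client's connection and reads the whole request, its rules can use the method, the Host header and the target, none of which a packet filter sees, and every request yields an audit line. ALLOWED_HOSTS is a constructed policy, the sample requests are constructed, and inspect_request and audit are this example's own names.

```python
"""Application-level (proxy) gateway rules for HTTP, an added example for
slides 27-28; not lecture code. ALLOWED_HOSTS is a constructed policy and
inspect_request / audit are this example's own names.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}   # constructed policy
MAX_HEAD_BYTES = 8192                 # refuse oversized header blocks before parsing

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 header-name token


def inspect_request(raw: bytes) -> tuple:
    """Return (decision, reason) for one client request. Anything that does
    not parse as the expected protocol is denied, not relayed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "incomplete header block"
    if len(head) > MAX_HEAD_BYTES:
        return "deny", "header block too large"
    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return "deny", "malformed request line"
    method = m.group(1).decode()
    target = m.group(2).decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            return "deny", "malformed header"
        headers[name.lower()] = value.strip()
    host = headers.get(b"host", b"").decode("ascii", "replace").lower()
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    if host not in ALLOWED_HOSTS:
        return "deny", f"host {host!r} not permitted"
    return "permit", f"{method} {host} {target}"


def audit(requests) -> list:
    """Apply the policy to each request and return one log line per request
    (slide 28: the gateway makes every request easy to log and audit)."""
    return [f"{decision}: {reason}" for decision, reason in map(inspect_request, requests)]


# Constructed sample traffic, one client request per element.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"CONNECT attacker.example:443 HTTP/1.1\r\nHost: attacker.example\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\r\n\r\n",   # TLS bytes, not HTTP
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n\r\nabcd",
]
```

The TLS-looking request is the case a packet filter cannot handle: on port 80 it is just bytes to a permitted port, whereas the gateway refuses to relay anything that is not a well-formed request in the protocol it proxies. The cost is the one slide 28 names: every request is parsed on the gateway before a byte reaches the server.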

  29. Comparison Table
