
Firewalls

Firewalls. CS 472, Fall 2012. Introduction: any device, software, or arrangement that limits network access. Categories: packet filtering (network level), circuit gateways, application gateways, dynamic packet filter (packet filter plus circuit-level gateway).


Presentation Transcript


  1. Firewalls CS 472 Fall 2012

  2. Introduction • Any device, software, or arrangement that limits network access. • Categories: • Packet filtering (Network level) • Circuit gateways • Application gateways • Dynamic packet filter (Packet filter + circuit-level gateway)

  3. Packet Filters • Run at the network level • Drop or permit packets based on their source or destination addresses or port numbers • No context is kept (memoryless): the decision is based solely on the contents of the current packet • Filtering may be done at the incoming interface, the outgoing interface, or both • Ingress filtering: filtering of traffic coming into your organization • Egress filtering: filtering of outbound traffic • Rules are applied from top to bottom and the first matching rule decides, so the last rule should block everything that does not fit the rules above it

  4. Example • Intended policies: • Limited connections are permitted through the router between GW and the outside world • Very limited, but possibly different, connections are permitted between GW and anything on NET 2 or NET 3 • Anything can pass between NET 2 and NET 3 • Outgoing calls are allowed between NET 2 or NET 3 and the external link

  5. Example (cont.) • Rule set for the external interface of the router (that is, filtering packets coming in from the outside world)

  6. Example (cont.) • Rule set on the router’s interface to NET 1

  7. Packet-filtering Performance • Total degradation due to filtering depends on the number of rules applied at any point. • It is better to have one rule specifying a network than several rules enumerating the hosts on that network. • Speed things up further by ordering the rules so that the most common types of traffic are processed first.
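The packet-filter behaviour described on slides 3 to 7 (top-to-bottom evaluation, first match wins, explicit final deny, no state between packets, one rule per network rather than per host) as an added example that is not part of the lecture. The topology is assumed: NET 1 = 192.0.2.0/24 is the router's inside segment with GW = 192.0.2.10 on it, NET 2 = 10.0.2.0/24 and NET 3 = 10.0.3.0/24 are the internal networks, "ext" is the router's external interface, and the "SMTP only to GW" policy and the sample packets are constructed for illustration. Because the filter is memoryless, replies to outgoing calls are admitted by a rule that matches only segments with the TCP ACK bit set, which is the usual stateless approximation of "part of an existing connection".

```python
"""Stateless first-match packet filter in the style of slides 3 to 7.

Added example, not from the lecture. The topology is assumed:
  NET 1 = 192.0.2.0/24 is the router's inside segment; GW = 192.0.2.10 is on it
  NET 2 = 10.0.2.0/24 and NET 3 = 10.0.3.0/24 are the internal networks
  "ext" is the router's external interface
Rules are applied top to bottom, the first match decides, and every rule set
ends with an explicit deny. No state is kept between packets (memoryless)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrives on
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK bit: clear only on the first segment of a connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"       # one rule per network, not one per host
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    ack_only: bool = False       # match only segments with ACK set (replies)
    why: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.ack_only or p.ack))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (action, number of rules examined); the count is the cost slide 7 talks about."""
    for n, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return rule.action, n
    return "deny", len(rules)  # reached only if someone dropped the final deny rule


INTERNAL_NETS = ["192.0.2.0/24", "10.0.2.0/24", "10.0.3.0/24"]

# Rule set for the external interface: packets coming in from the outside world.
EXTERNAL_RULES: List[Rule] = [
    # Anti-spoofing first: an outside packet must not claim an internal source.
    *[Rule("deny", iface="ext", src=net, why="spoofed internal source") for net in INTERNAL_NETS],
    # The one service the outside may open to GW (assumed policy: SMTP only).
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.10/32", dport=25, why="mail to GW"),
    # Outgoing calls from NET 2 / NET 3: only the replies (ACK set) are let back in.
    Rule("permit", iface="ext", proto="tcp", dst="10.0.2.0/24", ack_only=True, why="reply to NET 2"),
    Rule("permit", iface="ext", proto="tcp", dst="10.0.3.0/24", ack_only=True, why="reply to NET 3"),
    # Everything that did not match above is dropped.
    Rule("deny", why="default deny"),
]


def demo() -> dict:
    """Run constructed sample packets through the external rule set."""
    outside = "203.0.113.7"
    cases = {
        "smtp to GW":          Packet("ext", "tcp", outside, "192.0.2.10", 40000, 25),
        "telnet to GW":        Packet("ext", "tcp", outside, "192.0.2.10", 40001, 23),
        "new conn into NET 2": Packet("ext", "tcp", outside, "10.0.2.5", 40002, 80),
        "reply into NET 2":    Packet("ext", "tcp", outside, "10.0.2.5", 80, 40002, ack=True),
        "spoofed NET 2 src":   Packet("ext", "tcp", "10.0.2.9", "10.0.2.5", 80, 40003, ack=True),
    }
    return {name: filter_packet(EXTERNAL_RULES, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (action, n) in demo().items():
        print(f"{name:22s} -> {action:6s} (rule {n})")
```

The anti-spoofing rules sit first even though they match rarely: rule ordering for speed (slide 7) is only allowed to reorder rules whose relative order does not change the decision. The "reply" rules key on the ACK bit alone, which is exactly the weakness the fragment slide at the end of the deck exploits.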

  8. Application-level Filtering • Deal with the details of the particular service they are checking • Special-purpose code is needed for each application • Easy to log and control all incoming and outgoing traffic, e.g., checking mail messages for specific words • Web queries can be checked for conformance with organizational policies • E-mail is generally passed through an application-level filter

  9. Circuit-level Gateways • Work at the TCP level: TCP connections are relayed through a computer that essentially acts as a wire • A client wishing to connect to a server connects to the relay host instead, supplying the needed information. The client's name and IP address are not visible to the server. • IP packets now flow from the server to the relay host, are filtered, and then go on to the client (like NAT) • Circuit relays are generally used to create specific connections between isolated networks

  10. SOCKS – Circuit-level gateway Protocol • SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. SOCKS is an abbreviation for "SOCKetS" [1]. • Clients behind a firewall that need to access exterior servers may connect to a SOCKS proxy server instead. Such a proxy server controls the eligibility of the client to access the external server and passes the request on to the server. SOCKS can also be used in the opposite direction, allowing clients outside the firewall ("exterior clients") to connect to servers inside the firewall (internal servers).
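The exchange between a client behind the firewall and the SOCKS relay from slides 9 and 10, as an added example that is not part of the lecture or of any SOCKS implementation. It encodes and parses the SOCKS version 5 messages of RFC 1928 (method negotiation, CONNECT request, reply) without opening any sockets; the relay's eligibility check (`allowed`), its bind address 198.51.100.1:4321 and the target hosts are assumptions. The relay is the party that would open the real TCP connection, which is why the destination server sees the relay's address and not the client's.

```python
"""SOCKS5 (RFC 1928) exchange between a client behind the firewall and the relay.

Added example, not from the lecture: only the wire format is implemented, no
sockets are opened, and the policy function and bind address are assumed.
The relay opens the real TCP connection, so the destination server sees the
relay's address and never the client's."""
import struct
from ipaddress import ip_address

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def encode_address(host: str) -> bytes:
    """ATYP + ADDR. Hostnames go as domain names so the relay does the DNS lookup."""
    try:
        ip = ip_address(host)
        return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw


def decode_address(buf: bytes, off: int):
    """Parse ATYP + ADDR + PORT at buf[off:]; return (host, port, next offset)."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host, off = str(ip_address(buf[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ip_address(buf[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        host, off = buf[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", buf[off:off + 2])
    return host, port, off + 2


# --- client side -----------------------------------------------------------
def client_greeting(methods=(METHOD_NOAUTH,)) -> bytes:
    return bytes([VER, len(methods), *methods])


def client_connect(host: str, port: int) -> bytes:
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


def client_parse_reply(buf: bytes):
    if buf[0] != VER or buf[2] != 0x00:
        raise ValueError("malformed reply")
    host, port, end = decode_address(buf, 3)
    if end != len(buf):
        raise ValueError("trailing bytes in reply")
    return buf[1], host, port


# --- relay side ------------------------------------------------------------
def relay_select_method(greeting: bytes, accepted=(METHOD_NOAUTH,)) -> bytes:
    n = greeting[1]
    if greeting[0] != VER or len(greeting) != 2 + n:
        raise ValueError("malformed greeting")
    for m in accepted:
        if m in greeting[2:]:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])


def relay_reply(rep: int, bind_host="0.0.0.0", bind_port=0) -> bytes:
    return bytes([VER, rep, 0x00]) + encode_address(bind_host) + struct.pack("!H", bind_port)


def relay_handle_connect(req: bytes, allowed, bind_host="198.51.100.1", bind_port=4321):
    """allowed(host, port) -> bool is the relay's eligibility check from the slide."""
    if req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    if req[1] != CMD_CONNECT:
        return relay_reply(REP_CMD_UNSUPPORTED), None
    host, port, end = decode_address(req, 3)
    if end != len(req):
        raise ValueError("trailing bytes in request")
    if not allowed(host, port):
        return relay_reply(REP_NOT_ALLOWED), None
    # A real relay would connect() to (host, port) here and then copy bytes both ways.
    return relay_reply(REP_OK, bind_host, bind_port), (host, port)


def demo(host: str, port: int, allowed=lambda h, p: p in (80, 443)):
    """Full exchange for one CONNECT; returns what each side ended up with."""
    selected = relay_select_method(client_greeting())
    reply_bytes, target = relay_handle_connect(client_connect(host, port), allowed)
    rep, bind_host, bind_port = client_parse_reply(reply_bytes)
    return {"method": selected[1], "rep": rep, "target": target, "bound": (bind_host, bind_port)}


if __name__ == "__main__":
    print(demo("example.com", 443))   # permitted by the assumed policy
    print(demo("203.0.113.5", 23))    # refused: reply code 0x02, "not allowed by ruleset"
```

Two points worth noticing in the relay code: the eligibility decision is made on the (host, port) the client asked for, which the relay sees in the clear, and the relay rejects anything trailing after the request, since a relay that forwards whatever bytes follow is a tunnel rather than a gateway.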

  11. Distributed Firewalls • Rather than have a separate box on the edge of the network reject all inbound packets to port 80, this rule is enforced by every host.

  12. What Firewalls cannot do • They are not a panacea • Useless against attacks from insiders (a legitimate user with bad intentions) • Firewalls act at a specific layer and are not concerned with the other layers • Transitivity is a problem: if A trusts B, and B trusts C, then A trusts C whether or not it wants to • Errors in the rules, or in the firewall itself, are a serious threat.

  13. Application-Level Filtering • More complex than packet filters---look at the details of the particular service they are checking • Special code for each desired application • Easy to control and log all incoming and outgoing traffic • Look for inappropriate or confidential words • Check if web queries are in conformance with company policies • Strip dangerous attachments • E-mail is usually passed through an application-level gateway

  14. Circuit-level Gateways • Work at the TCP level

  15. Firewall Problems (i) Inadvertent problems • Example: Suppose a company has a policy of dropping all e-mail at the gateway, to avoid exposure to mail-borne viruses. If port 80 is left open, Web mail services (e.g., Gmail, Hotmail) introduce a new avenue for malicious code to get in, via e-mail-over-Web tunnels. • Example: Administrator errors are the most common cause of trivial firewall problems; a large set of complex rules is a common cause of such errors.

  16. Firewall Problems (ii) Intentional subversions • Conscious subversion, by users who want more functionality and by malicious parties • Firewalls often allow traffic for port 80 to pass; inbound HTTP traffic should be allowed only to a Web server, and should not reach other internal machines. The Web server should be on a DMZ network • Httptunnel is a publicly available tool for transporting IP packets over HTTP.

  17. Handling of IP Fragments • TCP header layout (RFC 793):

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  • IP fragmentation problem: if the port numbers are in one fragment and the SYN/ACK flags (byte 13 of the TCP header) in another, a filter that admits only packets with ACK set cannot decide whether to allow the fragment, because it cannot tell whether the segment belongs to an existing conversation. • If every first fragment is required to carry at least 16 bytes of TCP header (ports, sequence and acknowledgment numbers, and the flags), the problem is avoided. Alternatively, the firewall can reassemble the fragments itself, but this is expensive.
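The fragment problem from this slide, as an added example that is not part of the lecture: a TCP SYN is cut into IP fragments so that the ports land in the first fragment and the flags in the next, which is what a filter keyed on the ACK bit cannot judge. The check modelled on the slide's 16-byte rule (the same rule RFC 1858 recommends) refuses such first fragments; it also refuses fragments at offset 1, because a later fragment whose bytes overlap the header could rewrite the flags after the first fragment has already been admitted, and the reassembly function below shows that overwrite. Port numbers, fragment sizes and the zeroed checksum are constructed for the demonstration; no packets are sent.

```python
"""Why a memoryless filter cannot judge a fragmented TCP segment (slide 17).

Added example, not from the lecture. A TCP SYN is cut into IP fragments so that
the ports land in fragment 0 and the flags (byte 13 of the TCP header) in the
next one; the check below, modelled on RFC 1858, refuses such first fragments
and also fragments at offset 1, which could overwrite the flags on reassembly.
Checksums are left zero; no real packets are sent."""
import struct

IPPROTO_TCP = 6
TCP_MIN_FIRST = 16   # bytes of TCP header a first fragment must carry: ports, seq, ack, flags
SYN, ACK = 0x02, 0x10


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ackno: int = 0) -> bytes:
    """20-byte TCP header without options (data offset 5 words); checksum left 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ackno, (5 << 12) | flags, 65535, 0, 0)


def fragment(payload: bytes, size: int, proto: int = IPPROTO_TCP):
    """Split a transport payload into IP fragments: (offset in 8-byte units, more, proto, data)."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [(i // 8, i + size < len(payload), proto, payload[i:i + size])
            for i in range(0, len(payload), size)]


def tcp_fields(data: bytes):
    """What a filter can read from the bytes it has: (ports or None, flags or None)."""
    ports = struct.unpack("!HH", data[:4]) if len(data) >= 4 else None
    flags = data[13] & 0x3F if len(data) >= 14 else None
    return ports, flags


def rfc1858_check(frag) -> str:
    """Drop rules for TCP fragments a stateless filter can apply without reassembly."""
    offset, _more, proto, data = frag
    if proto != IPPROTO_TCP:
        return "pass"
    if offset == 0 and len(data) < TCP_MIN_FIRST:
        return "drop"   # tiny first fragment: the flags are in a later fragment
    if offset == 1:
        return "drop"   # bytes 8..15 of a later fragment could overwrite the flags
    return "pass"


def reassemble(frags) -> bytes:
    """Naive reassembly in which a later fragment overwrites overlapping bytes."""
    buf = bytearray()
    for offset, _more, _proto, data in sorted(frags, key=lambda f: f[0]):
        start = offset * 8
        if start > len(buf):
            raise ValueError("gap in fragments")
        buf[start:start + len(data)] = data
    return bytes(buf)


def demo() -> dict:
    syn = tcp_header(40000, 23, SYN)          # connection attempt to telnet
    tiny, normal = fragment(syn, 8), fragment(syn, 16)
    # Overlap attack: fragment 0 shows ACK (looks like a reply and passes an
    # "ACK only" rule); a fragment at offset 1 re-supplies bytes 8..15 with SYN.
    overlap = fragment(tcp_header(40000, 23, ACK), 16) + [(1, True, IPPROTO_TCP, syn[8:16])]
    return {
        "tiny_first_sees": tcp_fields(tiny[0][3]),          # ports but no flags
        "full_first_sees": tcp_fields(normal[0][3]),        # ports and SYN
        "tiny_verdicts": [rfc1858_check(f) for f in tiny],
        "normal_verdicts": [rfc1858_check(f) for f in normal],
        "overlap_flags_in_frag0": tcp_fields(overlap[0][3])[1],           # ACK
        "overlap_flags_reassembled": tcp_fields(reassemble(overlap))[1],  # SYN
        "overlap_verdicts": [rfc1858_check(f) for f in overlap],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

Note that the offset-1 rule is what makes the 16-byte rule sufficient: without it, a first fragment that carries a full header with ACK set would be admitted, and the flags could still be replaced by a later overlapping fragment at the receiving host, as the reassembled result in the demo shows.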
