1 / 18

Firewalls

Firewalls. IT443 – Network Security Administration Instructor: Bo Sheng. Survive/ Response: Recovery, Forensics. Prevent: Firewall, IPsec, SSL. Detect: Intrusion Detection. Internet Security Mechanisms. Goal: prevent if possible; detect quickly otherwise; and confine the damage. Firewalls.

dharrington
Download Presentation

Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Firewalls IT443 – Network Security Administration Instructor: Bo Sheng

  2. Survive/ Response:Recovery, Forensics Prevent:Firewall, IPsec, SSL Detect:Intrusion Detection Internet Security Mechanisms • Goal: prevent if possible; detect quickly otherwise; and confine the damage

  3. Firewalls • Provides secure connectivity between networks • Implements and enforces a security policy for communication between networks

  4. Untrusted Networks & Servers Firewall Trusted Networks Untrusted Users Internet Router Intranet Public Accessible Servers & Networks DMZ Trusted Users Firewalls • Many organizations have distinct needs • access by anyone to public data concerning the company • access only by employees to internal data • Solution: inner and outer (DMZ) networks

  5. Firewall Functions • Controlled access • restrict incoming and outgoing traffic according to security policy • Others • log traffic, for later analysis • network address translation • encryption / decryption • application (payload) transformations

  6. Limitations of Firewalls • Cannot protect against traffic that does not cross it • i.e., there may be other ingress points to the network, such as modems or wireless access points, that bypass the firewall • doesn’t protect against “inside” attacks • Configuration of firewalls to accomplish a desired high-level security policy is non-trivial

  7. Filtering • Compare traffic to patterns, then process traffic according to rules if matched • Two styles • packet filtering • session filtering

  8. Applications Applications Presentations Presentations Sessions Sessions Transport Transport Network Network DataLink DataLink DataLink Physical Physical Physical Router / Firewall Packet Filtering • Patterns specify values in the header of a single packet, e.g., • source IP address and port number • destination IP address and port number • transport protocol type

  9. Packet Filtering • Decisions made on a per-packet basis • no state information (about previous packets) is maintained or used • Assessment • easy to implement • but limited capabilities • May be subject to tiny-fragment attack • first fragment has only a few bytes • rest of TCP header in a second fragment, not examined by firewall

  10. Session Filtering • Packet decisions are made in the context of a connection or flow of packets • If packet is the start of a new connection… • check against rules for new connections • If packet is part of an existing connection… • check against state-based rules for existing connections • update state of this connection

  11. Applications Applications Presentations Applications Presentations Sessions Presentations Sessions Transport Sessions Transport Network Transport Network Network DataLink DataLink DataLink Physical Physical Physical Dynamic State Tables Dynamic State Tables Dynamic State Tables Router / Firewall Session Filtering • Assessment • more powerful than packet filtering, can recognize more sophisticated threats or implement more complex policies • also more expensive to implement

  12. iptables • Tables • Filter • Packet filtering, default table • Nat • Rewrite packet source/destination • Mangle • Alter packet header/content • Raw • Avoid connection track

  13. iptables • Build-in chains • INPUT • OUTPUT • FORWARD • PREROUTING • POSTROUTING

  14. iptables • Basic syntax • iptables [-t table] –[AD] chain rule-spec [options] • Rules • Match condition • E.g., -s 192.168.1.102, --dport 80 • Target (-j): ACCEPT, DROP/REJECT,QUEUE, or RETURN • iptables –L INPUT • iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  15. iptables • Basic syntax • Insert: iptables -I INPUT 2 … • Delete: • iptables-D INPUT -p tcp --dport 22 -j ACCEPT • iptables-D INPUT 2 • iptables-t filter -F INPUT

  16. iptables • Examples • Network setting: • Server (VM): 172.16.190.131 • Client 1(VM): 172.16.190.132 • Client 2(Host): 172.16.190.1 • sudo apt-get install openssh-server telnetd • Block ping • iptables -A INPUT -p icmp -j DROP • Block ping from client 1 • iptables -A INPUT -s 172.16.190.132 -p icmp -j DROP

  17. iptables • Examples • Network setting: • Server (VM): 172.16.190.131 • Client 1(VM): 172.16.190.132 • Client 2(Host): 172.16.190.1 • Block all requests from client 2 except ssh • iptables -A INPUT -s 172.16.190.1-j DROP • iptables –A INPUT –p tcp –s 172.16.190.1--dport 22 –j ACCEPT

  18. iptables • Examples • Network setting: • Server (VM): 172.16.190.131 • Client 1(VM): 172.16.190.132 • Client 2(Host): 172.16.190.1 • Allow at most 1 telnet login from each client • iptables -A INPUT -p tcp --syn --dport 23 –m connlimit --connlimit-above 1 -j DROP • Limit the rate of ping to at most once per second • iptables -A INPUT -p icmp –m limit --limit 1/s --limit-burst 2 -j ACCEPT • iptables -A INPUT -p icmp -j DROP

More Related