Controlling access with packet filters and firewalls
PowerPoint Slideshow about ' Controlling access with packet filters and firewalls' - gaia
Presentation Transcript

Security vulnerabilities of the TCP/IP protocols

  • IP packets are transmitted in the clear and without authentication facilities

  • Can routers trust routing updates received from others?

  • TCP and UDP segments are transmitted in the clear and without authentication facilities

  • Auxiliary protocols have similar problems (ICMP, DNS, ARP, BOOTP, TFTP)

  • Application protocols are without protection or use weak password protection (TELNET, FTP)

  • Specific protection is applied as "add-ons" (NFS, SNMP, X11)


Methods of access control

  • Physical protection of entities (devices, cables)

  • Packet Filter

  • Network Relay

  • Firewalls

    • visible

    • invisible

  • Security mechanisms of individual computers or applications ("personal firewall", "personal internet security", e-mail security, telebanking)


Physical security

  • Protection against physical access to power distribution or network cables

  • Protection of internal or external access points (distributors, patch panels)

  • Protection of active devices (routers, bridges) against physical access (lock them up)

    Problems:

  • How to support mobile users

  • How to protect a wireless infrastructure

  • How to allow secure access to external resources


Access control using packet filters

  • Operates primarily on the IP layer, but also peeks into transport layer information

  • Filtering based on

    • IP address of the source

    • IP address of the receiver

    • Port number of receiver

    • Sometimes port number of the source

    • Type of transport protocol used (TCP/UDP)

  • Uses set of filter rules

  • Pure packet filters do not have information on connection states


Filter rules

Rule   Source            Destination       Action
A      135.79.0.0/16     123.45.6.0/24     Permit
B      135.79.99.0/24    123.45.0.0/16     Deny
C      0.0.0.0/0         0.0.0.0/0         Deny

Diagram: a packet filter (PF) sits between the network 135.79.0.0 (containing the subnet 135.79.99.0) on one side and the network 123.45.0.0 (containing the subnet 123.45.6.0) on the other.
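The slide's rule set evaluated in the order listed, as an added example that is not part of the original slides. It assumes first-match semantics (the first rule whose source and destination networks both contain the packet's addresses decides, and a packet that matches no rule is denied), which the slide does not state; the sample addresses are constructed. With that semantics rule A already permits traffic from 135.79.99.0/24 to 123.45.6.0/24 before rule B is ever consulted, so B only denies that source's traffic to the rest of 123.45.0.0/16, and swapping A and B changes the decision. The helper ordering_conflicts flags such overlapping rules with different actions.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    name: str
    src: str      # source network, CIDR notation
    dst: str      # destination network, CIDR notation
    action: str   # "permit" or "deny"


# The three rules from the slide, in the order listed there.
SLIDE_RULES = [
    Rule("A", "135.79.0.0/16", "123.45.6.0/24", "permit"),
    Rule("B", "135.79.99.0/24", "123.45.0.0/16", "deny"),
    Rule("C", "0.0.0.0/0", "0.0.0.0/0", "deny"),
]

# The same rules with the more specific deny placed before the broad permit.
REORDERED_RULES = [SLIDE_RULES[1], SLIDE_RULES[0], SLIDE_RULES[2]]


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first rule whose source and
    destination networks contain the packet's addresses (assumed first-match
    semantics).  A packet matching no rule is denied (assumed default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.name, rule.action
    return None, "deny"


def ordering_conflicts(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (earlier, later) pairs whose match spaces overlap while their
    actions differ: for the overlapping traffic the later rule never takes
    effect, because the earlier rule already decided.  Full shadowing is the
    special case where the later rule's networks are subnets of the earlier's."""
    conflicts = []
    for i, earlier in enumerate(rules):
        e_src = ipaddress.ip_network(earlier.src)
        e_dst = ipaddress.ip_network(earlier.dst)
        for later in rules[i + 1:]:
            l_src = ipaddress.ip_network(later.src)
            l_dst = ipaddress.ip_network(later.dst)
            if earlier.action != later.action and e_src.overlaps(l_src) and e_dst.overlaps(l_dst):
                conflicts.append((earlier.name, later.name))
    return conflicts


if __name__ == "__main__":
    # Constructed sample packets: a host in 135.79.99.0/24 talking to both subnets.
    for src, dst in [("135.79.99.5", "123.45.6.10"), ("135.79.99.5", "123.45.7.10"),
                     ("135.79.1.1", "123.45.6.1"), ("10.0.0.1", "123.45.6.1")]:
        print(src, "->", dst, "slide order:", first_match(SLIDE_RULES, src, dst),
              "B before A:", first_match(REORDERED_RULES, src, dst))
    print("overlapping rules with different actions:", ordering_conflicts(SLIDE_RULES))
```

The conflict between A and the catch-all C is the expected "permit, then deny everything else" shape; the A/B pair is the one to look at, because it only makes sense if the intent was to exempt 123.45.6.0/24 from the deny, and it is a silent mistake otherwise.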


Access control using network relay

Diagram: external connections reach a router; behind it a monitoring and controlling host (backed by a configuration and logging database) relays traffic to an invisible private subnet that carries the internal connections.


Access control by visible firewall

  • Users use the Internet exclusively from the firewall

  • All users need to have a user account on the firewall

  • The firewall terminates DNS, e-mail, http

  • User authentication must be secure (with cryptographic means)

  • Reduced user friendliness


Access control by invisible firewall

  • Termination of all store-and-forward services (DNS, e-mail) with servers on the firewall

  • Selective forwarding of connections (stateful)

  • Authentication of external and internal peers

  • Logging and intrusion detection

  • Network Address Translation

  • Proxy functions
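The difference between the pure packet filter above ("do not have information on connection states") and the selective, stateful forwarding listed here, as an added example that is not part of the original slides. It assumes an internal network of 10.0.0.0/8 and a policy that only lets inside hosts open TCP connections to ports 80 and 443; the packets are constructed, with external addresses taken from the documentation ranges. The stateless filter can only admit replies by the "ACK bit set" heuristic, so a single inbound packet with ACK set (an ACK-scan probe) passes it; the stateful filter admits an inbound packet only if it belongs to a connection an inside host opened first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

# Assumed internal address space; not from the slides.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_OUTBOUND_PORTS = {80, 443}   # assumed policy: web only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def is_outbound(pkt: Packet) -> bool:
    return is_internal(pkt.src) and not is_internal(pkt.dst)


def stateless_decide(pkt: Packet) -> str:
    """Pure packet filter: every packet is judged on its own header.
    Outbound packets are permitted to the allowed ports; inbound packets are
    permitted only when ACK is set, the classic stateless approximation of
    'reply to an established connection'."""
    if is_outbound(pkt):
        return "permit" if pkt.dport in ALLOWED_OUTBOUND_PORTS else "deny"
    return "permit" if pkt.ack else "deny"


class StatefulFilter:
    """Stateful filter: records each outbound connection it admits and lets
    inbound packets through only when they belong to a recorded connection."""

    def __init__(self) -> None:
        # (internal ip, internal port, external ip, external port)
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if is_outbound(pkt):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.connections:
                return "permit"                      # later packet of a known connection
            if pkt.syn and not pkt.ack and pkt.dport in ALLOWED_OUTBOUND_PORTS:
                self.connections.add(key)            # new connection opened from inside
                return "permit"
            return "deny"
        # Inbound (or anything else): only traffic matching a recorded connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.connections else "deny"


if __name__ == "__main__":
    sf = StatefulFilter()
    syn = Packet("10.1.2.3", 40000, "203.0.113.7", 443, syn=True)              # inside opens HTTPS
    synack = Packet("203.0.113.7", 443, "10.1.2.3", 40000, syn=True, ack=True)  # legitimate reply
    probe = Packet("198.51.100.9", 443, "10.1.2.3", 22, ack=True)              # ACK-scan probe to SSH
    for label, pkt in [("outbound SYN", syn), ("reply SYN/ACK", synack), ("ACK probe", probe)]:
        print(f"{label:14} stateless={stateless_decide(pkt):6} stateful={sf.decide(pkt)}")
```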

Diagram, variant 1: Internet, then Firewall 1, then the DMZ ("de-militarized zone") holding the public servers and a DNS server, then Firewall 2, then the protected internal network, which has its own DNS server.


Access control by invisible firewall (Variant 2)

  • Uses only one physical firewall unit

Diagram, variant 2: a single firewall with Ruleset 1 facing the Internet and Ruleset 2 facing the protected internal network; the public servers and a DNS server sit in the DMZ ("de-militarized zone") on a third side of the firewall, with a second DNS server on the internal network.


User or application is "proxy aware"

  • Netscape Navigator

  • Internet Explorer



Some applications are not "proxy aware"

  • talk, ping, ...

  • Specific implementation of such applications for the firewall

  • Offering replacement applications

  • Such applications may also be made unavailable to normal users altogether


Literature

  • B. Chapman, E. Zwicky, "Building Internet Firewalls", O'Reilly & Associates, 1995

  • W. Cheswick, S. Bellovin, "Firewalls and Internet Security", Addison-Wesley, 1994