Firewalls

CSC 382: Computer Security

Single Host Firewall

Simplest type of firewall—one host acts as a gateway between internal and external networks.

Types of Single Host Firewall

Screening Router

  • Organizations already have a router
  • Most routers have packet filtering capabilities
  • Advantages: cheap, simple
  • Disadvantages: can only do packet filtering

Dual-homed Host

  • Server with two NICs
  • Advantages
    • Configurable: packet filter, circuit proxy, app proxy
  • Disadvantages
    • Lower performance than router

Screened Subnet

Isolates internal network from external networks by means of a perimeter network, called a DMZ.

Screened Subnet

Bastion hosts isolated from internal network

  • Compromise of a bastion host doesn’t directly compromise internal network.
  • Bastion hosts also can’t sniff internal traffic, since they’re on a different subnet.

No single point of failure

  • Attacker must compromise both exterior and interior routers to gain access to internal net.

Advantages: greater security

Disadvantages: higher cost and complexity

Screened Subnet

External Access

  • Filtered: via interior + exterior routers
  • Proxied: use a bastion host as a proxy server

Bastion Hosts

  • Proxy server
  • External web/ftp servers
  • External DNS server
  • E-mail gateway

Screened Subnet

Exterior Router

  • Simple filtering rules
    • Ingress/Egress Filtering
    • DoS prevention
    • Simple ACLs
  • May be controlled by ISP

Interior Router

  • Complex filtering rules.
  • Must protect internal network from bastion hosts as well as external network.

Recommendation: use different hardware/software for interior and exterior routers.
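
The two-router arrangement above, modelled as an added example (not part of the original slides): first-match, default-deny rule lists for the exterior and interior routers, evaluated for connection-opening packets only. All addresses, ports and host roles are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption; the slides give no addresses).
INSIDE = ip_network("10.0.0.0/24")
DMZ = ip_network("192.0.2.0/24")
ANY = ip_network("0.0.0.0/0")
PROXY, MAIL_GW, WEB = "192.0.2.10", "192.0.2.25", "192.0.2.80"  # bastion hosts
MAIL_HUB = "10.0.0.25"                                          # internal mail server

# Rule: (action, source net, destination net, destination port or None = any).
# Rules are keyed by the side the packet arrives on. First match wins; a
# packet matching no rule is dropped (default deny).
EXTERIOR = {
    "outside": [("deny", INSIDE, ANY, None),   # ingress: spoofed internal source
                ("deny", DMZ, ANY, None),      # ingress: spoofed DMZ source
                ("allow", ANY, ip_network(WEB), 80),
                ("allow", ANY, ip_network(MAIL_GW), 25)],
    "dmz":     [("allow", DMZ, ANY, None)],    # egress: only DMZ sources leave
}
INTERIOR = {
    "dmz":    [("allow", ip_network(MAIL_GW), ip_network(MAIL_HUB), 25)],
    "inside": [("allow", INSIDE, ip_network(PROXY), 3128),
               ("allow", ip_network(MAIL_HUB), ip_network(MAIL_GW), 25)],
}

def permits(router, side, src, dst, dport):
    """Evaluate one router's rule list for a packet arriving on `side`."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet, port in router[side]:
        if s in snet and d in dnet and port in (None, dport):
            return action == "allow"
    return False

def zone(addr):
    a = ip_address(addr)
    return "inside" if a in INSIDE else "dmz" if a in DMZ else "outside"

def delivered(origin, src, dst, dport):
    """True if a packet physically sent from zone `origin`, claiming source
    `src`, passes every router on the way to `dst`. Traffic that stays inside
    one zone crosses no router and is reported as False (not modelled)."""
    hops = {("outside", "dmz"): [(EXTERIOR, "outside")],
            ("outside", "inside"): [(EXTERIOR, "outside"), (INTERIOR, "dmz")],
            ("dmz", "inside"): [(INTERIOR, "dmz")],
            ("dmz", "outside"): [(EXTERIOR, "dmz")],
            ("inside", "dmz"): [(INTERIOR, "inside")],
            ("inside", "outside"): [(INTERIOR, "inside"), (EXTERIOR, "dmz")],
            }.get((origin, zone(dst)), [])
    return bool(hops) and all(permits(r, s, src, dst, dport) for r, s in hops)
```

The interior rule set is the one that contains a compromised bastion host: only the e-mail gateway may open a connection inward, and internal clients can reach the outside only through the proxy.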


Tunneling: Encapsulation of one network protocol in another protocol

  • Carrier Protocol: protocol used by network through which the information is travelling
  • Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data
  • Passenger Protocol: protocol that carries original data

ssh Tunneling

SSH can tunnel TCP connections

  • Carrier Protocol: IP
  • Encapsulating Protocol: ssh
  • Passenger Protocol: TCP on a specific port

POP-3 forwarding

ssh -L 110:pop3host:110 -l user pop3host

  • Uses ssh to login to pop3host as user
  • Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
  • User configures mail client to use localhost as POP3 server, then proceeds as normal

Virtual Private Network (VPN)
  • Two or more computers or networks connected by a private tunnel through a public network (typically the Internet).
  • Requirements:
    • Confidentiality: encryption
    • Integrity: MACs, sequencing, timestamps
  • Firewall Interactions
    • Tunnels can bypass firewall
    • Firewall is convenient place to add VPN features

Firewall Limitations

Cannot protect from internal attacks

  • May be able to limit access with internal firewalls to a segment of your network.

Cannot protect you from user error

  • Users will still run trojan horses that make it past your AV scanner.

Firewall mechanism may not precisely enforce your security policy.

Key Points
  • Almost everything is spoofable.
  • Denial of service attacks are easy.
  • Port scanning
    • Stealth
    • OS Fingerprinting
  • Firewalls
    • Packet filtering
    • Proxying
    • DMZ
