Firewalls - PowerPoint PPT Presentation

missy
firewalls n.
Skip this Video
Loading SlideShow in 5 Seconds..
Firewalls PowerPoint Presentation
play fullscreen
1 / 13
Download Presentation
138 Views
Download Presentation

Firewalls

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Firewalls CSC 382: Computer Security

  2. Single Host Firewall Simplest type of firewall—one host acts as a gateway between internal and external networks. CSC 382: Computer Security

  3. Types of Single Host Firewall Screening Router • Organizations already have a router • Most routers have packet filtering capabilities • Advantages: cheap, simple • Disadvantages: can only do packet filtering Dual-homed Host • Server with two NICs • Advantages • Configurable: packet filter, circuit proxy, app proxy • Disadvantages • Lower performance than router CSC 382: Computer Security

  4. Screened Subnet Isolates internal network from external networks by means of a perimeter network, called a DMZ. CSC 382: Computer Security

  5. Screened Subnet Bastion hosts isolated from internal network • Compromise of a bastion host doesn’t directly compromise internal network. • Bastion hosts also can’t sniff internal traffic, since they’re on a different subnet. No single point of failure • Attacker must compromise both exterior and interior routers to gain access to internal net. Advantages: greater security Disadvantages: higher cost and complexity CSC 382: Computer Security


  6. Screened Subnet External Access • Filtered: via interior + exterior routers • Proxied: use a bastion host as a proxy server Bastion Hosts • Proxy server • External web/ftp servers • External DNS server • E-mail gateway CSC 382: Computer Security

  7. Screened Subnet Exterior Router • Simple filtering rules • Ingress/Egress Filtering • DOS prevention • Simple ACLs • May be controlled by ISP Interior Router • Complex filtering rules. • Must protect internal network from bastion hosts as well as external network. Recommendation: use different hardware/software for interior and exterior routers. CSC 382: Computer Security

  8. Tunneling Tunneling: Encapsulation of one network protocol in another protocol • Carrier Protocol: protocol used by network through which the information is travelling • Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data • Passenger Protocol: protocol that carries original data CSC 382: Computer Security

  9. ssh Tunneling SSH can tunnel TCP connections • Carrier Protocol: IP • Encapsulating Protocol: ssh • Passenger Protocol: TCP on a specific port POP-3 forwarding ssh -L 110:pop3host:110 -l user pop3host • Uses ssh to login to pop3host as user • Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost post #)of pop3host • User configures mail client to use localhost as POP3 server, then proceeds as normal CSC 382: Computer Security

  10. Virtual Private Network (VPN) • Two or more computers or networks connected by a private tunnel through a public network (typically the Internet.) • Requirements: • Confidentiality: encryption • Integrity: MACs, sequencing, timestamps • Firewall Interactions • Tunnels can bypass firewall • Firewall is convenient place to add VPN features CSC 382: Computer Security

  11. Firewall Limitations Cannot protect from internal attacks • May be able to limit access with internal firewalls to a segment of your network. Cannot protect you from user error • Users will still run trojan horses that make it past your AV scanner. Firewall mechanism may not precisely enforce your security policy. CSC 382: Computer Security

  12. Key Points • Almost everything is spoofable. • Denial of service attacks are easy. • Port scanning • Stealth • OS Fingerprinting • Firewalls • Packet filtering • Proxying • DMZ CSC 382: Computer Security

  13. References • Steven Bellovin, “Security Problems in the TCP/IP Protocol Suite”, Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989. • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. • William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2nd edition, 2003. • Fyodor, “The Art of Port Scanning,” http://www.insecure.org/nmap/nmap_doc.html • Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html • Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting-article.html • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003. • Johnny Long, Google Hacking for Penetration Testers, Snygress, 2004. • Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 3rd edition, McGraw-Hill, 2001. • Ed Skoudis, Counter Hack, Prentice Hall, 2002. • Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2nd edition, O’Reilly & Associates, 2000. CSC 382: Computer Security