Firewalls - PowerPoint PPT Presentation
    Presentation Transcript
    1. Firewalls CSE 5349/7349

    2. Firewalls
    • Most widely sold solution for Internet security
    • "Solution in a box" appeal
    • Not a substitute for proper configuration management
    • Firewall needs to be configured properly for intended protection

    3. Types of Firewalls
    • IP packet level
      • Packet filtering
    • TCP session level
      • Circuit gateways
    • Application level
      • Application relays/gateways
    • Dynamic packet filtering
      • Combination of packet filtering and circuit-level gateways, often with application level semantics
    • NATs, IDSs, logging
    • Ingress vs. egress filtering

    4. Firewalls and OSI Layers
    OSI Model Layer            Firewall Functionality
    7 - Application            Application level proxies, forward and reverse proxies
    6 - Presentation
    5 - Session                Stateful firewall
    4 - Transport (TCP/UDP)    Port filtering, circuit level proxy
    3 - Network (IP)           Packet filtering, address filtering, packet filtering firewall
    2 - Data Link
    1 - Physical

    5. Packet Filters
    • Read the header and filter by whether fields match specific rules
    • Administrator makes a list of acceptable/unacceptable field values
    • Ingress/egress filtering
    • Come in standard, specialized, and stateful models
    • Weaknesses
      • Easy to botch rules
      • Logging difficult
      • Lack of authentication between end points

    6. Network Topology and Address Spoofing
    • Consider a three-network (N1, N2, and N3) system with one router firewall
      • N1 is the DMZ net connecting to the GW
      • Very limited connection between GW and outside
      • Very limited connection (a different set) between GW and N2/N3 (Why?)
      • Anything can pass between N2 and N3
      • Outgoing connections only from N2 or N3
    • How to set the packet filter rules
      • External nodes can spoof internal addresses: block all packets from outside whose source address is an internal address
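To make slides 5 and 6 concrete, here is an added packet-filter rule engine (illustration only, not code from the slides or the course): a first-match rule list evaluated per packet, with the anti-spoofing rules for the external interface placed ahead of the accept rules. The networks (N1 as DMZ, N2, N3), the interface names "ext"/"int", the DMZ web server address and every rule are constructed for the example. It also shows the "easy to botch rules" point: the same rules in a different order let a spoofed packet through.

```python
"""Stateless packet filter with first-match rules and anti-spoofing.
Added illustration, not code from the slides; all addresses, interface
names and rules are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: N1 is the DMZ net, N2 and N3 are internal user nets.
INTERNAL_NETS = [ip_network("10.1.0.0/24"),   # N1 (DMZ)
                 ip_network("10.2.0.0/24"),   # N2
                 ip_network("10.3.0.0/24")]   # N3


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    iface: Optional[str] = None   # None means "any" for every field below
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    name: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules, p: Packet, default="drop"):
    """First matching rule wins; returns (action, rule name)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default, "default"


# Anti-spoofing rules go FIRST: a packet arriving on the external interface
# claiming an internal source address cannot be legitimate.
ANTI_SPOOF = [Rule("drop", iface="ext", src=str(n), name=f"spoof:{n}")
              for n in INTERNAL_NETS]

RULES = ANTI_SPOOF + [
    # Outside may reach only the DMZ web server (constructed address) on 80/443.
    Rule("accept", iface="ext", dst="10.1.0.80/32", proto="tcp", dport=80, name="ext->dmz-http"),
    Rule("accept", iface="ext", dst="10.1.0.80/32", proto="tcp", dport=443, name="ext->dmz-https"),
    # Anything can pass between N2 and N3.
    Rule("accept", iface="int", src="10.2.0.0/24", dst="10.3.0.0/24", name="n2->n3"),
    Rule("accept", iface="int", src="10.3.0.0/24", dst="10.2.0.0/24", name="n3->n2"),
    # Outgoing connections only from N2 or N3.
    Rule("accept", iface="int", src="10.2.0.0/24", name="n2-out"),
    Rule("accept", iface="int", src="10.3.0.0/24", name="n3-out"),
]

# A botched ordering: same rules, but the accepts come before the spoof drops.
BOTCHED = RULES[len(ANTI_SPOOF):] + ANTI_SPOOF

if __name__ == "__main__":
    spoofed = Packet("ext", "10.2.0.5", "10.1.0.80", "tcp", 80)
    print("correct order:", evaluate(RULES, spoofed))
    print("botched order:", evaluate(BOTCHED, spoofed))
```

The default policy is drop, so anything the rules do not name is refused; the spoofed packet is dropped under RULES but accepted under BOTCHED because the web-server accept rule never looks at the source address.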

    7. Routing Filters
    • Perfect security if the node is completely unreachable
    • Routers do not advertise internal routes
    • Output route filtering
    • Input route filtering?
    • To prevent subversion by route confusion
    • Route leaks

    8. Stateful Packet Filters (SPFs)
    • Track the last few minutes of network activity
    • If a packet doesn't fit in, drop it
    • Stronger inspection engines search for information inside the packet's data
      • Have to collect and assemble packets in order to have enough data
    • Examples: Firewall One, SeattleLabs, ipfilter
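The first two bullets of slide 8 are the whole idea of a stateful filter, so here is an added example (not code from the slides) of the connection table behind them: an entry is created when a SYN leaves the inside, return traffic is admitted only while a matching entry is fresh, and entries are forgotten after a timeout. The addresses, ports, the 120-second timeout and the "out"/"in" direction labels are constructed; time is passed in explicitly so the expiry behaviour can be shown deterministically.

```python
"""Stateful packet filter: remembers flows opened from the inside and admits
return traffic only while the entry is fresh. Added illustration, not code
from the slides; addresses, ports and the timeout are constructed."""
from dataclasses import dataclass

TIMEOUT = 120.0  # seconds of inactivity after which a flow entry is forgotten


@dataclass(frozen=True)
class Pkt:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> last time seen
        self.table = {}

    @staticmethod
    def _key(p: Pkt):
        # Normalise to (inside, outside) so both directions hit the same entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float):
        # "Last few minutes of activity": drop entries idle longer than TIMEOUT.
        for k in [k for k, t in self.table.items() if now - t > TIMEOUT]:
            del self.table[k]

    def decide(self, p: Pkt, now: float):
        """Return (action, reason) for packet p observed at time `now`."""
        self._expire(now)
        key = self._key(p)
        if p.direction == "out" and p.syn and not p.ack:
            self.table[key] = now            # new flow initiated from inside
            return "accept", "new-outbound"
        if key in self.table:
            self.table[key] = now            # packet fits a known flow: refresh
            return "accept", "established"
        if p.direction == "in":
            return "drop", "unsolicited"      # nothing inside asked for this
        return "drop", "out-of-state"         # outbound but not part of a known flow


if __name__ == "__main__":
    f = StatefulFilter()
    print(f.decide(Pkt("out", "10.2.0.5", 40000, "203.0.113.7", 443, syn=True), 0.0))
    print(f.decide(Pkt("in", "203.0.113.7", 443, "10.2.0.5", 40000, syn=True, ack=True), 0.1))
    print(f.decide(Pkt("in", "203.0.113.7", 443, "10.2.0.5", 40000, ack=True), 200.0))
```

Note what the table does not do: it keys only on addresses and ports, so a reply from a different outside host to the same inside port does not fit and is dropped, and it performs no reassembly, which is why the slide's "stronger inspection engines" need to collect and assemble packets before they can look inside the data.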

    9. Packet Filtering Performance
    • May affect the router's optimization in handling packets
    • Still, the serial link from the router to the Internet may be the bottleneck
    • Keep the rules simple and uniform
    • Order the rules so that the most common type of traffic gets through first

    10. Proxy Firewalls
    • Pass data between two separate connections, one on each side of the firewall
    • Types:
      • Circuit level proxy
      • Application proxy
      • Store and forward proxy
    • Higher latency and lower throughput

    11. Circuit Level Proxy
    • Client connects to the relay host and requests a connection to the server
    • FW connects to the server
    • Server usually does not get details such as the IP address of the client
    • All IP tricks are stopped at the relay host
      • Fragments
      • Firewalking probes

    12. Application Proxy
    • FW transfers only acceptable information between the two connections
    • The proxy can understand the protocol and filter the data within
    • Example: mail proxies
    • Usually store-and-forward
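Slide 12 says an application proxy understands the protocol and relays only acceptable information, and names mail proxies as the example. The following added code (not from the slides or any real mail proxy) sketches the command-filtering half of such a proxy for SMTP: each client command is parsed, only a constructed allow-list of verbs is relayed to the server, the client's own host name in HELO/EHLO is replaced with the relay's name so the server never sees it (the point slide 11 makes for circuit proxies), and malformed MAIL/RCPT arguments are refused. The allow-list, the relay name and the sample session are constructed.

```python
"""Application-level SMTP command filter, the part of a mail proxy that
decides what to relay. Added illustration, not code from the slides or any
real proxy; the policy, relay name and sample session are constructed."""

# Constructed policy: verbs the relay is willing to pass to the server.
ALLOWED = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
PROXY_NAME = "relay.example.net"   # constructed name shown to the server instead of the client's


def filter_command(line: str):
    """Parse one client command line.

    Returns (line_to_relay, reply_to_client); exactly one of the two is set.
    """
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        # Not on the allow-list: answer the client ourselves, never forward.
        return None, "502 command not permitted by relay"
    if verb in ("HELO", "EHLO"):
        # Hide the internal host name; the server only ever sees the relay.
        return f"{verb} {PROXY_NAME}", None
    if verb in ("MAIL", "RCPT"):
        # Require the "FROM:<...>" / "TO:<...>" shape before relaying.
        prefix = "FROM:" if verb == "MAIL" else "TO:"
        if not arg.upper().startswith(prefix) or "<" not in arg or ">" not in arg:
            return None, "501 syntax error in parameters"
    return f"{verb} {arg}".rstrip(), None


def run_session(client_lines):
    """Relay a list of client command lines; return (relayed, local_replies)."""
    relayed, replies = [], []
    for line in client_lines:
        out, reply = filter_command(line)
        if out is not None:
            relayed.append(out)
        if reply is not None:
            replies.append(reply)
    return relayed, replies


# Constructed sample session from an internal workstation.
SAMPLE_SESSION = [
    "EHLO workstation7.corp.internal",
    "VRFY root",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    relayed, replies = run_session(SAMPLE_SESSION)
    print("relayed to server:", relayed)
    print("answered locally:", replies)
```

The message body after DATA would be handled by the store-and-forward side of the proxy, which this sketch leaves out; the point here is that the server connection only ever carries lines the proxy itself composed.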

    13. Caching Proxies
    • Client asks the firewall for a document; the firewall downloads the document, saves it to disk, and provides it to the client. The firewall may cache the document
    • Can do data filtering
    • More administration time, hardware, and cost

    14. Network Address Translation (NAT)
    • Changes IP addresses in a packet
    • Address of the client inside never shows up outside
    • Many IPs inside to many static IPs outside
    • Many IPs inside to many random IPs outside
    • Many IPs inside to one IP address outside
    • Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter
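The "many IPs inside to one IP address outside" case is the one where the translation table has to do real work, since two inside hosts may use the same source port. The added example below (not code from the slides or from any of the products listed) keeps that table: outbound packets get the single external address and an allocated port, replies are mapped back to the inside host, and anything arriving for a port with no mapping is dropped. The external address, the port pool and all sample flows are constructed.

```python
"""Many-to-one NAT (masquerading) translation table. Added illustration, not
code from the slides or any listed product; addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    def __init__(self, external_ip: str, port_range=(40000, 40999)):
        self.ext = external_ip
        self.free = list(range(port_range[0], port_range[1] + 1))  # constructed pool
        self.out_map = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> ext_port
        self.in_map = {}    # (ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, f: Flow):
        """Rewrite an inside->outside packet; returns the translated Flow or None."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.out_map.get(key)
        if port is None:
            if not self.free:
                return None                      # pool exhausted: drop
            port = self.free.pop(0)
            self.out_map[key] = port
            self.in_map[(port, f.dst, f.dport)] = (f.src, f.sport)
        # The inside address never appears in what leaves the firewall.
        return Flow(self.ext, port, f.dst, f.dport)

    def inbound(self, f: Flow):
        """Rewrite a reply addressed to ext:port; returns the inside Flow or None."""
        inner = self.in_map.get((f.dport, f.src, f.sport))
        if inner is None:
            return None                          # no mapping: unsolicited, drop
        inside_ip, inside_port = inner
        return Flow(f.src, f.sport, inside_ip, inside_port)


if __name__ == "__main__":
    nat = Masquerade("198.51.100.1")
    print(nat.outbound(Flow("10.2.0.5", 51000, "203.0.113.7", 80)))
    print(nat.outbound(Flow("10.3.0.9", 51000, "203.0.113.7", 80)))
    print(nat.inbound(Flow("203.0.113.7", 80, "198.51.100.1", 40001)))
```

Because the reverse map is keyed on the remote address and port as well as the external port, a packet from some other outside host to an allocated port is not translated; a real implementation would also age mappings out, as the stateful filter on slide 8 does for its flow entries.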

    15. Logging
    • Cheap solution to most behavioral problems
    • Program logging
      • syslog / NT event log
    • Sniffers
      • TCPdump, SSLdump, Argus, Network General, HP OpenView
    • Downside
      • Overhead intensive
      • Does not prevent damage (more reactive than proactive)

    16. Firewall Pitfalls
    • Single point of failure
    • Useful ones are difficult to configure and integrate
    • Performance requirements tend to create back doors
    • False sense of security
    • May be 40% protection against the top attacks

    17. Where to Put FW

    18. Where (cont'd)

    19.

    20. DMZ
    • Neither internal nor external
    • Placed between the external router and the bastion host
    • Idea is to minimize the services and hence potential attacks
      • Example: for a web server, stop everything but HTTP
    • Multiple zones for increased availability/security

    21. Distributed Firewalls (DFWs)
    • To avoid a single point of failure (S-P-O-F)
    • To distribute risks
    • Better scalability
    • Trend to use sophisticated protocols
      • IPsec
      • Instead of IP headers, use authentication codes

    22. Switched Firewalls (Air-gap Technology)