Firewalls - PowerPoint PPT Presentation
Mahalingam Ramkumar
    Presentation Transcript
    1. Mahalingam Ramkumar Firewalls

    2. Evolution of Networks
    • Centralized data processing
    • LANs
    • Premises network – interconnection of LANs and mainframes
    • Enterprise-wide network – interconnection of LANs in a private WAN
    • LANs interconnected using the Internet and using virtual private networks

    3. What is a Firewall?
    • A “choke point”
    • A location for monitoring security related events
      • Audits and alarms
    • Non-security related functions
      • NAT, network management
    • An end-point for IPSec

    4. Firewall Limitations
    • Cannot protect from attacks bypassing it
      • e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
    • Cannot protect against internal threats
      • e.g. disgruntled employee
    • Cannot protect against transfer of virus infected programs or files
      • because of the huge range of O/S & file types

    5. Firewall – Basic Types
    • Packet-Filtering Router
    • Stateful Inspection Firewalls
    • Application Level Gateway
    • Circuit Level Gateway

    6. Packet Filters

    7. Packet Filters
    • Filtering based on
      • Source IP address
      • Destination IP address
      • Source and destination transport-level address
      • IP protocol field
      • Interface (physical)
    • Rules!
      • Configuration files
      • Explicit allow / block

    8. Packet Filtering Example

    9. Attacks on Packet Filtering
    • IP address spoofing
    • Source routing attacks
    • Tiny fragment attacks
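As an added example (not part of the original slides), the following Python models the packet-filtering router of slides 7 and 9: a packet is reduced to the header fields the slide lists, rules are evaluated first-match from a configuration list, and anything not explicitly allowed is blocked. The first rule also shows the standard mitigation for the IP address spoofing attack of slide 9: a packet carrying an internal source address can never legitimately arrive on the external interface. The network prefixes, interface names and the rule set are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumptions: the site's internal network and its mail gateway.
INTERNAL_NET = "10.0.0.0/8"
MAIL_GATEWAY = "10.0.0.25/32"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-filtering router examines (slide 7)."""
    iface: str            # physical interface the packet arrived on: "ext" or "int"
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # IP protocol field: "tcp", "udp" or "icmp"
    sport: Optional[int]  # source transport-level address (None for icmp)
    dport: Optional[int]  # destination transport-level address (None for icmp)


@dataclass(frozen=True)
class Rule:
    """One line of the configuration file; a field left as None matches anything."""
    action: str                 # "allow" or "block"
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR prefix
    dst: Optional[str] = None   # CIDR prefix
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# Constructed rule set, evaluated top to bottom; the first matching rule wins.
RULES = [
    # Anti-spoofing: an internal source address arriving on the external
    # interface is forged (slide 9, IP address spoofing), so drop it first.
    Rule("block", iface="ext", src=INTERNAL_NET),
    # Inbound SMTP is allowed only to the mail gateway.
    Rule("allow", iface="ext", dst=MAIL_GATEWAY, proto="tcp", dport=25),
    # Outbound web traffic from the internal network.
    Rule("allow", iface="int", src=INTERNAL_NET, proto="tcp", dport=80),
    Rule("allow", iface="int", src=INTERNAL_NET, proto="tcp", dport=443),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return "allow" or "block"; anything not explicitly allowed is blocked."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "block"


if __name__ == "__main__":
    spoofed = Packet("ext", "10.1.2.3", "10.0.0.25", "tcp", 40000, 25)
    print("spoofed SMTP from outside:", filter_packet(spoofed))   # block
    smtp = Packet("ext", "203.0.113.7", "10.0.0.25", "tcp", 40000, 25)
    print("genuine SMTP to gateway:", filter_packet(smtp))        # allow
```

Because this filter is stateless, the replies of the mail gateway and the web servers would need their own allow rules, and those rules could not tell a genuine reply from an unsolicited packet that merely looks like one; that gap is what the stateful filters of slide 10 close.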

    10. Firewalls – Stateful Packet Filters
    • Examine each IP packet in context
      • keeps track of client-server sessions
      • checks each packet belongs to a valid session
    • Better ability to detect bogus packets “out of context”
    • A session might be pinned down by
      • Source IP and Port,
      • Dest IP and Port,
      • Protocol, and
      • Connection State
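The following is an added example, not code from the slides: a minimal stateful packet filter in Python that pins a TCP session down by exactly the tuple slide 10 names (source IP and port, destination IP and port, protocol, connection state). Only an outbound SYN from the inside may open a session; a packet from the outside is accepted only if it belongs to a session already in the table, so an unsolicited inbound packet with ACK set is rejected as "out of context" even though a stateless rule for "established" traffic would have let it through. The TCP state machine is simplified (no half-close, no timeouts) and the packet fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                # "tcp", "udp", ...
    flags: FrozenSet[str]     # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}
    direction: str            # "out" = from the internal network, "in" = from outside


SessionKey = Tuple[str, int, str, int, str]


class StatefulFilter:
    """Tracks client-server sessions; each packet must belong to a valid one."""

    def __init__(self) -> None:
        # key = (src, sport, dst, dport, proto) as seen from the session opener
        self.sessions: Dict[SessionKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> SessionKey:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> SessionKey:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def check(self, p: Packet) -> str:
        if p.proto != "tcp":
            return "block"            # UDP/ICMP pseudo-sessions are omitted here
        k, rk = self._key(p), self._reverse(p)
        teardown = "FIN" in p.flags or "RST" in p.flags

        # A new session may only be opened from the inside with a bare SYN.
        if p.direction == "out" and p.flags == {"SYN"}:
            if self.sessions.get(k) in (None, "SYN_SENT"):   # new or retransmitted SYN
                self.sessions[k] = "SYN_SENT"
                return "allow"
            return "block"

        # Reply direction: the peer's packet must fit the opener's session state.
        if rk in self.sessions:
            state = self.sessions[rk]
            if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                self.sessions[rk] = "ESTABLISHED"
                return "allow"
            if state == "ESTABLISHED":
                if teardown:
                    del self.sessions[rk]   # simplified: one FIN/RST ends the session
                return "allow"
            return "block"

        # Same direction as the opener, session already established.
        if self.sessions.get(k) == "ESTABLISHED":
            if teardown:
                del self.sessions[k]
            return "allow"

        # No matching session: bogus or unsolicited packet.
        return "block"


def run_trace(packets):
    """Feed a constructed packet trace through one filter; return the decisions."""
    f = StatefulFilter()
    return [f.check(p) for p in packets]


if __name__ == "__main__":
    trace = [
        Packet("10.0.0.5", 40000, "198.51.100.9", 443, "tcp", frozenset({"SYN"}), "out"),
        Packet("198.51.100.9", 443, "10.0.0.5", 40000, "tcp", frozenset({"SYN", "ACK"}), "in"),
        Packet("10.0.0.5", 40000, "198.51.100.9", 443, "tcp", frozenset({"ACK"}), "out"),
        # unsolicited inbound packet with ACK set: no session, so blocked
        Packet("203.0.113.7", 443, "10.0.0.5", 40001, "tcp", frozenset({"ACK"}), "in"),
    ]
    print(run_trace(trace))   # ['allow', 'allow', 'allow', 'block']
```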

    11. Firewalls - Application Level Gateway (or Proxy)

    12. Application Level Gateway
    • Application specific gateway / proxy
      • has full access to protocol
      • user requests service from proxy
      • proxy validates request as legal
      • acts on behalf of the user,
      • returns result to user
    • need separate proxies for each service
      • some services naturally support proxying
      • others are more problematic
      • custom services generally not supported

    13. Firewalls - Circuit Level Gateway

    14. Circuit Level Gateway
    • Relays two TCP connections
    • Imposes security by limiting types of connections that are allowed
    • Once created, usually relays traffic without examining contents
    • Typically used with trusted internal users (by allowing general outbound connections)
    • SOCKS (RFC 1928)
      • SOCKS server
      • SOCKS client library
      • SOCKSified versions of application programs
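As an added example (not code from the slides or from any SOCKS implementation), the following Python builds and parses the RFC 1928 messages exchanged before a circuit-level gateway relays a connection: the client's method-selection greeting, the server's method choice, the CONNECT request with an IPv4 or domain-name destination, and the server's reply. The `CircuitGateway` class plays the SOCKS server's decision step: it limits the types of connections allowed (here, by destination port) and answers "connection not allowed by ruleset" otherwise. The allowed-port list is a constructed assumption, and the relay itself (opening the second TCP connection and copying bytes) is not performed.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, AddressValueError

# Constants from RFC 1928.
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED_BY_RULESET = 0x02
REP_COMMAND_NOT_SUPPORTED = 0x07


def build_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed method-selection message")
    return list(data[2:])


def build_connect_request(host, port):
    """Client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except AddressValueError:                      # not a dotted quad: send the name
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name length must fit in one octet")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Return (cmd, destination host, port) from a client request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, end = str(IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = str(IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("bad request length")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, host, port


def build_reply(rep, bnd_addr="0.0.0.0", bnd_port=0):
    """Server -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + IPv4Address(bnd_addr).packed + struct.pack("!H", bnd_port))


class CircuitGateway:
    """Server side of the handshake: decide whether a circuit may be set up."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)   # constructed policy: ports only

    def select_method(self, greeting):
        methods = parse_greeting(greeting)
        chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NO_ACCEPTABLE
        return bytes([SOCKS_VERSION, chosen])

    def handle_request(self, request):
        cmd, host, port = parse_request(request)
        if cmd != CMD_CONNECT:
            return build_reply(REP_COMMAND_NOT_SUPPORTED)
        if port not in self.allowed_ports:
            return build_reply(REP_NOT_ALLOWED_BY_RULESET)
        # A real gateway would now connect to (host, port) and relay both
        # TCP connections without further inspection of their contents.
        return build_reply(REP_SUCCEEDED)
```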

    15. SOCKS

    16. Bastion Host
    • Highly secure host system
    • Exposed to "hostile" elements
      • hence secured to withstand attacks
    • Trusted System
    • May be single or multi-homed
    • Enforce trusted separation between network connections
    • Run circuit / application level gateways
    • Provide externally accessible services

    17. Firewall Configurations
    • Screened Host – Single Homed Bastion Host
    • Screened Host – Dual Homed Bastion Host
    • Screened Subnet

    18. Screened Host – Single Homed Bastion Host

    19. Screened Host – Dual Homed Bastion Host

    20. Screened-subnet Firewall

    21. Access Control
    • Given that the system has identified a user
    • Determine what resources they can access
    • General model - access matrix
      • subject - active entity (user, process)
      • object - passive entity (file or resource)
      • access right – way object can be accessed
    • can decompose by
      • columns as access control lists
      • rows as capability tickets

    22. Access Control Matrix
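Added example for slides 21 and 22 (not code from the original presentation): a constructed access matrix of subjects, objects and rights, decomposed both by column into access control lists and by row into capability tickets, with a check that the two decompositions answer every (subject, object, right) query identically. The subjects, objects and rights are sample values made up for the illustration.

```python
from collections import defaultdict

# Constructed sample access matrix: (subject, object) -> set of access rights.
# Subjects are active entities (users, processes); objects are files or resources.
MATRIX = {
    ("alice",  "payroll.db"): {"read", "write"},
    ("alice",  "report.txt"): {"read"},
    ("bob",    "report.txt"): {"read", "write"},
    ("backup", "payroll.db"): {"read"},
}


def to_acls(matrix):
    """Column decomposition: object -> {subject: rights} (access control lists)."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Row decomposition: subject -> {object: rights} (capability tickets)."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def acl_permits(acls, subject, obj, right):
    """Reference-monitor check against the object's ACL; absent entries deny."""
    return right in acls.get(obj, {}).get(subject, set())


def cap_permits(caps, subject, obj, right):
    """Reference-monitor check against the subject's capability list."""
    return right in caps.get(subject, {}).get(obj, set())


def decompositions_agree(matrix, subjects, objects, rights):
    """Both views are derived from one matrix, so every query must agree."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    return all(acl_permits(acls, s, o, r) == cap_permits(caps, s, o, r)
               for s in subjects for o in objects for r in rights)


def revoke_subject(matrix, subject):
    """Remove a subject entirely (e.g. account deletion); returns a new matrix.
    With capability tickets this is one row; with ACLs every object's list
    must be scanned, which is the classic trade-off between the two views."""
    return {k: set(v) for k, v in matrix.items() if k[0] != subject}


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("ACL for payroll.db:", acls["payroll.db"])
    print("capabilities of alice:", caps["alice"])
    print("bob may write payroll.db:", acl_permits(acls, "bob", "payroll.db", "write"))
```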

    23. Trusted Computer Systems
    • Varying degrees of sensitivity of information
      • military classifications: confidential, secret, TS, etc.
    • Subjects (people or programs) have varying rights of access to objects (information)
    • Need to consider ways of increasing confidence in systems to enforce these rights
    • Multilevel security
      • subjects have maximum & current security level
      • objects have a fixed security level classification

    24. Bell LaPadula (BLP) Model
    • One of the well-known security models
    • Implemented as mandatory policies on system
    • Two key policies:
      • no read up (simple security property)
        • a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
      • no write down (*-property)
        • a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
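Added example for slides 23 and 24 (not code from the presentation): a Python reference monitor that enforces the two BLP policies over the ordered levels of slide 23. Subjects carry a maximum and a current level, objects a fixed classification; `can_read` implements the simple security property (the subject's current level must dominate the object's classification) and `can_write` the *-property (the object's classification must dominate the subject's current level). A subject may lower its current level, which is how it becomes able to write a lower-classified object without ever being able to read higher ones. The level names and the sample subjects and objects are constructed.

```python
from dataclasses import dataclass

# Ordered security levels; a higher index dominates a lower one (equal levels
# dominate each other, matching the >= and <= on the slide).
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def dominates(a: str, b: str) -> bool:
    """True if level a >= level b in the classification order."""
    return LEVELS.index(a) >= LEVELS.index(b)


@dataclass
class Subject:
    name: str
    max_level: str        # clearance: upper bound on the current level
    current_level: str

    def set_current_level(self, level: str) -> None:
        # A subject may move its current level up or down, but never above its clearance.
        if not dominates(self.max_level, level):
            raise PermissionError(f"{self.name} is not cleared for {level}")
        self.current_level = level


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # fixed for the life of the object


def can_read(subject: Subject, obj: Resource) -> bool:
    """Simple security property (no read up)."""
    return dominates(subject.current_level, obj.classification)


def can_write(subject: Subject, obj: Resource) -> bool:
    """*-property (no write down): writing is allowed only at or above the current level."""
    return dominates(obj.classification, subject.current_level)


def access(subject: Subject, obj: Resource, op: str) -> bool:
    """Mandatory decision point; 'write' covers append as on the slide."""
    if op == "read":
        return can_read(subject, obj)
    if op in ("write", "append"):
        return can_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = Subject("analyst", max_level="secret", current_level="secret")
    plans = Resource("plans", "top secret")
    memo = Resource("memo", "confidential")
    print("read memo:", access(analyst, memo, "read"))      # True
    print("read plans:", access(analyst, plans, "read"))    # False (no read up)
    print("write plans:", access(analyst, plans, "write"))  # True (write up is allowed)
    print("write memo:", access(analyst, memo, "write"))    # False (no write down)
```

Note that the *-property permits writing upward, which is what stops a secret-level process from leaking what it has read into a confidential file; the price is that the analyst must drop to the confidential level, and thereby lose read access to secret data, before editing the memo.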