0
FirewallsFirewalls
by Akhil Sharmaby Akhil Sharma
akhil.sharma.ak@gmail.comakhil.sharma.ak@gmail.com
What is a Firewall?What is a Firewall?
 AA choke pointchoke point of control and monitoringof control and monitoring
 In...
Classification of FirewallClassification of Firewall
Characterized by protocol level it controls inCharacterized by protoc...
Firewalls – Packet FiltersFirewalls – Packet Filters
Firewalls – Packet FiltersFirewalls – Packet Filters
 Simplest of componentsSimplest of components
 Uses transport-layer...
Usage of Packet FiltersUsage of Packet Filters
 Filtering with incoming or outgoing interfacesFiltering with incoming or ...
How to Configure a Packet FilterHow to Configure a Packet Filter
 Start with a security policyStart with a security polic...
Every ruleset is followed by an implicit ruleEvery ruleset is followed by an implicit rule
reading like this.reading like ...
Solution 1:Solution 1:
Example 2:Example 2:
Now suppose that we want to implement theNow suppose that we want to implement...
Solution 2:Solution 2:
This solution allows calls to come from anyThis solution allows calls to come from any
port on an i...
 Our defined restriction is based solely on theOur defined restriction is based solely on the
outside host’s port number,...
 The ACK signifies that the packet is part of anThe ACK signifies that the packet is part of an
ongoing conversationongoi...
Security & Performance of Packet FiltersSecurity & Performance of Packet Filters
 IP address spoofingIP address spoofing
...
Port NumberingPort Numbering
 TCP connectionTCP connection
 Server port is number less than 1024Server port is number le...
Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters
 Traditional packet filters do not examine higherT...
Stateful FilteringStateful Filtering
Firewall OutlinesFirewall Outlines
 Packet filteringPacket filtering
 Application gatewaysApplication gateways
 Circuit...
Firewall GatewaysFirewall Gateways
 Firewall runs set of proxy programsFirewall runs set of proxy programs
 Proxies filt...
Firewalls -Firewalls - Application LevelApplication Level
Gateway (or Proxy)Gateway (or Proxy)
Application-Level FilteringApplication-Level Filtering
 Has full access to protocolHas full access to protocol
 user req...
App-level Firewall ArchitectureApp-level Firewall Architecture
Daemon spawns proxy when communication detectedDaemon spawn...
Enforce policy for specific protocolsEnforce policy for specific protocols
 E.g., Virus scanning for SMTPE.g., Virus scan...
Firewall OutlinesFirewall Outlines
 Packet filteringPacket filtering
 Application gatewaysApplication gateways
 Circuit...
Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway
Figure 9.7: A typical SOCKS connection through interface A,
and rogue connection through the external interface, B.
Bastion HostBastion Host
 Highly secure host systemHighly secure host system
 Potentially exposed to "hostile" elementsP...
Screened Host ArchitectureScreened Host Architecture
Screened Subnet Using Two RoutersScreened Subnet Using Two Routers
Firewalls Aren’t Perfect?Firewalls Aren’t Perfect?
 Useless against attacks from the insideUseless against attacks from t...
QuizQuiz
 In this question, we explore some applications andIn this question, we explore some applications and
limitation...
 Can the firewall prevent external users from exploiting aCan the firewall prevent external users from exploiting a
secur...
Backup SlidesBackup Slides
Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway
 Relays two TCP connectionsRelays two TCP connections
...
Firewall OutlinesFirewall Outlines
 Packet filteringPacket filtering
 Application gatewaysApplication gateways
 Circuit...
Dynamic Packet FiltersDynamic Packet Filters
 Most commonMost common
 Provide good administrators protection and fullPro...
1.2.3.4
Intended connection from 1.2.3.4 to 5.6.7.8
5.6.7.81.2.3.45.6.7.8
Firewall
Redialing on a dynamic packet filter. T...
1.2.3.4
5.6.7.810.11.12.135.6.7.8
Application
Proxy
Firewall
Intended connection from 1.2.3.4 to 5.6.7.8
A dynamic packet ...
Figure 9.2: A firewall router with multiple internal networks.
Filter Rule: Open access to Net 2 means source
address from...
Address-SpoofingAddress-Spoofing
 Detection is virtually impossible unless source-Detection is virtually impossible unles...
External Interface RulesetExternal Interface Ruleset
Allow outgoing calls, permit incoming calls onlyAllow outgoing calls,...
Net 1 Router Interface RulesetNet 1 Router Interface Ruleset
 Gateway machine speaks directly only to otherGateway machin...
How Many Routers Do We Need?How Many Routers Do We Need?
 If routers only support outgoing filtering, we need two:If rout...
Routing FiltersRouting Filters
 All nodes are somehow reachable from theAll nodes are somehow reachable from the
Internet...
Routing Filters (cont)Routing Filters (cont)
 Packet filters obviate the need for route filtersPacket filters obviate the...
Dual Homed Host ArchitectureDual Homed Host Architecture
Asymmetric RoutesAsymmetric Routes
 Both sides of the firewall know nothing of oneBoth sides of the firewall know nothing...
Are Dynamic Packet Filters Safe?Are Dynamic Packet Filters Safe?
 Comparable to that of circuit gateways, as longComparab...
Distributed FirewallsDistributed Firewalls
 A central management node sets the security policyA central management node s...
Distributed Firewalls DrawbackDistributed Firewalls Drawback
 Allowing in certain services works if and only ifAllowing i...
Where to Filter?Where to Filter?
 Balance between risk and costsBalance between risk and costs
 Always a higher layer th...
Dynamic Packet Filter ImplementationDynamic Packet Filter Implementation
 Dynamically update packet filter’s rulesetDynam...
Per-Interface Tables Consulted byPer-Interface Tables Consulted by
Dynamic Packet FilterDynamic Packet Filter
 Active Con...
Upcoming SlideShare
Loading in...5
×

Firewalls

239

Published on

introduction to firewalls

Published in: Education, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
239
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context.
  • Gateway is like a NAT box, ie, a home router.
  • One advantage over normal packet filters: the IP addr is changed. So no internal IP addr is leaked out.
    A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access.
    One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients.
  • Transcript of "Firewalls"

    1. 1. FirewallsFirewalls by Akhil Sharmaby Akhil Sharma akhil.sharma.ak@gmail.comakhil.sharma.ak@gmail.com
    2. 2. What is a Firewall?What is a Firewall?  AA choke pointchoke point of control and monitoringof control and monitoring  Interconnects networks with differing trustInterconnects networks with differing trust  Imposes restrictions on network servicesImposes restrictions on network services  only authorized traffic is allowedonly authorized traffic is allowed  Auditing and controlling accessAuditing and controlling access  can implement alarms for abnormal behaviorcan implement alarms for abnormal behavior  Itself immune to penetrationItself immune to penetration  ProvidesProvides perimeter defenceperimeter defence
    3. 3. Classification of FirewallClassification of Firewall Characterized by protocol level it controls inCharacterized by protocol level it controls in  Packet filteringPacket filtering  Circuit gatewaysCircuit gateways  Application gatewaysApplication gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
    4. 4. Firewalls – Packet FiltersFirewalls – Packet Filters
    5. 5. Firewalls – Packet FiltersFirewalls – Packet Filters  Simplest of componentsSimplest of components  Uses transport-layer information onlyUses transport-layer information only  IP Source Address, Destination AddressIP Source Address, Destination Address  Protocol/Next Header (TCP, UDP, ICMP, etc)Protocol/Next Header (TCP, UDP, ICMP, etc)  TCP or UDP source & destination portsTCP or UDP source & destination ports  TCP Flags (SYN, ACK, FIN, RST, PSH, etc)TCP Flags (SYN, ACK, FIN, RST, PSH, etc)  ICMP message typeICMP message type  ExamplesExamples  DNS uses port 53DNS uses port 53  No incoming port 53 packets except known trusted serversNo incoming port 53 packets except known trusted servers
    6. 6. Usage of Packet FiltersUsage of Packet Filters  Filtering with incoming or outgoing interfacesFiltering with incoming or outgoing interfaces  E.g., Ingress filtering of spoofed IP addressesE.g., Ingress filtering of spoofed IP addresses  Egress filteringEgress filtering  Permits or denies certain servicesPermits or denies certain services  Requires intimate knowledge of TCP and UDP portRequires intimate knowledge of TCP and UDP port utilization on a number of operating systemsutilization on a number of operating systems
    7. 7. How to Configure a Packet FilterHow to Configure a Packet Filter  Start with a security policyStart with a security policy  Specify allowable packets in terms of logicalSpecify allowable packets in terms of logical expressions on packet fieldsexpressions on packet fields  Rewrite expressions in syntax supported by yourRewrite expressions in syntax supported by your vendorvendor  General rules - least privilegeGeneral rules - least privilege  All that is not expressly permitted is prohibitedAll that is not expressly permitted is prohibited  If you do not need it, eliminate itIf you do not need it, eliminate it
    8. 8. Every ruleset is followed by an implicit ruleEvery ruleset is followed by an implicit rule reading like this.reading like this. Example 1:Example 1: Suppose we want to allow inbound mailSuppose we want to allow inbound mail (SMTP, port 25) but only to our gateway(SMTP, port 25) but only to our gateway machine. Also suppose that mail from somemachine. Also suppose that mail from some particular site SPIGOT is to be blocked.particular site SPIGOT is to be blocked.
    9. 9. Solution 1:Solution 1: Example 2:Example 2: Now suppose that we want to implement theNow suppose that we want to implement the policy “any inside host can send mail to thepolicy “any inside host can send mail to the outside”.outside”.
    10. 10. Solution 2:Solution 2: This solution allows calls to come from anyThis solution allows calls to come from any port on an inside machine, and will direct themport on an inside machine, and will direct them to port 25 on the outside. Simple enough…to port 25 on the outside. Simple enough… So why is it wrong?So why is it wrong?
    11. 11.  Our defined restriction is based solely on theOur defined restriction is based solely on the outside host’s port number, which we have nooutside host’s port number, which we have no way of controlling.way of controlling.  Now an enemy can access any internal machinesNow an enemy can access any internal machines and port by originating his call from port 25 onand port by originating his call from port 25 on the outside machine.the outside machine. What can be a better solution ?What can be a better solution ?
    12. 12.  The ACK signifies that the packet is part of anThe ACK signifies that the packet is part of an ongoing conversationongoing conversation  Packets without the ACK are connectionPackets without the ACK are connection establishment messages, which we are onlyestablishment messages, which we are only permitting from internal hostspermitting from internal hosts
    13. 13. Security & Performance of Packet FiltersSecurity & Performance of Packet Filters  IP address spoofingIP address spoofing  Fake source address to be trustedFake source address to be trusted  Add filters on router to blockAdd filters on router to block  Tiny fragment attacksTiny fragment attacks  Split TCP header info over several tiny packetsSplit TCP header info over several tiny packets  Either discard or reassemble before checkEither discard or reassemble before check  Degradation depends on number of rules applied atDegradation depends on number of rules applied at any pointany point  Order rules so that most common traffic is dealt withOrder rules so that most common traffic is dealt with firstfirst  Correctness is more important than speedCorrectness is more important than speed
    14. 14. Port NumberingPort Numbering  TCP connectionTCP connection  Server port is number less than 1024Server port is number less than 1024  Client port is number between 1024 and 16383Client port is number between 1024 and 16383  Permanent assignmentPermanent assignment  Ports <1024 assigned permanentlyPorts <1024 assigned permanently  20,21 for FTP 23 for Telnet20,21 for FTP 23 for Telnet  25 for server SMTP 80 for HTTP25 for server SMTP 80 for HTTP  Variable useVariable use  Ports >1024 must be available for client to make anyPorts >1024 must be available for client to make any connectionconnection  This presents a limitation for stateless packet filteringThis presents a limitation for stateless packet filtering  IfIf client wants to use port 2048, firewall must allowclient wants to use port 2048, firewall must allow incomingincoming traffic on this porttraffic on this port  Better: stateful filtering knows outgoing requestsBetter: stateful filtering knows outgoing requests
    15. 15. Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters  Traditional packet filters do not examine higherTraditional packet filters do not examine higher layer contextlayer context  ie matching return packets with outgoing flowie matching return packets with outgoing flow  Stateful packet filters address this needStateful packet filters address this need  They examine each IP packet in contextThey examine each IP packet in context  Keep track of client-server sessionsKeep track of client-server sessions  Check each packet validly belongs to oneCheck each packet validly belongs to one  Hence are better able to detect bogus packetsHence are better able to detect bogus packets out of contextout of context
    16. 16. Stateful FilteringStateful Filtering
    17. 17. Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
    18. 18. Firewall GatewaysFirewall Gateways  Firewall runs set of proxy programsFirewall runs set of proxy programs  Proxies filter incoming, outgoing packetsProxies filter incoming, outgoing packets  All incoming traffic directed to firewallAll incoming traffic directed to firewall  All outgoing traffic appears to come from firewallAll outgoing traffic appears to come from firewall  Policy embedded in proxy programsPolicy embedded in proxy programs  Two kinds of proxiesTwo kinds of proxies  Application-level gateways/proxiesApplication-level gateways/proxies  Tailored to http, ftp, smtp, etc.Tailored to http, ftp, smtp, etc.  Circuit-level gateways/proxiesCircuit-level gateways/proxies  Working on TCP levelWorking on TCP level
    19. 19. Firewalls -Firewalls - Application LevelApplication Level Gateway (or Proxy)Gateway (or Proxy)
    20. 20. Application-Level FilteringApplication-Level Filtering  Has full access to protocolHas full access to protocol  user requests service from proxyuser requests service from proxy  proxy validates request as legalproxy validates request as legal  then actions request and returns result to userthen actions request and returns result to user  Need separate proxies for each serviceNeed separate proxies for each service  E.g., SMTP (E-Mail)E.g., SMTP (E-Mail)  NNTP (Net news)NNTP (Net news)  DNS (Domain Name System)DNS (Domain Name System)  NTP (Network Time Protocol)NTP (Network Time Protocol)  custom services generally not supportedcustom services generally not supported
    21. 21. App-level Firewall ArchitectureApp-level Firewall Architecture Daemon spawns proxy when communication detectedDaemon spawns proxy when communication detected …… Network Connection Telnet daemon SMTP daemon FTP daemon Telnet proxy FTP proxy SMTP proxy
    22. 22. Enforce policy for specific protocolsEnforce policy for specific protocols  E.g., Virus scanning for SMTPE.g., Virus scanning for SMTP  Need to understand MIME, encoding, Zip archivesNeed to understand MIME, encoding, Zip archives
    23. 23. Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
    24. 24. Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway
    25. 25. Figure 9.7: A typical SOCKS connection through interface A, and rogue connection through the external interface, B.
    26. 26. Bastion HostBastion Host  Highly secure host systemHighly secure host system  Potentially exposed to "hostile" elementsPotentially exposed to "hostile" elements  Hence is secured to withstand thisHence is secured to withstand this  Disable all non-required services; keep it simpleDisable all non-required services; keep it simple  Trusted to enforce trusted separation betweenTrusted to enforce trusted separation between network connectionsnetwork connections  Runs circuit / application level gatewaysRuns circuit / application level gateways  Install/modify services you wantInstall/modify services you want  Or provides externally accessible servicesOr provides externally accessible services
    27. 27. Screened Host ArchitectureScreened Host Architecture
    28. 28. Screened Subnet Using Two RoutersScreened Subnet Using Two Routers
    29. 29. Firewalls Aren’t Perfect?Firewalls Aren’t Perfect?  Useless against attacks from the insideUseless against attacks from the inside  Evildoer exists on insideEvildoer exists on inside  Malicious code is executed on an internal machineMalicious code is executed on an internal machine  Organizations with greater insider threatOrganizations with greater insider threat  Banks and MilitaryBanks and Military  Protection must exist at each layerProtection must exist at each layer  Assess risks of threats at every layerAssess risks of threats at every layer  Cannot protect against transfer of all virusCannot protect against transfer of all virus infected programs or filesinfected programs or files  because of huge range of O/S & file typesbecause of huge range of O/S & file types
    30. 30. QuizQuiz  In this question, we explore some applications andIn this question, we explore some applications and limitations of a stateless packet filtering firewall. Forlimitations of a stateless packet filtering firewall. For each of the question, briefly explain how the firewalleach of the question, briefly explain how the firewall should be configured to defend against the attack, orshould be configured to defend against the attack, or why the firewall cannot defend against the attack.why the firewall cannot defend against the attack.  Can the firewall prevent a SYN flood denial-of-serviceCan the firewall prevent a SYN flood denial-of-service attack from the external network?attack from the external network?  Can the firewall prevent a Smurf attack from the externalCan the firewall prevent a Smurf attack from the external network? Recall that as we discussed in the class before,network? Recall that as we discussed in the class before, the Smurf attack uses the broadcast IP address of thethe Smurf attack uses the broadcast IP address of the subnet.subnet.
    31. 31.  Can the firewall prevent external users from exploiting aCan the firewall prevent external users from exploiting a security bug in a CGI script on an internal web server (thesecurity bug in a CGI script on an internal web server (the web server is serving requests from the Internet)?web server is serving requests from the Internet)?  Can the firewall prevent an online password dictionaryCan the firewall prevent an online password dictionary attack from the external network on the telnet port of anattack from the external network on the telnet port of an internal machine?internal machine?  Can the firewall prevent a user on the external networkCan the firewall prevent a user on the external network from opening a window on an X server in the internalfrom opening a window on an X server in the internal network? Recall that by default an X server listens fornetwork? Recall that by default an X server listens for connections on port 6000connections on port 6000  Can the firewall block a virus embedded in an incomingCan the firewall block a virus embedded in an incoming email?email?  Can the firewall be used to block users on the internalCan the firewall be used to block users on the internal network from browsing a specific external IP address?network from browsing a specific external IP address?
    32. 32. Backup SlidesBackup Slides
    33. 33. Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway  Relays two TCP connectionsRelays two TCP connections  Imposes security by limiting which suchImposes security by limiting which such connections are allowedconnections are allowed  Once created usually relays traffic withoutOnce created usually relays traffic without examining contentsexamining contents  Typically used when trust internal users byTypically used when trust internal users by allowing general outbound connectionsallowing general outbound connections  SOCKS commonly used for thisSOCKS commonly used for this
    34. 34. Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
    35. 35. Dynamic Packet FiltersDynamic Packet Filters  Most commonMost common  Provide good administrators protection and fullProvide good administrators protection and full transparencytransparency  Network given full control over trafficNetwork given full control over traffic  Captures semantics of a connectionCaptures semantics of a connection
    36. 36. 1.2.3.4 Intended connection from 1.2.3.4 to 5.6.7.8 5.6.7.81.2.3.45.6.7.8 Firewall Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The Firewall impersonates each endpoint to the other.
    37. 37. 1.2.3.4 5.6.7.810.11.12.135.6.7.8 Application Proxy Firewall Intended connection from 1.2.3.4 to 5.6.7.8 A dynamic packet filter with an application proxy. Note the change in source address
    38. 38. Figure 9.2: A firewall router with multiple internal networks. Filter Rule: Open access to Net 2 means source address from Net 3 • Why not spoof address from Net 3? Network TopologyNetwork Topology
    39. 39. Address-SpoofingAddress-Spoofing  Detection is virtually impossible unless source-Detection is virtually impossible unless source- address filtering and logging are doneaddress filtering and logging are done  One should not trust hosts outside of one’sOne should not trust hosts outside of one’s administrative controladministrative control
    40. 40. External Interface RulesetExternal Interface Ruleset Allow outgoing calls, permit incoming calls onlyAllow outgoing calls, permit incoming calls only for mail and only to gateway GWfor mail and only to gateway GW Note: Specify GW as destination host instead of Net 1 to prevent open access to Net 1
    41. 41. Net 1 Router Interface RulesetNet 1 Router Interface Ruleset  Gateway machine speaks directly only to otherGateway machine speaks directly only to other machines running trusted mail server softwaremachines running trusted mail server software  Relay machines used to call out to GW to pickRelay machines used to call out to GW to pick up waiting mailup waiting mail Note: Spoofing is avoided with the specification of GW
    42. 42. How Many Routers Do We Need?How Many Routers Do We Need?  If routers only support outgoing filtering, we need two:If routers only support outgoing filtering, we need two:  One to use ruleset that protects against compromisedOne to use ruleset that protects against compromised gatewaysgateways  One to use ruleset that guards against address forgery andOne to use ruleset that guards against address forgery and restricts access to gateway machinerestricts access to gateway machine  An input filter on one port is exactly equivalent to anAn input filter on one port is exactly equivalent to an output filter on the other portoutput filter on the other port  If you trust the network provider, you can go withoutIf you trust the network provider, you can go without input filtersinput filters  Filtering can be done on the output side of the routerFiltering can be done on the output side of the router
    43. 43. Routing FiltersRouting Filters  All nodes are somehow reachable from theAll nodes are somehow reachable from the InternetInternet  Routers need to be able to control what routesRouters need to be able to control what routes they advertise over various interfacesthey advertise over various interfaces  Clients who employ IP source routing make itClients who employ IP source routing make it possible to reach ‘unreachable’ hostspossible to reach ‘unreachable’ hosts  Enables address-spoofingEnables address-spoofing  Block source routing at borders, not at backboneBlock source routing at borders, not at backbone
    44. 44. Routing Filters (cont)Routing Filters (cont)  Packet filters obviate the need for route filtersPacket filters obviate the need for route filters  Route filtering becomes difficult or impossibleRoute filtering becomes difficult or impossible in the presence of complex technologiesin the presence of complex technologies  Route squatting – using unofficial IP addressesRoute squatting – using unofficial IP addresses inside firewalls that belong to someone elseinside firewalls that belong to someone else  Difficult to choose non-addressed address spaceDifficult to choose non-addressed address space
    45. 45. Dual Homed Host ArchitectureDual Homed Host Architecture
    46. 46. Asymmetric RoutesAsymmetric Routes  Both sides of the firewall know nothing of oneBoth sides of the firewall know nothing of one another’s topologyanother’s topology  Solutions:Solutions:  Maintain full knowledge of the topologyMaintain full knowledge of the topology  Not feasible, too much state to keepNot feasible, too much state to keep  Multiple firewalls share state informationMultiple firewalls share state information  Volume of messages may be prohibitive, code complexityVolume of messages may be prohibitive, code complexity
    47. 47. Are Dynamic Packet Filters Safe?Are Dynamic Packet Filters Safe?  Comparable to that of circuit gateways, as longComparable to that of circuit gateways, as long as the implementation strategy is simpleas the implementation strategy is simple  If administrative interfaces use physical networkIf administrative interfaces use physical network ports as the highest-level constructports as the highest-level construct  Legal connections are generally defined in terms ofLegal connections are generally defined in terms of the physical topologythe physical topology  Not if evildoers exist on the insideNot if evildoers exist on the inside  Circuit or application gateways demand userCircuit or application gateways demand user authentication for outbound traffic and are thereforeauthentication for outbound traffic and are therefore more resistant to this threatmore resistant to this threat
    48. 48. Distributed FirewallsDistributed Firewalls  A central management node sets the security policyA central management node sets the security policy enforced by individual hostsenforced by individual hosts  Combination of high-level policy specification with fileCombination of high-level policy specification with file distribution mechanismdistribution mechanism  Advantages:Advantages:  Lack of central point of failureLack of central point of failure  Ability to protect machines outside topologically isolatedAbility to protect machines outside topologically isolated spacespace  Great for laptopsGreat for laptops  Disadvantage:Disadvantage:  Harder to allow in certain services, whereas it’s easy to blockHarder to allow in certain services, whereas it’s easy to block
    49. 49. Distributed Firewalls DrawbackDistributed Firewalls Drawback  Allowing in certain services works if and only ifAllowing in certain services works if and only if you’re sure the address can’t be spoofedyou’re sure the address can’t be spoofed  Requires anti-spoofing protectionRequires anti-spoofing protection  Must maintain ability to roam safelyMust maintain ability to roam safely  Solution: IPsecSolution: IPsec  A machine is trusted if and only if it can performA machine is trusted if and only if it can perform proper cryptographic authenticationproper cryptographic authentication
    50. 50. Where to Filter?Where to Filter?  Balance between risk and costsBalance between risk and costs  Always a higher layer that is hard to filterAlways a higher layer that is hard to filter  HumansHumans
    51. 51. Dynamic Packet Filter ImplementationDynamic Packet Filter Implementation  Dynamically update packet filter’s rulesetDynamically update packet filter’s ruleset  Changes may not be benign due to orderingChanges may not be benign due to ordering  Redialing method offers greater assurance ofRedialing method offers greater assurance of securitysecurity  No special-case code necessaryNo special-case code necessary  FTP handled with user-level daemonFTP handled with user-level daemon  UDP handled just as TCP except for tear downUDP handled just as TCP except for tear down  ICMP handled with pseudoconnections andICMP handled with pseudoconnections and synthesized packetssynthesized packets
    52. 52. Per-Interface Tables Consulted byPer-Interface Tables Consulted by Dynamic Packet FilterDynamic Packet Filter  Active Connection TableActive Connection Table  Socket structure decides whether data is copied toSocket structure decides whether data is copied to outside socket or sent to application proxyoutside socket or sent to application proxy  Ordinary Filter TableOrdinary Filter Table  Specifies which packets may pass in stateless mannerSpecifies which packets may pass in stateless manner  Dynamic TableDynamic Table  Forces creation of local socket structuresForces creation of local socket structures
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×