410F06Notes-14.doc
1. CECS 410 Computers and Networks, Course Notes Part 14: Security Through Isolation: Firewalls

Isolation

Isolation has been a primary security tool for thousands of years.

Example: Castles with moats and drawbridges.

Security Issue: Who is controlling access to the drawbridge? Who decides who gets in?

Dr. Tracy Bradley Maples (Fall 2006)
2. Isolation in Networks

One way to provide security is to isolate an organization’s internal network from the Internet, allowing some packets to pass while blocking others (like using a moat and drawbridge). This point of isolation in networks is called a firewall.

[Figure: administered network and public network (Internet), separated by the firewall]

What can firewalls do for us?
• Prevent denial of service attacks.
  o For example: SYN flooding, where an attacker establishes many bogus TCP connections, leaving no resources for “real” connections.
• Prevent illegal modification/access of internal data.
  o For example: An attacker replaces the CIA’s homepage with something else.
• Allow only authorized access to the inside network (to a set of authenticated users/hosts).
3. Two Types of Firewalls
1) Packet-filtering firewalls
2) Application-level gateways (or proxy servers)

Packet Filtering

It is possible to configure packet forwarding devices (especially routers) to drop certain packets.

Example: Suppose 192.5.48.0 is a test network, and 128.10.0.0 has active workstations.
• Install a filter to allow packets only from 192.5.48.0 to 128.10.0.0.
• This keeps potentially bad packets away from the remainder of the network.
4. Packet Filtering Firewalls

Defn: A packet filter placed at the edge of an intranet to exclude unauthorized packets is called a firewall.
• A firewall restricts external packets to just a few carefully controlled internal hosts.
• Firewalls define a secure perimeter around a local network.
• Proxies forward packets through the firewall after authorization.

The router (or firewall) filters on a packet-by-packet basis, making a decision to forward or drop each packet based on:
• Source IP address
• Destination IP address
• TCP/UDP source and destination port numbers
• Message type (for example, ICMP messages)
• TCP header fields (for example, the SYN and ACK bits)
• Other packet criteria
5. Application Gateways

Application gateways (or proxy servers) can filter packets based on the high-level application layer data, as well as the fields a firewall router can use.

Example: You can select which internal users can telnet outside the network.

[Figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway behind the router and filter]

Example: Restrict Telnets
1. Require all telnet users to telnet through the application gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The application gateway relays data between the two connections.
3. The router filter is configured to block all telnet connections not originating from the gateway.

Application gateways (or proxy servers) are commonly used for mail and web access.
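As an added example that is not part of the course notes, the following Python models a stateless packet filter of the kind slides 3 to 5 describe: the slide-3 address rule, the slide-5 rule that telnet connection requests may only originate from the application gateway, and a first-match rule list with a default policy. The /24 and /16 prefix lengths and the gateway address 128.10.1.1 are assumptions, not values from the notes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed demonstration of a stateless packet filter. The /24 and /16
# prefix lengths and the gateway address are assumptions, not from the notes.
TEST_NET = ip_network("192.5.48.0/24")       # slide 3: test network
WORKSTATIONS = ip_network("128.10.0.0/16")   # slide 3: active workstations
TELNET_GATEWAY = ip_address("128.10.1.1")    # hypothetical application gateway
TELNET_PORT = 23

@dataclass(frozen=True)
class Packet:
    """The header fields a filtering router can decide on (slide 4)."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False
    ack: bool = False

def rule_test_net(p):
    """Slide 3: packets from the test network may only go to 128.10.0.0."""
    if ip_address(p.src) in TEST_NET:
        return "allow" if ip_address(p.dst) in WORKSTATIONS else "drop"
    return None  # rule does not apply to this packet

def rule_telnet_via_gateway(p):
    """Slide 5: a telnet connection request (SYN without ACK) is forwarded
    only when it originates from the application gateway."""
    if p.proto == "tcp" and p.dport == TELNET_PORT and p.syn and not p.ack:
        return "allow" if ip_address(p.src) == TELNET_GATEWAY else "drop"
    return None

RULES = [rule_test_net, rule_telnet_via_gateway]

def filter_packet(p, rules=RULES, default="allow"):
    """First matching rule decides; the default policy covers the rest.
    Note the filter trusts p.src as given: a forged source address is
    indistinguishable from a real one here (the slide-6 spoofing limitation)."""
    for rule in rules:
        verdict = rule(p)
        if verdict is not None:
            return verdict
    return default

if __name__ == "__main__":
    for pkt in (Packet("192.5.48.7", "128.10.2.3", "udp"),
                Packet("192.5.48.7", "10.0.0.5", "udp"),
                Packet("128.10.5.5", "203.0.113.9", "tcp", 23, syn=True),
                Packet("128.10.1.1", "203.0.113.9", "tcp", 23, syn=True)):
        print(pkt.src, "->", pkt.dst, filter_packet(pkt))
```

A real router applies such rules to every forwarded packet; logging the "drop" verdicts is what turns the filter into a detection point as well as a block.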
6. Limitations of Firewalls
• IP spoofing: A router cannot know if data “really” comes from the claimed source. (A big problem!)
• If multiple applications need special treatment, each must have its own application gateway.
• The client software on each computer must know how to contact the application gateway.
  o For example, an administrator must set up the IP address of the proxy in the Web browser.
• Filters often use an all-or-nothing policy for UDP packets.
• There are tradeoffs between the degree of communication with the outside world and the level of security desired.
• Many highly protected sites still suffer from attacks.

Interesting Quote About Firewalls

Firewalls are "… a mechanism that most security purists consider to be an abomination." (Networking authors Peterson & Davie)

Do you agree? Disagree?
