Speaker notes (they refer to the slides below)
  • On slide 9 ("typically route packets"): Sun Microsystems' SunScreen firewall is an exception. It functions as a bridge instead of a router. See http://www.sun.com/security.
  • On slide 17 (stateful inspection): an efficient packet-processing engine extracts, analyzes and maintains data from OSI layers 2 through 7 throughout a session in order to make comprehensive security decisions about that session. By maintaining packet information throughout the life of a session, it knows the state of the session from beginning to end. No packet in the stream is processed by any of the higher protocol-stack layers unless it has been verified that the packet complies with the security policy.
  • On slide 18 (FTP): from Zwicky, Building Internet Firewalls, second edition, page 456.

1. Computer Security, CS 426, Lecture 24: Firewalls
(Most slides taken from Prof. Peng Ning's slides on Network Security at NCSU)

2. Outline
- What are firewalls?
- Types
  - Filtering
    - Packet filtering
    - Session filtering
  - Proxy
    - Circuit level
    - Application level
- Brief introduction to personal firewalls

3. What is a firewall?
- Device that provides secure connectivity between networks (internal/external; varying levels of trust)
- Used to implement and enforce a security policy for communication between networks
[Figure: trusted networks (intranet, trusted users) and untrusted networks and servers (Internet, untrusted users) meet at a firewall/router; publicly accessible servers and networks sit in a DMZ]

4. Firewalls
- From Webster's Dictionary: a wall constructed to prevent the spread of fire
- Internet firewalls are more the moat around a castle than a building firewall
- Controlled access point

5. Firewalls can:
- Restrict incoming and outgoing traffic by IP address, ports, or users
- Block invalid packets

6. Convenient
- Give insight into the traffic mix via logging
- Network Address Translation
- Encryption (e.g. terminating VPN tunnels)

7. Firewalls cannot protect...
- traffic that does not cross it
  - routing around it (traffic that reaches the inside over another path)
  - internal traffic (host to host behind the firewall)
- when misconfigured

8. Access Control
- Security requirement
- Control access to network information and resources
- Protect the network from attacks
[Figure: Internet, firewall, a DMZ net holding the web server pool, and the corporate network; attacks against them raise ALERT!!]

9. Filtering
- Typically route packets
- Packets are checked, then passed
- Inbound & outbound: the direction determines when the policy is checked
- Client -> Server

10. Filtering
- Packet filtering
  - Access Control Lists
- Session filtering
  - Dynamic packet filtering
  - Stateful inspection
  - Smart packet filtering
  - Context Based Access Control

11. Packet Filtering
- Decisions made on a per-packet basis
- No state information saved

12. More about networking: port numbering
- TCP connection
  - Server port usually uses a well-known number below 1024
  - Client port uses an ephemeral number of 1024 or above (the exact range is OS-dependent)
- Permanent assignment
  - Ports < 1024 are assigned permanently (well-known ports)
    - 20, 21 for FTP; 23 for Telnet
    - 25 for server SMTP; 80 for HTTP
- Variable use
  - Ports >= 1024 must be available for the client to make a connection
  - Limitation for stateless packet filtering
    - If the client picks port 2048, the replies come back to port 2048, so the firewall must allow incoming traffic to that port; without state it cannot tell a reply from an unsolicited packet

13. Typical Configuration (stateless packet filter)
- Ports >= 1024 left open
- If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work

14. Packet Filter
[Figure: OSI stacks of the two end hosts with a packet-filtering router between them; the router's stack stops at the Network layer, so the filter sees packet headers, not sessions or application data]

15. Session Filtering
- Packet decision made in the context of a connection
- If the packet is a new connection, check it against the security policy
- If the packet is part of an existing connection, match it up in the state table & update the table

16. Typical Configuration (session filter)
- All denied unless specifically allowed
- Dynamic protocols (FTP, H.323, RealAudio, etc.) allowed only if supported, i.e. the firewall understands the protocol well enough to open the negotiated ports on demand

17. Session Filtering
- Screens ALL attempts, protects all applications
- Extracts & maintains 'state' information
- Makes an intelligent security/traffic decision
[Figure: OSI stacks of the two end hosts with the session filter between them, keeping dynamic state tables for the sessions that pass through]
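The difference between slides 11-13 (stateless packet filter) and slides 15-16 (session filter) is easiest to see on concrete traffic. The following is an added example written for this page, not code from the lecture: a small simulation in which the same six packets are shown to a stateless ACL and to a filter with a state table. The addresses (10.0.0.0/24 as the inside network, 10.0.0.80 as its web server, 203.0.113.7 and 198.51.100.9 outside), the policy and the packet sample are all constructed for the demo.

```python
"""Stateless packet filter vs. stateful session filter (added example, not from the lecture).

Packets are reduced to the fields a filter looks at. Addresses, the policy and the
traffic sample are constructed: 10.0.0.0/24 is the hypothetical inside network and
10.0.0.80:80 the one inside service exposed to the Internet.
"""
from dataclasses import dataclass

WEB_SERVER = ("10.0.0.80", 80)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flags, e.g. frozenset({"SYN"})
    direction: str          # "in" = Internet -> inside, "out" = inside -> Internet

    def is_new_connection(self):
        # A bare SYN is the first packet of a TCP connection.
        return "SYN" in self.flags and "ACK" not in self.flags


def policy_allows_new(pkt):
    """Policy for new connections: inside may initiate anything,
    outside may only reach the web server on port 80."""
    return pkt.direction == "out" or (pkt.dst, pkt.dport) == WEB_SERVER


def stateless_filter(pkt):
    """Per-packet ACL with no memory (slides 11-13). Because it cannot recognise a
    reply, it has to leave every ephemeral port open inbound so that answers to
    outbound connections get through: the hole the 'typical configuration' leaves."""
    if pkt.direction == "out":
        return "allow"
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return "allow"
    if pkt.dport >= 1024:
        return "allow"
    return "deny"


class StatefulFilter:
    """Session filter (slides 15-16): a packet passes either because it starts a
    connection the policy permits or because it belongs to a connection already
    recorded in the state table."""

    def __init__(self):
        self.table = set()  # keys: (inside_ip, inside_port, outside_ip, outside_port)

    @staticmethod
    def _key(pkt):
        # Normalise both directions of one connection to the same key.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        key = self._key(pkt)
        if pkt.is_new_connection():
            if policy_allows_new(pkt):
                self.table.add(key)
                return "allow"
            return "deny"
        if key in self.table:
            if pkt.flags & {"FIN", "RST"}:   # simplified teardown
                self.table.discard(key)
            return "allow"
        return "deny"   # non-SYN packet with no session: unsolicited, e.g. an ACK scan


def pkt(direction, src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags), direction)


# Constructed traffic: a browsing session, a legitimate request to the web server,
# and three things an attacker at 198.51.100.9 tries.
SAMPLE = [
    ("client SYN to external web site", pkt("out", "10.0.0.5", 2048, "203.0.113.7", 80, "SYN")),
    ("reply SYN/ACK to the client",     pkt("in", "203.0.113.7", 80, "10.0.0.5", 2048, "SYN", "ACK")),
    ("unsolicited ACK to high port",    pkt("in", "198.51.100.9", 31337, "10.0.0.5", 2048, "ACK")),
    ("unsolicited SYN to high port",    pkt("in", "198.51.100.9", 40000, "10.0.0.5", 2049, "SYN")),
    ("external request to web server",  pkt("in", "198.51.100.9", 40001, "10.0.0.80", 80, "SYN")),
    ("external SSH attempt",            pkt("in", "198.51.100.9", 40002, "10.0.0.80", 22, "SYN")),
]


def run_sample():
    """Return {description: (stateless decision, stateful decision)}, in packet order."""
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.decide(p)) for name, p in SAMPLE}


if __name__ == "__main__":
    for name, (a, b) in run_sample().items():
        print(f"{name:34} stateless={a:5} stateful={b}")
```

Both filters pass the browsing session and the web request and both refuse the SSH attempt; only the stateful one refuses the unsolicited ACK and SYN aimed at the client's high ports, because neither matches a session it created. Linux iptables expresses the same idea with a rule such as `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` ahead of a default drop.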
18. FTP (active mode)
[Figure: FTP client (command port 5150, data port 5151) and FTP server (command port 21, data port 20); messages "PORT 5151", "OK", DATA CHANNEL, TCP ACK]
1. Client opens the command channel (client port 5150 to server port 21) and tells the server its second port number ("PORT 5151")
2. Server acknowledges ("OK")
3. Server opens the data channel from its port 20 to the client's second port (5151)
4. Client acknowledges (the TCP handshake of the data channel completes)
The data channel is an inbound connection that the client asked for on another connection. A stateless filter can only pass it by leaving the whole ephemeral port range open; a session filter has to read the PORT command to know which single port to open, which is what "supported" means on the previous slide. (In passive-mode FTP the roles are reversed: the server announces a port and the client connects to it.)
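What "supporting" a dynamic protocol such as FTP means in practice is an application helper that reads the command channel and opens a one-shot pinhole for exactly the data connection that was negotiated. The block below is an added example for this page, not code from the lecture or from any firewall product. It uses the real RFC 959 encoding, in which the address and port are six decimal bytes (`PORT 10,0,0,5,20,31` means 10.0.0.5 port 20*256+31 = 5151; the slide abbreviates this to "PORT 5151"), and it also handles passive mode (`227 Entering Passive Mode (...)`), which the slide does not show. The refusal of a PORT command naming a host other than the client (the FTP bounce attack) is a hardening choice added here, not something the slide states. Addresses and messages are constructed for the demo.

```python
"""FTP helper for a session filter (added example, not from the lecture).

Active-mode FTP opens its data connection from the server toward a port the client
announced on the command channel; passive mode does the reverse. A session filter
can only pass either if it parses the command channel and records the connection to
expect. Addresses and messages below are constructed for the demo.
"""
import re

SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text):
    """Decode the 'h1,h2,h3,h4,p1,p2' form used by PORT and by the 227 reply.
    Returns (ip, port) or None if the form is absent or a byte is out of range."""
    m = SIX_TUPLE.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class FtpHelper:
    """Watches one FTP command channel and records the data connection to expect.

    expected holds pinholes (src_ip, src_port, dst_ip, dst_port); a src_port of None
    means 'any source port', which is the client side of a passive-mode transfer.
    """

    def __init__(self, client_ip, server_ip):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.expected = set()

    def on_client_command(self, line):
        """Client -> server command line. Returns the pinhole added, or None."""
        if line.upper().startswith("PORT "):
            hp = parse_host_port(line)
            # Refuse a PORT that names another host (FTP bounce: the server would be
            # made to connect to a third party) or a privileged port. Hardening
            # choice added in this example.
            if hp is None or hp[0] != self.client_ip or hp[1] < 1024:
                return None
            hole = (self.server_ip, 20, self.client_ip, hp[1])   # server:20 -> client:port
            self.expected.add(hole)
            return hole
        return None

    def on_server_reply(self, line):
        """Server -> client reply line. Handles '227 Entering Passive Mode (...)'."""
        if line.startswith("227 "):
            hp = parse_host_port(line)
            if hp is None or hp[0] != self.server_ip:
                return None
            hole = (self.client_ip, None, self.server_ip, hp[1])  # client:any -> server:port
            self.expected.add(hole)
            return hole
        return None

    def allow_new_data_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Called for a new connection (SYN) that matches no static rule.
        A pinhole is consumed on use so it cannot be replayed."""
        for hole in ((src_ip, src_port, dst_ip, dst_port), (src_ip, None, dst_ip, dst_port)):
            if hole in self.expected:
                self.expected.discard(hole)
                return True
        return False


def demo():
    """The slide's exchange (client 10.0.0.5, server 203.0.113.7) plus cases that must be refused."""
    h = FtpHelper(client_ip="10.0.0.5", server_ip="203.0.113.7")
    r = {}
    r["port_pinhole"] = h.on_client_command("PORT 10,0,0,5,20,31")            # client asks for 5151
    r["data_from_server"] = h.allow_new_data_connection("203.0.113.7", 20, "10.0.0.5", 5151)
    r["replay_refused"] = h.allow_new_data_connection("203.0.113.7", 20, "10.0.0.5", 5151)
    r["bounce_refused"] = h.on_client_command("PORT 198,51,100,9,0,25")       # third host, port 25
    r["pasv_pinhole"] = h.on_server_reply("227 Entering Passive Mode (203,0,113,7,195,80)")  # 50000
    r["pasv_data"] = h.allow_new_data_connection("10.0.0.5", 2050, "203.0.113.7", 50000)
    r["stray_refused"] = h.allow_new_data_connection("203.0.113.7", 20, "10.0.0.5", 5152)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

A helper like this is what lets the "all denied unless specifically allowed" configuration of slide 16 coexist with FTP: the only inbound connection admitted is the one the client announced, from the expected server port, once. On Linux the nf_conntrack_ftp module plays this role for the conntrack state table.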
19. Proxy Firewalls
- Relay for connections
- Client -> Proxy -> Server
- Two flavors
  - Application level
  - Circuit level (not application specific)

20. Application Gateways
- Understands specific applications
  - Limited proxies available
  - Proxy 'impersonates' both sides of the connection
- Resource intensive
  - process per connection
- HTTP proxies may cache web pages

21. Application Gateways
- More appropriate to TCP
- ICMP difficult
- Block all unless specifically allowed
- Must write a new proxy application to support new protocols
  - Not trivial!

22. Application Gateways
- Clients configured for proxy communication
- Transparent proxies (client traffic is redirected to the proxy without configuring the client)

23. Application Layer Gateway / Proxy
[Figure: OSI stacks of the two end hosts with the application gateway between them; the gateway runs a full stack up to the Application layer, with separate proxies for Telnet, HTTP and FTP]
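Slides 19-23 contrast a circuit-level relay, which knows only that a TCP connection is going to some port, with an application gateway that understands the protocol and impersonates both sides. The following added example (written for this page; not code from the lecture or from any proxy product) makes that concrete for HTTP: the gateway terminates the client's connection, parses the request, applies policy, and, only if it passes, builds the request it will itself send to the server. The host allowlist, the hypothetical `HttpGateway` policy and the four sample requests are constructed for the demo; all four arrive on port 80, so a circuit-level relay would pass every one of them.

```python
"""Application gateway vs. circuit-level relay for HTTP (added example, not from the lecture).

The HttpGateway policy below is hypothetical and deliberately small: it shows the
shape of an application-level check, not a production proxy. Samples are constructed.
"""


def circuit_level_decision(dst_port):
    """A circuit-level relay can only judge the endpoint, not the bytes."""
    return "allow" if dst_port in (80, 443) else "deny"


class HttpGateway:
    """Minimal HTTP/1.x application gateway: parse, apply policy, rebuild."""

    ALLOWED_METHODS = {"GET", "HEAD", "POST"}

    def __init__(self, allowed_hosts):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    @staticmethod
    def parse(raw):
        """Return (method, target, version, headers, body); ValueError if not HTTP."""
        head, _, body = raw.partition(b"\r\n\r\n")
        try:
            lines = head.decode("ascii").split("\r\n")
        except UnicodeDecodeError:
            raise ValueError("not ASCII: not HTTP")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
            raise ValueError("malformed request line")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                raise ValueError("malformed header")
            headers[name.strip().lower()] = value.strip()
        return parts[0], parts[1], parts[2], headers, body

    def inspect(self, raw):
        """Return ('deny', reason) or ('allow', rebuilt_request), where the rebuilt
        request is what the gateway itself sends on its own connection to the server."""
        try:
            method, target, version, headers, body = self.parse(raw)
        except ValueError as e:
            return "deny", str(e)
        if method == "CONNECT":
            return "deny", "CONNECT would tunnel arbitrary TCP through the gateway"
        if method not in self.ALLOWED_METHODS:
            return "deny", f"method {method} not permitted"
        host = headers.get("host", "").split(":")[0].lower()
        if host not in self.allowed_hosts:
            return "deny", f"host {host!r} not in allowlist"
        if "content-length" in headers and not headers["content-length"].isdigit():
            return "deny", "bad Content-Length"
        # Impersonate the client: forward a request the gateway composed, carrying only
        # headers it understands, rather than the client's raw bytes.
        forwarded = {"host": host}
        for name in ("content-type", "content-length", "accept", "user-agent"):
            if name in headers:
                forwarded[name] = headers[name]
        out = f"{method} {target} HTTP/1.1\r\n"
        out += "".join(f"{k.title()}: {v}\r\n" for k, v in forwarded.items())
        out += "Via: 1.1 gateway\r\nConnection: close\r\n\r\n"
        return "allow", out.encode("ascii") + body


# Constructed samples; every one of them is a TCP connection to port 80.
SAMPLES = {
    "browser GET": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Proxy-Connection: keep-alive\r\nUser-Agent: demo\r\n\r\n"),
    "ssh on port 80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "CONNECT tunnel": b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net:25\r\n\r\n",
    "host not allowed": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
}


def demo_requests():
    """Return {sample: (circuit-level decision, application-gateway decision)}."""
    gw = HttpGateway(["www.example.com"])
    return {name: (circuit_level_decision(80), gw.inspect(raw)[0]) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (circuit, app) in demo_requests().items():
        print(f"{name:18} circuit-level={circuit:5} application-gateway={app}")
```

The non-HTTP banner, the CONNECT tunnel and the request for a host outside the allowlist are all refused by the gateway and all passed by the circuit-level relay. The cost is the one the slides name: this code works only for HTTP, and every other protocol needs its own proxy.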
24. Personal Firewalls
- Running on one PC, controlling that host's network access
  - Windows Firewall, iptables (Linux), ZoneAlarm, etc.
- Typically determines network access based on the application program making the connection
- Typically block most incoming traffic; it is harder to define policies for outgoing traffic
- Can be bypassed/disabled if the host is compromised

25. Coming Attractions...
- November 21: Web Browser Security