Carnegie Mellon University
CERT   CERT Coordination Center




        Firewalls
        Tom Longstaff


        CERT Coor...
Carnegie Mellon University
CERT   CERT Coordination Center



        Definition
        “A fireproof wall used in buildin...
Carnegie Mellon University
CERT   CERT Coordination Center



        Network Firewall Concept
          P
          U
   ...
Carnegie Mellon University
CERT   CERT Coordination Center



        Legitimate Activity
        Regulated by policy
    ...
Carnegie Mellon University
CERT   CERT Coordination Center



        Violations
        Violations are activities or beha...
Carnegie Mellon University
CERT   CERT Coordination Center



        Firewalls and Policy
        Firewalls automate the ...
Carnegie Mellon University
CERT   CERT Coordination Center



        Firewall Types
        Filters
               • Rest...
Carnegie Mellon University
CERT   CERT Coordination Center



        Filter Rules
        Two philosophies
              ...
Carnegie Mellon University
CERT   CERT Coordination Center



        Gateways and Proxies
        These are paths through...
Carnegie Mellon University
CERT   CERT Coordination Center



        Firewall Architectures
        Where to position fir...
Carnegie Mellon University
CERT   CERT Coordination Center



        The Simple Router (packet filter) -1
         P
    ...
Carnegie Mellon University
CERT   CERT Coordination Center



        The Simple Router (packet filter) -2

        Advant...
Carnegie Mellon University
CERT   CERT Coordination Center



        A Router with Multiple Interfaces -1
         P
    ...
Carnegie Mellon University
CERT   CERT Coordination Center



        A Router with Multiple Interfaces -2
        Advanta...
Carnegie Mellon University
CERT   CERT Coordination Center


        Gateway/Proxy Services Between
        Dual Routers -...
Carnegie Mellon University
CERT   CERT Coordination Center


        Gateway/Proxy Services Between
        Dual Routers -...
Carnegie Mellon University
CERT   CERT Coordination Center


        A Gateway Separating Dual Routers
        (“belt and ...
Carnegie Mellon University
CERT   CERT Coordination Center


        Gateway Separating Dual Routers
        -2
        Ad...
Carnegie Mellon University
CERT   CERT Coordination Center



        The Future of Firewalls
        Firewall technology ...
Carnegie Mellon University
 CERT       CERT Coordination Center


                    Site Administrative Boundary




   ...
Carnegie Mellon University
CERT   CERT Coordination Center



        Discussion
        If your security policy does not ...
Carnegie Mellon University
CERT   CERT Coordination Center




       Intrusion Detection


       Tom Longstaff
         ...
Carnegie Mellon University
CERT   CERT Coordination Center



        Intrusion Detection Types
        Pattern Detection
...
Carnegie Mellon University
CERT   CERT Coordination Center



        Main Points on IDS
        Most do not add any prote...
Carnegie Mellon University
CERT   CERT Coordination Center



        IP Spoofing Attack
        Also called sequence numb...
Upcoming SlideShare
Loading in...5
×

Lecture6.ppt

584

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
584
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Lecture6.ppt

  1. 1. Carnegie Mellon University CERT CERT Coordination Center Firewalls Tom Longstaff CERT Coordination Center Software Engineering Institute SM Carnegie Mellon University Pittsburgh PA 1521 The CERT Coordination Center is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense. 1
  2. 2. Carnegie Mellon University CERT CERT Coordination Center Definition “A fireproof wall used in buildings and machinery to prevent the spread of fire” The American Heritage Desk Dictionary In an automobile, a firewall prevents the spread of fire while allowing control and monitoring connections to pass through 2
  3. 3. Carnegie Mellon University CERT CERT Coordination Center Network Firewall Concept P U B Violations L I Firewall C System Your N Legitimate Activity Domain E T W O R K 3
  4. 4. Carnegie Mellon University CERT CERT Coordination Center Legitimate Activity Regulated by policy Defined by type of service (application), source, and destinationallow electronic mail to and from anyone • allow news reading but not news posting • allow login from inside to outside but not vice versa • allow file transfer to a single system in your domain only • do not give out the names of any systems in the environment 4
  5. 5. Carnegie Mellon University CERT CERT Coordination Center Violations Violations are activities or behaviors not permitted in the policy • these can be either explicit or implied Firewall technology may help with the detection and prevention of violations from outsiders are intrusions 5
  6. 6. Carnegie Mellon University CERT CERT Coordination Center Firewalls and Policy Firewalls automate the enforcement of a network access policy Some firewall architectures may also provide • additional functionality • monitoring • public services Firewalls cannot • determine intent • prevent abuse of allowed services • provide host security • protect against violations through other pathways 6
  7. 7. Carnegie Mellon University CERT CERT Coordination Center Firewall Types Filters • Restrict traffic based on packet header information • Most common fields are type (tcp, udp, etc), src, dst, port/service • Advanced filters may restrict traffic based on traffic patterns or other aggregate information Proxies (or Application Gateways) • Restrict traffic based on packet content • Is application specific VPN/IPSec Gateways • Supports tunneling between networks • Can support tunneling to mobile nodes 7
  8. 8. Carnegie Mellon University CERT CERT Coordination Center Filter Rules Two philosophies • Allow all except those packet types that carry known vulnerabilities • Deny all except those packet types that are required by users Some rules carry context • Connection-oriented • Based on SYN/ACK protocol Filters have problems with: • Malformed packets/fragmented packets • Out-of-sequence protocols • Backward client-server protocols (X11, FTP) 8
  9. 9. Carnegie Mellon University CERT CERT Coordination Center Gateways and Proxies These are paths through your firewall to allow services Proxies are intermediaries that regulate service through the firewall Application gateways and proxies allow specific application interfaces through the firewall Encryption is the bane of gateways and proxies 9
  10. 10. Carnegie Mellon University CERT CERT Coordination Center Firewall Architectures Where to position firewalls? • between your domain and every access to the outside • between administrative domains of dissimilar policy • between networks where the boundary much be controlled What architecture to use? • simple router • router with multiple interfaces • gateway/proxy services between dual routers • a gateway separating dual routers 10
  11. 11. Carnegie Mellon University CERT CERT Coordination Center The Simple Router (packet filter) -1 P U B L Firewall Router I C Your N Domain E T W O R K 11
  12. 12. Carnegie Mellon University CERT CERT Coordination Center The Simple Router (packet filter) -2 Advantages • cheap - usually a must-have anyway • simple - only one configuration file to contend with • verifiable - packet monitoring at the site will assure filtering is working Disadvantages • no flexibility with applications - packet filter only • only extreme for security • limited logging capability 12
  13. 13. Carnegie Mellon University CERT CERT Coordination Center A Router with Multiple Interfaces -1 P U B L Site I Router C Your N Domain E T W O R K 13
  14. 14. Carnegie Mellon University CERT CERT Coordination Center A Router with Multiple Interfaces -2 Advantages • ability to segment a site into distinct domains • flexibility to create logical architectures • single configuration file to maintain Disadvantages • single point of failure • convoluted configuration file • possible confusion over interfaces • vulnerabilities associated with the router 14
  15. 15. Carnegie Mellon University CERT CERT Coordination Center Gateway/Proxy Services Between Dual Routers -1 P U B L Firewall Site I Router Router C Your N Domain E T Proxy/ W Gateway Proxy/ Gateway Proxy/ O Gateway Proxy/ Gateway and Proxies R Gateways K 15
  16. 16. Carnegie Mellon University CERT CERT Coordination Center Gateway/Proxy Services Between Dual Routers -2 Advantages • ability to provide risky services • application filtering possible • allows you to hide many hosts behind the second router • provides a good auditing point Disadvantages • still a physical connection between routers • may allow unprotected services and tunnelling throughrvice to “slip by” the proxy • multiple configuration files to maintain 16
  17. 17. Carnegie Mellon University CERT CERT Coordination Center A Gateway Separating Dual Routers (“belt and suspenders”) -1 P U B L Firewall Site I Router Router C Your N Domain E Filtering T Gateway W O R K 17
  18. 18. Carnegie Mellon University CERT CERT Coordination Center Gateway Separating Dual Routers -2 Advantages • provides both logical and physical separation • restricts services not addressed by the proxy or gateway system • provides controlled functionality through the firewall • supports a limited access policy (e.g., email only) • excellent central point for accounting/monitoring Disadvantages • limits functionality to available gateway/proxy software • causes a bottleneck for traffic • difficult to setup and maintain 18
  19. 19. Carnegie Mellon University CERT CERT Coordination Center The Future of Firewalls Firewall technology relies on controlling access points to the network When access to the network becomes more distributed and ubiquitous, control becomes difficult Restrictive firewalls discourage network growth and development Trust in firewalls may cause a false sense of security 19
  20. 20. Carnegie Mellon University CERT CERT Coordination Center Site Administrative Boundary Workstation Dial-ins Multi-Protocol Router ISDN Telecomm Systems Mobile Computing Mainframe PC LAN With Dial-up PPP 20
  21. 21. Carnegie Mellon University CERT CERT Coordination Center Discussion If your security policy does not allow Java applets to be run on an internal network, is a proxy or filter more appropriate? Why? What are some of the issues involved in attempting to use a proxy to disallow Java applets? Presentation Opportunity: CERT report on State of the Art for Intrusion Detection Systems Firewall papers (many) Research CISCO PIX firewall product family and describe the features, performance, and reliability. Also describe how the PIX is configured and determine how easy this would fit into a complex 21
  22. 22. Carnegie Mellon University CERT CERT Coordination Center Intrusion Detection Tom Longstaff SM CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 1521 The CERT Coordination Center is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense. 22
  23. 23. Carnegie Mellon University CERT CERT Coordination Center Intrusion Detection Types Pattern Detection Anomaly Detection Policy-Based Detection handout 23
  24. 24. Carnegie Mellon University CERT CERT Coordination Center Main Points on IDS Most do not add any protection at all, but can help with recognition Not a lot of science involved in IDS design Measurement is problematic The future of IDS is uncertain Real key is to focus on incident response 24
  25. 25. Carnegie Mellon University CERT CERT Coordination Center IP Spoofing Attack Also called sequence number guessing Original attack relies on trusted relationship between two systems Details... 25
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×