Firewall Modified

Slide notes: figures taken from Stallings Fig 20-2 (three slides) and Stallings Fig 20-3.

Transcript

  • 1. Firewalls
  • 2. What is a Firewall?
    • A firewall is hardware, software, or a combination of the two that monitors the packets of digital information attempting to pass through the perimeter of a network.
    • It is an effective means of protecting a local system or network from network-related security threats.
  • 3. Firewall design goals
    • All traffic, from inside or outside, must pass through the firewall
    • Only authorized traffic, as defined by the local security policy, is allowed to pass
    • The firewall itself is immune to penetration
  • 4. Type of controls
    • Service control
    • Direction control
    • User control
    • Behavior control
  • 5. Firewall capabilities
    • The firewall defines a single choke point
    • Provides a location for monitoring security-related events
    • Handles network-related events
    • Serves as a platform for IPSec
  • 6. Firewall Limitations
    • Cannot protect against attacks that bypass it
    • Cannot protect against internal threats
      • e.g. a disgruntled employee
    • Cannot protect against the transfer of all virus-infected programs or files
      • because of the huge range of operating systems and file types
  • 7. Types of Firewalls
    • Packet Filters
    • Application-Level Gateways
    • Circuit-Level Gateways
  • 8. Packet Filters
  • 9. Packet Filters
    • A packet filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet.
    • The router is typically configured to filter packets going in both directions (from and to the internal network).
    • Possible default policies (applied when no rule matches):
      • Discard
      • Forward
  • 10. Packet-Filtering Examples

    Action   Ourhost   Port   Theirhost   Port   Comment
    Block    *         *      SPIGOT      *      We don't trust these people
    Allow    OUR-GW    25     *           *      Connection to our SMTP port

  • 11. Packet-Filtering Examples (continued)

    Action   Ourhost   Port   Theirhost   Port   Comment
    Block    *         *      *           *      default

    Action   Ourhost   Port   Theirhost   Port   Comment
    Allow    *         *      *           25     Connection to their SMTP
  • 12. Attacks on Packet Filters
    • IP address spoofing
      • packets arriving from outside carry a forged internal source address
      • countermeasure: a filter on the router's external interface discards packets that claim an internal source address
    • Source routing attacks
      • the sender specifies a route other than the default
      • countermeasure: discard all source-routed packets
    • Tiny fragment attacks
      • header information is split over several tiny fragments so that a filter sees only part of it
      • countermeasure: either discard tiny fragments or reassemble before checking
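The rule table on slides 10 and 11 and the three countermeasures on slide 12 can be exercised together in a small simulated packet filter. The following Python is an added example, not code from the slides or from Stallings; the host addresses, the internal address block and the minimum first-fragment size are constructed assumptions, and the rule rows are the ones from the slides.

```python
"""Packet filter evaluating rule rows in the slides' table layout, with the
three hardening checks from the "Attacks on Packet Filters" slide applied
first. Added example; hosts, addresses and thresholds are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed name-to-address table for the hosts named on the slides.
HOSTS = {"OUR-GW": "192.0.2.25", "SPIGOT": "203.0.113.7"}
# Assumed address block of the private network behind the filtering router.
INTERNAL_NET = ip_network("192.0.2.0/24")
# Assumed minimum transport-header bytes a first fragment must carry
# before its port numbers can be trusted (tiny-fragment check).
MIN_FIRST_FRAGMENT_BYTES = 20


@dataclass
class Packet:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    iface: str = "external"       # interface the packet arrived on
    source_routed: bool = False   # IP source-route option present?
    fragment_offset: int = 0      # 0 = first (or only) fragment
    transport_bytes: int = 20     # transport-header bytes present in this fragment


@dataclass
class Rule:
    """One row of the slides' table: Action, Ourhost, Port, Theirhost, Port, Comment."""
    action: str
    ourhost: str
    ourport: str
    theirhost: str
    theirport: str
    comment: str


def _matches(pattern: str, value) -> bool:
    """'*' matches anything; host names resolve via HOSTS; ports compare as strings."""
    if pattern == "*":
        return True
    if pattern in HOSTS:
        return HOSTS[pattern] == value
    return value is not None and str(value) == pattern


# Rule rows as written on slides 10 and 11.
RULESET_A = [
    Rule("block", "*", "*", "SPIGOT", "*", "We don't trust these people"),
    Rule("allow", "OUR-GW", "25", "*", "*", "Connection to our SMTP port"),
]
DEFAULT_RULE = Rule("block", "*", "*", "*", "*", "default")
RULESET_C = [Rule("allow", "*", "*", "*", "25", "Connection to their SMTP")]


def filter_packet(pkt: Packet, rules: Optional[List[Rule]] = None) -> Tuple[str, str]:
    """Return (action, reason). The hardening checks run before the rule table."""
    if rules is None:
        rules = RULESET_A + [DEFAULT_RULE]

    # 1. Anti-spoofing: a packet arriving on the external interface must not
    #    claim an internal source address.
    if pkt.iface == "external" and ip_address(pkt.src) in INTERNAL_NET:
        return "block", "anti-spoofing: internal source address on external interface"
    # 2. Source routing: discard packets carrying a source-route option.
    if pkt.source_routed:
        return "block", "source-routed packet"
    # 3. Tiny fragments: a first fragment too small to hold the transport
    #    header cannot be matched on ports, so discard it rather than guess.
    if pkt.fragment_offset == 0 and pkt.transport_bytes < MIN_FIRST_FRAGMENT_BYTES:
        return "block", "tiny fragment: first fragment lacks full transport header"

    # Map src/dst onto the table's "our"/"their" columns by direction of travel.
    if pkt.iface == "external":   # inbound: we are the destination
        our_addr, our_port, their_addr, their_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
    else:                         # outbound: we are the source
        our_addr, our_port, their_addr, their_port = pkt.src, pkt.sport, pkt.dst, pkt.dport

    # First matching row wins. Non-first fragments carry no ports and so can
    # only match rows with '*' in both port columns.
    for rule in rules:
        if (_matches(rule.ourhost, our_addr) and _matches(rule.ourport, our_port)
                and _matches(rule.theirhost, their_addr) and _matches(rule.theirport, their_port)):
            return rule.action, rule.comment
    return "block", "default"  # implicit default policy: discard


if __name__ == "__main__":
    cases = [
        (Packet("203.0.113.7", 40000, "192.0.2.25", 25), None),                    # from SPIGOT
        (Packet("198.51.100.9", 40000, "192.0.2.25", 25), None),                   # inbound mail to OUR-GW
        (Packet("192.0.2.10", 40001, "198.51.100.9", 25, iface="internal"),
         RULESET_C + [DEFAULT_RULE]),                                             # outbound mail
        (Packet("192.0.2.10", 40002, "192.0.2.25", 25), None),                     # spoofed source
    ]
    for pkt, rules in cases:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}", filter_packet(pkt, rules))
```

Rows are evaluated top to bottom, so the order of the SPIGOT block and the OUR-GW allow matters: a mail connection from SPIGOT is refused before the SMTP allow row is ever consulted, which is how the slides' rule set is meant to read.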
  • 13.
    • Advantages
      • Simple
      • Transparent to users
      • Very fast
    • Disadvantages
      • Rule generation is difficult
      • Lack of authentication
  • 14. Application Level Gateway (Proxy server) [figure: an internal host on the private network connects to the application-level gateway (inside connection); the gateway connects to the external host on the Internet (outside connection); the user sees the illusion of a single end-to-end connection (HTTP, FTP, TELNET, SMTP)]
  • 15.
    • Purpose
      • monitor every connection
      • provide the end-to-end connection on the user's behalf
    • Advantage
      • more secure than a packet filter
    • Disadvantage
      • additional processing overhead on each connection
  • 16. Circuit Level Gateway [figure: inside host, inside connection to the circuit-level gateway, outside connection from the gateway to the outside host; the gateway relays traffic in and out between the two connections]
  • 17. Circuit Level Gateway
    • Relays two TCP connections
    • Imposes security by limiting which such connections are allowed
    • Once created usually relays traffic without examining contents
    • Typically used when internal users are trusted, allowing general outbound connections
    • Example: SOCKS package
  • 18. Bastion Host
    • It is a critical strong point in the network's security
    • A bastion host is a system that contains an application-level gateway, a circuit-level gateway, or both
    • Only the services that the network administrator considers essential are installed on the bastion host. These include proxies such as Telnet, DNS, FTP, SMTP and user authentication.
    • It runs a secure (hardened) version of its OS
  • 19. Characteristics
    • Runs a secure, hardened version of the OS
    • Only essential services are installed
    • Requires additional authentication of the user
    • Configured to support a subset of applications
    • Maintains a detailed audit log
    • Allows access only to specific host systems
    • Each proxy module is a very small software package specifically designed for network security
    • Each proxy is independent of the other proxies on the bastion host
  • 20. Firewall Configurations
  • 21. Screened host firewall, single-homed bastion configuration
    • Firewall consists of two systems:
      • A packet-filtering router
      • A bastion host
    • Configuration for the packet-filtering router:
      • Only packets from and to the bastion host are allowed to pass through the router
    • The bastion host performs authentication and proxy functions
  • 22.
    • Greater security than either component used alone, for two reasons:
      • This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
      • An intruder must generally penetrate two separate systems
    • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
  • 23.  
  • 24. Screened host firewall, dual-homed bastion configuration
      • If the packet-filtering router is compromised, traffic cannot flow directly through the router between the Internet and other hosts on the private network.
      • Traffic between the Internet and other hosts on the private network has to flow through the bastion host
  • 25.  
  • 26. Screened subnet firewall configuration
      • Most secure configuration of the three
      • Two packet-filtering routers are used
      • Creation of an isolated sub-network
  • 27.
    • Advantages
      • The outside router advertises only the existence of the screened subnet to the Internet
      • The inside router advertises only the existence of the screened subnet to the internal network
  • 28. Trusted Systems
    • One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
  • 29. Data Access Control
    • Through the user access control procedure (log on), a user is identified to the system
    • Associated with each user there can be a profile that specifies permissible operations and file accesses
    • The operating system can enforce rules based on the user profile
  • 30.
    • General models of access control:
      • Access matrix
      • Access control list
      • Capability list
  • 31. Access Control Matrix
  • 32.
    • Access Matrix: Basic elements of the model
      • Subject: An entity capable of accessing objects (e.g. a process)
      • Object: Anything to which access is controlled (e.g. files, programs)
      • Access right: The way in which an object may be accessed by a subject (e.g. read, write, execute)
  • 33. Access control list: decomposition of the matrix by columns
    • Access control list for Program1: Process1 (Read, Execute)
    • Access control list for Segment A: Process1 (Read, Write)
    • Access control list for Segment B: Process2 (Read)
  • 34.
    • Access Control List
      • An access control list, stored with each object, lists the users and their permitted access rights for that object
  • 35. Capability list: decomposition of the matrix by rows
    • Capability list for Process1: Program1 (Read, Execute), Segment A (Read, Write)
    • Capability list for Process2: Segment B (Read)
  • 36.
    • Capability list
      • A capability ticket specifies the authorized objects and operations for a user
      • Each user holds a number of tickets
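Slides 31 to 36 describe one matrix and its two decompositions. The following Python is an added example (not the slides' own code) that builds the matrix shown on slides 33 and 35, derives the access control lists by column and the capability lists by row, answers access checks from either side, and shows which question each decomposition answers with a single lookup. The subject, object and right names are the ones on the slides.

```python
"""Access matrix decomposed into access control lists (by column) and
capability lists (by row). Added example; contents follow slides 33 and 35."""
from collections import defaultdict
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]

# Subject -> object -> rights, exactly as written on the slides.
ACCESS_MATRIX: Matrix = {
    "Process1": {"Program1": {"Read", "Execute"}, "Segment A": {"Read", "Write"}},
    "Process2": {"Segment B": {"Read"}},
}


def access_control_lists(matrix: Matrix) -> Matrix:
    """Decompose by columns: object -> subject -> rights (the list lives with the object)."""
    acls: Matrix = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def capability_lists(matrix: Matrix) -> Matrix:
    """Decompose by rows: subject -> object -> rights (tickets held by the subject)."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def allowed_by_acl(acls: Matrix, subject: str, obj: str, right: str) -> bool:
    """Object-side check: the object's list must name the subject with that right."""
    return right in acls.get(obj, {}).get(subject, set())


def allowed_by_capability(caps: Matrix, subject: str, obj: str, right: str) -> bool:
    """Subject-side check: the subject must hold a ticket for the object with that right."""
    return right in caps.get(subject, {}).get(obj, set())


def who_can_access(acls: Matrix, obj: str) -> Dict[str, Set[str]]:
    """'Who may touch this object?' is one lookup in the ACL decomposition."""
    return acls.get(obj, {})


def what_can_access(caps: Matrix, subject: str) -> Dict[str, Set[str]]:
    """'What may this subject touch?' is one lookup in the capability decomposition."""
    return caps.get(subject, {})


def decompositions_agree(matrix: Matrix) -> bool:
    """Both decompositions must answer every (subject, object, right) query identically,
    since each is just a different storage layout of the same matrix."""
    acls, caps = access_control_lists(matrix), capability_lists(matrix)
    subjects = set(matrix)
    objects = {obj for row in matrix.values() for obj in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(
        allowed_by_acl(acls, s, o, r) == allowed_by_capability(caps, s, o, r)
        for s in subjects for o in objects for r in rights
    )


if __name__ == "__main__":
    acls = access_control_lists(ACCESS_MATRIX)
    caps = capability_lists(ACCESS_MATRIX)
    for obj, entries in sorted(acls.items()):
        print(f"ACL for {obj}: {entries}")
    for subject, tickets in sorted(caps.items()):
        print(f"Capability list for {subject}: {tickets}")
    print("Process1 write Segment A:", allowed_by_acl(acls, "Process1", "Segment A", "Write"))
    print("Process2 read Segment A:", allowed_by_capability(caps, "Process2", "Segment A", "Read"))
    print("decompositions agree:", decompositions_agree(ACCESS_MATRIX))
```

The practical difference between the two layouts is which query is cheap: with ACLs, listing or revoking every subject's access to one object is a single lookup, while finding everything one subject can reach means scanning every object's list; with capability lists the situation is reversed.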