Published on

Published in: Internet, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1.  A firewall forms a barrier through which the traffic going in each direction must pass. A firewall security policy dictates which traffic is authorized to pass in each direction.  Firewall is an effective means of protecting a local system or network of systems from network based security threats while at the same time affording access to outside world via WAN or Internet.
  2. 2. ◦ All traffic from inside to outside and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall). ◦ Only authorized traffic (defined by the local security policy) will be allowed to pass.
  3. 3.  Service control ◦ Determines the types of Internet services that can be accessed, inbound or outbound.  Direction control ◦ Determines the direction in which particular service requests are allowed to flow through the firewall.  User control ◦ Controls access to a service according to which user is attempting to access it.  Behavior control ◦ Controls how particular services are used (e.g. filter e-mail).
  4. 4.  cannot protect against attacks bypassing it. ◦ eg sneaker net, utility modems.  cannot protect against internal threats. ◦ eg disgruntled employee  cannot protect against transfer of all virus infected programs or files. ◦ because of huge range of O/S & file types
  5. 5.  What Is Firewall?  Name The Techniques Involved In Firewall?  Explain any two techniques?  Any Two Limitations Of Firewall?
  6. 6.  Three common types of Firewalls: ◦ Packet-filtering routers ◦ Application-level gateways ◦ Circuit-level gateways ◦ Bastion host
  7. 7. ◦ Applies a set of rules to each incoming IP packet and then forwards or discards the packet. ◦ Filter packets going in both directions. ◦ The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. ◦ Two default policies (discard or forward).
  8. 8.  Advantages: ◦ Simplicity ◦ Transparency to users ◦ High speed  Disadvantages: ◦ Difficulty of setting up packet filter rules ◦ Lack of Authentication
  9. 9.  Possible attacks and appropriate countermeasures ◦ IP address spoofing ◦ Source routing attacks ◦ Tiny fragment attacks
  10. 10.  examine each IP packet in context – keeps tracks of client-server sessions – checks each packet validly belongs to one  better able to detect bogus packets out of context
  11. 11.  Application-level Gateway ◦ Also called proxy server. ◦ Acts as a relay of application-level traffic.  Advantages: ◦ Higher security than packet filters. ◦ Easy to log and audit all incoming traffic.  Disadvantages: ◦ Additional processing overhead on each connection (gateway as splice point).
  12. 12.  Circuit-level Gateway ◦ Stand-alone system or ◦ Specialized function performed by an The gateway typically Application-level Gateway ◦ Sets up two TCP connections ◦ relays TCP segments from one connection to the other without examining the contents
  13. 13. ◦ A system identified by the firewall administrator as a critical strong point in the network´s security. ◦ The bastion host serves as a platform for an application-level or circuit-level gateway.
  14. 14. What are the types of firewall?
  15. 15.  What is packet filter?  Name the possible attacks involved in packet filter?  What is Application level gateway?  what is circiut level gateway?  Difference between application and circiut level gateway?
  16. 16.  In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible.
  17. 17.  Screened host firewall system (single-homed bastion host)  Screened host firewall syste (dual-homed bastion host)  Screened-subnet firewall system
  18. 18. Screened host firewall, single-homed bastion configuration  Firewall consists of two systems: ◦ A packet-filtering router. ◦ A bastion host.  Configuration for the packet-filtering router: ◦ Only packets from and to the bastion host are allowed to pass through the router.  The bastion host performs authentication and proxy functions.
  19. 19. Screened host firewall, dual-homed bastion configuration ◦ The packet-filtering router is not completely compromised. ◦ Traffic between the Internet and other hosts on the private network has to flow through the bastion host.
  20. 20.  Screened subnet firewall configuration ◦ Most secure configuration of the three. ◦ Two packet-filtering routers are used. ◦ Creation of an isolated sub-network.
  21. 21.  Advantages: ◦ Three levels of defense to thwart intruders. ◦ The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet). ◦ The inside router advertises only the existence of the screened sub-net to the internal network ( the systems on the inside cannot construct direct routes to the internet.
  22. 22. • given system has identified a user • determine what resources they can access • general model is that of access matrix with – subject - active entity (user, process) – object - passive entity (file or resource) – access right – way object can be accessed
  23. 23. • information security is increasingly important • have varying degrees of sensitivity of information – cf military info classifications: confidential, secret etc • subjects (people or programs) have varying rights of access to objects (information) • want to consider ways of increasing confidence in systems to enforce these rights • known as multilevel security – subjects have maximum & current security level – objects have a fixed security level classification