Firewall Modified
Slide notes reference Stallings Fig 20-2 (three times) and Stallings Fig 20-3.

1. Firewalls

2. What is a Firewall?
   - A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets of digital information that attempt to pass through the perimeter of a network.
   - It is an effective means of protecting a local system or network from network-related security threats.

3. Firewall design goals
   - All traffic from inside or outside must pass through the firewall.
   - Only authorized traffic, as defined by the local security policy, will be allowed to pass.
   - The firewall itself is immune to penetration.

4. Types of controls
   - Service control
   - Direction control
   - User control
   - Behavior control

5. Firewall capabilities
   - A firewall defines a single choke point.
   - Provides a location for monitoring security-related events.
   - Handles network-related events.
   - Serves as a platform for IPsec.

6. Firewall Limitations
   - Cannot protect from attacks that bypass it.
   - Cannot protect against internal threats, e.g. a disgruntled employee.
   - Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types.

7. Types of Firewalls
   - Packet filters
   - Application-level gateways
   - Circuit-level gateways

8. Packet Filters

9. Packet Filters
   - A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet.
   - The router is typically configured to filter packets going in both directions (from and to the internal network).
   - Possible default policies:
     - Discard
     - Forward

10. Packet-Filtering Examples

    Action | Ourhost | Port | Theirhost | Port | Comment
    Block  | *       | *    | SPIGOT    | *    | We don't trust these people
    Allow  | OUR-GW  | 25   | *         | *    | Connection to our SMTP port

11.

    Action | Ourhost | Port | Theirhost | Port | Comment
    Block  | *       | *    | *         | *    | default

    Action | Ourhost | Port | Theirhost | Port | Comment
    Allow  | *       | *    | *         | 25   | Connection to their SMTP

12. Attacks on Packet Filters
   - IP address spoofing: a fake (internal) source address; add filters on the router to block such packets on the external interface.
   - Source routing attacks: the attacker sets a route other than the default; block source-routed packets.
   - Tiny fragment attacks: header information is split over several tiny packets; either discard them or reassemble before checking.
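As an added example (not from the slides), the rule tables from slides 10 and 11 and the three checks from slide 12 as a small Python packet filter with first-match semantics. The addresses for OUR-GW, SPIGOT and the internal network, the packet dictionary layout and the tiny-fragment threshold are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses for the hosts named on the slides (assumptions, not from the deck).
INTERNAL_NET = ip_network("192.0.2.0/24")
OUR_GW = "192.0.2.25"        # "OUR-GW", our SMTP gateway
SPIGOT = "203.0.113.7"       # "SPIGOT", the host the rule set does not trust
MIN_FIRST_FRAGMENT = 20      # simplified: a later fragment starting below this byte offset
                             # would split the transport header across fragments

@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Block"
    ourhost: str       # "*" matches anything
    ourport: str
    theirhost: str
    theirport: str
    comment: str = ""

    def matches(self, ourhost, ourport, theirhost, theirport):
        fields = ((self.ourhost, ourhost), (self.ourport, ourport),
                  (self.theirhost, theirhost), (self.theirport, theirport))
        return all(pat == "*" or pat == str(val) for pat, val in fields)

# The tables from slides 10 and 11; first match wins and the last rule is the default policy.
RULES = [
    Rule("Block", "*", "*", SPIGOT, "*", "We don't trust these people"),
    Rule("Allow", OUR_GW, "25", "*", "*", "Connection to our SMTP port"),
    Rule("Allow", "*", "*", "*", "25", "Connection to their SMTP"),
    Rule("Block", "*", "*", "*", "*", "default"),
]

def filter_packet(pkt, rules=RULES):
    # pkt: dict with src, dst, sport, dport, iface ("external"/"internal"), optional src_routed, frag_offset
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    # Slide 12 checks, applied before the rule table.
    if pkt["iface"] == "external" and src in INTERNAL_NET:
        return "Block", "spoofed internal source address"
    if pkt.get("src_routed"):
        return "Block", "source-routed packet"
    if 0 < pkt.get("frag_offset", 0) < MIN_FIRST_FRAGMENT:
        return "Block", "tiny fragment"
    # Inbound packets have our host as destination; outbound packets have it as source.
    if pkt["iface"] == "external":
        ours, theirs = (str(dst), pkt["dport"]), (str(src), pkt["sport"])
    else:
        ours, theirs = (str(src), pkt["sport"]), (str(dst), pkt["dport"])
    for rule in rules:
        if rule.matches(*ours, *theirs):
            return rule.action, rule.comment
    return "Block", "no rule matched"   # unreachable while a default rule is present
```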
13.
   - Advantages
     - Simple
     - Transparent to users
     - Very fast
   - Disadvantages
     - Rule generation is difficult
     - Lack of authentication

14. Application Level Gateway (Proxy server)
   [Figure: an internal host on the private network makes the inside connection to the application-level gateway, which makes the outside connection to an external host on the Internet; the user's illusion is a direct connection (HTTP, FTP, TELNET, SMTP).]

15.
   - Purpose
     - Monitor every connection
     - Provide end-to-end connection
   - Advantage
     - More secure than a packet filter
   - Disadvantage
     - Additional processing overhead on each connection

16. Circuit Level Gateway
   [Figure: inside host, inside connection, circuit-level gateway, outside connection, outside host; the gateway relays the in/out traffic between the two connections.]

17. Circuit Level Gateway
   - Relays two TCP connections.
   - Imposes security by limiting which such connections are allowed.
   - Once created, usually relays traffic without examining contents.
   - Typically used when internal users are trusted, by allowing general outbound connections.
   - Example: the SOCKS package.

18. Bastion Host
   - It is a critical strong point in the network's security.
   - A bastion host is a system that contains either an application-level or a circuit-level gateway, or both.
   - Only the services that the network administrator considers essential are installed on the bastion host. These include proxies such as Telnet, DNS, FTP, SMTP and user authentication.
   - It runs a secure version of its OS.

19. Characteristics
   - The most secure OS is included.
   - Essential services are included.
   - Requires additional authentication of users.
   - Configured to support a subset of applications.
   - Maintains a detailed audit log.
   - Allows access only to specific host systems.
   - Each proxy module is a very small software package specifically designed for network security.
   - Each proxy is independent of the other proxies on the bastion host.

20. Firewall Configurations

21. Screened host firewall, single-homed bastion configuration
   - The firewall consists of two systems:
     - A packet-filtering router
     - A bastion host
   - Configuration for the packet-filtering router:
     - Only packets from and to the bastion host are allowed to pass through the router.
   - The bastion host performs authentication and proxy functions.

22.
   - Greater security than single configurations, for two reasons:
     - This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy).
     - An intruder must generally penetrate two separate systems.
   - This configuration also affords flexibility in providing direct Internet access (public information server, e.g. a Web server).

24. Screened host firewall, dual-homed bastion configuration
   - If the packet-filtering router is compromised, traffic can't flow directly through the router between the Internet and other hosts on the private network.
   - Traffic between the Internet and other hosts on the private network has to flow through the bastion host.

26. Screened subnet firewall configuration
   - Most secure configuration of the three.
   - Two packet-filtering routers are used.
   - Creation of an isolated sub-network.

27.
   - Advantages
     - The outside router advertises only the existence of the screened subnet to the Internet.
     - The inside router advertises only the existence of the screened subnet to the internal network.

28. Trusted Systems
   - One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology.

29. Data Access Control
   - Through the user access control procedure (log on), a user can be identified to the system.
   - Associated with each user, there can be a profile that specifies permissible operations and file accesses.
   - The operating system can enforce rules based on the user profile.

30.
   - General models of access control:
     - Access matrix
     - Access control list
     - Capability list

31. Access Control Matrix

32.
   - Access Matrix: basic elements of the model
     - Subject: an entity capable of accessing objects (e.g. a process)
     - Object: anything to which access is controlled (e.g. files, programs)
     - Access right: the way in which an object is accessed by a subject (e.g. read, write, execute)

33. Access control list
   Decomposition of the matrix by columns:
   - Access control list for Segment A: Process1 (Read, Write)
   - Access control list for Segment B: Process2 (Read)
   - Access control list for Program1: Process1 (Read, Execute)

34.
   - Access Control List
     - An access control list lists users and their permitted access rights.

35. Capability list
   Decomposition of the matrix by rows:
   - Capability list for Process1: Segment A (Read, Write), Program1 (Read, Execute)
   - Capability list for Process2: Segment B (Read)

36.
   - Capability list
     - A capability ticket specifies authorized objects and operations for a user.
     - Each user has a number of tickets.
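As an added example (not from the slides), the access matrix from slides 33 and 35 in Python, decomposed by column into access control lists and by row into capability lists, with the access check each decomposition supports. The two revocation functions go beyond the slides to show the practical difference: revoking all access to one object touches a single ACL but every subject's capability list.

```python
from collections import defaultdict

# The example matrix from slides 33 and 35: rows are subjects, columns are objects,
# and each cell holds the access rights the subject has on the object.
ACCESS_MATRIX = {
    "Process1": {"Segment A": {"Read", "Write"}, "Program1": {"Read", "Execute"}},
    "Process2": {"Segment B": {"Read"}},
}

def access_control_lists(matrix):
    """Decompose by column: one list per object, naming subjects and their rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = frozenset(rights)
    return dict(acls)

def capability_lists(matrix):
    """Decompose by row: one list of tickets per subject, naming objects and rights."""
    return {subject: {obj: frozenset(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}

def check_acl(acls, subject, obj, right):
    """Object-side check: consult the object's ACL for the requesting subject."""
    return right in acls.get(obj, {}).get(subject, frozenset())

def check_capability(caps, subject, obj, right):
    """Subject-side check: the subject presents its ticket for the object."""
    return right in caps.get(subject, {}).get(obj, frozenset())

def revoke_object_acl(acls, obj):
    """Remove all access to one object; returns how many ACLs were touched (at most one)."""
    return 1 if acls.pop(obj, None) is not None else 0

def revoke_object_caps(caps, obj):
    """The same revocation under capabilities; returns how many ticket lists were touched."""
    touched = 0
    for tickets in caps.values():          # every subject's list must be searched
        if tickets.pop(obj, None) is not None:
            touched += 1
    return touched
```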