Cryptography and network security
Firewall, network security, william stallings

Published in: Engineering

  1. Firewall
  2. Characteristics: Design Goals
     • All traffic must pass through the firewall.
     • Only authorised traffic will be allowed to pass.
     • The firewall itself is immune to penetration.
     Techniques used in a firewall: 1. Service control. 2. Direction control. 3. User control. 4. Behaviour control.
  3. Characteristics: Capabilities of the Firewall
     • Keeps unauthorised users out of the protected network.
     • Simplifies the security mechanism, since there is a single choke point.
     • Provides a location to monitor security-related events.
     • Can serve as the platform for IPSec.
  4. Characteristics: Limitations of the Firewall
     • Cannot protect against attacks that bypass the firewall.
     • Does not protect against internal threats.
     • Cannot protect against the transfer of virus-infected programs or files.
  5. Types of Firewall: Packet Filtering Router
  6. Types of Firewall: Application Level Gateway
  7. Types of Firewall: Circuit Level Gateway
  8. Packet Filtering Router
     • Applies a set of rules to each packet.
     • Rules are based on: source IP address, destination IP address, source and destination transport-level address, IP protocol field, interface.
     • Default = discard: that which is not expressly permitted is prohibited.
     • Default = forward: that which is not expressly prohibited is permitted.
  9. Packet Filtering Router: example rule set
     • Allows all packets whose destination is port 1414: ACTION-ALLOW PORT-1414
     • Allows all packets from the network: ACTION-ALLOW FROM-
     • Denies all ICMP packets that are type 8, except those from the network: ACTION-DENY PROTO-ICMP ICMPTYPE-8
     • Rejects all other packets: DEFAULT-REJECT
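The rule set on slides 8 and 9 is easiest to understand by running it. The following is an added example, not part of the slides or of Stallings' text: a minimal first-match packet filter in Python that evaluates the slide's three rules and then applies either default policy. The slide does not name the trusted network, so the 10.0.0.0/8 range, the field names and the sample packets are all constructed here for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-filtering router looks at (constructed model)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # transport-level address, if any
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches any value."""
    action: str
    proto: Optional[str] = None
    src_net: Optional[str] = None   # CIDR network, e.g. "10.0.0.0/8"
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def filter_packet(rules: List[Rule], packet: Packet, default: str) -> str:
    """First matching rule wins; the default policy applies when none matches."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# The slide's rule set. The slide does not name the trusted network, so
# 10.0.0.0/8 is a placeholder chosen here. Order matters: the allow-from-network
# rule sits before the ICMP deny, which is what produces the "except those from
# the network" exception under first-match evaluation.
INTERNAL_NET = "10.0.0.0/8"
RULES = [
    Rule(ALLOW, dst_port=1414),                 # ACTION-ALLOW PORT-1414
    Rule(ALLOW, src_net=INTERNAL_NET),          # ACTION-ALLOW FROM-<network>
    Rule(DENY, proto="icmp", icmp_type=8),      # ACTION-DENY PROTO-ICMP ICMPTYPE-8
]

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("203.0.113.5", "10.1.1.1", "tcp", dst_port=1414),   # external host to port 1414
    Packet("10.2.3.4", "198.51.100.7", "icmp", icmp_type=8),   # echo request from inside
    Packet("203.0.113.5", "10.1.1.1", "icmp", icmp_type=8),    # echo request from outside
    Packet("203.0.113.5", "10.1.1.1", "tcp", dst_port=22),     # matches no rule
]


def decide_all(packets: List[Packet], default: str) -> List[str]:
    """Decide every packet under one default policy (discard or forward)."""
    return [filter_packet(RULES, p, default) for p in packets]


if __name__ == "__main__":
    print("default = discard:", decide_all(SAMPLE, DENY))
    print("default = forward:", decide_all(SAMPLE, ALLOW))
```

Only the last sample packet reaches the default, so the two policies differ on exactly that packet: under default = discard it is dropped, under default = forward it passes. That one difference is the whole argument for the conservative default on slide 8.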
  10. Packet Filtering Router: Weaknesses of Packet Filtering Firewall
     • Does not examine upper-layer data.
     • Logging functionality is limited (source/destination address, traffic type).
     • Does not support advanced user authentication schemes.
     • Vulnerable to "network layer spoofing" attacks.
  11. Packet Filtering Router: Attacks on Packet Filtering Firewall
     • IP address spoofing
     • Source routing attack
     • Tiny fragment attack
  12. Application Level Gateway
     • has an application-specific gateway / proxy
     • has full access to the protocol
     • user requests a service from the proxy
     • proxy validates the request as legal
     • then actions the request and returns the result to the user
     • can log / audit traffic at the application level
     • needs separate proxies for each service
     • some services naturally support proxying
     • others are more problematic
  13. Circuit Level Gateway
     • relays two TCP connections
     • imposes security by limiting what such connections are allowed
     • once created, usually relays traffic without examining contents
     • typically used when internal users are trusted, by allowing general outbound connections
  14. Firewall Configurations
  15. Firewall Configurations
  16. Firewall Configurations
  17. Trusted Systems
  18. Data Access Control: Access Matrix
     • Subject: an entity capable of accessing objects.
     • Object: anything to which access is controlled.
     • Access right: the way in which an object is accessed by a subject.
  19. Data Access Control: Access Matrix, Access Control List, Capability List
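Slides 18 and 19 name the access matrix and its two decompositions without showing them. As an added example (not from the slides or from Stallings), the Python below builds a small constructed matrix of (subject, object) cells and derives the access control lists (one per object, the matrix columns) and the capability lists (one per subject, the matrix rows) from it. The subjects, objects and rights are invented for the example.

```python
from typing import Dict, Set, Tuple

Rights = Set[str]
Matrix = Dict[Tuple[str, str], Rights]   # (subject, object) -> rights in that cell

# Constructed example matrix; cells absent from the dict are empty.
MATRIX: Matrix = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "printer"):    {"use"},
    ("bob",   "payroll.db"): {"read"},
    ("carol", "printer"):    {"use"},
}


def access_control_lists(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Column view: for each object, which subjects hold which rights."""
    acl: Dict[str, Dict[str, Rights]] = {}
    for (subject, obj), rights in matrix.items():
        acl.setdefault(obj, {})[subject] = set(rights)
    return acl


def capability_lists(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Row view: for each subject, the objects it may access and how."""
    caps: Dict[str, Dict[str, Rights]] = {}
    for (subject, obj), rights in matrix.items():
        caps.setdefault(subject, {})[obj] = set(rights)
    return caps


def check_access(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """The access decision itself: is `right` present in the (subject, object) cell?"""
    return right in matrix.get((subject, obj), set())


def empty_cells(matrix: Matrix) -> int:
    """Count empty cells of the full subjects x objects matrix. A real matrix is
    mostly empty, which is why it is stored as ACLs or capability lists instead."""
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    return len(subjects) * len(objects) - len(matrix)


def revoke_object(matrix: Matrix, obj: str) -> Matrix:
    """Remove every right on one object. In ACL form this touches one list; in
    capability form every subject's list has to be scanned, which is the classic
    trade-off between the two representations."""
    return {cell: rights for cell, rights in matrix.items() if cell[1] != obj}


if __name__ == "__main__":
    print("ACLs:        ", access_control_lists(MATRIX))
    print("Capabilities:", capability_lists(MATRIX))
    print("empty cells: ", empty_cells(MATRIX))
```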
  20. Concept of Trusted Systems
     • It is required to protect data or resources on the basis of their level of security.
     • Multilevel security: a subject at a higher level may not convey information to a subject at a lower level.
     • No Read Up (Simple Security Property): a subject can only read an object of less or equal security level.
     • No Write Down (*-Property): a subject can only write into an object of greater or equal security level.
  21. Concept of Trusted Systems: Reference Monitor
     A controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of the security parameters of subjects and objects.
     Properties:
     • Complete mediation: the security rules are enforced on every access.
     • Isolation: the reference monitor and its database are protected from unauthorized modification.
     • Verifiability: the reference monitor's correctness must be provable.
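Slides 20 and 21 together describe a reference monitor that enforces the two multilevel rules on every access. The Python below is an added example, not code from the slides or from Stallings: a toy reference monitor that holds the objects itself (so nothing can reach them without going through it, which models complete mediation), applies no-read-up and no-write-down from the subject and object levels, and records each decision in an audit list. The levels, subjects and file names are constructed for the example; the write-down attempt in `demo()` is the access that the *-property denies to a program acting on behalf of a high-level user, which is the point of the Trojan horse defence slides that follow.

```python
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Level(IntEnum):
    """Constructed security levels, ordered from lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class ReferenceMonitor:
    """Mediates every read and write of the objects it holds (complete mediation)
    and records each decision in an audit list."""

    def __init__(self, subject_levels: Dict[str, Level], object_levels: Dict[str, Level]):
        self._subjects = dict(subject_levels)   # the security parameters database
        self._objects = dict(object_levels)
        self._store: Dict[str, str] = {obj: "" for obj in object_levels}
        self.audit: List[Tuple[str, str, str, bool]] = []

    def _permit(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self._subjects[subject], self._objects[obj]
        if mode == "read":
            ok = o <= s        # simple security property: no read up
        elif mode == "write":
            ok = o >= s        # *-property: no write down
        else:
            raise ValueError(mode)
        self.audit.append((subject, obj, mode, ok))   # every decision is logged
        return ok

    def read(self, subject: str, obj: str) -> str:
        if not self._permit(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._store[obj]

    def write(self, subject: str, obj: str, data: str) -> None:
        if not self._permit(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._store[obj] = data


def attempt(action: Callable[[], object]) -> bool:
    """Run one access and report whether the monitor allowed it."""
    try:
        action()
        return True
    except PermissionError:
        return False


def demo() -> Dict[str, bool]:
    """Exercise the rules with constructed subjects and objects."""
    rm = ReferenceMonitor(
        {"alice": Level.SECRET, "bob": Level.CONFIDENTIAL},
        {"secret_file": Level.SECRET, "public_file": Level.UNCLASSIFIED,
         "ts_file": Level.TOP_SECRET},
    )
    results = {
        "alice writes at own level": attempt(lambda: rm.write("alice", "secret_file", "q3 figures")),
        "alice reads own level":     attempt(lambda: rm.read("alice", "secret_file")),
        "alice reads up":            attempt(lambda: rm.read("alice", "ts_file")),
        "alice writes down":         attempt(lambda: rm.write("alice", "public_file", "q3 figures")),
        "bob writes up":             attempt(lambda: rm.write("bob", "secret_file", "note")),
        "bob reads up":              attempt(lambda: rm.read("bob", "secret_file")),
    }
    # Complete mediation: one audit record per access attempted above.
    results["every access audited"] = len(rm.audit) == len(results)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'allowed' if allowed else 'denied'}")
```

Note that "bob writes up" is permitted: the *-property only forbids information flowing downward, so a lower-level subject may write into a higher-level object even though it cannot read it back.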
  22. Concept of Trusted Systems: Reference Monitor Concept
  23. Concept of Trusted Systems: Trojan Horse Defence
  24. Concept of Trusted Systems: Trojan Horse Defence