SlideShare a Scribd company logo

firewall-2.pdf

S
singbling

detail discussion on Firewall in information security

Education
1 of 24
Download to read offline
Blekinge Institute of Technology Fredrik Erlandsson Firewalls
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 2 Firewalls • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet • The firewall is inserted between the premises network and the Internet • Aims:  Establish a controlled link  Protect the premises network from Internet-based attacks  Provide a single choke point
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 3 Design goals • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security police) will be allowed to pass • The firewall itself is immune to penetration (use of trusted system with a secure operating system)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 4 Firewall Characteristics 4 general techniques: I. Service control  Determines the types of Internet services that can be accessed, inbound or outbound II. Direction control  Determines the direction in which particular service requests are allowed to flow III. User control  Controls access to a service according to which user is attempting to access it IV. Behavior control  Controls how particular services are used (e.g. filter e-mail)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 5 Types of Firewalls 3 common types of Firewalls:  Packet-filtering routers  Application-level gateways  Circuit-level gateways  (Bastion host)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 6 Types of Firewalls I • Packet-filtering Router Internet Private Network Security Perimeter (a) Packet-filtering router Packet- filtering router Inside connection Application-level gateway Outside connection Outside host Inside host TELNET FTP SMTP HTTP
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 7 Packet-filtering Router • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 8 Packet-filtering Router II  Advantages:  Simplicity  Transparency to users  High speed  Disadvantages:  Difficulty of setting up packet filter rules  Lack of Authentication  Possible attacks and appropriate countermeasures  IP address spoofing  Source routing attacks  Tiny fragment attacks
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 9 Types of Firewalls II • Application-level Gateway Internet Private Network (a) Packet-filtering router Circuit-level gateway Outside connection Packet- filtering router (b) Application-level gateway Inside connection Application-level gateway Outside connection Outside host Inside host TELNET FTP SMTP HTTP
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 10 Application-level Gateway • Application-level Gateway – Also called proxy server – Acts as a relay of application-level traffic • Advantages: – Higher security than packet filters – Only need to scrutinise a few allowable applications – Easy to log and audit all incoming traffic • Disadvantages: – Additional processing overhead on each connection (gateway as splice point)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 11 Types of Firewalls III • Circuit-level Gateway (c) Circuit-level gateway Inside connection Circuit-level gateway Outside connection Outside host Inside host Out Out Out In In In (b) Application-level gateway Figure 11.1 Firewall Types Outside host Inside host FTP SMTP HTTP
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 12 Circuit-level Gateway • Circuit-level Gateway  Stand-alone system or  Specialised function performed by an Application-level Gateway  Sets up two TCP connections  The gateway typically relays TCP segments from one connection to the other without examining the contents  The security function consists of determining which connections will be allowed  Typically use is a situation in which the system administrator trusts the internal users  An example is the SOCKS package
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 13 Bastion Host • Bastion Host  A system identified by the firewall administrator as a critical strong point in the network´s security  The bastion host serves as a platform for an application-level or circuit-level gateway
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 14 Screened host firewall • Screened host firewall system (single-homed bastion host) • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems:  A packet-filtering router  A bastion host Internet (a) Screened host firewall system (single-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts Internet Bastion host
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 15 Firewall Configurations  Greater security than single configurations because of two reasons:  This configuration implements both packet-level and application- level filtering (allowing for flexibility in defining security policy)  An intruder must generally penetrate two separate systems  This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 16 Firewall Configurations  Screened host firewall system (dual-homed bastion host)  Screened host firewall, dual-homed bastion configuration – The packet-filtering router is not completely compromised – Traffic between the Internet and other hosts on the private network has to flow through the bastion host Internet (a) Screened host firewall system (single-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts Bastion host Internet (b) Screened host firewall system (dual-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 17 Firewall Configurations  Screened-subnet firewall system  Screened subnet firewall configuration – Most secure configuration of the three – Two packet-filtering routers are used – Creation of an isolated sub-network (a) Screened host firewall system (single-homed bastion host) Figure 11.2 Firewall Configurations Internet (c) Screened-subnet firewall system Outside router Inside router Information server Bastion host Modem Internet (b) Screened host firewall system (dual-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts Private network
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 18 Firewall Configurations  Advantages:  Three levels of defense to thwart intruders  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security Demilitarised zone (DMZ) • Usage of firewalls to create a “no mans land” for services that should be accessible from the external network 19
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 20 Trusted Systems & Data Access Control  One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology  Data Access control • Through the user access control procedure (log on), a user can be identified to the system • Associated with each user, there can be a profile that specifies permissible operations and file accesses • The operation system can enforce rules based on the user profile  General models of access control: – Access matrix – Access control list – Capability list
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 21 Data Access Control  Access Matrix: Basic elements of the model  Subject: An entity capable of accessing objects, the concept of subject equates with that of process  Object: Anything to which access is controlled (e.g. files, programs)  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)  Access Control List – An access control list lists users and their permitted access right – The list may contain a default or public entry  Capability list – A capability ticket specifies authorised objects and operations for a user – Each user have a number of tickets
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 22 The Concept of Trusted Systems  Trusted Systems  Protection of data and resources on the basis of levels of security (e.g. military)  Users can be granted clearances to access certain categories of data  Multilevel security  Definition of multiple categories or levels of data  A multilevel secure system must enforce:  No read up: A subject can only read an object of less or equal security level (Simple Security Property)  No write down: A subject can only write into an object of greater or equal security level (*-Property)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 23 The Concept of Trusted Systems II  Reference Monitor  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters  The monitor has access to a file (security kernel database)  The monitor enforces the security rules (no read up, no write down)  Properties of the Reference Monitor  Complete mediation: Security rules are enforced on every access  Isolation: The reference monitor and database are protected from unauthorised modification  Verifiability: The reference monitor’s correctness must be provable (mathematically)
Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 24 The End END

Recommended

Firewals in Network Security NS10
Firewals in Network Security NS10Firewals in Network Security NS10
Firewals in Network Security NS10koolkampus
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
ch10.ppt
ch10.pptch10.ppt
ch10.pptImXaib
 
Chapter 10
Chapter 10Chapter 10
Chapter 10shivz3
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Firewalls
FirewallsFirewalls
FirewallsUniversity of Central Punjab
 

Recommended

Firewals in Network Security NS10
Firewals in Network Security NS10Firewals in Network Security NS10
Firewals in Network Security NS10koolkampus
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
ch10.ppt
ch10.pptch10.ppt
ch10.pptImXaib
 
Chapter 10
Chapter 10Chapter 10
Chapter 10shivz3
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Firewalls
FirewallsFirewalls
FirewallsUniversity of Central Punjab
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptxDivyanshu93112
 
Firewalls
FirewallsFirewalls
FirewallsRam Dutt Shukla
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfDr. Shivashankar
 
Firewall
FirewallFirewall
FirewallTapan Khilar
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdflamtran367679
 
Firewall Modified
Firewall ModifiedFirewall Modified
Firewall ModifiedRitesh Verma
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfahmeddeath6
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's TypesHem Pokhrel
 
Lessson 2 - Application Layer
Lessson 2 - Application LayerLessson 2 - Application Layer
Lessson 2 - Application LayerMLG College of Learning, Inc
 
Firewall & packet filter new
Firewall & packet filter newFirewall & packet filter new
Firewall & packet filter newKarnav Rana
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)Zara Nawaz
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureFiras Alsayied
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Firewalls
FirewallsFirewalls
FirewallsDr.Florence Dayana
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and functionNisarg Amin
 
Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt
Ch06-NetworkSecurity2-firewall-tunneling-IDS.pptCh06-NetworkSecurity2-firewall-tunneling-IDS.ppt
Ch06-NetworkSecurity2-firewall-tunneling-IDS.pptgocokir267
 
Lessson 2
Lessson 2Lessson 2
Lessson 2MLG College of Learning, Inc
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurationsStudent
 
FIREWALL
FIREWALLFIREWALL
FIREWALLswati463221
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network DefensesInformation Technology
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 

More Related Content

Similar to firewall-2.pdf

Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfDr. Shivashankar
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfahmeddeath6
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's TypesHem Pokhrel
 
Firewall & packet filter new
Firewall & packet filter newFirewall & packet filter new
Firewall & packet filter newKarnav Rana
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)Zara Nawaz
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureFiras Alsayied
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and functionNisarg Amin
 
Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt
Ch06-NetworkSecurity2-firewall-tunneling-IDS.pptCh06-NetworkSecurity2-firewall-tunneling-IDS.ppt
Ch06-NetworkSecurity2-firewall-tunneling-IDS.pptgocokir267
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurationsStudent
 

Similar to firewall-2.pdf (20)

Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
 
Firewalls
FirewallsFirewalls
Firewalls
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdf
 
Firewall
FirewallFirewall
Firewall
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
 
Firewall Modified
Firewall ModifiedFirewall Modified
Firewall Modified
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdf
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's Types
 
Lessson 2 - Application Layer
Lessson 2 - Application LayerLessson 2 - Application Layer
Lessson 2 - Application Layer
 
Firewall & packet filter new
Firewall & packet filter newFirewall & packet filter new
Firewall & packet filter new
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and function
 
Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt
Ch06-NetworkSecurity2-firewall-tunneling-IDS.pptCh06-NetworkSecurity2-firewall-tunneling-IDS.ppt
Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt
 
Lessson 2
Lessson 2Lessson 2
Lessson 2
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurations
 
FIREWALL
FIREWALLFIREWALL
FIREWALL
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network Defenses
 

Recently uploaded

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 

Recently uploaded (20)

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 

firewall-2.pdf

  • 1. Blekinge Institute of Technology Fredrik Erlandsson Firewalls
  • 2. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 2 Firewalls • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet • The firewall is inserted between the premises network and the Internet • Aims:  Establish a controlled link  Protect the premises network from Internet-based attacks  Provide a single choke point
  • 3. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 3 Design goals • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security police) will be allowed to pass • The firewall itself is immune to penetration (use of trusted system with a secure operating system)
  • 4. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 4 Firewall Characteristics 4 general techniques: I. Service control  Determines the types of Internet services that can be accessed, inbound or outbound II. Direction control  Determines the direction in which particular service requests are allowed to flow III. User control  Controls access to a service according to which user is attempting to access it IV. Behavior control  Controls how particular services are used (e.g. filter e-mail)
  • 5. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 5 Types of Firewalls 3 common types of Firewalls:  Packet-filtering routers  Application-level gateways  Circuit-level gateways  (Bastion host)
  • 6. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 6 Types of Firewalls I • Packet-filtering Router Internet Private Network Security Perimeter (a) Packet-filtering router Packet- filtering router Inside connection Application-level gateway Outside connection Outside host Inside host TELNET FTP SMTP HTTP
  • 7. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 7 Packet-filtering Router • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward)
  • 8. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 8 Packet-filtering Router II  Advantages:  Simplicity  Transparency to users  High speed  Disadvantages:  Difficulty of setting up packet filter rules  Lack of Authentication  Possible attacks and appropriate countermeasures  IP address spoofing  Source routing attacks  Tiny fragment attacks
  • 9. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 9 Types of Firewalls II • Application-level Gateway Internet Private Network (a) Packet-filtering router Circuit-level gateway Outside connection Packet- filtering router (b) Application-level gateway Inside connection Application-level gateway Outside connection Outside host Inside host TELNET FTP SMTP HTTP
  • 10. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 10 Application-level Gateway • Application-level Gateway – Also called proxy server – Acts as a relay of application-level traffic • Advantages: – Higher security than packet filters – Only need to scrutinise a few allowable applications – Easy to log and audit all incoming traffic • Disadvantages: – Additional processing overhead on each connection (gateway as splice point)
  • 11. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 11 Types of Firewalls III • Circuit-level Gateway (c) Circuit-level gateway Inside connection Circuit-level gateway Outside connection Outside host Inside host Out Out Out In In In (b) Application-level gateway Figure 11.1 Firewall Types Outside host Inside host FTP SMTP HTTP
  • 12. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 12 Circuit-level Gateway • Circuit-level Gateway  Stand-alone system or  Specialised function performed by an Application-level Gateway  Sets up two TCP connections  The gateway typically relays TCP segments from one connection to the other without examining the contents  The security function consists of determining which connections will be allowed  Typically use is a situation in which the system administrator trusts the internal users  An example is the SOCKS package
  • 13. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 13 Bastion Host • Bastion Host  A system identified by the firewall administrator as a critical strong point in the network´s security  The bastion host serves as a platform for an application-level or circuit-level gateway
  • 14. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 14 Screened host firewall • Screened host firewall system (single-homed bastion host) • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems:  A packet-filtering router  A bastion host Internet (a) Screened host firewall system (single-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts Internet Bastion host
  • 15. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 15 Firewall Configurations  Greater security than single configurations because of two reasons:  This configuration implements both packet-level and application- level filtering (allowing for flexibility in defining security policy)  An intruder must generally penetrate two separate systems  This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
  • 16. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 16 Firewall Configurations  Screened host firewall system (dual-homed bastion host)  Screened host firewall, dual-homed bastion configuration – The packet-filtering router is not completely compromised – Traffic between the Internet and other hosts on the private network has to flow through the bastion host Internet (a) Screened host firewall system (single-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts Bastion host Internet (b) Screened host firewall system (dual-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts
  • 17. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 17 Firewall Configurations  Screened-subnet firewall system  Screened subnet firewall configuration – Most secure configuration of the three – Two packet-filtering routers are used – Creation of an isolated sub-network (a) Screened host firewall system (single-homed bastion host) Figure 11.2 Firewall Configurations Internet (c) Screened-subnet firewall system Outside router Inside router Information server Bastion host Modem Internet (b) Screened host firewall system (dual-homed bastion host) Packet- filtering router Information server Bastion host Private network hosts Private network
  • 18. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 18 Firewall Configurations  Advantages:  Three levels of defense to thwart intruders  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
  • 19. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security Demilitarised zone (DMZ) • Usage of firewalls to create a “no mans land” for services that should be accessible from the external network 19
  • 20. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 20 Trusted Systems & Data Access Control  One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology  Data Access control • Through the user access control procedure (log on), a user can be identified to the system • Associated with each user, there can be a profile that specifies permissible operations and file accesses • The operation system can enforce rules based on the user profile  General models of access control: – Access matrix – Access control list – Capability list
  • 21. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 21 Data Access Control  Access Matrix: Basic elements of the model  Subject: An entity capable of accessing objects, the concept of subject equates with that of process  Object: Anything to which access is controlled (e.g. files, programs)  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)  Access Control List – An access control list lists users and their permitted access right – The list may contain a default or public entry  Capability list – A capability ticket specifies authorised objects and operations for a user – Each user have a number of tickets
  • 22. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 22 The Concept of Trusted Systems  Trusted Systems  Protection of data and resources on the basis of levels of security (e.g. military)  Users can be granted clearances to access certain categories of data  Multilevel security  Definition of multiple categories or levels of data  A multilevel secure system must enforce:  No read up: A subject can only read an object of less or equal security level (Simple Security Property)  No write down: A subject can only write into an object of greater or equal security level (*-Property)
  • 23. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 23 The Concept of Trusted Systems II  Reference Monitor  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters  The monitor has access to a file (security kernel database)  The monitor enforces the security rules (no read up, no write down)  Properties of the Reference Monitor  Complete mediation: Security rules are enforced on every access  Isolation: The reference monitor and database are protected from unauthorised modification  Verifiability: The reference monitor’s correctness must be provable (mathematically)
  • 24. Fredrik Erlandsson Blekinge Institute of Technology ET1318 - Network Security 24 The End END