SlideShare a Scribd company logo

Firewall - Network Defense in Depth Firewalls

Download as PPT, PDF
P
phanleson

This document discusses key concepts related to network defense in depth. It defines common terms like firewalls, DMZs, IDS, and VPNs. It also covers techniques for packet filtering, application inspection, network address translation, and virtual private networks. The goal of defense in depth is to implement multiple layers of security and not rely on any single mechanism.

Education
1 of 43
COEN 350 Network Defense in Depth Firewalls
Terms of the Trade  Border Router  First / last router under control of system administration.  DMZ  Demilitarized zone.  Security is low, since not protected by firewall. Locate webservers and other services there that generate potentially unsafe traffic.  Firewall  Filters packages based on a variety of rules.
Terms of the Trade  IDS  Intrusion Detection System.  NIDS: glean intrusion signatures from traffic.  HIDS: monitor activity at a host on which they are located.  VPN  Virtual private network  Screened subnet  Area protected by an internal firewall.
COEN 351 E-Commerce Securit  E-Commerce Security Course Homepage  Lecture Notes
Terms of the Trade  Configuration Management  Known vulnerabilities account for most of actually perpetrated exploits.  For most of them, patches were available, but not installed.  CM tries to enforce uniform security policies.  Backdoors  An entrance into the system that avoids perimeter defenses.
Defense in Depth  Rule 1: Multitude of security measures.  Do not relay on one security mechanism.  Rule 2: Do not make security so expensive / burdensome that you give legitimate users an incentive to circumvent security.
Defense in Depth  Example: External tcp packet passes:  Internet Perimeter Router  Internet perimeter firewall  DMZ firewall  Network IPS  NetFlow  Analyzes connections on network  Antivirus on host  Host IPS
Firewalls  Firewalls are perimeter defense:  Keep the bad stuff outside, enjoy life inside.
Filtering  Signature  Any distinctive characteristic that identifies something (with a high degree of probability)  Signature Types  Atomic Signatures  Single packet, single event, single activity is examined.  Stateful Signatures  State: Needed when analyzing multiple pieces of information that are not available at the same time.
Filtering  Atomic vs. Stateful Signatures  LAND attack  Attacker sends TCP-SYN packet with same source and destination address.  Caused TCP stacks to crash.  Can be discovered looking at a single packet.  Search for string “etc/password” in a URL  Attacker fragments the packet so that the string is not in either fragment.  State is needed in order to recognize the attack.
Filtering  Signature Triggers  Pattern Detection  Simple string search  Search for string “etc/passwords” ARP  Protocol decoders search for string only in protocol fields.  ARP request with source address FF:FF:FF:FF:FF:FF  Anomaly Detection  Traffic going to an unusual port.  Protocol compliance for http traffic  Behavior Detection  Abnormally large / small fragmented packets  Search for RPC requests that do not initially utilize the PortMapper
Filtering  Signature Actions  Generating an alert  Dropping / preventing an activity  Logging the activity  Resetting a TCP connection  Blocking future activity  Allow activity
Packet Filtering  Static Packet Filtering  Allow or deny access to packets based on internal characteristics. access list 111 deny ip host 205.205.205.205.1 any access list 111 permit tcp host 205.205.205.205.1 any access list 111 deny icmp any any echo-request access list 111 permit icmp any any packet-to-big access list 111 deny icmp any any Cisco extended ACL
Static Packet Filtering Difficult to design efficient rules.  Easy to get the rules tables wrong and allow bad traffic.  Security risks  People can piggy-back bad messages in harmless ones.  http traffic is known to be used as a backdoor.  Loki uses unused fields in normal TCP packets.  Fragmentation allows the filter to look only at a fragment  Most only look at the first fragment
Static Packet Filtering  Configuring a packet filter:  Security Policy: what is allowed, what is not allowed.  Allowable types of packets must be specified logically, in terms of logical expression on packet fields.  Expressions need to be rewritten in the firewall vendor’s language.
Static Packet Filtering  Example  Security Policy:  Allow inbound mail messages (SMTP, port 25), but only to gateway.  Block host faucet. action Our host port Their host port comment block * * faucet * We don’t trust these people. allow OUR- GW 25 * * Connection to our SMTP server
Static Packet Filtering  Example  If no rule applies, then the packet is dropped.  Without additional rules, our rule set would drop all non-mail packets. There would also be no replies.  Beware of a rule like this (intended to allow acks)  Based solely on outside host’s port number.  Port 25 is usually the mail port.  But there is no guarantee. action Our host port Their host port comment allow * * * 25 Connection to their SMTP port
Static Packet Filtering  Example  Expand rule set to allow connection with the outside: action Our host port Their host port Flag comment block * * faucet * allow OUR-GW 25 * * allow (our host) * * 25 Our packets to their port allow * 25 * * ACK Their replies Specify the names of all machines allowed to send mail to the outside here.
Static Packet Filtering  Combating Address Spoofing  At a minimum:  Don’t allow inside source addresses coming in.  Don’t allow outside source addresses going out.  Block source routing at the border routers.
Static Packet Filtering  Routing Information  If a node is unreachable from the outside then the node is almost (but not quite) as safe as a node disconnected from the net.  Internal routers should not advertise paths to such nodes to the outside.  Filter routes learned from the outside:  Protects against subversion by route confusion.  Route squatting:  Use internal addresses that belong to a different domain.  The nodes are de facto unreachable from the outside.  Use non-announced addresses. (e.g. 10.x.x.x)  But beware, when companies merge, these addresses tend to be incompatible.  So pick addresses in unpopular address ranges.
Static Packet Filtering  Performance  Packet filtering is done at the border.  No degradation for the internal network.  Typically, connection to ISP is the bottleneck.  However:  Degradation depends on the number of rules applied.  Can be mitigated by careful ordering of rules.
Application Level Filtering  Packet filters only look at  The source address  The destination address  TCP / UDP port numbers  TCP / UDP flags.  Application filters deals with the details of the service they are checking.  E.g. a mail application filter looks at  RFC 822 headers.  MIME attachments.  Might identify virus infected attachments.
Application Level Filtering  Snort:  Allows to set up rules that pass a packet on to another service.  Commercial firewalls  Include application level filters for many products.  Use non-disclosure agreement to obtain proprietary protocols
Dynamic Packet Filtering  Stateful Firewall  Still look at each packet.  Maintains a state of each connection.  Implements connection filtering.  Dynamically adjust a filtering table of current connections.  Implementation  Adjust the filtering rules dynamically.  E.g.: We started an HTTP connection to a given host.  Now HTTP packages from that host are allowed.  OR: Terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).
Proxy Firewalls  Proxies act on behalf of a client.  Proxy firewall  Reverse Proxy  Receives packages on one card.  Processes requests.  Translates them into internal requests on other card.  Receives answers from inside and translates to the outside.
Proxy Firewalls  Proxy firewall  Forward Proxy  Receives requests from the inside.  Processes requests.  Translates them into requests to the outside on other card.  Receives answers from outside and translates to the inside.  Acts on behalf of inside machine that is protected from the vagaries of the internet.
Proxy Firewalls  Application level proxies work at the level of application.  Circuit-level proxies  does not understand the application  makes filtering decisions by validating and monitoring sessions.
Application Inspection  Dynamic Firewalls allow selective inspection of applications:  http  ftp  dns  icmp  …
Application Inspection  DNS example (Cisco ASA DNS inspection)  Guarantees that the ID of the DNS machine matches the ID of the DNS query  Allows translation of DNS packets using NAT  Reassembles DNS packets to verify its length.
Application Inspection  SMTP (Cisco ASA protection)  Protects against SMTP-based attacks by restricting the types of SMTP commands.  Illegal command is modified and forwarded.  Typically, receiver replies with an SMTP error 500 (command not recognized)  Checks size, …
Network Address Translation  Originally designed to address the IPv4 address shortage:  Use internal IP addresses  192.168.x.x  172.16.x.x, 172.32.x.x  10.x.x.x  NAT box is dual hosted:  One connection to interior network  Other connection to exterior network  with “overloaded” or “public” address
Network Address Translation  Internal host initiates TCP connection to the outside.  NAT box takes TCP package, replaces source IP with its public IP, port with a port chosen for that connection  When reply return to NAT box, forwards package to internal host.  NAT uses stored connection data to determine the interior address
Network Address Translation  NAT increases security:  NAT hides host identities  NAT hides weak sequence number generating hosts by randomizing sequence numbers.  NAT disables inbound TCP connections  NAT breaks most UDP protocols  NAT allow load balancing and transparent failover
Network Address Translation  Full Cone NAT (one to one NAT)  all requests from same internal IP address and port are mapped to the same external IP address and port.  Allows external host to send package to the host by using the mapped external address.
Network Address Translation  Restricted Cone NAT  All requests from same internal IP address and port are mapped to the same external IP address and port.  External host can only send package to internal host if the connection has already been established
Network Address Translation  Port Restricted Cone NAT  Like restricted cone NAT,  but only for certain port numbers  Symmetric NAT  All request from the same internal IP address and port to a specific destination IP and port are mapped to a unique external source IP address and port.  If the same hosts sends to the same port, but another IP address, then a different mapping is used.  External host needs to receive a packet before sending a UDP packet back to the internal host.  In practice:  combinations between these behaviors.
Virtual Private Networks
Virtual Private Networks  VPN uses connections over an existing public network  Connection secured with encryption  Host to Host  Host to Gateway  Gateway to Gateway
Virtual Private Networks
Virtual Private Networks  Encryption can be done at  Application level.  Transport level.  Network level.  Data link level.
Virtual Private Networks VPN Technologies  Application Level  Pretty Good Privacy  Secure Shell (SSH)  Transport Level  Secure Socket Layer  Does not protect the package, but its content.  Typically runs at the application level of the OS, so OS does not need to be changed.  Network Level  IPSec  Encrypts package itself.  Encrypted package receives a new package header.  IPSec protects port address, but not destination address.  OS need to be changed (but only once: Win2000, WinXP)  Data Link  Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP)  Encrypts packets on the data layer.  L2TP (Layer 2 Tunneling)
COEN 351 E-Commerce Securit  E-Commerce Security Course Homepage  Lecture Notes
Virtual Private Networks  Alternatives are dedicated point-to-point connections such as a private T1 line.  Most secure.  Most expensive.  Takes time to set-up.

Recommended

T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeley
joebeone
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
Yash Kotak
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Security Session
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
Viren Rao
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
Firewall
FirewallFirewall
FirewallManikyala Rao
 

Recommended

T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeley
joebeone
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
Yash Kotak
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
Sukh Sandhu
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Security Session
 
Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
Viren Rao
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
Firewall
FirewallFirewall
FirewallManikyala Rao
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanningleminhvuong
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 
Firewall Essentials
Firewall EssentialsFirewall Essentials
Firewall Essentials
Sylvain Maret
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
Vinoth Sivasubramanan
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking) Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking)
Jubayer Al Mahmud
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
btpsec
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Eric Vanderburg
 
What is Ping
What is PingWhat is Ping
What is Ping
Disha Dudhal
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
Wireshark
WiresharkWireshark
Wiresharkbtohara
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
vanhoefm
 
IPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedIPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP Explained
Andriy Berestovskyy
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorialPiyush Mittal
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
Yoram Orzach
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
phanleson
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
phanleson
 

More Related Content

What's hot

Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanningleminhvuong
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 
Firewall Essentials
Firewall EssentialsFirewall Essentials
Firewall Essentials
Sylvain Maret
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
Vinoth Sivasubramanan
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking) Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking)
Jubayer Al Mahmud
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
btpsec
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Eric Vanderburg
 
What is Ping
What is PingWhat is Ping
What is Ping
Disha Dudhal
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
Wireshark
WiresharkWireshark
Wiresharkbtohara
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
vanhoefm
 
IPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedIPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP Explained
Andriy Berestovskyy
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
Yoram Orzach
 

What's hot (20)

Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Firewall Essentials
Firewall EssentialsFirewall Essentials
Firewall Essentials
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
Aircrack
AircrackAircrack
Aircrack
 
Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking) Operation of Ping - (Computer Networking)
Operation of Ping - (Computer Networking)
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric VanderburgEthical hacking Chapter 6 - Port Scanning - Eric Vanderburg
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
 
What is Ping
What is PingWhat is Ping
What is Ping
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
Wireshark
WiresharkWireshark
Wireshark
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
IPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP ExplainedIPsec Basics: AH and ESP Explained
IPsec Basics: AH and ESP Explained
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorial
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
 

Viewers also liked

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
phanleson
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
phanleson
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
defense_in_depth_version_12
defense_in_depth_version_12defense_in_depth_version_12
defense_in_depth_version_12Alen Schulze
 
Malware Defense-in-Depth 2.0
Malware Defense-in-Depth 2.0Malware Defense-in-Depth 2.0
Malware Defense-in-Depth 2.0Ayed Al Qartah
 
Fortifying Network Security with a Defense In Depth Strategy - IDC Romania preso
Fortifying Network Security with a Defense In Depth Strategy - IDC Romania presoFortifying Network Security with a Defense In Depth Strategy - IDC Romania preso
Fortifying Network Security with a Defense In Depth Strategy - IDC Romania presoNetwork Performance Channel GmbH
 
Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLphanleson
 
Lecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the WebLecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the Web
phanleson
 
Squid Caching for Web Content Accerlation
Squid Caching for Web Content AccerlationSquid Caching for Web Content Accerlation
Squid Caching for Web Content Accerlationrahul8590
 
Neogeography
NeogeographyNeogeography
Neogeography
rahul8590
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
BeyondTrust
 
Lecture 07 - Executive Information Systems and the Data Warehouse
Lecture 07 - Executive Information Systems and the Data WarehouseLecture 07 - Executive Information Systems and the Data Warehouse
Lecture 07 - Executive Information Systems and the Data Warehouse
phanleson
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurations
Student
 
HBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - OperationsHBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - Operations
phanleson
 
How a Proxy Server Works
How a Proxy Server WorksHow a Proxy Server Works
How a Proxy Server Works
Mer Joyce
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streaming
phanleson
 
Learning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your DataLearning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your Data
phanleson
 

Viewers also liked (20)

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
defense_in_depth_version_12
defense_in_depth_version_12defense_in_depth_version_12
defense_in_depth_version_12
 
Malware Defense-in-Depth 2.0
Malware Defense-in-Depth 2.0Malware Defense-in-Depth 2.0
Malware Defense-in-Depth 2.0
 
Fortifying Network Security with a Defense In Depth Strategy - IDC Romania preso
Fortifying Network Security with a Defense In Depth Strategy - IDC Romania presoFortifying Network Security with a Defense In Depth Strategy - IDC Romania preso
Fortifying Network Security with a Defense In Depth Strategy - IDC Romania preso
 
Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
 
Lecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the WebLecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the Web
 
Proxy
ProxyProxy
Proxy
 
Squid Caching for Web Content Accerlation
Squid Caching for Web Content AccerlationSquid Caching for Web Content Accerlation
Squid Caching for Web Content Accerlation
 
Neogeography
NeogeographyNeogeography
Neogeography
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
 
Lecture 07 - Executive Information Systems and the Data Warehouse
Lecture 07 - Executive Information Systems and the Data WarehouseLecture 07 - Executive Information Systems and the Data Warehouse
Lecture 07 - Executive Information Systems and the Data Warehouse
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurations
 
HBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - OperationsHBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - Operations
 
How a Proxy Server Works
How a Proxy Server WorksHow a Proxy Server Works
How a Proxy Server Works
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streaming
 
Learning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your DataLearning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your Data
 

Similar to Firewall - Network Defense in Depth Firewalls

firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
MohanLal141254
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
Raj Kumar
 
Firewalls
FirewallsFirewalls
Firewalls
hemantag
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
BachaSirata
 
Firewalls
FirewallsFirewalls
Firewalls
Akhil Sharma
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
sweta dargad
 
Fire wall security
Fire wall securityFire wall security
Fire wall security
Chandresh Suthar
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
DAVID RAUDALES
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet Bawa
Puneet Bawa
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
Coder Tech
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
sonuagain
 
Network security
Network security Network security
Network security
Vikas Jagtap
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix FirewallSouvik Santra
 
Lec # 13 Firewall.pptx
Lec # 13 Firewall.pptxLec # 13 Firewall.pptx
Lec # 13 Firewall.pptx
skknowledge
 

Similar to Firewall - Network Defense in Depth Firewalls (20)

firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
 
Firewalls
FirewallsFirewalls
Firewalls
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Firewalls
FirewallsFirewalls
Firewalls
 
100197
100197100197
100197
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Fire wall security
Fire wall securityFire wall security
Fire wall security
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
 
Firewall
FirewallFirewall
Firewall
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet Bawa
 
Firewall
FirewallFirewall
Firewall
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
3.Network
3.Network3.Network
3.Network
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
Network security
Network security Network security
Network security
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix Firewall
 
Lec # 13 Firewall.pptx
Lec # 13 Firewall.pptxLec # 13 Firewall.pptx
Lec # 13 Firewall.pptx
 

More from phanleson

E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
HBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table designHBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table design
phanleson
 
Hbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBaseHbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
Learning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlibLearning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
Learning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQLLearning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQL
phanleson
 
Learning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a ClusterLearning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a Cluster
phanleson
 
Learning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark ProgrammingLearning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark Programming
phanleson
 
Learning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value PairsLearning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about LibertagiaHướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
Lecture 2 - Using XML for Many Purposes
Lecture 2 - Using XML for Many PurposesLecture 2 - Using XML for Many Purposes
Lecture 2 - Using XML for Many Purposes
phanleson
 
SOA Course - SOA governance - Lecture 19
SOA Course - SOA governance - Lecture 19SOA Course - SOA governance - Lecture 19
SOA Course - SOA governance - Lecture 19
phanleson
 
Lecture 18 - Model-Driven Service Development
Lecture 18 - Model-Driven Service DevelopmentLecture 18 - Model-Driven Service Development
Lecture 18 - Model-Driven Service Development
phanleson
 
Lecture 15 - Technical Details
Lecture 15 - Technical DetailsLecture 15 - Technical Details
Lecture 15 - Technical Details
phanleson
 
Lecture 10 - Message Exchange Patterns
Lecture 10 - Message Exchange PatternsLecture 10 - Message Exchange Patterns
Lecture 10 - Message Exchange Patterns
phanleson
 
Lecture 9 - SOA in Context
Lecture 9 - SOA in ContextLecture 9 - SOA in Context
Lecture 9 - SOA in Context
phanleson
 
Lecture 07 - Business Process Management
Lecture 07 - Business Process ManagementLecture 07 - Business Process Management
Lecture 07 - Business Process Management
phanleson
 
Lecture 04 - Loose Coupling
Lecture 04 - Loose CouplingLecture 04 - Loose Coupling
Lecture 04 - Loose Coupling
phanleson
 
Lecture 2 - SOA
Lecture 2 - SOALecture 2 - SOA
Lecture 2 - SOA
phanleson
 
Lecture 3 - Services
Lecture 3 - ServicesLecture 3 - Services
Lecture 3 - Services
phanleson
 

More from phanleson (20)

E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacks
 
HBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table designHBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table design
 
Hbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBaseHbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBase
 
Learning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlibLearning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlib
 
Learning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQLLearning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQL
 
Learning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a ClusterLearning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a Cluster
 
Learning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark ProgrammingLearning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark Programming
 
Learning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value PairsLearning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value Pairs
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about LibertagiaHướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
 
Lecture 2 - Using XML for Many Purposes
Lecture 2 - Using XML for Many PurposesLecture 2 - Using XML for Many Purposes
Lecture 2 - Using XML for Many Purposes
 
SOA Course - SOA governance - Lecture 19
SOA Course - SOA governance - Lecture 19SOA Course - SOA governance - Lecture 19
SOA Course - SOA governance - Lecture 19
 
Lecture 18 - Model-Driven Service Development
Lecture 18 - Model-Driven Service DevelopmentLecture 18 - Model-Driven Service Development
Lecture 18 - Model-Driven Service Development
 
Lecture 15 - Technical Details
Lecture 15 - Technical DetailsLecture 15 - Technical Details
Lecture 15 - Technical Details
 
Lecture 10 - Message Exchange Patterns
Lecture 10 - Message Exchange PatternsLecture 10 - Message Exchange Patterns
Lecture 10 - Message Exchange Patterns
 
Lecture 9 - SOA in Context
Lecture 9 - SOA in ContextLecture 9 - SOA in Context
Lecture 9 - SOA in Context
 
Lecture 07 - Business Process Management
Lecture 07 - Business Process ManagementLecture 07 - Business Process Management
Lecture 07 - Business Process Management
 
Lecture 04 - Loose Coupling
Lecture 04 - Loose CouplingLecture 04 - Loose Coupling
Lecture 04 - Loose Coupling
 
Lecture 2 - SOA
Lecture 2 - SOALecture 2 - SOA
Lecture 2 - SOA
 
Lecture 3 - Services
Lecture 3 - ServicesLecture 3 - Services
Lecture 3 - Services
 

Recently uploaded

Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
goswamiyash170123
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
Multithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race conditionMultithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race condition
Mohammed Sikander
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
kimdan468
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
chanes7
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
Wasim Ak
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Dr. Vinod Kumar Kanvaria
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
Krisztián Száraz
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 

Recently uploaded (20)

Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdfMASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
MASS MEDIA STUDIES-835-CLASS XI Resource Material.pdf
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Multithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race conditionMultithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race condition
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
 
Advantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO PerspectiveAdvantages and Disadvantages of CMS from an SEO Perspective
Advantages and Disadvantages of CMS from an SEO Perspective
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 

Firewall - Network Defense in Depth Firewalls

  • 1. COEN 350 Network Defense in Depth Firewalls
  • 2. Terms of the Trade  Border Router  First / last router under control of system administration.  DMZ  Demilitarized zone.  Security is low, since not protected by firewall. Locate webservers and other services there that generate potentially unsafe traffic.  Firewall  Filters packages based on a variety of rules.
  • 3. Terms of the Trade  IDS  Intrusion Detection System.  NIDS: glean intrusion signatures from traffic.  HIDS: monitor activity at a host on which they are located.  VPN  Virtual private network  Screened subnet  Area protected by an internal firewall.
  • 4. COEN 351 E-Commerce Securit  E-Commerce Security Course Homepage  Lecture Notes
  • 5. Terms of the Trade  Configuration Management  Known vulnerabilities account for most of actually perpetrated exploits.  For most of them, patches were available, but not installed.  CM tries to enforce uniform security policies.  Backdoors  An entrance into the system that avoids perimeter defenses.
  • 6. Defense in Depth  Rule 1: Multitude of security measures.  Do not relay on one security mechanism.  Rule 2: Do not make security so expensive / burdensome that you give legitimate users an incentive to circumvent security.
  • 7. Defense in Depth  Example: External tcp packet passes:  Internet Perimeter Router  Internet perimeter firewall  DMZ firewall  Network IPS  NetFlow  Analyzes connections on network  Antivirus on host  Host IPS
  • 8. Firewalls  Firewalls are perimeter defense:  Keep the bad stuff outside, enjoy life inside.
  • 9. Filtering  Signature  Any distinctive characteristic that identifies something (with a high degree of probability)  Signature Types  Atomic Signatures  Single packet, single event, single activity is examined.  Stateful Signatures  State: Needed when analyzing multiple pieces of information that are not available at the same time.
  • 10. Filtering  Atomic vs. Stateful Signatures  LAND attack  Attacker sends TCP-SYN packet with same source and destination address.  Caused TCP stacks to crash.  Can be discovered looking at a single packet.  Search for string “etc/password” in a URL  Attacker fragments the packet so that the string is not in either fragment.  State is needed in order to recognize the attack.
  • 11. Filtering  Signature Triggers  Pattern Detection  Simple string search  Search for string “etc/passwords” ARP  Protocol decoders search for string only in protocol fields.  ARP request with source address FF:FF:FF:FF:FF:FF  Anomaly Detection  Traffic going to an unusual port.  Protocol compliance for http traffic  Behavior Detection  Abnormally large / small fragmented packets  Search for RPC requests that do not initially utilize the PortMapper
  • 12. Filtering  Signature Actions  Generating an alert  Dropping / preventing an activity  Logging the activity  Resetting a TCP connection  Blocking future activity  Allow activity
  • 13. Packet Filtering  Static Packet Filtering  Allow or deny access to packets based on internal characteristics. access list 111 deny ip host 205.205.205.205.1 any access list 111 permit tcp host 205.205.205.205.1 any access list 111 deny icmp any any echo-request access list 111 permit icmp any any packet-to-big access list 111 deny icmp any any Cisco extended ACL
  • 14. Static Packet Filtering Difficult to design efficient rules.  Easy to get the rules tables wrong and allow bad traffic.  Security risks  People can piggy-back bad messages in harmless ones.  http traffic is known to be used as a backdoor.  Loki uses unused fields in normal TCP packets.  Fragmentation allows the filter to look only at a fragment  Most only look at the first fragment
  • 15. Static Packet Filtering  Configuring a packet filter:  Security Policy: what is allowed, what is not allowed.  Allowable types of packets must be specified logically, in terms of logical expression on packet fields.  Expressions need to be rewritten in the firewall vendor’s language.
  • 16. Static Packet Filtering  Example  Security Policy:  Allow inbound mail messages (SMTP, port 25), but only to gateway.  Block host faucet. action Our host port Their host port comment block * * faucet * We don’t trust these people. allow OUR- GW 25 * * Connection to our SMTP server
  • 17. Static Packet Filtering  Example  If no rule applies, then the packet is dropped.  Without additional rules, our rule set would drop all non-mail packets. There would also be no replies.  Beware of a rule like this (intended to allow acks)  Based solely on outside host’s port number.  Port 25 is usually the mail port.  But there is no guarantee. action Our host port Their host port comment allow * * * 25 Connection to their SMTP port
  • 18. Static Packet Filtering  Example  Expand rule set to allow connection with the outside: action Our host port Their host port Flag comment block * * faucet * allow OUR-GW 25 * * allow (our host) * * 25 Our packets to their port allow * 25 * * ACK Their replies Specify the names of all machines allowed to send mail to the outside here.
  • 19. Static Packet Filtering  Combating Address Spoofing  At a minimum:  Don’t allow inside source addresses coming in.  Don’t allow outside source addresses going out.  Block source routing at the border routers.
  • 20. Static Packet Filtering  Routing Information  If a node is unreachable from the outside then the node is almost (but not quite) as safe as a node disconnected from the net.  Internal routers should not advertise paths to such nodes to the outside.  Filter routes learned from the outside:  Protects against subversion by route confusion.  Route squatting:  Use internal addresses that belong to a different domain.  The nodes are de facto unreachable from the outside.  Use non-announced addresses. (e.g. 10.x.x.x)  But beware, when companies merge, these addresses tend to be incompatible.  So pick addresses in unpopular address ranges.
  • 21. Static Packet Filtering  Performance  Packet filtering is done at the border.  No degradation for the internal network.  Typically, connection to ISP is the bottleneck.  However:  Degradation depends on the number of rules applied.  Can be mitigated by careful ordering of rules.
  • 22. Application Level Filtering  Packet filters only look at  The source address  The destination address  TCP / UDP port numbers  TCP / UDP flags.  Application filters deals with the details of the service they are checking.  E.g. a mail application filter looks at  RFC 822 headers.  MIME attachments.  Might identify virus infected attachments.
  • 23. Application Level Filtering  Snort:  Allows to set up rules that pass a packet on to another service.  Commercial firewalls  Include application level filters for many products.  Use non-disclosure agreement to obtain proprietary protocols
  • 24. Dynamic Packet Filtering  Stateful Firewall  Still look at each packet.  Maintains a state of each connection.  Implements connection filtering.  Dynamically adjust a filtering table of current connections.  Implementation  Adjust the filtering rules dynamically.  E.g.: We started an HTTP connection to a given host.  Now HTTP packages from that host are allowed.  OR: Terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).
  • 25. Proxy Firewalls  Proxies act on behalf of a client.  Proxy firewall  Reverse Proxy  Receives packages on one card.  Processes requests.  Translates them into internal requests on other card.  Receives answers from inside and translates to the outside.
  • 26. Proxy Firewalls  Proxy firewall  Forward Proxy  Receives requests from the inside.  Processes requests.  Translates them into requests to the outside on other card.  Receives answers from outside and translates to the inside.  Acts on behalf of inside machine that is protected from the vagaries of the internet.
  • 27. Proxy Firewalls  Application level proxies work at the level of application.  Circuit-level proxies  does not understand the application  makes filtering decisions by validating and monitoring sessions.
  • 28. Application Inspection  Dynamic Firewalls allow selective inspection of applications:  http  ftp  dns  icmp  …
  • 29. Application Inspection  DNS example (Cisco ASA DNS inspection)  Guarantees that the ID of the DNS machine matches the ID of the DNS query  Allows translation of DNS packets using NAT  Reassembles DNS packets to verify its length.
  • 30. Application Inspection  SMTP (Cisco ASA protection)  Protects against SMTP-based attacks by restricting the types of SMTP commands.  Illegal command is modified and forwarded.  Typically, receiver replies with an SMTP error 500 (command not recognized)  Checks size, …
  • 31. Network Address Translation  Originally designed to address the IPv4 address shortage:  Use internal IP addresses  192.168.x.x  172.16.x.x, 172.32.x.x  10.x.x.x  NAT box is dual hosted:  One connection to interior network  Other connection to exterior network  with “overloaded” or “public” address
  • 32. Network Address Translation  Internal host initiates TCP connection to the outside.  NAT box takes TCP package, replaces source IP with its public IP, port with a port chosen for that connection  When reply return to NAT box, forwards package to internal host.  NAT uses stored connection data to determine the interior address
  • 33. Network Address Translation  NAT increases security:  NAT hides host identities  NAT hides weak sequence number generating hosts by randomizing sequence numbers.  NAT disables inbound TCP connections  NAT breaks most UDP protocols  NAT allow load balancing and transparent failover
  • 34. Network Address Translation  Full Cone NAT (one to one NAT)  all requests from same internal IP address and port are mapped to the same external IP address and port.  Allows external host to send package to the host by using the mapped external address.
  • 35. Network Address Translation  Restricted Cone NAT  All requests from same internal IP address and port are mapped to the same external IP address and port.  External host can only send package to internal host if the connection has already been established
  • 36. Network Address Translation  Port Restricted Cone NAT  Like restricted cone NAT,  but only for certain port numbers  Symmetric NAT  All request from the same internal IP address and port to a specific destination IP and port are mapped to a unique external source IP address and port.  If the same hosts sends to the same port, but another IP address, then a different mapping is used.  External host needs to receive a packet before sending a UDP packet back to the internal host.  In practice:  combinations between these behaviors.
  • 38. Virtual Private Networks  VPN uses connections over an existing public network  Connection secured with encryption  Host to Host  Host to Gateway  Gateway to Gateway
  • 40. Virtual Private Networks  Encryption can be done at  Application level.  Transport level.  Network level.  Data link level.
  • 41. Virtual Private Networks VPN Technologies  Application Level  Pretty Good Privacy  Secure Shell (SSH)  Transport Level  Secure Socket Layer  Does not protect the package, but its content.  Typically runs at the application level of the OS, so OS does not need to be changed.  Network Level  IPSec  Encrypts package itself.  Encrypted package receives a new package header.  IPSec protects port address, but not destination address.  OS need to be changed (but only once: Win2000, WinXP)  Data Link  Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP)  Encrypts packets on the data layer.  L2TP (Layer 2 Tunneling)
  • 42. COEN 351 E-Commerce Securit  E-Commerce Security Course Homepage  Lecture Notes
  • 43. Virtual Private Networks  Alternatives are dedicated point-to-point connections such as a private T1 line.  Most secure.  Most expensive.  Takes time to set-up.

Editor's Notes

  1. Course Homepage : http://ouo.io/SI9jJ Lecture Notes : http://ouo.io/0oFRv
  2. Course Homepage : http://ouo.io/SI9jJ Lecture Notes : http://ouo.io/0oFRv