Uploaded byssuser6c0026
PPT, PDF9 views

firewalls (1) for students in cyber sec.ppt

firewalls (1) for students in cyber sec.ppt

Embed presentation

Download to read offline
Firewalls Firewalls
What is a Firewall? What is a Firewall?  A A choke point choke point of control and monitoring of control and monitoring  Interconnects networks with differing trust Interconnects networks with differing trust  Imposes restrictions on network services Imposes restrictions on network services  only authorized traffic is allowed only authorized traffic is allowed  Auditing and controlling access Auditing and controlling access  can implement alarms for abnormal behavior can implement alarms for abnormal behavior  Itself immune to penetration Itself immune to penetration  Provides Provides perimeter defence perimeter defence
Classification of Firewall Classification of Firewall Characterized by protocol level it controls in Characterized by protocol level it controls in  Packet filtering Packet filtering  Circuit gateways Circuit gateways  Application gateways Application gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
Firewalls – Packet Filters Firewalls – Packet Filters
Firewalls – Packet Filters Firewalls – Packet Filters  Simplest of components Simplest of components  Uses transport-layer information only Uses transport-layer information only  IP Source Address, Destination Address IP Source Address, Destination Address  Protocol/Next Header (TCP, UDP, ICMP, etc) Protocol/Next Header (TCP, UDP, ICMP, etc)  TCP or UDP source & destination ports TCP or UDP source & destination ports  TCP Flags (SYN, ACK, FIN, RST, PSH, etc) TCP Flags (SYN, ACK, FIN, RST, PSH, etc)  ICMP message type ICMP message type  Examples Examples  DNS uses port 53 DNS uses port 53  No incoming port 53 packets except known trusted servers No incoming port 53 packets except known trusted servers
Usage of Packet Filters Usage of Packet Filters  Filtering with incoming or outgoing interfaces Filtering with incoming or outgoing interfaces  E.g., Ingress filtering of spoofed IP addresses E.g., Ingress filtering of spoofed IP addresses  Egress filtering Egress filtering  Permits or denies certain services Permits or denies certain services  Requires intimate knowledge of TCP and UDP port Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems utilization on a number of operating systems
How to Configure a Packet Filter How to Configure a Packet Filter  Start with a security policy Start with a security policy  Specify allowable packets in terms of logical Specify allowable packets in terms of logical expressions on packet fields expressions on packet fields  Rewrite expressions in syntax supported by your Rewrite expressions in syntax supported by your vendor vendor  General rules - least privilege General rules - least privilege  All that is not expressly permitted is prohibited All that is not expressly permitted is prohibited  If you do not need it, eliminate it If you do not need it, eliminate it
Every ruleset is followed by an implicit rule Every ruleset is followed by an implicit rule reading like this. reading like this. Example 1: Example 1: Suppose we want to allow inbound mail Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some machine. Also suppose that mail from some particular site SPIGOT is to be blocked. particular site SPIGOT is to be blocked.
Solution 1: Solution 1: Example 2: Example 2: Now suppose that we want to implement the Now suppose that we want to implement the policy “any inside host can send mail to the policy “any inside host can send mail to the outside”. outside”.
Solution 2: Solution 2: This solution allows calls to come from any port This solution allows calls to come from any port on an inside machine, and will direect them to on an inside machine, and will direect them to port 25 on the outside. Simple enough… port 25 on the outside. Simple enough… So why is it wrong? So why is it wrong?
 Our defined restriction is based solely on the Our defined restriction is based solely on the outside host’s port number, which we have no outside host’s port number, which we have no way of controlling. way of controlling.  Now an enemy can access any internal machines Now an enemy can access any internal machines and port by originating his call from port 25 on and port by originating his call from port 25 on the outside machine. the outside machine. What can be a better solution ? What can be a better solution ?
 The ACK signifies that the packet is part of an The ACK signifies that the packet is part of an ongoing conversation ongoing conversation  Packets without the ACK are connection Packets without the ACK are connection establishment messages, which we are only establishment messages, which we are only permitting from internal hosts permitting from internal hosts
Security & Performance of Packet Filters Security & Performance of Packet Filters  IP address spoofing IP address spoofing  Fake source address to be trusted Fake source address to be trusted  Add filters on router to block Add filters on router to block  Tiny fragment attacks Tiny fragment attacks  Split TCP header info over several tiny packets Split TCP header info over several tiny packets  Either discard or reassemble before check Either discard or reassemble before check  Degradation depends on number of rules applied at Degradation depends on number of rules applied at any point any point  Order rules so that most common traffic is dealt with Order rules so that most common traffic is dealt with first first  Correctness is more important than speed Correctness is more important than speed
Port Numbering Port Numbering  TCP connection TCP connection  Server port is number less than 1024 Server port is number less than 1024  Client port is number between 1024 and 16383 Client port is number between 1024 and 16383  Permanent assignment Permanent assignment  Ports <1024 assigned permanently Ports <1024 assigned permanently  20,21 for FTP 23 for Telnet 20,21 for FTP 23 for Telnet  25 for server SMTP 80 for HTTP 25 for server SMTP 80 for HTTP  Variable use Variable use  Ports >1024 must be available for client to make any Ports >1024 must be available for client to make any connection connection  This presents a limitation for stateless packet filtering This presents a limitation for stateless packet filtering  If If client wants to use port 2048, firewall must allow client wants to use port 2048, firewall must allow incoming incoming traffic traffic on this port on this port  Better: stateful filtering knows outgoing requests Better: stateful filtering knows outgoing requests
Firewalls – Stateful Packet Filters Firewalls – Stateful Packet Filters  Traditional packet filters do not examine higher Traditional packet filters do not examine higher layer context layer context  ie matching return packets with outgoing flow ie matching return packets with outgoing flow  Stateful packet filters address this need Stateful packet filters address this need  They examine each IP packet in context They examine each IP packet in context  Keep track of client-server sessions Keep track of client-server sessions  Check each packet validly belongs to one Check each packet validly belongs to one  Hence are better able to detect bogus packets Hence are better able to detect bogus packets out of context out of context
Stateful Filtering Stateful Filtering
Firewall Outlines Firewall Outlines  Packet filtering Packet filtering  Application gateways Application gateways  Circuit gateways Circuit gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
Firewall Gateways Firewall Gateways  Firewall runs set of proxy programs Firewall runs set of proxy programs  Proxies filter incoming, outgoing packets Proxies filter incoming, outgoing packets  All incoming traffic directed to firewall All incoming traffic directed to firewall  All outgoing traffic appears to come from firewall All outgoing traffic appears to come from firewall  Policy embedded in proxy programs Policy embedded in proxy programs  Two kinds of proxies Two kinds of proxies  Application-level gateways/proxies Application-level gateways/proxies  Tailored to http, ftp, smtp, etc. Tailored to http, ftp, smtp, etc.  Circuit-level gateways/proxies Circuit-level gateways/proxies  Working on TCP level Working on TCP level
Firewalls - Firewalls - Application Level Application Level Gateway (or Proxy) Gateway (or Proxy)
Application-Level Filtering Application-Level Filtering  Has full access to protocol Has full access to protocol  user requests service from proxy user requests service from proxy  proxy validates request as legal proxy validates request as legal  then actions request and returns result to user then actions request and returns result to user  Need separate proxies for each service Need separate proxies for each service  E.g., SMTP (E-Mail) E.g., SMTP (E-Mail)  NNTP (Net news) NNTP (Net news)  DNS (Domain Name System) DNS (Domain Name System)  NTP (Network Time Protocol) NTP (Network Time Protocol)  custom services generally not supported custom services generally not supported
App-level Firewall Architecture App-level Firewall Architecture Daemon spawns proxy when communication detected … Daemon spawns proxy when communication detected … Network Connection Telnet daemon SMTP daemon FTP daemon Telnet proxy FTP proxy SMTP proxy
Enforce policy for specific protocols Enforce policy for specific protocols  E.g., Virus scanning for SMTP E.g., Virus scanning for SMTP  Need to understand MIME, encoding, Zip archives Need to understand MIME, encoding, Zip archives
Firewall Outlines Firewall Outlines  Packet filtering Packet filtering  Application gateways Application gateways  Circuit gateways Circuit gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
Firewalls - Firewalls - Circuit Level Gateway Circuit Level Gateway
Firewalls - Firewalls - Circuit Level Gateway Circuit Level Gateway  Relays two TCP connections Relays two TCP connections  Imposes security by limiting which such Imposes security by limiting which such connections are allowed connections are allowed  Once created usually relays traffic without Once created usually relays traffic without examining contents examining contents  Typically used when trust internal users by Typically used when trust internal users by allowing general outbound connections allowing general outbound connections  SOCKS commonly used for this SOCKS commonly used for this
Figure 9.7: A typical SOCKS connection through interface A, and rogue connection through the external interface, B.
Bastion Host Bastion Host  Highly secure host system Highly secure host system  Potentially exposed to "hostile" elements Potentially exposed to "hostile" elements  Hence is secured to withstand this Hence is secured to withstand this  Disable all non-required services; keep it simple Disable all non-required services; keep it simple  Trusted to enforce trusted separation between Trusted to enforce trusted separation between network connections network connections  Runs circuit / application level gateways Runs circuit / application level gateways  Install/modify services you want Install/modify services you want  Or provides externally accessible services Or provides externally accessible services
Screened Host Architecture Screened Host Architecture
Screened Subnet Using Two Routers Screened Subnet Using Two Routers
Firewall Outlines Firewall Outlines  Packet filtering Packet filtering  Application gateways Application gateways  Circuit gateways Circuit gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
Dynamic Packet Filters Dynamic Packet Filters  Most common Most common  Provide good administrators protection and full Provide good administrators protection and full transparency transparency  Network given full control over traffic Network given full control over traffic  Captures semantics of a connection Captures semantics of a connection
1.2.3.4 Intended connection from 1.2.3.4 to 5.6.7.8 5.6.7.8 1.2.3.4 5.6.7.8 Firewall Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The Firewall impersonates each endpoint to the other.
1.2.3.4 5.6.7.8 10.11.12.13 5.6.7.8 Application Proxy Firewall Intended connection from 1.2.3.4 to 5.6.7.8 A dynamic packet filter with an application proxy. Note the change in source address
Firewalls Aren’t Perfect? Firewalls Aren’t Perfect?  Useless against attacks from the inside Useless against attacks from the inside  Evildoer exists on inside Evildoer exists on inside  Malicious code is executed on an internal machine Malicious code is executed on an internal machine  Organizations with greater insider threat Organizations with greater insider threat  Banks and Military Banks and Military  Protection must exist at each layer Protection must exist at each layer  Assess risks of threats at every layer Assess risks of threats at every layer  Cannot protect against transfer of all virus Cannot protect against transfer of all virus infected programs or files infected programs or files  because of huge range of O/S & file types because of huge range of O/S & file types
Backup Slides Backup Slides
Figure 9.2: A firewall router with multiple internal networks. Filter Rule: Open access to Net 2 means source address from Net 3 • Why not spoof address from Net 3? Network Topology Network Topology
Address-Spoofing Address-Spoofing  Detection is virtually impossible unless source- Detection is virtually impossible unless source- address filtering and logging are done address filtering and logging are done  One should not trust hosts outside of one’s One should not trust hosts outside of one’s administrative control administrative control
External Interface Ruleset External Interface Ruleset Allow outgoing calls, permit incoming calls only Allow outgoing calls, permit incoming calls only for mail and only to gateway GW for mail and only to gateway GW Note: Specify GW as destination host instead of Net 1 to prevent open access to Net 1
Net 1 Router Interface Ruleset Net 1 Router Interface Ruleset  Gateway machine speaks directly only to other Gateway machine speaks directly only to other machines running trusted mail server software machines running trusted mail server software  Relay machines used to call out to GW to pick Relay machines used to call out to GW to pick up waiting mail up waiting mail Note: Spoofing is avoided with the specification of GW
How Many Routers Do We Need? How Many Routers Do We Need?  If routers only support outgoing filtering, we need two: If routers only support outgoing filtering, we need two:  One to use ruleset that protects against compromised One to use ruleset that protects against compromised gateways gateways  One to use ruleset that guards against address forgery and One to use ruleset that guards against address forgery and restricts access to gateway machine restricts access to gateway machine  An input filter on one port is exactly equivalent to an An input filter on one port is exactly equivalent to an output filter on the other port output filter on the other port  If you trust the network provider, you can go without If you trust the network provider, you can go without input filters input filters  Filtering can be done on the output side of the router Filtering can be done on the output side of the router
Routing Filters Routing Filters  All nodes are somehow reachable from the All nodes are somehow reachable from the Internet Internet  Routers need to be able to control what routes Routers need to be able to control what routes they advertise over various interfaces they advertise over various interfaces  Clients who employ IP source routing make it Clients who employ IP source routing make it possible to reach ‘unreachable’ hosts possible to reach ‘unreachable’ hosts  Enables address-spoofing Enables address-spoofing  Block source routing at borders, not at backbone Block source routing at borders, not at backbone
Routing Filters (cont) Routing Filters (cont)  Packet filters obviate the need for route filters Packet filters obviate the need for route filters  Route filtering becomes difficult or impossible Route filtering becomes difficult or impossible in the presence of complex technologies in the presence of complex technologies  Route squatting – using unofficial IP addresses Route squatting – using unofficial IP addresses inside firewalls that belong to someone else inside firewalls that belong to someone else  Difficult to choose non-addressed address space Difficult to choose non-addressed address space
Dual Homed Host Architecture Dual Homed Host Architecture
Asymmetric Routes Asymmetric Routes  Both sides of the firewall know nothing of one Both sides of the firewall know nothing of one another’s topology another’s topology  Solutions: Solutions:  Maintain full knowledge of the topology Maintain full knowledge of the topology  Not feasible, too much state to keep Not feasible, too much state to keep  Multiple firewalls share state information Multiple firewalls share state information  Volume of messages may be prohibitive, code complexity Volume of messages may be prohibitive, code complexity
Are Dynamic Packet Filters Safe? Are Dynamic Packet Filters Safe?  Comparable to that of circuit gateways, as long Comparable to that of circuit gateways, as long as the implementation strategy is simple as the implementation strategy is simple  If administrative interfaces use physical network If administrative interfaces use physical network ports as the highest-level construct ports as the highest-level construct  Legal connections are generally defined in terms of Legal connections are generally defined in terms of the physical topology the physical topology  Not if evildoers exist on the inside Not if evildoers exist on the inside  Circuit or application gateways demand user Circuit or application gateways demand user authentication for outbound traffic and are therefore authentication for outbound traffic and are therefore more resistant to this threat more resistant to this threat
Distributed Firewalls Distributed Firewalls  A central management node sets the security policy A central management node sets the security policy enforced by individual hosts enforced by individual hosts  Combination of high-level policy specification with file Combination of high-level policy specification with file distribution mechanism distribution mechanism  Advantages: Advantages:  Lack of central point of failure Lack of central point of failure  Ability to protect machines outside topologically isolated Ability to protect machines outside topologically isolated space space  Great for laptops Great for laptops  Disadvantage: Disadvantage:  Harder to allow in certain services, whereas it’s easy to block Harder to allow in certain services, whereas it’s easy to block
Distributed Firewalls Drawback Distributed Firewalls Drawback  Allowing in certain services works if and only if Allowing in certain services works if and only if you’re sure the address can’t be spoofed you’re sure the address can’t be spoofed  Requires anti-spoofing protection Requires anti-spoofing protection  Must maintain ability to roam safely Must maintain ability to roam safely  Solution: IPsec Solution: IPsec  A machine is trusted if and only if it can perform A machine is trusted if and only if it can perform proper cryptographic authentication proper cryptographic authentication
Where to Filter? Where to Filter?  Balance between risk and costs Balance between risk and costs  Always a higher layer that is hard to filter Always a higher layer that is hard to filter  Humans Humans
Dynamic Packet Filter Implementation Dynamic Packet Filter Implementation  Dynamically update packet filter’s ruleset Dynamically update packet filter’s ruleset  Changes may not be benign due to ordering Changes may not be benign due to ordering  Redialing method offers greater assurance of Redialing method offers greater assurance of security security  No special-case code necessary No special-case code necessary  FTP handled with user-level daemon FTP handled with user-level daemon  UDP handled just as TCP except for tear down UDP handled just as TCP except for tear down  ICMP handled with pseudoconnections and ICMP handled with pseudoconnections and synthesized packets synthesized packets
Per-Interface Tables Consulted by Per-Interface Tables Consulted by Dynamic Packet Filter Dynamic Packet Filter  Active Connection Table Active Connection Table  Socket structure decides whether data is copied to Socket structure decides whether data is copied to outside socket or sent to application proxy outside socket or sent to application proxy  Ordinary Filter Table Ordinary Filter Table  Specifies which packets may pass in stateless manner Specifies which packets may pass in stateless manner  Dynamic Table Dynamic Table  Forces creation of local socket structures Forces creation of local socket structures

More Related Content

PPT
Firewalls
byAkhil Sharma
 
PPT
firewalls.ppt
byMohanLal141254
 
PPT
overview of firewall and classification .ppt
byshruti193541
 
PPT
firewalls.ppt
byRaj Kumar
 
PPTX
Fire wall security
byChandresh Suthar
 
PPT
Marrion Kujinga ; Firewalls
byMarrion Kujinga
 
PPT
Firewalls (6)
byBhargu Bhargavi
 
PPT
Introduction to Firewalls and functions.ppt
bydalton6070
 
Firewalls
byAkhil Sharma
 
firewalls.ppt
byMohanLal141254
 
overview of firewall and classification .ppt
byshruti193541
 
firewalls.ppt
byRaj Kumar
 
Fire wall security
byChandresh Suthar
 
Marrion Kujinga ; Firewalls
byMarrion Kujinga
 
Firewalls (6)
byBhargu Bhargavi
 
Introduction to Firewalls and functions.ppt
bydalton6070
 

Similar to firewalls (1) for students in cyber sec.ppt

PPT
Firewall - Network Defense in Depth Firewalls
byphanleson
 
PPT
firewall.ppt
byssuser530a07
 
PPT
Firewalls
byUniversity of Central Punjab
 
PPTX
Firewall
byMudasser Afzal
 
PPT
Network security
byVikas Jagtap
 
PPTX
Firewall
bySaurabh Chauhan
 
PPT
Tech 101: Understanding Firewalls
byLikan Patra
 
PPT
Firewall Essentials
bySylvain Maret
 
PPT
Lecture in network security and mobile computing
byAbdullahOmar704132
 
PPT
Firewalls (1056778990099000000000000).ppt
byTamilArasan564275
 
PPTX
Firewall
byShivank Shah
 
PPTX
FIREWALL
byswati463221
 
PPTX
Lecture-13-Firewall_information_Security.pptx
byhomecooking511
 
PPT
Unit II Chapter 6 firewalls.ppt
byAkshitRana31
 
PPTX
CSS (KNC-301) 4. Packet Filtering Firewall By Vivek Tripathi.pptx
byVivekTripathi684438
 
PPTX
Cyber Security - Firewall and Packet Filters
byRadhika Talaviya
 
PPTX
Firewalls by Puneet Bawa
byPuneet Bawa
 
PPT
Firewalls
byhemantag
 
PPT
Firewalls
byIsrael Marcus
 
PPTX
Cyber security tutorial2
bysweta dargad
 
Firewall - Network Defense in Depth Firewalls
byphanleson
 
firewall.ppt
byssuser530a07
 
Firewalls
byUniversity of Central Punjab
 
Firewall
byMudasser Afzal
 
Network security
byVikas Jagtap
 
Firewall
bySaurabh Chauhan
 
Tech 101: Understanding Firewalls
byLikan Patra
 
Firewall Essentials
bySylvain Maret
 
Lecture in network security and mobile computing
byAbdullahOmar704132
 
Firewalls (1056778990099000000000000).ppt
byTamilArasan564275
 
Firewall
byShivank Shah
 
FIREWALL
byswati463221
 
Lecture-13-Firewall_information_Security.pptx
byhomecooking511
 
Unit II Chapter 6 firewalls.ppt
byAkshitRana31
 
CSS (KNC-301) 4. Packet Filtering Firewall By Vivek Tripathi.pptx
byVivekTripathi684438
 
Cyber Security - Firewall and Packet Filters
byRadhika Talaviya
 
Firewalls by Puneet Bawa
byPuneet Bawa
 
Firewalls
byhemantag
 
Firewalls
byIsrael Marcus
 
Cyber security tutorial2
bysweta dargad
 

More from ssuser6c0026

PPT
firewalls (1) for cyber security students.ppt
byssuser6c0026
 
PDF
ITN_Module_14 for car care students aes.pdf
byssuser6c0026
 
PPT
welcometocomputernetworks-100907004628-phpapp02.ppt
byssuser6c0026
 
PPTX
Endpoint_Security-for cybersecurity .pptx
byssuser6c0026
 
PPT
Wireless & Mobile Networks Mobility Management Principles
byssuser6c0026
 
PPT
Lec1-Applications & Domains of embedded systems.ppt
byssuser6c0026
 
PPT
lecture1-adnaced network for bigginerrs students
byssuser6c0026
 
PPTX
intro-embedded-systems design for engineering.pptx
byssuser6c0026
 
PPT
CHAPTER 06 - RSA cryptosystem,encryption.ppt
byssuser6c0026
 
PPTX
Lec1combo-embedded system design for enginerring.pptx
byssuser6c0026
 
PPT
lec-04-Private-key encryption, message authentication.ppt
byssuser6c0026
 
PPT
Wireless & Mobile Networks Mobility Management Principles.ppt
byssuser6c0026
 
PPT
lecture2-Cryptography Its Uses and Limitations.ppt
byssuser6c0026
 
PPTX
Lec1b-Applications & Domains of embedded systems.pptx
byssuser6c0026
 
PPT
Lecture 03-Traditional Ciphers for rsa.ppt
byssuser6c0026
 
PPT
lecture1-adnaced network for bigginerrs students
byssuser6c0026
 
PPT
Adnaved encryption standrad slides(aes).ppt
byssuser6c0026
 
PPT
lec-05-Message authentication, hashing, basic number theory.ppt
byssuser6c0026
 
PPTX
Lecture 02-Modular Arithmeticfor rsa.pptx
byssuser6c0026
 
PPT
Lecture 08-Finite Fields CHAPTER 06 - RSA cryptosystem,encryptio.ppt
byssuser6c0026
 
firewalls (1) for cyber security students.ppt
byssuser6c0026
 
ITN_Module_14 for car care students aes.pdf
byssuser6c0026
 
welcometocomputernetworks-100907004628-phpapp02.ppt
byssuser6c0026
 
Endpoint_Security-for cybersecurity .pptx
byssuser6c0026
 
Wireless & Mobile Networks Mobility Management Principles
byssuser6c0026
 
Lec1-Applications & Domains of embedded systems.ppt
byssuser6c0026
 
lecture1-adnaced network for bigginerrs students
byssuser6c0026
 
intro-embedded-systems design for engineering.pptx
byssuser6c0026
 
CHAPTER 06 - RSA cryptosystem,encryption.ppt
byssuser6c0026
 
Lec1combo-embedded system design for enginerring.pptx
byssuser6c0026
 
lec-04-Private-key encryption, message authentication.ppt
byssuser6c0026
 
Wireless & Mobile Networks Mobility Management Principles.ppt
byssuser6c0026
 
lecture2-Cryptography Its Uses and Limitations.ppt
byssuser6c0026
 
Lec1b-Applications & Domains of embedded systems.pptx
byssuser6c0026
 
Lecture 03-Traditional Ciphers for rsa.ppt
byssuser6c0026
 
lecture1-adnaced network for bigginerrs students
byssuser6c0026
 
Adnaved encryption standrad slides(aes).ppt
byssuser6c0026
 
lec-05-Message authentication, hashing, basic number theory.ppt
byssuser6c0026
 
Lecture 02-Modular Arithmeticfor rsa.pptx
byssuser6c0026
 
Lecture 08-Finite Fields CHAPTER 06 - RSA cryptosystem,encryptio.ppt
byssuser6c0026
 

Recently uploaded

PDF
Advanced ADAS-Compatible Mercedes Windshield Installation — Trusted Quality Y...
byBertini's German Motors
 
PDF
System Operation Caterpillar D6H TRACK-TYPE TRACTOR Service Pdf
byabjekGoogle
 
PPTX
operating systems in the cybersecurity.pptx
bymartinkambuni
 
PPTX
Development_India_vs_Foreign_Countries_Improved-2.pptx
byjayvjadav2708
 
PDF
AEC_MCQ_Result_2012202 chevjoiyingh5 .pdf
byhammadahsann24
 
PDF
TabScan T6VCM3 VCM3 OE-Level Diagnostic Tool Support IDS FDRS FORScan
byDaniel Yong
 
PDF
fdasokjfasldfhklajsklash fhadsjlhflkasjdfh f akjhfklhaklfshk
bymajixoc607
 
PPTX
David Ebrahimzadeh: Remote Seatbelt Patent
byDavid389860
 
PPTX
Year-End Distribution Review Reveals Where Systems Fall Short
byZylem
 
PPTX
David Ebrahimzadeh: Auto Emergency Evac Patent
byDavid389860
 
PDF
R140LCM-9 Operator Pdf Manual Download.pdf
byabjekGoogle
 
PPTX
Hsjsj nsoff yhe e sjsisPathfinders.pptx
byaashin2007
 
PDF
blacknoirco. a great e-book by ekene patience.pdffffffffff
byEkene Patience Nesiagho
 
PDF
blacknoirco a great e-book by ekene patience.pdf
byEkene Patience Nesiagho
 
PPTX
Poetry and Poetic Devices English Presentation in Yellow Purple Lined Grap_20...
bybabitarony
 
PDF
PowerPoint 2.pdfbjdjdjsjshsbbdhdidhdvdudkdndu
byumar030194830400
 
PPTX
Industry visit 2025 odd Industry visit 2025 odd.pptx.pptx
bypandem2
 
PPTX
1-Fundamental Ckmonon. uho ohouhoncepts.pptx
byakshardham1741
 
PPTX
Communicable_Diseases_With_Diagrams.pptx
byaditya572561
 
PPTX
Water_Conservation__Social_Connect_and_Responsibil.pptx
byvaddarm978
 
Advanced ADAS-Compatible Mercedes Windshield Installation — Trusted Quality Y...
byBertini's German Motors
 
System Operation Caterpillar D6H TRACK-TYPE TRACTOR Service Pdf
byabjekGoogle
 
operating systems in the cybersecurity.pptx
bymartinkambuni
 
Development_India_vs_Foreign_Countries_Improved-2.pptx
byjayvjadav2708
 
AEC_MCQ_Result_2012202 chevjoiyingh5 .pdf
byhammadahsann24
 
TabScan T6VCM3 VCM3 OE-Level Diagnostic Tool Support IDS FDRS FORScan
byDaniel Yong
 
fdasokjfasldfhklajsklash fhadsjlhflkasjdfh f akjhfklhaklfshk
bymajixoc607
 
David Ebrahimzadeh: Remote Seatbelt Patent
byDavid389860
 
Year-End Distribution Review Reveals Where Systems Fall Short
byZylem
 
David Ebrahimzadeh: Auto Emergency Evac Patent
byDavid389860
 
R140LCM-9 Operator Pdf Manual Download.pdf
byabjekGoogle
 
Hsjsj nsoff yhe e sjsisPathfinders.pptx
byaashin2007
 
blacknoirco. a great e-book by ekene patience.pdffffffffff
byEkene Patience Nesiagho
 
blacknoirco a great e-book by ekene patience.pdf
byEkene Patience Nesiagho
 
Poetry and Poetic Devices English Presentation in Yellow Purple Lined Grap_20...
bybabitarony
 
PowerPoint 2.pdfbjdjdjsjshsbbdhdidhdvdudkdndu
byumar030194830400
 
Industry visit 2025 odd Industry visit 2025 odd.pptx.pptx
bypandem2
 
1-Fundamental Ckmonon. uho ohouhoncepts.pptx
byakshardham1741
 
Communicable_Diseases_With_Diagrams.pptx
byaditya572561
 
Water_Conservation__Social_Connect_and_Responsibil.pptx
byvaddarm978
 

firewalls (1) for students in cyber sec.ppt

  • 1.
  • 2.
    What is aFirewall? What is a Firewall?  A A choke point choke point of control and monitoring of control and monitoring  Interconnects networks with differing trust Interconnects networks with differing trust  Imposes restrictions on network services Imposes restrictions on network services  only authorized traffic is allowed only authorized traffic is allowed  Auditing and controlling access Auditing and controlling access  can implement alarms for abnormal behavior can implement alarms for abnormal behavior  Itself immune to penetration Itself immune to penetration  Provides Provides perimeter defence perimeter defence
  • 3.
    Classification of Firewall Classificationof Firewall Characterized by protocol level it controls in Characterized by protocol level it controls in  Packet filtering Packet filtering  Circuit gateways Circuit gateways  Application gateways Application gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
  • 4.
    Firewalls – PacketFilters Firewalls – Packet Filters
  • 5.
    Firewalls – PacketFilters Firewalls – Packet Filters  Simplest of components Simplest of components  Uses transport-layer information only Uses transport-layer information only  IP Source Address, Destination Address IP Source Address, Destination Address  Protocol/Next Header (TCP, UDP, ICMP, etc) Protocol/Next Header (TCP, UDP, ICMP, etc)  TCP or UDP source & destination ports TCP or UDP source & destination ports  TCP Flags (SYN, ACK, FIN, RST, PSH, etc) TCP Flags (SYN, ACK, FIN, RST, PSH, etc)  ICMP message type ICMP message type  Examples Examples  DNS uses port 53 DNS uses port 53  No incoming port 53 packets except known trusted servers No incoming port 53 packets except known trusted servers
  • 6.
    Usage of PacketFilters Usage of Packet Filters  Filtering with incoming or outgoing interfaces Filtering with incoming or outgoing interfaces  E.g., Ingress filtering of spoofed IP addresses E.g., Ingress filtering of spoofed IP addresses  Egress filtering Egress filtering  Permits or denies certain services Permits or denies certain services  Requires intimate knowledge of TCP and UDP port Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems utilization on a number of operating systems
  • 7.
    How to Configurea Packet Filter How to Configure a Packet Filter  Start with a security policy Start with a security policy  Specify allowable packets in terms of logical Specify allowable packets in terms of logical expressions on packet fields expressions on packet fields  Rewrite expressions in syntax supported by your Rewrite expressions in syntax supported by your vendor vendor  General rules - least privilege General rules - least privilege  All that is not expressly permitted is prohibited All that is not expressly permitted is prohibited  If you do not need it, eliminate it If you do not need it, eliminate it
  • 8.
    Every ruleset isfollowed by an implicit rule Every ruleset is followed by an implicit rule reading like this. reading like this. Example 1: Example 1: Suppose we want to allow inbound mail Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some machine. Also suppose that mail from some particular site SPIGOT is to be blocked. particular site SPIGOT is to be blocked.
  • 9.
    Solution 1: Solution 1: Example2: Example 2: Now suppose that we want to implement the Now suppose that we want to implement the policy “any inside host can send mail to the policy “any inside host can send mail to the outside”. outside”.
  • 10.
    Solution 2: Solution 2: Thissolution allows calls to come from any port This solution allows calls to come from any port on an inside machine, and will direect them to on an inside machine, and will direect them to port 25 on the outside. Simple enough… port 25 on the outside. Simple enough… So why is it wrong? So why is it wrong?
  • 11.
     Our definedrestriction is based solely on the Our defined restriction is based solely on the outside host’s port number, which we have no outside host’s port number, which we have no way of controlling. way of controlling.  Now an enemy can access any internal machines Now an enemy can access any internal machines and port by originating his call from port 25 on and port by originating his call from port 25 on the outside machine. the outside machine. What can be a better solution ? What can be a better solution ?
  • 12.
     The ACKsignifies that the packet is part of an The ACK signifies that the packet is part of an ongoing conversation ongoing conversation  Packets without the ACK are connection Packets without the ACK are connection establishment messages, which we are only establishment messages, which we are only permitting from internal hosts permitting from internal hosts
  • 13.
    Security & Performanceof Packet Filters Security & Performance of Packet Filters  IP address spoofing IP address spoofing  Fake source address to be trusted Fake source address to be trusted  Add filters on router to block Add filters on router to block  Tiny fragment attacks Tiny fragment attacks  Split TCP header info over several tiny packets Split TCP header info over several tiny packets  Either discard or reassemble before check Either discard or reassemble before check  Degradation depends on number of rules applied at Degradation depends on number of rules applied at any point any point  Order rules so that most common traffic is dealt with Order rules so that most common traffic is dealt with first first  Correctness is more important than speed Correctness is more important than speed
  • 14.
    Port Numbering Port Numbering TCP connection TCP connection  Server port is number less than 1024 Server port is number less than 1024  Client port is number between 1024 and 16383 Client port is number between 1024 and 16383  Permanent assignment Permanent assignment  Ports <1024 assigned permanently Ports <1024 assigned permanently  20,21 for FTP 23 for Telnet 20,21 for FTP 23 for Telnet  25 for server SMTP 80 for HTTP 25 for server SMTP 80 for HTTP  Variable use Variable use  Ports >1024 must be available for client to make any Ports >1024 must be available for client to make any connection connection  This presents a limitation for stateless packet filtering This presents a limitation for stateless packet filtering  If If client wants to use port 2048, firewall must allow client wants to use port 2048, firewall must allow incoming incoming traffic traffic on this port on this port  Better: stateful filtering knows outgoing requests Better: stateful filtering knows outgoing requests
  • 15.
    Firewalls – StatefulPacket Filters Firewalls – Stateful Packet Filters  Traditional packet filters do not examine higher Traditional packet filters do not examine higher layer context layer context  ie matching return packets with outgoing flow ie matching return packets with outgoing flow  Stateful packet filters address this need Stateful packet filters address this need  They examine each IP packet in context They examine each IP packet in context  Keep track of client-server sessions Keep track of client-server sessions  Check each packet validly belongs to one Check each packet validly belongs to one  Hence are better able to detect bogus packets Hence are better able to detect bogus packets out of context out of context
  • 16.
  • 17.
    Firewall Outlines Firewall Outlines Packet filtering Packet filtering  Application gateways Application gateways  Circuit gateways Circuit gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
  • 18.
    Firewall Gateways Firewall Gateways Firewall runs set of proxy programs Firewall runs set of proxy programs  Proxies filter incoming, outgoing packets Proxies filter incoming, outgoing packets  All incoming traffic directed to firewall All incoming traffic directed to firewall  All outgoing traffic appears to come from firewall All outgoing traffic appears to come from firewall  Policy embedded in proxy programs Policy embedded in proxy programs  Two kinds of proxies Two kinds of proxies  Application-level gateways/proxies Application-level gateways/proxies  Tailored to http, ftp, smtp, etc. Tailored to http, ftp, smtp, etc.  Circuit-level gateways/proxies Circuit-level gateways/proxies  Working on TCP level Working on TCP level
  • 19.
    Firewalls - Firewalls -Application Level Application Level Gateway (or Proxy) Gateway (or Proxy)
  • 20.
    Application-Level Filtering Application-Level Filtering Has full access to protocol Has full access to protocol  user requests service from proxy user requests service from proxy  proxy validates request as legal proxy validates request as legal  then actions request and returns result to user then actions request and returns result to user  Need separate proxies for each service Need separate proxies for each service  E.g., SMTP (E-Mail) E.g., SMTP (E-Mail)  NNTP (Net news) NNTP (Net news)  DNS (Domain Name System) DNS (Domain Name System)  NTP (Network Time Protocol) NTP (Network Time Protocol)  custom services generally not supported custom services generally not supported
  • 21.
    App-level Firewall Architecture App-levelFirewall Architecture Daemon spawns proxy when communication detected … Daemon spawns proxy when communication detected … Network Connection Telnet daemon SMTP daemon FTP daemon Telnet proxy FTP proxy SMTP proxy
  • 22.
    Enforce policy forspecific protocols Enforce policy for specific protocols  E.g., Virus scanning for SMTP E.g., Virus scanning for SMTP  Need to understand MIME, encoding, Zip archives Need to understand MIME, encoding, Zip archives
  • 23.
    Firewall Outlines Firewall Outlines Packet filtering Packet filtering  Application gateways Application gateways  Circuit gateways Circuit gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
  • 24.
    Firewalls - Firewalls -Circuit Level Gateway Circuit Level Gateway
  • 25.
    Firewalls - Firewalls -Circuit Level Gateway Circuit Level Gateway  Relays two TCP connections Relays two TCP connections  Imposes security by limiting which such Imposes security by limiting which such connections are allowed connections are allowed  Once created usually relays traffic without Once created usually relays traffic without examining contents examining contents  Typically used when trust internal users by Typically used when trust internal users by allowing general outbound connections allowing general outbound connections  SOCKS commonly used for this SOCKS commonly used for this
  • 26.
    Figure 9.7: Atypical SOCKS connection through interface A, and rogue connection through the external interface, B.
  • 27.
    Bastion Host Bastion Host Highly secure host system Highly secure host system  Potentially exposed to "hostile" elements Potentially exposed to "hostile" elements  Hence is secured to withstand this Hence is secured to withstand this  Disable all non-required services; keep it simple Disable all non-required services; keep it simple  Trusted to enforce trusted separation between Trusted to enforce trusted separation between network connections network connections  Runs circuit / application level gateways Runs circuit / application level gateways  Install/modify services you want Install/modify services you want  Or provides externally accessible services Or provides externally accessible services
  • 28.
  • 29.
    Screened Subnet UsingTwo Routers Screened Subnet Using Two Routers
  • 30.
    Firewall Outlines Firewall Outlines Packet filtering Packet filtering  Application gateways Application gateways  Circuit gateways Circuit gateways  Combination of above is dynamic packet filter Combination of above is dynamic packet filter
  • 31.
    Dynamic Packet Filters DynamicPacket Filters  Most common Most common  Provide good administrators protection and full Provide good administrators protection and full transparency transparency  Network given full control over traffic Network given full control over traffic  Captures semantics of a connection Captures semantics of a connection
  • 32.
    1.2.3.4 Intended connection from1.2.3.4 to 5.6.7.8 5.6.7.8 1.2.3.4 5.6.7.8 Firewall Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The Firewall impersonates each endpoint to the other.
  • 33.
    1.2.3.4 5.6.7.8 10.11.12.13 5.6.7.8 Application Proxy Firewall Intended connection from1.2.3.4 to 5.6.7.8 A dynamic packet filter with an application proxy. Note the change in source address
  • 34.
    Firewalls Aren’t Perfect? FirewallsAren’t Perfect?  Useless against attacks from the inside Useless against attacks from the inside  Evildoer exists on inside Evildoer exists on inside  Malicious code is executed on an internal machine Malicious code is executed on an internal machine  Organizations with greater insider threat Organizations with greater insider threat  Banks and Military Banks and Military  Protection must exist at each layer Protection must exist at each layer  Assess risks of threats at every layer Assess risks of threats at every layer  Cannot protect against transfer of all virus Cannot protect against transfer of all virus infected programs or files infected programs or files  because of huge range of O/S & file types because of huge range of O/S & file types
  • 35.
  • 36.
    Figure 9.2: Afirewall router with multiple internal networks. Filter Rule: Open access to Net 2 means source address from Net 3 • Why not spoof address from Net 3? Network Topology Network Topology
  • 37.
    Address-Spoofing Address-Spoofing  Detection isvirtually impossible unless source- Detection is virtually impossible unless source- address filtering and logging are done address filtering and logging are done  One should not trust hosts outside of one’s One should not trust hosts outside of one’s administrative control administrative control
  • 38.
    External Interface Ruleset ExternalInterface Ruleset Allow outgoing calls, permit incoming calls only Allow outgoing calls, permit incoming calls only for mail and only to gateway GW for mail and only to gateway GW Note: Specify GW as destination host instead of Net 1 to prevent open access to Net 1
  • 39.
    Net 1 RouterInterface Ruleset Net 1 Router Interface Ruleset  Gateway machine speaks directly only to other Gateway machine speaks directly only to other machines running trusted mail server software machines running trusted mail server software  Relay machines used to call out to GW to pick Relay machines used to call out to GW to pick up waiting mail up waiting mail Note: Spoofing is avoided with the specification of GW
  • 40.
    How Many RoutersDo We Need? How Many Routers Do We Need?  If routers only support outgoing filtering, we need two: If routers only support outgoing filtering, we need two:  One to use ruleset that protects against compromised One to use ruleset that protects against compromised gateways gateways  One to use ruleset that guards against address forgery and One to use ruleset that guards against address forgery and restricts access to gateway machine restricts access to gateway machine  An input filter on one port is exactly equivalent to an An input filter on one port is exactly equivalent to an output filter on the other port output filter on the other port  If you trust the network provider, you can go without If you trust the network provider, you can go without input filters input filters  Filtering can be done on the output side of the router Filtering can be done on the output side of the router
  • 41.
    Routing Filters Routing Filters All nodes are somehow reachable from the All nodes are somehow reachable from the Internet Internet  Routers need to be able to control what routes Routers need to be able to control what routes they advertise over various interfaces they advertise over various interfaces  Clients who employ IP source routing make it Clients who employ IP source routing make it possible to reach ‘unreachable’ hosts possible to reach ‘unreachable’ hosts  Enables address-spoofing Enables address-spoofing  Block source routing at borders, not at backbone Block source routing at borders, not at backbone
  • 42.
    Routing Filters (cont) RoutingFilters (cont)  Packet filters obviate the need for route filters Packet filters obviate the need for route filters  Route filtering becomes difficult or impossible Route filtering becomes difficult or impossible in the presence of complex technologies in the presence of complex technologies  Route squatting – using unofficial IP addresses Route squatting – using unofficial IP addresses inside firewalls that belong to someone else inside firewalls that belong to someone else  Difficult to choose non-addressed address space Difficult to choose non-addressed address space
  • 43.
    Dual Homed HostArchitecture Dual Homed Host Architecture
  • 44.
    Asymmetric Routes Asymmetric Routes Both sides of the firewall know nothing of one Both sides of the firewall know nothing of one another’s topology another’s topology  Solutions: Solutions:  Maintain full knowledge of the topology Maintain full knowledge of the topology  Not feasible, too much state to keep Not feasible, too much state to keep  Multiple firewalls share state information Multiple firewalls share state information  Volume of messages may be prohibitive, code complexity Volume of messages may be prohibitive, code complexity
  • 45.
    Are Dynamic PacketFilters Safe? Are Dynamic Packet Filters Safe?  Comparable to that of circuit gateways, as long Comparable to that of circuit gateways, as long as the implementation strategy is simple as the implementation strategy is simple  If administrative interfaces use physical network If administrative interfaces use physical network ports as the highest-level construct ports as the highest-level construct  Legal connections are generally defined in terms of Legal connections are generally defined in terms of the physical topology the physical topology  Not if evildoers exist on the inside Not if evildoers exist on the inside  Circuit or application gateways demand user Circuit or application gateways demand user authentication for outbound traffic and are therefore authentication for outbound traffic and are therefore more resistant to this threat more resistant to this threat
  • 46.
    Distributed Firewalls Distributed Firewalls A central management node sets the security policy A central management node sets the security policy enforced by individual hosts enforced by individual hosts  Combination of high-level policy specification with file Combination of high-level policy specification with file distribution mechanism distribution mechanism  Advantages: Advantages:  Lack of central point of failure Lack of central point of failure  Ability to protect machines outside topologically isolated Ability to protect machines outside topologically isolated space space  Great for laptops Great for laptops  Disadvantage: Disadvantage:  Harder to allow in certain services, whereas it’s easy to block Harder to allow in certain services, whereas it’s easy to block
  • 47.
    Distributed Firewalls Drawback DistributedFirewalls Drawback  Allowing in certain services works if and only if Allowing in certain services works if and only if you’re sure the address can’t be spoofed you’re sure the address can’t be spoofed  Requires anti-spoofing protection Requires anti-spoofing protection  Must maintain ability to roam safely Must maintain ability to roam safely  Solution: IPsec Solution: IPsec  A machine is trusted if and only if it can perform A machine is trusted if and only if it can perform proper cryptographic authentication proper cryptographic authentication
  • 48.
    Where to Filter? Whereto Filter?  Balance between risk and costs Balance between risk and costs  Always a higher layer that is hard to filter Always a higher layer that is hard to filter  Humans Humans
  • 49.
    Dynamic Packet FilterImplementation Dynamic Packet Filter Implementation  Dynamically update packet filter’s ruleset Dynamically update packet filter’s ruleset  Changes may not be benign due to ordering Changes may not be benign due to ordering  Redialing method offers greater assurance of Redialing method offers greater assurance of security security  No special-case code necessary No special-case code necessary  FTP handled with user-level daemon FTP handled with user-level daemon  UDP handled just as TCP except for tear down UDP handled just as TCP except for tear down  ICMP handled with pseudoconnections and ICMP handled with pseudoconnections and synthesized packets synthesized packets
  • 50.
    Per-Interface Tables Consultedby Per-Interface Tables Consulted by Dynamic Packet Filter Dynamic Packet Filter  Active Connection Table Active Connection Table  Socket structure decides whether data is copied to Socket structure decides whether data is copied to outside socket or sent to application proxy outside socket or sent to application proxy  Ordinary Filter Table Ordinary Filter Table  Specifies which packets may pass in stateless manner Specifies which packets may pass in stateless manner  Dynamic Table Dynamic Table  Forces creation of local socket structures Forces creation of local socket structures

Editor's Notes

  • #15 A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context.
  • #18 Gateway is like a NAT box, ie, a home router.
  • #25 One advantage over normal packet filters: the IP addr is changed. So no internal IP addr is leaked out. A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access. One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients.