SlideShare uma empresa Scribd logo

Firewalls

Transferir como PPT, PDF
Akhil Sharma
Akhil Sharma

introduction to firewalls

EducaçãoTecnologia
1 de 52
FirewallsFirewalls by Akhil Sharmaby Akhil Sharma akhil.sharma.ak@gmail.comakhil.sharma.ak@gmail.com
What is a Firewall?What is a Firewall?  AA choke pointchoke point of control and monitoringof control and monitoring  Interconnects networks with differing trustInterconnects networks with differing trust  Imposes restrictions on network servicesImposes restrictions on network services  only authorized traffic is allowedonly authorized traffic is allowed  Auditing and controlling accessAuditing and controlling access  can implement alarms for abnormal behaviorcan implement alarms for abnormal behavior  Itself immune to penetrationItself immune to penetration  ProvidesProvides perimeter defenceperimeter defence
Classification of FirewallClassification of Firewall Characterized by protocol level it controls inCharacterized by protocol level it controls in  Packet filteringPacket filtering  Circuit gatewaysCircuit gateways  Application gatewaysApplication gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
Firewalls – Packet FiltersFirewalls – Packet Filters
Firewalls – Packet FiltersFirewalls – Packet Filters  Simplest of componentsSimplest of components  Uses transport-layer information onlyUses transport-layer information only  IP Source Address, Destination AddressIP Source Address, Destination Address  Protocol/Next Header (TCP, UDP, ICMP, etc)Protocol/Next Header (TCP, UDP, ICMP, etc)  TCP or UDP source & destination portsTCP or UDP source & destination ports  TCP Flags (SYN, ACK, FIN, RST, PSH, etc)TCP Flags (SYN, ACK, FIN, RST, PSH, etc)  ICMP message typeICMP message type  ExamplesExamples  DNS uses port 53DNS uses port 53  No incoming port 53 packets except known trusted serversNo incoming port 53 packets except known trusted servers
Usage of Packet FiltersUsage of Packet Filters  Filtering with incoming or outgoing interfacesFiltering with incoming or outgoing interfaces  E.g., Ingress filtering of spoofed IP addressesE.g., Ingress filtering of spoofed IP addresses  Egress filteringEgress filtering  Permits or denies certain servicesPermits or denies certain services  Requires intimate knowledge of TCP and UDP portRequires intimate knowledge of TCP and UDP port utilization on a number of operating systemsutilization on a number of operating systems
How to Configure a Packet FilterHow to Configure a Packet Filter  Start with a security policyStart with a security policy  Specify allowable packets in terms of logicalSpecify allowable packets in terms of logical expressions on packet fieldsexpressions on packet fields  Rewrite expressions in syntax supported by yourRewrite expressions in syntax supported by your vendorvendor  General rules - least privilegeGeneral rules - least privilege  All that is not expressly permitted is prohibitedAll that is not expressly permitted is prohibited  If you do not need it, eliminate itIf you do not need it, eliminate it
Every ruleset is followed by an implicit ruleEvery ruleset is followed by an implicit rule reading like this.reading like this. Example 1:Example 1: Suppose we want to allow inbound mailSuppose we want to allow inbound mail (SMTP, port 25) but only to our gateway(SMTP, port 25) but only to our gateway machine. Also suppose that mail from somemachine. Also suppose that mail from some particular site SPIGOT is to be blocked.particular site SPIGOT is to be blocked.
Solution 1:Solution 1: Example 2:Example 2: Now suppose that we want to implement theNow suppose that we want to implement the policy “any inside host can send mail to thepolicy “any inside host can send mail to the outside”.outside”.
Solution 2:Solution 2: This solution allows calls to come from anyThis solution allows calls to come from any port on an inside machine, and will direct themport on an inside machine, and will direct them to port 25 on the outside. Simple enough…to port 25 on the outside. Simple enough… So why is it wrong?So why is it wrong?
 Our defined restriction is based solely on theOur defined restriction is based solely on the outside host’s port number, which we have nooutside host’s port number, which we have no way of controlling.way of controlling.  Now an enemy can access any internal machinesNow an enemy can access any internal machines and port by originating his call from port 25 onand port by originating his call from port 25 on the outside machine.the outside machine. What can be a better solution ?What can be a better solution ?
 The ACK signifies that the packet is part of anThe ACK signifies that the packet is part of an ongoing conversationongoing conversation  Packets without the ACK are connectionPackets without the ACK are connection establishment messages, which we are onlyestablishment messages, which we are only permitting from internal hostspermitting from internal hosts
Security & Performance of Packet FiltersSecurity & Performance of Packet Filters  IP address spoofingIP address spoofing  Fake source address to be trustedFake source address to be trusted  Add filters on router to blockAdd filters on router to block  Tiny fragment attacksTiny fragment attacks  Split TCP header info over several tiny packetsSplit TCP header info over several tiny packets  Either discard or reassemble before checkEither discard or reassemble before check  Degradation depends on number of rules applied atDegradation depends on number of rules applied at any pointany point  Order rules so that most common traffic is dealt withOrder rules so that most common traffic is dealt with firstfirst  Correctness is more important than speedCorrectness is more important than speed
Port NumberingPort Numbering  TCP connectionTCP connection  Server port is number less than 1024Server port is number less than 1024  Client port is number between 1024 and 16383Client port is number between 1024 and 16383  Permanent assignmentPermanent assignment  Ports <1024 assigned permanentlyPorts <1024 assigned permanently  20,21 for FTP 23 for Telnet20,21 for FTP 23 for Telnet  25 for server SMTP 80 for HTTP25 for server SMTP 80 for HTTP  Variable useVariable use  Ports >1024 must be available for client to make anyPorts >1024 must be available for client to make any connectionconnection  This presents a limitation for stateless packet filteringThis presents a limitation for stateless packet filtering  IfIf client wants to use port 2048, firewall must allowclient wants to use port 2048, firewall must allow incomingincoming traffic on this porttraffic on this port  Better: stateful filtering knows outgoing requestsBetter: stateful filtering knows outgoing requests
Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters  Traditional packet filters do not examine higherTraditional packet filters do not examine higher layer contextlayer context  ie matching return packets with outgoing flowie matching return packets with outgoing flow  Stateful packet filters address this needStateful packet filters address this need  They examine each IP packet in contextThey examine each IP packet in context  Keep track of client-server sessionsKeep track of client-server sessions  Check each packet validly belongs to oneCheck each packet validly belongs to one  Hence are better able to detect bogus packetsHence are better able to detect bogus packets out of contextout of context
Stateful FilteringStateful Filtering
Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
Firewall GatewaysFirewall Gateways  Firewall runs set of proxy programsFirewall runs set of proxy programs  Proxies filter incoming, outgoing packetsProxies filter incoming, outgoing packets  All incoming traffic directed to firewallAll incoming traffic directed to firewall  All outgoing traffic appears to come from firewallAll outgoing traffic appears to come from firewall  Policy embedded in proxy programsPolicy embedded in proxy programs  Two kinds of proxiesTwo kinds of proxies  Application-level gateways/proxiesApplication-level gateways/proxies  Tailored to http, ftp, smtp, etc.Tailored to http, ftp, smtp, etc.  Circuit-level gateways/proxiesCircuit-level gateways/proxies  Working on TCP levelWorking on TCP level
Firewalls -Firewalls - Application LevelApplication Level Gateway (or Proxy)Gateway (or Proxy)
Application-Level FilteringApplication-Level Filtering  Has full access to protocolHas full access to protocol  user requests service from proxyuser requests service from proxy  proxy validates request as legalproxy validates request as legal  then actions request and returns result to userthen actions request and returns result to user  Need separate proxies for each serviceNeed separate proxies for each service  E.g., SMTP (E-Mail)E.g., SMTP (E-Mail)  NNTP (Net news)NNTP (Net news)  DNS (Domain Name System)DNS (Domain Name System)  NTP (Network Time Protocol)NTP (Network Time Protocol)  custom services generally not supportedcustom services generally not supported
App-level Firewall ArchitectureApp-level Firewall Architecture Daemon spawns proxy when communication detectedDaemon spawns proxy when communication detected …… Network Connection Telnet daemon SMTP daemon FTP daemon Telnet proxy FTP proxy SMTP proxy
Enforce policy for specific protocolsEnforce policy for specific protocols  E.g., Virus scanning for SMTPE.g., Virus scanning for SMTP  Need to understand MIME, encoding, Zip archivesNeed to understand MIME, encoding, Zip archives
Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway
Figure 9.7: A typical SOCKS connection through interface A, and rogue connection through the external interface, B.
Bastion HostBastion Host  Highly secure host systemHighly secure host system  Potentially exposed to "hostile" elementsPotentially exposed to "hostile" elements  Hence is secured to withstand thisHence is secured to withstand this  Disable all non-required services; keep it simpleDisable all non-required services; keep it simple  Trusted to enforce trusted separation betweenTrusted to enforce trusted separation between network connectionsnetwork connections  Runs circuit / application level gatewaysRuns circuit / application level gateways  Install/modify services you wantInstall/modify services you want  Or provides externally accessible servicesOr provides externally accessible services
Screened Host ArchitectureScreened Host Architecture
Screened Subnet Using Two RoutersScreened Subnet Using Two Routers
Firewalls Aren’t Perfect?Firewalls Aren’t Perfect?  Useless against attacks from the insideUseless against attacks from the inside  Evildoer exists on insideEvildoer exists on inside  Malicious code is executed on an internal machineMalicious code is executed on an internal machine  Organizations with greater insider threatOrganizations with greater insider threat  Banks and MilitaryBanks and Military  Protection must exist at each layerProtection must exist at each layer  Assess risks of threats at every layerAssess risks of threats at every layer  Cannot protect against transfer of all virusCannot protect against transfer of all virus infected programs or filesinfected programs or files  because of huge range of O/S & file typesbecause of huge range of O/S & file types
QuizQuiz  In this question, we explore some applications andIn this question, we explore some applications and limitations of a stateless packet filtering firewall. Forlimitations of a stateless packet filtering firewall. For each of the question, briefly explain how the firewalleach of the question, briefly explain how the firewall should be configured to defend against the attack, orshould be configured to defend against the attack, or why the firewall cannot defend against the attack.why the firewall cannot defend against the attack.  Can the firewall prevent a SYN flood denial-of-serviceCan the firewall prevent a SYN flood denial-of-service attack from the external network?attack from the external network?  Can the firewall prevent a Smurf attack from the externalCan the firewall prevent a Smurf attack from the external network? Recall that as we discussed in the class before,network? Recall that as we discussed in the class before, the Smurf attack uses the broadcast IP address of thethe Smurf attack uses the broadcast IP address of the subnet.subnet.
 Can the firewall prevent external users from exploiting aCan the firewall prevent external users from exploiting a security bug in a CGI script on an internal web server (thesecurity bug in a CGI script on an internal web server (the web server is serving requests from the Internet)?web server is serving requests from the Internet)?  Can the firewall prevent an online password dictionaryCan the firewall prevent an online password dictionary attack from the external network on the telnet port of anattack from the external network on the telnet port of an internal machine?internal machine?  Can the firewall prevent a user on the external networkCan the firewall prevent a user on the external network from opening a window on an X server in the internalfrom opening a window on an X server in the internal network? Recall that by default an X server listens fornetwork? Recall that by default an X server listens for connections on port 6000connections on port 6000  Can the firewall block a virus embedded in an incomingCan the firewall block a virus embedded in an incoming email?email?  Can the firewall be used to block users on the internalCan the firewall be used to block users on the internal network from browsing a specific external IP address?network from browsing a specific external IP address?
Backup SlidesBackup Slides
Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway  Relays two TCP connectionsRelays two TCP connections  Imposes security by limiting which suchImposes security by limiting which such connections are allowedconnections are allowed  Once created usually relays traffic withoutOnce created usually relays traffic without examining contentsexamining contents  Typically used when trust internal users byTypically used when trust internal users by allowing general outbound connectionsallowing general outbound connections  SOCKS commonly used for thisSOCKS commonly used for this
Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
Dynamic Packet FiltersDynamic Packet Filters  Most commonMost common  Provide good administrators protection and fullProvide good administrators protection and full transparencytransparency  Network given full control over trafficNetwork given full control over traffic  Captures semantics of a connectionCaptures semantics of a connection
1.2.3.4 Intended connection from 1.2.3.4 to 5.6.7.8 5.6.7.81.2.3.45.6.7.8 Firewall Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The Firewall impersonates each endpoint to the other.
1.2.3.4 5.6.7.810.11.12.135.6.7.8 Application Proxy Firewall Intended connection from 1.2.3.4 to 5.6.7.8 A dynamic packet filter with an application proxy. Note the change in source address
Figure 9.2: A firewall router with multiple internal networks. Filter Rule: Open access to Net 2 means source address from Net 3 • Why not spoof address from Net 3? Network TopologyNetwork Topology
Address-SpoofingAddress-Spoofing  Detection is virtually impossible unless source-Detection is virtually impossible unless source- address filtering and logging are doneaddress filtering and logging are done  One should not trust hosts outside of one’sOne should not trust hosts outside of one’s administrative controladministrative control
External Interface RulesetExternal Interface Ruleset Allow outgoing calls, permit incoming calls onlyAllow outgoing calls, permit incoming calls only for mail and only to gateway GWfor mail and only to gateway GW Note: Specify GW as destination host instead of Net 1 to prevent open access to Net 1
Net 1 Router Interface RulesetNet 1 Router Interface Ruleset  Gateway machine speaks directly only to otherGateway machine speaks directly only to other machines running trusted mail server softwaremachines running trusted mail server software  Relay machines used to call out to GW to pickRelay machines used to call out to GW to pick up waiting mailup waiting mail Note: Spoofing is avoided with the specification of GW
How Many Routers Do We Need?How Many Routers Do We Need?  If routers only support outgoing filtering, we need two:If routers only support outgoing filtering, we need two:  One to use ruleset that protects against compromisedOne to use ruleset that protects against compromised gatewaysgateways  One to use ruleset that guards against address forgery andOne to use ruleset that guards against address forgery and restricts access to gateway machinerestricts access to gateway machine  An input filter on one port is exactly equivalent to anAn input filter on one port is exactly equivalent to an output filter on the other portoutput filter on the other port  If you trust the network provider, you can go withoutIf you trust the network provider, you can go without input filtersinput filters  Filtering can be done on the output side of the routerFiltering can be done on the output side of the router
Routing FiltersRouting Filters  All nodes are somehow reachable from theAll nodes are somehow reachable from the InternetInternet  Routers need to be able to control what routesRouters need to be able to control what routes they advertise over various interfacesthey advertise over various interfaces  Clients who employ IP source routing make itClients who employ IP source routing make it possible to reach ‘unreachable’ hostspossible to reach ‘unreachable’ hosts  Enables address-spoofingEnables address-spoofing  Block source routing at borders, not at backboneBlock source routing at borders, not at backbone
Routing Filters (cont)Routing Filters (cont)  Packet filters obviate the need for route filtersPacket filters obviate the need for route filters  Route filtering becomes difficult or impossibleRoute filtering becomes difficult or impossible in the presence of complex technologiesin the presence of complex technologies  Route squatting – using unofficial IP addressesRoute squatting – using unofficial IP addresses inside firewalls that belong to someone elseinside firewalls that belong to someone else  Difficult to choose non-addressed address spaceDifficult to choose non-addressed address space
Dual Homed Host ArchitectureDual Homed Host Architecture
Asymmetric RoutesAsymmetric Routes  Both sides of the firewall know nothing of oneBoth sides of the firewall know nothing of one another’s topologyanother’s topology  Solutions:Solutions:  Maintain full knowledge of the topologyMaintain full knowledge of the topology  Not feasible, too much state to keepNot feasible, too much state to keep  Multiple firewalls share state informationMultiple firewalls share state information  Volume of messages may be prohibitive, code complexityVolume of messages may be prohibitive, code complexity
Are Dynamic Packet Filters Safe?Are Dynamic Packet Filters Safe?  Comparable to that of circuit gateways, as longComparable to that of circuit gateways, as long as the implementation strategy is simpleas the implementation strategy is simple  If administrative interfaces use physical networkIf administrative interfaces use physical network ports as the highest-level constructports as the highest-level construct  Legal connections are generally defined in terms ofLegal connections are generally defined in terms of the physical topologythe physical topology  Not if evildoers exist on the insideNot if evildoers exist on the inside  Circuit or application gateways demand userCircuit or application gateways demand user authentication for outbound traffic and are thereforeauthentication for outbound traffic and are therefore more resistant to this threatmore resistant to this threat
Distributed FirewallsDistributed Firewalls  A central management node sets the security policyA central management node sets the security policy enforced by individual hostsenforced by individual hosts  Combination of high-level policy specification with fileCombination of high-level policy specification with file distribution mechanismdistribution mechanism  Advantages:Advantages:  Lack of central point of failureLack of central point of failure  Ability to protect machines outside topologically isolatedAbility to protect machines outside topologically isolated spacespace  Great for laptopsGreat for laptops  Disadvantage:Disadvantage:  Harder to allow in certain services, whereas it’s easy to blockHarder to allow in certain services, whereas it’s easy to block
Distributed Firewalls DrawbackDistributed Firewalls Drawback  Allowing in certain services works if and only ifAllowing in certain services works if and only if you’re sure the address can’t be spoofedyou’re sure the address can’t be spoofed  Requires anti-spoofing protectionRequires anti-spoofing protection  Must maintain ability to roam safelyMust maintain ability to roam safely  Solution: IPsecSolution: IPsec  A machine is trusted if and only if it can performA machine is trusted if and only if it can perform proper cryptographic authenticationproper cryptographic authentication
Where to Filter?Where to Filter?  Balance between risk and costsBalance between risk and costs  Always a higher layer that is hard to filterAlways a higher layer that is hard to filter  HumansHumans
Dynamic Packet Filter ImplementationDynamic Packet Filter Implementation  Dynamically update packet filter’s rulesetDynamically update packet filter’s ruleset  Changes may not be benign due to orderingChanges may not be benign due to ordering  Redialing method offers greater assurance ofRedialing method offers greater assurance of securitysecurity  No special-case code necessaryNo special-case code necessary  FTP handled with user-level daemonFTP handled with user-level daemon  UDP handled just as TCP except for tear downUDP handled just as TCP except for tear down  ICMP handled with pseudoconnections andICMP handled with pseudoconnections and synthesized packetssynthesized packets
Per-Interface Tables Consulted byPer-Interface Tables Consulted by Dynamic Packet FilterDynamic Packet Filter  Active Connection TableActive Connection Table  Socket structure decides whether data is copied toSocket structure decides whether data is copied to outside socket or sent to application proxyoutside socket or sent to application proxy  Ordinary Filter TableOrdinary Filter Table  Specifies which packets may pass in stateless mannerSpecifies which packets may pass in stateless manner  Dynamic TableDynamic Table  Forces creation of local socket structuresForces creation of local socket structures

Recomendados

Firewalls
FirewallsFirewalls
FirewallsJyoti Akhter
 
firewalls
firewallsfirewalls
firewallsahmedOday
 
E firewalls
E firewallsE firewalls
E firewallsAbhiroop Ghatak
 
Firewalls
FirewallsFirewalls
Firewallsvaishnavi
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Securitylalithambiga kamaraj
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
What is firewall
What is firewallWhat is firewall
What is firewallHarshana Jayarathna
 

Recomendados

Firewalls
FirewallsFirewalls
FirewallsJyoti Akhter
 
firewalls
firewallsfirewalls
firewallsahmedOday
 
E firewalls
E firewallsE firewalls
E firewallsAbhiroop Ghatak
 
Firewalls
FirewallsFirewalls
Firewallsvaishnavi
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Securitylalithambiga kamaraj
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
What is firewall
What is firewallWhat is firewall
What is firewallHarshana Jayarathna
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewallsrajakhurram
 
Firewall and its purpose
Firewall and its purposeFirewall and its purpose
Firewall and its purposeRohit Phulsunge
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefitsAnthony Daniel
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configurationNutan Kumar Panda
 
Firewalls
FirewallsFirewalls
FirewallsIGZ Software house
 
Firewall ppt
Firewall pptFirewall ppt
Firewall pptOECLIB Odisha Electronics Control Library
 
Firewall
FirewallFirewall
Firewalllmbriscoe
 
Firewalls
FirewallsFirewalls
FirewallsShreya Singireddy
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and functionNisarg Amin
 
FIREWALL
FIREWALL FIREWALL
FIREWALL Akash R
 
Hardware firewall
Hardware firewallHardware firewall
Hardware firewallSubrata Kumer Paul
 
firewall and its types
firewall and its typesfirewall and its types
firewall and its typesMohammed Maajidh
 
Firewalls
FirewallsFirewalls
FirewallsDr.Florence Dayana
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationyogendrasinghchahar
 
Firewalls
FirewallsFirewalls
FirewallsUniversity of Central Punjab
 
Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Securityiberrywifisecurity
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix FirewallSouvik Santra
 
Firewall & types of Firewall
Firewall & types of Firewall Firewall & types of Firewall
Firewall & types of Firewall BharathiKrishna6
 
Firewall
FirewallFirewall
FirewallNilkanth Shingala
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)Bhargu Bhargavi
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.pptMohanLal141254
 

Mais conteúdo relacionado

Mais procurados

Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewallsrajakhurram
 
Firewall and its purpose
Firewall and its purposeFirewall and its purpose
Firewall and its purposeRohit Phulsunge
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefitsAnthony Daniel
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and functionNisarg Amin
 
FIREWALL
FIREWALL FIREWALL
FIREWALL Akash R
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix FirewallSouvik Santra
 
Firewall & types of Firewall
Firewall & types of Firewall Firewall & types of Firewall
Firewall & types of Firewall BharathiKrishna6
 

Mais procurados (19)

Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewalls
 
Firewall and its purpose
Firewall and its purposeFirewall and its purpose
Firewall and its purpose
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefits
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configuration
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Firewall
FirewallFirewall
Firewall
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and function
 
FIREWALL
FIREWALL FIREWALL
FIREWALL
 
Hardware firewall
Hardware firewallHardware firewall
Hardware firewall
 
firewall and its types
firewall and its typesfirewall and its types
firewall and its types
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Firewalls
FirewallsFirewalls
Firewalls
 
Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix Firewall
 
Firewall & types of Firewall
Firewall & types of Firewall Firewall & types of Firewall
Firewall & types of Firewall
 
Firewall
FirewallFirewall
Firewall
 

Semelhante a Firewalls

Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.pptRaj Kumar
 
Tech 101: Understanding Firewalls
Tech 101: Understanding FirewallsTech 101: Understanding Firewalls
Tech 101: Understanding FirewallsLikan Patra
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet BawaPuneet Bawa
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationgaurav96raj
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdfCSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdfssuser1f1964
 

Semelhante a Firewalls (20)

Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
 
Tech 101: Understanding Firewalls
Tech 101: Understanding FirewallsTech 101: Understanding Firewalls
Tech 101: Understanding Firewalls
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet Bawa
 
Firewall
FirewallFirewall
Firewall
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About Firewall
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Firewall
FirewallFirewall
Firewall
 
Net Defender
Net DefenderNet Defender
Net Defender
 
Vpn
Vpn Vpn
Vpn
 
Firewalls
FirewallsFirewalls
Firewalls
 
100197
100197100197
100197
 
Netdefender
NetdefenderNetdefender
Netdefender
 
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdfCSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
 

Último

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Basic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationBasic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationNeilDeclaro1
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsSandeep D Chaudhary
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answersdalebeck957
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17Celine George
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 

Último (20)

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Basic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationBasic Intentional Injuries Health Education
Basic Intentional Injuries Health Education
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answers
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 

Firewalls

  • 1. FirewallsFirewalls by Akhil Sharmaby Akhil Sharma akhil.sharma.ak@gmail.comakhil.sharma.ak@gmail.com
  • 2. What is a Firewall?What is a Firewall?  AA choke pointchoke point of control and monitoringof control and monitoring  Interconnects networks with differing trustInterconnects networks with differing trust  Imposes restrictions on network servicesImposes restrictions on network services  only authorized traffic is allowedonly authorized traffic is allowed  Auditing and controlling accessAuditing and controlling access  can implement alarms for abnormal behaviorcan implement alarms for abnormal behavior  Itself immune to penetrationItself immune to penetration  ProvidesProvides perimeter defenceperimeter defence
  • 3. Classification of FirewallClassification of Firewall Characterized by protocol level it controls inCharacterized by protocol level it controls in  Packet filteringPacket filtering  Circuit gatewaysCircuit gateways  Application gatewaysApplication gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
  • 4. Firewalls – Packet FiltersFirewalls – Packet Filters
  • 5. Firewalls – Packet FiltersFirewalls – Packet Filters  Simplest of componentsSimplest of components  Uses transport-layer information onlyUses transport-layer information only  IP Source Address, Destination AddressIP Source Address, Destination Address  Protocol/Next Header (TCP, UDP, ICMP, etc)Protocol/Next Header (TCP, UDP, ICMP, etc)  TCP or UDP source & destination portsTCP or UDP source & destination ports  TCP Flags (SYN, ACK, FIN, RST, PSH, etc)TCP Flags (SYN, ACK, FIN, RST, PSH, etc)  ICMP message typeICMP message type  ExamplesExamples  DNS uses port 53DNS uses port 53  No incoming port 53 packets except known trusted serversNo incoming port 53 packets except known trusted servers
  • 6. Usage of Packet FiltersUsage of Packet Filters  Filtering with incoming or outgoing interfacesFiltering with incoming or outgoing interfaces  E.g., Ingress filtering of spoofed IP addressesE.g., Ingress filtering of spoofed IP addresses  Egress filteringEgress filtering  Permits or denies certain servicesPermits or denies certain services  Requires intimate knowledge of TCP and UDP portRequires intimate knowledge of TCP and UDP port utilization on a number of operating systemsutilization on a number of operating systems
  • 7. How to Configure a Packet FilterHow to Configure a Packet Filter  Start with a security policyStart with a security policy  Specify allowable packets in terms of logicalSpecify allowable packets in terms of logical expressions on packet fieldsexpressions on packet fields  Rewrite expressions in syntax supported by yourRewrite expressions in syntax supported by your vendorvendor  General rules - least privilegeGeneral rules - least privilege  All that is not expressly permitted is prohibitedAll that is not expressly permitted is prohibited  If you do not need it, eliminate itIf you do not need it, eliminate it
  • 8. Every ruleset is followed by an implicit ruleEvery ruleset is followed by an implicit rule reading like this.reading like this. Example 1:Example 1: Suppose we want to allow inbound mailSuppose we want to allow inbound mail (SMTP, port 25) but only to our gateway(SMTP, port 25) but only to our gateway machine. Also suppose that mail from somemachine. Also suppose that mail from some particular site SPIGOT is to be blocked.particular site SPIGOT is to be blocked.
  • 9. Solution 1:Solution 1: Example 2:Example 2: Now suppose that we want to implement theNow suppose that we want to implement the policy “any inside host can send mail to thepolicy “any inside host can send mail to the outside”.outside”.
  • 10. Solution 2:Solution 2: This solution allows calls to come from anyThis solution allows calls to come from any port on an inside machine, and will direct themport on an inside machine, and will direct them to port 25 on the outside. Simple enough…to port 25 on the outside. Simple enough… So why is it wrong?So why is it wrong?
  • 11.  Our defined restriction is based solely on theOur defined restriction is based solely on the outside host’s port number, which we have nooutside host’s port number, which we have no way of controlling.way of controlling.  Now an enemy can access any internal machinesNow an enemy can access any internal machines and port by originating his call from port 25 onand port by originating his call from port 25 on the outside machine.the outside machine. What can be a better solution ?What can be a better solution ?
  • 12.  The ACK signifies that the packet is part of anThe ACK signifies that the packet is part of an ongoing conversationongoing conversation  Packets without the ACK are connectionPackets without the ACK are connection establishment messages, which we are onlyestablishment messages, which we are only permitting from internal hostspermitting from internal hosts
  • 13. Security & Performance of Packet FiltersSecurity & Performance of Packet Filters  IP address spoofingIP address spoofing  Fake source address to be trustedFake source address to be trusted  Add filters on router to blockAdd filters on router to block  Tiny fragment attacksTiny fragment attacks  Split TCP header info over several tiny packetsSplit TCP header info over several tiny packets  Either discard or reassemble before checkEither discard or reassemble before check  Degradation depends on number of rules applied atDegradation depends on number of rules applied at any pointany point  Order rules so that most common traffic is dealt withOrder rules so that most common traffic is dealt with firstfirst  Correctness is more important than speedCorrectness is more important than speed
  • 14. Port NumberingPort Numbering  TCP connectionTCP connection  Server port is number less than 1024Server port is number less than 1024  Client port is number between 1024 and 16383Client port is number between 1024 and 16383  Permanent assignmentPermanent assignment  Ports <1024 assigned permanentlyPorts <1024 assigned permanently  20,21 for FTP 23 for Telnet20,21 for FTP 23 for Telnet  25 for server SMTP 80 for HTTP25 for server SMTP 80 for HTTP  Variable useVariable use  Ports >1024 must be available for client to make anyPorts >1024 must be available for client to make any connectionconnection  This presents a limitation for stateless packet filteringThis presents a limitation for stateless packet filtering  IfIf client wants to use port 2048, firewall must allowclient wants to use port 2048, firewall must allow incomingincoming traffic on this porttraffic on this port  Better: stateful filtering knows outgoing requestsBetter: stateful filtering knows outgoing requests
  • 15. Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters  Traditional packet filters do not examine higherTraditional packet filters do not examine higher layer contextlayer context  ie matching return packets with outgoing flowie matching return packets with outgoing flow  Stateful packet filters address this needStateful packet filters address this need  They examine each IP packet in contextThey examine each IP packet in context  Keep track of client-server sessionsKeep track of client-server sessions  Check each packet validly belongs to oneCheck each packet validly belongs to one  Hence are better able to detect bogus packetsHence are better able to detect bogus packets out of contextout of context
  • 17. Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
  • 18. Firewall GatewaysFirewall Gateways  Firewall runs set of proxy programsFirewall runs set of proxy programs  Proxies filter incoming, outgoing packetsProxies filter incoming, outgoing packets  All incoming traffic directed to firewallAll incoming traffic directed to firewall  All outgoing traffic appears to come from firewallAll outgoing traffic appears to come from firewall  Policy embedded in proxy programsPolicy embedded in proxy programs  Two kinds of proxiesTwo kinds of proxies  Application-level gateways/proxiesApplication-level gateways/proxies  Tailored to http, ftp, smtp, etc.Tailored to http, ftp, smtp, etc.  Circuit-level gateways/proxiesCircuit-level gateways/proxies  Working on TCP levelWorking on TCP level
  • 19. Firewalls -Firewalls - Application LevelApplication Level Gateway (or Proxy)Gateway (or Proxy)
  • 20. Application-Level FilteringApplication-Level Filtering  Has full access to protocolHas full access to protocol  user requests service from proxyuser requests service from proxy  proxy validates request as legalproxy validates request as legal  then actions request and returns result to userthen actions request and returns result to user  Need separate proxies for each serviceNeed separate proxies for each service  E.g., SMTP (E-Mail)E.g., SMTP (E-Mail)  NNTP (Net news)NNTP (Net news)  DNS (Domain Name System)DNS (Domain Name System)  NTP (Network Time Protocol)NTP (Network Time Protocol)  custom services generally not supportedcustom services generally not supported
  • 21. App-level Firewall ArchitectureApp-level Firewall Architecture Daemon spawns proxy when communication detectedDaemon spawns proxy when communication detected …… Network Connection Telnet daemon SMTP daemon FTP daemon Telnet proxy FTP proxy SMTP proxy
  • 22. Enforce policy for specific protocolsEnforce policy for specific protocols  E.g., Virus scanning for SMTPE.g., Virus scanning for SMTP  Need to understand MIME, encoding, Zip archivesNeed to understand MIME, encoding, Zip archives
  • 23. Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
  • 24. Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway
  • 25. Figure 9.7: A typical SOCKS connection through interface A, and rogue connection through the external interface, B.
  • 26. Bastion HostBastion Host  Highly secure host systemHighly secure host system  Potentially exposed to "hostile" elementsPotentially exposed to "hostile" elements  Hence is secured to withstand thisHence is secured to withstand this  Disable all non-required services; keep it simpleDisable all non-required services; keep it simple  Trusted to enforce trusted separation betweenTrusted to enforce trusted separation between network connectionsnetwork connections  Runs circuit / application level gatewaysRuns circuit / application level gateways  Install/modify services you wantInstall/modify services you want  Or provides externally accessible servicesOr provides externally accessible services
  • 28. Screened Subnet Using Two RoutersScreened Subnet Using Two Routers
  • 29. Firewalls Aren’t Perfect?Firewalls Aren’t Perfect?  Useless against attacks from the insideUseless against attacks from the inside  Evildoer exists on insideEvildoer exists on inside  Malicious code is executed on an internal machineMalicious code is executed on an internal machine  Organizations with greater insider threatOrganizations with greater insider threat  Banks and MilitaryBanks and Military  Protection must exist at each layerProtection must exist at each layer  Assess risks of threats at every layerAssess risks of threats at every layer  Cannot protect against transfer of all virusCannot protect against transfer of all virus infected programs or filesinfected programs or files  because of huge range of O/S & file typesbecause of huge range of O/S & file types
  • 30. QuizQuiz  In this question, we explore some applications andIn this question, we explore some applications and limitations of a stateless packet filtering firewall. Forlimitations of a stateless packet filtering firewall. For each of the question, briefly explain how the firewalleach of the question, briefly explain how the firewall should be configured to defend against the attack, orshould be configured to defend against the attack, or why the firewall cannot defend against the attack.why the firewall cannot defend against the attack.  Can the firewall prevent a SYN flood denial-of-serviceCan the firewall prevent a SYN flood denial-of-service attack from the external network?attack from the external network?  Can the firewall prevent a Smurf attack from the externalCan the firewall prevent a Smurf attack from the external network? Recall that as we discussed in the class before,network? Recall that as we discussed in the class before, the Smurf attack uses the broadcast IP address of thethe Smurf attack uses the broadcast IP address of the subnet.subnet.
  • 31.  Can the firewall prevent external users from exploiting aCan the firewall prevent external users from exploiting a security bug in a CGI script on an internal web server (thesecurity bug in a CGI script on an internal web server (the web server is serving requests from the Internet)?web server is serving requests from the Internet)?  Can the firewall prevent an online password dictionaryCan the firewall prevent an online password dictionary attack from the external network on the telnet port of anattack from the external network on the telnet port of an internal machine?internal machine?  Can the firewall prevent a user on the external networkCan the firewall prevent a user on the external network from opening a window on an X server in the internalfrom opening a window on an X server in the internal network? Recall that by default an X server listens fornetwork? Recall that by default an X server listens for connections on port 6000connections on port 6000  Can the firewall block a virus embedded in an incomingCan the firewall block a virus embedded in an incoming email?email?  Can the firewall be used to block users on the internalCan the firewall be used to block users on the internal network from browsing a specific external IP address?network from browsing a specific external IP address?
  • 33. Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway  Relays two TCP connectionsRelays two TCP connections  Imposes security by limiting which suchImposes security by limiting which such connections are allowedconnections are allowed  Once created usually relays traffic withoutOnce created usually relays traffic without examining contentsexamining contents  Typically used when trust internal users byTypically used when trust internal users by allowing general outbound connectionsallowing general outbound connections  SOCKS commonly used for thisSOCKS commonly used for this
  • 34. Firewall OutlinesFirewall Outlines  Packet filteringPacket filtering  Application gatewaysApplication gateways  Circuit gatewaysCircuit gateways  Combination of above is dynamic packet filterCombination of above is dynamic packet filter
  • 35. Dynamic Packet FiltersDynamic Packet Filters  Most commonMost common  Provide good administrators protection and fullProvide good administrators protection and full transparencytransparency  Network given full control over trafficNetwork given full control over traffic  Captures semantics of a connectionCaptures semantics of a connection
  • 36. 1.2.3.4 Intended connection from 1.2.3.4 to 5.6.7.8 5.6.7.81.2.3.45.6.7.8 Firewall Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The Firewall impersonates each endpoint to the other.
  • 37. 1.2.3.4 5.6.7.810.11.12.135.6.7.8 Application Proxy Firewall Intended connection from 1.2.3.4 to 5.6.7.8 A dynamic packet filter with an application proxy. Note the change in source address
  • 38. Figure 9.2: A firewall router with multiple internal networks. Filter Rule: Open access to Net 2 means source address from Net 3 • Why not spoof address from Net 3? Network TopologyNetwork Topology
  • 39. Address-SpoofingAddress-Spoofing  Detection is virtually impossible unless source-Detection is virtually impossible unless source- address filtering and logging are doneaddress filtering and logging are done  One should not trust hosts outside of one’sOne should not trust hosts outside of one’s administrative controladministrative control
  • 40. External Interface RulesetExternal Interface Ruleset Allow outgoing calls, permit incoming calls onlyAllow outgoing calls, permit incoming calls only for mail and only to gateway GWfor mail and only to gateway GW Note: Specify GW as destination host instead of Net 1 to prevent open access to Net 1
  • 41. Net 1 Router Interface RulesetNet 1 Router Interface Ruleset  Gateway machine speaks directly only to otherGateway machine speaks directly only to other machines running trusted mail server softwaremachines running trusted mail server software  Relay machines used to call out to GW to pickRelay machines used to call out to GW to pick up waiting mailup waiting mail Note: Spoofing is avoided with the specification of GW
  • 42. How Many Routers Do We Need?How Many Routers Do We Need?  If routers only support outgoing filtering, we need two:If routers only support outgoing filtering, we need two:  One to use ruleset that protects against compromisedOne to use ruleset that protects against compromised gatewaysgateways  One to use ruleset that guards against address forgery andOne to use ruleset that guards against address forgery and restricts access to gateway machinerestricts access to gateway machine  An input filter on one port is exactly equivalent to anAn input filter on one port is exactly equivalent to an output filter on the other portoutput filter on the other port  If you trust the network provider, you can go withoutIf you trust the network provider, you can go without input filtersinput filters  Filtering can be done on the output side of the routerFiltering can be done on the output side of the router
  • 43. Routing FiltersRouting Filters  All nodes are somehow reachable from theAll nodes are somehow reachable from the InternetInternet  Routers need to be able to control what routesRouters need to be able to control what routes they advertise over various interfacesthey advertise over various interfaces  Clients who employ IP source routing make itClients who employ IP source routing make it possible to reach ‘unreachable’ hostspossible to reach ‘unreachable’ hosts  Enables address-spoofingEnables address-spoofing  Block source routing at borders, not at backboneBlock source routing at borders, not at backbone
  • 44. Routing Filters (cont)Routing Filters (cont)  Packet filters obviate the need for route filtersPacket filters obviate the need for route filters  Route filtering becomes difficult or impossibleRoute filtering becomes difficult or impossible in the presence of complex technologiesin the presence of complex technologies  Route squatting – using unofficial IP addressesRoute squatting – using unofficial IP addresses inside firewalls that belong to someone elseinside firewalls that belong to someone else  Difficult to choose non-addressed address spaceDifficult to choose non-addressed address space
  • 45. Dual Homed Host ArchitectureDual Homed Host Architecture
  • 46. Asymmetric RoutesAsymmetric Routes  Both sides of the firewall know nothing of oneBoth sides of the firewall know nothing of one another’s topologyanother’s topology  Solutions:Solutions:  Maintain full knowledge of the topologyMaintain full knowledge of the topology  Not feasible, too much state to keepNot feasible, too much state to keep  Multiple firewalls share state informationMultiple firewalls share state information  Volume of messages may be prohibitive, code complexityVolume of messages may be prohibitive, code complexity
  • 47. Are Dynamic Packet Filters Safe?Are Dynamic Packet Filters Safe?  Comparable to that of circuit gateways, as longComparable to that of circuit gateways, as long as the implementation strategy is simpleas the implementation strategy is simple  If administrative interfaces use physical networkIf administrative interfaces use physical network ports as the highest-level constructports as the highest-level construct  Legal connections are generally defined in terms ofLegal connections are generally defined in terms of the physical topologythe physical topology  Not if evildoers exist on the insideNot if evildoers exist on the inside  Circuit or application gateways demand userCircuit or application gateways demand user authentication for outbound traffic and are thereforeauthentication for outbound traffic and are therefore more resistant to this threatmore resistant to this threat
  • 48. Distributed FirewallsDistributed Firewalls  A central management node sets the security policyA central management node sets the security policy enforced by individual hostsenforced by individual hosts  Combination of high-level policy specification with fileCombination of high-level policy specification with file distribution mechanismdistribution mechanism  Advantages:Advantages:  Lack of central point of failureLack of central point of failure  Ability to protect machines outside topologically isolatedAbility to protect machines outside topologically isolated spacespace  Great for laptopsGreat for laptops  Disadvantage:Disadvantage:  Harder to allow in certain services, whereas it’s easy to blockHarder to allow in certain services, whereas it’s easy to block
  • 49. Distributed Firewalls DrawbackDistributed Firewalls Drawback  Allowing in certain services works if and only ifAllowing in certain services works if and only if you’re sure the address can’t be spoofedyou’re sure the address can’t be spoofed  Requires anti-spoofing protectionRequires anti-spoofing protection  Must maintain ability to roam safelyMust maintain ability to roam safely  Solution: IPsecSolution: IPsec  A machine is trusted if and only if it can performA machine is trusted if and only if it can perform proper cryptographic authenticationproper cryptographic authentication
  • 50. Where to Filter?Where to Filter?  Balance between risk and costsBalance between risk and costs  Always a higher layer that is hard to filterAlways a higher layer that is hard to filter  HumansHumans
  • 51. Dynamic Packet Filter ImplementationDynamic Packet Filter Implementation  Dynamically update packet filter’s rulesetDynamically update packet filter’s ruleset  Changes may not be benign due to orderingChanges may not be benign due to ordering  Redialing method offers greater assurance ofRedialing method offers greater assurance of securitysecurity  No special-case code necessaryNo special-case code necessary  FTP handled with user-level daemonFTP handled with user-level daemon  UDP handled just as TCP except for tear downUDP handled just as TCP except for tear down  ICMP handled with pseudoconnections andICMP handled with pseudoconnections and synthesized packetssynthesized packets
  • 52. Per-Interface Tables Consulted byPer-Interface Tables Consulted by Dynamic Packet FilterDynamic Packet Filter  Active Connection TableActive Connection Table  Socket structure decides whether data is copied toSocket structure decides whether data is copied to outside socket or sent to application proxyoutside socket or sent to application proxy  Ordinary Filter TableOrdinary Filter Table  Specifies which packets may pass in stateless mannerSpecifies which packets may pass in stateless manner  Dynamic TableDynamic Table  Forces creation of local socket structuresForces creation of local socket structures

Notas do Editor

  1. A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context.
  2. Gateway is like a NAT box, ie, a home router.
  3. One advantage over normal packet filters: the IP addr is changed. So no internal IP addr is leaked out. A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access. One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library &amp; SOCKS-aware applications on internal clients.