firewall.ppt
2. Introduction
• The Internet has made a large amount of information available
to the average computer user at home, in business and in
education.
• For many people, having access to this information is no
longer just an advantage; it is essential.
• Network security is therefore a central concern, and firewalls
are one of the main controls that provide it.
3. What is a Firewall?
A firewall
• defines a single choke point that keeps unauthorized users out of
the protected network;
• provides protection from various kinds of IP spoofing and routing
attacks;
• provides a location for monitoring security-related events;
• is a convenient platform for several Internet functions that are not
security related, such as NAT and Internet usage audits or logs;
• can serve as the platform for IPsec to implement virtual private
networks;
• must be immune to penetration, since it will itself be a target of attack.
4. What is the difference between a host-based
firewall and a network-based firewall?
A host-based firewall is installed on an individual computer to protect it from
activity occurring on its network, e.g. the Windows Firewall that ships with a
Windows-based computer.
Host-based firewalls offer some
advantages over network-based
firewalls
• Flexibility – applications and VMs (virtual machines) can be moved
between cloud environments, taking their host-based firewalls along
with them.
• Customization – a single device can be configured for individual
circumstances using custom firewall rules.
• Mobility – a laptop or mobile device with a firewall provides security
for the device in different physical locations.
• Internal protection – a customized host-based firewall can prevent
attack from within an organization by only allowing authorized
employee access to particular devices.
5. What is the difference between a host-based
firewall and a network-based firewall?
A network-based firewall is implemented at a specified point in the network
path and protects all computers on the “internal” side of the firewall from all
computers on the “external” side of the firewall, e.g. the network firewalls
Amazon provides in AWS environments.
Network-based firewalls offer significant
advantages over host-based
firewalls
• Greater security – if an attacker circumvents a host-based
firewall, they can gain direct access to the host (e.g. via a
Trojan). However, the detection and prevention systems
operating on a network-based firewall are more likely to
notice suspicious traffic generated by a Trojan as it crosses the
network boundary.
• Scalability – network-based firewalls can be scaled up as
client bandwidth demands increase.
• Availability – network-based firewall providers offer high
availability (uptime) through fully redundant power, HVAC,
and network services.
• Affordability – network-based firewalls offer much better
value for money as they do not require individual installation
and maintenance on every server.
6. Hardware firewall vs Software firewall
• Hardware firewalls are integrated into the router that sits
between a computer and the Internet. Linksys routers are
an example of a hardware firewall.
• Software firewalls are installed on individual servers. They
intercept each connection request and then determine whether
the request is valid or not. Windows Firewall is an example of
a firewall software program included with Microsoft Windows.
7. Design goals for a firewall
• First, all network traffic from inside to outside, and vice versa,
must pass through the firewall. This is achieved by physically
cutting off all access to the local network except via the firewall.
• Second, only authorized traffic, as defined by the local security
policy, will be allowed to proceed.
• Finally, the firewall itself must be resistant to penetration: it is
a trusted system running on a hardened, protected operating
system.
8. Basic Security Functions
• Packet filtering based on accept or deny
policy that is itself based on rules of the
security policy
• Application proxy gateways that provide
services to the inside users and at the
same time protect each individual host
from the “bad” outside users
9. Advantages of firewall
• Concentration of security: all modified software and
logging is located on the firewall system as opposed
to being distributed on many hosts.
• Protocol filtering: the firewall filters protocols
and services that are either not necessary or that
cannot be adequately secured from exploitation.
• Information hiding: a firewall can “hide” the
names of internal systems or electronic mail
addresses, thereby revealing less information to
outside hosts.
• Application gateways: the firewall requires
inside or outside users to connect first to the firewall
before connecting further, thereby filtering the
protocol.
10. Firewall Limitations
• Cannot protect from attacks that bypass it, e.g. sneaker net, utility
modems, trusted organisations, trusted services (e.g. SSL/SSH
tunnels whose contents the firewall cannot inspect)
• Cannot protect against access via a WLAN if it is improperly secured
against external use
• Cannot protect against malware imported via laptops, PDAs or
storage devices infected outside
• Cannot protect against internal threats, e.g. disgruntled or
colluding employees
12. Packet Filter Firewall
• A packet filtering firewall applies a set of rules to each
incoming and outgoing IP packet and then forwards or
discards the packet.
• Filtering rules are based on information contained in a network
packet.
• Source IP address
• Destination IP address
• Source and destination
transport level address
• IP protocol field
• Interface
13. Firewalls – Packet Filters
• When no rule matches a packet, a default policy decides whether
to forward or discard it:
• Default = discard (conservative: what is not expressly permitted is prohibited)
• Default = forward (permissive: what is not expressly prohibited is permitted)
• Some possible attacks on packet-filter firewalls:
– IP address spoofing
– Source routing attacks
– Tiny fragment attacks
14. Firewalls – Packet Filters
Advantages
• Low cost
• Low resource usage
• Best suited for
smaller networks
Limitations
• Examine only network- and
transport-layer headers, not
application content
• Limited support for
complex, context-dependent
rules (no notion of a connection)
• Vulnerable to address
spoofing
15. How to Configure a Packet Filter
• Start with a security policy
• Specify allowable packets in terms of logical
expressions on packet fields
• Rewrite the expressions in the syntax supported by your
vendor
General rules – least privilege
• All that is not expressly permitted is prohibited
• If you do not need it, eliminate it
16. Note: Every ruleset is followed by an implicit final rule
that blocks everything not matched by an earlier rule.
Example 1:
Suppose we want to allow inbound mail (SMTP, port 25) but only to our
gateway machine. Also suppose that traffic from some particular site
SPIGOT is to be blocked.
Solution 1:
17. Example 2:
Now suppose that we want to implement the policy “any
inside host can send mail to the outside”.
Solution 2:
This solution allows calls to come from any port on an inside
machine, and will direct them to port 25 on the outside.
Simple enough…
So why is it wrong?
18. What can be a better solution ?
• Our defined restriction is based solely
on the outside host’s port number,
which we have no way of controlling.
• An attacker can therefore reach any internal
machine and port by originating his
connection from port 25 on the outside
machine.
19. The ACK flag signifies that the packet is part of an ongoing
conversation.
Packets without the ACK flag are connection-establishment
messages, which we permit only from internal hosts; adding an
ACK condition to the reply rule therefore closes the hole.
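The rulesets of Examples 1 and 2 and the ACK-flag fix, modelled as an added Python example (not code from the original slides). Hosts are represented by names, the protected network by a fixed INSIDE set, and the three rulesets are my reconstruction of the tables the slides refer to, evaluated first-match with an implicit final deny; the host names OUR-GW, SPIGOT, host-a and the other addresses are assumptions. It shows the Example 2 flaw (an outside attacker originating from port 25 reaches an inside Telnet port) and how the ACK condition on the reply rule closes it.

```python
"""Stateless packet-filter model for the SMTP rulesets (added example).

Rules are checked first-match; the implicit final rule denies everything.
Hosts are names; INSIDE lists the protected network. The host patterns
"*", "inside" and "outside" and the host names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Union

ANY = "*"
INSIDE = frozenset({"OUR-GW", "host-a", "host-b"})   # assumed protected hosts


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; clear on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = ANY                  # "*", "inside", "outside" or a host name
    sport: Union[int, str] = ANY
    dst: str = ANY
    dport: Union[int, str] = ANY
    ack: Optional[bool] = None      # None = do not care about the ACK flag


def _host_ok(pattern: str, host: str) -> bool:
    if pattern == ANY:
        return True
    if pattern == "inside":
        return host in INSIDE
    if pattern == "outside":
        return host not in INSIDE
    return pattern == host


def _port_ok(pattern: Union[int, str], port: int) -> bool:
    return pattern == ANY or pattern == port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_host_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _host_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and (rule.ack is None or rule.ack == pkt.ack))


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule decides; the implicit final rule is deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Example 1: inbound mail only to the gateway, nothing at all from SPIGOT.
RULESET_1 = [
    Rule("deny", src="SPIGOT"),
    Rule("permit", src="outside", dst="OUR-GW", dport=25),
]

# Example 2: any inside host may send mail out. The second rule is meant to
# admit the replies, but it keys only on the outside host's source port.
RULESET_2 = [
    Rule("permit", src="inside", dst="outside", dport=25),
    Rule("permit", src="outside", sport=25, dst="inside"),
]

# The fix: replies must carry ACK; a connection-opening SYN from outside
# port 25 has ACK clear and falls through to the implicit deny.
RULESET_3 = [
    Rule("permit", src="inside", dst="outside", dport=25),
    Rule("permit", src="outside", sport=25, dst="inside", ack=True),
]

# Constructed traffic for the three rulesets.
MAIL_TO_GW = Packet("mail.example.net", 40001, "OUR-GW", 25)
MAIL_TO_OTHER = Packet("mail.example.net", 40002, "host-a", 25)
FROM_SPIGOT = Packet("SPIGOT", 40003, "OUR-GW", 25)
OUTBOUND_MAIL = Packet("host-a", 50000, "relay.example.org", 25)
REPLY = Packet("relay.example.org", 25, "host-a", 50000, ack=True)
ATTACK = Packet("attacker.example", 25, "host-a", 23)   # SYN to Telnet from port 25


if __name__ == "__main__":
    for name, pkt in [("mail to gw", MAIL_TO_GW), ("mail elsewhere", MAIL_TO_OTHER),
                      ("from SPIGOT", FROM_SPIGOT)]:
        print(f"ruleset 1 {name:15} -> {filter_packet(RULESET_1, pkt)}")
    for name, pkt in [("outbound mail", OUTBOUND_MAIL), ("reply", REPLY), ("attack", ATTACK)]:
        print(f"ruleset 2 {name:15} -> {filter_packet(RULESET_2, pkt)}   "
              f"ruleset 3 -> {filter_packet(RULESET_3, pkt)}")
```

Under RULESET_2 the ATTACK packet is permitted because it is indistinguishable from a mail reply by addresses and ports alone; under RULESET_3 the same packet is denied, while the genuine reply (ACK set) still passes. The ACK check is still a stateless heuristic: it relies on the remote end setting ACK honestly, which is why stateful filtering (slide 21) is the real fix.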
20. Security & Performance of Packet Filters
• Tiny fragment attacks
– Split the TCP header over several tiny fragments so that the
port fields are not present in the first fragment the filter checks
– Defence: either discard tiny fragments or reassemble
before checking
• Performance degradation depends on the number of rules
applied at any point
– Order rules so that the most common traffic is dealt
with first
– Correctness is more important than speed
21. Port Numbering
• TCP connection
– Server port is normally a well-known number less than 1024
– Client (ephemeral) port is a number from 1024 up to 65535
(modern systems typically pick from the range 49152–65535)
• Permanent assignment
– Ports < 1024 are assigned permanently (well-known ports)
• 20, 21 for FTP; 23 for Telnet
• 25 for SMTP; 80 for HTTP
• Variable use
– Ports ≥ 1024 must be available for a client to make any connection
– This presents a limitation for stateless packet filtering
• If a client uses port 2048, the firewall must allow incoming
traffic on this port even though it cannot tell whether it is a reply
– Better: stateful filtering remembers outgoing requests and admits
only the matching replies
22. Firewalls - Application Level Gateway (or Proxy)
• have an application-specific gateway / proxy
• has full access to the protocol
– user requests the service from the proxy
– proxy validates the request as legal
– then performs the request and returns the result to the user
– can log / audit traffic at the application level
• need a separate proxy for each service
– some services naturally support proxying
– others are more problematic
23. Firewalls - Application Level Gateway (or Proxy)
Advantages
More secure than packet filter
firewalls
Easy to log and audit incoming
traffic
Disadvantages
Additional processing overhead on
each connection
24. Firewalls - Circuit Level Gateway
• This can be a stand-alone system or a specialized
function performed by an application-level gateway for certain
applications.
• It does not permit an end-to-end TCP connection; rather, the
gateway sets up two TCP connections, one to the inside host and
one to the outside host, and relays segments between them without
examining their contents.
• A typical use of the circuit-level gateway is a situation in which
the system administrator trusts the internal users.
• The gateway can be configured to support application-level or
proxy service on inbound connections and circuit-level functions
for outbound connections.
25. Firewalls - Circuit Level Gateway
Advantages
Comparatively inexpensive and
provide anonymity to the
private network.
Disadvantages
Do not filter individual packets
26. Firewall Configurations
More Complex
Configurations
• Screened host firewall system (single-homed bastion host)
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
27. Henric Johnson
Firewall Configurations
• Greater security than single configurations, for two
reasons:
– This configuration implements both packet-level and
application-level filtering (allowing for flexibility in
defining security policy)
– An intruder must generally penetrate two separate systems.
• This configuration also affords flexibility in providing direct
Internet access (e.g. to a public information server such as a Web server).
28. Firewall Configurations
• Screened host firewall system (dual-homed bastion host)
• Even if the packet-filtering router is compromised, the internal
network is not completely compromised, because traffic cannot
bypass the bastion host
• Traffic between the Internet and other hosts on the private network has
to flow through the bastion host
30. Firewall Configurations
• Screened-subnet firewall system
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network
31. Firewall Configurations
(Screened Subnet System Advantages)
Three levels of defense to thwart intruders
The outside router advertises only the existence of the
screened subnet to the Internet (internal network is invisible
to the Internet)
The inside router advertises only the existence of the screened
subnet to the internal network (the systems on the inside network
cannot construct direct routes to the Internet)
32. The Demilitarized Zone (DMZ)
• A DMZ is a segment of a network, or a separate network, between the
protected network and the “bad external network”. It is also
commonly referred to as a service network.
• Also known as
• Data Management Zone
• Demarcation Zone
• Perimeter Network
33. Purpose
• The purpose of a DMZ on an organization network is to
provide some insulation and extra security for servers that
offer the organization's services, for protocols like
HTTP/HTTPS, FTP, DNS, and SMTP, to the general public.
• A DMZ is needed when an organization wants to expose only
some of its servers to the public while insulating the others.
34. Architecture of network DMZs
(Created using one or two Firewalls)
Single-firewall approach
• A single firewall with at least three network interfaces can be used to create a network
architecture containing a DMZ
• The external network is formed by connecting the public Internet, via the Internet
service provider (ISP) connection, to the firewall on the first network interface
• The internal network is formed from the second network interface, and the DMZ
network itself is connected to the third network interface
• Different sets of firewall rules govern traffic between the Internet and the DMZ,
the LAN and the DMZ, and the LAN and the Internet
35. Dual-firewall Approach
• Two firewalls are deployed with the DMZ network positioned between them
• The first firewall, also called the perimeter firewall, is configured
to allow external traffic destined for the DMZ only
• The second or internal firewall only allows traffic from the DMZ to
the internal network
• Considered more secure, since two devices would need to be compromised
before an attacker could access the internal LAN
37. Improving Security Through the Firewall
• For added security, it is sometimes better to use two firewalls.
• Firewalls can also be equipped with intrusion
detection systems (IDS). Many newer firewalls
now have IDS software built into them.
• Some firewalls can be fenced by IDS sensors.
Kizza - Guide to Computer Network
Security
38. How does a firewall work?
Blocks packets
based on
• Source IP address or range of addresses
• Source port (TCP/UDP)
• Destination IP address or range of addresses
• Destination port (TCP/UDP)
• Some also inspect higher layers of the OSI model
Common ports
used
• 80 HTTP
• 443 HTTPS
• 20 & 21 FTP
• 23 Telnet
• 22 SSH
• 25 SMTP
39. Sample firewall Rules
Protected server: 134.71.1.25
Protected subnet: 134.71.1.0/24
$internal refers to the internal network interface on the
firewall.
$external refers to the external network interface on the
firewall.
40. Sample Rules
Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state
Note on rule order: the result depends on how the filter resolves
multiple matches. Under pf's default "last matching rule wins"
semantics, the Block line for 134.71.1.0/24 overrides the earlier
Pass lines for ports 80, 53 and 25; under first-match semantics the
SSH (port 22) rule is shadowed by the two Block lines above it.
Keep all server Pass rules on the same side of the Block rules
(after them for last-match, before them for first-match), or mark
them "quick" so the first match is final.
41. State
When your computer makes a connection with another computer
on the network, several things are exchanged, including the
source and destination ports.
In a standard firewall configuration, most inbound ports are
blocked. This would normally cause a problem with return
traffic, since the source port is randomly assigned (different from
the destination port).
A state is a dynamic rule created by the firewall containing the
source and destination address and port combination, allowing the
desired return traffic to pass the firewall.
A single computer could have hundreds of states, depending on
the number of established connections.
Without state, your request would leave the firewall but
the reply would be blocked.
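To make the sample rules and the State slide concrete, here is an added Python example (not code from the original slides) that parses the rule lines exactly as written on slide 40, evaluates constructed packets under both first-match and pf's default last-match semantics, and keeps the state table described above so that a reply to an outbound query passes a default-deny inbound policy. The interface names are taken literally from the rules; the client address 134.71.1.50 and the outside addresses 203.0.113.7 and 198.51.100.2 are assumptions.

```python
"""Evaluator for the pf-style sample rules on the slides (added example).

Parses the rule text, evaluates packets under first-match or pf's default
last-match semantics, and records 'keep state' entries so that replies
to an outbound connection pass without a matching inbound Pass rule.
Interface names follow the slide literally; the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RULES_TEXT = """
Pass in on $external from any proto tcp to 134.71.1.25 port = 80
Pass in on $external from any proto tcp to 134.71.1.25 port = 53
Pass in on $external from any proto udp to 134.71.1.25 port = 53
Pass in on $external from any proto tcp to 134.71.1.25 port = 25
Block in log on $external from any to 134.71.1.25
Block in on $external from any to 134.71.1.0/24
Pass in on $external from any proto tcp to 134.71.1.25 port = 22
Pass out on $internal from 134.71.1.0/24 to any keep state
"""

Net = Optional[ipaddress.IPv4Network]   # None means "any"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" | "block"
    direction: str     # "in" | "out"
    iface: str
    src: Net
    dst: Net
    proto: Optional[str]
    dport: Optional[int]
    log: bool
    keep_state: bool


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _net(token: str) -> Net:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one line of the slide's 'Pass/Block in/out on IFACE ...' syntax."""
    toks = line.replace("=", " ").split()
    on = toks.index("on")
    return Rule(
        action=toks[0].lower(),
        direction=toks[1].lower(),
        iface=toks[on + 1],
        src=_net(toks[toks.index("from") + 1]),
        dst=_net(toks[toks.index("to") + 1]),
        proto=toks[toks.index("proto") + 1].lower() if "proto" in toks else None,
        dport=int(toks[toks.index("port") + 1]) if "port" in toks else None,
        log="log" in toks[2:on],
        keep_state="keep" in toks and "state" in toks,
    )


def _in_net(net: Net, addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or r.proto == p.proto)
            and _in_net(r.src, p.src) and _in_net(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))


class Firewall:
    def __init__(self, rules_text: str, last_match: bool = True):
        self.rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
        self.last_match = last_match          # pf default: last matching rule wins
        self.states: Set[Tuple] = set()       # (proto, src, sport, dst, dport)
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        # A reply to a tracked connection is passed without consulting the rules.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass"
        winner = None
        for r in self.rules:
            if rule_matches(r, p):
                winner = r
                if not self.last_match:
                    break
        if winner is None:
            return "block"                    # implicit default deny
        if winner.action == "block" and winner.log:
            self.log.append(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        if winner.action == "pass" and winner.keep_state:
            self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return winner.action


def demo(last_match: bool) -> Dict[str, object]:
    """Run constructed packets through the slide's ruleset in a fixed order."""
    fw = Firewall(RULES_TEXT, last_match)
    http = Packet("in", "$external", "tcp", "203.0.113.7", 51515, "134.71.1.25", 80)
    ssh = Packet("in", "$external", "tcp", "203.0.113.7", 51516, "134.71.1.25", 22)
    query = Packet("out", "$internal", "udp", "134.71.1.50", 40000, "198.51.100.2", 53)
    reply = Packet("in", "$external", "udp", "198.51.100.2", 53, "134.71.1.50", 40000)
    return {
        "http": fw.decide(http),
        "ssh": fw.decide(ssh),
        "reply_without_state": fw.decide(reply),   # before the query: unsolicited
        "dns_query": fw.decide(query),             # creates the state entry
        "dns_reply": fw.decide(reply),             # now matched by state
        "logged": len(fw.log),
    }


if __name__ == "__main__":
    print("last-match :", demo(True))
    print("first-match:", demo(False))
```

Running it shows the ordering problem from both sides: with last-match semantics HTTP to the server is blocked and SSH passes, with first-match semantics HTTP passes and SSH is blocked (and logged by the Block log rule). The DNS reply is blocked when it arrives unsolicited but passes once the outbound query has created a state entry, which is exactly the behaviour the State slide describes.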