Network Security
Firewalls
Firewalls
• Types of Firewalls
– Screening router firewalls
– Computer-based firewalls
– Firewall appliances
– Host firewalls (firewalls on clients and servers)
• Inspection Methods
• Firewall Architecture
• Configuring, Testing, and Maintenance
Firewalls Defined
• Separate the outside network from the inside network
• Selectively forward packets from one network to another
• Keep the bad guy's packets out
• Let the good guy's packets in
• Let everybody's packets get out
• Prevent network mapping (NAT)
Firewall
[Figure: Local Network, Firewall, Internet]

Border (Ingress) Firewall
[Figure: An attacker on the Internet (not trusted) sends an attack packet toward the Internet border firewall. Behind the firewall, a hardened client PC and a hardened server sit on the internal corporate network (trusted). The firewall records decisions in a log file; packets are labelled "passed packet (ingress)", "dropped packet (ingress)" and "passed packet (egress)".]
Proxy Function
• Store
• Filter
• Forward
Two Generic
Filter Categories
1. Circuit Filters
– Work at the Data Link and Network OSI layers
2. Application Gateways
– Work at the Transport and Application layers
Filtering Packets
• Some get through, some don't
• How do you pick?
Depends on:
– What information is available?
– What you want to protect against?
Types of Firewall Inspection
• Packet Inspection
– Examines IP, TCP, UDP, and ICMP header contents
– Static packet filtering looks at individual packets in isolation
– Stateful inspection inspects packets in the context of the packet's role in an ongoing or incipient conversation
– Stateful inspection is the preferred packet inspection method
What Information Is Available at the IP Level?
• Always available
– Source and Destination Addresses
• Filter traffic from or to IP addresses or ranges of addresses
– Packet size
• Can filter out large packets
– Port requested
• Can filter out ICMP or FTP, etc.
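The fields listed above are exactly what a static packet filter has to work with, so it is worth seeing how few bytes they come from. The following parser is an added example, not code from the slides: it builds constructed IPv4/TCP, UDP and ICMP packets with the standard library and pulls out only the header fields a filter can examine (addresses, size, protocol, ports, TCP flags, ICMP type). The packet builders, sample addresses and the `l4_unavailable` marker are assumptions of this example; the one caveat it handles is a packet whose transport header is missing (a non-first fragment, or a truncated packet), where a filter must not assume any port information.

```python
import struct
import ipaddress

# TCP flag bits and IP protocol numbers (constants chosen for this example)
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
ICMP, TCP, UDP = 1, 6, 17


def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (no options) in front of payload; checksum left zero."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def build_tcp(sport, dport, flags):
    """20-byte TCP header: data offset 5, no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp(icmp_type, code=0):
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def parse_headers(packet):
    """Extract the fields a static packet filter can see: IP, TCP/UDP/ICMP headers only."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; options make it larger than 20
    info = {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "size": total_len, "ttl": ttl}
    l4 = packet[ihl:]
    if proto == TCP and len(l4) >= 20:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", l4[:14])
        info.update(sport=sport, dport=dport,
                    syn=bool(flags & TCP_SYN), fin=bool(flags & TCP_FIN),
                    rst=bool(flags & TCP_RST), ack=bool(flags & TCP_ACK))
    elif proto == UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport)
    elif proto == ICMP and len(l4) >= 4:
        icmp_type, code = struct.unpack("!BB", l4[:2])
        info.update(icmp_type=icmp_type, icmp_code=code)
    else:
        # Unknown protocol, or no transport header present (non-first fragment, truncation):
        # the filter has no port information and must not assume any.
        info["l4_unavailable"] = True
    return info


if __name__ == "__main__":
    # Constructed sample: a TCP SYN to the telnet port from a documentation address
    sample = build_ipv4("192.0.2.10", "198.51.100.5", TCP, build_tcp(49200, 23, TCP_SYN))
    print(parse_headers(sample))
```

Everything the filter decides on comes from the dictionary `parse_headers` returns; the application message behind the headers is never read, which is the limitation the later slides on stateful and application inspection address.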
Ports to Block
• mail (25)
• http (80)
• ICMP (RFC 792)
– ping
– redirect
– traceroute
• finger (79)
• telnet (23)
• rlogin (513)
• ftp (21)
• X Windows (177)
Using Port Information
• If a TCP port is requested, a TCP-aware filter can use TCP info
• If ICMP is requested and allowed, can filter by ICMP type, e.g. allow ping but disallow traceroute
Circuit Gateways
• Stateful filters
– Who originated?
– When?
• Where did the last packet come from/go to (route)?
Info at the Application Layer
• Attachment Format
– File type
– Viruses
• Access to text in the payload
– Porn
– Sex
– Smack
– Weed
Pros and Cons
• Circuit Filters
– Advantage: Simplicity
– Disadvantage: Limited scope
• Application Filters
– Advantage: Wide scope
– Disadvantages:
• Complexity
• Performance
Some Commercial Firewalls
1. Altavista (DEC)
2. Borderware (Secure Computing Corp)
3. Cyberguard (Cyberguard Corp)
4. Eagle (Raptor Systems)
5. Firewall-1 (Checkpoint Software)
6. Gauntlet (Trusted Info Systems)
7. ON Guard (ON Technology Corp)
Firewalls Cannot:
• Be perfect.
– Bad stuff will get in/out
– Good stuff will get filtered
• Protect against insiders
Firewall Hardware and Software
• Screening Router Firewalls
– Add firewall software to router
– Usually provide light filtering only
– Expensive for the processing power—usually must upgrade hardware, too
– Screens out incoming "noise" of simple scanning attacks to make the detection of serious attacks easier
– Good location for egress filtering—can eliminate scanning responses, even from the router
Software Firewalls
• Add firewall software to a server with an existing operating system (Windows or UNIX)
• Can be purchased with power to handle any load
• Easy to use because of the known operating system
Special Purpose Computer
• Bundle software with hardened hardware and operating system software
• General-purpose operating systems may result in:
– Slower processing
– Excess functionality
– Wasted space
– Unnecessary vulnerabilities
– Etc.
Host Firewalls
• Installed on hosts themselves (servers and clients)
• May use host-specific knowledge
– For example, filter out everything but webserver transmissions on a webserver
• Client firewalls typically must be configured by users
– Might misconfigure or reject the firewall
Drivers of Performance Requirements
[Figure: Performance requirements are driven by traffic volume (packets per second) and by the complexity of filtering (number of filtering rules, complexity of rules, etc.).]
Static IP Packet Filter Firewall
[Figure: A static packet filter firewall sits between the Internet and the corporate network. Arriving packets (IP-H + TCP-H + application message, IP-H + UDP-H + application message, IP-H + ICMP message) are examined one at a time, in isolation; only the IP, TCP, UDP and ICMP headers are examined, never the application message. Each packet is either permitted (passed) or denied (dropped), and the decision is written to a log file.]
Ingress Filtering
• Prevent attack packets from entering the protected network
• Rules are applied in order
Ingress Filtering
• Deny Known Fallacious Source Addresses
– Private addresses
• 10.*.*.*
• 172.16.*.* to 172.31.*.*
• 192.168.*.*
– Internal Address Ranges
– Other obvious or known common addresses
• 1.2.3.4, 0.0.0.0, 0.0.0.1, etc.
Ingress Filtering
• Deny Known TCP Vulnerabilities
– Syn flood (TCP SYN=1 AND FIN=1)
– FTP (TCP destination port = 20)
• Supervisory control connection (TCP destination port = 21)
– Telnet (TCP destination port = 23)
– NetBIOS (TCP destination port = 135 through 139)
– UNIX rlogin (TCP destination port = 513)
– UNIX rsh launch shell without login (TCP destination port = 514)
1. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
2. If ICMP Type = 0, PASS [allow incoming echo reply messages]
3. DENY ALL
Egress Filtering
• Deny Destinations
– in the private IP address ranges
• 10.*.*.*
• 172.16.*.* to 172.31.*.*
• 192.168.*.*
– not in the internal address range
• 60.47.*.*
Egress Filtering
• Allow
– ICMP Type = 8, PASS [outgoing echo messages]
• Deny
– Protocol = ICMP [all other outgoing ICMP]
• Deny
– TCP RST = 1 [outgoing resets; used in host scanning]
Egress Filtering
• Deny Connections to Well-known Ports
– TCP source port = 0 through 49151
– UDP source port = 0 through 49151
• Allow Outgoing Client Connections
– UDP source port = 49152 through 65,536
– TCP source port = 49152 through 65,536
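The ingress and egress slides above each describe an ordered access control list where rules are applied top to bottom and the first match decides. The block below is an added example, not the slides' own material: it encodes both lists as ordered (name, predicate, action) rules and evaluates constructed packet summaries against them, so the effect of rule order can be checked directly. The internal range 60.47.0.0/16 and the "obvious" source addresses are taken from the slides; the documentation addresses used for the sample packets, the `pkt` helper and the rule names are assumptions of this example. One reading is also an assumption: the egress line "not in internal address range" is implemented as an anti-spoofing check that drops outgoing packets whose source address is not internal.

```python
import ipaddress

ICMP, TCP, UDP = 1, 6, 17
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL = ipaddress.ip_network("60.47.0.0/16")      # the slides' example internal range
BOGUS_SOURCES = {"1.2.3.4", "0.0.0.0", "0.0.0.1"}     # the slides' "obvious" addresses
RISKY_TCP_PORTS = {20, 21, 23, 513, 514} | set(range(135, 140))   # from the ingress slide


def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def pkt(src, dst, proto, **fields):
    """Constructed packet summary (the fields a header parser would hand the filter).
    TCP/UDP packets must carry sport and dport; ICMP packets carry icmp_type."""
    p = {"src": src, "dst": dst, "proto": proto,
         "sport": None, "dport": None, "icmp_type": None,
         "syn": False, "fin": False, "rst": False}
    p.update(fields)
    return p


# Each rule is (name, predicate, action). Order matters: the first match wins.
INGRESS_RULES = [
    ("deny private source",     lambda p: in_any(p["src"], PRIVATE),                           "DENY"),
    ("deny internal source",    lambda p: is_internal(p["src"]),                               "DENY"),
    ("deny bogus source",       lambda p: p["src"] in BOGUS_SOURCES,                           "DENY"),
    ("deny SYN+FIN",            lambda p: p["proto"] == TCP and p["syn"] and p["fin"],         "DENY"),
    ("deny risky TCP services", lambda p: p["proto"] == TCP and p["dport"] in RISKY_TCP_PORTS, "DENY"),
    ("deny TFTP",               lambda p: p["proto"] == UDP and p["dport"] == 69,              "DENY"),
    ("pass echo reply",         lambda p: p["proto"] == ICMP and p["icmp_type"] == 0,          "PASS"),
    ("deny all",                lambda p: True,                                                "DENY"),
]

EGRESS_RULES = [
    ("deny private destination", lambda p: in_any(p["dst"], PRIVATE),                          "DENY"),
    ("deny spoofed source",      lambda p: not is_internal(p["src"]),                          "DENY"),
    ("pass echo request",        lambda p: p["proto"] == ICMP and p["icmp_type"] == 8,         "PASS"),
    ("deny other ICMP",          lambda p: p["proto"] == ICMP,                                 "DENY"),
    ("deny outgoing RST",        lambda p: p["proto"] == TCP and p["rst"],                     "DENY"),
    ("deny low source port",     lambda p: p["proto"] in (TCP, UDP) and p["sport"] <= 49151,   "DENY"),
    ("pass client connections",  lambda p: p["proto"] in (TCP, UDP) and p["sport"] >= 49152,   "PASS"),
    ("deny all",                 lambda p: True,                                               "DENY"),
]


def evaluate(rules, p):
    """Walk the ACL top to bottom; return (action, name of the rule that decided)."""
    for name, matches, action in rules:
        if matches(p):
            return action, name
    return "DENY", "implicit deny"   # not reached while a 'deny all' rule closes the list


if __name__ == "__main__":
    samples = [
        ("ingress", INGRESS_RULES, pkt("203.0.113.9", "60.47.1.2", TCP, sport=40000, dport=23, syn=True)),
        ("ingress", INGRESS_RULES, pkt("203.0.113.9", "60.47.1.2", ICMP, icmp_type=0)),
        ("egress",  EGRESS_RULES,  pkt("60.47.1.2", "203.0.113.9", TCP, sport=49200, dport=80, syn=True)),
        ("egress",  EGRESS_RULES,  pkt("60.47.1.2", "203.0.113.9", TCP, sport=49200, dport=80, rst=True)),
    ]
    for direction, rules, p in samples:
        print(direction, p["src"], "->", p["dst"], evaluate(rules, p))
```

Two things the run makes visible. First, because the ingress list ends in "deny all" and has no notion of an existing conversation, the reply half of a connection that an inside client opened (for example a packet from TCP port 443 back to an ephemeral port) is dropped; that is the gap stateful inspection closes. Second, the order of the two RST and source-port rules matters: an outgoing reset from an ephemeral port is caught by the RST rule only because it is listed before the "pass client connections" rule.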
Firewalls
• Types of Firewalls
• Inspection Methods
– Static Packet Inspection
– Stateful Packet Inspection
– NAT
– Application Firewalls
• Firewall Architecture
• Configuring, Testing, and Maintenance
Stateful Inspection Firewalls
• State of Connection
– Open or Closed
• State
– Order of packet within a dialog
– Often simply whether the packet is part of an open connection
Stateful Inspection Firewalls
• By default, permit connection openings from internal clients to external servers
• By default, deny connection openings from the outside to inside servers
• Default behaviors can be changed with ACLs
• Accept future packets between hosts and ports in open connections with little or no further inspection
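The four default behaviours above map onto a small connection table. The class below is an added example, not code from the slides: it tracks TCP connections by their address/port pairs, passes an opening SYN only when an inside client originates it (or when an ACL exception allows an outside client to reach a listed inside server), passes later packets only if they belong to a connection it has already recorded, and removes the entry when it sees a FIN or RST. The internal range 60.47.0.0/16 is the slides' example; the `tcp` helper, the documentation addresses, the ACL-exception format and the simplification that a single FIN closes the entry are assumptions of this example.

```python
import ipaddress

TCP = 6
INTERNAL = ipaddress.ip_network("60.47.0.0/16")   # the slides' example internal range


def tcp(src, sport, dst, dport, **flags):
    """Constructed TCP packet summary (only the fields the firewall examines)."""
    p = {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": TCP,
         "syn": False, "ack": False, "fin": False, "rst": False}
    p.update(flags)
    return p


class StatefulFirewall:
    """Passes a TCP packet only when it belongs to a connection the firewall saw opened."""

    def __init__(self, inbound_acl=()):
        self.connections = {}                 # (src, sport, dst, dport) -> state
        self.inbound_acl = set(inbound_acl)   # (server_ip, port) openings allowed from outside

    @staticmethod
    def _is_internal(addr):
        return ipaddress.ip_address(addr) in INTERNAL

    def _lookup(self, p):
        """Find the table entry for this packet in either direction, or None."""
        forward = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        if forward in self.connections:
            return forward
        if reverse in self.connections:
            return reverse
        return None

    def filter(self, p):
        if p["proto"] != TCP:
            return "DENY"
        if p["syn"] and p["fin"]:
            return "DENY"                     # malformed SYN+FIN probe, never a real opening
        key = self._lookup(p)
        if p["syn"] and not p["ack"]:
            # Connection opening: apply the default policy plus ACL exceptions.
            if key is not None:
                return "PASS"                 # retransmitted SYN of a known opening
            entry = (p["src"], p["sport"], p["dst"], p["dport"])
            if self._is_internal(p["src"]) and not self._is_internal(p["dst"]):
                self.connections[entry] = "SYN_SENT"       # inside client to outside server
                return "PASS"
            if not self._is_internal(p["src"]) and (p["dst"], p["dport"]) in self.inbound_acl:
                self.connections[entry] = "SYN_SENT"       # outside client, ACL-permitted server
                return "PASS"
            return "DENY"                     # outside-initiated opening with no exception
        if key is None:
            return "DENY"                     # stray ACK/data: not part of any open connection
        if p["rst"] or p["fin"]:
            del self.connections[key]         # simplification: first FIN or RST closes the entry
        elif p["ack"]:
            self.connections[key] = "ESTABLISHED"
        return "PASS"

    def open_connections(self):
        return len(self.connections)


if __name__ == "__main__":
    fw = StatefulFirewall(inbound_acl=[("60.47.1.10", 80)])   # inside web server reachable from outside
    print(fw.filter(tcp("60.47.1.2", 49200, "203.0.113.9", 443, syn=True)))            # PASS (client opens)
    print(fw.filter(tcp("203.0.113.9", 443, "60.47.1.2", 49200, syn=True, ack=True)))  # PASS (reply half)
    print(fw.filter(tcp("203.0.113.9", 5000, "60.47.1.2", 23, syn=True)))              # DENY (outside opening)
    print(fw.filter(tcp("203.0.113.9", 443, "60.47.1.3", 49200, ack=True)))            # DENY (no such connection)
```

Compare this with a static filter that ends in "deny all": the reply from port 443 is admitted here because the table remembers that an inside client opened the conversation, while an unsolicited packet to a different inside host with the same ports is still dropped. The table also shows why the slide lists SYN floods and port switching as things stateful inspection can address: every packet is judged against a recorded conversation rather than its header fields alone.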
Stateful Inspection Firewalls
• Can prevent
– Syn flood
– Port switching
– Session hijacking
– Etc.