CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

Similar documents
CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

Computer Security and Privacy

Protection of Communication Infrastructures

EE 610 Part 2: Encapsulation and network utilities

Internet Security: Firewall

Introduction to TCP/IP networking

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Packet Header Formats

TCP /IP Fundamentals Mr. Cantu

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Why Firewalls? Firewall Characteristics

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Introduction to Internet. Ass. Prof. J.Y. Tigli University of Nice Sophia Antipolis

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Hands-On Ethical Hacking and Network Defense

20-CS Cyber Defense Overview Fall, Network Basics

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CHAPTER-2 IP CONCEPTS

CSCI-GA Operating Systems. Networking. Hubertus Franke

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

ECE4110 Internetwork Programming. Introduction and Overview

Need For Protocol Architecture

Need For Protocol Architecture

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

b. Suppose the two packets are to be forwarded to two different output ports. Is it

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

ECE 358 Project 3 Encapsulation and Network Utilities

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Software Engineering 4C03 Answer Key

Internet Security Firewalls

Guide To TCP/IP, Second Edition UDP Header Source Port Number (16 bits) IP HEADER Protocol Field = 17 Destination Port Number (16 bit) 15 16

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Information Systems Security

TCP/IP Transport Layer Protocols, TCP and UDP

Transport Layer. <protocol, local-addr,local-port,foreign-addr,foreign-port> ϒ Client uses ephemeral ports /10 Joseph Cordina 2005

Lecture 18 Overview. Last Lecture. This Lecture. Next Lecture. Internet Protocol (1) Internet Protocol (2)

Introduction to Information Science and Technology 2017 Networking II. Sören Schwertfeger 师泽仁

Chapter 8 roadmap. Network Security

Sirindhorn International Institute of Technology Thammasat University

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Lesson 3. IPv4 and IPv6 Protocols. Chapter-4 L03: "Internet of Things ", Raj Kamal, Publs.: McGraw-Hill Education

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

RMIT University. Data Communication and Net-Centric Computing COSC 1111/2061. Lecture 2. Internetworking IPv4, IPv6

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

Networking Technologies and Applications

Configuring IPv6 ACLs

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

Network Layer/IP Protocols

Introduction to Network. Topics

Prof. Bill Buchanan Room: C.63

network security s642 computer security adam everspaugh

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

cs144 Midterm Review Fall 2010

Internet Networking recitation #2 IP Checksum, Fragmentation

Business Data Networks and Security 10th Edition by Panko Test Bank

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Network Security. Thierry Sans

Network Technology 1 5th - Transport Protocol. Mario Lombardo -

TSIN02 - Internetworking

Computer and Network Security

CyberP3i Course Module Series

Hashing on broken assumptions

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

CSC 474/574 Information Systems Security

CS 3516: Computer Networks

Chapter 2 Advanced TCP/IP

Lesson 5 TCP/IP suite, TCP and UDP Protocols. Chapter-4 L05: "Internet of Things ", Raj Kamal, Publs.: McGraw-Hill Education

TRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016

LOGICAL ADDRESSING. Faisal Karim Shaikh.

Configuring attack detection and prevention 1

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Unit 4: Firewalls (I)

Network Security Protocols and Defensive Mechanisms

Advanced Security and Mobile Networks

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Networking Theory CSCI 201 Principles of Software Development

6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1

Packetization Layer Path Maximum Transmission Unit Discovery (PLPMTU) For IPsec Tunnels

Chapter 5 OSI Network Layer

App. App. Master Informatique 1 st year 1 st term. ARes/ComNet Applications (7 points) Anonymous ID: stick number HERE

Network Layer: Control/data plane, addressing, routers

Interconnecting Networks with TCP/IP

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Data & Computer Communication

Attack Prevention Technology White Paper

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Inexpensive Firewalls

Transport: How Applications Communicate

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

9th Slide Set Computer Networks

Introduction to Cisco ASA Firewall Services

Your Name: Your student ID number:

Fundamentals of Network Security v1.1 Scope and Sequence

Transcription:

CS155 - Firewalls Simon Cooper <sc@sgi.com> Why Firewalls? Need for the exchange of information; education, business, recreation, social and political Need to do something useful with your computer Drawbacks; unsolicited attention and bugs CS155 Firewalls 22 May 2003 1 2 Why Firewalls? There are a lot of people on the Internet Millions of people together -> bad things happen True for cities; it is true for the Internet With the Internet... Everyone is in your backyard! You can be scoped out at any time from anywhere The community discourages neighborhood watch like activities (a hot potato!) Bugs, Bugs, Bugs All programs contain bugs Larger programs contain more bugs! Network protocols contain; Design weaknesses (SSH CRC) Implementation flaws (SSL, NTP, FTP, SMTP...) Careful (defensive) programming & protocol design is hard 3 4

Literally? What is a Firewall? Prevents fire from spreading! The Castle & Moat Analogy Restricts access from the outside Prevents attackers from getting too close Restricts people from leaving <- Important!! Logically What is a Firewall? A separator, a restrictor and an analyzer Rarely a single physical object! Practically any place where internal and external data can meet 5 6 Where do you put a Firewall? Between insecure systems & the Internet To separate test or lab networks For networks with more sensitive data; Financial records Student grades Secret projects Partner or joint venture networks Firewall Design & Architecture Issues Least privilege Defense in depth (very important) Choke point Weakest links Fail-safe stance Universal participation Diversity of defense Simplicity 7 8

Packet Filtering: IPv4 Packet Header 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Version IHL Type of Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address Options Padding Using a Screening Router to do Packet Filtering http://www.faqs.org/rfcs/rfc760.html 9 10 Packet Filtering: UDP Packets 0 7 8 15 16 23 24 31 +--------+--------+--------+--------+ Source Destination Port Port +--------+--------+--------+--------+ Length Checksum +--------+--------+--------+--------+ data octets... +----------------... User Datagram Header Format Packet Filtering: TCP packet structure 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Source Port Destination Port Sequence Number Acknowledgment Number Data U A E R S F Offset Reserved R C O S Y I Window G K L T N N Checksum Urgent Pointer Options Padding data http://www.faqs.org/rfcs/rfc768.html 11 TCP Header Format http://www.faqs.org/rfcs/rfc761.html 12

Packet Filtering: Ipv6 Packet Header Version Prio. Flow Label Payload Length Next Header Hop Limit + + + Source Address + + + + + + Destination Address + + + http://www.faqs.org/rfcs/rfc1883.html Packet Filtering: Summary IP Source Address IP Destination Address Protocol/Next Header (TCP, UDP, ICMP, etc) TCP or UDP source & destination ports TCP Flags (SYN, ACK, FIN, RST, PSH, etc) ICMP message type Packet size Fragmentation 13 14 Router Knowledge Filtering Example: Inbound SMTP Interface packet arrives on Interface a packet will go out Is the packet in response to another one? How many packets have been seen recently? Is the packet a duplicate? Is the packet an IP fragment? 15 16

Filtering Example: Outbound SMTP Stateful or Dynamic Packet Filtering 17 18 Network Address Translation (NAT) Port & Address Translation (PAT) Normal Fragmentation 19 20

Abnormal Fragmentation Screened Host Architecture 21 22 Bastion Host A secured system (it will interact/accepts data from the Internet) Disable all non-required services; keep it simple Install/modify services you want Run security audit to establish baseline Connect system to network <- important Be prepared for the system to be compromised Screened Subnet Architecture Using Two Routers 23 24

Source/Destination Address Forgery Dual Homed Host Architecture 25 26 Proxies Application level; dedicated proxy (HTTP) Circuit level; generic proxy SOCKS WinSock almost generic proxy for Microsoft Some protocols are natural to proxy SMTP (E-Mail) NNTP (Net news) DNS (Domain Name System) NTP (Network Time Protocol) A Complex Firewall Setup 27 28

A web server using a database on a perimeter network 29 A web server and database server on an internal network 30 Problems with Firewalls They interfere with the Internet They don't solve the real problems; Elizabeth D. Zwicky, Simon Cooper D. Brent Chapman Questions? Buggy software Bad protocols Generally cannot prevent Denial of Service Are becoming more complicated Many commercial firewalls permit very, very complex configurations Simon Cooper <sc@sgi.com> 31 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback