Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Similar documents
Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Internet Security: Firewall

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Why Firewalls? Firewall Characteristics

CSE 565 Computer Security Fall 2018

CyberP3i Course Module Series

HP High-End Firewalls

Network Security. Thierry Sans

CSC Network Security

Broadcast Infrastructure Cybersecurity - Part 2

Chapter 8 roadmap. Network Security

Unit 4: Firewalls (I)

Attack Prevention Technology White Paper

COSC 301 Network Management

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Computer Security and Privacy

COMPUTER NETWORK SECURITY

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Implementing Firewall Technologies

Three interface Router without NAT Cisco IOS Firewall Configuration

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9. Firewalls

Application Firewalls

ipro-04n Security Configuration Guide

HP High-End Firewalls

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

ASA Access Control. Section 3

Network Defenses 21 JANUARY KAMI VANIEA 1

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Internet Security Firewalls

Introduction to Cisco ASA Firewall Services

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

SecBlade Firewall Cards Attack Protection Configuration Example

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Computer and Network Security

H3C SecPath Series High-End Firewalls

Global Information Assurance Certification Paper

Configuring attack detection and prevention 1

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Filtering Trends Sorting Through FUD to get Sanity

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Configuring Access Rules

Configuring attack detection and prevention 1

4. The transport layer

HP Load Balancing Module

Network Defenses KAMI VANIEA 1

10 Defense Mechanisms

Basic Concepts in Intrusion Detection

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Indicate whether the statement is true or false.

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Internet Technology 4/20/2016

SYN Flood Attack Protection Technology White Paper

Network Defenses 21 JANUARY KAMI VANIEA 1

Definition of firewall

20-CS Cyber Defense Overview Fall, Network Basics

Protection of Communication Infrastructures

Network Security Firewall Manual Building Networks for People

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

CSE 565 Computer Security Fall 2018

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

Introduction to Firewalls using IPTables

SE 4C03 Winter 2005 Network Firewalls

VG422R. User s Manual. Rev , 5

Chapter 7. Denial of Service Attacks

Network Security: Firewall, VPN, IDS/IPS, SIEM

Firewalls can be categorized by processing mode, development era, or structure.

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Configuring IP Session Filtering (Reflexive Access Lists)

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CE Advanced Network Security

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Advanced Security and Mobile Networks

Firewall and IDS/IPS. What is a firewall?

CISCO CONTEXT-BASED ACCESS CONTROL

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Configuring Commonly Used IP ACLs

Information Systems Security

CSE 565 Computer Security Fall 2018

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Corrigendum 3. Tender Number: 10/ dated

Chapter 10: Denial-of-Services

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

Configuring ARP attack protection 1

Configure Basic Firewall Settings on the RV34x Series Router

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

CSC 474/574 Information Systems Security

Fundamentals of Network Security v1.1 Scope and Sequence

Computer Network Vulnerabilities

Lab - Troubleshooting ACL Configuration and Placement Topology

Context Based Access Control (CBAC): Introduction and Configuration

MIS Weeks 11 & 12

Transcription:

Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1

Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity: data not modified during transmission Availability: systems should remain accessible Gateway Router Internal subnet Internet Dragon artwork by Jim Nelson. 2012 Paizo Publishing, LLC. Used with permission. 2

Firewall Separate your local network from the Internet Protect the border between trusted internal networks and the untrusted Internet Approaches Packet filters Application proxies Intrusion detection / intrusion protection systems 3

Screening router Border router (gateway router) Router between the internal network(s) and external network(s) Any traffic between internal & external networks passes through the border router Instead of just routing the packet, decide whether to route it Screening router = Packet filter Allow or deny packets based on Incoming interface, outgoing interface Source IP address, destination IP address Source TCP/UDP port, destination TCP/UDP port, ICMP command Protocol (e.g., TCP, UDP, ICMP, IGMP, RSVP, etc.) 4

Filter chaining An IP packet entering a router is matched against a set of rules (chain) Each rule contains criteria and an action Criteria: packet screening rule Actions Accept and stop processing additional rules Drop discard the packet and stop processing additional rules Reject and send an error to the sender (ICMP Destination Unreachable) Continue continue evaluating rules 5

Network Ingress Filtering Basic firewalling principle Never have a direct inbound connection from the originating host from the Internet to an internal host Determine which services you want to expose to the Internet e.g., HTTP & HTTPS: TCP ports 80 and 443 Create a list of services and allow only those inbound ports and protocols to the machines hosting the services. Default deny model - by default, deny all Anything not specifically permitted is dropped May want to log denies to identify who is attempting access 6

Network Ingress Filtering Disallow IP source address spoofing Restrict forged traffic (RFC 2827) At the ISP Filter upstream traffic - prohibit an attacker from sending traffic from forged IP addresses Attacker must use a valid, reachable source address Disallow incoming/outgoing traffic from private, non-routable IP addresses Helps with DDoS attacks such as SYN flooding from lots of invalid addresses access-list 199 deny ip 192.168.0.0 0.0.255.255 any log access-list 199 deny ip 224.0.0.0 0.0.0.255 any log... access-list 199 permit ip any any 7

Network Egress Filtering Usually we don t worry about outbound traffic. Communication from a higher security network (internal) to a lower security network (Internet) is fine Why might we want to restrict it? Consider: if a web server is compromised & all outbound traffic is allowed, it can connect to an external server and download more malicious code... or launch a DoS attack on the internal network Also, log which servers are trying to access external addresses 8

Stateful Inspection Retain state information about a stream of related packets Examples TCP connection tracking Disallow TCP data packets unless a connection is set up ICMP echo-reply Allow ICMP echo-reply only if a corresponding echo request was sent. Related traffic Identify & allow traffic that is related to a connection Example: related ports in FTP 9

Network Design: DMZ Screening Router Internal subnet Internet DMZ subnet Dragon artwork by Jim Nelson. 2012 Paizo Publishing, LLC. Used with permission. 10

Network Design: DMZ Screening Router Internal subnet Clients from the Internet: Can access allowed services in the DMZ Cannot access internal hosts The router: Blocks impersonated packets? DMZ subnet Internet Dragon artwork by Jim Nelson. 2012 Paizo Publishing, LLC. Used with permission. 11

Network Design: DMZ Screening Router Internal subnet Clients in the internal subnet: Can access the Internet Can access allowed services in the DMZ May access extra services in the DMZ DMZ subnet Internet Dragon artwork by Jim Nelson. 2012 Paizo Publishing, LLC. Used with permission. 12

Network Design: DMZ Screening Router Internal subnet?? Clients in the DMZ: Can access Internet services only to the extent required Can access internal services only to the extent required Goal: Limit possible damage if DMZ machines are compromised DMZ subnet Internet Dragon artwork by Jim Nelson. 2012 Paizo Publishing, LLC. Used with permission. 13

Application-Layer Filtering Deep packet inspection Look beyond layer 3 & 4 headers Need to know something about application protocols & formats to do this Example URL filtering Normal source/destination host/port filtering + URL pattern/keywords, rewrite/truncate rules, protocol content filters Detect ActiveX and Java applets; configure specific applets as trusted Filter others from the HTML code 14

IDS/IPS Intrusion Detection/Prevention Systems Identify threats and attacks Types of IDS Protocol-based Signature-based Anomaly-based 15

Protocol-Based IDS Reject packets that do not follow a prescribed protocol Permit return traffic as a function of incoming traffic Define traffic of interest (filter), filter on traffic-specific protocol/patterns Examples DNS inspection: prevent spoofing DNS replies: make sure they match IDs of DNS requests SMTP inspection: restrict SMTP command set (and command count, arguments, addresses) FTP inspection: restrict FTP command set (and file sizes and file names) 16

Signature-based IDS Don't search for protocol violations but for exploits in programming Match patterns of known bad behavior Viruses Malformed URLs Buffer overflow code 17

Anomaly-based IDS Search for statistical deviations from normal behavior Measure baseline behavior first Examples: Port scanning Imbalance in protocol distribution Imbalance in service access 18

Application proxies Proxy servers Intermediaries between clients and servers Stateful inspection and protocol validation External client Proxy server Real server Dual-homed host Bastion host 19

The End 2013-2015 Paul Krzyzanowski 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback