Internet Security Firewalls

Similar documents
Internet Security: Firewall

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Why Firewalls? Firewall Characteristics

10 Defense Mechanisms

Computer Security and Privacy

Chapter 9. Firewalls

Indicate whether the statement is true or false.

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CSC Network Security

COMPUTER NETWORK SECURITY

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

CSC 474/574 Information Systems Security

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Protection of Communication Infrastructures

CyberP3i Course Module Series

SE 4C03 Winter 2005 Network Firewalls

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

COSC 301 Network Management

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Information Systems Security

Advanced Security and Mobile Networks

CSE 565 Computer Security Fall 2018

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

CHAPTER 8 FIREWALLS. Firewall Design Principles

Firewall and IDS/IPS. What is a firewall?

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Broadcast Infrastructure Cybersecurity - Part 2

CTS2134 Introduction to Networking. Module 08: Network Security

20-CS Cyber Defense Overview Fall, Network Basics

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

Application Firewalls

Implementing Firewall Technologies

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Configuring IP Session Filtering (Reflexive Access Lists)

Firewalls, Tunnels, and Network Intrusion Detection

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Unit 4: Firewalls (I)

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Network Security and Cryptography. 2 September Marking Scheme

Chapter 8 roadmap. Network Security

Introduction to Firewalls using IPTables

Network Security. Thierry Sans

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Configuring NAT Policies

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

ipro-04n Security Configuration Guide

Attack Prevention Technology White Paper

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

CSE 461 Midterm Winter 2018

IT Security Chapter 04: Security Architectures and Firewalls Joachim Charzinski

HP High-End Firewalls

Sample excerpt. Virtual Private Networks. Contents

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

DMZ Networks Virtual Private Networks Distributed Firewalls Summary of Firewall Locations and Topologies

CSE 565 Computer Security Fall 2018

Avaya Port Matrix: Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Distributed Systems. Lecture 14: Security. 5 March,

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Configuring NAT for IP Address Conservation

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Finding Feature Information

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

Sirindhorn International Institute of Technology Thammasat University

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Advanced Security and Forensic Computing

HP Load Balancing Module

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Network Security Fundamentals

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Fundamentals of Network Security v1.1 Scope and Sequence

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

IP Access List Overview

Networking IP filtering and network address translation

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Firewall Simulation COMP620

M2-R4: INTERNET TECHNOLOGY AND WEB DESIGN

Hands-On TCP/IP Networking

Global Information Assurance Certification Paper

Chapter 3 LAN Configuration

Network Control, Con t

Cisco IPS AIM Deployment, Benefits, and Capabilities

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Transcription:

Overview Internet Security Firewalls Ozalp Babaoglu Cryptographic technologies Secure Sockets Layer IPSec Exo-structures Firewalls Virtual Private Networks ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA 2 Firewall Firewall of a car that separates the passenger compartment from the engine More like a moat around a medieval castle restricts entry to carefully controlled points prevents attackers from getting close to defenses restricts exits to carefully controlled points Firewall Combination of hardware and software to regulate traffic between an internal network and an external network (Internet) Benefits of being connected while minimizing the risks of threats 3 4

Firewall Firewall What a firewall can do? Focus security decisions Enforce security policies Log Internet activity What a firewall can t do? Protect against malicious insiders Protect against connections that bypass it Protect against completely new threats Protect against viruses and worms Set itself up correctly Problems with firewalls Interfere with the Internet end-to-end communication model Create false sense of perfect security Increase inconvenience for users 5 6 Firewall Technologies Packet Filtering Packet filtering Proxy servers Network address translation Virtual Private Networks 7 8

Packet Filtering Packet Filtering Implemented through a screening router (packet filter) Router: can the packet be routed to its destination? Screening router: should the packet be routed to its destination? Applies a set of rules to each inbound/outbound packet and then forwards or discards it Decision based on information in the IP packet header IP source address IP destination address Protocol (TCP, UDP, ICMP) Source port number Destination port number Packet size Additional information Interface the packet arrives on Interface the packet will go out on 9 10 Stateful Packet Filtering Packet Filtering State information Is the packet a response to an earlier packet? Number of recent packets seen from the same host Is the packet identical to a recently seen packet? Is the packet a fragment? Advantages One screening router can protect the entire network Extremely efficient Widely available Disadvantages Hard to configure Reduces router performance Limited in the range of policies that can be implemented 11 12

Proxy Servers Dual-Homed Host Proxy Servers Specialized application programs for Internet services (HTTP, FTP, telnet, etc.) Proxy server Proxy client Need a mechanism to restrict direct communication between the internal and external networks Typically combined with caching for performance Effective only when used in conjunction with mechanisms that restrict direct communications between the internal and external hosts 13 14 Proxy Servers Network Address Translation Advantages Can perform user-level authentication Can do intelligent (application specific) filtering Can be combined with caching Can do good logging Disadvantages Require different servers for each service Require modifications to clients Allows a network to use a set of addresses internally and a different set of addresses externally Invented not for security but for conserving IP addresses Typically implemented within a router 15 16

Network Address Translation Network Address Translation Advantages Enforces firewall control over outbound traffic Restricts incoming traffic (no spontaneous connections) Hides structure and details of internal network Disadvantages Interferes with some encryption-based techniques Dynamic allocation of addresses interferes with logging Internal network cannot host externally-visible services (requires port mapping) 17 18 Network Address Translation with Port Forwarding Firewall Architectures Host-based and personal Screening Router Dual-Homed Host Screened Host Screened Subnet 19 20

Secures an individual host Available in many operating systems Commonly used to protect servers Advantages Highly customizable Host-based Firewalls Topology independent all (internal and external) attacks must go through the firewall Extensible new servers can be added to the network, with their own firewall, without the need of altering the network configuration Personal Firewalls (Incoming connections) Controls the traffic between a personal computer or workstation and a network (or Internet) 21 22 Personal Firewalls (Outgoing connections) Screening Router 23 24

Dual-Homed Host Screened Host 25 26 Bastion Host Bastion Host Basic rules to set up a bastion host: A computer on a network specifically designed and configured to resist attacks Great exposure to attacks All traffic crosses the bastion host, that can control and block/ forward it Generally runs only a few applications, mainly proxies No other hosts can be reached from outside Trusted operating system No unnecessary software (no compilers) Read-only file system (apart from strictly required write operations) Only strictly required services No user accounts Additional authentication mechanisms Extensive logging 27 28

Screened Subnet Screened Subnet Exterior router (access router) DMZ DMZ protects DMZ (De-Militarized Zone) and internal network from Internet allows incoming traffic only for bastion hosts/services. Interior router (or choke router) protects internal network from Internet and DMZ does most of packet filtering for firewall allows selected outbound services from internal network limits services between bastion host and internal network 29 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback