CSE543 - Computer and Network Security Module: Firewalls

Similar documents
Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

CS Computer and Network Security: Firewalls

CSCI 680: Computer & Network Security

CSC 474/574 Information Systems Security

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

CyberP3i Course Module Series

CSE 565 Computer Security Fall 2018

Chapter 8 roadmap. Network Security

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

ASA Access Control. Section 3

Computer Security and Privacy

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

CSC 4900 Computer Networks: Security Protocols (2)

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Configuring Access Rules

Indicate whether the statement is true or false.

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

CSC Network Security

CSC 5930/9010 Offensive Security: Lateral Movement

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Introduction to Firewalls using IPTables

CISCO EXAM QUESTIONS & ANSWERS

Implementing Firewall Technologies

CCNA Discovery 3 Chapter 8 Reading Organizer

CISNTWK-440. Chapter 5 Network Defenses

Automatic detection of firewall misconfigurations using firewall and network routing policies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Introduction to Security

Computer Network Vulnerabilities

KillTest. 半年免费更新服务

ASA/PIX Security Appliance

NSG50/100/200 Nebula Cloud Managed Security Gateway

Network Control, Con t

Definition of firewall

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Sample Defense in Depth White Paper

IC32E - Pre-Instructional Survey

Exam : SCNS_EN. Title : SCNS SCNS Tactical Perimeter Defense. Version : Demo

Detecting and Blocking Encrypted Anonymous Traffic using Deep Packet Inspection

SecBlade Firewall Cards Attack Protection Configuration Example

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Network Defenses 21 JANUARY KAMI VANIEA 1

Stateless Firewall Implementation

Filtering Trends Sorting Through FUD to get Sanity

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Configuring Firewall Access Rules

Network Address Translation Bindings

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Unit 4: Firewalls (I)

Routeros Firewall Mikrotik

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration

Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Topexam. 一番権威的な IT 認定試験ウェブサイト 最も新たな国際 IT 認定試験問題集

Internet Security: Firewall

Connection Logging. Introduction to Connection Logging

Network Security Fundamentals

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

NSG100 Nebula Cloud Managed Security Gateway

Security Device Roles

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Managing Zone-based Firewall Rules

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Wired internetworking devices. Unit objectives Differentiate between basic internetworking devices Identify specialized internetworking devices

Firewall Stateful Inspection of ICMP

Network Security. Thierry Sans

Connection Logging. About Connection Logging

Exam Name: Implementing Cisco Edge Network Security Solutions

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Training UNIFIED SECURITY. Signature based packet analysis

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Network Defenses 21 JANUARY KAMI VANIEA 1

Introduction to Network Security Missouri S&T University CPE 5420 Network Access Control

Activating Intrusion Prevention Service

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature

Fundamentals of Network Security v1.1 Scope and Sequence

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

HikCentral V.1.1.x for Windows Hardening Guide

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Cisco Cloud Web Security Troubleshooting Guide

Transparent or Routed Firewall Mode

Transcription:

CSE543 - Computer and Network Security Module: Firewalls Professor Trent Jaeger 1

Problem All network flows were possible Into or out of our network To/from individual hosts and their processes We need to control access to protect confidentiality, integrity and secrecy What mechanism do we need? 2

Firewalls A firewall... is a physical barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse. 3

Filtering: Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or deny May perform other duties Logging (forensics, SLA) Flagging (intrusion detection) QoS (differentiated services) Application Network Link 4

X-Listing Blacklisting - specifying specific connectivity that is explicitly disallowed E.g., prevent connections from badguys.com Whitelisting - specifying specific connectivity that explicitly allowed E.g., allow connections from goodguys.com These is useful for IP filtering, SPAM mitigation, Q: What access control policies do these represent? 5

Stateful, Proxy, and Transparent Single packet may not contain sufficient data to make access control decision Stateful: allows historical context consideration Firewall collects data over time e.g., TCP packet is part of established session Firewalls can affect network traffic Transparent: appear as a single router (network) Proxy: receives, interprets, and reinitiates communication (application) Transparent good for speed (routers), proxies good for complex state (applications) 6

DMZ (De-militarized Zone) (servers) Internet LAN LAN Zone between LAN and Internet (public facing) 7

Practical Issues and Limitations Network layer firewalls are dominant DMZs allow multi-tiered fire-walling Tools are widely available and mature Personal firewalls gaining popularity Issues Network perimeters not quite as clear as before E.g., telecommuters, VPNs, wireless, Every access point must be protected E.g., this is why war-dialing/driving is effective Hard to debug, maintain consistency and correctness Often seen by non-security personnel as impediment E.g., Just open port X so I can use my wonder widget 8

IP Firewall Policy Specifies what traffic is (not) allowed Maps attributes to address and ports Example: HTTP should be allowed to any external host, but inbound only to web-server 9

Practical Firewall Implementations Primary task is to filter packets But systems and requirements are complex Consider All the protocols and services Stateless vs. stateful firewalls Network function: NAT, forwarding, etc. Practical implementation: Linux iptables http://www.netfilter.org/documentation/howto/packetfiltering-howto.html http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/chiptables.html 10

Deep Packet Inspection Deep packet inspection looks into the internals of a pack to look for some application/content context e.g., inspect HTTP for URLs that point to malicious websites Can have serious privacy issues if done by, say COMCAST To specify a match in iptables iptables -A INPUT -p tcp -m string --algo bm --string exe matches to packet with content containing exe iptables -A INPUT -p tcp -m length --length 10:100 matches to packet with length between 10 and 100 bytes Also, can specify greater than 10 by 10: 11

Firewall Policy Design So, what is the problem with the firewall rules... accept tcp 192.168.0.0/16 any deny tcp 192.168.1.0/24 any 3127 This may be a simple problem, but Rules now have complex actions 12

FIREMAN Static analysis tool for detecting incorrect, inefficient, or inconsistent firewall rules Using something called binary decision diagrams Finds real misconfigurations Classify misconfigurations Applies intra- and inter-firewalls 13

Misconfigurations Consider the following rules 1. deny tcp 10.1.1.0/25 any 2. accept udp any 192.168.1.0/24 3. deny tcp 10.1.1.128/25 any 4. deny udp 172.16.1.0/24 192.168.1.0/24 5. accept tcp 10.1.1.0/24 any 6. deny udp 10.1.1.0/24 192.168.0.0/16 7. accept udp 172.16.1.0/24 any Compare Rules 2 and 4 Compare Rules 1, 3, and 5 Compare Rules 4 and 7 Compare Rules 2 and 6 14

Misconfigurations Violations What is the security goal? Inconsistencies (possibly between firewalls) Shadowing: Accept (denies) all packets already denied (accepted) - E.g., 2 and 4 Generalization: Matches superset of preceding, but takes a different action - E.g., 4 and 7 Correlation: Matches subset of preceding, but takes a different action - E.g., 2 and 6 Inefficiencies Redundancy: Remove rule and no change Verbosity: Summarize with fewer rules 15

Analysis What is static analysis? Analyze without running program (firewall rules) Approximate all possible executions at once For a firewall Track all packets that have been accepted (A), denied (D), diverted (F) before this rule - remaining (R) is implied jth rule defines <Pj, actionj> Aj, Dj, Fj identify the packets accepted, denied, or diverted prior to rule j Analysis Update the state of A, D, F, R at each rule Evaluate for shadowing, generalization, correlation, etc. 16

Analysis Rules Problems detected by comparing sets (A, D, F, R, P) In a good rule, packets affected are only in remaining For an bad deny rule, suppose Pj and Rj have no intersection (always a problem) (Pj, Deny) where Pj subset Aj - shadowing Already accepted all the packets to be denied here (Pj, Deny) where Pj intersect Aj = NULL - redundant Already denied all the remaining For a maybe bad deny rule, if Pj and Rj are not related by subset or intersection Pj and Dj have an intersection - correlation 17

Analysis Example Consider the following rules 1. deny tcp 10.1.1.0/25 any 2. accept udp any 192.168.1.0/24 3. deny tcp 10.1.1.128/25 any 4. deny udp 172.16.1.0/24 192.168.1.0/24 5. accept tcp 10.1.1.0/24 any 6. deny udp 10.1.1.0/24 192.168.0.0/16 7. accept udp 172.16.1.0/24 any Rules for A: 2, 5, 7 Rules for D: 1, 3, 4, 6 At Rule 4: P4 has no intersection with remaining R4 any 192.168.1.0/24 in A4 (from Rule 2) P4 is a subset of A4 Shadowing At Rule 6: Traffic in P6 intersects of A6 (from Rule 2) Correlation 18

Take Away A firewall is an authorization mechanism for network flows Control packet flows to subnets, hosts, ports Scan a rulebase for matching rule for packet Like Windows ACLs, but with default accept We examined the Linux iptables firewall Netfilter hooks provide complete mediation Rule chains can be connected like subroutines However, firewall rules may be misconfigured FIREMAN detects violations, inconsistencies, and inefficiencies using static analysis of rule bases Compare sets of packets at rule with those accepted, denied, etc. 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback