CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

Similar documents
CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

Computer Security and Privacy

Protection of Communication Infrastructures

Internet Security: Firewall

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Why Firewalls? Firewall Characteristics

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Internet Security Firewalls

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Interconnecting Networks with TCP/IP

Information Systems Security

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

20-CS Cyber Defense Overview Fall, Network Basics

Inexpensive Firewalls

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Unit 4: Firewalls (I)

Guide To TCP/IP, Second Edition UDP Header Source Port Number (16 bits) IP HEADER Protocol Field = 17 Destination Port Number (16 bit) 15 16

Attack Prevention Technology White Paper

b. Suppose the two packets are to be forwarded to two different output ports. Is it

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Introduction to TCP/IP networking

Chapter 8 roadmap. Network Security

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

CSC Network Security

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

CSE 565 Computer Security Fall 2018

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

CE Advanced Network Security

Advanced Security and Mobile Networks

Filtering Trends Sorting Through FUD to get Sanity

EE 610 Part 2: Encapsulation and network utilities

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

CS 458 Internet Engineering Spring First Exam

10 Defense Mechanisms

Network Working Group. Updates: 1858 June 2001 Category: Informational. Protection Against a Variant of the Tiny Fragment Attack

Lecture 18 Overview. Last Lecture. This Lecture. Next Lecture. Internet Protocol (1) Internet Protocol (2)

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

CHAPTER 8 FIREWALLS. Firewall Design Principles

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Computer and Network Security

Packet Header Formats

Introduction to Internet. Ass. Prof. J.Y. Tigli University of Nice Sophia Antipolis

TCP /IP Fundamentals Mr. Cantu

Advanced Security and Forensic Computing

DMZ Networks Virtual Private Networks Distributed Firewalls Summary of Firewall Locations and Topologies

CMPE 80N: Introduction to Networking and the Internet

CCNA Course Access Control Lists

Configuring ACLs. ACL overview. ACL categories. ACL numbering and naming

CSE 565 Computer Security Fall 2018

CSC 474/574 Information Systems Security

Unit 2.

Chapter 9. Firewalls

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

CSCE 813 Internet Security Network Access Control

Network Security. Thierry Sans

CyberP3i Course Module Series

Fundamentals of Network Security v1.1 Scope and Sequence

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

COMPUTER NETWORK SECURITY

History Page. Barracuda NextGen Firewall F

Configuring attack detection and prevention 1

CS 3516: Advanced Computer Networks

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

STEVEN R. BAGLEY PACKETS

Network Control, Con t

Network Interconnection

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

TCP/IP Transport Layer Protocols, TCP and UDP

CPSC156a: The Internet Co-Evolution of Technology and Society. Lecture 4: September 16, 2003 Internet Layers and the Web

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

CSc 466/566. Computer Security. 18 : Network Security Introduction

network security s642 computer security adam everspaugh

UMSSIA LECTURE II: NETWORKS?

ECE 358 Project 3 Encapsulation and Network Utilities

CSCI-GA Operating Systems. Networking. Hubertus Franke

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Prof. Bill Buchanan Room: C.63

Network Security Protocols and Defensive Mechanisms

Introduction to Cisco ASA Firewall Services

Broadcast Infrastructure Cybersecurity - Part 2

Global Information Assurance Certification Paper

Indicate whether the statement is true or false.

Object Groups for ACLs

SecBlade Firewall Cards Attack Protection Configuration Example

LECTURE 8. Mobile IP

Transcription:

CS155 Firewalls Simon Cooper <sc@sgi.com> CS155 - Firewalls 23 May 2002 1 of 30

Plug! Building Internet Firewalls 2nd Edition, O Reilly Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman 2 of 30

What Is A Firewall? Literally? Prevents fire from spreading! The Castle Moat Analogy Restricts access from the outside Prevents attackers from getting too close Restricts people from leaving Logically; a separator, a restrictor and an analyzer Rarely a single physical object Any place where internal and external data can meet 3 of 30

Why Firewalls? There are a lot of people on the Internet Millions of people together; bad things happen True for cities; it is true for the Internet Exchange of information; Education, Business Recreation, Social and Political Want to do something useful with your computer However; Unsolicited attention and bugs 4 of 30

Bugs, Bugs, Bugs All programs contain bugs Larger programs contain more bugs Network protocols contain design weaknesses and implementation flaws Careful (defensive) programming & protocol design is hard 5 of 30

Where Do You Put A Firewall? Between insecure systems & the Internet To separate test or lab networks For networks with more sensitive data; Financial records Student grades Secret Projects Partner or joint venture networks 6 of 30

Firewall Design & Architecture Issues Least Privilege Defense in Depth Choke Point Weakest Link Fail-Safe Stance Universal Participation Diversity of Defense Simplicity 7 of 30

Firewall Architectures Internet Routes or blocks packets, as determined by site s security policy. Screening Router Internal Network Using A Screening Router to do Packet Filtering 8 of 30

Packet Filtering IP Packet version length type of service 16-bit total length (in bytes) 16-bit identification flags 13-bit fragmentation offset 8-bit Time To Live 8-bit protocol 16-bit header checksum 32-bit source IP address 32-bit destination IP address IP options (if any) 9 of 30

Packet Filtering UDP Packet Structure version length type of service 16-bit total length (in bytes) 16-bit identification flags 13-bit fragmentation offset 8-bit Time To Live 8-bit protocol 16-bit header checksum 32-bit source IP address 32-bit destination IP address IP options (if any) 16-bit source port number 16-bit destination port number 16-bit UDP length 16-bit UDP checksum Data (if any) 10 of 30

Packet Filtering TCP Packet Structure version length type of service 16-bit total length (in bytes) 16-bit identification flags 13-bit fragmentation offset 8-bit Time To Live 8-bit protocol 16-bit header checksum 32-bit source IP address 32-bit destination IP address IP options (if any) 16-bit source port number 16-bit destination port number 32-bit sequence number 32-bit acknowledgement number h length reserved Flags 16-bit window size 16-bit TCP checksum 16-bit urgent pointer 11 of 30

Packet Filtering Summary IP Source Address IP Destination Address Protocol (TCP, UDP, ICMP, etc.) TCP or UDP Source & Destination Ports TCP Flags (SYN, ACK, etc.) ICMP message type Packet Size 12 of 30

Router Knowledge Interface packet arrives on Interface packet will go out Is the packet in response to another one? How many packets have been seen recently? Is the packet a duplicate? Is the packet an IP fragment? 13 of 30

Filtering Example Inbound SMTP SMTP Client TCP 1234 1 Internet 192.168.3.4 Firewall Internal Network 2 SMTP Server TCP 25 172.16.1.1 Packet Direction Source Address Dest Address Protocol Dest Port 1 In 192.168.3.4 172.16.1.1 TCP 25 2 Out 172.16.1.1 192.168.3.4 TCP 1234 14 of 30

Filtering Example Outbound SMTP SMTP Server TCP 25 4 Internet 192.168.3.4 Firewall Internal Network 3 SMTP Client TCP 1357 172.16.1.1 Packet Direction Source Address Dest Address Protocol Dest Port 3 Out 172.16.1.1 192.168.3.4 TCP 25 4 In 192.168.3.4 172.16.1.1 TCP 1357 15 of 30

Stateful or Dynamic Packet Filtering Client Dynamic Packet Filter Server 192.168.51.50 Filter remembers this information 172.16.3.4 Matches outgoing, so allowed in No match, so not allowed in SP = source port SA = source address DP = destination port DA = destination address 16 of 30 UDP SP = 3264 SA = 192.168.51.50 DP = 1525 DA = 172.16.3.4 UDP SP = 1525 SA = 172.16.3.4 DP = 3264 DA = 192.168.51.50 UDP SP = 1525 SA = 172.16.3.4 DP = 2049 DA = 192.168.51.50

Network Address Translation (NAT) Port and Address Translation (PAT) Client 1 10.42.6.9: 1024 Client 2 Address Translation System 192.123.2.5: 2028 192.123.2.5: 2027 Server 10.42.7.1: 1024 Inside Outside 17 of 30

Normal Fragmentation IP TCP DATA DATA IP TCP DATA IP...DATA IP DATA 18 of 30

Abnormal Fragmentation Normal IP TCP DATA IP MORE DATA Overlapping data Overlap IP TCP DATA IP DATA Overlapping headers Overlap IP IP TCP Fake TCP DATA DATA 19 of 30

Firewall Architectures Internet Firewall Screening Router Internal Network Bastion Host Screened Host Architecture 20 of 30

Bastion Host A secured system Disable all non-required services; keep it simple Install/modify services you want Run security audit to establish baseline Connect system to the network Be prepared for system to be compromised 21 of 30

Firewall Architectures Internet Bastion Host Exterior Router Perimeter Network Firewall Interior Router Internal Network Screened Subnet Architecture Using Two Routers 22 of 30

Firewall Architectures Internet Bastion Host Attacker 172.16.42.9 192.168.3.2 Exterior Router 192.168.3.X Packet Source: 10.2.3.1 (claims to be) Destination: 10.2.3.2 192.168.3.1 10.2.3.4 Perimeter Network Interior Router 10.2.3.X Internal Network 10.2.3.1 10.2.3.2 Source/Destination Address Forgery 23 of 30

Firewall Architectures Internet Firewall Dualhomed Host Internal Network Dual Homed Host Architecture 24 of 30

Proxies Application level; Dedicated proxy Circuit level; generic proxy Some protocols are natural to proxy SMTP (E-Mail) NNTP (Netnews) DNS (Domain Name System) NTP (Network Time Protocol) SOCKS - a generic proxy WinSock - almost generic proxy for Microsoft 25 of 30

Firewall Architectures Customer traffic Internet Employee traffic Backup Exterior Router 1 Exterior Router 2 Bastion Host Perimeter Network Firewall Web Server Mail 1 Mail 2 Perimeter Network Interior Router 1 Firewall Perimeter Network Interior Router 2 Internal Network An Intricate Firewall Setup 26 of 30

Firewall Architectures Internet Web Server Firewall Real Database Server Database Server Internal Network A web server using a database on a perimeter network 27 of 30

Firewall Architectures Internet Firewall Warning: We recommend against this configuration. Web Server Database Server Internal Network A web and database server on an internal network 28 of 30

Problems With Firewalls They interfere with the Internet They don t solve the real problems; buggy software bad protocols Denial of Service They are becoming more complicated Many commercial firewalls permit very complex configurations 29 of 30

CS155 - Firewalls Simon Cooper <sc@sgi.com> Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman 30 of 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback