CSC 474/574 Information Systems Security


Slide 1: CSC 474/574 Information Systems Security, Topic 7.4 Firewalls (CSC 474/574, Dr. Peng Ning)

Slide 2: Outline
- What are firewalls?
- Types
- Filtering: packet filtering, session filtering
- Proxy: circuit level, application level
- Brief introduction to Linux firewall

Slide 3: What is a firewall?
- Device that provides secure connectivity between networks (internal/external; varying levels of trust)
- Used to implement and enforce a security policy for communication between networks
[Diagram: trusted users on the intranet behind a firewall and router; a DMZ holding publicly accessible servers; untrusted users and servers on the Internet]

Slide 4: Firewalls
- From Webster's Dictionary: a wall constructed to prevent the spread of fire
- Internet firewalls are more the moat around a castle than a building firewall
- Controlled access point

Slide 5: Firewalls can:
- Restrict incoming and outgoing traffic by IP address, ports, or users
- Block invalid packets

Slide 6: Convenient
- Give insight into traffic mix via logging
- Address Translation
- Encryption

Slide 7: Firewalls Cannot
- Protect traffic that does not cross it (routing around)
- Protect internal traffic
- Protect when misconfigured

Slide 8: Access Control
[Diagram: corporate network, DMZ network with a web server pool, and the Internet, with alerts raised at the firewall]
Security Requirement
- Control access to network information and resources
- Protect the network from attacks

Slide 9: Filtering
- Typically route packets
- Packets checked then passed
- Inbound & outbound affect when policy is checked
[Diagram: client and server with the filtering device between them]

Slide 10: Filtering
- Packet filtering: Access Control Lists
- Session filtering: Dynamic Packet Filtering, Stateful Inspection, Smart packet filtering, Context Based Access Control

Slide 11: Filtering
- Fragmentation/reassembly
- Sequence number checking
- ICMP

Slide 12: Packet Filtering
- Decisions made on a per-packet basis
- No state information saved

Slide 13: Typical Configuration
- Ports > 1024 left open
- If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work.

Slide 14: Packet Filter
[Diagram: two protocol stacks (Applications, Presentations, Sessions, Transport) with a packet-filtering router between them]

Slide 15: Session Filtering
- Packet decision made in the context of a connection
- If the packet opens a new connection, check it against the security policy
- If the packet is part of an existing connection, match it up in the state table & update the table

Slide 16: Typical Configuration
- All denied unless specifically allowed
- Dynamic protocols (FTP, H.323, RealAudio, etc.) allowed only if supported
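A toy version of the two filtering models described on slides 12 to 16, added here as an example and not taken from the lecture slides: a stateless packet filter that has to leave ports above 1024 open so replies can get back in, beside a session filter that keeps a state table under a default-deny policy. The addresses and the single allowed service (outbound HTTP) are constructed for the demo.

```python
# Added example (not from the slides). Constructed addresses: 10.0.0.0/24 is
# the intranet, 203.0.113.9 an external web server, 198.51.100.7 an outsider.
from dataclasses import dataclass

INTRANET = "10.0.0."          # constructed internal prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for a TCP connection-opening segment

def internal(ip):
    return ip.startswith(INTRANET)

def policy_allows_new(p):
    # Default deny: the only permitted new connection is outbound HTTP.
    return internal(p.src) and not internal(p.dst) and p.dport == 80 and p.syn

def stateless_filter(p):
    # Per-packet decision, no memory: to let replies to outbound connections
    # back in it must leave ports > 1024 open (slide 13), which also admits
    # unsolicited packets to those ports.
    if policy_allows_new(p):
        return "ACCEPT"
    if internal(p.dst) and p.dport > 1024:
        return "ACCEPT"
    return "DROP"

class SessionFilter:
    def __init__(self):
        self.state = set()     # 4-tuples of connections already accepted

    def filter(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return "ACCEPT"    # part of an existing connection (slide 15)
        if policy_allows_new(p):
            self.state.add(key)  # new connection permitted: record it
            return "ACCEPT"
        return "DROP"          # all denied unless specifically allowed

def demo():
    sf = SessionFilter()
    out = Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000)
    probe = Packet("198.51.100.7", 4444, "10.0.0.5", 1025, syn=True)  # unsolicited
    return {"stateless": [stateless_filter(x) for x in (out, reply, probe)],
            "stateful": [sf.filter(x) for x in (out, reply, probe)]}
```

Both filters pass the outbound request and its reply; only the session filter drops the unsolicited packet to port 1025, because it is in no state table entry and matches no allow rule.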

Slide 17: Session Filtering
- Screens ALL attempts, protects all applications
- Extracts & maintains state information
- Makes an intelligent security / traffic decision
[Diagram: protocol stacks of the communicating hosts with the dynamic state tables kept by the session filter]

Slide 18: Proxy Firewalls
- Relay for connections (Client - Proxy - Server)
- Two flavors: Application level, Circuit level

Slide 19: Application Gateways
- Understands specific applications; limited proxies available
- Proxy impersonates both sides of connection
- Resource intensive: process per connection
- HTTP proxies may cache web pages

Slide 20: Application Gateways
- More appropriate to TCP; ICMP difficult
- Block all unless specifically allowed
- Must write a new proxy application to support new protocols (not trivial!)

Slide 21: Application Gateways
- Clients configured for proxy communication
- Transparent Proxies

Slide 22: Application Layer GW/proxy
[Diagram: Telnet, FTP and HTTP proxies at the application layer of the gateway, between the protocol stacks of the two end hosts]

Slide 23: Circuit-Level Gateways
- Support more services than Application-level Gateway
- Less control over data
- Hard to handle protocols like FTP
- Clients must be aware they are using a circuit-level proxy
- Protect against fragmentation problem

Slide 24: SOCKS
- Circuit level Gateway
- Support TCP
- SOCKS v5 supports UDP, earlier versions did not
- See http://www.socks.nec.com

Slide 25: Comparison

                  Service Support                          Performance   Security
  Packet Filter   No dynamic w/o holes                     1             3
  Session Filter  Dependent on vendor for dynamic support  2             2
  Circuit GW      Dependent on vendor for dynamic support  3             2
  App. GW         Typically < 20                           4             1

Lower is better for security & performance.

Slide 26: Comparison (Cont'd)

                  Modify Client Applications?
  Packet Filter   No
  Session Filter  No
  Circuit GW      Typical, SOCKS-ify client applications
  App. GW         Unless transparent, client application must be proxy-aware & configured

Slide 27: Comparison (Cont'd)
Fragmentation and ICMP handling for Packet Filter, Session Filter, Circuit GW and App. GW; cell values as extracted from the slide, in order: Yes, Yes (SOCKS v5), No, No, Maybe, Yes, Yes.

Slide 28: Linux Firewall: iptables
- History: ipfw, ipfwadm, ipchains, iptables
- Based on the netfilter framework

Slide 29: The Netfilter Framework
- A framework for packet mangling
[Diagram: kernel protocol stack with netfilter hooks, kernel modules attached to the hooks, user space above]

Slide 30: The Netfilter Framework (Cont'd)
- Current protocols: IPv4, IPv6, and DECnet.
- Five hooks for IPv4: [1] Pre-routing hook; [2] Local-in hook; [3] Forward hook; [4] Local-out hook; [5] Post-routing hook
- A packet traversing the netfilter system: [1] -> [ROUTE] -> [3] -> [5] for forwarded packets; [ROUTE] -> [2] for packets delivered locally; locally generated packets take [4] -> [ROUTE] -> [5]

Slide 31: Packet Filtering
- A packet traversing the netfilter system: [1] -> [ROUTE] -> [3] -> [5] for forwarded packets; [ROUTE] -> [2] for packets delivered locally; locally generated packets take [4] -> [ROUTE] -> [5]
- Packet filtering only uses three of these hooks: [2] local-in, [3] forward and [4] local-out

Slide 32: IP Tables
- A packet selection system; direct descendent of ipchains
- Used for:
  - Packet filtering
  - Address Translation (NAT): masquerading, port forwarding, transparent proxying
  - Packet mangling: actual changing of packet information

Slide 33: User Space Tool: iptables
- iptables: command to configure and communicate with the kernel modules
- iptables for packet filtering: three chains, INPUT, OUTPUT, FORWARD

Slide 34: iptables for Packet Filtering
- You need three things to configure a firewall rule: Which chain? What packet pattern? What action to apply?
- Example: drop all packets from 200.200.200.1

    iptables -A INPUT -s 200.200.200.1 -j DROP

- Use man iptables on Linux to get more information.