What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

Similar documents
Firewall and IDS/IPS. What is a firewall?

Firewall and IDS/IPS. What is a firewall?

Firewall and IDS/IPS. What is a firewall? Ingress vs. Egress firewall. M.Aime, A.Lioy - Politecnico di Torino ( ) 1

Internet Security: Firewall

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Why Firewalls? Firewall Characteristics

Chapter 9. Firewalls

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

COMPUTER NETWORK SECURITY

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

CSE 565 Computer Security Fall 2018

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Unit 4: Firewalls (I)

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

CyberP3i Course Module Series

CSC Network Security

Internet Security Firewalls

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Advanced Security and Mobile Networks

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Cisco IPS AIM Deployment, Benefits, and Capabilities

Computer Security and Privacy

CSC 474/574 Information Systems Security

Indicate whether the statement is true or false.

SRX als NGFW. Michel Tepper Consultant

10 Defense Mechanisms

Broadcast Infrastructure Cybersecurity - Part 2

WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

Chapter 8 roadmap. Network Security

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

All-in one security for large and medium-sized businesses.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Network Security. Thierry Sans

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Information Systems Security

User Role Firewall Policy

Configuring attack detection and prevention 1

CSE 565 Computer Security Fall 2018

CSCE 813 Internet Security Network Access Control

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

Networking interview questions

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Dynamic Datacenter Security Solidex, November 2009

Protection of Communication Infrastructures

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

ET4254 Communications and Networking 1

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Network Security: Firewall, VPN, IDS/IPS, SIEM

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

IBM Zürich Research Laboratory. Billy Goat Overview. James Riordan Diego Zamboni Yann Duponchel IBM Research Zurich Switzerland IBM Corporation

ASA/PIX Security Appliance

CTS2134 Introduction to Networking. Module 08: Network Security

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

High Availability Synchronization PAN-OS 5.0.3

Computer Network Vulnerabilities

ASA Access Control. Section 3

HP High-End Firewalls

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CISCO EXAM QUESTIONS & ANSWERS

Training UNIFIED SECURITY. Signature based packet analysis

Securing CS-MARS C H A P T E R

Who We Are.. ideras Features. Benefits

Application Firewalls

Overview of TCP/IP Overview of TCP/IP protocol: TCP/IP architectural models TCP protocol layers.

4. The transport layer

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Managing Latency in IPS Networks

NetDefend Firewall UTM Services

Introduction to Security

Managing SonicWall Gateway Anti Virus Service

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Configuring attack detection and prevention 1

Unit 5. System Security

HP Load Balancing Module

Advanced Security and Forensic Computing

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

BOR3307: Intro to Cybersecurity

Understanding Cisco Cybersecurity Fundamentals

CHAPTER 8 FIREWALLS. Firewall Design Principles

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

CS System Security 2nd-Half Semester Review

Transcription:

What is a firewall? Firewall and IDS/IPS firewall = wall to protect against fire propagation controlled connection between s at different security levels = boundary protection ( filter) Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dip. Automatica e Informatica at security level L1 INTERNAL NETWORK (TRUSTED) ( L1 > L2 ) at security level L2 EXTERNAL NETWORK (UNTRUSTED) Ingress vs. Egress firewall ingress firewall incoming connections typically to select the (public) services offered sometimes as part of an application exchange initiated by my users egress firewall outgoing connections typically to check the activity of my personnel (!) easy classification for channel-based services (e.g. TCP applications), but difficult for message-based services (e.g. ICMP, UDP applications) Firewall design You don t buy a firewall, you design it! (you can buy its components) we need to achieve an optimal trade-off...... between security and functionality... with minimum cost security functionality The security index 0 20 40 60 80 100 % 100 % 80 60 40 20 0 THE THREE COMMANDMENTS OF FIREWALL I. the FW must be the only contact point of the with the one II. only the authorized traffic can traverse the FW III. the FW must be a highly secure system itself D.Cheswick S.Bellovin

Authorization policies All that is not explictly permitted, is forbidden higher security more difficult to manage All that is not explictly forbidden, is permitted lower security (open gates) more easy to manage FW: basic components screening router ( choke ) router that filters traffic at level bastion host secure system, with auditing application gateway ( proxy ) service that works on behalf of an application, with access control dual-homed gateway system with two cards and routing disabled A which level the controls are made? "Screening router" architecture packet headers TCP stream UDP datagram application data application application gateway transport (TCP / UDP) circuit gateway (IP) packet filter datalink physical "Screening router" architecture "Dual-homed gateway" architecture exploits the router to filter the traffic both at IP and upper levels no need for dedicated hardware no need for a proxy and hence no need to modify the applications GW simple, easy, cheap and... insecure!

"Dual-homed gateway" architecture "Screened host" architecture easy to implement small additional hardware requirements the can be masqueraded unflexible large work overhead GW "Screened-host" architecture "Screened subnet" architecture router: blocks traffic INT > EXT unless from the bastion blocks traffic EXT > INT unless goes to the bastion exception: directly enabled services bastion host runs circuit/application gateway to control the authorized services more expensive and complex to manage (two systems rather one) more flexible (no control over some services / hosts) only the hosts/protocols passing through the bastion can be masked (unless the router uses NAT) GW "Screened subnet" architecture (De-Militarized Zone) the is home not only to the gateway but also to other hosts (tipically the public servers): Web remote access... the routing may be configured so that the is unknown expensive "Screened subnet" architecture (version 2) to reduce costs and simplify management often the routers are omitted (and their function incorporated into the gateway) AKA three-legged firewall GW

Firewall technologies different controls at various levels: (static) packet filter stateful (dynamic) packet filter cutoff proxy circuit-level gateway / proxy application-level gateway / proxy stateful inspection differences in terms of: performance protection of the firewall O.S. keeping or breaking the client-server model Packet filter historically available on routers packet inspection at level IP header transport header Packet filter: pros and cons independent of applications good scalability approximate controls: easy to fool (e.g. IP spoofing, fragmented packets) good performance low cost (available on routers and in many OS) difficult to support services with dynamically allocated ports (e.g. FTP) complex to configure difficult to perform user authentication Stateful (dynamic) packet filter similar to packet filter but state-aware state informations from the transport or application level (e.g. FTP PORT command) can distinguish new connections from those already open state tables for open connections packets matching one row in the table are passed without any further control better performance than packet filter SMP support still has many of the static packet filter limitations Application-level gateway composed by a set of proxies inspecting the packet payload at application level often requires modifications to the client application may optionally mask / renumber the IP addresses when used as part of a firewal, usually performs also peer authentication top security!! (e.g. against buffer overflow of the target application) difference between forward-proxy (egree) and reverse-proxy (ingress) Application-level gateway (1) rules are more fine-grained and simple than those of a packet filter every application needs a specific proxy delay in supporting new applications heavy on resources (many processes) low performance (user-mode processes) SMP may improve performance completely breaks the client/server model more protection for the server may authenticate the client not transparent to the client

Application-level gateway (2) the fw OS may be esposed to attacks problems with application-level security techniques (e.g. SSL) variants: transparent proxy less intrusive for the client more work (packet rerouting + dst extraction) strong application proxy (checking semantics, not just syntax) only some commands/data are forwarded this is the only correct configuration for a proxy Circuit-level gateway (1) a generic proxy (i.e. not application-aware ) creates a transport-level circuit between client and server but it doesn t understand or manipulate in any way the payload data Circuit-level gateway (2) breaks the TCP/UDP-level client/server model during the connection more protection for the server isolated from all attacks related to the TCP handshake isolated from all attacks related to the IP fragmentation may authenticate the client but this requires modification to the application still exhibits many limitations of the packet filter SOCKS is the most famous one HTTP (forward) proxy a HTTP server acting just as a front-end and then passing requests to the real server () benefits (besides ACL): shared cache of pages for all users authentication+authorization of users various controls (e.g. allowed sites, transfer direction, data types, ) (forward) proxy HTTP reverse proxy Reverse proxy: possible configurations HTTP server acting just as a front-end for the real server(s) which the requests are passed to benefits (besides ACL & content inspection): obfuscation (no info about the real server) SSL accelerator (with unprotected back-end connections ) load balancer web accelerator (=cache for static content) firewall reverse proxy firewall reverse proxy serv1 serv2 compression spoon feeding (gets from the server a whole dynamic page and feeds it to the client according to its speed, so unloading the application server) serv1 serv2 VPN

WAF (Web Application Firewall) large use of web applications = many threats WAF = module installed at a proxy (forward and/or reverse) to filter the application traffic HTTP commands header of HTTP request/response content of HTTP request/response ModSecurity plugin for Apache and NGINX (50% and 30% of worldwide HTTP servers) OWASP ModSecurity Core Rule Set (CRS) Stealth firewall firewall without an IP address, so that it cannot be directly attacked physical packet interception (by setting the interfaces in promiscuous mode) copies or discard traffic (based upon its security policy) but does not alter it in any way stealth firewall Local / personal firewall firewall directly installed at the node to be protected typically a packet filter w.r.t. a normal firewall, it may limit the processes that are allowed: to open channels towards other nodes (i.e. act as a client) to answer requests (i.e. act as a server) important to limit the diffusion of malware and trojans, or plain configuration mistakes! firewall management must be separated from system management Protection offered by a firewall a firewall is 100% effective only for attacks over/against blocked channels the other channels require other protection techniques: VPN semantic firewall / IDS application-level security F W Intrusion Detection System (IDS) definition: system to identify individuals using a computer or a without authorization extendable to identify authorized users violating their privileges hypothesis: the behavioural pattern of non-authorized users differs from that of authorized users passive IDS: IDS: functional features cryptographic checksum (e.g. tripwire) pattern matching ( attack signature ) active IDS: learning = statistical analysis of the system behaviour monitoring = active statistical info collection of traffic, data, sequences, actions reaction = comparison against statistical parameters (reaction when a threshold is exceeded)

IDS: topological features HIDS (host-based IDS) log analysis (OS, service or application) OS monitoring tools NIDS (-based IDS) traffic monitoring tools System Integrity Verifier SIV and LFM checks files / filesystems looking for changes e.g. changes to Windows registry, cron configuration, user privileges e.g. tripwire Log File Monitor checks the log files (OS and applications) looks for known patterns of successful attacks or attempts e.g. swatch NIDS components NIDS architecture sensor checks traffic and logs looking for suspect patterns generated the relevant security events interacts with the system (ACLs, TCP reset,... ) director (host) sensor(s) IDS director coordinates the sensors manages the security database IDS message system secure and reliable communication among the IDS components (net) sensor FW (host) sensor(s) (net) sensor(s) IPS Intrusion Prevention System to speed-up and automate the reaction to intrusions = IDS + distributed dynamic firewall a technology, not a product, with large impact on many elements of the protection system dangerous! may take the wrong decision and block innocent traffic often integrated in a single product IDPS Next-Generation Firewall (NGFW) application identification whatever port is used if possible, deciphering/re-ciphering the traffic user identification integration with captive portal, 802.1x, or end-point authn (Kerberos, Active Directory, LDAP, ) per-user and per-application policies filtering based also upon known vulnerabilities, threats, malware,

Unified Threat Management (UTM) integration of several products in a single device UTM- or security-appliance firewall, VPN, anti-malware, content-inspection, IDPS, the actual capabilities depend upon the manufacturer mainly targeted to reduce the number of different systems, hence the management complexity and the cost Honey pot / Honey net honey pot ( attacks) web server honey pot ( attacks) Decoy trusted host

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback