Firewall Modified



  1. Firewalls
  2. What is a Firewall?
     - A firewall is hardware, software, or a combination of the two that monitors the packets attempting to pass through the perimeter of a network and decides whether each one may cross.
     - It is an effective means of protecting a local system or network from network-based security threats.
  3. Firewall design goals
     - All traffic from inside to outside, and vice versa, must pass through the firewall.
     - Only authorized traffic, as defined by the local security policy, is allowed to pass.
     - The firewall itself is immune to penetration, which implies a hardened system running a secured operating system.
  4. Types of controls
     - Service control: which Internet services (by address, port or protocol) may be reached, inbound or outbound
     - Direction control: the direction in which a service request may be initiated and allowed through
     - User control: which users may access which services
     - Behavior control: how a particular service is used (e.g. filtering mail to eliminate spam)
  5. Firewall capabilities
     - Defines a single choke point that keeps unauthorized users out of the protected network
     - Provides a location for monitoring security-related events (audits and alarms)
     - Serves as a convenient platform for network functions that are not security-related, such as address translation
     - Serves as a platform for IPsec (e.g. tunnel-mode virtual private networks)
  6. Firewall limitations
     - Cannot protect against attacks that bypass it (e.g. links into the network that do not pass through the firewall)
     - Cannot protect against internal threats
       - e.g. a disgruntled employee
     - Cannot protect against the transfer of every virus-infected program or file
       - because of the huge range of operating systems and file types, scanning every inbound file at the perimeter is impractical
  7. Types of Firewalls
     - Packet filters
     - Application-level gateways
     - Circuit-level gateways
  8. Packet Filters
  9. Packet Filters
     - A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards it. Rules are matched against header fields such as source and destination address, port numbers and protocol.
     - The router is typically configured to filter packets going in both directions (from and to the internal network).
     - When no rule matches, a default policy decides:
       - Discard: what is not expressly permitted is prohibited (the more conservative choice)
       - Forward: what is not expressly prohibited is permitted (easier for users, less secure)
  10. Packet-filtering examples
      Rules are matched top-down. The columns give the action, our host and port, the remote host and port, and a comment.

      Action  Ourhost  Port  Theirhost  Port  Comment
      Block   *        *     SPIGOT     *     We don't trust these people
      Allow   OUR-GW   25    *          *     Connection to our SMTP port
  11. Packet-filtering examples (continued)

      Action  Ourhost  Port  Theirhost  Port  Comment
      Block   *        *     *          *     default (everything not matched above)

      Action  Ourhost  Port  Theirhost  Port  Comment
      Allow   *        *     *          25    Connection to their SMTP
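To make the table's semantics concrete, here is an added example (not code from the original slides) of a toy rule evaluator in Python that walks the rules top-down with a default-discard policy. The hostnames OUR-GW, SPIGOT, INSIDE-PC, EXT-MAIL and EXT-ATTACKER, the INTERNAL set and the sample packets are constructed for the demo, and the `direction` and `ack_required` rule fields are additions that the slides' table does not have. The last sample packet shows why the "Connection to their SMTP" rule is weaker than it looks: because it keys on the remote port alone, an outside host that sources its packets from port 25 gets through to any internal port. The hardened rule set fixes this by accepting inbound port-25 traffic only as replies (TCP ACK set) to connections opened from inside.

```python
"""Toy packet-filtering router evaluating the rule table above.

Added example for these slides, not code from the original deck. Hostnames
OUR-GW, SPIGOT, INSIDE-PC, EXT-MAIL and EXT-ATTACKER, the INTERNAL set, the
Packet model and the `direction`/`ack_required` rule fields are constructed
for illustration; the four rules themselves are the ones in the table.
"""
from dataclasses import dataclass
from typing import Optional

INTERNAL = {"OUR-GW", "INSIDE-PC"}   # constructed: hosts on our side of the router


@dataclass(frozen=True)
class Rule:
    action: str                     # "Allow" or "Block"
    ourhost: str                    # hostname or "*"
    ourport: Optional[int]          # None stands for "*"
    theirhost: str
    theirport: Optional[int]
    comment: str = ""
    direction: str = "*"            # added field: "in", "out" or "*" (both)
    ack_required: bool = False      # added field: match only packets with TCP ACK set


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False               # TCP ACK flag; clear on the first packet of a connection


def _match(pattern, value) -> bool:
    return pattern in ("*", None) or pattern == value


def matches(rule: Rule, pkt: Packet) -> bool:
    """A packet is 'out' if its source is one of our hosts, otherwise 'in'."""
    if pkt.src in INTERNAL:
        direction, our, ourport, their, theirport = "out", pkt.src, pkt.sport, pkt.dst, pkt.dport
    else:
        direction, our, ourport, their, theirport = "in", pkt.dst, pkt.dport, pkt.src, pkt.sport
    return (_match(rule.direction, direction)
            and _match(rule.ourhost, our) and _match(rule.ourport, ourport)
            and _match(rule.theirhost, their) and _match(rule.theirport, theirport)
            and (pkt.ack or not rule.ack_required))


def filter_packet(rules, pkt: Packet, default: str = "Block") -> str:
    """First matching rule wins; the default policy applies if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# The table as written on the slides, in top-down evaluation order.
RULES = [
    Rule("Block", "*", None, "SPIGOT", None, "We don't trust these people"),
    Rule("Allow", "OUR-GW", 25, "*", None, "Connection to our SMTP port"),
    Rule("Allow", "*", None, "*", 25, "Connection to their SMTP"),
    Rule("Block", "*", None, "*", None, "default"),
]

# Hardened version of the third rule: outbound to port 25 is allowed, but inbound
# packets from a remote port 25 are accepted only as replies (ACK set) to an
# existing connection, so a remote host cannot use source port 25 to get in.
HARDENED_RULES = RULES[:2] + [
    Rule("Allow", "*", None, "*", 25, "Outbound to their SMTP", direction="out"),
    Rule("Allow", "*", None, "*", 25, "Replies from their SMTP", direction="in", ack_required=True),
    RULES[3],
]

# Constructed sample packets.
INBOUND_MAIL = Packet("EXT-MAIL", 40000, "OUR-GW", 25)             # should be allowed
FROM_SPIGOT = Packet("SPIGOT", 40000, "OUR-GW", 25)                # blocked by the first rule
OUTBOUND_MAIL = Packet("OUR-GW", 40001, "EXT-MAIL", 25)            # should be allowed
MAIL_REPLY = Packet("EXT-MAIL", 25, "OUR-GW", 40001, ack=True)     # return traffic
PROBE_FROM_25 = Packet("EXT-ATTACKER", 25, "INSIDE-PC", 6000)      # abuses the third rule


def decisions(rules) -> dict:
    return {name: filter_packet(rules, pkt) for name, pkt in [
        ("inbound_mail", INBOUND_MAIL), ("from_spigot", FROM_SPIGOT),
        ("outbound_mail", OUTBOUND_MAIL), ("mail_reply", MAIL_REPLY),
        ("probe_from_25", PROBE_FROM_25)]}


if __name__ == "__main__":
    print("table as written:", decisions(RULES))
    print("hardened:        ", decisions(HARDENED_RULES))
```

Running the block prints both decision sets: with the table as written `probe_from_25` is allowed, with the hardened rules it is blocked while mail in both directions still passes.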
  12. Attacks on packet filters
     - IP address spoofing
       - the attacker fakes an internal source address on a packet arriving from outside
       - countermeasure: a filter on the external interface that discards packets carrying an internal source address
     - Source routing attacks
       - the attacker specifies the route a packet should take, hoping to bypass security measures on the default route
       - countermeasure: block all source-routed packets
     - Tiny fragment attacks
       - the attacker splits the TCP header across several tiny fragments so that the first fragment does not contain the port numbers the filter examines
       - countermeasure: discard fragments too small to hold the transport header, or reassemble before checking
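The three countermeasures above can be applied to the raw IPv4 header before any rule lookup. The following is an added example, not code from the slides; INTERNAL_NETS and the sample packets are constructed, and the fragment checks follow RFC 1858 (drop a first fragment too short to hold the TCP header, and drop a fragment whose offset is 1, since it would overwrite the transport header carried by the first fragment).

```python
"""Header sanity checks a packet filter applies before consulting its rules.

Added example, not from the original slides. It implements the three
countermeasures listed above against raw IPv4 headers: drop packets arriving
on the external interface with an internal source address, drop packets
carrying a source-route option, and drop TCP fragments too small to contain
the TCP header (the RFC 1858 tiny-fragment and overlapping-fragment rules).
INTERNAL_NETS and the sample packets are constructed for the demo.
"""
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: our address space
TCP = 6
LSRR, SSRR = 0x83, 0x89        # IPv4 loose / strict source-route option types (RFC 791)
MIN_TCP_HEADER = 20            # bytes needed before ports and flags can be inspected


def build_ipv4(src, dst, proto=TCP, frag_offset=0, more_fragments=False,
               options=b"", payload=b"") -> bytes:
    """Construct a minimal IPv4 packet for the demo (header checksum left as zero)."""
    options = options + b"\x00" * (-len(options) % 4)          # pad option list to 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def parse_ipv4(raw: bytes) -> dict:
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ipaddress.ip_address(src),
        "proto": proto,
        "frag_offset": flags_frag & 0x1FFF,          # in 8-byte units
        "more_fragments": bool(flags_frag & 0x2000),
        "options": raw[20:ihl],
        "payload_len": total_len - ihl,
    }


def option_types(options: bytes):
    """Yield the type codes in an IPv4 option list (RFC 791 type/length/value format)."""
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:                    # End of Option List
            return
        if opt_type == 1:                    # No Operation: single byte, no length
            i += 1
            continue
        yield opt_type
        if i + 1 >= len(options):
            return
        i += max(options[i + 1], 2)          # length counts type and length bytes; never loop on 0


def ingress_check(raw: bytes, arrived_on_external: bool) -> str:
    """Return 'pass' or a 'drop: <reason>' verdict for one packet."""
    pkt = parse_ipv4(raw)
    if arrived_on_external and any(pkt["src"] in net for net in INTERNAL_NETS):
        return "drop: internal source address on external interface (spoofing)"
    if any(t in (LSRR, SSRR) for t in option_types(pkt["options"])):
        return "drop: source-routed packet"
    if pkt["proto"] == TCP:
        if pkt["frag_offset"] == 0 and pkt["payload_len"] < MIN_TCP_HEADER:
            return "drop: first fragment too small to hold the TCP header"
        if pkt["frag_offset"] == 1:
            return "drop: fragment offset 1 would overwrite the TCP header"
    return "pass"


# Constructed samples: a 20-byte all-zero payload stands in for a TCP header.
NORMAL = build_ipv4("198.51.100.7", "10.0.0.5", payload=b"\x00" * 20)
SPOOFED = build_ipv4("10.0.0.9", "10.0.0.5", payload=b"\x00" * 20)
SOURCE_ROUTED = build_ipv4("198.51.100.7", "10.0.0.5",
                           options=bytes([LSRR, 7, 4]) + ipaddress.ip_address("10.0.0.1").packed,
                           payload=b"\x00" * 20)
TINY_FRAGMENT = build_ipv4("198.51.100.7", "10.0.0.5", more_fragments=True, payload=b"\x00" * 8)
OVERLAP_FRAGMENT = build_ipv4("198.51.100.7", "10.0.0.5", frag_offset=1, payload=b"\x00" * 8)

if __name__ == "__main__":
    for name, raw in [("normal", NORMAL), ("spoofed", SPOOFED), ("source_routed", SOURCE_ROUTED),
                      ("tiny_fragment", TINY_FRAGMENT), ("overlap_fragment", OVERLAP_FRAGMENT)]:
        print(f"{name:17} {ingress_check(raw, arrived_on_external=True)}")
```

Note that the spoofing check depends on the arrival interface: the same packet with a 10.0.0.9 source is legitimate when it arrives from the inside and is only dropped on the external interface.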
  13. Packet filters: advantages and disadvantages
     - Advantages
       - Simple
       - Transparent to users
       - Very fast
     - Disadvantages
       - Rule generation is difficult: the rules must anticipate every legitimate traffic pattern
       - Lack of authentication: decisions rest on addresses and ports, which can be spoofed
  14. Application Level Gateway (proxy server)
      [Diagram: an internal host on the private network opens an inside connection to the application-level gateway; the gateway opens a separate outside connection to the external host on the Internet. The user has the illusion of a single end-to-end connection. Proxied applications: HTTP, FTP, TELNET, SMTP.]
  15. Application Level Gateway
     - Purpose
       - monitor every connection at the application layer
       - give the user the illusion of an end-to-end connection, while the gateway actually terminates the inside connection and opens a separate outside connection on the user's behalf
     - Advantage
       - more secure than a packet filter: only the few permitted applications need to be scrutinized, and they are scrutinized at the protocol level
     - Disadvantage
       - additional processing overhead on each connection (two spliced connections, with the content examined in between)
  16. Circuit Level Gateway
      [Diagram: the inside host's inside connection and the outside host's outside connection each terminate at the circuit-level gateway, which relays the "in" and "out" byte streams between them.]
  17. Circuit Level Gateway
     - Relays two TCP connections, one to the inside host and one to the outside host
     - Imposes security by limiting which such connections are allowed
     - Once a circuit is created, it usually relays traffic without examining the contents
     - Typically used when the internal users are trusted: general outbound connections are allowed, while inbound connections are proxied at the application level
     - Example: the SOCKS package
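As an added example (not from the slides, and not the SOCKS package's own code), the following Python shows the admission decision a SOCKS5-style circuit-level gateway makes on a CONNECT request (message layout per RFC 1928): the request header is parsed, the policy is applied to the client's address and the requested destination and port, and a reply code is returned. INTERNAL_NET and ALLOWED_PORTS are a constructed policy; the byte-copying relay that follows a successful reply is not shown, since by design it does nothing with the content.

```python
"""Circuit-level gateway admission check on a SOCKS5 CONNECT request (RFC 1928).

Added example, not code from the slides or from any SOCKS package. The gateway
decides whether to set up the relay from the request header alone; once it
replies 'succeeded' it would copy bytes between the two TCP connections without
looking at them (the relay loop itself is not shown). INTERNAL_NET and
ALLOWED_PORTS are a constructed policy.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed: the trusted inside
ALLOWED_PORTS = {22, 25, 80, 443}                    # constructed: outbound services we permit


class SocksError(ValueError):
    def __init__(self, rep: int):
        super().__init__(rep)
        self.rep = rep


def parse_connect(data: bytes):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; return (cmd, host, port)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise SocksError(REP_GENERAL_FAILURE)
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end = 8
    elif atyp == ATYP_IPV6:
        addr_end = 20
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + data[4]                       # one length byte, then the name
    else:
        raise SocksError(REP_ATYP_NOT_SUPPORTED)
    if len(data) < addr_end + 2:
        raise SocksError(REP_GENERAL_FAILURE)        # truncated request
    if atyp == ATYP_DOMAIN:
        host = data[5:addr_end].decode("ascii")
    else:
        host = str(ipaddress.ip_address(data[4:addr_end]))
    port = struct.unpack("!H", data[addr_end:addr_end + 2])[0]
    return cmd, host, port


def decide(client_ip: str, request: bytes) -> int:
    """Return the SOCKS5 REP code the gateway sends for this request."""
    try:
        cmd, host, port = parse_connect(request)
    except SocksError as exc:
        return exc.rep
    except ValueError:                               # e.g. non-ASCII domain name
        return REP_GENERAL_FAILURE
    if cmd != CMD_CONNECT:
        return REP_CMD_NOT_SUPPORTED                 # no BIND / UDP ASSOCIATE through this gateway
    if ipaddress.ip_address(client_ip) not in INTERNAL_NET:
        return REP_NOT_ALLOWED                       # only inside hosts may open circuits
    try:
        if ipaddress.ip_address(host) in INTERNAL_NET:
            return REP_NOT_ALLOWED                   # never relay back into our own network
    except ValueError:
        pass                                         # a domain name: resolved later, policy by port here
    if port not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED
    return REP_SUCCEEDED


def reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT, with an all-zero bind address."""
    return bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + bytes(4) + bytes(2)


def build_connect(host: str, port: int) -> bytes:
    """Constructed client request for the demo."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


if __name__ == "__main__":
    for client, host, port in [("10.1.2.3", "203.0.113.10", 443), ("10.1.2.3", "example.com", 80),
                               ("10.1.2.3", "10.0.0.5", 22), ("203.0.113.9", "203.0.113.10", 80),
                               ("10.1.2.3", "203.0.113.10", 6667)]:
        print(client, host, port, "->", hex(decide(client, build_connect(host, port))))
```

The point of the design is that everything the gateway needs to decide is in the first few bytes of the circuit; after `reply(REP_SUCCEEDED)` the application data is opaque to it, which is exactly why this type of gateway is only appropriate where the inside users are trusted.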
  18. Bastion Host
     - It is a critical strong point in the network's security.
     - A bastion host is a system that hosts an application-level gateway, a circuit-level gateway, or both.
     - Only the services that the network administrator considers essential are installed on the bastion host. These include proxies such as Telnet, DNS, FTP and SMTP, and user authentication.
     - It runs a secure (hardened) version of its operating system.
  19. Characteristics
     - Runs a secure version of its operating system, making it a trusted system
     - Only the essential services are installed
     - May require additional authentication before a user is allowed access to the proxy services
     - Each proxy is configured to support only a subset of the application's command set
     - Maintains detailed audit logs of all traffic and of each connection
     - Each proxy allows access only to specific host systems
     - Each proxy module is a very small software package specifically designed for network security, so it can be checked for flaws
     - Each proxy is independent of the other proxies on the bastion host
  20. Firewall Configurations
  21. Screened host firewall, single-homed bastion configuration
     - The firewall consists of two systems:
       - a packet-filtering router
       - a bastion host
     - Configuration of the packet-filtering router:
       - for traffic from the Internet, only packets destined for the bastion host are allowed in
       - for traffic from the internal network, only packets from the bastion host are allowed out
     - The bastion host performs authentication and proxy functions.
  22. Screened host firewall, single-homed bastion configuration (continued)
     - Greater security than a packet filter or an application gateway alone, for two reasons:
       - this configuration implements both packet-level and application-level filtering, allowing considerable flexibility in defining the security policy
       - an intruder must generally penetrate two separate systems before the internal network is compromised
     - This configuration also affords flexibility in providing direct Internet access to a public information server (e.g. a Web server) whose security requirements are lower, by letting the router pass its traffic directly.
  23. Screened host firewall, dual-homed bastion configuration
     - The bastion host has two network interfaces: one on the router's segment and one on the private network.
     - If the packet-filtering router is compromised, traffic still cannot flow directly through the router between the Internet and other hosts on the private network.
     - Traffic between the Internet and other hosts on the private network has to flow through the bastion host.
  24. Screened subnet firewall configuration
     - The most secure of the three configurations
     - Two packet-filtering routers are used: one between the bastion host and the Internet, one between the bastion host and the internal network
     - Together they create an isolated sub-network (the screened subnet) that holds the bastion host and any public information servers
  25. Screened subnet firewall configuration (continued)
     - Advantages
       - Three levels of defense (two routers and the bastion host) stand between an intruder and the internal network
       - The outside router advertises only the existence of the screened subnet to the Internet, so the internal network is invisible from outside
       - The inside router advertises only the existence of the screened subnet to the internal network, so internal systems cannot construct direct routes to the Internet
  26. Trusted Systems
     - One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology.
  27. Data Access Control
     - Through the user access control procedure (logon), a user is identified to the system.
     - Associated with each user there can be a profile that specifies permissible operations and file accesses.
     - The operating system can then enforce rules based on the user profile.
  28. General models of access control:
     - Access matrix
     - Access control list
     - Capability list
  29. Access Control Matrix
      Rows are subjects, columns are objects; each cell holds the access rights of that subject to that object (reconstructed from the decompositions on the following slides).

                  Program1        Segment A      Segment B
      Process1    Read, Execute   Read, Write
      Process2                                   Read
  30. Access Matrix: basic elements of the model
     - Subject: an entity capable of accessing objects (e.g. a process)
     - Object: anything to which access is controlled (e.g. files, programs, segments of memory)
     - Access right: the way in which an object may be accessed by a subject (e.g. read, write, execute)
  31. Access control list: decomposition of the matrix by columns
     - Access control list for Program1: Process1 (Read, Execute)
     - Access control list for Segment A: Process1 (Read, Write)
     - Access control list for Segment B: Process2 (Read)
  32. Access Control List
     - For each object, an access control list lists the users and their permitted access rights.
  33. Capability list: decomposition of the matrix by rows
     - Capability list for Process1: Program1 (Read, Execute), Segment A (Read, Write)
     - Capability list for Process2: Segment B (Read)
  34. Capability list
     - A capability ticket specifies the authorized objects and operations for a user.
     - Each user has a number of tickets.
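The following added example (not from the slides) builds the access matrix above in Python and derives both decompositions from it, then shows the practical difference between them: an ACL answers "who can access this object" with one lookup, a capability list answers "what can this subject access" with one lookup, and revoking a right is a single column edit in the ACL but a search across every subject's tickets. The matrix entries are the ones given on the slides; the helper function names are illustrative.

```python
"""Access matrix and its two decompositions (added example, not from the slides).

The matrix is the one on the slides: subjects Process1 and Process2, objects
Program1, Segment A and Segment B. The helper functions are illustrative.
"""
from collections import defaultdict

ACCESS_MATRIX = {
    "Process1": {"Program1": {"Read", "Execute"}, "Segment A": {"Read", "Write"}},
    "Process2": {"Segment B": {"Read"}},
}


def to_acl(matrix):
    """Column-wise decomposition: one list per object, naming subjects and their rights."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    return dict(acl)


def to_capabilities(matrix):
    """Row-wise decomposition: one ticket list per subject."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}


def allowed_by_acl(acl, subject, obj, right) -> bool:
    """Object-side check: the monitor guarding `obj` looks the subject up in its list."""
    return right in acl.get(obj, {}).get(subject, set())


def allowed_by_capability(caps, subject, obj, right) -> bool:
    """Subject-side check: the subject presents a ticket naming `obj` and the right."""
    return right in caps.get(subject, {}).get(obj, set())


def who_can(acl, obj, right):
    """Cheap with an ACL: read one column."""
    return sorted(s for s, rights in acl.get(obj, {}).items() if right in rights)


def what_can(caps, subject):
    """Cheap with capabilities: read one row."""
    return sorted((obj, right) for obj, rights in caps.get(subject, {}).items() for right in rights)


def revoke_from_object(acl, caps, obj, right):
    """Revocation: one column edit in the ACL, but every subject's ticket list must be searched."""
    for subject in list(acl.get(obj, {})):
        acl[obj][subject].discard(right)
    for tickets in caps.values():
        if obj in tickets:
            tickets[obj].discard(right)


def decompositions_agree(matrix, subjects, objects, rights) -> bool:
    """Both representations must answer every (subject, object, right) query identically."""
    acl, caps = to_acl(matrix), to_capabilities(matrix)
    return all(allowed_by_acl(acl, s, o, r) == allowed_by_capability(caps, s, o, r)
               for s in subjects for o in objects for r in rights)


if __name__ == "__main__":
    acl, caps = to_acl(ACCESS_MATRIX), to_capabilities(ACCESS_MATRIX)
    print("ACL for Segment A:", acl["Segment A"])
    print("Capabilities of Process1:", caps["Process1"])
    print("Who can read Segment B:", who_can(acl, "Segment B", "Read"))
```

Both representations encode the same matrix, so the choice between them is about which question the system asks most often and how revocation must behave, not about what is permitted.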