1 / 18

CSCI 530 Lab

CSCI 530 Lab. Firewalls. Overview. Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering Proxy Servers Firewall Architecture example netfilter & IPTables. Firewall.

lizbeth
Download Presentation

CSCI 530 Lab

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSCI 530 Lab Firewalls

  2. Overview • Firewalls • Capabilities • Limitations • What are we limiting with a firewall? • General Network Security Strategies • Packet Filtering • Proxy Servers • Firewall Architecture example • netfilter & IPTables

  3. Firewall • Hardware and/or software device which prevents communication based on a particular policy • Basic task is to control traffic between “zones of trust” • Example: Filtering traffic between the internet and local intranet

  4. Firewall Capabilities • Separate your network into logical sections • Enforce Security policy • Many services are intermittently insecure • A firewall limits the amount of exposure of particular services • Logs Internet activity • Limits your network exposure

  5. Firewall limitations • Most cannot automatically adapt to new threats • Cannot stop a malicious user - IDS • Cannot limit traffic that does not pass through it • Cannot stop viruses from permeating the network

  6. What are you limiting? • Email • File Transfer • Remote Terminal Access and Command Execution • HTTP • Other information services • Information about people, • Finger whois • Real time conferencing • Domain Name Service • Network management services • Time Service • Network File System

  7. Network Security Strategies • Least Privilege • Most fundamental principal • User or service is given privileges just for performing specific tasks • Defense In depth • Don’t just depend on one security mechanism • Choke point • Forces the attacker to use a narrow channel • So now one can monitor activities closely

  8. Security Strategies • Weakest link or “low hanging fruit” • “ a chain is as strong as its weakest link” • Attacker is going to go after the weakest link • So if you cannot eliminate it, be cautious about it. • Fail Safe Stance • If a system fails, it should deny access to the attacker • Default Deny Stance • That which is not expressly permitted is prohibited • Default Permit Stance • That which is not expressly prohibited is Permitted • Universal Participation • Every system is involved in defense • Diversity of defense • Use different types of mechanisms

  9. Definitions • Host • A computer system attached to the network • Dual-Homed Host • A host with two network interfaces • Bastion Host • A host which is the portal to a network. It is normally extremely secure. This is normally also a dual-homed host. • Packet • The fundamental unit of data, used for communication on the internet

  10. Firewall – Packet Filtering • Set of rules that either allow or disallow traffic to flow through the firewall • Can filter based on any information in the Packet Header • IP Source Address • IP destination address • Protocol • Source Port • Destination Port • Message type • Interface the packets arrive on and leave

  11. Proxy Servers • Specialized application or server programs that run on a firewall host • Normally a bastion host • These programs sit in between the internal users and servers outside serving for internet applications like telnet, ftp, http… • So instead of talking directly to the external server the requests pass through the proxy • Also called as application level gateways

  12. Proxy servers • How do they work • Proxy server ‘Ps’ • Proxy client ‘Pc’ • Pc talks to the Ps which intern talks to the real server for it, • Before that it checks the security policy and decides whether to go ahead with the connection or not.

  13. Firewall ArchitecturesDual-Homed Bastion Host INTERNET Firewall Dual Homed Host

  14. Firewall ArchitecturesDual-Homed Bastion Host • Dual homed Host Firewall • Built around dual homed bastion host • Host are capable of routing packets between networks • The host sits between the networks, filtering the traffic between the two • It only provides services by proxy

  15. Netfilter http://www.netfilter.org/ • The software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. • Enables packet filtering, network address [and port] translation (NA[P]T). • It is the re-designed and heavily improved successor of ipchains and ipfwadm • set of hooks inside the Linux kernel • allows kernel modules to register callback functions with the network stack • A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

  16. IPtables • an interface to the kernel for firewall rules • inserts and deletes rules from the kernel's packet filtering table • IPtables and netfilter make the backbone of packet-filtering based linux firewalls

  17. Packet Filtering - IPtables • A packet is checked against the rule chains and its fate is decided by the chain • Three sets of rule Chains • INPUT • FORWARD • OUTPUT • A packet comes in, kernel checks for the destination (routing) • If it is for this host, it is passed to INPUT chain • If forwarding enabled, the packet is forwarded to the destination if it is ACCEPTED by the FORWARD chain • If packet is generated in the same box and is being issued out, the OUTPUT chain is referred. • Rules are matched in a chain in a chronological order looking for a match, • If no match is found till the end, decision is taken according to your security policy

  18. IPTables Example iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP • -A append the rule to the input chain • -s source ip • -p protocol • -j action to be taken

More Related