
Firewalls


Presentation Transcript


  1. Firewalls CSE 5349/7349

  2. Firewalls • Most widely sold solution for Internet security • "Solution in a box" appeal • Not a substitute for proper configuration management • A firewall needs to be configured properly for the intended protection; a badly configured one protects little

  3. Types of Firewalls • IP packet level: packet filtering • TCP session level: circuit gateways • Application level: application relays/gateways • Dynamic packet filtering: a combination of packet filtering and circuit-level gateways, often with application-level semantics • Related functions: NATs, IDSs, logging • Ingress vs. egress filtering (filtering traffic entering vs. leaving the network)

  4. Firewalls and OSI Layers

  OSI layer                 | Firewall functionality
  --------------------------|-------------------------------------------------------------
  7 - Application           | Application-level proxies (forward and reverse proxies)
  6 - Presentation          |
  5 - Session               | Stateful firewall (connection tracking)
  4 - Transport (TCP/UDP)   | Port filtering, circuit-level proxy
  3 - Network (IP)          | Packet filtering, address filtering (packet-filtering firewall)
  2 - Data Link             |
  1 - Physical              |

  5. Packet Filters • Read the packet header and filter on whether its fields match specific rules • Administrator makes a list of acceptable/unacceptable field values (source/destination address, protocol, port, TCP flags) • Used for ingress/egress filtering • Come in standard, specialized, and stateful models • Weaknesses: • Easy to botch rules (order matters; the first matching rule usually wins) • Logging is difficult • No authentication between end points: a rule trusts the source address in the header, which an attacker can forge

  6. Network Topology and Address Spoofing • Consider a three-network system (N1, N2, and N3) with one router acting as the firewall • N1 is the DMZ net, which holds the gateway GW • Very limited connectivity between GW and the outside • Very limited connectivity (a different, smaller set of services) between GW and N2/N3 (Why? If GW is compromised from outside, it should be able to reach as little of the inside as possible) • Anything can pass between N2 and N3 • Outgoing connections only from N2 or N3 • How to set the packet filter rules? • External nodes can spoof internal addresses: drop any packet arriving on the external interface whose source address falls in an internal address range, and place that rule ahead of every rule that trusts an internal source
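As an added worked example (not code from the slides), here is the rule set for this topology written out as a small first-match packet filter in Python. The address ranges, the gateway address, the interface names and the permitted port sets are assumptions chosen for the illustration; the anti-spoofing check is generalised to every interface, not just the external one.

```python
"""Stateless packet-filter rules for the three-network example on the slide.

This is an added illustration, not code from the slides. The address ranges,
the gateway address and the permitted port sets are assumptions chosen for
the example: N1 (DMZ) holds the gateway GW, N2 and N3 are internal, and the
single router has three interfaces, "ext", "dmz" and "int".
"""
import ipaddress
from dataclasses import dataclass

N1_DMZ = ipaddress.ip_network("192.168.1.0/24")   # assumed DMZ net
N2 = ipaddress.ip_network("10.2.0.0/16")          # assumed internal net
N3 = ipaddress.ip_network("10.3.0.0/16")          # assumed internal net
GW = "192.168.1.10"                               # assumed gateway address on N1
INTERNAL = (N1_DMZ, N2, N3)

GW_PUBLIC_PORTS = {25, 80}    # assumed: what the outside may reach on GW
GW_INSIDE_PORTS = {25}        # assumed: the smaller set GW may reach inside

# Which source ranges are legitimate on each inside-facing interface.
EXPECTED_SRC = {"dmz": (N1_DMZ,), "int": (N2, N3)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    syn: bool     # True for a TCP connection request (SYN set, ACK clear)
    iface: str    # interface the packet ARRIVED on: "ext", "dmz" or "int"


def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def spoofed(pkt):
    """Anti-spoofing: the arrival interface must be consistent with the source.

    A packet from the Internet must not carry one of our own addresses, and a
    packet on an inside interface must come from that interface's own nets.
    """
    if pkt.iface == "ext":
        return in_any(pkt.src, INTERNAL)
    return not in_any(pkt.src, EXPECTED_SRC[pkt.iface])


def inside_dst(pkt):
    return in_any(pkt.dst, (N2, N3))


# Ordered rule list: (name, predicate, action). First match wins, and the
# anti-spoofing rule sits first so no later rule can be tricked by a forged
# internal source address.
RULES = [
    ("anti-spoof", spoofed, "DROP"),
    ("inet->gw", lambda p: p.iface == "ext" and p.dst == GW
                 and p.proto == "tcp" and p.dport in GW_PUBLIC_PORTS, "ACCEPT"),
    ("gw->inside", lambda p: p.iface == "dmz" and p.src == GW and inside_dst(p)
                   and p.proto == "tcp" and p.dport in GW_INSIDE_PORTS, "ACCEPT"),
    ("n2<->n3", lambda p: p.iface == "int" and inside_dst(p), "ACCEPT"),
    ("inside->inet", lambda p: p.iface == "int" and not in_any(p.dst, INTERNAL), "ACCEPT"),
    # A stateless filter cannot know whether a handshake happened, so replies
    # are let through by the classic "ACK bit" rule: any TCP packet that is
    # not a bare SYN. Caveat: ACK-only probes from outside pass this rule too;
    # the stateful filter on a later slide closes that hole.
    ("tcp-established", lambda p: p.proto == "tcp" and not p.syn, "ACCEPT"),
]


def filter_packet(pkt):
    """Evaluate the rules in order; anything unmatched hits the default deny."""
    for name, match, action in RULES:
        if match(pkt):
            return action, name
    return "DROP", "default"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("10.2.0.5", "203.0.113.7", "tcp", 80, True, "ext"),      # spoofed inside src
        Packet("203.0.113.7", GW, "tcp", 25, True, "ext"),              # mail to GW: ok
        Packet("203.0.113.7", GW, "tcp", 22, True, "ext"),              # ssh to GW: denied
        Packet(GW, "10.2.0.20", "tcp", 25, True, "dmz"),                # GW relays mail in
        Packet("10.2.0.5", "10.3.0.9", "udp", 53, False, "int"),        # N2 to N3: anything
        Packet("203.0.113.7", "10.2.0.5", "tcp", 445, True, "ext"),     # inbound SYN: denied
        Packet("203.0.113.7", "10.2.0.5", "tcp", 445, False, "ext"),    # ACK probe: passes
    ]
    for pkt in samples:
        print(filter_packet(pkt), pkt)
```

The last sample is the point to notice: with only header fields and no memory of earlier packets, the filter has to accept every non-SYN TCP packet to let replies back in, so a forged ACK from outside reaches an internal host. Moving a deny rule below an accept rule that it should guard is the "easy to botch rules" weakness from the previous slide.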

  7. Routing Filters • Perfect security if the node is completely unreachable: a host with no route to it from outside cannot be attacked directly • Routers do not advertise internal routes • Output route filtering (do not announce internal prefixes to the outside) • Input route filtering? (do not accept announcements from outside for your own or internal prefixes) • To prevent subversion by route confusion • Route leaks

  8. Stateful Packet Filters (SPFs) • Track the last few minutes of network activity in a connection table • If a packet doesn't fit an existing connection or a permitted new one, drop it • Stronger inspection engines search for information inside the packet's data • Have to collect and reassemble packets (fragments, TCP segments) in order to have enough data to inspect • Examples: FireWall-1, SeattleLabs, ipfilter
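As an added worked example (not code from the slides), the connection tracking described above in Python: outbound connections create table entries, inbound packets are accepted only when they match one, and entries age out after an idle timeout. The inside prefix and the timeout value are assumptions, and TCP teardown is simplified to RST only.

```python
"""Stateful packet filter with a connection table and idle expiry.

Added illustration, not code from the slides. The inside prefix and the idle
timeout are assumptions. Policy: hosts inside may open connections; packets
from outside are accepted only when they belong to a connection the table
already knows about. Entries idle for longer than IDLE_TIMEOUT are forgotten,
which is what "track the last few minutes of activity" means in practice.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed inside prefix
IDLE_TIMEOUT = 120.0                          # seconds, assumed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: frozenset    # TCP flags as strings, e.g. {"SYN"}; empty for UDP
    t: float            # arrival time in seconds


class StatefulFilter:
    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen
        self.table = {}

    @staticmethod
    def _key(pkt):
        """Normalise a packet to its connection key and its direction."""
        if ipaddress.ip_address(pkt.src) in INSIDE:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"

    def _expire(self, now):
        """Forget connections that have been idle longer than IDLE_TIMEOUT."""
        for key in [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]:
            del self.table[key]

    def process(self, pkt):
        """Return (action, reason) for one packet and update the table."""
        self._expire(pkt.t)
        key, direction = self._key(pkt)

        if key in self.table:
            if "RST" in pkt.flags:
                # A reset tears the connection down at once. (A fuller
                # implementation would also follow the FIN handshake; here a
                # FIN'd connection simply ages out.)
                del self.table[key]
                return "ACCEPT", "reset"
            self.table[key] = pkt.t          # refresh the idle timer
            return "ACCEPT", "established"

        if direction == "out":
            # A new TCP connection must begin with a bare SYN; a UDP flow is
            # created by its first outbound datagram.
            if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
                return "DROP", "invalid-tcp-start"
            self.table[key] = pkt.t
            return "ACCEPT", "new"

        # Inbound with no matching state: exactly the packet a stateless
        # "ACK bit" rule would have let through.
        return "DROP", "unsolicited"


if __name__ == "__main__":
    fw = StatefulFilter()
    trace = [  # constructed sample traffic
        Packet("203.0.113.7", 40000, "10.1.1.5", 22, "tcp", frozenset({"SYN"}), 0.0),
        Packet("10.1.1.5", 50000, "93.184.216.34", 443, "tcp", frozenset({"SYN"}), 1.0),
        Packet("93.184.216.34", 443, "10.1.1.5", 50000, "tcp", frozenset({"SYN", "ACK"}), 1.1),
        Packet("93.184.216.34", 443, "10.1.1.5", 50001, "tcp", frozenset({"ACK"}), 1.2),
        Packet("93.184.216.34", 443, "10.1.1.5", 50000, "tcp", frozenset({"ACK"}), 300.0),
    ]
    for pkt in trace:
        print(fw.process(pkt), pkt.src, "->", pkt.dst)
```

The fourth packet in the trace is an ACK to a port nobody inside opened; a stateless filter accepts it, this one drops it. The fifth shows the other side of "the last few minutes": a reply that arrives after the idle timeout is treated as unsolicited, so long-lived idle sessions need keepalives or a longer timeout.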

  9. Packet Filtering Performance • Filtering may defeat the router's optimizations for packet handling • Still, the serial link from the router to the Internet may be the bottleneck • Keep the rules simple and uniform • Order the rules so that the most common type of traffic is matched first, but keep security-critical deny rules (e.g., anti-spoofing) ahead of any accept rule they are meant to guard

  10. Proxy Firewalls • Pass data between two separate connections, one on each side of the firewall; no IP packet crosses the firewall directly • Types: • Circuit-level proxy • Application proxy • Store-and-forward proxy • Higher latency and lower throughput than packet filtering

  11. Circuit-Level Proxy • Client connects to the relay host and requests a connection to the server (SOCKS is the usual protocol for this) • FW opens its own connection to the server • Server usually does not see details such as the IP address of the client • All IP-level tricks are stopped at the relay host, because it terminates the client's TCP connection and originates a fresh one: • Fragments • Firewalking probes

  12. Application Proxy • FW transfers only acceptable information between the two connections • The proxy understands the application protocol and can filter the data within it (unwanted commands, headers, attachments) • Example: mail proxies • Usually store-and-forward

  13. Caching Proxies • Client asks the firewall for a document; the firewall downloads the document, may save it to disk (the cache), and provides the document to the client • Can do data filtering on the content it fetches • More administration time, hardware, and cost

  14. Network Address Translation (NAT) • Rewrites IP addresses (and, for port translation, port numbers) in packets • Address of the client inside never shows up outside • Many IPs inside to many static IPs outside (static, one-to-one NAT) • Many IPs inside to a pool of outside IPs assigned dynamically (dynamic NAT) • Many IPs inside to one IP address outside (port address translation, "masquerading") • Examples: Cisco PIX, Linux masquerading, FireWall-1, ipfilter
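As an added worked example (not code from the slides), a NAT in Python that implements two of the three modes listed: static one-to-one translation and many-to-one port address translation. It shows the property the slide states, that an inside address never appears outside, and its consequence, that an unsolicited inbound packet has no mapping and is dropped. The inside prefix and the public addresses are assumptions; the dynamic address-pool mode is not implemented.

```python
"""NAT simulation: static one-to-one mapping and many-to-one port translation.

Added illustration, not code from the slides. The inside prefix and the
public addresses are assumptions. Two of the slide's three modes are shown:
static NAT (one inside address to one dedicated outside address) and PAT /
"masquerading" (many inside addresses behind one outside address, told apart
by the port the NAT assigns). The dynamic address-pool mode is omitted.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    def __init__(self, inside, public_ip, static=None, ports=(1024, 65535)):
        self.inside = ipaddress.ip_network(inside)
        self.public_ip = public_ip
        self.static = dict(static or {})                 # inside ip -> public ip
        self.rev_static = {v: k for k, v in self.static.items()}
        self.min_port, self.max_port = ports
        self.next_port = self.min_port
        self.out = {}    # (proto, inside ip, inside port) -> public port
        self.back = {}   # (proto, public port) -> (inside ip, inside port)

    def _alloc_port(self, proto):
        """Hand out the next free public port, wrapping around the range."""
        for _ in range(self.max_port - self.min_port + 1):
            port = self.next_port
            self.next_port = port + 1 if port < self.max_port else self.min_port
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def outbound(self, pkt):
        """Translate a packet leaving the inside network."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            raise ValueError("outbound packet with non-inside source")
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])      # address only
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            # The mapping is keyed on the inside endpoint only (endpoint
            # independent), so one inside socket keeps one public port for
            # every destination it talks to.
            port = self._alloc_port(pkt.proto)
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Translate a packet arriving from outside; None means no mapping, drop."""
        if pkt.dst in self.rev_static:
            return replace(pkt, dst=self.rev_static[pkt.dst])
        if pkt.dst != self.public_ip:
            return None
        target = self.back.get((pkt.proto, pkt.dport))
        if target is None:
            return None          # nobody inside asked for this; the host stays hidden
        ip, port = target
        return replace(pkt, dst=ip, dport=port)


if __name__ == "__main__":
    nat = Nat("10.0.0.0/8", "198.51.100.1", static={"10.0.0.10": "198.51.100.10"})
    a = nat.outbound(Packet("10.1.1.5", 40000, "93.184.216.34", 80))
    b = nat.outbound(Packet("10.1.1.6", 40000, "93.184.216.34", 80))   # same inside port
    print(a, b)
    print(nat.inbound(Packet("93.184.216.34", 80, "198.51.100.1", b.sport)))
    print(nat.inbound(Packet("203.0.113.9", 12345, "198.51.100.1", 22)))     # None
```

Two inside hosts using the same source port are separated by the public port the NAT assigns, and a reply is routed back only through that assigned port. The static mapping behaves differently: a host with a dedicated public address is reachable from outside at all times, so it gives none of the hiding that masquerading does and still needs a packet filter in front of it.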

  15. Logging • Cheap solution to most behavioral problems • Program logging • syslog / NT event log • Sniffers: tcpdump, ssldump, Argus, Network General, HP OpenView • Down side: • Overhead intensive • Does not prevent damage (more reactive than proactive)

  16. Firewall Pitfalls • Single point of failure • Useful ones are difficult to configure and integrate • Performance requirements tend to create back doors (rules get relaxed or traffic bypasses the firewall to keep throughput up) • False sense of security • Perhaps 40% protection against the top attacks (the slide's rough estimate)

  17. Where to Put FW (diagram-only slide; figure not reproduced in the transcript)

  18. Where (cont'd) (diagram-only slide; figure not reproduced in the transcript)

  19. (diagram-only slide; no text in the transcript)

  20. DMZ • Neither internal nor external • Sits between the external router and the inside network; the bastion host is placed on it • Idea is to minimize the exposed services and hence the potential attacks • Example: for a web server, block everything but HTTP • Multiple zones for increased availability/security

  21. Distributed Firewalls (DFWs) • To avoid a single point of failure (S-P-O-F) • To distribute risk • Better scalability • Trend to use sophisticated protocols: IPsec • Policy decisions use cryptographic identity (IPsec authentication) instead of trusting the addresses in IP headers, so forging a source address no longer helps an attacker

  22. Switched Firewalls (Air-gap Technology) (diagram-only slide; figure not reproduced in the transcript)
