Lecture 25: Firewalls

Slide 1: Lecture 25: Firewalls
- Introduce several types of firewalls
- Discuss their advantages and disadvantages
- Compare their performances
- Demonstrate their applications
C. Ding -- COMP581 -- L25 1

Slide 2: What is a Firewall?
A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

Slide 3: In other words…
"A data sentry at the gateway to your network, combining the power of multiple firewall technologies to deliver powerful perimeter security"

Slide 4: What a Firewall does
- Implement security policies at a single point
- Monitor security-related events (audit, log)
- Provide strong authentication
- Allow virtual private networks

Slide 5: What a Firewall does not do
- Protect against attacks that bypass the firewall
  - Dial-out from internal host to an ISP
- Protect against internal threats
  - Disgruntled employee
  - Insider cooperates with an external attacker
- Protect against the transfer of virus-infected programs or files

Slide 6: Firewall - Typical layout
[Diagram: Protected Private Network -- firewall -- Internet]
A firewall denies or permits access based on policies and rules.

Slide 7: Watching for attack
[Diagram: Protected Private Network -- firewall -- Internet; an attack arrives from the Internet and the firewall monitors, logs and notifies]

Slide 8: Firewall technologies
Common firewall technologies may be classified into four categories:
- Packet Filtering Firewalls
- Circuit Level Firewalls
- Application Gateway Firewalls (or proxy servers)
- Stateful Inspection Firewalls (dynamic packet filtering firewalls)
These technologies operate at different levels of detail, providing varying degrees of network access protection. These technologies are not mutually exclusive, as some firewall products may implement several of these technologies simultaneously.

Slide 9: The Internet protocol stack
| Layer       | LAN                  | WAN                         |
|-------------|----------------------|-----------------------------|
| Application |                      |                             |
| Transport   | TCP, UDP ...         | TCP, UDP ...                |
| Network     | IP                   | IP                          |
| Data Link   | Drivers, MAC Address | PPP, Frame Relay ...        |
| Physical    | LAN Interface Card   | Leased Line, ISDN, xDSL ... |

Slide 10: Packet Filtering Firewalls

Slide 11: Packet Filtering firewalls
- The original firewall
- Works at the network level of the OSI model
- Applies packet filters based on access rules:
  - Source address
  - Destination address
  - Application or protocol
  - Source port number
  - Destination port number

Slide 12: Packet Filtering firewalls
[Diagram only]

Slide 13: Packet Filtering firewalls
Packet Filtering is usually an integrated function of a router. Packet filtering relies on Network Layer and Transport Layer information contained in the headers of data packets to police traffic. This information includes source IP address and port number, destination IP address and port number, and protocol used (e.g., TCP, UDP, ICMP). This information is used as the criteria in network access rules. These rules are organized into several "filter sets" and each set handles traffic coming to the firewall over a specific interface.

Slide 14: Packet Filtering Policy Example
| action | My host name | My host port | Other host name | Other host port | comments                 |
|--------|--------------|--------------|-----------------|-----------------|--------------------------|
| block  | *            | *            | microsoft.com   | *               | Block everything from MS |
| allow  | My-gateway   | 25           | *               | *               | Allow incoming mail      |

Slide 15: Packet Filtering Policy Example (see Slide 16)
| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | Action |
|------|-----------|----------------|---------------------|----------|-------------|------------------|--------|
| 1    | Out       | *              | 10.56.199*          | *        | *           | *                | Drop   |
| 2    | Out       | 10.56*         | 10.122*             | TCP      | *           | 23 (Telnet)      | Pass   |
| 3    | In        | 10.122*        | 10.56.199*          | TCP      | 23 (Telnet) | *                | Pass   |
| 4    | In & Out  | *              | 10.56.199*          | TCP      | *           | 25 (Mail)        | Pass   |
| 5    | In        | *              | *                   | TCP      | *           | 513 (rlogin)     | Drop   |
| 6    | In        | 201.32.4.76    | *                   | *        | *           | *                | Drop   |
| 7    | Out       | *              | *                   | TCP      | *           | 20 (FTP)         | Pass   |
| 8    | In        | *              | 10.56.199*          | TCP      | *           | 20 (FTP)         | Drop   |

Slide 16: Web Access Through a Packet Filter Firewall
[Diagram: a web session passing through the packet filter]
ACK = positive acknowledgement message for the sender from the receiver. Typically just one bit.

Slide 17: Packet Filtering Firewalls
[Diagram: Firewall/Router between Internal Network and Internet; an Input Filter and an Output Filter apply the Access Rules at the Network layer, with Data Link and Physical layers on each side]

Slide 18: Packet Filtering Firewalls: pros and cons
Advantages:
- Simple, low cost, transparent to user
Disadvantages:
- Hard to configure filtering rules
- Hard to test filtering rules
- Don't hide network topology (due to transparency)
- May not be able to provide enough control over traffic

Slide 19: Circuit Level Firewalls (Circuit Level Gateways)

Slide 20: Circuit Level Firewalls
- Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP
- Monitor TCP handshaking between packets to determine whether a requested session is legitimate.

Slide 21: Circuit Level Firewalls
[Diagram only]

Slide 22: Application Gateway Firewalls (Proxy Firewalls)

Slide 23: Application Gateway firewalls
- Similar to circuit-level gateways except that they are application specific.
- Every connection between two networks is made via an application program called a proxy
- Proxies are application or protocol specific
- Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected.
- A gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through
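As an added example (not from the lecture), the Slide 15 rule table evaluated first-match in Python; the prefix-wildcard matching, the default Drop for packets matching no rule, and the sample addresses are this example's assumptions, not something the slide states:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "In" (Internet -> private) or "Out"
    src: str
    dst: str
    proto: str       # "TCP", "UDP", "ICMP"
    sport: int
    dport: int

# Slide 15 table: (rule, direction, src addr, dst addr, proto, sport, dport, action).
# "In & Out" (rule 4) applies in both directions; "*" matches anything.
RULES = [
    (1, "Out",      "*",           "10.56.199*", "*",   "*", "*",  "Drop"),
    (2, "Out",      "10.56*",      "10.122*",    "TCP", "*", 23,   "Pass"),
    (3, "In",       "10.122*",     "10.56.199*", "TCP", 23,  "*",  "Pass"),
    (4, "In & Out", "*",           "10.56.199*", "TCP", "*", 25,   "Pass"),
    (5, "In",       "*",           "*",          "TCP", "*", 513,  "Drop"),
    (6, "In",       "201.32.4.76", "*",          "*",   "*", "*",  "Drop"),
    (7, "Out",      "*",           "*",          "TCP", "*", 20,   "Pass"),
    (8, "In",       "*",           "10.56.199*", "TCP", "*", 20,   "Drop"),
]

def addr_match(pattern, addr):
    """'10.56.199*' matches any address beginning with '10.56.199' (assumed semantics)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return addr.startswith(pattern[:-1])
    return addr == pattern

def field_match(pattern, value):
    return pattern == "*" or pattern == value

def evaluate(pkt, rules=RULES):
    """First-match evaluation: return (rule number, action) of the first rule
    the packet matches. A packet matching no rule falls to a default Drop
    (the default-deny is an assumption of this example, not stated on the slide)."""
    for num, direction, src, dst, proto, sport, dport, action in rules:
        if direction != "In & Out" and direction != pkt.direction:
            continue
        if (addr_match(src, pkt.src) and addr_match(dst, pkt.dst)
                and field_match(proto, pkt.proto)
                and field_match(sport, pkt.sport)
                and field_match(dport, pkt.dport)):
            return num, action
    return None, "Drop"
```

Note that an inbound FTP data packet from source port 20 to an ephemeral port on a 10.56.199* host matches none of the eight rules, which is the kind of return-traffic problem the stateful inspection slides later in the lecture address.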
Slide 24: Application Gateway Firewalls
[Diagram: Firewall running Application Proxies between the Internal Network and the Internet; the firewall carries the full stack (Application, Transport, Network, Data Link, Physical) and a Router connects to the Internet]

Slide 25: Application Gateway Firewalls
[Diagram only]

Slide 26: Application Gateway Strengths
- Very secure if used in conjunction with an intelligent packet filtering firewall
- Well designed proxies provide excellent security

Slide 27: Application Gateway weaknesses
- Very CPU intensive
- Requires high performance host computer
- Host operating system liable to attack
- Many proxies are transparent to application
- Not transparent to users
- Expensive

Slide 28: Stateful Inspection Firewalls

Slide 29: Stateful Inspection Firewalls
- Third generation firewall technology, often referred to as dynamic packet filtering
- Understands data in packets from the network layer (IP headers) up to the Application Layer
- Tracks the state of communication sessions

Slide 30: Stateful Inspection Firewalls
[Diagram: Firewall/Router with an Inspection Module between Internal Network and Internet; Application - State Table, Transport - Access Rules, Network - Access Rules; Data Link and Physical layers on each side]

Slide 31: Dynamic Filtering
Stateful Inspection firewalls dynamically open and close ports (application specific connection points) based on access policies.
[Diagram: Protected Private Network -- firewall -- Internet]
- User initiates web session
- Firewall checks policies to validate sending computer and allows traffic to pass to public network
- Return traffic for validated web session is permitted and the state of the flow is monitored
- Other traffic from public network is blocked
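An added example (not from the lecture) of the Slide 31 sequence as a minimal TCP state table: an outbound web session is opened after a policy check, its return traffic is admitted because a matching entry exists, and unsolicited traffic from the public network is dropped. The outbound policy, the flag handling and the addresses are this example's assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "Out" (private -> Internet) or "In"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}

# Access policy (assumed): services the private network may open sessions to.
ALLOWED_OUTBOUND_PORTS = {80, 443}

class StatefulFirewall:
    def __init__(self):
        # State table: (internal ip, internal port, external ip, external port) -> TCP state
        self.state = {}

    def _key(self, pkt):
        """Normalise the 4-tuple so both directions of a flow share one entry."""
        if pkt.direction == "Out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def active_flows(self):
        return len(self.state)

    def inspect(self, pkt):
        """Return 'Pass' or 'Drop' for one packet and update the state table."""
        key = self._key(pkt)
        state = self.state.get(key)
        if state is None:
            # Only a policy-approved outbound SYN may open a new flow; unsolicited
            # inbound packets never match an entry and are dropped.
            if pkt.direction == "Out" and pkt.flags == {"SYN"} and pkt.dport in ALLOWED_OUTBOUND_PORTS:
                self.state[key] = "SYN_SENT"
                return "Pass"
            return "Drop"
        if "RST" in pkt.flags:           # abort: forget the flow
            del self.state[key]
            return "Pass"
        if state == "SYN_SENT":
            if pkt.direction == "In" and {"SYN", "ACK"} <= pkt.flags:
                self.state[key] = "ESTABLISHED"
                return "Pass"
            return "Pass" if pkt.direction == "Out" and pkt.flags == {"SYN"} else "Drop"  # SYN retransmit ok
        # ESTABLISHED: both directions pass; the first FIN tears the entry down (simplified).
        if "FIN" in pkt.flags:
            del self.state[key]
        return "Pass"
```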
Slide 32: Stateful Inspection Strengths
- Monitors the state of all data flows
- Dynamically adapts filters based on defined policies and rules
- Easily adapted to new Internet applications
- Transparent to users
- Low CPU overheads

Slide 33: Stateful Inspection Weaknesses
- Need to provide new client program
- Might have problems with the availability of source code for various platforms

Slide 34: Stateful Inspection Firewalls
These are among the most secure firewalls available today.
"fooling them can be a lot of work" - Jon McCown, network security analyst for the U.S. National Computer Security Agency (NCSA)

Slide 35: General Performance
[Chart only]

Slide 36: Other Issues about Firewalls

Slide 37: RADIUS Support
- Remote Authentication Dial-In User Services
- A single, central security database for all system users
- Centralised management of access lists

Slide 38: Remote access security
[Diagram: Remote dial-in user -- Telephony Services -- firewall -- Head office]
- Dial-in user authenticated
- Firewall policy assigned to dial-in user before completing connection to network

Slide 39: Stateful Inspection Implementation
[Diagram: Protected private network -- firewall -- Internet]
- User initiates web session
- Firewall checks policy rules to validate sender
- Firewall opens required port and allows traffic to pass to public network
- Return traffic for validated web session is permitted and the state of the flow is monitored

Slide 40: Network Address Translation
[Diagram: Protected private network -- firewall -- Internet]
- User communicates with Internet using a private IP address
- Firewall substitutes the private address with a public address and forwards to the Internet
- Firewall translates return flow from public to private address

Slide 41: Application Level Gateway Example
[Diagram: Internet -- firewall -- FTP Server]
- FTP connection initiated from public network
- Access rules verified
- If connection is valid the state table is updated and connection to FTP Server established
- Application Level Gateway completes connection

Slide 42: Session Logging
The firewall can be configured to log an extensive range of events, including:
- All denied packets
- All allowed packets
- Selected allowed and denied packet types
- Etc.

Slide 43: Notification
[Diagram: Protected private network -- firewall -- Internet]
- Firewall detects attack (Port Scan)
- SNMP Trap message to management platform
- SNMP/SMTP: Email sent to specified address
SNMP: simple network management protocol

Slide 44: Notification and Reconfiguration
[Diagram: Protected private network and DMZ Web Server behind the firewall -- Internet]
- Firewall detects attack (SYN Flood) against the server
- Email sent to System Manager
- Firewall automatically reconfigured to deny all external access to WEB Server

Slide 45: Secure management
- Secure encrypted and authenticated remote management
- Secure Shell "SSH"
- RSA encryption keys 512 - 2048 bits
- DES and Triple DES encryption for SSH sessions
- Can limit access to specific user addresses

Slide 46: Network configuration examples

Slide 47: Protected private network
[Diagram: Protected private network -- firewall -- Internet]
- Allow all access from private network to the Internet
- Deny all access from the Internet to the private network

Slide 48: Semi-Militarised Zone
[Diagram: Protected private network -- firewall -- Internet, with a Semi Militarised Zone (SMZ) holding the WEB Server and Mail Server]
- Private network for corporate servers and users
- All unauthorised traffic is blocked
- SMZ: firewall policy limits incoming access to WEB and mail server
- All other incoming traffic blocked from public network

Slide 49: Private LAN stays secure
[Diagram: Protected private network -- firewall -- Internet; WEB Server and Mail Server in the Semi-Militarised Zone (SMZ); the WEB Server is shown accepting "Login: hacker / Password: please / OK Then!"]

Slide 50: Demilitarised Zone
[Diagram: Protected private network -- firewall -- Internet, with WEB Server and Mail Server in the Demilitarised Zone (DMZ)]
- Open access between private LAN and DMZ
- Allow SMTP, from here to there only
- Static filters between private LAN and DMZ used to control access

Slide 51: Concluding Remarks
All that a firewall can do is to control network activities between OSI levels 2 and 7. They cannot keep out data carried inside applications, such as viruses within email messages: there are just too many ways of encoding data to be able to filter out this kind of threat. Although firewalls provide a high level of security in today's private networks to the outside world, we still need the assistance of other related security components in order to guarantee proper network security.
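An added example (not part of the lecture) of the session logging and notification behaviour on Slides 42 to 44: a port-scan detector run over constructed firewall log lines that produces the notification text and the deny rule the firewall would push into its filter set. The log format, the thresholds and the addresses are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = 10                      # distinct destination ports per source...
SCAN_WINDOW = timedelta(seconds=60)  # ...within this window => port scan

# Constructed sample log: "<ISO timestamp> <ACTION> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = [
    "2024-03-01T10:00:00 ALLOW 203.0.113.10:51000 -> 10.0.0.80:80 TCP",
    "2024-03-01T10:00:01 ALLOW 203.0.113.10:51001 -> 10.0.0.80:443 TCP",
] + [f"2024-03-01T10:00:{i:02d} DENY 198.51.100.7:4444 -> 10.0.0.80:{port} TCP"
     for i, port in enumerate(range(21, 33), start=2)]   # 12 ports in 12 seconds

def parse_line(line):
    ts, action, src, _, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action, "src": src_ip,
            "sport": int(sport), "dst": dst_ip, "dport": int(dport), "proto": proto}

def detect_port_scans(lines):
    """Return {source ip: sorted probed ports} for sources that meet the threshold."""
    seen = defaultdict(list)   # src -> [(ts, dport)] of denied packets, in log order
    alerts = {}
    for ev in map(parse_line, lines):
        if ev["action"] != "DENY":
            continue
        hits = seen[ev["src"]]
        hits.append((ev["ts"], ev["dport"]))
        # Sliding window: keep only probes within SCAN_WINDOW of the newest one.
        while hits and ev["ts"] - hits[0][0] > SCAN_WINDOW:
            hits.pop(0)
        ports = {p for _, p in hits}
        if len(ports) >= SCAN_PORTS:
            alerts[ev["src"]] = sorted(ports)
    return alerts

def respond(alerts):
    """Build (notification, deny rule) pairs: the notice goes out as an SNMP trap
    or email, the rule is the automatic reconfiguration of the filter set."""
    actions = []
    for src, ports in alerts.items():
        rule = {"direction": "In", "src": src, "dst": "*", "proto": "*", "action": "Drop"}
        notice = f"Port scan from {src}: {len(ports)} ports probed ({ports[0]}-{ports[-1]})"
        actions.append((notice, rule))
    return actions
```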