Firewalls
By: Mohamed Saad
Sarah Shaaban
Agenda
• Introduction
• Firewall Design Principles
• Firewall Characteristics
• Firewall Techniques
• Firewall Capabilities
• Firewall Limitations
• Types of Firewalls
• Firewall Configuration
• Trusted Systems
Introduction
Firewall Definition:
A firewall is an effective means of protecting a local system or network of systems from security threats while still affording access from the LAN to the outside world via WANs and the Internet.
Firewall Design Principles
Information systems have evolved through the following stages:
• Centralized systems with a central mainframe and a number of connected terminals.
• Local Area Networks (LANs) interconnecting PCs and terminals to each other.
• Premises networks, consisting of a number of LANs, PCs, servers and maybe one or two mainframes.
• Enterprise-wide networks consisting of multiple distributed networks connected by a private Wide Area Network (WAN).
• Internet connectivity, in which the WANs are hooked into the Internet.
Firewall Characteristics (Design Goals)
• All traffic from inside to outside the network, and vice versa, must pass through the firewall.
• Only traffic authorized by the local security policy will be allowed to pass through the firewall.
• The firewall itself must be immune to penetration.
Techniques of Firewalls
[SMIT97] defines four techniques that firewalls use to control access and enforce the site security policy:
• Service Control:
Determines the types of Internet services that can be accessed, inbound or outbound. This is done by filtering traffic on the basis of IP address and TCP port number; the firewall may also use proxy software to manage each service request before passing it on.
• Direction Control:
Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
Techniques of Firewalls (Cont.)
• User Control:
Controls access to a service according to which user is attempting to access it. This feature is applied either to local users or to incoming traffic from external users.
• Behavior Control:
Controls how particular services are used (for example, filtering spam from e-mail).
Firewall Capabilities
• A firewall defines a single choke point that keeps unauthorized users out of the protected network, and provides protection from various kinds of IP spoofing and routing attacks.
• A firewall provides a location for monitoring security events, so that audits and alarms can be implemented on the firewall system.
• A firewall can also be used for non-security functions such as mapping local IP addresses to Internet addresses, and for network management functions that audit or log Internet usage.
• A firewall can be used to implement VPNs.
Firewall Limitations
• A firewall cannot protect against attacks that bypass it, as happens when the network has a dial-up facility that connects hosts to the outside directly.
• A firewall cannot protect against internal threats, such as an employee who cooperates with an external attacker.
• A firewall cannot protect against virus-infected programs or files, because of the variety of operating systems and applications it would have to understand.
Types of Firewalls
• Packet Filtering.
• Application Level Gateway (Application Proxy).
• Stateful Packet Inspection.
Packet Filter
A packet filter firewall is the simplest type of firewall. Dealing with each individual packet, the firewall applies its rule set to determine whether to allow or disallow it. The firewall examines each packet based on the following criteria:
• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port
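The following is an added example, not code from the slides, showing how a stateless packet filter decides on exactly the four header fields listed above (plus the transport protocol). The site prefix 192.0.2.0/24, the mail server 192.0.2.10 and the outside addresses are constructed from the RFC 5737 documentation ranges; the rule set is invented for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example, not from the slides: a stateless packet filter that decides
# on the four header fields the slide lists (source IP, destination IP,
# source port, destination port) plus the transport protocol.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR prefix; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches both tcp and udp
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every field that is specified must match; unspecified fields are wildcards.
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose fields all match decides.

    Neither the payload nor any earlier packet is consulted, which is what
    makes this type fast and application independent."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default   # default deny: traffic no rule explicitly permits is dropped


# Constructed policy for a site on 192.0.2.0/24 with a mail server at 192.0.2.10:
#   1. anyone may reach the mail server on TCP/25
#   2. inside hosts may open TCP/80 (web) connections to the outside
#   3. replies to those web connections must be let back in; a stateless filter
#      can only express this as "any TCP packet with source port 80 to the LAN"
SITE_RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dst_port=25),
    Rule("allow", src="192.0.2.0/24", proto="tcp", dst_port=80),
    Rule("allow", dst="192.0.2.0/24", proto="tcp", src_port=80),
]


def evaluate_sample_traffic() -> dict:
    """Run a few constructed packets through the site policy."""
    samples = {
        "inbound smtp":        Packet("198.51.100.4", "192.0.2.10", "tcp", 40000, 25),
        "inbound telnet":      Packet("198.51.100.4", "192.0.2.10", "tcp", 40001, 23),
        "outbound web":        Packet("192.0.2.7", "203.0.113.5", "tcp", 53000, 80),
        "web reply":           Packet("203.0.113.5", "192.0.2.7", "tcp", 80, 53000),
        # Unsolicited: nobody inside opened this connection, but the source
        # port is 80 so rule 3 admits it. The filter has no memory of sessions.
        "unsolicited from 80": Packet("203.0.113.5", "192.0.2.7", "tcp", 80, 22),
    }
    return {name: filter_packet(SITE_RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_sample_traffic().items():
        print(f"{name:22s} -> {decision}")
```

The last sample shows why "complex firewall policies are difficult to implement using filtering rules alone": admitting replies to outbound web sessions forces a rule keyed on source port 80, and that rule also admits unsolicited packets that merely carry source port 80. Tracking sessions, which this filter cannot do, is what the stateful inspection type adds.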
Packet Filter Advantages
• It is fast because it operates on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.
• Because the packet payload is ignored, the filter is application independent.
• Least expensive of the three types of firewalls.
• Packet filtering rules are relatively easy to configure.
• No configuration changes are necessary on the protected workstations.
Packet Filter Disadvantages
• This type offers the least security because it allows a direct connection between endpoints through the firewall.
• There is no screening of the packet payload. It is impossible to block users from visiting web sites deemed off limits, for example.
• Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available, and IP spoofing can penetrate this firewall.
• Complex firewall policies are difficult to implement using filtering rules alone.
• There is a reliance on the IP address for authentication rather than on user authentication.
• Dynamic IP addressing schemes such as DHCP may complicate filtering rules involving IP addresses.
Application Proxy
• An application proxy is a program running on the firewall that emulates both ends of a network connection.
• Each computer communicates with the other by passing all network traffic through the proxy program. The proxy program evaluates the data sent from the client and decides what to pass on and what to drop.
• Each application has its own proxy program that emulates the application's protocol. For example, a telnet proxy emulates the telnet protocol, an HTTP proxy emulates the Hypertext Transfer Protocol, and an FTP proxy emulates the File Transfer Protocol.
Application Proxy Advantages
• It offers the highest degree of security because the firewall does not let endpoints communicate directly with one another; instead, the firewall mediates the communication.
• Has the best content filtering capability.
• Can hide private systems.
• Robust user authentication.
• Offers the best logging of activities.
• Policy rules are usually easier to write than packet filtering rules.
Application Proxy Disadvantages
• Performance is around 100 Mbps, which tends to be the worst of the three firewall types.
• Must have a proxy for every protocol. Lacking a proxy may prevent a protocol from being handled correctly by the firewall.
• TCP is the preferred transport; UDP may not be supported.
• Limited transparency: clients may need to be modified, for example by configuring the proxy server in a browser.
• No protection from all protocol weaknesses.
Stateful Packet Inspection
• This approach examines the contents of packets rather than just filtering them, that is, it considers their contents as well as their addresses.
• This type employs an inspection module, applicable to all protocols, that understands the data in the packet intended for other layers, from the network layer (IP headers) up to the application layer.
• Intelligent filtering can be combined with network-session tracking, using information about the beginning and end of sessions in filtering decisions; this is known as session filtering.
• The filter uses smart rules, thus enhancing the filtering process and controlling the network session rather than individual packets.
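The session filtering described above, as an added example that is not code from the slides: a minimal stateful engine that keeps a table of TCP sessions opened from the inside, admits packets in either direction while a session is live, and forgets the session when it sees the end (FIN or RST). The protected prefix 192.0.2.0/24, the permitted outbound ports and the packet trace are constructed; a production engine would also track sequence numbers and wait for both sides to close.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

# Added example, not from the slides: a minimal stateful inspection engine.
# A packet is admitted either because it belongs to a session an inside host
# already opened, or because it is a permitted new outbound connection.

Key = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str] = frozenset()   # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class StatefulFirewall:
    inside: str                              # CIDR of the protected network
    outbound_ports: FrozenSet[int]           # services inside hosts may open
    sessions: Dict[Key, str] = field(default_factory=dict)   # key -> state

    def _is_inside(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.inside)

    @staticmethod
    def _forward(p: Packet) -> Key:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        fwd, rev = self._forward(p), self._reverse(p)
        # 1. The packet belongs to a tracked session (either direction): allow
        #    it, and advance or close the session according to the TCP flags.
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None
        if key is not None:
            if p.flags & {"FIN", "RST"}:
                del self.sessions[key]      # simplified: first FIN/RST ends the session
            elif "ACK" in p.flags and self.sessions[key] == "SYN_SENT":
                self.sessions[key] = "ESTABLISHED"
            return "allow"
        # 2. No session: only a SYN from an inside host to a permitted outside
        #    service may start one. Everything else, including an outside packet
        #    that merely uses a well-known source port, is dropped.
        if (p.flags == frozenset({"SYN"})
                and self._is_inside(p.src_ip) and not self._is_inside(p.dst_ip)
                and p.dst_port in self.outbound_ports):
            self.sessions[fwd] = "SYN_SENT"
            return "allow"
        return "deny"


def run_sample_exchange() -> list:
    """Drive a constructed web session plus an unsolicited packet through the firewall."""
    fw = StatefulFirewall(inside="192.0.2.0/24", outbound_ports=frozenset({80, 443}))
    client, server = "192.0.2.7", "203.0.113.5"
    trace = [
        ("client SYN",        Packet(client, server, 53000, 80, frozenset({"SYN"}))),
        ("server SYN/ACK",    Packet(server, client, 80, 53000, frozenset({"SYN", "ACK"}))),
        ("client ACK + data", Packet(client, server, 53000, 80, frozenset({"ACK"}))),
        ("server data",       Packet(server, client, 80, 53000, frozenset({"ACK"}))),
        # same source port 80, but no inside host asked for this connection
        ("unsolicited SYN",   Packet(server, "192.0.2.9", 80, 22, frozenset({"SYN"}))),
        ("client FIN",        Packet(client, server, 53000, 80, frozenset({"FIN", "ACK"}))),
        # the session was closed above, so late data on the same 4-tuple is dropped
        ("server late data",  Packet(server, client, 80, 53000, frozenset({"ACK"}))),
    ]
    return [(name, fw.process(pkt)) for name, pkt in trace]


if __name__ == "__main__":
    for name, decision in run_sample_exchange():
        print(f"{name:18s} -> {decision}")
```

The difference from a plain packet filter is visible in the "unsolicited SYN" and "server late data" entries: the decision depends on what the firewall has already seen, not only on the fields of the packet in hand. The endpoints still talk to each other directly, which is why this type, unlike an application proxy, cannot hide private systems.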
Stateful Packet Inspection Advantages
• Offers improved security over basic packet filters due to packet examination.
• Offers a degree of application independence, depending on the level of stateful packet examination.
• Better logging of activities than basic packet filters.
• Good performance.
• Configuration changes to the protected workstations are unnecessary.
Stateful Packet Inspection Disadvantages
• It allows a direct connection between endpoints through the firewall.
• No hiding of private systems.
• Setting up stateful packet examination rules is more complicated.
• Only supported protocols are handled at the application layer.
• No user authentication. If it is provided, it is done with an application proxy.
Firewall Configuration
• Single Firewall System
• Single Firewall, Behind a DMZ
• Single Firewall, In Front of DMZ
• Dual or Multi-Tier Firewall
• More Complex Configuration
Screened host firewall, single-homed bastion
• Only IP packets destined for the bastion host are allowed in.
• Only IP packets from the bastion host are allowed out.
• The bastion host performs authentication and proxy functions.
Advantages & Disadvantages
• This configuration implements both packet-level and application-level filtering.
• An intruder must generally penetrate two separate systems before the security of the internal network is compromised.
• If the packet filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network.
Screened host firewall, dual-homed bastion.
Screened Subnet firewall.
This configuration creates an isolated subnetwork.
Advantages:
• There are three levels of defense.
• The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet.
• The inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.
Trusted System
• Data Access Control
Following successful login, the user has been granted access to one or a set of hosts and applications. This is generally not sufficient for a system that includes sensitive data in its database.
Access Matrix
• Subject: An entity capable of accessing objects (user, application).
• Object: Anything to which access is controlled (files, programs, memory segments).
• Access Right: The way in which an object is accessed by a subject (read, write, execute).
Access Control Lists
• For each object, an access control list lists users and their permitted access rights.
• An access control list may contain a default or public entry.
Capability Tickets
• Each user has a number of tickets and may be authorized to loan or give them to others.
• For security, the OS may hold all tickets on behalf of users.
• These tickets would have to be held in a region of memory inaccessible to users.
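The access matrix, access control lists and capability tickets of the last three slides, as one added example that is not code from the slides. A single constructed matrix is decomposed by column into ACLs (one per object, with a public entry) and by row into capability lists (one per subject), and a ticket is loaned from one subject to another; the subjects, objects and rights are invented.

```python
from typing import Dict, Set, Tuple

# Added example, not from the slides: one access matrix viewed two ways.
# Subjects (alice, bob, carol), objects and rights are constructed.

Rights = Set[str]

# The matrix: (subject, object) -> set of access rights. Absent cells mean no access.
ACCESS_MATRIX: Dict[Tuple[str, str], Rights] = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob",   "report.txt"): {"read", "write"},
    ("bob",   "backup.sh"):  {"execute"},
}

# Default/public entry on an object's ACL: applies to any subject without an explicit entry.
PUBLIC_ACL_ENTRIES: Dict[str, Rights] = {"report.txt": {"read"}}


def acl_for(obj: str) -> Dict[str, Rights]:
    """Column of the matrix: who may do what to this object (stored with the object)."""
    return {s: set(r) for (s, o), r in ACCESS_MATRIX.items() if o == obj}


def capabilities_for(subject: str) -> Dict[str, Rights]:
    """Row of the matrix: the tickets this subject holds (stored with the subject)."""
    return {o: set(r) for (s, o), r in ACCESS_MATRIX.items() if s == subject}


def allowed_by_acl(subject: str, obj: str, right: str) -> bool:
    # Look the subject up on the object's list; fall back to the public entry.
    entry = acl_for(obj).get(subject, PUBLIC_ACL_ENTRIES.get(obj, set()))
    return right in entry


def allowed_by_capability(subject: str, obj: str, right: str) -> bool:
    # The capability view has no public entry: the subject must hold a ticket.
    return right in capabilities_for(subject).get(obj, set())


def grant_capability(giver: str, receiver: str, obj: str, rights: Rights) -> None:
    """Loan a ticket. A subject may only give away rights it actually holds,
    which is the check the OS must make when it holds tickets on users' behalf."""
    held = capabilities_for(giver).get(obj, set())
    if not rights <= held:
        raise PermissionError(f"{giver} cannot give {sorted(rights - held)} on {obj}")
    ACCESS_MATRIX.setdefault((receiver, obj), set()).update(rights)


def views_agree() -> bool:
    """For every explicit cell, the ACL view and the capability view must answer alike."""
    return all(
        allowed_by_acl(s, o, r) == allowed_by_capability(s, o, r)
        for (s, o), rights in ACCESS_MATRIX.items()
        for r in rights | {"read", "write", "execute"}
    )


if __name__ == "__main__":
    for obj in sorted({o for _, o in ACCESS_MATRIX}):
        print(f"ACL for {obj}: {acl_for(obj)}")
    for subj in sorted({s for s, _ in ACCESS_MATRIX}):
        print(f"capabilities of {subj}: {capabilities_for(subj)}")
    print("carol reads report.txt via ACL:", allowed_by_acl("carol", "report.txt", "read"))
```

The two decompositions agree wherever the matrix has an explicit cell; they differ only at the edges, which is the practical trade-off between them: a public entry is natural on an ACL (it lives with the object) but has no counterpart in a capability list, while loaning a right to another subject is a one-line ticket transfer in the capability view.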
The Concept of a Trusted System
• Multiple levels or categories of data are defined as Multilevel Security.
A multilevel secure system must enforce:
No read up (simple security property):
A subject can only read an object of lower or equal security level.
No write down (*-property):
A subject can only write into an object of greater or equal security level.
Reference Monitor Concept
• The reference monitor is a controlling element in the hardware and OS of a computer that regulates the access of subjects to objects on the basis of security parameters of the subject and object.
Reference Monitor Properties
The reference monitor enforces the security rules (no read up, no write down) and has the following properties:
• Complete mediation: The security rules are enforced on every access, not just when a file is opened.
• Isolation: The reference monitor and its database are protected from unauthorized modification.
• Verification: The reference monitor's correctness must be provable. It must be possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation.
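The multilevel rules and the reference monitor of the preceding slides, as an added example that is not code from the slides: a small monitor that holds the objects itself (isolation), routes every read and write through one decision point and logs each decision (complete mediation), and applies no read up and no write down using the subject's and object's levels. The four levels, the subjects and the objects are constructed; the verification property is not something code can show and is not attempted here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example, not from the slides: a reference monitor enforcing the
# simple security property (no read up) and the *-property (no write down).

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class ReferenceMonitor:
    subject_level: Dict[str, str]   # security parameters of subjects
    object_level: Dict[str, str]    # security parameters of objects
    # Objects live only inside the monitor (isolation): nothing reaches them
    # except through access(), so every access is mediated and logged.
    _store: Dict[str, str] = field(default_factory=dict, init=False)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list, init=False)

    def _allowed(self, subject: str, obj: str, op: str) -> bool:
        s = LEVELS[self.subject_level[subject]]
        o = LEVELS[self.object_level[obj]]
        if op == "read":
            return o <= s    # simple security property: no read up
        if op == "write":
            return o >= s    # *-property: no write down
        return False         # unknown operation: deny

    def access(self, subject: str, obj: str, op: str, data: str = ""):
        """The single decision point. Every access, not just the first open, passes here."""
        decision = "allow" if self._allowed(subject, obj, op) else "deny"
        self.audit.append((subject, op, obj, decision))
        if decision == "deny":
            raise PermissionError(f"{subject} may not {op} {obj}")
        if op == "read":
            return self._store.get(obj, "")
        self._store[obj] = data
        return None


def run_demo() -> Tuple[Dict[str, str], ReferenceMonitor]:
    """Constructed subjects and objects exercising each rule once."""
    rm = ReferenceMonitor(
        subject_level={"analyst": "secret", "clerk": "unclassified"},
        object_level={"bulletin": "unclassified", "memo": "confidential", "plan": "top secret"},
    )
    outcomes: Dict[str, str] = {}

    def attempt(name: str, *args: str) -> None:
        try:
            rm.access(*args)
            outcomes[name] = "allow"
        except PermissionError:
            outcomes[name] = "deny"

    attempt("clerk writes bulletin",    "clerk", "bulletin", "write", "public notice")
    attempt("analyst reads bulletin",   "analyst", "bulletin", "read")           # read down
    attempt("analyst reads plan",       "analyst", "plan", "read")               # read up
    attempt("analyst writes plan",      "analyst", "plan", "write", "input")     # write up
    attempt("analyst writes bulletin",  "analyst", "bulletin", "write", "leak")  # write down
    attempt("clerk reads memo",         "clerk", "memo", "read")                 # read up
    return outcomes, rm


if __name__ == "__main__":
    results, monitor = run_demo()
    for name, decision in results.items():
        print(f"{name:24s} -> {decision}")
    print("audit trail:", monitor.audit)
```

Note that "analyst writes plan" is allowed even though the analyst cannot read the plan: the *-property permits writing up, and it is the confidentiality of the higher level that the rule protects, not the integrity of the object.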
Trojan Horse Defense