Firewall Modified
Upload: ritesh-verma
Category: Technology

Transcript of Firewall Modified
Firewalls

What is a Firewall?
A firewall is hardware, software, or a combination of the two that monitors the packets of digital information attempting to pass through the perimeter of a network.
It is an effective means of protecting a local system or network from network-related security threats.
Firewall design goals
• All traffic from inside or outside must pass through the firewall
• Only authorized traffic, as defined by the local security policy, will be allowed to pass
• The firewall itself is immune to penetration
Types of controls
1. Service control
2. Direction control
3. User control
4. Behavior control
Firewall capabilities
1. A firewall defines a single choke point
2. Provides a location for monitoring security-related events
3. Handles network-related events
4. Serves as a platform for IPSec
Firewall Limitations
• Cannot protect against attacks that bypass it
• Cannot protect against internal threats
  – e.g. a disgruntled employee
• Cannot protect against the transfer of all virus-infected programs or files
  – because of the huge range of operating systems and file types
Types of Firewalls
1. Packet Filters
2. Application-Level Gateways
3. Circuit-Level Gateways
Packet Filters
• A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet.
• The router is typically configured to filter packets going in both directions (from and to the internal network).
• Possible default policies:
  – Discard
  – Forward
Packet-Filtering Examples

| Action | Ourhost | Port | Theirhost | Port | Comment |
|---|---|---|---|---|---|
| Block | * | * | SPIGOT | * | We don't trust these people |
| Allow | OUR-GW | 25 | * | * | Connection to our SMTP port |

| Action | Ourhost | Port | Theirhost | Port | Comment |
|---|---|---|---|---|---|
| Block | * | * | * | * | default |

| Action | Ourhost | Port | Theirhost | Port | Comment |
|---|---|---|---|---|---|
| Allow | * | * | * | 25 | Connection to their SMTP |
Attacks on Packet Filters
• IP address spoofing
  – fake source address (an internal one)
  – add filters on the router to block such packets (on the external interface)
• Source routing attacks
  – attacker sets a route other than the default
  – block source-routed packets
• Tiny fragment attacks
  – split header information over several tiny packets
  – either discard or reassemble before checking
• Advantages
  – Simple
  – Transparent to users
  – Very fast
• Disadvantages
  – Rule generation is difficult
  – Lack of authentication
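As an added example (not from the slides), the Python below combines the three rule sets from the Packet-Filtering Examples into one first-match table with the default Block placed last, and applies the three defences from the Attacks on Packet Filters slide before the table is consulted. The addresses for OUR-GW, SPIGOT and the internal network are constructed placeholders, and the Packet fields and the 16-byte minimum for a first fragment are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: the slide names OUR-GW and SPIGOT but gives no
# addresses, so these are placeholders.
INTERNAL_NET = ip_network("10.0.0.0/8")
HOSTS = {"OUR-GW": ip_address("10.0.0.25"), "SPIGOT": ip_address("203.0.113.7")}

# Rules in the slide's column order: (action, ourhost, port, theirhost, port, comment).
# First match wins; the final catch-all is the default policy (Discard).
RULES = [
    ("Block", "*", "*", "SPIGOT", "*", "We don't trust these people"),
    ("Allow", "OUR-GW", 25, "*", "*", "Connection to our SMTP port"),
    ("Allow", "*", "*", "*", 25, "Connection to their SMTP"),
    ("Block", "*", "*", "*", "*", "default"),
]

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                # "external" or "internal": where it arrived
    source_routed: bool = False
    frag_offset: int = 0      # IP fragment offset; 0 = first or only fragment
    transport_len: int = 20   # bytes of TCP header carried in this fragment

def _match(pattern, value):
    return pattern == "*" or HOSTS.get(pattern, pattern) == value

def filter_packet(pkt):
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Defences from the "Attacks on Packet Filters" slide, applied before the rule table.
    if pkt.iface == "external" and src in INTERNAL_NET:
        return "Block", "spoofed internal source on external interface"
    if pkt.source_routed:
        return "Block", "source-routed packet"
    if pkt.frag_offset > 0 or pkt.transport_len < 16:
        return "Block", "fragment too small to check ports"   # tiny-fragment attack
    # "Ourhost" is the inside end of the connection, "theirhost" the outside end.
    if pkt.iface == "external":
        ours, oport, theirs, tport = dst, pkt.dport, src, pkt.sport
    else:
        ours, oport, theirs, tport = src, pkt.sport, dst, pkt.dport
    for action, oh, op, th, tp, comment in RULES:
        if _match(oh, ours) and _match(op, oport) and _match(th, theirs) and _match(tp, tport):
            return action, comment
    return "Block", "no rule matched"
```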
Application Level Gateway (Proxy server)
[Diagram: an internal host on the private network makes an inside connection to the application-level gateway, which makes a separate outside connection to the external host on the Internet; the user's illusion is a single connection (HTTP, FTP, TELNET, SMTP)]
• Purpose
  – monitor every connection
  – provide an end-to-end connection
• Advantage
  – more secure than a packet filter
• Disadvantage
  – additional processing overhead on each connection
Circuit Level Gateway
[Diagram: an inside host makes an inside connection to the circuit-level gateway, which makes an outside connection to the outside host; "in" and "out" labels mark the relayed connections in each direction]
• Relays two TCP connections
• Imposes security by limiting which such connections are allowed
• Once created, usually relays traffic without examining its contents
• Typically used when internal users are trusted, by allowing general outbound connections
• Example: the SOCKS package
Bastion Host
It is a critical strong point in the network's security.
A bastion host is a system that contains an application-level gateway, a circuit-level gateway, or both.
Only the services that the network administrator considers essential are installed on the bastion host. These include proxies such as Telnet, DNS, FTP, SMTP and user authentication.
It executes a secure version of its OS.
Characteristics
• The most secure version of the OS is included
• Only essential services are included
• Requires additional authentication of users
• Configured to support a subset of applications
• Maintains a detailed audit log
• Allows access only to specific host systems
• Each proxy module is a very small software package specifically designed for network security
• Each proxy is independent of the other proxies on the bastion host
Firewall Configurations

Screened host firewall, single-homed bastion configuration
• The firewall consists of two systems:
  – a packet-filtering router
  – a bastion host
• Configuration of the packet-filtering router:
  – only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
• Greater security than single configurations, for two reasons:
  – this configuration implements both packet-level and application-level filtering (allowing flexibility in defining the security policy)
  – an intruder must generally penetrate two separate systems
• This configuration also affords flexibility in providing direct Internet access (e.g. to a public information server such as a Web server)
[Diagram: screened host firewall, single-homed bastion]
Screened host firewall, dual-homed bastion configuration
– If the packet-filtering router is compromised, traffic cannot flow directly through the router between the Internet and other hosts on the private network.
– Traffic between the Internet and other hosts on the private network has to flow through the bastion host.
[Diagram: screened host firewall, dual-homed bastion]
Screened subnet firewall configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creates an isolated sub-network

Advantages
• The outside router advertises only the existence of the screened subnet to the Internet
• The inside router advertises only the existence of the screened subnet to the internal network
Trusted Systems
One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology.
Data Access Control
• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile
• General models of access control:
  – Access matrix
  – Access control list
  – Capability list
Access Control Matrix
[Diagram: access control matrix with subjects as rows and objects as columns]
Access Matrix: basic elements of the model
– Subject: an entity capable of accessing objects (e.g. a process)
– Object: anything to which access is controlled (e.g. files, programs)
– Access right: the way in which an object is accessed by a subject (e.g. read, write, execute)
Access control list
Decomposition of the matrix by columns
Access control list for Program1:
  Process1 (Read, Execute)
Access control list for Segment A:
  Process1 (Read, Write)
Access control list for Segment B:
  Process2 (Read)
• Access Control List
  – An access control list lists users and their permitted access rights
Capability list
Decomposition of the matrix by rows
Capability list for Process1:
  Program1 (Read, Execute)
  Segment A (Read, Write)
Capability list for Process2:
  Segment B (Read)
• A capability ticket specifies authorized objects and operations for a user.
• Each user has a number of tickets.
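As an added example (not from the slides), the Python below builds the access matrix from the ACL and capability-list slides, derives both decompositions from it, and mediates each access through a deny-by-default reference monitor that keeps an audit log; the ReferenceMonitor class and the helper names are assumptions, the matrix values are the slides' own.

```python
# Access control matrix from the slides: rows are subjects, columns are
# objects, each cell holds the rights that subject has on that object.
MATRIX = {
    "Process1": {"Program1": {"Read", "Execute"}, "Segment A": {"Read", "Write"}},
    "Process2": {"Segment B": {"Read"}},
}

def access_control_lists(matrix):
    """Decompose by columns: one list per object, naming subjects and rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def capability_lists(matrix):
    """Decompose by rows: one list of (object, rights) tickets per subject."""
    return {subj: {obj: set(r) for obj, r in row.items()} for subj, row in matrix.items()}

class ReferenceMonitor:
    """Mediates every access using the ACL view and records an audit entry,
    as a trusted system's enforcement point would. Unknown subjects,
    objects or rights are denied (deny by default)."""
    def __init__(self, matrix):
        self.acls = access_control_lists(matrix)
        self.audit = []

    def check(self, subject, obj, right):
        granted = right in self.acls.get(obj, {}).get(subject, set())
        self.audit.append((subject, obj, right, "GRANT" if granted else "DENY"))
        return granted

def capability_check(caps, subject, obj, right):
    """Same decision taken from the subject's ticket list instead of the ACL."""
    return right in caps.get(subject, {}).get(obj, set())

def views_agree(matrix):
    """Both decompositions must answer every (subject, object, right) query identically."""
    mon, caps = ReferenceMonitor(matrix), capability_lists(matrix)
    subjects = list(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(mon.check(s, o, r) == capability_check(caps, s, o, r)
               for s in subjects for o in objects for r in rights)
```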