authorization firewalls
play

Authorization: Firewalls Prof. Tom Austin San Jos State University - PowerPoint PPT Presentation

Dec 23, 2022 •187 likes •839 views

CS 166: Information Security Authorization: Firewalls Prof. Tom Austin San Jos State University Networking Basics Network Includes Computers Servers Routers Wireless devices Etc. Purpose is to transmit data

  1. CS 166: Information Security Authorization: Firewalls Prof. Tom Austin San José State University

  2. Networking Basics

  3. Network • Includes – Computers – Servers – Routers – Wireless devices – Etc. • Purpose is to transmit data

  4. Network Edge • Network edge includes • Hosts – Computers – Laptops – Servers – Cell phones – Etc., etc.

  5. Network Core • Network core consists of – Interconnected mesh of routers • Purpose is to move data from host to host

  6. Packet Switched Network • Telephone network is/was circuit switched – For each call, a dedicated circuit established – Dedicated bandwidth • Modern data networks are packet switched – Data is chopped up into discrete packets – Packets are transmitted independently – No dedicated circuit is established – More efficient bandwidth usage – But more complex than circuit switched

  7. Network Protocols • Study of networking focused on protocols • Networking protocols precisely specify “communication rules” • Details are given in RFC s – RFC is essentially an Internet standard • Stateless protocols don’t remember • Stateful protocols do remember • Many security problems related to “state” – E.g., DoS is a problem with stateful protocols

  8. Protocol Stack • Application layer protocols – HTTP, FTP, SMTP, etc. user application • Transport layer protocols space – TCP, UDP transport OS • Network layer protocols network – IP, routing protocols link • Link layer protocols NIC card – Ethernet, PPP physical • Physical layer

  9. Layering in Action router data data application application transport transport network network network link link link physical host physical physical host • At source, data goes “down” the protocol stack • Each router processes packet “up” to network layer – That’s where routing info lives • Router then passes packet down the protocol stack • Destination processes up to application layer – That’s where the data lives

  10. Encapsulation data X • X = application data at source application • As X goes down protocol stack, each layer adds header information: transport – Application layer: ( H , X) network – Transport layer: ( H , ( H , X)) – Network layer: ( H , ( H , ( H , X))) link – Link layer: ( H , ( H , ( H , ( H , X)))) physical • Header has info required by layer • Note that app data is on the inside packet ( H ,( H ,( H ,( H ,X))))

  11. Application Layer • Applications – Web browsing, email, P2P, etc. – Running on hosts – Hosts want network to be transparent • Application layer protocols – HTTP, SMTP, IMAP, Gnutella, etc. • Protocol is only one part of an application – For example, HTTP only a part of web browsing

  12. Client-Server Model • Client – “speaks first” • Server – tries to respond to request • Hosts are clients and/or servers • Example: Web browsing – You are the client (request web page) – Web server is the server

  13. Peer-to-Peer Model • Hosts act as clients and servers • For example, when sharing music – You are client when requesting a file – You are a server when someone downloads a file from you • In P2P, how does client find server? – Many different P2P models for this

  14. HTTP Example HTTP request HTTP response • HTTP --- H yper T ext T ransfer P rotocol • Client (you) requests a web page • Server responds to your request

  15. Web Cookies cookie initial HTTP request session H T T P r e s p o n s e , c o o k i e Cookie database HTTP request, cookie cookie e s n o p s e r P T T H later session • HTTP is stateless ¾ cookies used to add state • Initially, cookie sent from server to browser • Browser manages cookie, sends it to server • Server looks in cookie database to “remember” you

  16. Web Cookies • Web cookies used for… – Shopping carts – Recommendations, etc., etc. – A very, very, very weak form of authentication • Privacy concerns – Web site can learn a lot about you – Multiple web sites could learn even more

  17. SMTP • SMTP used to send email from sender to recipient’s mail server • Then use POP3, IMAP or HTTP (Web mail) to get messages from server • As with many application protocols, SMTP commands are human readable Recipient Sender SMTP SMTP POP3

  18. Spoofed email with SMTP User types the red lines: > telnet eniac.cs.sjsu.edu 25 220 eniac.sjsu.edu HELO ca.gov 250 Hello ca.gov, pleased to meet you MAIL FROM: <arnold@ca.gov> 250 arnold@ca.gov... Sender ok RCPT TO: <stamp@cs.sjsu.edu> 250 stamp@cs.sjsu.edu ... Recipient ok DATA 354 Enter mail, end with "." on a line by itself It is my pleasure to inform you that you are terminated . 250 Message accepted for delivery QUIT 221 eniac.sjsu.edu closing connection

  19. Application Layer • DNS --- Domain Name Service – Convert human-friendly names such as www.google.com into 32-bit IP address – A distributed hierarchical database • Only 13 “root” DNS server clusters – Almost a single point of failure for Internet – Attacks on root servers have succeeded – But, attacks have not lasted long enough

  20. NY Times SpamHaus attack article

  21. Transport Layer • The network layer offers unreliable, “best effort” delivery of packets • Any improved service must be provided by the hosts • Transport layer: two protocols of interest – TCP ¾ more service, more overhead – UDP ¾ less service, less overhead • TCP and UDP runs on hosts, not routers

  22. TCP • TCP assures that packets… – Arrive at destination – Are processed in order – Are not sent too fast for receiver: flow control • TCP also provides… – Network-wide congestion control • TCP is connection-oriented – TCP contacts server before sending data – Orderly setup and take down of “connection” – No true connection, only a logical connection

  23. TCP Header • Source and destination port • Sequence number • Flags (ACK, SYN, RST, etc.) • Usually 20 bytes (if no options)

  24. TCP Three-Way Handshake SYN request SYN-ACK ACK (and data) • SYN : synchronization requested • SYN-ACK : acknowledge SYN request • ACK : acknowledge msg 2 and send data • Then TCP “connection” established – Connection terminated by FIN or RST

  25. Denial of Service Attack • The TCP 3-way handshake makes denial of service (DoS) attacks possible • Whenever SYN packet is received, server must remember “half-open” connection – Remembering consumes resources – Too many half-open connections and server’s resources will be exhausted, and then… – …server can’t respond to legitimate connections

  26. UDP • UDP is minimalist, “no frills” service – No assurance that packets arrive – No assurance packets are in order, etc., etc. • Why does UDP exist? – More efficient (smaller header) – No flow control to slow down sender – No congestion control to slow down sender • Packets sent too fast, they will be dropped – Either at intermediate router or at destination – But in some apps this is OK (audio/video)

  27. Network Layer • Core of network/Internet – Interconnected mesh of routers • Purpose of network layer – Route packets through this mesh • Network layer protocol is known as IP – Follows a best effort approach • IP runs in every host and every router • Routers also run routing protocols – Used to determine the path to send packets – Routing protocols: RIP, OSPF, BGP, …

  28. IP Addresses • IP address is 32 bits • Every host has an IP address • Not enough IP addresses! – Lots of tricks used to extend address space • IP addresses given in dotted decimal notation – For example: 195.72.180.27 – Each number is between 0 and 255 • Usually, host’s IP address can change

  29. Socket • Each host has a 32 bit IP address • But many processes on one host – You can browse web, send email at same time • How to distinguish processes on a host? • Each process has a 16 bit port number – Port numbers < 1024 are “well-known” ports (HTTP is port 80, POP3 is port 110, etc.) – Port numbers above 1024 are dynamic (as needed) • IP address and port number define a socket – Socket uniquely identifies process, Internet-wide

  30. Network Address Translation • Network Address Translation ( NAT ) • Used to extend IP address space • Use one IP address, different port numbers, for multiple hosts – “Translates” outside packet (based on port number) to IP for inside host

  31. NAT-less Example source 11.0.0.1:1025 destination 12.0.0.1:80 source 12.0.0.1:80 destination 11.0.0.1:1025 Web Alice server IP: 12.0.0.1 IP: 11.0.0.1 Port: 80 Port: 1025

  32. NAT Example src 11.0.0.1:4000 src 10.0.0.1:1025 dest 12.0.0.1:80 dest 12.0.0.1:80 src 12.0.0.1:80 src 12.0.0.1:80 dest 11.0.0.1:4000 dest 10.0.0.1:1025 Web Firewall Alice server IP: 11.0.0.1 IP: 12.0.0.1 IP: 10.0.0.1 NAT Table 4000 10.0.0.1:1025

  33. NAT: The Last Word • Advantage(s)? – Extends IP address space – One (or a few) IP address(es) can be shared by many users • Disadvantage(s)? – Makes end-to-end security difficult – Might make IPSec less effective (IPSec discussed in Chapter 10)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Address Resolution ARP, RARP, Proxy ARP (C) Herbert Haas 2005/03/11 Agenda IP Forwarding

Address Resolution ARP, RARP, Proxy ARP (C) Herbert Haas 2005/03/11 Agenda IP Forwarding

Address Resolution ARP, RARP, Proxy ARP (C) Herbert Haas 2005/03/11 Agenda IP Forwarding Principle Address Resolution Protocol (ARP) IP Routing Basics IP Forwarding and ARP RARP Proxy ARP ICMP IP Forwarding and

1.03k views • 74 slides
The Network Network Security Secure against what/whom Security goals Attacker model Same

The Network Network Security Secure against what/whom Security goals Attacker model Same

The Network Network Security Secure against what/whom Security goals Attacker model Same hub `trusted LAN Internet Eavesdrop / block messages / insert messages / ... Typical attacker model security protocol analysis: Attacker

780 views • 63 slides
Joint Agencies Vehicle-Grid Integration (VGI) Working Group Two WO WORKSHOP #2 10 AM 5 PM

Joint Agencies Vehicle-Grid Integration (VGI) Working Group Two WO WORKSHOP #2 10 AM 5 PM

Joint Agencies Vehicle-Grid Integration (VGI) Working Group Two WO WORKSHOP #2 10 AM 5 PM SEPTEMBER 26, 2019 SAN FRANCISCO, CA https://gridworks.org/initiatives/rule-21-working-group-3/ Agenda 10:00-10:15 Participant Introductions and

273 views • 24 slides
ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ECPE / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Course Organization Top-Down! Starting with Applications / App programming Then Transport Layer (TCP/UDP) Then Network Layer (IP)

695 views • 31 slides
B u i l d i n g I P v 6 i n t o y o u r s c h o o l ' s n e t w o

B u i l d i n g I P v 6 i n t o y o u r s c h o o l ' s n e t w o

B u i l d i n g I P v 6 i n t o y o u r s c h o o l ' s n e t w o r k A I S I C T M a n a g e m e n t a n d L e a d e r s h i p C o n f e r e n c e C a n b e r r a 2

1.39k views • 95 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
MAC Addresses and ARP 32-bit IP address: network-layer address Mac Addressing, Ethernet,

MAC Addresses and ARP 32-bit IP address: network-layer address Mac Addressing, Ethernet,

MAC Addresses and ARP 32-bit IP address: network-layer address Mac Addressing, Ethernet, and used to get datagram to destination IP subnet MAC (or LAN or physical or Ethernet) Interconnections address: used to get datagram

424 views • 6 slides
Medium Access Protocols Summary of MAC protocols What do you do with a shared media?

Medium Access Protocols Summary of MAC protocols What do you do with a shared media?

Medium Access Protocols Summary of MAC protocols What do you do with a shared media? Channel Partitioning, by time, frequency or code Time Division,Code Division, Frequency Division Random partitioning (dynamic), ALOHA,

754 views • 40 slides

More recommend