Computer Security DD2395 - PowerPoint PPT Presentation



SLIDE 1

Computer Security DD2395

http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/

Fall 2012
Sonja Buchegger, buc@kth.se
Lecture 9: Firewalls (maybe start on Multilevel Security)

1 DD2395 Sonja Buchegger

SLIDE 2

Catch-up Labs

• Labbvecka in June 2013
• csc.kth.se/labbvecka
• http://www.csc.kth.se/labbvecka/
• Extra mini-version for this course in December

SLIDE 3

Firewall/Iptables Lab

• Preparation at home, fill out form in instructions
• Lab at CSC, be there at start of lab slot
• Lab exercise takes 4 hours

SLIDE 4

Seminar

• Demo for bonus point: in the widest sense, physical, software, animation, etc.
• Registration deadline on Friday
• Roles

SLIDE 5

Firewalls

• History
• What they do
• Where to put them
  • On the network layers
  • On the network topology

SLIDE 6

Bruce Schneier:

• Coal-powered trains had a large furnace in the engine room, along with a pile of coal. The engineer would shovel coal into the engine. This process created coal dust, which was highly flammable. Occasionally the coal dust would catch fire, causing an engine fire that sometimes spread into the passenger cars. Since dead passengers reduced revenue, train engines were built with iron walls right behind the engine compartment. This stopped fires from spreading into the passenger cars, but didn’t protect the engineer between the coal pile and the furnace.

SLIDE 7

Network Security

• Ross Anderson:
• System security
• Filtering
• Intrusion detection
• Cryptography, securing links

SLIDE 8

Firewalls and Intrusion Prevention Systems

• Individual: secure workstations and servers
• Whole network: also use firewall as perimeter defence
  • single choke point to impose security

SLIDE 9

Principle of Complete Mediation

• It is required that all accesses to objects be checked to ensure that they are allowed.

SLIDE 10

Reference Monitor

• In operating systems:
  • All requests are checked, only authorized go through
  • Monitor itself is tamper-proof
  • And verifiable

SLIDE 11

Ingress and Egress filtering

• Incoming, outgoing traffic

SLIDE 12

Firewall Capabilities & Limits

• capabilities:
  • defines a single choke point
  • provides a location for monitoring security events
  • convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
• limitations?

SLIDE 13

Firewall Capabilities & Limits

• capabilities:
  • defines a single choke point
  • provides a location for monitoring security events
  • convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
• limitations:
  • cannot protect against attacks bypassing firewall
  • may not protect fully against internal threats
  • improperly secured wireless LAN
  • laptop, PDA, portable storage device infected outside then used inside

SLIDE 14

Types of Firewalls

Figure 9.1 Types of Firewalls (diagram; only its text labels survive extraction): (a) General model, (b) Packet filtering firewall, (c) Stateful inspection firewall, (d) Application proxy firewall, (e) Circuit-level proxy firewall. Each panel shows the protocol stack (physical, network access, internet, transport, application) on both sides of the firewall, between the external (untrusted) network, e.g. Internet, and the internal (protected) network, e.g. enterprise network. The packet filtering and stateful inspection firewalls leave an end-to-end transport connection in place; the application proxy and circuit-level proxy terminate an external transport connection and open a separate internal transport connection, with state info kept at the firewall.

SLIDE 15

Packet Filtering Firewall

• applies rules to packets in/out of firewall
• based on information in packet header
  • src/dest IP addr & port, IP protocol, interface
• typically a list of rules of matches on fields
  • if a rule matches, it says whether to forward or discard the packet
• two default policies:
  • discard - prohibit unless expressly permitted
    • more conservative, controlled, visible to users
  • forward - permit unless expressly prohibited
    • easier to manage/use but less secure

SLIDE 16

SLIDE 17

Packet Filter Rules

SLIDE 18

Packet Filter Weaknesses

• weaknesses
  • cannot prevent attack on application bugs
  • limited logging functionality
  • do not support advanced user authentication
  • vulnerable to attacks on TCP/IP protocol bugs
  • improper configuration can lead to breaches

SLIDE 19

Stateful Inspection Firewall

• reviews packet header information but also keeps info on TCP connections
  • typically have low, “known” port no for server
  • and high, dynamically assigned client port no
  • simple packet filter must allow all return high port numbered packets back in
  • stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
  • only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
  • may also track TCP seq numbers as well

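The default policies of slide 15 and the connection directory of this slide, as an added Python simulation that is not part of the lecture material; the rule sets, the hosts 10.0.0.5, 203.0.113.7 and 198.51.100.9, and the port numbers are constructed for the example:

```python
from collections import namedtuple

# A packet as the filter sees it; iface is "ext" (from the Internet) or "int" (from inside)
Packet = namedtuple("Packet", "iface src sport dst dport")
HIGH = "high"  # rule pattern for any dynamically assigned client port (>= 1024)

def matches(fields, p):
    """fields maps a Packet field to HIGH or to an exact value; omitted fields match anything."""
    return all((getattr(p, f) >= 1024) if want == HIGH else getattr(p, f) == want
               for f, want in fields.items())

class PacketFilter:
    """Stateless filter (slide 15): first matching rule wins, else the default policy."""
    def __init__(self, rules, default="discard"):
        self.rules, self.default = rules, default   # rules: list of (action, fields)

    def decide(self, p):
        for action, fields in self.rules:
            if matches(fields, p):
                return action
        return self.default

class StatefulFilter(PacketFilter):
    """Slide 19: additionally keeps a directory of TCP connections opened from inside."""
    def __init__(self, rules, default="discard"):
        super().__init__(rules, default)
        self.directory = set()  # (inside host, inside port, outside host, outside port)

    def decide(self, p):
        if p.iface == "ext" and p.dport >= 1024:
            # a packet to a high port gets in only as the reply to a recorded connection
            return "forward" if (p.dst, p.dport, p.src, p.sport) in self.directory else "discard"
        action = super().decide(p)
        if p.iface == "int" and action == "forward":
            self.directory.add((p.src, p.sport, p.dst, p.dport))
        return action

def compare(client_port=51000):
    """Send the same three packets through a stateless and a stateful default-discard filter."""
    browse = ("forward", {"iface": "int", "dport": 80})                 # inside may reach web servers
    replies = ("forward", {"iface": "ext", "sport": 80, "dport": HIGH})  # stateless filter needs this
    stateless, stateful = PacketFilter([browse, replies]), StatefulFilter([browse])
    request = Packet("int", "10.0.0.5", client_port, "203.0.113.7", 80)  # constructed sample hosts
    reply = Packet("ext", "203.0.113.7", 80, "10.0.0.5", client_port)
    rogue = Packet("ext", "198.51.100.9", 80, "10.0.0.5", 51001)         # unsolicited, source port 80
    return {name: [fw.decide(pkt) for pkt in (request, reply, rogue)]
            for name, fw in (("stateless", stateless), ("stateful", stateful))}
```

The stateless filter has to open every high port to packets from source port 80, so the unsolicited packet is forwarded as well; the stateful filter forwards only the reply that matches its directory entry.
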
SLIDE 20

Application-Level Gateway

• acts as a relay of application-level traffic
  • user contacts gateway with remote host name
  • authenticates themselves
  • gateway contacts application on remote host and relays TCP segments between server and user
• must have proxy code for each application
  • may restrict application features supported
• more secure than packet filters
• but have higher overheads

SLIDE 21

Circuit-Level Gateway

• sets up two TCP connections, to an inside user and to an outside host
• relays TCP segments from one connection to the other without examining contents
  • hence independent of application logic
  • just determines whether relay is permitted
• typically used when inside users trusted
  • may use application-level gateway inbound and circuit-level gateway outbound
  • hence lower overheads

SLIDE 22

Firewall Basing

• several options for locating firewall:
  • bastion host
  • individual host-based firewall
  • personal firewall

SLIDE 23

Bastion Hosts

• critical strongpoint in network
• hosts application/circuit-level gateways
• common characteristics:
  • runs secure O/S, only essential services
  • may require user auth to access proxy or host
  • each proxy can restrict features, hosts accessed
  • each proxy small, simple, checked for security
  • each proxy is independent, non-privileged
  • limited disk use, hence read-only code

SLIDE 24

Host-Based Firewalls

• used to secure individual host
• available in/add-on for many O/S
• filter packet flows
• often used on servers
• advantages:
  • tailored filter rules for specific host needs
  • protection from both internal / external attacks
  • additional layer of protection to org firewall

SLIDE 25

Personal Firewall

• controls traffic flow to/from PC/workstation
• for both home or corporate use
• may be software module on PC
• or in home cable/DSL router/gateway
• typically much less complex
• primary role to deny unauthorized access
• may also monitor outgoing traffic to detect/block worm/malware activity

SLIDE 26

Firewall Topologies

• host-resident firewall
• screening router: packet filtering
• single bastion inline between routers
• single bastion T, with DMZ
• double bastion inline: DMZ between bastions
• double bastion T
• distributed firewall configuration

SLIDE 27

Firewall Locations

SLIDE 28

Firewall Locations: Advantages, Disadvantages ?

SLIDE 29

Virtual Private Networks

SLIDE 30

Distributed Firewalls

SLIDE 31

Intrusion Prevention Systems (IPS)

• recent addition to security products which
  • inline net/host-based IDS that can block traffic
  • functional addition to firewall that adds IDS capabilities
• can block traffic like a firewall
• using IDS algorithms
• may be network or host based

SLIDE 32

Host-Based IPS

• identifies attacks using both:
  • signature techniques
    • malicious application packets
  • anomaly detection techniques
    • behavior patterns that indicate malware
• can be tailored to the specific platform
  • e.g. general purpose, web/database server specific
• can also sandbox applets to monitor behavior
• may give desktop file, registry, I/O protection

SLIDE 33

Network-Based IPS

• inline NIDS that can discard packets or terminate TCP connections
• uses signature and anomaly detection
• may provide flow data protection
  • monitoring full application flow content
• can identify malicious packets using:
  • pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
• cf. SNORT inline can drop/modify packets

SLIDE 34

Unified Threat Management Products

SLIDE 35

Summary

• introduced need for & purpose of firewalls
• types of firewalls
  • packet filter, stateful inspection, application and circuit gateways
• firewall hosting, locations, topologies
• intrusion prevention systems