cs 5410 computer and network security firewalls
play

CS 5410 - Computer and Network Security: Firewalls Professor Kevin - PowerPoint PPT Presentation

Jun 15, 2023 •321 likes •555 views

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Firewalls A firewall ... is a physical barrier inside a building or vehicle,

  1. CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center

  2. Firewalls • A firewall ... is a physical barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse. Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 2

  3. Filtering: Firewalls • Filtering traffic based on policy ‣ Policy determines what is acceptable traffic ‣ Access control over traffic ‣ Accept or deny Application • May perform other duties Network ‣ Logging (forensics, SLA) ‣ Flagging (intrusion detection) Link ‣ QoS (differentiated services) Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 3

  4. IP Firewall Policy • Specifies what traffic is (not) allowed • Maps attributes to address and ports • Example: HTTP should be allowed to any external host, but inbound only to web- server Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 4

  5. X-Listing • Blacklisting - specifying specific connectivity that is explicitly disallowed ‣ E.g., prevent connections from badguys.com • Whitelisting - specifying specific connectivity that 
 is explicitly allowed ‣ E.g., allow connections from goodguys.com • These is useful for IP filtering, SPAM mitigation, … Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 5

  6. Stateful, Proxy, and Transparent • Single packet contains insufficient data to make access control decision ‣ Stateful: allows historical context consideration ‣ Firewall collects data over time • e.g., TCP packet is part of established session • Firewalls can affect network traffic ‣ Transparent: appear as a single router (network) ‣ Proxy: receives, interprets, and reinitiates communication (application) ‣ Transparent good for speed (routers), proxies good for complex state (applications) Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 6

  7. DMZ (De-militarized Zone) • Zone between LAN and Internet ( public facing ) Mail Server Accounting LAN LAN Internet Customer Database Web Server Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 7

  8. Practical Issues and Limitations • Network layer firewalls are dominant • DMZs allow multi-tiered fire-walling • Tools are widely available and mature • Personal firewalls gaining popularity • Issues • Network perimeters not quite as clear as before • E.g., telecommuters, VPNs, wireless, … • Every access point must be protected • E.g., this is why war-dialing/war-driving is effective • Hard to debug, maintain consistency and correctness • Often seen by non-security personnel as impediment • E.g., Just open port X so I can use my wonder widget … • SOAP - why is this protocol an issue? Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 8

  9. The Wool firewall study .. • 12 error classes • No default policy, automatic broad tools • NetBIOS (the very use of the Win protocol deemed error) • Portmapper protocols • Use of “any wildcards” • Lack of egress rules • Interesting questions: • Is the violation of Wool’s errors really a problem? • ICMP comments? • Why do you think more expensive firewalls had a higher occurrence of errors? • Take away: configurations are bad Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 9

  10. Practical Firewall Implementations • Primary task is to filter packets ‣ But systems and requirements are complex • Consider ‣ All the protocols and services ‣ Stateless vs. stateful firewalls ‣ Network function: NAT, forwarding, etc. • Practical implementation: Linux iptables ‣ http://www.netfilter.org/documentation/HOWTO/packet- filtering-HOWTO.html ‣ http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/ch- iptables.html Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 10

  11. Netfilter hook • Series of hooks in Linux network protocol stack • An iptable rule set is evaluated at each ‣ “PREROUTING”: before routing ‣ “INPUT”: inbound to local destination ‣ “FORWARD”: inbound but routed off host ‣ “OUTPUT”: outbound to remote destination ‣ “POSTROUTING”: after routing Preroute Routing Forward Postroute Input Output Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 11

  12. iptables Concepts The iptables firewall looks in the firewall table to seek if the chain associated with the current hook matches a packet, and executes the target if it does. • Table : allows policies to be cleanly separated by purpose 
 (default: “-t filter”, also: “-t nat”, “-t mangle” and “-t raw”) 
 Each table as a set of default chains. • Chain : list of rules associated with the chain identifier, e.g., hook name (INPUT, OUTPUT, etc) • Match : when all a rule’s field match the packet • Target : operation to execute on a packet given a match Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 12

  13. Table/Chain Traversal http://www.linuxtopia.org/Linux_Firewall_iptables/c951.html Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 13

  14. iptables Commands iptables [-t <table_name>] <cmd> <chain> <plist> • Commands • Append rule to end or specific location in chain (-A) • Delete a specific rule in a chain (-D) • Replace a rule (-R) • Flush a chain (-F) • List a chain (-L) • Set a default chain policy (-P) • Create a new user-specified chain (-N) • Remove an empty (user-specified) chain (-X) Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 14

  15. iptables Rule Parameters • Things you can match on • Destination/Source • IP address range and netmask • Protocol of packet • ICMP , TCP , etc • Fragmented only • Incoming/outgoing interface • Target on rule match Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 15

  16. Test it out • PING on localhost ‣ ping -c 1 127.0.0.1 • Add iptables rule to block ‣ iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP • Try ping • Delete the rule ‣ iptables -D INPUT 1 ‣ iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP ‣ iptables -F INPUT Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 16

  17. Testing • Use loopback to test the rules locally on your machine • IP address 127.0.0.1 • ICMP • submit ping requests to 127.0.0.1 as above • TCP • submit requests to 127.0.0.1 at specific port • server • nc -l 3750 • listen at port 3750 • client • nc -p 3000 localhost 3750 • send from port 3000 to localhost at port 3750 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 17

  18. Per Protocol Options • Specialized matching options for rules ‣ Specific to protocol • TCP ‣ Source/destination ports ‣ SYN ‣ TCP flags Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 18

  19. Targets • Define what to do with the packet at this time • ACCEPT/DROP • QUEUE for user-space application • LOG any packet that matches • REJECT drops and returns error packet • RETURN enables packet to return to previous chain • <user-specified> passes packet to that chain ## Create chain which blocks new connections, except if coming from inside. # iptables -N block # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT # iptables -A block -j DROP ## Jump to that chain from INPUT and FORWARD chains. # iptables -A INPUT -j block # iptables -A FORWARD -j block Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 19

  20. Examples iptables -A INPUT -s 200.200.200.2 -j ACCEPT iptables -A INPUT -s 200.200.200.1 -j DROP iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 20

  21. Example: Host Firewall • Assume you have a host with one network interface (eth0). You are running SSH (port 22) and want to allow access by external hosts. You are also running Apache for Web development, and only want it to be accessed by other hosts on the LAN (10.0.2.0/24) # iptables -F INPUT # iptables -F OUTPUT # iptables -F FORWARD # iptables -P INPUT DROP # iptables -P OUTPUT ACCEPT # iptables -P FORWARD DROP # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -i eth0 -m state --state NEW --dport 22 -j ACCEPT # iptables -A INPUT -i eth0 -m state --state NEW -s 10.0.2.0/24 --dport 80 -j ACCEPT Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 21

  22. Example: Gateway/DMZ Firewalls • Assume you have two firewalls 
 (FW1 and FW2), each with 
 two ethernet interfaces 
 FW2 FW1 (eth0 and eth1). eth0 eth1 • FW1 protects the DMZ, and FW2 
 eth0 eth1 protects the LAN • Define an iptables policy for FW1 that: • Allows new Internet traffic to reach port 80 on 10.0.1.13 • Does not allow traffic to reach the LAN (10.0.2.0/24) • Define an iptables policy for FW2 that • Allows internal hosts to reach the webserver, but nothing else in the DMZ (10.0.1.0/24), and can reach the larger Internet • Prevents DMZ hosts from initiating connections to LAN Southeastern Security for Enterprise and Infrastructure (SENSEI) Center 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS 5410 - Computer and Network Security: Cellular Network Security Professor Kevin Butler Fall

CS 5410 - Computer and Network Security: Cellular Network Security Professor Kevin Butler Fall

CS 5410 - Computer and Network Security: Cellular Network Security Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Reminders Poster showcase next Monday For final project: turn

533 views • 34 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
CNT 5410 - Computer and Network Security: Denial of Service Professor Kevin Butler Fall 2015

CNT 5410 - Computer and Network Security: Denial of Service Professor Kevin Butler Fall 2015

CNT 5410 - Computer and Network Security: Denial of Service Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Mandate &quot; The art of war teaches us to rely not on the likelihood of

623 views • 26 slides
CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Locked Down Youre using all the techniques we will talk about over the

577 views • 19 slides
CNT 5410 - Computer and Network Security: Web Security Professor Kevin Butler Fall 2015

CNT 5410 - Computer and Network Security: Web Security Professor Kevin Butler Fall 2015

CNT 5410 - Computer and Network Security: Web Security Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Network vs. Web Security Southeastern Security for Enterprise and Infrastructure

710 views • 58 slides
CS 5410 - Computer and Network Security: Malware and Botnets Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Malware and Botnets Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Malware and Botnets Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Final Posters Final posters are your chance to show myself and your peers

730 views • 33 slides
CNT 5410 - Computer and Network Security: Privacy/Anonymity Professor Kevin Butler Fall 2015

CNT 5410 - Computer and Network Security: Privacy/Anonymity Professor Kevin Butler Fall 2015

CNT 5410 - Computer and Network Security: Privacy/Anonymity Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center When Confidentiality is Insufficient Southeastern Security for Enterprise and

582 views • 25 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Network Control: Firewalls CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Network Control: Firewalls CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Network Control: Firewalls CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 14, 2013 Game Plan Network

734 views • 38 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
CS 5410 - Computer and Network Security: Cloud Security Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Cloud Security Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Cloud Security Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Imagine Southeastern Security for Enterprise and Infrastructure (SENSEI) Center

663 views • 24 slides
CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07 CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Midterm Grades (High is 83) 77-94 -- A (4)

930 views • 29 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Midterm Review

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Midterm Review

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Midterm Review CSU Cybersecurity Center Computer Science Dept 1 1 Midterm coming Tuesday Will use canvas. Will need proper laptop/pc with camera. Update: Both

789 views • 37 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls &amp; VPNs Topics Firewall Fundamentals Case study: Linux iptables

778 views • 46 slides
Networking 101.101.101.101 The Internet The Internet is governed by a series of protocols

Networking 101.101.101.101 The Internet The Internet is governed by a series of protocols

Networking 101.101.101.101 The Internet The Internet is governed by a series of protocols that form the rules for how communications should happen The Internet is a network of networks. There is no centralized point. There are no

763 views • 34 slides
Network Firewalls the outside world is a poten7al aCack

Network Firewalls the outside world is a poten7al aCack

4/29/14 CSE/ISE 311: Systems Administra5on CSE/ISE 311: Systems Administra5on Firewalls: An Essen7al Tool Previous Lectures: Every service on a system visible

400 views • 4 slides
Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text chapter 9 Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin,

501 views • 34 slides
CSE543 - Computer and Network Security Module: Firewalls Professor Trent Jaeger CMPSC443 -

CSE543 - Computer and Network Security Module: Firewalls Professor Trent Jaeger CMPSC443 -

532 views • 19 slides
You can keep your firewall (if you want to ) Practical, simple and cost saving applications

You can keep your firewall (if you want to ) Practical, simple and cost saving applications

You can keep your firewall (if you want to ) Practical, simple and cost saving applications of OpenDaylight you can implement today John Sobanski, Engineer, Solers Inc. July 2015 @OpenDaylightSDN #OpenSDN What You Will Learn today (By

872 views • 66 slides
Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats Key Management KDC Policy Symmetric keys Specification Asymmetric keys PKI Design Security Protocols Kerberos

617 views • 39 slides

More recommend