
Distributed Systems Firewalls: Defending the Network Paul - PowerPoint PPT Presentation



  1. Distributed Systems
     Firewalls: Defending the Network
     Paul Krzyzanowski
     pxk@cs.rutgers.edu
     Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License.

  2. inetd
     Most UNIX systems ran a large number of TCP services as dæmons
       – e.g., rlogin, rsh, telnet, ftp, finger, talk, …
     Later, one process, inetd, was created to listen to a set of ports and then spawn the service on demand
       – pass sockets as standard in/standard out file descriptors
       – servers don’t run unless they are in use

  3. TCP wrappers (tcpd)
     • Plug-in replacement to inetd
     • Restrict access to TCP services
       – Allow only specified machines to execute authorized services
       – Monitor and log requests
     • Specify rules in two files:
       – hosts.allow and hosts.deny
       – access:
         • grant access if service:client in /etc/hosts.allow
         • deny access if service:client in /etc/hosts.deny
         • otherwise allow access
     • support for booby traps (honeypots)
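The three-step decision on this slide (consult hosts.allow, then hosts.deny, otherwise allow) is the part of tcpd that is most often misunderstood: an empty hosts.deny means everything not explicitly allowed is still permitted. The following added example (not code from the slides or from the TCP wrappers project) models that decision order over constructed rule files. Only a subset of the real syntax is supported: `daemon : client` lines, comma lists, the `ALL` wildcard, and clients given as an address or CIDR prefix; real tcpd also handles hostnames, `LOCAL`, `EXCEPT` clauses and shell commands.

```python
import ipaddress

# Constructed sample rule files, one "daemon_list : client_list" per line.
HOSTS_ALLOW = """\
# allow ssh from the office network and ftp from one management host
sshd : 192.168.1.0/24
ftpd : 10.0.0.5
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Parse rule lines into (daemon set, client pattern set) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(({d.strip() for d in daemons.split(",")},
                      {c.strip() for c in clients.split(",")}))
    return rules


def client_matches(pattern, client_ip):
    """ALL matches everything; otherwise the client must fall in the prefix."""
    if pattern == "ALL":
        return True
    net = ipaddress.ip_network(pattern, strict=False)   # bare address -> /32
    return ipaddress.ip_address(client_ip) in net


def rule_matches(rules, service, client_ip):
    """True if any rule names this service (or ALL) for this client."""
    for daemons, clients in rules:
        if ("ALL" in daemons or service in daemons) and \
                any(client_matches(c, client_ip) for c in clients):
            return True
    return False


def access_granted(service, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match wins, then hosts.deny, else allow."""
    if rule_matches(parse_rules(allow), service, client_ip):
        return True
    if rule_matches(parse_rules(deny), service, client_ip):
        return False
    return True   # the "otherwise allow" default on the slide


if __name__ == "__main__":
    for svc, ip in [("sshd", "192.168.1.7"), ("sshd", "203.0.113.9"),
                    ("ftpd", "10.0.0.5"), ("telnetd", "192.168.1.7")]:
        print(svc, ip, "ALLOW" if access_granted(svc, ip) else "DENY")
```

The `ALL : ALL` line in hosts.deny is what turns the policy into default-deny; remove it (or pass `deny=""`) and `telnetd` from any host is accepted, which is the failure mode worth checking on a real system.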

  4. Firewalls
     Isolate trusted domain of machines from the rest of the untrusted world
       – move all machines into a private network
       – disconnect all other systems
       – untrusted users not allowed
     Not acceptable – we want to be connected
     Solution: protect the junction between a trusted internal network of computers and an external network with a firewall

  5. Firewalls
     Two major approaches to building firewalls:
       – packet filtering
       – proxies

  6. Packet filtering
     • Selective routing of packets
       – Between internal and external hosts
     • By routers, kernel modules, or firewall software
     • Allow or block certain types of packets
     Screening router
       – determine route and decide whether the packet should be routed

  7. Packet filtering: screening router
     (Figure: IP packet, header followed by data)
     Filter by
       – IP source address, IP destination address
       – TCP/UDP source port, TCP/UDP destination port
       – Protocol (TCP, UDP, ICMP, …)
       – ICMP message type
       – interface packet arrives on
       – destination interface
     Allow or block packets based on any/all fields
       – Block any connections from certain systems
       – Disallow access to “dangerous services”

  8. Packet filtering
     Stateless inspection
       – filter maintains no state
       – each packet examined on its own

  9. Packet filtering
     Stateful inspection
       – keep track of TCP connections (SYN, SYN/ACK packets)
         • e.g. no rogue packets when connection has not been established
       – “related” ports: allow data ports to be opened for FTP sessions
       – Port triggering (outbound port triggers other port access to be redirected to the originating system)
         • Generally used with NAT (Network Address Translation)
       – limit rates of SYN packets
         • avoid SYN flood attacks
       – Other application-specific filtering
         • Drop connections based on pattern matching
         • Rewrite port numbers in data stream
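Two of the items on this slide, handshake tracking (drop packets that do not belong to an established connection) and SYN rate limiting, can be shown in a few dozen lines. The following is an added example, not code from the slides or any real firewall: a toy connection tracker in which only hosts on a constructed internal prefix may open connections, a SYN/ACK is accepted only if it answers a tracked SYN, any other packet must match a tracked connection, and a source that sends more than `SYN_LIMIT` SYNs within `SYN_WINDOW` seconds has further SYNs dropped. Packets are plain dicts; connection teardown and the FTP "related" port logic are not modelled.

```python
import ipaddress
import time
from collections import defaultdict, deque

SYN_LIMIT = 3      # max SYNs per source within SYN_WINDOW (constructed threshold)
SYN_WINDOW = 1.0   # seconds


class StatefulFilter:
    """Pass only TCP packets that belong to a connection opened by a tracked
    SYN from the internal side; everything else is a rogue packet."""

    def __init__(self, internal_net):
        self.internal = ipaddress.ip_network(internal_net)
        self.conns = {}                       # (src, sport, dst, dport) -> state
        self.syn_times = defaultdict(deque)   # src -> timestamps of recent SYNs

    def _syn_rate_ok(self, src, now):
        q = self.syn_times[src]
        while q and now - q[0] > SYN_WINDOW:  # expire old SYNs from the window
            q.popleft()
        if len(q) >= SYN_LIMIT:
            return False                      # SYN flood mitigation: drop
        q.append(now)
        return True

    def handle(self, pkt, now=None):
        """Return "ACCEPT" or "DROP" for one packet and update the table."""
        now = time.monotonic() if now is None else now
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]

        if flags == {"SYN"}:                  # new connection attempt
            if ipaddress.ip_address(pkt["src"]) not in self.internal:
                return "DROP"                 # policy: only inside may originate
            if not self._syn_rate_ok(pkt["src"], now):
                return "DROP"
            self.conns[key] = "SYN_SENT"
            return "ACCEPT"

        if flags == {"SYN", "ACK"}:           # must answer a SYN we saw
            if self.conns.get(rev) == "SYN_SENT":
                self.conns[rev] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"

        # data / ACK / FIN: accept only on an established tracked connection
        if "ESTABLISHED" in (self.conns.get(key), self.conns.get(rev)):
            return "ACCEPT"
        return "DROP"                         # rogue packet, no handshake seen


def tcp(src, sport, dst, dport, *flags):
    """Build a constructed packet record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


if __name__ == "__main__":
    f = StatefulFilter("192.168.1.0/24")
    print(f.handle(tcp("192.168.1.5", 40000, "203.0.113.9", 80, "SYN"), now=0.0))
    print(f.handle(tcp("203.0.113.9", 80, "192.168.1.5", 40000, "SYN", "ACK"), now=0.1))
    print(f.handle(tcp("203.0.113.9", 80, "192.168.1.5", 40001, "ACK"), now=0.2))  # rogue
```

The inbound SYN check is the packet-filter half of the story; the state table is what lets the filter say "this ACK belongs to nothing" without any application knowledge, which is exactly what a stateless screening router cannot do.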

  10. Packet filtering
     Screening router
       – allows/denies access to a service
       – cannot protect operations within a service

  11. Packet filtering: rules

     Rule                                                        Action   Meaning
     Src addr=42.15.0.0/16, dest port=*                          Reject   Reject everything from 42.15.*.*
     Src addr=192.168.1.0/24, dest port=25                       Accept   Accept email (port 25) requests from 192.168.1.*
     Dest addr=192.168.1.0/24, dest port=*                       Reject   Reject all other requests from 192.168.1.*
     Src addr=128.6.0.0/16, Dest addr=192.168.2.3, dest port=22  Accept   Accept ssh (port 22) requests from 128.6.*.* to 192.168.2.3
     Dest addr=192.168.2.2, dest port=80                         Accept   Accept web (port 80) requests to a server at 192.168.2.2
     *                                                           Reject
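The table above is only meaningful together with an evaluation order, which the final `*  Reject` row implies: rules are tried top to bottom and the first match decides. The following added example (not code from the slides) encodes the six rows exactly as printed, including the third row's destination-address form, and evaluates constructed packets against them; `None` stands for the `*` wildcard, and ports are compared on the destination only, as in the table.

```python
import ipaddress

ANY = None   # the "*" wildcard in the rule table


def rule(src=ANY, dst=ANY, dport=ANY, action="Reject", note=""):
    return {"src": src, "dst": dst, "dport": dport, "action": action, "note": note}


# The rule table from the slide, in order; first match wins, last row is the default.
RULES = [
    rule(src="42.15.0.0/16", action="Reject",
         note="Reject everything from 42.15.*.*"),
    rule(src="192.168.1.0/24", dport=25, action="Accept",
         note="Accept email (port 25) requests from 192.168.1.*"),
    rule(dst="192.168.1.0/24", action="Reject",
         note="Reject all other requests from 192.168.1.* (encoded as on the slide)"),
    rule(src="128.6.0.0/16", dst="192.168.2.3", dport=22, action="Accept",
         note="Accept ssh (port 22) requests from 128.6.*.* to 192.168.2.3"),
    rule(dst="192.168.2.2", dport=80, action="Accept",
         note="Accept web (port 80) requests to a server at 192.168.2.2"),
    rule(action="Reject", note="default"),
]


def _addr_match(pattern, addr):
    """Wildcard, or the address lies inside the pattern's prefix (host -> /32)."""
    return pattern is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def evaluate(rules, src, dst, dport):
    """Return (action, note) of the first rule matching the packet."""
    for r in rules:
        if (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)
                and (r["dport"] is ANY or r["dport"] == dport)):
            return r["action"], r["note"]
    raise ValueError("rule set has no default rule")


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, destination port)
    for pkt in [("42.15.3.4", "192.168.2.2", 80), ("192.168.1.10", "192.168.2.5", 25),
                ("128.6.1.1", "192.168.2.3", 22), ("128.6.1.1", "192.168.2.3", 23),
                ("198.51.100.7", "192.168.2.2", 80), ("198.51.100.7", "192.168.1.9", 80)]:
        action, note = evaluate(RULES, *pkt)
        print(pkt, "->", action, "(" + note + ")")
```

Reordering the rows changes the policy: moving the default `Reject` to the top would reject everything, and placing the port-80 row before the `42.15.0.0/16` row would let that prefix reach the web server. That order sensitivity is why rule sets are best kept short and reviewed as a whole.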

  12. Proxy services
     • Application or server programs that run on firewall host
       – dual-homed host
       – bastion host
     • Take requests for services and forward them to actual services
     • provide replacement connections and act as gateway services
     • Application-level gateway
       – Stateful inspection and protocol validation

  13. Proxy services
     Proxies are effective in environments where direct communication is restricted between internal and external hosts
       – dual-homed machines and packet filtering

  14. Proxy example
     Checkpoint Software Technologies’ Firewall-1 mail proxy:
       – mail address translation: rewrite From:
       – redirect To:
       – drop mail from given address
       – strip certain MIME attachments
       – strip Received info on outbound mail
       – drop mail above given size
       – perform anti-virus checks on attachments
     Does not allow outsiders direct connection to a local mailer
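What distinguishes an application-level gateway from a packet filter is that it parses the protocol: the mail proxy on this slide makes decisions on headers, attachment types and message size, none of which a screening router can see. The following added example (not code from the slides and not Checkpoint's implementation) applies a constructed version of those policies to a message built with Python's `email` package: sender blocklist, size cap, attachment stripping by MIME type, `Received:` removal on outbound mail, and `From:` rewriting. The anti-virus check is left as a comment since it depends on an external scanner.

```python
from email.message import EmailMessage

# Constructed proxy policy (values are illustrative only).
BLOCKED_SENDERS = {"spammer@example.net"}
STRIPPED_TYPES = {"application/x-msdownload", "application/octet-stream"}
MAX_SIZE = 10_000                                   # bytes, whole message
FROM_REWRITE = {"alice@mail.internal.example": "alice@example.com"}


def filter_message(msg, outbound):
    """Return ("drop", None) or ("deliver", modified message)."""
    sender = str(msg["From"] or "")                 # plain address form assumed
    if sender in BLOCKED_SENDERS:
        return "drop", None                         # drop mail from given address
    if len(msg.as_bytes()) > MAX_SIZE:
        return "drop", None                         # drop mail above given size

    if msg.is_multipart():                          # strip certain MIME attachments
        kept = [p for p in msg.get_payload()
                if p.get_content_type() not in STRIPPED_TYPES]
        msg.set_payload(kept)
        # an anti-virus scan of each remaining attachment would go here

    if outbound:
        del msg["Received"]                         # hide internal relay path
        if sender in FROM_REWRITE:                  # mail address translation
            msg.replace_header("From", FROM_REWRITE[sender])
    return "deliver", msg


def build_sample():
    """Constructed outbound message with two attachments and relay headers."""
    msg = EmailMessage()
    msg["From"] = "alice@mail.internal.example"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "report"
    msg["Received"] = "from mail.internal.example by relay.internal.example"
    msg["Received"] = "from workstation.internal.example by mail.internal.example"
    msg.set_content("Report attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="tool.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


def attachment_types(msg):
    return [p.get_content_type() for p in msg.iter_attachments()]


if __name__ == "__main__":
    verdict, out = filter_message(build_sample(), outbound=True)
    print(verdict, out["From"], attachment_types(out), out.get_all("Received"))
```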

  15. Dual-homed host architecture
     • Built around dual-homed host computer
     • Disable ability to route between networks
       – packets from Internet are not routed directly to the internal network
       – services provided by proxy
       – users log into dual-homed host to access Internet
       – user accounts present security problems
     (Figure: Internet, dual-homed host, internal network, internal machines)

  16. Screened host architecture
     • Provides services from a host attached to internal network
     • Security provided by packet filtering
       – only certain operations allowed (e.g. deliver email)
       – outside connections can only go to bastion host
     • allow internal hosts to originate connections over Internet
     • if bastion host is compromised…
     (Figure: Internet, screening router, internal network with bastion host and internal machines)

  17. Screened subnet architecture
     Add extra level of isolation for internal network
       – Place any externally visible machines on a separate perimeter network (DMZ)
     (Figure: Internet, exterior router, DMZ network with bastion hosts / externally-visible services, interior router, internal network, internal machines)

  18. Screened subnet architecture
     Exterior router (access router)
       – protects DMZ and internal network from Internet
       – generally… allow anything outbound … that you need
       – block incoming packets from Internet that have forged source addresses
       – allow incoming traffic only for bastion hosts/services
     Interior router (choke router)
       – protects internal network from Internet and DMZ
       – does most of packet filtering for firewall
       – allows selected outbound services from internal network
       – limit services between bastion host and internal network
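The two routers on this slide enforce different policies, and the split is easier to see as code than as bullets. The following added example (not from the slides) expresses each router as a decision function over packets that carry the interface they arrived on. The exterior router applies the anti-spoofing check (a packet from the Internet must not claim a DMZ or internal source address) and admits inbound traffic only to listed bastion services; the interior router limits which outbound ports internal hosts may use and which bastion-to-internal flows exist. Interface names, prefixes and hosts are constructed, and return traffic is assumed to be handled by stateful tracking, so only connection-opening packets are judged here.

```python
import ipaddress

# Constructed topology (not from the slides).
INTERNET_IF, DMZ_IF, INTERNAL_IF = "eth0", "eth1", "eth2"
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Exterior router: the only (host, port) pairs reachable from the Internet.
BASTION_SERVICES = {("192.0.2.10", 25), ("192.0.2.20", 80), ("192.0.2.20", 443)}

# Interior router: services internal hosts may open outbound, and the only
# flows a bastion host may open into the internal network (mail relay here).
INTERNAL_OUTBOUND_PORTS = {22, 80, 443}
BASTION_TO_INTERNAL_FLOWS = {("192.0.2.10", "10.0.0.25", 25)}


def exterior_router_allows(pkt):
    """Access router policy for a connection-opening packet."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["in_if"] == INTERNET_IF:
        # anti-spoofing: our own address space never arrives from outside
        if src in DMZ_NET or src in INTERNAL_NET:
            return False
        # inbound only to bastion hosts/services
        return (pkt["dst"], pkt["dport"]) in BASTION_SERVICES
    # from the DMZ or interior side: allow anything outbound
    return True


def interior_router_allows(pkt):
    """Choke router policy for a connection-opening packet."""
    if pkt["in_if"] == INTERNAL_IF:
        # selected outbound services from the internal network
        return pkt["dport"] in INTERNAL_OUTBOUND_PORTS
    # arriving from the DMZ side: only the listed bastion-to-internal flows
    return (pkt["src"], pkt["dst"], pkt["dport"]) in BASTION_TO_INTERNAL_FLOWS


def pkt(in_if, src, dst, dport):
    return {"in_if": in_if, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    cases = [
        ("spoofed internal source from Internet", exterior_router_allows,
         pkt(INTERNET_IF, "10.0.0.5", "192.0.2.20", 80)),
        ("web to bastion from Internet", exterior_router_allows,
         pkt(INTERNET_IF, "198.51.100.7", "192.0.2.20", 80)),
        ("ssh to bastion from Internet", exterior_router_allows,
         pkt(INTERNET_IF, "198.51.100.7", "192.0.2.20", 22)),
        ("internal host https outbound", interior_router_allows,
         pkt(INTERNAL_IF, "10.0.0.5", "198.51.100.7", 443)),
        ("web bastion into internal mail", interior_router_allows,
         pkt(DMZ_IF, "192.0.2.20", "10.0.0.25", 25)),
    ]
    for label, router, p in cases:
        print(f"{label}: {'allow' if router(p) else 'block'}")
```

The last case is the one that matters when a bastion host is compromised: the web server in the DMZ cannot open a mail connection into the internal network because the interior router lists that flow for the mail bastion only.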

  19. Single router DMZ
     (Figure: a single exterior router with separate interfaces (Interface 1, Interface 2, Internal) connecting the Internet, the DMZ network of bastion hosts / externally-visible services, and the internal network of internal machines)

  20. Firewalling principles
     • It is easier to secure one or a few machines than a huge number of machines on a LAN
     • Focus effort on bastion host(s) since only they are accessible from the external network
     • All traffic between outside and inside must pass through a firewall
     • Deny overall
       – Turn everything off, then allow only what you need
     • Private network should never see security attacks
     • Be prepared for attacks from within
       – Infected machines

  21. The end
