firewall and ids ips what is a firewall
play

Firewall and IDS/IPS What is a firewall? firewall = wall to protect - PDF document

Dec 20, 2023 •375 likes •1.07k views

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

  1. Firewall and IDS/IPS What is a firewall?  firewall = wall to protect against fire propagation  controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security security level L1 level L2 INTERNAL NETWORK EXTERNAL NETWORK 1

  2. Ingress vs. Egress firewall  ingress firewall  incoming connections  typically to protect my public services  sometimes as part of an application exchange initiated by my users  egress firewall  outgoing connections  typically to check the activity of my personnel (!)  easy classification for channel-based services (e.g. TCP applications), but difficult for message-based services (e.g. ICMP, UDP applications) Firewall design ou don ’t “bu y ” a firewall, you design it! Y (you can buy its components)  we need to achieve an optimal trade-off ...  ... between security and functionality  ... with minimum cost 2

  3. The security index 0 20 40 60 80 100 security functionality 100 % 80 60 40 20 0 THE THREE COMMANDMENTS OF FIREWALL I. the FW must be the only contact point of the internal network with the external one II. only the “authorized” traffic can traverse the FW III. the FW must be a highly secure system itself D.Cheswick S.Bellovin 3

  4. Authorization policies “All that is not explictly permitted, is forbidden”  higher security  more difficult to manage “ All that is not explictly forbidden, is permitted”  lower security (open gates)  more easy to manage General concepts  the bigger an object, the more difficult to verify it  if a process has not been activated, its bugs are not relevant  “big is NOT beatiful” = minimal configuration  a FW is not a general-purpose machine:  minimal sw  no users  …  everybody is guilty unless he proves his innocence 4

  5. FW: basic components  screening router ( choke ) router that filters traffic at IP level  bastion host secure system, with auditing  application gateway ( proxy ) service that works on behalf of an application, with access control  dual-homed gateway system with two network cards and routing disabled A which level the controls are made? packet TCP stream application data headers UDP datagram application application gateway transport (TCP / UDP) circuit gateway network (IP) packet filter datalink physical 5

  6. "Screening router" architecture external network "Screening router" architecture  exploits the router to filter the traffic both at IP and upper levels  no need for dedicated hardware  no need for a proxy and hence no need to modify the applications  simple, easy, cheap and ... insecure! 6

  7. "Dual-homed gateway" architecture external network GW "Dual-homed gateway" architecture  easy to implement  small additional hardware requirements  the internal network can be masqueraded  unflexible  large work overhead 7

  8. "Screened host" architecture external network GW "Screened-host" architecture  router:  blocks the packets from INT to EXT unless they come from the bastion host  blocks the packets from EXT to INT unless they go to the bastion host  exception: directly enabled protocols  bastion host:  circuit/application level gateway to selectively enable some services 8

  9. "Screened-host" architecture  more expensive  more flexible  complex to manage: two systems rather one  possible selectively relax the controls over some services / hosts  only the hosts/protocols passing through the bastion can be masqueraded (unless the router offers the NAT functionality) "Screened subnet" architecture external network GW DMZ 9

  10. "Screened subnet" architecture  DMZ (De-Militarized Zone)  the DMZ is home not only to the gateway but also to other hosts (tipically the public servers):  Web  remote access  . . .  the routing may be configured so that the internal network is unknown  expensive "Screened subnet" architecture (version 2)  to reduce costs and simplify management often the routers are omitted (and their function incorporated into the gateway)  “three -legged firewall” GW internal network external network DMZ 10

  11. Filters at network level (I)  address checking (ingress / egress filtering)  disable incoming services (with exceptions):  e.g. TELNET only towards INET  e.g. incoming HTTP only to the DMZ web server  problem with FTP (the data transfer channel is always created by the server)  ICMP  is dangerous (used for denial-of-service) but useful (ping, traceroute) so don’t disable it, just rate -limit it  closely monitor REDIRECT packets Problem with FTP across a firewall firewall open FTP client FTP server (S,TCP ,21) (OK) put 21 (OK) 20 21 (???) open (C,TCP ,20) 11

  12. Passive FTP firewall open FTP client FTP server (S,tcp,21) (OK) pasv 21 (OK) (OK) port(1040) open (S,tcp,1040) (OK) 1040 20 (OK) file Filters at network level (II)  UDP  is a datagram service, not a virtual circuit (so its checking poses a higher load)  RPC uses random ports  it is suggested to completely disable it (but DNS)  distinguish internal and external interfaces  pay attention to the number of filtering rules and their order: this may drastically change performance 12

  13. Filtering points firewall filter outgoing forwarding packets engine incoming filter packets filter filter Filters on a router: an example  policy: mail for network 130.193 managed only by 130.193.2.1  sintax of CISCO router:  access-list 100 permit tcp 0.0.0.0 255.255.255.255 130.193.2.1 0.0.0.0 eq 25  access-list 101 deny tcp 0.0.0.0 255.255.255.255 130.193.0.0 0.0.255.255 eq 25 13

  14. Bastion host - configuration  should run only the relevant processes  must log (securely!) all its activities  network log onto an internal secure system  must have source routing disabled  must have IP forwarding disabled  should have “mouse traps” (e.g. fake ls ) Firewall technologies  different controls at various network levels:  (static) packet filter  stateful (dynamic) packet filter  cutoff proxy  circuit-level gateway / proxy  application-level gateway / proxy  stateful inspection  differences in terms of:  performance  protection of the firewall O.S.  keeping or breaking the client-server model 14

  15. Packet filter  historically available on routers  packet inspection at network level  IP header  transport header Packet filter: pros and cons  independent of applications  good scalability  approximate controls: easy to “fool” (e.g. IP spoofing, fragmented packets)  good performance  low cost (available on routers and in many OS)  difficult to support services with dynamically allocated ports (e.g. FTP)  complex to configure 15

  16. Packet filter & FTP  two choices available:  leave open all dynamic ports (>1024)  close all dynamic ports  difficult trade-off between security and support to FTP!! internal network open (S,tcp,21) pasv port(1040) open (S,tcp,1040) FTP client FTP server Stateful (dynamic) packet filter  similar to packet filter but “state - aware”  state informations from the transport or application level (e.g. FTP PORT command)  can distinguish new connections from those already open  state tables for open connections  packets matching one row in the table are passed without any further control  better performance than packet filter  still has many of the static packet filter limitations 16

  17. Application-level gateway  composed by a set of proxies inspecting the packet payload at application level  often requires modifications to the client application  may optionally mask / renumber the internal IP addresses  when used as part of a firewal, usually performs also peer authentication  top security!! (e.g. against buffer overflow of the target application) Application-level gateway (1)  rules are more fine-grained and simple than those of a packet filter  every application needs a specific proxy  delay in supporting new applications  heavy on resources (many processes)  low performance (user-mode processes)  completely breaks the client/server model  more protection for the server  may authenticate the client  not transparent to the client 17

  18. Application-level gateway (2)  the fw OS may be esposed to attacks  problems with application-level security techniques (e.g. SSL)  variants:  transparent proxy  less intrusive for the client  strong application proxy  only some commands/data are forwarded  this is the only correct configuration for an application proxy Application-level gateway & FTP  total control of the application session application space FTP proxy control control connection connection kernel space data data firewall OS connection connection server FTP client FTP 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and Exploitation Wojciech Mostowski and Erik Poll Digital Security Radboud University Nijmegen The Netherlands http://www.cs.ru.nl/~{woj,erikpoll}/

818 views • 42 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

533 views • 25 slides
Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of firewall configuration complexity leads to errors coordinated changes on many devices are hard multi-vendor environments make the job even

314 views • 28 slides
1 Four general techniques: Design goals: All traffic from inside to outside must pass

1 Four general techniques: Design goals: All traffic from inside to outside must pass

Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides . Fall 2008 CS 334: Computer Security 1

546 views • 5 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting,

Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting,

GRNET Firewall-On-Demand Service Andreas Polyrakis, GRNET 15-16 February 2012, 5 th TF-NOC meeting, Dubrovnik, Croatia Contents 2 Firewall-On-Demand Motivation & Technology background Implementation Future plans &

470 views • 26 slides
Weak State Routing for Large Scale Dynamic Networks Utku Gnay Acer, Shivkumar Kalyanaraman,

Weak State Routing for Large Scale Dynamic Networks Utku Gnay Acer, Shivkumar Kalyanaraman,

Weak State Routing for Large Scale Dynamic Networks Utku Gnay Acer, Shivkumar Kalyanaraman, Alhussein A. Abouzeid Rensselaer Polytechnic Institute Department of Electrical, Computer & Systems Engineering q Which area should we NOT be

625 views • 28 slides
Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer

Network Data Plane Network Data Plane Network Data Plane (S. S. Lam) 3/23/2017 1 Network layer d li delivers segments from s s ts f sending to receiving host application transport network sender encapsulates segments p g

912 views • 44 slides
Border Gateway Protocol: The Good, Bad, and Ugly of Internet Routing Jim Cowie, Chief Scientist

Border Gateway Protocol: The Good, Bad, and Ugly of Internet Routing Jim Cowie, Chief Scientist

Border Gateway Protocol: The Good, Bad, and Ugly of Internet Routing Jim Cowie, Chief Scientist @jimcowie / @DynResearch Stanford EE Computer Systems Colloquium 11 February 2015 On the menu today The Core Problem: Attribution and Belief on

1.68k views • 84 slides
IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already Here Monash IPv6 Progress Addressing End Systems Monitoring Network Address Usage Traffic Monitoring Problems IPv6 is Coming

779 views • 41 slides
Issues Jonathan Flintoft, Baker & McKenzie Rebecca Bedford, Minter Ellison 1 Introduction

Issues Jonathan Flintoft, Baker & McKenzie Rebecca Bedford, Minter Ellison 1 Introduction

Social Media and Advertising Issues Jonathan Flintoft, Baker & McKenzie Rebecca Bedford, Minter Ellison 1 Introduction 1. Contractual issues Addressing social media advertising in the franchise agreement Impact of permitting

843 views • 39 slides
My ste tep p by ste tep p system stem th that t generates new client enquiries and

My ste tep p by ste tep p system stem th that t generates new client enquiries and

My ste tep p by ste tep p system stem th that t generates new client enquiries and without expensive advertising or having to sell or cold calling HOW TO ASK QUESTIONS HOW TO ASK QUESTIONS HOW TO ASK QUESTIONS HOW TO ASK

1.44k views • 78 slides
Validating a technique for post-hoc estimation of a listener's focus in music structure analysis

Validating a technique for post-hoc estimation of a listener's focus in music structure analysis

Validating a technique for post-hoc estimation of a listener's focus in music structure analysis Jordan B. L. Smith National Institute of Advanced Industrial Science and Technology (AIST), Japan Elaine Chew Queen Mary University of London

442 views • 30 slides
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA,

879 views • 75 slides

More recommend