firewalls
play

Firewalls David Parter University of Wisconsin Computer Sciences - PowerPoint PPT Presentation

Mar 11, 2023 •132 likes •965 views

Firewalls David Parter University of Wisconsin Computer Sciences Department Computer Systems Lab dparter@cs.wisc.edu November 11, 2010 1 Topics Firewall basics Types of Firewalls Deployment scenarios Related Technologies

  1. Firewalls David Parter University of Wisconsin Computer Sciences Department Computer Systems Lab dparter@cs.wisc.edu November 11, 2010 1

  2. Topics ● Firewall basics ● Types of Firewalls ● Deployment scenarios ● Related Technologies ● Real World Experience ● Summary ● Questions 2

  3. Firewall Basics ● Security model ● Types of firewalls ● Firewall rules 3

  4. Security Model ● Perimeter security ● Like a guard at the gate, checking ID badges ● Assumes that “inside” is trusted, “outside” is not ● Larger area inside perimeter -> more complexity, weaker security ● Smaller perimeter -> more specific security ● Applies predefined access rules 4

  5. Why Use a Firewall? ● Protect vulnerable services ● Poorly designed protocols ● Poorly implemented protocols/services ● Protect vulnerable computers/devices ● Poorly configured ● Can't be configured ● Can't be patched 5

  6. Why Use a Firewall? ● To protect an “appliance” ● Protect a system that can not be upgraded ● Version/upgrade restrictions from vendor ● ex: printers; data acquisition devices; scientific “instruments”; devices with customized & embedded versions of popular operating systems; devices with embedded web servers for configuration or control ... 6

  7. Why Use a Firewall? ● Defeat some denial of service (DOS) attacks ● If the firewall has enough bandwidth ● Considered an “easy” solution ● Satisfy “check-box” requirements ● Only need to deal with security in one place (not really an advantage from a total security point of view) 7

  8. Perimeter Security and Defense in Depth 8

  9. Improved Security: Reduced Perimeters 9

  10. Types of Firewalls ● Basic Technology Options: ● Packet Filtering (screening) ● Application Proxy ● Other Factors: ● State full vs. Stateless ● Router vs. Bridge ● Configuration/Security model 10

  11. Packet Filtering ● Acts like a router or bridge ● Does not modify network connections or packet headers ● Allow/Deny packets based on packet data ● Source, destination, port, etc ● Allow/Deny packets based on Input/Output interfaces ● physical or logical network topology 11

  12. Filter on packet data ● Layer 2: ● Source or Destination MAC addresses ● Layer 3: ● Source or Destination addresses, ports ● Protocol or Protocol details ● ex: disallow IP Source Routing ● disallow ICMP redirect packets ● disallow common “malicious” packet signatures 12

  13. Filter on packet data ● Layer 4: ● Service-specific (ex: by URL) ● Structured application data (URL) ● Unstructured application data (content) ● Full-text scan ● Example: email attachment types 13

  14. Packet Filtering 14

  15. Packet Filtering Rules ● Typically applied in a specific order ● First match applies ● One filter per rule ● Default rule? ● “Default Deny” safest ● Warning: implied default rule: Deny or Allow? 15

  16. Example Packet Filtering Rules: ● Protect 128.105.0.0 network with Cisco router access control lists ● Apply rules from top to bottom: deny ip 128.105.0.0 0.0.255.255 any permit tcp any 128.105.1.1 eq 25 permit tcp any 128.105.1.2 eq 80 permit tcp any 128.105.1.3 eq 22 deny icmp any any redirect log permit icmp any 128.105.1.4 echo deny icmp any any echo log deny ip any any log 16

  17. Example Packet Filtering Rules: ● Protect 128.105.0.0 network with OpenBSD pf: block in log all block in log quick on $campus_if from 128.105.0.0/16 to any pass in quick on $campus_if proto tcp from any to 128.105.1.1/32 port = 25 ... pass in quick on $cs_if proto tcp from 128.105.0.0/16 to any keep state 17

  18. Packet Filtering Advantages ● Can be placed at a few “strategic” locations ● Internet/Internal network border ● To isolate critical servers ● Efficient ● Simple concept 18

  19. Packet Filtering Advantages ● Widely available ● Implemented in most routers ● Implemented in most broadband modems and home devices ● Implemented in some network switches ● Firewall appliances ● Operating systems and software ● Specialized network interface cards with filtering capabilities 19

  20. Packet Filtering Disadvantages ● Hard to configure ● Rules can get complex ● Hard to test and verify rules ● Incomplete implementations ● Bugs often “fail unsafe” -- allowing unintended traffic to pass 20

  21. Packet Filtering Disadvantages ● Reduces router performance ● Some policies don't map to packet filtering 21

  22. Proxy Firewalls ● Specialized application to handle specific traffic ● Protocol gateways ● Creates new network connection, forwards data between “inside” and “outside” connection ● May apply service-specific rules and policies 22

  23. Transparent Proxies ● Not visible to sender or receiver ● Implement by intercepting and/or redirecting traffic to/from specific ports ● May complicate debugging of user problems (because proxy isn't visible to users) 23

  24. Non-Transparent Proxies ● Visible to sender and receiver ● most likely rewrites IP headers ● Requires client reconfiguration ● May require reconfiguration at “other” end too ● ex: change access lists to allow proxy IP, etc ● Example: Web caches/proxies 24

  25. Semi-transparent Proxies ● Not visible to client ● no client reconfiguration necessary ● Visible to “other” end ● all connections from proxy IP address ● Example: some web caches, load balancers ● Problems: servers that restrict access or keep state by [shared] client IP address 25

  26. Proxy Firewall 26

  27. Proxy Advantages ● Can do “intelligent” filtering ● Can perform user-level authentication ● Can use information from outside the connection or packet stream ● Can protect weak/faulty IP implementations ● Separate network connections to source, destination 27

  28. Proxy Advantages ● Can provide application/service-specific services or actions: ● data caching ● data/connection logging ● data filtering/selection or server selection based on source/destination or other status visible to proxy ● add or apply routing/bandwidth policy 28

  29. Proxy Disadvantages ● Need to write/install proxy for each service ● Lag time to develop proxy for new service ● May need dedicated proxy servers for each service ● Often need cooperation of clients, servers 29

  30. Dealing with Connections ● Typical scenario: ● Restrict incoming connections to specific services and servers ● Allow traffic to public web site ● Allow inbound e-mail to mail gateway ● Allow unlimited outgoing connections ● Employees can browse the web, send e-mail, etc 30

  31. TCP Connections ● Outbound new connections often from dynamic (unpredictable) source port ● Can't use firewall rule based on source port ● Destination may initiate another connection ● Can't use firewall rule based on source port ● Destination may be “well-known” port ● But not always 31

  32. TCP Connections ● Destination may move to dynamic port during connection establishment ● Issues for multi-homed servers: ● Make sure services are listening/replying with the correct address ● Either policy, or based on inbound packet destination address 32

  33. UDP “Connections” ● UDP is stateless ● “Connection” or “Session” implied by one or more packets from SRC to DST, one or more packets back ● May or may not be on “well-known” port ● May or may not be on same port as original traffic 33

  34. Handle TCP Connections Without Keeping State ● How to detect “established” TCP connections without keeping state? ● TCP is statefull, use TCP state information ● Established connections have ACK flag set ● “Established” keyword in many stateless firewalls allows incoming packets if ACK flag set ● Can be exploited by faking packets with ACK flag set 34

  35. Handle UDP Connections Without Keeping State? ● Can't be done ● UDP is stateless, not enough information in UDP packets 35

  36. Keeping State ● Stateless firewalls easy to implement ● memory/CPU requirements are low ● no routing impact ● but can only act on information from the packet 36

  37. Keeping State ● Statefull/Dynamic firewalls have more information to use in decision making ● Keeping state is more complicated, requires more CPU and memory ● Proxy Firewalls often keep state ● But packet filtering firewalls can be statefull too 37

  38. Using State Information: TCP ● Keep Track of outbound TCP packets: ● If match on existing session, update session data ● If session setup packet (SYN, no ACK), create new session in state table ● keep until session ended ● If session shutdown packet ● delete session from state table 38

  39. Using State Information: TCP ● Inbound TCP packets: ● match to existing TCP session: allow packet ● Otherwise, reject packet ● Track TCP session state, delete session from state table when finished 39

  40. Using State Information: UDP ● Keep track of outbound UDP packets: ● If match on existing “session”, update session data ● Otherwise, create new “session” in state table ● Keep session state for some time interval ● Inbound UDP packets: ● Match to existing “session” -> allow packet ● Otherwise, reject packet 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text chapter 9 Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin,

501 views • 34 slides
Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Firewalls Characteristics Types Locations Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08,

245 views • 23 slides
Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

CSE/ISE 311: Systems Administra5on Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on Firewalls: An Essen2al Tool Previous Lectures: Every service

469 views • 20 slides
Zero Trust & The Flaming Sword of Justice Dave Lewis, Global Advisory CISO September 26th,

Zero Trust & The Flaming Sword of Justice Dave Lewis, Global Advisory CISO September 26th,

Zero Trust & The Flaming Sword of Justice Dave Lewis, Global Advisory CISO September 26th, 2018 Please Allow Me To Introduce Myself.. #WHOAMI Dave Lewis, Global Advisory CISO Castles Dont Scale Dont trust something just because

880 views • 44 slides
About Me CEO & Co-Founder at Snyk Find & Fix vulnerabilities in open source

About Me CEO & Co-Founder at Snyk Find & Fix vulnerabilities in open source

Developer as a Malware Distribution Vehicle Guy Podjarny (@guypod) @guypod About Me CEO & Co-Founder at Snyk Find & Fix vulnerabilities in open source dependencies! Founder @Blaze, CTO @Akamai Security work since

1.41k views • 119 slides
Web 2.0 Securing the Brave New World May 23, 2007 Agenda Web 2.0 What Is It?

Web 2.0 Securing the Brave New World May 23, 2007 Agenda Web 2.0 What Is It?

Web 2.0 Securing the Brave New World May 23, 2007 Agenda Web 2.0 What Is It? Security Implications, and an Example Some Emerging Use of Technology Whats Needed Web 2.0 Non-Technical Issues A Modest

395 views • 18 slides
Soteria: Offline Software Protection within Low-cost Embedded Devices Johannes Gtzfried ,

Soteria: Offline Software Protection within Low-cost Embedded Devices Johannes Gtzfried ,

Dagstuhl16: Adaptive Isolation for Predictability and Security Wadern, Germany Soteria: Offline Software Protection within Low-cost Embedded Devices Johannes Gtzfried , Tilo Mller , Ruan de Clercq , Pieter Maene , Felix

581 views • 20 slides
Client Puzzles Defending Against Denial-of- Service Attacks with Puzzle Auctions Outline

Client Puzzles Defending Against Denial-of- Service Attacks with Puzzle Auctions Outline

Client Puzzles Defending Against Denial-of- Service Attacks with Puzzle Auctions Outline Motivation Auction Protocol TCP Puzzle Auction TCP Client Puzzle Implementation Experiment Results Questions Defending Against

761 views • 30 slides
Advanced SSH(1) Advanced SSH(1) Prerequisites We wont cover these anymore ~/.ssh/config

Advanced SSH(1) Advanced SSH(1) Prerequisites We wont cover these anymore ~/.ssh/config

Advanced SSH(1) Advanced SSH(1) Prerequisites We wont cover these anymore ~/.ssh/config public-key authentication Ed25519 or RSA Port Forwardings scp(1), sftp(1) tar cf - ./files | xz | pv | \ ssh $host cat ">"

1.01k views • 72 slides
Session 6 Network Protections: DoS, Firewall and IDS Sbastien Combfis Fall 2019 This work

Session 6 Network Protections: DoS, Firewall and IDS Sbastien Combfis Fall 2019 This work

I5020 Computer Security Session 6 Network Protections: DoS, Firewall and IDS Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. Objectives

1.08k views • 53 slides
AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used by our faculty, our corporate mobile app users, corporate systems and students, the adoption rate is growing healthy at a steady rate. We are moving

452 views • 17 slides

More recommend