Firewalls – Computer Center, CS, NCTU (PowerPoint PPT Presentation)



  1. Firewalls

  2. Computer Center, CS, NCTU – Firewalls

  Firewall
  • A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy.
  • Choke point between the secured and unsecured network
  • Filters incoming and outgoing traffic that flows through your system

  What it can be used to do
  • To protect and insulate the applications, services and machines of your internal network from unwanted traffic coming in from the public Internet
    - Such as telnet, NetBIOS
  • To limit or disable access from hosts of the internal network to services of the public Internet
    - Such as MSN, ssh, ftp
  • To support NAT (Network Address Translation)

  3. Firewalls – Layers of Firewalls

  Network Layer Firewalls
  • Operate at a low level of the TCP/IP stack as IP-packet filters.
  • Filter attributes
    - Source/destination IP
    - Source/destination port
    - TTL
    - Protocols
    - …

  Application Layer Firewalls
  • Work on the application level of the TCP/IP stack.
  • Inspect all packets for improper content, a complex piece of work!

  Application Firewalls
  • The access control implemented by the applications themselves.

  4. Firewall Rules

  Two ways to create firewall rulesets
  • Exclusive
    - Allow all traffic through except for the traffic matching the rulesets
  • Inclusive
    - Allow traffic matching the rulesets and block everything else
    - Offers much better control of the outgoing traffic
    - Controls the type of traffic originating from the public Internet that can gain access to your private network
    - Safer than the exclusive one: reduces the risk of allowing unwanted traffic to pass, but increases the risk of blocking yourself with a wrong configuration

  Stateful firewall
  • Keeps track of which connections are opened through the firewall
  • Can be vulnerable to Denial of Service (DoS) attacks (the state table is a finite resource that can be exhausted)

  5. Firewall Packages

  FreeBSD
  • IPFILTER (known as IPF)
  • IPFIREWALL (known as IPFW) + Dummynet
  • Packet Filter (known as PF) + ALTQ

  Solaris
  • IPF

  Linux
  • ipchains
  • iptables

  6. Packet Filter (PF)

  Introduction
  • Packet filtering
  • Translation (NAT)
  • Alternate Queuing (ALTQ) for QoS, bandwidth limit
  • Load balance
  • Failover (pfsync + carp)
  • Firewall migrated from OpenBSD
    - http://www.openbsd.org/faq/pf/

  [Figure: a gateway with three uplinks (ADSL 1, ADSL 2, ADSL 3) in front of the LAN, load-balanced round-robin]

  7. PF in FreeBSD (1) – enabling pf

  Enable pf in /etc/rc.conf (pf.ko is loaded automatically)

      pf_enable="YES"

  Rebuild the kernel (only if pfsync or ALTQ is needed)

      # Enable "Packet Filter" firewall
      device pf
      # pseudo device to log traffic
      device pflog
      # pseudo device to monitor "state changes"
      # device pfsync
      options ALTQ
      options ALTQ_CBQ     # Class based queueing
      options ALTQ_PRIQ    # Priority queueing
      options ALTQ_RED     # Avoid network congestion (Random Early Detection)
      options ALTQ_RIO     # Avoid network congestion (RED In/Out)
      options ALTQ_HFSC    # Hierarchical Fair Service Curve

  Ref: http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html

  8. PF in FreeBSD (2) – enabling pflog

  Enable pflog in /etc/rc.conf (pflog.ko is loaded automatically)
  • pflog_enable="YES"
    - Logs to the pflog0 interface
    - tcpdump -i pflog0
  • pflog_logfile="/var/log/pflog"
    - tcpdump -r /var/log/pflog

  Create firewall rules
  • Default configuration rules
    - pf_rules="/etc/pf.conf"
  • Sample files
    - /usr/share/examples/pf/*

  9. PF in FreeBSD (3) – related commands

  PF rc script: /etc/rc.d/pf
  • start / stop / restart / status / check / reload

  PF command: pfctl
  • -e / -d  (enable / disable pf)
  • -F {nat | rules | state | info | Tables | all | …}  (flush)
  • -v -s {nat | rules | state | info | all | Anchors | Tables | …}  (show)
  • -v -n -f /etc/pf.conf  (parse the ruleset without loading it)
  • {-f | -A | -O | -N | -R} /etc/pf.conf  (load all / anchors / options / NAT / filter rules)
  • -t <table> -T {add | delete | test} {ip …}
  • -t <table> -T {show | kill | flush | …}
  • -k {host | network} [-k {host | network}]  (kill states)
  • -a {anchor} …
    - Ex. -a '*', -a 'ftp-proxy/*'

  10. PF in FreeBSD (4) – config ordering

  Macros
  • user-defined variables, so values can be referenced and changed easily.

  Tables ("table")
  • similar to macros, but efficient and more flexible for many addresses.

  Options ("set")
  • tune the behavior of pf; default values are given.

  Normalization ("scrub")
  • reassemble fragments and resolve or reduce traffic ambiguities.

  Queueing ("altq", "queue")
  • rule-based bandwidth control.

  Translation (NAT) ("rdr", "nat", "binat")
  • specify how addresses are to be mapped or redirected to other addresses
  • First-match rules

  Filtering ("antispoof", "block", "pass")
  • rule-based blocking or passing of packets
  • Last-match rules

  11. PF in FreeBSD (5) – Lists

  Lists
  • Allow the specification of multiple similar criteria within a rule
    - multiple protocols, port numbers, addresses, etc.
  • defined by specifying items within { } brackets.
  • eg.
    - pass out on rl0 proto { tcp, udp } from { 192.168.0.1, 10.5.32.6 } to any
    - pass in on fxp0 proto tcp to port { 22 80 }
  • Pitfall
    - pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }
    - You mean:
      1. pass in on fxp0 from 10.0.0.0/8
      2. block in on fxp0 from 10.1.2.3
    - It means (the list is expanded into two pass rules):
      1. pass in on fxp0 from 10.0.0.0/8
      2. pass in on fxp0 from !10.1.2.3
    - Use a table instead.
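As an added example (not from the slides), this Python simulation expands the list rule on this slide into separate rules the way PF does and applies last-match filtering with an implicit default block; the three sample source addresses are constructed.

```python
# Added example (not from the slides): why "pass in from { 10.0.0.0/8, !10.1.2.3 }"
# does not block 10.1.2.3. PF expands a list into one rule per item, and with
# filter rules the LAST matching rule wins (no "quick" here).
from ipaddress import ip_address, ip_network


def expand_list(action, items):
    """PF turns 'pass from { a, b }' into one 'pass from' rule per list item."""
    return [(action, item) for item in items]


def src_matches(item, addr):
    """Match one source spec of the form 'net' or '!net' (negated)."""
    negated = item.startswith("!")
    net = ip_network(item.lstrip("!"), strict=False)
    hit = ip_address(addr) in net
    return (not hit) if negated else hit


def evaluate(rules, addr, default="block"):
    """Last-match evaluation: every matching rule overrides the verdict so far."""
    verdict = default
    for action, item in rules:
        if src_matches(item, addr):
            verdict = action
    return verdict


# What the ruleset on the slide actually becomes after list expansion.
WRITTEN = expand_list("pass", ["10.0.0.0/8", "!10.1.2.3"])
# What the author meant: pass the /8, then block the single host.
INTENDED = [("pass", "10.0.0.0/8"), ("block", "10.1.2.3")]


def compare(addr):
    """Return (verdict under WRITTEN, verdict under INTENDED) for one source."""
    return evaluate(WRITTEN, addr), evaluate(INTENDED, addr)


if __name__ == "__main__":
    # Constructed sample sources: an allowed host, the host to exclude,
    # and an address outside 10/8 entirely.
    for src in ("10.5.32.6", "10.1.2.3", "203.0.113.7"):
        print(src, compare(src))
```

The second rule ("pass from !10.1.2.3") matches every address except the excluded host, so the written ruleset passes both 10.1.2.3 (via rule 1) and the whole outside world (via rule 2).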

  12. PF in FreeBSD (6) – Macros

  Macros
  • user-defined variables that can hold IP addresses, port numbers, interface names, etc.
  • reduce the complexity of a pf ruleset and also make maintaining a ruleset much easier.
  • Naming: start with [a-zA-Z] and may contain [a-zA-Z0-9_]
  • eg.
    - ext_if = "fxp0"
    - block in on $ext_if from any to any
  • Macro of macros
    - host1 = "192.168.1.1"
    - host2 = "192.168.1.2"
    - all_hosts = "{" $host1 $host2 "}"

  13. PF in FreeBSD (7) – Tables

  Tables
  • used to hold a group of IPv4 and/or IPv6 addresses
    - also hostnames, interface names, and the keyword self
  • Lookups against a table are very fast and consume less memory and processor time than lists
  • Two attributes
    - persist: keep the table in memory even when no rules refer to it
    - const: cannot be changed once the table is created
  • eg.
    - table <private> const { 10/8, 172.16/12, 192.168/16 }
    - table <badhosts> persist
    - block on fxp0 from { <private>, <badhosts> } to any
    - table <spam> persist file "/etc/spammers" file "/etc/openrelays"

  14. PF in FreeBSD (8) – Tables

  Tables – Address Matching
  • An address lookup against a table will return the most narrowly matching entry
  • eg.
    - table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
    - block in on dc0
    - pass in on dc0 from <goodguys>
  • Result
    - 172.16.50.5    passed
    - 172.16.1.25    blocked
    - 172.16.1.100   passed
    - 10.1.4.55      blocked
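An added Python example (not from the slides) of the narrowest-match table lookup described on this slide, checked against the four addresses of the slide's result list and then applied to the list pitfall of slide 11 to show why "use a table instead" works; the function names are my own.

```python
# Added example (not from the slides): PF <table> lookup semantics.
# A lookup returns the most narrowly matching entry (longest prefix);
# if that entry is negated, the address counts as NOT in the table.
from ipaddress import ip_address, ip_network


def parse_table(entries):
    """'!172.16.1.0/24' -> (IPv4Network('172.16.1.0/24'), negated=True)."""
    return [(ip_network(e.lstrip("!"), strict=False), e.startswith("!"))
            for e in entries]


def in_table(table, addr):
    """Longest-prefix match over all entries; negated best entry means 'not in table'."""
    a = ip_address(addr)
    best = None  # (network, negated) of the narrowest entry matched so far
    for net, negated in table:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


# The table from this slide.
GOODGUYS = parse_table(["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"])
# The slide-11 pitfall rewritten as a table: 10/8 minus one host.
PRIVATE_BUT_ONE = parse_table(["10.0.0.0/8", "!10.1.2.3"])


def verdict(addr, table=GOODGUYS):
    """'block in on dc0' followed by 'pass in on dc0 from <table>':
    only a positive table hit overrides the block."""
    return "pass" if in_table(table, addr) else "block"


if __name__ == "__main__":
    for src in ("172.16.50.5", "172.16.1.25", "172.16.1.100", "10.1.4.55"):
        print(src, verdict(src))
    print("10.1.2.3 via table:", verdict("10.1.2.3", PRIVATE_BUT_ONE))
```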

  15. PF in FreeBSD (9) – Options

  Format
  • control pf's operation; specified in pf.conf using "set"
    - Format: set option [sub-ops] value

  Options
  • loginterface – collect packet and byte count statistics for the given interface
  • ruleset-optimization – ruleset optimizer
    - none, basic, profile
    - basic: remove duplicates, remove subsets, combine into a table, re-order rules
  • block-policy – default behavior for blocked packets
    - drop, return
  • skip on {ifname} – interfaces for which packets should not be filtered.
    - eg. set skip on lo0
  • timeout, limit, optimization, state-policy, hostid, require-order, fingerprints, debug

  16. PF in FreeBSD (10) – Normalization

  Traffic Normalization
  • IP fragment reassembly
    - scrub in all
  • Default behavior
    - Fragments are buffered until they form a complete packet, and only the completed packet is passed on to the filter.
    - Advantage: filter rules have to deal only with complete packets and can ignore fragments.
    - Disadvantage: caching fragments has an additional memory cost.
    - The full reassembly method is the only method that currently works with NAT.

  17. PF in FreeBSD (11) – Queueing

      # $developerhosts and $employeehosts are macros that must be defined earlier in pf.conf
      altq on dc0 cbq bandwidth 5Mb queue { std, http }
      queue std bandwidth 10% cbq(default)
      # child queue names must match the queue definitions below
      queue http bandwidth 60% priority 2 cbq(borrow) { employees, developers }
      queue developers bandwidth 75% cbq(borrow)
      queue employees bandwidth 15%
      block return out on dc0 inet all queue std
      pass out on dc0 inet proto tcp from $developerhosts to any port 80 queue developers
      pass out on dc0 inet proto tcp from $employeehosts to any port 80 queue employees
      pass out on dc0 inet proto tcp from any to any port 22
      pass out on dc0 inet proto tcp from any to any port 25

  18. PF in FreeBSD (12) – Translation

  Translation
  • Modifies either the source or destination address of the packets
  • The translation engine modifies the specified address and/or port in the packet, and then passes it to the packet filter for evaluation.
  • Filter rules therefore filter on the translated address and port number
  • Packets are passed directly, skipping the filter rules, if the pass modifier is given in the translation rule
