firewalls
play

Firewalls Chester Rebeiro IIT Madras Some of the slides borrowed - PowerPoint PPT Presentation

Mar 05, 2023 •299 likes •898 views

Firewalls Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Firewall Block unauthorized traffic flowing from one network to another Separate trusted and

  1. Firewalls Chester Rebeiro IIT Madras Some of the slides borrowed from the book ‘Computer Security: A Hands on Approach’ by Wenliang Du

  2. Firewall • Block unauthorized traffic flowing from one network to another • Separate trusted and untrusted components of a network • Main functionalities • Filtering data • Redirecting traffic • Protecting against network attacks 2

  3. Two schools of thought ● That which is not expressly forbidden is permitted ● That which is not expressly permitted is forbidden 3

  4. Firewall (less strict rules) Block these … firewall Protected Network Network That which is not expressly forbidden is permitted 4

  5. Firewall (strict rules) Permit these firewall Protected Network Network That which is not expressly permitted is forbidden 5

  6. An Ideal Firewall Requirements • All traffic between two trust zones should pass through the firewall. • Only authorized traffic, as designed by the security policy, should be allowed to pass through • The firewall itself must be immune to penetration, which implies using a hardened system with secured OS Actions • Accepted: Allowed to enter the protected network • Denied: Not permitted to enter the other side of the firewall • Rejected: Similar to `denied’, but tells the source about the decision through an ICMP packet 6

  7. Firewall Policy A firewall is as good as the rules that are being enforced by it. Rules are defined to provide the following controls for the traffic on the network: Examples: “Prevent any access from outside but allow traffic to flow from inside to the outside” “Allow traffic to enter from certain places, users, or for specific activities”

  8. Firewall Controls ● Service Control ○ Determines which services on internal hosts are accessible from outside ○ Reject all other incoming services ○ Outgoing service requests and corresponding responses may also be controlled ○ Filtering is based on the contents of IP packets and the type of requests ○ Example: Reject all HTTP requests unless directed to an official web server 8

  9. Firewall Control ● Behavior Control ○ Infringing organizational policy ○ Anti-social activities on a network ○ Suspected attack ○ Filtering action: ■ May be applicable at IP or TCP level ■ May require further interpretation of messages at a higher level ○ Example: Filtering of spam emails. Would require sender’s email address in message headers. May require to scan through the message contents. 9

  10. Firewall Control ● User Control ○ Discriminate between users ■ Some users can access external services, others can’t ■ Inhibit some users from gaining access to services 10

  11. Egress and Ingress Filtering Ingress Filtering Egress Filtering 11

  12. Types of Filters • Packet Filter • Stateful Filter • Application / Proxy Firewall 12

  13. Types of Filters • Packet Filter (aka Stateless firewall) • Stateful Filter ● Controls traffic based on the • Application / Proxy Firewall information in packet headers, without looking into the payload that contains application data. ● Doesn’t pay attention if the packet is a part of existing stream or traffic. ● Doesn’t maintain the states about packets. ● Also called Stateless Firewall. 13

  14. Types of Filters • Packet Filter (aka Stateless firewall) ● Tracks the state of traffic by monitoring all the connection • Stateful Filter interactions until closed. • Application / Proxy Firewall ● Connection state table is maintained to understand the context of packets. ● Example : Connections are only allowed through the ports that hold open connections. 14

  15. Types of Filters • Packet Filter (aka Stateless firewall) ● Controls input, output and access from/to an application or service. • Stateful Filter ● The client’s connection terminates at the • Application / Proxy Firewall proxy and a separate connection is initiated from the proxy to the destination host. ● Data on the connection is analyzed up to the application layer to determine if the packet should be allowed or rejected. ● Advantage : Ability to authenticate users directly rather than depending on network addresses of the system 15

  16. Netfilter: Linux Firewall Support • Each protocol stack in the Kernel defines a series of hooks along the packet’s traversal path in the stack • Kernel modules can be used to register callback functions to these hooks • Callbacks are appropriately invoked as a packet passes through the network stack • Callbacks take decisions to forward or drop packets 16

  17. Netfilter Hooks for IPv4 Packet forwarded to Other network Packet meant for local machine Packet generated by the local machine 17

  18. Netfilter Hooks for IPv4 Packet forwarded to Other network Packet meant for local machine Packet generated by the local machine 18

  19. Netfilter: Verdict on Packets (Return Values) NF_ACCEPT : Let the packet flow through the stack. NF_DROP : Discard the packet. NF_QUEUE : Pass the packet to the user space. Can be used to perform packet handling in user space. NF_STOLEN : Inform the netfilter to forget about this packet, The packet is further processed by the module. Typically use for stateful filtering, the module can store the packet fragments and analyze in a single context. NF_REPEAT : Request the netfilter to call this module again. 19

  20. Implementing a Simple Packet Filter Firewall The entire packet is provided here. The filtering logic is hardcoded here. Drop the packet if the destination TCP port is 23 (telnet) Decisions 20

  21. Implementing a Simple Packet Filter Firewall Hook this callback function Use this Netfilter hook Priority order for calling the hooks. Used Register the hook For example, when there are multiple modules connected to the same NF hook. 21

  22. Testing Our Firewall 22

  23. iptables Firewall in Linux ● iptables is a built-in firewall based on netfilter. ● Kernel part: Xtables; User-space program: iptables ● iptables use table to organize rules ○ Filters, nat, mangle, raw (stateful), security ● Chains are used to within a table and signify various hooks present in netfilter: PREROUTING: Triggered by the NF_IP_PRE_ROUTING hook. INPUT: Triggered by the NF_IP_LOCAL_IN hook. FORWARD: Triggered by the NF_IP_FORWARD hook. OUTPUT: Triggered by the NF_IP_LOCAL_OUT hook. POSTROUTING: Triggered by the NF_IP_POST_ROUTING hook. Chains control, where in the delivery path a rule will be evaluated. Each table has multiple chains, therefore one table can influence multiple points in the processing stack. 23

  24. Tables and Chains https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture#what-are- iptables-and-netfilter 24

  25. Tables and Chains Path taken for input packets Destined for the local machine Local socket https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture#what-are- iptables-and-netfilter 25

  26. Tables and Chains Path taken for input packets Destined for another machine Protected network https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture#what-are- iptables-and-netfilter 26

  27. iptable rules ● Each chain will have rules ● Each rule comprises of two parts: ○ Match: criteria that a packet must meet in order for the associated action to be executed ○ Target: action to be taken once if match is successful. ■ Terminating target: eg. Drop the packet ■ Non-terminating target: perform an action then continue further in the chain 27

  28. An example Add a rule to block the IP address 59.45.175.62 (-t is the table; filter is the default, therefore, here need not be specified) (-A is ADD to INPUT chain) Add a rule to drop packets going to IP 31.13.78.35 28

  29. Example continued … List the rules that are currently specified … 29 29

  30. Traversing Chains and Rule Matching Increase the TTL field of all packets by 5. Solution: Add a rule to the mangle table and choose a chain provided by netfilter hooks. We choose PREROUTING chain so the changes can be applied to all packets, regardless they are for the current host or for others. 30

  31. Modules (-m options) iptables – m option can be used to add specific modules, and there by creating user specific rules. owner: To specify rules based on user ids. Ex: To prevent user Alice from sending out telnet packets. Owner module can match packets based on the user/group id of the process that created them. Restricted only where uid/gid for a process can be determined. 31

  32. Iptables modules: Block a Specific User Option specific to module owner This rule drops the packets generated by any program owned by user seed. Other users are not affected. 32

  33. iptables modules Block ssh from certain IP addresses Block ssh and VNC (port 5901) from certain IP addresses https://www.booleanworld.com/depth-guide-iptables-linux-firewall/ 33

  34. Managing rules in a firewall ● In iptables, packets are sequentially compared against the rules until a match is found ○ Then appropriate target action is executed ● This does not scale with ○ Traffic speed ○ Number of rules 34

  35. Building a Simple Firewall Permit only ssh and http Packets to enter into the system Network No restriction on the outbound packets 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text

Firewalls CS461/ECE422 Spring 2012 Reading Material Text chapter 9 Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin,

501 views • 34 slides
Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Firewalls Characteristics Types Locations Firewalls Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08,

245 views • 23 slides
Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

CSE/ISE 311: Systems Administra5on Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on Firewalls: An Essen2al Tool Previous Lectures: Every service

469 views • 20 slides
GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework Giorgos Vasiliadis, FORTH-ICS, Greece Lazaros Koromilas, FORTH-ICS, Greece Michalis Polychronakis,

949 views • 56 slides
Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24 1.1.1.0/24 Rd .1 Ra .4.1 .4.4 1.1.0.0/16 Rc 2.2.2.0/24 .1 .4.2 .1 .23 Rb .47 Re .15.6 .99 1.1.2.0/24 4.4.4.0/24 .24 2 Firewall

708 views • 13 slides
Adaptive and Proactive Security Assessment on Energy Delivery Systems Carlos Rubio-Medrano, Vu

Adaptive and Proactive Security Assessment on Energy Delivery Systems Carlos Rubio-Medrano, Vu

Adaptive and Proactive Security Assessment on Energy Delivery Systems Carlos Rubio-Medrano, Vu Coughlin , Josephine Lamp, Ziming Zhao, Gail-Joon Ahn and Anna Scaglione Outline Activity Current/ OntoEDS ExSol EDSGuard Refresher Future Work

1.38k views • 41 slides
A seman(c firewall for Content Centric Networking IFIP/IEEE

A seman(c firewall for Content Centric Networking IFIP/IEEE

A seman(c firewall for Content Centric Networking IFIP/IEEE Integrated Network Management Symposium (IM 2013) - MC2: Security Management and Recovery May 27 - 31, 2013 David Goergen Thibault Cholez Jrme

665 views • 39 slides
Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro

Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro

Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro A. Aranda Gutirrez Holger Karl Computer Networks Group Universitt Paderborn Modernizing the setup Simple standard network setup

409 views • 21 slides
Security CS 4720 Web & Mobile Systems CS 4720

Security CS 4720 Web & Mobile Systems CS 4720

Security CS 4720 Web & Mobile Systems CS 4720 The Tradi/onal Security Model The Firewall Approach Keep the good guys in and the

442 views • 25 slides
Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the following network. Note that these are stateful , bidirectional firewalls . The only flags you need to worry about are SYN and SYN-ACK. The following

415 views • 3 slides
Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting

Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting

Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting of Port Connection Sequences Patrick F. Wilbur - wilburpf@clarkson.edu Department of Mathematics & Computer Science, Clarkson University

229 views • 9 slides

More recommend