Network Security: Continued CS 236 On-Line MS Program Networks and - - PowerPoint PPT Presentation

Lecture 10 Page 1 CS 236 Online

Network Security: Continued CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Firewall Configuration and Administration

  • Again, the firewall is the point of attack for intruders
  • Thus, it must be extraordinarily secure
  • How do you achieve that level of security?

Firewall Location

  • Clearly, between you and the bad guys
  • But you may have some different types of machines/functionalities
  • Sometimes makes sense to divide your network into segments
    – Typically, less secure public network and more secure internal network
    – Using separate firewalls

Firewalls and DMZs

  • A standard way to configure multiple firewalls for a single organization
  • Used when organization runs machines with different openness needs
    – And security requirements
  • Basically, use firewalls to divide your network into segments

A Typical DMZ Organization

[Diagram: The Internet, a firewall set up to protect your web server, the DMZ holding your web server, a firewall set up to protect your LAN, and your production LAN]

Advantages of DMZ Approach

  • Can customize firewalls for different purposes
  • Can customize traffic analysis in different areas of network
  • Keeps inherently less safe traffic away from critical resources

Dangers of a DMZ

  • Things in the DMZ aren’t well protected
    – If they’re compromised, provide a foothold into your network
  • One problem in DMZ might compromise all machines there
  • Vital that main network doesn’t treat machines in DMZ as trusted
  • Must avoid back doors from DMZ to network

Firewall Hardening

  • Devote a special machine only to firewall duties
  • Alter OS operations on that machine
    – To allow only firewall activities
    – And to close known vulnerabilities
  • Strictly limit access to the machine
    – Both login and remote execution

Keep Your Firewall Current

  • New vulnerabilities are discovered all the time
  • Must update your firewall to fix them
  • Even more important, sometimes you have to open doors temporarily
    – Make sure you shut them again later
  • Can automate some updates to firewalls
  • How about getting rid of old stuff?
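
As an added example (not part of the lecture), a small Python model of the two-firewall DMZ layout from slides 4 through 7 together with the temporary "open door" of slide 9. The zone names, the two rulesets and the one-hour expiry are constructed assumptions; real firewalls add connection tracking for return traffic, which this model leaves out.

```python
from dataclasses import dataclass
from typing import Optional

# Zones from the slide's layout: "internet", "dmz" (web server), "lan" (production LAN).
ZONES = ["internet", "dmz", "lan"]
FIREWALLS = ["outer", "inner"]   # outer sits between internet and dmz, inner between dmz and lan

@dataclass
class Rule:
    src: str
    dst: str
    dport: Optional[int] = None      # None matches any destination port
    expires: Optional[float] = None  # epoch seconds; a temporary "open door" (slide 9)
    comment: str = ""

def decide(rules, src, dst, dport, now=0.0):
    # First matching, still-valid accept rule wins; nothing matched means default deny.
    for r in rules:
        if r.expires is not None and now >= r.expires:
            continue                 # the temporary opening has lapsed
        if r.src == src and r.dst == dst and r.dport in (None, dport):
            return "accept"
    return "drop"

def path(src, dst):
    # Firewalls a packet crosses between two zones, in either direction.
    i, j = sorted((ZONES.index(src), ZONES.index(dst)))
    return FIREWALLS[i:j]

def build_rulesets(now=0.0):
    # Constructed rulesets for the two firewalls in the slide's DMZ picture (assumption).
    outer = [
        Rule("internet", "dmz", 443, comment="public HTTPS to the web server"),
        Rule("internet", "dmz", 80, comment="public HTTP to the web server"),
        Rule("lan", "internet", comment="staff traffic out"),
        Rule("internet", "dmz", 22, expires=now + 3600, comment="temporary vendor access; shut it later"),
    ]
    inner = [
        Rule("lan", "internet", comment="staff traffic out"),
        Rule("lan", "dmz", 22, comment="admins manage the web server from the LAN"),
        # Deliberately no dmz -> lan rule: a compromised DMZ host gets no foothold inward.
    ]
    return {"outer": outer, "inner": inner}

def allowed(rulesets, src, dst, dport, now=0.0):
    # Traffic must be accepted by every firewall on its path; a same-zone packet crosses none.
    return all(decide(rulesets[fw], src, dst, dport, now) == "accept" for fw in path(src, dst))
```

The expired rule is skipped rather than deleted, so a periodic sweep that reports such rules is the "shut them again later" step the slide asks for.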

Closing the Back Doors

  • Firewall security is based on assumption that all traffic goes through the firewall
  • So be careful with:
    – Wireless connections
    – Portable computers
    – Sneakernet mechanisms and other entry points
  • Put a firewall at every entry point to your network
  • And make sure all your firewalls are up to date

What About Portable Computers?

[Diagram: Local Café, with Bob, Carol, Xavier and Alice on their portable computers]

Now Bob Goes To Work . . .

[Diagram: Bob’s Office, with four workers’ machines and Bob’s portable computer now on the office network]

How To Handle This Problem?

  • Essentially quarantine the portable computer until it’s safe
  • Don’t permit connection to wireless access point until you’re satisfied that the portable is safe
    – Or put them in constrained network
  • Common in Cisco, Microsoft, and other companies’ products
    – Network access control
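
As an added example (not from the lecture or any vendor product), a Python sketch of the admission decision a network access control gate makes for Bob’s portable computer on slides 11 through 13. The posture attributes, the thresholds and the three outcomes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed posture requirements a gate might enforce before a portable joins the
# office network; the thresholds are assumptions, not from the lecture.
MAX_PATCH_AGE_DAYS = 14
MAX_AV_SIG_AGE_DAYS = 3

@dataclass
class Posture:
    host_firewall_on: bool
    days_since_patch: int
    days_since_av_update: int
    known_malware_found: bool

def failures(p: Posture):
    # Every requirement the portable currently fails; an empty list means it is safe to admit.
    reasons = []
    if not p.host_firewall_on:
        reasons.append("host firewall disabled")
    if p.days_since_patch > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patches out of date")
    if p.days_since_av_update > MAX_AV_SIG_AGE_DAYS:
        reasons.append("antivirus signatures stale")
    if p.known_malware_found:
        reasons.append("malware detected")
    return reasons

def admission(p: Posture):
    # Where the gate places the machine: the office LAN, the constrained remediation
    # network (slide 13's "constrained network", reaching only patch and AV servers),
    # or no connection at all for a machine already known to be infected.
    reasons = failures(p)
    if not reasons:
        return "lan"
    if p.known_malware_found:
        return "deny"
    return "quarantine"
```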

Single Machine Firewalls

  • Instead of separate machine protecting network,
  • A machine puts software between the outside world and the rest of machine
    – Under its own control
    – To protect itself
  • Available on most modern systems

Pros and Cons of Individual Firewalls

  + Customized to particular machine
    – Specific to local software and usage
  + Under machine owner’s control
  + Can use in-machine knowledge for its decisions
  + May be able to do deeper inspection
  + Provides defense in depth

Cons of Personal Firewalls

  − Only protects that machine
  − Less likely to be properly configured
    − Since most users don’t understand security well
    − And/or don’t view it as their job
    − Probably set to the default
  • On the whole, generally viewed as valuable