Information Security &
Privacy
AlBaha University
Faculty of Computer Science and Information Technology
Department of Computer Science
Dr. Sonia ABDELKARIM
Network Security
Firewalls
Chapter 8
Introduction
• Functionality and design principles
• Firewall characteristics
• Security of firewalls
• Concept of a trusted system or secure operating system
Firewalls and Network
Defense
• Firewalls can be an effective means of protecting a local system or network from network-based security threats
• At the same time, they offer access to the outside world via WANs and the Internet
Information System Evolution
• Central mainframe with directly connected terminals
• LANs interconnecting PCs and a mainframe
• Networks consisting of several LANs, PCs, servers, and a mainframe or two
• Enterprise-wide network with multiple distributed networks, connected through a WAN
• Internet connectivity: all networks connected through the Internet, and they may or may not also be connected by a private WAN
Firewall Design Principles
• Internet connectivity is no longer optional for most organizations
• It provides benefits but also threats
• Each workstation could be equipped with intrusion protection, but this is not practical
• An alternative is a firewall, used to protect the network from Internet-based attacks
Firewalls
• Idea: separate local network from the Internet
[Figure: trusted hosts and networks (the intranet) sit behind the firewall and router; the DMZ (demilitarized zone) holds the publicly accessible servers and networks]
Firewall Characteristics
• All traffic in both directions (inside <-> outside) must pass through the firewall
• Only authorized traffic, allowed by the local security policy, is allowed to pass
• The firewall is immune to penetration and provides perimeter defense
Castle and Moat Analogy
• More like the moat around a castle than a firewall
• Restricts access from the outside
• Restricts outbound connections, too (!!)
• Important: filter out undesirable activity from internal hosts!
Firewall Limitations
• Cannot protect from attacks that bypass it
• e.g. sneaker net, utility modems, trusted organizations, trusted services (e.g. SSL/SSH)
• Cannot protect against internal threats
• e.g. a disgruntled employee
• Cannot protect against the transfer of all virus-infected programs or files
• because of the huge range of OS and file types
Firewall Locations in the Network
• Between the internal LAN and the external network
• At the gateways of sensitive sub-networks within the organizational LAN
• Payroll’s network must be protected separately within the corporate network
• On end-user machines
• “Personal firewall”
• Microsoft’s Internet Connection Firewall (ICF) comes standard with Windows XP
Firewall Types
• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways
Firewalls – Packet Filters
[Figure: OSI layers addressed by packet filters]
Firewall Types: Packet Filters
• Packet- or session-filtering router (filter)
• filters packets in both directions, based on IP address, IP protocol and interface
• set up as a list of rules, based on matches to fields
• if there is a match, the rule is invoked
• otherwise a default action is taken
• default = discard: anything not expressly permitted is prohibited, OR
• default = forward: anything not expressly prohibited is permitted
• Advantages: simplicity and speed
• Weaknesses: cannot prevent attacks that employ application-specific vulnerabilities; limited logging functionality; no support for advanced user authentication; vulnerable to network-layer address spoofing and to security breaches caused by improper configuration
Packet Filtering
• For each packet, the firewall decides whether to allow it to proceed
• Decision must be made on a per-packet basis
• Stateless; cannot examine the packet’s context (TCP connection, application to which it belongs, etc.)
• To decide, use the information available in the packet
• IP source and destination addresses, ports
• Protocol identifier (TCP, UDP, ICMP, etc.)
• TCP flags (SYN, ACK, RST, PSH, FIN)
• ICMP message type
• Filtering rules are based on pattern-matching
Packet Filtering Examples
[Figure/table: example packet-filtering rule sets; not reproduced in the text]
Stateless Filtering Is Not Enough
• In TCP connections, ports with numbers less than 1024 are permanently assigned to servers
• 20, 21 for FTP, 23 for telnet, 25 for SMTP, 80 for HTTP…
• Clients use ports numbered from 1024 to 16383
• They must be available for clients to receive responses
• What should a firewall do if it sees, say, an incoming request to some client’s port 5612?
• It must allow it: this could be a server’s response in a previously established connection…
• …OR it could be malicious traffic
• Can’t tell without keeping state for each connection
Firewalls – Stateful Packet Filters
• examine each IP packet in context
• keep track of client-server sessions
• check that each packet validly belongs to one
• better able to detect bogus packets that are out of context
Example: Variable Port Use
[Figure: inbound SMTP and outbound SMTP connections]
Session Filtering
• Decision is still made separately for each packet, but in the context of a connection
• If it is a new connection, check it against the security policy
• If it is an existing connection, look it up in the table and update the table if necessary
• Only allow incoming traffic to a high-numbered port if there is an established connection to that port
• Hard to filter stateless protocols (UDP) and ICMP
• Typical filter: deny everything that’s not allowed
• Must be careful when filtering out service traffic such as ICMP
• Filters can be bypassed with IP tunneling
Example: Connection State Table
[Figure: connection state table; not reproduced in the text]
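The following is an added example, not part of the lecture: a minimal stateful filter in Python that keeps the connection table the session-filtering slides describe, so that an unsolicited packet to a client's high port (the port 5612 case above) is denied while the genuine reply in a session the inside host opened is permitted. The inside prefix 10.0.0., the policy and all addresses are constructed for the example.

```python
# Added example, not from the lecture: a minimal stateful (session) filter for
# TCP. The table is keyed by (client, client port, server, server port) and
# records sessions that inside hosts opened, so an inbound packet to a high
# client port such as 5612 is permitted only if it belongs to one of them.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of TCP flags
INSIDE_PREFIX = "10.0.0."  # constructed: addresses with this prefix are "inside"

class StatefulFilter:
    def __init__(self, policy):
        self.policy = policy  # {(server, port)} that inside hosts may connect to
        self.table = {}       # (client, cport, server, sport) -> session state

    def check(self, pkt):
        """Return 'permit' or 'deny' for pkt and update the connection table."""
        outbound = pkt.src.startswith(INSIDE_PREFIX) and not pkt.dst.startswith(INSIDE_PREFIX)
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:            # packet of a tracked session
                if "RST" in pkt.flags:
                    del self.table[key]      # an abort tears the session down
                return "permit"
            # A new session must begin with a bare SYN and be allowed by policy
            if pkt.flags == frozenset({"SYN"}) and (pkt.dst, pkt.dport) in self.policy:
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"                    # out-of-context outbound packet
        # Inbound: the reversed tuple must already be in the table
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return "deny"                    # unsolicited, e.g. a forged "reply"
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "ESTABLISHED"
        return "permit"

def demo():
    """Constructed traffic: inside client 10.0.0.5, web server 192.0.2.10, stranger 198.51.100.7."""
    fw = StatefulFilter(policy={("192.0.2.10", 80)})
    srv_reply = Packet("192.0.2.10", 80, "10.0.0.5", 5612, frozenset({"SYN", "ACK"}))
    forged = Packet("198.51.100.7", 80, "10.0.0.5", 5612, frozenset({"SYN", "ACK"}))
    return [fw.check(srv_reply),                                                      # deny: no session yet
            fw.check(Packet("10.0.0.5", 5612, "192.0.2.10", 80, frozenset({"SYN"}))),  # permit: new session
            fw.check(srv_reply),                                                      # permit: matches table
            fw.check(forged),                                                         # deny: wrong peer
            fw.check(Packet("10.0.0.5", 5613, "192.0.2.10", 23, frozenset({"SYN"})))]  # deny: not in policy
```

Session teardown is reduced to RST here; a production tracker also follows the FIN exchange and expires idle entries, and UDP or ICMP would need the pseudo-sessions the slide calls hard to filter.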
Example: FTP
(borrowed from Wenke Lee)
[Figure: FTP server with data port 20 and command port 21; FTP client on an external host with ports 5150 and 5151]
• Client opens a command channel to the server from a random port; tells the server its second port number
• Server acknowledges
• Server opens a data channel to the client’s second port
• Client acknowledges
FTP Packet Filter
The following filtering rules allow a user to FTP from any IP address to the FTP server at 172.168.10.12:
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
interface Ethernet 0
 ip access-group 100 in ! Apply the first list to inbound traffic
 ip access-group 101 out ! Apply the second list to outbound traffic
!
Anything not explicitly permitted by the access list is denied!
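As an added example (not from the lecture and not Cisco code), the Python below interprets the access-list lines above in the stateless way the packet-filter slides describe: rules are tried top-down, the first match decides, and anything not expressly permitted is denied. Only the syntax used on the slide is parsed; the client address 203.0.113.9 and the client ports are constructed.

```python
# Added example, not from the lecture and not Cisco code: a tiny interpreter for
# the slide's access-list lines. Rules are tried top-down, the first match
# decides, and a packet matching no rule is denied (the implicit default).
ACL_TEXT = """
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
"""  # the four rules from the slide; list 100 is inbound, 101 outbound
def _addr(t, i):  # 'any' or 'host A.B.C.D' at t[i] -> (address, next index)
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError("unsupported address spec: " + t[i])

def _port(t, i):  # optional 'eq N' / 'gt N' at t[i] -> (test or None, next index)
    if i < len(t) and t[i] in ("eq", "gt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Return {list number: [(action, proto, src, sport, dst, dport), ...]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split("!")[0].split()  # '!' starts a comment
        if t and t[0] == "access-list":
            src, i = _addr(t, 4)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, _ = _port(t, i)
            acls.setdefault(t[1], []).append((t[2], t[3], src, sport, dst, dport))
    return acls

def _port_ok(test, port):
    return test is None or (port == test[1] if test[0] == "eq" else port > test[1])
def evaluate(rules, proto, src, sport, dst, dport):  # first match wins
    for action, p, rs, rsp, rd, rdp in rules:
        if (p == proto and rs in ("any", src) and rd in ("any", dst)
                and _port_ok(rsp, sport) and _port_ok(rdp, dport)):
            return action
    return "deny"

ACLS = parse_acl(ACL_TEXT)
def demo():  # client address 203.0.113.9 is constructed for the example
    return [evaluate(ACLS["100"], "tcp", "203.0.113.9", 40001, "172.168.10.12", 21),  # permit
            evaluate(ACLS["100"], "tcp", "203.0.113.9", 40001, "172.168.10.12", 23),  # deny: no rule
            evaluate(ACLS["100"], "tcp", "203.0.113.9", 80, "172.168.10.12", 21),     # deny: sport not > 1023
            evaluate(ACLS["101"], "tcp", "172.168.10.12", 20, "203.0.113.9", 40002)]  # permit
```

Because evaluate() sees only the one packet, list 101 permits anything from the server's port 20 to any high port whether or not that client ever opened an FTP session, which is exactly the gap the stateful-filtering slides address.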
Thank You