8: Network Management 1
Firewalls
Firewalls
Firewall: isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
Two firewall types:
• packet filter
• application gateways
Goals:
• To prevent denial of service attacks, e.g. SYN flooding: attacker establishes many bogus TCP connections; the attacked host allocates TCP buffers for the bogus connections, leaving none for “real” connections.
• To prevent illegal modification of internal data, e.g., attacker replaces CIA’s homepage with something else.
• To prevent intruders from obtaining secret info.
Packet Filtering
Internal network is connected to the Internet through a router.
Router manufacturer provides options for filtering packets, based on:
• source IP address
• destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
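To make the two examples concrete, here is an added toy stateless packet filter (example code, not from the slides): packets are plain records carrying the header fields the slide lists, rules are evaluated first-match, and the rule set encodes Example 1, Example 2 and the telnet-only-via-gateway exception the next slide describes. The gateway address 10.0.0.2, the internal host 10.0.0.5 and the 203.0.113.0/24 external hosts are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
GATEWAY_IP = "10.0.0.2"      # assumed address of the site's application gateway


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" = from the Internet, "out" = to the Internet
    proto: int               # IP protocol field
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False        # TCP flag bits; ignored for non-TCP
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is not None equals the packet's."""
    action: str              # "allow" or "deny"
    comment: str
    direction: Optional[str] = None
    proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    port: Optional[int] = None     # matches either the source or the dest port
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        wanted = [(self.direction, p.direction), (self.proto, p.proto),
                  (self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip),
                  (self.ack, p.ack)]
        if any(w is not None and w != have for w, have in wanted):
            return False
        return self.port is None or self.port in (p.src_port, p.dst_port)


def decide(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; traffic no rule mentions is allowed, since the
    slides' examples only say what to block."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "allow", "default: no rule matched"


# Rule set built from the slides. Example 1 is read as two rules (block UDP,
# block telnet on either port), matching the slide's own gloss that all UDP
# flows and all telnet connections are blocked. The two gateway rules are the
# exception the application-gateway slide needs; a stateless filter must also
# admit replies to the gateway's sessions, which is where the ACK bit helps.
RULES = [
    Rule("allow", "telnet opened by the application gateway",
         proto=PROTO_TCP, src_ip=GATEWAY_IP, port=23),
    Rule("allow", "replies to the gateway's telnet sessions",
         direction="in", proto=PROTO_TCP, dst_ip=GATEWAY_IP, port=23, ack=True),
    Rule("deny", "Example 1: IP protocol 17 (UDP)", proto=PROTO_UDP),
    Rule("deny", "Example 1: telnet, port 23 as source or dest", port=23),
    Rule("deny", "Example 2: inbound TCP with ACK=0 (connection attempt)",
         direction="in", proto=PROTO_TCP, ack=False),
]

if __name__ == "__main__":   # constructed packets; 203.0.113.0/24 is a documentation range
    for pkt in [Packet("out", PROTO_UDP, "10.0.0.5", "203.0.113.53", 5353, 53),
                Packet("in", PROTO_TCP, "203.0.113.9", "10.0.0.5", 40000, 23, syn=True),
                Packet("in", PROTO_TCP, "203.0.113.80", "10.0.0.5", 80, 40002, syn=True, ack=True)]:
        print(pkt.direction, pkt.src_ip, "->", pkt.dst_ip, decide(RULES, pkt))
```

Note that without the second gateway rule the filter would drop the remote host's replies to the gateway's own telnet sessions; that is the price of filtering statelessly.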
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote host telnet session, router and filter]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
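As an added example (not code from the slides or from any product they mention), a stripped-down application gateway for steps 1 and 2 above: it demands a login on the host-to-gateway connection, opens the gateway-to-remote connection only for an authorized user, and relays bytes between the two. The user list, the destination 203.0.113.9 and the `connect_remote` hook (sockets are injected so the logic can be exercised offline over `socket.socketpair()`) are assumptions; telnet option negotiation is omitted.

```python
import select
import socket
from typing import Callable, Optional, Tuple

AUTHORIZED_USERS = {"alice", "bob"}        # constructed allow-list of internal users


def read_line(sock: socket.socket, limit: int = 256) -> bytes:
    """Read one line byte by byte so nothing beyond it is consumed; bytes after
    the newline belong to the relayed session, not to the login."""
    buf = bytearray()
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:                       # client went away mid-login
            break
        buf += chunk
    return bytes(buf)


def authorize(client: socket.socket) -> Optional[str]:
    """Step 1: every user must identify to the gateway before anything else."""
    client.sendall(b"gateway login: ")
    user = read_line(client).strip().decode(errors="replace")
    if user not in AUTHORIZED_USERS:
        client.sendall(b"denied\n")
        return None
    return user


def relay(a: socket.socket, b: socket.socket) -> int:
    """Copy bytes both ways until either side closes. Returns bytes moved."""
    peer = {a: b, b: a}
    moved = 0
    while True:
        ready, _, _ = select.select(list(peer), [], [])
        for s in ready:
            data = s.recv(4096)
            if not data:                    # one side hung up: tear down both
                return moved
            peer[s].sendall(data)
            moved += len(data)


def serve(client: socket.socket,
          connect_remote: Callable[[Tuple[str, int]], socket.socket],
          dest: Tuple[str, int]) -> int:
    """Handle one host-to-gateway session: authorize, then (step 2) open the
    gateway-to-remote session and relay. Unauthorized users never reach dest."""
    user = authorize(client)
    if user is None:
        client.close()
        return 0
    remote = connect_remote(dest)
    client.sendall(f"connected {user} to {dest[0]}:{dest[1]}\n".encode())
    try:
        return relay(client, remote)
    finally:
        client.close()
        remote.close()


def connect_tcp(dest: Tuple[str, int]) -> socket.socket:
    """In a real deployment the gateway dials the destination itself."""
    return socket.create_connection(dest, timeout=10)
```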
Limitations of firewalls and gateways
• IP spoofing: router can’t know if data “really” comes from claimed source.
• If multiple applications need special treatment, each has its own application gateway.
• Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser.
• Filters often use an all-or-nothing policy for UDP.
• Tradeoff: degree of communication with the outside world vs. level of security.
• Many highly protected sites still suffer from attacks.
Reference material: Firewalls
Acknowledgements
Professor Insup Lee
Department of Computer and Information Science
University of Pennsylvania, www.cis.upenn.edu/~lee
Why do we need firewalls?
What is a firewall?
Two goals:
• To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
• To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network.
Basic idea: impose a specifically configured gateway machine between the outside world and the site’s inner network. All traffic must first go to the gateway, where software decides whether to allow or reject it.
What is a firewall
A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.
The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system
Firewalls DON’T
• Protect against attacks that bypass the firewall, e.g., dial-out from an internal host to an ISP
• Protect against internal threats: a disgruntled employee, or an insider who cooperates with an external attacker
• Protect against the transfer of virus-infected programs or files
Types of Firewalls
• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls
Packet Filtering Routers
• Forward or discard IP packets according to a set of rules
• Filtering rules are based on fields in the IP and transport header
What information is used for filtering decision?
• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit
Web Access Through a Packet Filter Firewall
[Stein]
Packet Filtering Routers: pros and cons
Advantages:
• Simple
• Low cost
• Transparent to user
Disadvantages:
• Hard to configure filtering rules
• Hard to test filtering rules
• Don’t hide network topology (due to transparency)
• May not be able to provide enough control over traffic
• Throughput of a router decreases as the number of filters increases
Application Level Gateways (Proxy Server)
A Telnet Proxy
A sample telnet session
Application Level Gateways (Proxy Server): pros and cons
Advantages:
• Complete control over each service (FTP/HTTP…)
• Complete control over which services are permitted
• Strong user authentication (smart cards etc.)
• Easy to log and audit at the application level
• Filtering rules are easy to configure and test
Disadvantages:
• A separate proxy must be installed for each application-level service
• Not transparent to users
Circuit Level Gateways
Circuit Level Gateways (2)
Often used for outgoing connections where the system administrator trusts the internal users
The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections
Hybrid Firewalls
In practice, many of today's commercial firewalls use a combination of these techniques.
Examples:
• A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
• Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.
Firewall Configurations
Bastion host
• a system identified by the firewall administrator as a critical strong point in the network’s security
• typically serves as a platform for an application-level or circuit-level gateway
• extra secure O/S, tougher to break into
Dual-homed gateway
• two network interface cards: one to the outer network and the other to the inner
• a proxy selectively forwards packets
Screened host firewall system
• uses a network router to forward all traffic from the outer and inner networks to the gateway machine
Screened-subnet firewall system
Dual-homed gateway
Screened-host gateway
Screened Host Firewall
Screened Subnet Firewall
Screened subnet gateway
Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling
Commercial Firewall Systems
[Bar chart: share of commercial firewall systems by vendor, y-axis 0% to 45%; vendors: Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)
Firewall’s security policy
Embodied in the filters that allow or deny passage to network traffic.
Filters are implemented as proxy programs.
Application-level proxies
• one for a particular communication protocol, e.g., HTTP, FTP, SM
• can also filter based on IP addresses
Circuit-level proxies
• lower-level, general-purpose programs that treat packets as black boxes to be forwarded or not
• only look at header information
• advantages: speed and generality
• one proxy can handle many protocols
Configure a Firewall (1)
Outgoing Web Access
• Outgoing connections through a packet filter firewall
• Outgoing connections through an application-level proxy
• Outgoing connections through a circuit proxy
Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]
Configure a Firewall (2)
Incoming Web Access
• The “Judas” server
• The “Sacrificial Lamb”
• The “Private Affair” server
• The doubly fortified server
The “Judas” Server (not recommended)
[Stein]
The “sacrificial lamb”
[Stein]
The “private affair” server
[Stein]
Internal Firewall
An Internal Firewall protects the Web server from insider threats.
[Stein]
Placing the sacrificial lamb in the demilitarized zone.
[Stein]
Poking holes in the firewall
If you need to support a public Web server but have no place to put it other than inside the firewall.
Problem: if the server is compromised, then you are cooked.
Simplified Screened-Host Firewall Filter Rules
[Stein]
Filter Rule Exceptions for Incoming Web Services
[Stein]
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]
Filter Rules for a Screened Public Web Server
[Stein]