Post on 30-Dec-2015
8: Network Management 1
Firewalls
8: Network Management 2
Firewalls
Two firewall types: packet filters, application gateways
To prevent denial of service attacks, e.g., SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocates TCP buffers for bogus connections, none left for “real” connections.
To prevent illegal modification of internal data, e.g., attacker replaces CIA’s homepage with something else.
To prevent intruders from obtaining secret info.
Firewall: isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
8: Network Management 3
Packet Filtering
Internal network is connected to Internet through a router.
Router manufacturer provides options for filtering packets, based on:
• source IP address
• destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
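The two filtering examples above, expressed as rules for a small first-match packet filter. This is an added example written for these notes, not code from the slides: the addresses, the sample packets and the third rule set (an assumed version of the router filter from the application-gateway slide, which lets telnet cross only when the gateway is one endpoint) are constructed. Running it shows what each rule set does and does not cover, e.g. that Example 2 says nothing about UDP, the slide's "all or nothing" point.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (assumptions, not from the slides).
INTERNAL_HOST = "10.0.0.5"
GATEWAY = "10.0.0.2"            # the application gateway of the next slide
OUTSIDE_WEB = "203.0.113.80"
OUTSIDE_TELNET = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (from the Internet) or "out" (to the Internet)
    proto: int                  # IP protocol field: 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False           # TCP ACK bit; ACK=0 marks a connection-opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None  # matches EITHER source or destination port
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        """A field left as None is a wildcard; every field that is set must match."""
        return (
            self.direction in (None, p.direction)
            and self.proto in (None, p.proto)
            and self.src in (None, p.src)
            and self.dst in (None, p.dst)
            and self.port in (None, p.sport, p.dport)
            and self.ack in (None, p.ack)
        )


def decide(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule wins; the default applies when no rule matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Example 1: drop UDP (protocol 17) and anything using port 23 (telnet), both ways.
EXAMPLE_1 = [Rule("deny", proto=17), Rule("deny", port=23)]

# Example 2: drop inbound TCP segments with ACK=0, i.e. connection attempts from
# outside; replies to internally initiated connections carry ACK=1 and pass.
EXAMPLE_2 = [Rule("deny", direction="in", proto=6, ack=False)]

# Assumed rule set for step 3 of the application-gateway slide: port 23 traffic
# crosses the router only if the gateway is one endpoint; all other telnet is dropped.
GATEWAY_ONLY_TELNET = [
    Rule("allow", port=23, src=GATEWAY),
    Rule("allow", port=23, dst=GATEWAY),
    Rule("deny", port=23),
]

# Constructed traffic samples.
SAMPLES = {
    "udp_dns_out":   Packet("out", 17, INTERNAL_HOST, "203.0.113.53", 40000, 53),
    "telnet_out":    Packet("out", 6, INTERNAL_HOST, OUTSIDE_TELNET, 40001, 23),
    "gw_telnet_out": Packet("out", 6, GATEWAY, OUTSIDE_TELNET, 40003, 23),
    "http_out":      Packet("out", 6, INTERNAL_HOST, OUTSIDE_WEB, 40002, 80),
    "http_reply_in": Packet("in", 6, OUTSIDE_WEB, INTERNAL_HOST, 80, 40002, ack=True),
    "inbound_syn":   Packet("in", 6, "203.0.113.9", INTERNAL_HOST, 50000, 80, ack=False),
}


def evaluate(rules: List[Rule]) -> dict:
    """Verdict of one rule set for every sample packet, keyed by sample name."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                        ("Gateway-only telnet", GATEWAY_ONLY_TELNET)):
        print(name, evaluate(rules))
```

Rule sets compose by concatenation, so `decide(EXAMPLE_1 + EXAMPLE_2, pkt)` applies both slides' policies at once; the order matters only when an allow and a deny could both match, which is the same first-match behaviour as a router's rule list.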
8: Network Management 4
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote host telnet session, router and filter]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
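Steps 1 and 2 above as a minimal application gateway in Python, added here as an illustration and not taken from the slides: a client first reaches the gateway, the gateway checks the user against an allow-list, and only for authorized users does it open the second connection and relay bytes in both directions. The user list, the loopback addresses and the stand-in remote host are constructed; step 3, the router filter, is enforced outside this program.

```python
import socket
import threading

# Constructed allow-list of internal users permitted to telnet outside (an assumption).
AUTHORIZED_USERS = {"alice", "bob"}


def authorize(username: str) -> bool:
    """Step 2, first half: only authorized users get a gateway-to-remote session."""
    return username.strip().lower() in AUTHORIZED_USERS


def recv_line(sock: socket.socket) -> str:
    """Read up to and including the next newline (telnet-style line), or to EOF."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", errors="replace")


def pump(src: socket.socket, dst: socket.socket) -> None:
    """One direction of the relay: copy bytes from src to dst until src closes."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # tell the far side we have no more data
        except OSError:
            pass


def handle_client(client: socket.socket, dest_addr) -> None:
    """Authenticate the host-to-gateway session, then open the gateway-to-remote
    session and relay data between the two connections (step 2)."""
    with client:
        user = recv_line(client)
        if not authorize(user):
            client.sendall(b"denied\r\n")          # unauthorized: no second connection
            return
        client.sendall(b"connecting\r\n")
        with socket.create_connection(dest_addr) as remote:
            back = threading.Thread(target=pump, args=(remote, client))
            back.start()
            pump(client, remote)
            back.join()


def serve_forever(listener: socket.socket, handler) -> None:
    """Accept loop run on a daemon thread; ends when the listener is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def listen_local() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))       # loopback, ephemeral port: runs offline
    s.listen(5)
    return s


def start_gateway(dest_addr) -> socket.socket:
    gw = listen_local()
    threading.Thread(target=serve_forever,
                     args=(gw, lambda c: handle_client(c, dest_addr)), daemon=True).start()
    return gw


def start_fake_remote() -> socket.socket:
    """Constructed stand-in for the outside telnet host: answers one line, then hangs up."""
    def answer(conn):
        with conn:
            conn.sendall(b"remote> " + recv_line(conn).encode())
    srv = listen_local()
    threading.Thread(target=serve_forever, args=(srv, answer), daemon=True).start()
    return srv


def telnet_via_gateway(gw_addr, user: str, line: str):
    """Internal host side (step 1): log in to the gateway, then talk through it."""
    with socket.create_connection(gw_addr) as c:
        c.sendall(user.encode() + b"\r\n")
        verdict = recv_line(c).strip()
        if verdict != "connecting":
            return verdict, ""
        c.sendall(line.encode() + b"\r\n")
        return verdict, recv_line(c).strip()


def demo():
    """Authorized and unauthorized sessions through the gateway on loopback."""
    remote = start_fake_remote()
    gw = start_gateway(remote.getsockname())
    try:
        return (telnet_via_gateway(gw.getsockname(), "alice", "hello"),
                telnet_via_gateway(gw.getsockname(), "mallory", "hello"))
    finally:
        gw.close()
        remote.close()


if __name__ == "__main__":
    print(demo())
```

The internal host never holds a connection to the destination: the only TCP session that leaves the site has the gateway as its source, which is what makes the router rule of step 3 enforceable.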
8: Network Management 5
Limitations of firewalls and gateways
IP spoofing: router can’t know if data “really” comes from claimed source
If multiple apps need special treatment, each has its own app gateway.
Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser.
Filters often use all or nothing policy for UDP.
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks.
8: Network Management 6
Reference material: Firewalls
8: Network Management 7
Acknowledgements
Professor Insup Lee
Department of Computer and Information Science
University of Pennsylvania lee@cis.upenn.edu www.cis.upenn.edu/~lee
8: Network Management 8
Why do we need firewalls?
8: Network Management 9
8: Network Management 10
8: Network Management 11
[Figure: BEFORE / AFTER (your results may vary)]
8: Network Management 12
What is a firewall?
Two goals:
• To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
• To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network.
Basic idea: Impose a specifically configured gateway machine between the outside world and the site’s inner network. All traffic must first go to the gateway, where software decides whether to allow or reject it.
8: Network Management 13
What is a firewall
A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet.
The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
8: Network Management 14
Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system
8: Network Management 15
Firewalls DON’T
• Protect against attacks that bypass the firewall (e.g., dial-out from internal host to an ISP)
• Protect against internal threats (disgruntled employee; insider cooperates with an external attacker)
• Protect against the transfer of virus-infected programs or files
8: Network Management 16
Types of Firewalls
• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls
8: Network Management 17
Packet Filtering Routers
• Forward or discard IP packets according to a set of rules
• Filtering rules are based on fields in the IP and transport header
8: Network Management 18
What information is used for filtering decision?
• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol Type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit
8: Network Management 19
Web Access Through a Packet Filter Firewall
[Stein]
8: Network Management 20
Packet Filtering Routers: pros and cons
Advantages:
• Simple
• Low cost
• Transparent to user
Disadvantages:
• Hard to configure filtering rules
• Hard to test filtering rules
• Don’t hide network topology (due to transparency)
• May not be able to provide enough control over traffic
• Throughput of a router decreases as the number of filters increases
8: Network Management 21
Application Level Gateways (Proxy Server)
8: Network Management 22
A Telnet Proxy
8: Network Management 23
A sample telnet session
8: Network Management 24
Application Level Gateways (Proxy Server)
Advantages:
• Complete control over each service (FTP/HTTP…)
• Complete control over which services are permitted
• Strong user authentication (Smart Cards etc.)
• Easy to log and audit at the application level
• Filtering rules are easy to configure and test
Disadvantages:
• A separate proxy must be installed for each application-level service
• Not transparent to users
8: Network Management 25
Circuit Level Gateways
8: Network Management 26
Circuit Level Gateways (2)
Often used for outgoing connections where the system administrator trusts the internal users
The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections
8: Network Management 27
Hybrid Firewalls
In practice, many of today's commercial firewalls use a combination of these techniques.
Examples: A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level. Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.
8: Network Management 28
Firewall Configurations
Bastion host
• a system identified by firewall administrator as a critical strong point in the network’s security
• typically serves as a platform for an application-level or circuit-level gateway
• extra secure O/S, tougher to break into
Dual homed gateway
• Two network interface cards: one to the outer network and the other to the inner
• A proxy selectively forwards packets
Screened host firewall system
• Uses a network router to forward all traffic from the outer and inner networks to the gateway machine
Screened-subnet firewall system
8: Network Management 29
Dual-homed gateway
8: Network Management 30
Screened-host gateway
8: Network Management 31
Screened Host Firewall
8: Network Management 32
Screened Subnet Firewall
8: Network Management 33
Screened subnet gateway
8: Network Management 34
Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling
8: Network Management 35
Commercial Firewall Systems
[Bar chart: share of commercial firewall systems by vendor (scale 0%–45%): Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]
8: Network Management 36
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)
8: Network Management 37
Firewall’s security policy
Embodied in the filters that allow or deny passage to network traffic
Filters are implemented as proxy programs.
Application-level proxies
• one for a particular communication protocol
• E.g., HTTP, FTP, SM
• Can also filter based on IP addresses
Circuit-level proxies
• Lower-level, general purpose programs that treat packets as black boxes to be forwarded or not
• Only look at header information
• Advantages: speed and generality
• One proxy can handle many protocols
8: Network Management 38
Configure a Firewall (1)
Outgoing Web Access
• Outgoing connections through a packet filter firewall
• Outgoing connections through an application-level proxy
• Outgoing connections through a circuit proxy
8: Network Management 39
Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]
8: Network Management 40
Configure a Firewall (2)
Incoming Web Access
• The “Judas” server
• The “Sacrificial Lamb”
• The “Private Affair” server
• The doubly fortified server
8: Network Management 41
The “Judas” Server (not recommended)
[Stein]
8: Network Management 42
The “sacrificial lamb”
[Stein]
8: Network Management 43
The “private affair” server
[Stein]
8: Network Management 44
Internal Firewall
An Internal Firewall protects the Web server from insider threats.
[Stein]
8: Network Management 45
Placing the sacrificial lamb in the demilitarized zone.
[Stein]
8: Network Management 46
Poking holes in the firewall
If you need to support a public Web server, but have no place to put it other than inside the firewall.
Problem: if the server is compromised, then you are cooked.
8: Network Management 47
Simplified Screened-Host Firewall Filter Rules
[Stein]
8: Network Management 48
Filter Rule Exceptions for Incoming Web Services
[Stein]
8: Network Management 49
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]
8: Network Management 50
Filter Rules for a Screened Public Web Server
[Stein]