CS682

CS682, Session 6, Prof. Katz. Firewalls: an intelligent router? Used as a traffic control mechanism, based on information in the Layer 3 and 4 headers. The administrator builds tables of what is and is not allowed; for NCSA compliance, anything which is not specifically allowed is denied.


Presentation Transcript


  1. CS682 Session 6 Prof. Katz

  2. Firewalls • An intelligent router? • Used as a traffic control mechanism • Based on information in the Layer 3 and 4 headers • Administrator builds tables of what is and is not allowed • For NCSA compliance, anything which is not specifically allowed is denied

  3. Classifications • Packet-Filtering • Stateful Inspection • Proxies

  4. Packet-filtering Firewalls • Each packet is compared to a static list of rules defined by the administrator • No information is stored from one packet to the next

  5. Implementing a Packet Filter • Sections • Input – Packets are checked against these rules when they arrive at the interface • Forward (not always implemented) – Packets are checked against these rules when they need to be routed by the kernel • Output – Packets are checked against these rules when they are being sent out of the interface

  6. Implementing (cont) • Rules • Each rule will specify one authorized connection • The most frequently matched rules should come first
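The following is an added example, not part of the slides: a small stateless packet filter in Python that models slides 4 to 6. It has the three sections (input, forward, output), evaluates each packet against a static, ordered rule list with first-match-wins semantics, and denies anything no rule explicitly allows. The rule set, the LAN prefix 10.0.0.0/24 and the sample packets are constructed for the demonstration (addresses come from the documentation ranges); nothing is kept from one packet to the next.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the Layer 3/4 header fields a packet filter looks at."""
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    """One static rule defined by the administrator; None means 'any' for that field."""
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """Stateless filter: three chains, first matching rule wins, default deny.

    No information survives from one packet to the next; every packet is
    walked through its chain from the top, so rule order decides both the
    outcome (a specific deny must precede a broad allow) and the cost.
    """

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"input": [], "forward": [], "output": []}

    def add_rule(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def evaluate(self, chain: str, pkt: Packet) -> Tuple[str, int]:
        """Return (action, index of the deciding rule); index -1 means default deny."""
        for index, rule in enumerate(self.chains[chain]):
            if rule.matches(pkt):
                return rule.action, index
        return "deny", -1   # nothing explicitly allowed it, so it is denied


def build_demo_filter() -> PacketFilter:
    """Constructed rule set for a gateway (10.0.0.1) with LAN 10.0.0.0/24 behind it."""
    fw = PacketFilter()
    # INPUT: traffic addressed to the firewall itself; only SSH from the LAN.
    fw.add_rule("input", Rule("allow", "tcp", src="10.0.0.0/24", dport=22))
    # FORWARD: traffic routed through the firewall. The host-specific deny goes
    # first, otherwise the broader allow below would match it.
    fw.add_rule("forward", Rule("deny", src="10.0.0.66/32"))
    # The most frequently matched rules come next, so most packets stop early.
    fw.add_rule("forward", Rule("allow", "tcp", src="10.0.0.0/24", dport=443))
    fw.add_rule("forward", Rule("allow", "tcp", src="10.0.0.0/24", dport=80))
    # OUTPUT: traffic the firewall itself generates; DNS to the local resolver only.
    fw.add_rule("output", Rule("allow", "udp", dst="10.0.0.53/32", dport=53))
    return fw


def run_demo() -> Dict[str, str]:
    """Evaluate constructed sample packets; returns name -> action."""
    fw = build_demo_filter()
    samples = {
        "lan_web":     ("forward", Packet("tcp", "10.0.0.10", "203.0.113.5", 443)),
        "quarantined": ("forward", Packet("tcp", "10.0.0.66", "203.0.113.5", 443)),
        "lan_smtp":    ("forward", Packet("tcp", "10.0.0.10", "203.0.113.5", 25)),
        "inbound_ssh": ("input",   Packet("tcp", "198.51.100.7", "10.0.0.1", 22)),
        "lan_ssh":     ("input",   Packet("tcp", "10.0.0.10", "10.0.0.1", 22)),
        "fw_dns":      ("output",  Packet("udp", "10.0.0.1", "10.0.0.53", 53)),
    }
    return {name: fw.evaluate(chain, pkt)[0] for name, (chain, pkt) in samples.items()}


def misordered_decision() -> str:
    """Same two forward rules with the deny appended last: first match wins,
    so the quarantined host now gets through. Shows why order matters."""
    fw = PacketFilter()
    fw.add_rule("forward", Rule("allow", "tcp", src="10.0.0.0/24", dport=443))
    fw.add_rule("forward", Rule("deny", src="10.0.0.66/32"))
    return fw.evaluate("forward", Packet("tcp", "10.0.0.66", "203.0.113.5", 443))[0]


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:12s} -> {action}")
    print("misordered quarantine rule ->", misordered_decision())
```

The index returned by `evaluate` shows how far down the chain each packet had to walk, which is the reason the slides put the most used rules first; `misordered_decision` shows the other consequence of first-match evaluation, that a specific deny placed after a broad allow never fires.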

  7. Proxy firewall • Proxy: to do something on behalf of someone else (e.g. voting by proxy) • Operate at Layer 7 only • Require software to specifically support the proxy • Can be made somewhat transparent through the rewriting of winsock.dll

  8. Proxy implementation • Request from client is made to proxy server • Proxy server makes request to remote server • Proxy server routes data back (through layer 3) to client • (Client only ever talks to proxy!)

  9. Proxy diagram (courtesy of Ucalgary)

  10. Proxy servers • SOCKS, a common generic proxy: can proxy any protocol whose client supports the SOCKS protocol • HTTP proxies can only proxy HTTP and HTTPS data • Specific proxies are required for all other protocols (POP3, SMTP, NNTP, telnet)

  11. Advantages vs. Disadvantages
      Advantages • Protects the secure network from direct attack • Allows for filtering based on Layer 7 rules • Usually an inexpensive solution
      Disadvantages • Slows down the network because data must travel to Layer 7 • Software must support the proxies • Requires additional protection for the proxy server itself

  12. Stateful Inspection • Keeps information on the state of the connection (SYN sent, SYN/ACK received, etc.) • Rules need to be set up only to allow the first packet (SYN); the rest are assumed to be allowed

  13. State Table • Maintained to hold the information on the connections • Contains socket information as well as sequence and acknowledgement numbers • If a packet which was not expected is received it will be dropped and the connection will be closed
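The following is an added example, not part of the slides: a Python model of slides 12 and 13. It has a single explicit rule (hosts on the LAN may open outbound TCP connections) and otherwise decides purely from a state table keyed by the socket pair. Entries move SYN_SENT to SYN_RECEIVED to ESTABLISHED, the handshake's sequence and acknowledgement numbers are checked at each step, and a packet that does not fit the entry's state is dropped and the entry closed. The LAN prefix 10.0.0.0/24, the addresses and the packet sequence are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data, "R" RST, "FA" FIN
    seq: int
    ack: int = 0


Key = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


@dataclass
class ConnState:
    state: str                      # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    client_isn: int                 # client's initial sequence number
    server_isn: Optional[int] = None


class StatefulInspector:
    """One rule for the first packet; everything after it is judged by the state table."""

    def __init__(self, lan_cidr: str) -> None:
        self.lan = ip_network(lan_cidr)
        self.table: Dict[Key, ConnState] = {}

    def _rule_allows_syn(self, p: TcpPacket) -> bool:
        # The only administrator rule: LAN hosts may open connections outbound.
        return ip_address(p.src) in self.lan and ip_address(p.dst) not in self.lan

    def inspect(self, p: TcpPacket) -> str:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev: Key = (p.dst, p.dport, p.src, p.sport)   # server -> client direction
        if fwd in self.table:
            return self._from_client(fwd, self.table[fwd], p)
        if rev in self.table:
            return self._from_server(rev, self.table[rev], p)
        # No entry yet: only a rule-matching SYN may create one.
        if p.flags == "S" and self._rule_allows_syn(p):
            self.table[fwd] = ConnState("SYN_SENT", client_isn=p.seq)
            return "accept"
        return "drop"

    def _close(self, key: Key) -> str:
        """Unexpected packet: drop it and forget the connection (slide 13)."""
        del self.table[key]
        return "drop+close"

    def _established(self, key: Key, p: TcpPacket) -> str:
        if "S" in p.flags:               # a new SYN inside a live connection is not expected
            return self._close(key)
        if "R" in p.flags or "F" in p.flags:
            del self.table[key]          # connection is ending; entry no longer needed
        return "accept"

    def _from_client(self, key: Key, conn: ConnState, p: TcpPacket) -> str:
        if conn.state == "SYN_SENT" and p.flags == "S" and p.seq == conn.client_isn:
            return "accept"              # retransmitted SYN, same ISN: harmless
        if (conn.state == "SYN_RECEIVED" and p.flags == "A"
                and p.seq == conn.client_isn + 1 and p.ack == conn.server_isn + 1):
            conn.state = "ESTABLISHED"
            return "accept"
        if conn.state == "ESTABLISHED":
            return self._established(key, p)
        return self._close(key)

    def _from_server(self, key: Key, conn: ConnState, p: TcpPacket) -> str:
        if conn.state == "SYN_SENT" and p.flags == "SA" and p.ack == conn.client_isn + 1:
            conn.server_isn = p.seq      # SYN/ACK received; remember the server's ISN
            conn.state = "SYN_RECEIVED"
            return "accept"
        if conn.state == "ESTABLISHED":
            return self._established(key, p)
        return self._close(key)


def run_demo() -> Tuple[List[str], int]:
    """Run a constructed packet sequence; returns (decisions, entries left in the table)."""
    fw = StatefulInspector("10.0.0.0/24")
    c, s = "10.0.0.10", "203.0.113.5"
    packets = [
        # Normal handshake: only the SYN needs a rule, the rest is validated by state.
        TcpPacket(c, 40000, s, 443, "S", seq=1000),
        TcpPacket(s, 443, c, 40000, "SA", seq=5000, ack=1001),
        TcpPacket(c, 40000, s, 443, "A", seq=1001, ack=5001),
        TcpPacket(s, 443, c, 40000, "PA", seq=5001, ack=1001),   # server data, accepted
        # Unsolicited inbound SYN: no rule allows it and no state exists -> drop.
        TcpPacket(s, 12345, c, 22, "S", seq=7000),
        # Bare ACK from outside with no connection behind it -> drop.
        TcpPacket(s, 443, c, 40001, "A", seq=9, ack=9),
        # Second connection whose SYN/ACK acknowledges the wrong number -> dropped, entry closed.
        TcpPacket(c, 40002, s, 80, "S", seq=2000),
        TcpPacket(s, 80, c, 40002, "SA", seq=6000, ack=4242),
        # A correct SYN/ACK arriving afterwards finds no entry -> drop.
        TcpPacket(s, 80, c, 40002, "SA", seq=6000, ack=2001),
    ]
    return [fw.inspect(p) for p in packets], len(fw.table)


if __name__ == "__main__":
    decisions, remaining = run_demo()
    print(decisions, "entries left:", remaining)
```

The sample sequence shows both halves of the slide: the three handshake packets and the data packet pass with a single rule, while the unsolicited SYN, the stray ACK and the mismatched SYN/ACK are refused, the last of these taking its half-open entry out of the table with it.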

  14. Benefits of Stateful inspection • Fewer rules = less administrative headache • Usually can simplify NAT and Layer 7 rules as well • Can protect against SYN floods and other attacks • Faster than proxies

  15. Disadvantages of SI • Usually very expensive • Difficult to maintain in a cluster • Slower than packet filtering • Requires more RAM to maintain the state tables
