1 / 14

Controlling access with packet filters and firewalls

Controlling access with packet filters and firewalls. Security vulnarabilities of the TCP/IP protocols. IP packets are transmitted in the clear and without authentication facilities Can routers trust routing updates received from others?

gaia
Download Presentation

Controlling access with packet filters and firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Controlling access with packet filters and firewalls

  2. Security vulnarabilities of the TCP/IP protocols • IP packets are transmitted in the clear and without authentication facilities • Can routers trust routing updates received from others? • TCP and UDP segments are transmitted in clear and without authentication facilities • Auxiliary protocols have similar problems (ICMP, DNS, ARP, BOOTP, TFTP) • Application protocols are without protection or use weak password protection (TELNET, FTP) • Specific protection applied as “add ons” (NFS, SNMP, X11)

  3. Methods of access control • Physical protection of entities (devices, cables) • Packet Filter • Network Relay • Firewalls • visible • invisible • Security mechanisms of individual computers or applications („personal firewall“, „personal internet security“, e-mail security, telebanking)

  4. Physical security • Protection against physical access to power distribution or network cables • Protection of internal or external access points (distributors, patch panels) • Protection of active devices (routers, bridges) against physical access (lock them up) Problems: • How to support mobile users • How to protect a wireless infrastructure • How to allow secure access to external resources

  5. Access control using packet filters • Operates primarily on IP layer, however also peeking into transport layer information • Filtering based on • IP address of the source • IP address of the receiver • Port number of receiver • Sometimes port number of the source • Type of transport protocol used (TCP/UDP) • Uses set of filter rules • Pure packet filters do not have information on connection states

  6. Filter rules 123.45.6.0 123.45.0.0 Rule Source Destination Action A 135.79.0.0/16 123.45.6.0/24 Permit B 135.79.99.0/24 123.45.0.0/16 Deny C 0.0.0.0/0 0.0.0.0/0 Deny PF 135.79.0.0 135.79.99.0

  7. Access control using network relay External connections Monitoring and controlling host Router Configuration and logging database Invisible private subnet Internal connections

  8. Access control by visible firewall • Users use the Internet exclusively from the firewall • All users need to have a user account on the firewall • The firewall terminates DNS, e-mail, http • User authentication must be secure (with cryptographic means) • Reduced user friendliness

  9. Access control by invisible firewall • Termination of all store-and-forward services (DNS, e-mail) with servers on the firewall • Selective forwarding of connections (stateful) • Authentication of external and internal peers • Logging and intrusion detection • Network Address Translation • Proxy functions Protectedinternal network Internet Firewall 1 Firewall 2 D N S D N S publicservers Variant 1 (DMZ – „de-militarized zone“)

  10. Access control by invisible firewall(Variant 2) • Uses only one physical firewall unit Ruleset 2 Protectedinternal network Firewall Internet Ruleset 1 D N S D N S publicservers (DMZ – „de-militarized zone“)

  11. User or application is “proxy aware” Netscape Navigator Internet Explorer

  12. Proxy-based firewall services

  13. Some applications are not “proxy aware” • talk, ping, … • Specific implementation of such applications • Offering replacement applications • Such appliations may also not be accessible to normal users at all

  14. Literature • B. Chapman, E. Zwicky, “Building Internet Firewalls”, O’Reilly & Associates, 1995 • W. Cheswick, S. Bellovin, „Firewalls and Internet Security“, Addison-Wesley, 1994

More Related