1 / 63

Information Security: Firewalls & VPNs

Information Security: Firewalls & VPNs. Dr. Shahriar Bijani Shahed University. Slides References. M. E. Whitman & H. J. Mattord , Principles of Information Security, 2nd Edition . Firewalls.

harris
Download Presentation

Information Security: Firewalls & VPNs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security:Firewalls & VPNs Dr. ShahriarBijani Shahed University

  2. Slides References • M. E. Whitman & H. J. Mattord, Principles of Information Security, 2nd Edition.

  3. Firewalls • Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network) • May be a separate computer system; a software service running on existing router or server; or a separate network containing supporting devices

  4. Firewall Types By: • Processing mode • Development era • Architectural implementation

  5. Firewalls Categorized by Processing Modes • Packet filtering • Application gateways • Circuit gateways • MAC layer firewalls • Hybrids

  6. Packet Filtering • Packet filtering firewalls examine header information of data packets • Most often based on combination of: • Internet Protocol (IP) source and destination address • Direction (inbound or outbound) • Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests • Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses

  7. Packet Filtering (continued) • Three subsets of packet filtering firewalls: • Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed • Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event • Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table

  8. How to Configure a Packet Filter • Start with a security policy • Specify allowable packets in terms of logical expressions on packet fields • Rewrite expressions in syntax supported by your vendor • General rules - least privilege • All that is not expressly permitted is prohibited • If you do not need it, eliminate it

  9. Every ruleset is followed by an implicit rule reading like this. Example 1: Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.

  10. Solution 1: Example 2: Now suppose that we want to implement the policy “any inside host can send mail to the outside”.

  11. Solution 2: This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough… So why is it wrong?

  12. Our defined restriction is based solely on the outside host’s port number, which we have no way of controlling. • Now an enemy can access any internal machines and port by originating his call from port 25 on the outside machine. What can be a better solution ?

  13. The ACK signifies that the packet is part of an ongoing conversation • Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts

  14. Application Gateways • Frequently installed on a dedicated computer; also known as a proxy server • Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks • Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

  15. App-level Firewall Architecture Daemon spawns proxy when communication detected … FTP proxy Telnet proxy SMTP proxy Telnet daemon FTP daemon SMTP daemon Network Connection

  16. Circuit Gateways • Circuit gateway firewall operates at transport layer • It provides UDP and TCP connection security. • It implements circuit (i.e. connection) level filtering rather than packet level filtering. • It checks the validity of connections at the transport layer against a table of allowed connections, before a session can be opened and data exchanged.

  17. Circuit Gateways • Circuit gateways are rarely used as a stand-alone firewall solution; instead, they are typically used in combination with application layer proxy services and packet filtering features • Circuit gateways are rarely used as a stand-alone firewall solution; instead, they are typically used in combination with application layer and packet filtering firewalls • Disadvantages: • the absence of content filtering • the requirement for software modifications relating to the transport function.

  18. MAC Layer Firewalls • Designed to operate at the media access control layer of OSI network model • Able to consider specific host computer’s identity in its filtering decisions • MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked

  19. Hybrid Firewalls • Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways • Alternately, may consist of two separate firewall devices

  20. Firewalls Categorized by Development Era • First generation: static packet filtering firewalls • Second generation: application-level firewalls or proxy servers • Third generation: stateful inspection firewalls • Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination and port addresses to enter • Fifth generation: kernel proxies; specialized form working under kernel of Windows NT

  21. Firewalls Categorized by Architectural Implementation • Firewall devices can be configured in a number of network connection architectures • Four common architectural implementations of firewalls: • Packet filtering routers • Screened host firewalls • Dual-homed firewalls • Screened subnet firewalls

  22. Packet Filtering Routers • Most organizations with Internet connection have a router serving as interface to Internet • Many of these routers can be configured to reject packets that organization does not allow into network • Drawbacks include a lack of auditing and strong authentication

  23. Screened Host Firewalls • Combines packet filtering router with separate, dedicated firewall such as an application proxy server • Allows router to pre-screen packets to minimize traffic/load on internal proxy • Separate host is often referred to as bastion host; can be rich target for external attacks, and should be very thoroughly secured

  24. Dual-Homed Host Firewalls • Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network • Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers

  25. Screened Subnet Firewalls (with DMZ) • Dominant architecture used today is the screened subnet firewall • Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network: • Connections from outside (untrusted network) routed through external filtering router • Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ • Connections into trusted internal network allowed only from DMZ bastion host servers

  26. Screened Subnet Firewalls (with DMZ) • Screened subnet performs two functions: • Protects DMZ systems and information from outside threats • Protects the internal networks by limiting how external connections can gain access to internal systems • Another facet of DMZs: extranets

  27. Selecting the Right Firewall • When selecting firewall, consider a number of factors: • What firewall offers right balance between protection and cost for needs of organization? • What features are included in base price and which are not? • Ease of setup and configuration? How accessible are staff technicians who can configure the firewall? • Can firewall adapt to organization’s growing network? • Second most important issue is cost

  28. Configuring and Managing Firewalls • Each firewall device must have own set of configuration rules regulating its actions • Firewall policy configuration is usually complex and difficult • Configuring firewall policies both an art and a science • When security rules conflict with the performance of business, security often loses

  29. Best Practices for Firewalls • All traffic from trusted network is allowed out • Firewall device never directly accessed from public network • Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall • Internet Control Message Protocol (ICMP) data denied • Telnet access to internal servers should be blocked • When Web services offered outside firewall, HTTP traffic should be denied from reaching internal networks

  30. Firewall Rules • Operate by examining data packets and performing comparison with predetermined logical rules (a.k.a.: firewall rules, rule base, or firewall logic) • Most firewalls use packet header information to determine whether specific packet should be allowed or denied

  31. prevent direct communications to/from the firewall SMTP ICMP (Ping ) Telnet Http

  32. Virtual Private Networks (VPNs) • Private and secure network connection between systems; uses data communication capability of unsecured and public network • Securely extends organization’s internal network connections to remote locations beyond trusted network

  33. Virtual Private Networks (VPNs) • VPN must do: • Encapsulation of incoming and outgoing data • Encryption of incoming and outgoing data • Authentication of remote computer and (perhaps) remote user as well • A classification of VPN technologies: • Trusted VPN: uses leased circuits from a service provider. • Secure VPN: use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. • Hybrid VPN: combines 1&2; encrypted transmissions (secure VPN) over some or all of a trusted VPN network.

  34. Some Common Uses of VPN • Provide users with secured remote access over the Internet to corporate resources • Connect two computer networks securely over the Internet • Example: Connect a branch office network to the network in the head office • Secure part of a corporate network for security and confidentiality purpose

  35. Basic VPN Requirements • User Authentication • Address Management • Data Encryption • Key Management • Multi-protocol Support

  36. User Authentication • VPN must be able to verify user authentication and allow only authorized users to access the network

  37. Address Management • Assign addresses to clients and ensure that private addresses are kept private on the VPN

  38. Data Encryption • Encrypt and decrypt the data to ensure that others on the not have access to the data

  39. Key Management • Keys must be generated and refreshed for encryption at the server and the client • Note that keys are required for encryption

More Related