1 / 24

Firewalls

Mahalingam Ramkumar. Firewalls. Evolution of Networks. Centralized data processing LANs Premises network – interconnection of LANs and mainframes Enterprise-wide network – interconnection of LANs in a private WAN LANs interconnected using the Internet and using virtual private networks.

Download Presentation

Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mahalingam Ramkumar Firewalls

  2. Evolution of Networks • Centralized data processing • LANs • Premises network – interconnection of LANs and mainframes • Enterprise-wide network – interconnection of LANs in a private WAN • LANs interconnected using the Internet and using virtual private networks

  3. What is a Firewall? • A “choke point” • A location for monitoring security related events • Audits and alarms • Non-security related functions • NAT, network management • An end-point for IPSec

  4. Firewall Limitations • Cannot protect from attacks bypassing it • eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH) • Cannot protect against internal threats • eg disgruntled employee • Cannot protect against transfer of virus infected programs or files • because of huge range of O/S & file types

  5. Firewall – Basic Types • Packet-Filtering Router • Stateful Inspection Firewalls • Application Level Gateway • Circuit Level Gateway

  6. Packet Filters

  7. Packet Filters • Filtering based on • Source IP address • Destination IP address • Source and Destination transport-level address • IP protocol field • Interface (physical) • Rules! • Configuration files • Explicit allow / block

  8. Packet Filtering Example

  9. Attacks on Packet Filtering • IP address spoofing • Source routing attacks • Tiny fragment attacks

  10. Firewalls – Stateful Packet Filters • Examine each IP packet in context • keeps tracks of client-server sessions • checks each packet belongs to a valid session • Better ability to detect bogus packets “out of context” • A session might be pinned down by • Source IP and Port, • Dest IP and Port, • Protocol, and • Connection State

  11. Firewalls - Application Level Gateway (or Proxy)

  12. Application Level Gateway • Application specific gateway / proxy • has full access to protocol • user requests service from proxy • proxy validates request as legal • acts on behalf of the user, • returns result to user • need to separate proxies for each service • some services naturally support proxying • others are more problematic • custom services generally not supported

  13. Firewalls - Circuit Level Gateway

  14. Circuit Level Gateway • Relays two TCP connections • Imposes security by limiting types of connections that are allowed • Once created, usually relays traffic without examining contents • Typically used with trusted internal users (by allowing general outbound connections) • SOCKS (RFC 1928) • SOCKS server • SOCKS client library • SOCKSified versions of application programs

  15. SOCKS

  16. Bastion Host • Highly secure host system • Exposed to "hostile" elements • hence secured to withstand attacks • Trusted System • May be single or multi-homed • Enforce trusted separation between network connections • Run circuit / application level gateways • Provide externally accessible services

  17. Firewall Configurations • Screened Host – Single Homed Bastion Host • Screened Host – Dual Homed Bastion Host • Screened Subnet

  18. Screened Host – Single Homed Bastion Host

  19. Screened Host – Dual Homed Bastion Host

  20. Screened-subnet Firewall

  21. Access Control • Given that system has identified a user • Determine what resources they can access • General model - access matrix • subject - active entity (user, process) • object - passive entity (file or resource) • access right – way object can be accessed • can decompose by • columns as access control lists • rows as capability tickets

  22. Access Control Matrix

  23. Trusted Computer Systems • Varying degrees of sensitivity of information • military classifications: confidential, secret, TS, etc • Subjects (people or programs) have varying rights of access to objects (information) • Need to consider ways of increasing confidence in systems to enforce these rights • Multilevel security • subjects have maximum & current security level • objects have a fixed security level classification

  24. Bell LaPadula (BLP) Model • One of the well-known security models • Implemented as mandatory policies on system • Two key policies: • no read up (simple security property) • a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object • no write down (*-property) • a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object

More Related