PIS Unit 5 - Introduction to Firewalls
Sanjay Rawat, Sanjay_r@vnrvjiet.in
PIS Unit5 Sanjay Rawat
Overview
• Introduction to Firewall
• Types of Firewalls
• Firewall configuration and deployment
• Trusted Systems - Securing the firewall
• Common criterion for Information security evaluation
Firewalls
• A mechanism used to protect a trusted network from an untrusted network.
• A mechanism to enforce an access control policy.
• Software or hardware based.
• Deployed as a gatekeeper between the two networks.
• Examples: ipchains/iptables, Cisco PIX, Juniper, MS ISA.
Firewall's (in)capabilities
What a firewall can do:
• Provide a focal point for monitoring.
• Log Internet activity efficiently.
• Limit the damage that a network security problem can do to the overall network.
What a firewall cannot do:
• Protect against malicious insiders.
• Protect a connection that doesn't go through it!!
• Protect against completely new threats.
• Protect against viruses, Trojans etc.
Firewall Deployment
• All traffic from inside to outside, and vice versa, must pass through the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to pass.
• Ideal assumption: the firewall itself is immune to penetration. In practice it is not, e.g. Cisco IOS vulnerabilities, Juniper Junos vulnerabilities.
Typical Deployment (figure)
All images are taken from the document at http://www.vicomsoft.com/learning-center/firewalls/
Generic Techniques for Enforcing Policy
• Service control: determines the types of Internet services that can be accessed.
• Direction control: determines the direction in which particular service requests are allowed.
• User control: controls access to a service according to which user is attempting to access it, e.g. IP-based filtering or authentication with IPSec.
• Behavior control: controls how particular services are used.
Illustration (figure)
Types of Firewalls
• Packet Filtering Firewall
• Stateful Inspection Firewall
• Application Level Gateway
• Circuit-level Gateway
• Bastion Host
Packet Filters
• Works at most up to the transport layer (IP addresses, protocol, ports).
• Fast processing.
Example Packet Filters (figure)
Flow (figure)
Problems with Packet Filters
• Less visibility in the network stack -> less control.
• Limited logging.
• ?
Stateful Inspection
• Keeps session information.
• Decisions are based on established connections -> a table of established connections is maintained.
• Fast processing of subsequent packets, since they are matched against the table instead of the full rule set.
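The three preceding slides (packet filters, their problems, and stateful inspection) are easiest to compare on concrete traffic. The following is an added example, not code from the slides: a stateless filter and a stateful one judging the same constructed packets. The LAN prefix, the permitted web ports and the packet sequence are assumptions made for the example; addresses come from documentation ranges.

```python
from dataclasses import dataclass

# Constructed example: the same traffic judged by a stateless packet filter and
# by a stateful inspection filter. The policy is "LAN may browse the web".
WEB_PORTS = {80, 443}   # service control: only web access is permitted outbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    direction: str    # "out" = LAN -> Internet, "in" = Internet -> LAN (direction control)


def stateless_decide(pkt):
    """A packet filter sees only the headers of this one packet and keeps no memory."""
    if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
        return "allow"
    # Replies to LAN clients arrive on an ephemeral destination port, so without
    # state the filter has to admit inbound TCP to every port >= 1024, which also
    # admits traffic no LAN host ever asked for. This is the "less control" problem.
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.dport >= 1024:
        return "allow"
    return "deny"


class StatefulFilter:
    """Keeps a table of connections the LAN opened and admits only their replies."""

    def __init__(self):
        self.established = set()   # (lan_host, lan_port, remote_host, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in" and pkt.proto == "tcp":
            # Subsequent packets of a known flow are matched against the table,
            # a cheap lookup rather than a scan of the rule set.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
                return "allow"
        return "deny"


def run_demo():
    """Returns (stateless, stateful) decisions for a constructed sequence of packets."""
    fw = StatefulFilter()
    traffic = [
        Packet("10.0.0.5", 51000, "192.0.2.10", 443, "tcp", "out"),   # LAN client opens HTTPS
        Packet("192.0.2.10", 443, "10.0.0.5", 51000, "tcp", "in"),    # the server's reply
        Packet("203.0.113.9", 6667, "10.0.0.5", 4444, "tcp", "in"),   # unsolicited inbound packet
        Packet("10.0.0.5", 51001, "192.0.2.10", 25, "tcp", "out"),    # SMTP is not a permitted service
    ]
    return [(stateless_decide(p), fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for stateless, stateful in run_demo():
        print(f"stateless={stateless:5}  stateful={stateful}")
```

The third packet is the point of the comparison: the stateless filter must allow it because it cannot tell a reply from an unsolicited packet, while the stateful filter denies it because no LAN host opened that connection.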
Application Level Gateway
Also called a Proxy.
Application Gateway
• Filters traffic at the application layer.
• Specific to the applications for which it is configured.
• Works in client-server mode.
• Not transparent to clients.
• Offers a high level of security.
• Has a significant impact on network performance.
Circuit Level Gateway
• Client-server mode.
• Always two connections (NAT/PAT): client to gateway, gateway to server.
• Hides the internal network!
• Uses the SOCKS protocol for the client-gateway connection.
• Often used together with an application gateway.
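To make the "two connections" and "hides the internal network" points concrete, here is an added example (not from the slides) of the SOCKS5 message exchange between a client and a circuit-level gateway, following the wire format of RFC 1928: the client greeting, the gateway's method selection, a CONNECT request, and the gateway's reply. The permitted ports and the gateway's external address are assumptions; the gateway's actual outbound connection to the server is not made here.

```python
import struct

# SOCKS5 constants from RFC 1928
SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
REP_OK, REP_NOT_ALLOWED = 0x00, 0x02

# Assumptions for the example: the gateway's public address and the services it relays.
GATEWAY_PUBLIC_IP = "198.51.100.1"
GATEWAY_BIND_PORT = 40000
ALLOWED_PORTS = {80, 443}


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> gateway: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def select_method(greeting):
    """Gateway -> client: VER, chosen METHOD (0xFF if none is acceptable)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in greeting[2:] else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VER, chosen])


def build_connect(host, port):
    """Client -> gateway: VER, CMD, RSV, ATYP=domain, LEN, NAME, PORT (network order)."""
    name = host.encode("idna")
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_request(req):
    """Gateway side: returns (cmd, destination address, destination port)."""
    if len(req) < 4 or req[0] != SOCKS_VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        addr, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", rest)
    return cmd, addr, port


def gateway_reply(req):
    """Gateway -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.

    Only CONNECT to a permitted service is relayed (behavior/service control).
    BND.ADDR is the gateway's own external socket: the second connection to the
    server carries the gateway's address, never the client's internal one.
    """
    cmd, _host, port = parse_request(req)
    rep = REP_OK if cmd == CMD_CONNECT and port in ALLOWED_PORTS else REP_NOT_ALLOWED
    bnd_addr = bytes(int(octet) for octet in GATEWAY_PUBLIC_IP.split("."))
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + bnd_addr + struct.pack("!H", GATEWAY_BIND_PORT)


if __name__ == "__main__":
    print("greeting      ", build_greeting().hex())
    print("method select ", select_method(build_greeting()).hex())
    req = build_connect("example.com", 443)
    print("connect req   ", req.hex())
    print("reply         ", gateway_reply(req).hex())
</test>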
Bastion Host
• The outermost system, running the minimum set of services.
• Your public presence on the Internet.
• Faces most of the traffic -> and most of the attacks.
• Commonly a synonym for the gateway machine.
Firewall Configuration (screened host)
• The bastion host works as a proxy.
• Traffic flows only to and from the proxy.
• If the router is compromised, the network is open!
Firewall Configuration (dual-homed bastion)
• No direct connection between the Internet and the LAN.
Firewall Configuration (screened subnet)
• Includes a DMZ.
• More secure, as there are multiple zones with differing security levels.
Our Generic Design (diagram; labels: Internet, WAN, firewall router, switch, DMZ, LAN)
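The three configuration slides and the generic design differ mainly in which zones may initiate traffic to which. The following is an added example, not from the slides, of a zone-based policy for the screened-subnet (DMZ) design: addresses are classified into LAN, DMZ or Internet, and a table of permitted (source zone, destination zone, service) entries implements direction control. The networks, ports and the policy itself are assumptions made for the example.

```python
import ipaddress

# Constructed three-zone design; addresses come from documentation ranges.
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}   # anything else is treated as the Internet

# Direction control: which zone pairs may open connections, and on which services.
# Anything not listed is denied. There is deliberately no ("dmz", "lan") entry, so a
# compromised public server in the DMZ cannot start connections into the LAN.
POLICY = {
    ("internet", "dmz"): {80, 443},      # the public web service only
    ("lan", "dmz"): {22, 80, 443},       # admins manage DMZ hosts, users reach the site
    ("lan", "internet"): {53, 80, 443},  # browsing and DNS
    ("dmz", "internet"): {53},           # DMZ hosts may only resolve names
}


def zone_of(ip):
    """Maps an address to its security zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def zone_decide(src, dst, dport):
    """Returns (src_zone, dst_zone, decision) for a new connection attempt."""
    pair = (zone_of(src), zone_of(dst))
    allowed = dport in POLICY.get(pair, set())
    return pair + ("allow" if allowed else "deny",)


if __name__ == "__main__":
    attempts = [
        ("203.0.113.7", "192.0.2.20", 443),   # Internet client to DMZ web server
        ("203.0.113.7", "10.0.0.5", 443),     # Internet host straight into the LAN
        ("192.0.2.20", "10.0.0.5", 22),       # DMZ host trying to reach the LAN
        ("10.0.0.5", "192.0.2.20", 22),       # admin on the LAN managing a DMZ host
    ]
    for src, dst, port in attempts:
        print(src, "->", dst, port, zone_decide(src, dst, port))
```

The same table expresses the weaker designs as well: the screened-host configuration collapses "dmz" into the single bastion host, and the dual-homed design has no ("internet", "lan") or ("lan", "internet") entries at all, since everything goes through the proxy.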
Trusted Systems (figure: access matrix with Subjects as rows and Objects as columns)
• Access Matrix
• Subject: the doer (who)
• Object: the thing acted upon (on whom)
• Access right
• Capability list (a row of the matrix, w.r.t. a subject)
• Access control list (a column of the matrix, w.r.t. an object)
• Multilevel security requirement
• No Read Up
• No Write Down
• E.g. non-interference model
Reference Monitor
• Controls access to objects by subjects.
• Implemented in hardware and the OS.
• Keeps access information in the security kernel database.
• Properties:
• Complete mediation: the security rules are enforced on every access.
• Isolation: the reference monitor and its database are protected from unauthorized modification.
• Verifiability: the reference monitor's correctness must be formally (mathematically) provable.
Trusted Systems (contd.)
• A system that can provide such verification is termed a Trusted System. However..
• "....Programs have now got very large and very critical -- well beyond the scale which can be comfortably tackled by formal methods... "
• A thought expressed by Prof. Tony Hoare, which implies that building a trusted system is very difficult.
• A TS provides security, e.g., against a Trojan horse.
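The access matrix, the multilevel rules and the reference monitor of the last three slides fit together in one small model. What follows is an added example, not code from the slides: a constructed access matrix from which capability lists and access control lists are derived, and a reference monitor that mediates every request against both the matrix and the no-read-up / no-write-down rules, logging each decision. The subjects, objects, rights and levels are all assumptions made for the example. It also shows the Trojan-horse point: a program running with a high clearance cannot write what it read down to a lower-level object, even when the matrix would permit the write.

```python
# Ordering of security levels used by the multilevel check.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

# Constructed access matrix: rows are subjects, columns are objects,
# each cell holds the access rights the subject has on the object.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read", "write"}},
    "bob":   {"payroll.db": {"write"},         "memo.txt": {"read", "write"}},
}
CLEARANCE = {"alice": "secret", "bob": "confidential"}                  # subject levels
CLASSIFICATION = {"payroll.db": "secret", "memo.txt": "confidential"}   # object levels


def capability_list(matrix, subject):
    """One row of the matrix: everything a subject may do, keyed by object."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def access_control_list(matrix, obj):
    """One column of the matrix: which subjects hold which rights on one object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


class ReferenceMonitor:
    """Every access request passes through check(); nothing else touches objects."""

    def __init__(self, matrix, clearance, classification):
        self.matrix = matrix                    # the security kernel database
        self.clearance = clearance
        self.classification = classification
        self.audit = []                         # record of every decision taken

    def _discretionary(self, subject, obj, right):
        return right in self.matrix.get(subject, {}).get(obj, set())

    def _multilevel(self, subject, obj, right):
        s = LEVELS[self.clearance[subject]]
        o = LEVELS[self.classification[obj]]
        if right == "read":
            return s >= o      # no read up
        if right == "write":
            return s <= o      # no write down (writing to the same or a higher level is fine)
        return False

    def check(self, subject, obj, right):
        # Complete mediation: both policies are applied to every single request,
        # and the outcome is recorded whether it was allowed or denied.
        allowed = self._discretionary(subject, obj, right) and self._multilevel(subject, obj, right)
        self.audit.append((subject, obj, right, allowed))
        return allowed


def run_demo():
    """Mediates a constructed sequence of requests; returns the allow/deny outcomes."""
    rm = ReferenceMonitor(ACCESS_MATRIX, CLEARANCE, CLASSIFICATION)
    requests = [
        ("alice", "payroll.db", "read"),   # secret reads secret: allowed
        ("alice", "memo.txt", "write"),    # matrix permits it, but secret -> confidential is a write down
        ("bob", "payroll.db", "read"),     # bob holds no read right in the matrix
        ("bob", "payroll.db", "write"),    # confidential writing up to secret: allowed
        ("bob", "memo.txt", "read"),       # confidential reads confidential: allowed
    ]
    return [rm.check(*r) for r in requests]


if __name__ == "__main__":
    print("capabilities of bob:", capability_list(ACCESS_MATRIX, "bob"))
    print("ACL of payroll.db:  ", access_control_list(ACCESS_MATRIX, "payroll.db"))
    print("decisions:          ", run_demo())
```

The second request is the Trojan-horse case: if a program acting as alice had read payroll.db and then tried to copy it into memo.txt, where bob could read it, the matrix alone would let it through and only the no-write-down rule stops it.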