1 / 45

CSCE 522 Firewalls

Learn about firewalls, their objectives, advantages, and disadvantages. Understand how they provide controlled access, enhanced privacy, and policy enforcement. Discover the limitations and potential risks associated with firewalls.

scorrales
Download Presentation

CSCE 522 Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSCE 522 Firewalls

  2. Readings • Pfleeger: 6.7 CSCE 522 - Farkas

  3. Traffic Control – Firewall • Brick wall placed between apartments to prevent the spread of fire from one apartment to the next • Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it CSCE 522 - Farkas

  4. Firewall Private Network security wall between private (protected) network and outside word Firewall External Network CSCE 522 - Farkas

  5. PrivateNetwork External Network Firewall Objectives Keep intruders, malicious code and unwanted traffic or information out • Keep proprietary and sensitive information in Proprietary data External attacks CSCE 522 - Farkas

  6. Without firewalls, nodes: • Are exposed to insecure services • Are exposed to probes and attacks from outside • Can be defenseless against new attacks • Network security totally relies on host security and all hosts must communicate to achieve high level of security – almost impossible CSCE 522 - Farkas

  7. Common firewall features • Routing information about the private network can't be observed from outside • traceroute and ping -o can't “see” internal hosts • Users wishing to log on to an internal host must first log onto a firewall machine CSCE 522 - Farkas

  8. Trade-Off between accessibility and Security Service Access Policy Accessibility Security CSCE 522 - Farkas

  9. Firewall Advantages • Protection for vulnerable services • Controlled access to site systems • Concentrated security • Enhanced Privacy • Logging and statistics on network use, misuse • Policy enforcement CSCE 522 - Farkas

  10. Controlled Access • A site could prevent outside access to its hosts except for special cases (e.g., mail server). • Do not give access to a host that does not require access • Some hosts can be reached from outside, some can not. • Some hosts can reach outside, some can not. CSCE 522 - Farkas

  11. Concentrated Security • Firewall less expensive than securing all hosts • All or most modified software and additional security software on firewall only (no need to distribute on many hosts) • Other network security (e.g., Kerberos) involves modification at each host system. CSCE 522 - Farkas

  12. Enhanced Privacy • Even innocuous information may contain clues that can be used by attackers • E.g., finger: • information about the last login time, when e-mail was read, etc. • Infer: how often the system is used, active users, whether system can be attacked without drawing attention CSCE 522 - Farkas

  13. Logging and Statistics on Network Use, Misuse • If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage • Alarm can be added to indicate suspicious activity, probes and attacks – double duty as IDS on smaller networks CSCE 522 - Farkas

  14. Policy enforcement • Means for implementing and enforcing a network access policy • Access control for users and services • Can’t replace a good education/awareness program, however: • Knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall CSCE 522 - Farkas

  15. Firewall Disadvantages • Restricted access to desirable services • Large potential for back doors • No protection from insider attacks • No protection against data-driven attacks • Cannot protect against newly discovered attacks – policy/situation dependent • Large learning curve CSCE 522 - Farkas

  16. Restricted Access to Desirable Services • May block services that users want • E.g., telnet, ftp, X windows, NFS, etc. • Need well-balanced security policy • Similar problems would occur with host access control • Network topology may not fit the firewall design • E.g., using insecure services across major gateways • Need to investigate other solutions (e.g., Kerberos) CSCE 522 - Farkas

  17. Back Doors • Firewalls DO NOT protect against back doors into the site • e.g., if unrestricted modem access is still permitted into a site the attacker could jump around the firewall • Legacy network topology in large networks CSCE 522 - Farkas

  18. Little Protection from Insider Attacks • Generally does not provide protection from insider threats • Sneaker Net - insider may copy data onto tape or print it and take it out of the facility CSCE 522 - Farkas

  19. Data-Driven Attacks • Viruses: • users downloading virus-infected personal computer programs • Executable Content: • Java applets • ActiveX Controls • JavaScript, VBScript • End to End Encryption • Tunneling/Encapsulation CSCE 522 - Farkas

  20. Other Issues • Throughput: potential bottleneck (all connections must pass through firewall) • Single point of failure: concentrates security in one spot => compromised firewall is disaster • Complexity - feature bloat • Some services do not work well with firewalls • Lack of standard performance measurements or techniques CSCE 522 - Farkas

  21. Firewall Components • Firewall Administrator • Firewall policy • Packet filters • transparent • does not change traffic, only passes it • Proxies • Active • Intercepts traffic and acts as an intermediary CSCE 522 - Farkas

  22. Firewall Administrator • Knowledge of underpinnings of network protocols (e.g., TCP/IP, ICMP) • Knowledge of workings of applications that run over the lower level protocols • Knowledge of interaction between firewall implementation and traffic • Vendor specific knowledge CSCE 522 - Farkas

  23. Firewall Policy • High-level policy: service access policy • Low-level policy: firewall design policy Firewall policy should be flexible! CSCE 522 - Farkas

  24. Service Access Policy • Part of the Network Security Policy • Goal: Keep outsiders out • Must be realistic and reflect required security level • Full security vs. full accessibility CSCE 522 - Farkas

  25. Firewall Design Policy • Refinement of service access policy for specific firewall configuration • Defines: • How the firewall achieves the service access policy • Unique to a firewall configuration • Difficult! CSCE 522 - Farkas

  26. Firewall Design Policy Approaches: • Open system: Permit any service unless explicitly denied (maximal accessibility) • Closed system: Deny any service unless explicitly permitted (maximal security) CSCE 522 - Farkas

  27. Simple Packet Filters • Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded. • Header information is used for filtering ( e.g, Protocol number, source and destination IP, source and destination port numbers, etc.) • Stateless: each IP packet is examined isolated from what has happened in the past. • Often implemented by a router (screening router). CSCE 522 - Farkas

  28. Simple Packet Filter Private Network Placing a simple router (or similar hardware) between internal network and “outside” Allow/prohibit packets from certain services Packet-level rules Packet Filter Outside CSCE 522 - Farkas

  29. Simple Packet Filters • Advantages: • Does not change the traffic flow or characteristics –passes it through or doesn’t • Simple • Cheap • Flexible: filtering is based on current rules CSCE 522 - Farkas

  30. Simple Packet Filters • Disadvantages: • Direct communication between multiple hosts and internal network • Unsophisticated (protects against simple attacks) • Calibrating rule set may be tricky • Limited auditing • Single point of failure CSCE 522 - Farkas

  31. Stateful Packet Filters • Called Stateful Inspection or Dynamic Packet Filtering • Checkpoint patented this technology in 1997 • Maintains a history of previously seen packets to make better decisions about current and future packets • Check out: • CheckPoint, Stateful Inspection Technology, http://www.tchk.net/download/Stateful_Inspection.pdf CSCE 522 - Farkas

  32. Bastion Host Proxy Firewalls View Reality Private Network Private Network Proxy Server Outside Outside CSCE 522 - Farkas

  33. Proxy Firewalls • Application Gateways • Works at the application layer  must understand and implement application protocol • Called Application-level gateway or proxy server • Circuit-Level Gateway • Works at the transport layer CSCE 522 - Farkas

  34. Application Gateways • Interconnects one network to another for a specific application • Understands and implements application protocol • Good for higher-level restrictions Server Client Application Gateway CSCE 522 - Farkas

  35. Application Gateways • Advantages: by permitting application traffic directly to internal hosts • Information hiding: names of internal systems are not known to outside systems • Can limit capabilities within an application • Robust authentication and logging: application traffic can be pre-authenticated before reaching host and can be logged • Cost effective: third-party software and hardware for authentication and logging only on gateway • Less-complex filtering rules for packet filtering routers: need to check only destination • Most secure CSCE 522 - Farkas

  36. Application Gateways • Disadvantages: • Keeping up with new applications • Need to know all aspects of protocols • May need to modify application client/protocols CSCE 522 - Farkas

  37. Circuit-Level Gateways • Is basically a generic proxy server for TCP • Works like an application-level gateway, but at a lower level CSCE 522 - Farkas

  38. Circuit-Level Gateways • Advantages: • Don’t need a separate proxy server for each application • Provides an option for applications for which proxy servers don’t yet exist • Simpler to implement than application specific proxy servers CSCE 522 - Farkas

  39. Circuit-Level Gateways • Disadvantages: • No knowledge of higher level protocols – can’t scan for active content or disallowed commands • Can only handle TCP connections – new extensions proposed for UDP • Proprietary packages, TCP/IP stacks must be modified by vendor to use circuit-level gateways CSCE 522 - Farkas

  40. Home Users • Home routers: • Come with built-in firewall • Generally simple packet filters • Can block all incoming connections on all ports if desired • Open connections as needed • Examples: • Download files from outside using FTP: allow incoming connections on Port 21 CSCE 522 - Farkas

  41. Windows Firewall Functionality: • Help block computer viruses and worms from reaching your computer • Ask for your permission to block or unblock certain connection requests • Allow to create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer CSCE 522 - Farkas

  42. Windows Firewall What it does not support: • Detect or disable computer viruses and worms if they are already on your computer • Stop you from opening e-mail with dangerous attachments • Block spam or unsolicited e-mail from appearing in your inbox CSCE 522 - Farkas

  43. Third Party Firewall • Ranging in price between FREE and $50 on average • ZoneAlarm Pro 5 • PC-Cillin 2004 Internet Security • Norton Personal Firewall 2005 • McAfee Personal Firewall 6.0 2005 CSCE 522 - Farkas

  44. Firewall Evaluation • Level of protection on the private network ? • Prevented attacks • Missed attacks • Amount of damage to the network • How well the firewall is protected? • Possibility of compromise • Detection of the compromise • Effect of compromise on the protected network • Ease of use • Efficiency, scalability, redundancy • Expense CSCE 522 - Farkas

  45. Next class: Intrusion Detection CSCE 522 - Farkas

More Related