FIREWALLS - PowerPoint PPT Presentation

1 / 48
About This Presentation
Title:

FIREWALLS

Description:

Bastion host : A bastion host is a secured computer that allows an untrusted ... Screening host structure with Bastion host. RUNNING HEADER, 14 PT. ... – PowerPoint PPT presentation

Number of Views:488
Avg rating:3.0/5.0
Slides: 49
Provided by: simond7
Category:

less

Transcript and Presenter's Notes

Title: FIREWALLS


1
FIREWALLS
  • Presentation by Gökhan AYDIN
  • 2004800233

CMPE 526 Operating System and Network Security
Bogazici University, 05/05/2005
2
INTRODUCTION
  • A security system that acts as a protective
    boundary between a network or a computer and the
    outside world
  • Using a wall of code , they isolate
  • private networks from Internet as in Perimeter
    Firewalls
  • a single computer from the network it is
    connected as in Personal Firewalls
  • Their primary goal was to provide traffic control
    and monitoring
  • By enforcing the security policy represented by a
    set of rules, specifying what is explicitly
    permitted/denied

3
INTRODUCTION (cont.)
  • Firewalls are used to create security checkpoints
    at the boundaries of private networks or personal
    computer
  • As a result, firewalls are first line of defense
    against outside attacks
  • Firewalls emerged in the early 1990s and they
    became particularly popular around 1996 - the
    time where some new attack techniques emerged
    (buffer overflows, remote exploits)

4
INTRODUCTION (cont.)
5
CAPABILITIES of FIREWALLS
  • A firewall, defining a single choke point,
    simplifies security management because security
    capabilities are consolidated on a single system
    or set of systems.
  • They provide a location for monitoring
    security-related events. Audit and alarms can be
    implemented on the firewalls.
  • A firewall is a convenient platform for several
    function that are not security related such as
    Network Address Translation
  • A firewall can be used to implement VPNs.
  • They can authenticate users with the use of
    different authentication methods in order users
    reach certain resources

6
TECHNIQUES USED by FIREWALLS
  • Service Control
  • Allows or blocks certain types of Internet
    services
  • Direction Control
  • Initiate and allow certain direction in which
    particular service requests
  • User Control
  • Controls access to a service according to which
    user is attempting to access it.
  • Behavior Control
  • Controls how particular services are used.
  • Time Control
  • Controls when some services can be used

7
TYPES of FIREWALLS
  • Firewalls can be classified according to
    different criterions
  • Places at where they are deployed
  • Perimeter Firewalls
  • Internal firewalls
  • Personal Firewalls
  • Distributed Firewalls
  • The layer in a network protocol stack at which
    they are filtering and what they are doing
  • Packet Filtering Firewalls _at_
  • Circuit Gateways _at_ Transport Layer
  • Application Gateways _at_ Application Layer
  • Dynamic Packet Filtering Firewalls

8
PACKET FILTERING FIREWALLS
  • One of the oldest type of firewalls
  • Packet filters, historically implemented on
    routers, filter user-defined content, such as IP
    addresses.
  • They examine a packet a the Network or Transport
    Layers
  • They are cheap and useful.

9
PACKET FILTERING FIREWALLS (cont.)
  • They are application independent this feature is
    advantageous in terms of performance
  • Since they are not application-aware and can not
    understand the context of a given communication,
    they are least secure type of firewalls and are
    good targets for intruders.
  • Packet filter is a three-step process
  • One must decide on what should and should not be
    permitted based on a pre-defined security policy
  • The allowable types of packets must be specified
    formally in terms of logical expressions on
    packet fields.
  • The expression should be rewritten in whatever
    syntax the vendor of the firewall supports.

10
PACKET FILTERING FIREWALLS (cont.)
  • Packet filtering is typically set up as a list of
    rules based on matches to fileds in the IP or TCP
    header.
  • If there is a match to one of the rules, that
    rule is invoked and predefined action is taken,
    such as dropping that packet or forwarding it but
    also warning user or admin.
  • The rules are evaluated from top rule to bottom
    rule, that is also an important issue that should
    be carefully considered.
  • Rules are created according to two different
    policies
  • Default Discard That which is not expressly
    permitted is prohibited
  • Default Pass That which is not expressly
    prohibited is permitted
  • Default Discard policiy is more conservative
    initially everything is blocked, and services are
    added on a case-by-case basis.

11
CIRCUIT GATEWAYS
  • The idea of a circuit gateway is fundamentally
    different from packet filtering.
  • Circuit gateways do not permit an end-to-end TCP
    connection.
  • Circuit gateway works on TCP level and takes a
    TCP connection request from a client,
    authenticates and authorizes the client, and
    establishes a second connection to the origin
    server on clients behalf.
  • After establishment of the connection, circuit
    gateways simply relays data forth and back
    between two connections.
  • It does not interfere with data stream.
  • The single circuit gateway that is actually
    widely used is SOCKS.

12
CIRCUIT GATEWAYS (cont.)
  • Circuit gateways can bridge two networks that
    do not share any IP connectivity or DNS
    processing.

13
APPLICATION GATEWAY
  • Application gateways are also called proxy
    servers.
  • Application gateways are deal with the details of
    the particular service they are checking.
  • Since they are dealing with details, they are
    usually more complex than packet filters.
  • Rather than using a general-purpose mechanism to
    allow many different kinds of traffic to flow,
    special purpose code is used for each desired
    application.
  • Application gateways have another advantage that
    since they are controlling the content, they can
    be used as content filters.

14
APPLICATION GATEWAY (cont.)
  • The main disadvantage is the need for a
    specialized program or user interfaces for
    different services. This results in supporting
    only basic services.

15
DYNAMIC PACKET FILTERING FWs (cont.)
  • New approach to packet filtering is Dynamic
    Packet Filtering based on Stateful Inspection.
  • What is new with this approach is that beside the
    functionalities that stateless packet filters
    have such as looking header information is that
    stateful inspection maintains state information
    about past IP packages.
  • If the first packet in TCP connection is
    permitted, state information is added to the
    state table on an internal database.
  • Then the other packets of this connection can
    pass quickly trough the firewall.

16
PERIMETER FIREWALLS
  • Traditional firewall in a box
  • Inserted between trusted and untrusted network
    segments
  • Can support multiple networks (e.g. a Server farm
    and a separate DMZ)
  • Mature product, many vendors to choose from
  • Local control over firewall policy
  • Support VPNs and user authentication
  • All devices behind firewall are protected
  • but only from stuff on the outside!
  • Users dont need to manage anything
  • An outage affects only the systems behind the
    firewall

17
PERIMETER FIREWALLS (cont.)
Perimeter Firewall Structure
18
INTERNAL FIREWALLS
You may also be protecting parts of your internal
network from other parts.
Like the perimeter firewalls they allow a
limited set of traffic through the network
segments.
19
PERSONAL FIREWALLS
  • Personal firewalls are software-only firewalls
    that run on the computer they protect.
  • Designed for individual users or small networks.
  • (eg.Windows XP comes with a personal firewall)
  • Inexpensive and easy to install and use, would
    offer clearly explained configuration options.
  • Allow the user to access all necessary network
    and web resources, protect from external
    "hacking" and alert the user to malicious
    activity.

20
PERSONAL FIREWALLS (cont.)
Personal Firewall Structure
DEMO
21
DISTRIBUTED FIREWALLS
  • With distributed firewalls, each individual host
    enforces the security policy however the policy
    itself is set by a central management node.
  • Rather than have a separate box on the edge of
    the network, a rule to reject such connection
    attempts is created by the admininistrator and
    shipped out to every host within its management
    domain.
  • Advantages
  • Eliminates the risk of central failure
  • Suitable for mobile users
  • Easy to customize some special connections

22
DEPLOYEMENT OF FIREWALLS
  • Firewalls can be deployed in different structures
  • Screening router structure
  • Screening host structure with Bastion host
  • Screening host structure with dual-homed Bastion
    host
  • DMZ structure
  • Bastion host A bastion host is a secured
    computer that allows an untrusted network (such
    as the Internet) access to a trusted network
    (your internal network). It is typically placed
    between the two networks and is often referred to
    as an application level gateway.
  • Demilitarized zone (DMZ)A DMZ sits between an
    internal network and the outside world, and it's
    the best place to put your public servers.
    Examples of systems to place on a DMZ include Web
    servers, FTP servers, SMTP servers and log
    servers.

23
DEPLOYEMENT OF FIREWALLS (cont.)
Screening router
24
DEPLOYEMENT OF FIREWALLS (cont.)
Screening host structure with Bastion host
25
DEPLOYEMENT OF FIREWALLS (cont.)
Screening host structure with dual-homed Bastion
host
26
DEPLOYEMENT OF FIREWALLS
DMZ Demilitarized Zone structure
27
CONFIGURING FIREWALLS
  • Standart rules for firewalls
  • Clean up rule (None of the above rule) This rule
    drops all the all communation attemps that are
    not allowed by an upper rule.
  • Stealth rule (Lockdown rule) This rule is the
    rule that prevents any users from connecting
    directly to the firewall.
  • Always place the most frequently used rules in
    the top to bottom order in the policy
  • Always place the lockdown rule in the top and the
    cleanup rule in the bottom.
  • Always enable the application intelligence/intrusi
    on prevention rules
  • Always log the access rules, anti-spoof rules and
    cleanup rule
  • Always place a subset rule above the superset rule

DEMO
28
NAT OPERATION on FIREWALLS
  • NAT - Network Address Translation effectively
    hides all TCP/IP level information about your
    internal hosts from hackers on the Internet by
    making all your traffic appear to come from a
    single IP address.
  • This operation enables
  • To overcome IP addressing limitations
  • To allow private IP-address allocation
  • Unregistered internal addressing schemes.
  • As the packets routed through firewall, all the
    internal host addresses are converted to the
    address of the firewall.
  • NAT is fundamentally a proxy a single host makes
    requests on behalf of local hosts.
  • NAT is implemented at transport layer.

29
NAT OPERATION on FIREWALLS (cont)
  • To perform NAT operation, firewall maintain a
    table of interior sockets matched to exterior
    sockets.
  • Many firewalls support different types of NAT
    modes
  • Static Translation An internal network resource
    has a fixed translation.
  • Dynamic Translation A group of internal
    clients share a single or a small group of IP
    adresses.
  • Load Balancing Translation A single IP address
    and port is translated to a pool of identically
    configured servers so that a single public
    address can be served by a number of servers.
  • Network Redundancy Translation Multiple
    Internet connections are attached to a single NAT
    firewall and client requests are routed through
    an Internet connection based on load and
    availability.

30
VPNs
  • The Internet offers the potential for IP
    connectivity between almost any pair of
    computers, however communicating parties need a
    connectivity platform that is not only fast,
    scalable, and resilient but also provides
    confidentiality, authentication and integrity
  • A Virtual Private Network (VPN) is a secure
    connectivity platform that both connects networks
    and protects the data passing between them. For
    example, an organization may have geographically
    spaced networks connected via the Internet the
    company has connectivity but no privacy.
  • VPN provides privacy by encrypting those
    connections
  • that need to be secure.
  • VPN offers an easy connectivity solution by
    connecting the different parts of the network via
    the public Internet.

31
VPNs (cont.)
  • VPN provides privacy by encrypting those
    connections
  • that need to be secure.
  • VPN offers an easy connectivity solution by
    connecting the different parts of the network via
    the public Internet.
  • A Virtual Private Network is a network that
    employs encrypted tunnels to exchange securely
    protected data. VPN-1 creates encrypted tunnels
    by using the Internet Key Exchange (IKE) and
    security protocols. IKE creates the VPN tunnel,
    and this tunnel is used to transfer IPSec or SSL
    encoded data.

32
VPNs (cont.)
  • Host 1 and host 6 need to communicate.
  • Path is as follows
  • Host 1 Gateway 1 Internet
  • Gateway 2 Host 6

33
VPNs (cont.)
  • A packet leaves the source host and reaches the
    Gateway.
  • The Gateway encrypts the packet.
  • The packet goes down the VPN tunnel to the second
    Gateway. In actual fact, the packets are standard
    IP packets passing through the Internet. However,
    because the packets are encrypted, they can be
    considered as passing through a private virtual
    tunnel.
  • The second Gateway decrypts the packet.
  • The packet is delivered in the clear to the
    destination host. From the hosts perspective,
    they are connecting directly.

34
VPNs (cont.)
  • VPNs are mostly service independent, so all kind
    information exchaged between two hosts is
    transmitted along this enrypted channel.
  • VPNs require some issues
  • Each site should have VPN-capable device or
    program
  • Each site must know their IP subnet addresses
  • Both sites must agree on a method of
    authentication and exchange digital certificates
    if required.
  • Both sites must agree on a method of encryption
    and exchange keys

35
IPSEC and SSL BASED VPNs
  • Initially, Internet Protocol Security (IPSec)
    Virtual Private Networks (VPNs) were developed
    and have been widely used.
  • New kind of VPNSSL VPNs, based on the Secure
    Sockets Layer (SSL) protocol that secures the
    world of e-commercehas emerged as the leading
    solution for remote access and extranet VPNs.
  • SSL VPNs are replacing IPSec VPNs for remote
    access, leaving IPSec VPNs for their original
    purposesite-to-site VPNs.

36
IPSEC and SSL BASED VPNs
  • IPSec works by establishing a tunnel over the
    Internet to connect users outside a corporate
    firewall or gateway to internal corporate
    resources. It requires compatible hardware or
    software, almost always from a single vendor, on
    both ends of the tunnel.

IPSec based VPN structure
37
IPSEC and SSL BASED VPNs
  • An SSL VPN uses SSL and proxies to provide
    authorized and secure access for end-users to
    HTTP, client/server, and file sharing resources.
  • Adding proxy technology to SSL offers companies
    greater security, because it prevents users from
    making a direct connection into a secured
    network.
  • SSL VPNs deliver user-level authentication,
    ensuring that only authorized users have access
    to the specific resources as allowed by the
    security policies.
  • A key benefit of choosing an SSL VPN solution is
    its ability to provide clientless access.
  • Because SSL is included in standard browsers like
    Microsoft Internet Explorer and Netscape, SSL
    VPNs eliminates some difficulties like managing
    IPSec clients.

38
IPSEC and SSL BASED VPNs
SSL based VPN structure
39
OPERATING SYSTEMS and FIREWALLS
  • Historically, firewalls ran on top of a
    general-purpose operating system such as Windows
    NT or Unix. They functioned by modifying the
    system kernel and TCP/IP stack to monitor
    traffic. Therefore, these firewalls were at the
    mercy of problems present in the operating
    systems they ran on top of.
  • To achieve a high level of security, it was
    necessary to harden, patch, and maintain the
    operating system (as described in the previous
    section). This could be a time-consuming and
    difficult task especially if there was a lack of
    expertise or time to adequately secure and
    maintain a fully functional operating system.
  • Appliances integrate the operating system and the
    firewall software to create a fully hardened,
    dedicated firewall device. The integration
    process removes any and all functionality not
    required to screen and firewall packets. In
    addition, a fully functional administrative
    interface is provided to further simplify
    configuration and maintenance of the firewall.
    Firewall appliances do not require a significant
    amount of host hardening when being deployed
    (usually changing default passwords is all that
    is required).

40
FIREWALL ATTACK TECHNIQUES
  • Attacks through external systems
  • The goal to use some trust relationship between
    the internal networks systems and systems from
    the outside in order to get access to the
    internal network.
  • Attacks through content (passive attacks)
  • The goal to provide user with a content that
    when dealt with (opened) will execute attackers
    provided code
  • Man in the middle attacks
  • The goal to inject content into user traffic in
    such a way so that attack through content will
    occur

41
FIREWALL ATTACK TECHNIQUES (cont)
  • Attacks through external systems
  • Getting in through trusted external systems can
    be accomplished by first compromising the
    machines from which access to the internal
    network is permitted.
  • This might include
  • home machine of the workers of the company
  • the network of the 3rd party that does remote
    administration/outsourcing for the attacked
    company
  • the network of the companys office in some other
    location/country
  • Getting in through non trusted external systems
    can be accomplished in several ways
  • throughout the exploitation of a vulnerability in
    a client software (SecureCRT, ftp, ...)
  • by obtaining user credential information/other
    sensitive data from the user X screen grabbing
  • throughout the combination of the above,
    Netscape/Mozilla remote control capabilities and
    a JVM vulnerability

42
FIREWALL ATTACK TECHNIQUES (cont)
  • Attacks through content
  • Sending mail to the victim user containing
  • an executable file
  • Microsoft Office document exploiting the macro
    bypass vulnerability
  • HTML mail body exploiting a flaw in Internet
    Explorer/Outlook Express or Netscape leading to
    the code execution
  • There are many file formats used for holding
    text, graphics or multimedia data that can be
    used as a carrier of a malicious content.

43
FIREWALL ATTACK TECHNIQUES (cont)
  • Attacks through content (cont.)
  • Hacking some highly popular WWW/FTP server and
    putting a trojan horse file on it
  • software installation files (RealPlayer, Winamp,
    web browsers, ...)
  • software for mobile phones
  • screen savers
  • funny content in an executable form
  • Backdooring source code of some very popular and
    critical Internet service (apache, bind,
    sendmail, ...)

44
FIREWALL ATTACK TECHNIQUES (cont)
  • Man in the middle attacks
  • You cannot look at the security of your network
    only from the LAN/firewall perspective
  • There are also many other things you should take
    into account because they may influence the
    security of your network
  • DNS service
  • routing/security of routes

45
COMMERCIAL PUBLIC DOMAIN FIREWALLS
  • Public-Domain Firewalls
  • ZoneAlarm Free v5.5
  • Sygate Personal Firewall v5.6
  • WyvernWorks Firewall v1.15
  • AnalogX PortBlocker
  • Commercial Firewalls
  • CheckPoint VPN-1/Firewall-1
  • Cisco PIX 7.0
  • NetGuard GuardianPro
  • Nai Gauntlet
  • Axent Raptor
  • Microsoft Proxy Server
  • AltaVista Firewall
  • Unicenter TNG Network Security Option

46
RISKS with FIREWALLS
  • They are pretty complex piece of software!!!
  • Commercial firewall systems are closed software,
    which means that no one has really put them under
    the glass in a search for security problems...
  • Over the last couple of years there has been just
    several bugs found in them...
  • They just filter traffic coming from/to your
    network
  • They can handle dozens of application protocols,
    but unfortunately cannot protect you against
    malicious content
  • Security level of a network protected by a
    firewall system depends on many factors (DNS,
    routing infrastructure, security of client
    software...)
  • There is always a great risk associated with the
    so called human error

47
WEAKNESSES of FIREWALLS
  • Common firewall weaknesses include
  • Firewalls cannot protect against what is
    authorized. Firewalls protect applications and
    permit the normal communications traffic to those
    applications. If the applications themselves have
    flaws, a firewall will not stop the attack
    because, to the firewall, the communication is
    authorized.
  • Firewalls are only as effective as the rules they
    are configured to enforce. An overly permissive
    rule set will diminish the effectiveness of the
    firewall.
  • Firewalls cannot fix poor administrative
    practices or a poorly designed security policy.
  • Firewalls cannot stop attacks in which traffic
    does not pass through them.
  • Firewalls are bottlenecks, Internet connections
    are getting faster, and the techniques for
    detecting potential issues are getting more
    complicated. More and more processing power is
    required just to stand still and the technologies
    already exist to do all this stuff. So it may
    just be the way forward, for large enterprise
    security systems at least.

48
presented by Gökhan AYDIN
  • Thank you for your attention !
  • Questions
  • ?????????????????????????????????????
Write a Comment
User Comments (0)
About PowerShow.com