Lecture 20: Firewalls - PowerPoint PPT Presentation

1 / 10

About This Presentation

Title:

Lecture 20: Firewalls

Description:

Number of Views:526

Avg rating:3.0/5.0

Slides: 11

Provided by: Charlie138

Category:

Tags: bastion | firewalls | lecture

Transcript and Presenter's Notes

Title: Lecture 20: Firewalls

1
Lecture 20 Firewalls

the pictures are from Cryptography and Network
Security by William Stallings
2
Why Firewalls

a firewall is a security located between the
private network and the Internet regulating
traffic between two networks
reasons
eliminate unwanted traffic inside the private
network
hard/expensive to enforce end-to-end security
users on the inside do not have to concern with
security
a number of standard programs are a potential
security risk and turned on by default finger,
telnet, rlogin/rsh, X Windows, ICMP
convenient point to combine security with
unrelated services like NAT (whats that?)

3
Packet Filtering Router

router applies a set of rules on the fields of
the header of (typically incoming) IP packet and
either lets it through or discards it
rules examine the fields and prescribe the action
(allow or discard)
fields to use
source/destination IP address
transport layer protocol port number (which
defines the application telnet, ftp, web, etc)
interface (router has many)
can be
stateless examines each packet individually
stateful takes communication context into
account some outside packets are allowed to
proceed if the inside and outside machine are in
active communication
attacks and countermeasures
IP address spoofing attacker puts IP address of
the internal host drop the packets with internal
IP coming from external interface
source routing origin is internal address
whats the countermeasure?

4
Stateless Packet FilterTable Example

5
Packet Filtering Router

6
Application Level Gateway

(also called proxy server)
connections outside are allowed only through
proxy
internal host contact proxy, requests connection
with the outside, after authenticating the user
and if it is configured to provide service for
this type of connection (ftp, web, telnet, etc.)
proxy relays packets to the outside
adv easy to monitor traffic and configure
security, only allow allow traffic of specified
kind
disadv additional processing time and connection
delays

7
Bastion Host and DMZ

bastion host a secured machine that is allowed
external access
must be made made secure runs secure versions of
the OS, inessential services are disabled,
authentication before initiating connection, logs
auditing and traffic information
implements application-level gateway
DMZ (demilitarized zone) the portion of the
network where (partially screened) external
traffic is allowed usually contains the bastion
host

8
FirewallSetupExamples

the combination of packet filtering and
application layer gateway makes firewall more
effective
multiple layers of defense protect against the
compromise of one router/gateway
multiple routers allow NAT-based network hiding

9
Tunneling and VPNs

tunnel a point-to-point connection over which
the communication takes of machines (not located
at the endpoints of this connection) takes place
secure tunnel can be used to connect several
parts of network of the same organization over
(insecure) internet
such configuration is called virtual private
network
Alice (in one portion of the network) sends an IP
packet to Bob (in another), When the packet
reaches Alices gateway, the gateway tunnels the
packet to Bobs gateway
IPsec is frequently used for this purpose, how?

10
Problems with Firewalls

firewalls without end-to-end security are not
ideal
they do not protect from the attack from the
inside (what kind of attack?)
once the security has been breached the network
is vulnerable
firewall usually lets email and web traffic
through and a number of attacks can be launched
through that (think which?)
users are inconvenienced and think of ways of
bypassing the security
IP over HTTP (why is that a threat)?