Firewalls - PowerPoint PPT Presentation

About This Presentation
Title:

Firewalls

Description:

Network security totally relies on host security and all hosts must communicate ... MBONE Multicast IP transmissions for video and voice are encapsulated in other ... – PowerPoint PPT presentation

Slides: 25
Provided by: engi79
Category:
Tags: firewalls

Transcript and Presenter's Notes

1
Firewalls
  • CSCE 590 - Farkas
  • November 13, 2000

2
Internet Connectivity
  • Increased availability of and access to information
  • NOT ALWAYS A GOOD THING!
  • Sites with a low level of security
  • Number of hosts increases
  • Good: private networks are enabled to reach and communicate with the outside world
  • Bad: the outside world can also reach and interact with the private network

3
Firewall
  • Buildings: brick walls built between buildings in apartment complexes → fire could not spread from one building to another
  • Computers: security wall (intermediate system) between the private (protected) network and the outside world

4
Firewall
  • Firewall (guarded gateway): network monitor (or collection of monitors) placed between
    • An organization's internal network (subnet) and the Internet, or
    • Two local area networks
  • Single, narrow checkpoint
  • Objectives
    • Keep intruders, malicious code and unwanted information out
    • Keep proprietary and sensitive information in

5
Why Firewalls?
  • Without firewalls, subnet systems are
    • Exposed to insecure services (e.g., NFS, NIS)
    • Exposed to probes and attacks from outside
  • Network security relies totally on host security, and all hosts must communicate to achieve a high level of security

6
Trade-Off between Accessibility and Security
[Diagram: the service access policy sets the balance between accessibility and security]

7
Firewall Advantages
  • Protection from vulnerable services
  • Controlled access to site systems
  • Concentrated security
  • Enhanced Privacy
  • Logging and statistics on network use, misuse
  • Policy enforcement

8
Protection From Vulnerable Services
  • Filtering inherently insecure services → fewer risks. For example:
    • NFS services
      • Cannot leave the subnet
      • Cannot enter the subnet
      • Can be used within the subnet → cannot be exploited by outside attackers
    • Routing-based attacks
      • Source routing
      • Attempts to redirect routing paths
      • Reject these messages and notify the SSO

9
Controlled Access
  • A site could prevent outside access to its hosts except for special cases (e.g., mail server)
  • Why provide access to a host that does not require it?
  • Some hosts can be reached from outside, others cannot

10
Concentrated Security
  • A firewall is less expensive than securing all hosts
  • All or most modified software and additional security software is on the firewall only (no need to distribute it to many hosts)
    • E.g., authentication software
  • Other network security (e.g., Kerberos) involves modification at each host system

11
Enhanced Privacy
  • Even innocuous information may contain clues that can be used by attackers
  • E.g., finger
    • Information about the last login time, when e-mail was read, etc.
    • Infer how often the system is used, who the active users are, and whether the system can be attacked without drawing attention

12
Logging and Statistics on Network Use, Misuse
  • If all access to and from the Internet passes through the firewall, the firewall can log accesses and provide statistics about system usage
  • Alarms can be added to indicate suspicious activity, probes and attacks

13
Policy enforcement
  • Means for implementing and enforcing a network access policy
  • Access control over users and services

14
Firewall Disadvantages
  • Restricted access to desirable services
  • Large potential for back doors
  • Little protection from insider attacks
  • Other

15
Restricted Access to Desirable Services
  • May block services that users want
    • E.g., telnet, ftp, X Windows, NFS, etc.
  • Need a well-balanced security policy
  • Similar problems would occur with host access control
  • Network topology may not fit the firewall design
    • E.g., using insecure services across major gateways
  • Need to investigate other solutions (e.g., Kerberos)

16
Back Doors
  • Firewalls DO NOT protect against back doors into the site
    • E.g., if unrestricted modem access is still permitted into a site, an attacker could jump around the firewall
    • SLIP (Serial Line IP) and PPP (Point-to-Point Protocol) connections inside the protected subnet

17
Little Protection from Insider Attacks
  • Generally do not provide protection from insider threats
    • An insider may copy data onto tape and take it out of the facility

18
Other Issues
  • Viruses: users downloading virus-infected personal computer programs
  • Throughput: potential bottleneck (all connections must pass through the firewall)
  • All eggs in a single basket: concentrates security in one spot → a compromised firewall is a disaster
  • Some Web services do not work well with firewalls
  • MBONE: Multicast IP transmissions for video and voice are encapsulated in other packets; firewalls generally do not examine packet contents

19
Firewall Components
  • Firewall policy
  • Packet filters
  • Application gateways

20
Firewall Policy
  • High-level policy: service access policy
    • TCP/IP protocols
    • Services that are allowed or denied
    • Service usage
    • Exception handling
  • Low-level policy: firewall design policy
    • How the firewall achieves the service access policy
    • Unique to a firewall configuration
    • Difficult!
  • Approaches
    • Permit any service unless it is explicitly denied
    • Deny any service unless it is explicitly permitted

21
Packet Filters
  • Multi-ported internetworking device that applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded
  • Header information is used for filtering (e.g., protocol number, source and destination IP addresses, source and destination port numbers, etc.)
  • Stateless: each IP packet is examined in isolation from what has happened in the past

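As an added example (not part of the slides), the rule-matching core of such a stateless packet filter in Python: every packet is judged from its header fields alone, and one rule set is run under both approaches from slide 20 (permit unless denied, deny unless permitted). The subnet, mail host address and the NFS/SMTP rules are constructed to mirror the earlier slides; the last test case shows what statelessness costs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:                    # header fields only; not a real parser
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # any source network
    dst: str = "0.0.0.0/0"       # any destination network
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def filter_packet(rules, p: Packet, default: str) -> str:
    """First matching rule wins; `default` decides traffic no rule lists."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

INTERNAL = "10.0.0.0/8"          # constructed protected subnet
MAIL_HOST = "10.0.0.25/32"       # constructed mail server (the slide 9 exception)
RULES = [
    # NFS (port 2049) may neither enter nor leave the subnet (slide 8).
    Rule("deny", "tcp", dport=2049), Rule("deny", "udp", dport=2049),
    # Inbound SMTP to the mail host is explicitly permitted.
    Rule("permit", "tcp", dst=MAIL_HOST, dport=25),
    # Replies from outside mail servers: with no connection state the filter can
    # only recognise them by source port 25, so this rule also admits any
    # unsolicited packet that happens to carry sport=25 (why stateful filters exist).
    Rule("permit", "tcp", dst=INTERNAL, sport=25),
]

def decide(p: Packet, permit_by_default: bool) -> str:
    return filter_packet(RULES, p, "permit" if permit_by_default else "deny")
```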
22
Application Gateways
  • Internetworking device that interconnects one
    network to another for a specific application
  • Must understand and implement application protocol

[Diagram: Client ↔ Application Gateway ↔ Server]

23
Application Gateways
  • Incoming telnet and ftp connections
    • User telnets to the application gateway and enters the name of the internal host
    • Gateway checks the user's source IP address and accepts or rejects it according to the access criteria
    • User may need to authenticate herself
    • Proxy service creates a telnet connection between the gateway and the internal host
    • Proxy service passes bytes between the two connections
    • Application gateway logs the connection

24
Advantages of Application Gateways
  • Advantages over permitting application traffic directly to internal hosts
    • Information hiding: names of internal systems are not known to outside systems
    • Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
    • Cost effective: third-party software and hardware for authentication and logging only on the gateway
    • Less-complex filtering rules: packet filtering routers need to check only the destination