Size: 4.14 MB
Language: en
Added: Jun 14, 2024
Slides: 37 pages
Slide Content
Firewalls
Introduction
seen evolution of information systems
now everyone wants to be on the Internet and to interconnect networks
has persistent security concerns
can't easily secure every system in org
typically use a Firewall to provide perimeter defence
as part of comprehensive security strategy
What is a Firewall?
a choke point of control and monitoring
interconnects networks with differing trust
imposes restrictions on network services
only authorized traffic is allowed
auditing and controlling access
can implement alarms for abnormal behavior
provide NAT & usage monitoring
implement VPNs using IPSec
must be immune to penetration
Firewall Limitations
cannot protect from attacks bypassing it
eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
cannot protect against internal threats
eg disgruntled or colluding employees
cannot protect against transfer of all virus-infected programs or files
because of huge range of O/S & file types
Firewalls – Packet Filters
simplest, fastest firewall component
foundation of any firewall system
examine each IP packet (no context) and permit or deny according to rules
hence restrict access to services (ports)
possible default policies
what is not expressly permitted is prohibited
what is not expressly prohibited is permitted
Firewalls – Packet Filters
Screening policy actions
Forward
The packet is forwarded to the intended recipient
Drop
The packet is dropped (without notification)
Reject
The packet is rejected (with notification)
Log
The packet's appearance is logged (combined with one of the actions above)
Alarm
The packet's appearance triggers an alarm (combined with one of the actions above)
Screening policies
There should always be some default rules
The last rule should be "Drop everything from everyone", which enforces a defensive strategy
Network monitoring and control messages should be considered
Firewalls – Packet Filters
Attacks on Packet Filters
IP address spoofing
fake source address to be trusted
add filters on router to block
source routing attacks
attacker sets a route other than default
block source routed packets
tiny fragment attacks
split header info over several tiny packets
either discard or reassemble before check
Firewalls – Stateful Packet Filters
traditional packet filters do not examine higher layer context
ie matching return packets with outgoing flow
stateful packet filters address this need
they examine each IP packet in context
keep track of client-server sessions
check each packet validly belongs to one
hence are better able to detect bogus packets out of context
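As an added example (not part of the original slides), the screening actions, the final "drop everything from everyone" rule, the anti-spoofing filter and the stateful session tracking described above, implemented as a small Python rule engine; the addresses, interface names and rules are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: 10.0.0.0/8 is the protected net; iface "int" = inside, "ext" = Internet side.
INTERNAL = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # first packet of a TCP connection
class StatefulFilter:
    # First-match rules ending in "drop everything", plus a session table so that
    # replies are accepted only in the context of a tracked client-server flow.
    def __init__(self, rules):
        self.rules = rules      # (predicate, action, log?) in screening order
        self.sessions = set()   # (client, client_port, server, server_port)
        self.log = []
    def evaluate(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "FORWARD"    # reply to a tracked session: in context
        for matches, action, log in self.rules:
            if matches(p):
                if log:         # Log is always combined with another action
                    self.log.append(f"{action} {p.iface} {p.src}:{p.sport}->{p.dst}:{p.dport}")
                if action == "FORWARD" and p.syn:
                    self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return action
        self.log.append(f"DROP {p.iface} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return "DROP"           # last rule: drop everything from everyone
def build_filter() -> StatefulFilter:
    return StatefulFilter([
        # anti-spoofing: an internal source address must never arrive from outside
        (lambda p: p.iface == "ext" and ip_address(p.src) in INTERNAL, "DROP", True),
        # inside hosts may open web connections to the outside
        (lambda p: p.iface == "int" and p.dport in (80, 443) and p.syn, "FORWARD", False),
        # telnet from anywhere is rejected, with notification to the sender
        (lambda p: p.dport == 23, "REJECT", True),
    ])

def demo() -> tuple:
    fw = build_filter()
    client, server = "10.1.2.3", "203.0.113.5"
    out = fw.evaluate(Packet("int", client, server, 40000, 80, syn=True))
    reply = fw.evaluate(Packet("ext", server, client, 80, 40000))   # in context
    bogus = fw.evaluate(Packet("ext", server, client, 80, 40001))   # no such session
    spoof = fw.evaluate(Packet("ext", "10.9.9.9", client, 5555, 80, syn=True))
    telnet = fw.evaluate(Packet("ext", "198.51.100.7", client, 4444, 23))
    return out, reply, bogus, spoof, telnet, len(fw.log)
```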
Advantage/Disadvantage
+ One screening router can protect a whole network
+ Packet filtering is extremely efficient
+ Packet filtering is widely available
- Current filtering tools are not perfect
- Some policies are difficult to enforce
- Packet filtering generates extra load for the router
Firewalls - Application Level Gateway (or Proxy)
have application specific gateway / proxy
has full access to protocol
user requests service from proxy
proxy validates request as legal
then actions the request and returns result to user
can log / audit traffic at application level
need separate proxies for each service
some services naturally support proxying
others are more problematic
Different modes
Proxy-aware application software
The application software knows how to connect to the proxy and passes it the final destination
Proxy-aware operating system software
The operating system checks and, if necessary, modifies the IP addresses so that the proxy is used
Proxy-aware user procedures
The user has to follow some procedures: he tells the client software where to connect and also tells the proxy the destination address
Proxy-aware router
The client attempts to make connections as usual and the router intercepts and redirects packets to the proxy
Firewalls - Circuit Level Gateway
relays two TCP connections
imposes security by limiting which such connections are allowed
once created usually relays traffic without examining contents
typically used when trust internal users by allowing general outbound connections
SOCKS is commonly used
Advantage/Disadvantage
+ Proxies can do intelligent filtering
+ Proxies can provide logging and caching
+ Proxies can provide user-level authentication
- Proxies cause a delay
- Proxies can require modifications to clients
- Proxies may require a different server for each service
Network Address Translation
NAT allows using a set of network addresses internally and a different set externally
Does not provide security by itself, but forces connections through one point
Modes
Static allocation
The translation scheme is static
Dynamic allocation of addresses
The connection addresses are determined on a per-session basis
Dynamic allocation of addresses and ports
Both addresses and ports are dynamic
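An added illustration, not from the slides, of the third mode (dynamic allocation of addresses and ports): a minimal NAPT table in Python with a constructed public address and port range, showing why ports must be translated when two internal hosts reuse the same client port and why unsolicited inbound packets have no mapping to translate to.

```python
from collections import namedtuple
from itertools import count

# Constructed setup: the firewall owns one public address and hands out
# public ports from 20000 upward, one per internal (address, port) pair.
PUBLIC_IP = "198.51.100.1"
Packet = namedtuple("Packet", "src dst sport dport")

class NAPT:
    """Dynamic allocation of addresses and ports: every outbound session gets
    its own public port, and inbound packets are rewritten only if a mapping
    exists, so unsolicited inbound traffic is never forwarded inside."""
    def __init__(self):
        self.ports = count(20000)
        self.outbound = {}   # (internal_ip, internal_port) -> public_port
        self.inbound = {}    # public_port -> (internal_ip, internal_port)

    def translate_out(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.outbound:          # allocate once per session
            port = next(self.ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(PUBLIC_IP, p.dst, self.outbound[key], p.dport)

    def translate_in(self, p: Packet):
        """Rewrite a reply for the internal host, or return None to drop it."""
        if p.dst != PUBLIC_IP or p.dport not in self.inbound:
            return None
        ip, port = self.inbound[p.dport]
        return Packet(p.src, ip, p.sport, port)

def demo():
    nat = NAPT()
    a = nat.translate_out(Packet("10.0.0.5", "203.0.113.9", 40000, 80))
    # second host reuses client port 40000: only port translation keeps them apart
    b = nat.translate_out(Packet("10.0.0.6", "203.0.113.9", 40000, 80))
    reply = nat.translate_in(Packet("203.0.113.9", PUBLIC_IP, 80, b.sport))
    unsolicited = nat.translate_in(Packet("203.0.113.9", PUBLIC_IP, 80, 20999))
    return a, b, reply, unsolicited
```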
Advantage/Disadvantage
+ NAT helps to enforce the firewall's control over outbound traffic
+ NAT helps to restrict incoming traffic
+ NAT hides the internal network configuration
- Embedded IP can become a problem
- Dynamic allocation may interfere with encryption and authentication
- Dynamic allocation of ports may interfere with packet filters
Bastion Host
highly secure host system
runs circuit / application level gateways
or provides externally accessible services
potentially exposed to "hostile" elements
hence is secured to withstand this
hardened O/S, essential services, extra auth
proxies small, secure, independent, non-privileged
may support 2 or more net connections
may be trusted to enforce policy of trusted separation between these net connections
Firewall Configurations
Multiple Screened Subnets
Split-Screened subnet
Multiple networks between the exterior and interior router. The networks are usually connected by dual-homed hosts.
Independent Screened Subnets
n Screened Subnets
Hybrid - Example Structure
(diagram: the Internet connected through several DMZs to a Supplier Net, an Employee LAN, and a Back End with Application and Database)
Evaluating a Firewall
Scalability
Reliability and Redundancy
Auditability
Price (Hardware, Software, Setup, Maintenance)
Management and Configuration
Firewalls and Malware
Should preferably control both incoming and outgoing traffic
Windows XP firewall controls only incoming traffic
Trojans can start up servers on the inside
Firewall should preferably inspect packets on the application layer
Network layer based packet filters do not provide adequate protection
Firewalls and Malware
New worms/viruses often try to kill firewall and anti-virus processes
"Tunneled Worms"
Tunnel IP packet within another IP packet to hide the real IP header
Tunneling program can be built into Trojans
Tunneled IP packet
IP-Tables
IP Tables is the standard kernel firewall system for Linux since Kernel 2.4.x
Packet Filtering and NAT for Linux
Example Rules
iptables -P FORWARD DROP
Introduce the general policy to drop all packets
iptables -t nat -P PREROUTING ACCEPT
Accept prerouting nat traffic
iptables -A FORWARD -i eth1 -p tcp -d 193.10.221.184 --dport 80 -j ACCEPT
Accept all tcp connections to port 80 coming in at my second network interface to my ip
iptables -A FORWARD -m limit --limit 3/minute -j LOG
Log all refused connections but max. 3 per minute
Additional Literature
Building Internet Firewalls
Zwicky, Cooper
ISBN 1565928717; O'Reilly
iptables Tutorial 1.1.16
Oskar Andreasson
http://iptables-tutorial.frozentux.net/iptables-tutorial.html