Firewalls
Mahalingam Ramkumar
Evolution of Networks
● Centralized data processing
● LANs
● Premises network – interconnection of LANs and mainframes
● Enterprise-wide network – interconnection of LANs in a private WAN
● LANs interconnected using the Internet and using virtual private networks
What is a Firewall?
● A “choke point”
● A location for monitoring security-related events
– Audits and alarms
● Non-security-related functions
– NAT, network management
● An end-point for IPSec
Firewall Limitations
● Cannot protect from attacks bypassing it
– e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
● Cannot protect against internal threats
– e.g. disgruntled employee
● Cannot protect against transfer of virus-infected programs or files
– because of the huge range of O/S & file types
Firewall – Basic Types
● Packet-Filtering Router
● Stateful Inspection Firewalls
● Application Level Gateway
● Circuit Level Gateway
Packet Filters
● Filtering based on
– Source IP address
– Destination IP address
– Source and destination transport-level address
– IP protocol field
– Interface (physical)
● Rules!
– Configuration files
– Explicit allow / block
Packet Filtering Example
Attacks on Packet Filtering
● IP address spoofing
● Source routing attacks
● Tiny fragment attacks
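The packet-filter rules above, as an added example that is not part of the slides: a stateless filter that evaluates explicit allow/block rules first-match with a default deny, plus the two classic countermeasures to the attacks just listed, an anti-spoofing check on the external interface and a minimum first-fragment size. The interface names "ext"/"int", the 10.0.0.0/8 internal range, the mail host and the 40-byte threshold are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    iface: str                    # "ext" or "int": assumed interface names
    dport: Optional[int] = None   # None when no transport header is present
    frag_offset: int = 0          # IP fragment offset (0 = first fragment)
    more_fragments: bool = False  # IP MF flag
    length: int = 60              # total IP length in bytes
@dataclass(frozen=True)
class Rule:
    action: str                   # explicit "allow" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))
INTERNAL = ip_network("10.0.0.0/8")   # constructed: the protected network
MIN_FIRST_FRAGMENT = 20 + 20          # IP header + full TCP header (assumed threshold)

# Constructed rule set: inbound SMTP to the mail host, anything outbound, default deny.
RULES = [
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=25, iface="ext"),
    Rule("allow", src="10.0.0.0/8", iface="int"),
    Rule("block"),
]
def filter_packet(p: Packet, rules: list = RULES) -> str:
    # Anti-spoofing: an external packet claiming an internal source is bogus.
    if p.iface == "ext" and ip_address(p.src) in INTERNAL:
        return "block"
    # Tiny-fragment check: a first fragment too short to carry the transport
    # header would slip past the port-based rules, so it is dropped outright.
    if p.more_fragments and p.frag_offset == 0 and p.length < MIN_FIRST_FRAGMENT:
        return "block"
    for rule in rules:            # first matching rule wins
        if rule.matches(p):
            return rule.action
    return "block"                # nothing matched: default deny
```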
Firewalls – Stateful Packet Filters
● Examine each IP packet in context
– keeps track of client-server sessions
– checks that each packet belongs to a valid session
● Better ability to detect bogus packets “out of context”
● A session might be pinned down by
– Source IP and port,
– Dest IP and port,
– Protocol, and
– Connection state
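The session tracking described above, as an added example that is not from the slides: a minimal stateful filter for TCP that pins a session down by source/destination address and port plus a connection state, admits only an internal client's opening SYN, and drops every packet that belongs to no valid session. The "int"/"ext" interface names and the three-state machine (SYN_SENT, ESTABLISHED, CLOSING) are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    iface: str                # "int" (protected side) or "ext": assumed names

class StatefulFilter:
    """Keeps a table of client-server sessions keyed by the 4-tuple
    (client, cport, server, sport) plus a connection state, and passes
    only packets that belong to a valid session."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(p: TcpPacket, reverse: bool = False) -> tuple:
        if reverse:
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def inspect(self, p: TcpPacket) -> str:
        fwd, rev = self._key(p), self._key(p, reverse=True)
        if fwd not in self.sessions and rev not in self.sessions:
            # Policy: only an internal client may open a session, and only with a bare SYN.
            if p.iface == "int" and p.flags == {"SYN"}:
                self.sessions[fwd] = "SYN_SENT"
                return "allow"
            return "drop"         # out of context: no session it could belong to
        key = fwd if fwd in self.sessions else rev
        state = self.sessions[key]
        if state == "SYN_SENT":
            if key == rev and p.flags == {"SYN", "ACK"}:
                self.sessions[key] = "ESTABLISHED"   # server answered the handshake
                return "allow"
            if key == fwd and p.flags == {"SYN"}:
                return "allow"                       # client retransmitted its SYN
            return "drop"                            # anything else is bogus here
        if "RST" in p.flags:
            del self.sessions[key]                   # session torn down
            return "allow"
        if "FIN" in p.flags:
            self.sessions[key] = "CLOSING"   # a real filter would also expire idle entries
        return "allow"
```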
Firewalls - Application Level Gateway (or Proxy)
Application Level Gateway
● Application-specific gateway / proxy
● has full access to the protocol
– user requests service from proxy
– proxy validates request as legal
– acts on behalf of the user
– returns result to user
● need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
Firewalls - Circuit Level Gateway
Circuit Level Gateway
● Relays two TCP connections
● Imposes security by limiting the types of connections that are allowed
● Once created, usually relays traffic without examining contents
● Typically used with trusted internal users (by allowing general outbound connections)
● SOCKS (RFC 1928)
– SOCKS server
– SOCKS client library
– SOCKSified versions of application programs
SOCKS
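The SOCKS decision a circuit-level gateway makes, as an added example that is not from the slides or any SOCKS implementation: it parses the RFC 1928 request (VER CMD RSV ATYP DST.ADDR DST.PORT), limits the type of connection by refusing BIND and UDP ASSOCIATE and allowing CONNECT only to a constructed port allow-list, and builds the reply; after that a real server would relay bytes between the two TCP connections without looking at them. The port policy and the zeroed BND fields are assumptions of the example.

```python
import struct
from ipaddress import ip_address

CONNECT, BIND, UDP_ASSOCIATE = 0x01, 0x02, 0x03          # RFC 1928 CMD values
REP_OK, REP_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02  # RFC 1928 REP values
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08
ALLOWED_PORTS = {80, 443}       # constructed policy: general outbound web only

class UnsupportedAddressType(ValueError):
    pass

def parse_request(buf: bytes):
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    if len(buf) < 8 or buf[0] != 0x05 or buf[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = buf[1], buf[3]
    if atyp == 0x01:                                  # IPv4: 4 octets
        addr, rest = str(ip_address(buf[4:8])), buf[8:]
    elif atyp == 0x03:                                # domain name: length-prefixed
        n = buf[4]
        addr, rest = buf[5:5 + n].decode("ascii"), buf[5 + n:]
    elif atyp == 0x04:                                # IPv6: 16 octets
        addr, rest = str(ip_address(buf[4:20])), buf[20:]
    else:
        raise UnsupportedAddressType(atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes")
    return cmd, atyp, addr, struct.unpack("!H", rest)[0]

def decide(buf: bytes):
    """Return (REP code, reply bytes). The gateway judges only the command, address
    type and destination port; once relaying starts it never inspects the payload."""
    try:
        cmd, _atyp, _addr, port = parse_request(buf)
    except UnsupportedAddressType:
        rep = REP_ATYP_UNSUPPORTED
    except ValueError:
        rep = REP_FAILURE
    else:
        if cmd != CONNECT:                  # BIND and UDP ASSOCIATE are refused
            rep = REP_CMD_UNSUPPORTED
        elif port not in ALLOWED_PORTS:     # connection not allowed by ruleset
            rep = REP_NOT_ALLOWED
        else:
            rep = REP_OK
    # Reply: VER REP RSV ATYP BND.ADDR BND.PORT; a real server fills in the
    # address and port of the socket it bound for the relay, zeroed here.
    return rep, bytes([0x05, rep, 0x00, 0x01]) + bytes(4) + bytes(2)
```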
Bastion Host
● Highly secure host system
● Exposed to "hostile" elements
– hence secured to withstand attacks
– Trusted System
● May be single or multi-homed
● Enforce trusted separation between network connections
● Run circuit / application level gateways
● Provide externally accessible services
Firewall Configurations
● Screened Host – Single Homed Bastion Host
● Screened Host – Dual Homed Bastion Host
● Screened Subnet
Screened Host – Single Homed Bastion Host
Screened Host – Dual Homed Bastion Host
Screened-subnet Firewall
Access Control
● Given that the system has identified a user
● Determine what resources they can access
● General model - access matrix
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – the way an object can be accessed
● can decompose by
– columns as access control lists
– rows as capability tickets
Access Control Matrix
Trusted Computer Systems
● Varying degrees of sensitivity of information
– military classifications: confidential, secret, TS, etc.
● Subjects (people or programs) have varying rights of access to objects (information)
● Need to consider ways of increasing confidence in systems to enforce these rights
● Multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
Bell LaPadula (BLP) Model
● One of the well-known security models
● Implemented as mandatory policies on system
● Two key policies:
– no read up (simple security property)
● a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
– no write down (*-property)
● a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
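The two BLP properties and the maximum/current level distinction from the multilevel security slide, as an added example that is not from the slides: a subject may lower its current level but never raise it above its clearance, reads require the subject to dominate the object, appends require the object to dominate the subject, and read-and-write access therefore needs both, which on the linear ordering assumed here means equal levels. The four level names and the "append"/"write" mode names are assumptions of the example.

```python
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def dominates(a: str, b: str) -> bool:
    """Level a dominates level b when a >= b in the (linear) ordering above."""
    return RANK[a] >= RANK[b]

class Subject:
    """A user or process: a fixed maximum clearance and a current level
    that it may lower (e.g. to write a low-level file) but never raise above the max."""
    def __init__(self, name: str, max_level: str, current: str = None):
        self.name, self.max_level = name, max_level
        self.current = max_level
        if current is not None and not self.set_current(current):
            raise ValueError("current level exceeds clearance")

    def set_current(self, level: str) -> bool:
        if not dominates(self.max_level, level):
            return False
        self.current = level
        return True

class Obj:
    """A file or resource with a fixed classification."""
    def __init__(self, name: str, classification: str):
        self.name, self.classification = name, classification

def check(s: Subject, o: Obj, mode: str) -> bool:
    """Mandatory BLP check for mode "read", "append" (write-only) or
    "write" (read and write). Returns True when the access is permitted."""
    no_read_up = dominates(s.current, o.classification)     # simple security property
    no_write_down = dominates(o.classification, s.current)  # *-property
    if mode == "read":
        return no_read_up
    if mode == "append":
        return no_write_down
    if mode == "write":    # both directions: only possible at the same level
        return no_read_up and no_write_down
    raise ValueError(f"unknown access mode {mode!r}")
```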