lecture 9 - firewalls

lecture 9 - firewalls - Firewalls and Perimeter Security CS...

Slide 1 - CS 6823 - Network Security: Firewalls and Perimeter Security
CS 6823 – Lecture 8 Cryptography
Keith O'Brien, keith@keithobrien.org
Slide 2 - Firewall
[Figure: the Internet on one side, the privately administered network 222.22/16 on the other]
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. A data firewall isolates an organization's internal network from an untrusted network such as the Internet, allowing some packets to pass and blocking others.
Slide 3 - Firewall Goals:
- All traffic from outside to inside, and vice versa, passes through the firewall
- Only authorized traffic, as defined by the local security policy, will be allowed to pass
- The firewall itself is immune to penetration
Slide 4 - Firewalls: Taxonomy
- Traditional packet filters: filters often combined with a router, creating a firewall
- Stateful filters
- Application gateways
- Proxies
Slide 5 - Traditional Packet Filters
Analyzes each datagram going through it; makes the drop decision based on:
- Source IP address
- Destination IP address
- Source port
- Destination port
- TCP flag bits
  - SYN bit set: datagram for connection initiation
  - ACK bit set: part of an established connection
- TCP, UDP or ICMP
  - Firewalls are often configured to block all UDP
- Direction
  - Is the datagram leaving or entering the internal network?
- Router interface
  - Decisions can be different for different interfaces
Slide 6 - Filtering Rules - Examples (Courtesy: Wikipedia)
Policy -> Firewall setting
- No outside Web access -> Drop all outgoing packets to any IP address on port 80
- External connections to the public Web server only -> Drop all incoming TCP SYN packets to any IP except 222.22.44.203 port 80
- Prevent IPTV from eating up the available bandwidth -> Drop all incoming UDP packets except DNS and router broadcasts
- Prevent your network from being used for a SMURF DoS attack -> Drop all ICMP packets going to a broadcast address (e.g. 222.22.255.255)
- Prevent your network from being tracerouted -> Drop all outgoing ICMP
Slide 7 - Access control lists – Apply rules from top to bottom

Action  Source Address        Destination Address   Protocol  Source Port  Destination Port  Flag Bit
Allow   222.22/16             Outside of 222.22/16  TCP       >1023        80                Any
Allow   Outside of 222.22/16  222.22/16             TCP       80           >1023             ACK
Allow   222.22/16             Outside of 222.22/16  UDP       >1023        53                --
Allow   Outside of 222.22/16  222.22/16             UDP       53           >1023             --
Deny    All                   All                   All       All          All               All
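The ACL above evaluated the way the slide describes (top to bottom, first match decides), as an added Python example that is not part of the lecture; the Packet and Rule structures, the field names and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
INTERNAL = ipaddress.ip_network("222.22.0.0/16")  # the privately administered net on the slide

@dataclass
class Packet:
    src: str
    dst: str
    proto: str         # "TCP" or "UDP"
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; meaningless for UDP

@dataclass
class Rule:  # one ACL row; None in a column means "any"
    action: str
    src_inside: Optional[bool]  # True = 222.22/16, False = outside of 222.22/16
    dst_inside: Optional[bool]
    proto: Optional[str]
    sport: Optional[str]        # "80" or ">1023"
    dport: Optional[str]
    need_ack: bool = False      # the flag-bit column: ACK must be set

def port_ok(spec, port):
    if spec is None:
        return True
    return port > int(spec[1:]) if spec.startswith(">") else port == int(spec)

def matches(rule, pkt):
    src_in = ipaddress.ip_address(pkt.src) in INTERNAL
    dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
    return ((rule.src_inside is None or rule.src_inside == src_in)
            and (rule.dst_inside is None or rule.dst_inside == dst_in)
            and (rule.proto is None or rule.proto == pkt.proto)
            and port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport)
            and (not rule.need_ack or pkt.ack))

# The five rows of the slide's ACL, in order.
ACL = [
    Rule("allow", True,  False, "TCP", ">1023", "80"),
    Rule("allow", False, True,  "TCP", "80",    ">1023", need_ack=True),
    Rule("allow", True,  False, "UDP", ">1023", "53"),
    Rule("allow", False, True,  "UDP", "53",    ">1023"),
    Rule("deny",  None,  None,  None,  None,    None),
]

def evaluate(pkt, acl=ACL):
    """Apply rows top to bottom; the first match decides. Returns (action, row index)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", len(acl)  # implicit deny if nothing matched (unreachable with ACL above)
```

Note that the second row only checks a flag bit, not whether a matching outbound connection exists; that is the limitation a stateful filter (slide 4) removes by tracking connection state.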