CPE549_L7v2 - Firewalls



What is a Firewall?
- A choke point of control and monitoring
- Interconnects networks with differing trust
- Imposes restrictions on network services – only authorized traffic is allowed
- Auditing and controlling access – can implement alarms for abnormal behavior
- Itself immune to penetration
- Provides perimeter defense

Firewalls should:
- Implement a security policy
- Log activity
- Limit your network exposure

Firewall Types
- Packet Filtering
- Stateful Inspection
- Application Level Gateway
- Host based (Personal) Firewalls

Firewalls – Packet Filters
- Simplest of components
- Uses transport-layer information only
  – IP Source Address, Destination Address
  – Protocol/Next Header (TCP, UDP, ICMP, etc.)
  – TCP or UDP source & destination ports
  – TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
  – ICMP message type
- Examples
  – DNS uses port 53
  – No incoming port 53 packets except known trusted servers

Usage of Packet Filters
- Filtering with incoming or outgoing interfaces
  – E.g., Ingress filtering of spoofed IP addresses
  – Egress filtering
- Permits or denies certain services
  – Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

Stateful Inspection
- Enhancement to packet filtering
- Examines the state of any active network connections
- Accept or reject based on state

[Figure: Stateful Filtering – protocol stack diagram (FTP, Telnet, SMTP, Other over TCP; Other over UDP; IP; Ethernet, FDDI, X.25, Other)]

Application Gateways
- Firewall runs set of proxy programs
  – Proxies filter incoming, outgoing packets
  – All incoming traffic directed to firewall
  – All outgoing traffic appears to come from firewall
- Policy embedded in proxy programs
- Two kinds of proxies
  – Application-level gateways/proxies: tailored to HTTP, FTP, SMTP, etc.
  – Circuit-level gateways/proxies: working on the TCP level

Firewalls – Application Level Gateway (or Proxy)
- Application-Level Filtering
- Has full access to protocol
  – user requests service from proxy
  – proxy validates request as legal
  – then actions request and returns result to user
- Need separate proxies for each service
  – E.g., SMTP (E-Mail)
  – NNTP (Net news)
  – DNS (Domain Name System)
  – NTP (Network Time Protocol)
  – custom services generally not supported

App-level Firewall Architecture
[Figure: Telnet proxy / Telnet daemon, FTP proxy / FTP daemon, SMTP proxy / SMTP daemon; Network Connection Daemon spawns proxy when communication detected …]
- Enforce policy for specific protocols
- E.g., Virus scanning for SMTP
  – Need to understand MIME, encoding, Zip archives

Host-based Firewalls

Selecting a Firewall
- Ease of installation/configuration
- Does the firewall run without user intervention?
- Are there parameters that have to be set, and is it easy to do?
- Is there online help or technical support available?
- Does the firewall provide audit reports identifying time, location and type of attack?
- Is the cost of the firewall appropriate to the size of your business/office?
- Are maintenance/monitoring requirements suitable for the size and type of business?
- What will be the training requirements for the firewall?
- Will the firewall have a significant impact on the operation of the system as a whole?
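The packet-filter and stateful-inspection slides above describe the checks in words. The Python below is an added example written for these notes (it is not from the lecture and not any firewall product's code) that implements them: first-match rules over the transport-layer fields the slides list, the two slide examples (ingress filtering of spoofed source addresses, and no inbound port 53 except from known trusted servers), and a connection table on top so that packets belonging to an already-accepted connection pass without a matching rule. Every address, interface name and rule is constructed for the example.

```python
"""Added example (not from the lecture): a toy packet filter plus a
stateful-inspection layer.  Addresses, interface names and rules are
constructed; nothing here talks to a real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    src: str                              # source IP
    dst: str                              # destination IP
    proto: str                            # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"}
    iface: str = "outside"                # interface the packet arrived on


@dataclass
class Rule:
    """One filter rule; a field left as None matches anything."""
    action: str                           # "accept" or "drop"
    iface: Optional[str] = None
    src: Optional[str] = None             # CIDR
    dst: Optional[str] = None             # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[FrozenSet[str]] = None   # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.flags is not None and not self.flags <= p.flags:
            return False
        return True


INSIDE = "10.0.0.0/8"           # constructed: our own address space
TRUSTED_DNS = "192.0.2.53/32"   # constructed: the one outside DNS server we trust
MAIL_RELAY = "10.0.0.25/32"     # constructed: internal SMTP relay

RULES = [
    # Ingress filtering: an outside packet claiming an inside source is spoofed.
    Rule("drop", iface="outside", src=INSIDE),
    # Egress filtering: only our own addresses may leave.
    Rule("accept", iface="inside", src=INSIDE),
    Rule("drop", iface="inside"),
    # Slide example: no incoming port 53 except from known trusted servers.
    Rule("accept", iface="outside", proto="udp", src=TRUSTED_DNS, dport=53),
    Rule("drop", iface="outside", dport=53),
    # Inbound mail may reach the relay only; nothing else is authorised.
    Rule("accept", iface="outside", proto="tcp", dst=MAIL_RELAY, dport=25),
    Rule("drop"),                 # default deny
]


def packet_filter(p: Packet, rules=RULES) -> str:
    """Stateless first-match evaluation, as a plain packet filter does it."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def conn_key(p: Packet):
    """Direction-independent connection identifier: protocol + both endpoints."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class StatefulFirewall:
    """Stateful inspection: packets of an already-accepted connection pass
    without re-consulting the rules; only connection openers are filtered."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = set()

    def process(self, p: Packet) -> str:
        if p.proto not in ("tcp", "udp"):
            return packet_filter(p, self.rules)   # ICMP etc. stay stateless
        k = conn_key(p)
        if k in self.conns:
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                self.conns.discard(k)             # simplified teardown
            return "accept"
        # A TCP packet that is not a bare SYN cannot open a new connection.
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            return "drop"
        action = packet_filter(p, self.rules)
        if action == "accept":
            self.conns.add(k)
        return action


if __name__ == "__main__":
    fw = StatefulFirewall()
    syn = Packet("10.0.0.5", "198.51.100.10", "tcp", 40000, 80, frozenset({"SYN"}), "inside")
    synack = Packet("198.51.100.10", "10.0.0.5", "tcp", 80, 40000, frozenset({"SYN", "ACK"}), "outside")
    print("outbound SYN:", fw.process(syn))            # accept
    print("reply, stateless:", packet_filter(synack))  # drop
    print("reply, stateful:", fw.process(synack))      # accept
```

The stand-alone run shows the point of the "enhancement" slide: the stateless rule set has no rule admitting the server's SYN/ACK reply (it arrives on the outside interface to an ephemeral port), so a pure packet filter needs a broad and risky inbound-ACK rule to make outbound connections work at all, whereas the stateful layer admits the reply because it remembers the accepted SYN and drops an unsolicited ACK to the same port that belongs to no known connection.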
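The application-level gateway slides say the proxy "has full access to protocol", validates each request as legal, and only then actions it. As an added example for these notes (not from the lecture and not any mail server's code), the following Python models an SMTP command proxy of that kind: it parses each client command line, forwards only verbs it understands and the policy allows, enforces SMTP command ordering and line length, and refuses to relay from the outside to non-internal domains. The mail daemon behind it is a constructed stub, and the domain and policy values are assumptions; the message body phase after DATA (where the slide's MIME and archive scanning would sit) is not modelled.

```python
"""Added example (not from the lecture): an application-level SMTP proxy that
validates commands before forwarding them to the real mail daemon.  The
daemon, domains and policy are constructed for the example."""
import re
from typing import Callable, List, Optional

INTERNAL_DOMAINS = {"example.com"}      # constructed: domains we accept mail for
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
ADDR_RE = re.compile(r"^<([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})>$")
MAX_LINE = 512                           # SMTP command line limit (RFC 5321)


def parse_path(arg: str, prefix: str) -> Optional[str]:
    """Domain of a 'FROM:<user@host>' or 'TO:<user@host>' argument; '' for the
    empty reverse path '<>' on MAIL; None when the argument is malformed."""
    if not arg.upper().startswith(prefix):
        return None
    path = arg[len(prefix):].strip()
    if prefix == "FROM:" and path == "<>":
        return ""
    m = ADDR_RE.match(path)
    return m.group(2).lower() if m else None


def fake_mail_daemon(line: str) -> str:
    """Constructed stand-in for the real SMTP daemon behind the proxy."""
    verb = line.split(" ", 1)[0].upper()
    return {"DATA": "354 End data with <CR><LF>.<CR><LF>",
            "QUIT": "221 Bye"}.get(verb, "250 OK")


class SmtpProxy:
    """Sits between the client and the daemon; the daemon only ever sees
    commands the proxy has parsed and judged legal under the policy."""

    def __init__(self, daemon: Callable[[str], str], from_outside: bool = True):
        self.daemon = daemon
        self.from_outside = from_outside   # untrusted side may not relay outward
        self.state = "connected"           # connected -> greeted -> mail -> rcpt
        self.log: List[str] = []           # what was forwarded or rejected, and why

    def _reject(self, verb: str, reply: str, why: str) -> str:
        self.log.append(f"REJECT {verb}: {why}")
        return reply

    def handle(self, line: str) -> str:
        line = line.rstrip("\r\n")
        if len(line) > MAX_LINE:
            return self._reject("?", "500 Line too long", "oversized command line")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED_VERBS:
            return self._reject(verb, "502 Command not implemented", "not in proxy allow-list")
        if verb in ("HELO", "EHLO"):
            if not arg.strip():
                return self._reject(verb, "501 Syntax error in parameters", "missing hostname")
            self.state = "greeted"
        elif verb == "MAIL":
            if self.state == "connected":
                return self._reject(verb, "503 Bad sequence of commands", "MAIL before HELO")
            if parse_path(arg, "FROM:") is None:
                return self._reject(verb, "501 Syntax error in parameters", "malformed reverse path")
            self.state = "mail"
        elif verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return self._reject(verb, "503 Bad sequence of commands", "RCPT before MAIL")
            domain = parse_path(arg, "TO:")
            if domain is None:
                return self._reject(verb, "501 Syntax error in parameters", "malformed forward path")
            if self.from_outside and domain not in INTERNAL_DOMAINS:
                return self._reject(verb, "550 Relaying denied", f"relay to {domain} from outside")
            self.state = "rcpt"
        elif verb == "DATA":
            if self.state != "rcpt":
                return self._reject(verb, "503 Bad sequence of commands", "DATA without recipient")
            self.state = "data"             # body phase not modelled here
        elif verb == "RSET":
            self.state = "greeted" if self.state != "connected" else "connected"
        self.log.append(f"FORWARD {verb}")
        return self.daemon(line)


if __name__ == "__main__":
    proxy = SmtpProxy(fake_mail_daemon, from_outside=True)
    for cmd in ("EHLO relay.example.net", "VRFY root", "MAIL FROM:<alice@example.net>",
                "RCPT TO:<bob@example.com>", "RCPT TO:<carol@other.example.org>", "DATA"):
        print(f"{cmd:40} -> {proxy.handle(cmd)}")
    print(proxy.log)
```

Two design points worth noticing: the daemon never receives the VRFY command or the malformed recipient, because the proxy understands the protocol well enough to reject them itself, and the same proxy class with from_outside=False expresses the slide's "policy embedded in proxy programs" for the trusted side, where relaying outward is allowed.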
Bastion Host
- Highly secure host system
- Potentially exposed to "hostile" elements
- Hence is secured to withstand this
  – Disable all non-required services; keep it simple
- Trusted to enforce trusted separation between network connections
- Runs circuit / application level gateways
  – Install/modify services you want
- Or provides externally accessible services

Firewall Topology
- Screening Router
- Dual-Homed
- Screened Subnet

Screened Host Architecture

Dual-Homed Gateway
- 2 NICs, one addressed on Trusted Net, the other addressed on UnTrusted Net, no routing, all traffic must pass through a proxy firewall

Screened Subnet Using Two Routers

ZoneAlarm Firewall
- Uses fingerprints to identify components of a program as well as the program itself
  – Prevents malicious code from gaining control of computer
- Stops potentially malicious active content

ZoneAlarm Firewall
- Application Control – Allows users to decide which applications can or cannot use the Internet
- Internet Lock – Blocks all Internet traffic while computer is unattended or while Internet is not being used
- Zones – Monitors all activities on the computer; sends an alert when a new application tries to access the Internet
- Shut off all Internet access

Zone Security

What is a zone?
- Zone Alarm classifies computers and networks that you communicate with into good, bad, and unknown zones.
- 3 types:
  – Internet Zone: is the "unknown" zone. All computers and networks belong to this zone until you move them to one of the other zones.
  – Trusted Zone: is the "good" zone. Contains all computers you trust.
  – Blocked Zone: is the "bad" zone. Contains all computers you distrust (only available in Zone Alarm Pro and Zone Alarm Plus versions).

What is a zone? (cont.)
- When another computer wants to communicate with your computer – Zone Alarm looks at what zone it belongs to and decides what to do.
Program Control
Antivirus Monitoring
Email Protection

Alerts and Logs

Alerts
- Several types of alerts:
  – New program alerts: Accept/deny programs to access the internet.
  – Repeat program alerts: grant access permission to a program that has already requested it before.
  – Server program alerts: grant server permission to a program. Caution: Some Trojan horses require server access to execute.
  – Changed program alerts: If a program has been changed since the last time it accessed the internet.

Sample Log File
- Default: C:\WINDOWS\Internet Logs\ZALog.txt

Firewalls can:
- Block packets of certain types
- Limit the amount of communication through it
- Focused choke point for security decisions
- Enforce security policies
- Provide centralized logging facility
- Limit network exposure

Firewalls can't:
- Solve all of a company's security issues
- Protect what does not go through them
- Prevent all attacks by all intruders
- Protect from malicious insider attacks
- Eliminate the need for good internal system and network security
- Protect against tunnelling on authorized protocols or services

This note was uploaded on 12/14/2011 for the course CPE 549 taught by Professor Sparks during the Fall '11 term at University of Alabama - Huntsville.
