Scribd Logo
Upload

Welcome to Scribd!

  • 5 views

    Firewalls

    Uploaded by

    Harsh Nirmal

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Firewalls

    Uploaded by

    Harsh Nirmal
    5 views24 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    5 views24 pages

    Firewalls

    Uploaded by

    Harsh Nirmal

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 24

    Firewalls

    Mahalingam Ramkumar
    Evolution of Networks
    ● Centralized data processing
    ● LANs
    ● Premises network – interconnection of LANs
    and mainframes
    ● Enterprise-wide network – interconnection of
    LANs in a private WAN
    ● LANs interconnected using the Internet and
    using virtual private networks
    What is a Firewall?
    ● A “ choke point”
    ● A location for monitoring security related
    events
    – Audits and alarms
    ● Non-security related functions
    – NAT, network management
    ● An end-point for IPSec
    Firewall Limitations
    ● Cannot protect from attacks bypassing it
    – eg sneaker net, utility modems, trusted
    organisations, trusted services (eg SSL/SSH)
    ● Cannot protect against internal threats
    – eg disgruntled employee
    ● Cannot protect against transfer of virus
    infected programs or files
    – because of huge range of O/S & file types
    Firewall – Basic Types
    ● Packet-Filtering Router
    ● Stateful Inspection Firewalls
    ● Application Level Gateway
    ● Circuit Level Gateway
    Packet Filters
    Packet Filters
    ● Filtering based on
    – Source IP address
    – Destination IP address
    – Source and Destination transport-level address
    – IP protocol field
    – Interface (physical)
    ● Rules!
    – Configuration files
    – Explicit allow / block
    Packet Filtering Example
    Attacks on Packet Filtering
    ● IP address spoofing
    ● Source routing attacks
    ● Tiny fragment attacks
    Firewalls – Stateful Packet Filters
    ● Examine each IP packet in context
    – keeps tracks of client-server sessions
    – checks each packet belongs to a valid session
    ● Better ability to detect bogus packets “ out of
    context”
    ● A session might be pinned down by
    – Source IP and Port,
    – Dest IP and Port,
    – Protocol, and
    – Connection State
    Firewalls - Application Level
    Gateway (or Proxy)
    Application Level Gateway
    ● Application specific gateway / proxy
    ● has full access to protocol
    – user requests service from proxy
    – proxy validates request as legal
    – acts on behalf of the user,
    – returns result to user
    ● need to separate proxies for each service
    – some services naturally support proxying
    – others are more problematic
    – custom services generally not supported
    Firewalls - Circuit Level Gateway
    Circuit Level Gateway
    ● Relays two TCP connections
    ● Imposes security by limiting types of connections
    that are allowed
    ● Once created, usually relays traffic without
    examining contents
    ● Typically used with trusted internal users (by
    allowing general outbound connections)
    ● SOCKS (RFC 1928)
    – SOCKS server
    – SOCKS client library
    – SOCKSified versions of application programs
    SOCKS
    Bastion Host
    ● Highly secure host system
    ● Exposed to "hostile" elements
    – hence secured to withstand attacks
    – Trusted System
    ● May be single or multi-homed
    ● Enforce trusted separation between network
    connections
    ● Run circuit / application level gateways
    ● Provide externally accessible services
    Firewall Configurations
    ● Screened Host – Single Homed Bastion Host
    ● Screened Host – Dual Homed Bastion Host
    ● Screened Subnet
    Screened Host – Single
    Homed Bastion Host
    Screened Host – Dual
    Homed Bastion Host
    Screened-subnet Firewall
    Access Control
    ● Given that system has identified a user
    ● Determine what resources they can access
    ● General model - access matrix
    – subject - active entity (user, process)
    – object - passive entity (file or resource)
    – access right – way object can be accessed
    ● can decompose by
    – columns as access control lists
    – rows as capability tickets
    Access Control Matrix
    Trusted Computer Systems
    ● Varying degrees of sensitivity of information
    – military classifications: confidential, secret, TS, etc
    ● Subjects (people or programs) have varying rights of
    access to objects (information)
    ● Need to consider ways of increasing confidence in
    systems to enforce these rights
    ● Multilevel security
    – subjects have maximum & current security level
    – objects have a fixed security level classification
    Bell LaPadula (BLP) Model
    ● One of the well-known security models
    ● Implemented as mandatory policies on system
    ● Two key policies:
    – no read up (simple security property)
    ● a subject can only read/write an object if the current
    security level of the subject dominates (>=) the
    classification of the object
    – no write down (*-property)
    ● a subject can only append/write to an object if the
    current security level of the subject is dominated by
    (<=) the classification of the object

    You might also like