Cs PPT CHP 4 Part 1
Security
FIREWALLS - What is a firewall?
A firewall is hardware, software, or a combination of both
used to prevent unauthorized programs or Internet
users from accessing a private network and/or a single
computer.
Hardware vs. Software Firewalls
Hardware Firewalls
Protect an entire network
Implemented on the router level
Usually more expensive, harder to configure
Software Firewalls
Protect a single computer
Usually less expensive, easier to configure
Firewall Rules
Allow – traffic that flows automatically because it has
been deemed
Hybrid
Firewalls fall into four broad categories: packet
filters, circuit level gateways, application level
gateways and stateful multilayer inspection
firewalls.
Packet filtering firewalls work at the network
level of the OSI model, or the IP layer of TCP/IP.
They are usually part of a router. A router is a
device that receives packets from one network
and forwards them to another network. In a
packet filtering firewall each packet is compared
to a set of criteria before it is forwarded.
Packet Filtering Firewall
Packet-filtering Router
Applies a set of rules to each incoming IP packet
and then forwards or discards the packet
Filters packets going in both directions
The packet filter is typically set up as a list of
rules based on matches to fields in the IP or TCP
header
Two default policies (discard or forward)
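The rule list described above, as an added example that is not part of the slides: each packet (a constructed dict of IP/TCP header fields) is compared against an ordered rule list, the first match decides, and a default policy (discard or forward) applies when nothing matches. The rule format, network ranges and port numbers are assumptions made for the example.

```python
# Added example, not from the slides: a minimal packet-filtering evaluator.
# Assumed data model (constructed): a packet is a dict of IP/TCP header fields.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    direction: str = "*"         # "in", "out" or "*" (rule applies in both directions)
    proto: str = "*"             # "tcp", "udp" or "*"
    src: str = "0.0.0.0/0"       # source network (CIDR) from the IP header
    dst: str = "0.0.0.0/0"       # destination network (CIDR) from the IP header
    dport: Optional[int] = None  # destination port from the TCP/UDP header, None = any

    def matches(self, pkt: dict) -> bool:
        return (self.direction in ("*", pkt["direction"])
                and self.proto in ("*", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

def filter_packet(pkt: dict, rules: list, default: str) -> str:
    """First matching rule decides; if no rule matches, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set for an internal network 192.0.2.0/24 (default policy: discard).
# The filter only sees header fields, so it cannot tell who really sent a packet
# carrying a given source address (the "lack of authentication" noted on the slide).
RULES = [
    Rule("discard", src="198.51.100.0/24"),                       # blocked remote subnet
    Rule("forward", "in", "tcp", dst="192.0.2.0/24", dport=443),  # inbound HTTPS to servers
    Rule("forward", "out", "udp", src="192.0.2.0/24", dport=53),  # outbound DNS lookups
]

def decide(pkt: dict) -> str:
    return filter_packet(pkt, RULES, default="discard")

if __name__ == "__main__":
    print(decide({"direction": "in", "proto": "tcp", "src": "203.0.113.5",
                  "dst": "192.0.2.10", "dport": 443}))
```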
Types of Firewalls
Advantages:
Simplicity
Transparency to users
High speed
Disadvantages:
Difficulty of setting up packet filter rules
Lack of Authentication
Types of Firewalls
Application-level Gateway
Also called proxy server
Acts as a relay of application-level traffic
Advantages:
Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic
Disadvantages:
Additional processing overhead on each connection
(gateway as splice point)
These firewalls, which represent the second
generation of firewall technology, monitor the TCP
handshake between packets to make sure a session
is legitimate. Traffic is filtered based on specified
session rules and may be restricted to recognized
computers only. Circuit-level firewalls hide the
network itself from the outside, which is useful for
denying access to intruders, but they do not filter
individual packets. The security mechanism is applied when
a TCP or UDP connection is established. Once the
connection has been made, packets can flow
between the hosts without further checking. Circuit-level
gateway firewalls function at the transport
layer. They allow or deny connections based on
addresses and prevent direct connections between
networks.
Circuit-level Gateway
Stand-alone system or
Specialized function performed by an Application-
level Gateway
Sets up two TCP connections
The gateway typically relays TCP segments from
one connection to the other without examining the
contents
The security function consists of determining
which connections will be allowed
Typical use is a situation in which the system
administrator trusts the internal users
Hybrid firewall
A hybrid is a firewall that combines features and
functions from other types of firewalls, that is,
elements of packet filtering and proxy services.
Kerberos
Kerberos is a network-based authentication and access control
system designed to support secure access over hostile networks.
Kerberos was developed at MIT as part of the Athena project.
The Kerberos system uses a server called the Key Distribution
Center (KDC) to manage the key distribution process. The
Kerberos authentication process results from a relationship of
three entities:
The client – A computer requesting access to a server
The server – A computer offering a service on the network
The KDC – A computer designated to provide keys for network
communication
Kerberos Authentication Process (Step by Step):
Kerberos uses conventional (symmetric) encryption
rather than public key (asymmetric) encryption. In
other words, the same key is used at both ends of each
exchange:
Step 1: The client wants to access a service on Server A.
The client sends the KDC a request for access to the
service on Server A. (In some cases, the client has
already undergone an authentication process and
received a separate session key for encrypting
communication with the ticket granting service on the
KDC.)
Step 2: The KDC performs the following steps:
A: The KDC generates a session key that will be used to encrypt
communication between the client and Server A.
B: The KDC creates a session ticket. The session ticket includes a
copy of the session key generated in step 2a. The ticket also contains
time stamp information and information about the client that is
requesting access, such as client security settings.
C: The KDC encrypts the session ticket using Server A's long-term
key.
D: The KDC bundles the encrypted session ticket, a copy of the
session key, and other response parameters for the client and
encrypts the whole package using the client's key. The response is
then sent to the client.
Step 3: The client receives the response from the KDC
and decrypts it. The client obtains the session key
necessary for communicating with Server A.
Also included in the package is the session ticket,
which is encrypted with the server's long-term key.
The client cannot read the session ticket, but it knows it
must send the ticket to the server in order to be
authenticated.
The client creates an authenticator (a string of
authentication parameters) and encrypts it with the
session key.
Step 4: The client sends Server A an access request. The
request includes the session ticket (encrypted with the
server's long-term key) and the authenticator
(encrypted with the session key). The authenticator
includes the user's name, network address, time stamp
information, and so forth.
Step 5: Server A receives the request. Server A uses its
long-term key to decrypt the session ticket (see step
2c). Server A extracts the session key from the session
ticket and uses the session key to decrypt the
authenticator. Server A verifies that the information in
the authenticator matches the information included in
the session ticket. If so, access to the service is granted.
Step 6: As an optional final step, if the client wants to
verify the credentials of Server A, Server A encrypts an
authenticator with the session key and returns this
authenticator to the client.
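The six steps above, simulated end to end as an added example that is not part of the slides and not Kerberos's own code: a KDC issues a session key and a ticket sealed under Server A's long-term key, the client forwards the opaque ticket with an authenticator sealed under the session key, and Server A checks that the authenticator agrees with the ticket before returning its own authenticator. The symmetric cipher (a SHA-256 keystream with an HMAC tag), the principal names, keys, and the client address are constructed stand-ins for the example only.

```python
# Added example, not from the slides: the six-step exchange simulated with the stdlib only.
# The cipher below is a constructed stand-in for Kerberos's real encryption types.
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:           # nonce || ciphertext || HMAC tag
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:          # raises ValueError on wrong key or tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

LONG_TERM = {"alice": os.urandom(32), "bob": os.urandom(32), "serverA": os.urandom(32)}  # constructed KDC database

def kdc_respond(client: str, server: str) -> bytes:
    # Step 2: fresh session key; ticket sealed under the server's key (2c); package sealed under the client's key (2d)
    sk = os.urandom(32).hex()
    ticket = encrypt(LONG_TERM[server], {"client": client, "session_key": sk, "issued": time.time()})
    return encrypt(LONG_TERM[client], {"server": server, "session_key": sk, "ticket": ticket.hex()})

def client_request(client: str, response: bytes):
    # Steps 3-4: open the package, keep the session key, forward the opaque ticket plus an authenticator
    pkg = decrypt(LONG_TERM[client], response)
    sk = bytes.fromhex(pkg["session_key"])
    auth = encrypt(sk, {"client": client, "addr": "192.0.2.10", "ts": time.time()})  # constructed address
    return bytes.fromhex(pkg["ticket"]), auth, sk

def server_verify(server: str, ticket: bytes, auth: bytes, skew: float = 300) -> bytes:
    # Step 5: open the ticket with the long-term key, open the authenticator with the session key, compare
    t = decrypt(LONG_TERM[server], ticket)
    sk = bytes.fromhex(t["session_key"])
    a = decrypt(sk, auth)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > skew:
        raise PermissionError("authenticator does not match ticket")
    return encrypt(sk, {"server": server, "ts": a["ts"]})   # Step 6: optional mutual authentication

def access_granted(server: str, ticket: bytes, auth: bytes) -> bool:
    try:
        return bool(server_verify(server, ticket, auth))
    except (ValueError, PermissionError):
        return False
```

Because the ticket is sealed under Server A's key, the client can forward it but not read or alter it, and an authenticator issued for one ticket is rejected when presented with another.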