Firewalls
Slides modified with permission from original by Arun Sood
References
Firewall
Interface between networks
Usually external (internet) and internal
Single Sign On
Diagram: Internet | Firewall | Internal network
Firewall as Secretary
A firewall is like a secretary
To meet with an executive
[1]
Security Strategies
Least privilege
Objects have the lowest privilege to perform assigned task
Defense in depth
Use multiple mechanisms
Best if each is independent: minimal overlap
Choke point
Facilitates monitoring and control
[2]
Security Strategies - 2
Weakest link
Fail-safe
If the firewall fails, it should fail safe: deny access so that the failure does not open the door to intrusions
Default deny
Default permit
Universal participation
Everyone has to accept the rules
[2]
Security Strategies - 3
Diversity of defense
Inherent weaknesses
Use multiple technologies to compensate for the inherent weakness of any one technology
Common heritage
If several systems are configured by the same person, they are likely to share the same weakness
Simplicity
Security through obscurity
[2]
Security Strategies - 4
Configuration errors can be devastating
Testing is not perfect
Ongoing trial and error will identify weaknesses
Enforcing a sound policy is critical
[2]
Types of Firewall
No Standard Terminology
Packet filter (simplest firewall)
Filters packets based on specified criteria
IP addresses, subnets, TCP or UDP ports
Types of Firewall - 2
Application Based Firewall (application layer)
Allows data into/out of a process based on that process type
Can act on a single computer or at the network layer
e.g. allowing only HTTP traffic to a website
[2]
Types of Firewall - 3
Proxy
Intermediate connection between servers on the internet and internal servers.
For incoming data
Very secure
Less efficient versus packet filters
[2]
Types of Firewall - 4
Network Address Translation
[2]
Packet Filter
Advantages
Disadvantages
Can be compromised by many attacks
Source spoofing
[2]
The attack fails because the ACK bit is not set; the ACK bit is set only on packets belonging to a connection that originated from inside.
Incoming TCP packets must have the ACK bit set. If the connection started outside, there is no matching data and the packet will be rejected.
Note: this rule means we allow no services other than requests that we originate.
[1]
Diagram: protocol stack layers (application, transport, network, link, physical)
[1]
Application Proxy
Con
Speed
[1]
IP address of firewall
IP address of one system in internal network
Number of hops to the firewall
[1]
Diagram: Router | Packet filter | Router
Diagram: Internet | Packet filter | Application proxy | WWW server, FTP server, DNS server | Intranet with personal firewalls
[1]
Gouda, M. G.; Liu, X.-Y. A., "Firewall design: consistency, completeness, and compactness," Proceedings of the 24th International Conference on Distributed Computing Systems, pp. 320-327, 2004.
iptables - chains
iptables - examples
Let's stop all HTTP access
State matching:
-m state --state ESTABLISHED,RELATED
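As an added example (not from the slides), the toy Python packet filter below contrasts the stateless "inbound TCP needs the ACK bit" rule from the packet-filter slides with an approximation of the iptables ESTABLISHED,RELATED state match. All addresses, ports and packets are constructed, and is_inbound, stateless_filter and StatefulFilter are names chosen here, not iptables API.

```python
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.0.0."  # constructed: the protected network's address block

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def is_inbound(p: Packet) -> bool:
    """Inbound: from outside the internal block to a host inside it."""
    return p.dst.startswith(INTERNAL_PREFIX) and not p.src.startswith(INTERNAL_PREFIX)

def stateless_filter(p: Packet) -> str:
    """The slides' rule: outbound allowed; inbound TCP only if the ACK bit is set."""
    if not is_inbound(p):
        return "ACCEPT"
    return "ACCEPT" if p.ack else "DROP"

@dataclass
class StatefulFilter:
    """Approximates -m state --state ESTABLISHED,RELATED: remember each flow an
    internal host opened and accept inbound packets only for those flows."""
    flows: set = field(default_factory=set)

    def filter(self, p: Packet) -> str:
        if not is_inbound(p):
            self.flows.add((p.src, p.sport, p.dst, p.dport))  # outbound: record the flow
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:   # reply to a recorded flow
            return "ACCEPT"
        return "DROP"  # default deny: no inside host asked for this packet

# Constructed traffic: an internal client fetching a web page, then two unsolicited
# inbound packets (a SYN, and an ACK-only packet aimed at a port nobody inside opened).
CLIENT_SYN = Packet("10.0.0.5", "203.0.113.9", 40000, 80, syn=True)
SERVER_SYNACK = Packet("203.0.113.9", "10.0.0.5", 80, 40000, syn=True, ack=True)
UNSOLICITED_SYN = Packet("203.0.113.9", "10.0.0.5", 80, 40001, syn=True)
UNSOLICITED_ACK = Packet("203.0.113.9", "10.0.0.5", 80, 40001, ack=True)

def compare() -> dict:
    """Each filter's verdict (stateless, stateful) for the constructed packets, in order."""
    sf = StatefulFilter()
    pkts = [("client_syn", CLIENT_SYN), ("server_synack", SERVER_SYNACK),
            ("unsolicited_syn", UNSOLICITED_SYN), ("unsolicited_ack", UNSOLICITED_ACK)]
    return {name: (stateless_filter(p), sf.filter(p)) for name, p in pkts}
```

The last packet is the point the packet-filter slide makes about being compromised: an unsolicited packet that merely has the ACK bit set passes the stateless rule, while the state-matching filter drops it because no inside host opened that flow.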
iptables - Tunneling
In our network we have one outward-facing server, so to get in from home we must travel (tunnel) through that server.
We really use SSH tunnels:
ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost
Lessons