Topic 07:
Firewalls and Network Security
Computer Networks
A computer network is a set of communications channels that interconnects computing devices and enables them to exchange data electronically.
The simplest network connects a single client to a single server.
Port Scanning
A port scanner is a program that probes one or more IP addresses and records which ports are open, that is, which ports have a service listening on them. Many scanners also identify the service (and often its version) behind each open port, and some go on to check for known vulnerabilities in those services.
High-quality port scanners are freely available to white hats and black hats alike!
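A minimal TCP connect scanner, added here as an example (it is not part of the original lecture notes). It uses only the Python standard library and, so that it runs offline, starts its own listener on an ephemeral loopback port and then scans a window of ports around it; the service-name table is a constructed assumption. The point a practitioner should take from it is the three-way distinction a scanner can make: a port that answers the handshake is open, one that answers RST is closed, and one that never answers is being silently dropped by a filter. Only scan hosts you are authorised to test.

```python
"""TCP connect scan with a bounded thread pool (added example, stdlib only)."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Constructed assumption: a few well-known ports so the report can name the
# service usually found behind a port.
KNOWN_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed' (peer sent RST) or 'filtered' (no answer).

    A host with no listener refuses the connection immediately; a firewall that
    DROPs the SYN produces a timeout instead, so the two cases are separable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:          # must precede OSError: it is a subclass
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def scan(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, str]:
    """Probe every port concurrently and return {port: state}."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p), port_list)
    return dict(zip(port_list, states))


def open_ports(report: Dict[int, str]) -> List[int]:
    return sorted(p for p, state in report.items() if state == "open")


class _Listener(socketserver.BaseRequestHandler):
    """Constructed target: accepts the connection and does nothing else."""

    def handle(self) -> None:
        return


def start_local_listener() -> socketserver.TCPServer:
    """Bind an ephemeral port on loopback so the scan has something to find."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Listener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> Tuple[int, Dict[int, str]]:
    """Scan a window around our own listener plus the well-known ports."""
    srv = start_local_listener()
    target_port = srv.server_address[1]
    ports = list(range(target_port - 5, target_port + 6)) + sorted(KNOWN_SERVICES)
    report = scan("127.0.0.1", ports)
    srv.shutdown()
    srv.server_close()
    return target_port, report


if __name__ == "__main__":
    port, report = demo()
    for p in open_ports(report):
        print(f"{p}/tcp open ({KNOWN_SERVICES.get(p, 'unknown')})")
```

On a real target the "filtered" result is itself information: it tells the scanner that a packet filter sits in front of the host, which is why the next slides turn to segmentation and firewalls.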
Segmenting Networks
One way of controlling the threat posed by port scanners is to implement a segmented network architecture.
In a segmented network, most hosts belong to protected sub-networks that are not directly reachable from the outside world; only the hosts that must be exposed are placed where an outside scanner can reach them.
Firewalls
A firewall is a device (hardware, software, or both) that is designed to:
Prevent unauthorized outside users from accessing a network or workstation
Prevent inside users from transmitting sensitive information or accessing unsecured resources
A firewall protects a local network (or sub-network) from the outside global network.
Firewalls work by inspecting each inbound or outbound packet and determining whether it should be blocked or allowed to pass through.
Firewalls keep "bad things" out, but can also be used to keep sensitive data in.
Properly implemented firewalls reduce, and in some cases eliminate, exposure to many network threats.
Firewall Security Policies
A firewall security policy is the set of rules that a firewall consults to determine which traffic should be allowed to pass through a network boundary. Rules are evaluated in order, and a sound policy ends with a default-deny rule so that anything not explicitly permitted is dropped.
How to remember the OSI layers in order: "Please Do Not Touch Steve's Pet Alligator"
Maps to "Physical, Data link, Network, Transport, Session, Presentation, Application"
Packet Filtering Gateways
A packet filtering gateway (or screening router) is a type of firewall that regulates network boundary access by examining, for each packet:
The source and/or destination IP address
The transport protocol (TCP, UDP, ICMP)
The source and/or destination port, which identifies the service (e.g., TCP port 80 for HTTP, 21 for FTP, 23 for telnet)
Packets that are not acceptable in light of the firewall's security policy are discarded.
Packet filtering gateways are the simplest type of firewall and, for policies that can be expressed in terms of addresses, protocols and ports, often the most effective. Because they judge each packet in isolation, however, they cannot tell a genuine reply to a connection opened from inside from an unsolicited packet that merely carries the same flags.
Packet Filtering Gateway (figure)
Stateful Inspection Firewalls
Unlike a packet filtering gateway, a stateful inspection firewall considers the state or context of the packets that it evaluates: it records the connections it has seen opened (for TCP, the handshake) and admits an inbound packet only if it belongs to a recorded connection or is permitted as a new connection by the policy.
Stateful inspection firewalls "remember" the network activities of hosts.
Stateful Inspection Firewall (figure)
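The two preceding sections are easiest to compare in code. The following is an added example, not code from the original notes: a first-match, default-deny rule evaluator of the kind a screening router runs, and a connection table layered on the same rules to give stateful behaviour. The addresses, rule set and three sample packets are constructed for the illustration. The stateless policy has to admit inbound TCP segments carrying ACK so that replies to web requests get back in; the stateful firewall needs no such rule, and the difference shows when an outsider sends an unsolicited ACK-flagged probe at an internal SSH port (an "ACK scan"): the screening router lets it through, the stateful firewall drops it.

```python
"""Stateless rule matching versus stateful connection tracking (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (arriving from outside) or "out" (leaving inside)
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags set, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"         # CIDR
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any destination port
    require_flags: FrozenSet[str] = frozenset()  # every listed flag must be set

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("*", pkt.direction)
                and self.proto in ("*", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.require_flags <= pkt.flags)


def stateless_decide(rules: List[Rule], pkt: Packet) -> str:
    """Screening-router logic: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


INSIDE = "10.0.0.0/24"   # constructed: the protected sub-network

# Stateless policy. The third rule is the classic workaround for return traffic:
# the router cannot know which connections exist, so it trusts the ACK flag.
STATELESS_RULES = [
    Rule("allow", "out", "tcp", src=INSIDE, dport=80),
    Rule("allow", "out", "tcp", src=INSIDE, dport=443),
    Rule("allow", "in", "tcp", dst=INSIDE, require_flags=frozenset({"ACK"})),
    Rule("allow", "in", "tcp", dst="10.0.0.10/32", dport=25),   # mail server
    Rule("deny"),
]

# Stateful policy: rules say which NEW connections may open; replies are admitted
# by the connection table, so no "ACK means established" rule is needed.
STATEFUL_RULES = [
    Rule("allow", "out", "tcp", src=INSIDE, dport=80),
    Rule("allow", "out", "tcp", src=INSIDE, dport=443),
    Rule("allow", "in", "tcp", dst="10.0.0.10/32", dport=25),
    Rule("deny"),
]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (proto, initiator_ip, initiator_port, responder_ip, responder_port)
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:      # belongs to a tracked connection
            if "RST" in pkt.flags:                      # teardown; FIN handshake tracking omitted
                self.table.discard(fwd)
                self.table.discard(rev)
            return "allow"
        # Not tracked: only a bare SYN may open a new TCP connection.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "deny"
        verdict = stateless_decide(self.rules, pkt)
        if verdict == "allow":
            self.table.add(fwd)
        return verdict


def scenario() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed traffic: a web request, its reply, and an unsolicited ACK probe."""
    packets = [
        ("request", Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.7", 80, frozenset({"SYN"}))),
        ("reply", Packet("in", "tcp", "203.0.113.7", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))),
        ("probe", Packet("in", "tcp", "198.51.100.9", 40000, "10.0.0.5", 22, frozenset({"ACK"}))),
    ]
    stateless = {name: stateless_decide(STATELESS_RULES, p) for name, p in packets}
    fw = StatefulFirewall(STATEFUL_RULES)
    stateful = {name: fw.decide(p) for name, p in packets}
    return stateless, stateful


if __name__ == "__main__":
    print(scenario())
```

Note that the stateful version also rejects any non-SYN segment that does not match a tracked connection, so stray FIN or RST scans fall to the same fate as the ACK probe; the stateless policy cannot express that restriction at all.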
Application Proxy Gateways
An application proxy gateway (or bastion host) is a type of firewall that runs pseudo-applications: proxy services that implement the protocol of a real application (HTTP or SMTP, for example) and stand in for the real server.
Outside users talk only to the pseudo-application, which parses each message, enforces the protocol and the security policy on its contents, and relays only acceptable, well-formed traffic to the application inside the network boundary; the real application never sees the client's raw bytes.
Application Proxy Gateway (figure)
Circuit-Level Gateways
A circuit-level gateway is a type of firewall that relays connections at the transport layer (SOCKS is the common example) without inspecting application content; it enables one network to become a virtual extension of another.
Circuit-Level Gateway (figure)
Guard Firewalls
A guard is an advanced type of firewall that examines the contents of packets while they are in transit across the network boundary.
The guard can modify the contents of packets or drop packets altogether.
Guards are conceptually similar to application proxy firewalls, but are much more sophisticated.
A guard can be programmed to perform any sort of packet filtering, scanning, or modification that is deemed necessary.
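The following added example (not code from the original notes) makes the two previous sections concrete for HTTP. The proxy side is a pseudo-application for a web server: it parses the client's request, enforces the protocol (well-formed framing, one value per header, a body no longer or shorter than Content-Length declares) and the policy (an allowlist of methods and of the Host being served, no path traversal), discards the client's own proxy headers so it cannot spoof its origin, and re-serialises the request from the parsed form. The guard side operates on the server's response and exercises the "modify or drop" ability: it strips version-disclosing headers and redacts private addresses from the body, correcting Content-Length as it does so. The allowed host, the sample messages and the leaky-header list are constructed assumptions.

```python
"""HTTP application proxy check and content guard (added example)."""
import re
from typing import Dict, Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.internal"}     # constructed: the one server this proxy fronts
MAX_HEADERS = 50
MAX_LINE = 4096
LEAKY_HEADERS = ("server", "x-powered-by")   # constructed list of version-disclosing headers
PRIVATE_IP = re.compile(rb"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                        rb"|192\.168\.\d{1,3}\.\d{1,3}"
                        rb"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP/1.x message into start line, headers (lower-cased names) and body.

    Raises ValueError on framing the real application should never have to see:
    no end of headers, folded or duplicate headers, non-ASCII or oversize lines.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    if len(lines) - 1 > MAX_HEADERS:
        raise ValueError("too many headers")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE or b":" not in line or line[:1] in (b" ", b"\t"):
            raise ValueError("malformed header")
        name, value = line.split(b":", 1)
        key = name.strip().decode("ascii").lower()
        if key in headers:
            raise ValueError("duplicate header " + key)
        headers[key] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def _serialise(start: str, headers: Dict[str, str], body: bytes) -> bytes:
    out = start.encode("ascii") + b"\r\n"
    for k, v in headers.items():          # header names are case-insensitive in HTTP
        out += f"{k}: {v}\r\n".encode("ascii")
    return out + b"\r\n" + body


def proxy_request(raw: bytes) -> Tuple[str, Optional[bytes]]:
    """Pseudo-application for inbound requests: ('forward', clean_bytes) or ('reject', None)."""
    try:
        start, headers, body = parse_http(raw)
        method, target, version = start.split(" ")
    except ValueError:                    # includes the unpack error for a bad request line
        return "reject", None
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        return "reject", None
    if not target.startswith("/") or ".." in target.split("/"):
        return "reject", None
    if headers.get("host") not in ALLOWED_HOSTS:
        return "reject", None
    if "content-length" in headers:
        if not headers["content-length"].isdigit() or int(headers["content-length"]) != len(body):
            return "reject", None         # truncated body or an attempt at request smuggling
    clean = {k: v for k, v in headers.items() if k not in ("x-forwarded-for", "forwarded")}
    return "forward", _serialise(f"{method} {target} {version}", clean, body)


def guard_response(raw: bytes) -> Tuple[str, Optional[bytes], int]:
    """Guard for outbound responses: ('forward', bytes, redactions) or ('drop', None, 0)."""
    try:
        start, headers, body = parse_http(raw)
    except ValueError:
        return "drop", None, 0
    body, hits = PRIVATE_IP.subn(b"[redacted]", body)
    kept = {k: v for k, v in headers.items() if k not in LEAKY_HEADERS}
    if "content-length" in kept:
        kept["content-length"] = str(len(body))
    return "forward", _serialise(start, kept, body), hits


# Constructed sample messages.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.internal\r\n"
                  b"X-Forwarded-For: 198.51.100.9\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.1\r\nContent-Length: 23\r\n\r\n"
                   b"backend at 10.0.0.12 ok")

if __name__ == "__main__":
    print(proxy_request(SAMPLE_REQUEST))
    print(guard_response(SAMPLE_RESPONSE))
```

Because the backend only ever receives what `_serialise` produces, a malformed or ambiguous request never reaches it; that is the property an application proxy offers and a packet filter cannot.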
Personal Firewalls
In contrast to a firewall that is implemented as a separate hardware device, a personal firewall is a firewall implemented as a software program running on the host it protects (for example, the built-in Windows firewall, or iptables/nftables on Linux).
Encryption and Network Security
Encryption is the most powerful single tool for protecting network security.
Network encryption techniques include:
Link encryption
End-to-end encryption
Virtual private networks (VPNs)
Secure Shell (SSH)
Transport Layer Security (TLS)
IP security protocol (IPsec)
Signed code
Encrypted e-mail
Six Truths about Firewalls
1. Firewalls can protect an environment only if they control the entire perimeter
2. Firewalls do not protect data outside of the perimeter
3. From the outside, firewalls are the most visible component of a network, and are hence attractive targets for attack
4. Firewalls must be properly configured, and their configuration settings must be periodically evaluated and updated
5. Firewall systems should not contain any tools that could help an attacker who penetrates the firewall in subsequent exploits
6. Firewalls exert only narrow control over the content that they allow to cross the network boundary
Network Address Translation
Hosts inside a network boundary expose their IP addresses to the outside world whenever they communicate with it directly.
A clever attacker can use the IP addresses of the hosts in a network to infer the network's topological layout and architecture.
Network address translation (NAT) hides those addresses: the gateway rewrites the source address (and, with port translation, the source port) of each outbound packet to its own public address, records the mapping, and translates replies back to the originating inside host. Outsiders see only the gateway's address, and unsolicited inbound packets match no mapping and are dropped.
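The translation table behind that description, as an added example that is not part of the original notes. It models source NAT with port translation (masquerading): two inside hosts both appear to the outside as the gateway's single public address on different ports, a reply to one of those ports is mapped back to the right inside host, and a probe at the public address that no inside host solicited has no mapping and is discarded. The addresses and port range are constructed.

```python
"""Source NAT with port translation (added example)."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"    # constructed: the gateway's only routable address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Network address and port translation for a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)             # next free public port
        # outbound flow (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside host's packet so the outside sees only the gateway."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                            # first packet of this flow: allocate a mapping
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a packet addressed to the public IP, or None if unsolicited."""
        inside = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None                             # no inside host asked for this: drop
        return replace(pkt, dst=inside[0], dport=inside[1])


def scenario() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Constructed traffic: two inside web clients, one reply, one unsolicited probe."""
    nat = Napt(PUBLIC_IP)
    a = nat.outbound(Packet("tcp", "10.0.0.5", 51000, "203.0.113.7", 80))
    b = nat.outbound(Packet("tcp", "10.0.0.6", 51000, "203.0.113.7", 80))
    reply_to_b = nat.inbound(Packet("tcp", "203.0.113.7", 80, PUBLIC_IP, b.sport))
    probe = nat.inbound(Packet("tcp", "198.51.100.9", 40000, PUBLIC_IP, 22))
    return a, b, reply_to_b, probe


if __name__ == "__main__":
    for p in scenario():
        print(p)
```

The mapping table doubles as a coarse stateful filter, which is why NAT is often (wrongly) relied on as a firewall: it hides addresses and blocks unsolicited inbound traffic, but it enforces no policy on what inside hosts may open, and any mapping that is alive is a hole an outsider who learns of it can use.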
Establishing a Network Security Perimeter
The goal of network architecture design and of implementing firewalls should be to establish a security perimeter that surrounds and protects internal information assets.
A properly designed network security perimeter will minimize the number of outside points of attack.
Multiple Network Security Perimeters (figure)