Firewalls in Network Security NS10
Henric Johnson
Chapter 10
Firewalls
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
+46-708-250375
Outline
• Firewall Design Principles
  – Firewall Characteristics
  – Types of Firewalls
  – Firewall Configurations
• Trusted Systems
  – Data Access Control
  – The Concept of Trusted Systems
  – Trojan Horse Defense
Firewalls
• An effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet
Firewall Design Principles
• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features have not been established on every workstation and server
• The firewall is inserted between the premises network and the Internet
• Aims:
  – Establish a controlled link
  – Protect the premises network from Internet-based attacks
  – Provide a single choke point
Firewall Characteristics
• Design goals:
  – All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  – Only authorized traffic (as defined by the local security policy) will be allowed to pass
  – The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
• Four general techniques:
  – Service control: determines the types of Internet services that can be accessed, inbound or outbound
  – Direction control: determines the direction in which particular service requests are allowed to flow
  – User control: controls access to a service according to which user is attempting to access it
  – Behavior control: controls how particular services are used (e.g. filter e-mail)
Types of Firewalls
• Three common types of firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
  – (Bastion host)
• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of authentication
• Possible attacks and appropriate countermeasures:
  – IP address spoofing
  – Source routing attacks
  – Tiny fragment attacks
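An added example, not from the slides, of the packet-filtering model just described: a small filter that matches rules against IP/TCP header fields in order, falls back to the default policy (discard or forward), and applies the usual countermeasures to the three attacks listed (discard outside packets claiming an inside source address, discard source-routed packets, discard TCP fragments too small to carry the full header). The premises network, packet fields and rule set are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed premises network

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dport: int
    iface: str                   # interface it arrived on: "outside" or "inside"
    source_routed: bool = False  # IP source-route option present
    is_fragment: bool = False    # MF flag set or fragment offset > 0
    frag_offset: int = 0         # in 8-byte units, as carried in the IP header
    transport_len: int = 20      # bytes of transport header/data in this fragment

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    proto: Optional[str] = None  # None in any field means "match anything"
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))

def countermeasure(p: Packet) -> Optional[str]:
    """Header checks run before the rule list, one per attack named on the slide."""
    # IP address spoofing: an inside source address can never legitimately arrive outside.
    if p.iface == "outside" and ipaddress.ip_address(p.src) in INSIDE_NET:
        return "discard: spoofed inside source address"
    # Source routing: discard any packet carrying a source-route option.
    if p.source_routed:
        return "discard: source-routed packet"
    # Tiny fragment: the first fragment must carry the whole 20-byte TCP header, and a
    # fragment at offset 1 (byte 8) could overwrite the fields inspected in the first one.
    if p.proto == "tcp" and p.is_fragment:
        if (p.frag_offset == 0 and p.transport_len < 20) or p.frag_offset == 1:
            return "discard: tiny fragment"
    return None

def filter_packet(p: Packet, rules: List[Rule], default: str = "discard") -> str:
    reason = countermeasure(p)
    if reason:
        return reason
    for r in rules:               # first matching rule wins
        if r.matches(p):
            return r.action
    return default  # "discard" is the conservative default policy, "forward" the permissive one

def sample_rules() -> List[Rule]:
    # Constructed policy: outside may reach only the web server on port 80; inside may go anywhere.
    return [Rule("forward", proto="tcp", dst="192.0.2.10/32", dport=80),
            Rule("forward", src=str(INSIDE_NET))]
```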
Types of Firewalls
• Application-level Gateway
  – Also called proxy server
  – Acts as a relay of application-level traffic
• Advantages:
  – Higher security than packet filters
  – Only need to scrutinize a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)
• Circuit-level Gateway
  – Stand-alone system, or
  – Specialized function performed by an application-level gateway
  – Sets up two TCP connections
  – The gateway typically relays TCP segments from one connection to the other without examining the contents
  – The security function consists of determining which connections will be allowed
  – Typical use is a situation in which the system administrator trusts the internal users
  – An example is the SOCKS package
• Bastion Host
  – A system identified by the firewall administrator as a critical strong point in the network's security
  – The bastion host serves as a platform for an application-level or circuit-level gateway
Firewall Configurations
• In addition to the use of a simple configuration of a single system (single packet-filtering router or single gateway), more complex configurations are possible
• Three common configurations:
• Screened host firewall system (single-homed bastion host)
  – The firewall consists of two systems: a packet-filtering router and a bastion host
  – Configuration for the packet-filtering router: only packets from and to the bastion host are allowed to pass through the router
  – The bastion host performs authentication and proxy functions
  – Greater security than single configurations for two reasons:
    – This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
    – An intruder must generally penetrate two separate systems
  – This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
• Screened host firewall system (dual-homed bastion host)
  – Even if the packet-filtering router is completely compromised, traffic between the Internet and other hosts on the private network still has to flow through the bastion host
• Screened-subnet firewall system
  – Most secure configuration of the three
  – Two packet-filtering routers are used
  – Creation of an isolated sub-network
  – Advantages:
    – Three levels of defense to thwart intruders
    – The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
    – The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
Trusted Systems
• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
Data Access Control
• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile
• General models of access control:
  – Access matrix
  – Access control list
  – Capability list
• Access Matrix: basic elements of the model
  – Subject: An entity capable of accessing objects; the concept of subject equates with that of process
  – Object: Anything to which access is controlled (e.g. files, programs)
  – Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)
• Access Control List: decomposition of the matrix by columns
  – An access control list lists users and their permitted access rights
  – The list may contain a default or public entry
• Capability list: decomposition of the matrix by rows
  – A capability ticket specifies authorized objects and operations for a user
  – Each user has a number of tickets
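An added example, not from the slides, showing the two decompositions of an access matrix named above: one constructed matrix is split by columns into access control lists (including the default/public entry the slide mentions) and by rows into capability lists, with an access check written against each form and a recomposition showing the column split is lossless. The subjects, objects and rights are constructed.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed access matrix: rows are subjects, columns are objects, and each cell
# holds the subject's access rights on that object (read, write, execute).
# "*" is the default/public entry that the slide mentions for access control lists.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"read", "execute"}},
    "*":     {"report.txt": {"read"}},
}

def access_control_lists(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Decomposition by columns: one list per object, naming each subject and its rights."""
    acl: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    return dict(acl)

def capability_lists(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Decomposition by rows: one list of tickets per subject, each ticket an object and its operations."""
    # The public entry is not a subject, so it has no capability list of its own.
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items() if subject != "*"}

def acl_permits(acl: Dict[str, Dict[str, Set[str]]], subject: str, obj: str, right: str) -> bool:
    """ACL check: consult the object's list, falling back to its public entry."""
    entries = acl.get(obj, {})
    return right in entries.get(subject, set()) or right in entries.get("*", set())

def capability_permits(caps: Dict[str, Dict[str, Set[str]]], subject: str, obj: str, right: str) -> bool:
    """Capability check: the subject must hold a ticket naming the object and the operation."""
    return right in caps.get(subject, {}).get(obj, set())

def matrix_from_acls(acl: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Recompose the matrix from the column decomposition (the split loses nothing)."""
    matrix: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    for obj, entries in acl.items():
        for subject, rights in entries.items():
            matrix[subject][obj] = set(rights)
    return dict(matrix)

def who_can(acl: Dict[str, Dict[str, Set[str]]], obj: str, right: str) -> Set[str]:
    """Per-object review: a single lookup with ACLs, but a scan of every subject with capability lists."""
    return {s for s, rights in acl.get(obj, {}).items() if right in rights}
```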
The Concept of Trusted Systems
• Trusted Systems
  – Protection of data and resources on the basis of levels of security (e.g. military)
  – Users can be granted clearances to access certain categories of data
• Multilevel security
  – Definition of multiple categories or levels of data
• A multilevel secure system must enforce:
  – No read up: A subject can only read an object of less or equal security level (Simple Security Property)
  – No write down: A subject can only write into an object of greater or equal security level (*-Property)
• Reference Monitor Concept: multilevel security for a data processing system
• Reference Monitor
  – Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
  – The monitor has access to a file (security kernel database)
  – The monitor enforces the security rules (no read up, no write down)
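An added example, not from the slides, of a reference monitor enforcing the two multilevel rules stated above (no read up, no write down) against a security kernel database of subject clearances and object classifications. It goes one step beyond the slide by including the categories the slides mention: a label counts as "greater or equal" only when both its level and its category set dominate. The level ordering, names and labels are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed ordering of security levels; categories (compartments) are unordered sets.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """'Greater or equal' on the slide: higher-or-equal level and a superset of categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.categories <= self.categories

class ReferenceMonitor:
    """Mediates every subject-to-object access against the security kernel database."""

    def __init__(self, clearances: Dict[str, Label], classifications: Dict[str, Label]):
        # Security kernel database: subject clearances and object classifications.
        # Kept private so that only the monitor reads it (isolation).
        self._clearances = clearances
        self._classifications = classifications
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, obj: str, mode: str) -> bool:
        """Complete mediation: every access passes through here and is recorded."""
        s = self._clearances[subject]
        o = self._classifications[obj]
        if mode == "read":
            allowed = s.dominates(o)   # no read up (Simple Security Property)
        elif mode == "write":
            allowed = o.dominates(s)   # no write down (*-Property)
        else:
            allowed = False            # unknown access mode: fail closed
        self.audit.append((subject, obj, mode, allowed))
        return allowed

def demo_monitor() -> ReferenceMonitor:
    # Constructed clearances and classifications for the checks below.
    return ReferenceMonitor(
        clearances={
            "analyst": Label("secret", frozenset({"crypto"})),
            "clerk":   Label("confidential"),
        },
        classifications={
            "budget.xls":  Label("confidential"),
            "keys.txt":    Label("secret", frozenset({"crypto"})),
            "nuclear.doc": Label("secret", frozenset({"nuclear"})),
            "ts-plan.doc": Label("top secret"),
        },
    )
```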
The Concept of Trusted Systems
• Properties of the Reference Monitor
  – Complete mediation: Security rules are enforced on every access
  – Isolation: The reference monitor and its database are protected from unauthorized modification
  – Verifiability: The reference monitor's correctness must be provable (mathematically)
• A system that can provide such verifications (properties) is referred to as a trusted system
Trojan Horse Defense
• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997