Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration...

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher August, 2014

Transcript of Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration...

Page 1: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 1Advanced Network Security

Perimeter Defense in Networks: Firewalls Configuration and

ManagementAdvanced Network Security

Peter ReiherAugust, 2014

Page 2: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 2Advanced Network Security


• Shortcomings of firewalls

• How do we properly manage firewalls?

• Firewalls and mobile computing

Page 3: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 3Advanced Network Security

So Firewalls Are the Answer?

• Not by themselves

• Relying exclusively on firewalls runs into problems

• Why?

Page 4: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 4Advanced Network Security


Problem #1


Local network

Is there a way around the firewall?

No firewall


Page 5: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 5Advanced Network Security

Problem #2


ISPCan you properly

identify all bad traffic?

Great, no back doors

But . . .

It looks OK . . .

Page 6: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 6Advanced Network Security

Problem #3



Let’s say you’ve

closed all the back doors

And you’ve somehow

recognized all bad traffic

What about this?

If the bad traffic comes from inside, the

firewall doesn’t help

Page 7: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 7Advanced Network Security

Weaknesses of Perimeter Defense

Page 8: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 8Advanced Network Security

Defense in Depth

• An old principle in warfare

• Don’t rely on a single defensive mechanism or defense at a single point

• Combine different defenses

• Defeating one defense doesn’t defeat your entire plan

Page 9: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 9Advanced Network Security

So What Should Happen?

Page 10: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 10Advanced Network Security

Or, Better

Page 11: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 11Advanced Network Security

Or, Even Better

Page 12: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 12Advanced Network Security

Firewall Configuration and Administration

• Again, the firewall is the point of attack for intruders

• Thus, it must be extraordinarily secure

• How do you achieve that level of security?

Page 13: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 13Advanced Network Security

Firewall Location

• Clearly, between you and the bad guys

• But you may have some different types of machines/functionalities

• Sometimes makes sense to divide your network into segments

– Typically, less secure public network and more secure internal network

– Using separate firewalls

Page 14: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 14Advanced Network Security

Firewalls and DMZs

• A standard way to configure multiple firewalls for a single organization

• Used when organization runs machines with different openness needs

– And security requirements

• Basically, use firewalls to divide your network into segments

Page 15: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 15Advanced Network Security

A Typical DMZ Organization

Your production


Your web serverThe Internet

Firewall set up to protect your


Firewall set up to protect your

web server


Page 16: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 16Advanced Network Security

Advantages of DMZ Approach

• Can customize firewalls for different purposes

• Can customize traffic analysis in different areas of network

• Keeps inherently less safe traffic away from critical resources

Page 17: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 17Advanced Network Security

Dangers of a DMZ• Things in the DMZ aren’t well protected

– If they’re compromised, provide a foothold into your network

• One problem in DMZ might compromise all machines there

• Vital that main network doesn’t treat machines in DMZ as trusted

• Must avoid back doors from DMZ to network

Page 18: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 18Advanced Network Security

Firewall Hardening

• Devote a special machine only to firewall duties

• Alter OS operations on that machine– To allow only firewall activities– And to close known vulnerabilities

• Strictly limit access to the machine– Both login and remote execution

Page 19: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 19Advanced Network Security

Keep Your Firewall Current

• New vulnerabilities are discovered all the time

• Must update your firewall to fix them• Even more important, sometimes you have

to open doors temporarily– Make sure you shut them again later

• Can automate some updates to firewalls• How about getting rid of old stuff?

Page 20: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 20Advanced Network Security

Closing the Back Doors

• Firewall security is based on assumption that all traffic goes through the firewall

• So be careful with:– Wireless connections– Portable computers– Sneakernet mechanisms and other entry points

• Put a firewall at every entry point to your network• And make sure all your firewalls are up to date

Page 21: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 21Advanced Network Security

Firewalls and Mobile Computing

• The firewall concept comes from the world before mobile computing

• Firewalls assume machines are safe behind their protections

• Which is only true if network traffic to the machine goes through the firewall

• What happens with mobile computers?

Page 22: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 22Advanced Network Security

Consider Bob’s Office

Bob’s Office




So far, so good

Page 23: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 23Advanced Network Security

Now Bob Goes to a Cafe

Local Café





Page 24: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 24Advanced Network Security

Now Bob Returns To Work . . .

Bob’s Office




The firewall didn’t help at


Page 25: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 25Advanced Network Security

How Bad Could This Be?

• Depends on how much mobility occurs

– Nowadays, a lot

• Wireless connectivity makes it worse

– Especially if wireless used in untrusted locations

• Smart phones in store windows have been infected by malware passing by

Page 26: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 26Advanced Network Security

Handling the Problem• Single machine firewalls on mobile

devices help

– But usually aren’t powerful or sophisticated

• Safe use practices help

– But are usually trumped by convenience

• So mobile devices will get infected

Page 27: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 27Advanced Network Security

The Next Best Thing

• It was bad that the mobile device got infected

• It was worse that it got behind the firewall and infected everyone else

• Can we at least stop that step?

Page 28: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 28Advanced Network Security

How To Handle This Problem?

• Essentially quarantine the portable computer until it’s safe

• Don’t permit connection to wireless access point until you’re satisfied that the portable is safe– Or put them in constrained network

• Common in Cisco, Microsoft, and other companies’ products– Network access control

Page 29: Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15Page 29Advanced Network Security

Conclusion • Important to recognize the

shortcomings of firewalls

• Proper organization and management of firewalls can help

• Mobile computing limits the value of firewalls further

– Requiring extra caution