Download Firewalls - Integrated Computer Security - Lecture Slides and more Slides Computer Security in PDF only on Docsity!
Lecture 12
Firewalls and Intrusion Prevention
The Need For Firewalls
- Internet connectivity is essential
- however it creates a threat
- effective means of protecting LANs
- inserted between the premises network and the
Internet to establish a controlled link
- can be a single computer or a set of two or more systems working together
- used as a perimeter defense
- single choke point to impose security and auditing
- insulates internal systems from external networks
Firewall Capabilities And Limits
- capabilities:
- defines a single choke point
- provides a location for monitoring security events
- convenient platform for several Internet functions that are not security related
- can serve as the platform for IPSec
- limitations:
- cannot protect against attacks bypassing firewall
- may not protect fully against internal threats
- improperly secured wireless LAN can be accessed from outside the organization
- laptop, PDA, or portable storage device may be infected outside the corporate network then used internally
Types of Firewalls
Packet Filtering Firewall
- filtering rules are based on information
contained in a network packet
- source IP address
- destination IP address
- source and destination transport-level address
- IP protocol field
- interface
Packet Filter
Rules
Source Address Source Port Destination Address Destination Port Connection State
192.168.1.100 1030 210.9.88.29 80 Established 192.168.1.102 1031 216.32.42.123 80 Established 192.168.1.101 1033 173.66.32.122 25 Established 192.168.1.106 1035 177.231.32.12 79 Established 223.43.21.231 1990 192.168.1.6 80 Established 219.22.123.32 2112 192.168.1.6 80 Established 210.99.212.18 3321 192.168.1.6 80 Established 24.102.32.23 1025 192.168.1.6 80 Established 223.21.22.12 1046 192.168.1.6 80 Established
Stateful Firewall Connection State
Stateful Inspection Firewall
- tightens rules for TCP traffic by creating a directory of outbound TCP connections - there is an entry for each currently established connection - packet filter allows incoming traffic to high numbered ports - only for those packets that fit the profile of one of the entries
- reviews packet information but also records information about TCP connections - keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number - inspects data for protocols like FTP, IM and SIPS commands
Circuit-Level Gateway
- circuit level proxy
- sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host
- relays TCP segments from one connection to the other without examining contents
- security function consists of determining which connections will be allowed
- typically used when inside users are trusted
- may use application-level gateway inbound and circuit-level gateway outbound
- lower overheads
SOCKS Circuit-Level Gateway
- SOCKS v5 defined in RFC
- provide a framework for client- server applications to conveniently and securely use the services of a network firewall
- client application contacts SOCKS server, authenticates, sends relay request - server evaluates and either establishes or denies the connection
SOCKS server
SOCKS client library
SOCKS-ified client applications
components
Host-Based Firewalls
- used to secure an individual host
- available in operating systems
- or can be provided as an add-on package
- filter and restrict packet flows
- common location is a server
- advantages:
- filtering rules can be tailored to the host environment
- protection is provided independent of topology
- provides an additional layer of protection
Personal Firewall
- controls traffic between a personal computer or workstation and the Internet or enterprise network
- typically is a software module
- can be housed in a router that connects all of the home computers to Internet - such as a DSL or cable modem
- typically much less complex than server-based or stand-alone firewalls
- primary role is to deny unauthorized remote access
- may also monitor outgoing traffic to detect and block worms and malware activity
Firewall
Configuration
Virtual Private Networks (VPNs)