Scribd
Upload
27 views24 pages

Firewalls

Uploaded by

Harsh Nirmal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
27 views24 pages

Firewalls

Uploaded by

Harsh Nirmal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 24

Firewalls

Mahalingam Ramkumar
Evolution of Networks
● Centralized data processing
● LANs
● Premises network – interconnection of LANs
and mainframes
● Enterprise-wide network – interconnection of
LANs in a private WAN
● LANs interconnected using the Internet and
using virtual private networks
What is a Firewall?
● A “ choke point”
● A location for monitoring security related
events
– Audits and alarms
● Non-security related functions
– NAT, network management
● An end-point for IPSec
Firewall Limitations
● Cannot protect from attacks bypassing it
– eg sneaker net, utility modems, trusted
organisations, trusted services (eg SSL/SSH)
● Cannot protect against internal threats
– eg disgruntled employee
● Cannot protect against transfer of virus
infected programs or files
– because of huge range of O/S & file types
Firewall – Basic Types
● Packet-Filtering Router
● Stateful Inspection Firewalls
● Application Level Gateway
● Circuit Level Gateway
Packet Filters
Packet Filters
● Filtering based on
– Source IP address
– Destination IP address
– Source and Destination transport-level address
– IP protocol field
– Interface (physical)
● Rules!
– Configuration files
– Explicit allow / block
Packet Filtering Example
Attacks on Packet Filtering
● IP address spoofing
● Source routing attacks
● Tiny fragment attacks
Firewalls – Stateful Packet Filters
● Examine each IP packet in context
– keeps tracks of client-server sessions
– checks each packet belongs to a valid session
● Better ability to detect bogus packets “ out of
context”
● A session might be pinned down by
– Source IP and Port,
– Dest IP and Port,
– Protocol, and
– Connection State
Firewalls - Application Level
Gateway (or Proxy)
Application Level Gateway
● Application specific gateway / proxy
● has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– acts on behalf of the user,
– returns result to user
● need to separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
Firewalls - Circuit Level Gateway
Circuit Level Gateway
● Relays two TCP connections
● Imposes security by limiting types of connections
that are allowed
● Once created, usually relays traffic without
examining contents
● Typically used with trusted internal users (by
allowing general outbound connections)
● SOCKS (RFC 1928)
– SOCKS server
– SOCKS client library
– SOCKSified versions of application programs
SOCKS
Bastion Host
● Highly secure host system
● Exposed to "hostile" elements
– hence secured to withstand attacks
– Trusted System
● May be single or multi-homed
● Enforce trusted separation between network
connections
● Run circuit / application level gateways
● Provide externally accessible services
Firewall Configurations
● Screened Host – Single Homed Bastion Host
● Screened Host – Dual Homed Bastion Host
● Screened Subnet
Screened Host – Single
Homed Bastion Host
Screened Host – Dual
Homed Bastion Host
Screened-subnet Firewall
Access Control
● Given that system has identified a user
● Determine what resources they can access
● General model - access matrix
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed
● can decompose by
– columns as access control lists
– rows as capability tickets
Access Control Matrix
Trusted Computer Systems
● Varying degrees of sensitivity of information
– military classifications: confidential, secret, TS, etc
● Subjects (people or programs) have varying rights of
access to objects (information)
● Need to consider ways of increasing confidence in
systems to enforce these rights
● Multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
Bell LaPadula (BLP) Model
● One of the well-known security models
● Implemented as mandatory policies on system
● Two key policies:
– no read up (simple security property)
● a subject can only read/write an object if the current
security level of the subject dominates (>=) the
classification of the object
– no write down (*-property)
● a subject can only append/write to an object if the
current security level of the subject is dominated by
(<=) the classification of the object

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy