Computer Security: Principles and Practice. Firewalls and Intrusion Prevention Systems. Chapter 9

Contents

Slide 2

Firewalls and Intrusion Prevention Systems

Effective means of protecting LANs
Internet connectivity is essential
For organizations and individuals
But creates a threat (enabling the outside world to reach and interact with local network assets)
Could secure all workstations and servers (but this is not a practical approach)
Also use firewall as perimeter defence
Single choke point to impose security
Slide 3

Firewall Access Policy

A critical component in the planning and implementation of a firewall is specifying a suitable access policy
Types of traffic authorized to pass through the firewall
Includes address ranges, protocols, applications and content types
The policy should be developed from the organization’s security risk assessment and policy
Should be developed from a broad specification of which traffic types the organization needs to support
Then refined to detail the filter elements which can then be implemented within an appropriate firewall topology
Slide 4

Firewall Capabilities & Limits

Capabilities
Defines a single choke point
Provides a location for monitoring security events
Convenient platform for some Internet functions such as NAT, usage monitoring, IPsec, VPNs
Limitations
Cannot protect against attacks bypassing the firewall (from dial-out, or a modem pool dial-in capability for traveling employees and telecommuters)
May not protect fully against internal threats
Improperly secured wireless LAN
Laptop, PDA, or portable storage device infected outside, then used inside
Slide 5

Firewall Filter Characteristics

Slide 6

Types of Firewalls

Positive (negative) filter: allow (reject) packets that meet a criterion
Stateful inspection: keeps track of TCP connections
Slide 7

Packet Filtering Firewall

Applies rules to packets in/out of firewall based on information in packet header
src/dest IP addr & port, IP protocol, interface
Typically a list of rules of matches on fields
If a rule matches, it says whether to forward or discard the packet
Two default policies:
Discard: prohibit unless expressly permitted
more conservative, controlled, visible to users
Forward: permit unless expressly prohibited
easier to manage/use but less secure
Slide 8

Packet Filter Rules

Default rule (usually the last rule)
Inside hosts can send email
A way of handling FTP
Slide 9

Packet Filter Rules

Slide 10

Packet Filter Weaknesses

Weaknesses
Cannot prevent attacks on application bugs
Limited logging functionality
Do not support advanced user authentication
Vulnerable to attacks on TCP/IP protocol bugs (e.g., IP address spoofing)
Improper configuration can lead to breaches
Attacks
IP address spoofing
Source route attacks (source dictates the packet route)
Tiny fragment attacks (to circumvent filtering rules that depend on TCP header info)
Slide 11

Stateful Inspection Firewall

Reviews packet header information but also keeps info on TCP connections
Typically have low, “known” port # for server and high, dynamically assigned (ephemeral) client port #
Stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
may also track TCP seq numbers as well
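The following is an added example, not code from the textbook or its slides. It implements the packet-filter rule list of the earlier slides (ordered rules, a trailing default-discard rule, an "inside hosts can send email" rule) and then the stateful-inspection directory of TCP connections described on this slide. The address ranges, the rule set and the stateless "replies from port 25" rule are constructed assumptions chosen to show why a stateless filter must leave high-numbered ports open and how the connection directory tightens that.

```python
"""Added example: a toy stateless packet filter with a default-discard rule,
extended into a stateful inspection firewall that admits inbound traffic to
ephemeral ports only when it matches a recorded outbound TCP connection.
Addresses (RFC 5737 documentation ranges) and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY_PORT = range(0, 65536)

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from inside)
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt

@dataclass
class Rule:
    action: str                     # "forward" or "discard"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: range = ANY_PORT
    dport: range = ANY_PORT
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.sport in self.sport and p.dport in self.dport)

INSIDE = "192.0.2.0/24"      # constructed internal network
MAIL_GW = "192.0.2.25/32"    # constructed address of the internal mail gateway

# Ordered rule list; the default rule is the last one: discard unless expressly permitted.
RULES = [
    Rule("forward", "out", "tcp", src=INSIDE, dport=range(25, 26),
         comment="inside hosts can send email"),
    Rule("forward", "in", "tcp", dst=MAIL_GW, dport=range(25, 26),
         comment="outside can deliver mail to our gateway"),
    Rule("forward", "in", "tcp", dst=INSIDE, sport=range(25, 26), dport=range(1024, 65536),
         comment="stateless approximation of SMTP replies: any sport-25 packet to a high port"),
    Rule("discard", comment="default: prohibit unless expressly permitted"),
]

def stateless_filter(p: Packet, rules=RULES) -> str:
    """First matching rule wins; the trailing default rule guarantees a decision."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "discard"   # fail closed even if someone removes the explicit default rule

@dataclass
class StatefulFirewall:
    rules: list = field(default_factory=lambda: list(RULES))
    connections: set = field(default_factory=set)   # directory of permitted TCP connections

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.proto == "tcp" and p.direction == "in" and p.dport >= 1024:
            # Inbound to an ephemeral port: allowed only as the reply side of a
            # connection in the directory, regardless of what the static rules say.
            reverse = (p.dst, p.dport, p.src, p.sport)
            return "forward" if reverse in self.connections else "discard"
        decision = stateless_filter(p, self.rules)
        if decision == "forward" and p.proto == "tcp" and p.direction == "out" and p.syn_only:
            self.connections.add(key)   # remember the outbound connection we just permitted
        return decision
```

With the stateless rules alone, any packet whose source port is 25 is forwarded to any high port inside; the stateful firewall discards the same packet unless an inside host first opened a connection to that server, which is the tightening this slide describes (sequence-number tracking, mentioned above, is omitted here).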
Slide 12

Connection State Table

Slide 13

Application-Level (Proxy) Gateway

Acts as a relay of application-level traffic
User contacts gateway with remote host name and authenticates
Gateway contacts application on remote host and relays TCP segments between server and user
Must have proxy code for each application
May restrict application features supported
Some services may not be available
More secure than packet filters
But have higher overheads
Slide 14

Circuit-Level Gateway

Sets up two TCP connections, to an inside user and to an outside host
Once connection is established, relays TCP segments from one connection to the other without examining contents
Hence independent of application logic
Just determines whether relay is permitted
Typically used when inside users trusted
May use application-level gateway inbound and circuit-level gateway outbound
Hence lower overheads
Slide 15

Packet Filtering vs Gateway vs Application-Level Firewall

Slide 16

SOCKS Circuit-Level Gateway

SOCKS v5 defined in RFC 1928 to allow TCP/UDP applications to use firewall
Components:
SOCKS server on firewall
SOCKS client library on all internal hosts
SOCKS-ified client applications
Client app contacts SOCKS server, authenticates, sends relay request
Server evaluates & establishes relay connection
UDP handled with parallel TCP control channel
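As an added example (not code from the slides or from any SOCKS implementation), the exchange above in message form: the client's method-negotiation greeting, the server's method selection, the client's CONNECT relay request, and the gateway's evaluation of that request against a relay policy before it would open the outbound connection. Message layouts follow RFC 1928; the allowed-destination list is a constructed assumption, and the toy gateway refuses BIND and UDP ASSOCIATE rather than implementing the UDP control channel.

```python
"""Added example: building and parsing SOCKS v5 (RFC 1928) negotiation and
CONNECT messages, plus a toy gateway-side policy check on the relay request.
ALLOWED_RELAYS is a constructed policy, not from any real deployment."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07

def client_greeting(methods=(METHOD_USERPASS, METHOD_NO_AUTH)) -> bytes:
    """VER | NMETHODS | METHODS: the client's offer of authentication methods."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def server_select_method(greeting: bytes, required=METHOD_USERPASS) -> bytes:
    """VER | METHOD: the gateway picks the method it requires, or 0xFF to refuse."""
    ver, n = greeting[0], greeting[1]
    offered = greeting[2:2 + n]
    if ver != SOCKS_VERSION or len(offered) != n:
        raise ValueError("malformed greeting")
    chosen = required if required in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])

def client_request(cmd: int, host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT: the relay request."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                       # not a dotted quad: send as a domain name
        h = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)

def parse_request(req: bytes):
    """Return (cmd, host, port) from a request; raise on anything malformed."""
    if len(req) < 7 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]

# Constructed policy: the gateway relays only to these (host, port) pairs.
ALLOWED_RELAYS = {("mail.example.net", 25), ("203.0.113.10", 443)}

def gateway_reply(req: bytes, allowed=ALLOWED_RELAYS) -> bytes:
    """Evaluate the relay request. REP=0x00 means the gateway would now open the
    outbound TCP connection and start relaying segments; anything else refuses.
    BND.ADDR/BND.PORT stay 0.0.0.0:0 here because no socket is actually opened."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_NOT_SUPPORTED      # this toy relays TCP CONNECT only
    elif (host, port) in allowed:
        rep = REP_SUCCEEDED
    else:
        rep = REP_NOT_ALLOWED            # "connection not allowed by ruleset"
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 4 + struct.pack("!H", 0)
```

The policy decision sits entirely at the gateway, which is the point of a circuit-level relay: the client learns only the reply code, never the reason a destination is refused.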
Slide 17

Firewall Basing

Several options for locating firewall:
Bastion host
Individual host-based firewall
Personal firewall

Slide 18

Bastion Hosts

Critical strongpoint in network
Hosts application/circuit-level gateways
Common characteristics:
Runs secure O/S, only essential services
May require user auth to access proxy or host
There may be many proxy services
Each proxy can restrict features, hosts accessed
Each proxy small, simple, checked for security
Each proxy is independent, can be uninstalled
Slide 19

Host-Based Firewalls

Used to secure individual host
Available in/add-on for many O/S
Filter packet flows
Often used on servers
Advantages:
Tailored filter rules for specific host needs
Protection from both internal/external attacks
Additional layer of protection to org firewall when used with a standalone firewall
Slide 20

Personal Firewall

Controls traffic flow to/from PC/workstation
For both home and corporate use
May be software module on PC
Or in home cable/DSL router/gateway
Typically much less complex
Primary role to deny unauthorized access
May also monitor outgoing traffic to detect/block worm/malware activity
Slide 21

Firewall Locations

Internal firewall: more stringent filtering capability to provide protection from external attacks
(b) provides two-way protection wrt the DMZ network
External firewall: protection for the DMZ consistent with their need for external connectivity

Slide 22

Virtual Private Networks

Encryption and similar services but transparent to the user

Slide 23

Distributed Firewalls

A combination of earlier firewalls
Host-resident firewall on 100s of PCs plus standalone firewalls under a central administration
Slide 24

Firewall Topologies

Host-resident firewall: personal firewall and firewall on servers (used alone or as part of a defense in depth)
Screening router: a single router between internal and external networks (e.g., SOHO applications)
Single bastion inline: single firewall device between an internal and external router (stateful or app proxies)
Single bastion T: similar to above but has a 3rd NIC on bastion to a DMZ (for medium to large organizations)
Double bastion inline: DMZ sits between the two bastion firewalls (for large organizations)
Distributed firewall configuration
Slide 25

Intrusion Prevention Systems (IPS)

Recent addition to security products: inline network-/host-based IDS that can block traffic
Functional addition to firewall that adds IDS capabilities
Using IDS algorithms but can block or reject packets like a firewall
May be network or host based
Slide 26

Host-Based IPS

Identifies attacks using both:
Signature techniques: malicious application packets
Anomaly detection techniques: behavior patterns that indicate malware
Example of malicious behavior: buffer overflow, access to email contacts, directory traversal
Can be tailored to the specific platform
e.g. general purpose, web/database server specific
Can also sandbox applets to monitor behavior
May give desktop file, registry, I/O protection
Slide 27

Network-Based IPS

Inline NIDS that can discard packets or terminate TCP connections
Uses signature and anomaly detection
May provide flow data protection: monitoring full application flow content
Can identify malicious packets using:
pattern matching (for specific byte sequences)
stateful matching (to stop attack streams rather than single packets)
protocol anomaly (deviations from standards)
traffic anomaly (unusual traffic like UDP floods)
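The four identification methods listed above, as an added example that is not code from the slides or from any real IPS product: a toy inline NIPS runs each method over a constructed packet stream and returns a per-packet verdict (forward, discard, or reset the TCP stream). The signatures, the SYN+FIN protocol check, the UDP flood threshold and the sample traffic are all constructed for illustration.

```python
"""Added example: a toy inline NIPS applying pattern matching, stateful
(stream) matching, protocol-anomaly and traffic-anomaly checks to a
constructed packet stream. Signatures and thresholds are made up."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}
    payload: bytes = b""

SIGNATURES = {"toy-sig-1": b"EVIL-BYTES"}                  # constructed byte sequence
STREAM_SIGNATURES = {"toy-stream-1": b"SPLIT-ACROSS-SEGMENTS"}
FLOOD_THRESHOLD, FLOOD_WINDOW = 5, 1.0   # more than 5 UDP packets from one source in 1 s

class ToyNIPS:
    def __init__(self):
        self.streams = defaultdict(bytes)     # flow key -> tail of reassembled payload
        self.udp_times = defaultdict(deque)   # source -> recent UDP timestamps
        self.terminated = set()               # TCP flows already reset

    @staticmethod
    def pattern_match(p):
        """Single-packet signature: a specific byte sequence in the payload."""
        for name, sig in SIGNATURES.items():
            if sig in p.payload:
                return name
        return None

    def stateful_match(self, p):
        """Match against payload accumulated over the TCP stream, so a signature
        split across segments is still caught; keep only a tail bounded by the
        longest signature to avoid unbounded memory per flow."""
        if p.proto != "tcp":
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        buf = self.streams[key] + p.payload
        for name, sig in STREAM_SIGNATURES.items():
            if sig in buf:
                return name
        keep = max(len(s) for s in STREAM_SIGNATURES.values()) - 1
        self.streams[key] = buf[-keep:] if keep > 0 else b""
        return None

    @staticmethod
    def protocol_anomaly(p):
        """Deviation from the standard: SYN and FIN together is never valid TCP."""
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
            return "tcp-syn-fin"
        return None

    def traffic_anomaly(self, p):
        """Sliding-window rate check per source for UDP floods."""
        if p.proto != "udp":
            return None
        q = self.udp_times[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > FLOOD_WINDOW:
            q.popleft()
        return "udp-flood" if len(q) > FLOOD_THRESHOLD else None

    def inspect(self, p):
        """Return ("forward" | "discard" | "reset", reason) for one packet."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.terminated:
            return "discard", "stream-terminated"
        if (r := self.protocol_anomaly(p)):
            return "discard", r
        if (r := self.pattern_match(p)):
            return "discard", r
        if (r := self.stateful_match(p)):
            self.terminated.add(key)      # terminate the connection, not just one packet
            return "reset", r
        if (r := self.traffic_anomaly(p)):
            return "discard", r
        return "forward", "clean"

def run(packets):
    ips = ToyNIPS()
    return [ips.inspect(p) for p in packets]

SAMPLE = [   # constructed traffic, RFC 5737 documentation addresses
    Pkt(0.0, "tcp", "198.51.100.7", 40000, "192.0.2.10", 80, frozenset({"SYN", "FIN"})),
    Pkt(0.1, "tcp", "198.51.100.8", 40001, "192.0.2.10", 80, frozenset({"ACK"}), b"GET / EVIL-BYTES"),
    Pkt(0.2, "tcp", "198.51.100.9", 40002, "192.0.2.10", 80, frozenset({"ACK"}), b"POST / SPLIT-ACRO"),
    Pkt(0.3, "tcp", "198.51.100.9", 40002, "192.0.2.10", 80, frozenset({"ACK"}), b"SS-SEGMENTS"),
    Pkt(0.4, "tcp", "198.51.100.9", 40002, "192.0.2.10", 80, frozenset({"ACK"}), b"harmless"),
] + [Pkt(1.0 + i * 0.1, "udp", "198.51.100.20", 5000, "192.0.2.10", 53, payload=b"x") for i in range(7)]
```

The third and fourth sample packets show why stateful matching matters: neither segment alone contains the stream signature, so single-packet pattern matching forwards both, while the stream matcher catches the reassembled sequence and resets the whole connection.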
Slide 28

Unified Threat Management Products

Reduce admin burden by replacing network products (firewall, IDS, IPS, …) with a single device