Lecture Computer Networks
advertisement
Lecture Computer Networks Prof. Dr. Hans Peter Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau | Sommersemester 2012 | Institut für Organisation und Management von Informationssystemen Security / Firewall Page 2 Computer Networks | Security | Sommersemester 2012 Types of Attacks • General Intrusion • Compromise reputation • Denial of service • Information theft • Corruption of data, deletion of files Page 3 Computer Networks | Security | Sommersemester 2012 Security Steps • No security • Security through obscurity • Host security • Network security Page 4 Computer Networks | Security | Sommersemester 2012 The Zone of Risk I • All hosts on the LAN are directly accessible through the Internet • Every host on the Internet can attack every host on the LAN Intranet Internet Page 5 Computer Networks | Security | Sommersemester 2012 The Zone of Risk II All hosts on the LAN are only indirectly accessible through the Internet via the Firewall system Intranet Firewall Internet An Internet Firewall • Forces people to enter at a controlled point • Prevents attackers from getting in contact with all hosts • Forces people to leave at a controlled point Page 6 Computer Networks | Security | Sommersemester 2012 Types of Firewalls Proxy Server 7. Application 6. Presentation 5. Session Packet Filter Application 4. Transport TCP or UDP TCP or UDP 3. Network IP IP 2. Data Link Data Link Data Link 1. Physical Physical Physical Page 7 Computer Networks | Security | Sommersemester 2012 Packet Filter TCP / UDP IP Data Link filter rules can be based on incoming and outgoing interfaces IP Addresses Layer 4 Protocols Port Numbers Physical packets Page 8 Computer Networks | Security | Sommersemester 2012 Proxy Server Proxy Server filter rules can be based on incoming and outgoing interfaces IP Addresses Layer 4 Protocols Port Numbers User-Permissions TCP or UDP IP Data Link Physical traffic Page 9 Computer Networks | Security | Sommersemester 2012 Types of Proxy Servers • circuit-level proxy Check if new connection request meets filter rules requirements Proxy Server TCP or UDP when connection is permitted Application TCP or UDP IP IP Data Link Data Link Physical Physical new connection request Page 10 Computer Networks | Security | Sommersemester 2012 Types of Proxy Servers II • application-level proxy Application Protocol TCP or UDP IP Data Link Physical whole connection Page 11 Computer Networks | Security | Sommersemester 2012 Firewall Architectures I • Packet Filter Architecture Screening Router Firewall Internet Page 12 Computer Networks | Security | Sommersemester 2012 Firewall Architectures II • Dual-homed Host Architecture Dual-homed Host Internet Firewall Page 13 Computer Networks | Security | Sommersemester 2012 Firewall Architectures III • Screened Host Architecture Bastion Host Screening Router Firewall Internet Page 14 Computer Networks | Security | Sommersemester 2012 Firewall Architectures IV • Screened Subnet Architecture Bastion Host Interior Router Exterior Router Firewall Internet Page 15 Computer Networks | Security | Sommersemester 2012 What a Firewall cannot do A firewall cannot protect an intranet against • insiders • connections that do not go through it (e.g. dial-up modem connections) • completely new threats • viruses
