Firewalls - Application Level Gateway

Firewalls
Mahalingam Ramkumar
Evolution of Networks
● Centralized data processing
● LANs
● Premises network – interconnection of LANs and mainframes
● Enterprise-wide network – interconnection of LANs in a private WAN
● LANs interconnected using the Internet and using virtual private networks
What is a Firewall?
● A “choke point”
● A location for monitoring security related events
  – Audits and alarms
● Non-security related functions
  – NAT, network management
● An end-point for IPSec
Firewall Limitations
● Cannot protect from attacks bypassing it
  – eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
● Cannot protect against internal threats
  – eg disgruntled employee
● Cannot protect against transfer of virus infected programs or files
  – because of huge range of O/S & file types
Firewall – Basic Types
● Packet-Filtering Router
● Stateful Inspection Firewalls
● Application Level Gateway
● Circuit Level Gateway
Packet Filters
● Filtering based on
  – Source IP address
  – Destination IP address
  – Source and Destination transport-level address
  – IP protocol field
  – Interface (physical)
● Rules!
  – Configuration files
  – Explicit allow / block
Packet Filtering Example
Attacks on Packet Filtering
● IP address spoofing
● Source routing attacks
● Tiny fragment attacks
Firewalls – Stateful Packet Filters
● Examine each IP packet in context
  – keeps track of client-server sessions
  – checks each packet belongs to a valid session
● Better ability to detect bogus packets “out of context”
● A session might be pinned down by
  – Source IP and Port,
  – Dest IP and Port,
  – Protocol, and
  – Connection State
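The two packet-filter slides above describe the same machinery from two angles: a stateless filter that matches a packet against an ordered allow/block rule list (source, destination, transport ports, protocol, interface), and a stateful filter that keeps a session table keyed by the 5-tuple plus connection state so that packets with no session are rejected as “out of context”. The following is an added example written for this page, not code from the slides; the rule set, addresses, interface names and the simplified TCP state machine are all constructed. It also shows, as a defensive rule, the standard anti-spoofing check the “IP address spoofing” bullet alludes to: drop packets arriving on the outside interface that claim an inside source address.

```python
# Added example (not from the slides): a toy stateless packet filter with an
# explicit allow/block rule list, and a stateful filter that tracks TCP
# sessions by (src ip, src port, dst ip, dst port, protocol) and state.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp"
    sport: int
    dport: int
    iface: str                        # physical interface the packet arrived on
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}


@dataclass
class Rule:
    action: str                       # "allow" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))


# Constructed rule set; first match wins and the last rule is the default block.
# Rule 1 is the anti-spoofing rule: an "inside" source address (10.0.0.0/8 here)
# must never arrive on the external interface "ext".
RULES = [
    Rule("block", src="10.0.0.0/8", iface="ext"),
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=80, iface="ext"),
    Rule("allow", src="10.0.0.0/8", iface="int"),
    Rule("block"),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Stateless decision: each packet is judged on its own header fields."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


class StatefulFilter:
    """Only a SYN (new connection) consults the rule list; every other TCP
    packet must belong to a session that such a SYN opened."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = {}            # 5-tuple -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def reverse_key(p: Packet):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, p: Packet) -> str:
        if p.proto != "tcp":
            return filter_packet(p, self.rules)   # no state for non-TCP here
        k, rk = self.key(p), self.reverse_key(p)
        if "SYN" in p.flags and "ACK" not in p.flags:
            verdict = filter_packet(p, self.rules)
            if verdict == "allow":
                self.sessions[k] = "SYN_SENT"
            return verdict
        state_key = k if k in self.sessions else rk if rk in self.sessions else None
        if state_key is None:
            return "block"            # no session: the packet is out of context
        if "FIN" in p.flags or "RST" in p.flags:
            self.sessions.pop(state_key)          # tear the session down
        elif self.sessions[state_key] == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            self.sessions[state_key] = "ESTABLISHED"
        return "allow"


def demo() -> dict:
    """Constructed packets: a legitimate handshake, a stray ACK, a spoofed SYN."""
    syn = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 80, "ext", frozenset({"SYN"}))
    synack = Packet("10.0.0.5", "198.51.100.7", "tcp", 80, 40000, "int", frozenset({"SYN", "ACK"}))
    stray = Packet("203.0.113.9", "10.0.0.5", "tcp", 5555, 80, "ext", frozenset({"ACK"}))
    spoof = Packet("10.0.0.9", "10.0.0.5", "tcp", 40001, 80, "ext", frozenset({"SYN"}))
    sf = StatefulFilter()
    return {
        "stateless stray ACK": filter_packet(stray),     # allow: header fields match
        "stateful SYN": sf.process(syn),
        "stateful SYN-ACK": sf.process(synack),
        "stateful stray ACK": sf.process(stray),         # block: no session
        "spoofed SYN": sf.process(spoof),                # block: anti-spoof rule
    }


if __name__ == "__main__":
    print(demo())
```

The contrast is the stray ACK: the stateless filter allows it because its header matches the web-server rule, while the stateful filter blocks it because no SYN ever opened that session.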
Firewalls - Application Level Gateway (or Proxy)
Application Level Gateway
● Application specific gateway / proxy has full access to protocol
  – user requests service from proxy
  – proxy validates request as legal
  – acts on behalf of the user,
  – returns result to user
● need separate proxies for each service
  – some services naturally support proxying
  – others are more problematic
  – custom services generally not supported
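The four sub-bullets above are the request cycle of an application-level gateway: receive the user's request, validate it against knowledge of the protocol, perform it on the user's behalf, hand the result back. The following added example (written for this page, not code from the slides) does this for HTTP, the kind of service that “naturally supports proxying”. The allowed host, allowed methods and the stand-in backend are constructed assumptions; the point is that the proxy parses the whole request and rejects anything the policy does not recognise before the backend ever sees it.

```python
# Added example (not from the slides): a minimal application-level gateway for
# HTTP/1.x. The proxy parses the request head, validates it against an
# application-aware policy, then issues it to the backend on the user's behalf.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ALLOWED_METHODS = {"GET", "HEAD"}           # assumed policy
ALLOWED_HOSTS = {"www.example.com"}         # assumed policy (constructed host)
MAX_LINE = 4096                             # reject over-long request lines


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str]


class BadRequest(Exception):
    pass


def parse_request(raw: bytes) -> Request:
    """Parse an HTTP/1.x request head; anything malformed is rejected outright."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_LINE:
        raise BadRequest("request line too long")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise BadRequest("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("ascii", "replace").partition(":")
        if not colon or not name.strip():
            raise BadRequest("malformed header")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def validate(req: Request) -> Optional[str]:
    """Return a rejection reason, or None when the request is legal under policy."""
    if req.version not in ("HTTP/1.0", "HTTP/1.1"):
        return "unsupported version"
    if req.method not in ALLOWED_METHODS:
        return "method not permitted"
    if req.headers.get("host") not in ALLOWED_HOSTS:
        return "host not permitted"
    if not req.target.startswith("/") or "/../" in req.target or req.target.endswith("/.."):
        return "bad request target"
    return None


def proxy(raw: bytes, backend: Callable[[Request], bytes]) -> bytes:
    """The gateway's request cycle: parse, validate, act for the user, return."""
    try:
        req = parse_request(raw)
    except BadRequest as e:
        return f"HTTP/1.1 400 Bad Request\r\n\r\n{e}\r\n".encode()
    reason = validate(req)
    if reason is not None:
        return f"HTTP/1.1 403 Forbidden\r\n\r\n{reason}\r\n".encode()
    return backend(req)


def fake_backend(req: Request) -> bytes:
    """Stand-in for the real server (constructed; no network involved)."""
    return f"HTTP/1.1 200 OK\r\n\r\nserved {req.target}\r\n".encode()


if __name__ == "__main__":
    good = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(proxy(good, fake_backend).decode())
    print(proxy(b"POST /x HTTP/1.1\r\nHost: www.example.com\r\n\r\n", fake_backend).decode())
```

Because the gateway understands the protocol it can reject by method, host or target shape, which a packet filter looking only at addresses and ports cannot do; the cost is exactly what the slide says, a separate proxy like this for every service.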
Firewalls - Circuit Level Gateway
Circuit Level Gateway
● Relays two TCP connections
● Imposes security by limiting types of connections that are allowed
● Once created, usually relays traffic without examining contents
● Typically used with trusted internal users (by allowing general outbound connections)
● SOCKS (RFC 1928)
  – SOCKS server
  – SOCKS client library
  – SOCKSified versions of application programs
SOCKS
Bastion Host
● Highly secure host system
● Exposed to "hostile" elements
  – hence secured to withstand attacks
  – Trusted System
● May be single or multi-homed
● Enforce trusted separation between network connections
● Run circuit / application level gateways
● Provide externally accessible services
Firewall Configurations
● Screened Host – Single Homed Bastion Host
● Screened Host – Dual Homed Bastion Host
● Screened Subnet
Screened Host – Single Homed Bastion Host
Screened Host – Dual Homed Bastion Host
Screened-subnet Firewall
Access Control
● Given that system has identified a user
● Determine what resources they can access
● General model - access matrix
  – subject - active entity (user, process)
  – object - passive entity (file or resource)
  – access right – way object can be accessed
● can decompose by
  – columns as access control lists
  – rows as capability tickets
Access Control Matrix
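The slide says the access matrix can be decomposed by column (an access control list held with each object) or by row (a capability ticket held by each subject). The following added example, written for this page and not taken from the slides, builds a small constructed matrix, derives both decompositions from it, and checks that all three views give the same answer to every (subject, object, right) question. It goes one step beyond the slide by showing one consequence of the choice: revoking all access to an object touches one ACL but requires a scan over every subject's capability list.

```python
# Added example (not from the slides): an access matrix over constructed
# subjects and objects, decomposed into ACLs (columns) and capability
# tickets (rows), with a consistency check and an object revocation.
from collections import defaultdict

# Sparse access matrix: (subject, object) -> set of access rights.
# A missing entry means no access. All names and rights are constructed.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob", "report.txt"): {"read", "write", "own"},
    ("backup", "payroll.db"): {"read"},
    ("backup", "report.txt"): {"read"},
}
SUBJECTS = sorted({s for s, _ in MATRIX})
OBJECTS = sorted({o for _, o in MATRIX})
RIGHTS = ("read", "write", "own")


def to_acls(matrix):
    """Column view: each object carries its own list of (subject -> rights)."""
    acls = defaultdict(dict)
    for (s, o), rights in matrix.items():
        acls[o][s] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Row view: each subject carries its tickets (object -> rights)."""
    caps = defaultdict(dict)
    for (s, o), rights in matrix.items():
        caps[s][o] = set(rights)
    return dict(caps)


def allowed_by_matrix(matrix, subj, obj, right):
    return right in matrix.get((subj, obj), set())


def allowed_by_acl(acls, subj, obj, right):
    # the object's ACL is consulted when the subject tries to open the object
    return right in acls.get(obj, {}).get(subj, set())


def allowed_by_capability(caps, subj, obj, right):
    # the subject presents its ticket for the object
    return right in caps.get(subj, {}).get(obj, set())


def views_agree(matrix, acls, caps):
    """True when matrix, ACLs and capabilities answer every question alike."""
    return all(
        allowed_by_matrix(matrix, s, o, r)
        == allowed_by_acl(acls, s, o, r)
        == allowed_by_capability(caps, s, o, r)
        for s in SUBJECTS for o in OBJECTS for r in RIGHTS
    )


def revoke_object(matrix, acls, caps, obj):
    """Remove every subject's access to obj in all three representations.
    ACL side: drop one list. Capability side: scan every subject's tickets."""
    for key in [k for k in matrix if k[1] == obj]:
        del matrix[key]
    acls.pop(obj, None)
    for tickets in caps.values():
        tickets.pop(obj, None)


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("ACL of report.txt:", acls["report.txt"])
    print("capabilities of backup:", caps["backup"])
    print("views agree:", views_agree(MATRIX, acls, caps))
```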
Trusted Computer Systems
● Varying degrees of sensitivity of information
  – military classifications: confidential, secret, TS, etc
● Subjects (people or programs) have varying rights of access to objects (information)
● Need to consider ways of increasing confidence in systems to enforce these rights
● Multilevel security
  – subjects have maximum & current security level
  – objects have a fixed security level classification
Bell LaPadula (BLP) Model
● One of the well-known security models
● Implemented as mandatory policies on system
● Two key policies:
  – no read up (simple security property)
    ● a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
  – no write down (*-property)
    ● a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
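The two BLP properties above, together with the earlier slide's distinction between a subject's maximum and current security level, are small enough to write out exactly. The following added example (written for this page, not from the slides) uses a constructed linear ordering of the military classifications named earlier; subject and object names are constructed too. It checks read under the simple security property, append under the *-property, and read-write as both at once, which is only satisfiable when subject and object are at the same level; it also shows why the current level exists: a subject may lower it, never raise it above clearance, in order to write to a lower-classified object.

```python
# Added example (not from the slides): Bell-LaPadula access checks over a
# constructed linear ordering of classification levels. Subjects carry a
# maximum (clearance) and a current level; objects carry a fixed classification.
from dataclasses import dataclass
from typing import Optional

LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """Level a dominates level b when a >= b in the ordering."""
    return RANK[a] >= RANK[b]


@dataclass
class Subject:
    name: str
    max_level: str                      # clearance; the current level never exceeds it
    current_level: Optional[str] = None

    def __post_init__(self):
        if self.current_level is None:
            self.current_level = self.max_level
        if not dominates(self.max_level, self.current_level):
            raise ValueError("current level may not exceed clearance")

    def lower_to(self, level: str) -> None:
        """Operate at a lower level; raising above clearance is refused."""
        if not dominates(self.max_level, level):
            raise ValueError("cannot raise current level above clearance")
        self.current_level = level


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str                 # fixed for the object's lifetime


def may_read(s: Subject, o: Obj) -> bool:
    # simple security property (no read up):
    # the subject's current level must dominate the object's classification
    return dominates(s.current_level, o.classification)


def may_append(s: Subject, o: Obj) -> bool:
    # *-property (no write down):
    # the object's classification must dominate the subject's current level
    return dominates(o.classification, s.current_level)


def may_read_write(s: Subject, o: Obj) -> bool:
    # both properties at once: possible only at equal levels
    return may_read(s, o) and may_append(s, o)


def check(s: Subject, o: Obj, mode: str) -> bool:
    """Reference-monitor style entry point for 'read', 'append' or 'write'."""
    return {"read": may_read, "append": may_append, "write": may_read_write}[mode](s, o)


if __name__ == "__main__":
    alice = Subject("alice", "secret")
    for obj in (Obj("plans", "top secret"), Obj("ops", "secret"), Obj("memo", "confidential")):
        print(obj.name, {m: check(alice, obj, m) for m in ("read", "append", "write")})
```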