NCSU CSC (ECE) 574 - Firewalls
(Preview: pages 1-6 of 17.)

CSC 474/574 Information Systems Security, Dr. Peng Ning, Computer Science
Topic 7.4 Firewalls

Outline
• What are firewalls?
• Types
  – Filtering
    • Packet filtering
    • Session filtering
  – Proxy
    • Circuit level
    • Application level
• Brief introduction to Linux firewall

What is a firewall?
• Device that provides secure connectivity between networks (internal/external; varying levels of trust)
• Used to implement and enforce a security policy for communication between networks
[Figure: a firewall/router separating the Internet (untrusted networks, servers and users) from a DMZ of publicly accessible servers and networks and from the trusted intranet (trusted users)]

Firewalls
• From Webster's Dictionary: a wall constructed to prevent the spread of fire
• Internet firewalls are more the moat around a castle than a building firewall
• Controlled access point

Firewalls can:
• Restrict incoming and outgoing traffic by IP address, ports, or users
• Block invalid packets

Convenient
• Give insight into traffic mix via logging
• Network Address Translation
• Encryption

Firewalls Cannot Protect…
• traffic that does not cross it
  – routing around
  – internal traffic
• when misconfigured

Security Requirement
• Control access to network information and resources
• Protect the network from attacks
[Figure: Internet, DMZ net with a web server pool, and the corporate network; attacks raise ALERT!!; label "Access Control"]

Filtering
• Typically route packets
• Packets checked then passed
• Whether a packet is inbound or outbound determines when (at which interface) the policy is checked
• Client → Server
Filtering
• Packet filtering
  – Access Control Lists
• Session filtering
  – Dynamic Packet Filtering
  – Stateful Inspection
  – Smart packet filtering
  – Context Based Access Control

Filtering
• Fragmentation/reassembly
• Sequence number checking
• ICMP

Packet Filtering
• Decisions made on a per-packet basis
• No state information saved

Typical Configuration
• Ports > 1024 left open (so that replies to client connections, which use ephemeral ports, can get back in)
• If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work.
[Figure: OSI stacks of two end hosts with a packet-filtering router between them; the packet filter operates at the network layer, below transport, session, presentation and application]

Session Filtering
• Packet decision made in the context of a connection
• If packet is a new connection, check against security policy
• If packet is part of an existing connection, match it up in the state table & update table

Typical Configuration
• All denied unless specifically allowed
• Dynamic protocols (FTP, H.323, RealAudio, etc.) allowed only if supported
[Figure: OSI stacks of two end hosts with a session filter between them, holding dynamic state tables; it screens ALL attempts, protects all applications, extracts & maintains 'state' information, and makes an intelligent security/traffic decision]
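The contrast between the two "Typical Configuration" slides above (a stateless packet filter that must leave ports > 1024 open, versus a session filter that denies everything not opened through policy or found in its state table) as an added example in Python. This is illustration code written for this page, not from the slides: the address ranges, the policy and the packets are constructed, and the session filter simplifies real stateful inspection by tracking only the 4-tuple of each allowed connection and dropping non-first fragments instead of reassembling them.

```python
"""Toy stateless packet filter vs. stateful session filter (illustration only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")           # constructed: the trusted side
DMZ_WEB = (ip_address("192.0.2.10"), 80)      # constructed: publicly accessible web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False       # TCP SYN flag: a new connection attempt
    ack: bool = False
    frag_offset: int = 0    # > 0 means a non-first IP fragment: no TCP header present


def _internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def packet_filter(pkt: Packet) -> bool:
    """Stateless ACL: every packet is judged alone, no memory of earlier packets."""
    if pkt.frag_offset > 0:
        # No transport header to inspect, so a classic packet filter passes it.
        return True
    if _internal(pkt.src) and not _internal(pkt.dst):
        return True                               # outbound client traffic
    if (ip_address(pkt.dst), pkt.dport) == DMZ_WEB:
        return True                               # public web server
    if _internal(pkt.dst) and pkt.dport > 1024:
        # "Ports > 1024 left open" so that replies to client connections get back in.
        # This is the hole: any unsolicited packet to a high port also gets in.
        return True
    return False


class SessionFilter:
    """Stateful inspection: accept a packet if it matches the state table,
    or if it is a new connection that the security policy allows."""

    def __init__(self) -> None:
        self.table: set = set()     # entries are (src, sport, dst, dport)

    def _policy_allows_new(self, pkt: Packet) -> bool:
        if not pkt.syn or pkt.ack:
            return False            # only a bare SYN may create state
        if _internal(pkt.src) and not _internal(pkt.dst):
            return True             # internal clients may initiate outbound
        return (ip_address(pkt.dst), pkt.dport) == DMZ_WEB

    def accept(self, pkt: Packet) -> bool:
        if pkt.frag_offset > 0:
            return False            # simplification: no reassembly, so stray fragments are dropped
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True             # part of an existing connection
        if self._policy_allows_new(pkt):
            self.table.add(fwd)     # new connection: record it
            return True
        return False


def demo() -> dict:
    """Run the same constructed packets through both filters."""
    sf = SessionFilter()
    out_syn = Packet("10.1.2.3", "198.51.100.7", 40000, 443, syn=True)            # client opens HTTPS
    reply = Packet("198.51.100.7", "10.1.2.3", 443, 40000, syn=True, ack=True)    # server's SYN/ACK
    probe = Packet("203.0.113.9", "10.1.2.3", 55555, 3389, syn=True)              # unsolicited, port > 1024
    frag = Packet("203.0.113.9", "10.1.2.3", 0, 0, frag_offset=8)                 # non-first fragment
    seq = (out_syn, reply, probe, frag)
    return {
        "stateless": [packet_filter(p) for p in seq],   # [True, True, True, True]
        "stateful": [sf.accept(p) for p in seq],        # [True, True, False, False]
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter admits the unsolicited probe to port 3389 and the header-less fragment because it has no way to tell them from legitimate return traffic; the session filter admits the server's SYN/ACK only because the client's outbound SYN put an entry in its table.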
Proxy Firewalls
• Relay for connections
• Client → Proxy → Server
• Two flavors
  – Application level
  – Circuit level

Application Gateways
• Understands specific applications
  – Limited proxies available
  – Proxy 'impersonates' both sides of connection
• Resource intensive
  – process per connection
• HTTP proxies may cache web pages

Application Gateways
• More appropriate to TCP
• ICMP difficult
• Block all unless specifically allowed
• Must write a new proxy application to support new protocols
  – Not trivial!

Application Gateways
• Clients configured for proxy communication
• Transparent proxies
[Figure: application-layer gateway/proxy: per-protocol proxies (Telnet, HTTP, FTP) run at the application layer of the gateway, between the full OSI stacks of the two end hosts]

Circuit-Level Gateways
• Support more services than application-level gateway
  – less control over data
• Hard to handle protocols like FTP
• Clients must be aware they are using a circuit-level proxy
• Protect against fragmentation problem

SOCKS
• Circuit level gateway
• Supports TCP
• SOCKS v5 supports UDP, earlier versions did not
• See http://www.socks.nec.com

Comparison (lower is better for security & performance)
                 Security   Performance   Service support
Packet Filter    3          1             No dynamic w/o holes
Session Filter   2          2             Dependent on vendor for dynamic support
Circuit GW       2          3
App. GW          1          4             Typically < 20
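The SOCKS exchange that a circuit-level gateway performs (client greeting, server method choice, connect request, server reply) as an added example in Python, written for this page and not taken from the slides or from any SOCKS implementation. Message layouts follow RFC 1928 (SOCKS version 5): the gateway decides on the requested command and destination tuple only and never looks at the application data that follows, which is why the slides say it has "less control over data". The no-authentication method, the constructed `web_only` policy and the `allowed_cmds` set (used to model a gateway that, like pre-v5 SOCKS, has no UDP support) are assumptions of the example.

```python
"""SOCKS5 handshake, both sides, with a gateway-side policy check (illustration only)."""
import struct
from ipaddress import IPv4Address

VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods), *methods])


def server_method_choice(greeting: bytes) -> bytes:
    """VER | METHOD; 0xFF tells the client no offered method is acceptable."""
    ver, n = greeting[0], greeting[1]
    methods = greeting[2:2 + n]
    if ver != VER or len(methods) != n:
        raise ValueError("malformed greeting")
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def client_request(cmd: int, host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (port big-endian)."""
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except ValueError:                      # not a dotted quad: send the name, gateway resolves it
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req: bytes) -> tuple:
    ver, cmd, rsv, atyp = req[:4]
    if ver != VER or rsv != 0:
        raise ValueError("malformed request")
    if atyp == ATYP_IPV4:
        host, off = str(IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, off = req[5:5 + n].decode(), 5 + n
    else:
        raise ValueError("unsupported ATYP")      # IPv6 (0x04) left out of this example
    port, = struct.unpack("!H", req[off:off + 2])
    return cmd, host, port


def gateway_reply(req: bytes, allowed_cmds: set, policy) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT. The gateway sees only the
    command and destination tuple: this is the whole basis of its decision."""
    cmd, host, port = parse_request(req)
    if cmd not in allowed_cmds:
        rep = REP_CMD_UNSUPPORTED
    elif not policy(host, port):
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_OK
    bind = IPv4Address("0.0.0.0").packed + struct.pack("!H", 0)   # placeholder bind address
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + bind


def exchange(cmd: int, host: str, port: int, allowed_cmds: set, policy) -> int:
    """Run the four messages and return the gateway's REP code."""
    choice = server_method_choice(client_greeting())
    if choice[1] != NO_AUTH:
        raise RuntimeError("no acceptable authentication method")
    reply = gateway_reply(client_request(cmd, host, port), allowed_cmds, policy)
    return reply[1]


def web_only(host: str, port: int) -> bool:
    """Constructed gateway policy: any destination, but only the web ports."""
    return port in (80, 443)


def demo() -> dict:
    tcp_only = {CMD_CONNECT}     # constructed: a gateway without SOCKS v5 UDP support
    return {
        "https": exchange(CMD_CONNECT, "example.com", 443, tcp_only, web_only),          # REP_OK
        "telnet": exchange(CMD_CONNECT, "192.0.2.10", 23, tcp_only, web_only),           # REP_NOT_ALLOWED
        "udp": exchange(CMD_UDP_ASSOCIATE, "192.0.2.10", 53, tcp_only, web_only),        # REP_CMD_UNSUPPORTED
    }


if __name__ == "__main__":
    print({k: hex(v) for k, v in demo().items()})
```

Note what the gateway never sees: once `REP_OK` goes back, it relays bytes in both directions, so a protocol such as FTP, which opens a second connection negotiated inside the data stream, cannot be followed by this kind of relay without help from the client (the "SOCKS-ified" application mentioned in the comparison).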
Comparison (Cont'd)
                 Modify client applications?
Packet Filter    No
Session Filter   No
Circuit GW       Typical: SOCKS-ify client applications
App. GW          Unless transparent, client application must be proxy-aware & configured

Comparison (Cont'd)
                 ICMP    Fragmentation
Packet Filter    Yes     No
Session Filter   Yes     Maybe
Circuit GW               Yes (SOCKS v5)
App. GW          No      Yes

Linux Firewall: iptables
• History
  – ipfw
  – ipfwadm
  – ipchains
  – iptables
• Based on the netfilter framework

The