Cryptography and Network Security, Chapter 22
Fifth Edition, by William Stallings
Lecture slides by Lawrie Brown

Chapter 20 – Firewalls
"The function of a strong position is to make the forces holding it practically unassailable." (On War, Carl Von Clausewitz)

Introduction
- seen evolution of information systems
- now everyone wants to be on the Internet and to interconnect networks
- has persistent security concerns
- can't easily secure every system in an organisation
- typically use a Firewall to provide perimeter defence
- as part of a comprehensive security strategy

What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
  - only authorized traffic is allowed
- auditing and controlling access
  - can implement alarms for abnormal behavior
- provides NAT & usage monitoring
- implements VPNs using IPSec
- must be immune to penetration

What is a Firewall? (figure slide)

Firewall Limitations
- cannot protect from attacks bypassing it
  - eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
- cannot protect against internal threats
  - eg disgruntled or colluding employees
- cannot protect against access via WLAN
  - if improperly secured against external use
- cannot protect against malware imported via laptop, PDA or storage infected outside

Firewalls – Packet Filters
- simplest, fastest firewall component
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
- hence restrict access to services (ports)
- possible default policies
  - that which is not expressly permitted is prohibited
  - that which is not expressly prohibited is permitted

Firewalls – Packet Filters (figure slide)

Firewalls – Packet Filters (figure slide)

Attacks on Packet Filters
- IP address spoofing
  - fake source address to be trusted
  - add filters on router to block
- source routing attacks
  - attacker sets a route other than default
  - block source routed packets
- tiny fragment attacks
  - split header info over several tiny packets
  - either discard or reassemble before check

Firewalls – Stateful Packet Filters
- traditional packet filters do not examine higher layer context
  - ie matching return packets with outgoing flow
- stateful packet filters address this need
- they examine each IP packet in context
  - keep track of client-server sessions
  - check each packet validly belongs to one
- hence are better able to detect bogus packets out of context
- may even inspect limited application data

Firewalls - Application Level Gateway (or Proxy)
- have application specific gateway / proxy
- has full access to protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
- can log / audit traffic at application level
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic

Firewalls - Application Level Gateway (or Proxy) (figure slide)

Firewalls - Circuit Level Gateway
- relays two TCP connections
- imposes security by limiting which such connections are
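The packet-filter defences and the stateful session tracking described on the slides above, worked through as an added example (not from the slides or from Stallings' text): a toy default-deny firewall that drops spoofed internal sources arriving from outside, drops source-routed packets, drops tiny or header-overlapping fragments, and only passes inbound traffic that matches a session an inside client opened. The internal prefix, the permitted ports and the packets are constructed values.

```python
from dataclasses import dataclass, field

INTERNAL_NET = "10.0.0."      # constructed internal address prefix (assumption)
ALLOWED_OUTBOUND = {80, 443}  # default-deny policy: only these destination ports
TCP_HDR = 20                  # bytes of TCP header the first fragment must carry

@dataclass(frozen=True)
class Packet:
    iface: str                 # "ext" (outside) or "int" (inside): arrival interface
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    src_routed: bool = False   # IP source-route option present
    frag_offset: int = 0       # fragment offset in 8-byte units (IP header semantics)
    more_frags: bool = False
    length: int = 40           # bytes carried after the IP header (toy model keeps ports on every fragment)

@dataclass
class Firewall:
    sessions: set = field(default_factory=set)   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        # IP address spoofing: an internal source address can never arrive from outside
        if p.iface == "ext" and p.src.startswith(INTERNAL_NET):
            return "DROP spoofed source"
        # source routing attacks: block source-routed packets outright
        if p.src_routed:
            return "DROP source routed"
        # tiny fragment attacks: first fragment must hold the whole TCP header,
        # and no later fragment may start inside it (it could overwrite the ports)
        if p.frag_offset == 0 and p.more_frags and p.length < TCP_HDR:
            return "DROP tiny first fragment"
        if 0 < p.frag_offset * 8 < TCP_HDR:
            return "DROP overlapping fragment"
        # stateful filtering: every packet must belong to a known client-server session
        if p.iface == "int":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack and p.dport in ALLOWED_OUTBOUND:
                self.sessions.add(key)        # inside host opens a permitted session
                return "ACCEPT new session"
            return "ACCEPT established" if key in self.sessions else "DROP no session"
        key = (p.dst, p.dport, p.src, p.sport)  # reply: the inside host is the destination
        return "ACCEPT established" if key in self.sessions else "DROP no session"
```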


Webster U COSC 5130 - Firewalls