Screened-host firewall
Firewalls
Oluwatosin Oguntola
07034067944
Firewall Security systems
Perimeter security for networks
Internal separation of critical data
Device installed at the point where network connections enter a site
Organizations typically deploy a deny-all (default-deny) methodology: anything not explicitly permitted is blocked
The flip-side is the accept-all (default-allow) methodology, in which only what is explicitly blocked is denied
General features
Block access to particular sites on the internet
Limit traffic to relevant addresses and ports
Prevent certain users from accessing certain servers or
services
Monitor communication between an internal and external
network
Can be extended to protect against viruses and OS
exploitation attacks
Types
Router Packet filtering
Application firewall systems
Stateful inspection
Router Packet Filtering Firewalls
First generation firewalls
Here, a screening router examines the headers of packets travelling
between the internet and the corporate network
Packet headers carry information such as the IP addresses of the
sender and receiver and the port numbers.
From these the router infers which internet service (e.g. web or
FTP) the data belongs to,
and using this information it can prevent certain packets from
passing between the internet and the corporate network
Packet Filtering Firewalls – adv.
Very simple and stable
Operates at the network layer of the OSI model (addresses plus
transport-layer ports); it never looks at the payload
Simplicity is also a disadvantage, as it is very vulnerable to
improperly configured filters
Also, if a single packet filtering router is compromised, every
system on the private network may be compromised
Attacks against packet filtering.
IP spoofing:
The attacker fakes the source IP address of an internal network host
or of a trusted network host so that the filter treats the packet as friendly
Source routing specification:
The attacker uses the IP source-routing option to dictate the route the
packets take and so bypass the firewall rules. To do this, one must know
the IP address, subnet mask and default gateway settings of the filtering router.
Miniature fragment attack:
The attacker fragments the IP packet into pieces so small that the
transport header is split across them and pushes them through the
firewall, hoping that only the first fragment of the sequence is
examined and the others are passed unexamined.
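The three evasions above become concrete with a small model of a screening router. The Python below is an added example written for this page, not code from the original slides. It assumes a constructed topology (192.168.0.0/16 and 10.0.0.0/8 behind the router, a web server at 192.168.1.10) and constructed packets, and runs them through a naive header-only filter and a hardened one that adds ingress anti-spoofing, rejection of source-routed packets and the RFC 1858 fragment checks. The "ACK set means established" heuristic in both filters is the stateless shortcut that stateful inspection later replaces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Assumed topology (constructed for this example): the screening router's "outside"
# interface faces the internet; INTERNAL_NETS sit behind its "inside" interface.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
WEB_SERVER = "192.168.1.10"     # the one internal host the internet may open connections to
INTERNAL_HOST = "192.168.1.20"  # an internal host that must stay unreachable from outside

IPOPT_LSRR = 131     # Loose Source and Record Route option type (RFC 791)
IPOPT_SSRR = 137     # Strict Source and Record Route option type (RFC 791)
TCP_HEADER_LEN = 20  # bytes a first fragment must carry for ports *and* flags to be visible


@dataclass
class Packet:
    """Header fields a screening router can see (constructed, not a real capture)."""
    src: str
    dst: str
    proto: str
    iface: str                       # arrival interface: "outside" or "inside"
    ip_id: int                       # IP identification field, shared by all fragments of a datagram
    dport: Optional[int] = None      # None when the transport header is not in this fragment
    tcp_flags: Optional[str] = None  # e.g. "SYN ACK"; None when the flags byte is not present
    ip_options: Tuple[int, ...] = ()
    frag_offset: int = 0             # in 8-byte units, as carried in the IP header
    more_fragments: bool = False
    payload_len: int = 0             # bytes of IP payload carried by this fragment


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def naive_filter(pkt: Packet) -> bool:
    """First-generation screening: judge each packet's header fields in isolation.
    Policy: web traffic to WEB_SERVER, plus anything that does not look like a new
    inbound TCP connection (the pre-stateful 'ACK set means established' heuristic)."""
    if pkt.frag_offset > 0:
        return True  # no transport header to inspect, so the fragment is waved through
    if pkt.proto != "tcp":
        return False
    if pkt.dst == WEB_SERVER and pkt.dport in (80, 443):
        return True
    flags = pkt.tcp_flags or ""  # an 8-byte first fragment has no flags byte at all
    return "SYN" not in flags or "ACK" in flags


def hardened_filter(pkt: Packet, accepted_first: Set[Tuple[str, str, int]]) -> Tuple[bool, str]:
    """Same policy with the three evasions from the slides closed off."""
    # IP spoofing: an internal or loopback source cannot legitimately arrive from the internet.
    if pkt.iface == "outside" and is_internal(pkt.src):
        return False, "anti-spoofing: internal source address on the outside interface"
    # Source routing: never honour a sender-specified route.
    if any(opt in (IPOPT_LSRR, IPOPT_SSRR) for opt in pkt.ip_options):
        return False, "source-routed packet"
    # Tiny fragments (RFC 1858): offset 1 would overwrite the flags of the first fragment ...
    if pkt.frag_offset == 1:
        return False, "fragment offset 1 overlaps the TCP header"
    # ... and later fragments pass only if their first fragment was accepted.
    if pkt.frag_offset > 1:
        if (pkt.src, pkt.dst, pkt.ip_id) in accepted_first:
            return True, "continuation of an accepted datagram"
        return False, "non-first fragment with no accepted first fragment"
    # Offset 0: the transport header must be complete before any rule is evaluated.
    if pkt.more_fragments and pkt.payload_len < TCP_HEADER_LEN:
        return False, "first fragment too small to carry the full TCP header"
    if pkt.proto != "tcp" or pkt.tcp_flags is None:
        return False, "protocol not permitted or transport header incomplete"
    if pkt.dst == WEB_SERVER and pkt.dport in (80, 443):
        allowed = True
    else:
        allowed = "SYN" not in pkt.tcp_flags or "ACK" in pkt.tcp_flags
    if allowed and pkt.more_fragments:
        accepted_first.add((pkt.src, pkt.dst, pkt.ip_id))
    return allowed, "matched policy" if allowed else "new inbound connection to an internal host"


def demo():
    """Run constructed packets through both filters; returns {name: (naive, hardened)}."""
    outside = "203.0.113.7"  # internet-side sender (documentation range)
    cases = [
        ("spoofed_internal_source", Packet("192.168.1.50", WEB_SERVER, "tcp", "outside", 1, 80, "SYN")),
        ("source_routed", Packet(outside, WEB_SERVER, "tcp", "outside", 2, 80, "SYN", (IPOPT_LSRR,))),
        # 8-byte first fragment: ports visible, but the flags byte is pushed into the next fragment
        ("tiny_first_fragment", Packet(outside, INTERNAL_HOST, "tcp", "outside", 3, 23, None, (), 0, True, 8)),
        ("tiny_second_fragment", Packet(outside, INTERNAL_HOST, "tcp", "outside", 3, None, None, (), 1, False, 32)),
        ("legit_https", Packet(outside, WEB_SERVER, "tcp", "outside", 4, 443, "SYN")),
        ("legit_fragment_first", Packet(outside, WEB_SERVER, "tcp", "outside", 5, 443, "ACK PSH", (), 0, True, 40)),
        ("legit_fragment_rest", Packet(outside, WEB_SERVER, "tcp", "outside", 5, None, None, (), 5, False, 40)),
    ]
    seen: Set[Tuple[str, str, int]] = set()
    return {name: (naive_filter(pkt), hardened_filter(pkt, seen)[0]) for name, pkt in cases}
```

Every evasion passes the naive filter and is dropped by the hardened one, while plain and fragmented HTTPS to the web server pass both; the tiny second fragment is the one that would have carried the SYN to port 23 past the router.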
Application Level Firewalls
Application and Circuit level firewalls
Provide greater protection capabilities
Where packet filtering allows packets to flow directly between
internal and external systems, A&C firewalls let information flow
without any direct exchange of packets: the gateway terminates the
connection and opens its own
Application-level gateways work at the application layer of the OSI
model; circuit-level gateways relay TCP connections at the session
layer without interpreting the application data
Application level gateway analyzes packets through a set of
proxies – one for each service
Circuit-level gateways are generally more efficient, since they do
not parse application data
Both employ the concept of the bastion host: a heavily fortified
single host that handles all incoming requests, making it easier to
maintain security and track attacks.
Pretty much like a fuse.
Application-level firewalls are set up as proxies
Advantages include hiding the internal network (only the proxy's
address is seen from outside).
Disadvantages are poor performance and scalability as internet
usage grows
Stateful Inspection Firewalls
Keeps a state table of the connections opened from the organization's
network (source and destination addresses and ports, and the TCP
state of each)
When a packet arrives from outside, it is checked against the table
to confirm it is a response to a tracked connection; unsolicited
packets are dropped
Advantages: controls the flow of IP traffic by matching information
contained in the headers of connection-oriented or connectionless IP
packets at the transport layer, rather than judging each packet in isolation
Disadvantages include being more difficult to administer
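The state table described above, as an added example (not code from the slides). The Python below assumes a single flat internal network 192.168.1.0/24 and constructed traffic: an internal client opens an HTTPS session, and the firewall admits the server's replies only because it recorded the outbound SYN. An unsolicited SYN, an "ACK scan" that a stateless ACK-flag heuristic would have passed, a reply aimed at the wrong client port and a reply that arrives after the idle timeout are all refused.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumption (constructed for this example): one flat internal network behind the firewall.
INSIDE_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # space-separated TCP flags, e.g. "SYN ACK"; empty for UDP


FlowKey = Tuple[str, int, str, int, str]  # (initiator, its port, responder, its port, proto)


class StatefulInspector:
    """Connection tracking: outbound connections are recorded, and inbound packets are
    admitted only when they match a recorded connection in the expected state."""

    def __init__(self, idle_timeout: float = 60.0):
        self.connections: Dict[FlowKey, Tuple[str, float]] = {}  # key -> (state, last seen)
        self.idle_timeout = idle_timeout

    @staticmethod
    def _forward_key(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse_key(pkt: Packet) -> FlowKey:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, last) in self.connections.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.connections[k]

    def process(self, pkt: Packet, now: float) -> Tuple[bool, str]:
        self._expire(now)
        flags = set(pkt.flags.split())
        if pkt.src.startswith(INSIDE_PREFIX):
            return self._outbound(pkt, flags, now)
        return self._inbound(pkt, flags, now)

    def _outbound(self, pkt: Packet, flags: set, now: float) -> Tuple[bool, str]:
        key = self._forward_key(pkt)
        if key in self.connections:
            if "RST" in flags:
                del self.connections[key]
                return True, "outbound reset, connection removed"
            state, _ = self.connections[key]
            self.connections[key] = (state, now)
            return True, "outbound packet in tracked connection"
        # Policy: inside may open connections anywhere, but only a SYN (or a UDP datagram)
        # may create state; a stray ACK with no connection behind it is invalid.
        if pkt.proto == "tcp" and flags != {"SYN"}:
            return False, "outbound tcp packet that belongs to no tracked connection"
        self.connections[key] = ("SYN_SENT" if pkt.proto == "tcp" else "ACTIVE", now)
        return True, "new outbound connection recorded"

    def _inbound(self, pkt: Packet, flags: set, now: float) -> Tuple[bool, str]:
        key = self._reverse_key(pkt)
        if key not in self.connections:
            return False, "unsolicited inbound packet"  # whatever flags it carries
        state, _ = self.connections[key]
        if pkt.proto == "tcp":
            if "RST" in flags:
                del self.connections[key]
                return True, "inbound reset, connection removed"
            if state == "SYN_SENT":
                if flags >= {"SYN", "ACK"}:
                    self.connections[key] = ("ESTABLISHED", now)
                    return True, "handshake reply accepted"
                return False, "expected SYN/ACK while in SYN_SENT"
        self.connections[key] = (state, now)
        return True, "reply in tracked connection"


def demo() -> Dict[str, bool]:
    """Constructed traffic: one legitimate outbound HTTPS session plus inbound probes."""
    fw = StatefulInspector(idle_timeout=60.0)
    client, server, attacker = ("192.168.1.20", 51000), ("198.51.100.9", 443), ("203.0.113.7", 4444)
    t = 1000.0

    def run(pkt: Packet, at: float) -> bool:
        return fw.process(pkt, at)[0]

    return {
        "client_syn_out": run(Packet(*client, *server, "tcp", "SYN"), t),
        "server_synack_in": run(Packet(*server, *client, "tcp", "SYN ACK"), t + 0.05),
        "client_ack_out": run(Packet(*client, *server, "tcp", "ACK"), t + 0.1),
        "unsolicited_syn_in": run(Packet(*attacker, "192.168.1.20", 22, "tcp", "SYN"), t + 1),
        "ack_scan_in": run(Packet(*attacker, "192.168.1.20", 22, "tcp", "ACK"), t + 2),
        "reply_to_wrong_port_in": run(Packet(*server, "192.168.1.20", 51001, "tcp", "ACK"), t + 3),
        "data_in_established": run(Packet(*server, *client, "tcp", "ACK PSH"), t + 5),
        "data_after_idle_timeout": run(Packet(*server, *client, "tcp", "ACK PSH"), t + 125),
        "table_empty_after_timeout": len(fw.connections) == 0,
    }
```

The idle timeout is what keeps the table from growing without bound; the price is that a connection silent for longer than the timeout is cut off, which is the administration burden the slide alludes to.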
Firewall implementations
Firewall issues
Creates a false sense of security
Misconfigured firewalls may allow unknown and dangerous
services to pass freely
Policies may not be appropriately applied and reviewed
Can be circumvented through the use of modems which
connect users directly to ISPs
Most packet filters operate at the network layer, so they cannot stop
application-based attacks
Firewall platforms
Hardware-based firewalls provide better performance and
minimal system overhead
Software-based firewalls are more flexible and scalable,
although they are slower and impose significant overhead
Appliance-type firewalls are faster and easier to recover, since
they run on a hardened, purpose-built operating system.
Intrusion detection systems
Works in conjunction with firewalls by monitoring network usage
for anomalies.
Notifies an administrator of perceived threats
Categories of IDS
Network Based – identify attacks within the monitored
network and issue warnings to the operator. Can be placed
between the internet and firewall or between the firewall and
corporate network. It is not a substitute for a firewall, but
complements the firewall.
Host Based – configured for a specific environment and to
monitor internal resources. They can detect the modification
of an executable program, deletion of files and issue a
warning when a privileged command is being run.
Components of an IDS
Signature based – detect known intrusion patterns, which are stored
in the form of signatures; attacks with no signature are missed.
Statistical based – need a comprehensive definition (a baseline) of the
known and expected behaviour of systems, and flag deviations from it.
Neural networks – monitor the general patterns of activity and traffic
on a network and build a database. Similar to statistical, but with
self-learning functionality.
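The signature and statistical components side by side, as an added example (not code from the slides). The Python below parses web-server access log lines in Common Log Format, matches the URL-decoded request path against a few constructed signatures, and learns a requests-per-source baseline from a clean window so that a source far above the baseline mean in the observed window is flagged. All log lines are constructed for the example; the source addresses come from the documentation ranges.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Common Log Format, e.g.
# 198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signature component: known attack patterns, matched against the URL-decoded request path.
SIGNATURES = [
    ("directory traversal", re.compile(r"(\.\./){2,}")),
    ("sql injection", re.compile(r"union\s+select|'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("sensitive file access", re.compile(r"/etc/(passwd|shadow)|/\.git/|wp-config\.php", re.IGNORECASE)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, signature name, decoded path) for every line matching a signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote(rec["path"])  # decode %2e%2e%2f and friends before matching
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append((rec["src"], name, path))
    return alerts


def rate_alerts(baseline: List[str], window: List[str], z: float = 3.0) -> List[Tuple[str, int, float]]:
    """Statistical component: learn requests-per-source from a clean baseline window and flag
    sources in the observed window more than z standard deviations above the baseline mean."""
    base_counts = Counter(rec["src"] for rec in map(parse_line, baseline) if rec)
    mean = statistics.mean(base_counts.values())
    spread = statistics.pstdev(base_counts.values())
    threshold = mean + z * max(spread, 1.0)  # floor the spread so a flat baseline is not hair-trigger
    seen_counts = Counter(rec["src"] for rec in map(parse_line, window) if rec)
    return [(src, n, threshold) for src, n in seen_counts.items() if n > threshold]


def mk(src: str, path: str, status: int = 200) -> str:
    """Build one constructed log line (no real traffic was used)."""
    return f'{src} - - [10/Oct/2023:13:55:00 +0000] "GET {path} HTTP/1.1" {status} 512'


NORMAL_PATHS = ["/", "/index.html", "/about", "/static/app.js", "/contact"]
BASELINE = [
    mk(src, NORMAL_PATHS[i % len(NORMAL_PATHS)])
    for src, n in [("192.0.2.10", 3), ("192.0.2.11", 4), ("192.0.2.12", 5), ("192.0.2.13", 4)]
    for i in range(n)
]
ATTACK_PATHS = [
    "/static/../../../../etc/passwd",
    "/login?user=admin'%20OR%20'1'='1",
    "/search?q=1%20UNION%20SELECT%20password%20FROM%20users",
    "/.git/config",
] + [f"/admin{i}" for i in range(8)]  # a burst of probing to trip the rate detector
WINDOW = [mk("192.0.2.10", p) for p in NORMAL_PATHS] + [mk("203.0.113.7", p, 404) for p in ATTACK_PATHS]


def demo():
    """Returns (signature alerts, rate alerts) for the constructed observed window."""
    return signature_alerts(WINDOW), rate_alerts(BASELINE, WINDOW)
```

The two components fail differently: the signatures catch the four known-bad requests regardless of volume, while the rate detector catches the probing burst without knowing anything about its content, and would equally flag a legitimate client that suddenly became busy.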
Features
Intrusion detection
Evidence collection on intrusive activity
Automated response
Security policy
Interfaces with system tools
Security policy management
Limitations
An IDS can’t help with the following weaknesses:
Policy definition weaknesses
Application level vulnerabilities
Back-doors into applications
Weaknesses in Identification and Authentication schemes
Intrusion Prevention Systems
Closely related to IDS
Not only detect, but also prevent
Helps in limiting damage done to systems that are attacked
Must be properly configured and tuned to be effective
Threshold settings too high or low will lead to limited
effectiveness
Can be targeted with fake attacks that leave them dysfunctional, e.g.
by provoking automated responses that block legitimate traffic.
Examples of Firewall Implementations
Screened-host firewall: uses a packet filtering router and a bastion
host, i.e. implements network-layer as well as application-level
security. This means that an intruder would have to penetrate two
separate systems before reaching the private network.
Bastion Host
A bastion host is a special purpose computer on a network
specifically designed and configured to withstand attacks. The
computer generally hosts a single application, for example a
proxy server, and all other services are removed or limited to
reduce the threat to the computer. It is hardened in this
manner primarily due to its location and purpose, which is
either on the outside of the firewall or in the DMZ and
usually involves access from untrusted networks or
computers
Screened Host
A bastion host connected to the private network, with a packet
filtering router between the internet and the bastion host.
The router's filtering rules allow inbound traffic to reach only the
bastion, which in turn blocks access to the internal systems
Examples of Firewall Implementations
Dual-homed firewall:
a firewall system that has two or more network interfaces, one for
each of the separate networks it faces. It is a more restrictive
form of the screened-host firewall in which a dual-homed bastion
host is configured with one interface for the information servers
and another for the private network; packets are not routed directly
between the interfaces, so traffic must pass through the host's proxies
DMZ or screened-subnet firewall:
uses two packet filtering routers and a bastion host, and creates
the most secure of these firewall configurations.
The DMZ is a small isolated network between the two routers for an
organization’s public servers, bastion host, information servers
and modem pools.
Key benefits: an intruder must penetrate three separate devices;
private network addresses are not disclosed to the internet; and
internal systems do not have direct access to the web (they go
through the bastion host)
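The screened-subnet rule sets, as an added example (not configuration from the slides). The Python below models the exterior router, the DMZ and the interior router with first-match access lists and default drop, then walks constructed packets along the path they would take. The addressing is assumed: the DMZ uses 203.0.113.0/24 with the bastion proxy at .5 and the public web server at .10, the private network is 192.168.1.0/24, and the internal hosts reach the web only via the proxy on port 3128. The rules cover connection-initiating packets; return traffic would be admitted by connection tracking, which is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed addressing (constructed for this example; the slide gives none).
DMZ = ipaddress.ip_network("203.0.113.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
BASTION = "203.0.113.5"   # application-level proxy the internal hosts must use
WEB = "203.0.113.10"      # public web server living in the DMZ


def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(addr + "/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "accept" or "drop"

    def matches(self, in_if: str, out_if: str, pkt: Packet) -> bool:
        return (self.in_if == in_if and self.out_if == out_if
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# Anything not listed falls to the default drop of each router.
EXTERIOR_ROUTER = [
    Rule("wan", "dmz", ANY, host(WEB), "tcp", 80, "accept"),
    Rule("wan", "dmz", ANY, host(WEB), "tcp", 443, "accept"),
    Rule("dmz", "wan", host(BASTION), ANY, "tcp", 80, "accept"),   # proxy fetches on behalf of the LAN
    Rule("dmz", "wan", host(BASTION), ANY, "tcp", 443, "accept"),
]
INTERIOR_ROUTER = [
    Rule("lan", "dmz", LAN, host(BASTION), "tcp", 3128, "accept"),  # LAN may talk only to the proxy
]


def segment(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return "lan" if ip in LAN else "dmz" if ip in DMZ else "wan"


# Which routers a packet crosses, in order, with the interfaces it enters and leaves on.
HOPS: Dict[Tuple[str, str], List[Tuple[str, List[Rule], str, str]]] = {
    ("wan", "dmz"): [("exterior", EXTERIOR_ROUTER, "wan", "dmz")],
    ("wan", "lan"): [("exterior", EXTERIOR_ROUTER, "wan", "dmz"), ("interior", INTERIOR_ROUTER, "dmz", "lan")],
    ("lan", "wan"): [("interior", INTERIOR_ROUTER, "lan", "dmz"), ("exterior", EXTERIOR_ROUTER, "dmz", "wan")],
    ("lan", "dmz"): [("interior", INTERIOR_ROUTER, "lan", "dmz")],
    ("dmz", "wan"): [("exterior", EXTERIOR_ROUTER, "dmz", "wan")],
    ("dmz", "lan"): [("interior", INTERIOR_ROUTER, "dmz", "lan")],
}


def forward(pkt: Packet) -> Tuple[bool, str]:
    """Walk the packet through every router on its path; first matching rule wins, default drop."""
    for router, rules, in_if, out_if in HOPS.get((segment(pkt.src), segment(pkt.dst)), []):
        verdict = next((r.action for r in rules if r.matches(in_if, out_if, pkt)), "drop")
        if verdict != "accept":
            return False, f"dropped by {router} router ({in_if} -> {out_if})"
    return True, "delivered"


def demo() -> Dict[str, bool]:
    """Constructed probes covering the three benefits claimed for the screened subnet."""
    internet, lan_host = "198.51.100.9", "192.168.1.20"
    cases = {
        "internet_to_lan_ssh": Packet(internet, lan_host, "tcp", 22),
        "internet_to_dmz_web": Packet(internet, WEB, "tcp", 443),
        "internet_to_bastion_proxy": Packet(internet, BASTION, "tcp", 3128),
        "lan_direct_to_internet": Packet(lan_host, internet, "tcp", 443),
        "lan_to_bastion_proxy": Packet(lan_host, BASTION, "tcp", 3128),
        "bastion_to_internet": Packet(BASTION, internet, "tcp", 443),
        "compromised_web_to_lan_smb": Packet(WEB, lan_host, "tcp", 445),
    }
    return {name: forward(pkt)[0] for name, pkt in cases.items()}
```

The last case is the containment argument: even after the public web server in the DMZ is taken over, the interior router has no rule from the DMZ into the LAN, so the intruder is still one device short of the private network.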
Honeypots and Honeynets
A software application that pretends to be a vulnerable server on the
internet and is not set up to actively prevent break-ins.
Rather, it acts as a decoy to lure attackers and is most valuable
when it is targeted.
Types of honeypots
High-interaction – give attackers a real environment to attack, so
they reveal the most about attacker behaviour
Low-interaction – emulate a limited set of services of a production
environment and as such provide limited information.
An IDS triggers a virtual alarm when an attacker breaches the
security of any of the networked computers.
Some Terms
Data Owner – generally managers and directors responsible
for using the information to run and control the business.
Security responsibilities include;
Authorizing access
Ensuring access rules are updated when personnel changes
occur
Regularly reviewing access rules for their data
Data Custodians – responsible for storing and safeguarding the
data; they include ITS personnel such as systems analysts and
computer operators
Security Admin – provides adequate physical and logical
security for IS programs, data and equipment
New Users – Pg 370
Data Users – include internal and external users. Their access
level should be authorized by a --------------- and
restricted/monitored by a ---------------