Types of Firewalls
UNIT - 5
Password Management
Firewall Design Principles
NETWORK SECURITY By: Homera Durani
PASSWORD PROTECTION
User ID and password:
  The user is authorized to gain access to the system
  Privileges are accorded to the user
  Discretionary access control
PASSWORD PROTECTION
Unix system: each entry holds (user ID, ciphertext password, plaintext salt)
Password: 8 printable characters, giving a 56-bit value (7-bit ASCII)
The encryption routine crypt(3) is based on DES
Modified DES algorithm with a 12-bit salt value (related to the time of password assignment)
25 encryptions with a 64-bit block of zeros as input
The 64-bit output is stored as an 11-character sequence
LOADING A NEW PASSWORD
(figure)
PASSWORD PROTECTION
Purposes of the salt:
  Prevents duplicate passwords from being visible
  Effectively increases password length without the user needing to remember 2 additional characters (number of possible passwords increased by a factor of 4096)
  Prevents use of a hardware DES implementation for a brute-force guessing attack
OBSERVED PASSWORD LENGTHS IN A PURDUE STUDY
(figure)
PASSWORDS CRACKED FROM A SAMPLE SET
(figure, annotated "easy pickin's")
ACCESS CONTROL
One method: deny access to the password file
  Systems are susceptible to unanticipated break-ins
  An accident in protection may render the password file readable, compromising all accounts
  Users have accounts in other protection domains using the same passwords
ACCESS CONTROL
Goal: eliminate guessable passwords while allowing the user to select a password that is memorable
Answer: force users to select passwords that are difficult to guess
PASSWORD SELECTION STRATEGIES (BASIC TECHNIQUES)
User education
  Users may ignore the guidelines
Computer-generated passwords
  Poor acceptance by users
  Passwords are difficult to remember
PASSWORD SELECTION STRATEGIES
Reactive password checking
  The system runs its own password cracker
  Resource intensive
  Existing passwords remain vulnerable until the reactive checker finds them
Proactive password checking
  Password selection is guided by the system
  Strike a balance between user accessibility and strength
  May provide guidance to password crackers (what not to try)
  Dictionary of bad passwords (space and time problem)
PROACTIVE PASSWORD CHECKER
There are two techniques currently in use:
  Markov model – search for guessable passwords
  Bloom filter – search in a password dictionary
MARKOV MODEL
Transition probability: the probability that character b follows character a
M = {states, alphabet, transition probabilities, order}
MARKOV MODEL
"Is this a bad password?" is the same question as "Was this password generated by this Markov model?"
Passwords that are likely to be generated by the model are rejected
Good results for a second-order model
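The following is an added example, not code from the slides: a second-order Markov checker of the kind described above, trained on a small constructed list of guessable passwords that stands in for a cracker dictionary. The additive smoothing, the pseudo-count and the rejection threshold are assumptions chosen for this illustration.

```python
from collections import Counter, defaultdict
from math import log

# Constructed sample of guessable passwords standing in for a real cracker dictionary.
BAD_PASSWORDS = ["password", "letmein", "welcome", "monkey", "dragon", "master",
                 "sunshine", "princess", "football", "baseball", "superman",
                 "shadow", "qwerty", "iloveyou", "trustno1", "passw0rd"]

class MarkovChecker:
    """Order-k Markov model M = {states, alphabet, prob, order} trained on bad passwords.

    A state is the previous k characters; '^' pads the start and '$' marks the end,
    so word boundaries are learned as well.
    """
    def __init__(self, words, order=2, alphabet="abcdefghijklmnopqrstuvwxyz0123456789",
                 pseudo_count=0.1, threshold=-2.5):
        self.order, self.alphabet = order, alphabet
        self.pseudo, self.threshold = pseudo_count, threshold
        self.counts = defaultdict(Counter)      # state -> Counter of next characters
        for w in words:
            padded = "^" * order + w.lower() + "$"
            for i in range(order, len(padded)):
                self.counts[padded[i - order:i]][padded[i]] += 1

    def prob(self, state, c):
        """Probability that c follows the state, with additive smoothing (assumed choice)."""
        row = self.counts.get(state, Counter())
        vocab = len(self.alphabet) + 1          # alphabet plus the end marker
        return (row[c] + self.pseudo) / (sum(row.values()) + self.pseudo * vocab)

    def per_char_log_prob(self, pw):
        """Average log-probability per transition: how likely the model is to generate pw."""
        padded = "^" * self.order + pw.lower() + "$"
        total = sum(log(self.prob(padded[i - self.order:i], padded[i]))
                    for i in range(self.order, len(padded)))
        return total / (len(pw) + 1)

    def is_bad(self, pw):
        """Reject passwords the model would plausibly generate (score above threshold)."""
        return self.per_char_log_prob(pw) > self.threshold

CHECKER = MarkovChecker(BAD_PASSWORDS)
```

A candidate from the training dictionary scores far above the threshold and is rejected, while a string of characters the model has never seen in sequence scores below it and is accepted.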
BLOOM FILTER
A probabilistic algorithm to quickly test membership in a large set, using multiple hash functions into a single array of bits
Developed in 1970 but not used for about 25 years
Used to find words in a dictionary; also used for web caching
Small probability of false positives, which can be reduced by choosing k, the number of hash functions
BLOOM FILTER
A vector v of N bits
k independent hash functions, each with range 0 to N-1
For each element x, compute the hash functions H1(x), H2(x) ... Hk(x)
Set the corresponding bits to 1
Note: a bit in the resulting vector may be set to 1 multiple times
(figure: bit vector v of N bits; element x hashed to positions H1(x)=P1, H2(x)=P2, H3(x)=P3, H4(x)=P4, each set to 1)
BLOOM FILTER
To query for the existence of an entry x, compute H1(x), H2(x) ... Hk(x) and check whether the bits at the corresponding locations are 1
If not, x is definitely not a member
Otherwise there may be a false positive (a password not in the dictionary that nevertheless matches in the bit vector). The probability of a false positive can be reduced by choosing k and N
PERFORMANCE OF BLOOM FILTER
Dictionary of 1 million words with 0.01 probability of (falsely) rejecting a password
We need a hash table of 9.6 x 10^6 bits
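An added example, not code from the slides, covering the insert/query procedure and the sizing figure above: a Bloom filter over a bit vector of N bits with k hash functions, plus the standard sizing formula N = -n ln(p) / (ln 2)^2 and k = (N/n) ln 2, which for n = 1 million words and p = 0.01 gives the 9.6 x 10^6 bits quoted. The hash family (SHA-256 with a per-function index byte) is a constructed choice.

```python
import hashlib
from math import ceil, exp, log

class BloomFilter:
    """Bit vector v of N bits with k hash functions H1..Hk, each with range 0..N-1."""
    def __init__(self, n_bits, k):
        self.n_bits, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, item):
        # Constructed hash family: SHA-256 over a one-byte function index plus the item,
        # reduced mod N.  Any k independent hash functions would do.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n_bits

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)       # a bit may be set to 1 more than once

    def __contains__(self, item):
        # A single 0 bit proves non-membership; all 1s means member or false positive.
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(item))

def size_for(n_items, fp_rate):
    """N bits and k hash functions giving about fp_rate false positives after n_items inserts."""
    n_bits = ceil(-n_items * log(fp_rate) / log(2) ** 2)
    k = max(1, round(n_bits / n_items * log(2)))
    return n_bits, k

def expected_false_positive_rate(n_bits, k, n_items):
    """(1 - e^(-k*n/N))^k, assuming the k hash functions are independent."""
    return (1 - exp(-k * n_items / n_bits)) ** k

def build_dictionary_filter(words, fp_rate=0.01):
    """Load a password dictionary into a filter sized for the requested false-positive rate."""
    bf = BloomFilter(*size_for(len(words), fp_rate))
    for w in words:
        bf.add(w)
    return bf
```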
FIREWALL
OUTLINE
Firewall Design Principles
Firewall Characteristics
Types of Firewalls
Firewall Configurations
FIREWALLS
An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet
FIREWALL DESIGN PRINCIPLES
Information systems undergo a steady evolution (from small LANs to Internet connectivity)
Strong security features for all workstations and servers are not established
FIREWALL DESIGN PRINCIPLES
The firewall is inserted between the premises network and the Internet
Aims:
  Establish a controlled link
  Protect the premises network from Internet-based attacks
  Provide a single choke point
FIREWALL CHARACTERISTICS
Design goals:
  All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  Only authorized traffic (defined by the local security policy) will be allowed to pass
  The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
FIREWALL CHARACTERISTICS
Four general techniques:
  Service control: determines the types of Internet services that can be accessed, inbound or outbound
  Direction control: determines the direction in which particular service requests are allowed to flow
  User control: controls access to a service according to which user is attempting to access it
  Behavior control: controls how particular services are used (e.g. filter e-mail)
TYPES OF FIREWALLS
Three common types of firewalls:
  Packet-filtering routers
  Application-level gateways
  Circuit-level gateways
  (Bastion host)
TYPES OF FIREWALLS
Packet-filtering Router
  Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  Filters packets going in both directions
  The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  Two default policies (discard or forward)
TYPES OF FIREWALLS
Advantages:
  Simplicity
  Transparency to users
  High speed
Disadvantages:
  Difficulty of setting up packet filter rules
  Lack of authentication
TYPES OF FIREWALLS
Possible attacks and appropriate countermeasures:
  IP address spoofing
  Source routing attacks
  Tiny fragment attacks
TYPES OF FIREWALLS
Application-level Gateway
  Also called a proxy server
  Acts as a relay of application-level traffic
TYPES OF FIREWALLS
Advantages:
  Higher security than packet filters
  Only need to scrutinize a few allowable applications
  Easy to log and audit all incoming traffic
Disadvantages:
  Additional processing overhead on each connection (gateway as splice point)
TYPES OF FIREWALLS
Circuit-level Gateway
  Either a stand-alone system or a specialized function performed by an application-level gateway
  Sets up two TCP connections
  The gateway typically relays TCP segments from one connection to the other without examining the contents
TYPES OF FIREWALLS
Circuit-level Gateway
  The security function consists of determining which connections will be allowed
  Typical use is a situation in which the system administrator trusts the internal users
  An example is the SOCKS package
TYPES OF FIREWALLS
Bastion Host
  A system identified by the firewall administrator as a critical strong point in the network's security
  The bastion host serves as a platform for an application-level or circuit-level gateway
FIREWALL CONFIGURATIONS
In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
Three common configurations
FIREWALL CONFIGURATIONS
Screened host firewall system (single-homed bastion host)
Screened host firewall, single-homed bastion configuration
The firewall consists of two systems:
  A packet-filtering router
  A bastion host
Configuration for the packet-filtering router:
  Only packets from and to the bastion host are allowed to pass through the router
The bastion host performs authentication and proxy functions
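An added example, not from the slides or any real product, serving both the packet-filtering router slides (rule list matched against IP/TCP header fields, with a default policy) and the screened-host configuration above: the router passes only packets to or from the bastion host, and a first rule implements the usual countermeasure to the IP address spoofing attack listed earlier (an internal source address must never arrive on the external interface). Addresses use the 192.0.2.0/24 documentation prefix and are constructed; the service ports are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    """Header fields the filter matches on (constructed for this example)."""
    iface: str                 # interface the packet arrived on: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                # "forward" or "discard"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    def matches(self, p):
        return (self.iface in ("any", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

class PacketFilter:
    """Rules are tried in order; the first match decides, otherwise the default policy applies."""
    def __init__(self, rules, default="discard"):
        self.rules, self.default = rules, default
    def decide(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

INTERNAL = "192.0.2.0/24"      # premises network (documentation prefix, constructed)
BASTION = "192.0.2.10/32"      # single-homed bastion host on that network

SCREENED_HOST_RULES = [
    # Countermeasure to IP address spoofing: an internal source address cannot arrive from outside
    Rule("discard", iface="ext", src=INTERNAL),
    # From the Internet, only packets destined for the bastion host's proxies are allowed in
    Rule("forward", iface="ext", dst=BASTION, proto="tcp", dport=25),
    Rule("forward", iface="ext", dst=BASTION, proto="tcp", dport=80),
    # From the internal network, only packets sent by the bastion host are allowed out
    Rule("forward", iface="int", src=BASTION),
]
ROUTER = PacketFilter(SCREENED_HOST_RULES, default="discard")
```

A real router would also have to admit replies to the bastion host's own outbound connections (for instance by matching on the TCP ACK flag), which this rule set deliberately omits to keep the policy readable.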
FIREWALL CONFIGURATIONS
Greater security than single-system configurations, for two reasons:
  This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
  An intruder must generally penetrate two separate systems
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
FIREWALL CONFIGURATIONS
Screened host firewall system (dual-homed bastion host)
Screened host firewall, dual-homed bastion configuration
  A compromise of the packet-filtering router does not compromise the whole configuration
  Traffic between the Internet and other hosts on the private network still has to flow through the bastion host
FIREWALL CONFIGURATIONS
Screened-subnet firewall system
Screened subnet firewall configuration
  Most secure configuration of the three
  Two packet-filtering routers are used
  Creation of an isolated sub-network
FIREWALL CONFIGURATIONS
Advantages:
  Three levels of defense to thwart intruders
  The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
  The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)