When the tides of life turn against you... And the current upsets your boat... Don't waste those tears on what might have been... Just lay on your back and float!...

Lecture 8 ~Firewall~

Assalamualaikum w.b.t...

Lecture 8.. I think I've studied this stuff loads of times already.. ermm... The Firewall chapter.. Mr Zaki calls it "dinding berapi" (burning wall)... later when he writes the exam questions we're sure to meet "dinding berapi" in the Malay-language version... I've studied it before anyway... huhuhuhu... that wall is seriously on fire... Among the topics in this lecture are...
~Firewall Capabilities & Limits
~Types of firewall
•Packet Filtering Firewall
•Stateful Inspection Firewall
•Application-Level Gateway (Application Proxy)
•Circuit-Level Gateway
~Firewall Basing
~Firewall location

Introduction to Firewall
~effective means of protecting LANs
~internet connectivity essential
•for organization and individuals
•but creates a threat
~could secure workstations and servers
~also use firewall as perimeter defence
•single choke point to impose security

Firewall Capabilities & Limits
~defines a single choke point that keeps unauthorized users out of the protected
~provides a location for monitoring security events
~convenient platform for some Internet functions such as NAT, usage monitoring,
~cannot protect against attacks bypassing firewall
~may not protect fully against internal threats
~an improperly secured wireless LAN may be accessed from outside the org
~laptop, PDA, portable storage device infected outside then used inside

Types of firewall

Type 1- Packet Filtering Firewall
•applies rules to packets in/out of firewall
•based on information in packet header
~src/dest IP addr & port, IP protocol, interface
•typically a list of rules of matches on fields
~if a rule matches, it says whether to forward or discard the packet
•two default policies:
~discard - prohibit unless expressly permitted
•more conservative, controlled, visible to users
~forward - permit unless expressly prohibited
•easier to manage/use but less secure

Packet Filter Rules

A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway
host. However, packets from a particular external host, SPIGOT, are blocked.
B. This is an explicit statement of the default policy, usually implicitly the last

C. This rule set is intended to specify that any inside host can send mail to the
outside. A TCP packet with a destination port of 25 is routed to the SMTP server
on the destination machine. Problem is that 25 as SMTP is only a default; an
outside machine could be configured to have some other application linked to port

D. This rule set achieves the intended result that was not achieved in C. This rule
set allows IP packets where the source IP address is one of a list of designated
internal hosts and the destination TCP port number is 25. It also allows incoming
packets with a source port number of 25 that include the ACK flag. This takes
advantage of a feature of TCP connections that once set up, the ACK flag of a TCP
segment is set to acknowledge segments sent from the other side.

E. This rule set is one approach to handling FTP which uses two TCP connections: a
control connection and a data connection for the actual file transfer. The data
connection uses a different dynamically assigned port number for the transfer.
Most servers, and hence most attack targets, live on low-numbered ports; most
outgoing calls tend to use a higher-numbered port, typically above 1023. Rule
set E points out the difficulty in dealing with applications at the packet
filtering level.
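To make rule set D concrete, here is an added example (not from the lecture or from Stallings) of a first-match packet filter with a default-discard policy: internal hosts may open SMTP connections outward, replies are admitted only if they come from port 25 and carry the ACK flag, external packets claiming an inside source address are dropped (the spoofing countermeasure), and packets from SPIGOT are blocked. The internal address block and the SPIGOT address are constructed sample values.

```python
# Added example: stateless packet filter implementing rule set D plus the
# anti-spoofing and SPIGOT rules from the notes. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # constructed internal address block
SPIGOT = ip_address("203.0.113.7")       # constructed stand-in for host SPIGOT


@dataclass
class Packet:
    direction: str   # "in" or "out" relative to the protected network
    src: str
    dst: str
    src_port: int
    dst_port: int
    ack: bool = False


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


# Each rule: (name, predicate, action). First match wins; default policy is discard.
RULES = [
    # an external packet must never claim an inside source address
    ("spoofed-internal-src", lambda p: p.direction == "in" and is_internal(p.src), "discard"),
    ("block-spigot", lambda p: p.direction == "in" and ip_address(p.src) == SPIGOT, "discard"),
    # any inside host may send mail out (rule set D, outbound half)
    ("outbound-smtp", lambda p: p.direction == "out" and is_internal(p.src) and p.dst_port == 25, "forward"),
    # only reply segments (src port 25 AND ACK set) come back in (rule set D, inbound half)
    ("smtp-reply-ack", lambda p: p.direction == "in" and p.src_port == 25 and p.ack, "forward"),
]


def filter_packet(p: Packet) -> tuple[str, str]:
    """Return (action, matched rule name); unmatched packets fall to the default policy."""
    for name, pred, action in RULES:
        if pred(p):
            return action, name
    return "discard", "default"


if __name__ == "__main__":
    demo = [
        Packet("out", "10.1.2.3", "198.51.100.9", 40001, 25),             # inside host sends mail
        Packet("in", "198.51.100.9", "10.1.2.3", 25, 40001, ack=True),   # legitimate reply
        Packet("in", "198.51.100.9", "10.1.2.3", 25, 40001),             # new connection from outside via port 25
        Packet("in", "10.9.9.9", "10.1.2.3", 25, 40001, ack=True),       # spoofed inside source
    ]
    for pkt in demo:
        print(pkt.direction, pkt.src, "->", pkt.dst, filter_packet(pkt))
```

The third demo packet is the case rule set C let through: an outside machine using source port 25 to open a new connection to a high port is now discarded because the ACK flag is absent.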

Packet Filter Weaknesses
~cannot prevent attack on application bugs
~limited logging functionality
~do not support advanced user authentication
~vulnerable to attacks on TCP/IP protocol bugs (network address spoofing)
~improper configuration can lead to breaches

Packet Filter Attacks
~IP address spoofing: The intruder transmits packets from the outside with a source
IP address field containing an address of an internal (assumed trusted) host. The
countermeasure is to discard external packets with an inside source address.

~source route attacks: the source station specifies the route that a packet should take
as it crosses the Internet. The countermeasure is to discard all packets that use this option.

~tiny fragment attacks: the intruder uses the IP fragmentation option to create
extremely small fragments and force the TCP header information into a separate
packet fragment, so filter rules that specify patterns for those header fields will
not match. It can be defeated by requiring that the first fragment contain most of
the transport header.

Type 2 - Stateful Inspection Firewall
~reviews packet header information but also keeps info on TCP connections
•applications use TCP and create sessions and typically have low, “well-known” port
numbers (<1024) for connecting to a server
•and high, dynamically assigned port no (1024-65535) for the hosts that make the
•simple packet filter must allow all return high port numbered packets back in

•stateful inspection packet firewall tightens rules for TCP traffic using a
directory of TCP connections
•only allow incoming traffic to high-numbered ports for packets matching an entry
in this directory
•may also track TCP seq numbers as well
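An added example (not from the lecture) of the connection directory described above: an outbound connection from an internal host creates an entry, and an inbound packet to a high-numbered port is forwarded only if it reverses an existing entry and, once a peer sequence number has been seen, stays within a window of it. The internal prefix, addresses and window size are constructed assumptions; 32-bit sequence wraparound is ignored to keep the model short.

```python
# Added example: minimal stateful inspection filter with a TCP connection directory.
from dataclasses import dataclass, field

WINDOW = 65535   # assumed acceptance window for the optional sequence-number check


@dataclass(frozen=True)
class FlowKey:
    src: str
    src_port: int
    dst: str
    dst_port: int

    def reverse(self) -> "FlowKey":
        # the inbound reply of a connection has src/dst swapped
        return FlowKey(self.dst, self.dst_port, self.src, self.src_port)


@dataclass
class StatefulFirewall:
    internal_prefix: str = "10."                    # constructed internal address block
    directory: dict = field(default_factory=dict)   # FlowKey -> last sequence number seen from the peer

    def _is_internal(self, addr: str) -> bool:
        return addr.startswith(self.internal_prefix)

    def outbound(self, key: FlowKey) -> str:
        """An internal host opens a connection: record it so its replies can come back in."""
        if not self._is_internal(key.src):
            return "discard"
        self.directory[key] = None        # peer sequence number unknown until its first segment
        return "forward"

    def inbound(self, key: FlowKey, seq: int) -> str:
        """Inbound traffic to a high-numbered port is allowed only if it matches a directory entry."""
        if key.dst_port < 1024:
            return "discard"              # inbound to well-known ports is not covered by this directory
        entry = key.reverse()
        if entry not in self.directory:
            return "discard"              # no internal host opened this connection
        last = self.directory[entry]
        if last is not None and not (last <= seq < last + WINDOW):
            return "discard"              # optional sequence tracking: out-of-window segment
        self.directory[entry] = seq
        return "forward"
```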


Type 3 - Application-Level Gateway (Application Proxy)
~acts as a relay of application-level traffic
•user contacts gateway with remote host name
•authenticates the users (valid user id & password)
•gateway contacts application on remote host and relays TCP segments between server
and user
~must have proxy code for each application
•is installed on the gateway for each desired application
•may configure to restrict application features supported
•frequent software updating to ensure that they are running latest versions of the
proxy code
~more secure than packet filters
~but have higher overheads

Type 4 - Circuit-Level Gateway
•a circuit-level gateway does not permit an end-to-end TCP connection
•sets up two TCP connections, one between itself and an inside user and one between
itself and an outside host
•The security function consists of determining which connections will be allowed.
•relays TCP segments from one connection to the other without examining contents
~hence independent of application logic
~just determines whether relay is permitted
•typically used when inside users trusted
~may use application-level gateway inbound and circuit-level gateway outbound
~hence lower overheads

Firewall Basing
•bastion host
•host-based firewall
•personal firewall

Bastion Hosts
•critical strongpoint in network’s security
•hosts application-level/circuit-level gateways
•common characteristics:
~runs secure O/S, only essential services
~may require user auth to access proxy or host
~each proxy can restrict features, hosts accessed
~each proxy small, simple, checked for security
~each proxy is independent, non-privileged
~limited disk use, hence read-only code

Host-Based Firewalls
•used to secure individual host
•available in/add-on for many O/S
•filter packet flows
•often used on servers
~tailored filter rules for specific host needs
~protection from both internal / external attacks
~additional layer of protection to org firewall

Personal Firewall
~controls traffic flow to/from PC/workstation
~for both home or corporate use
~may be software module on PC
~or in home cable/DSL router/gateway
~typically much less complex
~primary role to deny unauthorized access
~may also monitor outgoing traffic to detect/block worm/malware activity

Firewall Locations
• An external firewall is placed at the edge of a local or enterprise network.
• One or more internal firewalls protect the bulk of the enterprise network.
• Between these two types of firewalls are one or more networked devices in a region
referred to as a DMZ (demilitarized zone) network. Systems that are externally
accessible but need some protections are usually located on DMZ networks.

Virtual Private Networks (VPNs)

• In essence, a VPN consists of a set of computers that interconnect by means of a
relatively unsecure network.
• Use of a public network exposes corporate traffic to eavesdropping and provides an
entry point for unauthorized users. To counter this problem, a VPN is needed.
• In essence, a VPN uses encryption and authentication in the lower protocol layers
to provide a secure connection through an otherwise insecure network, typically
the Internet.
• VPNs are generally cheaper than real private networks using private lines but rely
on having the same encryption and authentication system at both ends.
• The encryption may be performed by firewall software or possibly by routers.
• The most common protocol mechanism used for this purpose is at the IP level and is
known as IPSec.

Distributed Firewalls
• A distributed firewall configuration involves standalone firewall devices plus
host-based firewalls and personal firewalls working together under a central
administrative control.
• Administrators can configure host-resident firewalls on hundreds of servers and
workstations as well as configuring personal firewalls on local and remote user
systems. Tools let the network administrator set policies and monitor security
across the entire network.

Yuhuuu.. that's all we learned about firewalls.. for more details go surf the net some more.. there must be lots more info.. yihiiii...


"Kindness is a language which the deaf can hear and the blind can see.."
