Where firewalls fit in the
corporate landscape
Firewall topics
• Why firewall?
• What is a firewall?
• What is the perfect firewall?
• What types of firewall are there?
• How do I defeat these firewalls?
• How should I deploy firewalls?
• What is good firewall architecture?
• Firewall trends.
What are the risks?
• Theft or disclosure of internal data
• Unauthorized access to internal hosts
• Interception or alteration of data
• Vandalism & denial of service
• Wasted employee time
• Bad publicity, public embarrassment, and lawsuits
What needs to be secured?
• Crown jewels: patent work, source code,
market analysis; information assets
• Any way into your network
• Any way out of your network
• Information about your network
Why do I need a firewall?
• Peer pressure.
• One firewall is simpler to administer than
many hosts.
• It’s easier to be security conscientious with
a firewall.
What is a firewall?
• As many machines as it takes to:
– be the sole connection between inside and
outside.
– test all traffic against consistent rules.
– pass traffic that meets those rules.
– contain the effects of a compromised system.
Firewall components
• All of the machines in the firewall
– are immune to penetration or compromise.
– retain enough information to recreate their
actions.
The Perfect firewall
• Lets you do your business
• Works with existing security measures
• has the security “margin of error” that your
company needs.
The security continuum
• Ease of use vs. degree of security
• Cheap, secure, feature packed, easy to
administer? Choose three.
• Default deny or default accept
(Diagram: a continuum running from “Easy to use” at one end to “Secure” at the other.)
Policy for the firewall
– Who gets to do what via the Internet?
– What Internet usage is not allowed?
– Who makes sure the policy works and is being
complied with?
– When can changes be made to policy/rules?
– What will be done with the logs?
– Will we cooperate with law enforcement?
What you firewall matters more
than which firewall you use.
• Internal security policy should show what
systems need to be guarded.
• How you deploy your firewall determines
what the firewall protects.
• The kind of firewall is how much insurance
you’re buying.
How to defeat firewalls
• Take over the firewall.
• Get packets through the firewall.
• Get the information without going through
the firewall.
A partial list of back doors.
• personal modems
• vendor modems
• partner networks
• home networks
• loose cannon experts
• employee hacking
• reusable passwords
• viruses
• “helpful” employees
• off-site backup &
hosting
Even perfect firewalls can’t fix:
• Tunneled traffic.
• Holes, e.g. telnet, opened in the firewall.
• WWW browser attacks / malicious Internet
servers.
Priorities in hacking through a
firewall
• Collect information.
• Look for weaknesses behind the firewall.
• Try to get packets through the firewall.
• Attack the firewall itself.
• Subvert connections through the firewall.
Information often leaked through
firewalls
• DNS host information
• network configuration
• e-mail header information
• intranet web pages on the Internet
“Ground-floor windows”
• mail servers
• web Servers
• old buggy daemons
• account theft
• vulnerable web browsers
Attacking the firewall
• Does this firewall pass packets when it’s
crashed?
• Is any software running on the firewall?
A field trip through an IP packet
• Important fields are:
– source, destination, ports, TCP status
(Diagram of an IP/TCP packet showing the TOS, SRC, DEST, options, SPORT, DPORT, SEQ#, ACK#, flag (ACK, URG, SYN) and DATA fields.)
Types of firewall
• Packet filters
• Proxy gateways
• Network Address Translation (NAT)
• Intrusion Detection
• Logging
Packet filters
• How Packet filters work
– Read the header and filter by whether fields
match specific rules.
– SYN flags allow the router to tell if connection
is new or ongoing.
• Packet filters come in dumb, standard,
specialized, and stateful models
Standard packet filter
– allows connections as long as the ports are OK
– denies new inbound connections, using the
SYN flag
– Examples: Cisco & other routers, Karlbridge,
Unix hosts, steelhead.
Packet filter weaknesses
– It’s easy to botch the rules.
– Good logging is hard.
– Stealth scanning works well.
– Packet fragments, IP options, and source
routing work by default.
– Routers usually can’t do authentication of end
points.
Stateful packet filters
– SPFs track the last few minutes of network
activity. If a packet doesn’t fit in, they drop it.
– Stronger inspection engines can search for
information inside the packet’s data.
– SPFs have to collect and assemble packets in
order to have enough data.
– Examples: Firewall One, ON Technologies,
SeattleLabs, ipfilter
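As an added illustration (not the slide author's code), a Python model of the two filter types just described: a standard filter whose only notion of an ongoing connection is the ACK bit (the check a Cisco-style `established` rule makes, so a SYN-only packet counts as a new inbound connection), beside a stateful filter that remembers connections for a couple of minutes and drops anything that does not fit. The addresses, ports and policy are constructed; it also shows why an ACK-only probe slips past the stateless filter but not the stateful one.

```python
from dataclasses import dataclass
from typing import Optional

INSIDE_PREFIX = "10.0.0."   # assumption: the protected network is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    direction: str             # "in" (from the Internet) or "out" (from inside)
    dport: Optional[int]       # None matches any destination port
    established: bool = False  # match only packets with ACK set, i.e. not a new connection


def direction_of(pkt: Packet) -> str:
    return "out" if pkt.src.startswith(INSIDE_PREFIX) else "in"


def standard_filter(rules, pkt: Packet) -> bool:
    """Stateless filter: first matching rule wins, no match means default deny."""
    for r in rules:
        if r.direction != direction_of(pkt):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not pkt.ack:
            continue
        return r.action == "permit"
    return False


class StatefulFilter:
    """Admits a packet only if it opens a permitted connection (SYN without ACK)
    or belongs to a connection seen within the last `timeout` seconds."""

    def __init__(self, new_conn_rules, timeout: float = 120.0):
        self.rules = new_conn_rules
        self.timeout = timeout
        self.table = {}   # (src, sport, dst, dport) -> time last seen

    def check(self, pkt: Packet, now: float) -> bool:
        # forget connections idle for longer than the timeout
        self.table = {k: t for k, t in self.table.items() if now - t < self.timeout}
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.table:      # part of a connection we already know
                self.table[key] = now
                return True
        if pkt.syn and not pkt.ack and standard_filter(self.rules, pkt):
            self.table[fwd] = now      # a new connection the policy allows
            return True
        return False                   # unsolicited, or outside the policy


# Policy (constructed): inside may go anywhere; outside may reach only the
# SMTP server; replies are admitted by the ACK bit (stateless) or the state table.
STANDARD_RULES = [
    Rule("permit", "out", None),
    Rule("permit", "in", 25),
    Rule("permit", "in", None, established=True),
]
STATEFUL_RULES = STANDARD_RULES[:2]


def compare(pkt: Packet, sf: StatefulFilter, now: float):
    """(standard verdict, stateful verdict) for one packet."""
    return standard_filter(STANDARD_RULES, pkt), sf.check(pkt, now)


def run_scenarios():
    sf = StatefulFilter(STATEFUL_RULES)
    r = {}
    # an inside client opens a web connection and the server answers
    r["client_syn"] = compare(Packet("10.0.0.5", "203.0.113.9", 40000, 80, syn=True), sf, 0.0)
    r["server_synack"] = compare(Packet("203.0.113.9", "10.0.0.5", 80, 40000, syn=True, ack=True), sf, 0.1)
    # outside hosts try the mail server, then telnet on the same host
    r["smtp_in"] = compare(Packet("198.51.100.4", "10.0.0.7", 5000, 25, syn=True), sf, 1.0)
    r["telnet_in"] = compare(Packet("198.51.100.4", "10.0.0.7", 5001, 23, syn=True), sf, 1.0)
    # ACK-only probe of telnet: a stateless filter takes it for a reply, the
    # stateful one knows no such connection exists ("stealth scanning works well")
    r["ack_probe"] = compare(Packet("198.51.100.4", "10.0.0.7", 5002, 23, ack=True), sf, 2.0)
    # a reply to the web connection arriving after the state entry has expired
    r["late_reply"] = compare(Packet("203.0.113.9", "10.0.0.5", 80, 40000, ack=True), sf, 500.0)
    return r
```

Each scenario returns a pair (standard verdict, stateful verdict); the "ack_probe" and "late_reply" cases are the ones where the two filters disagree.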
Weaknesses in SPF
– All the flaws of standard filtering can still
apply.
– Default setups are sometimes insecure.
– The packet that leaves the remote site is the
same packet that arrives at the client.
– Data inside an allowed connection can be
destructive.
– Traditionally SPFs have poor logging.
Proxy firewalls
• Proxy firewalls pass data between two
separate connections, one on each side of
the firewall.
– Proxies should not route packets between
interfaces.
• Types: circuit level proxy, application
proxy, store and forward proxy.
General proxy weaknesses
• The host is now involved, and accessible to
attack.
– The host must be hardened.
• State is being kept by the IP stack.
• Spoofing IP & DNS still works if
authentication isn’t used.
• Higher latency & lower throughput.
Circuit level proxy
– Client asks FW for document. FW connects to
remote site. FW transfers all information
between the two connections.
– Tends to have better logging than packet filters
– Data passed inside the circuit could be
dangerous.
– Examples: Socks, Cycom Labyrinth
Application proxy
– FW transfers only acceptable information
between the two connections.
– The proxy can understand the protocol and
filter the data within.
– Examples: TIS Gauntlet and FWTK, Raptor,
Secure Computing
Application proxy weaknesses
• Some proxies on an “application proxy”
firewall may not be application aware.
• Proxies have to be written securely.
Store and forward, or caching,
proxies
– Client asks firewall for document; the firewall
downloads the document, saves it to disk, and
provides the document to the client. The
firewall may cache the document.
– Can do data filtering.
– Examples: Microsoft, Netscape, CERN, Squid
proxies; SMTP mail
Weaknesses of store & forward
proxies
– Store and forward proxies tend to be big new
programs. Making them your primary
connection to the internet is dangerous.
– These applications don’t protect the underlying
operating system at all.
– Caching proxies can require more administrator
time and hardware.
Network Address Translation
(NAT)
– NAT changes the IP addresses in a packet, so
that the address of the client inside never shows
up on the Internet.
– Examples: Cisco PIX, Linux Masquerading,
Firewall One, ipfilter
Types of NAT
• Many IPs inside to many static IPs outside
• Many IPs inside to many random IPs
outside
• Many IPs inside to one IP address outside
• Transparent diversion of connections
Weaknesses of NAT
• Source routing & other router holes
• Can be stupid about complex protocols
– ICMP, IP options, FTP, fragments
• Can give out a lot of information about your
network.
• May need a lot of horsepower
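An added example, not from the slides, of the "many IPs inside to one IP address outside" NAT type together with transparent diversion: the translator hands out outside source ports so that two inside hosts using the same port stay distinct, maps replies back, drops unsolicited inbound packets, and (the "stupid about complex protocols" point) has no way to map ICMP because it has no port to key on. Addresses, ports and the proxy host are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "192.0.2.1"      # assumption: the firewall's single outside address
INSIDE_PREFIX = "10.0.0."    # assumption: the private network behind it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"       # "tcp", "udp", or "icmp" (which has no ports)


class ManyToOneNAT:
    """Many inside addresses share one outside address; the outside source
    port the NAT hands out is what tells the connections apart."""

    def __init__(self, public_ip: str, first_port: int = 1024, divert=None):
        self.public_ip = public_ip
        self.next_port = first_port
        self.divert = divert or {}  # dport -> (inside host, port): transparent diversion
        self.out_map = {}  # (inside ip, inside port, remote ip, remote port) -> outside port
        self.in_map = {}   # (outside port, remote ip, remote port) -> (inside ip, inside port)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the rewritten packet, or None when it must be dropped."""
        if pkt.src.startswith(INSIDE_PREFIX):
            if pkt.dport in self.divert:   # e.g. force outbound web traffic through a proxy
                host, port = self.divert[pkt.dport]
                return replace(pkt, dst=host, dport=port)
            return self._outbound(pkt)
        if pkt.dst == self.public_ip:
            return self._inbound(pkt)
        return None                        # neither side of this NAT

    def _outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in ("tcp", "udp"):
            return None   # ICMP has no port to multiplex on: this simple NAT cannot map it
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None   # no inside host asked for this: unsolicited inbound is dropped
        return replace(pkt, dst=target[0], dport=target[1])


def run_scenarios():
    nat = ManyToOneNAT(PUBLIC_IP, divert={80: ("10.0.0.250", 3128)})
    out = {}
    # two inside hosts pick the same source port toward the same server
    a = nat.translate(Packet("10.0.0.5", "203.0.113.9", 40000, 443))
    b = nat.translate(Packet("10.0.0.6", "203.0.113.9", 40000, 443))
    out["a_out"], out["b_out"] = (a.src, a.sport), (b.src, b.sport)
    # the server's replies reach the shared address and are demultiplexed by port
    ra = nat.translate(Packet("203.0.113.9", PUBLIC_IP, 443, a.sport))
    rb = nat.translate(Packet("203.0.113.9", PUBLIC_IP, 443, b.sport))
    out["a_reply"], out["b_reply"] = (ra.dst, ra.dport), (rb.dst, rb.dport)
    # an outside host probing the shared address with no matching state
    out["unsolicited"] = nat.translate(Packet("198.51.100.4", PUBLIC_IP, 5000, 22))
    # ICMP from inside carries no port for the NAT to key on
    out["icmp"] = nat.translate(Packet("10.0.0.5", "203.0.113.9", 0, 0, proto="icmp"))
    # plain web traffic is diverted to the inside caching proxy instead of leaving directly
    d = nat.translate(Packet("10.0.0.5", "203.0.113.9", 40001, 80))
    out["diverted"] = (d.dst, d.dport)
    return out
```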
Intrusion detection
– Watches Ethernet or router for trigger events,
then tries to interrupt connections. Logs
synopsis of all events.
– Can log suspicious sessions for playback
– Tend to be very good at recognizing attacks,
fair at anticipating them
– Products: Abirnet, ISS Real Secure,
SecureNetPro, Haystack Netstalker
Weaknesses of intrusion
detection
– Can only stop TCP connections
– Sometimes stops things too late
– Can trigger alarms too easily
– Doesn’t work on switched networks
Logging
• Pros:
– Very cheap
– Solves most behavioral problems
– Logfiles are crucial for legal recourse
• Cons:
– Very programmer or administrator intensive
– Doesn’t prevent damage
– needs a stable environment to be useful
Types of logging
• program logging
• syslog /NT event log
• sniffers
– Argus, Network General, HP Openview,
TCPdump
• router debug mode
– A very good tool for tracking across your
network
Commercial Logging
• Logging in almost all commercial firewall
packages stinks
– No tripwires
– No pattern recognition
– No smart/expert distillation
– No way to change firewall behavior based on
log information
– No good way to integrate log files from
multiple machines
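An added example (not from the slides) of three of the missing features listed above, done by hand: integrating log files from two firewall hosts into one event list, pattern recognition over that combined list, and a tripwire port. The log lines and their syslog-like format are constructed, as is the tripwire port; the point it makes is that neither firewall's log alone shows enough denied ports to call the source a scanner, but the merged view does.

```python
import re
from collections import defaultdict

# Constructed log lines from two firewall hosts, in an invented syslog-like shape
SAMPLE_LOGS = {
    "fw-edge": [
        "Mar  3 10:01:02 fw-edge filter: DENY tcp 198.51.100.4:5000 -> 10.0.0.7:21",
        "Mar  3 10:01:03 fw-edge filter: DENY tcp 198.51.100.4:5001 -> 10.0.0.7:22",
        "Mar  3 10:01:03 fw-edge filter: DENY tcp 198.51.100.4:5002 -> 10.0.0.7:23",
        "Mar  3 10:01:04 fw-edge filter: PERMIT tcp 198.51.100.4:5003 -> 10.0.0.7:25",
        "Mar  3 10:05:00 fw-edge filter: PERMIT tcp 203.0.113.9:443 -> 10.0.0.5:40000",
    ],
    "fw-dmz": [
        "Mar  3 10:01:05 fw-dmz filter: DENY tcp 198.51.100.4:5004 -> 10.0.0.20:1433",
        "Mar  3 10:01:06 fw-dmz filter: DENY tcp 198.51.100.4:5005 -> 10.0.0.20:3389",
        "Mar  3 10:02:10 fw-dmz filter: DENY tcp 192.0.2.77:6000 -> 10.0.0.9:2222",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) filter: "
    r"(?P<action>PERMIT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

TRIPWIRE_PORTS = {2222}   # assumption: a port no legitimate service uses; any touch is an alert


def parse(logs_by_host):
    """Normalise the lines of every firewall into one event list (the integration step)."""
    events = []
    for host, lines in logs_by_host.items():
        for line in lines:
            m = LINE_RE.match(line)
            if m is None:
                continue          # unknown line shape: skip rather than guess
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def scan_sources(events, min_targets=4):
    """Pattern recognition: a source denied on many distinct (host, port) pairs."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            targets[e["src"]].add((e["dst"], e["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def tripwires(events):
    """Tripwire: any packet, permitted or not, aimed at a tripwire port."""
    return [(e["host"], e["src"], e["dst"], e["dport"]) for e in events
            if e["dport"] in TRIPWIRE_PORTS]


def suggested_blocks(events):
    """Feed the log findings back into firewall behaviour (rule text is illustrative)."""
    return [f"deny ip from {src} to any" for src in sorted(scan_sources(events))]
```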
Firewall Tools
• All types of firewall are useful sometimes.
• The more compartments on the firewall, the
greater the odds of security.
• Belt & suspenders
Firewall topology
• Webserver placement
• RAS server placement
• Partner network placement
• Internal information protection (intranet
firewalling)
Firewall deployment checklist
• Have list of what needs to be protected.
• Have all of the networks configured for the
firewall
• All rules are in place
• Logging is on.
What steps are left?
• What is the firewall allowing access to?
– Internal machines receiving data had better be
secure.
– If these services can’t be secured, what do you
have to lose?
Last checks
• Day 0 Backups made?
• Are there any gaps between our stated
policy and the rules the firewall is
enforcing?
Auditing
• A firewall works when an audit finds no
deviations from policy.
• Scanning tools are good for auditing
conformance to policy, not so good for
auditing security.
Sample configurations
• Good configurations should:
– limit Denial of Service.
– minimize complexity for inside users.
– be auditable.
– allow outside to connect to specific resources.
Minimal restriction, good
security
• Stateful packet filter, dmz, packet filter,
intrusion detection.
(Network diagram for this configuration; only the “Inside” label survived extraction.)
The Multimedia Nightmare
• Secure multimedia & database content provided
to multiple Internet destinations.
• Web server is acting as authentication & security for
access to the Finance server.
(Diagram: a caching proxy between the Internet and Inside.)
Firewalls in multiple locations
– Identical proxies on both sides.
VPN over internal LAN
Low end, good security, for low
threat environments
• Packet filter, “Sacrificial Goat” web server,
Application Firewall, bastion host running logging
& Store & Forward proxies
(Diagram: store & forward proxies in front of Inside.)
High end firewalls
• ATM switching firewalls
• Round robin gateways
– Don’t work with transparent proxies
• High availability
Firewall Trends
– “Toaster” firewalls
– Call-outs / co-processing firewalls
– VPNs
– Dumb protocols
– LAN equipment & protocols showing up on the
Internet
– Over-hyped content filtering
More Firewall Trends
– blurring between packet filters & application
proxies
– more services running on the firewall
– High availability, fail-over and hot swap ability
– GUIs
– Statistics for managers
Firewall trends & “religious”
issues.
• Underlying OS for firewalls
– Any firewall OS should have little in common
with the retail versions.
• Firewall certification
– Buy your own copy of ISS and “certify”
firewalls yourself.
Source vs. Shrink-wrap
• Low end shrinkwrap solutions
• The importance of source
– Can you afford 1.5 programmer/administrators?
– Are you willing to have a non-employee doing
your security? (Whose priorities win?)
Downside of firewalls
• single point of failure
• difficult to integrate into a mesh network
• highlights flaws in network architecture
• can focus politics on the firewall
administrator
Interesting firewall products
– Checkpoint Firewall-1
http://www.checkpoint.com
– SecureNetPro http://www.mimestar.com
– IP Filter
http://coombs.anu.edu.au/~avalon/ip-filter.html
– Seattle Labs http://www.sealabs.com
– Karlnet Karlbridge http://www.karlnet.com
– V-One inc http://www.v-one.com
– ISS Realsecure http://www.iss.net

Contenu connexe

Tendances

Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber securityKAMALI PRIYA P
 
FireWall
FireWallFireWall
FireWallrubal_9
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
Wired and Wireless Network Forensics
Wired and Wireless Network ForensicsWired and Wireless Network Forensics
Wired and Wireless Network ForensicsSavvius, Inc
 
Industrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortIndustrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortDisha Bedi
 
Secure your network - Segmentation and segregation
Secure your network - Segmentation and segregationSecure your network - Segmentation and segregation
Secure your network - Segmentation and segregationMagnus Jansson
 
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiTakashi Yamanoue
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programAPNIC
 
Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture Yovan Chandel
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationgaurav96raj
 
Firewall management introduction
Firewall management introductionFirewall management introduction
Firewall management introductionRaghava Sharma
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationTayabaZahid
 

Tendances (20)

Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
FireWall
FireWallFireWall
FireWall
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
Wired and Wireless Network Forensics
Wired and Wireless Network ForensicsWired and Wireless Network Forensics
Wired and Wireless Network Forensics
 
What is firewall
What is firewallWhat is firewall
What is firewall
 
Industrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortIndustrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using Snort
 
Secure your network - Segmentation and segregation
Secure your network - Segmentation and segregationSecure your network - Segmentation and segregation
Secure your network - Segmentation and segregation
 
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wiki
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
 
Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
Firewall girija ppt
Firewall girija pptFirewall girija ppt
Firewall girija ppt
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Firewall management introduction
Firewall management introductionFirewall management introduction
Firewall management introduction
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Lec 1 apln security(4pd)
Lec  1 apln security(4pd)Lec  1 apln security(4pd)
Lec 1 apln security(4pd)
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 

En vedette

Fall 2010fashiontrends-101006035457-phpapp02
Fall 2010fashiontrends-101006035457-phpapp02Fall 2010fashiontrends-101006035457-phpapp02
Fall 2010fashiontrends-101006035457-phpapp02Debra Pape
 
Menyusun sop
Menyusun sopMenyusun sop
Menyusun sopRBudiS
 
Utilización de las herramientas de búsqueda avanzada
Utilización de  las herramientas de búsqueda avanzadaUtilización de  las herramientas de búsqueda avanzada
Utilización de las herramientas de búsqueda avanzadaAGROCALIDAD
 
Real Trick Or Treaters
Real Trick Or TreatersReal Trick Or Treaters
Real Trick Or Treatersgonzalem08
 
La distribuzione urbana delle merci nella ZTL romana
La distribuzione urbana delle merci nella ZTL romanaLa distribuzione urbana delle merci nella ZTL romana
La distribuzione urbana delle merci nella ZTL romanaVivivanne Diaferia
 
[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)
[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)
[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)Mad Monk
 
[Panel on research_and_development_priorities_for_(book_fi.org)
[Panel on research_and_development_priorities_for_(book_fi.org)[Panel on research_and_development_priorities_for_(book_fi.org)
[Panel on research_and_development_priorities_for_(book_fi.org)Mad Monk
 
Business Model Innovation by Experimentation
Business Model Innovation by ExperimentationBusiness Model Innovation by Experimentation
Business Model Innovation by ExperimentationYoav Aviram
 
Presentasi seminar regional [compatibility mode]
Presentasi seminar regional [compatibility mode]Presentasi seminar regional [compatibility mode]
Presentasi seminar regional [compatibility mode]Ridwan Centuri
 
Climate change impact on se aagric-070511 [compatibility mode]-3
Climate change impact on se aagric-070511 [compatibility mode]-3Climate change impact on se aagric-070511 [compatibility mode]-3
Climate change impact on se aagric-070511 [compatibility mode]-3Ridwan Centuri
 
Pss airbus a320 flight tutorial
Pss airbus a320 flight tutorialPss airbus a320 flight tutorial
Pss airbus a320 flight tutorialLuisa Ardila
 
Mobilink strategic management report
Mobilink strategic management reportMobilink strategic management report
Mobilink strategic management reportNoorulain Adnan
 

En vedette (19)

Fall 2010fashiontrends-101006035457-phpapp02
Fall 2010fashiontrends-101006035457-phpapp02Fall 2010fashiontrends-101006035457-phpapp02
Fall 2010fashiontrends-101006035457-phpapp02
 
Menyusun sop
Menyusun sopMenyusun sop
Menyusun sop
 
Dominique
DominiqueDominique
Dominique
 
problem
problemproblem
problem
 
Utilización de las herramientas de búsqueda avanzada
Utilización de  las herramientas de búsqueda avanzadaUtilización de  las herramientas de búsqueda avanzada
Utilización de las herramientas de búsqueda avanzada
 
Real Trick Or Treaters
Real Trick Or TreatersReal Trick Or Treaters
Real Trick Or Treaters
 
La distribuzione urbana delle merci nella ZTL romana
La distribuzione urbana delle merci nella ZTL romanaLa distribuzione urbana delle merci nella ZTL romana
La distribuzione urbana delle merci nella ZTL romana
 
[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)
[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)
[Rossella derickson, krista_henley,_almaz_negash,_(book_fi.org)
 
Youneededme 4
Youneededme 4Youneededme 4
Youneededme 4
 
[Panel on research_and_development_priorities_for_(book_fi.org)
[Panel on research_and_development_priorities_for_(book_fi.org)[Panel on research_and_development_priorities_for_(book_fi.org)
[Panel on research_and_development_priorities_for_(book_fi.org)
 
Business Model Innovation by Experimentation
Business Model Innovation by ExperimentationBusiness Model Innovation by Experimentation
Business Model Innovation by Experimentation
 
Yc presentation
Yc presentationYc presentation
Yc presentation
 
Presentasi seminar regional [compatibility mode]
Presentasi seminar regional [compatibility mode]Presentasi seminar regional [compatibility mode]
Presentasi seminar regional [compatibility mode]
 
Mikenopa company
Mikenopa companyMikenopa company
Mikenopa company
 
Climate change impact on se aagric-070511 [compatibility mode]-3
Climate change impact on se aagric-070511 [compatibility mode]-3Climate change impact on se aagric-070511 [compatibility mode]-3
Climate change impact on se aagric-070511 [compatibility mode]-3
 
Pss airbus a320 flight tutorial
Pss airbus a320 flight tutorialPss airbus a320 flight tutorial
Pss airbus a320 flight tutorial
 
Analysis
AnalysisAnalysis
Analysis
 
Matrixes
MatrixesMatrixes
Matrixes
 
Mobilink strategic management report
Mobilink strategic management reportMobilink strategic management report
Mobilink strategic management report
 

Similaire à Myles firewalls

Firewall, Router and Switch Configuration Review
Firewall, Router and Switch Configuration ReviewFirewall, Router and Switch Configuration Review
Firewall, Router and Switch Configuration ReviewChristine MacDonald
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewallsDivya Jyoti
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Science DMZ security
Science DMZ securityScience DMZ security
Science DMZ securityJisc
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation9921103075
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Network security chapter 6 and 7 internet architecture
Network security chapter  6 and 7 internet   architectureNetwork security chapter  6 and 7 internet   architecture
Network security chapter 6 and 7 internet architectureMuhammad ismail Shah
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
Section c group2_firewall_ final
Section c group2_firewall_ finalSection c group2_firewall_ final
Section c group2_firewall_ finalpg13tarun_g
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 

Similaire à Myles firewalls (20)

firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Firewall, Router and Switch Configuration Review
Firewall, Router and Switch Configuration ReviewFirewall, Router and Switch Configuration Review
Firewall, Router and Switch Configuration Review
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
Firewall
FirewallFirewall
Firewall
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 
Network security
 Network security Network security
Network security
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewall
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
 
Seminar
SeminarSeminar
Seminar
 
Science DMZ security
Science DMZ securityScience DMZ security
Science DMZ security
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
 
Network security chapter 6 and 7 internet architecture
Network security chapter  6 and 7 internet   architectureNetwork security chapter  6 and 7 internet   architecture
Network security chapter 6 and 7 internet architecture
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
Section c group2_firewall_ final
Section c group2_firewall_ finalSection c group2_firewall_ final
Section c group2_firewall_ final
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
 

Myles firewalls

  • 1. Where firewalls fit in the corporate landscape
  • 2. Firewall topics • Why firewall? • What is a firewall? • What is the perfect firewall? • What types of firewall are there? • How do I defeat these firewalls? • How should I deploy firewalls? • What is good firewall architecture? • Firewall trends.
  • 3. What are the risks? • Theft or disclosure of internal data • Unauthorized access to internal hosts • Interception or alteration of data • Vandalism & denial of service • Wasted employee time • Bad publicity, public embarassment, and law suits
  • 4. What needs to be secured? • Crown jewels: patent work, source code, market analysis; information assets • Any way into your network • Any way out of your network • Information about your network
  • 5. Why do I need a firewall? • Peer pressure. • One firewall is simpler to administer than many hosts. • It’s easier to be security conscientious with a firewall.
  • 6. What is a firewall? • As many machines as it takes to: – be the sole connection between inside and outside. – test all traffic against consistent rules. – pass traffic that meets those rules. – contain the effects of a compromised system.
  • 7. Firewall components • All of the machines in the firewall – are immune to penetration or compromise. – retain enough information to recreate their actions.
  • 8. The Perfect firewall • Lets you do your business • Works with existing security measures • has the security “margin of error” that your company needs.
  • 9. The security continuum • Ease of use vs. degree of security • Cheap, secure, feature packed, easy to administer? Choose three. • Default deny or default accept Easy to use Secure
  • 10. Policy for the firewall – Who gets to do what via the Internet? – What Internet usage is not allowed? – Who makes sure the policy works and is being complied with? – When can changes be made to policy/rules? – What will be done with the logs? – Will we cooperate with law enforcement?
  • 11. What you firewall matters more than which firewall you use. • Internal security policy should show what systems need to be guarded. • How you deploy your firewall determines what the firewall protects. • The kind of firewall is how much insurance you’re buying.
  • 12. How to defeat firewalls • Take over the firewall. • Get packets through the firewall. • Get the information without going through the firewall.
  • 13. A partial list of back doors. • personal modems • vendor modems • partner networks • home networks • loose cannon experts • employee hacking • reusable passwords • viruses • “helpful” employees • off-site backup & hosting
  • 14. Even perfect firewalls can’t fix: • Tunneled traffic. • Holes, e.g. telnet, opened in the firewall. • WWW browser attacks / malicious Internet servers.
  • 15. Priorities in hacking through a firewall • Collect information. • Look for weaknesses behind the firewall. • Try to get packets through the firewall. • Attack the firewall itself. • Subvert connections through the firewall.
  • 16. Information often leaked through firewalls • DNS host information • network configuration • e-mail header information • intranet web pages on the Internet
  • 17. “Ground-floor windows” • mail servers • web Servers • old buggy daemons • account theft • vulnerable web browsers
  • 18. Attacking the firewall • Does this firewall pass packets when it’s crashed? • Is any software running on the firewall?
  • 19. A fieldtrip through an IP packet • Important fields are: – source, destination, ports, TCP status . . TOS . . .. . . SRC DEST opt SPORT DPORT DATA SEQ# ACK# ..ACK,URG,SYN ….
  • 20. Types of firewall • Packet filters • Proxy gateways • Network Address Translation (NAT) • Intrusion Detection • Logging
  • 21. Packet filters • How Packet filters work – Read the header and filter by whether fields match specific rules. – SYN flags allow the router to tell if connection is new or ongoing. • Packet filters come in dumb, standard, specialized, and stateful models
  • 22. Standard packet filter – allows connections as long as the ports are OK – denies new inbound connections, using the SYN flag – Examples: Cisco & other routers, Karlbridge, Unix hosts, steelhead.
  • 23. Packet filter weaknesses – It’s easy to botch the rules. – Good logging is hard. – Stealth scanning works well. – Packet fragments, IP options, and source routing work by default. – Routers usually can’t do authentication of end points.
  • 24. Stateful packet filters – SPFs track the last few minutes of network activity. If a packet doesn’t fit in, they drop it. – Stronger inspection engines can search for information inside the packet’s data. – SPFs have to collect and assemble packets in order to have enough data. – Examples: Firewall One, ON Technologies, SeattleLabs, ipfilter
  • 25. Weaknesses in SPF – All the flaws of standard filtering can still apply. – Default setups are sometimes insecure. – The packet that leaves the remote site is the same packet that arrives at the client. – Data inside an allowed connection can be destructive. – Traditionally SPFs have poor logging.
26. Proxy firewalls
• Proxy firewalls pass data between two separate connections, one on each side of the firewall.
– Proxies should not route packets between interfaces.
• Types: circuit level proxy, application proxy, store and forward proxy.
27. General proxy weaknesses
• The host is now involved, and accessible to attack.
– The host must be hardened.
• State is being kept by the IP stack.
• Spoofing IP & DNS still works if authentication isn’t used.
• Higher latency & lower throughput.
28. Circuit level proxy
– Client asks FW for document. FW connects to remote site. FW transfers all information between the two connections.
– Tends to have better logging than packet filters.
– Data passed inside the circuit could be dangerous.
– Examples: Socks, Cycom Labyrinth
29. Application proxy
– FW transfers only acceptable information between the two connections.
– The proxy can understand the protocol and filter the data within.
– Examples: TIS Gauntlet and FWTK, Raptor, Secure Computing
30. Application proxy weaknesses
• Some proxies on an “application proxy” firewall may not be application aware.
• Proxies have to be written securely.
31. Store and forward, or caching, proxies
– Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document.
– Can do data filtering.
– Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail
32. Weaknesses of store & forward proxies
– Store and forward proxies tend to be big new programs. Making them your primary connection to the Internet is dangerous.
– These applications don’t protect the underlying operating system at all.
– Caching proxies can require more administrator time and hardware.
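As an added example that is not from the deck, the contrast between a circuit level proxy (slide 28), which relays whatever is inside the circuit, and an application proxy (slide 29), which understands the protocol and forwards only acceptable data; the HTTP requests are constructed and the allowed methods, denied hosts and passed headers are an assumed policy.

```python
# Added illustration, not from the deck: a circuit-level proxy relays the
# client's bytes untouched, while an application proxy parses the protocol
# (HTTP/1.x request lines here) and forwards only what policy allows.
ALLOWED_METHODS = {"GET", "HEAD"}                 # assumed policy
DENIED_HOSTS = {"blocked.example"}                # assumed policy
PASSED_HEADERS = {b"host", b"accept", b"user-agent"}  # headers the proxy understands

def circuit_proxy(client_bytes):
    """Circuit-level proxy: whatever the client puts inside the circuit goes through."""
    return client_bytes

def application_proxy(client_bytes):
    """Application proxy: returns the sanitised request to send on, or None to refuse."""
    request_line, _, rest = client_bytes.partition(b"\r\n")
    try:
        method, target, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                               # malformed request line
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return None                               # method or protocol version not allowed
    if not target.startswith("http://"):
        return None                               # a proxy request needs an absolute URL
    host = target[len("http://"):].split("/", 1)[0].split(":", 1)[0]
    if host in DENIED_HOSTS:
        return None                               # destination refused by policy
    # Re-emit only the headers the proxy understands; unknown headers are dropped.
    headers = []
    for h in rest.split(b"\r\n"):
        name, sep, value = h.partition(b":")
        if sep and name.strip().lower() in PASSED_HEADERS:
            headers.append(name.strip() + b": " + value.strip())
    return request_line + b"\r\n" + b"".join(h + b"\r\n" for h in headers) + b"\r\n"
```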
33. Network Address Translation (NAT)
– NAT changes the IP addresses in a packet, so that the address of the client inside never shows up on the Internet.
– Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter
34. Types of NAT
• Many IPs inside to many static IPs outside
• Many IPs inside to many random IPs outside
• Many IPs inside to one IP address outside
• Transparent diversion of connections
35. Weaknesses of NAT
• Source routing & other router holes
• Can be stupid about complex protocols
– ICMP, IP options, FTP, fragments
• Can give out a lot of information about your network.
• May need a lot of horsepower
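An added example, not from the deck, of the "many IPs inside to one IP address outside" NAT of slide 34, including the dropped reply that makes plain NAT stupid about protocols such as FTP (slide 35); the public address, port range and packets are constructed.

```python
# Added illustration, not from the deck: many-inside-to-one-outside NAT (slide 34).
# Outbound packets leave with the firewall's single public address and a fresh
# port; replies are mapped back; anything with no mapping is dropped.  The public
# address, port range and packets are all constructed.
PUBLIC_IP = "192.0.2.1"   # assumed single outside address of the firewall

class Nat:
    def __init__(self, public_ip=PUBLIC_IP, first_port=30000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (inside ip, inside port, remote ip, remote port) -> public port
        self.back = {}   # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Rewrite an inside-originated packet; returns what the Internet sees."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out:
            port = self.next_port         # allocate a new public port per connection
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Map a reply back to the inside host; None means no mapping, so dropped.
        A server-initiated data connection (the FTP case of slide 35) has no
        mapping either, which is why plain NAT is stupid about such protocols."""
        inside = self.back.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if inside is None:
            return None
        return dict(pkt, dst=inside[0], dport=inside[1])

def packet(src, sport, dst, dport):
    """Constructed packet header."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}
```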
36. Intrusion detection
– Watches ethernet or router for trigger events, then tries to interrupt connections. Logs a synopsis of all events.
– Can log suspicious sessions for playback.
– Tend to be very good at recognizing attacks, fair at anticipating them.
– Products: Abirnet, ISS Real Secure, SecureNetPro, Haystack Netstalker
37. Weaknesses of intrusion detection
– Can only stop TCP connections.
– Sometimes stops things too late.
– Can trigger alarms too easily.
– Doesn’t work on switched networks.
38. Logging
• Pros:
– Very cheap
– Solves most behavioral problems
– Logfiles are crucial for legal recourse
• Cons:
– Very programmer or administrator intensive
– Doesn’t prevent damage
– Needs a stable environment to be useful
39. Types of logging
• program logging
• syslog / NT event log
• sniffers
– Argus, Network General, HP Openview, TCPdump
• router debug mode
– A very good tool for tracking across your network
40. Commercial Logging
• Logging in almost all commercial firewall packages stinks:
– No tripwires
– No pattern recognition
– No smart/expert distillation
– No way to change firewall behavior based on log information
– No good way to integrate log files from multiple machines
41. Firewall Tools
• All types of firewall are useful sometimes.
• The more compartments on the firewall, the greater the odds of security.
• Belt & suspenders
42. Firewall topology
• Webserver placement
• RAS server placement
• Partner network placement
• Internal information protection (intranet firewalling)
43. Firewall deployment checklist
• Have a list of what needs to be protected.
• Have all of the networks configured for the firewall.
• All rules are in place.
• Logging is on.
44. What steps are left?
• What is the firewall allowing access to?
– Internal machines receiving data had better be secure.
– If these services can’t be secured, what do you have to lose?
45. Last checks
• Day 0 backups made?
• Are there any gaps between our stated policy and the rules the firewall is enforcing?
46. Auditing
• A firewall works when an audit finds no deviations from policy.
• Scanning tools are good for auditing conformance to policy, not so good for auditing security.
47. Sample configurations
• Good configurations should:
– limit Denial of Service.
– minimize complexity for inside users.
– be auditable.
– allow outside to connect to specific resources.
48. Minimal restriction, good security
• Stateful packet filter, DMZ, packet filter, intrusion detection.
(Diagram; labels: Inside)
49. The Multimedia Nightmare
• Secure multimedia & database content to be provided to multiple Internet destinations.
• Web server is acting as authentication & security for access to the Finance server.
(Diagram; labels: Proxy, CACHE, Inside)
50. Firewalls in multiple locations
– Identical proxies on both sides.
(Diagram; labels: VPN over internal LAN)
51. Low end, good security, for low threat environments
• Packet filter, “Sacrificial Goat” web server, Application Firewall, bastion host running logging & Store & Forward proxies.
(Diagram; labels: Store & Forward, Inside)
52. High end firewalls
• ATM switching firewalls
• Round robin gateways
– Don’t work with transparent proxies
• High availability
53. Firewall Trends
– “Toaster” firewalls
– Call-outs / co-processing firewalls
– VPNs
– Dumb protocols
– LAN equipment & protocols showing up on the Internet
– Over-hyped content filtering
54. More Firewall Trends
– Blurring between packet filters & application proxies
– More services running on the firewall
– High availability, fail-over and hot swap ability
– GUIs
– Statistics for managers
55. Firewall trends & “religious” issues
• Underlying OS for firewalls
– Any firewall OS should have little in common with the retail versions.
• Firewall certification
– Buy your own copy of ISS and “certify” firewalls yourself.
56. Source vs. Shrink-wrap
• Low end shrink-wrap solutions
• The importance of source
– Can you afford 1.5 programmer/administrators?
– Are you willing to have a non-employee doing your security? (Whose priorities win?)
57. Downside of firewalls
• Single point of failure
• Difficult to integrate into a mesh network
• Highlights flaws in network architecture
• Can focus politics on the firewall administrator
58. Interesting firewall products
– Checkpoint Firewall-1: http://www.checkpoint.com
– SecureNetPro: http://www.mimestar.com
– IP Filter: http://coombs.anu.edu.au/~avalon/ip-filter.html
– Seattle Labs: http://www.sealabs.com
– Karlnet Karlbridge: http://www.karlnet.com
– V-One inc: http://www.v-one.com
– ISS Realsecure: http://www.iss.net

Editor's notes

  1. Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW’s rules