
Introduction to Firewalls

N. Ganesan, Ph.D.

Firewall

Overview of Firewalls
As the name implies, a firewall acts to provide secured access between two networks.
A firewall may be implemented as a standalone hardware device or in the form of software on a client computer.
The two types of firewall are generally known as the hardware firewall and the software firewall.

Firewalls in Practice
A computer may be protected by both a hardware and a software firewall.

H/W vs S/W Firewall

Hardware firewall
Protects the entire network
Implemented in a router
Harder to configure
Software firewall
Protects a single computer
Easy to install and configure

Hardware Firewall

What is it?
What it does.
An example.
Firewall use.
What it protects you from.

Hardware Firewall (Cont.)

What is it?
Basically, it is a barrier to keep destructive forces away from your property.
You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

Hardware Firewall (Cont.)

What it does
It is a hardware device that filters the information coming through the Internet connection into your private network or computer system.
If an incoming packet of information is flagged by the filters, it is not allowed through.

Hardware Firewall (Cont.)

An example

Hardware Firewall (Cont.)

Firewalls use:
Firewalls use one or more of three methods to control traffic flowing in and out of the network:
Packet filtering
Proxy service

Software Firewall (Cont.)

Benefits of using application firewalls:
Equipped with a certain level of logic
Make intelligent decisions
Can be configured to check for a known vulnerability
Large amount of logging

S/W Firewall or Application Firewall (Cont.)

How does a software firewall work?

Software Firewall (Cont.)

Benefits of application firewalls (Cont.)
Easier to track when a potential vulnerability happens
Protect against new vulnerabilities before they are found and exploited
Ability to "understand" application-specific information structure

Software Firewall (Cont.)

Disadvantages of firewalls:
Can slow down network access dramatically
More susceptible to distributed denial of service (DDoS) attacks
Not transparent to end users
Require manual configuration of each client computer

Mode of Operation
A firewall that stands between two networks will inspect a packet that is ready to pass between the networks and allow or block the packet based on the rules set for the firewall to operate.

Viruses and Firewalls

In general, firewalls cannot protect against viruses.
Anti-virus software is needed for that purpose.
However, many security suites such as those offered by McAfee and Norton offer complete protection.
Some software firewalls such as ZoneAlarm Pro may contain limited virus protection features.

Types of Firewall
Packet Filter
Application Gateway

Packet filter firewall

Packets: discrete blocks of data; the basic unit of data handled by a network
Packet filter: hardware or software designed to block or allow transmission of packets based on criteria such as port, IP address, or protocol
To control movement of traffic through the network perimeter, know how packets are structured and what goes into packet headers

Understanding Packets and Packet Filtering

A packet filter inspects packet headers before sending packets on to specific locations within the network.
A variety of hardware devices and software programs perform packet filtering:
Routers: probably the most common packet filters
Operating systems: some have built-in utilities to filter packets on the TCP/IP stack of the server software


Anatomy of a Packet
Header
Contains IP source and destination addresses
Not visible to end users

Data
Contains the information that it is intending to send (e.g., body of an e-mail message)
Visible to the recipient


Packet-Filtering Rules

Packet filtering: procedure by which packet headers are inspected by a router or firewall to make a decision on whether to let the packet pass
Header information is evaluated and compared to rules that have been set up (Allow or Deny)
Packet filters examine only the header of the packet (application proxies examine data in the packet)

Packet-Filtering Rules (continued)
Drop all inbound connections; allow only outbound connections on Ports 80 (HTTP), 25 (SMTP), and 21 (FTP)
Eliminate packets bound for ports that should not be available to the Internet (e.g., NetBIOS)
Filter out ICMP redirect or echo (ping) messages (may indicate hackers are attempting to locate open ports or host IP addresses)
Drop packets that use the IP header source routing feature
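Added example (not from the slides): a small stateless packet filter in Python that applies the rules above, in order, to constructed packet headers. The internal network 192.168.1.0/24, the NetBIOS port list and the sample packets are assumptions; the last rule shows why a stateless filter has to trust source ports to let replies back in.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # assumption: the protected local network
ALLOWED_OUTBOUND = {80, 25, 21}           # HTTP, SMTP, FTP, as listed on the slide
NETBIOS_PORTS = {137, 138, 139}           # assumption: ports never exposed to the Internet
ICMP_ECHO_REQUEST, ICMP_REDIRECT = 8, 5   # ICMP type numbers


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: int = 0               # source port (tcp/udp)
    dport: int = 0               # destination port (tcp/udp)
    icmp_type: int = -1          # ICMP type (icmp only)
    source_routed: bool = False  # IP header carries a source-routing option
    syn: bool = False            # TCP SYN without ACK: opening a new connection


def filter_packet(p):
    """Return ("allow" | "deny", reason). First matching rule wins; default is deny."""
    src_in = ip_address(p.src) in INTERNAL
    dst_in = ip_address(p.dst) in INTERNAL
    if p.source_routed:
        return "deny", "source-routed packet"
    if p.proto == "icmp" and not src_in and p.icmp_type in (ICMP_ECHO_REQUEST, ICMP_REDIRECT):
        return "deny", "inbound ICMP echo/redirect"
    if not src_in and dst_in and p.dport in NETBIOS_PORTS:
        return "deny", "NetBIOS port not exposed to the Internet"
    if src_in and dst_in:
        return "allow", "traffic between trusted hosts"
    if src_in and not dst_in:
        if p.proto == "tcp" and p.dport in ALLOWED_OUTBOUND:
            return "allow", "outbound TCP to port %d" % p.dport
        return "deny", "outbound port not permitted"
    if not src_in and dst_in and p.proto == "tcp":
        if p.syn:
            return "deny", "inbound connection attempt"
        if p.sport in ALLOWED_OUTBOUND:
            # A stateless filter cannot tell a genuine reply from a packet that merely
            # claims source port 80; this is the gap stateful inspection closes.
            return "allow", "reply from permitted port %d" % p.sport
    return "deny", "default deny"


# Constructed sample packets (addresses from documentation ranges)
SAMPLES = [
    Packet("192.168.1.10", "198.51.100.20", "tcp", sport=51000, dport=80, syn=True),
    Packet("198.51.100.20", "192.168.1.10", "tcp", sport=80, dport=51000),
    Packet("203.0.113.5", "192.168.1.10", "tcp", sport=4444, dport=139, syn=True),
    Packet("203.0.113.5", "192.168.1.10", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    Packet("203.0.113.5", "192.168.1.10", "tcp", sport=80, dport=22, source_routed=True),
    Packet("192.168.1.10", "192.168.1.20", "udp", sport=137, dport=137),
    Packet("192.168.1.10", "198.51.100.7", "tcp", sport=51001, dport=23, syn=True),
]


def verdicts(samples=SAMPLES):
    """Verdict for each sample packet, in order."""
    return [filter_packet(p)[0] for p in samples]


if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src, "->", p.dst, p.proto, *filter_packet(p))
```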


Packet-Filtering Rules (continued)

Set up an access list that includes all computers in the local network by name or IP address so communications can flow between them
Allow all traffic between trusted hosts
Set up rules yourself


Application Level Gateways

Also called a Proxy Firewall
Typical applications:
Telnet
FTP
SMTP
HTTP

More secure than packet filters
Bad packets won't get through the gateway
Only has to deal with application level packets

Simplifies rules needed in the packet filter

Application gateway (Cont.)

It works as follows:
1. An internal user connects to the application gateway using telnet or http.
2. The application gateway asks the user about the remote host with which the user wants to set up a connection for actual communication. It also uses
3. The user provides this information to the application gateway.
4. The application gateway now accesses the remote host on behalf of the user and passes the user's packets to the remote host.

ISO/OSI Network Model

(Don't need to know this)
Seven network layers
Layer 1: Physical (cables)
Layer 2: Data Link (Ethernet)
Layer 3: Network (IP)
Layer 4: Transport (TCP/UDP)
Layer 5: Session
Layer 6: Presentation
Layer 7: Application
You don't need to know the layers, just the idea that it is layered.

TCP/IP Network Model

A different view: 4 layers
Layer 1: Link (we did not look at details)
Layer 2: Network
Layer 3: Transport
Layer 4: Application

Routing
How does a device know where to send a packet?
All devices need to know what IP addresses are on directly attached networks.
If the destination is on a local network, send it directly there.

VPN (Virtual Private Network)

Traditional Connectivity

[From Gartner Consulting]

What is VPN?
A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.
Became popular as more employees worked in remote locations.
Terminologies to understand how VPNs work.

Employees can access the network (Intranet) from remote locations.

Private Networks vs. Virtual Private Networks
Private networks: secured networks
Virtual private networks: the Internet is used as the backbone for VPNs

Saves cost tremendously from the reduction of equipment and maintenance costs.
Scalability

Brief Overview of How it Works

Two connections: one is made to the Internet and the second is made to the VPN.
Datagrams: contain data, destination and source information.
Firewalls: VPNs allow authorized users to pass through the firewalls.
Protocols: protocols create the VPN tunnels.

Four Critical Functions

Authentication: validates that the data was sent from the sender.
Access control: limiting unauthorized users from accessing the network.
Confidentiality: preventing the data from being read or copied as the data is being transported.
Data Integrity: ensuring that the data has not been altered.

Encryption
Encryption is a method of scrambling data before transmitting it onto the Internet.
Public Key Encryption Technique
Digital signature for authentication

Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.

Figure: Data Encapsulation [From Comer], showing the original datagram, the encrypted inner datagram, and the outer datagram's header and data area.

Two types of end points:
Remote Access
Site-to-Site

What is Cryptography
Cryptography

In a narrow sense
Mangling information into apparent unintelligibility
Allowing a secret method of un-mangling

In a broader sense
Mathematical techniques related to information security
About secure communication in the presence of adversaries

Cryptanalysis
The study of methods for obtaining the meaning of encrypted information without accessing the secret information

Cryptology
Cryptography + cryptanalysis

Objectives of Information Security

Confidentiality (secrecy)
Only the sender and intended receiver should be able to understand the contents of the transmitted message

Authentication
Both the sender and receiver need to confirm the identity of the other party involved in the communication

Data integrity
The content of their communication is not altered, either maliciously or by accident, in transmission.

Availability
Timely accessibility of data to authorized entities.

Objectives of Information Security (Cont.)

Non-repudiation
An entity is prevented from denying its previous commitments or actions

Access control
An entity cannot access any entity that it is not authorized to.

Anonymity
The identity of an entity is protected from others.

Types of Cryptography
Asymmetric key Cryptography
Symmetric key Cryptography

Secret Key Cryptography

Figure: plaintext -> encryption -> ciphertext, and ciphertext -> decryption -> plaintext, using the same key for both.

Uses a single key for encryption/decryption.
The plaintext and the ciphertext have the same size.
Also called symmetric key cryptography

Public Key Cryptography

Figure: plaintext -> encryption (public key) -> ciphertext, and ciphertext -> decryption (private key) -> plaintext.

Each individual has two keys
a private key (d): need not be revealed to anyone
a public key (e): preferably known to the entire world

Public key crypto is also called asymmetric crypto.

DIGITAL SIGNATURE

13.1 COMPARISON

13.1.1 Inclusion

A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.


13.1.2 Verification Method

For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.


13.2 PROCESS

Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.


13.2 Continued

Figure 13.1 Digital signature process


13.2.1 Need for Keys

Figure 13.2 Adding key to the digital signature process

Note
A digital signature needs a public-key system.
The signer signs with her private key; the verifier verifies with the signer's public key.

13.2.1 Continued

Note
A cryptosystem uses the private and public keys of the receiver; a digital signature uses the private and public keys of the sender.


13.3.1 Message Authentication

A secure digital signature scheme, like a secure conventional signature, can provide message authentication.

Note
A digital signature provides message authentication.


13.3.2 Message Integrity

The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed.

Note
A digital signature provides message integrity.


13.3.3 Nonrepudiation
Figure 13.4 Using a trusted center for nonrepudiation

Note
Nonrepudiation can be provided using a trusted party.

13.3.4 Confidentiality
Figure 13.5 Adding confidentiality to a digital signature scheme

Note
A digital signature does not provide privacy.
If there is a need for privacy, another layer of
encryption/decryption must be applied.
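Added example, not from the slides or the textbook the figures come from: textbook RSA with constructed toy-sized primes, showing that the signer signs with her private key (d) while the verifier checks with the signer's public key (e), that a changed message no longer verifies (13.3.2), and that a cryptosystem uses the receiver's keys instead, as in Figure 13.5 where confidentiality is layered on top. The primes, e = 65537 and the use of SHA-256 are assumptions; there is no padding, so this illustrates the key roles only and is not a secure scheme.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Return (public (e, n), private (d, n)) for the constructed primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest(message, n):
    """Hash the message and reduce it below the modulus so it fits one RSA block."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    d, n = private_key                   # the signer signs with HER private key
    return pow(digest(message, n), d, n)


def verify(message, signature, public_key):
    e, n = public_key                    # the verifier uses the SIGNER's public key
    return pow(signature, e, n) == digest(message, n)


def encrypt(block, receiver_public):
    e, n = receiver_public               # a cryptosystem uses the RECEIVER's public key ...
    return pow(block, e, n)


def decrypt(block, receiver_private):
    d, n = receiver_private              # ... and the receiver's private key to undo it
    return pow(block, d, n)


# Constructed toy primes; real keys are thousands of bits long
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(104729, 1299709)
RECEIVER_PUBLIC, RECEIVER_PRIVATE = make_keypair(999983, 1000003)


def demo():
    """(original verifies, tampered verifies, confidentiality layer round-trips)."""
    msg = b"Pay 100 to account 42"
    sig = sign(msg, SENDER_PRIVATE)
    ok_original = verify(msg, sig, SENDER_PUBLIC)                       # authentic, unaltered
    ok_tampered = verify(b"Pay 900 to account 42", sig, SENDER_PUBLIC)  # integrity fails
    # Figure 13.5: the signature hides nothing, so for privacy the signature
    # (and message) are additionally encrypted for the receiver. The receiver's
    # modulus is larger than the sender's here so the signature fits in one block.
    sealed = encrypt(sig, RECEIVER_PUBLIC)
    recovered = decrypt(sealed, RECEIVER_PRIVATE)
    return ok_original, ok_tampered, recovered == sig


if __name__ == "__main__":
    print(demo())
```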

What is E-commerce
Distributing, buying, selling and marketing products and services over electronic systems
E-business for commercial transactions
Involves supply chain management, e-marketing, online marketing, EDI (Electronic Data Interchange)
Uses electronic technology such as:
- Internet
- Extranet/Intranet
- Protocols


Examples
B2C: www.amazon.com
C2C: www.eBay.com
B2B: www.tpn.com
C2B: www.priceline.com

Let's visit these web sites in turn and discuss their features.

B2C

C2C

B2B

C2B

Architecture of Web-based E-Commerce System

Figure components: client side; Internet; Firewall; server side service system (Web Server, Application Server, Database); Backend system; Intranet (secure).

Security Threats in the E-commerce Environment
Three key points of vulnerability:
the client
communications pipeline
the server

E-payment System
E-payment is the subset of an e-commerce transaction that covers electronic payment for buying and selling goods or services offered through the Internet.

Credit Card - Business Model

Figure: Logical money flow among the Customer, the Store, the Customer's Bank, the Store's Bank and Visa (3rd party): 1. Charge; 2. Credit Authorization; 3. Clearance/Settlement; 4. Payment.

What can you do if your statement shows a fraudulent purchase?

Electronic Payment Systems

E-cash, smart card, etc.
Credit card, debit card

Credit Cards
A very common method of payment
Cards are issued by a bank
Unique 16-digit number (including check digits) and an expiration date
Third party authorization companies verify purchases
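Added example, not from the slides: the check digit mentioned above is the Luhn check digit used on payment card numbers (a standard fact the slide does not name). This Python routine validates a 16-digit number and computes the check digit for a 15-digit prefix, so a merchant can reject a mistyped or transposed number before contacting the authorization company. The sample numbers are constructed test values, not real cards.

```python
def luhn_sum(digits):
    """Luhn checksum: from the right, double every second digit, subtracting 9
    when the doubled value exceeds 9, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit, counting from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total


def is_valid_card_number(number):
    """True for a 16-digit number whose last digit is a correct Luhn check digit.
    Spaces and dashes, as customers type them, are ignored."""
    digits = number.replace(" ", "").replace("-", "")
    return digits.isdigit() and len(digits) == 16 and luhn_sum(digits) % 10 == 0


def check_digit(first_fifteen):
    """The digit that completes a 15-digit prefix so the full number passes Luhn."""
    if not (first_fifteen.isdigit() and len(first_fifteen) == 15):
        raise ValueError("expected 15 digits")
    return str((10 - luhn_sum(first_fifteen + "0") % 10) % 10)


if __name__ == "__main__":
    # Constructed examples: a valid test number, a single-digit typo, and a
    # transposition of the last two digits, which Luhn also catches.
    for n in ("4111 1111 1111 1111", "4111111111111112", "4000000000000020"):
        print(n, is_valid_card_number(n))
```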


Processing a Payment Card Order

Payment Acceptance and Processing

Merchants must set up merchant accounts to accept payment cards
Law prohibits charging a payment card until merchandise is shipped
A payment card transaction requires:
The merchant to authenticate the payment card
The merchant to check with the card issuer to ensure funds are available and to put a hold on the funds needed to make the current charge
Settlement occurs in a few days when funds travel through the banking system into the merchant's account


Intrusion

Definitions

A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource

Intrusion detection
The process of identifying and responding to intrusion activities

Intrusion prevention
Extension of ID with exercises of access control to protect computers from exploitation

Different ways to intrude

Buffer overflows
Unexpected combinations
Unhandled input
Race conditions

Components of IDS

Intrusion Detection Systems (IDS)
Different ways of classifying an IDS
IDS based on:
network based
host based
anomaly detection
signature based misuse

Network based IDS

This IDS looks for attack signatures in network traffic.
A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.

Strengths of Network based IDS


Cost of ownership reduced
Packet analysis
Evidence removal
Real time detection and response
Malicious intent detection

Host/Applications based IDS

The host operating system or the application logs the audit information.
This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
This audit is then analyzed to detect trails of intrusion.

Strengths of the host based IDS


Attack verification
System specific activity
Encrypted and switch environments
Monitoring key components
Near Real-Time detection and response.
No additional hardware

Drawbacks of the host based IDS

The kind of information that needs to be logged is a matter of experience.
Unselective logging of messages may greatly increase the audit and analysis burdens.
Selective logging runs the risk that attack manifestations could be missed.

Anomaly based IDS

This IDS models the normal usage of the network as a noise characterization.
Anything distinct from the noise is assumed to be an intrusion activity, e.g., flooding a host with lots of packets.

The primary strength is its ability to recognize novel attacks.

Drawbacks of Anomaly detection IDS
Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection.
These generate many false alarms and hence compromise the effectiveness of the IDS.

Signature based IDS

This IDS possesses an attack description that can be matched to sensed attack manifestations.
The question of what information is relevant to an IDS depends upon what it is trying to detect, e.g., DNS, FTP etc.

Signature based IDS (contd.)

The ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string phf as an indicator of a CGI program attack.
Most signature analysis systems are based on simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.
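Added example, not from the slides, covering both the signature-based IDS above and the anomaly-based IDS a few slides earlier: Python detection logic run over constructed packet records. The signature rule uses the slide's ``GET /cgi-bin/phf?'' string next to a naive ``phf'' rule, to show the false-alarm drawback of bare substring matching; the anomaly rule models normal traffic as a constant baseline packet rate (an assumption) and flags a source that floods a host. Addresses and payloads are constructed.

```python
from collections import Counter, defaultdict

# Signature rules as (name, byte pattern). The first is the slide's bare "phf" string;
# the second anchors it to the CGI request so ordinary URLs containing "phf" do not match.
SIGNATURES = [
    ("phf-naive", b"phf"),
    ("phf-cgi", b"GET /cgi-bin/phf?"),
]


def signature_alerts(packets, signatures=SIGNATURES):
    """Substring matching over each packet payload, as the slide describes.
    Returns (timestamp, source, rule name) for every match."""
    alerts = []
    for ts, src, dst, payload in packets:
        for name, pattern in signatures:
            if pattern in payload:
                alerts.append((ts, src, name))
    return alerts


def anomaly_alerts(packets, window=1.0, baseline_pps=20, factor=5):
    """Flag any source whose packet count inside one time window is far above the
    modelled normal rate (the 'noise'). The model here is a constant baseline;
    a real system would learn it from traffic."""
    buckets = defaultdict(Counter)          # window index -> Counter of packets per source
    for ts, src, dst, payload in packets:
        buckets[int(ts // window)][src] += 1
    threshold = baseline_pps * factor * window
    return [(idx * window, src, "flood:%d" % n)
            for idx, counts in sorted(buckets.items())
            for src, n in counts.items() if n > threshold]


# Constructed sample traffic: (timestamp in seconds, src, dst, payload)
WEB = "192.0.2.10"
PACKETS = [
    (0.10, "198.51.100.4", WEB, b"GET /index.html HTTP/1.0"),
    (0.30, "198.51.100.4", WEB, b"GET /docs/phf-history.html HTTP/1.0"),  # benign; trips the naive rule
    (0.50, "203.0.113.7", WEB, b"GET /cgi-bin/phf? HTTP/1.0"),           # the slide's attack indicator
]
# One source sending 150 tiny packets within the second starting at t=2.0
PACKETS += [(2.0 + i * 0.005, "203.0.113.9", WEB, b"") for i in range(150)]


def run(packets=PACKETS):
    return signature_alerts(packets), anomaly_alerts(packets)


if __name__ == "__main__":
    sig, anom = run()
    for a in sig + anom:
        print(*a)
```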

Drawbacks of Signature based IDS
They are unable to detect novel attacks.
Suffer from false alarms
Have to be programmed again for every new pattern to be detected.

Digital Signatures
Digital signatures provide the ability to:
verify author, date & time of signature
authenticate message contents
be verified by third parties to resolve disputes

Hence they include the authentication function with additional capabilities.

Digital Signature Model

Digital Signature Requirements

must depend on the message signed
must use information unique to the sender
to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
must be computationally infeasible to forge
with a new message for an existing digital signature
with a fraudulent digital signature for a given message
must be practical to save the digital signature in storage


E-commerce scenarios
Retailing
Servicing
Publishing
Supply chain management
Discussion: How are they changing?




Credit Card Processing

Processing of Debit Card

Data Back Up
Data Backup
Data Archival
Data Disposal

Data Backup
To manage data properly we consider data backup, which is primarily used for the purpose of data security.
A data backup is a stored snapshot of data at a certain point in time.
Some of the reasons for data loss are:

Reasons for data loss

Failure of hardware
Faulty software
Hacking of data
Human error
Power failure

How to make a backup strategy

Should you consider backing up your entire system or specified files?
How frequently should your data be backed up?
Which storage media will you use for data backup?

Continued.
Should you back up files fully, incrementally or differentially?
Differential: the backup software looks at which files have changed since you last did a full backup, then creates copies of all the files that are different from the ones in the full backup. To restore all the data, you will only need the last full backup and the last differential backup.

Continued..
Incremental: the backup software creates copies of all the files, or parts of files, that have changed since the previous backup of any type (full, differential or incremental).
For example, if you did a full backup on Sunday, an incremental backup made on Monday would only contain files changed since Sunday, and an incremental backup on Tuesday would only contain files changed since Monday, an
This method is the fastest when creating a backup.
Restoring from incremental backups is the slowest. For example, if you had a full backup and six incremental backups, restoring the data would require you to process the full backup and all six incremental backups.
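Added example, not from the slides: a Python model of the full, differential and incremental strategies described above, run over a constructed week of file changes (full backup on Sunday, six daily backups after it). It produces each backup set and computes which sets a restore must process, matching the rule above that a differential restore needs only the last full and the last differential while an incremental restore needs the full backup and all six incrementals. Deleted files are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Backup:
    day: str
    kind: str                                   # "full", "differential" or "incremental"
    files: dict = field(default_factory=dict)   # path -> content captured in this set


def take_backups(history, kind):
    """history: list of (day, {path: content}) snapshots of the live files.
    Day 0 gets a full backup; every later day gets a backup of the given kind.
    Deleted files are not tracked, a real limitation of this toy model."""
    first_day, first_state = history[0]
    full = dict(first_state)
    backups = [Backup(first_day, "full", full)]
    previous = dict(first_state)
    for day, state in history[1:]:
        # Differential measures change against the last full backup;
        # incremental measures it against the previous backup of any kind.
        base = full if kind == "differential" else previous
        changed = {p: c for p, c in state.items() if base.get(p) != c}
        backups.append(Backup(day, kind, changed))
        previous = dict(state)
    return backups


def restore_chain(backups):
    """The backup sets that must be processed, oldest first, to rebuild the latest state."""
    latest = backups[-1]
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    if latest.kind == "full":
        return [latest]
    if latest.kind == "differential":
        return [backups[last_full], latest]      # last full + last differential
    return backups[last_full:]                   # full + every incremental since it


def restore(chain):
    """Apply the sets in order; later sets overwrite earlier copies of a file."""
    state = {}
    for b in chain:
        state.update(b.files)
    return state


# Constructed week: Sunday snapshot, then six days of edits to files a, b and c
HISTORY = [
    ("Sun", {"a": "a0", "b": "b0", "c": "c0"}),
    ("Mon", {"a": "a1", "b": "b0", "c": "c0"}),
    ("Tue", {"a": "a1", "b": "b1", "c": "c0"}),
    ("Wed", {"a": "a2", "b": "b1", "c": "c0"}),
    ("Thu", {"a": "a2", "b": "b1", "c": "c0"}),   # nothing changed on Thursday
    ("Fri", {"a": "a2", "b": "b1", "c": "c1"}),
    ("Sat", {"a": "a3", "b": "b1", "c": "c1"}),
]


def demo(kind):
    """(number of sets a restore must process, restore reproduces Saturday's files)."""
    backups = take_backups(HISTORY, kind)
    chain = restore_chain(backups)
    return len(chain), restore(chain) == HISTORY[-1][1]


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, demo(kind))
```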

Continued
Where should you store your backups?
How should you validate your backup copies?
In which way should your backups be organized?

Data Archival
Data, which is the most valuable asset in an organization, may not be in use completely.
Some part may be moved for future reference but may not be actively used anymore.
Most organizations move the currently inactive part of the data to a separate storage location.
The separated older data is moved to a separate storage location so that the data can be retained for a longer period of time.

Continued
The process of data archival requires moving selected parts of the data to a different storage medium to improve system performance.
Archived data is indexed so that finding it in future becomes easy.
You can use archived data as historical evidence.

Selection of Data Archival Solutions
Longevity of the storage solution
Manageability of the storage solution
Amount of focus on intelligent content
Optimization of total cost of ownership
Type of available solution

Data Disposal
Act of permanently deleting or destroying data stored in a medium
Whenever legacy systems or devices are replaced, removal of the data stored in such systems is a must
Also, it is a federal policy legislation that you should delete your data after some interval of time
The National Institute of Standards and Technology describes three primary ways in which data can be deleted.

Continued.
Overwriting hard drives: according to the NIST recommendation, hard drives should be written thrice to erase previous records
Degaussing hard drives and backup tapes: demagnetize your hard drives and magnetic tapes so as to permanently delete the data
Destroying storage media: there are large shredding machines available which can grind up the media into metal scrap

Some Points to Consider while disposing of data
Deletion to erase data is not reliable because deleted data can be recovered from hard drives
Formatting your disk is also not secure, as data recovery software is available to retrieve data from formatted hard drives
Breaking your hard drives is also not safe because some of the sectors can still be read out

