4 25/11/2018
That which is not expressly permitted is prohibited
That which is not expressly prohibited is permitted
Firewall Characteristics
Limitations:
• cannot protect against attacks that bypass the firewall
• may not protect fully against internal threats
• an improperly secured wireless LAN can be accessed from outside the organization
• a laptop, PDA, or portable storage device may be infected outside the corporate network, then used internally
Types of Firewalls
1. Packet-filtering routers
2. Stateful inspection firewalls
3. Application-level gateways or application proxy firewalls
4. Circuit-level gateways or circuit-level proxy firewalls
Packet Filtering Firewall
Applies rules to packets passing in/out of the firewall, based on information in the packet header:
source IP address, destination IP address, source and destination port numbers, IP protocol field, router interface
Two default policies:
1. Discard - prohibit unless expressly permitted
   more conservative, controlled, visible to users
2. Forward - permit unless expressly prohibited
   easier to manage/use but less secure
Firewalls – Packet Filters
Packet Filter Rules
Default = Discard policy
Top-to-bottom application of rules
Firewall Rules
1. First entry: packets from SPIGOT are blocked
2. Inbound mail is allowed only to OUR-GW host
Firewall Rules
Explicit statement of the default policy.
All rule sets include this rule explicitly as the last rule.
Firewall Rules
Any inside host can send mail to outside
A TCP packet with destination port 25 is routed to the SMTP server of the destination machine
Any problem with this rule?
Firewall Rules - ftp connections
FTP: two TCP connections, one for control and one for data transfer
Data transfer: uses a different port, dynamically assigned
Most servers use low-numbered ports
Most outgoing calls use a higher-numbered port > 1023
Attacks
IP address spoofing, source route attacks, tiny fragment attacks
IP Address Spoofing
Countermeasure:
Discard packets carrying an inside source address if the packet arrives on an external interface
Source Routing
Tiny fragment attacks
How:
Create extremely small fragments
Force the TCP header info into a separate fragment
Aim:
Circumvent filtering rules based on TCP header info
Usually the filtering decision is based on the first fragment of a packet; the other fragments are either accepted or rejected based solely on the first fragment.
The attacker hopes only the first fragment is examined and the others are let through
Countermeasures:
The first fragment must contain a predefined minimum amount of the transport header
IP and TCP
Tiny fragment attack
The first fragment contains only eight octets of data (the minimum fragment size). In the case of TCP, this is sufficient to contain the source and destination port numbers, but it will force the TCP flags field into the second fragment. Filters that attempt to drop connection requests (TCP datagrams having SYN=1 & ACK=0) will be unable to test these flags in the first octet, and will typically ignore them in subsequent fragments.
Stateful Inspection Firewall
Reviews packet header information but also keeps information on TCP connections
A simple packet filter must allow all returning high-port-numbered packets back in, which creates vulnerabilities
A stateful inspection packet firewall tightens the rules for TCP traffic using a directory of TCP connections
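The three packet-filter ideas from the slides above in one runnable toy: rules applied top to bottom with first match winning and an explicit default-discard rule last, a minimum first-fragment size as the tiny-fragment countermeasure, and a connection directory so inbound replies to high ports are admitted only for connections an inside host opened. This is an added example, not from the original deck; the host names SPIGOT and OUR-GW come from the slides, while the 20-octet minimum, the other addresses and the packet fields are assumptions.

```python
"""Toy packet filter for the slides above: rules applied top to bottom with
first match winning and an explicit default-discard rule last, a minimum
first-fragment size against tiny-fragment attacks, and a connection table so
inbound high-port replies pass only for recorded outbound connections.
Hosts, ports and packets are constructed for the example."""
from dataclasses import dataclass

MIN_FIRST_FRAG = 20  # assumed policy: first fragment carries the full 20-octet TCP header

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str        # "in" = arriving from outside, "out" = leaving the inside
    frag_offset: int = 0  # 0 marks the first (or only) fragment
    more_frags: bool = False
    tcp_bytes: int = 20   # octets of TCP header/data carried by this fragment

# Static rules from the slides: (predicate, action), evaluated top to bottom.
RULES = [
    (lambda p: p.src == "SPIGOT", "block"),                       # 1. block SPIGOT
    (lambda p: p.direction == "in" and p.dport == 25
               and p.dst == "OUR-GW", "allow"),                   # 2. inbound mail only to OUR-GW
    (lambda p: p.direction == "out" and p.dport == 25, "allow"),  # 3. any inside host may send mail
]
DEFAULT_ACTION = "block"  # the explicit default-discard rule, always last

class StatefulFilter:
    def __init__(self):
        self.connections = set()  # (inside host, inside port, outside host, outside port)

    def decide(self, p: Packet) -> str:
        # Tiny-fragment countermeasure: a first fragment too short to carry the
        # TCP flags cannot be checked, so it is discarded rather than passed.
        if p.frag_offset == 0 and p.more_frags and p.tcp_bytes < MIN_FIRST_FRAG:
            return "block"
        # Stateful check: inbound traffic to a port > 1023 is a reply only if an
        # inside host opened the connection; a plain packet filter would have to
        # admit every such packet.
        if p.direction == "in" and p.dport > 1023:
            return "allow" if (p.dst, p.dport, p.src, p.sport) in self.connections else "block"
        for match, action in RULES:
            if match(p):
                if action == "allow" and p.direction == "out":
                    self.connections.add((p.src, p.sport, p.dst, p.dport))
                return action
        return DEFAULT_ACTION
```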
Circuit-Level Gateway
Sets up two TCP connections, one to an inside user and one to an outside host
Relays TCP segments from one connection to the other without examining contents
Typically used when inside users are trusted
may use an application-level gateway inbound and a circuit-level gateway outbound
Hence lower overheads
Application-Level Gateway
also called an application proxy
acts as a relay of application-level traffic
user contacts the gateway using a TCP/IP application
user is authenticated
gateway contacts the application on the remote host and relays TCP segments between server and user
must have proxy code for each application
may restrict the application features supported
Bastion Hosts
Advantages:
• filtering rules can be tailored to the host environment
• protection is provided independent of topology
• provides an additional layer of protection
Personal Firewall
controls traffic between a personal computer or workstation and the Internet or enterprise network
for both home and corporate use