Network and System Security Risk Assessment -- Firewall
About redirect again
◼ Compare the attacking effect of netwox and our redirect
◼ Network unreachable caused by the missing gateway
◼ We can have a little more control over our system and network
For example:
◼ Give the attacking machine the ability to forward packets
❑ su
❑ echo 1 > /proc/sys/net/ipv4/ip_forward
❑ sudo service networking restart
◼ For the victim
❑ route add default gw * eth0
❑ The machine reaches the network again!
Firewalls
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.
A network firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
[Figure: firewall placed between the privately administered network 222.22/16 and the public Internet]
Firewall goals:
◼ All traffic from outside to inside, and vice versa, passes through the firewall.
◼ Only authorized traffic, as defined by the local security policy, is allowed to pass.
◼ The firewall itself is immune to penetration.
Firewalls: taxonomy
1. Traditional packet filters
❑ filters often combined with a router, creating a firewall
2. Stateful filters
3. Application gateways
Major firewall vendors: Checkpoint, Cisco PIX
Traditional packet filters
Analyzes each datagram going through it; makes the drop decision based on:
◼ source IP address
◼ destination IP address
◼ source port
◼ destination port
◼ TCP flag bits
❑ SYN bit set: datagram for connection initiation
❑ ACK bit set: part of an established connection
◼ TCP or UDP or ICMP
❑ Firewalls are often configured to block all UDP
◼ direction
❑ Is the datagram leaving or entering the internal network?
◼ router interface
❑ decisions can be different for different interfaces
Filtering Rules - Examples
Policy                                                        | Firewall setting
No outside Web access.                                        | Drop all outgoing packets to any IP address, port 80.
External connections to public Web server only.               | Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80.
Prevent IPTV from eating up the available bandwidth.          | Drop all incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack.  | Drop all ICMP packets going to a "broadcast" address (e.g. 222.22.255.255).
Prevent your network from being tracerouted.                  | Drop all outgoing ICMP.
Access control lists
Apply rules from top to bottom:
action | source address       | dest address         | protocol | source port | dest port | flag bit
allow  | 222.22/16            | outside of 222.22/16 | TCP      | > 1023      | 80        | any
allow  | outside of 222.22/16 | 222.22/16            | TCP      | 80          | > 1023    | ACK
allow  | 222.22/16            | outside of 222.22/16 | UDP      | > 1023      | 53        | ---
allow  | outside of 222.22/16 | 222.22/16            | UDP      | 53          | > 1023    | ---
deny   | all                  | all                  | all      | all         | all       | all
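The following is an added worked example, not part of the lecture slides: a small stateless packet filter that encodes the slide's five ACL rows and applies them top to bottom, first match wins, using exactly the header fields the "Traditional packet filters" slide lists. The sample packets, the TEST-NET addresses outside 222.22/16 and the port numbers are constructed for the example. It also shows why the taxonomy lists stateful filters as the next step: a stateless ACL accepts any inbound TCP segment with the ACK bit set from port 80, whether or not an inside host ever opened that connection.

```python
import ipaddress
from dataclasses import dataclass

# Internal network from the slide's ACL table.
INTERNAL = ipaddress.ip_network("222.22.0.0/16")


@dataclass(frozen=True)
class Packet:
    """The header fields a traditional (stateless) packet filter examines."""
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "TCP", "UDP" or "ICMP"
    sport: int = 0      # source port (0 for ICMP)
    dport: int = 0      # destination port (0 for ICMP)
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One ACL row; each column is 'any' or a concrete constraint."""
    action: str         # "allow" or "deny"
    src: str            # "inside", "outside" or "any"
    dst: str
    proto: str          # "TCP", "UDP", "ICMP" or "any"
    sport: str          # "any", a port number, or ">1023"
    dport: str
    flag: str           # "any", "ACK" or "SYN"


def _side_matches(want: str, addr: str) -> bool:
    if want == "any":
        return True
    inside = ipaddress.ip_address(addr) in INTERNAL
    return inside if want == "inside" else not inside


def _port_matches(want: str, port: int) -> bool:
    if want == "any":
        return True
    if want.startswith(">"):
        return port > int(want[1:])
    return port == int(want)


def _flag_matches(want: str, pkt: Packet) -> bool:
    if want == "any":
        return True
    return pkt.ack if want == "ACK" else pkt.syn


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_side_matches(rule.src, pkt.src)
            and _side_matches(rule.dst, pkt.dst)
            and (rule.proto == "any" or rule.proto == pkt.proto)
            and _port_matches(rule.sport, pkt.sport)
            and _port_matches(rule.dport, pkt.dport)
            and _flag_matches(rule.flag, pkt))


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Apply rules top to bottom; first match wins. Returns (action, row index)."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    # An ACL should end in an explicit deny; fail closed if it does not.
    return "deny", -1


# The slide's ACL, row for row (the "---" flag column means "any").
ACL = [
    Rule("allow", "inside",  "outside", "TCP", ">1023", "80",    "any"),
    Rule("allow", "outside", "inside",  "TCP", "80",    ">1023", "ACK"),
    Rule("allow", "inside",  "outside", "UDP", ">1023", "53",    "any"),
    Rule("allow", "outside", "inside",  "UDP", "53",    ">1023", "any"),
    Rule("deny",  "any",     "any",     "any", "any",   "any",   "any"),
]

# Constructed sample packets; 198.51.100.0/24 is a documentation range.
OUTBOUND_WEB_SYN = Packet("222.22.1.5", "198.51.100.7", "TCP", 40000, 80, syn=True)
WEB_REPLY        = Packet("198.51.100.7", "222.22.1.5", "TCP", 80, 40000, ack=True)
INBOUND_WEB_SYN  = Packet("198.51.100.7", "222.22.44.203", "TCP", 51000, 80, syn=True)
DNS_QUERY        = Packet("222.22.1.5", "198.51.100.53", "UDP", 5353, 53)
DNS_ANSWER       = Packet("198.51.100.53", "222.22.1.5", "UDP", 53, 5353)
OUTBOUND_PING    = Packet("222.22.1.5", "198.51.100.7", "ICMP")
# An ACK segment from outside that belongs to no connection an inside host
# opened: a stateless filter cannot tell, which is the gap stateful filters close.
STRAY_ACK        = Packet("198.51.100.7", "222.22.1.5", "TCP", 80, 1024, ack=True)

if __name__ == "__main__":
    for name, pkt in [("outbound web SYN", OUTBOUND_WEB_SYN), ("web reply", WEB_REPLY),
                      ("inbound web SYN", INBOUND_WEB_SYN), ("DNS query", DNS_QUERY),
                      ("DNS answer", DNS_ANSWER), ("outbound ping", OUTBOUND_PING),
                      ("stray ACK", STRAY_ACK)]:
        action, row = evaluate(ACL, pkt)
        print(f"{name:18s} -> {action} (rule {row})")
```

Run as a script to see each sample packet matched to its ACL row. Note that the inbound SYN to the public web server 222.22.44.203 is denied by this ACL: the "External connections to public Web server only" policy from the filtering-rules slide would need an extra allow row above the final deny, which illustrates why rule order matters in a first-match list.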
Access control lists
◼ Each router/firewall interface can have its own ACL
◼ Most firewall vendors provide both command-line and graphical configuration interfaces