
Firewalls

Firewall sits between the corporate network and the Internet
• Prevents unauthorized access from the Internet
• Facilitates internal users' access to the Internet

[Diagram: the firewall sits between the Internet and the corporate network; inbound traffic is passed ("OK") or refused ("No"): access only if authenticated]

Firewalls: Packet Filter Firewalls

• Examine each incoming IP packet
• Examine IP and TCP header fields
• If bad behavior is detected, reject the packet
• No sense of previous communication: analyzes each packet in isolation

[Diagram: IP packet arriving at the firewall]
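The following is an added example, not part of the slides: a stateless packet filter that looks only at the IP and TCP header fields of one packet at a time, with a default-deny rule list. Addresses, the 10.0.0.0/8 internal range and the server hosts are assumed; the sample packets are constructed. The last two packets show the limitation the slide names: because the filter has no memory of earlier packets, it can only approximate "reply to a connection we opened" by requiring the ACK bit, so a probe with ACK set looks identical to a genuine reply.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, not parsed from the wire)."""
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    require_ack: bool = False        # stateless stand-in for "part of an existing connection"

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.require_ack and "ACK" not in p.flags:
            return False
        return True


INTERNAL = "10.0.0.0/8"              # assumed corporate address range

PERIMETER_RULES = [
    # Inbound connections only to the expressly permitted services (assumed server addresses)
    Rule("accept", dst="10.0.1.25/32", proto="tcp", dport=25),    # SMTP
    Rule("accept", dst="10.0.1.53/32", proto="udp", dport=53),    # DNS
    Rule("accept", dst="10.0.1.80/32", proto="tcp", dport=80),    # HTTP
    Rule("accept", dst="10.0.1.80/32", proto="tcp", dport=443),   # HTTPS
    # Replies to connections internal hosts opened: with no memory of earlier
    # packets, the best a stateless filter can do is require the ACK bit.
    Rule("accept", dst=INTERNAL, proto="tcp", require_ack=True),
]


def filter_packet(p: Packet, rules=PERIMETER_RULES) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Constructed sample packets arriving from the Internet
REPLY = Packet("203.0.113.10", "10.0.5.7", "tcp", 443, 51000, frozenset({"ACK"}))     # genuine HTTPS reply
SYN_PROBE = Packet("198.51.100.9", "10.0.5.7", "tcp", 40000, 22, frozenset({"SYN"}))  # new connection to SSH
ACK_PROBE = Packet("198.51.100.9", "10.0.5.7", "tcp", 40000, 22, frozenset({"ACK"}))  # same probe with ACK set
MAIL = Packet("198.51.100.9", "10.0.1.25", "tcp", 40000, 25, frozenset({"SYN"}))      # permitted SMTP

if __name__ == "__main__":
    for name, pkt in [("reply", REPLY), ("syn probe", SYN_PROBE), ("ack probe", ACK_PROBE), ("smtp", MAIL)]:
        print(f"{name:10s} -> {filter_packet(pkt)}")
```

The SYN probe is dropped, but the ACK probe is accepted exactly like the real reply: the header fields of the two are indistinguishable in isolation. Closing that gap needs the connection history that the proxy and stateful designs on the following slides keep.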

Firewalls: Application (Proxy) Firewalls

• Filter based on application behavior
• Do not examine packets in isolation: use history
• In HTTP, for example, do not accept a response unless an HTTP request has just gone out to that site

[Diagram: application-layer proxy]

Firewalls: Application (Proxy) Firewalls

• Hide internal IP addresses
• Internal user sends an HTTP request
• HTTP proxy program replaces the user's IP address with the proxy server's IP address, sends to the webserver

[Diagram: HTTP request from the internal user; request forwarded with the proxy server's IP address]

Firewalls: Application (Proxy) Firewalls

• Webserver sends its response to the proxy server, i.e. to the proxy server's IP address
• HTTP proxy server relays the response to the originating internal host
• Overall, the proxy program acts on behalf of the internal user

[Diagram: response addressed to the proxy server's IP address; HTTP response relayed to the internal host]
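The exchange on the three proxy slides above, as an added example that is not part of the slides: a simulated HTTP proxy that rewrites the client's address to the proxy's own address before the request leaves, remembers which internal client is waiting on which web server, and only delivers a response if a request has just gone out to that site. The proxy address 192.0.2.1, the permitted method set and the client addresses are assumptions; network I/O is replaced by plain function calls so it runs offline, and the `server` argument to `deliver_response` stands for the upstream connection the response arrived on.

```python
import re
from collections import deque

PROXY_IP = "192.0.2.1"          # assumed public address of the proxy
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


class HttpProxy:
    """Application-layer proxy: acts on behalf of internal clients and keeps history."""

    def __init__(self, proxy_ip=PROXY_IP):
        self.proxy_ip = proxy_ip
        # history: for each web server, the internal clients still waiting on a response
        self.pending = {}
        self.log = []

    def forward_request(self, client_ip, server, request_line):
        """Return (source_ip, request_line) as the server sees it, or None if blocked."""
        m = REQUEST_LINE.match(request_line)
        if m is None or m.group("method") not in ALLOWED_METHODS:
            # filtering on application behaviour: only well-formed requests with
            # permitted methods are allowed to leave
            self.log.append(f"blocked request from {client_ip}: {request_line!r}")
            return None
        self.pending.setdefault(server, deque()).append(client_ip)
        # the server only ever sees the proxy's address, never the internal client's
        return (self.proxy_ip, request_line)

    def deliver_response(self, server, status_line):
        """Return the internal client that receives this response, or None if dropped."""
        queue = self.pending.get(server)
        if not queue:
            # no request has just gone out to that site: unsolicited, so drop it
            self.log.append(f"dropped unsolicited response from {server}: {status_line!r}")
            return None
        return queue.popleft()


if __name__ == "__main__":
    proxy = HttpProxy()
    print(proxy.forward_request("10.0.5.7", "www.example.com", "GET /index.html HTTP/1.1"))
    print(proxy.deliver_response("www.example.com", "HTTP/1.1 200 OK"))
    print(proxy.deliver_response("www.example.com", "HTTP/1.1 200 OK"))   # nothing pending: dropped
    print(proxy.forward_request("10.0.5.8", "www.example.com", "CONNECT 10.0.5.7:22 HTTP/1.1"))
    print(proxy.log)
```

Two things the packet filter could not do are visible here: a response with no outstanding request is dropped rather than matched on header bits, and a request that is syntactically HTTP but uses a method outside the permitted set never leaves the network.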

Firewalls: Why Hide Internal IP Addresses?

• The first step in an attack usually is to find potential victim hosts
• Sniffer programs read IP packet streams for IP addresses of potential target hosts
• With a proxy server, sniffers will not learn IP addresses of internal hosts

[Diagram: a sniffer on the external path captures only the proxy's (false) IP address, not the internal host's IP address]

Firewalls: Application Firewalls

• Need a separate program (proxy) for each application
• Not all applications have rules that allow filtering

Intrusion Detection

Intrusion detection software to detect and report intrusions as they are occurring
• Lets the organization stop intruders so that intruders do not have unlimited time to probe for weaknesses
• Helps the organization assess security threats
• Audit logs list where the intruder has been: vital in legal prosecution

Intrusion Detection

Signature-based IDS – performs simple pattern-matching and reports situations that match a pattern corresponding to a known attack type

Heuristic IDS (anomaly based) – builds a model of acceptable behavior and flags exceptions to that model
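Both IDS styles from the slide, as an added example that is not part of the slides: a signature detector that pattern-matches requests against a few known attack types, and an anomaly detector that builds a model of acceptable behaviour (per-client request rate, with an assumed 3x headroom over the busiest normal client) from a training window and flags clients that exceed it. The log lines are constructed in common log format; the signatures and addresses are illustrative assumptions, not a real rule set.

```python
import re
from collections import Counter

# Signatures: patterns corresponding to known attack types (illustrative, not a real rule set)
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"('|%27)(\s|%20)*(or|union)\b", re.IGNORECASE),
    "command injection": re.compile(r"[;|`](\s|%20)*(cat|wget|curl|sh)\b"),
}

# Common log format: ip ident user [timestamp] "request" status bytes
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+$')


def parse(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Known-attack detection: each (client, attack type) whose request matched a signature."""
    alerts = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["req"]):
                alerts.append((rec["ip"], name))
    return alerts


def build_baseline(normal_lines):
    """Model of acceptable behaviour: the busiest client seen in normal traffic, with 3x headroom."""
    counts = Counter(rec["ip"] for rec in map(parse, normal_lines) if rec)
    return 3 * max(counts.values(), default=0)


def anomaly_alerts(lines, threshold):
    """Flag clients whose request count in this window exceeds the baseline model."""
    counts = Counter(rec["ip"] for rec in map(parse, lines) if rec)
    return sorted(ip for ip, n in counts.items() if n > threshold)


# Constructed sample log lines (not real traffic)
NORMAL = [
    '10.0.5.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.5.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 311',
    '10.0.5.8 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.5.9 - - [10/Oct/2023:13:55:45 +0000] "POST /login HTTP/1.1" 302 0',
]
OBSERVED = NORMAL + [
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /login?user=admin\' OR 1=1 HTTP/1.1" 200 0',
] + [
    # a scanner walking many paths: no signature matches, only the rate is abnormal
    f'203.0.113.50 - - [10/Oct/2023:13:57:{i:02d} +0000] "GET /page{i} HTTP/1.1" 404 0'
    for i in range(8)
]

if __name__ == "__main__":
    print(signature_alerts(OBSERVED))
    threshold = build_baseline(NORMAL)
    print(threshold, anomaly_alerts(OBSERVED, threshold))
```

The two detectors catch different clients: the signatures flag 198.51.100.9 for two known attack types, while the scanner at 203.0.113.50 matches no signature and is caught only because its request rate exceeds the baseline. That is the trade-off the slide describes: signatures need a known pattern, the anomaly model needs a representative training window and a threshold that does not also flag busy legitimate users.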

Intrusion Detection

Network-based IDS – stand-alone device attached to the network to monitor traffic throughout the network

Host-based IDS – runs on a single workstation, client or host, to protect that one host

Default-Deny Posture

Perimeter Settings: block all protocols except those expressly permitted [e.g. SMTP(25), DNS(53), HTTP(80), SSL(443), …]

Internal Settings: block all unnecessary traffic between internal network segments, remote & VPN connections

Security Configurations: harden servers & workstations to run only necessary services and applications
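The perimeter setting above, checked mechanically, as an added example that is not part of the slides: a small audit of iptables-save output that reports every way a ruleset departs from default-deny (a chain whose default policy is not DROP, an ACCEPT rule that names no destination port, or an accepted port outside the expressly permitted set). The weak and hardened rulesets are constructed, the permitted set is the slide's list, and the loopback and conntrack exceptions are assumptions about what a perimeter host legitimately needs.

```python
PERMITTED_PORTS = {25, 53, 80, 443}     # SMTP, DNS, HTTP, SSL: the services expressly permitted


def audit_iptables(ruleset, permitted=PERMITTED_PORTS):
    """Return a list of findings where an iptables-save ruleset departs from default-deny."""
    findings = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            # chain policy line: ":CHAIN POLICY [packets:bytes]"
            chain, policy = line.split()[:2]
            chain = chain[1:]
            if chain in ("INPUT", "FORWARD") and policy != "DROP":
                findings.append(f"{chain}: default policy is {policy}, expected DROP")
        elif line.startswith("-A"):
            tok = line.split()
            chain = tok[1]
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            if target != "ACCEPT" or chain not in ("INPUT", "FORWARD"):
                continue
            if "-i" in tok and tok[tok.index("-i") + 1] == "lo":
                continue                                 # loopback is not perimeter traffic
            if "--ctstate" in tok or "--state" in tok:
                continue                                 # replies to connections we opened
            if "--dport" not in tok:
                findings.append(f"{chain}: ACCEPT without a destination port: {line}")
                continue
            spec = tok[tok.index("--dport") + 1]
            if not spec.isdigit():
                findings.append(f"{chain}: ACCEPT for port range {spec}, expected a single permitted port")
                continue
            if int(spec) not in permitted:
                findings.append(f"{chain}: ACCEPT for port {spec} is not expressly permitted")
    return findings


# Constructed rulesets in iptables-save format (not taken from a real host)
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, rs in [("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)]:
        print(name, audit_iptables(rs) or ["no findings"])
```

The weak ruleset produces four findings (both default policies, the SSH port, and the catch-all accept); the hardened one, which reaches the same permitted services through explicit per-port rules under a DROP policy, produces none.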

Segment Networks

Patch Management