Scribd
Upload
61 views

6.firewall and Trusted Systems

Firewalls serve as a control point between networks, allowing only authorized traffic while monitoring and auditing access. They provide perimeter defense but cannot fully protect against all internal or external threats. The simplest type of firewall is a packet filter, which examines packets but lacks context. More advanced stateful packet filters and application proxies add context awareness but require custom support for specific services. Bastion hosts and access control matrices help enforce separation of trusted networks and control access to resources.

Uploaded by

Datta Rajendra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
61 views

6.firewall and Trusted Systems

Firewalls serve as a control point between networks, allowing only authorized traffic while monitoring and auditing access. They provide perimeter defense but cannot fully protect against all internal or external threats. The simplest type of firewall is a packet filter, which examines packets but lacks context. More advanced stateful packet filters and application proxies add context awareness but require custom support for specific services. Bastion hosts and access control matrices help enforce separation of trusted networks and control access to resources.

Uploaded by

Datta Rajendra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 19

What is a Firewall?

• a choke point of control and monitoring


• interconnects networks with differing trust
• imposes restrictions on network services
– only authorized traffic is allowed
• auditing and controlling access
– can implement alarms for abnormal behavior
• is itself immune to penetration
• provides perimeter defence
Firewall Limitations
• cannot protect from attacks bypassing it
– eg sneaker net, utility modems, trusted
organisations, trusted services (eg SSL/SSH)
• cannot protect against internal threats
– eg disgruntled employee
• cannot protect against transfer of all virus
infected programs or files
– because of huge range of O/S & file types
Firewalls – Packet Filters
Firewalls – Packet Filters
• simplest of components
• foundation of any firewall system
• examine each IP packet (no context) and
permit or deny according to rules
• hence restrict access to services (ports)
• possible default policies
– that not expressly permitted is prohibited
– that not expressly prohibited is permitted
Firewalls – Packet Filters
Attacks on Packet Filters
• IP address spoofing
– fake source address to be trusted
– add filters on router to block
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
Firewalls – Stateful Packet Filters

• examine each IP packet in context


– keeps tracks of client-server sessions
– checks each packet validly belongs to one
• better able to detect bogus packets out of
context
Firewalls - Application Level
Gateway (or Proxy)
Firewalls - Application Level
Gateway (or Proxy)
• use an application specific gateway / proxy
• has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
Firewalls - Circuit Level Gateway
Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such
connections are allowed
• once created usually relays traffic without
examining contents
• typically used when trust internal users by
allowing general outbound connections
• SOCKS commonly used for this
Bastion Host
• highly secure host system
• potentially exposed to "hostile" elements
• hence is secured to withstand this
• may support 2 or more net connections
• may be trusted to enforce trusted
separation between network connections
• runs circuit / application level gateways
• or provides externally accessible services
Firewall Configurations
Firewall Configurations
Firewall Configurations
Access Control
• given system has identified a user
• determine what resources they can access
• general model is that of access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed
• can decompose by
– columns as access control lists
– rows as capability tickets
Access Control Matrix
Trusted Computer Systems
• information security is increasingly important
• have varying degrees of sensitivity of information
– cf military info classifications: confidential, secret etc
• subjects (people or programs) have varying rights
of access to objects (information)
• want to consider ways of increasing confidence in
systems to enforce these rights
• known as multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
Reference Monitor

You might also like