Protection in Programmed Systems, Winter 5764 (2003/04), Lecture 7: Firewalls. Literature: Chapman, Zwicky. Building Internet Firewalls. O'Reilly, 1995. Cheswick, Bellovin. Firewalls and Internet Security. Addison Wesley, 1994.

  • Slide 1
  • Slide 2
  • Lecture 7: Firewalls. Literature: Chapman, Zwicky. Building Internet Firewalls. O'Reilly, 1995. Cheswick, Bellovin. Firewalls and Internet Security. Addison Wesley, 1994.
  • Slide 3
  • Slide 4
  • Firewalls. The firewall is the single point through which all traffic between the networks passes (a choke point).
  • Slide 5
  • Diagram: a private network (hub, server) connected through a router to the Internet, with a server and router on the far side.
  • Slide 6
  • Firewall? (remainder of slide text not recovered)
  • Slide 7
  • Firewall. The firewall can be implemented on a multi-homed host (a host with more than one network interface).
  • Slide 8
  • Firewalls: choke point; fail safe.
  • Slide 9
  • Firewall? (remainder of slide text not recovered)
  • Slide 10
  • Diagram: the firewall placed between the private network (server, hub) and the router to the Internet.
  • Slide 11
  • Bastion Host (BH). (remainder of slide text not recovered)
  • Slide 12
  • Diagram: bastion hosts placed between the private network (server, hub) and the router to the Internet.
  • Slide 13
  • Bastion Hosts. 1. Non-routing dual-homed host. 2. BH (text not recovered). 3. BH (text not recovered).
  • Slide 14
  • DMZ (Perimeter Network). The bastion hosts are placed in the DMZ; proxies.
  • Slide 15
  • Diagram: DMZ, variant 1 (private network, server, hub, router, Internet).
  • Slide 16
  • Diagram: DMZ, variant 2 (private network, server, hub, router, Internet).
  • Slide 17
  • (clients) ... (e.g. a web server). (remainder of slide text not recovered)
  • Slide 18
  • Sessions; proxy servers in the DMZ. (remainder of slide text not recovered)
  • Slide 19
  • Firewall types: proxy server, a.k.a. application level relay; packet filters.
  • Slide 20
  • Diagram: path of an IP datagram from Host A (MAC, IP, TCP/UDP, Application) through Gateway G1 (MAC, IP) and Gateway G2 (MAC, IP) to Host B (MAC, IP, TCP/UDP, Application).
  • Slide 21
  • Diagram: packet filtering. Host A (MAC, IP, TCP/UDP, Application), a packet filtering firewall (MAC, IP), Host B (MAC, IP, TCP/UDP, Application).
  • Slide 22
  • Packet Filter. A packet filter decides, packet by packet, whether to forward it.
  • Slide 23
  • What the packet filter looks at: the IP header; the transport protocol (TCP, UDP); the TCP/UDP header; the ACK bit; the direction (in/out).
  • Slide 24
  • Slide 25
  • The ACK bit in TCP. The packet that opens a TCP session has ack=0; every later packet of the session has ack=1. Dropping packets with ack=0 therefore blocks the opening of sessions in that direction while existing sessions continue.
  • Slide 26
  • Example: packet filter rules for telnet. (remainder of slide text not recovered)
  • Slide 27
  • Packet filter (continued).
  • Slide 28
  • Example: FTP. FTP runs over TCP and uses two ports: port 21 is the command port and port 20 is the data port. The client opens the command session to port 21 of the server; the data session is opened by the server, from port 20, to a port on the client.
  • Slide 29
  • FTP and firewalls. The FTP data session is a problem for firewalls because the server opens it toward the client. Through a firewall, the client sends pasv on the command session, the server replies with a port (>1023), and the client then opens the data session to that port on the server.
  • Slide 30
  • FTP and firewalls (continued). Firewall with stateful inspection: the packet filter watches the command session and admits the matching data session (which a plain packet filter cannot do).
  • Slide 31
  • Like FTP, other protocols (e.g. RTP, H.323) choose the port dynamically, over TCP and UDP.
  • Slide 32
  • Diagram: proxy server. Host A (MAC, IP, TCP/UDP, Application), the proxy server (MAC, IP, TCP/UDP, Application), Host B (MAC, IP, TCP/UDP, Application).
  • Slide 33
  • Proxy Servers. The firewall sits between client and server: the client talks to the proxy server, and the proxy server talks to the server on the client's behalf.
  • Slide 34
  • Proxy servers (continued). The proxy server runs proxy applications; it terminates the client's TCP connection and opens its own TCP connection to the server, unlike a packet filter. Example:
  • Slide 35
  • Example: telnet (without a proxy server). sara_pc.radguard.com, port 1778, connects directly to tx.technion.ac.il, port 23.
  • Slide 36
  • Example: telnet (with a proxy server). sara_pc.radguard.com, port 1778, connects to proxy.radguard.com, port 8023; the user types "c tx.technion.ac.il"; the proxy then opens its own connection, from port 1889, to tx.technion.ac.il, port 23.
  • Slide 37
  • Proxy servers: access control per application (e.g. for telnet, for ftp); TCP client-server; a proxy is needed for the application.
  • Slide 38
  • Packet filters: implemented in routers; (stateful inspection).
  • Slide 39
  • Proxy server vs. packet filter: the packet filter decides on IP-level information only. Authentication at the firewall (per session).
  • Slide 40
  • Packet Filtering
  • Slide 41
  • Packet filtering: packets are judged one by one, but they belong to sessions; the filter does not know which session a packet belongs to.
  • Slide 42
  • Session context. (remainder of slide text not recovered)
  • Slide 43
  • Stateful inspection. A packet filter on the gateway that remembers per-session state, and filters each packet in the context of its session, is called stateful inspection.
  • Slide 44
  • Stateful inspection. Stateful inspection uses the session context to handle FTP in packet filters: it watches the command session and opens the data session accordingly.
  • Slide 45
  • Firewalls and protocol design: FTP active mode versus "firewall-friendly" protocols.
  • Slide 46
  • Firewall comparison: proxy; stateful inspection; packet filtering; packet filtering (stateless).
  • Slide 47
  • Firewalls: (slide text largely not recovered; mentions "5" and "80").
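The ACK-bit rule of slide 25, the active-mode FTP problem of slides 28-29 and the stateful inspection of slide 44, as one added example that is not part of the lecture: a toy filter with constructed packets (the addresses, ports and the `Packet`/`StatefulInspector` names are assumptions). It shows that the stateless rule drops the server's data-session SYN, and that parsing the client's PORT command on the command session lets the inspector admit exactly that SYN and nothing else.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = Internet -> private network, "out" = reverse
    src: str
    sport: int
    dst: str
    dport: int
    ack: int        # TCP ACK bit: 0 only on the packet that opens a session
    payload: str = ""

def stateless_filter(p: Packet) -> bool:
    """Slide 25 rule: forward everything outbound, but forward inbound
    packets only when ACK=1, so no session can be opened from outside."""
    return p.direction == "out" or p.ack == 1

class StatefulInspector:
    """Slide 44: read the FTP command session (port 21) for PORT commands
    and admit exactly one matching data connection from server port 20."""
    def __init__(self):
        self.expected_data = set()  # (client_ip, client_port) awaiting a SYN

    def allow(self, p: Packet) -> bool:
        if p.direction == "out" and p.dport == 21 and p.payload.startswith("PORT "):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in p.payload[5:].split(","))
            self.expected_data.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            return True
        if p.direction == "in" and p.ack == 0 and p.sport == 20:
            if (p.dst, p.dport) in self.expected_data:
                self.expected_data.discard((p.dst, p.dport))  # one-shot hole
                return True
        return stateless_filter(p)

# Constructed traffic: internal client 10.0.0.5, FTP server 192.0.2.10,
# unrelated outside host 198.51.100.7 (all addresses are made up).
PORT_CMD = Packet("out", "10.0.0.5", 1778, "192.0.2.10", 21, 1, "PORT 10,0,0,5,7,25")
DATA_SYN = Packet("in", "192.0.2.10", 20, "10.0.0.5", 7 * 256 + 25, 0)
ROGUE_SYN = Packet("in", "198.51.100.7", 20, "10.0.0.5", 2000, 0)
LONE_ACK = Packet("in", "198.51.100.7", 4321, "10.0.0.5", 23, 1)

def demo():
    """Returns (stateless drops active-mode data SYN, stateful admits PORT,
    stateful admits matching SYN, same SYN again, rogue SYN, lone ACK)."""
    insp = StatefulInspector()
    return (stateless_filter(DATA_SYN), insp.allow(PORT_CMD),
            insp.allow(DATA_SYN), insp.allow(DATA_SYN),
            insp.allow(ROGUE_SYN), stateless_filter(LONE_ACK))
```

The last value of `demo()` is the session-context gap of slides 41-43: a stateless filter forwards an inbound packet with ACK=1 even though no session exists, which is exactly what stateful inspection is meant to close.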