Protection in Programmed Systems (הגנה במערכות מתוכנתות), Winter 5764 (2003/04), Lecture 7: Firewalls. References: Chapman, Zwicky. Building Internet Firewalls. O'Reilly, 1995. Cheswick, Bellovin. Firewalls

  • Published on
    19-Dec-2015

Transcript

<ul>
<li>Slide 1</li>
<li>Slide 2 (title): Lecture 7, Firewalls. References: Chapman, Zwicky. Building Internet Firewalls. O'Reilly, 1995. Cheswick, Bellovin. Firewalls and Internet Security. Addison Wesley, 1994.</li>
<li>Slide 3 (7-2)</li>
<li>Slide 4 (7-3): Firewalls. Firewall; Firewall (choke point); firewall.</li>
<li>Slide 5 (7-4): Figure labels: private network, HUB, Server, Router, Internet, Server, Router.</li>
<li>Slide 6 (7-5): Firewall? Firewall; Firewall.</li>
<li>Slide 7 (7-6): Firewall. Firewall; multi-homed host; Firewall; Firewall.</li>
<li>Slide 8 (7-7): Firewalls. Choke point; Firewall; Fail safe.</li>
<li>Slide 9 (7-8): Firewall? Firewall; Firewall; Firewall.</li>
<li>Slide 10 (7-9): Firewall. Figure labels: private network, Server, HUB, Router, Internet.</li>
<li>Slide 11 (7-10): Bastion Host (BH). Bastion host; BH; Bastion Hosts.</li>
<li>Slide 12 (7-11): Bastion hosts. Figure labels: private network, Server, HUB, Router, Internet.</li>
<li>Slide 13 (7-12): Bastion Hosts. 1. Non-routing dual-homed host. 2. BH. 3. BH; BH.</li>
<li>Slide 14 (7-13): (DMZ) (Perimeter Network). Bastion hosts; DMZ; proxies.</li>
<li>Slide 15 (7-14): DMZ 1. Figure labels: private network, Server, HUB, Router, Internet.</li>
<li>Slide 16 (7-15): DMZ 2. Figure labels: private network, Server, HUB, Router, Internet.</li>
<li>Slide 17 (7-16): clients; web server.</li>
<li>Slide 18 (7-17): sessions; DMZ; proxy servers.</li>
<li>Slide 19 (7-18): Firewall: Proxy server a.k.a. Application level relays; Packet filters.</li>
<li>Slide 20 (7-19): IP datagram. Figure labels: MAC, IP, TCP/UDP, Application (Host A); MAC, IP, TCP/UDP, Application (Host B); MAC, IP (Gateway G2); MAC, IP (Gateway G1).</li>
<li>Slide 21 (7-20): Packet filtering. Figure labels: MAC, IP, TCP/UDP, Application (Host A); MAC, IP, TCP/UDP, Application (Host B); MAC, IP (Packet filtering Firewall).</li>
<li>Slide 22 (7-21): Packet Filter. Packet filter; Packet filter (to forward).</li>
<li>Slide 23 (7-22): IP; (TCP, UDP); ACK (in/out); Packet filter; TCP/UDP header; IP header; TCP header.</li>
<li>Slide 24 (7-23)</li>
<li>Slide 25 (7-24): Ack; TCP; TCP session; session, ack=0; session, ack=1; ack=0; session; sessions.</li>
<li>Slide 26 (7-25): Packet filter: telnet.</li>
<li>Slide 27 (7-26): Packet filter.</li>
<li>Slide 28 (7-27): FTP. FTP; TCP; port 21 - command port; port 20; FTP; client; command session; port; data session; data session; port 20; port; client; FTP.</li>
<li>Slide 29 (7-28): FTP and Firewalls. FTP; firewall; server; data session; firewalls; client; pasv; command session; port (&gt;1023); client; session; port; port; server; FTP.</li>
<li>Slide 30 (7-29): FTP and Firewalls. Firewalls; session; Firewall; Stateful inspection; packet filter; command session; data session; packet filter.</li>
<li>Slide 31 (7-30): FTP (RTP, H323); port; TCP; UDP.</li>
<li>Slide 32 (7-31): Proxy server. Figure labels: MAC, IP, TCP/UDP, Application (Host A); MAC, IP, TCP/UDP, Application (Host B); MAC, IP, TCP/UDP, Application (Proxy server).</li>
<li>Slide 33 (7-32): Proxy Servers. Firewall; Client; Server; client; proxy server; server. Figure labels: Server, Client, Proxy Server.</li>
<li>Slide 34 (7-33): Proxy servers. Proxy server; Proxy applications; Proxy server; TCP; TCP; Proxy server; Packet filter.</li>
<li>Slide 35 (7-34): telnet (Proxy server). sara_pc.radguard.com; tx.technion.ac.il; 1778; 23.</li>
<li>Slide 36 (7-35): telnet (Proxy server). sara_pc.radguard.com; 1778; proxy.radguard.com; 8023; c tx.technion.ac.il; tx.technion.ac.il; 23; 1889.</li>
<li>Slide 37 (7-36): Proxy servers. access control (telnet, ftp); tcp; client; server; proxy.</li>
<li>Slide 38 (7-37): Packet filters. routers; (Stateful inspection).</li>
<li>Slide 39 (7-38): Proxy server; Packet filter; IP; Authentication; firewall (session).</li>
<li>Slide 40 (7-39): Packet Filtering.</li>
<li>Slide 41 (7-40): Packet filtering; sessions; session; session.</li>
<li>Slide 42 (7-41): Session context. Session; session; session; session; session.</li>
<li>Slide 43 (7-42): Stateful inspection. Packet filter; packet filter; gateway; packet filter; session; stateful inspection.</li>
<li>Slide 44 (7-43): Stateful inspection. Stateful inspection; session context; FTP; packet filters; command session; data session; stateful inspection; data session.</li>
<li>Slide 45 (7-44): Firewalls. Firewall; Firewall; FTP active mode; firewall-friendly protocols.</li>
<li>Slide 46 (7-45): Firewall: Proxy; Stateful Inspection; Packet Filtering; Packet Filtering (stateless).</li>
<li>Slide 47 (7-46): Firewalls. firewalls; 5; Firewall; firewalls; 80.</li>
</ul>