Internet Firewalls


Presentation Transcript


  1. Internet Firewalls
  What it is all about
  Concurrency System Lab, EE, National Taiwan University
  http://cobra.ee.ntu.edu.tw
  R355

  2. Outline
  • Firewall Design Principles
  • Firewall Characteristics
  • Components of Firewalls
  • Firewall Configurations

  3. Firewalls
  • Protecting a local network from security threats while affording access to the Internet

  4. Firewall Design Principles
  • The firewall is inserted between the private network and the Internet
  • Aims:
    • Establish a controlled link
    • Protect the local network from Internet-based attacks
    • Provide a single choke point

  5. Firewall Characteristics
  • Design goals for a firewall:
    • All traffic (in or out) must pass through the firewall
    • Only authorized traffic will be allowed to pass
    • The firewall itself is immune to penetration

  6. Firewall Characteristics
  • Four general techniques:
    • Service control: the type of Internet services that can be accessed
    • Direction control: inbound or outbound
    • User control: which user is attempting to access the service
    • Behavior control: e.g., filter email to eliminate spam

  7. Components of Firewalls
  • Three common components of firewalls:
    • Packet-filtering routers
    • Application-level gateways
    • Circuit-level gateways
    • (Bastion host)

  8. Components of Firewalls (I)
  • Packet-filtering Router

  9. Packet-filtering Router
  • Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  • Filters packets going in both directions
  • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  • Two default policies (discard or forward)

  10. TCP/IP header

  11. Packet-filtering Router
  • Advantages:
    • Simplicity
    • Transparency to users
    • High speed
  • Disadvantages:
    • Difficulty of setting up packet filter rules
    • Lack of authentication

  12. Packet-filtering Router
  • Open-source under UNIX:
    • IP firewall
    • IPFilter
    • IPchains

  13. Components of Firewalls (II)
  • Application-level Gateway

  14. Application-level Gateway
  • Also called proxy server
  • Acts as a relay of application-level traffic

  15. Application-level Gateway
  • Advantages:
    • Higher security than packet filters
    • Only needs to check a few allowable applications
    • Easy to log and audit all incoming traffic
  • Disadvantages:
    • Additional processing overhead on each connection (gateway as splice point)

  16. Application-level Gateway
  • Open-source under UNIX:
    • squid (WWW)
    • delegate (general purpose)
    • osrtspproxy (RTSP)
    • smtpproxy (SMTP)
    • …

  17. Components of Firewalls (III)
  • Circuit-level Gateway

  18. Circuit-level Gateway
  • Similar to an application-level gateway
  • However, it typically relays TCP segments from one connection to the other without examining the contents
  • Determines only which connections will be allowed
  • Typical usage is a situation in which the system administrator trusts the internal users

  19. In other words
  • Korean customs analogy:
    • A circuit-level gateway only checks your nationality
    • An application-level gateway checks your baggage contents in addition to your nationality
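To make the customs analogy concrete, here is an added example (my own code, not from the lecture) that runs the two decisions side by side on the same connection: the circuit-level function looks only at who is connecting and to which port and never reads the payload, while the application-level function additionally parses the HTTP request head and checks method and Host before relaying. The user names, the allowed host list and the request bytes are constructed for the example; the relay itself is not implemented, only the allow/deny decision and the audit log line each gateway can produce.

```python
"""Circuit-level versus application-level relay decisions on the same
connection.  Added example, not the lecture's code; users, hosts and
request bytes are constructed."""
import logging
from dataclasses import dataclass
from typing import Optional, Tuple

log = logging.getLogger("gateway")

TRUSTED_USERS = {"alice", "bob"}     # constructed: internal users the admin trusts
ALLOWED_PORTS = {80}                 # the only destination port either gateway relays
ALLOWED_METHODS = {"GET", "HEAD"}    # what the HTTP proxy lets through
ALLOWED_HOSTS = {"www.example.com"}  # constructed destination whitelist


@dataclass
class Connection:
    user: str        # who opened the circuit (e.g. the SOCKS username)
    dst_host: str
    dst_port: int
    payload: bytes   # first bytes the client sends once the circuit exists


def circuit_level_decide(conn: Connection) -> bool:
    """Checks only who is connecting and where; the payload is relayed unread."""
    ok = conn.user in TRUSTED_USERS and conn.dst_port in ALLOWED_PORTS
    log.info("circuit %s -> %s:%d %s", conn.user, conn.dst_host, conn.dst_port,
             "ALLOW" if ok else "DENY")
    return ok


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x request-head parser; None means 'not a well-formed request'."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers}


def application_level_decide(conn: Connection) -> bool:
    """Same identity and port checks, then inspects the request before relaying."""
    if not circuit_level_decide(conn):
        return False
    req = parse_http_request(conn.payload)
    if req is None:
        log.warning("proxy %s -> %s:%d DENY: payload is not an HTTP request",
                    conn.user, conn.dst_host, conn.dst_port)
        return False
    host = req["headers"].get("host", "")
    ok = req["method"] in ALLOWED_METHODS and host in ALLOWED_HOSTS
    log.info("proxy %s %s %s host=%s %s", conn.user, req["method"], req["target"],
             host, "ALLOW" if ok else "DENY")
    return ok


def compare(conn: Connection) -> Tuple[bool, bool]:
    """(circuit-level verdict, application-level verdict) for one connection."""
    return circuit_level_decide(conn), application_level_decide(conn)


# Constructed sample connections; the comment gives the expected pair of verdicts.
SAMPLES = {
    "plain GET": Connection("alice", "www.example.com", 80,
                            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),   # (True, True)
    "POST upload": Connection("alice", "www.example.com", 80,
                              b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),    # (True, False)
    "not HTTP": Connection("bob", "www.example.com", 80, b"SSH-2.0-OpenSSH\r\n"),           # (True, False)
    "wrong port": Connection("alice", "www.example.com", 22, b"SSH-2.0-OpenSSH\r\n"),       # (False, False)
    "untrusted user": Connection("carol", "www.example.com", 80,
                                 b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),        # (False, False)
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    for name, conn in SAMPLES.items():
        print(f"{name:15} circuit={compare(conn)[0]!s:5} application={compare(conn)[1]}")
```

The "POST upload" and "not HTTP" rows are the point of slide 18: the circuit-level gateway accepts both because the trusted user is talking to an allowed port, and only the application-level gateway notices that the content is a disallowed method or not HTTP at all. The price is the per-request parsing, which is the "additional processing overhead" slide 15 lists.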

  20. Components of Firewalls
  • Open-source under UNIX:
    • SOCKS
    • dante

  21. Components of Firewalls (II) ∪ (III)
  • Bastion host serves as:
    • application-level gateway
    • circuit-level gateway
    • both

  22. Firewall Configurations
  • In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
  • Three common configurations

  23. Configurations (I)
  • Screened host firewall system (single-homed bastion host)

  24. Configurations (I)
  • Consists of two systems: a packet-filtering router and a bastion host
  • Only packets from and to the bastion host are allowed to pass through the router
  • The bastion host performs authentication and proxy functions
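As an added example (not the lecture's code) that serves slide 9 and slide 24 together: a stateless packet filter that matches IP and TCP header fields against an ordered rule list with a default policy, loaded with the rule set the router of a screened-host configuration needs, where only packets to and from the bastion host pass. The addresses (10.0.0.0/8 for the private network, 203.0.113.10 for the bastion, 198.51.100.7 as an Internet host), the ports the bastion publishes, the ACK-based "established" test and the anti-spoofing rule are assumptions of the example, not from the slides.

```python
"""Rule-based packet filter with a default policy, applied to the router of a
screened-host (single-homed bastion) configuration.  Added example, not the
lecture's code; all addresses are constructed documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag set: belongs to an established connection


@dataclass(frozen=True)
class Rule:
    """One filter rule; every field left at its default matches anything."""
    action: str                                 # "forward" or "discard"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[FrozenSet[int]] = None     # None = any destination port
    established: Optional[bool] = None          # True = ACK set, False = SYN only
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.established is not None and self.established != pkt.ack:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "discard") -> str:
    """First matching rule wins; a packet matched by no rule gets the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed topology: private net behind the router, bastion on the screened segment.
PRIVATE_NET = "10.0.0.0/8"
BASTION = "203.0.113.10"
PUBLISHED = frozenset({25, 80})     # SMTP relay and HTTP proxy offered by the bastion

SCREENED_HOST_RULES = [
    # Packets arriving from the Internet must never claim an internal source address.
    Rule("discard", direction="in", src=PRIVATE_NET, comment="spoofed internal source"),
    # Inbound: only new TCP connections to the bastion's published services.
    Rule("forward", direction="in", proto="tcp", dst=BASTION, dports=PUBLISHED,
         established=False, comment="new connection to bastion service"),
    # Inbound: replies to connections the bastion itself opened (stateless ACK check).
    Rule("forward", direction="in", proto="tcp", dst=BASTION, established=True,
         comment="reply to bastion"),
    # Outbound: only the bastion talks to the Internet; inside hosts go via its proxies.
    Rule("forward", direction="out", src=BASTION, comment="bastion to Internet"),
]   # everything else falls through to the default policy: discard


def decide(pkt: Packet) -> str:
    return filter_packet(SCREENED_HOST_RULES, pkt)


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "198.51.100.7", BASTION, 40000, 25),         # forward
        Packet("in", "tcp", "198.51.100.7", "10.1.2.3", 40000, 22),     # discard
        Packet("in", "tcp", "10.5.5.5", BASTION, 40000, 25),            # discard (spoof)
        Packet("out", "tcp", "10.1.2.3", "198.51.100.7", 40000, 80),    # discard
        Packet("out", "tcp", BASTION, "198.51.100.7", 40000, 80),       # forward
        Packet("in", "tcp", "198.51.100.7", BASTION, 80, 40000, True),  # forward (reply)
    ]
    for p in samples:
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"ack={p.ack}: {decide(p)}")
```

Two things the slides state are visible in the rule table: the default policy is "discard", so anything not explicitly listed (an inside host trying to reach the Internet directly, a connection to an unpublished port on the bastion) is dropped, and the filter never sees the application data, which is why the bastion behind it still has to do the authentication and proxying.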

  25. More secure
  • More secure than each single component because it offers both packet-level and application-level filtering

  26. Firewall Configurations
  • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

  27. Configurations (II)
  • Screened host firewall system (dual-homed bastion host)

  28. Configurations (II)
  • Consists of two systems, just as configuration (I) does
  • However, the bastion host separates the network into two subnets

  29. Even more secure
  • An intruder must generally penetrate two separate systems

  30. Configurations (III)
  • Screened-subnet firewall system

  31. Configurations (III)
  • Three-level defense
  • Most secure
  • Two packet-filtering routers are used
  • Creates an isolated sub-network
  • Private network is invisible to the Internet
  • Computers inside the private network cannot construct direct routes to the Internet

  32. Demo

  33. Conclusion

  34. Capabilities of a firewall
  • Defines a single choke point at which security features are applied
  • Security management is simplified
  • Provides a location for monitoring, audits and alarms
  • A convenient platform for several non-security-related Internet functions, e.g., NAT, network management
  • Can serve as the platform for IPSec
    • Implement VPN with tunnel-mode capability

  35. What firewalls cannot protect against
  • Attacks that bypass the firewall, e.g., dial-in or dial-out capabilities that internal systems provide
  • Internal threats, e.g., a disgruntled employee or an employee who cooperates with external attackers
  • The transfer of virus-infected programs or files

  36. Recommended Reading
  • Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995
  • Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
  • Gasser, M. Building a Secure Computer System. Reinhold, 1988
  • Pfleeger, C. Security in Computing. Prentice Hall, 1997
