Internet Firewalls
What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw R355

Outline
• Firewall Design Principles
• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations

Firewalls
• Protecting a local network from security threats while affording access to the Internet
Firewall Design Principles
• The firewall is inserted between the private network and the Internet
• Aims:
  • Establish a controlled link
  • Protect the local network from Internet-based attacks
  • Provide a single choke point
Firewall Characteristics
• Design goals for a firewall:
  • All traffic (in or out) must pass through the firewall
  • Only authorized traffic will be allowed to pass
  • The firewall itself is immune to penetration

Firewall Characteristics
• Four general techniques:
  • Service control: the type of Internet services that can be accessed
  • Direction control: inbound or outbound
  • User control: which user is attempting to access the service
  • Behavior control: e.g., filter email to eliminate spam

Components of Firewalls
• Three common components of firewalls:
  • Packet-filtering routers
  • Application-level gateways
  • Circuit-level gateways
  • (Bastion host)
Components of Firewalls (I)
• Packet-filtering Router

Packet-filtering Router
• Applies a set of rules to each incoming IP packet and then forwards or discards the packet
• Filters packets going in both directions
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
• Two default policies (discard or forward) for packets that match no rule

Packet-filtering Router
• Advantages:
  • Simplicity
  • Transparency to users
  • High speed
• Disadvantages:
  • Difficulty of setting up packet filter rules
  • Lack of authentication

Packet-filtering Router
• Open-source under UNIX:
  • IP firewall
  • IPFilter
  • ipchains
Components of Firewalls (II)
• Application-level Gateway

Application-level Gateway
• Also called proxy server
• Acts as a relay of application-level traffic

Application-level Gateway
• Advantages:
  • Higher security than packet filters
  • Only need to check a few allowable applications
  • Easy to log and audit all incoming traffic
• Disadvantages:
  • Additional processing overhead on each connection (gateway as splice point)

Application-level Gateway
• Open-source under UNIX:
  • squid (WWW)
  • delegate (general purpose)
  • osrtspproxy (RTSP)
  • smtpproxy (SMTP)
  • …

Components of Firewalls (III)
• Circuit-level Gateway
Circuit-level Gateway
• Similar to an application-level gateway
• However, it typically relays TCP segments from one connection to the other without examining the contents
• Determines only which connections will be allowed
• Typical usage is a situation in which the system administrator trusts the internal users

In other words
• Korean customs:
  • A circuit-level gateway only checks your nationality
  • An application-level gateway checks your baggage content in addition to your nationality

Components of Firewalls
• Open-source under UNIX:
  • SOCKS
  • dante
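The customs analogy above can be made concrete. The following added example (not code from the slides or from any of the listed projects) puts the same proxied HTTP request through a circuit-level check, which looks only at who is connecting and to which port, and then through an application-level check, which additionally parses the request and applies an HTTP policy. The user list, port list, allowed hosts, and sample requests are all constructed for illustration.

```python
"""Added example, not from the slides: the same proxied HTTP request judged first by a
circuit-level check (connection only) and then by an application-level check (payload too).
The user list, port list, host list and sample requests are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed circuit-level policy: which internal users may open outbound circuits, to which ports.
TRUSTED_USERS = {"alice", "bob"}
ALLOWED_DST_PORTS = {80, 443}

# Constructed application-level policy for an HTTP proxy: methods and servers it will relay to.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}


@dataclass(frozen=True)
class Connection:
    user: str       # identity of the internal client (user control)
    dst_port: int   # service being requested (service control)


def circuit_level_decision(conn: Connection) -> bool:
    """Circuit-level gateway: decides per connection and never looks at the bytes relayed."""
    return conn.user in TRUSTED_USERS and conn.dst_port in ALLOWED_DST_PORTS


def parse_request_line(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, target, version) from the first line, or None if it is not an HTTP request line."""
    first_line, _, _ = payload.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    try:
        method, target, version = (p.decode("ascii") for p in parts)
    except UnicodeDecodeError:
        return None
    return method, target, version


def application_level_decision(conn: Connection, payload: bytes) -> bool:
    """Application-level gateway: the circuit check plus inspection of the application data."""
    if not circuit_level_decision(conn):
        return False
    parsed = parse_request_line(payload)
    if parsed is None:
        return False   # a proxy that does not understand the protocol relays nothing
    method, target, _version = parsed
    url = urlsplit(target)   # proxy-style requests carry an absolute URL as the target
    return (method in ALLOWED_METHODS
            and url.scheme in ("http", "https")
            and url.hostname in ALLOWED_HOSTS)


if __name__ == "__main__":
    conn = Connection("alice", 80)   # constructed: trusted user, allowed port
    samples = (
        b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"POST http://www.example.com/upload HTTP/1.1\r\n\r\n",
        b"\x16\x03\x01 not http at all",
    )
    for payload in samples:
        print("circuit:", circuit_level_decision(conn),
              "application:", application_level_decision(conn, payload), payload[:24])
```

Running it shows the point of the slide: the circuit-level check answers "yes" for all three payloads because the connection is the same, while the application-level check accepts only the first one, since it also parses the request and rejects a disallowed method and a payload that is not HTTP at all. That extra inspection is where the higher security of the proxy, and its extra per-connection cost, both come from.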
Components of Firewalls (II) and (III)
• Bastion Host
• Serves as:
  • application-level gateway
  • circuit-level gateway
  • both
Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations

Configurations (I)
• Screened host firewall system (single-homed bastion host)

Configurations (I)
• Consists of two systems:
  • A packet-filtering router and a bastion host
• Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions

More secure
• More secure than each single component because it offers both packet-level and application-level filtering

Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Configurations (II)
• Screened host firewall system (dual-homed bastion host)

Configurations (II)
• Consists of two systems just as configuration (I) does
• However, the bastion host separates the network into two subnets

Even more secure
• An intruder must generally penetrate two separate systems

Configurations (III)
• Screened-subnet firewall system

Configurations (III)
• Three-level defense
• Most secure
• Two packet-filtering routers are used
• Creates an isolated sub-network
• Private network is invisible to the Internet
• Computers inside the private network cannot construct direct routes to the Internet
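The packet-filtering slides describe a router that matches IP and TCP header fields against an ordered rule list and falls back to a default policy, and the configuration slides describe what those rules must express for a screened host (only packets to and from the bastion pass) and for a screened subnet (two routers, no direct route from the private network to the Internet). The following added example, which is not code from the slides or from any firewall package, implements that first-match rule engine and then builds both rulesets on it. All addresses, the bastion hosts and the rules are constructed for illustration.

```python
"""Added example, not from the slides: a first-match packet filter with a default
policy, plus constructed rulesets for the screened-host and screened-subnet
configurations. Addresses, hosts and rules are all made up for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = toward the protected side, "out" = away from it
    src: str              # IP header: source address
    dst: str              # IP header: destination address
    proto: str = "tcp"    # IP header: protocol
    dst_port: int = 0     # TCP/UDP header: destination port


@dataclass(frozen=True)
class Rule:
    action: str                        # "forward" or "discard"
    direction: Optional[str] = None    # None means "any" for this and every field below
    src: Optional[str] = None          # CIDR, e.g. "10.0.0.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        return all((
            self.direction is None or self.direction == pkt.direction,
            self.src is None or ip_address(pkt.src) in ip_network(self.src),
            self.dst is None or ip_address(pkt.dst) in ip_network(self.dst),
            self.proto is None or self.proto == pkt.proto,
            self.dst_port is None or self.dst_port == pkt.dst_port,
        ))


class PacketFilter:
    """Applies rules in order; the first match decides, otherwise the default policy applies."""

    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges).
INTERNAL_NET = "10.0.0.0/24"
SCREENED_HOST_BASTION = "10.0.0.2/32"   # configuration (I): single-homed bastion on the internal net
DMZ_NET = "192.0.2.0/24"                # configuration (III): the isolated sub-network
DMZ_BASTION = "192.0.2.2/32"            # configuration (III): bastion on the screened subnet

# Configuration (I): one router; only packets to and from the bastion host pass.
SCREENED_HOST = PacketFilter([
    # Anti-spoofing first: a packet from the Internet claiming an internal source is never genuine,
    # and this rule must precede the forward rules so a spoofed packet to the bastion is dropped.
    Rule("discard", direction="in", src=INTERNAL_NET),
    Rule("forward", direction="in", dst=SCREENED_HOST_BASTION),
    Rule("forward", direction="out", src=SCREENED_HOST_BASTION),
], default="discard")

# Configuration (III): two routers. The outer router exposes only the DMZ bastion to the
# Internet; the inner router lets the private network talk to the bastion and nothing else.
OUTER_ROUTER = PacketFilter([
    Rule("discard", direction="in", src=DMZ_NET),
    Rule("discard", direction="in", src=INTERNAL_NET),
    Rule("forward", direction="in", dst=DMZ_BASTION),
    Rule("forward", direction="out", src=DMZ_BASTION),
])
INNER_ROUTER = PacketFilter([
    Rule("forward", direction="in", src=DMZ_BASTION, dst=INTERNAL_NET),
    Rule("forward", direction="out", src=INTERNAL_NET, dst=DMZ_BASTION),
])


def path_decision(pkt: Packet, routers: List[PacketFilter]) -> str:
    """Outcome for a packet that must cross the listed routers in order: one discard stops it."""
    for router in routers:
        if router.decide(pkt) == "discard":
            return "discard"
    return "forward"


if __name__ == "__main__":
    print(SCREENED_HOST.decide(Packet("in", "203.0.113.7", "10.0.0.2", dst_port=25)))    # forward
    print(SCREENED_HOST.decide(Packet("in", "203.0.113.7", "10.0.0.50", dst_port=25)))   # discard
    print(path_decision(Packet("out", "10.0.0.50", "203.0.113.7", dst_port=80),
                        [INNER_ROUTER, OUTER_ROUTER]))                                  # discard
```

Two details are worth noticing. First, the default policy is not a cosmetic setting: with the same three screened-host rules and a default of `forward`, a packet from the Internet to an internal workstation that no rule mentions would be forwarded, which is exactly the "difficulty of setting up packet filter rules" the slides warn about. Second, rule order matters in a first-match list, which is why the anti-spoofing discard sits above the forward rules. The filter here is stateless, as the slides describe; a real deployment also needs rules (or connection tracking) for the reply traffic of connections the bastion opens.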
Capabilities of a firewall
• Defines a single choke point at which security features are applied
• Security management is simplified
• Provides a location for monitoring, audits and alarms
• A convenient platform for several non-security-related Internet functions
  • e.g., NAT, network management
• Can serve as the platform for IPSec
  • Implement a VPN with tunnel mode capability

What firewalls cannot protect against
• Attacks that bypass the firewall
  • e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
  • e.g., a disgruntled employee or an employee who cooperates with external attackers
• The transfer of virus-infected programs or files

Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997