Telecommunications Networking II, Lecture 41e: Firewalls
Firewalls
Ref: Firewalls and Internet Security, W.R. Cheswick and S.M. Bellovin
Firewall
• A firewall is a mechanism through which we can attempt to protect a collection of computers and networks within an enclave from attacks launched from outside of the protected enclave
• Firewalls can also be used to provide barriers between subsets of computers and networks within an enclave
Firewalls
[Diagram: a gateway computer sits between the ENCLAVE and "the rest of cyberspace"]
[Diagram: firewalls separate Subnet 1 and Subnet 2 inside the enclave from each other and from "the rest of cyberspace"]
Packet Filter (ref: Firewalls and Internet Security)
action   ourhost   port   theirhost   port   comment
block    *         *      spigot      *      block these guys
allow    our GW    25     *           *      our GW's mail
allow    *         *      *           25     ???
Packet Filters
• In the previous slide, we filter packets on the basis of which of "our hosts" (inside the firewall), which of "their hosts" (outside the firewall), and which ports are involved in a TCP connection, independent of which end established the connection
• The first rule keeps spigot from participating in TCP connections with our hosts (we block packets to/from spigot)
Packet Filters
• The second rule allows any host to establish a connection to port 25 (SMTP = mail) on our gateway machine
• The last rule says that any of our hosts can participate in a port 25 (SMTP = mail) TCP connection with any other host. This is dangerous, because an exterior host could use its port 25 to initiate a connection to one of our hosts for a purpose other than mail
Packet Filter (ref: Firewalls and Internet Security)
action   source       port   dest   port    flags
allow    {ourhosts}   *      *      *
allow    *            *      *      *       ACK
allow    *            *      *      >1023
Packet Filters
• In the previous slide, we implement filtering based on which host has originated the TCP session
• In particular, if a packet is an initial request to open up a TCP session, it does not have the TCP "ACK" bit set. All other packets have the "ACK" bit set. A rule that only passes packets with the ACK bit set therefore passes only packets belonging to an already-established connection, so we can block TCP connections that are initiated by "their hosts" (outside of the firewall)
Packet Filters
• We assume that our hosts will reject packets with the ACK bit set if the corresponding TCP connection has not been initiated
• Thus a host that is not one of our hosts cannot establish a TCP connection under either of the first two rules
• The last rule allows external hosts to establish a TCP connection to our hosts if the target port number is higher than 1023
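To make the ACK-bit reasoning of the last two slides concrete, here is a small stateless filter that evaluates the second rule table with first-match semantics and a default deny. It is an added example, not code from the lecture or from Cheswick and Bellovin; the host names, port numbers and the assumption that every non-initial segment carries ACK are constructed for illustration, and the slide's premise that our hosts discard unsolicited ACK segments is taken as given outside the filter.

```python
# Added example: a minimal stateless TCP packet filter for the second rule
# table on the slides. All host names and ports below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # True for every TCP segment except the connection-opening SYN


OUR_HOSTS = {"alpha.ours", "beta.ours", "gw.ours"}  # {ourhosts} on the slide


def matches(field, pattern) -> bool:
    """'*' matches anything, a set matches membership, '>N' matches ports above N."""
    if pattern == "*":
        return True
    if isinstance(pattern, set):
        return field in pattern
    if isinstance(pattern, str) and pattern.startswith(">"):
        return field > int(pattern[1:])
    return field == pattern


# (action, source, sport, dest, dport, flags), in the slide's order.
RULES = [
    ("allow", OUR_HOSTS, "*", "*", "*", "*"),   # anything our hosts send out
    ("allow", "*", "*", "*", "*", "ACK"),       # established traffic only, never a SYN
    ("allow", "*", "*", "*", ">1023", "*"),     # the hole: inbound SYNs to high ports
]


def decide(pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'block' if none matches."""
    for action, src, sport, dst, dport, flags in RULES:
        if (matches(pkt.src, src) and matches(pkt.sport, sport)
                and matches(pkt.dst, dst) and matches(pkt.dport, dport)
                and (flags == "*" or (flags == "ACK" and pkt.ack))):
            return action
    return "block"  # default deny


# Outbound mail: our host's SYN passes rule 1, the SYN/ACK reply passes rule 2.
syn_out = Packet("alpha.ours", 40001, "mail.theirs", 25, ack=False)
syn_ack_in = Packet("mail.theirs", 25, "alpha.ours", 40001, ack=True)
# An outside host opening a connection to our SMTP port: no ACK bit, blocked.
syn_in_25 = Packet("outside.theirs", 45000, "gw.ours", 25, ack=False)
# The same attempt against a port above 1023 slips through rule 3.
syn_in_high = Packet("outside.theirs", 45000, "alpha.ours", 6000, ack=False)
```

Running `decide` over the four constructed packets reproduces the slide's claims: the outbound connection and its reply are allowed, the inbound SYN to port 25 is blocked, and the inbound SYN to port 6000 is allowed by the last rule.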
Where to put the filters
[Diagram: candidate filter locations in the enclave, between Subnet 1, Subnet 2 and "the rest of cyberspace"]
Where to put the filters
• The location of the filters is critical for
  - catching problems as close to the source as possible
  - identifying the link on which a packet has arrived
Comments
• The lack of authentication of packet sources and of routes taken by packets, as well as opportunities to modify packets in transit, make the packet filtering problem much harder
Application Level Gateways
• This type of gateway acts as an intermediary between outside hosts and inside hosts (their hosts and our hosts) by accepting packets associated with a specific application (e.g., Email) and scrutinizing the contents of those packets (or sets of related packets) at the application level.
• An application level gateway can also provide useful functions, such as mail forwarding and reformatting
Circuit Level Gateways
• A circuit level gateway acts as an intermediary between two hosts that wish to establish a TCP connection between them. The TCP connection is established host-to-gateway-to-host. Since the gateway is in the middle of the TCP connection (not just looking at isolated packets) it can monitor and control some aspects of the connection (e.g., the number of bytes that are transferred, and how fast bytes can move through the connection)