EMTM 553: E-commerce Systems
Lecture 7b: Firewalls
Insup Lee
Department of Computer and Information Science, University of Pennsylvania
lee@cis.upenn.edu
www.cis.upenn.edu/~lee
Why do we need firewalls?
(Figure: before / after; your results may vary)
What is a firewall?
• Two goals:
  • To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
  • To erect a barrier between an untrusted piece of software (your organization’s public Web server) and the sensitive information that resides on your private network.
• Basic idea:
  • Impose a specifically configured gateway machine between the outside world and the site’s inner network.
  • All traffic must first go to the gateway, where software decides whether to allow or reject it.
What is a firewall
• A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.
• The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system
Firewalls DON’T
• Protect against attacks that bypass the firewall
  • Dial-out from an internal host to an ISP
• Protect against internal threats
  • Disgruntled employee
  • Insider cooperates with an external attacker
• Protect against the transfer of virus-infected programs or files
Types of Firewalls
• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls
Packet Filtering Routers
• Forward or discard each IP packet according to a set of rules
• Filtering rules are based on fields in the IP and transport headers
What information is used for the filtering decision?
• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type (IP header)
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit (TCP header)
Web Access Through a Packet Filter Firewall [Stein]
Packet Filtering Routers: pros and cons
• Advantages:
  • Simple
  • Low cost
  • Transparent to the user
• Disadvantages:
  • Hard to configure filtering rules
  • Hard to test filtering rules
  • Don’t hide the network topology (due to transparency)
  • May not be able to provide enough control over traffic
  • Throughput of a router decreases as the number of filters increases
A Telnet Proxy
A sample telnet session
Application Level Gateways (Proxy Server)
• Advantages:
  • Complete control over each service (FTP/HTTP…)
  • Complete control over which services are permitted
  • Strong user authentication (smart cards etc.)
  • Easy to log and audit at the application level
  • Filtering rules are easy to configure and test
• Disadvantages:
  • A separate proxy must be installed for each application-level service
  • Not transparent to users
Circuit Level Gateways
Circuit Level Gateways (2)
• Often used for outgoing connections where the system administrator trusts the internal users
• The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections
Hybrid Firewalls
• In practice, many of today's commercial firewalls use a combination of these techniques.
• Examples:
  • A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
  • Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.
Firewall Configurations
• Bastion host
  • A system identified by the firewall administrator as a critical strong point in the network’s security
  • Typically serves as a platform for an application-level or circuit-level gateway
  • Extra-secure O/S, tougher to break into
• Dual-homed gateway
  • Two network interface cards: one to the outer network and the other to the inner
  • A proxy selectively forwards packets
• Screened-host firewall system
  • Uses a network router to forward all traffic from the outer and inner networks to the gateway machine
• Screened-subnet firewall system
Dual-homed gateway
Screened-host gateway
Screened Host Firewall
Screened Subnet Firewall
Screened subnet gateway
Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling
Commercial Firewall Systems
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)
Firewall’s security policy
• Embodied in the filters that allow or deny passage to network traffic
• Filters are implemented as proxy programs.
• Application-level proxies
  • One for each particular communication protocol
  • E.g., HTTP, FTP, SM
  • Can also filter based on IP addresses
• Circuit-level proxies
  • Lower-level, general-purpose programs that treat packets as black boxes to be forwarded or not
  • Only look at header information
  • Advantages: speed and generality
  • One proxy can handle many protocols
Configure a Firewall (1)
• Outgoing Web Access
  • Outgoing connections through a packet filter firewall
  • Outgoing connections through an application-level proxy
  • Outgoing connections through a circuit proxy
Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]
Configure a Firewall (2)
• Incoming Web Access
  • The “Judas” server
  • The “Sacrificial Lamb”
  • The “Private Affair” server
  • The doubly fortified server
The “Judas” Server (not recommended) [Stein]
The “sacrificial lamb” [Stein]
The “private affair” server [Stein]
Internal Firewall: an internal firewall protects the Web server from insider threats. [Stein]
Placing the sacrificial lamb in the demilitarized zone. [Stein]
Poking holes in the firewall
• If you need to support a public Web server but have no place to put it other than inside the firewall.
• Problem: if the server is compromised, then you are cooked.
Simplified Screened-Host Firewall Filter Rules [Stein]
Filter Rule Exceptions for Incoming Web Services [Stein]
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]
Filter Rules for a Screened Public Web Server [Stein]
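The following is an added example, not from the lecture or from Stein: a first-match packet filter that decides on exactly the header fields listed earlier (source/destination address, protocol, ports, ACK bit) and applies a rule set of my own construction for a Web server on a screened subnetwork, so that the outside world reaches only port 80 on the server, the server can answer but never open connections inward, and internal hosts get outgoing Web access whose replies are admitted only when the ACK bit is set. The addresses 10.0.0.0/8, 192.0.2.10 and 203.0.113.5 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not from the slides): the private network behind
# the firewall and the public Web server on its own screened subnetwork.
INTERNAL = ip_network("10.0.0.0/8")
DMZ_WEB = ip_network("192.0.2.10/32")

@dataclass(frozen=True)
class Packet:                # the header fields a packet filter inspects
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    ack: bool = False        # TCP ACK bit; clear on the SYN that opens a connection

def _in(addr: str, scope) -> bool:
    return scope == "any" or ip_address(addr) in scope

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: object              # ip_network or "any"
    dst: object
    proto: str               # protocol or "any"
    dport: object            # port number or "any"
    ack: object = "any"      # True = ACK bit must be set, i.e. reply traffic only

    def matches(self, p: Packet) -> bool:
        return (_in(p.src, self.src) and _in(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in ("any", p.dport)
                and self.ack in ("any", p.ack))

# First-match rule set for a screened public Web server (my construction).
RULES = [
    Rule("allow", "any", DMZ_WEB, "tcp", 80),               # world -> Web server, port 80 only
    Rule("allow", DMZ_WEB, "any", "tcp", "any", ack=True),  # Web server may answer, never initiate
    Rule("allow", INTERNAL, "any", "tcp", 80),              # outgoing Web access from inside
    Rule("allow", "any", INTERNAL, "tcp", "any", ack=True), # replies to inside need the ACK bit
    Rule("deny", "any", "any", "any", "any"),               # everything else: new inbound
]                                                           # connections, DMZ -> inside, UDP

def decide(p: Packet, rules=RULES):
    """Return (action, index of the rule that fired); the index goes to the audit log."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", len(rules)     # implicit default when no rule matches
```

Because a plain packet filter only sees the ACK bit and not connection state, it cannot tell a genuine reply from any other packet with ACK set; that limitation is one reason the slides call filtering rules hard to configure and test.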
Q&A