Security Firewall Firewall design principle. Firewall Characteristics. Types of Firewalls. Firewall Components & Configurations. Firewall Design Principles . • Information System undergo a steady evolution( from small LAN’s to Internet connectivity). • Strong security features for all workstations and servers not established. Firewalls • Effective means of protection a local system or network of systems from network_based security threats while affording access to the outside world via WAN’s or the Internet. Firewall Design Principles • The firewall is interested between the permission network and internet. • Aims : 1. Establish a controlled link. 2. Protect the premises network from internet_based attacks. 3. Provide a single choke point. Firewalls Characteristics • Design goals: 1. All traffic form the inside to outside must pass through the firewall (physically blocking all access to the local network except via firewall). 2. Only Authorized traffic ( defined by the local security policy) will be allowed to pass. Firewall Characteristics • Design goals: 3. The firewall itself is immune to penetration ( use of trusted systems with secure operating systems). Firewall Characteristics • Four General Technologies: 1. Service Control: determines the types of the internet services that can be accessed, in bounded or out bounded. 2. Direction Control: determines the direction in which particular services requests are allowed to flow. Firewall Characteristics 3. User Control: controls access to a service according to which user is attempting to access it. 4. Behavior Control: controls how particular service are used (e.g. filter e-mail) Types of Firewalls • 1. 2. 3. 4. Three common types of firewalls: Packet-filtering-router. Application-level-Gateways. Circuit-level-Gateways. (Bastion Host). Packet-Filtering-Router • Packet Filtering Router firewalls. Internet Private Network Packet Filtering Router Figure ( Packet Filtering Router Firewall). Packet-Filtering-Router • Applies a set of rules to each incoming IP packet and then forwards or discards the packet. • Filter packets going in both directions. • The packet filter is typically set up as a list of rule based on matches to fields in the IP or TCP header. • Two default polices( discards or forwards). Packet-Filtering-Router • 1. 2. 3. • 1. 2. Advantages: Simplicity. Transparency to users. High speed Disadvantages: Difficulty of setting up packet filter walls. Lack of Authentication. Application-Level-Gateway • Application Level Gateway Firewall. Inside Host TELNET Outside Host FTP SMTP Outside Connection HTTP Inside Connection Figure (Application Level Gateway). Application-Level-Gateway • Also called (Proxy Server). • Acts as relay of application level traffic. Application-Level-Gateway • Advantages: 1. Higher security than packet filter 2. Only need securitize a few allowable applications. 3. Easy to log and audit all incoming traffic. • Disadvantages: Additional processing overhead on each connection (Gateway as splice point). Circuit Level Gateway • Circuit Level Gateway. OUT Outside host & outside connection IN OUT IN OUT IN OUT IN Inside host & inside connection Circuit Level Gateway • Stand-alone system or specialized function performed by Application level gateway. • Sets up two TCP connections. • The gateway typically relays TCP segments from one connection to the other without examining the contents. Circuit Level Gateway • The security function consists of which connections to be allowed. • Typically use is a situation in which the system administrators trusts the internal users. • An example is the SOCKS package. Bastion Host • A system identified by the firewall administrator as critical strong point in the networks security. • The Bastion host serves as a platform for an application-level or circuit-level gateway. Bastion Host • In addition to the use of simple configuration of single system ( single packet filtering router or single gateway), more complex configurations are possible. • Three common configurations Screened host firewall system • Also called single homed bastion host Internet Information Server Bastion Host Private Network Screened host firewall (1) • Configuration: - Consists of two systems which are: 1. Packet filtering router. -Only packets from and to the bastion host are allowed to pass through server. 2. Bastion Host. - Authentication and Proxy functions. Screened host firewall (2) • Greater security that the single configuration because of two reasons: 1. This configuration implements both packet level and application level filtering ( allowing for flexibility in defining security policy). 2. An intruder must generally penetrate two separate systems. Screened host firewall (3) • This configuration also affords flexibility in providing direct internet access ( public information server, e.g. web server). Dual Homed Bastion Host • Dual Homed Bastion Host. INTERNET Information Server Bastion Host Private Network Dual Homed Bastion Host • The packet filtering router is not completely compromised. • Traffic between the internet and other hosts on the private network has to flow through the Bastion host. Screened Subnet Firewall System • See Figure. Information Server Modem Private Network INTERNET Bastion Host Screened Subnet Firewall System • Most secured configuration of all the three known techniques in the bastion host. • Two packet filtering routers are used. • Creation of an isolated sub-network. Screened Subnet Firewall System • Advantages: - Three levels of defense to thwart intruders. - The outside router advertises only the existence of the screened sub-net to the internet ( Internal network is invisible to the internet). Screened Subnet Firewall System • Advantages: - The inside router advertises only the existence of the screened sub-net to the internal network ( the systems on the inside cannot construct direct routes to the internet.