EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania lee@cis.upenn.edu www.cis.upenn.edu/~lee 5/4/01 EMTM 553 1 Why do we need firewalls 5/4/01 EMTM 553 ? 2 5/4/01 EMTM 553 3 5/4/01 EMTM 553 4 BEFORE 5/4/01 AFTER EMTM 553 (your results may vary) 5 What is a firewall? • Two goals: – To provide the people in your organization with access to the WWW without allowing the entire world to peak in; – To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network. • Basic idea: – Impose a specifically configured gateway machine between the outside world and the site’s inner network. – All traffic must first go to the gateway, where software decide whether to allow or reject. 5/4/01 EMTM 553 6 What is a firewall • A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. • The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. 5/4/01 EMTM 553 7 Firewalls DO • • • • • Implement security policies at a single point Monitor security-related events (audit, log) Provide strong authentication Allow virtual private networks Have a specially hardened/secured operating system 5/4/01 EMTM 553 8 Firewalls DON’T • Protect against attacks that bypass the firewall – Dial-out from internal host to an ISP • Protect against internal threats – disgruntled employee – Insider cooperates with and external attacker • Protect against the transfer of virus-infected programs or files 5/4/01 EMTM 553 9 Types of Firewalls • • • • Packet-Filtering Router Application-Level Gateway Circuit-Level Gateway Hybrid Firewalls 5/4/01 EMTM 553 10 Packet Filtering Routers 5/4/01 • Forward or discard IP packet according a set of rules • Filtering rules are based on fields in the IP and transport header EMTM 553 11 What information is used for filtering decision? • • • • • • Source IP address (IP header) Destination IP address (IP header) Protocol Type Source port (TCP or UDP header) Destination port (TCP or UDP header) ACK. bit 5/4/01 EMTM 553 12 Web Access Through a Packet Filter Firewall [Stein] 5/4/01 EMTM 553 13 Packet Filtering Routers pros and cons • Advantages: – – – • Simple Low cost Transparent to user Disadvantages: – – – – – 5/4/01 Hard to configure filtering rules Hard to test filtering rules Don’t hide network topology(due to transparency) May not be able to provide enough control over traffic Throughput of a router decreases as the number of filters increases EMTM 553 14 Application Level Gateways (Proxy Server) 5/4/01 EMTM 553 15 A Telnet Proxy 5/4/01 EMTM 553 16 A sample telnet session 5/4/01 EMTM 553 17 Application Level Gateways (Proxy Server) • Advantages: – – – – – complete control over each service (FTP/HTTP…) complete control over which services are permitted Strong user authentication (Smart Cards etc.) Easy to log and audit at the application level Filtering rules are easy to configure and test • Disadvantages: – A separate proxy must be installed for each applicationlevel service – Not transparent to users 5/4/01 EMTM 553 18 Circuit Level Gateways 5/4/01 EMTM 553 19 Circuit Level Gateways (2) • Often used for outgoing connections where the system administrator trusts the internal users • The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections 5/4/01 EMTM 553 20 Hybrid Firewalls • In practice, many of today's commercial firewalls use a combination of these techniques. • Examples: – A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level. – Application proxies in established areas such as FTP may augment an inspection-based filtering scheme. 5/4/01 EMTM 553 21 Firewall Configurations • Bastion host – a system identified by firewall administrator as a critical strong point in the network’s security – typically serves as a platform for an application-level or circuitlevel gateway – extra secure O/S, tougher to break into • Dual homed gateway – Two network interface cards: one to the outer network and the other to the inner – A proxy selectively forwards packets • Screened host firewall system – Uses a network router to forward all traffic from the outer and inner networks to the gateway machine • Screened-subnet firewall system 5/4/01 EMTM 553 22 Dual-homed gateway 5/4/01 EMTM 553 23 Screened-host gateway 5/4/01 EMTM 553 24 Screened Host Firewall 5/4/01 EMTM 553 25 Screened Subnet Firewall 5/4/01 EMTM 553 26 Screened subnet gateway 5/4/01 EMTM 553 27 Selecting a firewall system • • • • • • • Operating system Protocols handled Filter types Logging Administration Simplicity Tunneling 5/4/01 EMTM 553 28 Commercial Firewall Systems 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% ck e h C nt i Po co s i C t n xe A e N 5/4/01 k or tw A es t ia c o ss EMTM 553 e b y C rd a u G r O rs e th 29 Widely used commercial firewalls • • • • • • • AltaVista BorderWare (Secure Computing Corporation) CyberGurad Firewall (CyberGuard Corporation) Eagle (Raptor Systems) Firewall-1 (Checkpoint Software Technologies) Gauntlet (Trusted Information Systems) ON Guard (ON Technology Corporation) 5/4/01 EMTM 553 30 Firewall’s security policy • Embodied in the filters that allow or deny passages to network traffic • Filters are implemented as proxy programs. – Application-level proxies o one for particular communication protocol o E.g., HTTP, FTP, SM o Can also filter based on IP addresses – Circuit-level proxies o Lower-level, general purpose programs that treat packets as black boxes to be forward or not o Only looks at header information o Advantages: speed and generality o One proxy can handle many protocols 5/4/01 EMTM 553 31 Configure a Firewall (1) • Outgoing Web Access – Outgoing connections through a packet filter firewall – Outgoing connections through an application-level proxy – Outgoing connections through a circuit proxy 5/4/01 EMTM 553 32 Firewall Proxy Configuring Netscape to use a firewall proxy involves entering the address and port numberEMTM for 553 each proxied service. [Stein]33 5/4/01 Configure a Firewall (2) • Incoming Web Access – – – – 5/4/01 The “Judas” server The “Sacrificial Lamb” The “Private Affair” server The doubly fortified server EMTM 553 34 The “Judas” Server (not recommended) [Stein] 5/4/01 EMTM 553 35 The “sacrificial lamb” [Stein] 5/4/01 EMTM 553 36 The “private affair” server [Stein] 5/4/01 EMTM 553 37 Internal Firewall An Internal Firewall protects the Web server from insider threats. 5/4/01 EMTM 553 38 [Stein] Placing the sacrificial lamb in the demilitarized zone. [Stein] 5/4/01 EMTM 553 39 Poking holes in the firewall • If you need to support a public Web server, but no place to put other than inside the firewall. • Problem: if the server is compromised, then you are cooked. 5/4/01 EMTM 553 40 Simplified Screened-Host Firewall Filter Rules [Stein] 5/4/01 EMTM 553 41 Filter Rule Exceptions for Incoming Web Services [Stein] 5/4/01 EMTM 553 42 Screened subnetwork Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein] 5/4/01 EMTM 553 43 Filter Rules for a Screened Public Web Server [Stein] 5/4/01 EMTM 553 44 Q&A 5/4/01 EMTM 553 45