Firewalls - the Department of Computer and Information Science

EMTM 553: E-commerce Systems
Lecture 7b: Firewalls
Insup Lee
Department of Computer and Information Science
University of Pennsylvania
lee@cis.upenn.edu
www.cis.upenn.edu/~lee
5/4/01
EMTM 553
1
Why do we need firewalls?
BEFORE
AFTER
(your results may vary)
What is a firewall?
• Two goals:
– To provide the people in your organization with access to
the WWW without allowing the entire world to peek in;
– To erect a barrier between an untrusted piece of
software, your organization’s public Web server, and the
sensitive information that resides on your private
network.
• Basic idea:
– Impose a specifically configured gateway machine
between the outside world and the site’s inner network.
– All traffic must first go to the gateway, where software
decides whether to allow or reject it.
What is a firewall?
• A firewall is a system of hardware and software
components designed to restrict access between
or among networks, most often between the
Internet and a private intranet.
• The firewall is part of an overall security policy
that creates a perimeter defense designed to
protect the information resources of the
organization.
Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating
system
Firewalls DON’T
• Protect against attacks that bypass the firewall
– Dial-out from an internal host to an ISP
• Protect against internal threats
– Disgruntled employee
– Insider cooperates with an external attacker
• Protect against the transfer of virus-infected
programs or files
Types of Firewalls
• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls
Packet Filtering Routers
• Forward or discard each IP packet according to a
set of rules
• Filtering rules are based on fields in the IP
and transport headers
What information is used for
filtering decisions?
• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit
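To make the list above concrete, here is an added example (not from the slides or from Stein) of a packet filter that decides on exactly those six fields. It also serves the later "Outgoing Web Access through a packet filter firewall" slide: the constructed rule set lets inner hosts reach outside Web servers and admits only the replies, using the ACK bit to tell a reply apart from a new inbound connection attempt. The inner network 10.0.0.0/24 and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: the slides' "inner network" is 10.0.0.0/24.
INNER_NET = ipaddress.ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                   # protocol type: "tcp", "udp" or "icmp"
    src_port: Optional[int]      # None for protocols without ports
    dst_port: Optional[int]
    ack: bool = False            # TCP ACK bit; always False for non-TCP

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # "inner", "outer" or "any"
    dst: str                     # "inner", "outer" or "any"
    proto: str = "any"
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None
    ack: Optional[bool] = None       # None means don't care

def side(ip: str) -> str:
    """Classify an address as belonging to the inner or the outer network."""
    return "inner" if ipaddress.ip_address(ip) in INNER_NET else "outer"

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", side(pkt.src_ip))
            and rule.dst in ("any", side(pkt.dst_ip))
            and rule.proto in ("any", pkt.proto)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port)
            and rule.ack in (None, pkt.ack))

def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule decides; unmatched packets are discarded (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed rule set for outgoing Web access: inner hosts may open TCP
# connections to port 80 outside; only replies (source port 80, ACK set)
# may come back in. A new connection attempt from port 80 has no ACK, so
# it falls through to the default deny.
OUTGOING_WEB_RULES = [
    Rule("allow", "inner", "outer", "tcp", dst_port=80),
    Rule("allow", "outer", "inner", "tcp", src_port=80, ack=True),
]
```

The ACK rule only distinguishes replies from new connection attempts; it keeps no record of which connections the inner hosts actually opened, which is one reason the later slides call such rule sets hard to configure and test.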
Web Access Through a Packet Filter Firewall
[Stein]
Packet Filtering Routers
pros and cons
• Advantages:
– Simple
– Low cost
– Transparent to user
• Disadvantages:
– Hard to configure filtering rules
– Hard to test filtering rules
– Don’t hide network topology (due to transparency)
– May not be able to provide enough control over traffic
– Throughput of a router decreases as the number of filters increases
Application Level Gateways
(Proxy Server)
A Telnet Proxy
A sample telnet session
Application Level Gateways
(Proxy Server)
• Advantages:
– Complete control over each service (FTP/HTTP…)
– Complete control over which services are permitted
– Strong user authentication (smart cards etc.)
– Easy to log and audit at the application level
– Filtering rules are easy to configure and test
• Disadvantages:
– A separate proxy must be installed for each application-level service
– Not transparent to users
Circuit Level Gateways
Circuit Level Gateways (2)
• Often used for outgoing connections where the system
administrator trusts the internal users
• The chief advantage is that a firewall can be configured as a
hybrid gateway supporting application-level/proxy services
for inbound connections and circuit-level functions for
outbound connections
Hybrid Firewalls
• In practice, many of today's commercial firewalls
use a combination of these techniques.
• Examples:
– A product that originated as a packet-filtering firewall
may since have been enhanced with smart filtering at the
application level.
– Application proxies in established areas such as FTP may
augment an inspection-based filtering scheme.
Firewall Configurations
• Bastion host
– a system identified by the firewall administrator as a critical
strong point in the network’s security
– typically serves as a platform for an application-level or circuit-level gateway
– extra secure O/S, tougher to break into
• Dual-homed gateway
– Two network interface cards: one to the outer network and the
other to the inner
– A proxy selectively forwards packets
• Screened host firewall system
– Uses a network router to forward all traffic from the outer
and inner networks to the gateway machine
• Screened-subnet firewall system
Dual-homed gateway
Screened-host gateway
Screened Host Firewall
Screened Subnet Firewall
Screened subnet gateway
Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling
Commercial Firewall Systems
(Bar chart of market share, 0% to 45%, by vendor: Check Point, Cisco, Axent, Network Associates, CyberGuard, Others)
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)
Firewall’s security policy
• Embodied in the filters that allow or deny passage to
network traffic
• Filters are implemented as proxy programs.
– Application-level proxies
o One per communication protocol
o E.g., HTTP, FTP, SM
o Can also filter based on IP addresses
– Circuit-level proxies
o Lower-level, general-purpose programs that treat packets
as black boxes to be forwarded or not
o Only look at header information
o Advantages: speed and generality
o One proxy can handle many protocols
Configure a Firewall (1)
• Outgoing Web Access
– Outgoing connections through a packet filter firewall
– Outgoing connections through an application-level proxy
– Outgoing connections through a circuit proxy
Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering
the address and port number for each proxied service. [Stein]
Configure a Firewall (2)
• Incoming Web Access
– The “Judas” server
– The “Sacrificial Lamb”
– The “Private Affair” server
– The doubly fortified server
The “Judas” Server (not recommended)
[Stein]
The “sacrificial lamb”
[Stein]
The “private affair” server
[Stein]
Internal Firewall
An Internal Firewall protects the Web server from insider threats.
[Stein]
Placing the sacrificial lamb in
the demilitarized zone.
[Stein]
Poking holes in the firewall
• If you need to support a public Web server, but have no
place to put it other than inside the firewall.
• Problem: if the server is compromised, then you
are cooked.
Simplified Screened-Host Firewall Filter Rules
[Stein]
Filter Rule Exceptions for Incoming Web Services
[Stein]
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates
it from your organization while granting the outside world limited
access to it. [Stein]
Filter Rules for a Screened Public Web Server
[Stein]
Q&A