Internet Firewalls: What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw
R355

Outline
• Firewall Design Principles
• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations

Firewalls
• Protecting a local network from security threats while still affording access to the Internet

Firewall Design Principles
• The firewall is inserted between the private network and the Internet
• Aims:
  – Establish a controlled link
  – Protect the local network from Internet-based attacks
  – Provide a single choke point

Firewall Characteristics
• Design goals for a firewall:
  – All traffic (in or out) must pass through the firewall
  – Only authorized traffic, as defined by the local security policy, is allowed to pass
  – The firewall itself is immune to penetration (it runs a hardened, trusted system)

Firewall Characteristics
• Four general techniques for controlling access:
  – Service control: the types of Internet services that may be accessed, inbound or outbound (e.g. by IP address and TCP port number)
  – Direction control: inbound or outbound
  – User control: which user is attempting to access the service (typically applied to internal users)
  – Behavior control: how a particular service is used, e.g. filtering email to eliminate spam

Components of Firewalls
• Three common components of firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
• A bastion host is the hardened system on which an application-level and/or circuit-level gateway runs (see below); it is not a fourth filtering technique

Components of Firewalls (I): Packet-filtering Router

Packet-filtering Router
• Applies a set of rules to each incoming IP packet and then forwards or discards the packet
• Filters packets going in both directions
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header (source and destination address, protocol, source and destination port, TCP flags); rules are tried in order and the first match decides
• Two default policies for packets that match no rule: discard (what is not expressly permitted is prohibited) or forward (what is not expressly prohibited is permitted)

TCP/IP header
[figure: IP and TCP header fields referenced by filter rules]

Packet-filtering Router
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet-filter rules correctly, and of verifying that a rule set does what was intended
  – Lack of authentication: decisions rest on header fields such as the source address, which are easy to spoof, and a stateless filter has no memory of earlier packets

Packet-filtering Router
• Open-source implementations under UNIX:
  – ipfw (the BSD IP firewall)
  – IPFilter
  – ipchains (Linux)
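To make the rule-list model above concrete, here is an added example (not code from the slides, and not any of the tools just listed) of a stateless packet filter: rules match only on header fields, are tried in order with first match winning, and a default policy decides the rest. The private network 10.0.0.0/8, the mail gateway 10.0.0.25, the rule set and the sample packets are all constructed for illustration.

```python
"""Minimal stateless packet filter in the style of a packet-filtering router.

Added example, not code from the original slides. Rules match on header
fields only (direction, protocol, addresses, ports, TCP ACK flag); rules are
evaluated in order, first match wins, and a default policy applies when
nothing matches. Addresses, networks and the rule set are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag: set on every segment except the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                     # "forward" or "discard"
    direction: Optional[str] = None  # None means "any" for every field below
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR network
    dst: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


def filter_packet(rules, p: Packet, default: str = "discard") -> str:
    """Return the action for p: the first matching rule, else the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


INTERNAL = "10.0.0.0/8"     # assumed private network
MAIL_GW = "10.0.0.25/32"    # assumed internal mail gateway

# Constructed rule set: inbound SMTP only to the mail gateway; internal hosts
# may open any outbound TCP connection; other inbound TCP is accepted only if
# it looks like a reply (ACK set) to a connection opened from inside.
RULES = [
    Rule("forward", direction="in", proto="tcp", dst=MAIL_GW, dport=25),
    Rule("forward", direction="out", proto="tcp", src=INTERNAL),
    Rule("forward", direction="in", proto="tcp", dst=INTERNAL, ack=True),
]


def demo():
    """Run constructed sample packets through RULES with the default-discard policy."""
    pkts = {
        "smtp_to_gw": Packet("in", "tcp", "203.0.113.7", "10.0.0.25", 40000, 25),
        "smtp_to_host": Packet("in", "tcp", "203.0.113.7", "10.0.0.99", 40000, 25),
        "out_http": Packet("out", "tcp", "10.0.0.99", "198.51.100.1", 50000, 80),
        "http_reply": Packet("in", "tcp", "198.51.100.1", "10.0.0.99", 80, 50000, ack=True),
        "in_syn_ssh": Packet("in", "tcp", "198.51.100.1", "10.0.0.99", 4444, 22),
        # Lack of authentication: a stateless filter cannot tell this forged
        # segment from a genuine reply, so the ACK rule forwards it.
        "spoofed_ack": Packet("in", "tcp", "198.51.100.1", "10.0.0.99", 4444, 22, ack=True),
        "in_udp_dns": Packet("in", "udp", "198.51.100.1", "10.0.0.99", 53, 53),
    }
    return {name: filter_packet(RULES, p) for name, p in pkts.items()}
```

The same rule set behaves very differently under the other default policy: `filter_packet(RULES, pkt, default="forward")` lets the unmatched UDP packet through, which is why the choice of default is the first decision when writing a filter. The `spoofed_ack` case is the "lack of authentication" disadvantage in miniature: the filter sees only header bits it cannot verify.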
Components of Firewalls (II): Application-level Gateway

Application-level Gateway
• Also called a proxy server
• Acts as a relay of application-level traffic: the user contacts the gateway, which opens its own connection to the remote host and relays the application data between the two connections, so there is no direct connection between inside and outside

Application-level Gateway
• Advantages:
  – Higher security than packet filters
  – Only needs to scrutinize a few allowable applications, rather than every possible combination of header fields
  – Easy to log and audit all incoming traffic at the application level
• Disadvantages:
  – Additional processing overhead on each connection: the gateway is a splice point that terminates the client's connection and opens a second one to the server

Application-level Gateway
• Open-source implementations under UNIX:
  – squid (WWW)
  – delegate (general purpose)
  – osrtspproxy (RTSP)
  – smtpproxy (SMTP)
  – …

Components of Firewalls (III): Circuit-level Gateway

Circuit-level Gateway
• Similar to an application-level gateway: it sets up two TCP connections, one to the inside user and one to the outside host, instead of permitting an end-to-end connection
• However:
  – It typically relays TCP segments from one connection to the other without examining their contents
  – It determines only which connections will be allowed, based on who is connecting and where to
  – Typical usage is a situation in which the system administrator trusts the internal users, so their outbound connections can be relayed without inspection of the data

In other words (Korean customs analogy)
• A circuit-level gateway only checks your nationality
• An application-level gateway checks your baggage content in addition to your nationality

Circuit-level Gateway
• Open-source implementations under UNIX:
  – SOCKS
  – dante

Components of Firewalls (II) and (III): Bastion Host
• A bastion host is a hardened system, identified by the firewall administrator as a critical strong point in the network's security, that serves as
  – an application-level gateway,
  – a circuit-level gateway, or
  – both

Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations

Configurations (I): Screened host firewall system (single-homed bastion host)
• Consists of two systems:
  – A packet-filtering router and a bastion host
• The router is configured so that only packets from and to the bastion host are allowed to pass
• The bastion host performs authentication and proxy functions

More secure
• More secure than either single component because it offers both packet-level and application-level filtering
• This configuration also affords flexibility in providing direct Internet access to a public information server (e.g. a Web server), which the router can be configured to reach directly rather than through the bastion host
• Caveat: the bastion host and the internal hosts share one subnet, so if the router is compromised, traffic can flow directly between the Internet and internal hosts without passing the bastion host

Configurations (II): Screened host firewall system (dual-homed bastion host)
• Consists of two systems, just as configuration (I) does
• However, the bastion host has two network interfaces and physically separates the network into two subnets: the only path from the router to the internal network is through the bastion host

Even more secure
• An intruder must generally penetrate two separate systems (the router and then the bastion host) before reaching the private network

Configurations (III): Screened-subnet firewall system
• Three-level defense; the most secure of the three configurations
• Two packet-filtering routers are used: one between the Internet and the screened subnet, one between the screened subnet and the private network
• Creates an isolated sub-network on which the bastion host (and any public server, e.g. a Web server) is placed
  – The private network is invisible to the Internet: only the screened subnet is advertised
  – Computers inside the private network cannot construct direct routes to the Internet; they can reach only the bastion host

Demo

Conclusion

Capabilities of a firewall
• Defines a single choke point at which security features are applied
  – Security management is simplified
• Provides a location for monitoring security-related events: audits and alarms
• A convenient platform for several non-security-related Internet functions
  – e.g. NAT, network management
• Can serve as the platform for IPSec
  – Implement a VPN with tunnel-mode capability

What firewalls cannot protect against
• Attacks that bypass the firewall
  – e.g. dial-in or dial-out capabilities that internal systems provide
• Internal threats
  – e.g. a disgruntled employee, or an employee who cooperates with external attackers
• The transfer of virus-infected programs or files
  – scanning every incoming file for every possible virus is impractical at the firewall

Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995.
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000.
• Gasser, M. Building a Secure Computer System. Reinhold, 1988.
• Pfleeger, C. Security in Computing. Prentice Hall, 1997.
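Returning to the circuit-level gateway (Components of Firewalls (III)) and the customs analogy: the following added example, which is not code from the slides and not from the SOCKS or dante projects, models the decision a SOCKS5 proxy makes on a CONNECT request (message format as in RFC 1928). It judges the circuit on endpoints alone and then relays the payload untouched; an application-level "baggage" check on the same payload is included only to show the contrast. The internal network 10.0.0.0/8, the blocked ports and the sample requests are assumptions constructed for the example.

```python
"""SOCKS5-style circuit-level gateway decision, with an application-level
check beside it for contrast.

Added example, not code from the slides or from the SOCKS/dante projects.
It parses a SOCKS5 CONNECT request (RFC 1928 layout), decides from the
endpoints alone whether the circuit may be set up, builds the SOCKS reply
and hands the payload on unread. Network, policy and samples are made up.
"""
import struct
from ipaddress import ip_address, ip_network

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed private network behind the gateway
BLOCKED_PORTS = {23, 25}                  # assumed policy: no telnet/SMTP circuits via the proxy


def parse_connect(req: bytes):
    """Return (cmd, dst_host, dst_port) from a SOCKS5 request; raise ValueError if malformed."""
    if len(req) < 4 or req[0] != SOCKS_VER or req[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ip_address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ip_address(req[4:20])), req[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", rest)
    return cmd, host, port


def circuit_decision(client_ip: str, req: bytes) -> int:
    """Circuit-level check: only who is connecting and where to (the 'nationality')."""
    cmd, _host, port = parse_connect(req)
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED
    if ip_address(client_ip) not in INTERNAL_NET:  # only trusted internal users open circuits
        return REP_RULESET
    if port in BLOCKED_PORTS:
        return REP_RULESET
    return REP_OK


def build_reply(rep: int, bnd_ip: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """SOCKS5 reply: VER REP RSV ATYP BND.ADDR BND.PORT."""
    return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
            + ip_address(bnd_ip).packed + struct.pack("!H", bnd_port))


def application_check(payload: bytes) -> bool:
    """Application-level check (the 'baggage'): payload must be a well-formed HTTP request line."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    return (len(parts) == 3 and parts[0] in {b"GET", b"HEAD", b"POST"}
            and parts[2].startswith(b"HTTP/1."))


def gateway(client_ip: str, req: bytes, first_payload: bytes, mode: str = "circuit"):
    """Return (reply_bytes, payload_to_relay). In circuit mode the payload is never inspected."""
    rep = circuit_decision(client_ip, req)
    if rep == REP_OK and mode == "application" and not application_check(first_payload):
        rep = REP_RULESET
    if rep != REP_OK:
        return build_reply(rep), None
    return build_reply(REP_OK), first_payload   # relayed unchanged, segment for segment


def socks_connect(host: str, port: int) -> bytes:
    """Build a CONNECT request for constructing the samples below (IPv4, IPv6 or domain name)."""
    try:
        a = ip_address(host)
        addr = bytes([ATYP_IPV4 if a.version == 4 else ATYP_IPV6]) + a.packed
    except ValueError:
        addr = bytes([ATYP_DOMAIN, len(host)]) + host.encode("ascii")
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def demo():
    """REP code of the reply for constructed cases: (client, request, first payload, mode)."""
    http = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    tunnel = b"SSH-2.0-OpenSSH_9.0\r\n"   # not HTTP at all, but aimed at port 80
    cases = {
        "inside_http": ("10.0.0.42", socks_connect("example.com", 80), http, "circuit"),
        "inside_tunnel_circuit": ("10.0.0.42", socks_connect("198.51.100.1", 80), tunnel, "circuit"),
        "inside_tunnel_application": ("10.0.0.42", socks_connect("198.51.100.1", 80), tunnel, "application"),
        "inside_smtp": ("10.0.0.42", socks_connect("198.51.100.1", 25), b"", "circuit"),
        "outside_http": ("203.0.113.7", socks_connect("10.0.0.5", 80), http, "circuit"),
    }
    return {name: gateway(*args)[0][1] for name, args in cases.items()}
```

The `inside_tunnel_*` pair is the whole point of the analogy: SSH tunnelled through a circuit to port 80 passes the circuit-level check (right passenger, permitted destination) and is relayed blind, while the application-level check refuses it because the baggage is not HTTP. That is the security bought by the extra per-connection overhead of an application-level gateway.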