Part I: Introduction

Download Report

Transcript Part I: Introduction

Lecture 25: Firewalls
 Introduce several types of firewalls
 Discuss their advantages and
disadvantages
 Compare their performances
 Demonstrate their applications
C. Ding -- COMP581 -- L25
1
What is a Firewall?
 A firewall is a system of hardware and
software components designed to restrict
access between or among networks, most
often between the Internet and a private
Internet.
 The firewall is part of an overall security
policy that creates a perimeter defense
designed to protect the information
resources of the organization.
C. Ding -- COMP581 -- L25
2
In other words…
“A data sentry at the
gateway to your network,
combining the power of
multiple firewall
technologies to deliver
powerful perimeter
security”
C. Ding -- COMP581 -- L25
3
What a Firewall does
 Implement security policies at a single
point
 Monitor security-related events (audit, log)
 Provide strong authentication
 Allow virtual private networks
C. Ding -- COMP581 -- L25
4
What a Firewall does not do
 Protect against attacks that bypass the
firewall

Dial-out from internal host to an ISP
 Protect against internal threats
 disgruntled
employee
 Insider cooperates with an external attacker
 Protect against the transfer of virus-
infected programs or files
C. Ding -- COMP581 -- L25
5
Firewall - Typical layout
A firewall denies or permits access
based on policies and rules
Protected Private Network
Internet
C. Ding -- COMP581 -- L25
6
Watching for attack
Monitor
Log
Notify
Protected Private Network
Internet
Attack
C. Ding -- COMP581 -- L25
7
Firewall technologies
Common firewall technologies:
 They may be classified into four categories:




Packet Filtering Firewalls
Circuit Level Firewalls
Application Gateway Firewalls (or proxy servers)
Stateful Inspection Firewalls (dynamic packet filtering
firewalls)
These technologies operate at different levels of
detail, providing varying degrees of network
access protection.
These technologies are not mutually exclusive as
some firewall products may implement several of
these technologies simultaneously.
C. Ding -- COMP581 -- L25
8
The Internet protocol stack
Application
TCP, UDP . . .
IP
Transport
Network
TCP, UDP . . .
IP
PPP, Frame Relay . . .
Data Link
Drivers, MAC Address
Leased Line, ISDN, xDSL . . .
Physical
LAN Interface Card
WAN
LAN
C. Ding -- COMP581 -- L25
9
Packet Filtering Firewalls
C. Ding -- COMP581 -- L25
10
Packet Filtering firewalls
 The original firewall
 Works at the network level of the OSI
model
 Applies packet filters based on access
rules
Source address
 Destination address
 Application or protocol
 Source port number
 Destination port number

C. Ding -- COMP581 -- L25
11
Packet Filtering firewalls
C. Ding -- COMP581 -- L25
12
Packet Filtering firewalls
 Packet Filtering is usually an integrated function
of a router.
 Packet filtering relies on Network Layer and
Transport Layer information contained in the
headers of data packets to police traffic.
 This information includes source IP address and
port number, destination IP address and port
number, and protocol used (e.g., TCP, UDP, ICMP).
This information is used as the criteria in network
access rules. These rules are organized into
several “filter sets” and each set handles traffic
coming to the firewall over a specific interface.
C. Ding -- COMP581 -- L25
13
Packet Filtering Policy Example
My host
Other host
action
name
port
name
port
comments
block
*
*
microsoft.com
*
Block everything
from MS
allow
My-gateway
25
*
*
Allow incoming
mail
C. Ding -- COMP581 -- L25
14
Packet Filtering Policy Example
Rule
Direction
Source
Address
Destination Protocol
Address
# Source
# Destin.
Port
Port
Action
Slide 16
1
Out
*
10.56.199*
*
*
*
Drop
2
Out
10.56*
10.122*
TCP
*
23 (Telnet)
Pass
3
In
10.122*
10.56.199*
TCP
23 (Telnet)
*
Pass
4
In & Out
*
10.56.199*
TCP
*
25 (Mail)
Pass
5
In
*
*
TCP
*
513 (rlogin)
Drop
6
In
201.32.4.76
*
*
*
*
Drop
7
Out
*
*
TCP
*
20 (FTP)
Pass
8
In
*
10.56.199*
TCP
*
20 (FTP)
Drop
C. Ding -- COMP581 -- L25
15
Web Access Through a Packet
Filter Firewall
ACK: = positive acknowledgement message for the sender from the receiver.
Typically just one bit.
C. Ding -- COMP581 -- L25
16
Packet Filtering Firewalls
Firewall/Router
Internal
Network
Output
Filter
Input
Filter
Access Rules
Access Rules
Network
Network
Data Link
Router
Data Link
Internet
Physical
Physical
C. Ding -- COMP581 -- L25
17
Packet Filtering Firewalls:
pros and cons
 Advantages:

Simple, low cost, transparent to user
 Disadvantages:
 Hard to configure filtering rules
 Hard to test filtering rules
 Don’t hide network topology (due to
transparency)
 May not be able to provide enough control over
traffic
C. Ding -- COMP581 -- L25
18
Circuit Level Firewalls
(Circuit Level Gateways)
C. Ding -- COMP581 -- L25
19
Circuit Level Firewalls
 Circuit level gateways work at the session
layer of the OSI model, or the TCP layer
of TCP/IP
 Monitor TCP handshaking between packets
to determine whether a requested session
is legitimate.
C. Ding -- COMP581 -- L25
20
Circuit Level Firewalls
C. Ding -- COMP581 -- L25
21
Application Gateway Firewalls
(Proxy Firewalls)
C. Ding -- COMP581 -- L25
22
Application Gateway firewalls
 Similar to circuit-level gateways except that they




are application specific.
Every connection between two networks is made
via an application program called a proxy
Proxies are application or protocol specific
Only protocols that have specific proxies
configured are allowed through the firewall; all
other traffic is rejected.
Gateway that is configured to be a web proxy will
not allow any ftp, gopher, telnet or other traffic
through
C. Ding -- COMP581 -- L25
23
Application Gateway Firewalls
Firewall
Application Proxies
Internal
Network
Application
Application
Transport
Transport
Network
Network
Data Link
Data Link
Internet
Physical
Physical
Router
C. Ding -- COMP581 -- L25
24
Application Gateway Firewalls
C. Ding -- COMP581 -- L25
25
Application Gateway Strengths
 Very secure if used in conjunction with an
intelligent packet filtering firewall
 Well designed proxies provide excellent
security
C. Ding -- COMP581 -- L25
26
Application Gateway weaknesses
 Very CPU intensive
 Requires high performance host computer
 Host operating system liable to attack
 Many proxies are transparent to
application
 Not transparent to users
 Expensive
C. Ding -- COMP581 -- L25
27
Stateful Inspection Firewalls
C. Ding -- COMP581 -- L25
28
Stateful Inspection Firewalls
 Third generation firewall technology, often
referred to as dynamic packet filtering
 Understands data in packets from the
network layer (IP headers) up to the
Application Layer
 Tracks the state of communication
sessions
C. Ding -- COMP581 -- L25
29
Stateful Inspection Firewalls
Firewall/Router
Application - State Table
Transport - Access Rules
Network - Access Rules
Internal
Network
Inspection Module
Network
Data Link
Physical
Network
Router
Data Link
Internet
Physical
C. Ding -- COMP581 -- L25
30
Dynamic Filtering
Stateful Inspection firewalls
dynamically open and close
ports (application specific
connection points) based
on access policies.
Protected Private Network
Firewall checks policies to
validate sending computer
and allows traffic to pass to
Public network
Internet
User initiates web session
Return traffic for validated
web session is permitted and the
state of the flow is monitored
Other traffic
from public
network
is blocked
C. Ding -- COMP581 -- L25
31
Stateful Inspection Strengths
 Monitors the state of all data flows
 Dynamically adapts filters based on
defined policies and rules
 Easily adapted to new Internet applications
 Transparent to users
 Low CPU overheads
C. Ding -- COMP581 -- L25
32
Stateful Inspection
Weaknesses
 Need to provide new client program
 Might have problems with the availability
of source code for various platforms
C. Ding -- COMP581 -- L25
33
Stateful Inspection Firewalls
These are among the most
secure firewalls available today
“fooling them can be a lot of work”
Jon McCown, network security analyst for
the - U.S. National Computer Security
Agency (NCSA)
C. Ding -- COMP581 -- L25
34
General Performance
C. Ding -- COMP581 -- L25
35
Other Issues about Firewalls
C. Ding -- COMP581 -- L25
36
RADIUS Support
 Remote Authentication Dial-In User
Services
A single, central security database for all
system users
 Centralised management of access lists

C. Ding -- COMP581 -- L25
37
Remote access security
Dial-in user
authenticated
Head office
Telephony
Services
Firewall policy assigned
to dial-in user before
completing connection
to network
Remote Dial-in user
C. Ding -- COMP581 -- L25
38
Stateful Inspection Implementation
Firewall checks
policy rules to
validate sender
Return traffic for validated
web session is permitted
and the state of the flow is
monitored
Protected private network
Internet
User initiates
web session
Firewall opens
required port
and allows traffic
to pass to
public network
C. Ding -- COMP581 -- L25
39
Network Address Translation
Firewall substitutes
private address
to public address
and forwards
to the Internet
Protected private network
Internet
User communicates
with Internet
using a private
IP address
Firewall translates
return flow from
Public to
Private address
C. Ding -- COMP581 -- L25
40
Application Level Gateway Example
Application Level
Gateway completes
connection
FTP Server
Internet
If connection is valid
the state table is
updated
and connection to
FTP Server
established
Access rules
verified
FTP connection
initiated from
public network
C. Ding -- COMP581 -- L25
41
Session Logging
 The firewall can be configured to log an
extensive range of events Including:
All denied packets
 All allowed packets
 Selected allowed and denied packet types
 Etc.

C. Ding -- COMP581 -- L25
42
Notification SNMP/SMTP
Email sent to
specified
address
Protected private network
Firewall detects
attack
(Port Scan)
Internet
SNMP Trap
message
to management
platform
SNMP: simple network management protocol
C. Ding -- COMP581 -- L25
43
Notification and Reconfiguration
DMZ
Web Server
Protected private network
Firewall detects
attack
(SYN Flood)
Server
Internet
Email sent to
System
Manager
Firewall automatically
reconfigured to deny all
External access to WEB
Server
C. Ding -- COMP581 -- L25
44
Secure management
 Secure encrypted and authenticated
remote management
Secure Shell “SSH”
 RSA encryption keys 512 - 2048 bits
 DES and Triple DES encryption for SSH
sessions
 Can limit access to specific user addresses

C. Ding -- COMP581 -- L25
45
Network configuration examples
C. Ding -- COMP581 -- L25
46
Protected private network
 Allow all access from private network to the
Internet
 Deny all access from the Internet to the private
network
Protected private network
Internet
C. Ding -- COMP581 -- L25
47
Semi-Militarised Zone
Protected private network
All
Private network for
unauthorised
corporate servers
traffic is
and users
blocked
Internet
WEB
Server
SMZ
Mail
Server
Semi Militarised Zone
All other
SMZ
Firewall policy limits incoming
incoming access to traffic
WEB and mail server blocked
from public network
C. Ding -- COMP581 -- L25
48
Private LAN stays secure
Protected private network
Internet
WEB
Login:hacker
Server
Password:please
OK Then!
SMZ
Mail
Server
Semi-Militarised Zone
C. Ding -- COMP581 -- L25
49
Demilitarised Zone
Protected private network
Open access
between
private LAN
and DMZ
WEB
Server
Internet
Allow
SMTP,
From here
to there
only
DMZ
Mail
Server
Static filters
between private LAN
and DMZ used to
control access
Demilitarised Zone
C. Ding -- COMP581 -- L25
50
Concluding Remarks
 All that a firewall can do it’s to control network
activities between OSI levels 2 and 7.
 They cannot keep out data carried inside
applications, such as viruses within email messages:
there are just too many way of encoding data to
be able to filter out this kind of threat.
 Although Firewalls provide a high level of security
in today's Private Networks to the outside world
we still need the assistance of other related
Security components in order to guarantee proper
network security.
C. Ding -- COMP581 -- L25
51