Firewall - theodoros christophides site

1.1
The Firewall Concept
• Purpose of firewall:
– Control access to or from a protected network;
– Implements network access policy
• Connections pass through the firewall and are examined / evaluated.
• May be implemented in:
– router; PC; host; collection of hosts.
• Normally located at a high-level gateway
– e.g. site's Internet connection
• Firewall system AKA "Bastion Host"
1.2
The Firewall Concept (cont.)
[Diagram: the firewall's Policy sits between the Internet (hostile) and the Intranet (trusted)]
1.3
The need for Firewalls
• Traditionally rely on security of individual hosts
• As number of hosts increases:
– less manageable;
– more chance of administrative mistakes / lapses.
• Reduced likelihood of uniform security
• Firewall helps to increase overall security of the internal network
1.4
Firewall Advantages
• Protection for vulnerable services
• Controlled access to site systems
• Concentrated security
• Enhance privacy (hide internal network structure)
• Logging and statistics on network use
• Security policy enforcement
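As an added illustration of slides 1.1 and 1.4 (not part of the original deck): a minimal first-match packet filter that evaluates each connection against an access policy with default deny and keeps a log and per-rule statistics. The intranet range 192.0.2.0/24, the web server 192.0.2.10 and the rules are constructed examples.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# direction is "in" (Internet -> intranet) or "out" (intranet -> Internet)
Connection = namedtuple("Connection", "direction src dst proto dport")

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: str            # CIDR the source address must fall in
    dst: str            # CIDR the destination address must fall in
    proto: str          # "tcp" or "udp"
    dports: frozenset   # destination ports; empty means any port
    action: str         # "allow" or "deny"

    def matches(self, c) -> bool:
        return (c.direction == self.direction and c.proto == self.proto
                and ip_address(c.src) in ip_network(self.src)
                and ip_address(c.dst) in ip_network(self.dst)
                and (not self.dports or c.dport in self.dports))

# Constructed policy: 192.0.2.0/24 is the hypothetical trusted intranet and
# 192.0.2.10 its public web server. Rules are tried top to bottom, the first
# match wins, and anything unmatched falls through to default deny.
POLICY = [
    Rule("web-in", "in", "0.0.0.0/0", "192.0.2.10/32", "tcp", frozenset({80, 443}), "allow"),
    Rule("telnet-out", "out", "192.0.2.0/24", "0.0.0.0/0", "tcp", frozenset({23}), "deny"),
    Rule("client-out", "out", "192.0.2.0/24", "0.0.0.0/0", "tcp", frozenset(), "allow"),
]

class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.log = []           # one line per examined connection
        self.stats = Counter()  # (action, rule name) -> count, for usage statistics

    def evaluate(self, c) -> str:
        """Examine one connection against the policy; return 'allow' or 'deny'."""
        action, rule_name = "deny", "default-deny"
        for rule in self.policy:
            if rule.matches(c):
                action, rule_name = rule.action, rule.name
                break
        self.log.append(f"{action.upper()} {c.direction} {c.proto} "
                        f"{c.src}->{c.dst}:{c.dport} ({rule_name})")
        self.stats[(action, rule_name)] += 1
        return action
```

The default-deny fall-through is what makes the policy a whitelist: a service not explicitly permitted (SSH to the web server, UDP outbound) is rejected and logged.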
1.5
Firewall Disadvantages
• Restricted access to desirable services
– likely to block services that users want (e.g. TELNET, FTP etc.)
• Implementation may demand major restructuring
– topology may not lend itself to firewall
– cost of introducing firewall may exceed cost of vulnerabilities
– alternative solutions may be appropriate
1.6
Firewall Disadvantages (cont.)
• Potential for back doors
– e.g. unrestricted modem access
– administration should ensure no means to bypass firewall
• Little protection from insider attacks
– firewall designed to prevent outsiders from accessing sensitive data
– many attacks would not need to use the firewall
1.7
Firewall Disadvantages (cont.)
• Viruses
– May be downloaded in program files or incoming emails
• Throughput
– Firewalls represent a potential bottleneck as all connections must pass through them
• "All eggs in one basket"
– security concentrated in one spot
– compromise could be disastrous
1.8
Firewall Hardware
• Routers
– Many come equipped with basic packet-filtering capabilities; others come with fully-functioning firewalls
• Appliances (firewall products)
– Perform same basic tasks (packet filtering, application-level gateways, and logging)
1.9
Software-Only Packages
• Many free firewall tools on the Internet
– Some also run on a free operating system
• Personal/small business firewalls
– Located between the Ethernet adapter driver of the machine on which they are installed and the TCP/IP stack, where they inspect traffic between the driver and the stack
– Considered lightweight protection
• Enterprise firewall systems
– Full-featured, full-powered packages
1.10
Software-Only Packages (cont.)
• Advantages
– Convenient, simple, and inexpensive
• Drawbacks
– Personal/SME product logging capabilities not as robust as commercial products
– Usually no way to monitor firewall in real-time
– Most guard only against IP threats
– Some don't do outbound connection blocking
– Some are inconvenient to configure