Transcript Firewalls
Firewalls : usage
•
•
•
•
•
•
•
•
•
•
Data encryption
Access control : usage restriction on some protocols/ports/services
Authentication : only authorized users and hosts (machines)
Monitoring for further auditing
Packet filtering
Compliance with the specified protocols
Virus detection
Isolation of the internal network from the Internet
Connection proxies (masking of the internal network)
Application proxies (masking of the « real » software)
Firewalls : basics
• All packets exchanged between the internal and the external
domains go through the FW that acts as a gatekeeper
– external hosts « see » the FW only
– internal and external hosts do not communicate directly
– the FW can take very sophisticated decisions based on the protocol
implemented by the messages
– the FW is the single access point => authentication + monitoring site
– a set of “flow rules” allows decision taking
Firewalls : architecture (I)
servers
Interior router
Exterior router
Outside world
Firewall
DMZ
(DeMilitarized Zone)
Internal network
Firewalls : architecture (II) :
merging exterior and interior
FW
servers
DMZ
Outside world
Exterior/Interior
Firewall
Internal network
Firewalls : architecture (III) :
merging exterior FW and
servers
Outside world
External Firewall
+
servers
DMZ
Internal Firewall
Internal network
Bof…
Firewalls : architecture (IV) :
managing multiple subnetworks
servers
DMZ
Firewall
Outside world
Internal
subnetwork A
Exterior/Interior
Firewall
Firewall
Backbone
Internal
subnetwork B
Firewalls : architecture (V) :
managing multiple exterior FW
E.g. supplier
network
Exterior
Firewall A
Sub-DMZ A
Exterior
Firewall B
Interior Firewall
Internal network
Sub-DMZ B
Internet
servers
DMZ
Firewalls : architecture (VI) :
managing multiple DMZ
E.g. supplier
network
Servers A
DMZ A
Exterior/Interior
Firewall A
Servers B
DMZ B
Exterior/Interior
Firewall B
Internet
Internal
network
Firewalls : architecture (VII) :
internal FW
servers
DMZ
Outside world
Exterior/Interior
Firewall
Internal network
Sensitive
area
Firewall
Sensitive
area
Firewalls : some
recommendations
• Bastion hosts
–
–
–
–
–
–
–
better to put the bastions in a DMZ than in an internal network
disable non-required services
do not allow user accounts
fix all OS bugs
safeguard the logs
run a security audit
do secure backups
• Avoid to put in the same area entities which
have very different security requirements
Using proxies (I)
• Proxies can be used to « hide » the real servers
• Interior => Exterior traffic
– Give the internal user the illusion that she/he accesses to the exterior
server
– But intercept the traffic to/from the server, analyze the packets (check
the compliance with the protocol, search for keywords, etc.), log the
requests
• Exterior => Interior traffic
– Give the external user the illusion that she/he accesses to the interior
server
– But intercept the traffic to the server, analyze the packets (check the
compliance with the protocol, search for keywords, etc.), log the
requests
Using proxies (II)
• Advantage
– knowledge of the service/protocol => efficiency and « intelligent »
filtering
– Ex : session tracking, stateful connection
• Disadvantages
– one proxy per service !
– may require modifications of the client
– do not exist for all services
Static Network Address Translation (NAT) (I)
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
yyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy
Internal network
From Arkoon Inc. tutorial
Static Network Address Translation (NAT) (II)
• The FW maintains an address translation table
• The FW transforms address xxx.xxx.xxx.xxx into
yyy.yyy.yyy.yyy in the field « source address »
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
• The FW transforms
addressyyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy into
address xxx.xxx.xxx.xxx in the field « destination
address »
xxx.xxx.xxx.xxx
• This operation
is transparent for both the exterior
Internal network
and the interior hosts
yyy.yyy.yyy.yyy
Internal network
yyy.yyy.yyy.yyy
Applications
•
•
•
•
•
Non TCP/UDP based protocols
Pre-defined partnership addresses
Web server, mail….(traffic to Internet)
Application server (hidden behind a FW)
Host known/authenticated outside with a specific
address
• …
PAT : Port Address Translation (I)
Internal network
From Arkoon Inc. tutorial
PAT : Port Address Translation (II)
• Connections are open from an exterior host
• Translation table
• Use of lesser public addresses
• Flexible management of server ports
PAT : Port Address Translation (III)
FW, @IP 'P'
U→P:80
U → IP1:80
P:80 → U
IP1:80 → U
Web
Webserver
server
@IP1, port 80
U → P:81
U → IP2:80
P:8 → U
user, @IP'U'
IP2:80 → U
Web server
@IP2, port 80
Internal network
Translation Table @IP « P »
port 80 → @IP1 : port 80
port 81 → @IP2 : port 80
From Arkoon Inc. tutorial
Masking (I)
Internal network
From Arkoon Inc. tutorial
Masking (II)
• Connections are open by internal hosts
• Dynamic connection table (IP address + source port number)
• One single address is known outside (the FW address)
• Spare IP addresses
FW, @IP 'M'
Arkoon, @IP 'M'
M:10000->W
1:1025->W
W->1:1025
user
@IP1
W->M:10000
2:1025->W
W->2:1025
2:1026->W2
user
@IP2
Internal network
W2->2:1026
M:10001->W
W->M:10001
M:10000->W2
W2->M:10000
Translation table @IP « M »
1:1025(10000)->W
2:1025(10001)->W
2:1026(10000)->W2
Web server
@IP'W'
Web server
@IP 'W2'
From Arkoon Inc. tutorial