Transcript lecture 13
Security Firewall
Firewall design principle.
Firewall Characteristics.
Types of Firewalls.
Firewall Components & Configurations.
Firewall Design Principles
• Information systems undergo a steady
evolution (from small LANs to Internet
connectivity).
• Strong security features for all
workstations and servers are not established.
Firewalls
• An effective means of protecting a local
system or network of systems from
network-based security threats while
affording access to the outside world via
WANs or the Internet.
Firewall Design Principles
• The firewall is inserted between the
premises network and the Internet.
• Aims:
1. Establish a controlled link.
2. Protect the premises network from
Internet-based attacks.
3. Provide a single choke point.
Firewalls Characteristics
• Design goals:
1. All traffic from the inside to the outside must
pass through the firewall (physically
blocking all access to the local network
except via the firewall).
2. Only authorized traffic (defined by the
local security policy) will be allowed to
pass.
Firewall Characteristics
• Design goals:
3. The firewall itself is immune to penetration
(use of trusted systems with secure
operating systems).
Firewall Characteristics
• Four general techniques:
1. Service control: determines the types of
Internet services that can be
accessed, inbound or outbound.
2. Direction control: determines the
direction in which particular service
requests are allowed to flow.
Firewall Characteristics
3. User control: controls access to a service
according to which user is attempting to
access it.
4. Behavior control: controls how particular
services are used (e.g. filter e-mail).
Types of Firewalls
• Three common types of firewalls:
1. Packet-filtering router.
2. Application-level gateways.
3. Circuit-level gateways.
4. (Bastion host).
Packet-Filtering-Router
• Packet filtering router firewalls.
Figure (Packet Filtering Router Firewall): Internet, packet filtering router, private network.
Packet-Filtering-Router
• Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet.
• Filters packets going in both directions.
• The packet filter is typically set up as a list
of rules based on matches to fields in the IP
or TCP header.
• Two default policies (discard or forward).
Packet-Filtering-Router
• Advantages:
1. Simplicity.
2. Transparency to users.
3. High speed.
• Disadvantages:
1. Difficulty of setting up packet filter rules.
2. Lack of authentication.
Application-Level-Gateway
• Application level gateway firewall.
Figure (Application Level Gateway): inside host and inside connection, gateway relaying TELNET, FTP, SMTP and HTTP, outside connection and outside host.
Application-Level-Gateway
• Also called a proxy server.
• Acts as a relay of application-level traffic.
Application-Level-Gateway
• Advantages:
1. Higher security than a packet filter.
2. Only need to scrutinize a few allowable
applications.
3. Easy to log and audit all incoming traffic.
• Disadvantages:
Additional processing overhead on each
connection (the gateway acts as a splice point).
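The relay, scrutiny and audit roles of an application-level gateway, shown as an added example that is not part of the lecture: a proxy that understands one application protocol (HTTP is assumed here) and forwards a request only if the method and destination host are on an allow-list, recording every decision in an audit log. All request bytes, host names and the allow-lists are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Request line of an HTTP/1.x message, e.g. b"GET /index.html HTTP/1.1\r\n".
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
# Host header; the leading CRLF is the end of the preceding line.
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)\r\n", re.IGNORECASE)


@dataclass
class ApplicationGateway:
    """Application-level gateway (proxy) for HTTP.

    Unlike a packet filter it looks at the application message itself,
    so it can enforce which commands (methods) and which servers (hosts)
    inside users may reach, and it logs every connection it sees.
    """
    allowed_methods: Set[str]
    allowed_hosts: Set[str]
    audit_log: List[str] = field(default_factory=list)

    def inspect(self, request: bytes) -> Tuple[bool, str]:
        """Return (forward?, reason) for one client request."""
        m = REQUEST_LINE.match(request)
        if not m:
            return self._decide(False, "malformed request line")
        method, target = m.group(1).decode(), m.group(2).decode()
        if method not in self.allowed_methods:
            return self._decide(False, f"method {method} not permitted")
        hm = HOST_HEADER.search(request)
        host = hm.group(1).decode().strip() if hm else None
        if host is None or host not in self.allowed_hosts:
            return self._decide(False, f"host {host!r} not permitted")
        return self._decide(True, f"{method} {target} to {host}")

    def _decide(self, allowed: bool, reason: str) -> Tuple[bool, str]:
        # Every decision is logged, which is what makes the gateway auditable.
        self.audit_log.append(("FORWARD " if allowed else "DISCARD ") + reason)
        return allowed, reason


def demo_gateway() -> ApplicationGateway:
    """Run a few constructed requests through a gateway with a small allow-list."""
    gw = ApplicationGateway(allowed_methods={"GET", "HEAD"},
                            allowed_hosts={"www.example.com"})
    gw.inspect(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    gw.inspect(b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    gw.inspect(b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n")
    gw.inspect(b"not an http request")
    return gw


if __name__ == "__main__":
    for line in demo_gateway().audit_log:
        print(line)
```

Because the gateway parses each request, the allow-lists are short and specific (a few methods, a few hosts), which is the "only need to scrutinize a few allowable applications" point; the cost is that every connection is parsed and re-sent rather than forwarded as raw packets.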
Circuit Level Gateway
• Circuit level gateway.
Figure (Circuit Level Gateway): outside host and outside connection, gateway relaying IN/OUT circuits, inside host and inside connection.
Circuit Level Gateway
• A stand-alone system, or a specialized
function performed by an application-level
gateway.
• Sets up two TCP connections.
• The gateway typically relays TCP
segments from one connection to the
other without examining the contents.
Circuit Level Gateway
• The security function consists of determining
which connections are to be allowed.
• Typical use is a situation in which the
system administrator trusts the internal
users.
• An example is the SOCKS package.
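The two-connection relay described above, as an added example that is not part of the lecture and not the SOCKS implementation: the gateway accepts the inside connection, checks the requested outside (host, port) against an allow-list (its only security function), opens the second TCP connection, and then copies bytes in both directions without looking at them. The demo runs a constructed echo server on the loopback interface so it works offline; the addresses in the allow-lists are constructed TEST-NET values.

```python
import select
import socket
import threading
from typing import Iterable, Tuple

Endpoint = Tuple[str, int]


class CircuitLevelGateway:
    """Relays TCP between an inside client and an outside server.

    The payload is never inspected; the only decision is whether the
    requested outside endpoint is on the allow-list.
    """

    def __init__(self, allowed: Iterable[Endpoint]):
        self.allowed = set(allowed)

    def connection_allowed(self, host: str, port: int) -> bool:
        return (host, port) in self.allowed

    def relay(self, inside_sock: socket.socket, host: str, port: int) -> bool:
        """Second TCP connection plus blind byte copying until either side closes."""
        if not self.connection_allowed(host, port):
            inside_sock.close()          # refused: no outside connection is made
            return False
        outside_sock = socket.create_connection((host, port))
        peer = {inside_sock: outside_sock, outside_sock: inside_sock}
        try:
            while True:
                readable, _, _ = select.select(list(peer), [], [])
                for s in readable:
                    data = s.recv(4096)
                    if not data:         # one side closed: tear down the circuit
                        return True
                    peer[s].sendall(data)  # forwarded unchanged, contents not examined
        finally:
            inside_sock.close()
            outside_sock.close()


def _echo_server() -> Endpoint:
    """Constructed stand-in for an outside server: echoes one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo(payload: bytes = b"hello through the circuit") -> bytes:
    """Inside client -> gateway -> echo server and back; returns what the client got."""
    echo_addr = _echo_server()
    gw = CircuitLevelGateway(allowed=[echo_addr])
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def accept_one() -> None:
        inside, _ = listener.accept()
        gw.relay(inside, *echo_addr)
        listener.close()

    threading.Thread(target=accept_one, daemon=True).start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(payload)
    received = client.recv(4096)
    client.close()
    return received


def demo_denied() -> bool:
    """A destination outside the allow-list is refused before any outside connection."""
    gw = CircuitLevelGateway(allowed=[("192.0.2.10", 25)])   # constructed
    inside, other = socket.socketpair()
    try:
        return gw.relay(inside, "192.0.2.20", 23)             # constructed, not allowed
    finally:
        other.close()


if __name__ == "__main__":
    print(demo())
    print(demo_denied())
```

Because the relay never parses the byte stream, it is cheap and protocol-agnostic, but it can enforce nothing about what the inside user does over the circuit once it is allowed; that is why the lecture places it where internal users are trusted.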
Bastion Host
• A system identified by the firewall
administrator as a critical strong point in the
network's security.
• The bastion host serves as a platform for
an application-level or circuit-level
gateway.
Bastion Host
• In addition to the use of simple
configurations of a single system (single
packet filtering router or single gateway),
more complex configurations are possible.
• Three common configurations:
Screened host firewall system
• Also called single-homed bastion host.
Figure (Screened host firewall, single-homed bastion host): Internet, information server, bastion host, private network.
Screened host firewall (1)
• Configuration:
- Consists of two systems, which are:
1. Packet filtering router.
- Only packets from and to the bastion host
are allowed to pass through.
2. Bastion host.
- Authentication and proxy functions.
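A stateless packet filter of the kind described under Packet-Filtering-Router (a list of rules matched against IP and TCP header fields, applied in both directions, with a default policy), configured for the screened host arrangement just described, where the router forwards only packets to or from the bastion host. This is an added example, not code from the lecture; the packet fields are a simplified model of the headers, and the addresses and ports are constructed TEST-NET values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter looks at (simplified model)."""
    direction: str   # "in" = Internet -> private network, "out" = the reverse
    src_ip: str
    dst_ip: str
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches anything."""
    action: str                       # "forward" or "discard"
    direction: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(
            want is None or want == got
            for want, got in (
                (self.direction, p.direction),
                (self.src_ip, p.src_ip),
                (self.dst_ip, p.dst_ip),
                (self.protocol, p.protocol),
                (self.dst_port, p.dst_port),
            )
        )


class PacketFilter:
    """Rules are checked in order; the first match wins, else the default policy applies."""

    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


BASTION = "192.0.2.10"      # constructed address of the bastion host


def screened_host_filter() -> PacketFilter:
    """Router rules for the screened (single-homed) host configuration.

    Only traffic to or from the bastion host passes; everything else hits
    the default-discard policy. A service-control rule in front of the
    allow rules blocks one service even to the bastion.
    """
    rules = [
        Rule("discard", direction="in", protocol="tcp", dst_port=23),   # no inbound TELNET at all
        Rule("forward", direction="in", dst_ip=BASTION),                # Internet -> bastion only
        Rule("forward", direction="out", src_ip=BASTION),               # bastion -> Internet only
    ]
    return PacketFilter(rules, default="discard")


if __name__ == "__main__":
    pf = screened_host_filter()
    for pkt in (
        Packet("in", "198.51.100.7", BASTION, "tcp", 40000, 25),     # mail to the bastion
        Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 40001, 25),  # mail straight to an inside host
        Packet("in", "198.51.100.7", BASTION, "tcp", 40002, 23),     # TELNET to the bastion
        Packet("out", "10.0.0.5", "198.51.100.7", "tcp", 50000, 80), # inside host bypassing the bastion
    ):
        print(pkt.direction, pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, pf.decide(pkt))
```

The default policy is what makes or breaks a filter like this: with `default="discard"` a missing rule fails closed, with `default="forward"` every service the administrator forgot to list is reachable, which is the "difficulty of setting up packet filter rules" disadvantage from the packet filter slides.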
Screened host firewall (2)
• Greater security than the single-system
configuration, for two reasons:
1. This configuration implements both
packet-level and application-level filtering
(allowing for flexibility in defining the security
policy).
2. An intruder must generally penetrate two
separate systems.
Screened host firewall (3)
• This configuration also affords flexibility in
providing direct Internet access (public
information server, e.g. web server).
Dual Homed Bastion Host
• Dual-homed bastion host.
Figure (Dual Homed Bastion Host): Internet, information server, bastion host, private network.
Dual Homed Bastion Host
• Protects against the case where the packet
filtering router is completely compromised.
• Traffic between the Internet and other
hosts on the private network has to flow
through the bastion host.
Screened Subnet Firewall System
• See figure.
Figure (Screened Subnet Firewall System): Internet, information server, modem, bastion host, private network.
Screened Subnet Firewall System
• The most secure of the three bastion host
configurations.
• Two packet filtering routers are used.
• Creation of an isolated sub-network.
Screened Subnet Firewall System
• Advantages:
- Three levels of defense to thwart intruders.
- The outside router advertises only the
existence of the screened sub-net to the
Internet (the internal network is invisible to the
Internet).
Screened Subnet Firewall System
• Advantages:
- The inside router advertises only the
existence of the screened sub-net to the
internal network (the systems on the
inside cannot construct direct routes to the
Internet).