First Line of Defense: The Firewall

Network Firewalls
CSCI 5931 - Web Security
Spring 2003
Presented by Yasir Zahur
Agenda
• Reference Monitor
• Introduction
• Types of Firewalls
• Screening Routers
• Proxy Gateways
• Guard
• Sample Configurations
Reference Monitor
• The kernel is the heart of the operating system
• The security kernel is responsible for enforcing the security mechanisms of the entire operating system
• The portion of the security kernel that controls accesses to objects is called the reference monitor
• A reference monitor must be
  • Tamperproof
  • Always invoked
  • Small and simple enough for rigorous analysis
Reference Monitor (…cont)
First Line of Defense: The Firewall
• A special form of reference monitor
• The primary means of securing a private network against penetration from a public network
• An access control device, performing perimeter security by deciding which packets are allowed or denied, and which must be modified before passing
• The core of an enterprise's comprehensive security policy
• Can monitor all traffic entering and leaving the private network, and alert the IT staff to any attempts to circumvent security or patterns of inappropriate use
Network Firewall Concept
[Diagram: the Firewall System sits between the outside and Your Domain; Legitimate Activity passes through, Violations are stopped]
Types of Firewalls
• Screening Routers (Packet Level Filters)
• Proxy Gateways (Bastion Host)
• Guards
Screening Routers
• The simplest and, in some cases, the most effective type of firewall. Its simplest form consists of Access Control Lists (ACLs) and Network Address Translation (NAT)
• Also called a Packet Filter, since the filtering mechanism keeps no record of the interaction or history of previous datagrams
• A manager can list any combination of source IP address, destination IP address, protocol, source protocol port number and destination protocol port number as the packet filter specification
Routers Screening Outside Addresses
Security Policy in Packet Filtering
• A packet filter allows a manager to specify which datagrams to block
• This requires continuous monitoring and updates, as the number of well-known ports is large and growing rapidly
• Certain services assign port numbers dynamically, e.g. RPC (Remote Procedure Call)
• Listing the ports of well-known services leaves the firewall vulnerable to tunneling
• The answer
  • Block all datagrams except those explicitly specified
Consequence Of Restricted Access For Clients
• Each server operates at a well-known port; a client does not
• A client attempts to communicate with a server outside the organization
• Each outgoing datagram has the client's protocol port as source port and the server's protocol port as destination port
• The firewall will not block such datagrams as they leave
• However, when the response reaches the firewall from outside (with the destination port now being the client's port), it will be blocked by the firewall, since the destination port is not approved
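As an added example (not part of the slides), a small Python model of the screening router described above: a default-deny filter with no memory of earlier datagrams lets the client's request out but drops the server's reply. It also goes beyond the slides with a stateful variant that records permitted outbound connections so that their replies may return, which is how later packet filters resolved this consequence. Addresses, ports and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
@dataclass(frozen=True)
class Rule:  # one allow entry; None means "any value" for that field
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        # Rule field names equal Packet's, so compare attribute by attribute
        return all(want is None or want == getattr(p, name) for name, want in vars(self).items())

def stateless_filter(p: Packet, allow: list) -> bool:
    """Default deny with no memory of earlier datagrams (the slides' screening router)."""
    return any(r.matches(p) for r in allow)

class StatefulFilter:
    """Beyond the slides: remember connections let out so that their replies may return."""
    def __init__(self, allow: list) -> None:
        self.allow, self.seen = allow, set()
    def check(self, p: Packet) -> bool:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if rev in self.seen:                 # reply to a connection already permitted
            return True
        if any(r.matches(p) for r in self.allow):
            self.seen.add(fwd)               # record the outbound connection
            return True
        return False

# Constructed policy and addresses: the inside client may reach any web server (tcp/80).
INSIDE_CLIENT, OUTSIDE_WEB = "10.0.0.5", "198.51.100.7"
ALLOW_OUT = [Rule(src_ip=INSIDE_CLIENT, proto="tcp", dst_port=80)]
REQUEST = Packet(INSIDE_CLIENT, OUTSIDE_WEB, "tcp", 40001, 80)   # client -> server
REPLY = Packet(OUTSIDE_WEB, INSIDE_CLIENT, "tcp", 80, 40001)     # server -> client

def stateless_outcome() -> tuple:
    # (request passes, reply passes): the request leaves, the reply is dropped
    return stateless_filter(REQUEST, ALLOW_OUT), stateless_filter(REPLY, ALLOW_OUT)

def stateful_outcome() -> tuple:
    fw = StatefulFilter(ALLOW_OUT)
    return fw.check(REQUEST), fw.check(REPLY)   # both pass
```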
Proxy Gateway
• A firewall that simulates the effects of an application by running "pseudo-applications"
• Because the firewall computer must be strongly fortified to serve as a secure communication channel, it is also called a BASTION HOST
• To the inside it implements part of the application protocol to make itself look as if it is the outside connection
• To the outside it implements part of the application protocol to act just like the inside process would
• It also examines the contents, not just the header, of the packet
Proxy Gateway Example 1
• Consider Web access from an inside host
• The user cannot use a browser for direct access, since the firewall prevents the user's computer from receiving incoming datagrams
• However, the organization runs a web proxy server on the Bastion Host
• The browser on each host is configured to use the proxy
• Thus whenever the user requests a URL, the browser contacts the proxy, which in turn contacts the outside server, obtains the page and delivers it to the inside host
Proxy Gateway Example 2
• Consider a site that blocks all incoming TELNET and FTP connections using a packet filtering router
• The router allows TELNET and FTP packets to go to one host only, the TELNET/FTP application gateway
• An outside user first telnets to the application gateway and enters the name of an internal host
• The gateway checks the user's source IP address and accepts or rejects it according to any access criteria in place
• The user may need to authenticate
• The proxy service creates a TELNET connection between the gateway and the internal host
• The proxy service then passes bytes between the two connections, and
• The application gateway logs the connection
Proxy Gateway - Advantages
• Proxy services allow only those services through for which there is a proxy
• The protocol can be filtered. Some firewalls, for example, can filter FTP connections and deny use of the FTP put command
• Information hiding, in which the names of internal systems need not necessarily be made known via DNS to outside systems; only the application gateway's name must be known
• Cost-effectiveness, because third-party software or hardware for authentication or logging need be located only at the application gateway
• Application traffic can be pre-authenticated before it reaches internal hosts and can be logged more effectively than with standard host logging
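As an added example (not part of the slides), the admission logic of the TELNET/FTP application gateway from Example 2 together with the command filtering from the advantages slide, written in Python: the gateway checks the source address, authenticates the user, admits only services for which a proxy exists, logs every decision, and refuses FTP upload commands (the client's put is sent as STOR on the wire). The networks, hosts, user store and blocked-command set are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import List, Tuple

# Constructed access criteria for the gateway: outside networks allowed to use it,
# internal hosts it will relay to, and the services for which a proxy exists.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_HOSTS = {"mail.internal.example": "10.0.0.10", "files.internal.example": "10.0.0.20"}
PROXIED_SERVICES = {"telnet": 23, "ftp": 21}
# Constructed user store: (salt, SHA-256 digest of salt + password), never plaintext.
USERS = {"alice": ("s3", hashlib.sha256(b"s3" + b"correct horse").hexdigest())}

def authenticate(user: str, password: str) -> bool:
    salt, expected = USERS.get(user, ("", ""))
    digest = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison

def admit(src_ip: str, service: str, target: str, user: str, password: str,
          log: List[str]) -> Tuple[bool, str]:
    """Source-address check, then authentication (Example 2); only proxied services
    are admitted (advantages slide). Every decision is logged at the gateway."""
    if service not in PROXIED_SERVICES:
        reason = "denied: no proxy for service"
    elif not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_SOURCES):
        reason = "denied: source address not permitted"
    elif target not in INTERNAL_HOSTS:
        reason = "denied: unknown internal host"
    elif not authenticate(user, password):
        reason = "denied: authentication failed"
    else:
        reason = f"allowed: relay to {INTERNAL_HOSTS[target]}:{PROXIED_SERVICES[service]}"
    log.append(f"{src_ip} {user} {service} {target} {reason}")   # gateway-side log
    return reason.startswith("allowed"), reason

# Command-level filtering: the FTP client's "put" is sent as STOR; STOU and APPE
# are the other upload commands (constructed policy: block all three).
BLOCKED_FTP = {"STOR", "STOU", "APPE"}

def filter_ftp_command(line: str) -> Tuple[bool, str]:
    """Relay the client's command line, or substitute a refusal if it would upload."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in BLOCKED_FTP:
        return False, "550 Uploads are not permitted through this gateway\r\n"
    return True, line
```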
Guard
• A more "sophisticated" and "complex" proxy firewall
• Since it is more complex, its code is more prone to error
• Can examine and interpret the contents of a packet
• Usually implements and enforces certain business policies
• E.g. enforcing an e-mail quota on the proxy
Firewall Configuration 1
Firewall Configuration 2
References
• Firewalls, http://www.cyber.ust.hk/fw-report1/index.html
• Security in Computing, 2nd Ed., by Charles P. Pfleeger. Prentice Hall
• Internetworking with TCP/IP, Vol. 1, by Douglas E. Comer. Prentice Hall
• Network Security Presentation Slides, by Andrew Yang, http://nas/yang/teaching/csci5233fall02/index.htm#topicsNotes
• Presentation on Firewalls, by Tom Longstaff, CERT Coordination Center, Carnegie Mellon University, http://www.andrew.cmu.edu/course/95750/yihudoc/Lecture6.ppt