Transcript Firewall

Internet Firewalls
What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw
R355
Outline
• Firewall Design Principles
• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations
Firewalls
• Protecting a local network from security threats while affording access to the Internet
Firewall Design Principles
• The firewall is inserted between the private network and the Internet
• Aims:
– Establish a controlled link
– Protect the local network from Internet-based attacks
– Provide a single choke point
Firewall Characteristics
• Design goals for a firewall
– All traffic (in or out) must pass through the firewall
– Only authorized traffic will be allowed to pass
– The firewall itself is immune to penetration
Firewall Characteristics
• Four general techniques:
– Service control
• The type of Internet services that can be accessed
– Direction control
• Inbound or outbound
– User control
• Which user is attempting to access the service
– Behavior control
• e.g., Filter email to eliminate spam
Components of Firewalls
• Three common components of firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
– (Bastion host)
Components of Firewalls (I)
• Packet-filtering Router
Packet-filtering Router
• Packet-filtering Router
– Applies a set of rules to each incoming IP packet and then forwards or discards the packet
– Filters packets going in both directions
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
– Two possible default policies for packets that match no rule (discard or forward)
TCP/IP header
Packet-filtering Router
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of authentication
Packet-filtering Router
• Open-source under UNIX:
– IP firewall
– IPFilter
– IPchain
Components of Firewalls (II)
• Application-level Gateway
Application-level Gateway
• Application-level Gateway
– Also called proxy server
– Acts as a relay of application-level traffic
Application-level Gateway
• Advantages:
– Higher security than packet filters
– Only need to check a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)
Application-level Gateway
• Open-source under UNIX:
– squid (WWW),
– delegate (general purpose),
– osrtspproxy (RTSP),
– smtpproxy (SMTP),
–…
Components of Firewalls (III)
• Circuit-level Gateway
Circuit-level Gateway
• Similar to Application-level Gateway
• However
– it typically relays TCP segments from one connection to the other without examining the contents
– Determines only which connections will be allowed
– Typical usage is a situation in which the system administrator trusts the internal users
In other words
• Korean customs as an analogy
– Circuit-level gateway only checks your nationality
– Application-level gateway checks your baggage contents in addition to your nationality
Components of Firewalls
• Open-source under UNIX
– SOCKS
– dante
Components of Firewalls (II) ∪ (III)
• Bastion Host
– serves as
• application-level gateway
• circuit-level gateway
• both
Firewall Configurations
• In addition to the simple configuration of a single system (single packet-filtering router or single gateway), more complex configurations are possible
• Three common configurations
Configurations (I)
• Screened host firewall system (single-homed bastion host)
Configurations (I)
• Consists of two systems:
– A packet-filtering router & a bastion host
• Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
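As an added example (not from the slides), the packet-filtering router described earlier, with a rule set for this screened-host configuration: first-match rules over IP and TCP header fields, a default policy for unmatched packets, and rules that let only traffic to and from the bastion host through the router. The addresses and the bastion's proxied service (SMTP) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (RFC 5737 documentation ranges), not from the slides.
BASTION = "192.0.2.10/32"       # hypothetical bastion host on the private net

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    ack: bool = False     # TCP ACK bit: set on every segment except the opening SYN

@dataclass
class Rule:
    action: str                    # "forward" or "discard"
    src: str = "0.0.0.0/0"         # source prefix; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    ack: Optional[bool] = None     # True: match only non-opening (reply) segments

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.ack in (None, p.ack))

def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; unmatched packets get the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Screened-host policy for the router: only packets to or from the bastion
# pass, and inbound traffic to the bastion is limited to the proxied service
# (SMTP here) plus replies to connections the bastion opened itself.
SCREENED_HOST_RULES = [
    Rule("forward", dst=BASTION, proto="tcp", dport=25),   # new SMTP connections to bastion
    Rule("forward", dst=BASTION, proto="tcp", ack=True),   # replies to bastion's outbound connections
    Rule("forward", src=BASTION),                          # bastion may initiate anything outbound
]
# Packets from the Internet to any other internal host, or from an internal
# host directly to the Internet, match no rule and fall to the default (discard).
```

Matching on the ACK bit is the stateless approximation of "established" that filters of this kind used; it admits any ACK-bearing segment addressed to the bastion, which is one reason later firewalls track connection state instead.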
More secure
• More secure than each single component because:
– offers both packet-level and application-level filtering
Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
Configurations (II)
• Screened host firewall system (dual-homed bastion host)
Configurations (II)
• Consists of two systems just as config (I) does.
• However, the bastion host separates the network into two subnets.
Even more secure
• An intruder must generally penetrate two separate systems
Configurations (III)
• Screened-subnet firewall system
Configurations (III)
• Three-level defense
– Most secure
– Two packet-filtering routers are used
– Creates an isolated sub-network
• Private network is invisible to the Internet
• Computers inside the private network cannot construct direct routes to the Internet
Demo
Conclusion
Capabilities of a firewall
• Defines a single choke point at which security features are applied
– Security management is simplified
• Provides a location for monitoring, audits and alarms
• A convenient platform for several non-security-related Internet functions
– e.g., NAT, network management
• Can serve as the platform for IPSec
– Implement VPN with tunnel mode capability
What firewalls cannot protect against
• Attacks that bypass the firewall
– e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
– e.g., disgruntled employee or employee who cooperates with external attackers
• The transfer of virus-infected programs or files
Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997