Internet Firewalls
What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw R355
1
�Outline
Firewall Design Principles Firewall Characteristics Components of Firewalls Firewall Configurations
�Firewalls
Protecting a local network from security threats while affording access to the Internet
�Firewall Design Principles
The firewall is inserted between the private network and the Internet Aims:
Establish a controlled link Protect the local network from Internet-based attacks Provide a single choke point
4
�Firewall Characteristics
Design goals for a firewall
All traffic (in or out) must pass through the firewall Only authorized traffic will be allowed to pass The firewall itself is immune to penetration
�Firewall Characteristics
Four general techniques:
Service control Direction control User control
The type of Internet services that can be accessed Inbound or outbound Which user is attempting to access the service
Behavior control
e.g., Filter email to eliminate spam
�Components of Firewalls
Three common components of Firewalls:
Packet-filtering routers Application-level gateways Circuit-level gateways (Bastion host)
�Components of Firewalls (I)
Packet-filtering Router
�Packet-filtering Router
Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet Filter packets going in both directions The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header Two default policies (discard or forward)
9
�TCP/IP header
10
�Packet-filtering Router
Advantages:
Simplicity Transparency to users High speed Difficulty of setting up packet filter rules Lack of Authentication
11
Disadvantages:
�Packet-filtering Router
Open-source under UNIX:
IP firewall IPFilter IPchain
12
�Components of Firewalls (II)
Application-level Gateway
13
�Application-level Gateway
Application-level Gateway
Also called proxy server Acts as a relay of application-level traffic
14
�Application-level Gateway
Advantages:
Higher security than packet filters Only need to check a few allowable applications Easy to log and audit all incoming traffic
Disadvantages:
Additional processing overhead on each connection (gateway as splice point)
15
�Application-level Gateway
Open-source under UNIX:
squid (WWW), delegate (general purpose), osrtspproxy (RTSP), smtpproxy (SMTP),
16
�Components of Firewalls (III)
Circuit-level Gateway
17
�Circuit-level Gateway
Similar to Application-level Gateway However
it typically relays TCP segments from one connection to the other without examining the contents Determines only which connections will be allowed Typical usage is a situation in which the system administrator trusts the internal 18 users
�In other words
Korean custom
Circuit-level gateway only checks your nationality Application-level gateway checks your baggage content in addition to your nationality
19
�Components of Firewalls
Open-source under UNIX
SOCKS dante
20
�Components of Firewalls (II) U (III)
Bastion Host
serves as
application-level gateway circuit-level gateway both
21
�Firewall Configurations
In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible Three common configurations
22
�Configurations (I)
Screened host firewall system (single-homed bastion host)
23
�Configurations (I)
Consists of two systems:
A packet-filtering router & a bastion host
Only packets from and to the bastion host are allowed to pass through the router The bastion host performs authentication and proxy functions
24
�More secure
More secure than each single component because :
offers both packet-level and application-level filtering
25
�Firewall Configurations
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
26
�Configurations (II)
Screened host firewall system (dualhomed bastion host)
27
�Configurations (II)
Consists of two systems just as config (I) does. However, the bastion host separates the network into two subnets.
28
�Even more secure
An intruder must generally penetrate two separate systems
29
�Configurations (III)
Screened-subnet firewall system
30
�Configurations (III)
Three-level defense
Most secure Two packet-filtering routers are used Creates an isolated sub-network
Private network is invisible to the Internet Computers inside the private network cannot construct direct routes to the Internet
31
�Demo
32
�Conclusion
33
�Capabilities of firewall
Defines a single choke point at which security features are applied Provides a location for monitoring, audits and alarms A convenient platform for several nonsecurity-related Internet functions Can serve as the platform for IPSec
e.g., NAT, network management Implement VPN with tunnel mode capability
34
Security management is simplified
�What firewalls cannot protect against
Attacks that bypass the firewall
e.g., dial-in or dial-out capabilities that internal systems provide
Internal threats
e.g., disgruntled employee or employee who cooperates with external attackers
The transfer of virus-infected programs or files
35
�Recommended Reading
Chapman, D., and Zwicky, E. Building Internet Firewalls. OReilly, 1995 Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000 Gasser, M. Building a Secure Computer System. Reinhold, 1988 Pfleeger, C. Security in Computing. Prentice Hall, 1997
36
