8/12/2019 p Vl Firewalls
1/31
Firewalls
Dr. P.V. Lakshmi
Information Technology, GIT, GITAM University
Firewall Design Principles
Information systems have undergone a steady evolution (from small LANs to Internet connectivity).
Strong security features for all workstations and servers are not established.
Firewall Design Principles (cont.)
The firewall is inserted between the premises network and the Internet.
Aims:
Establish a controlled link.
Protect the premises network from Internet-based attacks.
Provide a single choke point.
Firewall Characteristics
Design goals:
All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall).
Only authorized traffic (defined by the local security policy) will be allowed to pass.
The firewall itself is immune to penetration (use of a trusted system with a secure operating system).
Firewall Characteristics (cont.)
Four general techniques:
Service control: determines the types of Internet services that can be accessed, inbound or outbound.
Direction control: determines the direction in which particular service requests are allowed to flow through the firewall.
Firewall Characteristics (cont.)
User control: controls access to a service according to which user is attempting to access it.
Behavior control: controls how particular services are used (e.g. filter e-mail).
Scope of firewalls
A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
A firewall provides a location for monitoring security-related events.
A firewall is a convenient platform for several Internet functions that are not security related.
A firewall can serve as a platform for IPSec.
Firewall Limitations
Cannot protect against attacks that bypass it, e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH).
Cannot protect against internal threats, e.g. a disgruntled employee.
Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types.
Types of Firewalls
Three common types of firewalls:
Packet-filtering routers
Application-level gateways
Circuit-level gateways
Bastion host (the platform on which a gateway runs)
Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet. Filters packets going in both directions.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
Two default policies (discard or forward) for packets that match no rule.
Advantages:
Simplicity
Transparency to users
High speed
Disadvantages:
Difficulty of setting up packet filter rules
Lack of Authentication
Possible attacks and appropriate countermeasures
IP address spoofing
Source routing attacks
Tiny fragment attacks
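A toy stateless packet filter in the style of this slide and the preceding one: an ordered rule list matched on IP/TCP header fields, a discard default policy for packets no rule permits, and the standard countermeasures for the three attacks listed (discard packets arriving from the Internet with an inside source address, discard any packet carrying the IP source-routing option, require a first fragment to carry the whole TCP header). This is an added example, not code from the lecture; the Packet and Rule fields, the 10.0.0.0/8 premises network and the sample rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed premises network behind the router
MIN_FIRST_FRAGMENT = 20                  # bytes of transport header a first fragment must carry

@dataclass
class Packet:
    iface: str                   # "ext" = arrived from the Internet, "int" = from the premises
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dst_port: Optional[int]      # None when this fragment carries no transport header
    frag_offset: int = 0         # IP fragment offset; 0 = first (or only) fragment
    more_fragments: bool = False
    transport_len: int = 40      # bytes following the IP header in this fragment
    source_routed: bool = False  # IP source-routing option (LSRR/SSRR) present

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    iface: str                   # "ext", "int" or "*"
    dst: str                     # destination network, or "*"
    proto: str                   # "tcp", "udp" or "*"
    dst_port: Optional[int]      # None = any port

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("*", pkt.iface)
            and (rule.dst == "*" or ip_address(pkt.dst) in ip_network(rule.dst))
            and rule.proto in ("*", pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def filter_packet(pkt: Packet, rules: List[Rule], default: str = "discard") -> Tuple[str, str]:
    """Return (decision, reason): countermeasures first, then the first matching rule, else the default."""
    if pkt.iface == "ext" and ip_address(pkt.src) in INTERNAL_NET:
        return "discard", "ip-spoofing"    # inside source address arriving from outside
    if pkt.source_routed:
        return "discard", "source-routing" # discard every packet that uses the option
    if pkt.frag_offset == 0 and pkt.more_fragments and pkt.transport_len < MIN_FIRST_FRAGMENT:
        return "discard", "tiny-fragment"  # first fragment too small to hold the TCP header
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, "rule"
    return default, "default"              # default policy: discard what no rule permits
# Constructed policy: the Internet may reach only the web server; the premises may reach anything.
RULES = [
    Rule("forward", "ext", "10.0.0.80/32", "tcp", 443),
    Rule("forward", "int", "*", "*", None),
]
```

A non-first fragment carries no ports, so it matches only port-agnostic rules and otherwise falls to the discard default.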
Application-level Gateway
Also called a proxy server. Acts as a relay of application-level traffic.
Advantages:
Higher security than packet filters.
Only need to scrutinize a few allowable applications.
Easy to log and audit all incoming traffic.
Disadvantages:
Additional processing overhead on each connection (gateway as splice point).
Circuit-level Gateway
Stand-alone system, or a specialized function performed by an application-level gateway.
Sets up two TCP connections.
The gateway typically relays TCP segments from one connection to the other without examining the contents.
The security function consists of determining which connections will be allowed.
Typical use is a situation in which the system administrator trusts the internal users.
An example is the SOCKS package.
Bastion Host
A system identified by the firewall administrator as a critical strong point in the network's security.
The bastion host serves as a platform for an application-level or circuit-level gateway.
Firewall Configurations
In addition to the use of a simple configuration of a single system (single packet-filtering router or single gateway), more complex configurations are possible.
Three common configurations
Screened host firewall system (single-homed
bastion host)
Screened host firewall system (dual-homed
bastion host)
Screened-subnet firewall system
Screened host firewall, single-homed bastion configuration
Firewall consists of two systems:
A packet-filtering router.
A bastion host.
Configuration for the packet-filtering router:
Only packets from and to the bastion host
are allowed to pass through the router.
The bastion host performs authentication and
proxy functions.
Greater security than single configurations, for two reasons:
This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy).
An intruder must generally penetrate two separate systems.
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server).
Screened host firewall, dual-homed bastion configuration
Even if the packet-filtering router is completely compromised, traffic between the Internet and the other hosts on the private network still has to flow through the bastion host.
Screened subnet firewall configuration
Most secure configuration of the three. Two packet-filtering routers are used.
Creation of an isolated sub-network.
Advantages:
Three levels of defense to thwart intruders.
The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet).
The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet).
Recommended Reading
William Stallings, Cryptography and Network Security.
Cheswick, W., and Bellovin, S., Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000.