Firewall
Internet Firewalls
What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw
R355
Outline
• Firewall Design Principles
• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations
Firewalls
• Protecting a local network from security threats while affording access to the Internet
Firewall Design Principles
• The firewall is inserted between the private network and the Internet
• Aims:
  – Establish a controlled link
  – Protect the local network from Internet-based attacks
  – Provide a single choke point
Firewall Characteristics
• Design goals for a firewall
  – All traffic (in or out) must pass through the firewall
  – Only authorized traffic will be allowed to pass
  – The firewall itself is immune to penetration
Firewall Characteristics
• Four general techniques:
  – Service control
    • The type of Internet services that can be accessed
  – Direction control
    • Inbound or outbound
  – User control
    • Which user is attempting to access the service
  – Behavior control
    • e.g., Filter email to eliminate spam
Components of Firewalls
• Three common components of Firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
  – (Bastion host)
Components of Firewalls (I)
• Packet-filtering Router
Packet-filtering Router
• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)
TCP/IP header
Packet-filtering Router
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of Authentication
Packet-filtering Router
• Open-source under UNIX:
  – IP firewall
  – IPFilter
  – IPchain
Components of Firewalls (II)
• Application-level Gateway
Application-level Gateway
• Application-level Gateway
  – Also called proxy server
  – Acts as a relay of application-level traffic
Application-level Gateway
• Advantages:
  – Higher security than packet filters
  – Only need to check a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)
Application-level Gateway
• Open-source under UNIX:
  – squid (WWW)
  – delegate (general purpose)
  – osrtspproxy (RTSP)
  – smtpproxy (SMTP)
  – …
Components of Firewalls (III)
• Circuit-level Gateway
Circuit-level Gateway
• Similar to Application-level Gateway
• However
  – It typically relays TCP segments from one connection to the other without examining the contents
  – Determines only which connections will be allowed
  – Typical usage is a situation in which the system administrator trusts the internal users
In other words
• Korean customs
  – Circuit-level gateway only checks your nationality
  – Application-level gateway checks your baggage content in addition to your nationality
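The customs analogy in code, as an added example (not part of the original slides): the circuit-level gateway decides on the connection alone (who the user is, which port) and then copies TCP segments through unread, while the application-level gateway additionally parses the HTTP request it is relaying. The user list, ports, methods, host names and the HTTP request bytes are all constructed for the example.

```python
from typing import Optional, Tuple

# Constructed policy for the gateway: which internal users and destination ports
# a connection may use (the "nationality" check in the customs analogy).
TRUSTED_USERS = {"alice", "bob"}
ALLOWED_DPORTS = {80, 443}
# Constructed content policy that only the application-level gateway can enforce.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}

def circuit_level_allow(user: str, dport: int) -> bool:
    """Circuit-level gateway: decides only whether the connection may be set up."""
    return user in TRUSTED_USERS and dport in ALLOWED_DPORTS

def circuit_level_relay(user: str, dport: int, segment: bytes) -> Optional[bytes]:
    """Once the connection is allowed, every TCP segment is copied through unread."""
    return segment if circuit_level_allow(user, dport) else None

def parse_request_line(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Split 'METHOD TARGET HTTP/x.y' from the first line; None if malformed."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, version = (p.decode("ascii", "replace") for p in parts)
    return method, target, version

def host_header(payload: bytes) -> Optional[str]:
    """Value of the Host header, or None if the request carries none."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None

def application_level_allow(user: str, dport: int, payload: bytes) -> bool:
    """Application-level gateway: same connection check, then the request content
    (the "baggage") is parsed and checked before anything is relayed."""
    if not circuit_level_allow(user, dport):
        return False
    request = parse_request_line(payload)
    if request is None or request[0] not in ALLOWED_METHODS:
        return False
    return host_header(payload) in ALLOWED_HOSTS
```

The extra parsing is exactly the "additional processing overhead on each connection" the slides list as the application-level gateway's disadvantage, and the reason a trusted-user environment may settle for the circuit-level check.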
Components of Firewalls
• Open-source under UNIX
  – SOCKS
  – dante
Components of Firewalls (II) ∪ (III)
• Bastion Host
  – serves as
    • application-level gateway
    • circuit-level gateway
    • both
Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations
Configurations (I)
• Screened host firewall system (single-homed bastion host)
Configurations (I)
• Consists of two systems:
  – A packet-filtering router & a bastion host
    • Only packets from and to the bastion host are allowed to pass through the router
    • The bastion host performs authentication and proxy functions
More secure
• More secure than each single component because:
  – offers both packet-level and application-level filtering
Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
Configurations (II)
• Screened host firewall system (dual-homed bastion host)
Configurations (II)
• Consists of two systems just as config (I) does.
• However, the bastion host separates the network into two subnets.
Even more secure
• An intruder must generally penetrate two separate systems
Configurations (III)
• Screened-subnet firewall system
Configurations (III)
• Three-level defense
  – Most secure
  – Two packet-filtering routers are used
  – Creates an isolated sub-network
• Private network is invisible to the Internet
• Computers inside the private network cannot construct direct routes to the Internet
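An added example (not from the original slides) that ties the packet-filtering router slides to this configuration: a rule list matched against IP/TCP header fields, first match wins, with "discard" as the default policy, instantiated as the two routers of a screened subnet. The addresses, ports and the "firewall" helper are constructed for the example; the screened-host configuration (I) would be just the outer rule set on a single router.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the IP/TCP header fields the filter matches on."""
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

def addr_match(pattern: Optional[str], addr: str) -> bool:
    """None matches any address; 'a.b.c.0/24' matches a subnet; else exact match."""
    if pattern is None:
        return True
    return ip_address(addr) in ip_network(pattern) if "/" in pattern else pattern == addr

@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    src: Optional[str] = None    # None in any field means "match any value"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (addr_match(self.src, p.src) and addr_match(self.dst, p.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], packet: Packet, default: str) -> str:
    """First matching rule decides; if no rule matches, the default policy applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Constructed screened-subnet addressing (RFC 5737 / RFC 1918 documentation ranges).
BASTION = "192.0.2.10"    # on the isolated sub-network between the two routers
PRIVATE = "10.0.0.0/8"    # private network behind the inner router
# Outer router: the Internet reaches only the bastion's SMTP/HTTP proxies, and only
# the bastion may send traffic out. Inner router: private hosts talk only to the bastion.
OUTER_RULES = [Rule("forward", dst=BASTION, proto="tcp", dport=25),
               Rule("forward", dst=BASTION, proto="tcp", dport=80),
               Rule("forward", src=BASTION)]
INNER_RULES = [Rule("forward", src=PRIVATE, dst=BASTION),
               Rule("forward", src=BASTION, dst=PRIVATE)]

def firewall(router: str, p: Packet) -> str:
    """Decision of the named router ("outer" or "inner"); default policy is discard."""
    rules = OUTER_RULES if router == "outer" else INNER_RULES
    return filter_packet(rules, p, default="discard")
```

With both default policies set to discard, no rule on either router matches a packet between a private host and an Internet address, which is what makes the private network invisible; switching a default to "forward" would silently open exactly those paths.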
Demo
Conclusion
Capabilities of firewall
• Defines a single choke point at which security features are applied
  – Security management is simplified
• Provides a location for monitoring, audits and alarms
• A convenient platform for several non-security-related Internet functions
  – e.g., NAT, network management
• Can serve as the platform for IPSec
  – Implement VPN with tunnel mode capability
What firewalls cannot protect against
• Attacks that bypass the firewall
  – e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
  – e.g., disgruntled employee or employee who cooperates with external attackers
• The transfer of virus-infected programs or files
Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997