7/27/2019 Firewall new version
http://slidepdf.com/reader/full/firewall-new-version 1/45
5/4/01 EMTM 553 1
EMTM 553: E-commerce Systems
Lecture 7b: Firewalls
Insup Lee
Department of Computer and Information Science, University of Pennsylvania
[email protected] www.cis.upenn.edu/~lee
Why do we need firewalls?
BEFORE AFTER (your results may vary)
What is a firewall?
• Two goals:
– To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
– To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network.
• Basic idea:
– Impose a specifically configured gateway machine between the outside world and the site’s inner network.
– All traffic must first go to the gateway, where software decides whether to allow or reject it.
What is a firewall?
• A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private network.
• The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system
Firewalls DON’T
• Protect against attacks that bypass the firewall
– Dial-out from an internal host to an ISP
• Protect against internal threats
– Disgruntled employee
– Insider cooperates with an external attacker
• Protect against the transfer of virus-infected programs or files
Types of Firewalls
• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls
Packet Filtering Routers
• Forward or discard IP packets according to a set of rules
• Filtering rules are based on fields in the IP and transport headers
What information is used for the filtering decision?
• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit
Web Access Through a Packet Filter Firewall
[Stein]
Packet Filtering Routers: pros and cons
• Advantages:
– Simple
– Low cost
– Transparent to user
• Disadvantages:
– Hard to configure filtering rules
– Hard to test filtering rules
– Don’t hide network topology (due to transparency)
– May not be able to provide enough control over traffic
– Throughput of a router decreases as the number of filters increases
Application Level Gateways (Proxy Server)
A Telnet Proxy
A sample telnet session
Application Level Gateways (Proxy Server)
• Advantages:
– Complete control over each service (FTP/HTTP…)
– Complete control over which services are permitted
– Strong user authentication (smart cards etc.)
– Easy to log and audit at the application level
– Filtering rules are easy to configure and test
• Disadvantages:
– A separate proxy must be installed for each application-level service
– Not transparent to users
Circuit Level Gateways
Circuit Level Gateways (2)
• Often used for outgoing connections where the system administrator trusts the internal users
• The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections
Hybrid Firewalls
• In practice, many of today's commercial firewalls use a combination of these techniques.
• Examples:
– A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
– Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.
Firewall Configurations
• Bastion host
– A system identified by the firewall administrator as a critical strong point in the network’s security
– Typically serves as a platform for an application-level or circuit-level gateway
– Extra secure O/S, tougher to break into
• Dual homed gateway
– Two network interface cards: one to the outer network and the other to the inner
– A proxy selectively forwards packets
• Screened host firewall system
– Uses a network router to forward all traffic from the outer and inner networks to the gateway machine
• Screened-subnet firewall system
Dual-homed gateway
Screened-host gateway
Screened Host Firewall
Screened Subnet Firewall
Screened subnet gateway
Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling
Commercial Firewall Systems
[Bar chart of market share (0% to 45%) by vendor: Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)
Firewall’s security policy
• Embodied in the filters that allow or deny passage to network traffic
• Filters are implemented as proxy programs.
– Application-level proxies
o One for each particular communication protocol
o E.g., HTTP, FTP, SM
o Can also filter based on IP addresses
– Circuit-level proxies
o Lower-level, general purpose programs that treat packets as black boxes to be forwarded or not
o Only look at header information
o Advantages: speed and generality
o One proxy can handle many protocols
Configure a Firewall (1)
• Outgoing Web Access
– Outgoing connections through a packet filter firewall
– Outgoing connections through an application-level proxy
– Outgoing connections through a circuit proxy
Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]
Configure a Firewall (2)
• Incoming Web Access
– The “Judas” server
– The “Sacrificial Lamb”
– The “Private Affair” server
– The doubly fortified server
The “Judas” Server (not recommended)
[Stein]
The “sacrificial lamb”
[Stein]
The “private affair” server
[Stein]
Internal Firewall
An Internal Firewall protects the Web server from insider threats.
[Stein]
Placing the sacrificial lamb in the demilitarized zone.
[Stein]
Poking holes in the firewall
• If you need to support a public Web server, but have no place to put it other than inside the firewall.
• Problem: if the server is compromised, then you are cooked.
Simplified Screened-Host Firewall Filter Rules
[Stein]
Filter Rule Exceptions for Incoming Web Services
[Stein]
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]
Filter Rules for a Screened Public Web Server
[Stein]
Q & A