
Upload: gwendoline-johnson

Post on 17-Dec-2015


Page 1: FIREWALLS

The function of a strong position is to make the forces holding it practically unassailable.
—On War, Carl Von Clausewitz

On the day that you take up your command, block the frontier passes, destroy the official tallies, and stop the passage of all emissaries.
—The Art of War, Sun Tzu

Page 2: What is a Firewall?

A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets of digital information that attempt to pass through the perimeter of a network.

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

Page 3: Perimeter Defense

A firewall is said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

Page 4: What is a Firewall?

A firewall:

- is a choke point that keeps unauthorized users out of the protected network
- interconnects networks with differing trust
- imposes restrictions on network services: only authorized traffic is allowed
- audits and controls access, and can implement alarms for abnormal behavior
- is itself immune to penetration
- provides perimeter defence

Page 5: Firewall Limitations

A firewall:

- cannot protect from attacks that bypass it
- cannot protect against internal threats, e.g. a disgruntled employee
- cannot protect against the transfer of all virus-infected programs or files, because of the huge range of O/S and file types

Page 6: Types of Firewalls

- Packet Filters
- Application-Level Gateways
- Circuit-Level Gateways

Page 7: Firewalls – Packet Filters

Page 8: Firewalls – Packet Filters

A packet filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet.

The router is typically configured to filter packets going in both directions (from and to the internal network).

Page 9: Firewalls – Packet Filters

Filtering rules are based on information contained in a network packet:

- Source IP address: the IP address of the system that originated the IP packet (e.g., 192.168.1.1).
- Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2).
- Source and destination transport-level address: the transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET.

Page 10: Firewalls – Packet Filters: Default Policies

Packet filtering is typically set up as a list of rules based on matches to fields in the IP or TCP header. When there is no match to any rule, a default action is taken.

There are two possible default policies: discard or forward.

Page 11: Firewalls – Packet Filters: Default Policies

Default = discard: that which is not expressly permitted is prohibited.

This is very conservative. Initially, everything is blocked; services must be added on a case-by-case basis.

Default = forward: that which is not expressly prohibited is permitted.

This increases ease of use for end users but provides reduced security. The security administrator must, in essence, react to each new security threat as it becomes known.

Page 12: Firewalls – Packet Filters

Page 13: Attacks on Packet Filters

- IP address spoofing: a fake source address is used so the packet appears to come from a trusted system. Countermeasure: add filters on the router to block such packets.
- Source routing attacks: the attacker sets a route other than the default. Countermeasure: block source-routed packets.
- Tiny fragment attacks: the header information is split over several tiny packets. Countermeasure: either discard or reassemble before checking.

Page 14: Firewalls - Application Level Gateway (or Proxy)

Page 15: Firewalls - Application Level Gateway (or Proxy)

Acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as FTP, and the gateway asks the user for the name of a remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two points.

Page 16: Firewalls - Application Level Gateway (or Proxy)

- Tend to be more secure than packet filters.
- Need only scrutinize a few allowable applications.
- It is easy to log and audit all incoming traffic at the application level.

Page 17: Firewalls - Application Level Gateway (or Proxy)

Main Disadvantage: additional processing overhead on each connection.

Page 18: Firewalls - Circuit Level Gateway

Page 19: Firewalls - Circuit Level Gateway

- Relays two TCP connections (one between itself and a TCP user on an inner host, and one between itself and a TCP user on an outside host).
- Imposes security by limiting which such connections are allowed.
- Once a connection is created, usually relays traffic without examining its contents.
- Typically used when internal users are trusted, by allowing general outbound connections.
- SOCKS (a protocol) is commonly used for this.

Page 20: Bastion Host

- A highly secure host system that serves as a platform for an application-level or circuit-level gateway.
- The host hardware platform executes a secure version of its operating system, making it a trusted system.
- Only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication).

Page 21: Firewall Configurations

Page 22: Single-Homed Bastion: Advantages

Consists of two systems: a packet-filtering router and a bastion host. The router is configured so that:

- For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
- For traffic from the internal network, only IP packets from the bastion host are allowed out.

The bastion host performs authentication and proxy functions.
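The following is an added example, not part of the original slides: a small packet-filtering router in Python whose rule list is the single-homed bastion policy just described (Page 22), evaluated with the header fields from Page 9, the discard/forward default policies from Pages 10 and 11, and the three countermeasures from Page 13 applied before the rules. The addresses, the rule tuple layout, the field names of Packet and the sample packets are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for this example (assumptions, not from the slides).
INTERNAL = ip_network("192.168.1.0/24")   # the protected private network
BASTION = "192.168.1.2/32"                # the bastion host behind the router
MIN_TCP_HEADER = 20                       # bytes a first fragment must carry to expose the ports

@dataclass
class Packet:
    iface: str               # interface the packet arrived on: "ext" (Internet) or "int"
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str = "tcp"       # transport protocol, "tcp" or "udp"
    dport: int = 0           # destination port
    frag_offset: int = 0     # 0 = first (or only) fragment of the datagram
    payload_len: int = 1500  # transport bytes carried in this fragment
    source_routed: bool = False  # IP source-route option present

# Single-homed bastion router policy (Page 22), one rule per line:
# (arrival interface, source network, destination network, proto or None, port or None, action)
RULES = [
    ("ext", "0.0.0.0/0", BASTION, None, None, "forward"),  # Internet -> bastion host only
    ("int", BASTION, "0.0.0.0/0", None, None, "forward"),  # bastion host -> Internet only
]

def sanity_check(p):
    """Page 13 countermeasures, applied before the rule list. Returns a reason or None."""
    if p.iface == "ext" and ip_address(p.src) in INTERNAL:
        return "spoofed internal source address on external interface"
    if p.source_routed:
        return "source-routed packet"
    if p.frag_offset == 0 and p.payload_len < MIN_TCP_HEADER:
        return "tiny first fragment: transport header incomplete"
    if p.frag_offset > 0:
        # No transport header here, so ports cannot be checked; this filter takes
        # the slide's "discard" option rather than reassembling the datagram.
        return "non-first fragment discarded without reassembly"
    return None

def filter_packet(p, default="discard"):
    """Return (action, reason). `default` is the policy from Pages 10-11."""
    reason = sanity_check(p)
    if reason:
        return "discard", reason
    for iface, src_net, dst_net, proto, dport, action in RULES:
        if (p.iface == iface
                and ip_address(p.src) in ip_network(src_net)
                and ip_address(p.dst) in ip_network(dst_net)
                and (proto is None or p.proto == proto)
                and (dport is None or p.dport == dport)):
            return action, "rule match"
    return default, "default policy"
```

Running the same non-matching packet with default="forward" shows why Page 11 calls that policy less secure: traffic to hosts other than the bastion passes straight through the router.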

Page 23: Single-Homed Bastion

- Has greater security than simply a packet filtering router or an application level gateway alone.
- Implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy.
- An intruder must generally penetrate two separate systems before the security of the internal network is compromised.
- Affords flexibility in providing direct Internet access.
- If the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network.

Page 24: Firewall Configurations

Page 25: Firewall Configurations

Page 26: Screened Subnet Firewall

There are now three levels of defense to thwart intruders.

The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.

Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.