5/4/01 EMTM 553 1
EMTM 553: E-commerce Systems
Lecture 7b: Firewalls
Insup Lee
Department of Computer and Information Science
University of Pennsylvania
lee@cis.upenn.edu
www.cis.upenn.edu/~lee
What is a firewall?
• Two goals:
– To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
– To erect a barrier between an untrusted piece of software (your organization’s public Web server) and the sensitive information that resides on your private network.
• Basic idea:
– Impose a specifically configured gateway machine between the outside world and the site’s inner network.
– All traffic must first go to the gateway, where software decides whether to allow or reject it.
What is a firewall
• A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private network.
• The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system
Firewalls DON’T
• Protect against attacks that bypass the firewall
– Dial-out from an internal host to an ISP
• Protect against internal threats
– Disgruntled employee
– Insider cooperates with an external attacker
• Protect against the transfer of virus-infected programs or files (a packet filter never looks at file contents)
Types of Firewalls
• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls
Packet Filtering Routers
• Forward or discard each IP packet according to a set of rules
• Filtering rules are based on fields in the IP and transport headers
What information is used for filtering decision?
• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type (IP header)
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit (TCP header): clear on the SYN that opens a connection and set on every later segment, so a filter can accept replies to connections opened from inside while rejecting connection attempts arriving from outside
Packet Filtering Routers: pros and cons
• Advantages:
– Simple
– Low cost
– Transparent to users
• Disadvantages:
– Hard to configure filtering rules
– Hard to test filtering rules
– Don’t hide network topology (due to transparency)
– May not be able to provide enough control over traffic
– Throughput of a router decreases as the number of filters increases
Application Level Gateways (Proxy Server)
• Advantages:
– Complete control over each service (FTP/HTTP…)
– Complete control over which services are permitted
– Strong user authentication (smart cards etc.)
– Easy to log and audit at the application level
– Filtering rules are easy to configure and test
• Disadvantages:
– A separate proxy must be installed for each application-level service
– Not transparent to users
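The per-service control and application-level audit trail claimed above, as an added example that is not part of the lecture: a toy policy check for an HTTP proxy, written in Python. Because the proxy parses the request it can decide on method, URL scheme and host name and can log who asked for what, which a packet filter cannot. The request lines, the user name, the blocked host name and the allowed-method set are constructed for illustration and do not describe any particular product.

```python
"""Toy policy check for an application-level (HTTP) proxy.

Added example, not from the lecture.  The request lines, the user name and
the host names below are constructed; the policy (allowed methods and
schemes, CONNECT only to port 443, a blocked-host list) is an assumed
policy, not a description of any particular product.
"""
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST", "CONNECT"}
ALLOWED_SCHEMES = {"http", "https"}            # no ftp:// through this proxy
BLOCKED_HOSTS = {"intranet.example.internal"}  # assumed internal name, must not be reached via the proxy


def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y'; raise on anything else."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def _result(allow: bool, reason: str, user: str, method: str, target: str) -> dict:
    """Build the decision plus the application-level audit record the slide mentions."""
    verdict = "ALLOW" if allow else "DENY"
    return {"allow": allow, "reason": reason,
            "log": f"{verdict} user={user} method={method} target={target} reason={reason}"}


def proxy_decision(request: str, user: str) -> dict:
    """Return {'allow': bool, 'reason': str, 'log': str} for one client request."""
    try:
        method, target, _version = parse_request_line(request.splitlines()[0])
    except (ValueError, IndexError) as exc:
        return _result(False, str(exc) or "empty request", user, "-", "-")
    if method not in ALLOWED_METHODS:
        return _result(False, "method not permitted", user, method, target)
    if method == "CONNECT":
        # CONNECT opens an opaque tunnel; allow it only to the TLS port so the
        # proxy cannot be turned into a generic relay to arbitrary services.
        host, _, port = target.rpartition(":")
        if not host or port != "443":
            return _result(False, "CONNECT only permitted to port 443", user, method, target)
    else:
        # A request sent to a proxy carries an absolute URI ("GET http://host/path");
        # a bare path means the client is not using us as a proxy at all.
        url = urlsplit(target)
        if url.scheme not in ALLOWED_SCHEMES or not url.hostname:
            return _result(False, "scheme not permitted or not an absolute URI", user, method, target)
        host = url.hostname
    if host in BLOCKED_HOSTS:
        return _result(False, "host blocked by policy", user, method, target)
    return _result(True, "ok", user, method, target)


# Constructed sample requests, as a browser configured to use the proxy would send them.
SAMPLES = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT mail.example.com:25 HTTP/1.1",
    "GET /index.html HTTP/1.0",
    "GET ftp://files.example.com/pub/x HTTP/1.0",
    "GET http://intranet.example.internal/ HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(proxy_decision(req, user="alice")["log"])
```

Every decision is made on protocol-level fields (method, scheme, host) and produces a log line naming the user, which is exactly what a packet filter working on addresses and ports cannot offer; the price is that a separate such program is needed for each protocol, as the disadvantages above say.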
Circuit Level Gateways (2)
• Often used for outgoing connections where the system administrator trusts the internal users
• The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections
Hybrid Firewalls
• In practice, many of today's commercial firewalls use a combination of these techniques.
• Examples:
– A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
– Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.
Firewall Configurations
• Bastion host
– A system identified by the firewall administrator as a critical strong point in the network’s security
– Typically serves as a platform for an application-level or circuit-level gateway
– Extra-secure O/S, tougher to break into
• Dual-homed gateway
– Two network interface cards: one to the outer network and the other to the inner
– A proxy selectively forwards packets
• Screened host firewall system
– Uses a network router to forward all traffic from the outer and inner networks to the gateway machine
• Screened-subnet firewall system
Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling
Commercial Firewall Systems
[Chart: market share of commercial firewall vendors, 0% to 45%: Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Check Point Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)
Firewall’s security policy
• Embodied in the filters that allow or deny passage to network traffic
• Filters are implemented as proxy programs.
– Application-level proxies
o One for each particular communication protocol
o E.g., HTTP, FTP, SMTP
o Can also filter based on IP addresses
– Circuit-level proxies
o Lower-level, general-purpose programs that treat packets as black boxes to be forwarded or not
o Only look at header information
o Advantages: speed and generality
o One proxy can handle many protocols
Configure a Firewall (1)
• Outgoing Web Access
– Outgoing connections through a packet-filter firewall
– Outgoing connections through an application-level proxy
– Outgoing connections through a circuit proxy
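The first of these options, outgoing Web access through a packet filter, as an added example that is not part of the lecture and serves both the "What information is used for filtering decision?" slide and this one: a toy packet-filtering router in Python that decides on exactly the header fields listed there (source and destination IP, protocol, source and destination port, TCP ACK bit), with a three-rule policy that lets inside hosts reach port 80 and lets port-80 traffic back in only when the ACK bit is set. The internal network 10.1.0.0/16, the hosts 203.0.113.10 and 198.51.100.7, and the sample packets are constructed for illustration.

```python
"""Toy packet-filtering router, deciding on the header fields the lecture lists
(source/destination IP, protocol, source/destination port, TCP ACK bit).

Added example, not from the lecture or any product.  The internal network
10.1.0.0/16, the hosts 203.0.113.10 and 198.51.100.7, and the sample packets
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"
INTERNAL = "10.1.0.0/16"   # assumed internal (inner) network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False           # TCP ACK flag; clear on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    src: str = ANY                               # CIDR matched against the IP source
    dst: str = ANY                               # CIDR matched against the IP destination
    proto: Optional[str] = None                  # None = any protocol
    sport: Optional[Tuple[int, int]] = None      # inclusive port range, None = any
    dport: Optional[Tuple[int, int]] = None
    ack: Optional[bool] = None                   # None = do not look at the ACK bit

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        for want, have in ((self.sport, p.sport), (self.dport, p.dport)):
            if want is not None and (have is None or not want[0] <= have <= want[1]):
                return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


def decide(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First matching rule wins; returns (action, index). Index -1 = implicit default deny."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", -1


# Outgoing Web access through a packet filter: inside hosts may open connections to
# port 80 anywhere; port-80 traffic may come back in only with the ACK bit set, i.e.
# only as part of a connection an inside host opened.
OUTGOING_WEB: List[Rule] = [
    Rule("allow", src=INTERNAL, proto="tcp", dport=(80, 80)),            # 0: inside -> web
    Rule("allow", dst=INTERNAL, proto="tcp", sport=(80, 80), ack=True),  # 1: web replies only
    Rule("deny"),                                                        # 2: everything else
]

# Constructed sample traffic.
SAMPLES: Dict[str, Packet] = {
    "outgoing SYN to web server":       Packet("10.1.2.3", "203.0.113.10", "tcp", 40000, 80, ack=False),
    "web server reply":                 Packet("203.0.113.10", "10.1.2.3", "tcp", 80, 40000, ack=True),
    "inbound SYN from port 80 to sshd": Packet("198.51.100.7", "10.1.2.3", "tcp", 80, 22, ack=False),
    "inbound ACK scan from port 80":    Packet("198.51.100.7", "10.1.2.3", "tcp", 80, 22, ack=True),
    "inbound UDP from port 80":         Packet("198.51.100.7", "10.1.2.3", "udp", 80, 53),
}


def evaluate(policy: List[Rule] = OUTGOING_WEB,
             samples: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[str, int]]:
    """Run every sample through the policy; a table like this is how filtering rules get tested."""
    return {name: decide(policy, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, idx) in evaluate().items():
        print(f"{action:5s} (rule {idx:2d})  {name}")
```

Two of the samples show what the ACK bit buys and what it does not. An outsider who sets source port 80 on a SYN aimed at an internal sshd is dropped by rule 2 because the ACK bit is clear, which is the whole point of checking it. But an outsider who sends the same packet with ACK set is accepted by rule 1, because a stateless filter cannot tell a genuine reply from a forged segment that merely has the flag set; this is the "ACK scan" reconnaissance technique, and it is why later firewalls track connection state (nftables `ct state established`, for example) instead of trusting the flag. The table of sample packets also answers the "hard to test filtering rules" complaint from the pros-and-cons slide: keep such a table next to the rule set and re-run it after every change.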
Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]
Configure a Firewall (2)
• Incoming Web Access
– The “Judas” server
– The “Sacrificial Lamb”
– The “Private Affair” server
– The doubly fortified server
Internal Firewall
An Internal Firewall protects the Web server from insider threats.
[Stein]
Poking holes in the firewall
• If you need to support a public Web server but have nowhere to put it other than inside the firewall, you must poke holes in the firewall to let inbound traffic reach it.
• Problem: if the server is compromised, the attacker is already inside the perimeter and the whole internal network is exposed.
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]