Internet Firewalls: What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw
R355
Jan 16, 2016
Outline
• Firewall Design Principles
• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations
Firewalls
• Protecting a local network from security threats while affording access to the Internet
Firewall Design Principles
• The firewall is inserted between the private network and the Internet
• Aims:
  – Establish a controlled link
  – Protect the local network from Internet-based attacks
  – Provide a single choke point
Firewall Characteristics
• Design goals for a firewall:
  – All traffic (in or out) must pass through the firewall
  – Only authorized traffic will be allowed to pass
  – The firewall itself is immune to penetration
Firewall Characteristics
• Four general techniques:
  – Service control
    • The type of Internet services that can be accessed
  – Direction control
    • Inbound or outbound
  – User control
    • Which user is attempting to access the service
  – Behavior control
    • e.g., filter email to eliminate spam
Components of Firewalls
• Three common components of firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
  – (Bastion host)
Components of Firewalls (I)
• Packet-filtering Router
Packet-filtering Router
• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)
TCP/IP header
Packet-filtering Router
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of authentication
Packet-filtering Router
• Open-source under UNIX:
  – IP firewall
  – IPFilter
  – ipchains
Components of Firewalls (II)
• Application-level Gateway
Application-level Gateway
• Application-level Gateway
  – Also called proxy server
  – Acts as a relay of application-level traffic
Application-level Gateway
• Advantages:
  – Higher security than packet filters
  – Only need to check a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)
Application-level Gateway
• Open-source under UNIX:
  – squid (WWW)
  – delegate (general purpose)
  – osrtspproxy (RTSP)
  – smtpproxy (SMTP)
  – …
Components of Firewalls (III)
• Circuit-level Gateway
Circuit-level Gateway
• Similar to Application-level Gateway
• However:
  – It typically relays TCP segments from one connection to the other without examining the contents
  – Determines only which connections will be allowed
  – Typical usage is a situation in which the system administrator trusts the internal users
In other words
• Korean customs analogy:
  – Circuit-level gateway only checks your nationality
  – Application-level gateway checks your baggage content in addition to your nationality
Components of Firewalls
• Open-source under UNIX:
  – SOCKS
  – dante
Components of Firewalls (II) ∪ (III)
• Bastion Host
  – Serves as:
    • application-level gateway
    • circuit-level gateway
    • both
Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations:
Configurations (I)
• Screened host firewall system (single-homed bastion host)
Configurations (I)
• Consists of two systems:
  – A packet-filtering router & a bastion host
• Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
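As an added example (not code from the slides), here is a minimal packet-filtering router of the kind described under Packet-filtering Router above: an ordered rule list matched against IP/TCP header fields with a default policy, loaded with the screened-host rule set of configuration (I), where only packets from and to the bastion host may cross the router. The addresses, ports and rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (constructed, not a real parser)."""
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str             # "forward" or "discard"
    direction: str = "any"
    src: str = "0.0.0.0/0"  # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; a packet no rule matches gets the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Screened-host configuration (I): constructed addresses on a hypothetical network.
PRIVATE = "10.0.0.0/8"      # the protected internal network
BASTION = "10.0.0.2/32"     # the single-homed bastion host
SCREENED_HOST_RULES = [
    # Inbound: the Internet may reach only the bastion host, and only on proxied services
    Rule("forward", "in", dst=BASTION, proto="tcp", dport=25),   # SMTP relay
    Rule("forward", "in", dst=BASTION, proto="tcp", dport=80),   # public Web service
    # Outbound: only the bastion host (the proxy) may talk to the Internet
    Rule("forward", "out", src=BASTION),
    # Anything addressed directly to an internal host, or leaving one directly, is dropped
    Rule("discard", "in", dst=PRIVATE),
    Rule("discard", "out", src=PRIVATE),
]
```

Because the default policy is "discard", an Internet packet for any host other than the bastion, or an internal host trying to reach the Internet without going through the bastion, is dropped even if no explicit rule names it.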
More secure
• More secure than each single component because it:
  – offers both packet-level and application-level filtering
Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g., a Web server)
Configurations (II)
• Screened host firewall system (dual-homed bastion host)
Configurations (II)
• Consists of two systems, just as configuration (I) does
• However, the bastion host separates the network into two subnets
Even more secure
• An intruder must generally penetrate two separate systems
Configurations (III)
• Screened-subnet firewall system
Configurations (III)
• Three-level defense:
  – Most secure
  – Two packet-filtering routers are used
  – Creates an isolated sub-network
• Private network is invisible to the Internet
• Computers inside the private network cannot construct direct routes to the Internet
Demo

Conclusion
Capabilities of a firewall
• Defines a single choke point at which security features are applied
  – Security management is simplified
• Provides a location for monitoring, audits and alarms
• A convenient platform for several non-security-related Internet functions
  – e.g., NAT, network management
• Can serve as the platform for IPSec
  – Implement VPN with tunnel mode capability
What firewalls cannot protect against
• Attacks that bypass the firewall
  – e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
  – e.g., a disgruntled employee or an employee who cooperates with external attackers
• The transfer of virus-infected programs or files
Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997