Computer Security CS 426 Lecture 24 Firewalls (Most Slides taken from Prof. Peng Ning’s Slides on Network Security at NCSU)
Page 1: 426_Fall06_lect24.ppt

Computer Security CS 426

Lecture 24

Firewalls (Most Slides taken from Prof. Peng Ning’s Slides on Network Security at NCSU)

Page 2: 426_Fall06_lect24.ppt

CS426 Fall 2006/Lecture 24 2

Outline

• What are firewalls?
• Types
  – Filtering
    • Packet filtering
    • Session filtering
  – Proxy
    • Circuit Level
    • Application Level

• Brief introduction to Personal Firewalls

Page 3: 426_Fall06_lect24.ppt


What is a firewall?

• Device that provides secure connectivity between networks (internal/external; varying levels of trust)

• Used to implement and enforce a security policy for communication between networks

[Figure: the firewall sits next to the router between the trusted networks (Intranet, trusted users) and the untrusted networks and servers (Internet, untrusted users); publicly accessible servers and networks are placed in a DMZ.]

Page 4: 426_Fall06_lect24.ppt


Firewalls

• From Webster’s Dictionary: a wall constructed to prevent the spread of fire

• Internet firewalls are more the moat around a castle than a building firewall

• Controlled access point

Page 5: 426_Fall06_lect24.ppt


Firewalls can:

• Restrict incoming and outgoing traffic by IP address, ports, or users

• Block invalid packets

Page 6: 426_Fall06_lect24.ppt


Convenient

• Give insight into the traffic mix via logging
• Network Address Translation
• Encryption

Page 7: 426_Fall06_lect24.ppt


Firewalls Cannot Protect…

• traffic that does not cross it
  – routing around the firewall
  – internal traffic

• when misconfigured

Page 8: 426_Fall06_lect24.ppt


[Figure: Internet, a DMZ net holding the web server pool, and the corporate network, with the firewall raising alerts on attack traffic.]

Security Requirement
• Control access to network information and resources (access control)
• Protect the network from attacks

Page 9: 426_Fall06_lect24.ppt


Filtering

• Filtering firewalls typically route packets
• Each packet is checked against the policy, then passed (or dropped)
• Whether traffic is inbound or outbound affects when (on which interface) the policy is checked
[Figure: client and server with the filtering firewall in the path between them.]

Page 10: 426_Fall06_lect24.ppt


Filtering

• Packet filtering
  – Access Control Lists
• Session filtering
  – Dynamic Packet Filtering
  – Stateful Inspection
  – Smart packet filtering
  – Context Based Access Control

Page 11: 426_Fall06_lect24.ppt


Packet Filtering

• Decisions made on a per-packet basis
• No state information saved

Page 12: 426_Fall06_lect24.ppt


More about networking: port numbering

• TCP connection
  – Server port uses a number less than 1024 (a "well-known" port)
  – Client port uses a number between 1024 and 65535 (an ephemeral port chosen by the client's operating system; TCP ports are 16 bits wide)
• Permanent assignment
  – Ports < 1024 are assigned permanently
    • 20, 21 for FTP; 23 for Telnet
    • 25 for SMTP; 80 for HTTP
• Variable use
  – Ports > 1024 must be available for the client to make a connection
  – Limitation for stateless packet filtering
    • If the client picks port 2048, the firewall must allow incoming traffic to port 2048, and it cannot tell a reply to that client from an unsolicited packet sent to the same port

Page 13: 426_Fall06_lect24.ppt


Typical Configuration

• Ports > 1024 left open
• If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work.
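To make the limitation concrete, here is an added example (not from the lecture slides) of a stateless packet filter in Python: an ordered ACL is evaluated per packet, the first matching rule wins, and nothing is remembered between packets. The inside network 10.0.0.0/24, the rule set and the packets are constructed for the demonstration. It shows why "ports > 1024 left open" is the typical configuration and what it costs: the server's reply to a client on port 2048 and an unsolicited SYN to port 2048 from an outsider who simply sets his own source port to 80 look identical to the filter.

```python
"""Stateless packet filter: each packet is judged on its own against an
ordered ACL, first match wins, nothing is remembered between packets.
Added example; network, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False    # TCP SYN flag: set on a connection request
    ack: bool = False    # TCP ACK flag: set on every segment after the first SYN

@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    direction: str                           # "in" (from the Internet) or "out" (to the Internet)
    src: Optional[str] = None                # CIDR; None matches any address
    dst: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None  # inclusive port range; None matches any port
    dport: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport and not self.sport[0] <= pkt.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        return True

INSIDE = "10.0.0.0/24"   # constructed internal network

# The "typical configuration" of the slides: let inside clients reach a few
# well-known server ports, and let traffic from well-known ports back in to
# any port > 1023, because the filter cannot know which high port a client chose.
ACL = [
    Rule("allow", "out", src=INSIDE, dport=(80, 80)),                        # HTTP
    Rule("allow", "out", src=INSIDE, dport=(25, 25)),                        # SMTP
    Rule("allow", "in",  dst=INSIDE, sport=(1, 1023), dport=(1024, 65535)),  # "replies"
    Rule("deny",  "in"),
    Rule("deny",  "out"),
]

def decide(acl, pkt: Packet, direction: str) -> str:
    """First matching rule wins; default deny if nothing matches."""
    for rule in acl:
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"

def demo() -> Dict[str, str]:
    # 1. Client 10.0.0.5 picks ephemeral port 2048 and connects to a web server.
    client_syn = Packet("10.0.0.5", "198.51.100.10", 2048, 80, syn=True)
    # 2. The server's SYN/ACK comes back to port 2048 and must be let in.
    server_reply = Packet("198.51.100.10", "10.0.0.5", 80, 2048, syn=True, ack=True)
    # 3. An outsider sends a brand-new SYN to port 2048 but chooses source port 80:
    #    without state the filter cannot tell it from a reply, so it is let in too.
    unsolicited = Packet("203.0.113.7", "10.0.0.5", 80, 2048, syn=True)
    # 4. A SYN to an inside SSH server is stopped by the port range in rule 3.
    ssh_probe = Packet("203.0.113.7", "10.0.0.5", 40000, 22, syn=True)
    return {
        "client_syn": decide(ACL, client_syn, "out"),
        "server_reply": decide(ACL, server_reply, "in"),
        "unsolicited_high_port": decide(ACL, unsolicited, "in"),
        "ssh_probe": decide(ACL, ssh_probe, "in"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

A common stateless mitigation is to additionally require the ACK bit on inbound packets to high ports, so a bare SYN like packet 3 is refused; that still admits any inbound packet that has ACK set, which is exactly what ACK scans rely on, and it is the gap that session filtering (next slides) closes.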

Page 14: 426_Fall06_lect24.ppt


[Figure: packet filter in a router. The two end systems have full OSI stacks (applications, presentations, sessions, transport, network, data link, physical); the packet filter between them implements only the network, data link and physical layers, so it decides on network- and transport-layer header fields alone.]

Page 15: 426_Fall06_lect24.ppt


Session Filtering

• Packet decision made in the context of a connection

• If packet is a new connection, check against security policy

• If packet is part of an existing connection, match it up in the state table & update table

Page 16: 426_Fall06_lect24.ppt


Typical Configuration

• All denied unless specifically allowed
• Dynamic protocols (FTP, H.323, RealAudio, etc.) allowed only if the firewall supports them

Page 17: 426_Fall06_lect24.ppt


[Figure: session filtering. The firewall sits between the two end-system OSI stacks and inspects packets up to the application layer, keeping dynamic state tables.]

Session Filtering
• Screens ALL attempts, protects all applications
• Extracts & maintains ‘state’ information
• Makes an intelligent security / traffic decision

Page 18: 426_Fall06_lect24.ppt

FTP (active mode), as seen by a firewall

Client ports: 5150 (command channel), 5151 (data channel). Server ports: 21 (command), 20 (data).

1. Client opens the command channel from its port 5150 to server port 21 and tells the server its second port number: “PORT 5151”
2. Server acknowledges: “OK”
3. Server opens the data channel from its port 20 to the client’s second port, 5151
4. Client acknowledges (TCP ACK) and data flows on the data channel
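The following added example (not part of the slides) implements in Python both the session filter described on the previous slides and the FTP handling this slide motivates: a state table keyed on the connection 4-tuple, new connections checked against policy, packets of existing connections matched and updated, and an FTP helper that reads the PORT command on the command channel and pre-authorises the server's data connection from port 20. The network 10.0.0.0/24, the policy and all packets are constructed; the helper's rule that the PORT address must equal the client's own address is a design choice of this example, not something the slides state.

```python
"""Session (stateful) filter with a connection table and an FTP PORT helper.
Added example; the network, policy and packets are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

Conn = Tuple[str, int, str, int]   # (initiator ip, initiator port, responder ip, responder port)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n", re.I)

class SessionFilter:
    def __init__(self, inside_prefix: str, allowed_out_ports):
        self.inside = inside_prefix              # e.g. "10.0.0."
        self.allowed = set(allowed_out_ports)    # server ports inside hosts may connect to
        self.table: Dict[Conn, str] = {}         # live connections -> state
        self.pinholes: Set[Conn] = set()         # one-shot expectations opened by the FTP helper

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside)

    def _policy_allows_new(self, pkt: Packet) -> bool:
        # Policy for *new* connections: inside -> outside only, allowed ports only.
        return self._inside(pkt.src) and not self._inside(pkt.dst) and pkt.dport in self.allowed

    def process(self, pkt: Packet) -> str:
        fwd: Conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Conn = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:                    # from the initiator of a known connection
            return self._update(fwd, pkt, from_initiator=True)
        if rev in self.table:                    # from the responder of a known connection
            return self._update(rev, pkt, from_initiator=False)
        if not pkt.syn or pkt.ack:               # unknown and not a bare SYN: nothing to attach to
            return "deny"
        if fwd in self.pinholes:                 # data channel the FTP helper told us to expect
            self.pinholes.discard(fwd)
            self.table[fwd] = "SYN_SENT"
            return "allow"
        if self._policy_allows_new(pkt):
            self.table[fwd] = "SYN_SENT"
            return "allow"
        return "deny"

    def _update(self, key: Conn, pkt: Packet, from_initiator: bool) -> str:
        if self.table[key] == "SYN_SENT" and not from_initiator and pkt.syn and pkt.ack:
            self.table[key] = "ESTABLISHED"      # responder completed the handshake
        if key[3] == 21 and from_initiator:      # FTP command channel: watch for PORT
            self._ftp_helper(key, pkt)
        return "allow"

    def _ftp_helper(self, key: Conn, pkt: Packet) -> None:
        m = PORT_RE.match(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        client_ip, server_ip = key[0], key[2]
        # Design choice of this example: only pre-authorise a data channel back to the
        # host that sent PORT; honouring another address would make the helper a bounce.
        if addr != client_ip or port < 1024:
            return
        self.pinholes.add((server_ip, 20, client_ip, port))

def demo() -> Dict[str, str]:
    fw = SessionFilter("10.0.0.", allowed_out_ports={21, 80})
    r = {}
    # SYN from outside disguised as a web reply (source port 80): no state, no policy match
    r["unsolicited"] = fw.process(Packet("203.0.113.7", "10.0.0.5", 80, 2048, syn=True))
    # Normal web connection: the outbound SYN creates state, the SYN/ACK matches it
    r["web_syn"] = fw.process(Packet("10.0.0.5", "198.51.100.10", 2048, 80, syn=True))
    r["web_synack"] = fw.process(Packet("198.51.100.10", "10.0.0.5", 80, 2048, syn=True, ack=True))
    # The disguised SYN again: still denied, the table records whom we actually talked to
    r["unsolicited_again"] = fw.process(Packet("203.0.113.7", "10.0.0.5", 80, 2048, syn=True))
    # Active FTP as on the slide: command channel 5150 -> 21, then "PORT ...,20,31" (20*256+31 = 5151)
    r["ftp_syn"] = fw.process(Packet("10.0.0.5", "198.51.100.20", 5150, 21, syn=True))
    r["ftp_synack"] = fw.process(Packet("198.51.100.20", "10.0.0.5", 21, 5150, syn=True, ack=True))
    r["ftp_port"] = fw.process(Packet("10.0.0.5", "198.51.100.20", 5150, 21, ack=True, payload=b"PORT 10,0,0,5,20,31\r\n"))
    # Server opens the data channel from port 20 to the announced port 5151
    r["data_syn"] = fw.process(Packet("198.51.100.20", "10.0.0.5", 20, 5151, syn=True))
    # Another host trying the same port: the pinhole was for one server and is used up
    r["data_spoof"] = fw.process(Packet("203.0.113.7", "10.0.0.5", 20, 5151, syn=True))
    # PORT naming a third host: the helper opens nothing, so the server's SYN to it is denied
    r["bounce_port"] = fw.process(Packet("10.0.0.5", "198.51.100.20", 5150, 21, ack=True, payload=b"PORT 10,0,0,9,20,32\r\n"))
    r["bounce_data"] = fw.process(Packet("198.51.100.20", "10.0.0.9", 20, 5152, syn=True))
    return r
```

The pinhole is single-use and bound to the server address seen on the command channel. A production helper also has to time entries out, handle the passive-mode direction (PASV and its 227 reply), and reassemble the command stream across segment boundaries, which is why protocol support in a session filter is a per-protocol effort rather than a generic feature.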

Page 19: 426_Fall06_lect24.ppt


Proxy Firewalls

• Relay for connections
• Client <-> Proxy <-> Server: the client connects to the proxy, and the proxy opens a separate connection to the server
• Two flavors
  – Application level
  – Circuit level (not application specific)

Page 20: 426_Fall06_lect24.ppt


Application Gateways

• Understands specific applications
  – Limited proxies available
  – Proxy ‘impersonates’ both sides of the connection
• Resource intensive
  – one process per connection
• HTTP proxies may cache web pages

Page 21: 426_Fall06_lect24.ppt


Application Gateways

• More appropriate to TCP
• ICMP is difficult to proxy
• Block all unless specifically allowed
• Must write a new proxy application to support each new protocol
  – Not trivial!

Page 22: 426_Fall06_lect24.ppt


Application Gateways

• Clients configured for proxy communication
• Transparent proxies
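As an added example (not from the slides), here is the core of an HTTP application gateway in Python: it parses the client's bytes strictly as an HTTP/1.x request, applies policy on method, destination host and body framing, and then composes its own request to the server, dropping proxy-specific headers and adding a Via header. The allowed host list and the sample requests are constructed; the parser deliberately handles only the basic request form (no chunked encoding, no pipelining), which is already enough to show why a proxy has to understand the application protocol.

```python
"""Application-level gateway for HTTP: terminate the client connection, parse
the request, decide on what was understood, then build a fresh request.
Added example; policy lists and sample requests are constructed."""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "mirror.example.net"}          # constructed policy
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "connection", "keep-alive"}

def parse_request(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    """Strict HTTP/1.x request parser; raises ValueError on anything else."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("ascii").split("\r\n")   # non-ASCII raises UnicodeDecodeError, a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError(f"bad request line {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"bad header {line!r}")
        headers.append((name.lower(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body

def gateway(raw: bytes) -> Tuple[str, bytes]:
    """Return ("deny", reason) or ("allow", the request the proxy will send on)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "deny", f"not HTTP: {exc}".encode()
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed".encode()
    hdr = dict(headers)
    if "://" in target:                          # proxy-style absolute URI
        u = urlsplit(target)
        if u.scheme != "http" or not u.hostname:
            return "deny", b"only plain http URLs are proxied"
        host, path = u.hostname, (u.path or "/") + (f"?{u.query}" if u.query else "")
    else:                                        # origin-form: host comes from the Host header
        host, path = hdr.get("host"), target
    if host not in ALLOWED_HOSTS:
        return "deny", f"host {host!r} not allowed".encode()
    if not path.startswith("/"):
        return "deny", b"bad path"
    try:
        declared = int(hdr.get("content-length", "0"))
    except ValueError:
        return "deny", b"bad Content-Length"
    if declared != len(body):                    # proxy validates framing before relaying
        return "deny", b"body length does not match Content-Length"
    # The server sees a request written by the proxy, not the client's bytes.
    out = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    out += [f"{n}: {v}" for n, v in headers if n not in HOP_BY_HOP and n != "host"]
    out += ["Via: 1.1 appgw", "Connection: close"]
    return "allow", ("\r\n".join(out) + "\r\n\r\n").encode() + body

def demo() -> Dict[str, Tuple[str, bytes]]:
    return {
        "browser_get": gateway(b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
                               b"Host: www.example.com\r\nProxy-Connection: keep-alive\r\n"
                               b"User-Agent: demo\r\n\r\n"),
        "intranet_host": gateway(b"GET /secret HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"),
        "connect_tunnel": gateway(b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n"),
        "tls_on_port_80": gateway(b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
        "short_post": gateway(b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                              b"Content-Length: 20\r\n\r\nuser=a"),
    }
```

Because the proxy never forwards the client's bytes verbatim, malformed or non-HTTP traffic (the TLS record bytes above) is refused at the gateway instead of reaching the server; the price, as the slides say, is a parser per protocol and a process or task per connection.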

Page 23: 426_Fall06_lect24.ppt


[Figure: application layer gateway / proxy. The gateway has a full OSI stack of its own and runs a separate proxy per protocol (Telnet, HTTP, FTP) between the client's stack and the server's stack.]

Page 24: 426_Fall06_lect24.ppt


Personal Firewalls

• Running on one PC, controlling that PC's network access
  – Windows Firewall, iptables (Linux), ZoneAlarm, etc.

• Typically determines network access based on application programs

• Typically block most incoming traffic, harder to define policies for outgoing traffic

• Can be bypassed/disabled if host is compromised

Page 25: 426_Fall06_lect24.ppt

Coming Attractions …

• November 21: Web Browser Security