Вы находитесь на странице: 1из 36

Internet Firewalls

What it is all about

Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw R355

Firewall Design Principles Firewall Characteristics Components of Firewalls Firewall Configurations

Protecting a local network from security threats while affording access to the Internet

Firewall Design Principles

The firewall is inserted between the private network and the Internet Aims:
Establish a controlled link Protect the local network from Internet-based attacks Provide a single choke point

Firewall Characteristics
Design goals for a firewall
All traffic (in or out) must pass through the firewall Only authorized traffic will be allowed to pass The firewall itself is immune to penetration

Firewall Characteristics
Four general techniques:
Service control Direction control User control
The type of Internet services that can be accessed Inbound or outbound Which user is attempting to access the service

Behavior control

e.g., Filter email to eliminate spam

Components of Firewalls
Three common components of Firewalls:
Packet-filtering routers Application-level gateways Circuit-level gateways (Bastion host)

Components of Firewalls (I)

Packet-filtering Router

Packet-filtering Router
Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet Filter packets going in both directions The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header Two default policies (discard or forward)

TCP/IP header


Packet-filtering Router
Simplicity Transparency to users High speed Difficulty of setting up packet filter rules Lack of Authentication


Packet-filtering Router
Open-source under UNIX:
IP firewall IPFilter IPchain


Components of Firewalls (II)

Application-level Gateway


Application-level Gateway
Application-level Gateway
Also called proxy server Acts as a relay of application-level traffic


Application-level Gateway
Higher security than packet filters Only need to check a few allowable applications Easy to log and audit all incoming traffic

Additional processing overhead on each connection (gateway as splice point)

Application-level Gateway
Open-source under UNIX:
squid (WWW), delegate (general purpose), osrtspproxy (RTSP), smtpproxy (SMTP),


Components of Firewalls (III)

Circuit-level Gateway


Circuit-level Gateway
Similar to Application-level Gateway However
it typically relays TCP segments from one connection to the other without examining the contents Determines only which connections will be allowed Typical usage is a situation in which the system administrator trusts the internal 18 users

In other words
Korean custom
Circuit-level gateway only checks your nationality Application-level gateway checks your baggage content in addition to your nationality


Components of Firewalls
Open-source under UNIX
SOCKS dante


Components of Firewalls (II) U (III)

Bastion Host
serves as
application-level gateway circuit-level gateway both


Firewall Configurations
In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible Three common configurations


Configurations (I)
Screened host firewall system (single-homed bastion host)


Configurations (I)
Consists of two systems:
A packet-filtering router & a bastion host

Only packets from and to the bastion host are allowed to pass through the router The bastion host performs authentication and proxy functions

More secure
More secure than each single component because :
offers both packet-level and application-level filtering


Firewall Configurations
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)


Configurations (II)
Screened host firewall system (dualhomed bastion host)


Configurations (II)
Consists of two systems just as config (I) does. However, the bastion host separates the network into two subnets.


Even more secure

An intruder must generally penetrate two separate systems


Configurations (III)
Screened-subnet firewall system


Configurations (III)
Three-level defense
Most secure Two packet-filtering routers are used Creates an isolated sub-network

Private network is invisible to the Internet Computers inside the private network cannot construct direct routes to the Internet




Capabilities of firewall
Defines a single choke point at which security features are applied Provides a location for monitoring, audits and alarms A convenient platform for several nonsecurity-related Internet functions Can serve as the platform for IPSec
e.g., NAT, network management Implement VPN with tunnel mode capability

Security management is simplified

What firewalls cannot protect against

Attacks that bypass the firewall
e.g., dial-in or dial-out capabilities that internal systems provide

Internal threats
e.g., disgruntled employee or employee who cooperates with external attackers

The transfer of virus-infected programs or files


Recommended Reading
Chapman, D., and Zwicky, E. Building Internet Firewalls. OReilly, 1995 Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000 Gasser, M. Building a Secure Computer System. Reinhold, 1988 Pfleeger, C. Security in Computing. Prentice Hall, 1997