
Internet Firewalls

What it is all about


Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw R355

Outline
Firewall Design Principles
Firewall Characteristics
Components of Firewalls
Firewall Configurations

Firewalls
Protecting a local network from security threats while affording access to the Internet

Firewall Design Principles

The firewall is inserted between the private network and the Internet.
Aims:
Establish a controlled link
Protect the local network from Internet-based attacks
Provide a single choke point

Firewall Characteristics
Design goals for a firewall:
All traffic (in or out) must pass through the firewall
Only authorized traffic will be allowed to pass
The firewall itself is immune to penetration

Firewall Characteristics
Four general techniques:
Service control: the type of Internet services that can be accessed
Direction control: inbound or outbound
User control: which user is attempting to access the service
Behavior control: e.g., filter email to eliminate spam

Components of Firewalls
Three common components of firewalls:
Packet-filtering routers
Application-level gateways
Circuit-level gateways
(Bastion host)

Components of Firewalls (I)

Packet-filtering Router

Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet
Filters packets going in both directions
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
Two default policies (discard or forward)

TCP/IP header

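An added example (not part of the slides) of the rule list the packet-filtering slide describes: a stateless filter that matches IP/TCP header fields in order, lets the first matching rule decide, and falls back to a discard default. The private network 192.0.2.0/24, the mail host 192.0.2.25 and the rules themselves are constructed assumptions.

```python
# Added example: a stateless packet filter of the kind the slides describe.
# Rules are matched against header fields in order; the first match decides;
# a packet that matches no rule falls to the default policy (discard here).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag: set on every segment except the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                 # "forward" or "discard"
    direction: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


# Constructed policy for an assumed private network 192.0.2.0/24.
RULES = [
    Rule("forward", "out", src="192.0.2.0/24", proto="tcp"),            # inside hosts may open TCP connections
    Rule("forward", "in", dst="192.0.2.0/24", proto="tcp", ack=True),   # replies to those connections
    Rule("forward", "in", dst="192.0.2.25/32", proto="tcp", dport=25),  # new inbound TCP only to the mail host
]
DEFAULT_POLICY = "discard"


def filter_packet(p: Packet, rules=RULES, default=DEFAULT_POLICY) -> str:
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default
```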

Packet-filtering Router
Advantages:
Simplicity
Transparency to users
High speed

Disadvantages:
Difficulty of setting up packet filter rules
Lack of authentication
Packet-filtering Router
Open-source under UNIX:
IP firewall
IPFilter
ipchains

Components of Firewalls (II)

Application-level Gateway

Application-level Gateway
Also called a proxy server
Acts as a relay of application-level traffic

Application-level Gateway
Advantages:
Higher security than packet filters
Only need to check a few allowable applications
Easy to log and audit all incoming traffic

Disadvantages:
Additional processing overhead on each connection (the gateway is a splice point)

Application-level Gateway
Open-source under UNIX:
squid (WWW), delegate (general purpose), osrtspproxy (RTSP), smtpproxy (SMTP)

Components of Firewalls (III)

Circuit-level Gateway

Circuit-level Gateway
Similar to an application-level gateway. However:
It typically relays TCP segments from one connection to the other without examining the contents
Determines only which connections will be allowed
Typical usage is a situation in which the system administrator trusts the internal users

In other words (Korean customs analogy):
A circuit-level gateway only checks your nationality
An application-level gateway checks your baggage contents in addition to your nationality
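To make the customs analogy concrete, an added example (not from the slides) that runs the same two constructed HTTP requests through a circuit-level gateway, which checks only the connection endpoints and then relays the bytes unread, and through an application-level gateway, which additionally parses the request and re-issues it under its own rules. The trusted client range, the allowed hosts and the allowed methods are assumptions.

```python
# Added example: circuit-level vs application-level gateway on the same traffic.
from typing import Dict, Tuple

Conn = Tuple[str, str, int]   # (client address, server address, server port)


def circuit_gateway(conn: Conn, payload: bytes) -> Tuple[str, bytes]:
    """Decides on the connection alone ("nationality"), then relays bytes unexamined.
    Assumed policy: internal clients in 192.0.2.0/24 may reach any server on 80 or 443."""
    client, _server, port = conn
    if client.startswith("192.0.2.") and port in (80, 443):
        return "relay", payload
    return "deny", b""


ALLOWED_METHODS = {"GET", "HEAD"}            # assumed application-level policy
ALLOWED_HOSTS = {"www.example.com"}


def application_gateway(conn: Conn, payload: bytes) -> Tuple[str, bytes]:
    """Applies the same connection check, then inspects the request ("baggage")
    and rebuilds it itself instead of forwarding the client's bytes verbatim."""
    verdict, _ = circuit_gateway(conn, payload)
    if verdict != "relay":
        return "deny", b""
    try:
        head, _, _body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
        headers: Dict[str, str] = dict(line.split(": ", 1) for line in lines[1:])
    except (UnicodeDecodeError, ValueError):
        return "deny", b""        # malformed request: a proxy refuses rather than relays
    if method not in ALLOWED_METHODS or headers.get("Host") not in ALLOWED_HOSTS:
        return "deny", b""
    rebuilt = f"{method} {target} {version}\r\nHost: {headers['Host']}\r\n\r\n".encode("ascii")
    return "proxy", rebuilt
```

The circuit-level gateway relays both requests because the endpoints are acceptable; only the application-level gateway notices that the second request uses a disallowed method and host.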

Components of Firewalls
Open-source under UNIX:
SOCKS
Dante

Components of Firewalls (II) ∪ (III)

Bastion Host
Serves as:
an application-level gateway
a circuit-level gateway
or both

Firewall Configurations
In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible.
Three common configurations:

Configurations (I)
Screened host firewall system (single-homed bastion host)

Configurations (I)
Consists of two systems:
A packet-filtering router and a bastion host

Only packets from and to the bastion host are allowed to pass through the router
The bastion host performs authentication and proxy functions

More secure
More secure than either component alone because it offers both packet-level and application-level filtering

Firewall Configurations
This configuration also affords flexibility in providing direct Internet access (e.g., to a public information server such as a Web server)

Configurations (II)
Screened host firewall system (dual-homed bastion host)

Configurations (II)
Consists of two systems just as configuration (I) does. However, the bastion host separates the network into two subnets.

Even more secure
An intruder must generally penetrate two separate systems

Configurations (III)
Screened-subnet firewall system

Configurations (III)
Three-level defense:
Most secure
Two packet-filtering routers are used
Creates an isolated sub-network

The private network is invisible to the Internet
Computers inside the private network cannot construct direct routes to the Internet

Demo

Conclusion

Capabilities of a firewall
Defines a single choke point at which security features are applied
Provides a location for monitoring, audits and alarms
A convenient platform for several non-security-related Internet functions, e.g., NAT, network management
Can serve as the platform for IPSec: implement a VPN with tunnel-mode capability
Security management is simplified

What firewalls cannot protect against

Attacks that bypass the firewall, e.g., dial-in or dial-out capabilities that internal systems provide
Internal threats, e.g., a disgruntled employee or an employee who cooperates with external attackers
The transfer of virus-infected programs or files

Recommended Reading
Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995.
Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000.
Gasser, M. Building a Secure Computer System. Reinhold, 1988.
Pfleeger, C. Security in Computing. Prentice Hall, 1997.