DEFINITION
A FIREWALL is a combination of hardware, software and management activities used to enforce the Internet security policy that has been decided upon. A FIREWALL is any one of several ways of protecting one network from other, untrustworthy networks.
Hence a FIREWALL is a collection of components placed between two networks that collectively have the following properties:
All traffic from inside to outside, and vice versa, must pass through the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass.
The placement of a firewall system with respect to the internal network is as follows.
[Figure: the Firewall sits between the Company Network and the Internet]
Design Goals
All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
Only authorized traffic (defined by the local security policy) will be allowed to pass
The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
General Techniques
Service control: determines the types of Internet services that can be accessed, inbound or outbound
Direction control: determines the direction in which particular service requests are allowed to flow
User control: controls access to a service according to which user is attempting to access it
Behavior control: controls how particular services are used (e.g. filtering e-mail or restricting access to web pages)
Host level filtering
This component implements the firewall design policy at the host level, allowing or denying specific external hosts access to the internal hosts and vice versa. This can be done by the router itself, or by software.
This filtering is done by IP packet filtering, based on some or all of the following fields: source host IP address, destination host IP address, TCP/UDP source port, and TCP/UDP destination port.
Firewall Architecture
Application level gateways
This component uses software applications to forward and filter connections for services such as telnet, ftp, http, etc.
Such a software application, which provides these services, is referred to as a proxy service, while the host running the proxy service is referred to as an application gateway.
Application gateways and packet filtering modules can be combined to provide higher levels of security and flexibility than if either were used alone. An example of such a system is shown in the following figure.
[Figure: Proxy Server]
These two tasks are specifically achieved using this component of the firewall, called user authentication. There are various methods by which authentication can be achieved. Some of them are as follows.
Passwords
Smartcards
Session encryption, etc.
Types of Firewalls
Common types of Firewalls:
Packet-filtering routers
Application-level gateways
Circuit-level gateways
Bastion host
Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet
Filters packets going in both directions
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
Two default policies (discard or forward)
Example
Advantages:
Simplicity
Transparency to users
High speed
Disadvantages:
Difficulty of setting up packet filter rules
Lack of authentication
Possible attacks on packet filtering firewalls and appropriate countermeasures:
IP address spoofing
Source routing attacks
Tiny fragment attacks
Weaknesses in SPF
All the flaws of standard filtering can still apply.
Default setups are sometimes insecure.
The packet that leaves the remote site is the same packet that arrives at the client.
Data inside an allowed connection can be destructive.
Traditionally SPFs have poor logging.
Application-level Gateway
Also called proxy server
Acts as a relay of application-level traffic
Advantages:
Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic
Disadvantages:
Additional processing overhead on each connection (gateway as splice point)
Circuit-level Gateway
Stand-alone system, or a specialized function performed by an Application-level Gateway
Sets up two TCP connections
The gateway typically relays TCP segments from one connection to the other without examining the contents
The security function consists of determining which connections will be allowed
Typical use is a situation in which the system administrator trusts the internal users
An example is the SOCKS package (RFC 1928)
Bastion Host
A system identified by the firewall administrator as a critical strong point in the network's security
The bastion host serves as a platform for an application-level or circuit-level gateway
A bastion host may require additional authentication before a user is allowed access to the services. Each service may require its own authentication before granting user access.
Firewall Configurations
In addition to the simple configuration of a single system (a single packet filtering router or a single gateway), more complex configurations are possible. Three common configurations:
Screened host firewall system (single-homed bastion host)
Firewall consists of two systems:
A packet-filtering router
A bastion host
Configuration for the packet-filtering router: only packets from and to the bastion host are allowed to pass through the router
Greater security than single configurations for two reasons:
This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
An intruder must generally penetrate two separate systems
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
Screened host firewall system (dual-homed bastion host)
Compromising the packet-filtering router does not lead to direct access to internal hosts
Traffic between the Internet and other hosts on the private network has to flow through the bastion host
Screened-subnet firewall system
Most secure configuration of the three
Two packet-filtering routers are used
Creation of an isolated sub-network
Advantages:
Three levels of defense to thwart intruders
The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
Policy/Settings
Policy: No outside Web access. Setting: Drop all outgoing packets to any IP, port 80.
Policy: Outside connections to the public Web server only. Setting: Drop all incoming TCP SYN packets to any IP except the Web server, port 80.
Policy: Prevent Web radios from eating up the available bandwidth. Setting: Drop all incoming UDP packets except DNS and router broadcasts.
Policy: Prevent your network from being used for a Smurf DoS attack. Setting: Drop all ICMP packets going to a broadcast address.
Policy: Prevent your network from being tracerouted or scanned. Setting: Drop all incoming ICMP, UDP, or TCP echo-request packets; drop all packets with TTL < 5.
Attacks/Defense
Attack: IP internal-address spoofing. Defense: Drop all incoming packets with a local source address.
Attack: 2nd-fragment probes. Defense: Drop all incoming packets with a small fragment offset. Assemble IP fragments (hard work).
Attack: SYN-ACK probes. Defense: Be stateful: keep track of outgoing TCP SYN packets (the start of all TCP connections) (hard work).
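The Policy/Settings and Attacks/Defense tables above describe a rule set in words; the following added example (not part of the original slides) encodes them as a small stateful packet filter so the order of checks and the SYN bookkeeping can be seen concretely. The internal range 10.0.0.0/8, the Web server address 10.0.0.80, the use of port 7 as the TCP/UDP echo service and the fragment-offset threshold are assumptions chosen for illustration; packets are plain records built inline rather than parsed from the wire.

```python
"""Stateful, rule-based packet filter modelled on the Policy/Settings and
Attacks/Defense tables. Added example; address ranges, the Web server address,
the echo port and the fragment threshold are assumptions."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed company network
WEB_SERVER = ipaddress.ip_address("10.0.0.80")         # assumed public Web server
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
DNS_PORT, ECHO_PORT, HTTP_PORT = 53, 7, 80
MIN_TTL = 5


@dataclass
class Packet:
    direction: str                  # "in" (from the Internet) or "out" (to it)
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""             # e.g. "echo-request"
    ttl: int = 64
    frag_offset: int = 0            # IP fragment offset, in 8-byte units


def is_broadcast(addr: ipaddress.IPv4Address) -> bool:
    return addr in (LIMITED_BROADCAST, INTERNAL_NET.broadcast_address)


class StatefulFilter:
    """Remembers the 4-tuples of outgoing SYNs so only replies to them get in."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> tuple[str, str]:
        """Return ("accept" | "drop", reason) for one packet; first match wins."""
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        inbound = p.direction == "in"

        # Attacks/Defense: internal-address spoofing
        if inbound and src in INTERNAL_NET:
            return "drop", "internal source address on inbound packet"
        # Attacks/Defense: 2nd-fragment probes; a non-initial fragment with a
        # small offset overlaps the transport header (threshold simplified)
        if inbound and 0 < p.frag_offset < 3:
            return "drop", "tiny fragment offset"
        # Policy: not tracerouted or scanned
        if inbound and p.ttl < MIN_TTL:
            return "drop", "TTL below minimum"
        # Policy: Smurf amplification
        if p.proto == "icmp" and is_broadcast(dst):
            return "drop", "ICMP to broadcast address"
        if inbound and (p.icmp_type == "echo-request" or p.dport == ECHO_PORT):
            return "drop", "echo request"
        # Policy: no outside Web access
        if not inbound and p.proto == "tcp" and p.dport == HTTP_PORT:
            return "drop", "outbound HTTP"

        if p.proto == "tcp":
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                if not inbound:
                    self.pending.add(key)          # connection start recorded
                    return "accept", "outbound SYN recorded"
                # Policy: outside connections to the public Web server only
                if dst == WEB_SERVER and p.dport == HTTP_PORT:
                    return "accept", "SYN to public Web server"
                return "drop", "inbound SYN to non-public service"
            if inbound and {"SYN", "ACK"} <= p.flags:
                # Attacks/Defense: a SYN-ACK must answer a SYN we saw go out
                reverse = (p.dst, p.dport, p.src, p.sport)
                if reverse in self.pending:
                    return "accept", "SYN-ACK matches recorded SYN"
                return "drop", "unsolicited SYN-ACK"
            return "accept", "tcp"

        if p.proto == "udp" and inbound:
            # Policy: Web radios; only DNS and router broadcasts come in over UDP
            if DNS_PORT in (p.sport, p.dport) or is_broadcast(dst):
                return "accept", "DNS or broadcast"
            return "drop", "inbound UDP"
        return "accept", "default"
```

The anti-spoofing and fragment checks run before any policy rule because they decide whether the header fields can be trusted at all; the SYN-ACK check is what "be stateful" costs in practice, a table keyed by the 4-tuple of every outgoing connection start, which is the "hard work" the slide refers to.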
LIMITATIONS
The firewall model described has various limitations, some of which are as follows.
A firewall offers no protection against viruses contained in files transferred via ftp or other services provided by the application level gateway.
A firewall can't protect against malicious insiders if the network access policy is not sound.
A firewall can't protect against connections that don't go through it.
A firewall can't protect against completely new threats at all times.
A firewall can't protect against internal threats.
LOGGING
Why?
Identify suspicious activity
Evidence to prosecute attackers
To verify that the firewall is configured correctly
How?
Secure log host, near firewall
SYSLOG facility
Offsite backups
Prosecution
If you prosecute, you'll have to keep them until at least the trial is over. It could be a while.
Firewall Drawbacks
Firewalls can become a bottleneck
Certain protocols (FTP, Real-Audio) are difficult for firewalls to process
Assumes inside users are trusted
Multiple entry points make firewalls hard to manage
[Figures: a Corporate Firewall between the Internet and the Corporate Network, showing an External Host and Internal Host 1; later panels add an External and an Internal Webserver]
Traditional Firewalls
Problems:
The complexity of the domain rules for all the nodes in the topology may lead to security compromises.
Filtering is centralized at a single node.
This is unscalable, and the single node is a single point of failure.
Distributed Firewalls
General Philosophy
The system manager uses a high-level language to describe endpoints and specify the security policy
A compiler translates the policy into filter rules
A management tool distributes the policy to all endpoints
Endpoints accept or reject packets, based on the filter rules and cryptographically verified identities
Almost all commercial FIREWALLS support most of the standard protocols, because they are commercial products. An in-house developed FIREWALL, however, can be evolved to support in-house developed protocols as well. When we talk of developing a TRUSTED OS, a commercial FIREWALL sitting on such an OS might defeat the purpose of the FIREWALL.
Planning Steps
Know the details of how client-server connections are made
Determine the physical location of equipment
Decide who gets access in either direction
A screening router decides on the basis of IP/port, not user
Must develop a failure plan if the firewall breaks
Develop a thorough testing procedure
Operations issues:
How much capacity and supporting personnel?
[Chart of firewall vendors; labels partially recoverable: Axent, Check Point, Cisco, Network Associates, CyberGuard, Others]
Case Study
Existing network
100baseT switched ethernet segment
Additions needed
Administratively independent work group and servers
Policy decisions
Servers protected but publicly visible and accessible via well known protocols
Internal network invisible to outside, but must allow internal users to access the Internet
New topology
DMZ for servers behind the firewall
Internal network with IP Masquerading
Rules
Public services: Internet -> DMZ
Outgoing services: Internal -> Internet
Internal services: Internal -> DMZ
DMZ hosts can initiate connections to internal hosts if allowed in the policy
Internal hosts can directly connect (not masqueraded) to DMZ hosts
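The distributed-firewall philosophy (policy in a high-level description, compiled into filter rules, distributed to endpoints that verify what they receive) and the case-study rules (Internet -> DMZ, Internal -> Internet, Internal -> DMZ, with a DMZ -> Internal flow only where policy allows) can be tied together in one small pipeline. The example below is added here and is not the slides' or any product's code: the zone addresses, the endpoint names, the flow list and the shared HMAC key are constructed for illustration, and an HMAC over the rule bundle stands in for whatever identity verification a real deployment would use.

```python
"""Distributed-firewall policy pipeline for the case-study topology.
Added example: a zone-level policy is compiled into per-endpoint rule lists,
signed by the management tool, and verified by each endpoint before use.
Zone addresses, endpoints, flows and the key are constructed values."""
import hashlib
import hmac
import ipaddress
import json

# High-level description: zones, endpoints that run a local filter, and flows
ZONES = {
    "internet": "0.0.0.0/0",      # anything not otherwise classified
    "dmz": "192.0.2.0/24",        # constructed DMZ range
    "internal": "10.0.0.0/16",    # constructed masqueraded internal range
}
ENDPOINTS = {                      # name -> (zone, address)
    "www": ("dmz", "192.0.2.10"),
    "mail": ("dmz", "192.0.2.25"),
    "desk1": ("internal", "10.0.5.1"),
}
FLOWS = [                          # (from_zone, to_zone, service, dport)
    ("internet", "dmz", "http", 80),       # public services
    ("internet", "dmz", "smtp", 25),
    ("internal", "internet", "http", 80),  # outgoing services
    ("internal", "internet", "https", 443),
    ("internal", "dmz", "smtp", 25),       # internal services
    ("internal", "dmz", "ssh", 22),
    ("dmz", "internal", "ldap", 389),      # DMZ -> internal, explicitly allowed
]


def compile_policy(zones, endpoints, flows):
    """Compiler step: each endpoint gets the rules whose destination zone is
    its own (inbound filtering at the endpoint) followed by an implicit deny."""
    rules = {}
    for name, (zone, _addr) in endpoints.items():
        allow = [
            {"action": "accept", "src": zones[f], "proto": "tcp",
             "dport": port, "service": svc}
            for f, t, svc, port in flows if t == zone
        ]
        deny = {"action": "deny", "src": "0.0.0.0/0", "proto": "any",
                "dport": 0, "service": "any"}
        rules[name] = allow + [deny]
    return rules


def sign_bundle(key: bytes, endpoint: str, rules: list) -> dict:
    """Management-tool step: bind the rule list to its addressee with an HMAC."""
    body = json.dumps({"endpoint": endpoint, "rules": rules}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def install_bundle(key: bytes, expected_endpoint: str, bundle: dict) -> list:
    """Endpoint step: verify the tag and the addressee before installing."""
    expected = hmac.new(key, bundle["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("bundle signature invalid")
    data = json.loads(bundle["body"])
    if data["endpoint"] != expected_endpoint:
        raise ValueError("bundle addressed to another endpoint")
    return data["rules"]


def permits(rules: list, src_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation of an installed rule list; deny if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r["src"])
                and r["proto"] in (proto, "any")
                and r["dport"] in (dport, 0)):
            return r["action"] == "accept"
    return False
```

Because the "internet" zone is written as 0.0.0.0/0, an internal host also matches the Internet -> DMZ rules, which is consistent with the case study's statement that internal hosts connect directly to DMZ hosts; a policy that wanted to keep the two apart would define the zone as everything outside the DMZ and internal ranges instead.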
Thank You