firewalls (15)
TRANSCRIPT
-
8/10/2019 Firewalls (15)
1/51
C. Ding -- COMP581 -- L25 1
Lecture 25: Firewalls
Introduce several types of firewalls
Discuss their advantages and disadvantages
Compare their performances
Demonstrate their applications
What is a Firewall?
A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private network.
The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.
What a Firewall does
Implement security policies at a single point
Monitor security-related events (audit, log)
Provide strong authentication
Allow virtual private networks
What a Firewall does not do
Protect against attacks that bypass the firewall
  Dial-out from internal host to an ISP
Protect against internal threats
  Disgruntled employee
  Insider cooperates with an external attacker
Protect against the transfer of virus-infected programs or files
Firewall - Typical layout
A firewall denies or permits access based on policies and rules
[Diagram: Firewall between the Protected Private Network and the Internet.]
Watching for attack
[Diagram: Firewall between the Protected Private Network and the Internet. An Attack from the Internet is detected; the firewall's Monitor Log records it and a Notify alert is raised.]
Firewall technologies
Common firewall technologies may be classified into four categories:
Packet Filtering Firewalls
Circuit Level Firewalls
Application Gateway Firewalls (or proxy servers)
Stateful Inspection Firewalls (dynamic packet filtering firewalls)
These technologies operate at different levels of detail, providing varying degrees of network access protection. These technologies are not mutually exclusive, as some firewall products may implement several of these technologies simultaneously.
The Internet protocol stack
Layer        WAN                            LAN
Application
Transport    TCP, UDP . . .                 TCP, UDP . . .
Network      IP                             IP
Data Link    PPP, Frame Relay . . .         Drivers, MAC Address
Physical     Leased Line, ISDN, xDSL . . .  LAN Interface Card
Packet Filtering Firewalls
Packet Filtering firewalls
The original firewall
Works at the network level of the OSI model
Applies packet filters based on access rules:
  Source address
  Destination address
  Application or protocol
  Source port number
  Destination port number
Packet Filtering firewalls
Packet Filtering is usually an integrated function of a router.
Packet filtering relies on Network Layer and Transport Layer information contained in the headers of data packets to police traffic. This information includes source IP address and port number, destination IP address and port number, and protocol used (e.g., TCP, UDP, ICMP). This information is used as the criteria in network access rules. These rules are organized into several filter sets and each set handles traffic coming to the firewall over a specific interface.
Packet Filtering Policy Example
          My host            Other host
action    name         port  name           port   comments
block     *            *     microsoft.com  *      Block everything from MS
allow     My-gateway   25    *              *      Allow incoming mail
Packet Filtering Policy Example
Rule  Direction  Source Address  Destination Address  Protocol  Source Port  Destin. Port  Action
1     Out        *               10.56.199*           *         *            *             Drop
2     Out        10.56*          10.122*              TCP       *            23 (Telnet)   Pass
3     In         10.122*         10.56.199*           TCP       23 (Telnet)  *             Pass
4     In & Out   *               10.56.199*           TCP       *            25 (Mail)     Pass
5     In         *               *                    TCP       *            513 (rlogin)  Drop
6     In         201.32.4.76     *                    *         *            *             Drop
7     Out        *               *                    TCP       *            20 (FTP)      Pass
8     In         *               10.56.199*           TCP       *            20 (FTP)      Drop
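The eight-rule policy above worked as code, as an added example that is not part of the lecture: a first-match packet filter over exactly the header fields the slides list (direction, addresses, protocol, ports). The trailing-* address notation is assumed to mean a prefix match, "*" in a port column is encoded as None, and an unmatched packet falls to an assumed default of Drop.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Rule:
    """One row of the lecture's table; None in a port field stands for '*'."""
    number: int
    direction: str          # "In", "Out" or "In & Out"
    src_addr: str           # slide prefix notation, e.g. "10.56.199*"
    dst_addr: str
    protocol: str           # "TCP" or "*"
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str             # "Pass" or "Drop"

# Rule set transcribed from the 8-rule Packet Filtering Policy Example above
RULES = [
    Rule(1, "Out",      "*",           "10.56.199*", "*",   None, None, "Drop"),
    Rule(2, "Out",      "10.56*",      "10.122*",    "TCP", None, 23,   "Pass"),
    Rule(3, "In",       "10.122*",     "10.56.199*", "TCP", 23,   None, "Pass"),
    Rule(4, "In & Out", "*",           "10.56.199*", "TCP", None, 25,   "Pass"),
    Rule(5, "In",       "*",           "*",          "TCP", None, 513,  "Drop"),
    Rule(6, "In",       "201.32.4.76", "*",          "*",   None, None, "Drop"),
    Rule(7, "Out",      "*",           "*",          "TCP", None, 20,   "Pass"),
    Rule(8, "In",       "*",           "10.56.199*", "TCP", None, 20,   "Drop"),
]

def addr_matches(pattern: str, addr: str) -> bool:
    """'*' matches anything; a trailing '*' matches any address with that prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return addr.startswith(pattern[:-1])
    return addr == pattern

def filter_packet(direction, src, dst, proto, sport, dport, rules=RULES, default="Drop"):
    """Order-sensitive first-match evaluation; returns (rule number, action) or (None, default)."""
    for r in rules:
        if r.direction not in ("In & Out", direction):
            continue
        if not (addr_matches(r.src_addr, src) and addr_matches(r.dst_addr, dst)):
            continue
        if r.protocol != "*" and r.protocol != proto:
            continue
        if r.src_port is not None and r.src_port != sport:
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return r.number, r.action
    return None, default
```

Running outbound mail to 10.56.199.10 through this shows why such rule sets are hard to test: rule 1 already drops every outbound packet to 10.56.199*, so rule 4's "In & Out" permit for port 25 only ever takes effect inbound.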
Web Access Through a Packet Filter Firewall
ACK = positive acknowledgement message for the sender from the receiver. Typically just one bit.
Packet Filtering Firewalls
[Diagram: Firewall/Router between the Internet and the Internal Network, with Physical, Data Link and Network layers on each side. An Input Filter and an Output Filter in the router apply the Access Rules.]
Packet Filtering Firewalls: pros and cons
Advantages: Simple, low cost, transparent to user
Disadvantages:
Hard to configure filtering rules
Hard to test filtering rules
Don't hide network topology (due to transparency)
May not be able to provide enough control over traffic
Circuit Level Firewalls
(Circuit Level Gateways)
Circuit Level Firewalls
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP
Monitor TCP handshaking between packets to determine whether a requested session is legitimate.
Application Gateway Firewalls
(Proxy Firewalls)
Application Gateway firewalls
Similar to circuit-level gateways except that they are application specific.
Every connection between two networks is made via an application program called a proxy.
Proxies are application or protocol specific.
Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected.
A gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through.
Application Gateway Strengths
Very secure if used in conjunction with an intelligent packet filtering firewall
Well designed proxies provide excellent security
Application Gateway weaknesses
Very CPU intensive
Requires high performance host computer
Host operating system liable to attack
Many proxies are transparent to application
Not transparent to users
Expensive
Stateful Inspection Firewalls
Stateful Inspection Firewalls
Third generation firewall technology, often referred to as dynamic packet filtering
Understands data in packets from the network layer (IP headers) up to the Application Layer
Tracks the state of communication sessions
Stateful Inspection Firewalls
[Diagram: Firewall/Router between the Internet and the Internal Network, with Physical, Data Link and Network layers on each side. An Inspection Module in the router applies Network access rules, Transport access rules and an Application state table.]
Dynamic Filtering
Stateful Inspection firewalls dynamically open and close ports (application specific connection points) based on access policies.
[Diagram: 1. User in the Protected Private Network initiates a web session. 2. Firewall checks policies to validate the sending computer and allows traffic to pass to the public network (Internet). 3. Return traffic for the validated web session is permitted and the state of the flow is monitored. 4. Other traffic from the public network is blocked.]
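A minimal connection tracker, written here as an added example rather than code from the lecture, for what the circuit-level slide (monitoring the TCP handshake) and the stateful-inspection slides (dynamically opened ports, return traffic permitted, other public traffic blocked) describe. The flow key, the state names and the simplified FIN/RST close handling are assumptions; a real inspection module also ages entries out by timer.

```python
from dataclasses import dataclass, field

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits

@dataclass
class StateTable:
    """Connection-tracking table: keys are (src, sport, dst, dport) as seen from the
    private host that opened the session; values are the tracked TCP state."""
    flows: dict = field(default_factory=dict)

    def inspect(self, direction, src, sport, dst, dport, flags):
        """Return 'Pass' or 'Drop' for one TCP segment and update the table.
        direction is 'Out' (private -> public) or 'In' (public -> private)."""
        fwd = (src, sport, dst, dport)      # key if this packet is from the initiator
        rev = (dst, dport, src, sport)      # key if this packet is a reply
        if direction == "Out":
            if flags & SYN and not flags & ACK:
                self.flows[fwd] = "SYN_SENT"    # private host opens a session: port opens
                return "Pass"
            if fwd not in self.flows:
                return "Drop"                   # outbound segment of no known session
            if self.flows[fwd] == "SYN_SENT" and flags & ACK:
                self.flows[fwd] = "ESTABLISHED" # third step of the handshake seen
            if flags & (FIN | RST):
                del self.flows[fwd]             # session closing: port closes again
            return "Pass"
        # Inbound: nothing from the public network is accepted unless it is a reply
        # to a session in the table. Unsolicited SYNs and stray ACKs fall through.
        if rev not in self.flows:
            return "Drop"
        if flags & (FIN | RST):
            del self.flows[rev]                 # simplified: real trackers also use timers
        return "Pass"

def replay(table, segments):
    """Run (direction, src, sport, dst, dport, flags) tuples through the table in order."""
    return [table.inspect(*s) for s in segments]
```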
Stateful Inspection Strengths
Monitors the state of all data flows
Dynamically adapts filters based on defined policies and rules
Easily adapted to new Internet applications
Transparent to users
Low CPU overheads
Stateful Inspection Weaknesses
Need to provide new client program
Might have problems with the availability of source code for various platforms
Stateful Inspection Firewalls
"These are among the most secure firewalls available today; fooling them can be a lot of work."
-- Jon McCown, network security analyst for the U.S. National Computer Security Agency (NCSA)
General Performance
Other Issues about Firewalls
RADIUS Support
Remote Authentication Dial-In User Services
A single, central security database for all system users
Centralised management of access lists
Remote access security
[Diagram: A remote dial-in user connects through telephony services to the head office firewall. The dial-in user is authenticated, and a firewall policy is assigned to the dial-in user before the connection to the network is completed.]
Stateful Inspection Implementation
[Diagram: 1. User in the protected private network initiates a web session. 2. Firewall checks policy rules to validate the sender. 3. Firewall opens the required port and allows traffic to pass to the public network (Internet). 4. Return traffic for the validated web session is permitted and the state of the flow is monitored.]
Network Address Translation
[Diagram: A user in the protected private network communicates with the Internet using a private IP address. The firewall substitutes the private address with a public address and forwards the packet to the Internet, then translates the return flow from the public address back to the private address.]
Application Level Gateway Example
[Diagram: An FTP connection initiated from the public network (Internet) reaches the Application Level Gateway, which completes the connection itself. Access rules are verified; if the connection is valid the state table is updated and a connection to the FTP Server is established.]
Session Logging
The firewall can be configured to log an extensive range of events, including:
All denied packets
All allowed packets
Selected allowed and denied packet types
Etc.
Notification SNMP/SMTP
[Diagram: The firewall between the protected private network and the Internet detects an attack (Port Scan). An SNMP Trap message is sent to the management platform and an email is sent to a specified address.]
SNMP: simple network management protocol
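An added example (not from the lecture) of the session logging and port-scan notification the last two slides describe: logged denials are grouped per source and destination, and a source denied on many distinct destination ports within a short window yields the alert text an SNMP trap or e-mail would carry. The log line format, the threshold and window, and the addresses in the constructed sample are all assumptions, not a real product's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of session-log lines in a hypothetical format (not a real product's):
# timestamp, verdict, protocol, source:port -> destination:port
SAMPLE_LOG = """\
2019-08-10T09:15:01 DENY TCP 198.51.100.7:41000 -> 10.56.199.10:21
2019-08-10T09:15:01 DENY TCP 198.51.100.7:41001 -> 10.56.199.10:22
2019-08-10T09:15:02 DENY TCP 198.51.100.7:41002 -> 10.56.199.10:23
2019-08-10T09:15:02 ALLOW TCP 203.0.113.5:52000 -> 10.56.199.10:25
2019-08-10T09:15:02 DENY TCP 198.51.100.7:41003 -> 10.56.199.10:80
2019-08-10T09:15:03 DENY TCP 198.51.100.7:41004 -> 10.56.199.10:443
2019-08-10T09:15:03 DENY TCP 198.51.100.7:41005 -> 10.56.199.10:3389
2019-08-10T09:15:04 DENY UDP 203.0.113.9:5353 -> 10.56.199.10:5353
2019-08-10T09:15:04 DENY TCP 198.51.100.7:41006 -> 10.56.199.10:8080
"""

def parse_line(line):
    """Split one log line into (time, verdict, protocol, src_ip, dst_ip, dst_port)."""
    ts, verdict, proto, src, _, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), verdict, proto, src_ip, dst_ip, int(dst_port)

def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=10)):
    """Flag a source denied on >= threshold distinct ports of one destination within
    `window`. Returns {(src_ip, dst_ip): sorted list of probed ports} per alert."""
    denied = defaultdict(list)                  # (src, dst) -> [(time, port), ...]
    for line in log_text.splitlines():
        ts, verdict, _, src_ip, dst_ip, port = parse_line(line)
        if verdict == "DENY":                   # only logged denials count as probes
            denied[(src_ip, dst_ip)].append((ts, port))
    alerts = {}
    for key, events in denied.items():
        events.sort()                           # sliding window over time-ordered denials
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[key] = sorted(ports)
                break
    return alerts

def notify(alerts):
    """Render the text the slide's SNMP trap / e-mail notification step would carry."""
    return [f"Port scan: {src} probed {len(ports)} ports on {dst}: {ports}"
            for (src, dst), ports in alerts.items()]
```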
Notification and Reconfiguration
[Diagram: The firewall detects an attack (SYN Flood) against the Web Server in the DMZ. The firewall is automatically reconfigured to deny all external access to the WEB Server, and an email is sent to the System Manager.]
Secure management
Secure encrypted and authenticated remote management: Secure Shell (SSH)
RSA encryption keys 512 - 2048 bits
DES and Triple DES encryption for SSH sessions
Can limit access to specific user addresses
Network configuration examples
[Diagram: Protected private network behind a firewall connected to the Internet.]
Allow all access from private network to the Internet
Deny all access from the Internet to the private network
Semi-Militarised Zone
[Diagram: The Semi Militarised Zone (SMZ) holds the Mail Server and WEB Server between the Internet and the protected private network (the private network for corporate servers and users). Firewall policy limits incoming access from the public network to the WEB and mail server; all other incoming traffic is blocked, and all unauthorised traffic towards the private network is blocked.]
Private LAN stays secure
[Diagram: Mail Server and WEB Server in the Semi-Militarised Zone (SMZ) between the Internet and the protected private network. An intruder logs in to an SMZ server ("Login: hacker", "Password: please", "OK Then!"); the protected private network behind the firewall stays secure.]
Demilitarised Zone
[Diagram: Mail Server and WEB Server in the Demilitarised Zone (DMZ) between the Internet and the protected private network. Labels: "Open access between private LAN and DMZ"; "Static filters between private LAN and DMZ used to control access"; "Allow SMTP, from here to there only".]