Upload
xozan
View
228
Download
0
Embed Size (px)
Citation preview
8/10/2019 16. Firewalls
1/25
Stephen S. Yau 1CSE 465-591, Fall 2006
Firewalls
8/10/2019 16. Firewalls
2/25
Stephen S. Yau 2CSE 465-591, Fall 2006
DMZ
The DMZ(stands for Demilitarized Zone) is aportion of a network that separates a purelyinternal network from an external network.
DMZis the place, where public servers andproxies should be located
Proxyis an intermediate agent or server that acts
on behalf of an endpoint without allowing adirect connection between the two endpoints
T1: ch23.3
T2: ch26.3
8/10/2019 16. Firewalls
3/25
Stephen S. Yau 3CSE 465-591, Fall 2006
Firewalls
A firewallis a host that mediates access to anetwork, allowing and disallowing certain typesof access on the basis of a configured security
policy. Protect a network from external networks Block unwanted traffic and pass desirable traffic
to and from both sides of the network Examples:
Allows: http, mails Keeps out: suspected users, denial of services attacks,
spam, virusesT1: ch23.3.1
T2: ch26.3.1
8/10/2019 16. Firewalls
4/25
Stephen S. Yau 4
Operations of Firewall
8/10/2019 16. Firewalls
5/25
5
Firewalls in Different Layers Network layer:Packet-Filtering Firewalls
- Concerned with routingof packets to their destinations.
- Determine if a packet is from a permitted source to a permitteddestination
Transport layer: Circuit-Level Firewalls- Concerned with sessionof packets
- Need more knowledge of packet header to make decisions onaccepting or denying packets
Application layer:Application-Level Firewalls- Concerned with contentsof packets
- Need information about data make decision on accepting ordenying packets
Further reading:http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htmhttp://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm8/10/2019 16. Firewalls
6/25
6
Packet Filtering Firewalls
Apacket filtering firewallperforms access control on the basisof attributes of the packet headers, such as destination addresses,source address, and options.
Whenever network receives a packet, three possible actions:
forward it to destination block it
return it to sender
One of these actions is chosen according to a set of rules usuallyin a form of access control lists.
T1: ch23.3.1 T2: ch26.3.1
Rule Source Address Destination Address Action
1 149.59.0.0/16 123.45.6.0/24 permit
2 149.59.34.0/24 123.45.0.0/16 deny
3 0.0.0.0/0 0.0.0.0/0 deny (default)
8/10/2019 16. Firewalls
7/25Stephen S. Yau 7CSE 465-591, Fall 2006
Packet Filtering Firewalls (cont.)
Factors which determine the actions:
- Source address
- Destination address
- Direction of traffic
Rules applied top to bottom
Ordered from least restrictive to most restrictive
Packets are not scrutinized
Auditing is possible
8/10/2019 16. Firewalls
8/25
Stephen S. Yau 8CSE 465-591, Fall 2006
An Example of Packet Filtering Firewall
Local Network
(4.0.0.0/8)
Incoming Packet
[24.128.34.8, 4.16.128.3]
(denied)
Network Server: Firewall(Rule 1: 24.128.0.0/16, 4.0.0.0/8 deny
Rule 2: 64.248.128.0/24, 8.16.192.0/24 permit
Rule N: 34.128.0.0/16, 14.16.128.0/20 permit)
Another Network(8.16.192.0/24)
Incoming Packet
[64.248.128.5, 8.16.192.7](permitted)
8/10/2019 16. Firewalls
9/25
Stephen S. Yau 9CSE 465-591, Fall 2006
Circuit-Level Firewalls
Validates sessions before openingconnections (handshakes)
Once a connection is made, all packets
related to that connection pass
Packets not scrutinized
No direct connections with other networks
without validation
8/10/2019 16. Firewalls
10/25
8/10/2019 16. Firewalls
11/25
Stephen S. Yau 11CSE 465-591, Fall 2006
An Example of Circuit-Level Firewall
Network News Transfer Protocol (NNTP):The NNTP server connects to firewall
Internal systems' NNTP clients connect to firewall.
Circuit-level firewall simply passes bytes betweensystems
Internal Systems (NNTP clients)
External Servers (NNTP news providers)
Circuit-Level Firewall (Choke Point)
8/10/2019 16. Firewalls
12/25
Stephen S. Yau 12CSE 465-591, Fall 2006
Application-Level Firewalls
Application-level firewall(also called Proxyfirewall)uses proxies to perform access control.
Acts as a proxy server, evaluates requests anddecides according to security concerns
Two connections per session
All packets are scrutinizedAuditing is possible T1: ch23.3.1
T2: ch26.3.1
8/10/2019 16. Firewalls
13/25
13
Application-Level Firewalls(cont.)
Access control based on contentsof packets andmessages, as well as on attributes of packet headers.
Not allow direct connections between two endpoints
through a proxy firewall
Accept/Deny
Rules Application Level Proxy
Network Layer
Outgoing PacketsIncoming packets
Application Level
Network Level
Applications
8/10/2019 16. Firewalls
14/25
Stephen S. Yau 14CSE 465-591, Fall 2006
An Example of Application-Level Firewall
Simple (Send) Mail Transfer Protocol Proxies SMTP application proxies configured to allow only
necessary SMTP commands, such as helo, mail from:and rcpt to:, to pass through firewall
Stop expn command, which tries to expand a list
Stop vrfy command, which tries to verify that anaccount exists
The above are used by attackers and spammers toenumerate e-mail accounts.
MIME type and message size can be used to filtertraffic.
8/10/2019 16. Firewalls
15/25
Stephen S. Yau 15CSE 465-591, Fall 2006
An Example of Application Level Firewall(cont.)
Local Network:
Mail Clients
Incoming/Outgoing Request
for SMTP
(denied)
Network Server:
Implements Application Firewall in SMTP/POP/IMAP
Deny: expn, vrfy
Allow: helo, mail from:
Incoming/Outgoing Mail
;
(permitted)
8/10/2019 16. Firewalls
16/25
Stephen S. Yau 16CSE 465-591, Fall 2006
An Example of Using Firewalls
Requirements of the Drib Corporation:
The Drib wants the public be able to access its web serverand mail server, and no other services.
The Drib wishes to check all incoming e-mails for computerviruses through emails and attacks though web connections.
The Dribs has sensitive data which it does not want
outsiders to see.
The Drib allows file sharing among its systems. It does notwant the packets containing sensitive information to leak tothe Internet.
T1: ch23.3 T2: ch26.3
8/10/2019 16. Firewalls
17/25
Stephen S. Yau 17CSE 465-591, Fall 2006
An Example of Using Firewalls (cont.)
Desirable Network Infrastructure The public entities should be confined to the DMZ area
The outer firewall presents an interface between DMZ andinternet, that allows connections to the WWW service(HTTP and HTTPS) and to electronic mail (SMTP) service. Proxies having virus and attack scanning programs should be
implemented at the outer firewall.
The Dribs most sensitive data and systems should reside in
the internal network. The inner firewall sitting between DMZ and internal network
will block all traffic, except those specifically authorized toenter the internal network
8/10/2019 16. Firewalls
18/25
18
An Example of Using Firewalls (cont.)
Mail server
Outer Firewall
Internal
DNS server
Internet
Web Server
DMZINTERNAL Inner Firewall
Internal
mail server
DNS serverCorporate
data subnet
Customer
data subnet
Development subnet
Network designed for the Dribble Corporation
8/10/2019 16. Firewalls
19/25
19
An Example of Using Firewalls (cont.)
Outer firewall configuration The outer firewall is a proxy-based
firewall.
When e-mail connection is initiated, the
mail proxy on the firewall collects themail, analyzes it for computer virusesand other forms of malicious logic. Ifnone is found, it forwards the mail tothe DMZ mail server.
Similarly, when a web connectionarrives, the web proxy scans themessage for any suspiciouscomponents, if none is found, itforwards the messages to DMZ webserver.
Mail server
Outer Firewall
Internet
Web Server
DMZ
8/10/2019 16. Firewalls
20/25
Stephen S. Yau 20CSE 465-591, Fall 2006
D
MZ
An Example of Using Firewalls (cont.)
Inner firewall configuration
The inner firewall is also a proxy-basedfirewall.
Mail connections through the inner
firewall are allowed, and all emails aresent to DMZ mail server for disposition
Disallows packets containing sensitive
information (detected by the proxies in
the inner firewall) to reach DMZ All other traffic, including web access,
are blocked
Internal
DNS server
INTERNALInner Firewall
Internal
mail server
Corporate
data subnet
Customer
data subnet
Development subnet
8/10/2019 16. Firewalls
21/25
Stephen S. Yau 21CSE 465-591, Fall 2006
Choosing a Firewall
What OS required and other OSs supported? How much CPU/RAM/Disk space it needs?
What is the authentication scheme?
Does it support logging?What hardware is provided?
What software is provided?
What is the cost for installing and operatingthe firewall?
What are other features?
8/10/2019 16. Firewalls
22/25
Stephen S. Yau 22CSE 465-591, Fall 2006
Firewall Design Criteria
Organizations deciding to use firewalls must analyzetheir security needs. Potential risks and threats must becontemplated.
The following considerations may affect design andextensiveness of implementation of firewalls: Organizational policies
What level of access control does managementwant?The desired level of monitoring and access must
be determined.What level of risk is the organization willing to
accept?
8/10/2019 16. Firewalls
23/25
Stephen S. Yau 23CSE 465-591, Fall 2006
Firewall Design Criteria (cont.)
A checklist of what messages should be monitored,permitted and denied must be established.
The cost of various firewall programs, including on-goingmaintenance, must be considered against the potential
threat. What would be the potential cost/damage of attacksto the system from outside?
The number, placement, and types of firewalls to be usedmust be determined.
Firewalls should have packet filtering, circuit-level controls,and application-level proxies in order to provide effectivesecurity.
What is the estimated overhead in using the selectedfirewalls?
8/10/2019 16. Firewalls
24/25
Stephen S. Yau 24CSE 465-591, Fall 2006
Some Commercially
Available Firewalls Hardware Linksys Etherfast Cable/DSL Firewall Router, Microsoft
MN-100, D-Link Express EtherNetwork
Mac OS X servers DoorStop Server Firewall, Firewall X2, Impasse,
IPNetSentry, Net Barrier
Linux
IP tables, SINUS, ipchains Windows
BlackICE, Kerio, McAfee, Norton Personal Firewall,Outpost, Sygate, Terminet, and ZoneAlarm
8/10/2019 16. Firewalls
25/25
Stephen S. Yau 25CSE 465-591, Fall 2006
References
Matt Bishop, Introduction to Computer Security, Addison-Wesley,2004, ISBN: 0321247442
Matt Bishop, Computer Security: Art and Science, Addison- Wesley,2002, ISBN: 0201440997
M. Merkow, J. Breithaupt, Information Security: Principles andPractices,Prentice Hall, August 2005, 448 pages, ISBN0131547291
J. G. Boyce, D. W. Jennings, Information Assurance:ManagingOrganizational IT Security Risks. Butterworth Heineman, 2002,ISBN 0-7506-7327-3
http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html
http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.htmlhttp://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html