-
8/10/2019 16. Firewalls
1/25
Stephen S. Yau 1CSE 465-591, Fall 2006
Firewalls
-
8/10/2019 16. Firewalls
2/25
Stephen S. Yau 2CSE 465-591, Fall 2006
DMZ
The DMZ(stands for Demilitarized Zone) is aportion of a network
that separates a purelyinternal network from an external
network.
DMZis the place, where public servers andproxies should be
located
Proxyis an intermediate agent or server that acts
on behalf of an endpoint without allowing adirect connection
between the two endpoints
T1: ch23.3
T2: ch26.3
-
8/10/2019 16. Firewalls
3/25
Stephen S. Yau 3CSE 465-591, Fall 2006
Firewalls
A firewallis a host that mediates access to anetwork, allowing
and disallowing certain typesof access on the basis of a configured
security
policy. Protect a network from external networks Block unwanted
traffic and pass desirable traffic
to and from both sides of the network Examples:
Allows: http, mails Keeps out: suspected users, denial of
services attacks,
spam, virusesT1: ch23.3.1
T2: ch26.3.1
-
8/10/2019 16. Firewalls
4/25
Stephen S. Yau 4
Operations of Firewall
-
8/10/2019 16. Firewalls
5/25
5
Firewalls in Different Layers Network layer:Packet-Filtering
Firewalls
- Concerned with routingof packets to their destinations.
- Determine if a packet is from a permitted source to a
permitteddestination
Transport layer: Circuit-Level Firewalls- Concerned with
sessionof packets
- Need more knowledge of packet header to make decisions
onaccepting or denying packets
Application layer:Application-Level Firewalls- Concerned with
contentsof packets
- Need information about data make decision on accepting
ordenying packets
Further
reading:http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htmhttp://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm
-
8/10/2019 16. Firewalls
6/25
6
Packet Filtering Firewalls
Apacket filtering firewallperforms access control on the basisof
attributes of the packet headers, such as destination
addresses,source address, and options.
Whenever network receives a packet, three possible actions:
forward it to destination block it
return it to sender
One of these actions is chosen according to a set of rules
usuallyin a form of access control lists.
T1: ch23.3.1 T2: ch26.3.1
Rule Source Address Destination Address Action
1 149.59.0.0/16 123.45.6.0/24 permit
2 149.59.34.0/24 123.45.0.0/16 deny
3 0.0.0.0/0 0.0.0.0/0 deny (default)
-
8/10/2019 16. Firewalls
7/25Stephen S. Yau 7CSE 465-591, Fall 2006
Packet Filtering Firewalls (cont.)
Factors which determine the actions:
- Source address
- Destination address
- Direction of traffic
Rules applied top to bottom
Ordered from least restrictive to most restrictive
Packets are not scrutinized
Auditing is possible
-
8/10/2019 16. Firewalls
8/25
Stephen S. Yau 8CSE 465-591, Fall 2006
An Example of Packet Filtering Firewall
Local Network
(4.0.0.0/8)
Incoming Packet
[24.128.34.8, 4.16.128.3]
(denied)
Network Server: Firewall(Rule 1: 24.128.0.0/16, 4.0.0.0/8
deny
Rule 2: 64.248.128.0/24, 8.16.192.0/24 permit
Rule N: 34.128.0.0/16, 14.16.128.0/20 permit)
Another Network(8.16.192.0/24)
Incoming Packet
[64.248.128.5, 8.16.192.7](permitted)
-
8/10/2019 16. Firewalls
9/25
Stephen S. Yau 9CSE 465-591, Fall 2006
Circuit-Level Firewalls
Validates sessions before openingconnections (handshakes)
Once a connection is made, all packets
related to that connection pass
Packets not scrutinized
No direct connections with other networks
without validation
-
8/10/2019 16. Firewalls
10/25
-
8/10/2019 16. Firewalls
11/25
Stephen S. Yau 11CSE 465-591, Fall 2006
An Example of Circuit-Level Firewall
Network News Transfer Protocol (NNTP):The NNTP server connects
to firewall
Internal systems' NNTP clients connect to firewall.
Circuit-level firewall simply passes bytes betweensystems
Internal Systems (NNTP clients)
External Servers (NNTP news providers)
Circuit-Level Firewall (Choke Point)
-
8/10/2019 16. Firewalls
12/25
Stephen S. Yau 12CSE 465-591, Fall 2006
Application-Level Firewalls
Application-level firewall(also called Proxyfirewall)uses
proxies to perform access control.
Acts as a proxy server, evaluates requests anddecides according
to security concerns
Two connections per session
All packets are scrutinizedAuditing is possible T1: ch23.3.1
T2: ch26.3.1
-
8/10/2019 16. Firewalls
13/25
13
Application-Level Firewalls(cont.)
Access control based on contentsof packets andmessages, as well
as on attributes of packet headers.
Not allow direct connections between two endpoints
through a proxy firewall
Accept/Deny
Rules Application Level Proxy
Network Layer
Outgoing PacketsIncoming packets
Application Level
Network Level
Applications
-
8/10/2019 16. Firewalls
14/25
Stephen S. Yau 14CSE 465-591, Fall 2006
An Example of Application-Level Firewall
Simple (Send) Mail Transfer Protocol Proxies SMTP application
proxies configured to allow only
necessary SMTP commands, such as helo, mail from:and rcpt to:,
to pass through firewall
Stop expn command, which tries to expand a list
Stop vrfy command, which tries to verify that anaccount
exists
The above are used by attackers and spammers toenumerate e-mail
accounts.
MIME type and message size can be used to filtertraffic.
-
8/10/2019 16. Firewalls
15/25
Stephen S. Yau 15CSE 465-591, Fall 2006
An Example of Application Level Firewall(cont.)
Local Network:
Mail Clients
Incoming/Outgoing Request
for SMTP
(denied)
Network Server:
Implements Application Firewall in SMTP/POP/IMAP
Deny: expn, vrfy
Allow: helo, mail from:
Incoming/Outgoing Mail
;
(permitted)
-
8/10/2019 16. Firewalls
16/25
Stephen S. Yau 16CSE 465-591, Fall 2006
An Example of Using Firewalls
Requirements of the Drib Corporation:
The Drib wants the public be able to access its web serverand
mail server, and no other services.
The Drib wishes to check all incoming e-mails for
computerviruses through emails and attacks though web
connections.
The Dribs has sensitive data which it does not want
outsiders to see.
The Drib allows file sharing among its systems. It does notwant
the packets containing sensitive information to leak tothe
Internet.
T1: ch23.3 T2: ch26.3
-
8/10/2019 16. Firewalls
17/25
Stephen S. Yau 17CSE 465-591, Fall 2006
An Example of Using Firewalls (cont.)
Desirable Network Infrastructure The public entities should be
confined to the DMZ area
The outer firewall presents an interface between DMZ
andinternet, that allows connections to the WWW service(HTTP and
HTTPS) and to electronic mail (SMTP) service. Proxies having virus
and attack scanning programs should be
implemented at the outer firewall.
The Dribs most sensitive data and systems should reside in
the internal network. The inner firewall sitting between DMZ and
internal network
will block all traffic, except those specifically authorized
toenter the internal network
-
8/10/2019 16. Firewalls
18/25
18
An Example of Using Firewalls (cont.)
Mail server
Outer Firewall
Internal
DNS server
Internet
Web Server
DMZINTERNAL Inner Firewall
Internal
mail server
DNS serverCorporate
data subnet
Customer
data subnet
Development subnet
Network designed for the Dribble Corporation
-
8/10/2019 16. Firewalls
19/25
19
An Example of Using Firewalls (cont.)
Outer firewall configuration The outer firewall is a
proxy-based
firewall.
When e-mail connection is initiated, the
mail proxy on the firewall collects themail, analyzes it for
computer virusesand other forms of malicious logic. Ifnone is
found, it forwards the mail tothe DMZ mail server.
Similarly, when a web connectionarrives, the web proxy scans
themessage for any suspiciouscomponents, if none is found,
itforwards the messages to DMZ webserver.
Mail server
Outer Firewall
Internet
Web Server
DMZ
-
8/10/2019 16. Firewalls
20/25
Stephen S. Yau 20CSE 465-591, Fall 2006
D
MZ
An Example of Using Firewalls (cont.)
Inner firewall configuration
The inner firewall is also a proxy-basedfirewall.
Mail connections through the inner
firewall are allowed, and all emails aresent to DMZ mail server
for disposition
Disallows packets containing sensitive
information (detected by the proxies in
the inner firewall) to reach DMZ All other traffic, including
web access,
are blocked
Internal
DNS server
INTERNALInner Firewall
Internal
mail server
Corporate
data subnet
Customer
data subnet
Development subnet
-
8/10/2019 16. Firewalls
21/25
Stephen S. Yau 21CSE 465-591, Fall 2006
Choosing a Firewall
What OS required and other OSs supported? How much CPU/RAM/Disk
space it needs?
What is the authentication scheme?
Does it support logging?What hardware is provided?
What software is provided?
What is the cost for installing and operatingthe firewall?
What are other features?
-
8/10/2019 16. Firewalls
22/25
Stephen S. Yau 22CSE 465-591, Fall 2006
Firewall Design Criteria
Organizations deciding to use firewalls must analyzetheir
security needs. Potential risks and threats must
becontemplated.
The following considerations may affect design andextensiveness
of implementation of firewalls: Organizational policies
What level of access control does managementwant?The desired
level of monitoring and access must
be determined.What level of risk is the organization willing
to
accept?
-
8/10/2019 16. Firewalls
23/25
Stephen S. Yau 23CSE 465-591, Fall 2006
Firewall Design Criteria (cont.)
A checklist of what messages should be monitored,permitted and
denied must be established.
The cost of various firewall programs, including
on-goingmaintenance, must be considered against the potential
threat. What would be the potential cost/damage of attacksto the
system from outside?
The number, placement, and types of firewalls to be usedmust be
determined.
Firewalls should have packet filtering, circuit-level
controls,and application-level proxies in order to provide
effectivesecurity.
What is the estimated overhead in using the
selectedfirewalls?
-
8/10/2019 16. Firewalls
24/25
Stephen S. Yau 24CSE 465-591, Fall 2006
Some Commercially
Available Firewalls Hardware Linksys Etherfast Cable/DSL
Firewall Router, Microsoft
MN-100, D-Link Express EtherNetwork
Mac OS X servers DoorStop Server Firewall, Firewall X2,
Impasse,
IPNetSentry, Net Barrier
Linux
IP tables, SINUS, ipchains Windows
BlackICE, Kerio, McAfee, Norton Personal Firewall,Outpost,
Sygate, Terminet, and ZoneAlarm
-
8/10/2019 16. Firewalls
25/25
Stephen S. Yau 25CSE 465-591, Fall 2006
References
Matt Bishop, Introduction to Computer Security,
Addison-Wesley,2004, ISBN: 0321247442
Matt Bishop, Computer Security: Art and Science, Addison-
Wesley,2002, ISBN: 0201440997
M. Merkow, J. Breithaupt, Information Security: Principles
andPractices,Prentice Hall, August 2005, 448 pages,
ISBN0131547291
J. G. Boyce, D. W. Jennings, Information
Assurance:ManagingOrganizational IT Security Risks. Butterworth
Heineman, 2002,ISBN 0-7506-7327-3
http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html
http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.htmlhttp://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html
![IP address spoofing and traceback Firewalls - CCS Labsdressler/teaching/netzwerksicherheit-ws0708/16... · IP address spoofing and traceback Firewalls [NetSec], ... Economic and social](https://img.dokumen.tips/doc/110x75/5ae4806d7f8b9ad47c8fc5ae/ip-address-spoofing-and-traceback-firewalls-ccs-dresslerteachingnetzwerksicherheit-ws070816ip.jpg)
