
C. Ding -- COMP581 -- L25 1

Lecture 25: Firewalls

- Introduce several types of firewalls
- Discuss their advantages and disadvantages
- Compare their performances
- Demonstrate their applications

C. Ding -- COMP581 -- L25 2

What is a Firewall?

A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.

The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

C. Ding -- COMP581 -- L25 3

In other words…

“A data sentry at the gateway to your network, combining the power of multiple firewall technologies to deliver powerful perimeter security”

C. Ding -- COMP581 -- L25 4

What a Firewall does

- Implement security policies at a single point
- Monitor security-related events (audit, log)
- Provide strong authentication
- Allow virtual private networks

C. Ding -- COMP581 -- L25 5

What a Firewall does not do

- Protect against attacks that bypass the firewall
  - e.g. dial-out from an internal host to an ISP
- Protect against internal threats
  - a disgruntled employee
  - an insider who cooperates with an external attacker
- Protect against the transfer of virus-infected programs or files

C. Ding -- COMP581 -- L25 6

Firewall - Typical layout

A firewall denies or permits access based on policies and rules.

[Figure: Protected Private Network <-> Firewall <-> Internet]

C. Ding -- COMP581 -- L25 7

Watching for attack

[Figure: Protected Private Network <-> Firewall <-> Internet; an attack arriving from the Internet is detected by the firewall, which monitors and logs it and notifies the administrator]

C. Ding -- COMP581 -- L25 8

Firewall technologies

Common firewall technologies may be classified into four categories:

- Packet Filtering Firewalls
- Circuit Level Firewalls
- Application Gateway Firewalls (or proxy servers)
- Stateful Inspection Firewalls (dynamic packet filtering firewalls)

These technologies operate at different levels of detail, providing varying degrees of network access protection. They are not mutually exclusive: some firewall products implement several of these technologies simultaneously.

C. Ding -- COMP581 -- L25 9

The Internet protocol stack

[Figure: the protocol stack, with WAN and LAN examples at each layer]

| Layer       | WAN                           | LAN                   |
|-------------|-------------------------------|-----------------------|
| Application |                               |                       |
| Transport   | TCP, UDP . . .                | TCP, UDP . . .        |
| Network     | IP                            | IP                    |
| Data Link   | PPP, Frame Relay . . .        | Drivers, MAC Address  |
| Physical    | Leased Line, ISDN, xDSL . . . | LAN Interface Card    |

C. Ding -- COMP581 -- L25 10

Packet Filtering Firewalls

C. Ding -- COMP581 -- L25 11

Packet Filtering firewalls

- The original firewall
- Works at the network level of the OSI model
- Applies packet filters based on access rules:
  - Source address
  - Destination address
  - Application or protocol
  - Source port number
  - Destination port number

C. Ding -- COMP581 -- L25 12

Packet Filtering firewalls

C. Ding -- COMP581 -- L25 13

Packet Filtering firewalls

Packet Filtering is usually an integrated function of a router.

Packet filtering relies on Network Layer and Transport Layer information contained in the headers of data packets to police traffic.

This information includes source IP address and port number, destination IP address and port number, and protocol used (e.g., TCP, UDP, ICMP). This information is used as the criteria in network access rules. These rules are organized into several “filter sets” and each set handles traffic coming to the firewall over a specific interface.

C. Ding -- COMP581 -- L25 14

Packet Filtering Policy Example

| Action | My host (name) | My host (port) | Other host (name) | Other host (port) | Comments                 |
|--------|----------------|----------------|-------------------|-------------------|--------------------------|
| block  | *              | *              | microsoft.com     | *                 | Block everything from MS |
| allow  | My-gateway     | 25             | *                 | *                 | Allow incoming mail      |

C. Ding -- COMP581 -- L25 15

Packet Filtering Policy Example

| Rule | Direction | Source Address | Destination Address | Protocol | Source Port | Destination Port | Action |
|------|-----------|----------------|---------------------|----------|-------------|------------------|--------|
| 1    | Out       | *              | 10.56.199*          | *        | *           | *                | Drop   |
| 2    | Out       | 10.56*         | 10.122*             | TCP      | *           | 23 (Telnet)      | Pass   |
| 3    | In        | 10.122*        | 10.56.199*          | TCP      | 23 (Telnet) | *                | Pass   |
| 4    | In & Out  | *              | 10.56.199*          | TCP      | *           | 25 (Mail)        | Pass   |
| 5    | In        | *              | *                   | TCP      | *           | 513 (rlogin)     | Drop   |
| 6    | In        | 201.32.4.76    | *                   | *        | *           | *                | Drop   |
| 7    | Out       | *              | *                   | TCP      | *           | 20 (FTP)         | Pass   |
| 8    | In        | *              | 10.56.199*          | TCP      | *           | 20 (FTP)         | Drop   |

C. Ding -- COMP581 -- L25 16

Web Access Through a Packet Filter Firewall

ACK = positive acknowledgement message sent to the sender by the receiver. In TCP it is just one bit (a flag) in the segment header.
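Added example (not from the lecture slides): a first-match packet-filter evaluator that applies the eight rules of the policy table on slide 16 to constructed packets, plus a two-rule web-access policy for the slide 17 scenario, where a stateless filter lets return traffic in by looking at the ACK flag. The rule table is transcribed from the slide; the test packets, the default-deny fallback when no rule matches, and the web-access policy itself are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (it never sees the payload)."""
    direction: str      # "In" (from the Internet) or "Out" (to the Internet)
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "TCP", "UDP", "ICMP", ...
    sport: int          # source port
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag: set on every segment except a connection-opening SYN


def addr_matches(pattern: str, addr: str) -> bool:
    """Slide 16 wildcards: '*' is anything, '10.56.199*' is an octet prefix, otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        want = pattern[:-1].rstrip(".").split(".")
        return addr.split(".")[: len(want)] == want
    return addr == pattern


def field_matches(pattern, value) -> bool:
    return pattern == "*" or pattern == value


def direction_matches(pattern: str, direction: str) -> bool:
    return pattern == "In & Out" or pattern == direction


# (rule, direction, src addr, dst addr, proto, src port, dst port, action), transcribed from slide 16
SLIDE16_RULES = [
    (1, "Out",      "*",           "10.56.199*", "*",   "*", "*",  "Drop"),
    (2, "Out",      "10.56*",      "10.122*",    "TCP", "*", 23,   "Pass"),  # Telnet
    (3, "In",       "10.122*",     "10.56.199*", "TCP", 23,  "*",  "Pass"),  # Telnet replies
    (4, "In & Out", "*",           "10.56.199*", "TCP", "*", 25,   "Pass"),  # Mail
    (5, "In",       "*",           "*",          "TCP", "*", 513,  "Drop"),  # rlogin
    (6, "In",       "201.32.4.76", "*",          "*",   "*", "*",  "Drop"),
    (7, "Out",      "*",           "*",          "TCP", "*", 20,   "Pass"),  # FTP data
    (8, "In",       "*",           "10.56.199*", "TCP", "*", 20,   "Drop"),  # FTP data
]


def filter_packet(pkt: Packet, rules=SLIDE16_RULES, default="Drop"):
    """First matching rule wins; (default, None) when nothing matches.
    The default-deny fallback is an assumption: the slide does not state one."""
    for num, direction, src, dst, proto, sport, dport, action in rules:
        if (direction_matches(direction, pkt.direction)
                and addr_matches(src, pkt.src) and addr_matches(dst, pkt.dst)
                and field_matches(proto, pkt.proto)
                and field_matches(sport, pkt.sport)
                and field_matches(dport, pkt.dport)):
            return action, num
    return default, None


def web_access_filter(pkt: Packet) -> str:
    """Slide 17 scenario with an assumed two-rule policy: inside hosts may open TCP/80 outwards,
    and packets from TCP/80 are let back in only when ACK is set, i.e. when they claim to belong
    to a conversation an inside host started. A stateless filter cannot verify that claim."""
    if pkt.direction == "Out" and pkt.proto == "TCP" and pkt.dport == 80:
        return "Pass"
    if pkt.direction == "In" and pkt.proto == "TCP" and pkt.sport == 80 and pkt.ack:
        return "Pass"
    return "Drop"


if __name__ == "__main__":
    # constructed packets; note that rule 4 lets mail from 201.32.4.76 in although rule 6 blocks that host
    for pkt in [Packet("Out", "10.56.1.2", "10.122.3.4", "TCP", 40000, 23),
                Packet("In", "201.32.4.76", "10.56.199.9", "TCP", 1234, 25),
                Packet("In", "201.32.4.76", "10.56.199.9", "TCP", 1234, 80)]:
        print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dport, filter_packet(pkt))
```

Two things this makes concrete from the slides that follow: rule order matters (rule 4 admits mail from 201.32.4.76 before rule 6 ever sees the packet, which is the "hard to configure, hard to test" point of slide 18), and an ACK-only check admits any inbound packet with the flag set, since the filter keeps no memory of which sessions were actually opened; that gap is what stateful inspection closes.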

C. Ding -- COMP581 -- L25 17

Packet Filtering Firewalls

[Figure: a Firewall/Router between the Internet and the Internal Network. Each side has Physical, Data Link and Network layers; an Input Filter on the Internet side and an Output Filter on the internal side each apply Access Rules at the Network layer, with the Router in between.]

C. Ding -- COMP581 -- L25 18

Packet Filtering Firewalls: pros and cons

Advantages:
- Simple, low cost, transparent to user

Disadvantages:
- Hard to configure filtering rules
- Hard to test filtering rules
- Don't hide network topology (due to transparency)
- May not be able to provide enough control over traffic

C. Ding -- COMP581 -- L25 19

Circuit Level Firewalls (Circuit Level Gateways)

C. Ding -- COMP581 -- L25 20

Circuit Level Firewalls

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP

Monitor TCP handshaking between packets to determine whether a requested session is legitimate.

C. Ding -- COMP581 -- L25 21

Circuit Level Firewalls

C. Ding -- COMP581 -- L25 22

Application Gateway Firewalls (Proxy Firewalls)

C. Ding -- COMP581 -- L25 23

Application Gateway firewalls

- Similar to circuit-level gateways except that they are application specific.
- Every connection between two networks is made via an application program called a proxy.
- Proxies are application or protocol specific.
- Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected.
- A gateway that is configured to be a web proxy will not allow any FTP, gopher, telnet or other traffic through.

C. Ding -- COMP581 -- L25 24

Application Gateway Firewalls

[Figure: the Firewall between the Internet and the Internal Network. Each side has Physical, Data Link, Network, Transport and Application layers with a Router at the Network layer; the two sides are joined only at the top, through the Application Proxies.]

C. Ding -- COMP581 -- L25 25

Application Gateway Firewalls

C. Ding -- COMP581 -- L25 26

Application Gateway Strengths

- Very secure if used in conjunction with an intelligent packet filtering firewall
- Well designed proxies provide excellent security

C. Ding -- COMP581 -- L25 27

Application Gateway weaknesses

- Very CPU intensive
- Requires a high performance host computer
- Host operating system liable to attack
- Many proxies are transparent to the application
- Not transparent to users
- Expensive

C. Ding -- COMP581 -- L25 28

Stateful Inspection Firewalls

C. Ding -- COMP581 -- L25 29

Stateful Inspection Firewalls

Third generation firewall technology, often referred to as dynamic packet filtering

Understands data in packets from the network layer (IP headers) up to the Application Layer

Tracks the state of communication sessions

C. Ding -- COMP581 -- L25 30

Stateful Inspection Firewalls

[Figure: the Firewall/Router between the Internet and the Internal Network. Each side has Physical, Data Link and Network layers with a Router; above them sits the Inspection Module, which holds Access Rules for the Network and Transport layers and a State Table for the Application layer.]

C. Ding -- COMP581 -- L25 31

Dynamic Filtering

Stateful Inspection firewalls dynamically open and close ports (application specific connection points) based on access policies.

[Figure: Protected Private Network <-> Firewall <-> Internet]
1. User initiates web session.
2. Firewall checks policies to validate the sending computer and allows traffic to pass to the public network.
3. Return traffic for the validated web session is permitted and the state of the flow is monitored.
4. Other traffic from the public network is blocked.

C. Ding -- COMP581 -- L25 32

Stateful Inspection Strengths

- Monitors the state of all data flows
- Dynamically adapts filters based on defined policies and rules
- Easily adapted to new Internet applications
- Transparent to users
- Low CPU overheads

C. Ding -- COMP581 -- L25 33

Stateful Inspection Weaknesses

- Need to provide a new client program
- Might have problems with the availability of source code for various platforms

C. Ding -- COMP581 -- L25 34

Stateful Inspection Firewalls

These are among the most secure firewalls available today

“fooling them can be a lot of work” -- Jon McCown, network security analyst for the U.S. National Computer Security Agency (NCSA)

C. Ding -- COMP581 -- L25 35

General Performance

C. Ding -- COMP581 -- L25 36

Other Issues about Firewalls

C. Ding -- COMP581 -- L25 37

RADIUS Support

- Remote Authentication Dial-In User Services
- A single, central security database for all system users
- Centralised management of access lists

C. Ding -- COMP581 -- L25 38

Remote access security

[Figure: a remote dial-in user connects through telephony services to the firewall at the head office]
1. Dial-in user is authenticated.
2. Firewall policy is assigned to the dial-in user before the connection to the network is completed.

C. Ding -- COMP581 -- L25 39

Stateful Inspection Implementation

[Figure: Protected private network <-> Firewall <-> Internet]
1. User initiates web session.
2. Firewall checks policy rules to validate the sender.
3. Firewall opens the required port and allows traffic to pass to the public network.
4. Return traffic for the validated web session is permitted and the state of the flow is monitored.

C. Ding -- COMP581 -- L25 40

Network Address Translation

[Figure: Protected private network <-> Firewall <-> Internet]
1. User communicates with the Internet using a private IP address.
2. Firewall substitutes a public address for the private address and forwards to the Internet.
3. Firewall translates the return flow from the public address back to the private address.

C. Ding -- COMP581 -- L25 41

Application Level Gateway Example

[Figure: Internet <-> Application Level Gateway <-> FTP Server]
1. FTP connection initiated from the public network.
2. Access rules verified.
3. Application Level Gateway completes the connection.
4. If the connection is valid, the state table is updated and the connection to the FTP Server is established.

C. Ding -- COMP581 -- L25 42

Session Logging

The firewall can be configured to log an extensive range of events, including:
- All denied packets
- All allowed packets
- Selected allowed and denied packet types
- Etc.

C. Ding -- COMP581 -- L25 43

Notification (SNMP/SMTP)

[Figure: Protected private network <-> Firewall <-> Internet]
1. Firewall detects an attack (port scan).
2. SNMP trap message is sent to the management platform.
3. Email is sent to the specified address.

SNMP: simple network management protocol

C. Ding -- COMP581 -- L25 44

Notification and Reconfiguration

[Figure: Internet <-> Firewall <-> DMZ with Web Server <-> Protected private network]
1. Firewall detects an attack (SYN flood) against the web server.
2. Firewall is automatically reconfigured to deny all external access to the web server.
3. Email is sent to the system manager.

C. Ding -- COMP581 -- L25 45

Secure management

- Secure, encrypted and authenticated remote management via Secure Shell (SSH)
- RSA encryption keys 512 - 2048 bits
- DES and Triple DES encryption for SSH sessions
- Can limit access to specific user addresses

C. Ding -- COMP581 -- L25 46

Network configuration examples

C. Ding -- COMP581 -- L25 47

[Figure: Protected private network <-> Firewall <-> Internet]
- Allow all access from the private network to the Internet
- Deny all access from the Internet to the private network

C. Ding -- COMP581 -- L25 48

Semi-Militarised Zone

[Figure: Internet <-> SMZ Firewall <-> Semi Militarised Zone (SMZ) with Mail Server and WEB Server <-> Protected private network for corporate servers and users]
- SMZ firewall policy limits incoming access from the public network to the WEB and mail servers
- All other incoming traffic is blocked
- All unauthorised traffic to the private network is blocked

C. Ding -- COMP581 -- L25 49

Private LAN stays secure

[Figure: Internet <-> Semi-Militarised Zone (SMZ) with Mail Server and WEB Server <-> Protected private network; speech bubble on the Internet side: "Login: hacker, Password: please, OK Then!"]

C. Ding -- COMP581 -- L25 50

Demilitarised Zone

[Figure: Internet <-> Firewall <-> Demilitarised Zone (DMZ) with Mail Server and WEB Server <-> Protected private network]
- Open access between the private LAN and the DMZ
- Static filters between the private LAN and the DMZ used to control access (e.g. "Allow SMTP, from here to there only")

C. Ding -- COMP581 -- L25 51

Concluding Remarks

All a firewall can do is control network activity between OSI levels 2 and 7.

Firewalls cannot keep out data carried inside applications, such as viruses within email messages: there are just too many ways of encoding data to be able to filter out this kind of threat.

Although firewalls give today's private networks a high level of security towards the outside world, we still need the assistance of other related security components in order to guarantee proper network security.