
Security Firewall


DESCRIPTION

Security Firewall. Firewall design principles. Firewall characteristics. Types of firewalls. Firewall components and configurations. Firewall design principles: information systems undergo a steady evolution (from small LANs to Internet connectivity). - PowerPoint PPT Presentation


Page 1: Security Firewall

Security Firewall

Firewall design principle.

Firewall Characteristics.

Types of Firewalls.

Firewall Components & Configurations.

Page 2: Security Firewall

Firewall Design Principles.

• Information systems undergo a steady evolution (from small LANs to Internet connectivity).

• Strong security features for all workstations and servers are not established.

Page 3: Security Firewall

Firewalls

• An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet.

Page 4: Security Firewall

Firewall Design Principles

• The firewall is inserted between the premises network and the Internet.

• Aims:

1. Establish a controlled link.

2. Protect the premises network from Internet-based attacks.

3. Provide a single choke point.

Page 5: Security Firewall

Firewalls Characteristics

• Design goals:

1. All traffic from the inside to the outside must pass through the firewall (physically blocking all access to the local network except via the firewall).

2. Only authorized traffic (as defined by the local security policy) will be allowed to pass.

Page 6: Security Firewall

Firewall Characteristics

• Design goals:

3. The firewall itself is immune to penetration (use of trusted systems with secure operating systems).

Page 7: Security Firewall

Firewall Characteristics

• Four general techniques:

1. Service Control: determines the types of Internet services that can be accessed, inbound or outbound.

2. Direction Control: determines the direction in which particular service requests are allowed to flow.

Page 8: Security Firewall

Firewall Characteristics

3. User Control: controls access to a service according to which user is attempting to access it.

4. Behavior Control: controls how particular services are used (e.g. filtering e-mail).

Page 9: Security Firewall

Types of Firewalls

• Three common types of firewalls:

1. Packet-filtering router.

2. Application-level gateway.

3. Circuit-level gateway.

4. (Bastion host).

Page 10: Security Firewall

Packet-Filtering-Router

Figure: Packet Filtering Router Firewall (Internet, packet filtering router, private network).

Page 11: Security Firewall

Packet-Filtering-Router

• Applies a set of rules to each incoming IP packet and then forwards or discards the packet.

• Filters packets going in both directions.

• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.

• Two default policies (discard or forward) apply to packets that match no rule.

Page 12: Security Firewall

Packet-Filtering-Router

• Advantages:

1. Simplicity.

2. Transparency to users.

3. High speed.

• Disadvantages:

1. Difficulty of setting up packet filter rules.

2. Lack of authentication.

Page 13: Security Firewall

Application-Level-Gateway

Figure: Application Level Gateway (outside host, outside connection, gateway running TELNET, FTP, SMTP and HTTP proxies, inside connection, inside host).

Page 14: Security Firewall

Application-Level-Gateway

• Also called a proxy server.

• Acts as a relay of application-level traffic.

Page 15: Security Firewall

Application-Level-Gateway

• Advantages:

1. Higher security than a packet filter.

2. Only need to scrutinize a few allowable applications.

3. Easy to log and audit all incoming traffic.

• Disadvantages:

1. Additional processing overhead on each connection (the gateway acts as a splice point).

Page 16: Security Firewall

Circuit Level Gateway

Figure: Circuit Level Gateway (outside host and outside connection, gateway relaying OUT and IN circuits, inside host and inside connection).

Page 17: Security Firewall

Circuit Level Gateway

• Stand-alone system, or a specialized function performed by an application-level gateway.

• Sets up two TCP connections.

• The gateway typically relays TCP segments from one connection to the other without examining the contents.

Page 18: Security Firewall

Circuit Level Gateway

• The security function consists of determining which connections will be allowed.

• Typical use is a situation in which the system administrator trusts the internal users.

• An example is the SOCKS package.

Page 19: Security Firewall

Bastion Host

• A system identified by the firewall administrator as a critical strong point in the network's security.

• The Bastion host serves as a platform for an application-level or circuit-level gateway.

Page 20: Security Firewall

Bastion Host

• In addition to the simple configuration of a single system (a single packet filtering router or a single gateway), more complex configurations are possible.

• Three common configurations:

Page 21: Security Firewall

Screened host firewall system

• Also called single homed bastion host.

Figure: Screened Host Firewall, single homed bastion host (Internet, packet filtering router, private network with bastion host and information server).

Page 22: Security Firewall

Screened host firewall (1)

• Configuration: consists of two systems, which are:

1. Packet filtering router: only packets from and to the bastion host are allowed to pass.

2. Bastion host: performs authentication and proxy functions.
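As an added example (not part of the original slides), a small Python model of the packet filter described on Pages 11 and 12, applied as the packet filtering router policy of the screened host configuration above: rules match fields in the IP/TCP header, the first matching rule wins, and the default policy (discard or forward) decides everything else. The addresses, the `Packet`/`Rule` classes and the `demo` helper are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass(frozen=True)
class Packet:  # header fields the filter matches on (constructed model)
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    direction: str = "in"       # "in" = from the Internet, "out" = towards it

@dataclass(frozen=True)
class Rule:  # one filter rule; a None field means "any"
    action: str                 # "forward" or "discard"
    direction: Optional[str] = None
    src: Optional[str] = None   # CIDR prefix
    dst: Optional[str] = None   # CIDR prefix
    proto: Optional[str] = None
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules: list, p: Packet, default: str = "discard") -> str:
    """First matching rule wins; otherwise the default policy (discard or forward)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default
# Constructed addresses: private network 192.0.2.0/24, bastion host 192.0.2.10.
BASTION = "192.0.2.10/32"
# Packet filtering router of a screened host firewall: only packets from and to
# the bastion host are allowed to pass; everything else hits the default policy.
SCREENED_HOST_RULES = [
    Rule("forward", direction="in", dst=BASTION),
    Rule("forward", direction="out", src=BASTION),
]

def demo(internet: str = "203.0.113.5") -> dict:
    """Router decisions for constructed packets under the default-discard policy."""
    cases = {
        "to_bastion": Packet(internet, "192.0.2.10", "tcp", 25),
        "to_internal_host": Packet(internet, "192.0.2.20", "tcp", 80),
        "from_bastion": Packet("192.0.2.10", internet, "tcp", 443, "out"),
        "from_internal_host": Packet("192.0.2.20", internet, "tcp", 443, "out"),
    }
    return {name: filter_packet(SCREENED_HOST_RULES, p) for name, p in cases.items()}
```

With the same rule list, switching the default to "forward" would let the internal-host packets through, which is why the default policy is as much a part of the security policy as the rules themselves.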

Page 23: Security Firewall

Screened host firewall (2)

• Greater security than the single-system configuration, for two reasons:

1. This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining the security policy).

2. An intruder must generally penetrate two separate systems.

Page 24: Security Firewall

Screened host firewall (3)

• This configuration also affords flexibility in providing direct Internet access (to a public information server, e.g. a web server).

Page 25: Security Firewall

Dual Homed Bastion Host

Figure: Dual Homed Bastion Host (Internet, packet filtering router, bastion host, private network with information server).

Page 26: Security Firewall

Dual Homed Bastion Host

• Addresses the case in which the packet filtering router is completely compromised.

• Traffic between the Internet and other hosts on the private network has to flow through the bastion host, which is physically attached to both networks.

Page 27: Security Firewall

Screened Subnet Firewall System

Figure: Screened Subnet Firewall System (Internet, outer packet filtering router, screened subnet with bastion host, modem and information server, inner packet filtering router, private network).

Page 28: Security Firewall

Screened Subnet Firewall System

• The most secure of the three known bastion host configurations.

• Two packet filtering routers are used.

• Creates an isolated sub-network (the screened subnet) between them.

Page 29: Security Firewall

Screened Subnet Firewall System

• Advantages:

- Three levels of defense to thwart intruders.

- The outside router advertises only the existence of the screened sub-net to the Internet (the internal network is invisible to the Internet).

Page 30: Security Firewall

Screened Subnet Firewall System

• Advantages:

- The inside router advertises only the existence of the screened sub-net to the internal network (the systems on the inside cannot construct direct routes to the Internet).