p Vl Firewalls


Transcript of p Vl Firewalls

  • 8/12/2019 p Vl Firewalls

    1/31

    Firewalls

    Dr. P. V. Lakshmi

    Information Technology, GIT, GITAM University


  • 3/31

    Firewall Design Principles

    Information systems have undergone a steady evolution (from small LANs to Internet connectivity).

    Strong security features for all workstations and servers are not established.

  • 4/31

    Firewall Design Principles cont..

    The firewall is inserted between the premises network and the Internet.

    Aims:

    Establish a controlled link.

    Protect the premises network from Internet-based attacks.

    Provide a single choke point.

  • 5/31

    Firewall Characteristics

    Design goals:

    All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall).

    Only authorized traffic (defined by the local security policy) will be allowed to pass.

    The firewall itself is immune to penetration (use of a trusted system with a secure operating system).

  • 6/31

    Firewall Characteristics cont..

    Four general techniques:

    Service control: determines the types of Internet services that can be accessed, inbound or outbound.

    Direction control: determines the direction in which particular service requests are allowed to flow through the firewall.

  • 7/31

    Firewall Characteristics cont..

    User control: controls access to a service according to which user is attempting to access it.

    Behavior control: controls how particular services are used (e.g. filter e-mail).

  • 8/31

    Scope of firewalls

    A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.

    A firewall provides a location for monitoring security-related events.

    A firewall is a convenient platform for several Internet functions that are not security related.

    A firewall can serve as a platform for IPSec.

  • 9/31

    Firewall Limitations

    Cannot protect against attacks that bypass it, e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH).

    Cannot protect against internal threats, e.g. a disgruntled employee.

    Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types.

  • 10/31

    Types of Firewalls

    Three common types of firewalls:

    Packet-filtering routers

    Application-level gateways

    Circuit-level gateways

    Bastion host

  • 11/31

    Packet-filtering Router

  • 12/31

    Packet-filtering Router

    Applies a set of rules to each incoming IP packet and then forwards or discards the packet. Filters packets going in both directions.

    The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.

    Two default policies (discard or forward).

  • 13/31

    Advantages:

    Simplicity

    Transparency to users

    High speed

    Disadvantages:

    Difficulty of setting up packet filter rules

    Lack of Authentication

  • 14/31

    Possible attacks and appropriate countermeasures

    IP address spoofing

    Source routing attacks

    Tiny fragment attacks
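    As an added example (not code from the original slides), the following Python toy packet-filtering router shows the three ideas of slides 12 to 14 working together: a list of rules matched against IP/TCP header fields, a default policy of discard or forward, and the header checks a router applies against the three attacks listed above. The premises network 192.168.10.0/24, the mail server address, the rule set and the packets are constructed assumptions, and the 20-byte minimum first fragment is a chosen threshold, not a value from the slides.

```python
"""Toy packet-filtering router in the style of the slides.

Added example, not code from the original slides: a rule list matched
against IP/TCP header fields with a default policy (discard or forward),
plus header sanity checks for IP address spoofing, source routing and tiny
fragments. All networks, addresses and rules are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("192.168.10.0/24")   # constructed premises network
MAIL_SERVER = "192.168.10.5/32"          # constructed inside SMTP host
TCP_HEADER_LEN = 20                      # base TCP header; must fit in the first fragment (chosen threshold)


@dataclass
class Packet:
    """Only the header fields a packet filter looks at (constructed model)."""
    direction: str          # "in" = from the Internet, "out" = to the Internet
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag: set on every segment except the first of a connection
    frag_offset: int = 0    # IP fragment offset, in 8-byte units
    more_frags: bool = False
    payload_len: int = 0    # transport-layer bytes carried by this fragment
    source_routed: bool = False  # IP source-route option present


@dataclass
class Rule:
    """A rule matches when every field that is set agrees with the packet."""
    action: str                     # "forward" or "discard"
    direction: Optional[str] = None
    src: Optional[str] = None       # CIDR
    dst: Optional[str] = None       # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.direction is None or p.direction == self.direction,
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            self.ack is None or p.ack == self.ack,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
        ))


def sanity_check(p: Packet) -> Optional[str]:
    """Countermeasures applied before the rule list; returns a discard reason or None."""
    # IP address spoofing: a packet arriving from the Internet claiming an inside source.
    if p.direction == "in" and ip_address(p.src) in INSIDE:
        return "spoofed inside source address"
    # Source routing: discard anything carrying the option instead of honouring the route.
    if p.source_routed:
        return "source routing option present"
    if p.proto == "tcp":
        # Tiny fragment: a first fragment too short to hold the TCP header the rules inspect.
        if p.frag_offset == 0 and p.more_frags and p.payload_len < TCP_HEADER_LEN:
            return "tiny first fragment"
        # A later fragment whose offset lands inside the TCP header could overwrite it.
        if 0 < p.frag_offset * 8 < TCP_HEADER_LEN:
            return "fragment overlaps TCP header"
    return None


def filter_packet(rules, p: Packet, default: str = "discard"):
    """First matching rule wins; the default policy applies when nothing matches."""
    reason = sanity_check(p)
    if reason is not None:
        return "discard", reason
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return default, "default policy"


# Constructed rule set: service control (ports) and direction control (in/out).
RULES = [
    Rule("forward", direction="out", proto="tcp", src=str(INSIDE)),            # inside hosts may open TCP outward
    Rule("forward", direction="in", proto="tcp", ack=True, dst=str(INSIDE)),   # replies to those connections (ACK set)
    Rule("forward", direction="in", proto="tcp", dport=25, dst=MAIL_SERVER),   # inbound mail only to the mail server
]

if __name__ == "__main__":
    probe = Packet("in", "203.0.113.9", "192.168.10.7", "tcp", 4444, 23)   # constructed inbound telnet attempt
    print(filter_packet(RULES, probe))
```

    Rule 1 trusts the ACK flag alone, because a stateless filter keeps no record of which connections the inside actually opened; that is the "lack of authentication" disadvantage the slides list, and it is why the spoofing and fragment checks run before the rule list rather than being left to the rules.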


  • 16/31

    Application-level Gateway

    Also called a proxy server. Acts as a relay of application-level traffic.

    Advantages:

    Higher security than packet filters.

    Only need to scrutinize a few allowable applications.

    Easy to log and audit all incoming traffic.

    Disadvantages:

    Additional processing overhead on each connection (gateway as splice point).

  • 17/31

    Circuit-level Gateway

  • 18/31

    Circuit-level Gateway

    Stand-alone system, or a specialized function performed by an application-level gateway.

    Sets up two TCP connections.

    The gateway typically relays TCP segments from one connection to the other without examining the contents.

  • 19/31

    The security function consists of determining which connections will be allowed.

    Typical use is a situation in which the system administrator trusts the internal users.

    An example is the SOCKS package.
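    As an added example (not code from the original slides, and not the SOCKS package itself), the following Python toy circuit-level gateway shows the two halves of slides 18 and 19: the gateway's only security decision is whether a circuit may be set up, and once it is, bytes are copied between the two TCP connections without being examined. socket.socketpair() stands in for the real inside and outside TCP connections, and the trusted network 192.168.10.0/24 and the permitted destination ports are constructed assumptions.

```python
"""Toy circuit-level gateway.

Added example, not code from the original slides and not SOCKS: the gateway
decides which connections are allowed (its only security function), then
relays bytes between the two connections without inspecting them.
socket.socketpair() stands in for the inside and outside TCP connections;
the trusted network and permitted ports are constructed.
"""
import select
import socket
import threading
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INSIDE = ip_network("192.168.10.0/24")   # constructed: the internal users the administrator trusts
PERMITTED_PORTS = {22, 80, 443}          # constructed: services inside users may reach outside


def connection_allowed(client_ip: str, dst_ip: str, dst_port: int) -> bool:
    """The security function: only trusted inside users may open circuits, only outward,
    and only to the permitted services."""
    return (ip_address(client_ip) in INSIDE
            and ip_address(dst_ip) not in INSIDE
            and dst_port in PERMITTED_PORTS)


def relay(a: socket.socket, b: socket.socket, bufsize: int = 4096) -> int:
    """Copy bytes in both directions between a and b until either side closes.
    Nothing is parsed or filtered here. Returns the number of bytes relayed."""
    peer = {a: b, b: a}
    relayed = 0
    try:
        while True:
            readable, _, _ = select.select([a, b], [], [])
            for s in readable:
                data = s.recv(bufsize)
                if not data:              # one side hung up: tear down the whole circuit
                    return relayed
                peer[s].sendall(data)     # forwarded unchanged
                relayed += len(data)
    finally:
        for s in (a, b):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def open_circuit(client_ip: str, dst_ip: str, dst_port: int
                 ) -> Optional[Tuple[socket.socket, socket.socket, threading.Thread]]:
    """Accept a client, apply the policy, and splice two connections together.
    A real gateway would connect() to dst_ip:dst_port; socketpair() stands in here.
    Returns (client socket, server socket, relay thread), or None if refused."""
    if not connection_allowed(client_ip, dst_ip, dst_port):
        return None
    client_end, gw_client_end = socket.socketpair()   # the inside TCP connection
    gw_server_end, server_end = socket.socketpair()   # the outside TCP connection
    t = threading.Thread(target=relay, args=(gw_client_end, gw_server_end), daemon=True)
    t.start()
    return client_end, server_end, t


def demo() -> Tuple[bytes, bytes]:
    """Push a constructed request and reply through an allowed circuit;
    returns what the server side and the client side each received."""
    client_end, server_end, t = open_circuit("192.168.10.7", "203.0.113.9", 80)
    request = b"GET / HTTP/1.0\r\n\r\n"            # constructed
    reply = b"HTTP/1.0 200 OK\r\n\r\nhello"        # constructed
    client_end.sendall(request)
    got_request = server_end.recv(4096)
    server_end.sendall(reply)
    got_reply = client_end.recv(4096)
    client_end.close()          # client hangs up; the relay tears down the other side
    t.join(timeout=5)
    server_end.close()
    return got_request, got_reply


if __name__ == "__main__":
    print(demo())
```

    Because the relay never looks inside the byte stream, the gateway cannot apply behavior control (the application-level gateway's strength); it only controls which circuits exist, which is exactly why the slides describe it as suited to a network whose internal users are trusted.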

  • 20/31

    Bastion Host

    A system identified by the firewall administrator as a critical strong point in the network's security.

    The bastion host serves as a platform for an application-level or circuit-level gateway.

  • 21/31

    Firewall Configurations

    In addition to the simple configuration of a single system (single packet-filtering router or single gateway), more complex configurations are possible.

  • 22/31

    Three common configurations:

    Screened host firewall system (single-homed bastion host)

    Screened host firewall system (dual-homed bastion host)

    Screened-subnet firewall system

  • 23/31

    Screened host firewall system (single-homed bastion host)

  • 24/31

    Screened host firewall, single-homed bastion configuration

    The firewall consists of two systems:

    A packet-filtering router.

    A bastion host.

    Configuration for the packet-filtering router:

    Only packets from and to the bastion host are allowed to pass through the router.

    The bastion host performs authentication and proxy functions.

  • 25/31

    Greater security than single-system configurations, for two reasons:

    This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy).

    An intruder must generally penetrate two separate systems.

    This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server).

  • 26/31

    Screened host firewall system (dual-homed bastion host)

  • 27/31

    Screened host firewall, dual-homed bastion configuration

    Even if the packet-filtering router is completely compromised, the private network is not: traffic between the Internet and other hosts on the private network has to flow through the bastion host.

  • 28/31

    Screened-subnet firewall system

  • 29/31

    Screened subnet firewall configuration

    Most secure configuration of the three. Two packet-filtering routers are used.

    Creation of an isolated sub-network.

    Advantages:

    Three levels of defense to thwart intruders.

    The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet).

  • 30/31

    The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet).

  • 31/31

    Recommended Reading

    William Stallings, Cryptography and Network Security.

    Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000.