Firewalls: Computer/Information Security Drmysiyal P9-1
Computer/Information Security
P9-1
FIREWALLS
DR M Y Siyal
FIREWALLS
A firewall is hardware or software (or a combination of hardware and
software) that monitors the transmission of packets of digital information that
attempt to pass through the perimeter of a network.
HARDWARE FIREWALLS
Protect an entire network
Implemented on the router level
Usually more expensive, harder to configure
SOFTWARE FIREWALLS
Protect a single computer
Usually less expensive, easier to configure
HOW DOES A SOFTWARE FIREWALL WORK?
Inspects each individual packet of data as it arrives at either side of the
firewall (Inbound to or outbound from your computer)
Determines whether it should be allowed to pass through or if it should be
blocked
PERIMETER DEFENSE
A firewall is said to provide perimeter security because it sits on the outer
boundary, or perimeter, of a network. The network boundary is the point at
which one network connects to another.
Ingress packets come into a site.
Egress packets go out from a site.
FIREWALL POLICIES
To protect private networks and individual machines from the dangers of the
greater Internet, a firewall can be employed to filter incoming or outgoing
traffic based on a predefined set of rules called firewall policies.
[Figure: firewall policies applied between the trusted internal network and the untrusted Internet]
POLICY ACTIONS
FIREWALL RULES
ALLOW: Traffic that flows automatically because it has been deemed as
safe
BLOCK: Traffic that is blocked because it has been deemed dangerous to
your computer
ASK: Asks the user whether or not the traffic is allowed to pass through
There are two approaches to creating firewall policies:
1. BLACK LIST APPROACH
All packets are allowed through except those that fit the rules defined
specifically in a blacklist.
This configuration is flexible, but naive as it assumes the network
administrator can enumerate all of the properties of malicious traffic.
2. WHITE LIST APPROACH
A safer approach to defining a firewall rule set is the default-deny
policy, in which packets are dropped or rejected unless they are
specifically allowed by the firewall.
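To make the difference between the two approaches concrete, here is an added example (not from the slides) that judges the same packet twice: once against a blacklist whose default action is ALLOW, and once against a whitelist whose default action is BLOCK. The internal range 10.0.0.0/8, the mail gateway 10.0.0.25 and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for icmp)

@dataclass(frozen=True)
class Rule:
    action: str                  # "ALLOW" or "BLOCK"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def decide(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; the policy's default action applies otherwise."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

INTERNAL = "10.0.0.0/8"   # assumed trusted internal range (not from the slides)
# Blacklist: list known-bad traffic, everything else passes by default.
BLACKLIST = [Rule("BLOCK", "tcp", dport=23),   # telnet
             Rule("BLOCK", "icmp")]
# Whitelist (default-deny): list needed traffic, everything else is dropped.
WHITELIST = [Rule("ALLOW", "tcp", INTERNAL, dport=443),           # outbound HTTPS
             Rule("ALLOW", "tcp", dst="10.0.0.25/32", dport=25)]  # inbound SMTP to mail gateway

def compare(p: Packet) -> Tuple[str, str]:
    """(blacklist decision, default-deny decision) for the same packet."""
    return decide(BLACKLIST, p, "ALLOW"), decide(WHITELIST, p, "BLOCK")

# Constructed sample traffic; the last packet targets a service the blacklist never listed.
SAMPLES = [Packet("10.0.0.5", "203.0.113.9", "tcp", 443),
           Packet("198.51.100.7", "10.0.0.25", "tcp", 25),
           Packet("198.51.100.7", "10.0.0.30", "tcp", 23),
           Packet("198.51.100.7", "10.0.0.30", "tcp", 3389)]
RESULTS = {p: compare(p) for p in SAMPLES}   # the 3389 packet -> ("ALLOW", "BLOCK")
```

The last sample is the point of the slide: the blacklist passes it because its author never enumerated that service, while the default-deny rule set drops it without any rule having to anticipate it.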
PERSONAL FIREWALL
A personal firewall (sometimes called a desktop firewall) is a software
application used to protect a single Internet-connected computer from
intruders.
WHAT A PERSONAL FIREWALL CAN DO
Stops hackers from accessing your computer
Protects your personal information
Blocks pop-up ads and certain cookies
Determines which programs can access the Internet
WHAT A PERSONAL FIREWALL CANNOT DO
Cannot prevent e-mail viruses
Only an antivirus product with updated definitions can prevent e-mail
viruses
Cannot be set up once and then forgotten
The firewall will require periodic updates to the rule sets and the
software itself
[Figure: a client on the trusted internal network completes the TCP handshake with a server through the firewall; the final ACK carries Seq = x + 1, Ack = y + 1]
[Figure: an attacker's SYN (Seq = y, Port = 80) toward the trusted internal network is blocked by the firewall]
SPI FIREWALL
Stateful Packet Inspection Firewalls (SPI): Reviews the same packet
information but also records information about TCP connections.
Keeps track of each network connection established between internal and
external systems using a state table.
Tracks the state and context of each packet in the conversation by
recording which station sent what packet and when.
SPI firewalls can tell when packets are part of legitimate sessions originating
within a trusted network.
SPI firewalls maintain tables containing information on each active
connection, including the IP addresses, ports, and sequence numbers of
packets.
Using these tables, SPI can allow only inbound TCP packets that are in
response to a connection initiated from within the internal network.
Primary disadvantage: Additional processing requirements of managing
and verifying packets against the state table which can possibly expose the
system to a DoS attack.
STATES IN CONNECTION
Connections have distinct states or stages
Different states are subject to different attacks
SPI firewalls use different filtering rules for different states
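As an added example (not the lecturer's material) covering both the SPI description and the connection states above, the following Python models a default-deny stateful filter: its state table moves each connection through the opening, ongoing-communication and closing states, and an inbound segment is admitted only when it matches a connection opened from inside and carries the sequence/acknowledgement numbers that state expects. The internal range 10.0.0.0/8 and the exact flag and sequence checks are assumptions of the example; production implementations also track windows, timeouts and both FIN directions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # assumed trusted internal range (not from the slides)

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]        # e.g. frozenset({"SYN", "ACK"})
    seq: int
    ack: Optional[int] = None

class SPIFirewall:
    """Default-deny stateful filter: an inbound TCP segment passes only if the
    state table shows a connection opened from inside that expects it."""
    def __init__(self):
        # (client ip, client port, server ip, server port) -> connection record
        self.table: Dict[Tuple[str, int, str, int], dict] = {}

    def filter(self, s: Segment) -> str:
        outbound = ip_address(s.src) in INTERNAL
        key = (s.src, s.sport, s.dst, s.dport) if outbound else (s.dst, s.dport, s.src, s.sport)
        entry, f = self.table.get(key), s.flags
        if f == {"SYN"}:                            # connection opening state begins
            if not outbound:                        # unsolicited SYN from outside: no context
                return "BLOCK"
            self.table[key] = {"state": "OPENING", "cseq": s.seq, "sseq": None}
            return "ALLOW"
        if entry is None:                           # not part of any tracked connection
            return "BLOCK"
        if entry["state"] == "OPENING":
            if f == {"SYN", "ACK"} and not outbound and s.ack == entry["cseq"] + 1:
                entry["sseq"] = s.seq               # remember the server's initial seq
                return "ALLOW"
            if (f == {"ACK"} and outbound and entry["sseq"] is not None
                    and s.seq == entry["cseq"] + 1 and s.ack == entry["sseq"] + 1):
                entry["state"] = "ESTABLISHED"      # ongoing communication state
                return "ALLOW"
            return "BLOCK"                          # wrong seq/ack or direction for this stage
        if "FIN" in f or "RST" in f:                # connection closing state
            entry["state"] = "CLOSING"
        elif entry["state"] == "CLOSING" and f == {"ACK"}:
            del self.table[key]                     # final ACK: drop the connection record
        return "ALLOW"
```

Feeding the three handshake segments from the earlier figure through filter() returns ALLOW each time and leaves the entry ESTABLISHED, while the attacker's SYN to port 80 on an internal host, or any inbound segment with no matching entry, returns BLOCK.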
[Figure: the connection states tracked by an SPI firewall: connection opening state, ongoing communication state, connection closing state]
APPLICATION GATEWAYS
Frequently installed on a dedicated computer; also known as a proxy server
Since the proxy server is often placed in an unsecured area of the network (e.g.,
the DMZ), it is exposed to higher levels of risk from less trusted networks
With this configuration the proxy server, rather than the Web server, is
exposed to the outside world.
Additional filtering routers can be implemented behind the proxy server.
A gateway that is configured to be a web proxy will not allow any FTP, gopher,
telnet or other traffic through
Has full access to the application protocol
User requests service from proxy.
Proxy validates request as legal.
Then carries out the request and returns the result to the user.
Tends to be more secure than packet filters
Need only scrutinize a few allowable apps.
Easy to log and audit all incoming traffic.
[Figure: proxy firewall (application gateway)]
CIRCUIT GATEWAYS
Circuit level gateways work at the session layer of the OSI model, or
the TCP layer of TCP/IP
They monitor TCP handshaking between packets to determine
whether a requested session is legitimate
Like filtering firewalls, they do not usually look at the data traffic flowing
between two networks, but they prevent direct connections between one
network and another
Accomplished by creating tunnels connecting specific processes or
systems on each side of the firewall, and allowing only authorized traffic in
the tunnels
Circuit level gateways are inexpensive and have the advantage of hiding
information about the private network they protect.
GENERAL PERFORMANCE
TECHNOLOGY            SPEED    FLEXIBILITY   INTELLIGENCE
Packet Filtering      V Good   V Good        Low
Application Proxy     Low      Low           V Good
Stateful Inspection   Good     Good          Good
Circuit Level Proxy   Low      Low           Low
[Figure: relative security versus performance of packet filter, SPI, circuit gateway and application gateway]
FIREWALL ARCHITECTURES
Firewall devices can be configured in a number of network connection
architectures
Best configuration depends on three factors:
Objectives of the network
Organization's ability to develop and implement architectures
Budget available for function
Four common architectural implementations of firewalls: packet filtering
routers, screened host firewalls, dual-homed firewalls, screened subnet
firewalls
[Figure: packet-filtering router between the trusted network and the untrusted network: unrestricted data packets inside, filtered data packets through the router, blocked data packets from outside]
SCREENED-HOST FIREWALL
[Figure: screened-host firewall: a bastion host acting as application-level firewall behind a filtering router; proxy access from the untrusted network, filtered and unrestricted data packets into the trusted network, blocked data packets]
BASTION HOST
There are single-homed bastion and dual-homed bastion based firewalls.
SINGLE-HOMED BASTION: ADVANTAGES
Has greater security than simply a packet filtering router or an application
level gateway alone.
Implements both packet-level and application-level filtering, allowing for
considerable flexibility in defining security policy.
An intruder must generally penetrate two separate systems before the
security of the internal network is compromised.
Affords flexibility in providing direct Internet access.
DUAL-HOMED BASTION
The bastion-host contains two NICs (network interface cards).
One NIC connected to the external network, and one connected to the
internal network.
With two NICs all traffic must physically go through the firewall to move
between the internal and external networks.
A technology known as network-address translation (NAT) is
implemented with this architecture, creating another barrier to intrusion
from external attackers.
SINGLE-HOMED BASTION
[Figure: single-homed bastion host]
DUAL-HOMED BASTION
[Figure: dual-homed bastion host performing NAT between public IP addresses on the untrusted network and the internal network; blocked external data packets and blocked internal data packets]
SCREENED-SUBNET FIREWALLS
Consists of two or more internal bastion-hosts, behind a packet-filtering router,
with each host protecting the trusted network.
The first general model consists of two filtering routers, with one or more
dual-homed bastion-hosts between them.
The second general model involves the connection from the outside or untrusted
network going through this path:
Through an external filtering router.
Into and then out of a routing firewall to the separate network segment
known as the DMZ.
Connections into the trusted internal network are allowed only from the DMZ
bastion-host servers.
ADVANTAGES
There are now three levels of defense to thwart intruders.
The outside router advertises only the existence of the screened subnet to the
Internet; therefore, the internal network is invisible to the Internet.
Similarly, the inside router advertises only the existence of the screened subnet
to the internal network; therefore, the systems on the inside network cannot
construct direct routes to the Internet.
[Figure: screened-subnet firewall: external filtering router, demilitarized zone (DMZ) with servers, internal filtering router; controlled access and proxy access into the trusted network, blocked data packets from the untrusted network]
RECOMMENDED PRACTICES
All traffic from the trusted network is allowed out.
The firewall device is always inaccessible directly from the public network.
Allow Simple Mail Transport Protocol (SMTP) data to pass through your
firewall, but ensure it is all routed to a well-configured SMTP gateway to filter
and route messaging traffic securely.
All Internet Control Message Protocol (ICMP) data should be denied.
Block telnet (terminal emulation) access to all internal servers from the
public networks.
When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or DMZ
architecture.
TRADEOFF
Degree of communication with the outside world versus level of security.
Remember that many highly protected sites still suffer from attacks.