Cryptography and Network Security: Chapter 20 - Firewalls
Chapter 20 – Firewalls
Introduction
Ongoing evolution of information systems
Interconnecting networks: Mainframe + terminals, Local area
networks (LANs), premises networks, enterprise-wide area
networks (WANs), Internet
Causes persistent security concerns
Can hardly secure every system in an organization individually
Call for harm minimisation
A firewall
provides effective means of protecting local system or network from
network-based threats while still affording access to WANs and Internet
is inserted between premise network and Internet to establish controlled link
and to erect outer security wall or perimeter
protects premise network from Internet-based attacks and provides single
choke point where security and audit can be imposed
Control Mechanisms
Service control:
types of accessible Internet services,
filters on basis of IP address and TCP port number
provides proxies for interpreting service requests
hosts server software such as Web or mail service
Direction control:
determines direction in which service requests allowed to flow
User control:
controls access to service depending on who requests it
typically applied to local users (with IPSec also to externals)
Behavior control:
controls how particular services are used (e.g. eliminate spam)
Capabilities and Limitations
Defines single choke point that
keeps unauthorised users out of protected network,
prohibits potentially vulnerable services,
provides protection from IP spoofing, routing attacks
Platform for
monitoring security-related events,
e.g., audits and alarms can be implemented
various Internet functions,
e.g., network address translator, network management function
IP security (tunnel mode)
However, a firewall cannot protect against
attacks bypassing it, e.g., dial-out capabilities to connect to ISP, dial-in capabilities for travelling employees
internal threats, e.g. disgruntled employee
transfer of all virus-infected programs or files
Types of Firewalls
There are three common types of firewalls:
Packet-filtering routers:
Filters out packets that pass through it
Application-level gateway:
Proxy for remote services
Circuit-level gateway:
Allows only certain TCP connections
Packet Filters
Packet Filters – Examples
any inside host can send mail to outside
TCP packet with destination port 25 is routed to SMTP server on
destination machine
Packet Filters – Examples
IP packets allowed where source address is one of a list of
designated internal hosts and destination TCP port number
is 25
also allows incoming packets with source port number 25
that have the ACK flag set in the TCP segment
(a set ACK flag acknowledges segments sent from the other side)
source and destination address designated explicitly:
Packet Filters – Examples
one approach to handling FTP connections
control connection to set up file transfer plus data
connection for actual file transfer
allows packets originating internally, reply packets to
connection initiated by internal machine, destined for high-numbered port (non-servers)
Attacks on Packet Filters
IP address spoofing
fake source address to be trusted
discard packets with internal source address arriving on
external interface
Source routing attacks
attacker sets a route other than default
block source routed packets
Tiny fragment attacks
split header info over several tiny packets
either discard or reassemble before check
Stateful Inspection Filters
Traditional packet filters make decision independently from
higher-layer context
Stateful inspection keeps track of state of each outbound
connection passing through firewall
Only allow incoming packets corresponding to outbound
connection
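A worked example of the packet-filter rules and the stateful check described above (added here, not part of the original slides): a small Python filter using constructed addresses (192.0.2.0/24 as the premises network, two designated mail-sending hosts) that applies the anti-spoofing rule, the outbound SMTP rule and the source-port-25/ACK reply rule, first statelessly and then with tracking of outbound connections, so the difference is visible on the same packets.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example addresses: the premises network and the hosts allowed to send mail out.
INTERNAL_NET = ip_network("192.0.2.0/24")
MAIL_SENDERS = {ip_address("192.0.2.25"), ip_address("192.0.2.40")}

@dataclass
class Packet:
    iface: str      # "ext" = arrived from the Internet, "int" = arrived from the premises LAN
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False

@dataclass
class MailFilter:
    stateful: bool = True
    # Outbound connections seen so far: (inside addr, inside port, outside addr, outside port)
    state: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        src = ip_address(p.src)
        # Anti-spoofing rule: an internal source address cannot legitimately arrive from outside.
        if p.iface == "ext" and src in INTERNAL_NET:
            return "deny: spoofed internal source"
        # Rule A: designated inside hosts may open SMTP connections (destination port 25) outward.
        if p.iface == "int" and src in MAIL_SENDERS and p.dport == 25:
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "permit: outbound smtp"
        # Rule B: inbound packets with source port 25 and ACK set are treated as replies.
        if p.iface == "ext" and p.sport == 25 and p.ack:
            if not self.stateful:
                return "permit: inbound ack (no state check)"
            if (p.dst, p.dport, p.src, p.sport) in self.state:
                return "permit: inbound reply to tracked connection"
            return "deny: no matching outbound connection"
        return "deny: default"

def demo() -> list:
    """Run the same constructed packets through a stateless and a stateful filter."""
    outbound = Packet("int", "192.0.2.25", "203.0.113.9", 40001, 25)
    reply = Packet("ext", "203.0.113.9", "192.0.2.25", 25, 40001, ack=True)
    unsolicited = Packet("ext", "198.51.100.7", "192.0.2.40", 25, 4444, ack=True)
    spoofed = Packet("ext", "192.0.2.40", "192.0.2.25", 25, 25, ack=True)
    results = []
    for fw in (MailFilter(stateful=False), MailFilter(stateful=True)):
        results.append([fw.decide(pk) for pk in (outbound, reply, unsolicited, spoofed)])
    return results
```

The stateless filter accepts any inbound packet that merely carries source port 25 and ACK, while the stateful filter accepts only the reply whose addresses and ports match a recorded outbound connection.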
Application Level Gateway (or Proxy)
Application Level Gateway (Proxy)
Relay of application-level traffic:
user requests service from proxy (via TCP/IP application)
proxy validates request as legal
proxy contacts remote host, relays TCP segments containing
application data
service not supported if proxy code not implemented
may support only specific features of application
Advantage:
just concerned with allowable applications
easy to log and audit incoming traffic
Disadvantage:
additional processing overhead on each connection
Circuit Level Gateway
Circuit Level Gateway
Stand-alone system or specialized function performed by
proxy for certain applications
No end-to-end TCP connection
One to inner host, one to outer host
Traffic relayed without examining contents
Security function determines which connections allowed
Typically used when internal users are trusted;
supports proxy service on inbound connections
Bastion Host
Critical strong point in network’s security
Typical platform for proxy or circuit-level gateway
Characteristics:
Executes secure version of its OS
Only essential services are installed: Telnet, SSH/FTP, SMTP,…
May require additional authentication for access
Each proxy supports subset of normal command set
Each proxy allows access to specific host systems
Each proxy maintains detailed audit logging
Each proxy module tailored for network security
Each proxy is independent of other proxies
No disk access other than reading initial configuration
Single-Homed Bastion Host
Packet-filtering router plus bastion host
Only packets destined for bastion host allowed in
Only packets from bastion host allowed out
Dual-homed Bastion Host
If packet-filtering router compromised:
traffic still can’t flow directly through router between
internet and other hosts in private network
Information server or other hosts can directly communicate
with router if allowed
Screened Subnet Firewall
Two packet-filtering routers creating isolated sub-network
Internet and internal network can access subnet, but
traffic across screened subnet is blocked
Three levels of defense, internal network invisible to
Internet, systems on inside cannot construct direct routes
to Internet
Summary
Topics discussed:
firewalls
types of firewalls
configurations