Firewall new version


Transcript of Firewall new version

Page 1: Firewall new version

7/27/2019 Firewall new version

http://slidepdf.com/reader/full/firewall-new-version 1/45

5/4/01 EMTM 553 1

EMTM 553: E-commerce Systems

Lecture 7b: Firewalls

Insup Lee

Department of Computer and Information Science
University of Pennsylvania

[email protected] www.cis.upenn.edu/~lee


Why do we need firewalls ?




[Figure: BEFORE / AFTER (your results may vary)]


What is a firewall?

• Two goals:
– To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
– To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network.

• Basic idea:
– Impose a specifically configured gateway machine between the outside world and the site’s inner network.
– All traffic must first go to the gateway, where software decides whether to allow or reject it.


What is a firewall

• A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.

• The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.


Firewalls DO

• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system


Firewalls DON’T

• Protect against attacks that bypass the firewall
– Dial-out from an internal host to an ISP

• Protect against internal threats
– Disgruntled employee
– Insider cooperates with an external attacker

• Protect against the transfer of virus-infected programs or files


Types of Firewalls

• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls


Packet Filtering Routers

• Forward or discard IP packets according to a set of rules

• Filtering rules are based on fields in the IP and transport headers


What information is used for filtering decision?

• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type (IP header)
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit (TCP header)

The ACK bit is clear only on the first segment of a TCP connection, so a filter that requires ACK on inbound packets admits replies to connections opened from inside while refusing connection attempts from outside.


Web Access Through a Packet Filter Firewall

[Stein]


Packet Filtering Routers: pros and cons

• Advantages:
– Simple
– Low cost
– Transparent to user

• Disadvantages:
– Hard to configure filtering rules
– Hard to test filtering rules
– Don’t hide network topology (due to transparency)
– May not be able to provide enough control over traffic
– Throughput of a router decreases as the number of filters increases


Application Level Gateways (Proxy Server)


A Telnet Proxy


A sample telnet session


Application Level Gateways (Proxy Server)

• Advantages:
– Complete control over each service (FTP/HTTP…)
– Complete control over which services are permitted
– Strong user authentication (smart cards etc.)
– Easy to log and audit at the application level
– Filtering rules are easy to configure and test

• Disadvantages:
– A separate proxy must be installed for each application-level service
– Not transparent to users
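The per-service control and application-level logging claimed for proxies above are easiest to see in code. What follows is an added example, not code from the lecture or from Stein: the policy check of an outbound HTTP proxy that parses each request it is asked to relay, enforces a constructed method/host/port policy (the constants ALLOWED_METHODS, ALLOWED_CONNECT_PORTS and BLOCKED_HOSTS, and every hostname in the samples, are assumptions), and writes an audit line naming the user the proxy has already authenticated. A packet filter, which sees only addresses and ports, could make none of these decisions.

```python
# Application-level gateway for outbound HTTP: the proxy terminates the client
# connection, parses the request it is asked to relay, applies a per-service
# policy and emits an application-level audit record. Added example; not code
# from the lecture. The policy constants and the sample requests are constructed.
import re
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # constructed policy
ALLOWED_CONNECT_PORTS = {443}               # CONNECT tunnels only to TLS ports
BLOCKED_HOSTS = {"pastebin.example"}        # constructed destination block list
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of one HTTP/1.x request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    method, target = m.groups()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def policy(req: dict) -> tuple:
    """Decide on the whole request: method, destination host and port, and
    the consistency of the Host header. A packet filter sees none of this."""
    method, target, headers = req["method"], req["target"], req["headers"]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
            return "deny", f"CONNECT to port {port or '?'} not permitted"
    elif method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    else:
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            return "deny", "proxy request must carry an absolute http:// URL"
        host = url.hostname
        if "host" in headers and headers["host"].split(":")[0].lower() != host:
            return "deny", "Host header disagrees with request URL"
    if host.lower() in BLOCKED_HOSTS:
        return "deny", f"destination {host} is blocked"
    return "allow", "ok"


def audit(client_ip: str, user: str, raw: bytes) -> str:
    """Audit record for one proxied request. The proxy is assumed to have
    authenticated the user already; the name is passed in."""
    try:
        req = parse_request(raw)
    except ValueError as e:
        return f"client={client_ip} user={user} verdict=deny reason={e!r}"
    verdict_, reason = policy(req)
    return (f"client={client_ip} user={user} method={req['method']} "
            f"target={req['target']} verdict={verdict_} reason={reason!r}")


def verdict(raw: bytes) -> str:
    """Allow/deny for one raw request; unparsable input is denied."""
    try:
        return policy(parse_request(raw))[0]
    except ValueError:
        return "deny"


# Constructed sample requests, as a browser configured to use a proxy sends them.
SAMPLES = {
    "plain GET":       b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "TLS tunnel":      b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "SSH via CONNECT": b"CONNECT bastion.example:22 HTTP/1.1\r\n\r\n",
    "DELETE":          b"DELETE http://www.example.com/ HTTP/1.1\r\n\r\n",
    "blocked host":    b"GET http://pastebin.example/raw/x HTTP/1.1\r\nHost: pastebin.example\r\n\r\n",
    "host mismatch":   b"GET http://www.example.com/ HTTP/1.1\r\nHost: internal.example\r\n\r\n",
    "origin-form":     b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(audit("10.0.0.7", "alice", raw), " #", name)
```

Running the block prints one audit line per sample. The "SSH via CONNECT" case is the one worth noticing: a CONNECT tunnel to an arbitrary port would turn the Web proxy into a general TCP relay out of the perimeter, so the policy restricts it to the TLS port, a decision that needs the request line and therefore a proxy rather than a packet filter.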


Circuit Level Gateways


Circuit Level Gateways (2)

• Often used for outgoing connections where the system administrator trusts the internal users

• The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections


Hybrid Firewalls

• In practice, many of today's commercial firewalls use a combination of these techniques.

• Examples:
– A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
– Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.


Firewall Configurations

• Bastion host
– A system identified by the firewall administrator as a critical strong point in the network’s security
– Typically serves as a platform for an application-level or circuit-level gateway
– Extra secure O/S, tougher to break into

• Dual homed gateway
– Two network interface cards: one to the outer network and the other to the inner
– A proxy selectively forwards packets

• Screened host firewall system
– Uses a network router to forward all traffic from the outer and inner networks to the gateway machine

• Screened-subnet firewall system
– Places the gateway and any public servers on their own subnet, with a screening router between that subnet and the outer network and another between it and the inner network


Dual-homed gateway


Screened-host gateway


Screened Host Firewall


Screened Subnet Firewall


Screened subnet gateway


Selecting a firewall system

• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling


Commercial Firewall Systems

[Bar chart: market share (0% to 45%) of commercial firewall vendors: Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]


Widely used commercial firewalls

• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)


Firewall’s security policy

• Embodied in the filters that allow or deny passage to network traffic

• Filters are implemented as proxy programs.
– Application-level proxies
o One for a particular communication protocol
o E.g., HTTP, FTP, SM
o Can also filter based on IP addresses

– Circuit-level proxies
o Lower-level, general-purpose programs that treat packets as black boxes to be forwarded or not
o Only look at header information
o Advantages: speed and generality
o One proxy can handle many protocols


Configure a Firewall (1)

• Outgoing Web Access
– Outgoing connections through a packet filter firewall
– Outgoing connections through an application-level proxy
– Outgoing connections through a circuit proxy


Firewall Proxy

Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]


Configure a Firewall (2)

• Incoming Web Access
– The “Judas” server
– The “Sacrificial Lamb”
– The “Private Affair” server
– The doubly fortified server


The “Judas” Server (not recommended)

[Stein]


The “sacrificial lamb”

[Stein]


The “private affair” server

[Stein]


Internal Firewall

An Internal Firewall protects the Web server from insider threats.

[Stein]


Placing the sacrificial lamb in the demilitarized zone.

[Stein]


Poking holes in the firewall

• If you need to support a public Web server but have nowhere to put it other than inside the firewall, you must open holes in the filter rules to let inbound Web traffic reach it.

• Problem: if the server is compromised, the attacker is already inside the perimeter, and you are cooked.


Simplified Screened-Host Firewall Filter Rules

[Stein]


Filter Rule Exceptions for Incoming Web Services

[Stein]


Screened subnetwork

Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]


Filter Rules for a Screened Public Web Server

[Stein]
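The filter-rule slides cite tables from Stein that are not reproduced in this transcript, and the earlier slide "What information is used for filtering decision?" lists the fields such tables match on. The following is an added example serving both, not Stein's table and not code from the lecture: a stateless filter that matches on exactly those fields (addresses, protocol, ports, ACK bit), a constructed rule set for a public Web server on its own screened subnet (the ranges 10.0.0.0/8 and 192.0.2.0/24, the server address 192.0.2.10 and the probe packets are assumptions), and two packets that show the limit of ACK-bit filtering.

```python
# Stateless packet filter over the fields the slides list: source/destination
# IP, protocol, source/destination port and the TCP ACK bit, with a rule set
# that screens a public web server on its own subnet. Added example; the
# addresses, the rule table and the probe packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed topology (hypothetical addresses from documentation ranges).
ANY      = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")       # private network
DMZ      = ip_network("192.0.2.0/24")     # screened subnet
WEB      = ip_network("192.0.2.10/32")    # public web server inside the DMZ
HIGH     = range(1024, 65536)             # ephemeral client ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK flag: clear only on a connection's first SYN


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    ack: Optional[bool] = None    # None means "don't care"
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.ack is None or p.ack == self.ack))


def decide(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


SCREENED_WEB_RULES = [
    # The outside world may open HTTP/HTTPS connections to the web server only.
    Rule("allow", ANY, WEB, "tcp", dport=range(80, 81)),
    Rule("allow", ANY, WEB, "tcp", dport=range(443, 444)),
    # The web server may answer from those ports, but only with ACK set.
    Rule("allow", WEB, ANY, "tcp", sport=range(80, 81), ack=True),
    Rule("allow", WEB, ANY, "tcp", sport=range(443, 444), ack=True),
    # Nothing else crosses from the DMZ into the private network, so a
    # compromised web server cannot open connections inward.
    Rule("deny", DMZ, INTERNAL, note="no DMZ-initiated traffic inward"),
    # Internal users browse out; replies return to high ports with ACK set.
    Rule("allow", INTERNAL, ANY, "tcp", sport=HIGH),
    Rule("allow", ANY, INTERNAL, "tcp", dport=HIGH, ack=True),
]


def verdicts() -> dict:
    """Run representative constructed packets through the rule table."""
    R = SCREENED_WEB_RULES
    return {
        # Intended behaviour of the screened subnet.
        "outside SYN to web:80":         decide(R, Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 80)),
        "outside SYN to web:22":         decide(R, Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 22)),
        "outside SYN to internal:22":    decide(R, Packet("203.0.113.5", "10.0.0.7", "tcp", 40000, 22)),
        "internal SYN to outside:443":   decide(R, Packet("10.0.0.7", "203.0.113.5", "tcp", 50000, 443)),
        "reply outside:443 to internal": decide(R, Packet("203.0.113.5", "10.0.0.7", "tcp", 443, 50000, ack=True)),
        "web SYN to internal:445":       decide(R, Packet("192.0.2.10", "10.0.0.7", "tcp", 40000, 445)),
        # Caveat: without connection state the filter cannot tell a genuine
        # reply from a forged packet that merely has ACK set, so these pass.
        "outside ACK probe to internal":    decide(R, Packet("203.0.113.5", "10.0.0.7", "tcp", 80, 33000, ack=True)),
        "compromised web ACK probe inward": decide(R, Packet("192.0.2.10", "10.0.0.7", "tcp", 80, 33000, ack=True)),
    }


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{v:5}  {name}")
```

Running the block prints a verdict per packet. The last two cases are the point to take away: because the filter keeps no connection table, any packet with ACK set and a plausible source port satisfies the "reply" rules, which is what an ACK scan relies on and why a compromised DMZ host can still probe the internal network. A stateful filter that remembers the outbound SYN, or a proxy in the hybrid configurations the lecture describes, closes that gap.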


Q&A