Firewalls (15)

Transcript of Firewalls (15)

  • 8/10/2019 Firewalls (15)

    1/51

    C. Ding -- COMP581 -- L25 1

    Lecture 25: Firewalls

    Introduce several types of firewalls

    Discuss their advantages and disadvantages

    Compare their performances

    Demonstrate their applications

  • Slide 2: What is a Firewall?

    A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private network.

    The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

  • Slide 4: What a Firewall does

    Implement security policies at a single point

    Monitor security-related events (audit, log)

    Provide strong authentication

    Allow virtual private networks

  • Slide 5: What a Firewall does not do

    Protect against attacks that bypass the firewall (e.g., a dial-out from an internal host to an ISP)

    Protect against internal threats (a disgruntled employee; an insider who cooperates with an external attacker)

    Protect against the transfer of virus-infected programs or files

  • Slide 6: Firewall - Typical layout

    A firewall denies or permits access based on policies and rules

    [Diagram: the firewall sits between the Protected Private Network and the Internet]

  • Slide 7: Watching for attack

    [Diagram: an Attack from the Internet against the Protected Private Network; the firewall's Monitor records it in the Log and sends a Notify]

  • Slide 8: Firewall technologies

    Common firewall technologies may be classified into four categories:

    Packet Filtering Firewalls

    Circuit Level Firewalls

    Application Gateway Firewalls (or proxy servers)

    Stateful Inspection Firewalls (dynamic packet filtering firewalls)

    These technologies operate at different levels of detail, providing varying degrees of network access protection. They are not mutually exclusive: some firewall products implement several of these technologies simultaneously.

  • Slide 9: The Internet protocol stack

    [Diagram: the protocol stack, with a WAN column beside a LAN column]

    Layer         WAN                            LAN
    Application
    Transport     TCP, UDP . . .                 TCP, UDP . . .
    Network       IP                             IP
    Data Link     PPP, Frame Relay . . .         Drivers, MAC Address
    Physical      Leased Line, ISDN, xDSL . . .  LAN Interface Card

  • Slide 10: Packet Filtering Firewalls

  • Slide 11: Packet Filtering firewalls

    The original firewall

    Works at the network level of the OSI model

    Applies packet filters based on access rules:

    Source address

    Destination address

    Application or protocol

    Source port number

    Destination port number

  • Slide 12: Packet Filtering firewalls (diagram only)

  • Slide 13: Packet Filtering firewalls

    Packet filtering is usually an integrated function of a router.

    Packet filtering relies on Network Layer and Transport Layer information contained in the headers of data packets to police traffic. This information includes source IP address and port number, destination IP address and port number, and the protocol used (e.g., TCP, UDP, ICMP). It is used as the criteria in network access rules. These rules are organized into several filter sets, and each set handles traffic coming to the firewall over a specific interface.

  • Slide 14: Packet Filtering Policy Example

    action   My host: name   port   Other host: name   port   comments
    block    *               *      microsoft.com      *      Block everything from MS
    allow    My-gateway      25     *                  *      Allow incoming mail

  • Slide 15: Packet Filtering Policy Example

    Rule   Direction   Source Address   Destination Address   Protocol   Source Port   Destin. Port   Action
    1      Out         *                10.56.199*            *          *             *              Drop
    2      Out         10.56*           10.122*               TCP        *             23 (Telnet)    Pass
    3      In          10.122*          10.56.199*            TCP        23 (Telnet)   *              Pass
    4      In & Out    *                10.56.199*            TCP        *             25 (Mail)      Pass
    5      In          *                *                     TCP        *             513 (rlogin)   Drop
    6      In          201.32.4.76      *                     *          *             *              Drop
    7      Out         *                *                     TCP        *             20 (FTP)       Pass
    8      In          *                10.56.199*            TCP        *             20 (FTP)       Drop
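As an added example (not from the lecture), the rule table above can be run as a first-match filter: each packet is checked against the rules in order and the first rule that matches decides, with an assumed default of Drop when none matches. Address patterns ending in * are treated as prefixes; the 198.51.100.x addresses used in the checks are constructed.

```python
# Added example, not from the lecture. Assumed semantics: rules are checked
# top to bottom, the first match decides, and no match means Drop.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "In", "Out" or "In & Out"
    src: str        # address pattern: exact, "*" or a prefix ending in "*"
    dst: str
    proto: str      # "TCP", "UDP", "ICMP" or "*"
    sport: str      # port number as a string, or "*"
    dport: str
    action: str     # "Pass" or "Drop"


# The eight rules of the slide, in the order shown (service names dropped).
POLICY = [
    Rule("Out",      "*",           "10.56.199*", "*",   "*",  "*",   "Drop"),
    Rule("Out",      "10.56*",      "10.122*",    "TCP", "*",  "23",  "Pass"),
    Rule("In",       "10.122*",     "10.56.199*", "TCP", "23", "*",   "Pass"),
    Rule("In & Out", "*",           "10.56.199*", "TCP", "*",  "25",  "Pass"),
    Rule("In",       "*",           "*",          "TCP", "*",  "513", "Drop"),
    Rule("In",       "201.32.4.76", "*",          "*",   "*",  "*",   "Drop"),
    Rule("Out",      "*",           "*",          "TCP", "*",  "20",  "Pass"),
    Rule("In",       "*",           "10.56.199*", "TCP", "*",  "20",  "Drop"),
]


def addr_match(pattern, addr):
    """'*' matches anything; '10.56*' matches any address starting with '10.56'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return addr.startswith(pattern[:-1])
    return addr == pattern


def field_match(pattern, value):
    return pattern == "*" or pattern == str(value)


def filter_packet(direction, src, dst, proto, sport, dport, policy=POLICY):
    """Return (rule_number, action) of the first matching rule, or (None, 'Drop')."""
    for number, r in enumerate(policy, start=1):
        if ((r.direction == "In & Out" or r.direction == direction)
                and addr_match(r.src, src) and addr_match(r.dst, dst)
                and field_match(r.proto, proto)
                and field_match(r.sport, sport) and field_match(r.dport, dport)):
            return number, r.action
    return None, "Drop"
```

Because the first match wins, mail from 201.32.4.76 to the 10.56.199 network passes under rule 4 before rule 6 is ever reached; the order of the rules is part of the policy, which is one reason filtering rules are hard to configure and test.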

  • Slide 16: Web Access Through a Packet Filter Firewall

    ACK = positive acknowledgement message for the sender from the receiver. Typically just one bit.

  • Slide 17: Packet Filtering Firewalls

    [Diagram: a Firewall/Router between the Internet and the Internal Network; traffic arriving through the Physical, Data Link and Network layers passes an Input Filter governed by Access Rules, and traffic leaving passes an Output Filter governed by Access Rules, before the Router forwards it]

  • Slide 18: Packet Filtering Firewalls: pros and cons

    Advantages: simple, low cost, transparent to users

    Disadvantages:

    Hard to configure filtering rules

    Hard to test filtering rules

    Don't hide network topology (due to transparency)

    May not be able to provide enough control over traffic

  • Slide 19: Circuit Level Firewalls (Circuit Level Gateways)

  • Slide 20: Circuit Level Firewalls

    Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.

    They monitor TCP handshaking between packets to determine whether a requested session is legitimate.

  • Slide 21: Circuit Level Firewalls (diagram only)

  • Slide 22: Application Gateway Firewalls (Proxy Firewalls)

  • Slide 23: Application Gateway firewalls

    Similar to circuit-level gateways except that they are application specific.

    Every connection between two networks is made via an application program called a proxy.

    Proxies are application or protocol specific.

    Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected.

    A gateway that is configured to be a web proxy will not allow any FTP, gopher, telnet or other traffic through.

  • Slide 25: Application Gateway Firewalls (diagram only)

  • Slide 26: Application Gateway Strengths

    Very secure if used in conjunction with an intelligent packet filtering firewall

    Well designed proxies provide excellent security

  • Slide 27: Application Gateway weaknesses

    Very CPU intensive

    Requires a high performance host computer

    Host operating system liable to attack

    Many proxies are transparent to the application

    Not transparent to users

    Expensive

  • Slide 28: Stateful Inspection Firewalls

  • Slide 29: Stateful Inspection Firewalls

    Third generation firewall technology, often referred to as dynamic packet filtering

    Understands data in packets from the network layer (IP headers) up to the Application Layer

    Tracks the state of communication sessions

  • Slide 30: Stateful Inspection Firewalls

    [Diagram: a Firewall/Router between the Internet and the Internal Network; its Inspection Module applies Network-layer Access Rules, Transport-layer Access Rules and an Application-layer State Table before the Router forwards traffic across the Data Link and Physical layers]

  • Slide 31: Dynamic Filtering

    Stateful Inspection firewalls dynamically open and close ports (application specific connection points) based on access policies.

    [Diagram: a user on the Protected Private Network initiates a web session; the firewall checks its policies to validate the sending computer and allows the traffic to pass to the public network (Internet); return traffic for the validated web session is permitted and the state of the flow is monitored; other traffic from the public network is blocked]
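As an added example (not from the lecture), a minimal stateful-inspection engine for the flow on this slide: a session enters the state table only when a private host opens a policy-permitted outbound web connection, return traffic passes only while its session is in the table, and the entry is removed when the session ends, which is the "port closes again" of dynamic filtering. The private network 10.0.0.0/8, the public address 198.51.100.10 and the web-only policy are constructed assumptions.

```python
# Added example, not from the lecture. Constructed assumptions: private network
# 10.0.0.0/8, a static policy that only permits outbound TCP sessions to port 80,
# and inbound traffic accepted only when a matching session is in the state table.
from ipaddress import ip_address, ip_network

PRIVATE_NET = ip_network("10.0.0.0/8")  # constructed
WEB_PORTS = {80}                        # the access policy: web sessions only


class StatefulFirewall:
    def __init__(self):
        # state table: (src, sport, dst, dport) of the initiating packet -> state
        self.state = {}

    def policy_allows(self, src, dst, dport):
        """Static access policy, consulted only when a new session is opened."""
        return (ip_address(src) in PRIVATE_NET
                and ip_address(dst) not in PRIVATE_NET
                and dport in WEB_PORTS)

    def handle(self, src, sport, dst, dport, flags):
        """Decide 'Pass' or 'Drop' for one TCP segment; flags is a set like {'SYN'}."""
        fwd = (src, sport, dst, dport)   # same direction as the session initiator
        rev = (dst, dport, src, sport)   # return direction
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            # Traffic of a validated session: the port is dynamically "open" for it.
            if key == rev and self.state[key] == "SYN_SENT" and {"SYN", "ACK"} <= flags:
                self.state[key] = "ESTABLISHED"
            if flags & {"FIN", "RST"}:
                # Session ends and the port closes (simplified: a real engine
                # waits for both sides' FINs and ages entries out on a timer).
                del self.state[key]
            return "Pass"
        # No session yet: only a policy-permitted outbound SYN may create one.
        if flags == {"SYN"} and self.policy_allows(src, dst, dport):
            self.state[fwd] = "SYN_SENT"
            return "Pass"
        return "Drop"                    # all other traffic from the public network
```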

  • Slide 32: Stateful Inspection Strengths

    Monitors the state of all data flows

    Dynamically adapts filters based on defined policies and rules

    Easily adapted to new Internet applications

    Transparent to users

    Low CPU overheads

  • Slide 33: Stateful Inspection Weaknesses

    Need to provide a new client program

    Might have problems with the availability of source code for various platforms

  • Slide 34: Stateful Inspection Firewalls

    "These are among the most secure firewalls available today; fooling them can be a lot of work."

    Jon McCown, network security analyst for the U.S. National Computer Security Agency (NCSA)

  • Slide 35: General Performance

  • Slide 36: Other Issues about Firewalls

  • Slide 37: RADIUS Support

    Remote Authentication Dial-In User Services

    A single, central security database for all system users

    Centralised management of access lists

  • Slide 38: Remote access security

    [Diagram: a remote dial-in user reaches the Head office through Telephony Services; the dial-in user is authenticated, and a firewall policy is assigned to the dial-in user before the connection to the network is completed]

  • Slide 39: Stateful Inspection Implementation

    [Diagram: a user on the protected private network initiates a web session; the firewall checks its policy rules to validate the sender, opens the required port and allows the traffic to pass to the public network (Internet); return traffic for the validated web session is permitted and the state of the flow is monitored]

  • Slide 40: Network Address Translation

    [Diagram: a user on the protected private network communicates with the Internet using a private IP address; the firewall substitutes the private address with a public address and forwards the packet to the Internet, then translates the return flow from the public address back to the private address]
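As an added example (not from the lecture), a port-based address translator that does what the diagram describes: outbound packets from private hosts leave with the firewall's public address and a per-flow public port, and return packets are mapped back to the private host only when a flow exists for them. The public address 203.0.113.5, the port range starting at 40000 and the sample hosts are constructed assumptions.

```python
# Added example, not from the lecture. Constructed assumptions: the firewall's
# public address is 203.0.113.5 and it hands out one public source port per
# private flow, counting up from 40000.
from itertools import count

PUBLIC_ADDR = "203.0.113.5"   # constructed public address of the firewall


class Nat:
    def __init__(self):
        self._ports = count(40000)
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # public_port -> (priv_ip, priv_port, dst_ip, dst_port)

    def translate_out(self, priv_ip, priv_port, dst_ip, dst_port):
        """Rewrite the source of an outbound packet; returns (src, sport, dst, dport)."""
        key = (priv_ip, priv_port, dst_ip, dst_port)
        if key not in self.outbound:            # first packet of the flow: allocate
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return PUBLIC_ADDR, self.outbound[key], dst_ip, dst_port

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Map a return packet back to the private host; None when no flow exists."""
        flow = self.inbound.get(dst_port) if dst_ip == PUBLIC_ADDR else None
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None                          # unsolicited: nothing to translate to
        priv_ip, priv_port, _, _ = flow
        return src_ip, src_port, priv_ip, priv_port
```

A packet from the Internet that no private host asked for has no entry and is simply not translatable, which is why NAT also hides the private addresses behind the firewall.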

  • Slide 41: Application Level Gateway Example

    [Diagram: an FTP connection is initiated from the public network (Internet); the Application Level Gateway completes the connection and the access rules are verified; if the connection is valid the state table is updated and a connection to the FTP Server is established]

  • Slide 42: Session Logging

    The firewall can be configured to log an extensive range of events, including:

    All denied packets

    All allowed packets

    Selected allowed and denied packet types

    Etc.

  • Slide 43: Notification SNMP/SMTP

    [Diagram: the firewall between the Internet and the protected private network detects an attack (a Port Scan); it sends an SNMP Trap message to the management platform and an email to a specified address]

    SNMP: simple network management protocol

  • Slide 44: Notification and Reconfiguration

    [Diagram: the firewall detects an attack (a SYN Flood) against the Web Server in the DMZ; the firewall is automatically reconfigured to deny all external access to the web server, and an email is sent to the System Manager]

  • Slide 45: Secure management

    Secure encrypted and authenticated remote management: Secure Shell (SSH)

    RSA encryption keys 512 - 2048 bits

    DES and Triple DES encryption for SSH sessions

    Can limit access to specific user addresses

  • Slide 46: Network configuration examples

  • Slide 47: Network configuration example

    [Diagram: the firewall between the Protected private network and the Internet]

    Allow all access from the private network to the Internet

    Deny all access from the Internet to the private network

  • Slide 48: Semi-Militarised Zone

    [Diagram: the Internet, a Semi Militarised Zone (SMZ) holding the Mail Server and the WEB Server, and the protected private network for corporate servers and users; the firewall policy limits incoming access from the public network to the WEB and mail servers, all other incoming traffic is blocked, and all unauthorised traffic between the SMZ and the private network is blocked]

  • Slide 49: Private LAN stays secure

    [Diagram: the same layout (Internet, Semi-Militarised Zone (SMZ) with Mail Server and WEB Server, protected private network); an intruder from the Internet logs in to a server in the SMZ ("Login: hacker", "Password: please", "OK Then!"), but the private LAN behind the firewall stays secure]

  • Slide 50: Demilitarised Zone

    [Diagram: the Internet, a Demilitarised Zone (DMZ) holding the Mail Server and the WEB Server, and the protected private network; there is open access between the private LAN and the DMZ, and static filters between the private LAN and the DMZ are used to control access, e.g. "Allow SMTP from here to there only"]
