1 / 51

Lecture 25: Firewalls

Lecture 25: Firewalls. Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications. What is a Firewall?.

kynton
Télécharger la présentation

Lecture 25: Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 25: Firewalls • Introduce several types of firewalls • Discuss their advantages and disadvantages • Compare their performances • Demonstrate their applications C. Ding -- COMP581 -- L25

  2. What is a Firewall? • A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. • The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. C. Ding -- COMP581 -- L25

  3. In other words… “A data sentry at the gateway to your network, combining the power of multiple firewall technologies to deliver powerful perimeter security” C. Ding -- COMP581 -- L25

  4. What a Firewall does • Implement security policies at a single point • Monitor security-related events (audit, log) • Provide strong authentication • Allow virtual private networks C. Ding -- COMP581 -- L25

  5. What a Firewall does not do • Protect against attacks that bypass the firewall • Dial-out from internal host to an ISP • Protect against internal threats • disgruntled employee • Insider cooperates with an external attacker • Protect against the transfer of virus-infected programs or files C. Ding -- COMP581 -- L25

  6. Protected Private Network Internet Firewall - Typical layout A firewall denies or permits access based on policies and rules C. Ding -- COMP581 -- L25

  7. Log Monitor Notify Protected Private Network Internet Attack Watching for attack C. Ding -- COMP581 -- L25

  8. Firewall technologies Common firewall technologies: • They may be classified into four categories: • Packet Filtering Firewalls • Circuit Level Firewalls • Application Gateway Firewalls (or proxy servers) • Stateful Inspection Firewalls (dynamic packet filtering firewalls) These technologies operate at different levels of detail, providing varying degrees of network access protection. These technologies are not mutually exclusive as some firewall products may implement several of these technologies simultaneously. C. Ding -- COMP581 -- L25

  9. Transport TCP, UDP . . . TCP, UDP . . . Network IP IP Data Link WAN PPP, Frame Relay . . . Drivers, MAC Address Physical LAN Interface Card Leased Line, ISDN, xDSL . . . LAN The Internet protocol stack Application C. Ding -- COMP581 -- L25

  10. Packet Filtering Firewalls C. Ding -- COMP581 -- L25

  11. Packet Filtering firewalls • The original firewall • Works at the network level of the OSI model • Applies packet filters based on access rules • Source address • Destination address • Application or protocol • Source port number • Destination port number C. Ding -- COMP581 -- L25

  12. Packet Filtering firewalls C. Ding -- COMP581 -- L25

  13. Packet Filtering firewalls • Packet Filtering is usually an integrated function of a router. • Packet filtering relies on Network Layer and Transport Layer information contained in the headers of data packets to police traffic. • This information includes source IP address and port number, destination IP address and port number, and protocol used (e.g., TCP, UDP, ICMP). This information is used as the criteria in network access rules. These rules are organized into several “filter sets” and each set handles traffic coming to the firewall over a specific interface. C. Ding -- COMP581 -- L25

  14. Packet Filtering Policy Example C. Ding -- COMP581 -- L25

  15. Rule 1 2 3 4 5 6 7 8 Direction Out Out In In & Out In In Out In Source Address * 10.56* 10.122* * * 201.32.4.76 * * Destination Address 10.56.199* 10.122* 10.56.199* 10.56.199* * * * 10.56.199* Protocol * TCP TCP TCP TCP * TCP TCP # Source Port * * 23 (Telnet) * * * * * # Destin. Port * 23 (Telnet) * 25 (Mail) 513 (rlogin) * 20 (FTP) 20 (FTP) Action Drop Pass Pass Pass Drop Drop Pass Drop Packet Filtering Policy Example Slide 16 C. Ding -- COMP581 -- L25

  16. Web Access Through a Packet Filter Firewall ACK: = positive acknowledgement message for the sender from the receiver. Typically just one bit. C. Ding -- COMP581 -- L25

  17. Output Filter Access Rules Internal Network Internet Router Packet Filtering Firewalls Firewall/Router Input Filter Access Rules Network Network Data Link Data Link Physical Physical C. Ding -- COMP581 -- L25

  18. Packet Filtering Firewalls:pros and cons • Advantages: • Simple, low cost, transparent to user • Disadvantages: • Hard to configure filtering rules • Hard to test filtering rules • Don’t hide network topology (due to transparency) • May not be able to provide enough control over traffic C. Ding -- COMP581 -- L25

  19. Circuit Level Firewalls(Circuit Level Gateways) C. Ding -- COMP581 -- L25

  20. Circuit Level Firewalls • Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP • Monitor TCP handshaking between packets to determine whether a requested session is legitimate. C. Ding -- COMP581 -- L25

  21. Circuit Level Firewalls C. Ding -- COMP581 -- L25

  22. Application Gateway Firewalls (Proxy Firewalls) C. Ding -- COMP581 -- L25

  23. Application Gateway firewalls • Similar to circuit-level gateways except that they are application specific. • Every connection between two networks is made via an application program called a proxy • Proxies are application or protocol specific • Only protocols that have specific proxies configured are allowed through the firewall; all other traffic is rejected. • Gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through C. Ding -- COMP581 -- L25

  24. Firewall Application Proxies Application Application Transport Transport Internal Network Network Network Data Link Data Link Internet Physical Physical Router Application Gateway Firewalls C. Ding -- COMP581 -- L25

  25. Application Gateway Firewalls C. Ding -- COMP581 -- L25

  26. Application Gateway Strengths • Very secure if used in conjunction with an intelligent packet filtering firewall • Well designed proxies provide excellent security C. Ding -- COMP581 -- L25

  27. Application Gateway weaknesses • Very CPU intensive • Requires high performance host computer • Host operating system liable to attack • Many proxies are transparent to application • Not transparent to users • Expensive C. Ding -- COMP581 -- L25

  28. Stateful Inspection Firewalls C. Ding -- COMP581 -- L25

  29. Stateful Inspection Firewalls • Third generation firewall technology, often referred to as dynamic packet filtering • Understands data in packets from the network layer (IP headers) up to the Application Layer • Tracks the state of communication sessions C. Ding -- COMP581 -- L25

  30. Firewall/Router Application - State Table Transport - Access Rules Network - Access Rules Internal Network Inspection Module Network Network Internet Data Link Data Link Physical Physical Router Stateful Inspection Firewalls C. Ding -- COMP581 -- L25

  31. Firewall checks policies to validate sending computer and allows traffic to pass to Public network Return traffic for validated web session is permitted and the state of the flow is monitored Internet User initiates web session Other traffic from public network is blocked Dynamic Filtering Stateful Inspection firewalls dynamically open and close ports (application specific connection points) based on access policies. Protected Private Network C. Ding -- COMP581 -- L25

  32. Stateful Inspection Strengths • Monitors the state of all data flows • Dynamically adapts filters based on defined policies and rules • Easily adapted to new Internet applications • Transparent to users • Low CPU overheads C. Ding -- COMP581 -- L25

  33. Stateful Inspection Weaknesses • Need to provide new client program • Might have problems with the availability of source code for various platforms C. Ding -- COMP581 -- L25

  34. Stateful Inspection Firewalls These are among the most secure firewalls available today “fooling them can be a lot of work” Jon McCown, network security analyst for the - U.S. National Computer Security Agency (NCSA) C. Ding -- COMP581 -- L25

  35. General Performance C. Ding -- COMP581 -- L25

  36. Other Issues about Firewalls C. Ding -- COMP581 -- L25

  37. RADIUS Support • Remote Authentication Dial-In User Services • A single, central security database for all system users • Centralised management of access lists C. Ding -- COMP581 -- L25

  38. Telephony Services Remote access security Dial-in user authenticated Head office Firewall policy assigned to dial-in user before completing connection to network Remote Dial-in user C. Ding -- COMP581 -- L25

  39. Protected private network Internet Stateful Inspection Implementation Return traffic for validated web session is permitted and the state of the flow is monitored Firewall checks policy rules to validate sender Firewall opens required port and allows traffic to pass to public network User initiates web session C. Ding -- COMP581 -- L25

  40. Protected private network Internet Network Address Translation Firewall substitutes private address to public address and forwards to the Internet Firewall translates return flow from Public to Private address User communicates with Internet using a private IP address C. Ding -- COMP581 -- L25

  41. Application Level Gateway completes connection If connection is valid the state table is updated and connection to FTP Server established FTP connection initiated from public network Application Level Gateway Example FTP Server Access rules verified C. Ding -- COMP581 -- L25

  42. Session Logging • The firewall can be configured to log an extensive range of events Including: • All denied packets • All allowed packets • Selected allowed and denied packet types • Etc. C. Ding -- COMP581 -- L25

  43. Protected private network Internet Notification SNMP/SMTP Email sent to specified address Firewall detects attack (Port Scan) SNMP Trap message to management platform SNMP: simple network management protocol C. Ding -- COMP581 -- L25

  44. Protected private network Internet Notification and Reconfiguration Web Server Firewall detects attack (SYN Flood) DMZ Email sent to System Manager Firewall automatically reconfigured to deny all External access to WEB Server C. Ding -- COMP581 -- L25

  45. Secure management • Secure encrypted and authenticated remote management • Secure Shell “SSH” • RSA encryption keys 512 - 2048 bits • DES and Triple DES encryption for SSH sessions • Can limit access to specific user addresses C. Ding -- COMP581 -- L25

  46. Network configuration examples C. Ding -- COMP581 -- L25

  47. Protected private network Internet Protected private network • Allow all access from private network to the Internet • Deny all access from the Internet to the private network C. Ding -- COMP581 -- L25

  48. All unauthorised traffic is blocked Private network for corporate servers and users Internet All other incoming traffic blocked SMZ Firewall policy limits incoming access to WEB and mail server from public network Semi-Militarised Zone Protected private network WEB Server SMZ Mail Server Semi Militarised Zone C. Ding -- COMP581 -- L25

  49. Internet Private LAN stays secure Protected private network WEB Server Login:hacker Password:please OK Then! SMZ Mail Server Semi-Militarised Zone C. Ding -- COMP581 -- L25

  50. Open access between private LAN and DMZ Allow SMTP, From here to there only Internet Static filters between private LAN and DMZ used to control access Demilitarised Zone Protected private network WEB Server DMZ Mail Server Demilitarised Zone C. Ding -- COMP581 -- L25

More Related