Internet firewalls
Internet Firewalls

What it is all about

Concurrency System Lab, EE, National Taiwan University

Outline

  • Firewall Design Principles

  • Firewall Characteristics

  • Components of Firewalls

  • Firewall Configurations
Firewalls

  • Protecting a local network from security threats while affording access to the Internet

Firewall Design Principles

  • The firewall is inserted between the private network and the Internet

  • Aims:

    • Establish a controlled link

    • Protect the local network from Internet-based attacks

    • Provide a single choke point

Firewall Characteristics

  • Design goals for a firewall

    • All traffic (in or out) must pass through the firewall

    • Only authorized traffic will be allowed to pass

    • The firewall itself is immune to penetration

Firewall Characteristics

  • Four general techniques:

    • Service control

      • The type of Internet services that can be accessed

    • Direction control

      • Inbound or outbound

    • User control

      • Which user is attempting to access the service

    • Behavior control

      • e.g., Filter email to eliminate spam

Components of Firewalls

  • Three common components of Firewalls:

    • Packet-filtering routers

    • Application-level gateways

    • Circuit-level gateways

    • (Bastion host)

Components of Firewalls (I)

  • Packet-filtering Router

Packet-filtering Router

  • Packet-filtering Router

    • Applies a set of rules to each incoming IP packet and then forwards or discards the packet

    • Filters packets going in both directions

    • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header

    • Two default policies (discard or forward)
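The rule-table behaviour described above, worked through on constructed packets: this is an added example, not code from the presentation. It models a stateless inbound filter as an ordered list of rules matched against IP/TCP header fields (addresses, protocol, destination port, and whether the segment is a new connection attempt), with the first match deciding and the default policy (discard or forward) deciding when nothing matches. The site addresses, rule set and packets are all constructed for the illustration.

```python
"""Packet-filtering router as an ordered rule table over IP/TCP header fields,
shown on constructed packets (an added example, not code from the presentation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                    # source IP address
    dst: str                    # destination IP address
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn_only: bool = False      # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                 # "forward" or "discard"
    src: str = "0.0.0.0/0"      # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None # None matches any protocol
    dport: Optional[int] = None # None matches any destination port
    new_conn_only: bool = False # match only TCP connection attempts

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.new_conn_only and not (p.proto == "tcp" and p.syn_only):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; if no rule matches, the default policy decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed inbound policy for a site using 192.0.2.0/24 with a public web
# server at 192.0.2.10 (documentation address ranges, chosen for this example).
INBOUND_RULES = [
    Rule("discard", src="192.0.2.0/24"),                      # our own addresses arriving from outside: spoofed
    Rule("forward", dst="192.0.2.10", proto="tcp", dport=80),  # anyone may reach the web server
    Rule("discard", proto="tcp", new_conn_only=True),          # no other inbound connection attempts
    Rule("forward", proto="tcp"),                              # later segments of connections opened from inside
]

# Constructed sample packets arriving from the Internet side.
SAMPLES = {
    "web request":     Packet("203.0.113.5", "192.0.2.10", "tcp", 40001, 80, syn_only=True),
    "telnet attempt":  Packet("203.0.113.5", "192.0.2.20", "tcp", 40002, 23, syn_only=True),
    "reply to inside": Packet("198.51.100.7", "192.0.2.33", "tcp", 443, 51000),
    "spoofed source":  Packet("192.0.2.20", "192.0.2.10", "tcp", 40003, 80, syn_only=True),
    "udp to port 53":  Packet("203.0.113.5", "192.0.2.53", "udp", 40004, 53),
}


def decisions(default: str = "discard") -> dict:
    """Decision for every sample packet under the given default policy."""
    return {name: filter_packet(INBOUND_RULES, p, default) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for default in ("discard", "forward"):
        print(f"default policy = {default}")
        for name, verdict in decisions(default).items():
            print(f"  {name:16s} -> {verdict}")
```

Running it with both default policies shows the point of the "two default policies" bullet: the UDP packet matches no rule, so it is dropped under default-discard and passed under default-forward. It also shows why rule ordering is the hard part of packet filtering: the anti-spoofing rule must come before the web-server rule, and the "replies only" rule works purely because new-connection segments were already discarded by the rule above it.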

[Figure: TCP/IP header fields used by packet-filter rules]

Packet-filtering Router

  • Advantages:

    • Simplicity

    • Transparency to users

    • High speed

  • Disadvantages:

    • Difficulty of setting up packet filter rules

    • Lack of Authentication

Packet-filtering Router

  • Open-source under UNIX:

    • IP firewall

    • IPFilter

    • ipchains

Components of Firewalls (II)

  • Application-level Gateway

Application-level Gateway

  • Application-level Gateway

    • Also called proxy server

    • Acts as a relay of application-level traffic

Application-level Gateway

  • Advantages:

    • Higher security than packet filters

    • Only need to check a few allowable applications

    • Easy to log and audit all incoming traffic

  • Disadvantages:

    • Additional processing overhead on each connection (gateway as splice point)

Application-level Gateway

  • Open-source under UNIX:

    • squid (WWW)

    • delegate (general purpose)

    • osrtspproxy (RTSP)

    • smtpproxy (SMTP)

Components of Firewalls (III)

  • Circuit-level Gateway

Circuit-level Gateway

  • Similar to Application-level Gateway

  • However:

    • it typically relays TCP segments from one connection to the other without examining the contents

    • Determines only which connections will be allowed

    • Typical usage is a situation in which the system administrator trusts the internal users

In other words

  • Korean customs

    • Circuit-level gateway only checks your nationality

    • Application-level gateway checks your baggage content in addition to your nationality
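The two gateway types described above (and the customs analogy), as an added example that is not code from the presentation: a circuit-level decision that looks only at the endpoints of a connection, and an application-level (proxy) decision that also parses the request the client sent and writes every verdict to an audit log. The trusted network, allowed ports, allow-lists, addresses and sample connections are all constructed for this illustration; the HTTP parser handles only a minimal request head.

```python
"""Circuit-level versus application-level gateway decisions for the same
connection (an added example, not code from the presentation). The circuit
check looks only at who is talking to whom; the application check also reads
the request the client sent, and every decision is logged for audit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE = ip_network("10.0.0.0/8")       # constructed: the trusted internal network
ALLOWED_PORTS = {80, 443}               # constructed: services users may reach
ALLOWED_METHODS = {"GET", "HEAD"}       # constructed: request methods the proxy relays
ALLOWED_HOSTS = {"www.example.com"}     # constructed: destination allow-list


@dataclass(frozen=True)
class Connection:
    client: str
    server: str
    port: int
    payload: bytes      # first application-layer bytes sent by the client


def circuit_level_decision(conn: Connection) -> bool:
    """Only 'nationality' is checked: trusted client, permitted port. The payload is never read."""
    return ip_address(conn.client) in INSIDE and conn.port in ALLOWED_PORTS


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (method, target, host) from a minimal HTTP/1.x request head, or None if it is not HTTP."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return parts[0], parts[1], host


def application_level_decision(conn: Connection, audit: List[str]) -> bool:
    """The proxy checks 'nationality' first and then the 'baggage': the request itself."""
    where = f"{conn.client}->{conn.server}:{conn.port}"
    if not circuit_level_decision(conn):
        audit.append(f"deny {where} endpoint not permitted")
        return False
    req = parse_http_request(conn.payload)
    if req is None:
        audit.append(f"deny {where} payload is not HTTP")
        return False
    method, target, host = req
    if method not in ALLOWED_METHODS or host not in ALLOWED_HOSTS:
        audit.append(f"deny {where} {method} {host} {target}")
        return False
    audit.append(f"allow {where} {method} {host} {target}")
    return True


# Constructed connections: a normal web request, a non-HTTP protocol carried on
# port 80, and a client outside the trusted network. 198.51.100.80 is a
# documentation address standing in for the web server.
SAMPLES = {
    "web": Connection("10.1.2.3", "198.51.100.80", 80,
                      b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "ssh-on-80": Connection("10.1.2.3", "198.51.100.80", 80, b"SSH-2.0-constructed\r\n"),
    "outsider": Connection("203.0.113.9", "198.51.100.80", 80,
                           b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}


def compare(audit: Optional[List[str]] = None) -> dict:
    """Map each sample to (circuit-level verdict, application-level verdict)."""
    audit = [] if audit is None else audit
    return {name: (circuit_level_decision(c), application_level_decision(c, audit))
            for name, c in SAMPLES.items()}


if __name__ == "__main__":
    log: List[str] = []
    for name, (circuit, app) in compare(log).items():
        print(f"{name:10s} circuit={circuit} application={app}")
    print("\n".join(log))
```

The "ssh-on-80" sample is the one to look at: the circuit-level check passes it, because a trusted client is talking to a permitted port, while the proxy refuses it because the bytes are not the application it was asked to relay. That is the trade-off the slides describe: the circuit-level gateway is cheaper and suits a site that trusts its internal users; the application-level gateway costs more per connection but can log and enforce what each connection actually carries.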

Components of Firewalls

  • Open-source under UNIX

    • SOCKS

    • dante

Components of Firewalls (II) and (III)

  • Bastion Host

    • serves as

      • application-level gateway

      • circuit-level gateway

      • both

Firewall Configurations

  • In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible

  • Three common configurations


  • Configuration (I): Screened host firewall system (single-homed bastion host)


  • Consists of two systems:

    • A packet-filtering router & a bastion host

  • Only packets from and to the bastion host are allowed to pass through the router

  • The bastion host performs authentication and proxy functions

More secure

  • More secure than each single component because:

    • offers both packet-level and application-level filtering

Firewall Configurations

  • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)


  • Configuration (II): Screened host firewall system (dual-homed bastion host)


  • Consists of two systems, just as configuration (I) does

  • However, the bastion host separates the network into two subnets

Even more secure

  • An intruder must generally penetrate two separate systems


  • Configuration (III): Screened-subnet firewall system


  • Three-level defense

    • Most secure

    • Two packet-filtering routers are used

    • Creates an isolated sub-network

  • Private network is invisible to the Internet

  • Computers inside the private network cannot construct direct routes to the Internet
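The three configurations above, worked through as a reachability check: this is an added example, not code from the presentation. Each configuration is a small topology in which a packet from one node to another crosses a forwarding device only if that device's policy permits the pair; hosts and the bastion never forward packets (the bastion terminates connections and proxies them instead). The router policies follow the slides: the outer router passes only packets from or to the bastion or the public server, and in the screened-subnet case the inner router lets private hosts talk only to the screened subnet. An `outer_router_compromised` switch, an assumption added for the illustration, makes the outer router forward everything, which is what separates "more secure" from "even more secure" in the slides.

```python
"""Which direct paths each firewall configuration permits, as an added example
(not code from the presentation). Nodes are hosts, routers and LAN segments;
a packet from src to dst crosses a node only if that node forwards and its
policy allows the (src, dst) pair. Hosts and the bastion never forward."""
from collections import deque

INTERNET, OUTER_ROUTER, INNER_ROUTER = "internet", "outer-router", "inner-router"
BASTION, WEB, INTERNAL = "bastion", "public-web", "internal-host"
SCREENED = {BASTION, WEB}          # hosts the outer router is allowed to expose


def any_traffic(src, dst):
    return True


def to_or_from_screened(src, dst):
    """Outer router: pass only packets from or to the bastion / public server."""
    return src in SCREENED or dst in SCREENED


def between_screened_and_private(src, dst):
    """Inner router (screened subnet): private hosts talk only to the screened subnet."""
    return (src == INTERNAL and dst in SCREENED) or (src in SCREENED and dst == INTERNAL)


def build(config, outer_router_compromised=False):
    """Return (adjacency, policy) for configuration "I", "II" or "III".
    '*-lan' nodes model a shared segment and forward everything; a compromised
    outer router forwards everything (assumption made for this example)."""
    outer = any_traffic if outer_router_compromised else to_or_from_screened
    if config == "I":      # single-homed bastion: one LAN behind one router
        edges = [(INTERNET, OUTER_ROUTER), (OUTER_ROUTER, "lan"),
                 ("lan", BASTION), ("lan", WEB), ("lan", INTERNAL)]
        policy = {OUTER_ROUTER: outer, "lan": any_traffic}
    elif config == "II":   # dual-homed bastion splits the site into two subnets
        edges = [(INTERNET, OUTER_ROUTER), (OUTER_ROUTER, "outer-lan"),
                 ("outer-lan", BASTION), ("outer-lan", WEB),
                 (BASTION, "inner-lan"), ("inner-lan", INTERNAL)]
        policy = {OUTER_ROUTER: outer, "outer-lan": any_traffic, "inner-lan": any_traffic}
    elif config == "III":  # screened subnet: two routers around an isolated subnet
        edges = [(INTERNET, OUTER_ROUTER), (OUTER_ROUTER, "screened-lan"),
                 ("screened-lan", BASTION), ("screened-lan", WEB),
                 ("screened-lan", INNER_ROUTER), (INNER_ROUTER, "private-lan"),
                 ("private-lan", INTERNAL)]
        policy = {OUTER_ROUTER: outer, INNER_ROUTER: between_screened_and_private,
                  "screened-lan": any_traffic, "private-lan": any_traffic}
    else:
        raise ValueError(f"unknown configuration {config!r}")
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj, policy


def direct_path(config, src, dst, outer_router_compromised=False):
    """True if an IP packet from src can reach dst without a host terminating it on the way."""
    adj, policy = build(config, outer_router_compromised)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        # Only the origin and permitting forwarders are expanded; end hosts and
        # the proxying bastion stop the packet, as does a router whose policy discards it.
        if node != src and (node not in policy or not policy[node](src, dst)):
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


if __name__ == "__main__":
    for cfg in ("I", "II", "III"):
        for compromised in (False, True):
            print(f"config {cfg:3s} outer router compromised={compromised}: "
                  f"internet->web {direct_path(cfg, INTERNET, WEB, compromised)}, "
                  f"internet->internal {direct_path(cfg, INTERNET, INTERNAL, compromised)}, "
                  f"internal->internet {direct_path(cfg, INTERNAL, INTERNET, compromised)}")
```

With the outer router intact, all three configurations keep the Internet away from the internal host while still exposing the public web server. The difference appears once the router is assumed compromised: in configuration (I) the internal host then sits on the same LAN as the bastion and is reachable directly, whereas in (II) and (III) the packet is stopped by the dual-homed bastion or the inner router, so an intruder must get through two separate systems. Configuration (III) additionally refuses a direct internal-host-to-Internet path even when nothing is compromised, which is the "cannot construct direct routes" property.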
Capabilities of a firewall

  • Defines a single choke point at which security features are applied

    • Security management is simplified

  • Provides a location for monitoring, audits, and alarms

  • A convenient platform for several non-security-related Internet functions

    • e.g., NAT, network management

  • Can serve as the platform for IPSec

    • Implement VPN with tunnel mode capability

What firewalls cannot protect against

  • Attacks that bypass the firewall

    • e.g., dial-in or dial-out capabilities that internal systems provide

  • Internal threats

    • e.g., disgruntled employee or employee who cooperates with external attackers

  • The transfer of virus-infected programs or files

Recommended Reading

  • Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995

  • Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000

  • Gasser, M. Building a Secure Computer System. Reinhold, 1988

  • Pfleeger, C. Security in Computing. Prentice Hall, 1997