Internet firewalls

Internet Firewalls

What it is all about

Concurrency System Lab, EE, National Taiwan University

http://cobra.ee.ntu.edu.tw

R355



Outline

  • Firewall Design Principles

  • Firewall Characteristics

  • Components of Firewalls

  • Firewall Configurations



Firewalls

  • Protecting a local network from security threats while affording access to the Internet


Firewall Design Principles

  • The firewall is inserted between the private network and the Internet

  • Aims:

    • Establish a controlled link

    • Protect the local network from Internet-based attacks

    • Provide a single choke point



Firewall Characteristics

  • Design goals for a firewall

    • All traffic (in or out) must pass through the firewall

    • Only authorized traffic will be allowed to pass

    • The firewall itself is immune to penetration



Firewall Characteristics

  • Four general techniques:

    • Service control

      • The type of Internet services that can be accessed

    • Direction control

      • Inbound or outbound

    • User control

      • Which user is attempting to access the service

    • Behavior control

      • e.g., Filter email to eliminate spam



Components of Firewalls

  • Three common components of Firewalls:

    • Packet-filtering routers

    • Application-level gateways

    • Circuit-level gateways

    • (Bastion host)


Components of Firewalls (I)

  • Packet-filtering Router



Packet-filtering Router

  • Packet-filtering Router

    • Applies a set of rules to each incoming IP packet and then forwards or discards the packet

    • Filters packets travelling in both directions

    • The packet filter is typically set up as an ordered list of rules, each matching on fields in the IP or TCP header (addresses, protocol, port numbers)

    • Two possible default policies for packets that match no rule: discard or forward



TCP/IP header



Packet-filtering Router

  • Advantages:

    • Simplicity

    • Transparency to users

    • High speed

  • Disadvantages:

    • Difficulty of setting up packet filter rules

    • Lack of Authentication



Packet-filtering Router

  • Open-source under UNIX:

    • IP firewall

    • IPFilter

    • IPchain


Components of Firewalls (II)

  • Application-level Gateway



Application-level Gateway

  • Application-level Gateway

    • Also called proxy server

    • Acts as a relay of application-level traffic



Application-level Gateway

  • Advantages:

    • Higher security than packet filters

    • Only need to check a few allowable applications

    • Easy to log and audit all incoming traffic

  • Disadvantages:

    • Additional processing overhead on each connection (gateway as splice point)



Application-level Gateway

  • Open-source under UNIX:

    • squid (WWW)

    • delegate (general purpose)

    • osrtspproxy (RTSP)

    • smtpproxy (SMTP)


Components of Firewalls (III)

  • Circuit-level Gateway



Circuit-level Gateway

  • Similar to Application-level Gateway

  • However:

    • It typically relays TCP segments from one connection to the other without examining their contents

    • It determines only which connections will be allowed

    • Typical usage is a situation in which the system administrator trusts the internal users



In other words

  • Korean customs as an analogy

    • Circuit-level gateway only checks your nationality

    • Application-level gateway checks your baggage content in addition to your nationality
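To make the customs analogy concrete, the following added example (not code from the presentation) contrasts the two decisions on the same inbound connection: a circuit-level check that looks only at the endpoints, and an application-level check that additionally parses the HTTP request it is asked to relay. The trusted network range, allowed ports and allowed methods are constructed policy values.

```python
"""Circuit-level vs application-level gateway decisions (added example)."""
from ipaddress import ip_address, ip_network

TRUSTED_INTERNAL = ip_network("192.0.2.0/24")  # constructed policy: trusted internal users
ALLOWED_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "HEAD"}               # constructed policy for the web proxy


def circuit_level_allow(src_ip: str, dst_port: int) -> bool:
    """Circuit-level gateway: decide per connection from endpoints only.
    Like checking nationality at customs, the payload is never inspected."""
    return ip_address(src_ip) in TRUSTED_INTERNAL and dst_port in ALLOWED_PORTS


def application_level_allow(src_ip: str, dst_port: int, request: bytes) -> bool:
    """Application-level gateway: same endpoint check, then inspect the
    application data (here an HTTP request) before relaying it."""
    if not circuit_level_allow(src_ip, dst_port):
        return False
    head, _, _ = request.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, _target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False  # malformed request line: refuse rather than relay blindly
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return False
    header_names = {line.split(":", 1)[0].strip() for line in lines[1:] if ":" in line}
    return "Host" in header_names  # require a Host header so the proxy knows the destination
```

The circuit-level check passes a connection as soon as the endpoints are acceptable; the application-level check still rejects it when the request inside is malformed or uses a method outside the proxy's policy.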



Components of Firewalls

  • Open-source under UNIX

    • SOCKS

    • dante


Components of Firewalls (II) ∪ (III)

  • Bastion Host

    • serves as

      • application-level gateway

      • circuit-level gateway

      • both



Firewall Configurations

  • In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible

  • Three common configurations


Configurations (I)

  • Screened host firewall system (single-homed bastion host)


Configurations (I)

  • Consists of two systems:

    • A packet-filtering router & a bastion host

  • Only packets from and to the bastion host are allowed to pass through the router

  • The bastion host performs authentication and proxy functions
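The following added example (not code from the presentation) implements the packet-filtering router described earlier as an ordered rule list with a default policy, and then expresses the screened-host rule above, that only packets to or from the bastion host may cross the router, as two rules. Addresses and the "in"/"out" direction labels are constructed for the example.

```python
"""Packet filter with first-match rules and a default policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (constructed values, not captured traffic)."""
    direction: str  # "in" = Internet -> private network, "out" = private network -> Internet
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left at its default matches anything."""
    action: str  # "forward" or "discard"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """The first matching rule decides; a packet matching no rule gets the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Screened-host policy for the router (constructed addresses): only packets to or
# from the bastion host pass, in either direction; everything else hits the default.
BASTION = "192.0.2.10/32"
SCREENED_HOST_RULES = [
    Rule("forward", direction="in", dst=BASTION),
    Rule("forward", direction="out", src=BASTION),
]
```

With the default policy left at "discard", an inbound packet addressed to an internal host other than the bastion is dropped even though no rule mentions it; with a "forward" default the same rule list would let it through, which is why the default policy matters as much as the rules.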



More secure

  • More secure than each single component because:

    • offers both packet-level and application-level filtering



Firewall Configurations

  • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)


Configurations (II)

  • Screened host firewall system (dual-homed bastion host)


Configurations (II)

  • Consists of two systems just as config (I) does.

  • However, the bastion host separates the network into two subnets.



Even more secure

  • An intruder must generally penetrate two separate systems


Configurations (III)

  • Screened-subnet firewall system


Configurations (III)

  • Three-level defense

    • Most secure

    • Two packet-filtering routers are used

    • Creates an isolated sub-network

  • Private network is invisible to the Internet

  • Computers inside the private network cannot construct direct routes to the Internet



Demo



Conclusion



Capabilities of firewall

  • Defines a single choke point at which security features are applied

    • Security management is simplified

  • Provides a location for monitoring, audits and alarms

  • A convenient platform for several non-security-related Internet functions

    • e.g., NAT, network management

  • Can serve as the platform for IPSec

    • Implement VPN with tunnel mode capability



What firewalls cannot protect against

  • Attacks that bypass the firewall

    • e.g., dial-in or dial-out capabilities that internal systems provide

  • Internal threats

    • e.g., disgruntled employee or employee who cooperates with external attackers

  • The transfer of virus-infected programs or files



Recommended Reading

  • Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995

  • Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000

  • Gasser, M. Building a Secure Computer System. Reinhold, 1988

  • Pfleeger, C. Security in Computing. Prentice Hall, 1997
