1 / 45

EMTM 553: E-commerce Systems Lecture 7b: Firewalls

EMTM 553: E-commerce Systems Lecture 7b: Firewalls. Insup Lee Department of Computer and Information Science University of Pennsylvania lee@cis.upenn.edu www.cis.upenn.edu/~lee. Why do we need firewalls ?. BEFORE AFTER (your results may vary). What is a firewall?. Two goals:

pilis
Download Presentation

EMTM 553: E-commerce Systems Lecture 7b: Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EMTM 553: E-commerce SystemsLecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania lee@cis.upenn.edu www.cis.upenn.edu/~lee EMTM 553

  2. Why do we need firewalls? EMTM 553

  3. EMTM 553

  4. EMTM 553

  5. BEFORE AFTER (your results may vary) EMTM 553

  6. What is a firewall? • Two goals: • To provide the people in your organization with access to the WWW without allowing the entire world to peak in; • To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network. • Basic idea: • Impose a specifically configured gateway machine between the outside world and the site’s inner network. • All traffic must first go to the gateway, where software decide whether to allow or reject. EMTM 553

  7. What is a firewall • A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. • The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. EMTM 553

  8. Firewalls DO • Implement security policies at a single point • Monitor security-related events (audit, log) • Provide strong authentication • Allow virtual private networks • Have a specially hardened/secured operating system EMTM 553

  9. Firewalls DON’T • Protect against attacks that bypass the firewall • Dial-out from internal host to an ISP • Protect against internal threats • disgruntled employee • Insider cooperates with and external attacker • Protect against the transfer of virus-infected programs or files EMTM 553

  10. Types of Firewalls • Packet-Filtering Router • Application-Level Gateway • Circuit-Level Gateway • Hybrid Firewalls EMTM 553

  11. Packet Filtering Routers • Forward or discard IP packet according a set of rules • Filtering rules are based on fields in the IP and transport header EMTM 553

  12. What information is used for filtering decision? • Source IP address (IP header) • Destination IP address (IP header) • Protocol Type • Source port (TCP or UDP header) • Destination port (TCP or UDP header) • ACK. bit EMTM 553

  13. Web Access Through a Packet Filter Firewall [Stein] EMTM 553

  14. Packet Filtering Routerspros and cons • Advantages: • Simple • Low cost • Transparent to user • Disadvantages: • Hard to configure filtering rules • Hard to test filtering rules • Don’t hide network topology(due to transparency) • May not be able to provide enough control over traffic • Throughput of a router decreases as the number of filters increases EMTM 553

  15. Application Level Gateways (Proxy Server) EMTM 553

  16. A Telnet Proxy EMTM 553

  17. A sample telnet session EMTM 553

  18. Application Level Gateways (Proxy Server) • Advantages: • complete control over each service (FTP/HTTP…) • complete control over which services are permitted • Strong user authentication (Smart Cards etc.) • Easy to log and audit at the application level • Filtering rules are easy to configure and test • Disadvantages: • A separate proxy must be installed for each application-level service • Not transparent to users EMTM 553

  19. Circuit Level Gateways EMTM 553

  20. Circuit Level Gateways (2) • Often used for outgoing connections where the system administrator trusts the internal users • The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections EMTM 553

  21. Hybrid Firewalls • In practice, many of today's commercial firewalls use a combination of these techniques. • Examples: • A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level. • Application proxies in established areas such as FTP may augment an inspection-based filtering scheme. EMTM 553

  22. Firewall Configurations • Bastion host • a system identified by firewall administrator as a critical strong point in the network’s security • typically serves as a platform for an application-level or circuit-level gateway • extra secure O/S, tougher to break into • Dual homed gateway • Two network interface cards: one to the outer network and the other to the inner • A proxy selectively forwards packets • Screened host firewall system • Uses a network router to forward all traffic from the outer and inner networks to the gateway machine • Screened-subnet firewall system EMTM 553

  23. Dual-homed gateway EMTM 553

  24. Screened-host gateway EMTM 553

  25. Screened Host Firewall EMTM 553

  26. Screened Subnet Firewall EMTM 553

  27. Screened subnet gateway EMTM 553

  28. Selecting a firewall system • Operating system • Protocols handled • Filter types • Logging • Administration • Simplicity • Tunneling EMTM 553

  29. Commercial Firewall Systems EMTM 553

  30. Widely used commercial firewalls • AltaVista • BorderWare (Secure Computing Corporation) • CyberGurad Firewall (CyberGuard Corporation) • Eagle (Raptor Systems) • Firewall-1 (Checkpoint Software Technologies) • Gauntlet (Trusted Information Systems) • ON Guard (ON Technology Corporation) EMTM 553

  31. Firewall’s security policy • Embodied in the filters that allow or deny passages to network traffic • Filters are implemented as proxy programs. • Application-level proxies • one for particular communication protocol • E.g., HTTP, FTP, SM • Can also filter based on IP addresses • Circuit-level proxies • Lower-level, general purpose programs that treat packets as black boxes to be forward or not • Only looks at header information • Advantages: speed and generality • One proxy can handle many protocols EMTM 553

  32. Configure a Firewall (1) • Outgoing Web Access • Outgoing connections through a packet filter firewall • Outgoing connections through an application-level proxy • Outgoing connections through a circuit proxy EMTM 553

  33. Firewall Proxy Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein] EMTM 553

  34. Configure a Firewall (2) • Incoming Web Access • The “Judas” server • The “Sacrificial Lamb” • The “Private Affair” server • The doubly fortified server EMTM 553

  35. The “Judas” Server (not recommended) [Stein] EMTM 553

  36. The “sacrificial lamb” [Stein] EMTM 553

  37. The “private affair” server [Stein] EMTM 553

  38. Internal Firewall An Internal Firewall protects the Web server from insider threats. [Stein] EMTM 553

  39. Placing the sacrificial lamb in the demilitarized zone. [Stein] EMTM 553

  40. Poking holes in the firewall • If you need to support a public Web server, but no place to put other than inside the firewall. • Problem: if the server is compromised, then you are cooked. EMTM 553

  41. Simplified Screened-Host Firewall Filter Rules [Stein] EMTM 553

  42. Filter Rule Exceptions for Incoming Web Services [Stein] EMTM 553

  43. Screened subnetwork Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein] EMTM 553

  44. Filter Rules for a Screened Public Web Server [Stein] EMTM 553

  45. Q&A EMTM 553

More Related