Internet Firewalls

What it is all about

Concurrency System Lab, EE, National Taiwan University

Outline

  • Firewall Design Principles

  • Firewall Characteristics

  • Components of Firewalls

  • Firewall Configurations

Firewalls

  • A firewall protects a local network from security threats while still affording its users access to the Internet

Firewall Design Principles

  • The firewall is inserted between the private network and the Internet

  • Aims:

    • Establish a controlled link

    • Protect the local network from Internet-based attacks

    • Provide a single choke point

Firewall Characteristics

  • Design goals for a firewall

    • All traffic, in or out, must pass through the firewall (there is no other path between the local network and the Internet)

    • Only traffic authorized by the local security policy is allowed to pass

    • The firewall itself is immune to penetration (it is a hardened, trusted system)

Firewall Characteristics

  • Four general techniques for controlling access:

    • Service control

      • Which Internet services may be accessed, inbound or outbound (by address and port, through a proxy, or by hosting the service on the firewall itself)

    • Direction control

      • The direction in which a request for a given service may be initiated: inbound or outbound

    • User control

      • Which user is attempting to access the service (usually applied to internal users; for external users it requires some form of authentication)

    • Behavior control

      • How a particular service is used, e.g., filtering e-mail to eliminate spam

Components of Firewalls

  • Three common components of Firewalls:

    • Packet-filtering routers

    • Application-level gateways

    • Circuit-level gateways

    • (Bastion host)

Components of Firewalls (I)

  • Packet-filtering Router

Packet-filtering Router

  • Packet-filtering Router

    • Applies a set of rules to each IP packet and then forwards or discards the packet

    • Filters packets travelling in both directions (from and to the internal network)

    • The packet filter is typically set up as a list of rules based on matches to fields in the IP and transport (TCP/UDP) header: source and destination address, protocol, source and destination port, and the interface the packet arrived on; the first rule that matches decides

    • Two possible default policies for packets that match no rule: discard (that which is not expressly permitted is prohibited) or forward (that which is not expressly prohibited is permitted)

Packet-filtering Router

  • Advantages:

    • Simplicity

    • Transparency to users

    • High speed

  • Disadvantages:

    • Difficulty of setting up packet filter rules correctly; a subtle mistake (e.g., trusting the source port of an inbound packet) opens a hole

    • Lack of authentication: decisions rest on addresses and ports alone, not on who the user is

    • No inspection of application data, so attacks on application-specific weaknesses pass through
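The rule-list-plus-default-policy model above, and the classic way a rule set goes wrong, as an added example (not code from the slides or from any of the UNIX filters they list). The internal network, the sample packets and both rule sets are constructed for illustration; the addresses are RFC 5737 documentation ranges. The goal of both rule sets is to let internal hosts send mail out and receive the replies; the naive set recognises a reply only by its source port, so an outsider who sends from port 25 reaches any internal port, while the hardened set additionally requires the ACK flag, which the first packet of a connection never carries.

```python
"""Toy stateless packet filter: an ordered rule list plus a default policy.

Added example for this page, not code from the original slides or from any of
the UNIX filters they list. The internal network, the rule sets and the sample
packets are constructed for illustration (RFC 5737 documentation addresses).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

OUR_NET = "192.0.2.0/24"   # assumed internal network behind the router
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag: clear only on the first packet of a connection
    inbound: bool = True    # True: arriving from the Internet side of the router


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = ANY                  # CIDR prefix
    dst: str = ANY
    proto: Optional[str] = None     # None matches anything
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None      # True: ACK must be set (part of an established connection)
    inbound: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        for field in ("proto", "sport", "dport", "ack", "inbound"):
            want = getattr(self, field)
            if want is not None and getattr(p, field) != want:
                return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Walk the rule list in order; the first matching rule decides.
    A packet no rule matches gets the default policy ("deny" = discard,
    "permit" = forward)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Naive: a reply is recognised only by its *source* port being 25. Anything an
# outside host sends from port 25 is let in, to any internal port.
NAIVE = [
    Rule("permit", src=OUR_NET, proto="tcp", dport=25, inbound=False),
    Rule("permit", dst=OUR_NET, proto="tcp", sport=25, inbound=True),
]

# Hardened: a reply additionally has to carry the ACK flag. The first packet of a
# connection never does, so an outsider cannot open a connection inward merely by
# choosing source port 25.
HARDENED = [
    Rule("permit", src=OUR_NET, proto="tcp", dport=25, inbound=False),
    Rule("permit", dst=OUR_NET, proto="tcp", sport=25, ack=True, inbound=True),
]


def demo() -> dict:
    # Constructed packets: our outbound SMTP connection, the genuine reply, and an
    # attacker's connection attempt to an internal telnet port from source port 25.
    outgoing = Packet("192.0.2.10", "203.0.113.9", "tcp", sport=40000, dport=25, inbound=False)
    reply = Packet("203.0.113.9", "192.0.2.10", "tcp", sport=25, dport=40000, ack=True)
    probe = Packet("203.0.113.66", "192.0.2.10", "tcp", sport=25, dport=23, ack=False)
    return {
        "naive": [filter_packet(NAIVE, p) for p in (outgoing, reply, probe)],
        "hardened": [filter_packet(HARDENED, p) for p in (outgoing, reply, probe)],
        "default_permit": filter_packet([], probe, default="permit"),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The naive set permits all three packets, the hardened set drops the probe while still passing the real reply, and an empty rule list with a forward default lets the probe straight through: the default policy matters as much as the rules.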

Packet-filtering Router

  • Open-source packet filters under UNIX:

    • IP Firewall (ipfw)

    • IPFilter

    • ipchains

Components of Firewalls (II)

  • Application-level Gateway

Application-level Gateway

  • Application-level Gateway

    • Also called a proxy server

    • Acts as a relay of application-level traffic: the internal user connects to the gateway, which opens its own connection to the remote host and forwards the application data between the two, so there is never a direct connection across the firewall

Application-level Gateway

  • Advantages:

    • Higher security than packet filters

    • Only needs to scrutinize the few applications that are allowed, rather than every possible combination of addresses and ports

    • Easy to log and audit all incoming traffic at the application level

  • Disadvantages:

    • Additional processing overhead on each connection: the gateway is a splice point between two TCP connections and must examine and forward all traffic in both directions
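What "relay of application-level traffic" looks like in code, as an added example (not code from the slides, nor from squid or any other proxy named on this page). The gateway below handles HTTP: it terminates the client's request, parses it, applies a service-control allow-list of hosts and a behaviour-control allow-list of methods, logs every decision, and only then builds a fresh request for its own second connection to the origin. The allow-lists are an assumed policy, and `ORIGINS` / `origin_connect` are constructed stand-ins for the real servers so the example runs offline.

```python
"""Minimal application-level gateway (HTTP proxy), modelled without a network.

Added example for this page, not code from the original slides or from squid or
any other proxy named there. The allow-lists are an assumed policy, and
ORIGINS / origin_connect stand in for the second connection the gateway opens
towards the real server, so the example runs offline.
"""
from typing import Callable, Dict, List, Tuple

ALLOWED_METHODS = {"GET", "HEAD"}                              # behaviour control
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}   # service control
MAX_REQUEST_BYTES = 8192

# Constructed "Internet": (host, path) -> raw response the origin server would send.
ORIGINS: Dict[Tuple[str, str], bytes] = {
    ("www.example.com", "/"): b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
}


def origin_connect(host: str, request: bytes) -> bytes:
    """Stand-in for the gateway's own outbound TCP connection (constructed)."""
    path = request.split(b" ", 2)[1].decode("ascii")
    return ORIGINS.get((host, path), b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")


class ApplicationGateway:
    """Terminates the client's connection, parses the request, applies policy,
    then speaks to the origin on a separate connection. Every decision is logged."""

    def __init__(self, connect: Callable[[str, bytes], bytes] = origin_connect):
        self.connect = connect
        self.audit: List[str] = []

    def _deny(self, client: str, reason: str) -> bytes:
        self.audit.append(f"{client} DENY {reason}")
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

    def handle(self, client: str, raw: bytes) -> bytes:
        if len(raw) > MAX_REQUEST_BYTES or b"\r\n\r\n" not in raw:
            return self._deny(client, "malformed or oversized request")
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
            return self._deny(client, "bad request line")
        method, target, version = parts
        if method not in ALLOWED_METHODS:        # e.g. CONNECT tunnels are refused
            return self._deny(client, f"method {method} not allowed")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                return self._deny(client, "bad header line")
            headers[name.strip().lower()] = value.strip()
        # Proxy-style requests carry an absolute URL; otherwise use the Host header.
        if target.startswith("http://"):
            host, _, rest = target[7:].partition("/")
            path = "/" + rest
        else:
            host, path = headers.get("host", ""), target
        host = host.split(":")[0].lower()
        if host not in ALLOWED_HOSTS:
            return self._deny(client, f"host {host!r} not allowed")
        if not path.startswith("/") or not path.isascii():
            return self._deny(client, "bad request target")
        # Second leg: a freshly built request containing only what was parsed and
        # approved; client headers are not copied through verbatim.
        forwarded = (f"{method} {path} {version}\r\nHost: {host}\r\n"
                     f"Connection: close\r\n\r\n").encode("ascii") + body
        self.audit.append(f"{client} ALLOW {method} {host}{path}")
        return self.connect(host, forwarded)


def demo() -> Tuple[bytes, bytes, bytes, List[str]]:
    """Constructed requests from two internal clients."""
    gw = ApplicationGateway()
    ok = gw.handle("192.0.2.10", b"GET http://www.example.com/ HTTP/1.1\r\n"
                                 b"Host: www.example.com\r\n\r\n")
    tunnel = gw.handle("192.0.2.10", b"CONNECT evil.example.net:443 HTTP/1.1\r\n"
                                     b"Host: evil.example.net:443\r\n\r\n")
    unknown = gw.handle("192.0.2.11", b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n")
    return ok, tunnel, unknown, gw.audit
```

Note what a packet filter could not have done here: the `CONNECT` request and the request for an unapproved host are both ordinary TCP traffic to the gateway's port; only parsing the HTTP request exposes the method and the destination, and the audit list records all three decisions.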

Application-level Gateway

  • Open-source application-level proxies under UNIX:

    • squid (WWW)

    • DeleGate (general purpose)

    • osrtspproxy (RTSP)

    • smtpproxy (SMTP)

Components of Firewalls (III)

  • Circuit-level Gateway

Circuit-level Gateway

  • Similar to an Application-level Gateway

  • However

    • it typically relays TCP segments from one connection to the other without examining their contents

    • it determines only which connections will be allowed, based on the source, destination and port of the requested connection

    • Typical usage is a situation in which the system administrator trusts the internal users: outbound connections are relayed without inspection, while inbound connections still get application-level scrutiny

In other words

  • Korean customs (an analogy)

    • A circuit-level gateway only checks your nationality

    • An application-level gateway checks the contents of your baggage in addition to your nationality

Components of Firewalls

  • Open-source circuit-level gateways under UNIX:

    • SOCKS

    • Dante
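The circuit-level decision as it appears on the wire, as an added example (not code from the slides, nor from the SOCKS reference implementation or Dante): the server side of the SOCKS5 connection setup from RFC 1928. The client first offers authentication methods and the server picks one; the client then names a command and a destination, and the server's reply either refuses the circuit or reports success, after which bytes are copied in both directions without parsing. The port allow-list is an assumed policy, the gateway's bound address is assumed, and the client byte strings in `demo()` are constructed.

```python
"""Circuit-level gateway: SOCKS5 connection setup (RFC 1928) from the server side.

Added example for this page, not code from the original slides nor from the
SOCKS reference implementation or Dante. The port allow-list and the gateway
address are assumed policy; the client byte strings in demo() are constructed.
"""
import select
import socket
import struct
from typing import Optional, Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08

ALLOWED_PORTS = {22, 80, 443}                    # assumed policy for circuits from inside
GATEWAY_ADDR, GATEWAY_PORT = "192.0.2.1", 1080   # assumed address the gateway binds


def negotiate_method(greeting: bytes) -> bytes:
    """Client: VER | NMETHODS | METHODS...   ->   Server: VER | METHOD"""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in greeting[2:] else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(req: bytes) -> Tuple[int, str, int]:
    """Client: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT  ->  (cmd, host, port)"""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4 and len(req) == 10:
        host = socket.inet_ntop(socket.AF_INET, req[4:8])
    elif atyp == ATYP_DOMAIN and len(req) >= 5 and len(req) == 7 + req[4]:
        host = req[5:5 + req[4]].decode("ascii")
    elif atyp == ATYP_IPV6 and len(req) == 22:
        host = socket.inet_ntop(socket.AF_INET6, req[4:20])
    else:
        raise ValueError("malformed request")
    return cmd, host, struct.unpack("!H", req[-2:])[0]


def reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bind_addr) + struct.pack("!H", bind_port))


def handle_request(req: bytes) -> Tuple[bytes, Optional[Tuple[str, int]]]:
    """Policy decision on the requested circuit. Returns the reply to send and the
    destination to connect to (None if refused). Only the (command, address,
    port) tuple is examined; the payload that follows is never inspected."""
    if len(req) >= 4 and req[3] not in (ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6):
        return reply(REP_ATYP_UNSUPPORTED), None
    try:
        cmd, host, port = parse_request(req)
    except (ValueError, UnicodeDecodeError):
        return reply(REP_GENERAL_FAILURE), None
    if cmd != CMD_CONNECT:                  # BIND / UDP ASSOCIATE not offered
        return reply(REP_CMD_UNSUPPORTED), None
    if port not in ALLOWED_PORTS:           # the whole access decision
        return reply(REP_NOT_ALLOWED), None
    return reply(REP_SUCCESS, GATEWAY_ADDR, GATEWAY_PORT), (host, port)


def relay(a: socket.socket, b: socket.socket) -> None:
    """After a successful reply: copy bytes in both directions until a side closes.
    Nothing is parsed here, which is what makes the gateway circuit-level."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for src in readable:
            data = src.recv(65536)
            if not data:
                return
            (b if src is a else a).sendall(data)


def demo() -> dict:
    # Constructed client messages
    greeting = b"\x05\x02\x00\x02"                    # offers no-auth and username/password
    https = b"\x05\x01\x00\x03" + bytes([15]) + b"www.example.com" + struct.pack("!H", 443)
    telnet = b"\x05\x01\x00\x01" + bytes([203, 0, 113, 5]) + struct.pack("!H", 23)
    bind = b"\x05\x02\x00\x01" + bytes([203, 0, 113, 5]) + struct.pack("!H", 80)
    return {
        "method": negotiate_method(greeting),
        "https": handle_request(https),
        "telnet": handle_request(telnet),
        "bind": handle_request(bind),
    }
```

The HTTPS circuit is granted and the gateway would now call `relay()` on the two sockets; the telnet circuit is refused with REP 0x02 ("connection not allowed by ruleset") and the BIND command with 0x07. Choosing the username/password method (0x02, RFC 1929) instead of no-auth is where a SOCKS gateway would add the user control the earlier slide lists.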

Components of Firewalls (II) ∪ (III)

  • Bastion Host

    • A hardened system that the firewall administrator identifies as a critical strong point in the network's security: it runs a secure version of its operating system and only the services it needs

    • serves as

      • application-level gateway

      • circuit-level gateway

      • both

Firewall Configurations

  • In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible

  • Three common configurations are described next

Configuration (I)

  • Screened host firewall system (single-homed bastion host)

  • Consists of two systems:

    • A packet-filtering router & a bastion host

  • The router is configured so that only packets from and to the bastion host pass through it: inbound traffic from the Internet is allowed only to the bastion host, and outbound traffic is allowed only from the bastion host

  • The bastion host performs authentication and proxy functions

More secure

  • More secure than either single component because it:

    • offers both packet-level and application-level filtering

  • Weak point: if the packet-filtering router is compromised, traffic can flow directly between the Internet and the other internal hosts, bypassing the bastion host

Firewall Configurations

  • This configuration also affords flexibility in providing direct Internet access: the router can be configured to let a public information server (e.g., a Web server) exchange traffic with the Internet directly, without going through the bastion host

Configuration (II)

  • Screened host firewall system (dual-homed bastion host)

  • Consists of two systems, just as configuration (I) does.

  • However, the bastion host has two network interfaces and physically separates the network into two subnets: the segment shared with the router, and the internal network. All traffic between the Internet and internal hosts must flow through the bastion host, so a compromised router no longer gives direct access to them.

Even more secure

  • An intruder must generally penetrate two separate systems (the router and the bastion host) before reaching the internal network

Configuration (III)

  • Screened-subnet firewall system

  • Three-level defense

    • Most secure of the three

    • Two packet-filtering routers are used: one between the Internet and the screened subnet, one between the screened subnet and the internal network

    • Creates an isolated sub-network (today usually called a DMZ) that holds the bastion host and any public servers

  • Private network is invisible to the Internet: the outer router advertises only the existence of the screened subnet

  • Computers inside the private network cannot construct direct routes to the Internet: the inner router advertises only the screened subnet to them

Capabilities of a firewall

  • Defines a single choke point at which security features are applied

    • Keeps unauthorized users out, prohibits vulnerable services from entering or leaving, and simplifies security management

  • Provides a location for monitoring security-related events: audits and alarms can be implemented on the firewall

  • A convenient platform for several non-security-related Internet functions

    • e.g., NAT (network address translation), network management (logging Internet usage)

  • Can serve as the platform for IPsec

    • Implements VPNs using tunnel-mode capability

What firewalls cannot protect against

  • Attacks that bypass the firewall

    • e.g., dial-in or dial-out capabilities that internal systems provide, creating a path around the choke point

  • Internal threats

    • e.g., a disgruntled employee, or an employee who cooperates with external attackers

  • The transfer of virus-infected programs or files: it is impractical for the firewall to scan every incoming file, e-mail and message for every known virus, given the variety of operating systems and applications inside

Recommended Reading

  • Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995

  • Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000

  • Gasser, M. Building a Secure Computer System. Reinhold, 1988

  • Pfleeger, C. Security in Computing. Prentice Hall, 1997