
Firewalls


jalena




Presentation Transcript


  1. Firewalls CS432

  2. Overview • What are firewalls? • Types of firewalls • Packet filtering firewalls • Stateful firewalls • Application gateway firewalls • Address translation firewalls • Host-based firewalls • Hybrid firewalls

  3. Definition • A firewall is a device or system that controls the flow of traffic between different areas of your network. • One of the main functions of a firewall is to control access to resources. • This may be achieved by installing a firewall on every workstation, or in a centralized manner (one firewall for the whole network).

  4. Types of Firewalls • Packet filtering firewalls • Stateful firewalls • Application gateway firewalls • Address translation firewalls • Host-based firewalls • Hybrid firewalls

  5. Packet Filtering Firewalls (PFFs) • The simplest type of firewall. • Typically a router that can filter on some packet header fields. • Mainly layer 3 (network) headers and sometimes layer 4 (transport) headers are examined; the payload is not.

  6. Filtering Rules • Packet filtering rules must be defined on the firewall. • These rules indicate which traffic should be allowed and which traffic should be denied. • A decision should also be taken regarding the notification strategy when packets are dropped: inform the sender (e.g. with an ICMP unreachable or a TCP reset) or drop silently.

  7. Filtering information • Source and destination layer 3 addresses. • Layer 3 protocol information (type of protocol). • Layer 4 protocol information (port numbers and flags). • Interface of sent or received traffic.

  8. A Simple Example

  9. A Typical Rule Table

  10. Understanding the Rules • Understanding the rule set is crucial to the operation of firewalls. • For example, if you omit rule 4 in table 1 above, there are two possibilities for traffic that matches no rule: allow it all (default permit) or deny it all (default deny). • If the first option is taken, you will be creating a big hole in your network; a rule set should always end in an explicit deny-all.

  11. An Example of Firewall Rules

  12. Advantages of packet filtering firewalls • They can process packets at high speed. • They can easily match on most fields in layer 3 and layer 4, giving flexibility in implementing security policies.

  13. Disadvantages • They can be complex to configure. • They cannot prevent application layer attacks. • They are susceptible to some TCP/IP attacks (SYN floods and IP spoofing), which they cannot detect. • They do not support user authentication. • They have limited logging capabilities.

  14. Stateful Firewalls • Stateful firewalls keep track of connection states at all stages: initiation, data transfer, or termination.

  15. A Typical Scenario Where PFF’s Fail • Assume that there is an inbound rule saying that any external traffic to 134.1.1.10 is denied. • This implies that connection requests coming from outside will be dropped. • However, assume that 134.1.1.10 tries to access a web server on an external machine, 189.1.2.3, say.

  16. A Typical Scenario … • The firewall will allow the initiation of the connection. • However, when the reply comes back from 189.1.2.3 it will be dropped, because it is external traffic addressed to 134.1.1.10. • Two solutions are possible in PFFs: • Allow inbound traffic to ports higher than 1023 (the ephemeral ports a client picks as its source port) • Examine the TCP segment flag bits (e.g. allow inbound segments only if ACK is set, since a new connection request carries SYN alone)

  17. Problems with the above solutions • Opening the high ports will cause a lot of problems: any external host can then reach any service listening above 1023. • Examining TCP flag bits is not a good solution either: they may not be handled consistently by all implementations, they may be forged by an attacker, and UDP traffic has no flags at all.

  18. A Stateful Solution • A stateful firewall solves the above problem by tracking the state of connections. • This is done through dynamic rules that are added when a connection is established and deleted after the connection is torn down. • The rules are either added to the main rule table or to a separate state table.

  19. A Stateful Solution • For example, when machine 134.1.1.10 initiates a connection to the external machine 189.1.2.3, the firewall adds a new entry to the rule table or the state table indicating that this is a request for a connection. • It notes the source and destination addresses and ports of the connection.

  20. Stateful solution • When 189.1.2.3 sends a reply to the connection request, the firewall notes from its table that this reply is part of an existing connection and allows it through. • The traffic along this connection will be allowed as long as the connection is open. • When the connection is torn down, all entries relating to the connection will be removed.
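The following Python model is an added example, not code from the slides, and it plays through slides 10 and 15 to 20 with the addresses the slides use (134.1.1.10 inside, 189.1.2.3 outside). The port numbers, flag sets and rule order are assumptions made for the illustration. It shows a first-match packet filter with a default action, the "open ports above 1023" workaround and the hole it creates, and a stateful firewall whose state table lets the reply back in while still refusing unsolicited inbound traffic.

```python
"""Packet filter vs. stateful firewall: the reply problem from the slides.

Added example; addresses follow the slides, ports/flags are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp" or "udp"
    sport: int
    dport: int
    direction: str                       # "in" = arriving from the Internet, "out" = leaving
    flags: FrozenSet[str] = frozenset()  # TCP flag names; empty for UDP


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    direction: Optional[str] = None      # None is a wildcard, for every field below
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dport_min: Optional[int] = None      # matches dport >= dport_min (the ">1023" trick)

    def matches(self, p: Packet) -> bool:
        exact = ((self.direction, p.direction), (self.src, p.src), (self.dst, p.dst),
                 (self.proto, p.proto), (self.dport, p.dport))
        if any(want is not None and want != got for want, got in exact):
            return False
        return self.dport_min is None or p.dport >= self.dport_min


class PacketFilter:
    """Static rules, first match wins; unmatched traffic gets the default action."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default           # "allow" here is the hole slide 10 warns about

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


def conn_key(p: Packet):
    """Normalise a packet to (inside_ip, inside_port, outside_ip, outside_port, proto)."""
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport, p.proto)
    return (p.dst, p.dport, p.src, p.sport, p.proto)


class StatefulFirewall(PacketFilter):
    """Same static rules, plus a state table consulted before them."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.state = set()               # dynamic entries, one per open connection

    def decide(self, p: Packet) -> str:
        key = conn_key(p)
        if key in self.state:            # reply or continuation of a known connection
            if p.flags & {"FIN", "RST"}:  # simplified teardown: a real firewall tracks
                self.state.discard(key)  # both FINs and times out idle entries
            return "allow"
        action = super().decide(p)
        if action == "allow" and p.direction == "out":
            self.state.add(key)          # let the reply in without a permanent hole
        return action


# Slide 15: external traffic to 134.1.1.10 is denied; the host may browse the web.
RULES = [
    Rule("allow", direction="out", src="134.1.1.10", proto="tcp", dport=80),
    Rule("deny", direction="in", dst="134.1.1.10"),
]
# Slide 16, first workaround: open every port above 1023 for inbound traffic.
HOLE = [Rule("allow", direction="in", dst="134.1.1.10", proto="tcp", dport_min=1024)] + RULES

# Constructed traffic for the scenario.
SCENARIO = [
    Packet("134.1.1.10", "189.1.2.3", "tcp", 40321, 80, "out", frozenset({"SYN"})),          # request
    Packet("189.1.2.3", "134.1.1.10", "tcp", 80, 40321, "in", frozenset({"SYN", "ACK"})),    # its reply
    Packet("189.1.2.3", "134.1.1.10", "tcp", 80, 40322, "in", frozenset({"SYN", "ACK"})),    # unsolicited
    Packet("189.1.2.3", "134.1.1.10", "tcp", 5555, 22, "in", frozenset({"SYN"})),            # inbound probe
    Packet("189.1.2.3", "134.1.1.20", "tcp", 5555, 22, "in", frozenset({"SYN"})),            # matches no rule
]


def run(fw) -> list:
    """Decisions for the five scenario packets, in order."""
    return [fw.decide(p) for p in SCENARIO]


if __name__ == "__main__":
    print("packet filter, default deny :", run(PacketFilter(RULES)))
    print("packet filter, default allow:", run(PacketFilter(RULES, default="allow")))
    print("ports > 1023 opened         :", run(PacketFilter(HOLE)))
    print("stateful                    :", run(StatefulFirewall(RULES)))
```

With the plain filter the legitimate reply is dropped; with the high ports opened the reply gets in but so does the unsolicited packet to port 40322; with default allow the probe to the host no rule mentions is let through; only the stateful firewall admits exactly the reply and nothing else.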

  21. Advantages • Aware of the state of the connection. • No need to open a large set of ports. • Prevents a wider set of DoS attacks (state table). • More robust logging (connection states).

  22. Limitations • They may be difficult to configure. • Cannot prevent application layer attacks. • Do not support user authentication. • Not all protocols carry state information (UDP, ICMP). • Applications that open multiple connections on dynamic ports (e.g. FTP data channels) may cause problems. • Additional overhead in maintaining state information.

  23. Application Gateway Firewalls (AGFs) • Sometimes called proxy firewalls. • They filter information at layers 3,4,5 and 7. • Most filtering and processing is done in software which provides more flexibility. • Sometimes they support only limited applications, for example e-mail, FTP, Telnet.

  24. AGF’s and Authentication • One of the major advantages of AGF’s is their ability to authenticate users. • A user requesting a connection to the network is first authenticated by the AGF. • The authentication database usually also stores authorization information, e.g. which servers the user may connect to: • Ahmed 232.1.5.6 allow

  25. Authentication Methods • User/password. • Certificates. • Biometrics • Token cards.

  26. Types of AGF’s • Two types of AGF’s: • Connection gateway firewalls. • Cut through proxy firewalls

  27. Connection Gateway Firewalls (CGF’s) • All traffic to the web server passes through the CGF. • First the CGF authenticates the user. If successful, the CGF establishes its own connection to the server. • The CGF examines all packets sent to the server and may control the type of traffic to be allowed or dropped.

  28. Cut Through Proxies (CTP) • Only authenticate the user at connection setup. • Afterwards perform filtering based on layer 3 and 4 information only, so the application data is not inspected.

  29. Address Translation Firewalls • It is well known that the IPv4 address space is being exhausted (address depletion). • The long term solution is to deploy IPv6. • A short term solution is to use Network Address Translation (NAT).

  30. Private Addresses • Two RFCs describe how NAT may be used. • RFC 1918 specifies private addresses (reserved addresses that can be used only inside an organization’s network, with no global meaning; they are never routed on the Internet). • About 17.9 million addresses (2^24 + 2^20 + 2^16) are available for local use.

  31. Private addresses • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8, one class A network) • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12, 16 class B networks) • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16, 256 class C networks)

  32. NAT • RFC 1631 (since superseded by RFC 3022) defines how network address translation may be performed. • Two schemes: • Simple NAT: one private address is mapped to one public address. • Overloaded NAT or PAT (Port Address Translation): many private addresses share one public address, distinguished by port number.

  33. NAT firewalls • A NAT firewall is a device configured to perform network address translation. • A side effect is that inbound packets for which no translation entry exists cannot be delivered to any internal host, so unsolicited inbound traffic is dropped.
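The following Python model is an added example, not code from the slides. It implements the two NAT schemes named on slide 32 and checks the RFC 1918 figures on slides 30 and 31: a simple one-to-one NAT that hands out public addresses from a pool, and a PAT table that lets many inside hosts share one public address by rewriting source ports. The public address 203.0.113.1 and the inside hosts 10.0.0.5 and 10.0.0.6 are assumptions; 203.0.113.0/24 is the RFC 5737 documentation range.

```python
"""Simple NAT and PAT tables, plus an RFC 1918 membership check.

Added example; public and inside addresses are assumed for the illustration.
"""
import ipaddress
import itertools
from typing import Optional, Tuple

# The three RFC 1918 blocks from slide 31.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the three private blocks (not Python's broader is_private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def rfc1918_address_count() -> int:
    """Total number of RFC 1918 addresses (slide 30 says 'around 17 million')."""
    return sum(net.num_addresses for net in RFC1918_NETWORKS)


class SimpleNat:
    """One-to-one NAT: each inside address gets its own public address from a pool."""

    def __init__(self, pool):
        self.pool = list(pool)            # unused public addresses
        self.bindings = {}                # inside_ip -> public_ip
        self.reverse = {}                 # public_ip -> inside_ip

    def translate_out(self, src_ip: str) -> Optional[str]:
        """New source address for an outbound packet, or None if the pool is empty."""
        if src_ip not in self.bindings:
            if not self.pool:
                return None               # no free public address: packet cannot leave
            public = self.pool.pop(0)
            self.bindings[src_ip] = public
            self.reverse[public] = src_ip
        return self.bindings[src_ip]

    def translate_in(self, dst_ip: str) -> Optional[str]:
        """Inside destination for an inbound packet, or None (drop) if unbound."""
        return self.reverse.get(dst_ip)


class PatTable:
    """Overloaded NAT: all inside hosts share one public address, keyed by port."""

    def __init__(self, public_ip: str = "203.0.113.1", first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # assumed allocation order
        self.outbound = {}                # (inside_ip, inside_port, proto) -> public_port
        self.inbound = {}                 # (public_port, proto) -> (inside_ip, inside_port)

    def translate_out(self, src_ip: str, src_port: int, proto: str) -> Tuple[str, int]:
        """Rewrite the source of an outbound packet, allocating a binding if needed."""
        key = (src_ip, src_port, proto)
        port = self.outbound.get(key)
        if port is None:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(port, proto)] = (src_ip, src_port)
        return self.public_ip, port

    def translate_in(self, dst_ip: str, dst_port: int, proto: str):
        """Inside (ip, port) for an inbound packet, or None if no binding exists."""
        if dst_ip != self.public_ip:
            return None
        return self.inbound.get((dst_port, proto))


if __name__ == "__main__":
    print("RFC 1918 addresses:", rfc1918_address_count())
    pat = PatTable()
    # Two inside hosts happen to pick the same source port; PAT keeps them apart.
    print(pat.translate_out("10.0.0.5", 40000, "tcp"))
    print(pat.translate_out("10.0.0.6", 40000, "tcp"))
    print("reply to port 1025 goes to", pat.translate_in("203.0.113.1", 1025, "tcp"))
    print("unsolicited inbound to port 2000:", pat.translate_in("203.0.113.1", 2000, "tcp"))
```

The last line of the demo is the point of slide 33: an inbound packet that matches no binding has nowhere to go, which is why a NAT device behaves like a stateful packet filter for inbound traffic even without explicit rules.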

  34. Host based firewalls • Software packet filtering firewalls. • Simplified versions that concentrate only on protecting a single machine. • Some may provide host-based authentication.

  35. Hybrid Firewalls • In real life firewall solutions are usually complex and hybrid. • They combine packet filtering, state tracking, authentication, address translation, etc. Many solutions even include an IDS. • This is dictated by competition. • A good example is the Cisco PIX firewall.

  36. Designing A Firewall Solution • Develop a security policy. • Create a simple design solution. • Use devices as intended. • Implement a layered defense. • Consider solutions to internal threats.

  37. The policy • Define acceptable and unacceptable behavior. • Restrictions on resources. • Adhere to company plans and policies. • Resources that require access from internal and external users. • Vulnerabilities associated with these resources. • Methods that can be used to protect resources. • Cost-benefit analysis for possible solutions.

  38. Demilitarized zones (DMZ’S) • A demilitarized zone is a segment or segments that have a higher security level than that of external segments, but a lower security level than that of internal segments. • Grant external users access to web servers, DNS servers …etc without risking internal security. • They act as a buffer between internal and external networks.

  39. Demilitarized zones (DMZ’S) • By default, interfaces with a higher security level can initiate traffic to lower security levels but not vice versa (this is the Cisco PIX security-level model). • Interfaces with the same security level cannot send traffic to each other by default.

  40. An Example Solution • Many different topologies can be considered. • [Figure: Internet – router (packet filter) – bastion host, here a proxy firewall – DMZ (De-Militarized Zone) containing the mail server and web server – internal packet filter – internal network]

  41. Bastion Server • A special type of proxy server. • A single point of contact to the network from outside. • Well fortified (hardened, running only the services it must). • Logging capabilities.
