Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
9/1/2012
Outline
Firewall overview
model
Firewall categories
Firewall design
9/1/2012
1. Firewall Overview
9/1/2012
(cont.)
9/1/2012
Definition of a Firewall
Its first use had to do not with network security, but with
controlling actual fires.
9/1/2012
(cont.)
9/1/2012
(cont.)
9/1/2012
Firewall Protection
9/1/2012
9/1/2012
(cont.)
9/1/2012
10
9/1/2012
11
(cont.)
9/1/2012
Interconnection
(OSI)
reference
model.
9/1/2012
13
9/1/2012
14
(cont.)
9/1/2012
15
(cont.)
9/1/2012
16
3. Firewall Categories
call a firewall.
9/1/2012
17
(cont.)
9/1/2012
Packet-filtering firewalls
Stateful firewalls
Application gateway firewalls
Address-translation firewalls
Host-based (server and personal) firewalls
Hybrid firewalls
18
9/1/2012
19
9/1/2012
20
(cont.)
Because TCP/IP is the de facto standard of
communications
protocols
in
today's
networks, most packet-filtering firewalls
support at least this protocol.
However,
packet-filtering firewalls can
support other protocols as well, including IPX,
AppleTalk, DECnet, and Layer 2 MAC
address and bridging information
9/1/2012
21
Filtering Actions
When implementing packet filtering, packetfiltering rules are defined on the firewall.
9/1/2012
22
Filtering Information
9/1/2012
23
Filtered Information
IP addresses
9/1/2012
24
Packet-Filtering Firewall
Example
9/1/2012
25
Packet-Filtering Table
Rule Source
address
1
Any
200.1.1.2
IP
Ip
Action
protocol protocol
inf
TCP
Port 80 Allow
Any
200.1.1.3
UDP
Port 53 Allow
Any
200.1.1.4
TCP
Port 25 Allow
Any
Any other
address
Any
Any
9/1/2012
Des
address
Drop
26
(cont.)
In this example, rule 1 states that if traffic
from any device on the Internet is sent to
TCP port 80 of 200.1.1.2, the packet-filtering
firewall should allow it.
Likewise, if any traffic is sent to UDP port 53
of 200.1.1.3 or TCP port 25 of 200.1.1.4, the
traffic should be allowed.
Any other type of traffic should be dropped.
9/1/2012
27
(cont.)
9/1/2012
28
For example
9/1/2012
29
(cont.)
dropped.
9/1/2012
30
Advantages of Packet-Filtering
Firewalls
Packet-filtering
firewalls
have
two
main
advantages:
31
(cont.)
9/1/2012
32
Limitations of Packet-Filtering
Firewalls
9/1/2012
9/1/2012
9/1/2012
35
(cont.)
9/1/2012
36
(cont.)
From a transport layer perspective, the
stateful firewall examines information in the
headers of Layer 3 packets and Layer 4
segments.
For example, it looks at the TCP header for
SYN, RST, ACK, FIN, and other control
codes to determine the state of the
connection.
9/1/2012
37
(cont.)
However,
because
the
session
layer
transport
layer
handles
the
actual
9/1/2012
38
9/1/2012
39
9/1/2012
40
Packet-Filtering Firewall
ExampleInitiating Connections
9/1/2012
41
(cont.)
9/1/2012
42
(cont.)
However, what happens if someone inside
the network, such as 200.1.1.10, tries to
access this external device (170.1.1.1)?
Assume that this is an HTTP request to
170.1.1.1, which has a web server running on
it.
HTTP uses TCP, and TCP goes through a
three-way handshake to establish a
connection before data is transferred: SYN,
SYN/ACK, and ACK.
9/1/2012
43
(cont.)
9/1/2012
44
(cont.)
the network.
45
(cont.)
170.1.1.1 now responds back to the TCP
SYN message of 200.1.1.10 with a SYN/ACK
(the second step in the three-way
handshake), as shown in Figure.
However, when the packet-filtering firewall
examines the packet, it determines that
because the destination is 200.1.1.10, the
packet should be dropped, according to its
packet-filtering rules.
9/1/2012
46
(cont.)
9/1/2012
47
Opening Ports
You can solve this problem with packetfiltering firewalls in two ways:
9/1/2012
48
9/1/2012
49
(cont.)
9/1/2012
50
Packet-Filtering Firewall
ExampleOpening Ports
9/1/2012
51
CAUTION
52
9/1/2012
53
(cont.)
With TCP, this can be done by examining the
control flags in the TCP segment header.
These are shown in Table and are defined in
RFC 793.
Note that multiple codes, commonly called
flags, can be sent in the same segment
header, such as SYN and ACK (SYN/ACK),
or FIN and ACK (FIN/ACK).
9/1/2012
54
Fin
Terminates a connection
Psh
Rst
Syn
Urg
9/1/2012
55
(cont.)
9/1/2012
56
For example
When the internal user (200.1.1.10) sends a
TCP SYN, you know that the 170.1.1.1 will
respond with a SYN and ACK in the TCP
segment header.
Therefore, if you know what kind of response
control flags TCP uses, you could configure
your packet-filtering firewall to allow this
traffic, as shown in Figure.
9/1/2012
57
9/1/2012
58
(cont.)
9/1/2012
59
(cont.)
9/1/2012
60
(cont.)
9/1/2012
61
State Table
Unlike
packet-filtering
firewalls,
stateful
this.
9/1/2012
62
9/1/2012
63
9/1/2012
64
(cont.)
9/1/2012
65
(cont.)
9/1/2012
66
(cont.)
When the stateful firewall receives this traffic,
it first checks to see whether the 200.1.1.10
connection is allowed out.
In this case, no filtering rules prevent this.
Unlike a packet-filtering firewall, which just
forwards the packet to 170.1.1.1, a stateful
firewall adds a filtering rule to its
configuration.
9/1/2012
67
(cont.)
connections.
9/1/2012
(cont.)
After 170.1.1.1 receives the connection
request, it responds to 200.1.1.1 with a
SYN/ACK.
When this segment reaches the stateful
firewall, the firewall looks in its state table first
(if the second method discussed previously is
used) to see if the connection exists.
9/1/2012
69
(cont.)
9/1/2012
70
(cont.)
9/1/2012
71
(cont.)
initiating a connection,
transferring data,
or terminating a connection.
9/1/2012
72
Advantages of Stateful
Firewalls
Stateful firewalls are aware of the state of a
connection.
Stateful firewalls do not have to open up a
large range of ports to allow communication.
Stateful firewalls prevent more kinds of DoS
attacks than packet-filtering firewalls and
have more robust logging.
9/1/2012
73
First
Stateful firewalls typically build a state table
and use this table to allow only returning
traffic from connections currently listed in the
state table.
After a connection is removed from the state
table, no traffic from the external device of
this connection is permitted.
Therefore, these types of connections are
more difficult to spoof.
9/1/2012
74
Second
75
Third
9/1/2012
76
Limitations of Stateful
Firewalls
9/1/2012
77
9/1/2012
78
(cont.)
79
(cont.)
by
assigning
an
idle
timer
to
these
80
(cont.)
removes it.
9/1/2012
81
(cont.)
9/1/2012
82
9/1/2012
83
(cont.)
Passive
84
FTP Connections
9/1/2012
85
(cont.)
9/1/2012
86
(cont.)
9/1/2012
87
9/1/2012
88
9/1/2012
9/1/2012
90
9/1/2012
91
(cont.)
Sometimes AGFs support only a limited
number of applications, or even just one
application.
Some of the more common applications that
an AGF might support include e-mail, web
services, DNS, Telnet, FTP, Usenet news,
LDAP, and finger.
9/1/2012
92
Authentication Process
9/1/2012
93
(cont.)
a device.
9/1/2012
94
(cont.)
In
this
example,
the
user
first
must
9/1/2012
95
9/1/2012
96
(cont.)
9/1/2012
97
(cont.)
9/1/2012
98
NOTE
more
efficient,
many
AGFs
information
stored
in
the
99
Authentication Methods
An
AGF
can
use
many
methods
to
and
passwords,
token
card
biometric information.
9/1/2012
100
(cont.)
101
(cont.)
If you are using a username and password
for authentication, the AGF prompts for the
username and password.
One problem with this authentication method
is that if the username and password are sent
across the connection in clear text, this
information is susceptible to eavesdropping.
9/1/2012
102
(cont.)
Therefore,
this
information
should
be
9/1/2012
103
9/1/2012
104
CGFs
offer
more protection
than CTP
firewalls.
connection
through a CGF.
9/1/2012
105
9/1/2012
106
NOTE
Therefore,
when
the
user
successfully
authenticates, all the authorization rules are put
into effect without requiring the user to
authenticate for each connection request.
9/1/2012
107
(cont.)
9/1/2012
108
9/1/2012
109
(cont.)
110
(cont.)
111
9/1/2012
112
In this example
9/1/2012
113
(cont.)
9/1/2012
114
(cont.)
HTTPS
for
handling
the
initial
authentication.
9/1/2012
115
Advantages of Application
Gateway Firewalls
9/1/2012
116
Limitations of Application
Gateway Firewalls
They
sometimes
require
special
client
software.
9/1/2012
117
(cont.)
Use a CTP
9/1/2012
118
other
application
gateways
119
(cont.)
the
proxy.
Whenever
the
individual
120
(cont.)
121
9/1/2012
122
3.5. Address-Translation
Firewalls
Address
translation
was
developed
to
9/1/2012
123
(cont.)
9/1/2012
124
(cont.)
9/1/2012
125
Address-Translation Firewalls
and the OSI Reference Model
9/1/2012
126
Filtering Process
9/1/2012
127
(cont.)
9/1/2012
128
Address-Translation Firewall
Example
9/1/2012
129
(cont.)
Because
private
IP
addresses
are
nonroutable in public networks, a public
address must be associated with these two
devices, and a DNS server needs to send the
public address in response to DNS queries
for the addresses of these devices.
9/1/2012
130
(cont.)
9/1/2012
131
9/1/2012
(cont.)
9/1/2012
133
9/1/2012
134
9/1/2012
135
more networks
9/1/2012
136
9/1/2012
137
Advantages of Host-Based
Firewalls
9/1/2012
138
Limitations of Host-Based
Firewalls
9/1/2012
139
140
9/1/2012
141
4. Firewall Design
9/1/2012
behavior,
should
state
143
(cont.)
The key to a good design is basing it on a
security policy.
Basically, a policy defines who is allowed to
access resources, what they are allowed to
do with resources, how resources should be
protected (in general terms), and what
actions are taken when a security issue
occurs.
9/1/2012
144
(cont.)
9/1/2012
145
implement
it,
maintain
it,
test
and
9/1/2012
146
147
9/1/2012
148
9/1/2012
149
9/1/2012
150
DMZ
9/1/2012
151
(cont.)
DMZs are used to grant external users
access to public and e-commerce resources
such as web, DNS, and e-mail servers
without exposing your internal network.
A firewall is used to provide the security-level
segmentation among the external, DMZ, and
internal resources.
9/1/2012
152
9/1/2012
153
(cont.)
9/1/2012
(cont.)
9/1/2012
155
(cont.)
Internet
9/1/2012
156
DMZ Types
internal
network,
and
DMZs
that
9/1/2012
157
Single DMZ
Single segment
Service-leg segment
9/1/2012
158
9/1/2012
159
9/1/2012
160
161
Multiple DMZs
9/1/2012
162
9/1/2012
163
Internal DMZ
internal network.
9/1/2012
164
9/1/2012
165
Components
Perimeter router
Firewall
VPN
IDS
9/1/2012
166
Firewall Component
9/1/2012
Stateful filtering
User authentication of connection with CTPs
Connection filtering with CGFs
Address translation
167
9/1/2012
168
9/1/2012
169