Firewall Characteristics
Types of Firewalls
Special thanks to our friends at The Blekinge Institute of Technology, Sweden, for providing the basis for these slides.
Fall 2008 CS 334: Computer Security 1 Fall 2008 CS 334: Computer Security 2
Design goals:
- All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
- Only authorized traffic (defined by the local security policy) will be allowed to pass
- The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

Four general techniques:
- Service control: determines the types of Internet services that can be accessed, inbound or outbound
- Direction control: determines the direction in which particular service requests are allowed to flow
Packet-filtering Router
- Applies a set of rules to each incoming IP packet and then forwards or discards the packet
- Filters packets going in both directions
- The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
- Two default policies (discard or forward)

Advantages:
- Simplicity
- Transparency to users
- High speed

Disadvantages:
- Difficulty of setting up packet filter rules
- Lack of authentication: who really sent the packet?
Can be clever:
- Allow connections initiated from the inside network to the outside, but not connections initiated from the outside.
- Traffic flows both ways, but if the firewall only allows incoming packets with the ACK bit set in the TCP header, this handles the issue: an incoming packet without ACK is a connection attempt, while an incoming packet with ACK belongs to a connection that already exists.
- Problem: some applications require the outside node to initiate a connection with the inside node (e.g. FTP, X Windows), even if the original request was initiated by the inside node.
- Solution (sort of): allow packets from outside if they are connecting to a high port number.
Possible attacks and appropriate countermeasures
- Tiny fragment attacks: the intruder uses the IP fragmentation option to create extremely small IP packets that force TCP header information into separate packet fragments
- Countermeasure: discard all packets where the protocol type is TCP and the IP fragment offset is small

Application-level Gateway
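The ACK-bit rule, the high-port exception and the tiny-fragment countermeasure from the slides above, as an added example that is not part of the original slides: a small stateless packet filter over constructed packets. The fragment-offset threshold (3) and the high-port boundary (1024) are assumptions, since the slides only say "small" and "high".

```python
from dataclasses import dataclass

# Constructed packet model: only the header fields the slides' rules inspect.
@dataclass
class Packet:
    direction: str        # "in" (outside -> inside) or "out" (inside -> outside)
    proto: str            # "tcp" or "udp"
    dst_port: int
    ack: bool = False     # TCP ACK flag (only visible in the first fragment)
    frag_offset: int = 0  # IP fragment offset in 8-byte units; 0 = first fragment

# Assumed thresholds (not given on the slides). A TCP header is 20 bytes, so a
# non-first fragment at offset 1 or 2 (8 or 16 bytes in) can still carry header
# fields, including the flags, that a deliberately tiny first fragment omitted.
MIN_SAFE_FRAG_OFFSET = 3
HIGH_PORT_MIN = 1024  # "high port number" for the FTP / X Windows exception

def filter_packet(pkt: Packet, allow_high_ports: bool = False) -> str:
    """Stateless filter built from the slides' rules; returns 'forward' or 'discard'."""
    # Tiny-fragment countermeasure: TCP fragment with a small non-zero offset.
    if pkt.proto == "tcp" and 0 < pkt.frag_offset < MIN_SAFE_FRAG_OFFSET:
        return "discard"
    # Direction control: connections initiated from the inside may go out.
    if pkt.direction == "out":
        return "forward"
    # Inbound TCP is accepted only with ACK set, i.e. as traffic on an existing
    # connection; a bare SYN from outside is a connection attempt and is dropped.
    if pkt.proto == "tcp" and pkt.ack:
        return "forward"
    # The "sort of" solution: let outside hosts open connections to high ports so
    # FTP data / X Windows callbacks work. Note how much this widens inbound policy.
    if allow_high_ports and pkt.proto == "tcp" and pkt.dst_port >= HIGH_PORT_MIN:
        return "forward"
    # Default policy: discard (non-TCP, other fragments, everything else).
    return "discard"

# Constructed sample traffic.
SAMPLES = {
    "outbound_syn":      Packet("out", "tcp", 80),
    "reply_with_ack":    Packet("in", "tcp", 51000, ack=True),
    "outside_syn_ssh":   Packet("in", "tcp", 22),
    "ftp_data_callback": Packet("in", "tcp", 40000),  # outside initiates to high port
    "tiny_fragment":     Packet("in", "tcp", 0, frag_offset=1),
    "inbound_udp":       Packet("in", "udp", 53),
}

def decide_all(allow_high_ports: bool = False) -> dict:
    """Apply the filter to every sample, so both policies can be compared."""
    return {name: filter_packet(p, allow_high_ports) for name, p in SAMPLES.items()}
```

Comparing `decide_all(False)` with `decide_all(True)` shows the trade-off the slides describe: the high-port exception lets the FTP data callback through, but it also accepts any outside connection attempt to a port above 1023.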
Circuit-level Gateway

Circuit-level Gateway
- Stand-alone system, or a specialized function performed by an application-level gateway
- Sets up two TCP connections
- The gateway typically relays TCP segments from one connection to the other without examining the contents
Circuit-level Gateway
- The security function consists of determining which connections will be allowed
- Typical use is a situation in which the system administrator trusts the internal users

Bastion Host
- A system identified by the firewall administrator as a critical strong point in the network's security
- The bastion host serves as a platform for an application-level or circuit-level gateway