
Firewall Design Principles

- Firewall Characteristics
- Types of Firewalls

Special thanks to our friends at the Blekinge Institute of Technology, Sweden, for providing the basis for these slides.

Fall 2008 CS 334: Computer Security

- Effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet
- Information systems undergo a steady evolution (from small LANs to Internet connectivity)
- Strong security features for all workstations and servers not established

- Systems provide many services by default
- Many workstations provide remote access to files and configuration databases (for ease of management and file sharing)
- Even if configured only for specific users, they can sometimes be tricked into providing services they shouldn't
  - E.g. missing bounds check in input parsers
- Also, users sometimes forget to close temporary holes
  - E.g. leaving file system remote mountable for file sharing


- Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don't
- Which services?
  - Finger
  - telnet: requires authentication, but password sent in clear
  - rlogin: similar to telnet, but uses IP address based authentication (Bad!)
  - ftp: tricky because two connections, control channel from sender, and data connection from receiver (passive ftp has both sender originated)
  - X Windows
  - ICMP

- The firewall is inserted between the premises network and the Internet
- Aims:
  - Establish a controlled link
  - Protect the premises network from Internet-based attacks
  - Provide a single choke point


Design goals:

- All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
- Only authorized traffic (defined by the local security policy) will be allowed to pass
- The firewall itself is immune to penetration (use of trusted system with a secure operating system)

Four general techniques:

- Service control
  - Determines the types of Internet services that can be accessed, inbound or outbound
- Direction control
  - Determines the direction in which particular service requests are allowed to flow


- User control
  - Controls access to a service according to which user is attempting to access it
- Behavior control
  - Controls how particular services are used (e.g. filter e-mail)

- Cannot protect against attacks that bypass the firewall
  - E.g. an internal modem pool
- Firewall does not protect against internal threats
- Firewall cannot protect against transfer of virus infected programs
  - Too many different apps and operating systems supported to make it practical to scan all incoming files for viruses


Three common types of Firewalls:

- Packet-filtering routers
- Application-level gateways
- Circuit-level gateways
- (Bastion host)

Packet-filtering Router


Packet-filtering Router

- Applies a set of rules to each incoming IP packet and then forwards or discards the packet
- Filter packets going in both directions
- The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
- Two default policies (discard or forward)

Advantages:
- Simplicity
- Transparency to users
- High speed

Disadvantages:
- Difficulty of setting up packet filter rules
- Lack of authentication
  - Who really sent the packet?


- Can be clever:
  - Allow connections initiated from inside network to outside, but not initiated from outside.
  - Traffic flows both ways, but if firewall only allows incoming packets with ACK set in TCP header, this manages the issue.
  - Problem: some apps require outside node to initiate connection with inside node (e.g. ftp, X Windows), even if original request initiated by inside node.
  - Solution (sort of): allow packets from outside if they are connecting to high port number.
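An added example (not from the original slides) that encodes this slide's rules as a stateless filter with a default-discard policy; the packets, addresses and the allow_high_ports switch are constructed for illustration. It shows what the ACK rule buys, and what the high-port exception and the lack of authentication give away:

```python
# Added example, not from the slides: a stateless packet filter with a
# default-discard policy, the "ACK set" rule and the high-port exception.
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "in" = Internet -> premises, "out" = premises -> Internet
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def filter_stateless(pkt, allow_high_ports=False):
    """Decide 'forward' or 'discard' from this packet's own headers alone."""
    if pkt.direction == "out":
        return "forward"                 # inside may initiate anything
    if pkt.proto == "tcp" and pkt.ack:
        return "forward"                 # ACK set: treated as a reply to an
                                         # inside-initiated connection
    if allow_high_ports and pkt.proto == "tcp" and pkt.dport > 1023:
        return "forward"                 # the "sort of" fix for ftp / X Windows
    return "discard"                     # default policy: discard


def demo():
    """Constructed packets; 203.0.113.5 is outside, 10.0.0.7 is inside."""
    out, inside = "203.0.113.5", "10.0.0.7"
    reply      = Packet("in", "tcp", out, inside, 80, 40001, syn=True, ack=True)
    telnet_syn = Packet("in", "tcp", out, inside, 4444, 23, syn=True)
    ftp_data   = Packet("in", "tcp", out, inside, 20, 40002, syn=True)
    x_syn      = Packet("in", "tcp", out, inside, 4444, 6000, syn=True)
    bare_ack   = Packet("in", "tcp", out, inside, 4444, 23, ack=True)
    return {
        "reply_to_inside_request": filter_stateless(reply),        # forward
        "outside_initiated_telnet": filter_stateless(telnet_syn),  # discard
        "ftp_data_strict": filter_stateless(ftp_data),             # discard: the problem
        "ftp_data_high_ports": filter_stateless(ftp_data, True),   # forward: the fix...
        "x_server_high_ports": filter_stateless(x_syn, True),      # forward: ...and its cost
        "ack_without_connection": filter_stateless(bare_ack),      # forward: no authentication
    }
```

The last two entries are the slide's "sort of" and the next slide's "who really sent the packet?" in one table: a header-only filter cannot tell a real reply from a packet that merely has the ACK bit set.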


- Changes filtering rules dynamically (by remembering what has happened in recent past)
- Example: Connection initiated from inside node S to outside IP address D. For short time allow incoming connections from D to appropriate ports (i.e. ftp port).
- In practice, much more caution
  - Stateful filter notices the incoming port requested by S and only allows connections from D to that port. Requires parsing ftp control packets

Possible attacks and appropriate countermeasures

- IP address spoofing
  - Discard packet with inside source address if it arrives on external interface
- Source routing attacks
  - Discard all source routed packets
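An added example (not part of the slides) of the stateful behaviour described above: the filter records the connections S opens, parses the ftp PORT command to learn which port D may connect back to, and closes that pinhole once it has been used or after an assumed lifetime. Hosts, ports and the PORT text are constructed for the example:

```python
# Added example, not from the slides: a stateful filter that remembers
# inside-initiated connections and opens a short-lived pinhole for the data
# connection an ftp PORT command announces (the lifetime is an assumed value).
from dataclasses import dataclass, field

@dataclass
class Packet:
    direction: str      # "in" = Internet -> premises, "out" = premises -> Internet
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: str = ""   # ftp control-channel text, if any

@dataclass
class StatefulFilter:
    ttl: float = 30.0                              # seconds a pinhole stays open
    conns: set = field(default_factory=set)        # (inside S, port, outside D, port)
    pinholes: dict = field(default_factory=dict)   # (D, S, port) -> expiry time

    def handle(self, pkt, now):
        if pkt.direction == "out":
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if pkt.dport == 21 and pkt.payload.startswith("PORT "):
                h1, h2, h3, h4, p1, p2 = map(int, pkt.payload[5:].strip().split(","))
                host = f"{h1}.{h2}.{h3}.{h4}"
                if host == pkt.src:                # only open a hole back to S itself
                    self.pinholes[(pkt.dst, host, p1 * 256 + p2)] = now + self.ttl
            return "forward"
        if pkt.ack and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "forward"                       # reply on a connection S opened
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack and now <= self.pinholes.get(key, -1.0):
            del self.pinholes[key]                 # one pinhole, one data connection
            return "forward"                       # D reaching the port S announced
        return "discard"

def demo():
    f, S, D = StatefulFilter(), "10.0.0.7", "203.0.113.5"   # constructed hosts
    f.handle(Packet("out", S, D, 40001, 21, ack=True, payload="PORT 10,0,0,7,156,66\r\n"), now=1.0)
    return {                                                  # 156*256+66 = port 40002
        "ctrl_reply": f.handle(Packet("in", D, S, 21, 40001, syn=True, ack=True), now=1.5),
        "data_to_other_port": f.handle(Packet("in", D, S, 20, 6000, syn=True), now=2.0),
        "data_from_stranger": f.handle(Packet("in", "198.51.100.9", S, 20, 40002, syn=True), now=2.0),
        "data_to_announced_port": f.handle(Packet("in", D, S, 20, 40002, syn=True), now=2.0),
        "data_again_later": f.handle(Packet("in", D, S, 20, 40002, syn=True), now=3.0),
    }
```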


Possible attacks and appropriate countermeasures

- Tiny fragment attacks
  - Intruder uses IP fragment option to create extremely small IP packets that force TCP header information into separate packet fragments
  - Discard all packets where protocol type is TCP and IP fragment offset is small

Application-level Gateway
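An added example (not from the slides) of the three countermeasures on this and the previous slide as header checks run before the rule table; the premises address block 10.0.0.0/8 and the 20-byte TCP header threshold are assumptions made for the example:

```python
# Added example, not from the slides: header sanity checks for the three
# attacks above, run before the rule table sees the packet.  The premises
# address block and the 20-byte TCP header threshold are assumed here.
from dataclasses import dataclass
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed premises block
TCP_HEADER_LEN = 20                                 # bytes holding ports and flags

@dataclass
class IPPacket:
    iface: str           # interface it arrived on: "ext" or "int"
    src: str
    proto: str           # "tcp", "udp" or "icmp"
    frag_offset: int     # IP fragment offset, in 8-byte units
    more_frags: bool     # IP "more fragments" flag
    payload_len: int     # bytes following the IP header
    source_routed: bool  # strict or loose source-route option present

def sanity_check(pkt):
    """Return None to pass the packet to the rule table, else why to discard it."""
    # IP address spoofing: an inside address never legitimately enters from outside
    if pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
        return "inside source address on external interface"
    # Source routing: the sender, not our routers, chose the path
    if pkt.source_routed:
        return "source-routed packet"
    # Tiny fragments: the TCP flags sit at bytes 12-13 of the TCP header, so a
    # first fragment shorter than the header, or a fragment whose offset lands
    # inside the header, keeps them away from a filter that checks fragment 0 only
    if pkt.proto == "tcp":
        if pkt.frag_offset == 0 and pkt.more_frags and pkt.payload_len < TCP_HEADER_LEN:
            return "first fragment too small to carry the TCP header"
        if 0 < pkt.frag_offset * 8 < TCP_HEADER_LEN:
            return "fragment offset inside the TCP header"
    return None

def demo():
    """Constructed packets, all arriving on the external interface."""
    def ext(src, proto="tcp", off=0, mf=False, plen=40, sr=False):
        return IPPacket("ext", src, proto, off, mf, plen, sr)
    return {
        "normal": sanity_check(ext("203.0.113.5")),
        "spoofed_inside_source": sanity_check(ext("10.0.0.7")),
        "source_routed": sanity_check(ext("203.0.113.5", sr=True)),
        "tiny_first_fragment": sanity_check(ext("203.0.113.5", mf=True, plen=8)),
        "offset_one_fragment": sanity_check(ext("203.0.113.5", off=1, plen=8)),
        "udp_fragment_untouched": sanity_check(ext("203.0.113.5", proto="udp", off=1, plen=8)),
    }
```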


Application-level Gateway

- Also called proxy server
- Acts as a relay of application-level traffic
- Can act as router, but typically placed between two packet filtering firewalls (for total of three boxes)
  - Two firewalls are routers that refuse to forward anything from the global net that is not to gateway, and anything to global net that is not from gateway.
- Sometimes called a bastion host (we use the term differently)

Advantages:
- Higher security than packet filters
- Only need to scrutinize a few allowable applications
- Easy to log and audit all incoming traffic

Disadvantages:
- Additional processing overhead on each connection (gateway as splice point)


Circuit-level Gateway

- Stand-alone system or
- Specialized function performed by an Application-level Gateway
- Sets up two TCP connections
- The gateway typically relays TCP segments from one connection to the other without examining the contents


Circuit-level Gateway

- The security function consists of determining which connections will be allowed
- Typical use is a situation in which the system administrator trusts the internal users

Bastion Host

- A system identified by the firewall administrator as a critical strong point in the network's security
- The bastion host serves as a platform for an application-level or circuit-level gateway
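An added example (not the slides' code, nor any product's) of a minimal circuit-level gateway as the two preceding slides describe it: connection_allowed() is the security function that decides which circuits get set up, and relay() splices the two TCP connections without examining what passes through. The policy table and the loopback socket pairs in demo() are constructed stand-ins for real connections:

```python
# Added example, not from the slides: the two halves of a circuit-level
# gateway.  connection_allowed() is the security function; relay() splices
# one TCP connection to another without looking at what flows through.
import select
import socket
import threading

# Assumed policy: which inside client may reach which outside service port.
ALLOWED = {("10.0.0.7", 25), ("10.0.0.7", 80)}

def connection_allowed(client_ip, dst_port):
    """The gateway's only security decision: may this circuit be set up?"""
    return (client_ip, dst_port) in ALLOWED

def relay(inside, outside, idle_timeout=2.0):
    """Copy bytes both ways until both sides close; returns bytes copied."""
    peer = {inside: outside, outside: inside}
    live = set(peer)
    copied = 0
    while live:
        readable, _, _ = select.select(list(live), [], [], idle_timeout)
        if not readable:
            break                            # idle circuit: give up
        for s in readable:
            chunk = s.recv(4096)             # contents are never parsed
            if chunk:
                peer[s].sendall(chunk)
                copied += len(chunk)
            else:
                peer[s].shutdown(socket.SHUT_WR)   # pass the EOF along
                live.discard(s)
    return copied

def demo():
    client, gw_in = socket.socketpair()      # client <-> gateway inside leg
    gw_out, server = socket.socketpair()     # gateway outside leg <-> server
    for s in (client, server): s.settimeout(5.0)
    assert connection_allowed("10.0.0.7", 25)          # policy precedes the splice
    result = []
    t = threading.Thread(target=lambda: result.append(relay(gw_in, gw_out)))
    t.start()
    client.sendall(b"HELO example\r\n")
    got = server.recv(4096)
    server.sendall(b"250 OK\r\n")
    back = client.recv(4096)
    client.shutdown(socket.SHUT_WR)
    server.shutdown(socket.SHUT_WR)
    t.join()
    for s in (client, gw_in, gw_out, server): s.close()
    return got, back, result[0]
```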


- In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
- We won't go into these

- Assume all bad guys are on outside, and everyone inside can be trusted.
- Firewalls can be defeated if malicious code can be injected into corporate network
  - E.g. trick someone into launching an executable from an email message or into downloading something from the net.
- Often make it difficult for legitimate users to get their work done.
  - Misconfiguration, failure to recognize new app


- If firewall allows anything through, people figure out how to do what they need by disguising their traffic as allowed traffic
  - E.g. file transfer by sending it through email. If size of emails limited, then user breaks them into chunks, etc.
- Firewall friendly traffic (e.g. using http for other purposes)
  - Defeats effort of sysadmin to control traffic
  - Less efficient than not using http
