Firewalls

Lecture 25: Firewalls
Introduce several types of firewalls
Discuss their advantages and
disadvantages
Compare their performances
Demonstrate their applications
C. Ding -- COMP581 -- L25
What is a Firewall?
A firewall is a system of hardware and
software components designed to restrict

access between or among networks, most
often between the Internet and a private
Internet.
The firewall is part of an overall security
policy that creates a perimeter defense
designed to protect the information
resources of the organization.
In other words
A data sentry at the
gateway to your network,

combining the power of
multiple firewall
technologies to deliver
powerful perimeter
security
What a Firewall does

Implement security policies at a single
point
Monitor security-related events (audit, log)
Provide strong authentication
Allow virtual private networks
What a Firewall does not do

Protect against attacks that bypass the
firewall
Dial-out from internal host to an ISP
Protect against internal threats

disgruntled
employee
Insider cooperates with an external attacker
Protect against the transfer of virus-
infected programs or files
Firewall - Typical layout

A firewall denies or permits access
based on policies and rules
Protected Private Network
Internet
Watching for attack

Monitor
Log
Notify
Internet
Attack
Firewall technologies
Common firewall technologies:
They may be classified into four categories:
Packet Filtering Firewalls

Circuit Level Firewalls
Application Gateway Firewalls (or proxy servers)
Stateful Inspection Firewalls (dynamic packet filtering
firewalls)
These technologies operate at different levels of

detail, providing varying degrees of network
access protection.
These technologies are not mutually exclusive as
some firewall products may implement several of
these technologies simultaneously.
The Internet protocol stack

Application
TCP, UDP . . .
IP
Transport
Network
TCP, UDP . . .
IP
PPP, Frame Relay . . .
Data Link
Drivers, MAC Address
Leased Line, ISDN, xDSL . . .
Physical
LAN Interface Card
WAN
LAN
10
Packet Filtering firewalls

The original firewall
Works at the network level of the OSI
model
Applies packet filters based on access
rules
Source address
Destination address
Application or protocol
Source port number
Destination port number
11
12

Packet Filtering is usually an integrated function
of a router.
Packet filtering relies on Network Layer and
Transport Layer information contained in the
headers of data packets to police traffic.
This information includes source IP address and
port number, destination IP address and port
number, and protocol used (e.g., TCP, UDP, ICMP).
This information is used as the criteria in network
access rules. These rules are organized into
several filter sets and each set handles traffic
coming to the firewall over a specific interface.
13
Packet Filtering Policy Example

My host
Other host
action
name
port
name
port
comments
block
microsoft.com
Block everything
from MS
allow
My-gateway
25
Allow incoming
mail
14
Packet Filtering Policy Example

Rule
Direction
Source
Address
Destination Protocol
Address
# Source
# Destin.
Port
Port
Action
Slide 16
1
Out
10.56.199*
Drop
Out
10.56*
10.122*
TCP
23 (Telnet)
Pass
In
10.122*
10.56.199*
TCP
23 (Telnet)
Pass
In & Out
10.56.199*
TCP
25 (Mail)
Pass
In
TCP
513 (rlogin)
Drop
In
201.32.4.76
Drop
Out
TCP
20 (FTP)
Pass
In
10.56.199*
TCP
20 (FTP)
Drop
15
Web Access Through a Packet

Filter Firewall
ACK: = positive acknowledgement message for the sender from the receiver.
Typically just one bit.
16

Firewall/Router
Internal
Network
Output
Filter
Input
Filter
Access Rules
Access Rules
Network
Network
Data Link
Router
Data Link
Internet
Physical
Physical
17
Packet Filtering Firewalls:

pros and cons
Advantages:
Simple,
low cost, transparent to user
Disadvantages:
Hard to configure filtering rules
Hard to test filtering rules
Dont hide network topology (due to
transparency)
May not be able to provide enough control over
traffic
18

(Circuit Level Gateways)
19

Circuit level gateways work at the session
layer of the OSI model, or the TCP layer

of TCP/IP
Monitor TCP handshaking between packets
to determine whether a requested session
is legitimate.
20
21
Application Gateway Firewalls

(Proxy Firewalls)
22
Application Gateway firewalls

Similar to circuit-level gateways except that they
are application specific.

Every connection between two networks is made
via an application program called a proxy
Proxies are application or protocol specific
Only protocols that have specific proxies
configured are allowed through the firewall; all
other traffic is rejected.
Gateway that is configured to be a web proxy will
not allow any ftp, gopher, telnet or other traffic
through
23

Firewall
Application Proxies
Internal
Network
Application
Application
Transport
Transport
Network
Network
Data Link
Data Link
Internet
Physical
Physical
Router
24
25
Application Gateway Strengths

Very secure if used in conjunction with an
intelligent packet filtering firewall
Well designed proxies provide excellent
security
26
Application Gateway weaknesses

Very CPU intensive
Requires high performance host computer

Host operating system liable to attack
Many proxies are transparent to
application
Not transparent to users
Expensive
27
Stateful Inspection Firewalls
28

Third generation firewall technology, often
referred to as dynamic packet filtering

Understands data in packets from the
network layer (IP headers) up to the
Application Layer
Tracks the state of communication
sessions
29

Firewall/Router
Application - State Table
Transport - Access Rules
Network - Access Rules

Internal
Network
Inspection Module
Network
Data Link
Physical
Network
Router
Data Link
Internet
Physical
30
Dynamic Filtering
Stateful Inspection firewalls
dynamically open and close
ports (application specific
connection points) based
on access policies.
Firewall checks policies to

validate sending computer
and allows traffic to pass to
Public network
Internet
User initiates web session

Return traffic for validated
web session is permitted and the
state of the flow is monitored
Other traffic
from public
network
is blocked
31
Stateful Inspection Strengths

Monitors the state of all data flows
Dynamically adapts filters based on
defined policies and rules

Easily adapted to new Internet applications
Transparent to users
Low CPU overheads
32
Stateful Inspection
Weaknesses
Need to provide new client program
Might have problems with the availability
of source code for various platforms
33

These are among the most
secure firewalls available today
fooling them can be a lot of work
Jon McCown, network security analyst for

the - U.S. National Computer Security
Agency (NCSA)
34
General Performance
35
Other Issues about Firewalls
36
RADIUS Support
Remote Authentication Dial-In User
Services
A single, central security database for all

system users
Centralised management of access lists
37
Remote access security

Dial-in user
authenticated
Head office
Telephony
Services
Firewall policy assigned

to dial-in user before
completing connection
to network
Remote Dial-in user

38
Stateful Inspection Implementation
Firewall checks
policy rules to
validate sender
Return traffic for validated

web session is permitted
and the state of the flow is
monitored
Protected private network
Internet
User initiates
web session
Firewall opens
required port
and allows traffic
to pass to
public network
39
Network Address Translation

Firewall substitutes
private address
to public address
and forwards
to the Internet
Internet
User communicates
with Internet
using a private
IP address
Firewall translates
return flow from
Public to
Private address
40
Application Level Gateway Example

Application Level
Gateway completes
connection
FTP Server
Internet
If connection is valid
the state table is
updated
and connection to
FTP Server
established
Access rules
verified
FTP connection
initiated from
public network
41
Session Logging
The firewall can be configured to log an
extensive range of events Including:
All denied packets

All allowed packets
Selected allowed and denied packet types
Etc.
42
Notification SNMP/SMTP
Email sent to
specified
address
Firewall detects
attack
(Port Scan)
Internet
SNMP Trap
message
to management
platform
SNMP: simple network management protocol

43
Notification and Reconfiguration
DMZ
Web Server
Firewall detects
attack
(SYN Flood)
Server
Internet
Email sent to
System
Manager
Firewall automatically
reconfigured to deny all
External access to WEB
Server
44
Secure management
Secure encrypted and authenticated
remote management
Secure Shell SSH

RSA encryption keys 512 - 2048 bits
DES and Triple DES encryption for SSH
sessions
Can limit access to specific user addresses
45
Network configuration examples
46

Allow all access from private network to the
Internet
Deny all access from the Internet to the private
network
Internet
47
Semi-Militarised Zone
All
Private network for
unauthorised
corporate servers
traffic is
and users
blocked
Internet
WEB
Server
SMZ
Mail
Server
Semi Militarised Zone
All other
SMZ
Firewall policy limits incoming
incoming access to traffic
WEB and mail server blocked
from public network
48
Private LAN stays secure
Internet
WEB
Login:hacker
Server
Password:please
OK Then!
SMZ
Mail
Server
Semi-Militarised Zone
49
Demilitarised Zone
Open access
between
private LAN
and DMZ
WEB
Server
Internet
Allow
SMTP,
From here
to there
only
DMZ
Mail
Server
Static filters
between private LAN
and DMZ used to
control access
Demilitarised Zone
50
Concluding Remarks
All that a firewall can do its to control network
activities between OSI levels 2 and 7.

They cannot keep out data carried inside
applications, such as viruses within email messages:
there are just too many way of encoding data to
be able to filter out this kind of threat.
Although Firewalls provide a high level of security
in today's Private Networks to the outside world
we still need the assistance of other related
Security components in order to guarantee proper
network security.
51

Firewalls

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Firewalls

Uploaded by

Copyright:

Available Formats

Lecture 25: Firewalls

Introduce several types of firewalls

Discuss their advantages and

C. Ding -- COMP581 -- L25

software components designed to restrict

C. Ding -- COMP581 -- L25

gateway to your network,

C. Ding -- COMP581 -- L25

What a Firewall does

C. Ding -- COMP581 -- L25

What a Firewall does not do

Dial-out from internal host to an ISP

Protect against internal threats

infected programs or files

C. Ding -- COMP581 -- L25

Firewall - Typical layout

Protected Private Network

C. Ding -- COMP581 -- L25

Watching for attack

Protected Private Network

C. Ding -- COMP581 -- L25

Packet Filtering Firewalls

These technologies operate at different levels of

The Internet protocol stack

PPP, Frame Relay . . .

Drivers, MAC Address

Leased Line, ISDN, xDSL . . .

LAN Interface Card

C. Ding -- COMP581 -- L25

Packet Filtering Firewalls

C. Ding -- COMP581 -- L25

Packet Filtering firewalls

Works at the network level of the OSI

C. Ding -- COMP581 -- L25

Packet Filtering firewalls

C. Ding -- COMP581 -- L25

Packet Filtering firewalls

Packet Filtering Policy Example

C. Ding -- COMP581 -- L25

Packet Filtering Policy Example

C. Ding -- COMP581 -- L25

Web Access Through a Packet

Packet Filtering Firewalls

C. Ding -- COMP581 -- L25

Packet Filtering Firewalls:

low cost, transparent to user

C. Ding -- COMP581 -- L25

Circuit Level Firewalls

C. Ding -- COMP581 -- L25

Circuit Level Firewalls

layer of the OSI model, or the TCP layer

C. Ding -- COMP581 -- L25

Circuit Level Firewalls

C. Ding -- COMP581 -- L25

Application Gateway Firewalls

C. Ding -- COMP581 -- L25

Application Gateway firewalls

are application specific.

C. Ding -- COMP581 -- L25

Application Gateway Firewalls

C. Ding -- COMP581 -- L25

Application Gateway Firewalls

C. Ding -- COMP581 -- L25