Scribd Logo
Upload

Welcome to Scribd!

  • Firewall Design Principles

    Uploaded by

    miphy
    940 views19 pages
    The design principles of firewall

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The design principles of firewall

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    940 views19 pages

    Firewall Design Principles

    Uploaded by

    miphy
    The design principles of firewall

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 19

    FIREWALL DESIGN PRINCIPLES

    Stateful Inspection Firewall


    A stateful inspection packet filter tightens up the rules for
    TCP traffic by creating a directory of outbound TCP
    connections
    It will allow incoming traffic to high-numbered ports only
    for those packets that fit the profile of one of the entries
    in the directory.
    Hence they are better able to detect bogus packets sent
    out of context.

    It reviews the same packet information as a packet filtering


    firewall & also records information about TCP connections.
    Some stateful firewalls also keep track of TCP sequence
    numbers to prevent attacks that depend on the sequence
    number, such as session hijacking.
    Some even inspect limited amounts of application data for
    some well-known protocols like FTP, IM and SIPS commands,
    in order to identify and track related connections.

    Application Level Gateway


    An application-level gateway acts as a relay of applicationlevel traffic
    Also known as a proxy server
    has full access to protocol
    user requests service from proxy
    proxy validates request as legal
    Then actions request and returns result to user
    If the gateway does not implement the proxy code for a
    specific application, then it is not supported and cannot be
    used.
    Also, the gateway can be configured to support only specific
    features of an application

    Advantages:
    Higher security than packet filters
    Only need to scrutinize a few allowable applications
    Easy to log and audit all incoming traffic
    Disadvantages:
    Additional processing overhead on each connection
    (gateway as splice point) gateway must examine & forward
    all traffic in both direction

    Circuit Level Gateway


    Can be stand-alone system or hosted
    Specialized function performed by an Application-level
    Gateway
    does not permit end-to-end TCP connection
    sets up two TCP connection one on either side
    The gateway typically relays TCP segments from one
    connection to the other without examining the contents
    Typically use is a situation in which the system administrator
    trusts the internal users

    Bastion Host
    Common characteristics of a bastion host
    executes a secure version of its O/S, making it a trusted
    system
    has only essential services installed on the bastion host
    may require additional authentication before a user may
    access to proxy services
    configured to use only subset of standard commands,
    access only specific hosts
    maintains detailed audit information by logging all traffic

    each proxy module a very small software package designed


    for network security
    has each proxy independent of other proxies on the bastion
    host
    have a proxy performs no disk access other than read its
    initial configuration file
    have each proxy run as a non-privileged user in a private
    and secured directory

    Firewall Configurations
    Three common firewall configurations
    Screened host firewall, single-homed bastion
    Screened host firewall, dual-homed bastion
    Screened subnet firewall

    Screened host firewall, single-homed bastion

    Firewall consists of two systems:

    A packet-filtering router
    A bastion host
    Only packets from and to the bastion host are allowed to pass through the router.

    -From Internet, only IP packets destined for the bastion host are allowed.
    -From internal network, only IP packets from bastion host are allowed out.

    Greater security than single configurations because of two reasons:

    This configuration implements both packet-level and application-level filtering.


    An intruder must generally penetrate two separate systems.

    The router can allow direct traffic between the Internet and the information server.

    Screened host firewall, dual-homed bastion

    Traffic between the Internet and other hosts on the private network has to flow through the bastion
    host.

    If the packet-filtering router is completely compromised, traffic will not flow freely between Internet
    and protected network.

    Information server can be allowed direct communication with the router.

    Screened subnet firewall

    Most secure configuration of the three.

    Two packet-filtering routers are used.

    Creation of an isolated sub-network(consist of the bastion host, one or more information servers &
    modems).

    17

    Advantages:

    Three levels of defense against intruders.


    The outside router advertises only the existence of the screened subnet to the Internet (internal
    network is invisible to the Internet)

    Inside router advertises only the existence of the screened subnet to the internal network.
    An inside host can not construct direct route to the Internet.

    18

    THANK YOU

    You might also like