Lect 15B Firewall

Academic year: 2020


Secure Communication System Design

Nazar Abbas Saqib

[email protected]

Lecture 3B -- Firewall

Firewalls


Agenda

Bastion Host

Firewall Configurations


Firewall Architectures

In practical implementations, a firewall is a combination of two components:

1. Packet filter router

2. Application gateway (Bastion host)

Based on this, three possible configurations can be made, as shown in the figure.


Bastion Host

An application gateway is also called a Bastion Host. A bastion host is usually a critical point in the security of the network. Common characteristics of a bastion host include the following:

1) It runs a secure version of its operating system, making it a trusted system.

2) Only the services that the network administrator considers essential are installed on the bastion host; these include proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication.

3) The bastion host may require additional authentication before a user is allowed access to the proxy services. In addition, each proxy service may require its own authentication before granting user access.

4) Each proxy is configured to support only a subset of the standard application's command set.

5) Each proxy is configured to allow access only to specific host systems. This means that the limited command/feature set may be applied only to a subset of systems on the protected network.

6) Each proxy maintains detailed audit information by logging all traffic, each
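The following is an added example, not part of the lecture, showing how characteristics 2, 4, 5 and 6 above combine into a single decision point on a bastion host: a proxy accepts only a subset of each protocol's commands, forwards only to specific hosts, and writes an audit record for every request whether it is allowed or denied. The service names, command subsets, destination addresses and the sample session are all constructed assumptions.

```python
# Added example (not from the lecture): a toy bastion-host proxy policy that
# applies characteristics 2, 4, 5 and 6 above. The service names, command
# subsets, destination addresses and session below are constructed
# assumptions for the example, not a real deployment.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Characteristic 2: only a few essential proxy services exist at all.
# Characteristic 4: each proxy accepts only a subset of the standard command set.
ALLOWED_COMMANDS: Dict[str, Set[str]] = {
    "ftp": {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "QUIT"},  # read-only: no STOR/DELE
    "smtp": {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"},       # no VRFY/EXPN probing
}

# Characteristic 5: each proxy may reach only specific protected hosts.
ALLOWED_HOSTS: Dict[str, Set[str]] = {
    "ftp": {"10.10.11.20"},   # assumed public FTP server
    "smtp": {"10.10.11.25"},  # assumed mail relay
}


@dataclass
class BastionProxy:
    """Minimal decision point of an application-level gateway."""
    audit_log: List[str] = field(default_factory=list)  # characteristic 6: log everything

    def decide(self, client: str, service: str, dest_host: str, command_line: str) -> Tuple[bool, str]:
        verb = command_line.split()[0].upper() if command_line.split() else ""
        if service not in ALLOWED_COMMANDS:
            verdict, reason = False, f"service {service!r} is not proxied on this host"
        elif dest_host not in ALLOWED_HOSTS[service]:
            verdict, reason = False, f"{dest_host} is not a permitted {service} target"
        elif verb not in ALLOWED_COMMANDS[service]:
            verdict, reason = False, f"command {verb!r} is outside the {service} proxy's subset"
        else:
            verdict, reason = True, "allowed"
        # Every request is recorded, including the denied ones.
        self.audit_log.append(
            f"client={client} service={service} dest={dest_host} "
            f"cmd={verb or '-'} verdict={'ALLOW' if verdict else 'DENY'} ({reason})"
        )
        return verdict, reason


def demo_session() -> List[bool]:
    """Run a constructed session through the proxy and return the verdicts in order."""
    proxy = BastionProxy()
    session = [
        ("203.0.113.7", "ftp", "10.10.11.20", "USER anonymous"),   # allowed
        ("203.0.113.7", "ftp", "10.10.11.20", "RETR README"),      # allowed
        ("203.0.113.7", "ftp", "10.10.11.20", "STOR upload.bin"),  # denied: outside command subset
        ("203.0.113.7", "ftp", "10.10.10.5", "LIST"),              # denied: not a permitted host
        ("203.0.113.7", "smtp", "10.10.11.25", "VRFY root"),       # denied: outside command subset
        ("203.0.113.7", "tftp", "10.10.11.20", "RRQ config"),      # denied: service not proxied
    ]
    verdicts = [proxy.decide(*step)[0] for step in session]
    for line in proxy.audit_log:
        print(line)
    return verdicts


if __name__ == "__main__":
    demo_session()
```

Note that the proxy is checked in the order of the characteristics: a request that is not even for an installed service is refused before any host or command lookup, and the audit log still records it.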


Screened host firewall, single-homed bastion

In the screened host firewall, single-homed bastion configuration (Figure), the firewall consists of two systems: a packet-filtering router and a bastion host. Typically, the router is configured so that:

Role of the packet-filtering router

1. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.

2. For traffic from the internal network, only IP packets from the bastion host are allowed out.
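As an added example (not from the lecture), the two router rules above expressed as a stateless, first-match packet filter with a default deny. The bastion host address, the internal network prefix and the sample packets are constructed assumptions; the anti-spoofing check on the outside interface is an addition beyond the lecture's two rules, included because rule 2 relies on the source address being genuine.

```python
# Added example (not from the lecture): a stateless packet filter holding
# the two rules above for the screened host, single-homed bastion
# configuration, plus one anti-spoofing check. The bastion address, the
# internal network prefix and the sample packets are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

BASTION = ipaddress.ip_address("10.10.10.1")          # assumed bastion host
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # "outside": arrived from the Internet; "inside": from the internal network


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation of the router's rules with a default deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.ingress == "outside":
        # Added check (not one of the lecture's two rules): a packet arriving
        # from the Internet must not claim an internal source address.
        if src in INTERNAL_NET:
            return "DENY", "spoofed internal source address on the outside interface"
        # Rule 1: from the Internet, only packets destined for the bastion host come in.
        if dst == BASTION:
            return "ALLOW", "rule 1: inbound to bastion host"
        return "DENY", "rule 1: inbound traffic may only reach the bastion host"
    if pkt.ingress == "inside":
        # Rule 2: from the internal network, only packets from the bastion host go out.
        if src == BASTION:
            return "ALLOW", "rule 2: outbound from bastion host"
        return "DENY", "rule 2: outbound traffic may only come from the bastion host"
    return "DENY", "unknown interface (default deny)"


def run_samples() -> List[str]:
    """Evaluate constructed packets and return the actions in order."""
    samples = [
        Packet("203.0.113.7", "10.10.10.1", "outside"),   # Internet -> bastion: ALLOW
        Packet("203.0.113.7", "10.10.10.50", "outside"),  # Internet -> internal host: DENY
        Packet("10.10.10.1", "203.0.113.7", "inside"),    # bastion -> Internet: ALLOW
        Packet("10.10.10.50", "203.0.113.7", "inside"),   # internal host -> Internet: DENY
        Packet("10.10.10.50", "10.10.10.1", "outside"),   # spoofed internal source: DENY
    ]
    results = []
    for pkt in samples:
        action, why = filter_packet(pkt)
        print(f"{pkt.ingress:>7} {pkt.src:>14} -> {pkt.dst:<14} {action:5} {why}")
        results.append(action)
    return results


if __name__ == "__main__":
    run_samples()
```

The filter only ever sees addresses, which is exactly why the bastion host is needed behind it: everything that is allowed in still has to pass the bastion's application-level proxies.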

Role of the bastion host


Screened host firewall, single-homed bastion

Advantages:

1. Security at both the application and the packet level – more flexibility in defining the security policy.

2. An intruder has to compromise two separate systems from outside.

3. Direct Internet access to an information server (IS), such as a web server on your internal network, can be configured.

Disadvantages:

1. The internal corporate users are linked with the application gateway as well as the packet filter router (at the front). If the packet filter router is compromised, the whole corporate network is exposed to the intruder.


Screened host firewall, Dual-homed bastion

This configuration overcomes the drawbacks of the screened host firewall, single-homed bastion.

The direct connection between the internal hosts and the packet filter router is avoided. Instead, the internal hosts connect only to the application gateway (dual-homed, i.e. with two network interfaces), which establishes a separate connection with the internal hosts.


Screened subnet firewall (Triple-Homed Firewall)

1. In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network.

2. The screened subnet firewall configuration (Figure) is more secure than the previous two firewall configurations.

3. With this configuration, the DMZ's services are isolated from the public network.


Demilitarized Zone Networks

In computer security, a demilitarized zone, named after the military usage of the term and normally abbreviated to DMZ (also known as a Data Management Zone, demarcation zone or perimeter network), is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network, usually the Internet.

A DMZ is required when an organization has servers (FTP, HTTP, HTTPS) that it needs to make available to the outside world.

A single firewall can provide a DMZ, but only with at least 3 interfaces.

Access to any service on the DMZ is restricted. If the web server is the only


The default gateway for the DMZ computers would be 10.10.11.254 and the default gateway for the Local computers would be 10.10.10.254.
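As an added example (not from the lecture), the zone policy a triple-homed firewall enforces between its three interfaces, using the two gateway addresses above to place the DMZ and Local networks. The /24 prefixes, the web server address, the ports it publishes and the sample flows are assumptions constructed for the example. The point it shows is the one the screened subnet section makes: the Internet reaches only the published DMZ services, and nothing in the DMZ can initiate a connection into the private network.

```python
# Added example (not from the lecture): zone-pair policy of a triple-homed
# (screened subnet) firewall. The two gateway addresses 10.10.11.254 (DMZ)
# and 10.10.10.254 (Local) come from the lecture; the /24 prefixes, the web
# server address, the exposed ports and the sample flows are assumptions.
import ipaddress
from typing import Dict, List, Optional, Tuple

DMZ_NET = ipaddress.ip_network("10.10.11.0/24")    # assumed; gateway 10.10.11.254
LOCAL_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed; gateway 10.10.10.254
WEB_SERVER = "10.10.11.80"                         # assumed DMZ web server

# Only published DMZ services are reachable from the Internet.
EXPOSED: Dict[Tuple[str, int], str] = {
    (WEB_SERVER, 80): "http",
    (WEB_SERVER, 443): "https",
}

# Zone-pair policy; any pair not listed is denied (default deny).
POLICY: Dict[Tuple[str, str], str] = {
    ("internet", "dmz"): "exposed-only",  # Internet reaches only published services
    ("local", "dmz"): "allow",            # internal users/admins reach DMZ hosts
    ("local", "internet"): "allow",       # outbound from the private network
    ("dmz", "internet"): "allow",         # e.g. the web server fetching updates
    # ("dmz", "local") is absent: a compromised DMZ host must not reach the private network
    # ("internet", "local") is absent: private hosts are never directly reachable
}


def zone_of(addr: str) -> str:
    """Classify an address by the firewall interface it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in LOCAL_NET:
        return "local"
    return "internet"


def decide(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Apply the zone-pair policy to one flow (source, destination, destination port)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "ALLOW", f"intra-zone {src_zone} traffic does not cross the firewall"
    action = POLICY.get((src_zone, dst_zone))
    if action == "allow":
        return "ALLOW", f"{src_zone} -> {dst_zone} permitted by policy"
    if action == "exposed-only":
        svc: Optional[str] = EXPOSED.get((dst, dport))
        if svc is not None:
            return "ALLOW", f"internet -> dmz published service {svc}"
        return "DENY", f"{dst}:{dport} is not a published DMZ service"
    return "DENY", f"{src_zone} -> {dst_zone} is not permitted (default deny)"


def run_flows() -> List[str]:
    """Evaluate constructed flows and return the actions in order."""
    flows = [
        ("198.51.100.9", WEB_SERVER, 443),   # Internet -> DMZ web: ALLOW
        ("198.51.100.9", WEB_SERVER, 22),    # Internet -> DMZ ssh: DENY
        ("198.51.100.9", "10.10.10.5", 80),  # Internet -> Local: DENY
        (WEB_SERVER, "10.10.10.5", 445),     # DMZ -> Local: DENY
        ("10.10.10.5", WEB_SERVER, 22),      # Local -> DMZ: ALLOW
        (WEB_SERVER, "198.51.100.9", 443),   # DMZ -> Internet: ALLOW
    ]
    results = []
    for src, dst, dport in flows:
        action, why = decide(src, dst, dport)
        print(f"{src:>14} -> {dst:<14}:{dport:<5} {action:5} {why}")
        results.append(action)
    return results


if __name__ == "__main__":
    run_flows()
```

The policy is written as an allow-list of zone pairs so that forgetting a pair fails closed; the two commented-out pairs are the ones that make the DMZ worth having.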


Demilitarized Zone Networks Services

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:


Host based firewalls:

Host-based firewalls, popularly known as personal firewalls, are devices or programs intended to protect a single computer.

Examples of this type of firewall are ZoneAlarm, Norton Personal Firewall, and the Internet Connection Firewall (ICF) built into Windows XP.

Personal firewalls are generally software based and cost less than $100.

Network based firewalls

A network-based firewall normally protects the entire network of computers behind the firewall.

There are several firewall vendors, including Checkpoint, Cisco, Microsoft, and Symantec. A firewall may be implemented using software or hardware.

The selection of a firewall depends primarily on functionality, speed, and cost.


Limitations of Firewall

Insider's Intrusion: the firewall is designed to protect from outside attackers; an attack generated by inside intruders is therefore not defended against.

Virus Attacks: A firewall cannot protect the internal network from viruses or other attacks through malicious software, as it does not scan incoming packets for any possible threat. Separate scanning tools are required for this purpose.

Direct Internet Traffic: A firewall is effective if this is a single point of
