12. Firewalls Content

Academic year: 2021


Security in Communication Networks WS‘00/01 (1 / 17)

Content

12.1 Definition
12.2 Packet Filtering & Proxy Servers
12.3 Architectures - Dual-Homed Host Firewall
12.4 Architectures - Screened Host Firewall
12.5 Architectures - Screened Subnet Firewall
12.6 Examples

12.1 Definition

Def.: A firewall is any security system protecting the boundary of an internal network.

A bastion host is a computer system with strong security as it is exposed to the outside world.

Tasks of a firewall:

• access control based on sender or receiver address
• access control based on services requested
• hiding the internal network, e.g. topology, addresses, etc.
• virus checking on incoming files
• authentication based on the source of traffic
• logging of Internet activities

Two fundamental mechanisms used by firewalls are
1. Packet filtering


12.2 Packet Filtering & Proxy Servers

(Figure: an end system, an intermediate system (internetworking device) and a second end system; the application processes run on the two end systems, and the three firewall component positions are marked (1), (2) and (3).)

Placement of firewall components:

(1) packet filter (network layer)
(2) circuit-level proxy (transport layer)
(3) application-level proxy (application layer)


12.2 Packet Filtering & Proxy Servers

Packet Filtering

Packet filtering can be based on the following information:

• source address
• destination address
• protocol
• connection (stateful inspection)

A packet filter behaves like a simple bridge. If it also provides routing functionality it is called a screening router.

Proxy Server

• controlled invocation
• intercepts the client’s request and decides whether it is permitted according to its security rules
• if so, the request is passed on to the real service
• proxy server is the only entity seen by the outside world
• appears transparent to the internal users
• can apply protocol-specific access rules, perform access control based on user identities and on packet contents
• proxy server needed for each service to


12.2.1 Proxy Servers

Application Level Proxy

• works at the application layer
• application gateway is the only system reachable from the outside
• application gateway provides a proxy for each service to be used (e.g. SMTP, FTP, HTTP)
• dual-homed, i.e. complete control over packets transmitted between the internal and external network
• user has to authenticate himself to the gateway before using the service
• gateway is the communication partner of the source, not the real destination

Circuit Level Proxy

• works at the transport layer

• service, for which no application level proxy is available, can use circuit level proxies for communication via application gateway

• generic proxy which can be used with several services

• relationship is n:1, i.e. the proxy allows several clients to communicate with one server on the other side, as the communication is addressed via the port number of the port relay


12.2.2 Communication via Application Level Proxy


12.2.3 SOCKS

SOCKS

• standardised environment for the transparent and secure use of firewalls
• intercepts TCP and UDP connection requests and transforms them into the SOCKS format
• communication via SOCKS is restricted to the communication between SOCKS client and SOCKS server (tunnel)
• tunnel defines a security association and provides authentication, confidentiality and integrity
• combines possibilities of circuit level and application level proxies
• SOCKS requires modifications of the client

(Figure: protocol stack of a SOCKS client: Application Layer, SOCKS Layer, Transport Layer, Network Layer, Link Layer)


12.2.4 Pros and Cons

Packet Filtering

+ simplicity
+ low cost
– correctly specifying packet filters is a difficult and error-prone process
– reordering packet filter rules makes correctly specifying rules even more difficult

Proxy Servers

+ user authentication
+ application protocol control
+ logging
+ accounting
– proxy needed for each application protocol


12.3 Architectures - Dual-Homed Host Firewall

Dual-Homed Host Firewall

• machine with two network interfaces

• routes packets and processes them according to its security rules
• “all-in-one” firewall as it can provide packet filtering and proxy servers
• clients on the internal network can access services on the Internet either by using a proxy server in the firewall or by logging on to the firewall directly

(Figure: internal network, dual-homed host, Internet)


12.4 Architectures - Screened Host Firewall

Screened Host Firewall

• consists of a screening router and a bastion host on the internal network
• screening router performs packet filtering and provides the interface to the Internet
• screening router sends all permitted incoming traffic to the bastion host, where a further access control decision can be made before packets are forwarded
• screening router accepts internal packets only from the bastion host

(Figure: internal network, screening router, Internet)


12.5 Architectures - Screened Subnet Firewall

Screened Subnet Firewall

• combines traits of the previous two approaches

• a peripheral network, called demilitarised zone (DMZ), is placed between the internal network and the Internet

• screening router between the Internet and the peripheral network

• dual-homed host firewall between the peripheral and the internal network applies more complex policies governing the internal users

• peripheral network is a suitable location for non-sensitive hosts accessible to the outside world (e.g. web server)


12.5 Architectures - Screened Subnet Firewall (cont.)


12.6.1 Example: IP Access List

Criteria:

• allow all incoming TCP traffic if the session was initiated within the internal corporate network
• allow FTP control and FTP data traffic to the FTP server with the address 144.254.1.4
• allow HTTP traffic to the Web server with the address 144.254.1.3
• deny all other traffic from entering the corporate network
• log all access list violations


12.6.1 Example: IP Access List

access-list 101 permit tcp any any established
access-list 101 permit tcp any host 144.254.1.4 eq ftp
access-list 101 permit tcp any host 144.254.1.4 eq ftp-data
access-list 101 permit tcp any host 144.254.1.3 eq www
access-list 101 deny ip any any log
!
interface Serial0/0
 description to the Internet


12.6.1 Example: Packet Filter Flowchart

(Flowchart: Receive Packet → Parse Protocol Headers → Apply Next Filter Rule → "Ok to forward?" (Yes: Forward Packet; No: continue) → "Need to block?" (Yes: Block Packet; No: continue) → "Last Filter Rule?" (No: back to Apply Next Filter Rule; Yes: end of rule set, default deny))
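The flowchart above and access-list 101 describe the same first-match procedure: rules are tried in order, the first matching rule forwards or blocks the packet, and a packet that reaches the end of the list is denied. The following is an added example, not from the slides: a small packet filter that transcribes access-list 101 into rule objects and runs it over constructed sample packets. The `established` keyword is modelled as IOS defines it, matching TCP segments with the ACK or RST bit set; the packet and rule classes, the sample addresses (203.0.113.0/24 is a documentation range) and the log format are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip matches every protocol)
    src: str                        # "any" or a host address
    dst: str                        # "any" or a host address
    dport: Optional[int] = None     # "eq <port>" in the access list
    established: bool = False       # IOS "established": ACK or RST bit set
    log: bool = False


def _addr_matches(pattern, addr):
    return pattern == "any" or pattern == addr


def rule_matches(rule, pkt):
    """Parse-and-compare step of the flowchart for one rule."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def filter_packet(rules, pkt, log):
    """Apply rules in order; the first match decides. No match: implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.action} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action == "permit"
    return False  # end of the rule set: block the packet


# Transcription of access-list 101 from the slide (ftp=21, ftp-data=20, www=80)
ACL_101 = [
    Rule("permit", "tcp", "any", "any", established=True),
    Rule("permit", "tcp", "any", "144.254.1.4", dport=21),
    Rule("permit", "tcp", "any", "144.254.1.4", dport=20),
    Rule("permit", "tcp", "any", "144.254.1.3", dport=80),
    Rule("deny", "ip", "any", "any", log=True),
]

# Constructed sample traffic arriving on the Internet-facing interface
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", "144.254.1.3", 80, frozenset({"SYN"})),   # new HTTP session
    Packet("tcp", "203.0.113.5", "144.254.1.3", 23, frozenset({"SYN"})),   # telnet: not listed
    Packet("tcp", "203.0.113.5", "144.254.1.9", 443, frozenset({"ACK"})),  # reply in an open session
    Packet("udp", "203.0.113.5", "144.254.1.3", 53),                        # DNS: not tcp
    Packet("tcp", "203.0.113.5", "144.254.1.4", 20, frozenset({"SYN"})),   # ftp-data
]


def evaluate(rules, packets):
    """Return (list of forward decisions, list of log lines) for a rule set."""
    log = []
    decisions = [filter_packet(rules, p, log) for p in packets]
    return decisions, log


if __name__ == "__main__":
    decisions, log = evaluate(ACL_101, SAMPLE_PACKETS)
    for pkt, ok in zip(SAMPLE_PACKETS, decisions):
        print("forward" if ok else "block  ", pkt.proto, pkt.dst, pkt.dport, set(pkt.flags))
    print("\n".join(log))
```

Two points from section 12.2.4 show up directly: moving the `deny ip any any` line to the top of the list silently blocks everything that follows it (rule order is part of the policy), and the `established` rule decides only on flag bits in the single packet it sees, so any segment carrying ACK is accepted regardless of whether a session exists; that is the limitation stateful inspection (section 12.2) addresses by tracking the connection itself.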


12.6.2 Example: Protection against SYN Flooding

(Figure, left: TCP connection establishment, with the messages SYN, then SYN, ACK, then ACK. Figure, right: SYN Flooding.)


12.6.2 Example: Protection against SYN Flooding (cont.)

(Figure: message exchange between External Host, Firewall and Internal Host)
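The slides show only the message diagram for the firewall sitting between the external and the internal host. The following added example, not from the slides, models one way such a firewall can protect the internal host: it records every handshake that has passed the firewall but not yet received its final ACK, removes the record when the ACK arrives, ages out records that stay half-open past a timeout, and stops forwarding new SYNs from an external source that already has too many unfinished handshakes. The limit, the timeout, the segment class and the addresses (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) are assumptions of this example, not values given on the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


class HalfOpenTable:
    """Firewall-side record of handshakes that have not yet reached the final ACK."""

    def __init__(self, max_per_source=3, timeout=5.0):
        self.max_per_source = max_per_source  # unfinished handshakes tolerated per external source
        self.timeout = timeout                # seconds before a stale SYN entry is aged out
        self.pending = {}                     # (src, sport, dst, dport) -> time the SYN was seen

    def _expire(self, now):
        stale = [k for k, seen in self.pending.items() if now - seen > self.timeout]
        for k in stale:
            del self.pending[k]

    def _half_open_from(self, src):
        return sum(1 for k in self.pending if k[0] == src)

    def on_segment(self, seg, now):
        """Decide 'forward' or 'drop' for a segment arriving from the external side."""
        self._expire(now)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == {"SYN"}:
            if self._half_open_from(seg.src) >= self.max_per_source:
                return "drop"        # this source already has too many unfinished handshakes
            self.pending[key] = now  # SYN goes to the internal host; it answers with SYN, ACK
            return "forward"
        if "ACK" in seg.flags and key in self.pending:
            del self.pending[key]    # third message of the handshake: connection established
        return "forward"             # other segments are left to the ordinary filter rules


def simulate(table, events):
    """events: list of (time, Segment) from the external side; returns one decision each."""
    return [table.on_segment(seg, t) for t, seg in events]


def demo():
    """Constructed scenario: one normal handshake, then a burst of SYNs that never complete."""
    table = HalfOpenTable(max_per_source=3, timeout=5.0)
    internal = "144.254.1.3"
    events = [
        (0.0, Segment("198.51.100.7", 1000, internal, 80, frozenset({"SYN"}))),
        (0.1, Segment("198.51.100.7", 1000, internal, 80, frozenset({"ACK"}))),
    ]
    # five SYNs from one source within the same second, none followed by an ACK
    events += [(1.0, Segment("203.0.113.9", 2000 + i, internal, 80, frozenset({"SYN"})))
               for i in range(5)]
    # after the timeout the stale entries are aged out and the source is accepted again
    events.append((10.0, Segment("203.0.113.9", 3000, internal, 80, frozenset({"SYN"}))))
    return simulate(table, events), len(table.pending)


if __name__ == "__main__":
    decisions, remaining = demo()
    print(decisions)
    print("half-open entries left:", remaining)
```

The internal host only ever sees SYNs the firewall chose to forward, so its own connection queue fills no faster than the firewall's per-source limit allows; the timeout keeps the firewall's table itself from becoming the resource that is exhausted.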
