Firewall

Internet Firewalls: What it is all about
Concurrency System Lab, EE, National Taiwan University
http://cobra.ee.ntu.edu.tw
R355

36 pages. Uploaded by hemant023 on 22-Oct-2014.

TRANSCRIPT

Page 1: Firewall

Internet Firewalls

What it is all about

Concurrency System Lab, EE, National Taiwan University

http://cobra.ee.ntu.edu.tw

R355

Page 2: Firewall

Outline

• Firewall Design Principles
• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations

Page 3: Firewall

Firewalls

• Protecting a local network from security threats while affording access to the Internet

Page 4: Firewall

Firewall Design Principles

• The firewall is inserted between the private network and the Internet
• Aims:
– Establish a controlled link
– Protect the local network from Internet-based attacks
– Provide a single choke point

Page 5: Firewall

Firewall Characteristics

• Design goals for a firewall
– All traffic (in or out) must pass through the firewall
– Only authorized traffic will be allowed to pass
– The firewall itself is immune to penetration

Page 6: Firewall

Firewall Characteristics

• Four general techniques:
– Service control
  • The type of Internet services that can be accessed
– Direction control
  • Inbound or outbound
– User control
  • Which user is attempting to access the service
– Behavior control
  • e.g., Filter email to eliminate spam

Page 7: Firewall

Components of Firewalls

• Three common components of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
– (Bastion host)

Page 8: Firewall

Components of Firewalls (I)

• Packet-filtering Router

Page 9: Firewall

Packet-filtering Router

• Packet-filtering Router
– Applies a set of rules to each incoming IP packet and then forwards or discards the packet
– Filters packets going in both directions
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
– Two default policies (discard or forward)

Page 10: Firewall

TCP/IP header

Page 11: Firewall

Packet-filtering Router

• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of authentication
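As an added illustration of the rule-list behaviour described on pages 9 and 11 (this is not code from the slides or from any of the tools they name), the filter below applies an ordered rule list to header fields and falls back to a default policy; it also shows why rule ordering is hard to get right and why address checks are the only "authentication" a packet filter has. The Packet and Rule names, the rule set and the 192.0.2.0/24 addresses are assumptions.

```python
# Added example, not from the slides: a packet filter in the style of pages 9-11.
# Constructed addresses: 192.0.2.0/24 is the private net, 192.0.2.10 its mail host.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from inside)
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:                          # an unset (None) field matches anything
    action: str                      # "forward" or "discard"
    direction: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_conn: Optional[bool] = None  # True: only SYNs; False: only non-SYNs

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (self.direction in (None, p.direction) and self.proto in (None, p.proto)
                and in_net(p.src, self.src_net) and in_net(p.dst, self.dst_net)
                and self.dport in (None, p.dport) and self.new_conn in (None, p.syn_only))

def filter_packet(rules, p: Packet, default: str = "discard") -> str:
    """First matching rule wins; otherwise the default policy (here: discard)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

RULES = [
    # 1. Anti-spoofing: Internet packets must not claim an internal source
    #    (address checks are all the authentication a packet filter has).
    Rule("discard", direction="in", src_net="192.0.2.0/24"),
    # 2. The Internet may open TCP connections only to the mail host, port 25.
    Rule("forward", direction="in", dst_net="192.0.2.10/32", proto="tcp", dport=25),
    # 3. Inbound non-SYN segments (replies to connections opened from inside) pass;
    #    the filter cannot tell a genuine reply from a crafted non-SYN segment.
    Rule("forward", direction="in", proto="tcp", new_conn=False),
    # 4. Anything originating in the private network may go out.
    Rule("forward", direction="out", src_net="192.0.2.0/24"),
]
```

Rule 3 is the classic example of the "difficulty of setting up rules" point: it is needed for outbound connections to work, yet it admits any inbound TCP segment that merely lacks the SYN flag.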

Page 12: Firewall

Packet-filtering Router

• Open-source under UNIX:
– IP firewall
– IPFilter
– IPchain

Page 13: Firewall

Components of Firewalls (II)

• Application-level Gateway

Page 14: Firewall

Application-level Gateway

• Application-level Gateway
– Also called proxy server
– Acts as a relay of application-level traffic

Page 15: Firewall

Application-level Gateway

• Advantages:
– Higher security than packet filters
– Only need to check a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)

Page 16: Firewall

Application-level Gateway

• Open-source under UNIX:
– squid (WWW)
– delegate (general purpose)
– osrtspproxy (RTSP)
– smtpproxy (SMTP)
– …

Page 17: Firewall

Components of Firewalls (III)

• Circuit-level Gateway

Page 18: Firewall

Circuit-level Gateway

• Similar to Application-level Gateway
• However
– It typically relays TCP segments from one connection to the other without examining the contents
– Determines only which connections will be allowed
– Typical usage is a situation in which the system administrator trusts the internal users

Page 19: Firewall

In other words

• Korean customs
– Circuit-level gateway only checks your nationality
– Application-level gateway checks your baggage content in addition to your nationality
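To make the customs analogy concrete, here is an added example (not from the slides, and not the code of squid, SOCKS or dante) that contrasts the two decisions from pages 14, 15, 18 and 19: the circuit-level check uses only the connection endpoints, while the application-level check also parses the relayed HTTP request and logs what it saw. TRUSTED_NETS, ALLOWED_PORTS, the function names and the sample requests are constructed assumptions.

```python
# Added example, not from the slides: the contrast on pages 14-19 in code.
# The circuit-level check decides from connection endpoints alone; the
# application-level check additionally parses the relayed request and logs it.
# TRUSTED_NETS, ALLOWED_PORTS and the sample requests are constructed.
import ipaddress

TRUSTED_NETS = ["192.0.2.0/24"]   # internal users the administrator trusts
ALLOWED_PORTS = {80, 443}         # destination ports users may connect to

def circuit_level_decision(client_ip: str, dest_port: int) -> bool:
    """'Checks your nationality': who connects, and to which port. Never
    looks at the bytes that will be relayed."""
    client = ipaddress.ip_address(client_ip)
    trusted = any(client in ipaddress.ip_network(n) for n in TRUSTED_NETS)
    return trusted and dest_port in ALLOWED_PORTS

def application_level_decision(client_ip: str, dest_port: int,
                               payload: bytes, log: list) -> bool:
    """'Checks your baggage too': endpoint check, then the HTTP request itself."""
    if not circuit_level_decision(client_ip, dest_port):
        log.append(f"deny {client_ip} -> :{dest_port} endpoint not allowed")
        return False
    try:
        head = payload.partition(b"\r\n\r\n")[0].decode("ascii")
        request_line, *header_lines = head.split("\r\n")
        method, target, version = request_line.split(" ")
        headers = dict(h.split(":", 1) for h in header_lines if h)
        host = headers.get("Host", "").strip()
    except (UnicodeDecodeError, ValueError):
        log.append(f"deny {client_ip} -> :{dest_port} payload is not HTTP")
        return False
    # Only a few allowable application behaviours are accepted (page 15).
    ok = method in ("GET", "HEAD") and version in ("HTTP/1.0", "HTTP/1.1") and bool(host)
    log.append(f"{'allow' if ok else 'deny'} {client_ip} {method} {host}{target}")
    return ok

# Constructed sample traffic, all to port 80 from a trusted client.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_POST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\nfield=1"
NOT_HTTP = b"SSH-2.0-constructed\r\n"   # an SSH banner tunnelled over port 80
```

The SSH banner sample is the point of the analogy: a circuit-level gateway relays it because the client and port are acceptable, whereas the application-level gateway refuses it because the content is not the protocol the port is allowed for.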

Page 20: Firewall

Components of Firewalls

• Open-source under UNIX
– SOCKS
– dante

Page 21: Firewall

Components of Firewalls (II) ∪ (III)

• Bastion Host
– serves as
  • application-level gateway
  • circuit-level gateway
  • both

Page 22: Firewall

Firewall Configurations

• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations

Page 23: Firewall

Configurations (I)

• Screened host firewall system (single-homed bastion host)

Page 24: Firewall

Configurations (I)

• Consists of two systems:
– A packet-filtering router & a bastion host
  • Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions

Page 25: Firewall

More secure

• More secure than each single component because:
– offers both packet-level and application-level filtering

Page 26: Firewall

Firewall Configurations

• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Page 27: Firewall

Configurations (II)

• Screened host firewall system (dual-homed bastion host)

Page 28: Firewall

Configurations (II)

• Consists of two systems just as config (I) does.

• However, the bastion host separates the network into two subnets.

Page 29: Firewall

Even more secure

• An intruder must generally penetrate two separate systems

Page 30: Firewall

Configurations (III)

• Screened-subnet firewall system

Page 31: Firewall

Configurations (III)

• Three-level defense
– Most secure
– Two packet-filtering routers are used
– Creates an isolated sub-network
• Private network is invisible to the Internet
• Computers inside the private network cannot construct direct routes to the Internet

Page 32: Firewall

Demo

Page 33: Firewall

Conclusion

Page 34: Firewall

Capabilities of firewall

• Defines a single choke point at which security features are applied
– Security management is simplified
• Provides a location for monitoring, audits and alarms
• A convenient platform for several non-security-related Internet functions
– e.g., NAT, network management
• Can serve as the platform for IPSec
– Implement VPN with tunnel mode capability

Page 35: Firewall

What firewalls cannot protect against

• Attacks that bypass the firewall
– e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
– e.g., disgruntled employee or employee who cooperates with external attackers
• The transfer of virus-infected programs or files

Page 36: Firewall

Recommended Reading

• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995

• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000

• Gasser, M. Building a Secure Computer System. Reinhold, 1988

• Pfleeger, C. Security in Computing. Prentice Hall, 1997