Preetha/ME-CSE/I

Firewall & its configurations


Page 1: Firewall & its configurations


Page 2: Firewall & its configurations

Firewall: Introduction to the past

• The idea came from the construction industry in the 19th century.
  – Structures of metal sheets in houses, flights etc. were the first physical firewalls.
  – The metal sheets protected against fire.

• In the 1980s:
  – Usage of the Internet was growing rapidly.
  – Businesses established and implemented networks.

• Difficulties faced:
  – Huge network data traffic.
  – Allocating the different networks.

• Solutions:
  – The firewall procedure was implemented in routers.
  – Networks were controlled.


Page 3: Firewall & its configurations

Firewall: People who made it important.

– Clifford Stoll, a US astronomer and computer expert, discovered German spies accessing his system. After this incident the US started to implement firewall security in government networks.

– Bill Cheswick, the author of the famous security book “Firewalls and Internet Security”, set up a simple electronic jail to observe an attacker. He devoted himself to the subject and had a huge impact on awareness of firewalls and of Internet and network security.

– Robert Tappan Morris created the Morris Worm, the virus that awakened all the network administrators and made them think about the importance of firewalls. The network administrators weren’t expecting anything like this. The worm spread across networks around the world; 10% of the Internet was infected.


Page 4: Firewall & its configurations

FIREWALL

• A firewall is a system designed to prevent unauthorized access to or from a network.

• Firewalls can be implemented in hardware, in software, or in a combination of both.

• Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet.


Page 5: Firewall & its configurations

Design goals

• All traffic from inside to outside, and vice versa, must pass through the firewall.

• Only authorized traffic (as defined by the local security policy) will be allowed to pass.

• The firewall itself is immune to penetration.


Page 6: Firewall & its configurations

Four general techniques

• Service control
  – Determines the types of Internet services that can be accessed, inbound or outbound.

• Direction control
  – Determines the direction in which particular service requests are allowed to flow through the firewall.

• User control
  – Controls access to a service according to which user is attempting to access it.

• Behavior control
  – Controls how particular services are used (e.g. filtering e-mail).


Page 7: Firewall & its configurations

Capabilities of firewall

• Acts as a single choke point that keeps unauthorized users out of the protected network.

• Provides a location for monitoring security-related events.

• Can serve as the platform for IPSec.


Page 8: Firewall & its configurations

Types of Firewall

• Types of Firewall:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways


Page 9: Firewall & its configurations

Packet-filtering router

• Simplest, fastest firewall component.

• Examines each IP packet in isolation (no context) and permits or denies it according to rules.

• The router is typically configured to filter packets going in both directions.

• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.

• If there is no match, the default action is taken (discard or forward).


Page 10: Firewall & its configurations

Packet-Filtering router


Page 11: Firewall & its configurations

• Advantages:
  – Simplicity
  – Transparency to users
  – High speed

• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Does not support advanced user authentication schemes.
  – Generally vulnerable to attacks.


Page 12: Firewall & its configurations

Cont..

• Possible attacks
  – IP address spoofing: the creation of Internet Protocol (IP) packets with a forged source IP address.
  – Source routing attacks: an attacker could use source routing to direct packets so that they bypass existing security restrictions.
  – Tiny fragment attacks: the attacker uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment.
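A small model of the rule list described on the packet-filtering slide, written here as an added example rather than code from these slides: rules match IP/TCP header fields, the first match decides, and a deny default handles packets that no rule matches. The addresses, the private network and the mail server are constructed; the first rule discards inbound packets that carry an internal source address, the usual router-side check against the spoofing attack listed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Packet:  # constructed sample packet: just the header fields a filter looks at
    direction: str   # "in" = arriving from the Internet, "out" = leaving the private network
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None    # None in any field below means "match anything"
    src: Optional[Net] = None
    dst: Optional[Net] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules, p: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first matching rule decides; with no match the
    router's default action applies (discard is the safer default)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

INTERNAL = Net("192.0.2.0/24")   # constructed private network
MAIL = Net("192.0.2.25/32")      # constructed mail server on that network

# Constructed rule set: drop inbound packets claiming an internal source address
# (spoofing), accept inbound SMTP to the mail server only, allow outbound web;
# everything else falls through to the default.
POLICY = [
    Rule("deny", direction="in", src=INTERNAL),
    Rule("permit", direction="in", dst=MAIL, proto="tcp", dport=25),
    Rule("permit", direction="out", src=INTERNAL, proto="tcp", dport=80),
]
```

Because the rules are stateless, the outbound web rule lets the request out but nothing lets the reply back in; that gap is what the stateful filter on the next slide closes.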


Page 13: Firewall & its configurations

Stateful Packet Filters

• Also referred to as dynamic packet filtering.

• Stateful inspection is a firewall architecture that works at the network layer.

• Unlike packet filtering, which examines a packet based only on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid.

• Filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context established by prior packets that have passed through the firewall.

• Better able to detect bogus packets.
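An added example (not from the slides) of the context a stateful filter keeps: a table of connections opened from the inside, consulted before any inbound segment is admitted, so a stray inbound ACK with no matching connection, one of the bogus packets mentioned above, is dropped even though a stateless rule set might pass it. The addresses and the policy (only the protected network may open connections) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:  # constructed sample TCP segment: the fields a stateful filter keys on
    direction: str   # "out" = from the protected network, "in" = from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK), "FA" (FIN/ACK)

class StatefulFilter:
    """Connection table keyed on the 4-tuple. Assumed policy: only the protected
    network may open connections; inbound segments are admitted only when they
    continue a connection the inside started and carry flags valid for its state."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def _key(s: Segment):
        # Both directions of one connection map to the same table entry.
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def process(self, s: Segment) -> str:
        key = self._key(s)
        state = self.table.get(key)
        closing = "F" in s.flags or "R" in s.flags
        if s.direction == "out":
            if state is None:
                if s.flags != "S":
                    return "deny"               # non-SYN with no entry: not a new connection
                self.table[key] = "SYN_SENT"    # inside opens a connection
                return "permit"
            if closing:
                self.table.pop(key, None)
            return "permit"
        if state is None:
            return "deny"                       # unsolicited inbound, e.g. a stray ACK
        if state == "SYN_SENT" and s.flags == "SA":
            self.table[key] = "ESTABLISHED"     # handshake reply to our SYN
            return "permit"
        if state == "ESTABLISHED":
            if closing:
                self.table.pop(key, None)
            return "permit"
        return "deny"                           # flags do not fit this state
```

Simplified on purpose: the entry is removed on the first FIN or RST, so the final ACK of a close is not tracked; a real implementation follows the full TCP teardown and also times out idle entries.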


Page 14: Firewall & its configurations

Application Level Gateway (or Proxy)

– Also known as an application proxy or application-level proxy.

– An application gateway is an application program that runs on a firewall system between two networks.

– The user connects to the gateway using a TCP/IP application, and the gateway asks the user for the name of the remote host to be accessed.

– When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.

– Once connected, the proxy makes all packet-forwarding decisions. Since all communication is conducted through the proxy server, computers behind the firewall are protected.

– Can control traffic at the application level.
  • Needs a separate proxy for each service.


Page 15: Firewall & its configurations

Cont..

• Advantages:

– Higher security than packet filters.

– Easy to log and audit all incoming traffic.

• Disadvantages:

– Additional processing overhead on each connection.


Page 16: Firewall & its configurations

Circuit-level gateway

– A specialized function performed by an application-level gateway for certain applications.

– The gateway sets up two TCP connections:
  • One between itself and a TCP user on an inner host.
  • One between itself and a TCP user on an outer host.

– Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.


Page 17: Firewall & its configurations

Circuit-level gateway


Page 18: Firewall & its configurations

Bastion host

– A system identified by the firewall administrator as a critical strong point in the network’s security.

Characteristics:

• The bastion host serves as a platform for an application-level or circuit-level gateway.

• Only the services that the network administrator considers essential are installed on the bastion host.


Page 19: Firewall & its configurations

Firewall Configurations

• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible:
  – Screened host firewall system (single-homed bastion host)
  – Screened host firewall system (dual-homed bastion host)
  – Screened-subnet firewall system


Page 20: Firewall & its configurations

Screened host firewall system (single-homed bastion host)

• The firewall consists of two systems:
  – A packet-filtering router.
  – A bastion host.

• The router is configured so that:
  – For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
  – For traffic from the internal network, only IP packets from the bastion host are allowed out.

• The bastion host performs authentication and proxy functions.


Page 21: Firewall & its configurations

Screened host firewall system (single-homed bastion host)


Page 22: Firewall & its configurations

Screened host firewall, dual-homed bastion configuration

– Even if the packet-filtering router is completely compromised, traffic between the Internet and other hosts on the private network still has to flow through the bastion host, because the bastion host is the only system with an interface on both networks.


Page 23: Firewall & its configurations

Screened host firewall, dual-homed bastion configuration


Page 24: Firewall & its configurations

Screened subnet firewall configuration

– Most secure configuration of the three.

– Two packet-filtering routers are used.

– An isolated sub-network is created:
  • It consists of simply the bastion host, but may also include one or more information servers and modems.


Page 25: Firewall & its configurations

Screened subnet firewall configuration


Page 26: Firewall & its configurations

• Advantages:

– Three levels of defense to prevent intruders.

– The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet).

– The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside cannot construct direct routes to the Internet).
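An added reachability model of the screened-subnet configuration on the preceding slides (not the slides' own material): two packet-filtering routers, an isolated subnet holding the bastion host, and the three zones chained internal, DMZ, Internet, so a packet crosses only the routers that sit between its source and destination zones. The addresses are constructed; each router's policy is the one the advantages above describe, written as an explicit check.

```python
import ipaddress

# Constructed addressing for the three zones of a screened-subnet configuration.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")   # private (internal) network
DMZ = ipaddress.ip_network("192.0.2.0/28")        # the screened subnet
BASTION = "192.0.2.2"                             # bastion host, placed in the DMZ

def zone(ip: str) -> int:
    """0 = internal network, 1 = screened subnet, 2 = Internet: the chain the routers sit on."""
    addr = ipaddress.ip_address(ip)
    return 0 if addr in INTERNAL else 1 if addr in DMZ else 2

def inside_router(src: str, dst: str) -> str:
    # Between the internal network and the DMZ: internal hosts and DMZ hosts may talk to
    # each other, but no internal host can construct a direct route to the Internet.
    return "forward" if {zone(src), zone(dst)} == {0, 1} else "discard"

def outside_router(src: str, dst: str) -> str:
    # Between the DMZ and the Internet: only DMZ addresses are forwarded to or from the
    # Internet, so internal addresses never appear outside (the internal net is invisible).
    return "forward" if {zone(src), zone(dst)} == {1, 2} else "discard"

# Router crossed between adjacent zones: internal -(inside)- DMZ -(outside)- Internet.
ROUTERS = {(0, 1): ("inside", inside_router), (1, 2): ("outside", outside_router)}

def trace(src: str, dst: str):
    """Routers a packet crosses on its way, with each verdict, stopping at the first discard."""
    a, b = zone(src), zone(dst)
    step = 1 if b > a else -1
    hops = []
    for i in range(a, b, step):
        name, router = ROUTERS[(min(i, i + step), max(i, i + step))]
        verdict = router(src, dst)
        hops.append((name, verdict))
        if verdict == "discard":
            break
    return hops

def delivered(src: str, dst: str) -> bool:
    """True only if every router on the path forwards the packet."""
    return all(v == "forward" for _, v in trace(src, dst))

if __name__ == "__main__":
    for s, d in [("198.51.100.7", "10.10.5.5"), ("198.51.100.7", BASTION),
                 ("10.10.5.5", "198.51.100.7"), ("10.10.5.5", BASTION)]:
        print(f"{s} -> {d}: {trace(s, d)}")
```

The only way an Internet host reaches an internal host, or vice versa, is through a connection relayed by the bastion host in the DMZ, which is the three-level defense the slide refers to: outside router, bastion host, inside router.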


Page 27: Firewall & its configurations

Summary

– Firewalls
– Types of firewalls
  • Packet filter, stateful inspection, application proxy, circuit-level.
– Bastion host
– Firewall configurations
