
5/4/01 EMTM 553 1

EMTM 553: E-commerce Systems

Lecture 7b: Firewalls

Insup Lee

Department of Computer and Information Science

University of Pennsylvania

[email protected]

www.cis.upenn.edu/~lee

Why do we need firewalls?

BEFORE / AFTER (your results may vary)

What is a firewall?

• Two goals:
– To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
– To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network.

• Basic idea:
– Impose a specifically configured gateway machine between the outside world and the site’s inner network.
– All traffic must first go to the gateway, where software decides whether to allow or reject it.

What is a firewall?

• A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.

• The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

Firewalls DO

• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system

Firewalls DON’T

• Protect against attacks that bypass the firewall
– Dial-out from an internal host to an ISP
• Protect against internal threats
– Disgruntled employee
– Insider cooperates with an external attacker
• Protect against the transfer of virus-infected programs or files

Types of Firewalls

• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls

Packet Filtering Routers

• Forward or discard IP packets according to a set of rules
• Filtering rules are based on fields in the IP and transport headers

What information is used for the filtering decision?

• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit (TCP header)

Web Access Through a Packet Filter Firewall

[Stein]


Packet Filtering Routers: pros and cons

• Advantages:
– Simple
– Low cost
– Transparent to users
• Disadvantages:
– Hard to configure filtering rules
– Hard to test filtering rules
– Don’t hide network topology (due to transparency)
– May not be able to provide enough control over traffic
– Throughput of a router decreases as the number of filters increases

Application Level Gateways (Proxy Server)

A Telnet Proxy

A sample telnet session

Application Level Gateways (Proxy Server)

• Advantages:
– Complete control over each service (FTP/HTTP…)
– Complete control over which services are permitted
– Strong user authentication (smart cards etc.)
– Easy to log and audit at the application level
– Filtering rules are easy to configure and test
• Disadvantages:
– A separate proxy must be installed for each application-level service
– Not transparent to users

Circuit Level Gateways

Circuit Level Gateways (2)

• Often used for outgoing connections where the system administrator trusts the internal users
• The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections

Hybrid Firewalls

• In practice, many of today's commercial firewalls use a combination of these techniques.
• Examples:
– A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
– Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.

Firewall Configurations

• Bastion host
– A system identified by the firewall administrator as a critical strong point in the network’s security
– Typically serves as a platform for an application-level or circuit-level gateway
– Extra-secure O/S, tougher to break into
• Dual-homed gateway
– Two network interface cards: one to the outer network and the other to the inner
– A proxy selectively forwards packets
• Screened host firewall system
– Uses a network router to forward all traffic from the outer and inner networks to the gateway machine
• Screened-subnet firewall system

Dual-homed gateway

Screened-host gateway

Screened Host Firewall

Screened Subnet Firewall

Screened subnet gateway

Selecting a firewall system

• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling

Commercial Firewall Systems

[Chart: percentage share (0% to 45% axis) of commercial firewall vendors: Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]

Widely used commercial firewalls

• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)

Firewall’s security policy

• Embodied in the filters that allow or deny passage to network traffic
• Filters are implemented as proxy programs.
– Application-level proxies
o One for each particular communication protocol
o E.g., HTTP, FTP, SM
o Can also filter based on IP addresses
– Circuit-level proxies
o Lower-level, general-purpose programs that treat packets as black boxes to be forwarded or not
o Only look at header information
o Advantages: speed and generality
o One proxy can handle many protocols

Configure a Firewall (1)

• Outgoing Web Access
– Outgoing connections through a packet filter firewall
– Outgoing connections through an application-level proxy
– Outgoing connections through a circuit proxy

Firewall Proxy

Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]

Configure a Firewall (2)

• Incoming Web Access
– The “Judas” server
– The “Sacrificial Lamb”
– The “Private Affair” server
– The doubly fortified server

The “Judas” Server (not recommended)

[Stein]

The “sacrificial lamb”

[Stein]

The “private affair” server

[Stein]

Internal Firewall

An internal firewall protects the Web server from insider threats.

[Stein]

Placing the sacrificial lamb in the demilitarized zone.

[Stein]

Poking holes in the firewall

• If you need to support a public Web server but have no place to put it other than inside the firewall.
• Problem: if the server is compromised, then you are cooked.

Simplified Screened-Host Firewall Filter Rules

[Stein]

Filter Rule Exceptions for Incoming Web Services

[Stein]

Screened subnetwork

Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]

Filter Rules for a Screened Public Web Server

[Stein]
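As an added illustration (not part of the lecture or of Stein's figures), the following Python packet filter applies the header fields listed under "What information is used for the filtering decision?" to a screened-subnet rule set of the kind the "Filter Rules for a Screened Public Web Server" slide depicts; the addresses, ports and rule table are constructed assumptions, and the ACK-bit requirement is what lets replies in without letting outsiders open connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology (assumed for this example, not taken from the slides).
INTERNAL = ip_network("10.0.0.0/8")        # the organization's private network
WEB_SERVER = ip_network("192.0.2.80/32")   # public Web server on its own screened subnet
ANY, ANY_PORT, HTTP = ip_network("0.0.0.0/0"), range(0, 65536), range(80, 81)

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address (IP header)
    dst: str      # destination IP address (IP header)
    proto: str    # protocol type: "tcp" or "udp"
    sport: int    # source port (TCP or UDP header)
    dport: int    # destination port (TCP or UDP header)
    ack: bool     # TCP ACK bit; a connection-opening SYN has it clear

@dataclass(frozen=True)
class Rule:
    src: object; dst: object; proto: str   # proto may be "tcp", "udp" or "any"
    sport: range; dport: range
    ack: Optional[bool]   # None: don't care; True: only packets of an already-open connection
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and p.sport in self.sport and p.dport in self.dport
                and (self.ack is None or p.ack == self.ack))

# Screened-subnet rule set: first matching rule wins, anything unmatched is denied.
RULES = [
    # 1. Outsiders (and insiders) may open HTTP connections to the Web server.
    Rule(ANY, WEB_SERVER, "tcp", ANY_PORT, HTTP, None, "allow"),
    # 2. Web server replies only: ACK must be set, so it cannot open new connections.
    Rule(WEB_SERVER, ANY, "tcp", HTTP, ANY_PORT, True, "allow"),
    # 3. Nothing else may cross from the screened subnet into the private network.
    Rule(WEB_SERVER, INTERNAL, "any", ANY_PORT, ANY_PORT, None, "deny"),
    # 4. Internal users may browse the Web ...
    Rule(INTERNAL, ANY, "tcp", ANY_PORT, HTTP, None, "allow"),
    # 5. ... and receive the replies, which again must carry ACK (no inbound SYN from port 80).
    Rule(ANY, INTERNAL, "tcp", HTTP, ANY_PORT, True, "allow"),
]

def filter_packet(p: Packet, rules=RULES) -> str:
    # Decide "allow" or "deny" for one packet, as a packet-filtering router would.
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny: whatever no rule mentions is dropped
```

Rules 2 and 5 depend on the receiving TCP stack refusing to open a connection from an ACK-only packet; a stateful filter that remembers which connections were actually opened is the stricter successor to this ACK-bit trick.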


Q&A