firewalls and trusted systems

8/3/2019 Firewalls and Trusted Systems

1/53

Henric Johnson 1

Chapter 10

Firewalls

Blekinge Institute of Technology, Sweden

http://www.its.bth.se/staff/hjo/

+46-708-250375


2/53

Henric Johnson 2

Outline

Firewall Design Principles Firewall Characteristics

Types of Firewalls Firewall Configurations

Trusted Systems

Data Access Control The Concept of Trusted systems Trojan Horse Defense


3/53

Henric Johnson 3

Firewalls

Effective means of protection a localsystem or network of systems from

network-based security threats whileaffording access to the outside worldvia WAN`s or the Internet


4/53

Henric Johnson 4

Firewall DesignPrinciples

Information systems undergo asteady evolution (from small LAN`s

to Internet connectivity) Strong security features for all

workstations and servers not

established


5/53

Henric Johnson 5

Firewall DesignPrinciples

The firewall is inserted between thepremises network and the Internet

Aims: Establish a controlled link

Protect the premises network from

Internet-based attacks Provide a single choke point


6/53

Henric Johnson 6

Firewall Characteristics

Design goals: All traffic from inside to outside must

pass through the firewall (physicallyblocking all access to the local networkexcept via the firewall)

Only authorized traffic (defined by thelocal security police) will be allowed topass


7/53

Henric Johnson 7


Design goals: The firewall itself is immune to

penetration (use of trusted system witha secure operating system)


8/53

Henric Johnson 8


Four general techniques: Service control

Determines the types of Internetservices that can be accessed, inboundor outbound

Direction control Determines the direction in which

particular service requests are allowedto flow


9/53

Henric Johnson 9


User control Controls access to a service according to

which user is attempting to access it Behavior control

Controls how particular services are

used (e.g. filter e-mail)


10/53

Henric Johnson 10

Types of Firewalls

Three common types of Firewalls: Packet-filtering routers

Application-level gateways Circuit-level gateways

(Bastion host)


11/53

Henric Johnson 11

Types of Firewalls

Packet-filtering Router


12/53

Henric Johnson 12

Types of Firewalls

Packet-filtering Router Applies a set of rules to each incoming

IP packet and then forwards or discardsthe packet Filter packets going in both directions The packet filter is typically set up as a

list of rules based on matches to fieldsin the IP or TCP header Two default policies (discard or forward)


13/53

Henric Johnson 13

Types of Firewalls

Advantages: Simplicity

Transparency to users High speed

Disadvantages:

Difficulty of setting up packet filterrules Lack of Authentication


14/53

Henric Johnson 14

Types of Firewalls

Possible attacks and appropriatecountermeasures

IP address spoofing Source routing attacks

Tiny fragment attacks


15/53

Henric Johnson 15

Types of Firewalls

Application-level Gateway


16/53

Henric Johnson 16

Types of Firewalls

Application-level Gateway Also called proxy server

Acts as a relay of application-leveltraffic


17/53

Henric Johnson 17

Types of Firewalls

Advantages: Higher security than packet filters

Only need to scrutinize a few allowableapplications

Easy to log and audit all incoming traffic

Disadvantages: Additional processing overhead on each

connection (gateway as splice point)


18/53

Henric Johnson 18

Types of Firewalls

Circuit-level Gateway


19/53

Henric Johnson 19

Types of Firewalls

Circuit-level Gateway Stand-alone system or

Specialized function performed by anApplication-level Gateway

Sets up two TCP connections

The gateway typically relays TCPsegments from one connection to theother without examining the contents


20/53


21/53

Henric Johnson 21

Types of Firewalls

Bastion Host A system identified by the firewall

administrator as a critical strong point inthe networks security

The bastion host serves as a platformfor an application-level or circuit-levelgateway


22/53

Henric Johnson 22

Firewall Configurations

In addition to the use of simpleconfiguration of a single system

(single packet filtering router orsingle gateway), more complexconfigurations are possible

Three common configurations


23/53

Henric Johnson 23


Screened host firewall system(single-homed bastion host)


24/53

Henric Johnson 24


Screened host firewall, single-homedbastion configuration

Firewall consists of two systems: A packet-filtering router

A bastion host


25/53

Henric Johnson 25


Configuration for the packet-filteringrouter:

Only packets from and to the bastionhost are allowed to pass through therouter

The bastion host performsauthentication and proxy functions


26/53

Henric Johnson 26


Greater security than singleconfigurations because of two

reasons: This configuration implements bothpacket-level and application-levelfiltering (allowing for flexibility in

defining security policy) An intruder must generally penetrate

two separate systems


27/53

Henric Johnson 27


This configuration also affordsflexibility in providing direct

Internet access (public informationserver, e.g. Web server)


28/53

Henric Johnson 28


Screened host firewall system (dual-homed bastion host)


29/53

Henric Johnson 29


Screened host firewall, dual-homedbastion configuration

The packet-filtering router is notcompletely compromised

Traffic between the Internet and other

hosts on the private network has to flowthrough the bastion host


30/53

Henric Johnson 30


Screened-subnet firewall system


31/53

Henric Johnson 31


Screened subnet firewallconfiguration

Most secure configuration of the three Two packet-filtering routers are used

Creation of an isolated sub-network


32/53

Henric Johnson 32


Advantages: Three levels of defense to thwart

intruders The outside router advertises only the

existence of the screened subnet to theInternet (internal network is invisible tothe Internet)


33/53

Henric Johnson 33


Advantages: The inside router advertises only the

existence of the screened subnet to theinternal network (the systems on theinside network cannot construct directroutes to the Internet)


34/53

Henric Johnson 34

Trusted Systems

One way to enhance the ability of asystem to defend against intruders

and malicious programs is toimplement trusted system technology


35/53

Henric Johnson 35

Data Access Control

Through the user access controlprocedure (log on), a user can be

identified to the system Associated with each user, there canbe a profile that specifies permissibleoperations and file accesses

The operation system can enforcerules based on the user profile


36/53

Henric Johnson 36

Data Access Control

General models of access control: Access matrix

Access control list Capability list


37/53

Henric Johnson 37

Data Access Control

Access Matrix


38/53

Henric Johnson 38

Data Access Control

Access Matrix: Basic elements of themodel

Subject: An entity capable of accessingobjects, the concept of subject equates withthat of process

Object: Anything to which access is controlled(e.g. files, programs)

Access right: The way in which an object isaccessed by a subject (e.g. read, write,execute)


39/53

Henric Johnson 39

Data Access Control

Access Control List: Decomposition ofthe matrix by columns


40/53

Henric Johnson 40

Data Access Control

Access Control List An access control list lists users and

their permitted access right The list may contain a default or public

entry


41/53

Henric Johnson 41

Data Access Control

Capability list: Decomposition of thematrix by rows


42/53

Henric Johnson 42

Data Access Control

Capability list A capability ticket specifies authorized

objects and operations for a user Each user have a number of tickets

Th C t f


43/53

Henric Johnson 43

The Concept ofTrusted Systems

Trusted Systems Protection of data and resources on the

basis of levels of security (e.g. military) Users can be granted clearances to

access certain categories of data

Th C t f


44/53

Henric Johnson 44


Multilevel security Definition of multiple categories or levels of

data

A multilevel secure system must enforce: No read up: A subject can only read an object

of less or equal security level (Simple SecurityProperty)

No write down: A subject can only write into anobject of greater or equal security level (*-Property)

Th C t f


45/53

Henric Johnson 45


Reference Monitor Concept:Multilevel security for a data

processing system

Th C t f


46/53

Henric Johnson 46


Th C t f


47/53

Henric Johnson 47


Reference Monitor Controlling element in the hardware and

operating system of a computer thatregulates the access of subjects toobjects on basis of security parameters

The monitor has access to a file

(security kernel database) The monitor enforces the security rules(no read up, no write down)

Th C t f


48/53

Henric Johnson 48


Properties of the Reference Monitor Complete mediation: Security rules are

enforced on every access Isolation: The reference monitor anddatabase are protected fromunauthorized modification

Verifiability: The reference monitorscorrectness must be provable(mathematically)

Th C t f


49/53

Henric Johnson 49


A system that can provide suchverifications (properties) is referred

to as a trusted system


50/53

Henric Johnson 50

Trojan Horse Defense

Secure, trusted operating systemsare one way to secure against Trojan

Horse attacks


51/53

Henric Johnson 51



52/53

Henric Johnson 52



53/53

Henric Johnson 53

Recommended Reading

Chapman, D., and Zwicky, E. BuildingInternet Firewalls. OReilly, 1995

Cheswick, W., and Bellovin, S. Firewalls andInternet Security: Repelling the WilyHacker. Addison-Wesley, 2000

Gasser, M. Building a Secure ComputerSystem. Reinhold, 1988

Pfleeger, C. Security in Computing. PrenticeHall, 1997

firewalls and trusted systems

Documents