set 325
TRANSCRIPT
-
8/2/2019 Set 325
1/38
C. Ding -- COMP4631 -- L25 1
Lecture 25: Firewalls
Introduce several types of firewallsDiscuss their advantages and
disadvantagesCompare their performancesDemonstrate their applications
-
8/2/2019 Set 325
2/38
C. Ding -- COMP4631 -- L25 2
What is a Digital Firewall?
A digital firewall is a system of hardwareand software components designed torestrict access between or among
networks, most often between theInternet and a private Internet.
The firewall is part of an overall securitypolicy that creates a perimeter defensedesigned to protect the informationresources of the organization.
-
8/2/2019 Set 325
3/38
C. Ding -- COMP4631 -- L25 3
A Physical Firewall
1. What is the firewallcomposed of?
2. What are the hardware andsoftware components of thisfirewall?
3. What is the defenceperimeter?
-
8/2/2019 Set 325
4/38
C. Ding -- COMP4631 -- L25 4
What a Firewall can do
Implement security policies at a singlepoint
Monitor security-related events (audit, log) Provide strong authentication for access
control purpose
-
8/2/2019 Set 325
5/38
C. Ding -- COMP4631 -- L25 5
What a Firewall cannot do
Protect against attacks that bypass thefirewall Dial-out from internal host to an ISP
Protect against internal threats disgruntled employee Insider cooperates with an external attacker
Protect against the transfer of virus-infected programs or files
-
8/2/2019 Set 325
6/38
C. Ding -- COMP4631 -- L25 6
Firewall - Typical Layout
A firewall denies or permits accessbased on policies and rules
Protected Private Network
Internet
-
8/2/2019 Set 325
7/38
C. Ding -- COMP4631 -- L25 7
Watching for Attacks
Protected Private Network
Internet
Monitor Log
Attack
Notify
-
8/2/2019 Set 325
8/38
C. Ding -- COMP4631 -- L25 8
Firewall Technologies
They may be classified into four categories:Packet filtering firewallsCircuit level gatewaysApplication gateways (or proxy servers)Dynamic packet filtering firewallsa combination of the three above
These technologies operate at differentlevels of detail, providing varying degreesof network access protection.
-
8/2/2019 Set 325
9/38
C. Ding -- COMP4631 -- L25 9
Filtering Types
Packet filtering Packets are treated individually No state information is memorized
Session filtering or dynamic packetfiltering Packets are grouped into connections Packets in a connection are detected State information is memorized
-
8/2/2019 Set 325
10/38
C. Ding -- COMP4631 -- L25 10
Packet Filtering
Decisions made on per-packet basis No state information saved Works at the network level of the OSI model Applies packet filters based on access rulesdefined by the following parameters:
Source address Destination address Application or protocol/next header (TCP, UDP, etc) Source port number Destination port number
-
8/2/2019 Set 325
11/38
C. Ding -- COMP4631 -- L25 11
Packet Filtering Policy Example
My host Other host
action name port name port comments
block * * microsoft.com * Block everythingfrom MS
allow My-gateway 25 * * Allow incomingmail
-
8/2/2019 Set 325
12/38
C. Ding -- COMP4631 -- L25 12
Rule
1
2
3
4
5
6
7
8
Direction
Out
Out
In
In & Out
In
In
Out
In
Source
Address
*
10.56*
10.122*
*
*
201.32.4.76
*
*
Destination
Address
10.56.199*
10.122*
10.56.199*
10.56.199*
*
*
*
10.56.199*
Protocol
*
TCP
TCP
TCP
TCP
*
TCP
TCP
# Source
Port
*
*
23 (Telnet)
*
*
*
*
*
# Destin.
Port
*
23 (Telnet)
*
25 (Mail)
513 (rlogin)
*
20 (FTP)
20 (FTP)
Action
DropPass
Pass
Pass
Drop
Drop
Pass
Drop
Packet Filtering Policy Example
-
8/2/2019 Set 325
13/38
C. Ding -- COMP4631 -- L25 13
Packet Filtering Firewalls
Firewall/Router
Data Link
Network
InternetPhysical
InputFilter
Access Rules
Data Link
Network
Router
Internal
Network
Physical
OutputFilter
Access Rules
-
8/2/2019 Set 325
14/38
C. Ding -- COMP4631 -- L25 14
Packet Filtering Firewalls Advantages:
Simple, low cost, fast, transparent to user Disadvantages:
They cannot prevent attacks that employ application-specific vulnerabilities or functions
because they do not examine upper-layer data. Most packet filter firewalls do not support advanced
authentication schemes
due to the lack of upper-layer functionality
It is easy to accidentally configure a packet filteringfirewall to allow traffic types, sources, and destinationsthat should be denied based on an organizations policy
due to the small number of variables used for decision
-
8/2/2019 Set 325
15/38
Session Filtering
Traditional packet filters do not examinehigher layer context ie matching return packets with outgoing flow
Dynamic packet filtering examines data atall levels
They examine each IP packet in context
Keep track of client-server connection Check each packet validly belongs to one
Hence are more able to detect boguspackets out of context
C. Ding -- COMP4631 -- L25 15
-
8/2/2019 Set 325
16/38
C. Ding -- COMP4631 -- L25 16
Session Filtering
Packet decision made in the context of aconnection
If packet is a new connection, check againpolicy
If packet is part of an existing connection,match it up in the state table and updatetable. A connection table is maintained
-
8/2/2019 Set 325
17/38
C. Ding -- COMP4631 -- L25 17
Example of Session Establishment
Telnet Server Telnet Client
23 1234
Port 1234
ACK
Step 1
Step 2
(1) The Client opens channel to the Server, tells its port number.
The ACK bit is not set while establishing the connection but
will be set on the remaining packets.
(2) Server acknowledges.
-
8/2/2019 Set 325
18/38
C. Ding -- COMP4631 -- L25 18
Example of Connection State Table
Source address Source port Destination
Address
Destination
port
Connection
state
192.168.1.100 1030 210.9.88.29 80 established
192.168.1.102 1031 216.32.42.123 25 established
In general, when an application that uses TCP creates asession with a remote host, it creates a TCP connection inwhich the TCP port number for the remote (server)
application is a number less than 1024 and the TCP portnumber for the local (client) application is a number between1024 and 16383.
The numbers less than 1024 are the well-known portnumbers and are assigned permanently to particular applic.
-
8/2/2019 Set 325
19/38
Using ACK in Session Filtering
C. Ding -- COMP4631 -- L25 19
The ACK signifies that the packet is partof an ongoing conversation
Packets without the ACK are connectionestablishment messages
-
8/2/2019 Set 325
20/38
C. Ding -- COMP4631 -- L25 20
Dynamic Packet FilteringFirewalls
Applications
Presentations
Sessions
Transport
Data Link
Physical
Data Link
Physical
Applications
Presentations
Sessions
Transport
Data Link
Physical
Network Network
Network
Presentations
Sessions
Transport
INSPECT Engine
Applications
Dynamic StateTablesDynamic State
TablesDynamic State
Tables
Packets inspected between data link layer and network layer State tables are created to maintain connection context
-
8/2/2019 Set 325
21/38
C. Ding -- COMP4631 -- L25 21
Dynamic Packet Filtering FirewallsExample
-
8/2/2019 Set 325
22/38
C. Ding -- COMP4631 -- L25 22
Dynamic Packet FilteringImplementation
Protected private network
Internet
Firewall checkspolicy rules to
validate sender
User initiatesweb session
Return traffic for validatedweb session is permitted
and the state of the flow is
monitored
Firewall opensrequired port
and allows traffic
to pass to
public network
-
8/2/2019 Set 325
23/38
C. Ding -- COMP4631 -- L25 23
Dynamic Packet FilteringStrengths Monitors the state of all data flows Transparent to users Low CPU overheads
For the second and later packets belong to thesame connection, no table look-up of the policydatabase is done.
-
8/2/2019 Set 325
24/38
24C. Ding -- COMP4631 -- L25 24
Designing the Physical Firewall
1. How do you design it intoa packet filtering
firewall?2. How do you design it into
a session filteringfirewall?
-
8/2/2019 Set 325
25/38
C. Ding -- COMP4631 -- L25 25
Circuit Level Gateways
Circuit level gateways work at the session layer ofthe OSI model, or the TCP layer of TCP/IP
Monitor TCP handshaking between packets todetermine whether a requested session islegitimate.
Do not permit an end-to-end TCP connection Rather, the gateway sets up two TCP connections, one
between itself and a TCP user on an inner host and one
between itself and a TCP user on an outside host. Once the two connections are established, the gateway
typically relays TCP segments from one to the otherwithout examining the contents
-
8/2/2019 Set 325
26/38
C. Ding -- COMP4631 -- L25 26
Circuit Level Gateway Example
Internet
tcp user
visitedhost
3
2
1
tcp connectionbetween tcp user andlocal gateway
tcp connection betweentwo gateways
tcp connectionbetween remotegateway and visitedhost
-
8/2/2019 Set 325
27/38
C. Ding -- COMP4631 -- L25 27
Circuit Level Gateways
-
8/2/2019 Set 325
28/38
C. Ding -- COMP4631 -- L25 28
Application Gateways
Similar to circuit-level gateways except that theyare application specific (i.e., tailored to a specificapplication program).
Every connection between two networks is madevia an application program called a proxy.
Connection state is maintained and updated. Proxies are application or protocol specific
Only protocols that have specific proxiesconfigured are allowed through the firewall; allother traffic is rejected. E.g., a gateway that is configured to be a web proxy will
not allow any ftp, gopher, telnet or other traffic through
-
8/2/2019 Set 325
29/38
C. Ding -- COMP4631 -- L25 29
Application Gateways
It filters packets onapplication data as wellas on IP/TCP/UDP fields.
Example: It allowsselected internal usersto telnet outside.
host-to-gatewaytelnet session
gateway-to-remotehost telnet session
applicationgateway
router and filter
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection todest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originatingfrom gateway.
-
8/2/2019 Set 325
30/38
C. Ding -- COMP4631 -- L25 30
Application Gateway Example
Internet
FTP connectioninitiated from
public network
Application LevelGateway completes
connection
If connection is validthe state table is
updated
and connection to
FTP Server
established
FTP Server
Access rulesverified
-
8/2/2019 Set 325
31/38
C. Ding -- COMP4631 -- L25 31
Application Gateways
Firewall
Data Link
Network
InternetPhysical
Data Link
NetworkInternalNetwork
Physical
Router
Transport
Application
Transport
Application
Application Proxies
-
8/2/2019 Set 325
32/38
C. Ding -- COMP4631 -- L25 32
Application Gateways
-
8/2/2019 Set 325
33/38
C. Ding -- COMP4631 -- L25 33
Application Gateway Strengths
More secure than packet filtering firewalls Rather than trying to deal with the numerous
possible combinations that are to be allowedand forbidden at the TCP and IP level, theapplication gateway need only scrutinize a fewallowable applications.
It is easy to log and audit all incomingtraffic at the application level.
-
8/2/2019 Set 325
34/38
C. Ding -- COMP4631 -- L25 34
Application Gateway Weaknesses
Very CPU intensive There are two spliced connections between the
end users, with the gateway at the splice point,and the gateway must examine and forward alltraffic in both directions.
Requires high performance host computer Expensive
-
8/2/2019 Set 325
35/38
C. Ding -- COMP4631 -- L25 35
Network Configuration Examples
-
8/2/2019 Set 325
36/38
C. Ding -- COMP4631 -- L25 36
Protected private network
Protected Private Network
Internet
Allow all access from private network to theInternet
Deny all access from the Internet to the privatenetwork
-
8/2/2019 Set 325
37/38
C. Ding -- COMP4631 -- L25 37
Semi-Militarised Zone
Protected private network
Semi Militarised Zone
SMZ
MailServer
WEBServer
All other
incomingtraffic
blocked
Private network forcorporate servers
and users
Allunauthorised
traffic is
blocked
SMZ
Firewall policy limitsincoming access to
WEB and mail server
from public network
Internet
-
8/2/2019 Set 325
38/38
C Di COMP4631 L25 38
Concluding Remarks
All that a firewall can do is to control networkactivities between OSI levels 2 and 7.
They cannot keep out data carried insideapplications, such as viruses within email messages: there are just too many ways of encoding data to be able
to filter out this kind of threat.
Although firewalls provide a high level of securityin today's private networks to the outside world
we still need the assistance of other relatedsecurity components in order to guarantee propernetwork security.