set 325

8/2/2019 Set 325

1/38

C. Ding -- COMP4631 -- L25 1

Lecture 25: Firewalls

Introduce several types of firewallsDiscuss their advantages and

disadvantagesCompare their performancesDemonstrate their applications

8/2/2019 Set 325

2/38

C. Ding -- COMP4631 -- L25 2

What is a Digital Firewall?

A digital firewall is a system of hardwareand software components designed torestrict access between or among

networks, most often between theInternet and a private Internet.

The firewall is part of an overall securitypolicy that creates a perimeter defensedesigned to protect the informationresources of the organization.

8/2/2019 Set 325

3/38

C. Ding -- COMP4631 -- L25 3

A Physical Firewall

1. What is the firewallcomposed of?

2. What are the hardware andsoftware components of thisfirewall?

3. What is the defenceperimeter?

8/2/2019 Set 325

4/38

C. Ding -- COMP4631 -- L25 4

What a Firewall can do

Implement security policies at a singlepoint

Monitor security-related events (audit, log) Provide strong authentication for access

control purpose

8/2/2019 Set 325

5/38

C. Ding -- COMP4631 -- L25 5

What a Firewall cannot do

Protect against attacks that bypass thefirewall Dial-out from internal host to an ISP

Protect against internal threats disgruntled employee Insider cooperates with an external attacker

Protect against the transfer of virus-infected programs or files

8/2/2019 Set 325

6/38

C. Ding -- COMP4631 -- L25 6

Firewall - Typical Layout

A firewall denies or permits accessbased on policies and rules

Protected Private Network

Internet

8/2/2019 Set 325

7/38

C. Ding -- COMP4631 -- L25 7

Watching for Attacks


Internet

Monitor Log

Attack

Notify

8/2/2019 Set 325

8/38

C. Ding -- COMP4631 -- L25 8

Firewall Technologies

They may be classified into four categories:Packet filtering firewallsCircuit level gatewaysApplication gateways (or proxy servers)Dynamic packet filtering firewallsa combination of the three above

These technologies operate at differentlevels of detail, providing varying degreesof network access protection.

8/2/2019 Set 325

9/38

C. Ding -- COMP4631 -- L25 9

Filtering Types

Packet filtering Packets are treated individually No state information is memorized

Session filtering or dynamic packetfiltering Packets are grouped into connections Packets in a connection are detected State information is memorized

8/2/2019 Set 325

10/38

C. Ding -- COMP4631 -- L25 10

Packet Filtering

Decisions made on per-packet basis No state information saved Works at the network level of the OSI model Applies packet filters based on access rulesdefined by the following parameters:

Source address Destination address Application or protocol/next header (TCP, UDP, etc) Source port number Destination port number

8/2/2019 Set 325

11/38

C. Ding -- COMP4631 -- L25 11

Packet Filtering Policy Example

My host Other host

action name port name port comments

block * * microsoft.com * Block everythingfrom MS

allow My-gateway 25 * * Allow incomingmail

8/2/2019 Set 325

12/38

C. Ding -- COMP4631 -- L25 12

Rule

1

2

3

4

5

6

7

8

Direction

Out

Out

In

In & Out

In

In

Out

In

Source

Address

*

10.56*

10.122*

*

*

201.32.4.76

*

*

Destination

Address

10.56.199*

10.122*

10.56.199*

10.56.199*

*

*

*

10.56.199*

Protocol

*

TCP

TCP

TCP

TCP

*

TCP

TCP

# Source

Port

*

*

23 (Telnet)

*

*

*

*

*

# Destin.

Port

*

23 (Telnet)

*

25 (Mail)

513 (rlogin)

*

20 (FTP)

20 (FTP)

Action

DropPass

Pass

Pass

Drop

Drop

Pass

Drop

Packet Filtering Policy Example

8/2/2019 Set 325

13/38

C. Ding -- COMP4631 -- L25 13

Packet Filtering Firewalls

Firewall/Router

Data Link

Network

InternetPhysical

InputFilter

Access Rules

Data Link

Network

Router

Internal

Network

Physical

OutputFilter

Access Rules

8/2/2019 Set 325

14/38

C. Ding -- COMP4631 -- L25 14

Packet Filtering Firewalls Advantages:

Simple, low cost, fast, transparent to user Disadvantages:

They cannot prevent attacks that employ application-specific vulnerabilities or functions

because they do not examine upper-layer data. Most packet filter firewalls do not support advanced

authentication schemes

due to the lack of upper-layer functionality

It is easy to accidentally configure a packet filteringfirewall to allow traffic types, sources, and destinationsthat should be denied based on an organizations policy

due to the small number of variables used for decision

8/2/2019 Set 325

15/38

Session Filtering

Traditional packet filters do not examinehigher layer context ie matching return packets with outgoing flow

Dynamic packet filtering examines data atall levels

They examine each IP packet in context

Keep track of client-server connection Check each packet validly belongs to one

Hence are more able to detect boguspackets out of context

C. Ding -- COMP4631 -- L25 15

8/2/2019 Set 325

16/38

C. Ding -- COMP4631 -- L25 16

Session Filtering

Packet decision made in the context of aconnection

If packet is a new connection, check againpolicy

If packet is part of an existing connection,match it up in the state table and updatetable. A connection table is maintained

8/2/2019 Set 325

17/38

C. Ding -- COMP4631 -- L25 17

Example of Session Establishment

Telnet Server Telnet Client

23 1234

Port 1234

ACK

Step 1

Step 2

(1) The Client opens channel to the Server, tells its port number.

The ACK bit is not set while establishing the connection but

will be set on the remaining packets.

(2) Server acknowledges.

8/2/2019 Set 325

18/38

C. Ding -- COMP4631 -- L25 18

Example of Connection State Table

Source address Source port Destination

Address

Destination

port

Connection

state

192.168.1.100 1030 210.9.88.29 80 established

192.168.1.102 1031 216.32.42.123 25 established

In general, when an application that uses TCP creates asession with a remote host, it creates a TCP connection inwhich the TCP port number for the remote (server)

application is a number less than 1024 and the TCP portnumber for the local (client) application is a number between1024 and 16383.

The numbers less than 1024 are the well-known portnumbers and are assigned permanently to particular applic.

8/2/2019 Set 325

19/38

Using ACK in Session Filtering

C. Ding -- COMP4631 -- L25 19

The ACK signifies that the packet is partof an ongoing conversation

Packets without the ACK are connectionestablishment messages

8/2/2019 Set 325

20/38

C. Ding -- COMP4631 -- L25 20

Dynamic Packet FilteringFirewalls

Applications

Presentations

Sessions

Transport

Data Link

Physical

Data Link

Physical

Applications

Presentations

Sessions

Transport

Data Link

Physical

Network Network

Network

Presentations

Sessions

Transport

INSPECT Engine

Applications

Dynamic StateTablesDynamic State

TablesDynamic State

Tables

Packets inspected between data link layer and network layer State tables are created to maintain connection context

8/2/2019 Set 325

21/38

C. Ding -- COMP4631 -- L25 21

Dynamic Packet Filtering FirewallsExample

8/2/2019 Set 325

22/38

C. Ding -- COMP4631 -- L25 22

Dynamic Packet FilteringImplementation

Protected private network

Internet

Firewall checkspolicy rules to

validate sender

User initiatesweb session

Return traffic for validatedweb session is permitted

and the state of the flow is

monitored

Firewall opensrequired port

and allows traffic

to pass to

public network

8/2/2019 Set 325

23/38

C. Ding -- COMP4631 -- L25 23

Dynamic Packet FilteringStrengths Monitors the state of all data flows Transparent to users Low CPU overheads

For the second and later packets belong to thesame connection, no table look-up of the policydatabase is done.

8/2/2019 Set 325

24/38

24C. Ding -- COMP4631 -- L25 24

Designing the Physical Firewall

1. How do you design it intoa packet filtering

firewall?2. How do you design it into

a session filteringfirewall?

8/2/2019 Set 325

25/38

C. Ding -- COMP4631 -- L25 25

Circuit Level Gateways

Circuit level gateways work at the session layer ofthe OSI model, or the TCP layer of TCP/IP

Monitor TCP handshaking between packets todetermine whether a requested session islegitimate.

Do not permit an end-to-end TCP connection Rather, the gateway sets up two TCP connections, one

between itself and a TCP user on an inner host and one

between itself and a TCP user on an outside host. Once the two connections are established, the gateway

typically relays TCP segments from one to the otherwithout examining the contents

8/2/2019 Set 325

26/38

C. Ding -- COMP4631 -- L25 26

Circuit Level Gateway Example

Internet

tcp user

visitedhost

3

2

1

tcp connectionbetween tcp user andlocal gateway

tcp connection betweentwo gateways

tcp connectionbetween remotegateway and visitedhost

8/2/2019 Set 325

27/38

C. Ding -- COMP4631 -- L25 27

Circuit Level Gateways

8/2/2019 Set 325

28/38

C. Ding -- COMP4631 -- L25 28

Application Gateways

Similar to circuit-level gateways except that theyare application specific (i.e., tailored to a specificapplication program).

Every connection between two networks is madevia an application program called a proxy.

Connection state is maintained and updated. Proxies are application or protocol specific

Only protocols that have specific proxiesconfigured are allowed through the firewall; allother traffic is rejected. E.g., a gateway that is configured to be a web proxy will

not allow any ftp, gopher, telnet or other traffic through

8/2/2019 Set 325

29/38

C. Ding -- COMP4631 -- L25 29


It filters packets onapplication data as wellas on IP/TCP/UDP fields.

Example: It allowsselected internal usersto telnet outside.

host-to-gatewaytelnet session

gateway-to-remotehost telnet session

applicationgateway

router and filter

1. Require all telnet users to telnet through gateway.

2. For authorized users, gateway sets up telnet connection todest host. Gateway relays data between 2 connections

3. Router filter blocks all telnet connections not originatingfrom gateway.

8/2/2019 Set 325

30/38

C. Ding -- COMP4631 -- L25 30

Application Gateway Example

Internet

FTP connectioninitiated from

public network

Application LevelGateway completes

connection

If connection is validthe state table is

updated

and connection to

FTP Server

established

FTP Server

Access rulesverified

8/2/2019 Set 325

31/38

C. Ding -- COMP4631 -- L25 31


Firewall

Data Link

Network

InternetPhysical

Data Link

NetworkInternalNetwork

Physical

Router

Transport

Application

Transport

Application

Application Proxies

8/2/2019 Set 325

32/38

C. Ding -- COMP4631 -- L25 32


8/2/2019 Set 325

33/38

C. Ding -- COMP4631 -- L25 33

Application Gateway Strengths

More secure than packet filtering firewalls Rather than trying to deal with the numerous

possible combinations that are to be allowedand forbidden at the TCP and IP level, theapplication gateway need only scrutinize a fewallowable applications.

It is easy to log and audit all incomingtraffic at the application level.

8/2/2019 Set 325

34/38

C. Ding -- COMP4631 -- L25 34

Application Gateway Weaknesses

Very CPU intensive There are two spliced connections between the

end users, with the gateway at the splice point,and the gateway must examine and forward alltraffic in both directions.

Requires high performance host computer Expensive

8/2/2019 Set 325

35/38

C. Ding -- COMP4631 -- L25 35

Network Configuration Examples

8/2/2019 Set 325

36/38

C. Ding -- COMP4631 -- L25 36



Internet

Allow all access from private network to theInternet

Deny all access from the Internet to the privatenetwork

8/2/2019 Set 325

37/38

C. Ding -- COMP4631 -- L25 37

Semi-Militarised Zone


Semi Militarised Zone

SMZ

MailServer

WEBServer

All other

incomingtraffic

blocked

Private network forcorporate servers

and users

Allunauthorised

traffic is

blocked

SMZ

Firewall policy limitsincoming access to

WEB and mail server

from public network

Internet

8/2/2019 Set 325

38/38

C Di COMP4631 L25 38

Concluding Remarks

All that a firewall can do is to control networkactivities between OSI levels 2 and 7.

They cannot keep out data carried insideapplications, such as viruses within email messages: there are just too many ways of encoding data to be able

to filter out this kind of threat.

Although firewalls provide a high level of securityin today's private networks to the outside world

we still need the assistance of other relatedsecurity components in order to guarantee propernetwork security.

set 325

Documents