Security Firewall
Transcript of Security Firewall
• Firewall design principles.
• Firewall characteristics.
• Types of firewalls.
• Firewall components and configurations.
Firewall Design Principles
• Information systems undergo a steady evolution (from small LANs to Internet connectivity).
• Strong security features are not established on every workstation and server.
Firewalls
• An effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet.
Firewall Design Principles
• The firewall is inserted between the premises network and the Internet.
• Aims:
1. Establish a controlled link.
2. Protect the premises network from Internet-based attacks.
3. Provide a single choke point.
Firewall Characteristics
• Design goals:
1. All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall).
2. Only authorized traffic (as defined by the local security policy) will be allowed to pass.
3. The firewall itself is immune to penetration (use of trusted systems with secure operating systems).
Firewall Characteristics
• Four general techniques for controlling access:
1. Service control: determines the types of Internet services that can be accessed, inbound or outbound.
2. Direction control: determines the direction in which particular service requests are allowed to flow.
3. User control: controls access to a service according to which user is attempting to access it.
4. Behavior control: controls how particular services are used (e.g. filtering e-mail).
Types of Firewalls
• Three common types of firewalls:
1. Packet-filtering router.
2. Application-level gateway.
3. Circuit-level gateway.
4. (Bastion host.)
Packet-Filtering Router
• Packet-filtering router firewall.
Figure (Packet-Filtering Router Firewall): Internet, packet-filtering router, private network.
Packet-Filtering Router
• Applies a set of rules to each incoming IP packet and then forwards or discards the packet.
• Filters packets going in both directions.
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
• Two default policies (discard or forward) cover packets that match no rule.
Packet-Filtering Router
• Advantages:
1. Simplicity.
2. Transparency to users.
3. High speed.
• Disadvantages:
1. Difficulty of setting up packet-filter rules.
2. Lack of authentication.
Application-Level Gateway
• Application-level gateway firewall.
Figure (Application-Level Gateway): outside host, outside connection, gateway relaying TELNET, FTP, SMTP and HTTP, inside connection, inside host.
Application-Level Gateway
• Also called a proxy server.
• Acts as a relay of application-level traffic.
Application-Level Gateway
• Advantages:
1. Higher security than a packet filter.
2. Only needs to scrutinize a few allowable applications.
3. Easy to log and audit all incoming traffic.
• Disadvantage: additional processing overhead on each connection (the gateway acts as a splice point).
Circuit-Level Gateway
• Circuit-level gateway.
Figure (Circuit-Level Gateway): outside host and outside connection, gateway with paired OUT/IN circuits, inside host and inside connection.
Circuit-Level Gateway
• Either a stand-alone system or a specialized function performed by an application-level gateway.
• Sets up two TCP connections.
• The gateway typically relays TCP segments from one connection to the other without examining the contents.
• The security function consists of determining which connections will be allowed.
• Typical use is a situation in which the system administrator trusts the internal users.
• An example is the SOCKS package.
Bastion Host
• A system identified by the firewall administrator as a critical strong point in the network's security.
• The bastion host serves as a platform for an application-level or circuit-level gateway.
Bastion Host
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible.
• Three common configurations:
Screened Host Firewall System
• Also called a single-homed bastion host.
Figure (Screened Host Firewall): Internet, packet-filtering router, private network with bastion host and information server.
Screened Host Firewall (1)
• Configuration: consists of two systems:
1. Packet-filtering router: only packets from and to the bastion host are allowed to pass through the router.
2. Bastion host: authentication and proxy functions.
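A small rule-list packet filter of the kind the packet-filtering router slides describe, with a second rule set for the screened-host router above (only packets to or from the bastion host pass). This is an added example, not code from the original slides; the addresses, rule sets and field names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    direction: str            # "in" (Internet -> private net) or "out"
    proto: str                # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False         # TCP ACK flag set, i.e. not a connection-opening segment

@dataclass
class Rule:                   # one line of the filter list; "*"/None = don't care
    action: str               # "forward" or "discard"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))

def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    # Rules are tried top-down; the first match decides, else the default policy applies.
    for r in rules:
        if r.matches(p):
            return r.action
    return default
PRIVATE = "192.0.2.0/24"      # constructed: the premises network
BASTION = "192.0.2.2/32"      # constructed: the bastion host
# Stand-alone packet-filtering router: inbound mail to the mail host, any outbound
# TCP, and inbound segments with ACK set (replies to connections opened inside).
# The ACK test is stateless, so it cannot distinguish a reply from a forged ACK.
ROUTER_ONLY = [
    Rule("forward", "in", "tcp", dst="192.0.2.25/32", dport=25),
    Rule("forward", "out", "tcp", src=PRIVATE),
    Rule("forward", "in", "tcp", dst=PRIVATE, ack=True),
]
# Screened-host router: only packets to or from the bastion host may pass.
SCREENED_HOST = [Rule("forward", "in", dst=BASTION), Rule("forward", "out", src=BASTION)]
```

Swapping `default="forward"` for `default="discard"` shows why the discard default is the conservative one: an unmatched inbound telnet request is then forwarded instead of dropped.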
Screened Host Firewall (2)
• Greater security than the single-system configuration, for two reasons:
1. This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining the security policy).
2. An intruder must generally penetrate two separate systems.
Screened Host Firewall (3)
• This configuration also affords flexibility in providing direct Internet access to a public information server (e.g. a web server).
Dual-Homed Bastion Host
• Dual-homed bastion host.
Figure (Dual-Homed Bastion Host): Internet, packet-filtering router, bastion host with two network interfaces, private network with information server.
Dual-Homed Bastion Host
• Guards against the case where the packet-filtering router is completely compromised.
• Traffic between the Internet and the other hosts on the private network has to flow through the bastion host.
Screened Subnet Firewall System
• See figure.
Figure (Screened Subnet Firewall): Internet, outside packet-filtering router, screened subnet with bastion host, modem and information server, inside packet-filtering router, private network.
Screened Subnet Firewall System
• The most secure of the three bastion-host configurations.
• Two packet-filtering routers are used.
• Creates an isolated sub-network.
Screened Subnet Firewall System
• Advantages:
- Three levels of defense to thwart intruders.
- The outside router advertises only the existence of the screened sub-net to the Internet (the internal network is invisible to the Internet).
- The inside router advertises only the existence of the screened sub-net to the internal network (the systems on the inside cannot construct direct routes to the Internet).