Henric Johnson


Firewall Design Principles
* Firewall Characteristics
* Types of Firewalls
* Firewall Configurations


* A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer
* An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet


Firewall Design Principles
* Information systems undergo a steady evolution (from small LANs to Internet connectivity)
* Strong security features for all workstations and servers are not established

Firewall Design Principles
* The firewall is inserted between the premises network and the Internet
* Aims:
  - Establish a controlled link
  - Protect the premises network from Internet-based attacks
  - Provide a single choke point

Firewall Characteristics
* Design goals:
  - All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  - Only authorized traffic (defined by the local security policy) will be allowed to pass

Firewall Characteristics
* Design goals:
  - The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

Firewall Characteristics
* Four general techniques:
* Service control
  - Determines the types of Internet services that can be accessed, inbound or outbound.
  - The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.

Firewall Characteristics
* Direction control
  - Determines the direction in which particular service requests are allowed to flow.
* User control
  - Controls access to a service according to which user is attempting to access it.
  - This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users.

Firewall Characteristics
* Behavior control
  - Controls how particular services are used.
  - For example, the firewall may filter email to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

Types of Firewalls
* Three common types of firewalls:
  - Packet-filtering routers
  - Application-level gateways
  - Circuit-level gateways
  - (Bastion host)

Types of Firewalls
* Packet-filtering Router

Types of Firewalls
* Packet-filtering Router
  - Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  - Filters packets going in both directions
  - The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  - Two default policies (discard or forward)

Types of Firewalls
* Advantages:
  - Simplicity
  - Transparency to users
  - High speed
* Disadvantages:
  - Difficulty of setting up packet filter rules
  - Lack of authentication

Types of Firewalls
* Possible attacks and appropriate countermeasures:
  - IP address spoofing
  - Source routing attacks
  - Tiny fragment attacks
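The following is an added example, not part of the slides: a small model of a packet-filtering router that applies an ordered rule list to IP/TCP header fields, falls back to a default policy, and implements the three countermeasures the slides name (discard inside source addresses arriving on the outside interface, discard source-routed packets, discard first fragments too small to hold the TCP header). The network addresses, rule set and 40-byte minimum fragment size are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed premises network
MIN_FIRST_FRAGMENT = 40  # assumed: 20-byte IP header + 20-byte TCP header must fit in fragment 0


@dataclass
class Packet:
    """The header fields the filter looks at (constructed model, not a real parser)."""
    iface: str                   # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    dport: int
    frag_offset: int = 0         # IP fragment offset, in 8-byte units
    length: int = 1500           # total IP length in bytes
    source_routed: bool = False  # carries a strict/loose source route option


# Ordered rule list: (arrival interface, source net, dest net, dest port, action)
RULES = [
    ("ext", "0.0.0.0/0", "192.168.1.10/32", 25, "forward"),   # inbound SMTP to the mail host
    ("int", "192.168.1.0/24", "0.0.0.0/0", 80, "forward"),    # outbound web
    ("int", "192.168.1.0/24", "0.0.0.0/0", 443, "forward"),
]
DEFAULT_POLICY = "discard"  # the safer of the two default policies


def countermeasure(p: Packet):
    """Return the name of the attack a packet matches, or None if it is clean."""
    if p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "ip-spoofing"      # inside address arriving on the outside interface
    if p.source_routed:
        return "source-routing"   # discard every packet carrying the option
    if p.frag_offset == 0 and p.length < MIN_FIRST_FRAGMENT:
        return "tiny-fragment"    # first fragment cannot hold the whole TCP header
    return None


def filter_packet(p: Packet) -> str:
    """Apply the countermeasures, then the first matching rule, then the default policy."""
    attack = countermeasure(p)
    if attack:
        return "discard:" + attack
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for iface, snet, dnet, port, action in RULES:
        if (iface == p.iface and src in ipaddress.ip_network(snet)
                and dst in ipaddress.ip_network(dnet) and port == p.dport):
            return action
    return DEFAULT_POLICY
```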

Types of Firewalls
* Application-level Gateway

Types of Firewalls
* Application-level Gateway
  - Also called proxy server
  - Acts as a relay of application-level traffic

Types of Firewalls
* Advantages:
  - Higher security than packet filters
  - Only need to scrutinize a few allowable applications
  - Easy to log and audit all incoming traffic
* Disadvantages:
  - Additional processing overhead on each connection (gateway as splice point)

Types of Firewalls
* Circuit-level Gateway

Types of Firewalls
* Circuit-level Gateway
  - Stand-alone system, or
  - Specialized function performed by an Application-level Gateway
  - Sets up two TCP connections
  - The gateway typically relays TCP segments from one connection to the other without examining the contents

Types of Firewalls
* Circuit-level Gateway
  - The security function consists of determining which connections will be allowed
  - Typical use is a situation in which the system administrator trusts the internal users
  - An example is the SOCKS package

Types of Firewalls
* Bastion Host
  - A system identified by the firewall administrator as a critical strong point in the network's security
  - The bastion host serves as a platform for an application-level or circuit-level gateway

Firewall Configurations
* In addition to the use of a simple configuration of a single system (single packet-filtering router or single gateway), more complex configurations are possible
* Three common configurations

Firewall Configurations
* Screened host firewall system (single-homed bastion host)

Firewall Configurations
* Screened host firewall, single-homed bastion configuration
* Firewall consists of two systems:
  - A packet-filtering router
  - A bastion host

Firewall Configurations
* Configuration for the packet-filtering router:
  - Only packets from and to the bastion host are allowed to pass through the router
* The bastion host performs authentication and proxy functions

Firewall Configurations
* Greater security than single configurations, for two reasons:
  - This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
  - An intruder must generally penetrate two separate systems

Firewall Configurations
* This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Firewall Configurations
* Screened host firewall system (dual-homed bastion host)

Firewall Configurations
* Screened host firewall, dual-homed bastion configuration
  - Guards against the case where the packet-filtering router is completely compromised
  - Traffic between the Internet and other hosts on the private network still has to flow through the bastion host

Firewall Configurations
* Screened-subnet firewall system

Firewall Configurations
* Screened subnet firewall configuration
  - Most secure configuration of the three
  - Two packet-filtering routers are used
  - Creation of an isolated sub-network

Firewall Configurations
* Advantages:
  - Three levels of defense to thwart intruders
  - The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)

Firewall Configurations
* Advantages:
  - The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
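Added example, not from the slides: the screened-subnet configuration modelled as two packet-filtering routers with a bastion host on the isolated sub-network between them. Tracing sample packets shows the points made above and in the dual-homed slide: the Internet can only reach the screened subnet, inside hosts can only reach the screened subnet, and even with the outside router fully compromised the inside router still blocks a direct Internet-to-internal path. All addresses are assumed sample values.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # assumed private (inside) network
SCREENED = ipaddress.ip_network("192.0.2.0/28")  # assumed screened subnet
BASTION = "192.0.2.10"                           # assumed bastion host on the screened subnet


def _in(addr, net):
    return ipaddress.ip_address(addr) in net


def outside_router(src, dst):
    """Outside router: only the screened subnet exists as far as the Internet is concerned."""
    if _in(src, INTERNAL) or _in(dst, INTERNAL):
        return "discard"    # the internal network is neither advertised nor reachable
    if _in(src, SCREENED) or _in(dst, SCREENED):
        return "forward"
    return "discard"


def inside_router(src, dst):
    """Inside router: internal hosts reach only the screened subnet, never the Internet directly."""
    if _in(src, INTERNAL) and _in(dst, SCREENED):
        return "forward"
    if _in(src, SCREENED) and _in(dst, INTERNAL):
        return "forward"
    return "discard"


def trace(src, dst, outside_compromised=False):
    """Run a packet through every router on its path. A compromised router forwards
    everything; the result shows whether the remaining layer still holds."""
    if _in(src, INTERNAL):
        hops = ["inside"] if _in(dst, SCREENED) else ["inside", "outside"]
    elif _in(src, SCREENED):
        hops = ["inside"] if _in(dst, INTERNAL) else ["outside"]
    else:  # packet arrives from the Internet
        hops = ["outside", "inside"] if _in(dst, INTERNAL) else ["outside"]
    decisions = []
    for router in hops:
        if router == "outside":
            d = "forward" if outside_compromised else outside_router(src, dst)
        else:
            d = inside_router(src, dst)
        decisions.append((router, d))
        if d == "discard":
            return "discard", decisions
    return "forward", decisions
```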
