Firewalls
What it is all about
Outline
Firewalls
• Protecting a local network from security threats while affording access to the Internet
Firewall Design Principles
• The firewall is inserted between the private network and the Internet
• Aims:
  • Establish a controlled link
  • Protect the local network from Internet-based attacks
  • Provide a single choke point
Firewall Characteristics
Components of Firewalls
Components of Firewalls (I)
• Packet-filtering Router
Packet-filtering Router
• Packet-filtering Router
  • Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  • Filters packets going in both directions
  • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  • Two default policies (discard or forward)
Packet-filtering Router
• Advantages:
  • Simplicity
  • Transparency to users
  • High speed
• Disadvantages:
  • Difficulty of setting up packet filter rules
  • Lack of authentication
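As an added example (not from the slides), the rule list a packet-filtering router walks for each IP packet, written in Python: first match decides, "*" is a wildcard as in the slide's rule table, and a packet matching no rule falls back to the configured default policy (discard or forward). The rule numbers, the 203.0.113.0/24 network and the sample packets are constructed, and only one direction of traffic is modelled.

```python
# Added example (not from the slides): a first-match packet filter of the kind a
# packet-filtering router applies to each IP packet. Rule fields are the header
# fields the slides mention (addresses, protocol, port); "*" is a wildcard, as in
# the slide's rule list. Rule numbers, addresses and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FORWARD, DISCARD, ANY = "forward", "discard", "*"

@dataclass(frozen=True)
class Rule:
    number: int
    src: str    # source network in CIDR form, or "*"
    dst: str    # destination network in CIDR form, or "*"
    proto: str  # "tcp", "udp" or "*"
    dport: str  # destination port as a string, or "*"
    action: str # FORWARD or DISCARD

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _addr_matches(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern)

def matches(rule, pkt):
    return (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)
            and rule.proto in (ANY, pkt.proto) and rule.dport in (ANY, str(pkt.dport)))

def filter_packet(rules, pkt, default=DISCARD):
    """Walk the rules in numeric order; the first match decides. A packet that
    matches no rule gets the router's default policy (discard or forward)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return default, None

# Constructed inbound rule list: HTTP to the web server passes, FTP is dropped,
# and rule 5 is the wildcard catch-all row ("5 * * * * Drop") from the figure.
RULES = [
    Rule(1, ANY, "203.0.113.10/32", "tcp", "80", FORWARD),
    Rule(2, ANY, "203.0.113.0/24", "tcp", "21", DISCARD),
    Rule(5, ANY, ANY, ANY, ANY, DISCARD),
]
```

Dropping rule 5 and switching `default` to FORWARD shows why the default policy matters: anything the explicit rules do not name then passes.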
Components of Firewalls (II)
• Application-level Gateway
Application-level Gateway
• Application-level Gateway
  • Also called proxy server
  • Acts as a relay of application-level traffic
Application-level Gateway
• Advantages:
  • Higher security than packet filters
  • Only need to check a few allowable applications
  • Easy to log and audit all incoming traffic
• Disadvantages:
  • Additional processing overhead on each connection (gateway as splice point)
Components of Firewalls (III)
• Circuit-level Gateway
Circuit-level Gateway
In other words
• Korean customs
  • A circuit-level gateway only checks your nationality
  • An application-level gateway checks your baggage contents in addition to your nationality
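The customs analogy as an added Python example (not from the slides): the circuit-level check looks only at who is connecting to which service, while the application-level check also opens the payload and relays only well-formed HTTP requests it can log and audit. The 10.0.0.0/8 network, the host allow-list and the sample requests are constructed.

```python
# Added example (not from the slides): the customs analogy in code. A
# circuit-level gateway decides on connection endpoints alone ("nationality");
# an application-level gateway also opens the "baggage", i.e. the application
# payload. Networks, hosts and the sample requests below are constructed.
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")       # constructed private network
ALLOWED_PORTS = {80}                          # relay only web traffic
ALLOWED_HOSTS = {"intranet.example.com"}      # constructed allow-list
ALLOWED_METHODS = {"GET", "HEAD"}

def circuit_level_allow(src_ip, dst_port):
    """Check only who is connecting and to which service: internal client,
    permitted port. The payload is never examined."""
    return ip_address(src_ip) in INTERNAL_NET and dst_port in ALLOWED_PORTS

def application_level_allow(src_ip, dst_port, payload):
    """Same endpoint check, then inspect the HTTP request itself. Returns
    (decision, reason) so every decision can be logged and audited."""
    if not circuit_level_allow(src_ip, dst_port):
        return False, "endpoint not permitted"
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "payload is not a well-formed HTTP request"
    if not version.startswith("HTTP/1."):
        return False, "unsupported protocol version"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    headers = dict(l.split(":", 1) for l in lines[1:] if ":" in l)
    host = headers.get("Host", "").strip()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowed"
    return True, f"{method} {target} relayed to {host}"

# Constructed traffic from an internal client to port 80: a plain page fetch,
# a method the proxy does not relay, and bytes that are not HTTP at all.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
BAD_METHOD = b"POST /upload HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00 opaque non-HTTP bytes"
```

The third sample is the point of the analogy: the circuit-level check passes it because the endpoints are fine, and only the application-level check notices the baggage is not what the port suggests.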
Components of Firewalls (II) ∪ (III)
• Bastion Host
  • Serves as
    • application-level gateway
    • circuit-level gateway
    • both
Firewall Configurations
Configurations (I)
• Screened host firewall system (single-homed bastion host)
• Consists of two systems:
  • A packet-filtering router and a bastion host
• Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
More secure
Configurations (II)
• Screened host firewall system (dual-homed bastion host)
• Consists of two systems, just as configuration (I) does.
• However, the bastion host separates the network into two subnets.
Even more secure
Configurations (III)
• Screened-subnet firewall system
• Three-level defense
• Most secure
• Two packet-filtering routers are used
• Creates an isolated sub-network
• The private network is invisible to the Internet
• Computers inside the private network cannot construct direct routes to the Internet
Capabilities of a firewall
• Defines a single choke point at which security features are applied
• Security management is simplified
• Provides a location for monitoring, audits and alarms
• A convenient platform for several non-security-related Internet functions
  • e.g., NAT, network management
• Can serve as the platform for IPSec
What firewalls cannot protect against
• Attacks that bypass the firewall
  • e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
  • e.g., a disgruntled employee or an employee who cooperates with external attackers
• The transfer of virus-infected programs or files
Firewall Design
Router Firewall: arguably this architecture features no firewall device at all; a plain router simply joins the two networks. However, because its packet forwarding looks at the source IP address, it prevents what is known as IP spoofing.
Pros:
• Inexpensive
• Simple to configure and operate
• Operates efficiently
Cons:
• Inflexible
• Leaves public servers and private hosts open to the external network
• Shallow defense that depends solely on the firewall
Firewall Design
Single Host Firewall: employs only a single packet-filtering firewall. This is the first of a set of firewall schemes that divides the network into two separate networks, one of which is protected by the firewall.
Pros:
• Only slightly more expensive than the router firewall
• More flexible than the router firewall
• Private hosts screened by the firewall
Cons:
• Public servers vulnerable
• Shallow defense that depends solely on the firewall
Firewall Design
Multi-Host Firewall: can overcome the security limitations of single-host firewalls.
Pros:
• Public servers screened by the firewall
• Private hosts screened by the firewall
• Multi-layered defense
Cons:
• More expensive than single-host architectures
Choices of firewall
• Software Firewalls
• Hardware Firewalls
10/20/19 Firewall 42
Software Firewalls
Some known software firewalls
• Norton 360:
  • Has the best value for ease of use of the tools offered and overall system performance.
  • Uses multiple tools to control the firewall.
Hardware Firewalls
Some known hardware firewalls
Future of firewall
HTTP Filtering
[Figure: a router sits between two networks; an HTTP packet is marked Pass and an FTP packet is marked Drop]
Example Rule List
[Figure: a rule table of which only the final wildcard catch-all row survived extraction: 5 * * * * Drop]
Discussion
[Figure: two firewalls placed around a restricted network, captioned "Possible solution."]