
Internet

Firewalls
What it is all about

1
Outline

• Firewall Design Principles


• Firewall Characteristics
• Components of Firewalls
• Firewall Configurations

2
Firewalls

• Protecting a local
network from security
threats while affording
access to the Internet

3
Firewall Design
Principles
• The firewall is inserted between the private network and the Internet
• Aims:
• Establish a controlled link
• Protect the local network from Internet-based attacks
• Provide a single choke point

4
Firewall Characteristics

• Design goals for a firewall


• All traffic (in or out) must pass through the firewall
• Only authorized traffic will be allowed to pass
• The firewall itself is immune to penetration

5
Firewall Characteristics

• Four general techniques:


• Service control
• The type of Internet services that can be accessed
• Direction control
• Inbound or outbound
• User control
• Which user is attempting to access the service
• Behavior control
• e.g., Filter email to eliminate spam

6
Components of Firewalls

• Three common components of Firewalls:


• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways
• (Bastion host)

7
Components of Firewalls
(I)
• Packet-filtering Router

8
Packet-filtering Router

• Packet-filtering Router
• Applies a set of rules to each incoming IP packet and then forwards or
discards the packet
• Filter packets going in both directions
• The packet filter is typically set up as a list of rules based on matches to fields
in the IP or TCP header
• Two default policies (discard or forward)

9
Packet-filtering Router

• Advantages:
• Simplicity
• Transparency to users
• High speed
• Disadvantages:
• Difficulty of setting up packet filter rules
• Lack of Authentication

10
Packet-filtering Router

• Open-source packet filters under UNIX:
• IP firewall
• IPFilter
• ipchains

11
Components of Firewalls
(II)
• Application-level Gateway

12
Application-level Gateway

• Application-level Gateway
• Also called proxy server
• Acts as a relay of application-level traffic

13
Application-level Gateway

• Advantages:
• Higher security than packet filters
• Only need to check a few allowable applications
• Easy to log and audit all incoming traffic
• Disadvantages:
• Additional processing overhead on each connection (gateway as splice point)

14
Application-level Gateway

• Open-source under UNIX:


• squid (WWW),
• delegate (general purpose),
• osrtspproxy (RTSP),
• smtpproxy (SMTP),
• …

15
Components of Firewalls
(III)
• Circuit-level Gateway

16
Circuit-level Gateway

• Similar to Application-level Gateway


• However
• it typically relays TCP segments from one connection to the other without
examining the contents
• Determines only which connections will be allowed
• Typical usage is a situation in which the system administrator trusts the
internal users

17
In other words

• Analogy: Korean customs
• A circuit-level gateway only checks your nationality
• An application-level gateway checks your baggage contents in addition to your
nationality

18
Components of Firewalls

• Open-source under UNIX


• SOCKS
• dante

19
Components of Firewalls
(II) ∪ (III)
• Bastion Host
• serves as
• application-level gateway
• circuit-level gateway
• both

20
Firewall Configurations

• In addition to the simple configuration of a single system
(single packet-filtering router or single gateway), more complex
configurations are possible
• Three common configurations

21
Configurations
(I)
• Screened host firewall system (single-homed bastion host)

22
Configurations
(I)
• Consists of two systems:
• A packet-filtering router & a bastion host
• Only packets from and to the bastion host are allowed to pass
through the router
• The bastion host performs authentication and proxy functions

23
More secure

• More secure than either single component because it:
• offers both packet-level and application-level filtering

24
Firewall Configurations

• This configuration also affords flexibility in providing direct Internet
access (public information server, e.g. Web server)

25
Configurations
(II)
• Screened host firewall system (dual-homed bastion host)

26
Configurations
(II)
• Consists of two systems just as config (I) does.
• However, the bastion host separates the network into two subnets.

27
Even more secure

• An intruder must generally penetrate two separate systems

28
Configurations
(III)
• Screened-subnet firewall system

29
Configurations
(III)
• Three-level defense
• Most secure
• Two packet-filtering routers are used
• Creates an isolated sub-network
• Private network is invisible to the Internet
• Computers inside the private network cannot
construct direct routes to the Internet

30
Capabilities of firewall
• Defines a single choke point at which security
features are applied
• Security management is simplified
• Provides a location for monitoring, audits and
alarms
• A convenient platform for several non-security-
related Internet functions
• e.g., NAT, network management
• Can serve as the platform for IPSec

31
What firewalls cannot
protect against
• Attacks that bypass the firewall
• e.g., dial-in or dial-out capabilities that internal systems provide
• Internal threats
• e.g., disgruntled employee or employee who cooperates with external
attackers
• The transfer of virus-infected programs or files

32
Firewall Design
Router Firewall - arguably this firewall architecture features no firewall
devices at all. Instead a plain router joins the two networks. However, because
the router's packet forwarding inspects the source IP address, it can prevent
what is known as IP spoofing.

Pros:
• Inexpensive
• Simple to configure and operate
• Operates efficiently

Cons:
• Inflexible
• Leaves public servers and private hosts open to the external network
• Shallow defense that depends solely on the firewall
Firewall Design
Single Host Firewall - Employs only a single packet-filtering firewall. The
first of a set of firewall schemes that divides the network into two separate
networks, one of which is protected by the firewall.

Pros:
• Only slightly more expensive than the router firewall
• More flexible than the router firewall
• Private hosts screened by the firewall

Cons:
• Public servers vulnerable
• Shallow defense that depends solely on the firewall
Firewall Design
(Figure slides: Single Host Firewall)
Firewall Design
Multi-Host Firewall - Can overcome the security limitations of single host
firewalls.

Pros:
• Public servers screened by a firewall
• Private hosts screened by a firewall
• Multi-layered defense

Cons:
• More expensive than single host architectures
Firewall Design
(Figure slides: Multi-Host Firewall)
Choices of firewall

•Software Firewalls

•Hardware Firewalls

10/20/19 Firewall 42
Software Firewalls

• Most popular firewall choice for individual computers.
• Allows control of functions and protection features.
• Protects the computer against common trojans, viruses, email worms
etc.
• Blocks unsafe applications from running on the system.
• May also include privacy controls, web filtering etc.
• Will only protect the computer it is installed on.

Some known software firewalls

• Kaspersky Internet Security:
• Provides a comprehensive security tool kit.
• A nicely organized interface.
• Protects from malware, DoS attacks etc. Has a powerful firewall.

Kaspersky Internet Security interface

Some known software firewalls

• Norton 360:
• Offers the best value in terms of ease of use of the tools offered and
overall system performance.
• Uses multiple tools to control the firewall.

Norton 360: Firewall Protection Setting interface

Some known software firewalls

• Zone Alarm Internet Security Suite:
• Compared to other software, one of the best firewall products.
• Lightweight software.
• Best performance for home use.

Zone Alarm: Firewall Protection Setting interface

Hardware Firewalls

• Stand-alone hardware component.
• Often built into broadband routers.
• An important part of network setup and network security.
• Very effective with little or no configuration.
• Can protect large businesses and enterprises, and protects every
computer behind it.
• Uses packet filtering to examine the header of each packet and
determine its source and destination.
• Using predefined or user-created rules it forwards or drops the packet.

Some known hardware firewalls

• D-Link: D-Link DIR-655 Xtreme N Gigabit Router
• Fast performance.
• Combines the latest built-in wireless security with an integrated
wireless security wizard.
• Very easy to control.

DIR 655 : Configuration Page

Some known hardware firewalls

• Cisco: ASA 5550 Firewall
• Delivers advanced threat defense services.
• Protects network and application traffic.
• Defends against worms, viruses and network attacks such as denial of
service (DoS) or DDoS.
• Spyware and adware protection.

Cisco ASA Software for ASA 5500

Future of firewalls

• The market for firewalls will remain.
• Hardware firewall components may be included in future personal
computers as personal firewalls.
• Supercomputers, mainframe computers and minicomputers may
come with their own firewall technology in the near future.
• Driven by the influence of viruses and network attacks.
• Combining firewalls.

HTTP Filtering

(Figure: a router passes HTTP packets and drops FTP packets.)
Example Rule List

Rule   Source       Destination  Protocol  Source  Action
Number Address      Address                Port
                                           Number
1      10.56.2.99   *            *         *       Drop
2      10.56.*      10.122.*     TCP       *       Pass
3      10.122.*     10.56.*      TCP       23      Pass
4      *            10.56.*      TCP       *       Pass
5      *            *            *         *       Drop
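The packet-filtering router described earlier applies its rule list to each packet in order and falls back to a default policy (discard or forward) when nothing matches. The following Python is an added example, not code from the slides: it encodes the Example Rule List above as data, matches the "10.56.*" style address wildcards as prefixes, and evaluates constructed sample packets first-match. The dst_port field and the HTTP_ONLY_RULES list (passing HTTP on port 80 and dropping everything else, as in the HTTP Filtering figure) are assumptions added here; the slide's table has no destination-port column.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

ANY = "*"  # wildcard used in the slide's rule table


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet; only header fields the filter looks at."""
    src: str
    dst: str
    proto: str                 # "TCP", "UDP", "ICMP", ...
    src_port: Optional[int]
    dst_port: Optional[int] = None   # assumption: not in the slide's table


@dataclass(frozen=True)
class Rule:
    number: int
    src: str        # exact address, "10.56.*" style prefix, or "*"
    dst: str
    proto: str      # protocol name or "*"
    src_port: str   # port number as text or "*"
    action: str     # "Pass" or "Drop"
    dst_port: str = ANY   # assumption: extra column, defaults to wildcard


def addr_matches(pattern: str, addr: str) -> bool:
    """'*' matches anything; 'a.b.*' matches addresses starting with 'a.b.'."""
    if pattern == ANY:
        return True
    if pattern.endswith("*"):
        return addr.startswith(pattern[:-1])   # prefix keeps its trailing dot
    return pattern == addr


def field_matches(pattern: str, value) -> bool:
    """Protocol and port fields: wildcard or exact textual match."""
    return pattern == ANY or (value is not None and str(value) == pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and field_matches(rule.proto, pkt.proto)
            and field_matches(rule.src_port, pkt.src_port)
            and field_matches(rule.dst_port, pkt.dst_port))


def filter_packet(rules: List[Rule], pkt: Packet,
                  default_action: str = "Drop") -> Tuple[str, Optional[int]]:
    """First matching rule decides. Returns (action, rule number);
    the rule number is None when the default policy was applied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return default_action, None


# The slide's Example Rule List, transcribed as data.
SLIDE_RULES = [
    Rule(1, "10.56.2.99", ANY,       ANY,   ANY,  "Drop"),
    Rule(2, "10.56.*",    "10.122.*", "TCP", ANY,  "Pass"),
    Rule(3, "10.122.*",   "10.56.*",  "TCP", "23", "Pass"),
    Rule(4, ANY,          "10.56.*",  "TCP", ANY,  "Pass"),
    Rule(5, ANY,          ANY,        ANY,   ANY,  "Drop"),
]

# Assumed rule set for the HTTP Filtering figure: pass HTTP, drop the rest.
HTTP_ONLY_RULES = [
    Rule(1, ANY, ANY, "TCP", ANY, "Pass", dst_port="80"),
    Rule(2, ANY, ANY, ANY,   ANY, "Drop"),
]

# Constructed sample traffic (addresses are from the slide's ranges).
SAMPLE_PACKETS = [
    Packet("10.56.2.99", "10.122.1.1", "TCP", 40000),   # blocked host, rule 1
    Packet("10.56.3.4",  "10.122.1.1", "TCP", 40000),   # rule 2
    Packet("10.122.5.5", "10.56.3.4",  "TCP", 23),      # rule 3 (telnet source port)
    Packet("10.122.5.5", "10.56.3.4",  "TCP", 80),      # rule 3 misses, rule 4 hits
    Packet("10.56.3.4",  "10.122.1.1", "UDP", 53),      # no TCP rule fits: rule 5
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(SLIDE_RULES, pkt))
    # Without the explicit catch-all rule 5, the default policy decides.
    udp = SAMPLE_PACKETS[-1]
    print("default Drop:", filter_packet(SLIDE_RULES[:4], udp))
    print("default Pass:", filter_packet(SLIDE_RULES[:4], udp, default_action="Pass"))
```

Two things the run makes visible that the table alone does not: rule order matters (the host in rule 1 would otherwise be passed by rule 2), and rule 4 already accepts every TCP packet that rule 3 accepts, so rule 3 adds no restriction; this is the kind of check an auditor does when reviewing a filter list.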
Discussion

(Figure: a Corporate Data Center connected to the Company intranet, the
Internet and a Restricted Network.)

Place firewall(s) in this network.

Discussion

(Figure: the same network with two firewalls added.)

Possible solution.
