
Firewalls

Henric Johnson 1
Firewalls

The firewall is the barrier between a trusted and an untrusted network, often used between your LAN and WAN. It is typically placed in the forwarding path so that all packets have to be checked by the firewall, where we can drop or permit them.

Filtering

Stateless filtering

Firewalls, like routers, can use access-lists to check the source and/or destination address or the port numbers. Most routers, however, don't spend much time on filtering: when they receive a packet, they check whether it matches an entry in the access-list and, if so, permit or drop the packet. Each packet is treated individually and we don't keep track of packets we have seen before. This is called stateless filtering.
Stateful filtering

A stateful firewall also keeps track of the connections it has seen, and uses that state when it decides on later packets. Two examples:
 A computer on the LAN uses its email client to connect to a mail server on the Internet.
 The client starts the connection with a TCP three-way handshake, which the firewall sees.
 The firewall keeps track of this connection, and when the mail server responds, the firewall automatically permits this return traffic to the client.

 A web server is sitting behind a firewall; it is a busy server that accepts an average of 20 new TCP connections per second from different IP addresses.
 The firewall keeps track of all connections; once it sees a source IP address requesting more than 10 new TCP connections per second, it drops all traffic from this source IP address, preventing a DoS (Denial of Service).
 In this example there are two security zones:
 INSIDE: this is our LAN
 OUTSIDE: this is our WAN
 The interfaces have been assigned to the correct security zone. These zones have two simple rules:
 Traffic from a “high” security level to a “lower” security level is permitted.
 Traffic from a “low” security level to a “higher” security level is denied.
 Our LAN is our trusted network, so it gets a high security level. The WAN is untrusted, so it gets a low security level. This means that traffic from our LAN to the WAN is permitted and traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic of connections that were initiated from our LAN.

 Adding a DMZ zone for the public servers, with a security level between INSIDE and OUTSIDE, the same two rules give:
 Traffic from INSIDE to OUTSIDE is permitted.
 Traffic from INSIDE to DMZ is permitted.
 Traffic from DMZ to OUTSIDE is permitted.
 Traffic from DMZ to INSIDE is denied.
 Traffic from OUTSIDE to DMZ is denied.
 Traffic from OUTSIDE to INSIDE is denied.
 To ensure that traffic from the OUTSIDE is able to reach the servers in the DMZ, we add an access-list that permits only traffic to the IP addresses (and port numbers) that the servers in the DMZ use. The benefit of this setup: if one of the servers in the DMZ gets hacked, the attacker still cannot open connections from the DMZ into the INSIDE network, because DMZ to INSIDE is denied and only the return traffic of connections initiated from INSIDE is permitted.
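The zone rules, the DMZ access-list, the return-traffic tracking and the per-source connection rate limit described above, put together in one small simulation. This is an added example, not code from the slides or from any firewall product; the zone levels (INSIDE 100, DMZ 50, OUTSIDE 0), the addresses, the DMZ server 203.0.113.10:443 and the limit of 10 new connections per second are assumptions chosen for illustration.

```python
"""Stateful, zone-based firewall simulation (added example, not from the slides)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed security levels: higher is more trusted.
ZONE_LEVEL = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool    # True for the first packet of a new TCP connection
    time: float  # seconds; used for the per-source rate limit


class StatefulFirewall:
    def __init__(self, dmz_acl, max_new_per_second=10):
        self.dmz_acl = set(dmz_acl)          # (ip, port) pairs OUTSIDE may reach in the DMZ
        self.max_new = max_new_per_second
        self.conns = set()                   # (src_ip, src_port, dst_ip, dst_port) of tracked flows
        self.blocked = set()                 # source IPs that exceeded the rate limit
        self.syn_times = defaultdict(list)   # src_ip -> timestamps of recent SYNs

    def _rate_exceeded(self, pkt):
        recent = [t for t in self.syn_times[pkt.src_ip] if pkt.time - t < 1.0]
        recent.append(pkt.time)
        self.syn_times[pkt.src_ip] = recent
        return len(recent) > self.max_new

    def check(self, pkt):
        """Return 'permit' or 'drop' for one packet, updating connection state."""
        if pkt.src_ip in self.blocked:
            return "drop"  # "drop all traffic from this source IP address"
        # 1. Return traffic of a tracked connection is permitted regardless of zone.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conns:
            return "permit"
        if not pkt.syn:
            return "drop"  # mid-stream packet of a connection we never saw start
        # 2. New connections: high -> low is permitted, or OUTSIDE -> DMZ via the access-list.
        high_to_low = ZONE_LEVEL[pkt.src_zone] > ZONE_LEVEL[pkt.dst_zone]
        acl_hit = (pkt.src_zone == "OUTSIDE" and pkt.dst_zone == "DMZ"
                   and (pkt.dst_ip, pkt.dst_port) in self.dmz_acl)
        if not (high_to_low or acl_hit):
            return "drop"
        # 3. Rate-limit new connections per source (the DoS example).
        if self._rate_exceeded(pkt):
            self.blocked.add(pkt.src_ip)
            return "drop"
        self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "permit"


def demo():
    """Run the scenarios from the text against constructed packets."""
    fw = StatefulFirewall(dmz_acl={("203.0.113.10", 443)})
    r = {}
    # Mail client on the LAN opens a connection; the server's reply comes back.
    r["mail_out"] = fw.check(Packet("INSIDE", "OUTSIDE", "10.0.0.5", 51000, "198.51.100.25", 25, True, 0.0))
    r["mail_reply"] = fw.check(Packet("OUTSIDE", "INSIDE", "198.51.100.25", 25, "10.0.0.5", 51000, False, 0.1))
    # Unsolicited connection from the WAN into the LAN.
    r["wan_to_lan"] = fw.check(Packet("OUTSIDE", "INSIDE", "198.51.100.7", 4444, "10.0.0.5", 22, True, 0.2))
    # OUTSIDE -> DMZ: only the access-list entry is reachable.
    r["dmz_https"] = fw.check(Packet("OUTSIDE", "DMZ", "198.51.100.7", 40000, "203.0.113.10", 443, True, 0.3))
    r["dmz_ssh"] = fw.check(Packet("OUTSIDE", "DMZ", "198.51.100.7", 40001, "203.0.113.10", 22, True, 0.3))
    # A compromised DMZ host cannot open connections into INSIDE.
    r["dmz_to_inside"] = fw.check(Packet("DMZ", "INSIDE", "203.0.113.10", 40002, "10.0.0.5", 445, True, 0.4))
    # One source opening 11 connections within a second trips the limit on the 11th.
    verdicts = [fw.check(Packet("OUTSIDE", "DMZ", "198.51.100.99", 50000 + i, "203.0.113.10", 443, True, 1.0 + i * 0.05))
                for i in range(11)]
    r["dos_permitted"] = verdicts.count("permit")
    r["dos_dropped"] = verdicts.count("drop")
    # Once blocked, even traffic on a previously permitted connection from that source is dropped.
    r["dos_followup"] = fw.check(Packet("OUTSIDE", "DMZ", "198.51.100.99", 50000, "203.0.113.10", 443, False, 2.0))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Note the ordering in check(): the connection table is consulted before the zone rules, which is what lets a reply from the low-security WAN reach the high-security LAN without a general OUTSIDE to INSIDE permit.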

Firewall Design Principles

 The firewall is inserted between the premises network and the Internet
 Aims:
 Establish a controlled link
 Protect the premises network from Internet-based attacks
 Provide a single choke point
Firewall Characteristics

 Design goals:
 All traffic from inside to outside, and from outside to inside, must pass through the firewall (physically blocking all access to the local network except via the firewall)
 Only authorized traffic (defined by the local security policy) will be allowed to pass
 The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
 Four general techniques:
 Service control: determines the types of Internet services that can be accessed, inbound or outbound
 Direction control: determines the direction in which particular service requests are allowed to flow
 User control: controls access to a service according to which user is attempting to access it
 Behavior control: controls how particular services are used (e.g. filter e-mail)
Types of Firewalls

 Packet-filtering Router
 Applies a set of rules to each incoming IP packet and then forwards or discards the packet
 Filters packets going in both directions
 The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
 Two default policies (discard or forward)
 Advantages:
 Simplicity
 Transparency to users
 High speed
 Disadvantages:
 Difficulty of setting up packet filter rules
 Lack of authentication
 Possible attacks and appropriate countermeasures:
 IP address spoofing: a packet from outside carries a forged inside source address, hoping to match rules meant for internal hosts. Countermeasure: discard packets arriving on the external interface whose source address is an inside address.
 Source routing attacks: the sender specifies the route the packet should take, hoping to bypass security checks along the normal path. Countermeasure: discard all packets that use the source routing option.
 Tiny fragment attacks: the TCP header is split across very small IP fragments so that the port numbers are not in the first fragment and the filter cannot match on them. Countermeasure: require the first fragment to contain a predefined minimum amount of the transport header, or discard fragments with a fragment offset of 1.
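A stateless packet filter with a rule list, a default discard policy and the three countermeasures just listed. This is an added example, not code from the slides or from any router vendor; the inside prefix 10.0.0.0/8, the 20-byte minimum for a first TCP fragment and the rule set in demo() are assumptions for illustration.

```python
"""Stateless packet filter with spoofing, source-routing and tiny-fragment checks
(added example, not from the slides)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal prefix
MIN_FIRST_FRAGMENT = 20  # assumed: bytes of transport header the first fragment must carry


@dataclass
class IPPacket:
    iface: str                  # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dst_port: int = 0           # only meaningful when the transport header is present
    frag_offset: int = 0        # fragment offset in 8-byte units, as in the IP header
    more_fragments: bool = False
    payload_len: int = 0        # bytes of transport data carried by this fragment
    source_route: bool = False  # strict/loose source route option present


@dataclass
class Rule:
    action: str                 # "permit" or "discard"
    proto: str = "any"
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None


def _matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def filter_packet(pkt, rules, default="discard"):
    """Return (verdict, reason) for one packet, with no memory of earlier packets."""
    # Countermeasure 1: IP address spoofing. An inside source address cannot
    # legitimately arrive on the external interface.
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
        return "discard", "spoofed inside source address"
    # Countermeasure 2: source routing. Discard every packet carrying the option.
    if pkt.source_route:
        return "discard", "source routing option present"
    if pkt.proto == "tcp":
        # Countermeasure 3a: the first fragment must carry the whole TCP header,
        # otherwise the ports and flags are hidden from a stateless filter.
        if pkt.frag_offset == 0 and pkt.more_fragments and pkt.payload_len < MIN_FIRST_FRAGMENT:
            return "discard", "first fragment too small to hold the TCP header"
        # Countermeasure 3b: a fragment at offset 1 (8 bytes) would overwrite the
        # port/flag fields delivered in fragment 0 on reassembly.
        if pkt.frag_offset == 1:
            return "discard", "fragment at offset 1 overlaps the TCP header"
    if pkt.frag_offset > 0:
        # A stateless filter cannot see ports in later fragments. They are passed:
        # without a (checked) first fragment the destination cannot reassemble anyway.
        return "permit", "non-first fragment, header not visible"
    # Ordinary access-list: first matching rule wins, otherwise the default policy.
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, f"rule {rule.action} {rule.proto} {rule.dst_net} port {rule.dst_port}"
    return default, "default policy"


def demo():
    """Apply an assumed rule set to constructed packets; returns name -> verdict."""
    rules = [
        Rule("permit", "tcp", "10.0.0.0/8", 25),   # inbound SMTP to our hosts
        Rule("permit", "tcp", "10.0.0.0/8", 443),  # inbound HTTPS to our hosts
    ]
    outside, inside_host = "198.51.100.9", "10.0.0.25"
    cases = {
        "smtp_in": IPPacket("outside", outside, inside_host, "tcp", dst_port=25),
        "telnet_in": IPPacket("outside", outside, inside_host, "tcp", dst_port=23),
        "spoofed": IPPacket("outside", "10.0.0.1", inside_host, "tcp", dst_port=25),
        "source_routed": IPPacket("outside", outside, inside_host, "tcp", dst_port=25, source_route=True),
        "tiny_first_frag": IPPacket("outside", outside, inside_host, "tcp", more_fragments=True, payload_len=8),
        "frag_offset_1": IPPacket("outside", outside, inside_host, "tcp", frag_offset=1, dst_port=23),
        "later_frag": IPPacket("outside", outside, inside_host, "tcp", frag_offset=3),
    }
    return {name: filter_packet(pkt, rules)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The filter keeps no state, so the only defence it has against the fragment tricks is a structural rule about what a first fragment must contain; compare this with the stateful firewall, which can match later packets to a connection it has already accepted.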
Types of Firewalls

 Application-level Gateway
 Also called proxy server
 Acts as a relay of application-level traffic
 Advantages:
 Higher security than packet filters
 Only need to scrutinize a few allowable applications
 Easy to log and audit all incoming traffic
 Disadvantages:
 Additional processing overhead on each connection (gateway as splice point)
Types of Firewalls

 Circuit-level Gateway

As an example of how circuit-level gateways work, say computer A is in a network protected by a circuit-level gateway firewall, and wants to view a web page on computer B, which is outside the firewall.
Computer A sends the request for the web page to computer B; it is intercepted and recorded by the firewall before being passed on.
Computer B receives the request, which as far as it is concerned came from the address of the firewall, and starts sending the web-page data back across the Internet.
When it reaches the firewall, it is compared to computer A's request to see if the IP address and the port match up; then the data is either allowed or dropped.

A major advantage of this method is that non-requested data from outside the firewall is not allowed in, period. All ports are closed until the firewall opens them.

The main disadvantage is that unless it is combined with some other form of filtering, any type of data requested from inside the firewall will be allowed through: the gateway checks that a reply belongs to a circuit that was requested, not what the reply contains.
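The exchange between computer A, the gateway and computer B, as an added example that is not part of the slides and uses no real sockets: outbound circuits are recorded and relayed under the gateway's own address, inbound data is admitted only when it answers a recorded circuit, and the relayed payload is passed through uninspected, which is the disadvantage noted above. The gateway address 192.0.2.1, host A 10.0.0.7, server B 198.51.100.80 and the port range starting at 40000 are assumptions.

```python
"""Circuit-level gateway (relay) simulation; added example, not from the slides."""
import itertools


class CircuitGateway:
    def __init__(self, public_ip="192.0.2.1"):
        self.public_ip = public_ip               # assumed outside address of the gateway
        self._ports = itertools.count(40000)     # assumed relay port range
        self.table = {}   # gateway port -> (inside ip, inside port, outside ip, outside port)
        self.log = []

    def outbound(self, seg):
        """Computer A opens a circuit; record it and relay it under the gateway's address."""
        gw_port = next(self._ports)
        self.table[gw_port] = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        self.log.append(f"open {seg['src']}:{seg['sport']} -> {seg['dst']}:{seg['dport']} "
                        f"as {self.public_ip}:{gw_port}")
        # What B receives: source is the gateway, payload copied untouched.
        return {"src": self.public_ip, "sport": gw_port,
                "dst": seg["dst"], "dport": seg["dport"], "data": seg["data"]}

    def inbound(self, seg):
        """Admit outside data only if it answers a recorded circuit; None means dropped."""
        entry = self.table.get(seg["dport"])
        if entry is None or (entry[2], entry[3]) != (seg["src"], seg["sport"]):
            self.log.append(f"drop unsolicited {seg['src']}:{seg['sport']} -> "
                            f"{self.public_ip}:{seg['dport']}")
            return None
        in_ip, in_port, _, _ = entry
        # The circuit matches, so the data is relayed to A. Note that seg["data"]
        # is never examined: a circuit-level gateway does not inspect content.
        return {"src": seg["src"], "sport": seg["sport"],
                "dst": in_ip, "dport": in_port, "data": seg["data"]}


def demo():
    """Constructed messages for the A / gateway / B exchange described in the text."""
    gw = CircuitGateway()
    a_request = {"src": "10.0.0.7", "sport": 51234, "dst": "198.51.100.80", "dport": 80,
                 "data": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"}
    seen_by_b = gw.outbound(a_request)
    # B answers the address and port it actually saw.
    b_reply = {"src": "198.51.100.80", "sport": 80, "dst": gw.public_ip,
               "dport": seen_by_b["sport"], "data": b"HTTP/1.1 200 OK\r\n\r\n<html>...</html>"}
    delivered = gw.inbound(b_reply)
    # Nobody inside asked this host, so its probe hits a closed port.
    scan = {"src": "203.0.113.66", "sport": 6000, "dst": gw.public_ip, "dport": 40001, "data": b"\x00"}
    # Right gateway port, wrong peer: also not the reply A is waiting for.
    wrong_peer = {"src": "203.0.113.66", "sport": 80, "dst": gw.public_ip,
                  "dport": seen_by_b["sport"], "data": b"x"}
    return {
        "b_sees_source": seen_by_b["src"],
        "reply_delivered_to": (delivered["dst"], delivered["dport"]) if delivered else None,
        "reply_data_unchanged": delivered is not None and delivered["data"] == b_reply["data"],
        "scan_dropped": gw.inbound(scan) is None,
        "wrong_peer_dropped": gw.inbound(wrong_peer) is None,
        "log": gw.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The relay table is keyed on the gateway-side port and checked against the outside peer's address and port, so a host that guesses an open gateway port still gets nothing unless it is the peer that circuit was opened to.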
