Firewalls : usage

• Data encryption
• Access control : usage restriction on some protocols/ports/services
• Authentication : only authorized users and hosts (machines)
• Monitoring for further auditing
• Packet filtering
• Compliance with the specified protocols
• Virus detection
• Isolation of the internal network from the Internet
• Connection proxies (masking of the internal network)
• Application proxies (masking of the « real » software)

Firewalls : basics

• All packets exchanged between the internal and the external domains go through the FW, which acts as a gatekeeper
– external hosts « see » the FW only
– internal and external hosts never communicate directly
– the FW can take very sophisticated decisions based on the protocol carried by the messages
– the FW is the single access point => it is the natural place for authentication and monitoring
– a set of “flow rules” drives its decisions; anything not explicitly permitted by a rule should be denied

Firewalls : architecture (I)

[Diagram: Outside world -> Exterior router -> Firewall -> Interior router -> Internal network; the servers are in the DMZ (DeMilitarized Zone).]
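A worked example, added here and not part of the course slides, of the flow-rule evaluation described under « basics » applied to the screened-subnet layout above: traffic is classified by zone (outside, DMZ, internal), rules are tried in order with the first match winning, and anything unmatched is denied and logged. The address ranges, the rule set and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Address plan assumed for the example (the slides name the zones but give
# no addresses): outside world, a DMZ holding the public servers, internal network.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Classify an address into internal / dmz / outside."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str           # zone name or "any"
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None = any destination port
    action: str             # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone in ("any", zone_of(pkt.src))
                and self.dst_zone in ("any", zone_of(pkt.dst))
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# Flow rules for the screened-subnet layout: first match wins, and anything
# that matches no rule is denied by the default at the end of decide().
RULES = [
    Rule("outside",  "dmz",      "tcp", 80,   "allow"),  # public web server
    Rule("outside",  "dmz",      "tcp", 25,   "allow"),  # public mail relay
    Rule("internal", "outside",  "tcp", 443,  "allow"),  # users browsing out
    Rule("internal", "dmz",      "any", None, "allow"),  # admins reach the servers
    Rule("dmz",      "internal", "any", None, "deny"),   # a compromised server stays in the DMZ
    Rule("outside",  "internal", "any", None, "deny"),   # nothing from outside reaches inside
]

AUDIT: list[str] = []   # stands in for the firewall's log (monitoring site)


def decide(pkt: Packet, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Return (action, matched rule) for a packet and record the decision."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            verdict = (rule.action, f"rule {i}")
            break
    else:
        verdict = ("deny", "default")
    AUDIT.append(f"{zone_of(pkt.src)}:{pkt.src} -> {zone_of(pkt.dst)}:{pkt.dst} "
                 f"{pkt.proto}/{pkt.dport} {verdict[0]} ({verdict[1]})")
    return verdict


if __name__ == "__main__":
    # Constructed sample traffic: web hit, SSH probe, DMZ host scanning inside, user browsing.
    for p in [Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
              Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
              Packet("192.0.2.10", "10.1.1.5", "tcp", 445),
              Packet("10.1.1.5", "203.0.113.5", "tcp", 443)]:
        decide(p)
    print("\n".join(AUDIT))
```

The order of the rules matters: the explicit deny from the DMZ towards the internal network is what keeps a compromised bastion from pivoting, and the default deny at the end catches every service nobody thought to list.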

Firewalls : architecture (II) : merging exterior and interior

[Diagram: Outside world -> Exterior/Interior Firewall (a single FW) -> Internal network; the servers are in the DMZ attached to that firewall.]

Firewalls : architecture (III) : merging exterior FW and servers

[Diagram: Outside world -> External Firewall + servers (the DMZ) -> Internal Firewall -> Internal network.]

Meh… (the exposed servers now run on the exterior firewall host itself, so a compromised server is a compromised firewall)

Firewalls : architecture (IV) : managing multiple subnetworks

[Diagram: Outside world -> Exterior/Interior Firewall, with the servers in the DMZ; behind it a Backbone, from which one Firewall leads to Internal subnetwork A and another Firewall to Internal subnetwork B.]

Firewalls : architecture (V) : managing multiple exterior FW

[Diagram: the Internet enters through Exterior Firewall A into Sub-DMZ A; a second outside network (e.g. supplier network) enters through Exterior Firewall B into Sub-DMZ B; the DMZ with the servers is split into these two sub-DMZs, and a single Interior Firewall separates the DMZ from the Internal network.]

Firewalls : architecture (VI) : managing multiple DMZ

[Diagram: the Internet enters through Exterior/Interior Firewall A, which hosts DMZ A (Servers A); an e.g. supplier network enters through Exterior/Interior Firewall B, which hosts DMZ B (Servers B); both firewalls connect to the Internal network.]

Firewalls : architecture (VII) : internal FW

[Diagram: Outside world -> Exterior/Interior Firewall (servers in the DMZ) -> Internal network; inside the Internal network, a Sensitive-area Firewall isolates the Sensitive area.]

Firewalls : some recommendations

• Bastion hosts
– better to put the bastions in a DMZ than in the internal network
– disable non-required services
– do not allow user accounts
– fix all OS bugs (keep the system patched)
– safeguard the logs (send them off the host, so that an intruder cannot erase them)
– run a security audit
– do secure backups
• Avoid putting in the same area entities which have very different security requirements

Using proxies (I)

• Proxies can be used to « hide » the real servers
• Interior => Exterior traffic
– Give the internal user the illusion that she/he accesses the exterior server directly
– But intercept the traffic to/from the server, analyze the packets (check compliance with the protocol, search for keywords, etc.), log the requests
• Exterior => Interior traffic
– Give the external user the illusion that she/he accesses the interior server directly
– But intercept the traffic to the server, analyze the packets (check compliance with the protocol, search for keywords, etc.), log the requests
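As an added illustration (not from the slides, and not code from any Arkoon product), here is the inspection step such an application proxy performs on an HTTP request before forwarding it: the request head is checked for protocol compliance (a well-formed request line and headers, a Host header for HTTP/1.1), the target and body are searched for policy keywords, and every decision is logged. The allowed methods, the keyword list and the sample requests are assumptions made for the example.

```python
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("app-proxy")

# Syntax accepted for an HTTP/1.0 or HTTP/1.1 request head (a subset of RFC 9112).
REQUEST_LINE = re.compile(rb"\A([A-Z]+) ([^\s]+) HTTP/1\.([01])\Z")
HEADER_LINE = re.compile(rb"\A([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*?)[ \t]*\Z")

# Local policy, constructed for this example (not a vendor default).
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
BLOCKED_KEYWORDS = (b"/etc/passwd", b"<script", b"union select")
MAX_HEAD = 8192

AUDIT: list[str] = []    # stands in for the proxy's request log


@dataclass
class Verdict:
    allowed: bool
    reason: str
    method: bytes = b""
    target: bytes = b""


def _check(raw: bytes) -> Verdict:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEAD:
        return Verdict(False, "incomplete or oversized request head")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:                                   # bare LF, lowercase method, unknown version...
        return Verdict(False, "malformed request line")
    method, target, minor = m.group(1), m.group(2), m.group(3)
    headers: dict[bytes, bytes] = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:                              # also catches lone CR/LF inside a value
            return Verdict(False, "malformed header", method, target)
        headers[hm.group(1).lower()] = hm.group(2)
    if minor == b"1" and b"host" not in headers:
        return Verdict(False, "HTTP/1.1 request without Host", method, target)
    if method not in ALLOWED_METHODS:
        return Verdict(False, "method not allowed", method, target)
    haystack = (target + b"\n" + body).lower()  # keyword search over target and body
    for kw in BLOCKED_KEYWORDS:
        if kw in haystack:
            return Verdict(False, f"blocked keyword {kw.decode()}", method, target)
    return Verdict(True, "compliant", method, target)


def inspect_request(raw: bytes, client: str) -> Verdict:
    """Decide whether the proxy forwards this request, and log the decision."""
    v = _check(raw)
    entry = (f"{client} {v.method.decode(errors='replace') or '-'} "
             f"{v.target.decode(errors='replace') or '-'} "
             f"{'ALLOW' if v.allowed else 'DENY'} ({v.reason})")
    AUDIT.append(entry)
    log.info(entry)
    return v


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    samples = [   # constructed requests
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET / HTTP/1.1\n\n",
        b"DELETE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ]
    for s in samples:
        inspect_request(s, "10.1.1.5")
```

Because the proxy understands the protocol, it rejects what a packet filter cannot see: a request line without CR LF, a header with no colon, a missing Host header, or a forbidden method all fail before any keyword is even looked at.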

Using proxies (II)

• Advantage
– knowledge of the service/protocol => efficiency and « intelligent » filtering
– Ex : session tracking, stateful connection handling
• Disadvantages
– one proxy per service !
– may require modifications of the client
– does not exist for all services

Static Network Address Translation (NAT) (I)

From Arkoon Inc. tutorial

[Diagram: a host of the Internal network with address xxx.xxx.xxx.xxx is seen from the outside as yyy.yyy.yyy.yyy; the FW between the Internal network and the outside performs the translation.]

Static Network Address Translation (NAT) (II)

[Diagram: packets leave the Internal network with source xxx.xxx.xxx.xxx and exit the FW with source yyy.yyy.yyy.yyy; replies arrive for destination yyy.yyy.yyy.yyy and are delivered to xxx.xxx.xxx.xxx.]

• The FW maintains an address translation table
• For an outgoing packet, the FW replaces xxx.xxx.xxx.xxx by yyy.yyy.yyy.yyy in the « source address » field
• For an incoming packet, the FW replaces yyy.yyy.yyy.yyy by xxx.xxx.xxx.xxx in the « destination address » field
• The operation is transparent for both the exterior and the interior hosts
• A static mapping is not access control by itself : every port of xxx.xxx.xxx.xxx is reachable through yyy.yyy.yyy.yyy unless the flow rules restrict it

Static NAT : applications

• Non TCP/UDP based protocols (no port number to translate, so only address translation is possible)
• Pre-defined partnership addresses
• Web server, mail… (traffic to the Internet)
• Application server (hidden behind a FW)
• Host known/authenticated outside with a specific address
• …

PAT : Port Address Translation (I)

From Arkoon Inc. tutorial

[Diagram: a connection reaching the FW on one port (the figure shows ports 80 and 2033) is redirected to a different port on a server of the Internal network.]

PAT : Port Address Translation (II)

• Connections are opened from an exterior host
• Translation table (FW port -> internal host and port)
• Fewer public addresses needed
• Flexible management of server ports

PAT : Port Address Translation (III)

From Arkoon Inc. tutorial

[Diagram: a user at @IP 'U' outside; the FW at @IP 'P'; two web servers in the Internal network, one at @IP1 port 80 and one at @IP2 port 80.]

Packet flow through the FW (as seen outside => as seen inside) :
• U → P:80 becomes U → IP1:80
• IP1:80 → U becomes P:80 → U
• U → P:81 becomes U → IP2:80
• IP2:80 → U becomes P:81 → U

Translation table at @IP « P » :
– port 80 → @IP1 : port 80
– port 81 → @IP2 : port 80
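The following added example (not from the slides or the Arkoon tutorial) implements one static translation table serving both the static NAT slides above, where a whole internal address is replaced one-to-one, and the PAT table on this slide, where ports 80 and 81 of the FW address P are sent to IP1:80 and IP2:80. Both directions are handled: inbound packets get their destination rewritten, replies from the servers get their source rewritten back (a reply from IP2:80 must leave as P:81, not P:80), and a packet matching no entry is dropped rather than leaked. Host names U, P, IP1 and IP2 follow the diagram; the static NAT pair 10.0.0.7 / 198.51.100.7 is made up.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # addresses kept symbolic as on the diagram (U, P, IP1, IP2)
    sport: int
    dst: str
    dport: int


class StaticTranslator:
    """Static, pre-configured translation table of a firewall.

    NAT entries map an internal address to a public address one-to-one: every
    port of that host becomes reachable under the public address.
    PAT entries map one port of the firewall's own public address P to an
    (internal host, port) pair, so several servers share the single address P.
    Both kinds are applied in both directions."""

    def __init__(self, public: str):
        self.public = public
        self.nat: dict[str, str] = {}                   # internal addr -> public addr
        self.nat_rev: dict[str, str] = {}               # public addr -> internal addr
        self.pat: dict[int, tuple[str, int]] = {}       # public port -> (host, port)
        self.pat_rev: dict[tuple[str, int], int] = {}   # (host, port) -> public port

    def add_nat(self, internal: str, public: str) -> None:
        if public in self.nat_rev or public == self.public:
            raise ValueError(f"public address {public} already in use")
        self.nat[internal] = public
        self.nat_rev[public] = internal

    def add_pat(self, public_port: int, host: str, port: int) -> None:
        if public_port in self.pat:
            raise ValueError(f"port {public_port} of {self.public} already in use")
        self.pat[public_port] = (host, port)
        self.pat_rev[(host, port)] = public_port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from outside: rewrite the destination, or drop if nothing is published."""
        if pkt.dst in self.nat_rev:                     # static NAT: address only
            return replace(pkt, dst=self.nat_rev[pkt.dst])
        if pkt.dst == self.public and pkt.dport in self.pat:   # PAT: FW address + port
            host, port = self.pat[pkt.dport]
            return replace(pkt, dst=host, dport=port)
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet (e.g. a reply) from inside: rewrite the source back."""
        if pkt.src in self.nat:
            return replace(pkt, src=self.nat[pkt.src])
        if (pkt.src, pkt.sport) in self.pat_rev:
            return replace(pkt, src=self.public, sport=self.pat_rev[(pkt.src, pkt.sport)])
        return None   # unpublished host: dropped, never forwarded with a private source


def slide_example() -> StaticTranslator:
    """Table of the diagram (P:80 -> IP1:80, P:81 -> IP2:80) plus one static NAT
    entry with constructed addresses."""
    fw = StaticTranslator(public="P")
    fw.add_pat(80, "IP1", 80)
    fw.add_pat(81, "IP2", 80)
    fw.add_nat("10.0.0.7", "198.51.100.7")
    return fw


if __name__ == "__main__":
    fw = slide_example()
    print(fw.inbound(Packet("U", 40000, "P", 81)))     # U -> IP2:80
    print(fw.outbound(Packet("IP2", 80, "U", 40000)))  # reply goes back as P:81 -> U
```

The reverse table is what makes the reply consistent: without it the server's answer would carry P:80 and the user's TCP stack, which opened a connection to P:81, would discard it.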

Masking (I)

From Arkoon Inc. tutorial

[Diagram: several hosts of the Internal network reach the outside through the FW, which presents its own address in their place.]

Masking (II)

• Connections are opened by internal hosts
• Dynamic connection table (IP address + source port number)
• One single address is known outside (the FW address)
• Saves public IP addresses

From Arkoon Inc. tutorial

[Diagram: users @IP1 and @IP2 in the Internal network; the Arkoon FW at @IP 'M'; two web servers outside, @IP 'W' and @IP 'W2'.]

Packet flow through the FW (as seen inside => as seen outside) :
• user @IP1 : 1:1025 → W becomes M:10000 → W ; the reply W → M:10000 becomes W → 1:1025
• user @IP2 : 2:1025 → W becomes M:10001 → W ; the reply W → M:10001 becomes W → 2:1025
• user @IP2 : 2:1026 → W2 becomes M:10000 → W2 ; the reply W2 → M:10000 becomes W2 → 2:1026

Translation table at @IP « M » :
– 1:1025 (10000) → W
– 2:1025 (10001) → W
– 2:1026 (10000) → W2

Note that FW port 10000 appears twice : the table entry also records the destination, so replies from W and from W2 to M:10000 are told apart by their source address.
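An added example (not from the slides or the Arkoon tutorial) of the dynamic connection table behind masking, replaying the three connections of the diagram: the FW allocates the lowest free port of its pool for each new (internal host, port, destination) flow, which is why port 10000 can be reused towards W2 while 2:1025 towards W gets 10001. Replies are accepted only when an entry exists, so unsolicited packets from outside are dropped, and when the pool is exhausted for a destination the connection is refused. Host names 1, 2, M, W and W2 follow the diagram; the port pool is an assumption.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # host names as on the diagram ("1", "2", "M", "W", "W2")
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Dynamic source translation (masking): every connection opened from the
    internal network leaves with the firewall's address M as source, and the
    connection table remembers which internal (host, port) owns each
    (firewall port, destination) pair so that replies can be delivered."""

    def __init__(self, ext_addr: str, first_port: int = 10000, last_port: int = 10999):
        self.ext = ext_addr
        self.ports = range(first_port, last_port + 1)   # port pool (assumed)
        # (firewall port, remote host) -> (internal host, internal port)
        self.table: dict[tuple[int, str], tuple[str, int]] = {}
        # (internal host, internal port, remote host) -> firewall port
        self.flows: dict[tuple[str, int, str], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from an internal host: allocate (or reuse) a firewall port."""
        key = (pkt.src, pkt.sport, pkt.dst)
        port = self.flows.get(key)
        if port is None:
            # Lowest port not yet used towards this destination; the same port
            # may serve several destinations because replies are told apart by
            # their source address.
            port = next((p for p in self.ports if (p, pkt.dst) not in self.table), None)
            if port is None:
                return None            # pool exhausted for this destination: refuse
            self.table[(port, pkt.dst)] = (pkt.src, pkt.sport)
            self.flows[key] = port
        return replace(pkt, src=self.ext, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from outside: deliverable only if an internal host opened the flow."""
        if pkt.dst != self.ext:
            return None
        owner = self.table.get((pkt.dport, pkt.src))
        if owner is None:
            return None                # unsolicited: no entry, dropped
        host, hport = owner
        return replace(pkt, dst=host, dport=hport)

    def close(self, host: str, hport: int, remote: str) -> None:
        """Free the entry when the connection ends (or times out)."""
        port = self.flows.pop((host, hport, remote), None)
        if port is not None:
            del self.table[(port, remote)]


def slide_example() -> Masquerade:
    """Replay the three connections of the diagram and return the firewall state."""
    fw = Masquerade("M")
    fw.outbound(Packet("1", 1025, "W", 80))    # leaves as M:10000 -> W
    fw.outbound(Packet("2", 1025, "W", 80))    # leaves as M:10001 -> W  (10000 taken towards W)
    fw.outbound(Packet("2", 1026, "W2", 80))   # leaves as M:10000 -> W2 (10000 free towards W2)
    return fw


if __name__ == "__main__":
    fw = slide_example()
    for (port, remote), (host, hport) in fw.table.items():
        print(f"{host}:{hport} ({port}) -> {remote}")
    print(fw.inbound(Packet("W", 80, "M", 10000)))    # delivered to 1:1025
```

Entries must be removed when connections close or time out; otherwise the pool fills up and, worse, a stale entry keeps a hole open through which an outside host could reach the internal machine that once owned it.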