Date post: 18-Dec-2015
Security Firewall: Firewall design principle. Firewall Characteristics. Types of Firewalls. Firewall Components & Configurations.
Page 1: Security Firewall Firewall design principle. Firewall Characteristics. Types of Firewalls. Firewall Components & Configurations.

Security Firewall

Firewall design principle.

Firewall Characteristics.

Types of Firewalls.

Firewall Components & Configurations.

Page 2

Firewall Design Principles

• Information systems undergo a steady evolution (from small LANs to Internet connectivity).

• Strong security features are not established on all workstations and servers.

Page 3

Firewalls

• An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet.

Page 4

Firewall Design Principles

• The firewall is inserted between the premises network and the Internet.

• Aims:

1. Establish a controlled link.

2. Protect the premises network from Internet-based attacks.

3. Provide a single choke point.

Page 5

Firewall Characteristics

• Design goals:

1. All traffic from the inside to the outside must pass through the firewall (physically blocking all access to the local network except via the firewall).

2. Only authorized traffic (as defined by the local security policy) will be allowed to pass.

Page 6

Firewall Characteristics

• Design goals (continued):

3. The firewall itself is immune to penetration (use of trusted systems with secure operating systems).

Page 7

Firewall Characteristics

• Four general techniques:

1. Service control: determines the types of Internet services that can be accessed, inbound or outbound.

2. Direction control: determines the direction in which particular service requests are allowed to flow.

Page 8

Firewall Characteristics

3. User control: controls access to a service according to which user is attempting to access it.

4. Behavior control: controls how particular services are used (e.g. filtering e-mail).

Page 9

Types of Firewalls

• Three common types of firewalls:

1. Packet-filtering router.

2. Application-level gateway.

3. Circuit-level gateway.

4. (Bastion host.)

Page 10

Packet-Filtering Router

• Packet filtering router firewall.

Figure (Packet Filtering Router Firewall): Internet - Packet Filtering Router - Private Network.

Page 11

Packet-Filtering Router

• Applies a set of rules to each incoming IP packet and then forwards or discards the packet.

• Filters packets going in both directions.

• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.

• Two default policies for a packet that matches no rule: discard or forward.

Page 12

Packet-Filtering Router

• Advantages:

1. Simplicity.

2. Transparency to users.

3. High speed.

• Disadvantages:

1. Difficulty of setting up packet filtering rules correctly.

2. Lack of authentication.

Page 13

Application-Level Gateway

• Application level gateway firewall.

Figure (Application Level Gateway): Outside Host - Outside Connection - gateway proxies for TELNET, FTP, SMTP and HTTP - Inside Connection - Inside Host.

Page 14

Application-Level Gateway

• Also called a proxy server.

• Acts as a relay of application-level traffic.

Page 15

Application-Level Gateway

• Advantages:

1. Higher security than packet filters.

2. Only needs to scrutinize a few allowable applications.

3. Easy to log and audit all incoming traffic.

• Disadvantage:

- Additional processing overhead on each connection (the gateway acts as a splice point).

Page 16

Circuit Level Gateway

• Circuit level gateway.

Figure (Circuit Level Gateway): Outside host & outside connection - gateway with paired OUT/IN circuits - Inside host & inside connection.

Page 17

Circuit Level Gateway

• A stand-alone system or a specialized function performed by an application-level gateway.

• Sets up two TCP connections.

• The gateway typically relays TCP segments from one connection to the other without examining the contents.

Page 18

Circuit Level Gateway

• The security function consists of determining which connections are to be allowed.

• Typical use is a situation in which the system administrator trusts the internal users.

• An example is the SOCKS package.
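As an added example (not part of the slides), a minimal circuit-level relay in Python for Pages 17 and 18: the gateway's only security decision is which circuits it admits, after which bytes move between the two connections without being inspected. The two TCP connections are stood in for by in-process socket pairs so the code runs offline; the allowed destinations and the sample exchange are constructed.

```python
import select
import socket
import threading

# Constructed policy: the circuits inside users may open through the gateway.
ALLOWED_CIRCUITS = {("198.51.100.7", 80), ("198.51.100.7", 443)}

# Constructed sample exchange; the gateway relays it without parsing it.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\n"


def circuit_allowed(dst_host: str, dst_port: int) -> bool:
    """The gateway's only security decision: admit or refuse the circuit."""
    return (dst_host, dst_port) in ALLOWED_CIRCUITS


def relay(inside: socket.socket, outside: socket.socket, bufsize: int = 4096) -> int:
    """Copy bytes both ways until either end closes; returns bytes relayed."""
    peer = {inside: outside, outside: inside}
    total = 0
    while True:
        readable, _, _ = select.select([inside, outside], [], [])
        for sock in readable:
            data = sock.recv(bufsize)          # payload is forwarded, never read
            if not data:                       # one side closed: tear down both
                inside.close()
                outside.close()
                return total
            peer[sock].sendall(data)
            total += len(data)


def demo() -> int:
    """Socket pairs stand in for inside host <-> gateway <-> outside server."""
    inside_host, gw_inside = socket.socketpair()
    gw_outside, outside_server = socket.socketpair()
    result = []
    worker = threading.Thread(target=lambda: result.append(relay(gw_inside, gw_outside)))
    worker.start()
    inside_host.sendall(REQUEST)
    assert outside_server.recv(4096) == REQUEST      # arrived unchanged
    outside_server.sendall(RESPONSE)
    assert inside_host.recv(4096) == RESPONSE
    inside_host.close()                              # inside hangs up; relay ends
    worker.join(timeout=5)
    outside_server.close()
    return result[0]
```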

Page 19

Bastion Host

• A system identified by the firewall administrator as a critical strong point in the network's security.

• The bastion host serves as a platform for an application-level or circuit-level gateway.

Page 20

Bastion Host

• In addition to the simple configuration of a single system (a single packet filtering router or a single gateway), more complex configurations are possible.

• Three common configurations:

Page 21

Screened host firewall system

• Also called single-homed bastion host.

Figure (Screened host firewall system): Internet - Packet Filtering Router - Private Network containing the Bastion Host and the Information Server.

Page 22

Screened host firewall (1)

• Configuration:

- Consists of two systems:

1. Packet filtering router.

- Only packets from and to the bastion host are allowed to pass through the router.

2. Bastion host.

- Performs authentication and proxy functions.
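As an added example (not part of the slides), the rule-list packet filter of Page 11 in Python, loaded with the screening router policy of Page 22: rules match IP/TCP header fields, the first match wins, only packets from and to the bastion host are forwarded, and a packet matching no rule falls to the default policy. The addresses and ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at (constructed, not a real capture)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port; None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    src: str = "0.0.0.0/0"       # CIDR; a bare address means that single host
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], packet: Packet, default: str = "discard") -> str:
    """First matching rule decides; a packet matching no rule gets the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed addresses for the screened host configuration: the screening
# router lets the outside reach only the bastion host, and only on the
# services the bastion proxies; every other private host is unreachable.
BASTION = "192.0.2.10"
SCREENING_ROUTER_RULES = [
    Rule("discard", dst=BASTION, proto="tcp", dport=23),   # no Telnet to the bastion
    Rule("forward", dst=BASTION, proto="tcp", dport=25),   # inbound mail to the proxy
    Rule("forward", dst=BASTION, proto="tcp", dport=80),   # inbound web to the proxy
    Rule("forward", src=BASTION),                          # bastion may reach outside
]
```

With `default="forward"` the same rule list lets unlisted traffic through, which is why the deck's choice of default policy matters as much as the rules themselves.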

Page 23

Screened host firewall (2)

• Greater security than the single-system configuration, for two reasons:

1. This configuration implements both packet-level and application-level filtering (allowing flexibility in defining the security policy).

2. An intruder must generally penetrate two separate systems.

Page 24

Screened host firewall (3)

• This configuration also affords flexibility in providing direct Internet access (e.g. to a public information server such as a web server).

Page 25

Dual Homed Bastion Host

• Dual homed bastion host.

Figure (Dual Homed Bastion Host): INTERNET, Packet Filtering Router, Bastion Host, Private Network, Information Server.

Page 26

Dual Homed Bastion Host

• Guards against the case in which the packet filtering router is completely compromised.

• Traffic between the Internet and other hosts on the private network has to flow through the bastion host.

Page 27

Screened Subnet Firewall System

• See figure.

Figure (Screened Subnet Firewall System): INTERNET, outside Packet Filtering Router, screened subnet with Bastion Host, Modem and Information Server, inside Packet Filtering Router, Private Network.

Page 28

Screened Subnet Firewall System

• The most secure of the three bastion host configurations.

• Two packet filtering routers are used.

• Creates an isolated sub-network.

Page 29

Screened Subnet Firewall System

• Advantages:

- Three levels of defense to thwart intruders.

- The outside router advertises only the existence of the screened sub-net to the Internet (the internal network is invisible to the Internet).

Page 30

Screened Subnet Firewall System

• Advantages (continued):

- The inside router advertises only the existence of the screened sub-net to the internal network (the systems on the inside cannot construct direct routes to the Internet).
