Topic Objectives
• Describe categories of firewalls.
• Describe firewall architectures.
• Discuss considerations for selecting architectures.
Firewalls
• Goal is to prevent specific types of information from moving between external networks and internal networks.
• In general, the arrangement of security devices placed at the perimeter of a computer network to guard the entry is collectively called a firewall, or firewall perimeter.
• At least one of those devices is a program or a hardware device called a firewall.
• So, this "wall" can be several devices, including the firewall itself.

Create an integrated security system
• firewall perimeter = firewall + IDS + antivirus
• Also use access control and auditing
• Create many firewall perimeters, at strategic entry points
• Keep patching and updating them!
Categorizing Firewalls
• Processing mode
  ◦ Packet filtering, aka filtering (e.g. a router)
  ◦ Application gateways
  ◦ Circuit gateways
  ◦ MAC layer firewalls
  ◦ Hybrid
• Development era (generation)
  ◦ Which level of technology is used
• Structure
  ◦ Commercial-grade, residential-grade
• Implementation
  ◦ Software, hardware, hybrid
Many different firewalls to pick from
• Basic personal use: ZoneAlarm, Norton Personal, Sygate
• More commercial: e.g. Check Point Next Generation
• http://directory.google.com/Top/Computers/Security/Firewalls/Products/ (many!)
• Cisco firewall appliance (i.e. hardware firewall): http://tools.cisco.com/search/JSP/search-results.get?strQueryText=pix+firewall&Search+All+cisco.com=cisco.com&language=en&country=US&thissection=f&accessLevel=Guest&autosuggest=true
• Performance tables: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Pros and Cons

| Type of firewall | Pros | Cons |
|---|---|---|
| Software – freeware | Easy and free | Minimal |
| Software – commercial personal firewalls | Simple, cheap | Not too many features, not robust |
| Software – commercial enterprise firewalls | Typically installed on a dedicated host; real-time monitoring and other admin features | $$$, not too easy to set up |
| Hardware appliances | Faster and more scalable than software firewalls | $$$$$$, difficult to patch if bugs are discovered |
| Hybrid firewall | Provides the throughput and security of an appliance with the features of a software firewall | $$$$$$$$$$ |
Packet Filtering Firewalls
• Examine packet headers
  ◦ Use Access Control Lists (ACLs) to examine and control packet flow based on source/destination IP addresses in the network
  ◦ Simple firewalls examine IP network layer headers: source/destination IP address, protocol (UDP, TCP), inbound or outbound traffic; they can reject (deny), discard, or forward packets
  ◦ 3 types of packet filtering firewalls:
    - static filtering: rules must be configured in advance
    - dynamic filtering: the firewall can modify rules dynamically in response to traffic; it opens and closes doors to allow only packets with the specified source, destination, and port to pass through the firewall
    - stateful inspection: the firewall keeps track of the state of the connection and whether the packet "makes sense" in that context. It can check incoming packets that are responses to internal requests. If it cannot figure it out, it checks ACL tables.
Sample ACL table for a stateless packet filtering firewall

| Rule | Source IP | Source port | Dest IP | Dest port | Action |
|---|---|---|---|---|---|
| 1 | any | any | 192.168.120.0 | above 1023 | Allow |
| 2 | 192.168.120.1 | any | any | any | Deny |
| 3 | any | any | 192.168.120.1 | any | Deny |
| 4 | 192.168.120.0 | any | any | any | Allow |
| 5 | any | any | 192.168.120.2 | 25 | Allow |
| 6 | any | any | 192.168.120.3 | 80 | Allow |
| 7 | any | any | any | any | Deny |

Discussion: how do we read such a table? (Look at the Review of TCP and Logic file)
Discussion: what do these rules mean? Do you see why an IDS is necessary?
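To make the reading of the table concrete, here is an added example (not from the slides) that evaluates the seven rules above top down, first match wins. It assumes that "192.168.120.0" denotes the whole 192.168.120.0/24 internal network and that "above 1023" means ports 1024 and up; the sample packets are constructed, with 203.0.113.9 standing in for an external host.

```python
import ipaddress

# Assumption (not stated on the slide): "192.168.120.0" denotes the
# whole 192.168.120.0/24 internal network.
INTERNAL = ipaddress.ip_network("192.168.120.0/24")

# The slide's ACL, one tuple per row:
# (rule, source IP, source port, dest IP, dest port, action)
ACL = [
    (1, "any", "any", "192.168.120.0", "above 1023", "Allow"),
    (2, "192.168.120.1", "any", "any", "any", "Deny"),
    (3, "any", "any", "192.168.120.1", "any", "Deny"),
    (4, "192.168.120.0", "any", "any", "any", "Allow"),
    (5, "any", "any", "192.168.120.2", "25", "Allow"),
    (6, "any", "any", "192.168.120.3", "80", "Allow"),
    (7, "any", "any", "any", "any", "Deny"),
]

def ip_matches(field, ip):
    """'any' matches every address; the .0 address stands for the /24."""
    if field == "any":
        return True
    if field == "192.168.120.0":
        return ipaddress.ip_address(ip) in INTERNAL
    return field == ip

def port_matches(field, port):
    """'any' matches every port; 'above 1023' matches ephemeral ports."""
    if field == "any":
        return True
    if field == "above 1023":
        return port > 1023
    return int(field) == port

def evaluate(src_ip, src_port, dst_ip, dst_port):
    """Walk the ACL top down; the first matching rule decides the packet."""
    for rule, s_ip, s_port, d_ip, d_port, action in ACL:
        if (ip_matches(s_ip, src_ip) and port_matches(s_port, src_port)
                and ip_matches(d_ip, dst_ip) and port_matches(d_port, dst_port)):
            return rule, action
    return 7, "Deny"  # unreachable: rule 7 matches everything

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 is an external host.
    print(evaluate("203.0.113.9", 40000, "192.168.120.50", 5000))  # (1, 'Allow')
    print(evaluate("192.168.120.1", 5555, "203.0.113.9", 80))     # (2, 'Deny')
    print(evaluate("203.0.113.9", 40000, "192.168.120.2", 25))    # (5, 'Allow')
```

Because the table is stateless, rule 1 also admits unsolicited external packets to any internal high port, which is the gap the IDS question above points at. Under the /24 reading, rule 1 is also reached before rule 3, so high-port traffic to 192.168.120.1 is allowed rather than denied.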
Stateful Inspection Firewalls
• Examine transport layer headers
• Track the state of transport layer connections using a state table.
  ◦ Able to track TCP and UDP source/destination ports and TCP flags in particular
• Dynamic stateful inspection firewalls
  ◦ Maintain dynamic state tables to modify filtering rules based on network events
Sample ACL table for a stateful packet filtering firewall

| Source IP | Source port | Dest IP | Dest port | Connection state |
|---|---|---|---|---|
| 192.168.120.101 | 1037 | 209.233.19.22 | 80 | Established |
| 192.168.120.104 | 1022 | 165.66.28.22 | 80 | Established |
| 192.168.120.107 | 1010 | 65.66.122.101 | 25 | Established |
| 192.168.120.102 | 1035 | 212.33.19.4 | 79 | Established |
| 233.54.33.5 | 1899 | 192.168.120.101 | 80 | Established |
| 306.33.21.3 | 3558 | 192.168.120.101 | 80 | Established |

Discussion: how do we read such a table? (Should we look at the Review of TCP and Logic file?)
Discussion: what do these lines mean?
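As an added example (not from the slides), the following models the state table above: an arriving packet is accepted when it is the reverse of an Established entry (a reply to an internal request) or a continuation of an accepted inbound connection, a bare SYN is treated as a new connection attempt, and anything the table cannot decide is handed to the ACL, as the earlier slide describes. The Conn class and the flag handling are constructed for the example; the six seeded rows are copied from the table, including 306.33.21.3 as printed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    """One row of the state table (constructed model, not the slide's data structure)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StateTable:
    def __init__(self):
        # Seeded with the six Established entries from the slide's table
        # (306.33.21.3 is copied as printed there).
        self.table = {
            Conn("192.168.120.101", 1037, "209.233.19.22", 80): "Established",
            Conn("192.168.120.104", 1022, "165.66.28.22", 80): "Established",
            Conn("192.168.120.107", 1010, "65.66.122.101", 25): "Established",
            Conn("192.168.120.102", 1035, "212.33.19.4", 79): "Established",
            Conn("233.54.33.5", 1899, "192.168.120.101", 80): "Established",
            Conn("306.33.21.3", 3558, "192.168.120.101", 80): "Established",
        }

    def outbound(self, c):
        """An internal host opens a connection: record it so replies can return."""
        self.table[c] = "Established"
        return "allow"

    def inbound(self, c, flags=frozenset()):
        """Decide an arriving packet from the state table alone.

        Returns "allow" for traffic that belongs to a tracked connection and
        "consult_acl" when the table cannot decide (the slide: "if it cannot
        figure it out, it checks ACL tables").
        """
        # A bare SYN is a new connection attempt, never a reply.
        if "SYN" in flags and "ACK" not in flags:
            return "consult_acl"
        reverse = Conn(c.dst_ip, c.dst_port, c.src_ip, c.src_port)
        if self.table.get(reverse) == "Established":
            return "allow"        # reply to a request an internal host made
        if self.table.get(c) == "Established":
            return "allow"        # more data on an already accepted connection
        return "consult_acl"

    def close(self, c):
        """Connection torn down (FIN/RST seen): forget it, replies no longer pass."""
        self.table.pop(c, None)
```

The last two rows of the table are connections initiated from outside to 192.168.120.101 port 80, so that host is serving web traffic to the Internet; the tracker accepts further packets on those connections only while the row exists.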
Where do we put packet filters?
• Cloud → packet filter → proxy server → inside net
• Cloud → packet filter → DMZ → packet filter → inside net
Application Gateways
• AKA application-level firewall, application firewall, or proxy server
• Frequently installed on a separate computer but used in conjunction with the filtering router
• Examines application layer information to determine service type, etc.
• Acts as a proxy for a service request
  ◦ Web server proxy receives requests for web pages, accesses the web server, and returns the pages to the client
  ◦ Able to store recently accessed pages in a local cache. May be referred to as cache servers.
• Frequently placed in an unsecured network location, or a DMZ network
• Can be used to route all internal traffic for web pages via the intermediate proxy server
• Still widely used for e-commerce, but DMZ networks are becoming more commonly used.
• Can be slower than other types of firewalls.
• Designed for one or a few protocols; cannot be easily reconfigured.
Proxy Server (also called application gateway, or application-level firewall, or application firewall)
• E.g. a web proxy receives traffic meant for/from the web server and then delivers it to/from the web server.
• The web server is protected by a firewall, in the figure above. There can be a packet-filter firewall in front of the proxy too.
Circuit Gateways
• AKA circuit gateway firewall or circuit-level gateway
• Operates at transport layer
• Creates tunnels connecting specific processes or systems and allows only authorized traffic in the tunnels
• Only examines address and port information; does not examine application layer data.
MAC Layer & Hybrid Firewalls
• MAC layer filtering
  ◦ Operates at Layer 2 and examines MAC addresses
  ◦ Typically included as a feature of packet filtering firewalls, or hardware firewalls.
• Hybrid firewalls
  ◦ Contain components of different types of firewalls:
    - packet filtering + MAC layer filtering
    - packet filtering + circuit gateway
    - packet filtering + proxy server
Firewall Generations
• First generation
  ◦ static packet filtering
• Second generation
  ◦ Proxy servers or application-level firewalls
• Third generation
  ◦ Stateful inspection firewalls
• Fourth generation
  ◦ Dynamic packet filtering firewalls
• Fifth generation
  ◦ kernel proxy: operates at multiple layers of the protocol stack
  ◦ Windows NTEXEC kernel
  ◦ Cisco Centri Firewall kernel
Firewall Structures
• Commercial-Grade Firewall Appliances
  ◦ standalone, self-contained hardware & software
  ◦ firmware-based instructions increase reliability and performance and reduce compromise
  ◦ rule sets stored in nonvolatile RAM
• Commercial-Grade Firewall Systems
  ◦ Application software running on general-purpose computers
• Small Office/Home Office-Grade (SOHO) Firewall Appliances
  ◦ Protection for always-on high speed Internet connections
  ◦ Support stateful inspection, MAC filtering, port forwarding and NAT
  ◦ May provide intrusion detection capability
• Residential-Grade Firewall Software
  ◦ Frequently available as free or inexpensive software packages that run on individual hosts.
SOHO Hardware vs Software Firewall
• Suggestion: use BOTH
  ◦ Implements the strategy of defense in depth
  ◦ Hardware firewalls reduce/eliminate exposure of individual systems from scanning and probes
    - Very likely to eliminate 100% of pre-attack probes
    - May improve system performance by reducing unnecessary traffic on the local network
    - SOHO hardware firewalls are not especially expensive and well worth the investment
  ◦ Software firewalls provide an alternative, secondary firewall as a backup if someone breaks through the perimeter firewall.
Firewall Architectures
• 4 common implementations
  ◦ Packet Filtering Routers
  ◦ Screened Host Firewalls
  ◦ Dual-Homed Host Firewalls
  ◦ Screened Subnet Firewalls (with DMZ)
Untrusted Host
• Exposed hosts outside the border firewall
• Host is configured for minimal services
• Both incoming and outgoing traffic goes through the external host
  ◦ E.g., proxy server
• Internal hosts cannot trust the external host
• If all traffic routes through the untrusted host, it may also be a dual-homed host.
Screened Host
• Untrusted host on a separate network and inside the firewall
• Still untrusted by internal hosts
• Other untrusted hosts can be on the same network
• Creates a public access network (e.g., web access), aka DMZ, aka perimeter network or service network
Dual-Homed Host
• All traffic enters/leaves the internal network via the proxy server.
• Proxy server may or may not be the firewall. Not required to be the same device.
Screened Subnet Firewall
• Traffic between the internal network and the Internet traverses two firewalls and the DMZ network
• Hosts in the DMZ act as publicly accessible servers
• Traffic entering the inner firewall must originate from a host in the DMZ
• Internal firewalls provide protection between internal subnets
Firewall Configuration Advantages/Disadvantages

| Configuration | Advantages | Disadvantages |
|---|---|---|
| Screening router | Simple, cheap; stateful packet filter good for home use | Minimal protection; viruses, trojans, etc. might get through |
| Dual-homed host | Simple, cheap, can work well if configured well | Single point of failure and entry, depends entirely on the host computer |
| Screened host | 2 layers of protection for home and small business | Single point of failure and entry, depends entirely on the host computer and the router that protects it |
| Screened subnet DMZ | Isolates public servers from the internal LAN and thus protects them | Servers in DMZ are highly vulnerable, must be hardened |
| Multiple DMZ/firewalls | Layers of protection for a business net | $$$ |
| Single DMZ/two firewalls | Balances heavy traffic load | $$$ |
| Branch offices/multiple firewalls | Each office is protected | Each location has to be set up |
| Reverse firewall | Monitors internal users' access to external nets | Can slow down access to external nets (even parts of internal LAN) |
SOCKS Servers
• SOCKS
  ◦ Protocol for handling TCP traffic through a proxy server.
  ◦ Proprietary, circuit-level proxy server. Uses special client-side SOCKS agents on each workstation. Filtering occurs in the workstations rather than the proxy server. Each workstation must be managed as a firewall detection and protection device.
  ◦ May require extra support and management resources, since individual clients must also be managed.

SOCKS Server
Note: depicts a dual-homed host configuration with inner and outer firewalls.
Firewall Selection
• Factors to consider
  ◦ Which firewall design provides the desired protection?
  ◦ What type of firewall technology offers the right balance between protection and cost and meets the needs of the organization?
  ◦ What features are included? In the base price, as add-ons? Are all cost factors known?
  ◦ How easy is it to set up and configure? How accessible are knowledgeable staff to support the firewall?
  ◦ Can the proposed firewall adapt to projected network growth in the organization?