Académique Documents
Professionnel Documents
Culture Documents
Firewall
1
Slide 2
What is a firewall?
A firewall is a device (or software feature) designed to control the flow
of traffic into and out-of a network.
Introduction
– Firewall’s main goal is to protect TCP/IP networks
– Functions:
• Blocking traffic
• Permitting traffic
• Enabling secure remote connections (VPN)
• Logging traffic
• Content filtering (blocking): viruses, attacks
• Network management purposes (screening the traffic etc.)
4
Slide 5
Main goals
The main goal of firewalling is
– to control unnecessary services, traffic
– to hide our internal network topology and services
– to protect against protocol errors (e.g. invalid SMTP commands can be
filtered)
– to enable logging
– to control the activity of internal users
– every accessible point is a possible security hole: With firewalling we
minimize the accessible points and we are making it more difficult to
deploy an attack
– we can make it more difficult to exploit the vulnerability: E.g. with tftp
denied it is more difficult to send files to the internet after an attack
– we can separate the network to subnetworks: an intrusion will not
compromise our whole system, just a subnetwork/server
Slide 6
6
Slide 7
Firewall Placement
• The firewall is inserted between the premises network
and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based attacks
– Provide a single choke point
Slide 8
Firewalls DON’T
• Protect against attacks that bypass the firewall
– Dial-out from internal host to an ISP
Edge Firewall
An edge firewall is usually software running on a
server or workstation.
An edge firewall protects a single computer from
attacks directed against it.
10
Slide 11
Firewall Appliance
It is a device whose sole function is to act as a
firewall.
Examples of these firewalls are:
Cisco PIX.
Netscreen series.
11
Slide 12
Network Firewall
• Router/Bridge based Firewall
– A firewall running on a bridge or a router protects from a group of
devices to an entire network.
12
Slide 13
Types of Firewalls
Adaptive Proxies
Types of Firewalls
Untrusted trusted
Network Network
Filtering Router
Slide 16
Types of Firewalls
• Packet-filtering Router
– Simplest and most effective in some situations
– Applies a set of rules to each incoming IP packet
and then forwards or discards the packet
– Controls access to packets on the basis of packet
address (source or destination) or specific transport
protocol type (e.g. HTTP web traffic)
– Filter packets going in both directions
– Works at network and transport layer
Slide 17
Hypertext Transfer Protocol (HTTP) is the underlying protocol used by the World Wide Web and this protocol defines
how messages are formatted and transmitted
Telnet is a protocol that's used as a simple way to communicate with devices over a network.
Slide 18
18
Slide 19
-Blocking all packets from outside that claim their source address is
an inside address
- i.e Blocking all packets from any address 100.50.25.x
- But of-course permitting in any packet with destination100.50.25.x
Slide 21
Packet Filters
• Data Available
– IP source and destination addresses
– Transport protocol (TCP, UDP, or ICMP)
– TCP/UDP source and destination ports
– ICMP message type
– Packet options (Fragment Size etc.)
• Actions Available
– Allow the packet to go through
– Drop the packet (Notify Sender/Drop Silently)
– Alter the packet (NAT?)
– Log information about the packet
Slide 22
Packet Filtering
Strengths :
• Packet filtering is typically faster than other packet screening methods. Because packet
filtering is done at the lower levels of the OSI model, the time it takes to process a packet is
much quicker.
• Packet filtering firewalls are typically less expensive. Many hardware devices and software
packages have packet filtering features included as part of their standard package.
Slide 25
Packet Filtering
Weaknesses
• Packet filtering firewalls allow a direct connection to be made between the two endpoints.
Although this type of packet screening is configured to allow or deny traffic between two
networks, the client/server model is never broken.
• Packet filtering firewalls are fast and typically have no impact on network performance, but
it's usually an all-or-nothing approach. If ports are open, they are open to all traffic passing
through that port, which in effect leaves a security hole in your network.
• Defining rules and filters on a packet filtering firewall can be a complex task.
Slide 26
• Packet filtering firewalls are prone to certain types of attacks. Since packet
inspection goes no deeper than the packet header information, There are three
common exploits to which packet filtering firewalls are susceptible.
The Internet Control Message Protocol (ICMP) provides background support for
the IP protocol.
Slide 27
• As packets pass through the firewall, packet header information is examined and fed into a
dynamic state table where it is stored.
• The packets are compared to pre-configured rules or filters and allow or deny decisions are
made based on the results of the comparison.
• State consists of details as the IP addresses and ports involved in the connection and the
sequence numbers of the packets traversing the connection.
• Stateful packet inspection compares the packets against the rules or filters and then checks
the dynamic state table to verify that the packets are part of a valid, established connection.
• By having the ability to "remember" the status of a connection, this method of packet
screening is better equipped to guard against attacks than standard packet filtering.
Slide 29
This method can make decisions based on one or more of the following:
• Source IP address
• Destination IP address
• Protocol type (TCP/UDP)
• Source port
• Destination port
• Connection state
Slide 30
Strengths :
• Like packet filtering firewalls, have very little impact on network performance.
• More secure than basic packet filtering firewalls. Because stateful packet inspection digs
deeper into the packet header information to determine the connection state between
endpoints.
• Usually it have some logging capabilities. Logging can help identify and track the different
types of traffic that pass though the firewall.
Slide 31
• Like packet filtering, stateful packet inspection does not break the client/server model and
therefore allows a direct connection to be made between the two endpoints
• Rules and filters in this packet screening method can become complex, hard to manage,
prone to error and difficult to test.
Slide 32
Application Gateways/Proxies
This type of firewall operates at the application level of the OSI model.
Slide 33
• Application-level Gateway
Slide 34
Application Gateways/Proxies
• The proxy plays middleman in all connection attempts (dummy sender and destination)
• For source and destination endpoints to be able to communicate with each other, a proxy
service must be implemented for each application protocol.
• Each endpoint can only communicate with the other by going through the gateway/proxy.
• The gateways/proxies are carefully designed to be reliable and secure because they are the
only connection point between the two networks.
Slide 35
• The response is sent back to the application gateway/proxy, which determines if it is valid and
then sends it on to the client.
• By breaking the client/server model, this type of firewall can effectively hide the trusted
network from the untrusted network.
• Unlike packet filtering and stateful packet inspection, an application gateway/proxy can see
all aspects of the application layer so it can look for more specific pieces of information
Slide 36
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)
Slide 38
Application Gateways/Proxies
Strengths
• Typically have the best content filtering capabilities. Since they have the ability to examine
the payload of the packet, they are capable of making decisions based on content.
• Allow the network administrator to have more control over traffic passing through the
firewall. They can permit or deny specific applications or specific features of an application.
Slide 39
Application Gateways/Proxies
Weaknesses
• The most significant weakness is the impact they can have on performance.
it requires more processing power and has the potential to become a bottleneck for the
network.
• Typically require additional client configuration. Clients on the network may require
specialized software or configuration changes to be able to connect to the application
gateway/proxy.
Slide 40
Adaptive Proxies
Circuit-level Gateway
• Unlike a packet filtering firewall, a circuit-level gateway does not examine individual packets.
Instead, circuit-level gateways monitor TCP or UDP sessions.
Once a session has been established, it leaves the port open to allow all other packets
belonging to that session to pass. The port is closed when the session is terminated.
circuit-level gateways operate at the transport layer (layer 4) of the OSI model.
Slide 42
Personal firewalls
– Every single host on the Internet is a target
– Most users do not use tight security (no updates, bad
passwords, no security settings)
– Attacked clients might become zombies for a DoS attack or
a relay for spams and other attacks
– They need some protection
– Personal firewalls are mostly simple packet filters
– Drop incoming service requests (my windows pc is not a
file server)
– Alert on (anomalous) outgoing requests
– Can protect against trojans / information leakage / privacy
problems too
– Can be integrated with virus protection
42
Slide 43
In order to pick the best architecture and packet screening method for a firewall solution,
the following questions should be considered:
Security Policy
The success of any firewall solution's implementation is directly related to the existence of a well-
thought-out and consistently-implemented security policy.
• Administrative Issues
– User access - Which users will be allowed access to and from the network?
– Access to services - Which services will be allowed in and out of the network?
– Access to resources - Which resources will be available to users?
– User authentication - Will the organization require user authentication?
– Logging and auditing - Will the organization want to keep log and audit files.
– Policy violation consequences - What will be the consequences of policy violation?
– Responsibilities - Who will oversee and administer the security policy? Who has final authority on
decisions?
Slide 45