
EMTM 553: E-commerce Systems

Lecture 7b: Firewalls

Insup Lee

Department of Computer and Information Science


University of Pennsylvania
lee@cis.upenn.edu
www.cis.upenn.edu/~lee
5/4/01 EMTM 553 1
Why do we need firewalls?

BEFORE AFTER (your results may vary)



What is a firewall?
• Two goals:
– To provide the people in your organization with access to
the WWW without allowing the entire world to peek in;
– To erect a barrier between an untrusted piece of
software, your organization’s public Web server, and the
sensitive information that resides on your private
network.
• Basic idea:
– Impose a specifically configured gateway machine
between the outside world and the site’s inner network.
– All traffic must first go to the gateway, where software
decides whether to allow or reject it.



What is a firewall
• A firewall is a system of hardware and software
components designed to restrict access between
or among networks, most often between the
Internet and a private network.
• The firewall is part of an overall security policy
that creates a perimeter defense designed to
protect the information resources of the
organization.



Firewalls DO
• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating
system



Firewalls DON’T
• Protect against attacks that bypass the firewall
– Dial-out from internal host to an ISP
• Protect against internal threats
– Disgruntled employee
– Insider cooperates with an external attacker
• Protect against the transfer of virus-infected
programs or files



Types of Firewalls

• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls



Packet Filtering Routers
• Forward or discard IP packets according to a
set of rules
• Filtering rules are based on fields in the IP
and transport header



What information is used for
filtering decision?

• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol Type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit

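As an added illustration (not from the lecture or from Stein), a minimal packet filter in Python that decides on exactly these fields. The addresses, the ordered rule set and its use of the ACK bit are constructed for the example, modeled on the outgoing Web access and incoming Web service exception configurations the deck discusses later: a packet arriving from port 80 without ACK is a new inbound connection, not a reply, and is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Container, Optional

@dataclass
class Packet:
    src: str            # source IP (IP header)
    dst: str            # destination IP (IP header)
    proto: str          # protocol type: "tcp", "udp", "icmp"
    sport: int = 0      # source port (TCP/UDP header)
    dport: int = 0      # destination port (TCP/UDP header)
    ack: bool = False   # TCP ACK bit: clear only on the first SYN of a new connection

@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    src: str = "0.0.0.0/0"                    # CIDR; default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None               # None means "don't care"
    sport: Optional[Container[int]] = None    # a set or range of ports
    dport: Optional[Container[int]] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.ack is None or self.ack == p.ack))

INSIDE = "10.0.0.0/8"          # constructed: the organization's private network
WEB_SERVER = "10.0.0.80/32"    # constructed: the public Web server behind the filter
WEB_PORTS, HIGH_PORTS = {80, 443}, range(1024, 65536)

# Ordered rule set, first match wins, anything unmatched is denied.
RULES = [
    # Outgoing Web access: inside hosts may initiate connections to Web ports.
    Rule("allow", src=INSIDE, proto="tcp", dport=WEB_PORTS),
    # Their replies return from a Web port to a high port with ACK set; a packet
    # from port 80 without ACK is a new inbound connection and does not match.
    Rule("allow", dst=INSIDE, proto="tcp", sport=WEB_PORTS, dport=HIGH_PORTS, ack=True),
    # Exception for incoming Web service: the world may reach the Web server on 80/443,
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=WEB_PORTS),
    # and the server may answer, but only with ACK set (it never initiates).
    Rule("allow", src=WEB_SERVER, proto="tcp", sport=WEB_PORTS, ack=True),
]

def decide(p: Packet, rules=RULES) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
```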


Web Access Through a Packet
Filter Firewall

[Stein]
Packet Filtering Routers
pros and cons
• Advantages:
– Simple
– Low cost
– Transparent to user
• Disadvantages:
– Hard to configure filtering rules
– Hard to test filtering rules
– Don’t hide network topology (due to transparency)
– May not be able to provide enough control over traffic
– Throughput of a router decreases as the number of filters increases



Application Level Gateways
(Proxy Server)



A Telnet Proxy



A sample telnet session



Application Level Gateways
(Proxy Server)
• Advantages:
– complete control over each service (FTP/HTTP…)
– complete control over which services are permitted
– Strong user authentication (Smart Cards etc.)
– Easy to log and audit at the application level
– Filtering rules are easy to configure and test
• Disadvantages:
– A separate proxy must be installed for each application-
level service
– Not transparent to users



Circuit Level Gateways



Circuit Level Gateways (2)

• Often used for outgoing connections where the system
administrator trusts the internal users
• The chief advantage is that a firewall can be configured as a
hybrid gateway supporting application-level/proxy services
for inbound connections and circuit-level functions for
outbound connections



Hybrid Firewalls
• In practice, many of today's commercial firewalls
use a combination of these techniques.
• Examples:
– A product that originated as a packet-filtering firewall
may since have been enhanced with smart filtering at the
application level.
– Application proxies in established areas such as FTP may
augment an inspection-based filtering scheme.



Firewall Configurations
• Bastion host
– a system identified by firewall administrator as a critical
strong point in the network’s security
– typically serves as a platform for an application-level or circuit-
level gateway
– extra secure O/S, tougher to break into
• Dual homed gateway
– Two network interface cards: one to the outer network and the
other to the inner
– A proxy selectively forwards packets
• Screened host firewall system
– Uses a network router to forward all traffic from the outer
and inner networks to the gateway machine
• Screened-subnet firewall system



Dual-homed gateway



Screened-host gateway



Screened Host Firewall



Screened Subnet Firewall



Screened subnet gateway



Selecting a firewall system
• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling



Commercial Firewall Systems

[Chart: market share of commercial firewall systems by vendor; y-axis 0% to 45%; vendor labels not recoverable from the extracted text]
Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)



Firewall’s security policy
• Embodied in the filters that allow or deny passages to
network traffic
• Filters are implemented as proxy programs.
– Application-level proxies
o One for a particular communication protocol
o E.g., HTTP, FTP, SM
o Can also filter based on IP addresses
– Circuit-level proxies
o Lower-level, general-purpose programs that treat packets
as black boxes to be forwarded or not
o Only look at header information
o Advantages: speed and generality
o One proxy can handle many protocols



Configure a Firewall (1)
• Outgoing Web Access
– Outgoing connections through a packet filter firewall
– Outgoing connections through an application-level proxy
– Outgoing connections through a circuit proxy



Firewall Proxy

Configuring Netscape to use a firewall proxy involves entering
the address and port number for each proxied service. [Stein]
Configure a Firewall (2)
• Incoming Web Access
– The “Judas” server
– The “Sacrificial Lamb”
– The “Private Affair” server
– The doubly fortified server



The “Judas” Server (not recommended)

[Stein]
The “sacrificial lamb”

[Stein]



The “private affair” server

[Stein]
Internal Firewall

An Internal Firewall protects the Web server from insider threats. [Stein]
Placing the sacrificial lamb in
the demilitarized zone.

[Stein]
Poking holes in the firewall
• If you need to support a public Web server but have no
place to put it other than inside the firewall.
• Problem: if the server is compromised, then you
are cooked.



Simplified Screened-Host
Firewall Filter Rules

[Stein]
Filter Rule Exceptions for
Incoming Web Services

[Stein]



Screened subnetwork

Placing the Web server on its own screened subnetwork insulates
it from your organization while granting the outside world limited
access to it. [Stein]
Filter Rules for a
Screened Public Web Server

[Stein]
Q&A
