Security Firewall design principle. Firewall Characteristics. Types of Firewalls. Firewall Components & Configurations.

Firewall Design Principles. • Information systems undergo a steady evolution (from small LANs to Internet connectivity). • Strong security features for all workstations and servers are not established.

Firewalls • An effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet.

Firewall Design Principles • The firewall is inserted between the premises network and the Internet. • Aims: 1. Establish a controlled link. 2. Protect the premises network from Internet-based attacks. 3. Provide a single choke point.

Firewall Characteristics • Design goals: 1. All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall). 2. Only authorized traffic (as defined by the local security policy) will be allowed to pass.

Firewall Characteristics • Design goals: 3. The firewall itself is immune to penetration (which implies the use of a trusted system with a secure operating system).

Firewall Characteristics • Four general techniques: 1. Service control: determines the types of Internet services that can be accessed, inbound or outbound. 2. Direction control: determines the direction in which particular service requests are allowed to flow.

Firewall Characteristics 3. User control: controls access to a service according to which user is attempting to access it. 4. Behavior control: controls how particular services are used (e.g. filtering e-mail).

Types of Firewalls • Three common types of firewalls: 1. Packet-filtering router. 2. Application-level gateway. 3. Circuit-level gateway. 4. (Bastion host: not a fourth type, but the platform on which the gateways run.)

Packet-Filtering Router • Figure (Packet Filtering Router Firewall): Internet -- Packet Filtering Router -- Private Network.

Packet-Filtering Router • Applies a set of rules to each incoming IP packet and then forwards or discards the packet. • Filters packets going in both directions. • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header; the first matching rule is applied. • Two default policies for packets that match no rule: discard (what is not expressly permitted is prohibited) or forward (what is not expressly prohibited is permitted).

Packet-Filtering Router • Advantages: 1. Simplicity. 2. Transparency to users. 3. High speed. • Disadvantages: 1. Difficulty of setting up packet filter rules correctly. 2. Lack of authentication.

Application-Level Gateway • Figure (Application Level Gateway): Inside Host -- inside connection -- gateway (TELNET, FTP, SMTP, HTTP proxies) -- outside connection -- Outside Host.

Application-Level Gateway • Also called a proxy server. • Acts as a relay of application-level traffic: the user contacts the gateway, which then contacts the remote host on the user's behalf.

Application-Level Gateway • Advantages: 1. Higher security than a packet filter. 2. Only need to scrutinize a few allowable applications. 3. Easy to log and audit all incoming traffic. • Disadvantage: additional processing overhead on each connection (the gateway is a splice point between two TCP connections).
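As an added example (not from the slides), the check an application-level gateway makes that a packet filter cannot: it parses the HTTP request an inside host sends to the proxy, applies policy to application-layer fields (method, destination, consistency of the Host header) and writes an audit record before anything is relayed. The allowed methods, allowed hosts and the sample requests are constructed for the example; the `user` argument stands for whatever identity the proxy authenticated beforehand.

```python
"""Application-level gateway (proxy) check for HTTP.

Operates on captured request bytes; opening the outside connection and
relaying are out of scope here. Policy values below are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                  # behavior control; no CONNECT, so no opaque tunnels
ALLOWED_HOSTS = {"www.example.com", "mirror.example.net"}  # service control: outbound web to these hosts only
MAX_HEAD = 8192                                            # bound the work done on untrusted input

REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/1\.[01]")
ABSOLUTE_URL = re.compile(r"http://([^/:]+)(?::(\d{1,5}))?(/\S*)?")   # proxy clients send absolute-form targets


@dataclass
class Verdict:
    relay: bool
    reason: str
    audit: str                          # one log line per decision, for the audit trail
    response: Optional[bytes] = None    # returned to the inside host when the request is refused


def _parse_headers(lines) -> Dict[str, str]:
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: bytes, user: str) -> Verdict:
    """Decide whether the proxy may relay `raw` on behalf of the authenticated `user`."""
    def refuse(status: str, reason: str, detail: str = "") -> Verdict:
        audit = f"user={user} verdict=DENY reason={reason} {detail}".rstrip()
        body = f"{reason}\r\n".encode()
        head = f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\nConnection: close\r\n\r\n"
        return Verdict(False, reason, audit, head.encode() + body)

    head = raw[:MAX_HEAD].split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii", "replace").split("\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return refuse("400 Bad Request", "malformed-request-line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return refuse("405 Method Not Allowed", "method-not-permitted", f"method={method}")
    u = ABSOLUTE_URL.fullmatch(target)
    if not u:
        return refuse("400 Bad Request", "target-not-absolute-http-url", f"target={target}")
    host, port, path = u.group(1).lower(), int(u.group(2) or 80), u.group(3) or "/"
    if host not in ALLOWED_HOSTS:
        return refuse("403 Forbidden", "destination-not-permitted", f"host={host}")
    headers = _parse_headers(lines[1:])
    if headers.get("host", "").lower().split(":")[0] != host:
        # The outbound request is rebuilt from the parsed target; a Host header that
        # disagrees with it is refused rather than guessed at.
        return refuse("400 Bad Request", "host-header-mismatch", f"host={host}")
    return Verdict(True, "allowed",
                   f"user={user} verdict=ALLOW method={method} host={host} port={port} path={path}")
```

Every branch produces a log line carrying the user identity, which is the "easy to log and audit" advantage in practice; the splice-point cost is visible too, since the proxy must fully parse and re-emit each request rather than forward packets.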

Circuit Level Gateway • Figure (Circuit Level Gateway): Outside host & outside connection -- OUT / IN -- gateway -- IN / OUT -- Inside host & inside connection.

Circuit Level Gateway • Either a stand-alone system or a specialized function performed by an application-level gateway. • Sets up two TCP connections: one between itself and a TCP user on an inner host, one between itself and a TCP user on an outside host. • Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.

Circuit Level Gateway • The security function consists of determining which connections will be allowed. • The typical use is a situation in which the system administrator trusts the internal users: the gateway is configured to support application-level service on inbound connections and circuit-level relaying on outbound connections. • An example is the SOCKS package.
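As an added example (not from the slides), the gateway's side of the SOCKS5 handshake from RFC 1928, which is exactly the connection-level decision the text describes: the client first negotiates an authentication method, then asks for a circuit to a destination, and the gateway answers with a reply code. Only the destination address and port are examined; approved payload is relayed untouched. The permitted networks, names and ports are assumptions, and the messages in the test are constructed byte strings, so the code runs without sockets.

```python
"""Circuit-level gateway decision using the SOCKS5 handshake (RFC 1928)."""
import ipaddress
import struct
from typing import Optional, Tuple

VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes, RFC 1928 section 6.
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08

# Policy (assumed values): internal users are trusted, so only the destination of
# the requested circuit is checked. TEST-NET-3 and example.com are constructed.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_NAMES = {"www.example.com"}
ALLOWED_PORTS = {80, 443}


def negotiate_method(greeting: bytes) -> bytes:
    """Client: VER NMETHODS METHODS...   Server: VER METHOD"""
    if len(greeting) < 2 or greeting[0] != VER:
        return bytes([VER, METHOD_NONE_ACCEPTABLE])
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods or METHOD_NO_AUTH not in methods:
        return bytes([VER, METHOD_NONE_ACCEPTABLE])   # the client must then close the connection
    return bytes([VER, METHOD_NO_AUTH])


def parse_request(req: bytes) -> Tuple[int, int, str, int]:
    """Client: VER CMD RSV ATYP DST.ADDR DST.PORT  ->  (cmd, atyp, address, port)."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("bad header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        addr, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:                 # exactly the 2-byte port must remain
        raise ValueError("bad length")
    return cmd, atyp, addr, struct.unpack("!H", rest)[0]


def reply(rep: int) -> bytes:
    """Server: VER REP RSV ATYP BND.ADDR BND.PORT. The bound address is zeroed so
    the gateway's outside address is not disclosed to inside clients."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


def destination_allowed(atyp: int, addr: str, port: int) -> bool:
    if port not in ALLOWED_PORTS:
        return False
    if atyp == ATYP_DOMAIN:
        return addr.lower() in ALLOWED_NAMES
    return any(ipaddress.ip_address(addr) in net for net in ALLOWED_NETS)


def handle_request(req: bytes) -> Tuple[bytes, Optional[Tuple[str, int]]]:
    """Return the SOCKS reply and, if the circuit is approved, the destination to connect to."""
    if len(req) >= 4 and req[3] not in (ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6):
        return reply(REP_ATYP_NOT_SUPPORTED), None
    try:
        cmd, atyp, addr, port = parse_request(req)
    except ValueError:
        return reply(REP_GENERAL_FAILURE), None
    if cmd != CMD_CONNECT:                       # BIND and UDP ASSOCIATE are not offered
        return reply(REP_CMD_NOT_SUPPORTED), None
    if not destination_allowed(atyp, addr, port):
        return reply(REP_NOT_ALLOWED), None      # "connection not allowed by ruleset"
    return reply(REP_SUCCEEDED), (addr, port)


def relay(segment: bytes) -> bytes:
    """After the circuit is up, TCP payload is copied between the inside and outside
    connections unchanged. No application-level inspection happens here, which is
    what separates a circuit-level gateway from an application-level one."""
    return segment
```

The policy lives entirely in `destination_allowed`; nothing downstream of `handle_request` can see, let alone filter, what the client sends through the circuit, which is why this design is reserved for outbound traffic from trusted users.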

Bastion Host • A system identified by the firewall administrator as a critical strong point in the network's security. • The bastion host serves as a platform for an application-level or circuit-level gateway.

Bastion Host • In addition to the simple configurations using a single system (a single packet-filtering router or a single gateway), more complex configurations are possible. • Three common configurations:

Screened host firewall system • Also called single-homed bastion host. Figure (Screened host firewall, single-homed bastion host): Internet -- Packet Filtering Router -- Bastion Host, Information Server -- Private Network.

Screened host firewall (1) • Configuration: consists of two systems: 1. Packet-filtering router: only packets from and to the bastion host are allowed to pass through the router. 2. Bastion host: performs authentication and proxy functions.

Screened host firewall (2) • Greater security than the single-system configurations, for two reasons: 1. This configuration implements both packet-level and application-level filtering (allowing flexibility in defining the security policy). 2. An intruder must generally penetrate two separate systems before the internal network is compromised.

Screened host firewall (3) • This configuration also affords flexibility in providing direct Internet access (e.g. to a public information server such as a web server).

Dual Homed Bastion Host • Figure (Dual Homed Bastion Host): Internet -- Packet Filtering Router -- Information Server, Bastion Host -- Private Network.

Dual Homed Bastion Host • The bastion host has two network interfaces, so even if the packet-filtering router is completely compromised, traffic cannot bypass the bastion host. • Traffic between the Internet and other hosts on the private network has to flow through the bastion host.

Screened Subnet Firewall System • Figure (Screened Subnet Firewall System): Internet -- Packet Filtering Router -- screened subnet (Bastion Host, Information Server, Modem) -- Packet Filtering Router -- Private Network.

Screened Subnet Firewall System • The most secure of the three bastion host configurations. • Two packet-filtering routers are used: one between the bastion host and the Internet, one between the bastion host and the internal network. • This creates an isolated sub-network (the screened subnet) that holds the bastion host and the information server.

Screened Subnet Firewall System • Advantages: - Three levels of defense to thwart intruders. - The outside router advertises only the existence of the screened sub-net to the Internet, so the internal network is invisible to the Internet.

Screened Subnet Firewall System • Advantages: - The inside router advertises only the existence of the screened sub-net to the internal network, so systems on the inside cannot construct direct routes to the Internet.
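As an added example (not from the slides), the two routers of the screened subnet written as packet-filter rule tables, which also shows the rule semantics from the packet-filtering router slides: an ordered list matched on IP/TCP header fields, first match wins, and an explicit default policy (discard here) for everything else. Addresses, ports, the ACK-flag convention and the sample packets are assumptions constructed from documentation ranges.

```python
"""Packet-filtering routers of a screened-subnet firewall, expressed as rule tables.

A router checks each IP packet against an ordered rule list keyed on IP/TCP
header fields; the first matching rule decides, and an explicit default policy
covers everything else. Addresses are constructed (RFC 1918 / TEST-NET ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"        # private network (assumed)
SCREENED = "192.0.2.0/24"      # screened subnet between the two routers (assumed)
BASTION = "192.0.2.2/32"       # bastion host (assumed)
INFO_SERVER = "192.0.2.3/32"   # public information server (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int
    ack: bool = False    # TCP ACK flag, set on every segment of an established connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    src: str = ANY               # CIDR
    dst: str = ANY               # CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    ack: Optional[bool] = None   # None matches either flag state

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.ack in (None, p.ack))


class PacketFilter:
    def __init__(self, name: str, rules: List[Rule], default: str = "discard"):
        self.name, self.rules, self.default = name, rules, default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:       # first match wins, so rule order is part of the policy
            if rule.matches(p):
                return rule.action
        return self.default           # default=discard: what is not expressly permitted is prohibited


outside_router = PacketFilter("outside router", [
    Rule("discard", src=INTERNAL),                              # internal addresses never appear on the Internet side
    Rule("forward", dst=BASTION, proto="tcp", dport=25),        # inbound mail, only to the bastion's SMTP proxy
    Rule("forward", dst=INFO_SERVER, proto="tcp", dport=80),    # the public web server on the screened subnet
    Rule("forward", src=SCREENED, proto="tcp"),                 # connections the bastion opens outbound
    Rule("forward", dst=SCREENED, proto="tcp", ack=True),       # replies to them; a stateless filter can only trust the ACK flag
])

inside_router = PacketFilter("inside router", [
    Rule("forward", src=INTERNAL, dst=BASTION, proto="tcp"),    # inside hosts reach only the bastion's proxies
    Rule("forward", src=BASTION, dst=INTERNAL, proto="tcp", ack=True),
])

ZONES = ["internet", "screened", "internal"]
HOPS = [outside_router, inside_router]   # HOPS[i] sits between ZONES[i] and ZONES[i + 1]


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network(INTERNAL):
        return "internal"
    if ip in ipaddress.ip_network(SCREENED):
        return "screened"
    return "internet"


def decide(p: Packet, arriving_from: str) -> str:
    """Run a packet through every router between the zone it enters from and its
    destination zone; report 'forward' or the first router that discards it.
    The ingress zone is a parameter because a spoofed source address says nothing
    about where a packet really came from."""
    s, d = ZONES.index(arriving_from), ZONES.index(zone(p.dst))
    lo, hi = sorted((s, d))
    path = HOPS[lo:hi] if s < d else HOPS[lo:hi][::-1]
    for router in path:
        if router.decide(p) == "discard":
            return f"discard@{router.name}"
    return "forward"
```

Two of the test packets are worth noting. A packet arriving from the Internet with a spoofed internal source is dropped by the outside router's first rule, which is what "the internal network is invisible" buys. The last rule of the outside router, however, also forwards an unsolicited segment with the ACK flag set to any port on the screened subnet: a stateless filter cannot tell a reply from a crafted probe, which is the "difficulty of setting up packet filter rules" from the earlier slide and one reason the bastion host's proxies, not the routers, carry the real access decision.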