ISM6222 - Firewalls
Firewalls
Means of protecting a local system or network of systems from network-based security threats At the same time, affording access to the outside world via wide area networks and the Internet
Packet-Filtering Router
Monitors network traffic by filtering incoming packets according to the information they carry - Applies a set of rules to each incoming IP packet - The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header (ie. IP addresses, port numbers, and other surface-level information) - Two default policies -- Discard -- Forward
Three Firewall Configurations
1. Single-Homed Bastion Host 2. Dual-Homed Bastion Host 3. Screened-Subnet Firewall System (Single-homed and dual homed are considered screened host firewall)
Packet-Filtering Router - Disadvantages
- Difficulty of setting up packet filter rules - Lack of Authentication: easy to bypass
Application-Level Gateway - Advantages
- Higher security than packet filters - Only need to scrutinize a few allowable applications - Easy to log and audit all incoming traffic - Implementation is okay
Firewall Configurations
- In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible - Three common configurations are possible
Firewall Basing
- It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux - Firewall functionality can also be implemented as a software module in a router
Firewall Design Principles
- A firewall is inserted between the premises network and the Internet -Aims: -- Establish a controlled link, outer security wall -- Protect the premises network from Internet-based attack -- Provide a single choke point where security and auditing can be imposed -Firewall Characteristics -Types of Firewalls - Firewall Configurations
Bastion Host
- A system identified by the firewall administrator as a critical strong point in the network's security - The bastion host serves as a platform for any one of the three types of firewalls: packet filter, circuit-level gateway, or application-level gateway ***!!! - A publicly accessible device for the network's security, which has a direct connection to a public network such as the Internet ***!!! - Check all incoming and outgoing traffic and enforce the rules specified in the security policy - Prepared for attacks from external and possible internal sources
Application-Level Gateway - Disadvantages
- Additional processing overhead on each connection - Relatively slow
Application-Level Gateway
- Also called proxy server - Acts as a relay of application-level traffic: operate at the application layer to filter incoming traffic
Circuit-Level Gateway
- Circular - The gateway typically relays TCP segments from one connection to the other without examining the contents -- Verifying the transmission control protocol (TCP) -- If a packet held malware, but had the right TCP handshake, it would pass right through ***!!! - Extremely resource-efficient - Typically use is a situation in which the system administrator trusts the internal users
Packet-Filtering Router - Advantages
- Simplicity: not resource intensive - Transparent to users - High speed (bc it's simple) - Low cost
Single-Home Bastion Host
- This is a device with only ONE NETWORK INTERFACE that interconnects it with an internal network (i.e. a network that is part of the intranet) - Normally used for an application-level gateway - The external router is configured to send ALL incoming data to the bastion host, and all internal clients are configured to send ALL outgoing data to the host - Accordingly, the host will test the data according to the security guidelines
Dual-Homed Bastion Host
- This is a firewall device with AT LEAST TWO network interfaces - Serve as application-level gateways, packet filters and circuit-level gateways as well - Create a complete break between the external network and the internal network. This break forces all incoming and outgoing traffic to pass through the host - Prevent a security break-in when a hacker tries to access internal devices
Screened-Subnet Firewall System - Advantages
- Three layer defense to thwart intruders - Outside router: Advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet) - Inside router: Advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) --- cannot consist direct route to the Internet
Proxy Server
A server application that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server functions on behalf of the client when requesting service, potentially masking the true origin of the request to the server
Router
A wireless router connects directly to a modem by a cable. This allows it to receive information from and transmit information to the internet. The router then creates and communicates with you home WiFi network using built-in antennas. As a result, all of the devices on your home network have internet access
Screened-Subnet Firewall System
AKA DMZ, best firewall implementation method, 2 packet filtering router, one bastion host - Most secure configuration of the three - Two packet-filtering routers are used - Creation of an isolated sub-network -- Adds an extra layer of security to the screened host by adding a perimeter network that further isolates the internal network from the Internet
Perimeter Network
Another layer of security, an additional network between the external network and your protected internal network. If an attacker successfully breaks into the outer reaches of your firewall, the perimeter net offers an additional layer of protection between that attacker and your internal systems i.e. DMZ
Demilitarization Zone (DMZ)
Another word for premises network
TCP/IP Model
Application Layer Transport Layer Internet Layer Link/Network Layer
Screened Host Firewall
Consists of two systems: - Packet filtering router (that interconnects the intranet to the Internet) - Bastion host The screening router make sure that IP packets destined for intranet systems are first sent to an appropriate application gateway on the bastion host If a specific (TCP/IP) application protocol is assumed to be 'secure,' the screening router can be configured to bypass the bastion host and to send the IP packets directly to the destination system - Possible increased flexibility but also decreases security - Bastion host performs authentication and proxy functions
Firewall Characteristics
Design goals: - All traffic form outside to inside must pass through the firewall (physically blocking all access to the local network except via the firewall) - Only authorized traffic (defined by the local security policies) will be allowed to pass - The firewall itself is immune to penetration (use of trusted system with a secure operating system)
Three Types of Firewalls
Three common types of Firewalls: - Packet-filtering routers - Application-level gateways - Circuit-level gateways