CN&IS - L9 (Firewall)
What are the 3 most common firewall architectures?
- Dual homed host - Screened host - Screened subnet
Important architectural flaw of dual homed host
- Dual homed host is on both networks. - Therefore if it is compromised the attacker has direct access to the internal network. - Dual homed host is a single point of failure.
What can a firewall do?
- Provide a focus for security decisions.(all traffic must pass through the firewall, traffic can be restricted in almost any way) - Firewalls can be used to enforce security policies. (By only allowing services which administrators have approved to pass to and from the external network) - Firewall can efficiently log network activity( since all traffic is passing through the firewall anyway, it is a sensible place to log information about network use) Firewall limit exposure(people and networks can only see computers and services approved by administrators, firewalls are obvious places to configure this because they are the single point of contact between the internal and external networks)
Screened host
- Services of the external network are provided by a host on the internal network by proxying. (firewall host) Routing is performed separately by a dedicated device. packet filtering on the router is configured to allow machines on the external network only connect to the firewall host. then only certain types of connections are allowed(eg- delivering email) Access to internal systems from external network must be via firewall host. it is still possible to perform NAT incoming traffic is forwarded to the firewall host by a technique called port address translation or PAT. The firewall host is allowed to open permitted connections to the external network. The packet filtering router can also allow internal hosts other than the firewall host to open connections to hosts on the external network for specified services or disallow all connections from internal hosts other than firewall host to hosts on the external network, thus forcing internal users to use the proxy services provided by the firewall host. These filtering conditions can be mixed on a per-service basis Broadly, screened host is more secure than dual homed host because the primary pint of contact with the external network is a router not a host and generally speaking routers are more difficult to compromise than hosts. Firewall host, if compromised is a single point of failure because the firewall host is on the internal network. Router is also a single point of failure.
What a firewall can't do?
- can't protect from malicious insider.(if some one already access the internal network then firewall can't do anything, firewall can restrict outgoing services which might make it more difficult for insiders to transfer information out across the network.) - firewall can't protect against traffic that does not go through it.( is an insider installs a modem in their PC and connects to the internet through it, they have bypass the firewall) Firewall can't protect against completely new threats.( firewalls require maintenance because exploits are discovered in them, relevant patches must be installed when available)
How do firewalls works?(what are the 3 tasks?
- packet filtering - proxying - Application layer filtering (antivirus and anti-spam filtering)
Proxying
-Process of carrying out requests on behalf of someone else. eg- frequently PCs on the internal network are not allowed to browse the web directly. A proxy server is configured to carry out web requests on behalf of the internal PCs. allows very-fine grained control of a particular application. because the proxy server must understand the protocol it is proxying. in the case of web traffic this means that certain web sites can be blocked without the need to block all web traffic. This level of control is only possible with a proxy server.
Packet filtering
-This is the process of examining incoming and outgoing packets to determine which are allowed to pass and which will be blocked. - Firewalls are configured with set of rules about passing about packets. -if a packet does not match any of the rules for passing packets then it is dropped. ** possible to have different rules for incoming and outgoing packets.
Application layer Filtering
-Typically anti-virus and anti-spam filtering is done by a mail server. -sometimes the mail server is part of the firewall - in this case, the firewall is an ideal pace to scan virus. -Email viruses can be blocked before they ever reach the PCs they are intended to infect. firewall is a network layer device, and therefore application layer filtering is not architecturally part of a firewall. however often the distinction will not be drawn (Particularly by vendors trying to sell the features of their products.)
How firewall act between two networks?
Act as a bottleneck between two networks. Therefore it provides a unique opportunity to control the flow of traffic to and from a network.
Screened subnet
An extra layer of security is added in the screened subnet architecture. The firewall host is placed on a perimeter network which is located from the internal network by an interior router. By their nature, firewall hosts are the most exposed computers on your network. Therefore it makes sense to pt these computers on an isolated network, separate from your sensitive internal network. In this way, the impact of a compromise can be minimised. Two routers are used to isolate the perimeter network. one connects the perimeter network directly to the external network. The other one connects the external network, and also isolates the perimeter network from the internal network. There is nos single vulnerable point that will compromise the internal network. The use of a perimeter network means that if the firewall host is compromised the attacker cannot packet sniff on the internal network because the firewall host is no longer on the internal network.
Where firewall sits between?
Sits between an internal office network and the internet.
Dual homed host?
Dual homed host is a computer with two network connections. -one connection is internal - other one is external computer can forward traffic from one network to the other. dual homed host two IP addresses, one on the internal network, one on the external network. computers on internal network that want to send traffic to external network send it to the dual homed host. dual homed host can then perform packet filtering before forwarding traffic. Dual homed host performs NAT on internal network IP addresses. all traffic appears to be coming from the dual homed host. external hosts need to know nothing about the internal network. Therefore any traffic from the external network that appears on the internal network is a sign of a problem.
What is a firewall?
Group of h/w or/and s/w components that controls the flow of traffic from one network to another.
For which purpose most firewalls are use for?
Protect an office network from the internet. However a firewall can filter traffic between any two networks. (if a link exists between two companies they can use a firewall to protect each other from security breaches in the other company's network.)
Which traffic can be control by the firewall?
both incoming and outgoing traffic