Firewalls
Internet connectivity essential to organization
Internet provide benefits
But enables outside to reach local resources
Not practical to secure all workstations
Alternative is firewalls
Inserted between local network and Internet
Single choke point to impose security, audit
Design Goals
All traffic must pass through firewall
from inside to outside or outside to inside
block all access to LAN except through firewall
Capabilities
Single choke point
simplify security management
provide protection from various attack types
Internal threats
disgruntled employee cooperating with attacker
Transfer of virus-infected programs
various types of operating systems
impossible to scan all file types
Types of Firewalls
Packet-filtering router
Stateful inspection firewalls
Application-level gateway
Circuit-level gateway
Packet-Filtering Routers
Apply set of rules to each in or out IP packet
Packet is then forwarded or discarded
Filtering rules based on
source IP address: e.g., 192.168.1.1
destination IP address: e.g. 192.168.1.2
transport protocol: TCP, UDP, DCCP, SCTP
transport port number
interface: inside, outside, or multiple interfaces
Packet-Filtering Routers
Filter set up as list of rules
Rules match fields in IP or TCP header
If packet matches one of the rules, that rule is invoked
If no match, apply default rule
Default rule can either be
deny: discard all packets except those permitted by a rule
permit: forward all packets except those denied by a rule
Allow
packets originated internally
reply packets to connection initiated internally
packets destined to high-numbered port on internal host
Advantages
simple: few variables
fast: only check TCP/IP headers
transparent to users
Disadvantages
cannot prevent application-level attacks
vulnerable to attacks that exploit flaws within TCP/IP
few variables: possible weak configurations
Attacks on Packet-Filtering Routers
IP address spoofing
use fake source IP address (e.g. internal IP)
goal: penetrate source-address-based security
countermeasure: discard packets arriving on external interface with internal IP address as source
Source routing attacks
source routing option overrides the router's routing decision
goal: get packet into private IP network
countermeasure: discard packets carrying this option
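As an added example (not from the slides), the toy stateless packet filter below applies an ordered rule list with a default policy, as described under "Packet-Filtering Routers", and enforces the two countermeasures above: packets arriving on the outside interface with an internal source address are dropped (anti-spoofing), and source-routed packets are dropped. The internal range 192.168.1.0/24, the rule set and the packet fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed internal LAN (constructed)

@dataclass
class Packet:
    iface: str      # arrival interface: "inside" or "outside"
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination transport port
    source_routed: bool = False  # IP source-route option present

@dataclass
class Rule:
    """Fields left as None are wildcards; dports is an inclusive range."""
    action: str     # "permit" or "deny"
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR the source must fall in
    dst: Optional[str] = None   # CIDR the destination must fall in
    proto: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))

def filter_packet(p: Packet, rules, default: str = "deny") -> str:
    """First matching rule wins; if none matches, the default policy applies."""
    # Anti-spoofing: an internal source address must never arrive from outside.
    if p.iface == "outside" and ip_address(p.src) in INTERNAL_NET:
        return "deny"
    if p.source_routed:  # discard packets carrying the source-routing option
        return "deny"
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed rule set mirroring the slides' "Allow" list; replies to internally
# initiated connections are approximated statelessly as TCP to high-numbered ports.
RULES = [
    Rule("permit", iface="inside", src=str(INTERNAL_NET)),
    Rule("permit", iface="outside", dst=str(INTERNAL_NET), proto="tcp", dports=(1024, 65535)),
]
```

The high-port rule shows the weakness of a stateless filter: any outside host can reach a high-numbered internal port, reply or not, which is what stateful inspection firewalls fix by tracking connections.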
Application-Level Gateway
Also called proxy server
Acts as relay of application-level traffic
Local host contacts gateway
provide authentication information
provide remote host information
Disadvantage
additional processing overhead
maintain two spliced connections
Circuit-Level Gateway
Can be standalone or part of application GW
Shim layer between application, transport
No direct end-to-end TCP connection
Two separate TCP connections
one between inside host – gateway
one between gateway – outside host
Bastion Host
Source: en.wikipedia.org/wiki/Demilitarized_zone_(computing)
Firewall Configurations
Screened host firewall, single-homed bastion
Screened host firewall, dual-homed bastion
Screened-subnet firewall
Screened Host Firewall, Single-Homed Bastion Host
Screened-Subnet Firewall
Two packet filtering routers
Creates isolated subnet containing bastion host (BH)
may also contain modems, public servers
can be accessed from Internet or internal net
through traffic is blocked
Advantages
three levels of defense: router, BH, router
internal network is invisible to Internet
Internet is invisible to internal network
Finally
The most secure computer is one which
is disconnected from the network, AND
TURNED OFF!
Additional References
Microsoft Security Bulletin (MS99-038),
www.microsoft.com/technet/security/bulletin/fq99-038.mspx
Stateful Inspection Firewall,
www.juniper.net/products/integrated/stateful_inspection_firewall.pdf
Doug Lowe, “Networking All-in-One Desk Reference For
Dummies,” ISBN 0764599399,
books.google.com/books?id=GnGDds-1OekC
Home Computer Security – Glossary,
www.cert.org/homeusers/HomeComputerSecurity/glossary.html
Syngress et al., “The Best Da*n Firewall Book Period”, ISBN
1931836906, books.google.com/books?id=q7rlxtIlOsEC