Firewalls
Guilin Wang
The School of Computer Science

Introduction
- Motivation
- Firewall Characteristics
Types of Firewalls
- Packet-Filtering Router
- Application-Level Gateways
- Circuit-Level Gateways
■ Originally, "firewall" means a wall to confine a fire or potential fire within a building.
http://en.wikipedia.org/wiki/Firewall_%28construction%29
■ Here, firewall means a network security technology, which emerged in the late 1980s.
■ This partially resulted from the spreading of the Morris worm in 1988.
http://en.wikipedia.org/wiki/Morris_Worm
■ Robert Tappan Morris, an associate professor at MIT.
http://pdos.csail.mit.edu/~rtm/

Basically, a firewall is dedicated software running on a computer or a router to inspect all network traffic passing through it.
As a barrier between the internal network and external networks, a firewall determines which traffic is allowed to pass in each direction, according to a set of given security policy rules.

Why are firewalls important?
■ Internet access becomes more and more important as well as more vulnerable, as information systems have undergone a steady evolution (from small LANs to Internet connectivity).
■ It is usually impractical to equip all workstations and servers with strong security measures.
■ In contrast, a firewall provides a good solution to protect internal networks from Internet-based attacks.
■ At the same time, a firewall also provides a single check point to facilitate security audit and monitoring.

What are the design goals for firewalls?
■ All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall).
■ Only authorized traffic (defined by the local security policy) will be allowed to pass.
■ The firewall itself is immune to penetration, i.e., it uses a trusted system with a secure operating system.
1. Introduction: Firewall Characteristics

How to realize firewalls? Four general techniques:
■ Service Control: Determines the types of Internet services that can be accessed, inbound or outbound.
■ Direction Control: Determines the direction in which particular service requests are allowed to pass.
■ User Control: Controls access to a service according to which user is attempting to access it.
■ Behavior Control: Controls how particular services are used (e.g. filtering email to eliminate spam).

What are the things that firewalls cannot do?
■ The firewall cannot protect against attacks that bypass the firewall, for example dial-in and dial-out access.
■ The firewall does not protect against internal threats.
■ The firewall cannot protect against the transfer of virus-infected programs or files. It would be impractical and perhaps impossible to scan all incoming files, emails and messages for viruses.
2. Types of Firewalls

Circuit-Level Gateways
■ The security function is to determine which connections will be allowed.
■ Once the two connections are established, TCP segments are usually relayed without checking.
■ A stand-alone system or a specialized function performed by an application-level gateway.
■ Typical Use: A situation in which the system administrator trusts all internal users.
- Example: SOCKS package (RFC 1928).

In addition to the simple configuration of a single system, such as a single packet-filtering router or a single gateway, more complex firewall configurations are possible.
There are three common configurations using a bastion host.
■ Bastion Host: a system identified by the firewall administrator as a critically secure platform.
■ Typically, it serves as an application-level or circuit-level gateway.
3. Firewall Configurations

1) Screened Host Firewall System (Single-Homed Bastion Host)
■ The firewall consists of two systems:
- A packet-filtering router: Only packets from and to the bastion host are allowed to pass through.
- A bastion host: Performs authentication and proxy functions.
■ Greater security than single-system configurations:
- Flexibility in defining security policy: Implements both packet-level and application-level filtering.
- Harder to compromise: An intruder must generally penetrate two separate systems.
■ Also provides direct Internet access (e.g. a Web server).
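How the screened-host router's rule (only packets from and to the bastion host may pass) combines with the service-control and direction-control techniques from the introduction, as an added Python example that is not part of the lecture; the network addresses, the bastion's proxied ports and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed example values (not from the lecture): the internal network,
# the single-homed bastion host on it, and the services the bastion proxies.
INTERNAL_NET = ip_network("10.0.0.0/8")
BASTION = ip_address("10.0.0.2")
BASTION_SERVICES = {25: "smtp", 80: "http"}  # service control: inbound TCP ports
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def direction(pkt: Packet) -> str:
    """Direction control: classify the packet relative to INTERNAL_NET."""
    src_in = ip_address(pkt.src) in INTERNAL_NET
    dst_in = ip_address(pkt.dst) in INTERNAL_NET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"

def screening_router(pkt: Packet) -> tuple[str, str]:
    """Screened-host packet-filtering router, default deny. Rule 1 (the lecture's
    rule): only packets from or to the bastion cross the router. Rule 2 (service
    control): inbound traffic to the bastion is limited to the proxied services."""
    d = direction(pkt)
    if d not in ("inbound", "outbound"):
        return "deny", f"{d} traffic does not transit the router"
    if BASTION not in (ip_address(pkt.src), ip_address(pkt.dst)):
        return "deny", "neither endpoint is the bastion host"
    if d == "inbound":
        if pkt.proto == "tcp" and pkt.dport in BASTION_SERVICES:
            return "allow", f"inbound {BASTION_SERVICES[pkt.dport]} to bastion"
        return "deny", f"port {pkt.dport}/{pkt.proto} is not proxied by the bastion"
    return "allow", "outbound from bastion"

def audit(packets):
    """The router is the single check point, so every decision is logged."""
    return [f"{verdict.upper():5} {p.src}->{p.dst}:{p.dport}/{p.proto} ({why})"
            for p in packets for verdict, why in [screening_router(p)]]

if __name__ == "__main__":
    sample = [Packet("198.51.100.7", "10.0.0.2", "tcp", 25),    # SMTP to bastion
              Packet("198.51.100.7", "10.0.0.10", "tcp", 22),   # straight to a host
              Packet("10.0.0.10", "198.51.100.7", "tcp", 80),   # host bypassing the proxy
              Packet("10.0.0.2", "198.51.100.7", "tcp", 80)]    # bastion proxying out
    print("\n".join(audit(sample)))
```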
2) Screened Host Firewall System (Dual-Homed Bastion Host)
■ In the single-homed configuration, if the filtering router is totally compromised, traffic can go directly between the Internet and internal hosts.
■ The dual-homed bastion configuration prevents this security breach physically.
■ The reason is that traffic between the Internet and internal hosts has to pass through the bastion host.
Summary
This Lecture:
- Firewall
Next Lecture:
- Security in Practice (Guest Lecture)