Outline

Introduction
Firewalls
Guilin Wang
The School of Computer Science
5 March. 2008 (L17)
1. Introduction: Motivation
■ Originally, "firewall" means a wall to confine a fire or
potential fire within a building.
http://en.wikipedia.org/wiki/Firewall_%28construction%29
■ Here, firewall means a network security technology,
which emerged in the late 1980s.
■ This is partially resulted from the spreading of Morris
worm in 1988.
http://en.wikipedia.org/wiki/Morris_Worm
■ Robert Tappan Morris, an associate professor at MIT.
http://pdos.csail.mit.edu/~rtm/
3 4
1. Introduction: Motivation
■ Internet access becomes more and more important as
well as more vulnerable, as information systems have
undergone a steady evolution (from small LAN`s to
Internet connectivity).
■ It is usually impractical to equip all workstations and
servers with strong security measures.
■ In contrast, firewall provides a good solution to protect
internal networks from Internet-based attacks.
■ At the same time, firewall also provides a single check
point to facilitate security audit and monitoring.
5 6
- Motivation
- Firewall Characteristics

Types of Firewalls
- Packet-Filtering Router
- Application-Level Gateways
- Circuit-Level Gateways

Firewall Configurations
1. Introduction: Motivation
Basically, a firewall is a dedicated software
running on a computer or a router to inspect all
network traffic passing through it.
As a barrier between internal network and
external networks, a firewall determines which
traffic is allowed to pass in each direction,
according to a set of given security policy
rules.
Why firewalls are important?
1. Introduction: Firewall Characteristics
What are the design goals for firewalls?
■ All traffic from inside to outside and vice versa, must
pass through the firewall (physically blocking all access
to the local network except via the firewall).
■ Only authorized traffic (defined by the local security
policy) will be allowed to pass.
■ The firewall itself is immune to penetration, i.e., use of
trusted system with a secure operating system.
1
1. Introduction: Firewall Characteristics
How to realize firewalls? Four general techniques:
■ Service Control: Determines the types of Internet
services that can be accessed, inbound or outbound.
■ Direction Control: Determines the direction in which
particular service requests are allowed to pass.
■ User Control: Controls access to a service according to
which user is attempting to access it.
■ Behavior Control: Controls how to use particular
services (e.g. filtering email to eliminate spam etc).
7 8
2. Types of Firewalls
There are three common types of Firewalls:
■ Packet-filtering routers
■ Application-level gateways
■ Circuit-level gateways
9 10
2. Types of Firewalls
■ The router is typically configured to filter packets
going in both directions.
■ The filtering rules are based on the information
contained in a network packet:
- Source IP add., Destination IP add., Port numbers,
Transport protocol, and Interface.
■ There are two default policies:
- Default=discard: Not explicitly permitted means prohibited.
- Default=forward: Not explicitly prohibited means permitted.
11
1. Introduction: Firewall Characteristics
What are the things that firewalls cannot do?
■ The firewall cannot protect against attacks that bypass
the firewall. For example, dial-in and dial-out access.
■ The firewall does not protect against internal threats.
■ The firewall cannot protect against the transfer of virus-
infected programs or files. It would be impractical and
perhaps impossible to scan all incoming files, emails
and messages for viruses.
2. Types of Firewalls
1) Packet-Filtering Routers:
■ The router applies a set of rules to each traveling IP
packet and then forwards or discards the packet.
2. Types of Firewalls
■ Advantages: Simple, Transparent to users, and very
fast.
■ Disadvantages:
- Difficult to set up proper filtering rules
- Lack of advanced user authentication
- Cannot prevent attacks involving application-specific
weaknesses and problems in TCP/IP structure
■ Specific attacks on packet-filtering routers:
- IP address spoofing
- Source routing attacks
- Tiny fragment attacks
12
2
2. Types of Firewalls
■ Stateful Inspection Firewall:
- The router maintains a state table for all connections
passing through the firewall.
- So the state of a connection becomes one of the
criteria to specify filtering rules.
- If a packet matches an existing connection listed on
the table, it will be permitted to go without further
checking.
- Otherwise, it is to start a new connection and will be
evaluated according to the filtering rules.
- This is useful to enhance the functionality of firewalls.
13
2. Types of Firewalls
■ Advantages:
- Tend to be more secure than packet filters.
- Only need to scrutinize a few allowable applications.
- Easy to log and audit all traffic at application level.
■ Disadvantages:
- Require additional processing overhead on each
connection, since as the splice point the gateway needs
to examine and forward all traffic in two directions.
- Only specified services and features are supported.
15
2. Types of Firewalls
■ The security function is to determine which
connections will be allowed.
■ Once the two connections are established, TCP
segments are usually relayed without checking.
■ A stand-alone system or a specialized function
performed by an application-level gateway.
■ Typical Use: A situation in which the system
administrator trusts all internal users.
- Example: SOCKS package (RFC 1928).
17
2. Types of Firewalls
2) Application-Level Gateway (A Proxy Server):
■ Acts as a relay of application-level traffic.
■ Does not support a particular application (feature), if the
gateways is not coded for this service.
14
2. Types of Firewalls
3) Circuit-Level Gateway:
■ It does not permit an end-to-end TCP connection,
but sets up two TCP connections btw itself and the
users.
16
3. Firewall Configurations
In addition to the use of simple configuration of a single
system, such as single packet filtering router or single
gateway, more complex configurations of firewalls are
possible.
There are three common configurations by using bastion
host.
■ Bastion Host is a system identified by the firewall
administrator as a critically secure platform.
■ Typically, it serves as an application-level or circuit-
level gateway.
18
3
3. Firewall Configurations 3. Firewall Configurations

1) Screened Host Firewall System (Single-Homed
Bastion Host)
■ The firewall consists of two systems:
- A packet-filtering router: Only packets from and to the
bastion host are allowed to pass through.
- A bastion host: Performs authentication and proxy
functions.
■ Greater security than single configurations:
- Flexibility in defining security policy: Implements both
packet-level and application-level filtering.
- Harder to be compromised: An intruder must generally
penetrate two separate systems.
■ Also provide direct Internet access (e.g. Web server).

19 20

3. Firewall Configurations 3. Firewall Configurations

2) Screened Host Firewall System (Dual-Homed
Bastion Host)
■ In the single-homed configuration, if the filtering
router is totally compromised, traffic can go directly
btw Internet and internal hosts.
■ Dual-homed bastion configuration prevents this
security breach physically.
■ The reason is that traffic between the Internet and
internal hosts has to pass through the bastion host.

21 22

3. Firewall Configurations 3. Firewall Configurations

3) Screened-Subnet Firewall System ■ Two packet-filtering routers are used to created an

isolated subnetwork.
■ The subnetwork consists of the bastion host and
one or more information servers.
■ The screened subnet can be accessed from both the
Internet and internal network.
■ However, the traffic across the subnet is blocked.
■ This is the most secure configuration of the three,
since it has three levels of defense to thwart
intruders.

23 24

4
Summary

This Lecture:
- Firewall

Next Lecture:
- Security in Practice (Guest Lecture)

25