CECS 410 Computers and Networks
COURSE NOTES -- Part 14
Security Through Isolation: Firewalls
Dr. Tracy Bradley Maples (Fall 2006)

Isolation

Isolation has been a primary security tool for thousands of years.

Example: Castles with moats and drawbridges.

Security issue: Who is controlling access to the drawbridge? Who decides who gets in?

Isolation in Networks

One way to provide security is to isolate an organization's internal network from the Internet, allowing some packets to pass while blocking others (like using a moat and drawbridge). This point of isolation in networks is called a firewall.

[Figure: administered network -- firewall -- public Internet]

What can firewalls do for us?

• Prevent denial of service attacks.
  o For example: SYN flooding, where an attacker establishes many bogus TCP connections so that no resources are left for "real" connections.
• Prevent illegal modification/access of internal data.
  o For example: An attacker replaces the CIA's homepage with something else.
• Allow only authorized access to the inside network (to a set of authenticated users/hosts).

Two Types of Firewalls

1) Packet-filtering firewalls
2) Application-level gateways (or proxy servers)

Packet Filtering

It is possible to configure packet-forwarding devices (especially routers) to drop certain packets.

Example: Suppose is a test network, and has active workstations.
• Install a filter to allow packets only from to.
• This keeps potentially bad packets away from the remainder of the network.

Packet Filtering Firewalls

Defn: A packet filter placed at the edge of an intranet to exclude unauthorized packets is called a firewall.

• A firewall restricts external packets to just a few carefully controlled internal hosts.
• Firewalls define a secure perimeter around a local network.
• Proxies forward packets through the firewall after authorization.

The router (or firewall) filters on a packet-by-packet basis, making a decision to forward or drop each packet based on:

• Source IP address
• Destination IP address
• TCP/UDP source and destination port numbers
• Message type (for example, ICMP message types)
• TCP header flag bits (for example, the SYN and ACK bits)
• Other packet criteria

Application Gateways

Application gateways (or proxy servers) can filter packets based on high-level application-layer data, as well as the fields a filtering router can use.

Example: You can select which internal users can telnet outside the network.

[Figure: host-to-gateway telnet session -> application gateway -> gateway-to-remote-host telnet session, passing through the router and filter]

Example: Restrict Telnets

1. Require all telnet users to telnet through the application gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The application gateway relays data between the two connections.
3. The router filter is configured to block all telnet connections not originating from the gateway.

Application gateways (or proxy servers) are commonly used for mail and web access.

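The "Restrict Telnets" procedure above, as an added example that is not part of the course notes: a minimal application gateway for telnet-style TCP sessions. The client opens a host-to-gateway session and names a user and destination; the gateway checks an authorization table, opens the gateway-to-remote-host session, and relays bytes between the two. The request-line format (`CONNECT <user> <host> <port>`), the `AUTHORIZED` table, and the echo server standing in for the remote host are all hypothetical, constructed so the example runs offline on loopback.

```python
import socket
import threading

# Hypothetical policy: which users may telnet to which destination hosts.
AUTHORIZED = {"alice": {"127.0.0.1"}}


def read_line(sock, limit=256):
    """Read one line byte-by-byte so nothing past it is buffered away from the relay."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf


def parse_request(line):
    """Hypothetical first line of a session: 'CONNECT <user> <host> <port>'."""
    parts = line.decode(errors="replace").split()
    if len(parts) != 4 or parts[0] != "CONNECT" or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client):
    """Gateway side: authorize, open the second session, relay both directions."""
    with client:
        req = parse_request(read_line(client))
        if req is None or req[1] not in AUTHORIZED.get(req[0], set()):
            client.sendall(b"DENIED\n")
            return
        try:
            remote = socket.create_connection((req[1], req[2]), timeout=5)
        except OSError:
            client.sendall(b"UNREACHABLE\n")
            return
        with remote:
            client.sendall(b"OK\n")
            back = threading.Thread(target=pump, args=(remote, client), daemon=True)
            back.start()
            pump(client, remote)   # host-to-gateway bytes go out to the remote host
            back.join()            # remote-to-gateway bytes come back to the host


def echo(conn):
    """Constructed stand-in for the remote telnet host: echoes what it receives."""
    with conn:
        pump(conn, conn)


def start_server(handler):
    """Listen on an ephemeral loopback port; each connection gets its own thread."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen()

    def accept_loop():
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return sock


def telnet_via_gateway(gw_port, user, host, port, payload):
    """Client side: returns the relayed reply, or the gateway's one-word refusal."""
    with socket.create_connection(("127.0.0.1", gw_port), timeout=5) as s:
        s.sendall(f"CONNECT {user} {host} {port}\n".encode())
        status = read_line(s).strip()
        if status != b"OK":
            return status
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
        return b"".join(chunks)


def demo():
    """Authorized user alice is relayed; unknown user mallory is refused."""
    remote, gateway = start_server(echo), start_server(handle_client)
    rport, gport = remote.getsockname()[1], gateway.getsockname()[1]
    allowed = telnet_via_gateway(gport, "alice", "127.0.0.1", rport, b"hello\r\n")
    denied = telnet_via_gateway(gport, "mallory", "127.0.0.1", rport, b"hello\r\n")
    remote.close()
    gateway.close()
    return allowed, denied
```

Because the gateway terminates the client's session and opens a fresh one to the remote host, every byte passes through code that can look at application data (here only the request line; a real gateway would also inspect the telnet stream). The companion router rule from step 3, telnet allowed only when its source is the gateway, is a packet-filter rule and belongs on the router, not in this relay.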
Limitations of Firewalls

• IP spoofing: A router cannot know if data "really" comes from the claimed source; it sees only the source address written in the packet. (A big problem!)
• If multiple applications need special treatment, each must have its own application gateway.
• The client software on each computer must know how to contact the application gateway.
  o For example, an administrator must set up the IP address of the proxy in the Web browser.
• Filters often use an all-or-nothing policy for UDP packets. (UDP has no SYN/ACK bits, so a filter cannot tell a reply from an unsolicited packet.)
• There are trade-offs between the degree of communication with the outside world and the level of security desired.
• Many highly protected sites still suffer from attacks.

Interesting Quote About Firewalls

Firewalls are "… a mechanism that most security purists consider to be an abomination." -- Networking authors Peterson & Davie

Do you agree? Disagree?

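A stateless packet filter of the kind described under "Packet Filtering Firewalls", written here as an added example that is not part of the course notes. It evaluates a first-match rule table over exactly the header fields listed there (addresses, protocol, ports, ICMP type, SYN/ACK bits). The rule set also encodes the "Restrict Telnets" router rule (telnet leaves only from the application gateway) and two of the limitations above: an anti-spoofing rule shows what the router can and cannot check about a source address, and the UDP rules show the all-or-nothing problem. The addresses (10.0.0.0/8 intranet, 10.0.0.5 gateway), the interface names "ext"/"int", and the sample packets are all hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = "10.0.0.0/8"     # hypothetical intranet
GATEWAY = "10.0.0.5/32"         # hypothetical application gateway on it


@dataclass
class Packet:
    iface: str              # interface the packet arrived on: "ext" or "int"
    src: str                # source IP address
    dst: str                # destination IP address
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0          # TCP/UDP source port
    dport: int = 0          # TCP/UDP destination port
    icmp_type: int = -1     # ICMP message type (proto == "icmp" only)
    syn: bool = False       # TCP flag bits the filter can inspect
    ack: bool = False


@dataclass
class Rule:
    action: str             # "allow" or "drop"
    note: str               # why the rule exists (reported with the decision)
    iface: Optional[str] = None
    src: Optional[str] = None       # CIDR block
    dst: Optional[str] = None       # CIDR block
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    syn: Optional[bool] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        """A field left as None is a wildcard; every set field must match."""
        checks = [
            (self.iface, p.iface), (self.proto, p.proto), (self.sport, p.sport),
            (self.dport, p.dport), (self.icmp_type, p.icmp_type),
            (self.syn, p.syn), (self.ack, p.ack),
        ]
        if any(want is not None and want != got for want, got in checks):
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return True


# First match wins, so order matters: specific exceptions before broad denials.
RULES = [
    # The router cannot verify a source address, but a packet arriving from
    # outside that claims an inside source cannot be genuine: that much it can check.
    Rule("drop", "spoofed internal source on external interface", iface="ext", src=INTERNAL_NET),
    # Restrict Telnets, step 3: TCP port 23 leaves the intranet only from the gateway.
    Rule("allow", "telnet from application gateway", iface="int", src=GATEWAY, proto="tcp", dport=23),
    Rule("drop", "telnet not originating from gateway", proto="tcp", dport=23),
    # Inbound ICMP echo requests (type 8) would let outsiders map the intranet.
    Rule("drop", "inbound ping", iface="ext", proto="icmp", icmp_type=8),
    # A new inbound TCP connection starts with SYN set and ACK clear; dropping it
    # is also what keeps an outside SYN flood off internal hosts.
    Rule("drop", "inbound connection attempt", iface="ext", proto="tcp", syn=True, ack=False),
    Rule("allow", "reply to inside-initiated TCP connection", iface="ext", proto="tcp", ack=True),
    # UDP has no connection bits, so a stateless filter can only say yes or no per
    # port: anything an outside host sends from port 53 passes this rule.
    Rule("allow", "DNS answer (or anything else from port 53)", iface="ext", proto="udp", sport=53),
    Rule("drop", "other inbound UDP", iface="ext", proto="udp"),
    Rule("allow", "outbound traffic from inside", iface="int"),
    Rule("drop", "default deny"),
]


def filter_packet(p: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.note
    return "drop", "no rule matched"   # unreachable with the default-deny rule above


def demo():
    """Constructed packets, one per point the notes make; returns the decisions."""
    samples = {
        "workstation telnet": Packet("int", "10.0.0.7", "198.51.100.9", "tcp", 40001, 23, syn=True),
        "gateway telnet": Packet("int", "10.0.0.5", "198.51.100.9", "tcp", 40002, 23, syn=True),
        "spoofed source": Packet("ext", "10.0.0.9", "10.0.0.7", "tcp", 40003, 80, syn=True),
        "inbound SYN": Packet("ext", "198.51.100.9", "10.0.0.7", "tcp", 40004, 22, syn=True),
        "web reply": Packet("ext", "198.51.100.9", "10.0.0.7", "tcp", 80, 40005, ack=True),
        "inbound ping": Packet("ext", "198.51.100.9", "10.0.0.7", "icmp", icmp_type=8),
        "udp from port 53": Packet("ext", "198.51.100.9", "10.0.0.7", "udp", 53, 22),
    }
    return {name: filter_packet(p) for name, p in samples.items()}
```

The "udp from port 53" decision is the UDP limitation in action: the filter has no SYN/ACK to distinguish a DNS answer from an attacker's packet sent from source port 53 to an internal service, so it either admits both or blocks both. The "spoofed source" decision shows the boundary of the IP-spoofing problem: the router can reject an impossible source (an inside address on the outside interface), but an outside packet with a forged outside address is indistinguishable from a genuine one.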