
  1. Network Firewalls
     CSCI 5931 - Web Security, Spring 2003
     Presented by Yasir Zahur
  2. Agenda
     • Reference Monitor
     • Introduction
     • Types of Firewalls
     • Screening Routers
     • Proxy Gateways
     • Guard
     • Sample Configurations
  3. Reference Monitor
     • The kernel is the heart of the operating system
     • The security kernel is responsible for enforcing the security mechanisms of the entire operating system
     • The portion of the security kernel that controls accesses to objects is called the reference monitor
     • A reference monitor must be:
       • Tamperproof
       • Always invoked
       • Small and simple enough for rigorous analysis
  4. Reference Monitor (…cont)
  5. First Line of Defense: The Firewall
     • A special form of reference monitor
     • The primary means of securing a private network against penetration from a public network
     • An access control device that performs perimeter security by deciding which packets are allowed or denied, and which must be modified before passing
     • The core of an enterprise's comprehensive security policy
     • Can monitor all traffic entering and leaving the private network, and alert the IT staff to any attempts to circumvent security or patterns of inappropriate use
  6. Network Firewall Concept
     (figure; labels: Firewall System, Your Domain, Legitimate Activity, Violations)
  7. Types of Firewalls
     • Screening Routers (Packet Level Filters)
     • Proxy Gateways (Bastion Host)
     • Guards
  8. Screening Routers
     • The simplest and in some cases the most effective type of firewall. Its most basic form consists of Access Control Lists (ACLs) and Network Address Translation (NAT)
     • Also called a Packet Filter, since the filtering mechanism keeps no record of the interaction and no history of previous datagrams
     • A manager can list any combination of source IP address, destination IP address, protocol, source protocol port number and destination protocol port number as the packet filter specification
  9. Routers Screening Outside Addresses
  10. Security Policy in Packet Filtering
     • A packet filter allows a manager to specify which datagrams to block
     • This requires continuous monitoring and updates, as the number of well-known ports is large and growing rapidly
     • Certain services assign port numbers dynamically, e.g. RPC (Remote Procedure Call)
     • Listing the ports of well-known services leaves the firewall vulnerable to tunneling
     • The answer: block all datagrams except those explicitly specified
  11. Consequence of Restricted Access for Clients
     • Each server operates at a well-known port; a client does not
     • Suppose a client attempts to communicate with a server outside the organization
     • Each outgoing datagram has the client's protocol port as source port and the server's protocol port as destination port
     • The firewall will not block such datagrams as they leave
     • However, when the response reaches the firewall from outside (with the destination port now being the client's port), it is blocked by the firewall, since that destination port is not approved
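The default-deny packet filter of the two preceding slides and the client-reply problem it causes, as an added example that is not code from the presentation; it also goes one step further and shows the usual remedy, permitting inbound TCP segments with the ACK flag set to the client port range. All addresses, ports and rules are constructed.

```python
from dataclasses import dataclass
# Added example (not from the slides): all addresses, ports and rules are constructed.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK flag: set on every segment except the opening SYN
@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src_ip: str = "*"
    dst_ip: str = "*"
    proto: str = "*"
    src_port: object = "*"      # int, "*" or an inclusive (low, high) range
    dst_port: object = "*"
    ack: object = "*"           # True, False or "*"
    def matches(self, p: Packet) -> bool:
        def m(field, value):
            if field == "*":
                return True
            if isinstance(field, tuple):          # port range
                return field[0] <= value <= field[1]
            return field == value
        return (m(self.src_ip, p.src_ip) and m(self.dst_ip, p.dst_ip)
                and m(self.proto, p.proto) and m(self.src_port, p.src_port)
                and m(self.dst_port, p.dst_port) and m(self.ack, p.ack))

def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; a datagram no rule permits is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
INSIDE = "10.0.0.5"   # inside host: runs a web server and also browses outside sites
# Policy 1, the slide's "block all datagrams except those explicitly specified":
NAIVE_RULES = [
    Rule("permit", dst_ip=INSIDE, proto="tcp", dst_port=80),   # inbound to our server
    Rule("permit", src_ip=INSIDE, proto="tcp", dst_port=80),   # outbound client requests
]
# Policy 2, the classic remedy: also permit inbound TCP that carries ACK to the client
# port range, i.e. replies to connections the inside host opened (a fresh SYN has no ACK).
ESTABLISHED_RULES = NAIVE_RULES + [
    Rule("permit", dst_ip=INSIDE, proto="tcp", dst_port=(1024, 65535), ack=True)]
OUTGOING = Packet(INSIDE, "203.0.113.7", "tcp", 40001, 80)           # client request
REPLY = Packet("203.0.113.7", INSIDE, "tcp", 80, 40001, ack=True)    # server's answer
PROBE = Packet("203.0.113.7", INSIDE, "tcp", 80, 40001, ack=False)   # unsolicited SYN
```

Under NAIVE_RULES the request leaves but the REPLY is dropped, exactly the consequence the slide describes; under ESTABLISHED_RULES the reply passes while the unsolicited PROBE to the same port is still denied.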
  12. Proxy Gateway
     • A firewall that simulates the effects of an application by running "pseudo-applications"
     • Because the firewall computer must be strongly fortified to serve as a secure communication channel, it is also called a BASTION HOST
     • To the inside, it implements part of the application protocol to make itself look as if it were the outside connection
     • To the outside, it implements part of the application protocol to act just as the inside process would
     • It also examines the contents of the packet, not just the header
  13. Proxy Gateway Example 1
     • Consider Web access from an inside host
     • The user cannot use a browser for direct access, since the firewall prevents the user's computer from receiving incoming datagrams
     • However, the organization runs a web proxy server on the Bastion Host
     • The browser on each host is configured to use the proxy
     • Thus whenever the user requests a URL, the browser contacts the proxy, which in turn contacts the outside server, obtains the page and delivers it to the inside host
  14. Proxy Gateway Example 2
     • Consider a site that blocks all incoming TELNET and FTP connections using a packet filtering router
     • The router allows TELNET and FTP packets to go to one host only: the TELNET/FTP application gateway
     • An outside user first telnets to the application gateway and enters the name of an internal host
     • The gateway checks the user's source IP address and accepts or rejects it according to any access criteria in place
     • The user may need to authenticate
     • The proxy service creates a TELNET connection between the gateway and the internal host
     • The proxy service then passes bytes between the two connections
     • The application gateway logs the connection
  15. Proxy Gateway - Advantages
     • Proxy services allow through only those services for which there is a proxy
     • The protocol can be filtered. Some firewalls, for example, can filter FTP connections and deny use of the FTP put command
     • Information hiding: the names of internal systems need not be made known via DNS to outside systems; only the application gateway's name must be known
     • Cost-effectiveness: third-party software or hardware for authentication or logging need be located only at the application gateway
     • Application traffic can be pre-authenticated before it reaches internal hosts, and can be logged more effectively than with standard host logging
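The application gateway of Example 2 (source-address check, authentication, relay, logging) together with the "deny use of the FTP put command" filtering from this slide, as an added example that is not code from the presentation. The access list, the user store and the set of denied commands are constructed assumptions, and socket handling is left to the caller, which is assumed to read lines from the outside client and write whatever is returned to the inside server or back to the client.

```python
import hmac
import ipaddress
from hashlib import sha256
# Added example (not from the slides): decision logic of an FTP application gateway.
# The access list, user store and command set below are constructed assumptions.

ALLOWED_SOURCES = ["203.0.113.0/24"]                       # access criteria
USERS = {"alice": sha256(b"correct horse").hexdigest()}   # user -> hash (a real gateway
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}                 # would use a salted, slow hash)

class FtpGateway:
    """One proxied control-channel session; networking is left to the caller."""
    def __init__(self):
        self.log = []               # every decision is logged at the gateway
        self.authenticated = False

    def admit(self, src_ip: str, user: str, password: str) -> bool:
        """Pre-authenticate the outside user before any byte reaches an inside host."""
        if not any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n)
                   for n in ALLOWED_SOURCES):
            self.log.append(f"REJECT {src_ip}: source not in access list")
            return False
        digest = sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, USERS.get(user, "")):
            self.log.append(f"REJECT {src_ip}: bad credentials for {user!r}")
            return False
        self.authenticated = True
        self.log.append(f"ADMIT {src_ip} as {user}")
        return True

    def relay(self, line: bytes):
        """Filter one client command line. Returns (bytes for the inside server,
        reply for the outside client); exactly one of the two is None."""
        if not self.authenticated:
            return None, b"530 Authenticate to the gateway first.\r\n"
        text = line.decode("ascii", "replace").rstrip("\r\n")
        verb = text.split(" ", 1)[0].upper()
        if verb in UPLOAD_COMMANDS:     # STOR is what a client's "put" sends on the wire
            self.log.append(f"DENY {text}")
            return None, b"550 Uploads are not permitted through this gateway.\r\n"
        self.log.append(f"PASS {text}")
        return line, None
```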
  16. Guard
     • A more "sophisticated" and "complex" proxy firewall
     • Since it is more complex, its code is more prone to error
     • Can examine and interpret the contents of a packet
     • Usually implements and enforces certain business policies, e.g. enforcing an email quota on the proxy
  17. Firewall Configuration .. 1
  18. Firewall Configuration .. 2
  19. References
     • Firewalls
     • Security in Computing, 2nd Ed., by Charles P. Pfleeger. Prentice Hall
     • Internetworking with TCP/IP, Vol. 1, by Douglas E. Comer. Prentice Hall
     • Network Security presentation slides by Andrew Yang, http://nas/yang/teaching/csci5233fall02/index.htm#topicsNotes
     • Presentation on Firewalls by Tom Longstaff, CERT Coordination Center, Carnegie Mellon University