2Firewall Design Principles Firewall CharacteristicsAll traffic from inside to outside and vice-versa must pass through the firewall.Achieved by physically blocking all access to local networks except via the firewall.Only authorized traffic, as defined by the local security policy, will be allowed to pass.The firewall itself is immune to infiltration.
3Firewall Access Techniques Service ControlDetermines the types of internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
4Firewall Access Techniques (Cont.) Direction ControlDetermines the direction in which particular service requests may be initiated and allowed to flow through the firewall.User ControlControls access to a service according to which user is attempting to access it. Typically applied to users inside the firewall perimeter (local users).
5Firewall Access Techniques (Cont.) Behavior ControlControls how particular services are used. For example, the firewall may filter to eliminate spam, or it may enable external access to only a portion of the information on a local web server.
6Capabilities of a Firewall Defining a single choke pointThe use of a single choke point simplifies security management because security capabilities and resources are consolidated on a single system or set of systems.SimplificationA firewall provides a location for monitoring all security-related events. Audits and alarms may be implemented on the system.
7Capabilities of a Firewall (Cont.) Convenient PlatformA firewall is a convenient platform for many non-security related events such as a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet Usage.
8Capabilities of a Firewall (Cont.) IPSecA firewall can serve as a platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.
9Firewall Limitations Bypassing Attacks The firewall cannot protect against attacks which bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
10Firewall Limitations (Cont.) Internal ThreatsThe firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
11Firewall Limitations (Cont.) Virus-Infected Programs or FilesBecause of the variety of operating systems and applications supported inside the perimeter, it would be impractical if not impossible to scan all incoming files, , and messages for viruses.
12Types of Firewalls Packet-Filtering Router A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet.
13Types of Firewalls (Cont.) Packet-Filtering Router
14Types of Firewalls (Cont.) Packet-Filtering Router AdvantagesOne advantage to this type of firewall is its simplicity.Another is that these firewalls are typically transparent to users and are very fast.
15Types of Firewalls (Cont.) Packet-Filtering Router DisadvantagesBecause they do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities.Logging functionality present in packet filter firewalls is limited.Do not support advanced user authentication schemes.
16Types of Firewalls (Cont.) Packet-Filtering Router DisadvantagesGenerally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack.Susceptible to security breaches caused by improper configurations due to the small number of variables used in access control decisions.
17Types of Firewalls (Cont.) Packet-Filtering Router AttacksIP Address SpoofingSource Routing AttacksTiny Fragment Attacks
18Types of Firewalls (Cont.) Packet-Filtering Examples
19Types of Firewalls (Cont.) Stateful Inspection FirewallsA stateful inspection packet filter tightens up the rules of TCP traffic by creating a directory of outbound TCP connections. Now, with an entry for each currently established connection, the packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
20Types of Firewalls (Cont.) Stateful Inspection Firewalls
21Types of Firewalls (Cont.) Application-Level GatewayAlso called a proxy server, acts as a relay of application-level traffic.Usually more secure than packet filters. Also easy to log and audit all incoming traffic at the application level.The disadvantage is the additional processing overhead on each connection.
22Types of Firewalls (Cont.) Application-Level Gateway
23Types of Firewalls (Cont.) Circuit-Level GatewayDoes not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself, and the user on the inner host and one between itself and the user on the outside host.The gateway typically relays TCP segments between the two parties without examination. The security lies in the fact that it determines which connections will be allowed.
24Types of Firewalls (Cont.) Circuit-Level Gateway
25Types of Firewalls (Cont.) Bastion HostA system identified by the firewall administrator as a critical strong point in the network’s security.Serves as a platform for application-level and circuit-level gateways.
27Firewall Configurations Screened Host Firewall System (Single)Firewall consists of two systemsA packet-filtering routerConfigured so that for traffic from the internet, only IP packets destined for the bastion host are allowed in and for traffic from the internal network, only IP packets from the bastion host are allowed.A bastion hostPerforms authentication and proxy functions.
31Firewall Configurations Screened Subnet FirewallMost secure of these 3 configurations.Two packet-filtering routers, one between the bastion host and the Internet and one between the bastion host and the internal network.This configuration creates an isolated sub-network.