2 Firewall Design Principles Firewall CharacteristicsAll traffic from inside to outside and vice-versa must pass through the firewall.Achieved by physically blocking all access to local networks except via the firewall.Only authorized traffic, as defined by the local security policy, will be allowed to pass.The firewall itself is immune to infiltration.
3 Firewall Access Techniques Service ControlDetermines the types of internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
4 Firewall Access Techniques (Cont.) Direction ControlDetermines the direction in which particular service requests may be initiated and allowed to flow through the firewall.User ControlControls access to a service according to which user is attempting to access it. Typically applied to users inside the firewall perimeter (local users).
5 Firewall Access Techniques (Cont.) Behavior ControlControls how particular services are used. For example, the firewall may filter to eliminate spam, or it may enable external access to only a portion of the information on a local web server.
6 Capabilities of a Firewall Defining a single choke pointThe use of a single choke point simplifies security management because security capabilities and resources are consolidated on a single system or set of systems.SimplificationA firewall provides a location for monitoring all security-related events. Audits and alarms may be implemented on the system.
7 Capabilities of a Firewall (Cont.) Convenient PlatformA firewall is a convenient platform for many non-security related events such as a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet Usage.
8 Capabilities of a Firewall (Cont.) IPSecA firewall can serve as a platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.
9 Firewall Limitations Bypassing Attacks The firewall cannot protect against attacks which bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
10 Firewall Limitations (Cont.) Internal ThreatsThe firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
11 Firewall Limitations (Cont.) Virus-Infected Programs or FilesBecause of the variety of operating systems and applications supported inside the perimeter, it would be impractical if not impossible to scan all incoming files, , and messages for viruses.
12 Types of Firewalls Packet-Filtering Router A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet.
13 Types of Firewalls (Cont.) Packet-Filtering Router
14 Types of Firewalls (Cont.) Packet-Filtering Router AdvantagesOne advantage to this type of firewall is its simplicity.Another is that these firewalls are typically transparent to users and are very fast.
15 Types of Firewalls (Cont.) Packet-Filtering Router DisadvantagesBecause they do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities.Logging functionality present in packet filter firewalls is limited.Do not support advanced user authentication schemes.
16 Types of Firewalls (Cont.) Packet-Filtering Router DisadvantagesGenerally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack.Susceptible to security breaches caused by improper configurations due to the small number of variables used in access control decisions.
17 Types of Firewalls (Cont.) Packet-Filtering Router AttacksIP Address SpoofingSource Routing AttacksTiny Fragment Attacks
18 Types of Firewalls (Cont.) Packet-Filtering Examples
19 Types of Firewalls (Cont.) Stateful Inspection FirewallsA stateful inspection packet filter tightens up the rules of TCP traffic by creating a directory of outbound TCP connections. Now, with an entry for each currently established connection, the packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
20 Types of Firewalls (Cont.) Stateful Inspection Firewalls
21 Types of Firewalls (Cont.) Application-Level GatewayAlso called a proxy server, acts as a relay of application-level traffic.Usually more secure than packet filters. Also easy to log and audit all incoming traffic at the application level.The disadvantage is the additional processing overhead on each connection.
22 Types of Firewalls (Cont.) Application-Level Gateway
23 Types of Firewalls (Cont.) Circuit-Level GatewayDoes not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself, and the user on the inner host and one between itself and the user on the outside host.The gateway typically relays TCP segments between the two parties without examination. The security lies in the fact that it determines which connections will be allowed.
24 Types of Firewalls (Cont.) Circuit-Level Gateway
25 Types of Firewalls (Cont.) Bastion HostA system identified by the firewall administrator as a critical strong point in the network’s security.Serves as a platform for application-level and circuit-level gateways.
27 Firewall Configurations Screened Host Firewall System (Single)Firewall consists of two systemsA packet-filtering routerConfigured so that for traffic from the internet, only IP packets destined for the bastion host are allowed in and for traffic from the internal network, only IP packets from the bastion host are allowed.A bastion hostPerforms authentication and proxy functions.
31 Firewall Configurations Screened Subnet FirewallMost secure of these 3 configurations.Two packet-filtering routers, one between the bastion host and the Internet and one between the bastion host and the internal network.This configuration creates an isolated sub-network.