Presentation is loading. Please wait.

Presentation is loading. Please wait.

5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania.

Similar presentations

Presentation on theme: "5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania."— Presentation transcript:

1 5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania

2 5/4/01EMTM 5532 Why do we need firewalls ?

3 5/4/01EMTM 5533

4 5/4/01EMTM 5534

5 5/4/01EMTM 5535 BEFORE AFTER (your results may vary)

6 5/4/01EMTM 5536 What is a firewall? Two goals: –To provide the people in your organization with access to the WWW without allowing the entire world to peak in; –To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network. Basic idea: –Impose a specifically configured gateway machine between the outside world and the site’s inner network. –All traffic must first go to the gateway, where software decide whether to allow or reject.

7 5/4/01EMTM 5537 What is a firewall A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

8 5/4/01EMTM 5538 Firewalls DO Implement security policies at a single point Monitor security-related events (audit, log) Provide strong authentication Allow virtual private networks Have a specially hardened/secured operating system

9 5/4/01EMTM 5539 Firewalls DON’T Protect against attacks that bypass the firewall –Dial-out from internal host to an ISP Protect against internal threats –disgruntled employee –Insider cooperates with and external attacker Protect against the transfer of virus-infected programs or files

10 5/4/01EMTM 55310 Types of Firewalls Packet-Filtering Router Application-Level Gateway Circuit-Level Gateway Hybrid Firewalls

11 5/4/01EMTM 55311 Packet Filtering Routers Forward or discard IP packet according a set of rules Filtering rules are based on fields in the IP and transport header

12 5/4/01EMTM 55312 What information is used for filtering decision? Source IP address (IP header) Destination IP address (IP header) Protocol Type Source port (TCP or UDP header) Destination port (TCP or UDP header) ACK. bit

13 5/4/01EMTM 55313 Web Access Through a Packet Filter Firewall [Stein]

14 5/4/01EMTM 55314 Packet Filtering Routers pros and cons Advantages: –Simple –Low cost –Transparent to user Disadvantages: –Hard to configure filtering rules –Hard to test filtering rules –Don’t hide network topology(due to transparency) –May not be able to provide enough control over traffic –Throughput of a router decreases as the number of filters increases

15 5/4/01EMTM 55315 Application Level Gateways (Proxy Server)

16 5/4/01EMTM 55316 A Telnet Proxy

17 5/4/01EMTM 55317 A sample telnet session

18 5/4/01EMTM 55318 Application Level Gateways (Proxy Server) Advantages: –complete control over each service (FTP/HTTP…) –complete control over which services are permitted –Strong user authentication (Smart Cards etc.) –Easy to log and audit at the application level –Filtering rules are easy to configure and test Disadvantages: –A separate proxy must be installed for each application- level service –Not transparent to users

19 5/4/01EMTM 55319 Circuit Level Gateways

20 5/4/01EMTM 55320 Circuit Level Gateways (2) Often used for outgoing connections where the system administrator trusts the internal users The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections

21 5/4/01EMTM 55321 Hybrid Firewalls In practice, many of today's commercial firewalls use a combination of these techniques. Examples: –A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level. –Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.

22 5/4/01EMTM 55322 Firewall Configurations Bastion host –a system identified by firewall administrator as a critical strong point in the network’s security –typically serves as a platform for an application-level or circuit- level gateway –extra secure O/S, tougher to break into Dual homed gateway –Two network interface cards: one to the outer network and the other to the inner –A proxy selectively forwards packets Screened host firewall system –Uses a network router to forward all traffic from the outer and inner networks to the gateway machine Screened-subnet firewall system

23 5/4/01EMTM 55323 Dual-homed gateway

24 5/4/01EMTM 55324 Screened-host gateway

25 5/4/01EMTM 55325 Screened Host Firewall

26 5/4/01EMTM 55326 Screened Subnet Firewall

27 5/4/01EMTM 55327 Screened subnet gateway

28 5/4/01EMTM 55328 Selecting a firewall system Operating system Protocols handled Filter types Logging Administration Simplicity Tunneling

29 5/4/01EMTM 55329 Commercial Firewall Systems

30 5/4/01EMTM 55330 Widely used commercial firewalls AltaVista BorderWare (Secure Computing Corporation) CyberGurad Firewall (CyberGuard Corporation) Eagle (Raptor Systems) Firewall-1 (Checkpoint Software Technologies) Gauntlet (Trusted Information Systems) ON Guard (ON Technology Corporation)

31 5/4/01EMTM 55331 Firewall’s security policy Embodied in the filters that allow or deny passages to network traffic Filters are implemented as proxy programs. –Application-level proxies oone for particular communication protocol oE.g., HTTP, FTP, SM oCan also filter based on IP addresses –Circuit-level proxies oLower-level, general purpose programs that treat packets as black boxes to be forward or not oOnly looks at header information oAdvantages: speed and generality oOne proxy can handle many protocols

32 5/4/01EMTM 55332 Configure a Firewall (1) Outgoing Web Access –Outgoing connections through a packet filter firewall –Outgoing connections through an application-level proxy –Outgoing connections through a circuit proxy

33 5/4/01EMTM 55333 Firewall Proxy Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]

34 5/4/01EMTM 55334 Configure a Firewall (2) Incoming Web Access –The “Judas” server –The “Sacrificial Lamb” –The “Private Affair” server –The doubly fortified server

35 5/4/01EMTM 55335 The “Judas” Server (not recommended) [Stein]

36 5/4/01EMTM 55336 The “sacrificial lamb” [Stein]

37 5/4/01EMTM 55337 The “private affair” server [Stein]

38 5/4/01EMTM 55338 Internal Firewall An Internal Firewall protects the Web server from insider threats. [Stein]

39 5/4/01EMTM 55339 Placing the sacrificial lamb in the demilitarized zone. [Stein]

40 5/4/01EMTM 55340 Poking holes in the firewall If you need to support a public Web server, but no place to put other than inside the firewall. Problem: if the server is compromised, then you are cooked.

41 5/4/01EMTM 55341 Simplified Screened-Host Firewall Filter Rules [Stein]

42 5/4/01EMTM 55342 Filter Rule Exceptions for Incoming Web Services [Stein]

43 5/4/01EMTM 55343 Screened subnetwork Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]

44 5/4/01EMTM 55344 Filter Rules for a Screened Public Web Server [Stein]

45 5/4/01EMTM 55345 Q&AQ&A

Download ppt "5/4/01EMTM 5531 EMTM 553: E-commerce Systems Lecture 7b: Firewalls Insup Lee Department of Computer and Information Science University of Pennsylvania."

Similar presentations

Ads by Google