CS682 Session 6 Prof. Katz. Firewalls An intelligent router? Used as a traffic control mechanism Based on information in the Layer 3 and 4 headers Administrator.
Firewalls
- An intelligent router?
- Used as a traffic control mechanism
- Based on information in the Layer 3 and 4 headers
- Administrator builds tables of what is and is not allowed
- For NCSA compliance, anything which is not specifically allowed is denied
Packet-filtering Firewalls
- Each packet is compared to a static list of rules defined by the administrator
- No information is stored from one packet to the next
Implementing a Packet Filter: Sections
- Input – Packets are checked against these rules when they arrive at the interface
- Forward (not always implemented) – Packets are checked against these rules when they need to be routed by the kernel
- Output – Packets are checked against these rules when they are being output to the interface
Implementing (cont.): Rules
- Each rule will specify one authorized connection
- The most used rules should be first
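The three packet-filter properties above (stateless comparison of Layer 3/4 header fields against a static list, first matching rule wins, default deny for anything not explicitly allowed) can be shown in a few lines. This is an added example written for these notes, not code from the slides; the chain names follow the Input/Forward/Output sections above, the rule set and the addresses (192.0.2.0/24, 203.0.113.5, 198.51.100.1) are constructed. The filter also returns how many rules it had to examine, which is why the slide says the most used rules should come first.

```python
"""Toy packet filter: static rule list, first match wins, default deny.
Added example, not from the slides; addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    chain: str            # "INPUT", "FORWARD" or "OUTPUT", as in the slides
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None = any port
    action: str           # "ACCEPT" or "DROP"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Compare only Layer 3/4 header fields; no memory of earlier packets."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def filter_packet(rules: List[Rule], chain: str, pkt: Packet,
                  default: str = "DROP") -> Tuple[str, int]:
    """Walk the rules of one chain in order; the first match decides.
    Returns (action, number of rules examined) so the cost of rule
    ordering is visible. Nothing matched -> default deny."""
    examined = 0
    for rule in rules:
        if rule.chain != chain:
            continue
        examined += 1
        if rule_matches(rule, pkt):
            return rule.action, examined
    return default, examined


# Constructed rule set for a host 192.0.2.10 on LAN 192.0.2.0/24.
# The most frequently hit rule (public web traffic) is listed first.
RULES = [
    Rule("INPUT",   "tcp", "0.0.0.0/0",    "192.0.2.10/32", 80,   "ACCEPT"),
    Rule("INPUT",   "tcp", "192.0.2.0/24", "192.0.2.10/32", 22,   "ACCEPT"),
    Rule("FORWARD", "any", "192.0.2.0/24", "0.0.0.0/0",     None, "ACCEPT"),
]

if __name__ == "__main__":
    for chain, pkt in [
        ("INPUT",   Packet("tcp", "203.0.113.5", "192.0.2.10", 80)),
        ("INPUT",   Packet("tcp", "203.0.113.5", "192.0.2.10", 22)),
        ("INPUT",   Packet("tcp", "192.0.2.20",  "192.0.2.10", 22)),
        ("FORWARD", Packet("udp", "192.0.2.20",  "198.51.100.1", 53)),
        ("FORWARD", Packet("tcp", "203.0.113.5", "192.0.2.20", 445)),
    ]:
        print(chain, pkt, filter_packet(RULES, chain, pkt))
```

Note that an SSH connection from the Internet is dropped only because no rule matched it: the default is deny, so nothing has to be written to forbid it explicitly. Because the web rule sits first, the most common packet is decided after one comparison.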
Proxy firewall
- Proxy: to do something on behalf of someone else (e.g. voting by proxy)
- Operate at Layer 7 only
- Require software to specifically support the proxy
- Can be made somewhat transparent through the rewriting of winsock.dll
Proxy implementation
- Request from client is made to proxy server
- Proxy server makes request to remote server
- Proxy server routes data back (through Layer 3) to client
- (Client only ever talks to proxy!)
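The three steps above can be watched on a single machine with a tiny TCP relay. This is an added example, not code from the slides: a stand-in "remote server" upper-cases one request, the proxy accepts the client, opens its own, separate connection to that server and relays one request and one reply. Everything runs on 127.0.0.1 with OS-assigned ports. The point to verify is the last bullet: the remote server only ever sees the proxy's source port, never the client's.

```python
"""Minimal TCP relay proxy over loopback. Added example, not from the slides.
The 'remote server' upper-cases one request; the proxy relays one
request/response pair. All ports are chosen by the OS (bind to port 0)."""
import socket
import threading


def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def _remote_server(listener: socket.socket, seen: dict) -> None:
    # Stand-in for the remote server: records who connected, answers once.
    conn, peer = listener.accept()
    with conn:
        seen["peer_port_at_server"] = peer[1]
        conn.sendall(conn.recv(4096).upper())
    listener.close()


def _proxy(listener: socket.socket, remote_host: str, remote_port: int,
           seen: dict) -> None:
    # Proxy: accept the client, then open a *separate* connection to the
    # remote server on the client's behalf and relay request and reply.
    client, _ = listener.accept()
    with client, socket.create_connection((remote_host, remote_port)) as remote:
        seen["proxy_port_to_server"] = remote.getsockname()[1]
        remote.sendall(client.recv(4096))      # step 2: proxy -> remote
        client.sendall(remote.recv(4096))      # step 3: proxy -> client
    listener.close()


def demo(message: bytes = b"hello via proxy"):
    """Run client, proxy and remote server; return
    (reply, client's own port, port the server saw, proxy's outbound port)."""
    seen = {}
    remote_l = _listener()
    threading.Thread(target=_remote_server, args=(remote_l, seen),
                     daemon=True).start()
    proxy_l = _listener()
    threading.Thread(target=_proxy,
                     args=(proxy_l, "127.0.0.1", remote_l.getsockname()[1], seen),
                     daemon=True).start()
    # Step 1: the client talks to the proxy only; it never learns the
    # remote server's address from this exchange.
    with socket.create_connection(("127.0.0.1", proxy_l.getsockname()[1])) as c:
        client_port = c.getsockname()[1]
        c.sendall(message)
        reply = c.recv(4096)
    return reply, client_port, seen["peer_port_at_server"], seen["proxy_port_to_server"]


if __name__ == "__main__":
    reply, client_port, seen_by_server, proxy_port = demo()
    print(reply, "client port:", client_port,
          "server saw:", seen_by_server, "(proxy's port:", proxy_port, ")")
```

Because the proxy terminates the client connection and opens a new one, it sits at Layer 7: it has the whole request in hand and could inspect or rewrite it before forwarding, which is where Layer 7 filtering rules come from, and also why each protocol needs its own proxy code.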
Proxy servers
- SOCKS: a common proxy; it can proxy any protocol whose client supports the SOCKS protocol
- HTTP proxies can only proxy HTTP and HTTPS data
- Specific proxies required for all other protocols (POP3, SMTP, NNTP, telnet)
Advantages vs. Disadvantages
Advantages:
- Protects the secure network from direct attack
- Allows for filtering based on Layer 7 rules
- Usually an inexpensive solution
Disadvantages:
- Slows down the network because data must travel to Layer 7
- Software must support the proxies
- Requires additional protection for the proxy server itself
Stateful Inspection
- Keeps information on the state of the connection (SYN sent, SYN/ACK received, etc.)
- Rules need to be set up only to allow the first packet (SYN); the rest are assumed to be allowed
State Table
- Maintained to hold the information on the connections
- Contains socket information as well as sequence and acknowledgement numbers
- If a packet which was not expected is received, it will be dropped and the connection will be closed
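The two slides above (a rule only for the opening SYN, then a state table keyed by socket that tracks sequence and acknowledgement numbers and closes the connection on an unexpected packet) can be shown with a small stateful inspector. This is an added example for these notes, not code from the slides or from any real firewall; the packets are constructed, the address pair 192.0.2.5 / 198.51.100.7 is invented, and the state machine is deliberately simplified (no retransmission handling, no half-close tracking, no timeouts).

```python
"""Toy stateful inspection engine. Added example, not from the slides.
Simplified TCP tracking: SYN -> SYN/ACK -> ACK -> ESTABLISHED, with
sequence numbers checked on every packet of an established connection."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})
    seq: int
    ack: int = 0
    payload_len: int = 0


@dataclass
class Entry:
    state: str            # SYN_SENT, SYN_RECV or ESTABLISHED
    client_next: int      # next sequence number expected from the client
    server_next: int = 0  # next sequence number expected from the server


Key = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class StatefulFirewall:
    def __init__(self, allowed_dports: Iterable[int]):
        # The only "rule" the admin writes: which ports a SYN may open.
        self.allowed_dports = set(allowed_dports)
        self.table: Dict[Key, Entry] = {}

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                       # client -> server packet
            return self._existing(fwd, self.table[fwd], p, from_client=True)
        if rev in self.table:                       # server -> client packet
            return self._existing(rev, self.table[rev], p, from_client=False)
        # No state yet: only a bare SYN to an allowed port opens an entry.
        if p.flags == frozenset({"SYN"}) and p.dport in self.allowed_dports:
            self.table[fwd] = Entry("SYN_SENT", client_next=p.seq + 1)
            return "ACCEPT"
        return "DROP"

    def _existing(self, key: Key, e: Entry, p: Packet, from_client: bool) -> str:
        if (e.state == "SYN_SENT" and not from_client
                and p.flags == frozenset({"SYN", "ACK"}) and p.ack == e.client_next):
            e.state, e.server_next = "SYN_RECV", p.seq + 1
            return "ACCEPT"
        if (e.state == "SYN_RECV" and from_client and p.flags == frozenset({"ACK"})
                and p.seq == e.client_next and p.ack == e.server_next):
            e.state = "ESTABLISHED"
            return "ACCEPT"
        if e.state == "ESTABLISHED" and "ACK" in p.flags:
            expected = e.client_next if from_client else e.server_next
            if p.seq == expected:
                if from_client:
                    e.client_next += p.payload_len
                else:
                    e.server_next += p.payload_len
                if "FIN" in p.flags or "RST" in p.flags:
                    del self.table[key]       # normal teardown: forget the connection
                return "ACCEPT"
        # Anything not expected in the current state: drop it and close the connection.
        del self.table[key]
        return "DROP"


def run_handshake(fw: StatefulFirewall, c: str = "192.0.2.5",
                  s: str = "198.51.100.7") -> list:
    """Constructed three-way handshake from client c to server s, port 80."""
    syn = Packet(c, 40000, s, 80, frozenset({"SYN"}), seq=1000)
    synack = Packet(s, 80, c, 40000, frozenset({"SYN", "ACK"}), seq=5000, ack=1001)
    ack = Packet(c, 40000, s, 80, frozenset({"ACK"}), seq=1001, ack=5001)
    return [fw.process(p) for p in (syn, synack, ack)]


if __name__ == "__main__":
    fw = StatefulFirewall({80, 443})
    print(run_handshake(fw), fw.table)
    bad = Packet("192.0.2.5", 40000, "198.51.100.7", 80, frozenset({"ACK"}), seq=9999, ack=5001)
    print(fw.process(bad), fw.table)   # unexpected seq: DROP, entry removed
```

The administrator's rule set shrinks to "SYN to port 80 or 443 is allowed"; every later packet is judged by the state table instead, which is the "fewer rules" benefit on the next slide. The price is the RAM each entry costs and the need to keep that table consistent, which is also where the clustering difficulty comes from.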
Benefits of Stateful Inspection
- Fewer rules = less administrative headache
- Usually can simplify NAT and Layer 7 rules as well
- Can protect against SYN floods and other attacks
- Faster than proxies
Disadvantages of SI
- Usually very expensive
- Difficult to maintain in a cluster
- Slower than packet filtering
- Requires more RAM to maintain the state tables