Firewalls Jiang Long Spring 2002

Outline What’s a network firewall Why need a firewall Introduction What’s a network firewall Why need a firewall Weakness of firewalls Several types of firewall techniques Policy considerations Making firewalls fit Firewall configurations Conclusion & References

Internet Growth Thousands of users Source:Bank IT’98

What’s a network firewall Internet Home Internet Firewall A network firewall is a system or group of systems that enforces an access control policy between two networks Implemented in both hardware and software, or a combination of both

Why need a firewall against unauthenticated interactive logins from the “outside” world provide a single ``choke point'' where security and audit can be imposed act as your corporate “ambassador” to the Internet

Weakness of Firewalls difficult to let data in through make the network more complex can't protect very well against things like viruses provide no or little protection on incoming traffic

Several types of firewall techniques Packet Filtering Application-level Gateway Circuit-level Gateway Proxy Server

Packet Filtering Firewall looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. fairly effective and transparent to users difficult to configure

Application-level Gateway applies security mechanisms to specific applications generally regarded as the most secure type of firewall, very effective , but can impose a performance degradation set up may be complex such as FTP and Telnet servers

Circuit-level Gateway also called as “Circuit Relay” or “Stateful Inspection Firewall” applies security mechanisms when a TCP or UDP connection is established packets can flow between the hosts without further checking.

Proxy Server a program possibly running on a separate proxy server computer accepts information transfer requests and sends appropriate responses back such as caching proxy for web browsers (used by ISP) used to block access to undesirable sites, or remove undesirable information contained on a web page effectively hides the true network addresses

Policy Considerations the risks you intend to manage the services you intend to offer from networks the services you intend to request from networks the objective that all incoming and outgoing network traffic must go through the firewall be safe and in your interests minimize the exposure of information

Making Firewalls Fit IP address Domain names Protocols (IP, TCP, HTTP,FTP,UDP etc.) Ports Specific words and phases

Firewall Configurations (1) Bastion Host No traffic directly between networks Figure 8.1 A typical Dual Homed Gateway

Firewall Configurations (2) Traffic Blocked Private Network Internet Screening Router Other Hosts Traffic Permitted Bastion Host Figure 8.2 A typical Screened Host Gateway

Firewall Configurations (3) Traffic Blocked Internet Private Network Screening Router Screened Subnet Other Hosts Traffic Permitted Bastion Host Figure 3: A typical Screened Subnet

Conclusion Firewalls are a very effective way to protect your system from most Internet security threats and are a critical component of today's computer networks. Firewalls in networks keep damage on one part of the network (e.g., eavesdropping, a worm program, file damage) from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

References http://searchsecurity.techtarget.com/sDefinition http://www.deatech.com/deatech/articles/FirewallWhyTo.html http://search.win2000mag.net/security/query.html?qt=firewall&qp=keywords:%22security%22 http://www.guest.seas.gwu.edu/~reto/firewall/ http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212125,00.html

Thank you