
Firewalls (8: Network Management): presentation transcript




Slide 1: Firewalls

Slide 2: Firewalls

Firewall: isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

Two firewall types:
- packet filter
- application gateways

Purposes:
- To prevent denial of service attacks:
  - SYN flooding: attacker establishes many bogus TCP connections. The attacked host allocates TCP buffers for the bogus connections, leaving none for "real" connections.
- To prevent illegal modification of internal data:
  - e.g., attacker replaces CIA's homepage with something else
- To prevent intruders from obtaining secret info.

Slide 3: Packet Filtering
- Internal network is connected to the Internet through a router.
- Router manufacturer provides options for filtering packets, based on:
  - source IP address
  - destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP segments with ACK=0.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.

Slide 4: Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
  [figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter]
  1. Require all telnet users to telnet through the gateway.
  2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
  3. Router filter blocks all telnet connections not originating from the gateway.
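The two filtering examples on slide 3 and the router rule in step 3 of slide 4 can be written down as a small stateless packet filter and run against sample traffic. The block below is an added example written for this transcript, not the lecture's or any router vendor's code; the gateway address 10.0.0.2, the 10.0.0.0/24 internal addresses, the sample packets and the first-match, default-allow evaluation order are all assumptions made for illustration.

```python
"""Stateless packet filter modelling the lecture's router rules.
Added example, not the lecture's own code. Addresses, ports and packets
are constructed here for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
GATEWAY_ADDR = "10.0.0.2"   # assumed address of the application gateway (slide 4)


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving from the Internet, "out" = leaving the site
    proto: int            # IP protocol field (6 = TCP, 17 = UDP)
    src: str              # source IP address
    dst: str              # destination IP address
    sport: int = 0        # TCP/UDP source port
    dport: int = 0        # TCP/UDP destination port
    syn: bool = False     # TCP SYN bit
    ack: bool = False     # TCP ACK bit


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    action: str           # "deny" or "allow"


# Slide 3, Example 1. The stated effect ("all UDP flows and telnet connections
# are blocked") is expressed as two independent deny rules.
deny_all_udp = Rule("deny UDP (protocol 17)",
                    lambda p: p.proto == IP_PROTO_UDP, "deny")
deny_telnet = Rule("deny telnet (port 23 either side)",
                   lambda p: p.proto == IP_PROTO_TCP and 23 in (p.sport, p.dport), "deny")

# Slide 3, Example 2: an inbound TCP segment with ACK=0 is the first segment of
# a connection opened from outside; replies to inside-initiated connections
# carry ACK=1 and are let through.
deny_inbound_ack0 = Rule("deny inbound TCP ACK=0",
                         lambda p: p.direction == "in" and p.proto == IP_PROTO_TCP and not p.ack,
                         "deny")

# Slide 4, step 3: telnet leaving the site must originate at the gateway.
deny_telnet_not_from_gateway = Rule(
    "deny outbound telnet not from gateway",
    lambda p: (p.direction == "out" and p.proto == IP_PROTO_TCP
               and p.dport == 23 and p.src != GATEWAY_ADDR),
    "deny")

RULES_SLIDE3 = [deny_all_udp, deny_telnet, deny_inbound_ack0]
RULES_SLIDE4 = [deny_telnet_not_from_gateway, deny_inbound_ack0]


def filter_packet(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule wins. The lecture's router forwards whatever no rule
    blocks, hence the default of "allow"; pass default="deny" for a
    default-deny policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def explain(rules: List[Rule], p: Packet) -> List[str]:
    """Names of every rule that matches, useful when testing a rule set."""
    return [r.name for r in rules if r.matches(p)]


# Constructed sample traffic (not captured from any real network).
SAMPLES: Dict[str, Packet] = {
    "outbound DNS query (UDP)": Packet("out", IP_PROTO_UDP, "10.0.0.5", "198.51.100.1", 53000, 53),
    "inbound SYN to web server": Packet("in", IP_PROTO_TCP, "203.0.113.9", "10.0.0.80", 40000, 80, syn=True),
    "inbound SYN-ACK reply": Packet("in", IP_PROTO_TCP, "203.0.113.9", "10.0.0.5", 80, 40000, syn=True, ack=True),
    "telnet from internal host": Packet("out", IP_PROTO_TCP, "10.0.0.5", "203.0.113.9", 40001, 23, syn=True),
    "telnet from gateway": Packet("out", IP_PROTO_TCP, GATEWAY_ADDR, "203.0.113.9", 40002, 23, syn=True),
}


def evaluate_all(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under one rule set."""
    return {name: filter_packet(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("slide 3 rules", RULES_SLIDE3), ("slide 4 rules", RULES_SLIDE4)):
        print(label)
        for name, verdict in evaluate_all(rules).items():
            print(f"  {verdict:5}  {name}")
```

Running the block prints one verdict table per rule set. Under the slide 3 rules both telnet packets are denied, while under the slide 4 rules only the one not sent by the gateway is; that is the difference between blocking a service outright and forcing it through an application gateway. The inbound SYN-ACK passes in both cases, which is exactly the effect Example 2 describes.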

Slide 5: Limitations of firewalls and gateways
- IP spoofing: the router can't know if data "really" comes from the claimed source.
- If multiple applications need special treatment, each has its own application gateway.
- Client software must know how to contact the gateway.
  - e.g., must set the IP address of the proxy in the Web browser
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with the outside world vs. level of security.
- Many highly protected sites still suffer from attacks.

Slide 6: Reference material: Firewalls

Slide 7: Acknowledgements
Professor Insup Lee
- Department of Computer and Information Science
- University of Pennsylvania
- lee@cis.upenn.edu
- www.cis.upenn.edu/~lee

Slide 8: Why do we need firewalls?

Slide 9: (no text content)

Slide 10: (no text content)

Slide 11: [figure] BEFORE / AFTER (your results may vary)

Slide 12: What is a firewall?
- Two goals:
  - To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
  - To erect a barrier between an untrusted piece of software (your organization's public Web server) and the sensitive information that resides on your private network.
- Basic idea:
  - Impose a specifically configured gateway machine between the outside world and the site's inner network.
  - All traffic must first go to the gateway, where software decides whether to allow or reject it.

Slide 13: What is a firewall
- A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.
- The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

Slide 14: Firewalls DO
- Implement security policies at a single point
- Monitor security-related events (audit, log)
- Provide strong authentication
- Allow virtual private networks
- Have a specially hardened/secured operating system

Slide 15: Firewalls DON'T
- Protect against attacks that bypass the firewall
  - Dial-out from an internal host to an ISP
- Protect against internal threats
  - disgruntled employee
  - insider cooperates with an external attacker
- Protect against the transfer of virus-infected programs or files

Slide 16: Types of Firewalls
- Packet-Filtering Router
- Application-Level Gateway
- Circuit-Level Gateway
- Hybrid Firewalls

Slide 17: Packet Filtering Routers
Forward or discard an IP packet according to a set of rules. Filtering rules are based on fields in the IP and transport headers.

Slide 18: What information is used for the filtering decision?
- Source IP address (IP header)
- Destination IP address (IP header)
- Protocol type
- Source port (TCP or UDP header)
- Destination port (TCP or UDP header)
- ACK bit

Slide 19: Web Access Through a Packet Filter Firewall [figure; Stein]

Slide 20: Packet Filtering Routers: pros and cons
- Advantages:
  - Simple
  - Low cost
  - Transparent to user
- Disadvantages:
  - Hard to configure filtering rules
  - Hard to test filtering rules
  - Don't hide network topology (due to transparency)
  - May not be able to provide enough control over traffic
  - Throughput of a router decreases as the number of filters increases

Slide 21: Application Level Gateways (Proxy Server)

Slide 22: A Telnet Proxy

Slide 23: A sample telnet session

Slide 24: Application Level Gateways (Proxy Server)
- Advantages:
  - complete control over each service (FTP/HTTP...)
  - complete control over which services are permitted
  - strong user authentication (smart cards etc.)
  - easy to log and audit at the application level
  - filtering rules are easy to configure and test
- Disadvantages:
  - a separate proxy must be installed for each application-level service
  - not transparent to users

Slide 25: Circuit Level Gateways

Slide 26: Circuit Level Gateways (2)
- Often used for outgoing connections where the system administrator trusts the internal users.
- The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections.

Slide 27: Hybrid Firewalls
- In practice, many of today's commercial firewalls use a combination of these techniques.
- Examples:
  - A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
  - Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.

Slide 28: Firewall Configurations
- Bastion host
  - a system identified by the firewall administrator as a critical strong point in the network's security
  - typically serves as a platform for an application-level or circuit-level gateway
  - extra secure O/S, tougher to break into
- Dual-homed gateway
  - two network interface cards: one to the outer network and the other to the inner
  - a proxy selectively forwards packets
- Screened host firewall system
  - uses a network router to forward all traffic from the outer and inner networks to the gateway machine
- Screened-subnet firewall system

Slide 29: Dual-homed gateway

Slide 30: Screened-host gateway

Slide 31: Screened Host Firewall

Slide 32: Screened Subnet Firewall

Slide 33: Screened subnet gateway

Slide 34: Selecting a firewall system
- Operating system
- Protocols handled
- Filter types
- Logging
- Administration
- Simplicity
- Tunneling

Slide 35: Commercial Firewall Systems

Slide 36: Widely used commercial firewalls
- AltaVista
- BorderWare (Secure Computing Corporation)
- CyberGuard Firewall (CyberGuard Corporation)
- Eagle (Raptor Systems)
- Firewall-1 (Checkpoint Software Technologies)
- Gauntlet (Trusted Information Systems)
- ON Guard (ON Technology Corporation)

Slide 37: Firewall's security policy
- Embodied in the filters that allow or deny passage to network traffic.
- Filters are implemented as proxy programs.
  - Application-level proxies: one for a particular communication protocol, e.g., HTTP, FTP, SM. Can also filter based on IP addresses.
  - Circuit-level proxies: lower-level, general purpose programs that treat packets as black boxes to be forwarded or not. Only look at header information. Advantages: speed and generality; one proxy can handle many protocols.
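The contrast drawn on this slide, and earlier on slides 24 and 26, is easiest to see by putting the two kinds of proxy decision side by side on the same connection. The following is an added example written for this transcript, not the lecture's or any firewall product's code: it models a circuit-level check that looks only at addresses and ports, and an application-level HTTP check that additionally parses the request and applies a per-protocol policy. The policy sets (permitted destination, methods and Host values), the 10.0.0.0/24 internal prefix and the sample requests are assumptions made for illustration.

```python
"""Circuit-level vs. application-level proxy decisions on the same connection.
Added example, not the lecture's own code. Policy values, addresses and the
sample requests are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed site policy.
ALLOWED_DESTINATIONS = {("203.0.113.10", 80), ("203.0.113.10", 443)}
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int


def circuit_level_decision(conn: Connection) -> str:
    """Circuit-level proxy: the payload is a black box; only header fields
    (addresses, ports) decide, so any protocol can be relayed the same way."""
    if not conn.src_ip.startswith(INTERNAL_PREFIX):
        return "deny: source is not an internal client"
    if (conn.dst_ip, conn.dst_port) not in ALLOWED_DESTINATIONS:
        return "deny: destination not permitted"
    return "allow"


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal parse of an HTTP/1.1 request head into (method, target, headers).
    Raises ValueError on anything that is not a well-formed request head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")      # UnicodeDecodeError is a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def application_level_decision(conn: Connection, raw: bytes) -> str:
    """Application-level (HTTP) proxy: the circuit check still applies, then the
    request itself is parsed and checked against a protocol-specific policy."""
    verdict = circuit_level_decision(conn)
    if verdict != "allow":
        return verdict
    try:
        method, _target, headers = parse_http_request(raw)
    except ValueError as e:
        return f"deny: not a valid HTTP request ({e})"
    if method not in ALLOWED_METHODS:
        return f"deny: method {method} not permitted"
    if headers.get("host") not in ALLOWED_HOSTS:
        return "deny: host header not permitted"
    return "allow"


# Constructed sample traffic: one internal client, one permitted destination.
CONN = Connection("10.0.0.5", "203.0.113.10", 80)
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_REQ = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
OTHER_HOST = b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\x05hello"   # some non-HTTP bytes on port 80


def demo() -> Dict[str, str]:
    """Verdicts for the same connection under both proxy types."""
    return {
        "circuit: GET": circuit_level_decision(CONN),
        "circuit: POST": circuit_level_decision(CONN),
        "app: GET": application_level_decision(CONN, GET_REQ),
        "app: POST": application_level_decision(CONN, POST_REQ),
        "app: other host": application_level_decision(CONN, OTHER_HOST),
        "app: not http": application_level_decision(CONN, NOT_HTTP),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The circuit-level check returns the same answer for every request on the connection because it never reads the payload; that is what makes it fast and protocol-agnostic. The application-level check distinguishes GET from POST, a permitted Host from another, and HTTP from something else on the same port, at the price of needing a separate parser and policy for each protocol, which is the per-service proxy cost listed under the disadvantages on slide 24.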

Slide 38: Configure a Firewall (1)
- Outgoing Web Access
  - Outgoing connections through a packet filter firewall
  - Outgoing connections through an application-level proxy
  - Outgoing connections through a circuit proxy

Slide 39: Firewall Proxy
Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]

Slide 40: Configure a Firewall (2)
- Incoming Web Access
  - The "Judas" server
  - The "Sacrificial Lamb"
  - The "Private Affair" server
  - The doubly fortified server

Slide 41: The "Judas" Server (not recommended) [Stein]

Slide 42: The "sacrificial lamb" [Stein]

Slide 43: The "private affair" server [Stein]

Slide 44: Internal Firewall
An internal firewall protects the Web server from insider threats. [Stein]

Slide 45: Placing the sacrificial lamb in the demilitarized zone. [Stein]

Slide 46: Poking holes in the firewall
- If you need to support a public Web server but have no place to put it other than inside the firewall.
- Problem: if the server is compromised, then you are cooked.

Slide 47: Simplified Screened-Host Firewall Filter Rules [Stein]

Slide 48: Filter Rule Exceptions for Incoming Web Services [Stein]

Slide 49: Screened subnetwork
Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]

Slide 50: Filter Rules for a Screened Public Web Server [Stein]

