SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Transcription

1 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

2 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality or result in data corruption. A firewall may be a hardware device or a software system running on a host computer. In either case, it has at least two network interfaces, one for the network which it is trying to protect and the other for the network it is exposed to, such as the internet [1]. An Internet firewall examines all traffic routed between a given network and the internet to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A network firewall filters both inbound and outbound traffic. It is also capable of managing public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted [1]. Firewall Architectures: Firewalls traditionally operate by inspecting packet headers, and discarding packets with undesirable header information. When establishing an Internet firewall, the first thing one must decide is its basic architecture. There are two classes of firewall architectures, which are referred to as single layer and multiple layer architectures [2]. In a single layer architecture, a single firewall (or a host network with firewall functionality) is connected to all networks which we intend to protect (Figure 1). This architecture has the advantage of having all the firewall information on a single unit. The greatest disadvantage of this architecture is that a single implementation flaw or configuration error might cause firewall penetration [2]. Private network Firewall Internet Figure 1 In a multi-layer architecture, several firewall units (or hosts) are employed to achieve a greater level of protection. These hosts are typically connected in series, with DMZ networks between them [2]. The DMZ (Demilitarized Zone) network typically sits between the Internet and an internal network's line of defence, which is usually a combination of firewalls and supporting hosts. The most common method of securing a network using multi-layer architecture is illustrated in Figure 2. [3]. Private Network Firewall DMZ (web servers) firewall Internet Figure 2

3 Firewall Types: The four basic types of firewall are packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls. These types can be used separately or jointly and can be implemented on the same or on different firewall hosts. This report will look at the two most popular types of firewalls; Packet filters and application level gateways. It will also look at the TCP/IP layer on which the filtering takes place for each type of firewall. Packet Filters: Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router firewall. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. Figure 3 illustrates a packet filtering firewall in the TCP/IP architecture [1]. Figure 3: Packet Filtering Firewall [1] The advantage of packet filtering firewalls is their low cost and low impact on network performance. Other advantages are the simplicity, transparency to users and high speed of packet filters. The disadvantages of packet filtering firewalls include difficulty of setting up packet filter rules and lack of authentication [3].

4 Application Proxy: An application proxy acts as a relay of application-level traffic. It is an application program which runs on a firewall system between two networks. A client program which communicates though the firewall must first establish a connection directly to the proxy server. Upon success, two connections are established: one connection between the client and the proxy and the other between the proxy and the destination host. Henceforth, it is the proxy which makes all the packet forwarding decisions [1] Application level gateways can filter packets at the application layer of the OSI or TCP/IP model. Incoming or outgoing packets cannot access services for which there is no proxy. For example, an application level gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through. Since application proxy gateways examine packets at application layer, they can filter application specific commands such as http: post and get, etc. This cannot be accomplished with either packet filtering firewalls or circuit level gateways because they do not know anything about the application level information [1]. Application proxies are more secure than packet filters. They only need to scrutinize a few allowable applications and it is easy to log and audit all incoming traffic. Since there is additional processing overhead (more complex filtering and access control decisions) on each connection, application level proxies tend to be slower. Application proxies are not transparent to the end users and require manual configuration of each client computer. Figure 4 illustrates an Application proxy firewall in the TCP/IP architecture. Figure 4:Application Proxy [1]

5 References: - [1] Vicomsoft, - [2] - [3] Stephen Northcutt, 2002, Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems, Paperback