Content
12.1 Definition
12.2 Packet Filtering & Proxy Servers
12.3 Architectures - Dual-Homed Host Firewall
12.4 Architectures - Screened Host Firewall
12.5 Architectures - Screened Subnet Firewall
12.6 Examples

12.1 Definition

Def.: A firewall is any security system protecting the boundary of an internal network.
A bastion host is a computer system with strong security, as it is exposed to the outside world.

Tasks of a firewall:
- access control based on sender or receiver address
- access control based on services requested
- hiding the internal network, e.g. topology, addresses, etc.
- virus checking on incoming files
- authentication based on the source of traffic
- logging of Internet activities

Two fundamental mechanisms used by firewalls are
1. Packet filtering
2. Proxy servers
12.2 Packet Filtering & Proxy Servers

Placement of firewall components (figure: the three component types and the layer at which each sits, between the application processes of the two end systems):
(1) packet filter - network layer, in the internetworking device (intermediate system)
(2) circuit-level proxy - transport layer, in the intermediate system
(3) application-level proxy - application layer, in the intermediate system

Packet Filtering
Packet filtering can be based on the following information:
- source address
- destination address
- protocol
- connection (stateful inspection)
A packet filter behaves like a simple bridge. If it also provides routing functionality it is called a screening router.

Proxy Server
- controlled invocation: the proxy intercepts the client's request and decides whether it is permitted according to its security rules; if so, the request is passed on to the real service
- the proxy server is the only entity seen by the outside world
- appears transparent to the internal users
- can apply protocol-specific access rules, and perform access control based on user identities and on packet contents
- a proxy server is needed for each service to be protected
12.2.1 Proxy Servers

Application Level Proxy
- works at the application layer
- the application gateway is the only system reachable from the outside
- the application gateway provides a proxy for each service to be used (e.g. SMTP, FTP, HTTP)
- dual-homed, i.e. complete control over packets transmitted between the internal and external network
- the user has to authenticate to the gateway before using the service
- the gateway is the communication partner of the source, not the real destination

Circuit Level Proxy
- works at the transport layer
- a service for which no application level proxy is available can use a circuit level proxy for communication via the application gateway
- generic proxy which can be used with several services
- the relationship is n:1, i.e. the proxy allows several clients to communicate with one server on the other side, as the communication is addressed via the port number of the port relay

12.2.2 Communication via Application Level Proxy
Message sequence between Source, Application Proxy and Destination (figure):
1. Source - Proxy: connection establishment
2. Source - Proxy: user authentication
3. Proxy - Destination: connection establishment
4. Data transfer (relayed by the proxy between the two connections)
5. Connection termination
12.2.3 SOCKS

SOCKS
- standardised environment for the transparent and secure use of firewalls
- intercepts TCP and UDP connection requests and transforms them into the SOCKS format
- communication via SOCKS is restricted to the communication between SOCKS client and SOCKS server (tunnel)
- the tunnel defines a security association and provides authentication, confidentiality and integrity
- combines possibilities of circuit level and application level proxies
- SOCKS requires modifications of the client
Protocol stack of a SOCKS client (figure): Application Layer / SOCKS Layer / Transport Layer / Network Layer / Link Layer, i.e. the SOCKS layer is inserted between the application and the transport layer.

12.2.4 Pros and Cons

Packet Filtering
+ simplicity
+ low cost
- correctly specifying packet filters is a difficult and error-prone process
- reordering packet filter rules makes correctly specifying rules even more difficult (rules are evaluated in order and the first match wins, so the same rules in a different order express a different policy)

Proxy Servers
+ user authentication
+ application protocol control
+ logging
+ accounting
- a proxy is needed for each application protocol
- circuit level proxies are usually not able to scan application data
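The "SOCKS format" the slide refers to, worked through for SOCKS version 5 (RFC 1928) as an added example that is not part of the lecture: the client's method-selection greeting, the server's choice, the CONNECT request the client sends for a TCP connection, and the reply the relay returns after checking its rules, which is where the circuit level proxy's access decision happens. The version, the username/password method (RFC 1929), the policy table `allowed` and the bound address in the reply are assumptions or constructed values.

```python
"""SOCKS5 (RFC 1928) negotiation and CONNECT request, with both sides' messages.

Added example, not code from the lecture. Assumptions: SOCKS version 5 (the slide
names no version), a server that only accepts the username/password method of
RFC 1929, and a constructed policy table of permitted destinations.
"""
import ipaddress
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def build_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS (one byte per offered method)."""
    return bytes([VER, len(methods), *methods])


def choose_method(greeting, server_methods=(METHOD_USERPASS,)):
    """Server -> client: VER | METHOD; 0xFF tells the client nothing was acceptable."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for m in server_methods:          # the server's preference order decides
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE])


def _encode_addr(host):
    """ATYP | ADDR for an IPv4/IPv6 literal or a length-prefixed domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def build_connect(host, port):
    """Client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    return bytes([VER, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_request(req):
    """Parse a client request; returns (cmd, host, port) or raises ValueError."""
    if len(req) < 5 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    elif atyp == ATYP_DOMAIN:
        start, end = 5, 5 + req[4]
    else:
        raise ValueError("unknown address type")
    if len(req) != end + 2:              # reject truncated requests and trailing bytes
        raise ValueError("length mismatch")
    if atyp == ATYP_DOMAIN:
        host = req[start:end].decode("idna")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(req[start:end]))
    else:
        host = str(ipaddress.IPv6Address(req[start:end]))
    port = struct.unpack("!H", req[end:end + 2])[0]
    return cmd, host, port


def build_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Server -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return bytes([VER, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def handle_request(req, allowed):
    """Relay side: honour the CONNECT only if (host, port) is in the policy table."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_UNSUPPORTED)
    if (host, port) not in allowed:
        return build_reply(REP_NOT_ALLOWED)     # "connection not allowed by ruleset"
    # A real relay would now open host:port and report the socket it bound;
    # the bound address used here is constructed.
    return build_reply(REP_OK, "144.254.1.2", 40000)


def run_exchange(host, port, allowed):
    """Full exchange for one CONNECT; returns the message list and the reply code."""
    greeting = build_greeting([METHOD_NO_AUTH, METHOD_USERPASS])
    selection = choose_method(greeting)
    # the RFC 1929 username/password sub-negotiation would run here, after selection
    request = build_connect(host, port)
    reply = handle_request(request, allowed)
    msgs = [("C->S", greeting), ("S->C", selection), ("C->S", request), ("S->C", reply)]
    return msgs, reply[1]


if __name__ == "__main__":
    policy = {("example.com", 443), ("144.254.1.3", 80)}   # constructed rule set
    for direction, msg in run_exchange("example.com", 443, policy)[0]:
        print(direction, msg.hex())
```

The request carries the destination as an address type plus address, so a relay can apply its rules to a host name before any DNS resolution, and the reply code 0x02 is how the relay tells the client that the rule set, not the network, refused the connection. The strict length check in `parse_request` is deliberate: a relay that tolerates trailing bytes lets a client smuggle data that the first packet's rules never saw.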
12.3 Architectures - Dual-Homed Host Firewall

Dual-Homed Host Firewall
- machine with two network interfaces
- routes packets and processes them according to its security rules
- all-in-one firewall, as it can provide packet filtering and proxy servers
- clients on the internal network can access services on the Internet either by using a proxy server in the firewall or by logging on to the firewall directly (the latter gives users accounts on the firewall itself and weakens it)
(Figure: Internet - Dual-homed host - Internal network)

12.4 Architectures - Screened Host Firewall

Screened Host Firewall
- consists of a screening router and a bastion host on the internal network
- the screening router performs packet filtering and provides the interface to the Internet
- the screening router sends all permitted incoming traffic to the bastion host, where a further access control decision can be made before packets are forwarded
- the screening router accepts internal packets only from the bastion host
(Figure: Internet - Screening router - Internal network, with the Bastion host on the internal network)
12.5 Architectures - Screened Subnet Firewall

Screened Subnet Firewall
- combines traits of the previous two approaches
- a peripheral network, called demilitarised zone (DMZ), is placed between the internal network and the Internet
- screening router between the Internet and the peripheral network
- dual-homed host firewall between the peripheral and the internal network; applies more complex policies governing the internal users
- the peripheral network is a suitable location for non-sensitive hosts accessible to the outside world (e.g. web server)

12.5 Architectures - Screened Subnet Firewall (cont.)
(Figure: Internet - Screening router - Peripheral network (DMZ), with the Web server on it - Firewall - Internal network)
12.6.1 Example: IP Access List

Criteria:
- allow all incoming TCP traffic if the session was initiated within the internal corporate network
- allow FTP control and FTP data traffic to the FTP server with the address 144.254.1.4
- allow HTTP traffic to the Web server with the address 144.254.1.3
- deny all other traffic from entering the corporate network
- log all access list violations

Access list (Cisco IOS syntax), applied inbound on the Internet-facing interface:

    access-list 101 permit tcp any any established
    access-list 101 permit tcp any host 144.254.1.4 eq ftp
    access-list 101 permit tcp any host 144.254.1.4 eq ftp-data
    access-list 101 permit tcp any host 144.254.1.3 eq www
    access-list 101 deny ip any any log
    !
    interface Serial0/0
     description to the Internet
     ip address 161.71.73.33 255.255.255.248
     ip access-group 101 in

The list is evaluated top to bottom and the first matching entry wins; every IOS access list ends with an implicit deny, so the explicit "deny ip any any log" exists only to log the violations. Two caveats: "established" matches any TCP segment with the ACK or RST flag set and keeps no connection table, so it is not stateful inspection and lets an outside host send ACK-only segments to any internal address and port; and the ftp-data entry only accounts for active-mode FTP (data connection on server port 20), while passive-mode data connections use ephemeral server ports that this list does not permit.
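The access list above, evaluated the way the screening router evaluates it (first match wins, implicit deny at the end), as an added Python example that is not part of the lecture. The parser handles only the keywords the slide uses (any, host, eq, established, log); the packet representation and the sample packets are constructed, and the `established` semantics (ACK or RST flag set, no connection tracking) are the documented Cisco IOS behaviour.

```python
"""First-match evaluation of the slide's access list 101 (added example, not from the lecture).

Assumptions: packets are plain dicts, TCP flags a set of flag names, only the keywords
the slide uses are parsed (any, host, eq, established, log), `established` matches any
TCP segment carrying ACK or RST, and an unmatched packet hits the implicit deny.
"""
import ipaddress

# The slide's access list; the '!' separator and interface lines are skipped by the parser.
ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 144.254.1.4 eq ftp
access-list 101 permit tcp any host 144.254.1.4 eq ftp-data
access-list 101 permit tcp any host 144.254.1.3 eq www
access-list 101 deny ip any any log
!
interface Serial0/0
 ip access-group 101 in
"""

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80}


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("only 'any' and 'host' address forms are supported here")


def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port] [established] [log]' lines into rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue                     # separators and interface config are not rules
        _, number, action, proto, *rest = parts
        rule = {"number": number, "action": action, "proto": proto,
                "dport": None, "established": False, "log": False}
        rule["src"], rest = _parse_addr(rest)
        rule["dst"], rest = _parse_addr(rest)
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                name = rest.pop(0)
                rule["dport"] = PORT_NAMES.get(name) or int(name)
            elif tok == "established":
                rule["established"] = True
            elif tok == "log":
                rule["log"] = True
            else:
                raise ValueError(f"unsupported keyword {tok!r}")
        rules.append(rule)
    return rules


def evaluate(rules, pkt):
    """Walk the list top to bottom; return (action, index of matching rule or None, log?)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    flags = pkt.get("flags", set())
    for idx, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        if r["established"] and not (flags & {"ACK", "RST"}):
            continue                     # only the flag bits are checked, no connection table
        return r["action"], idx, r["log"]
    return "deny", None, False           # implicit deny at the end of every IOS access list


# Constructed sample packets arriving inbound on Serial0/0.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "144.254.1.3", "dport": 80, "flags": {"SYN"}},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "144.254.1.3", "dport": 443, "flags": {"SYN"}},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "144.254.1.10", "dport": 1025, "flags": {"ACK"}},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "144.254.1.10", "dport": 22, "flags": {"ACK"}},
    {"proto": "udp", "src": "203.0.113.9", "dst": "144.254.1.3", "dport": 53},
]


def run_samples(rules=None):
    """Evaluate the sample packets; returns the list of (action, rule index, logged)."""
    rules = rules if rules is not None else parse_acl(ACL_101)
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], pkt.get("dport"), verdict)
```

The fourth sample packet, an ACK-only segment to port 22 of an internal host that no inside client ever contacted, is permitted by the first entry: that is the gap the "established" keyword leaves, because it inspects flag bits rather than whether the session was really initiated from inside. Swapping the order of the entries changes the verdicts, which is the reordering problem listed under the cons of packet filtering.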
12.6.1 Example: Packet Filter Flowchart

Filter algorithm (flowchart):
1. Receive packet
2. Parse protocol headers
3. Apply next filter rule
4. Ok to forward? If yes: forward packet, done
5. Need to block? If yes: block packet, done
6. Last filter rule? If no: back to step 3; if yes: the list is exhausted and the algorithm ends

12.6.2 Example: Protection against Flooding
(Figure: message sequence between Client and Server for normal TCP connection establishment, beside the sequence during a flooding attack)

12.6.2 Example: Protection against Flooding (cont.)
(Figure: message sequence between External Host, Firewall and Internal Host, steps 1. and 2.)