Gateways and Firewas 1 Gateways and Firewas Prof. Jean-Yves Le Boudec Prof. Andrzej Duda ICA, EPFL CH-1015 Ecubens http://cawww.epf.ch
Gateways and Firewas Firewas 2 o architecture separates hosts and routers network = packet transportation ony private networks may want more protection access contro one component is a firewa o definition: a firewa is a system that separates from : a traffic must go through firewa ony authorized traffic may go through firewa itsef cannot be penetrated o Components of a firewa fitering router appication or transport gateway
Gateways and Firewas Fitering Routers 3 o A router sees a packets and may do more than packet forwarding as defined by IP fitering rues based on : port numbers, protoco type, contro bits in TCP header (SYN packets) o Exampe fitering router prot srce addr dest addr srce dest action port port 1 tcp * 198.87.9.2 >1023 23 permit 2 tcp * 198.87.9.3 >1023 25 permit 3 tcp 129.132.100.7 198.87.9.2 >1023 119 permit 4 * * * * * deny The exampe show 4 rues appied to the ports shown - rue 1 aows tenet connections from the outside to the machine 198.87.9.2 - rue 2 aows emai to be sent to machine 198.87.9.3 - rue 3 aows news to be sent to machine 198.87.9.2, but ony from machine 129.132.100.7 - rue 4 forbids a other packets. Designing the set of rues empoyed in a firewa is a compex task; the set shown on the picture is much simper than a rea configuration. Packet fitering aone offers itte protection because it is difficut to design a safe set of rues and at the same time offer fu service to the users.
Gateways and Firewas Appication Layer Gateways 4 o Appication ayer gateway is a ayer 7 intermediate system normay not used according to the architecture but mainy used for access contro aso used for interworking issues o Principe: proxy principe: viewed by cient as a server and by server as a cient supports access contro restrictions, authentication, encryption, etc A 1 GET xxx.. 2 GET xxx.. cient 4 data server gateway ogic cient 3 data B server Gateway 1. User at A sends an request. It is not sent to the fina destination but to the appication ayer gateway. This resuts from the configuration at the cient. 2. The gateway checks whether the transaction is authorized. Encryption may be performed. Then the request is issued again from the gateway to B as though it woud be originating from A. 3. A response comes from B, probaby under the form of a MIME header and data. The gateway may aso check the data, possiby decrypt, or reject the data. 4. If it accepts to pass it further, it is sent to A as though it woud be coming from B. Appication ayer gateways can be made for a appication eve protocos. They can be used for access contro, but aso for interworking, for exampe between IPv4 and IPv6.
Gateways and Firewas Transport Gateway o Simiar to appication gateways but at the eve of TCP connections independent of appication code requires cient software to be aware of the gateway 5 A 1 :1080 SYN ACK connection reay request to B :80 2 3 Transport Gateway (SOCKS Server) SYN ACK :80 SYN B OK SYN ACK ACK 4 1 GET xxx.. data reay data The transport gateway is a ayer 4 intermediate system. The exampe shows the SOCKS gateways. SOKCS is a standard being defined by the IETF. 1. A opens a TCP connection to the gateway. The destination port is the we known SOCKS server port 1080. 2. A requests from the SOCKS server the opening of a TCP connection to B. A indicates the destination port number (here, 80). The SOCKS server does various checks and accepts or rejects the connection request. 3. The SOCKS server opens a new TCP connection to B, port 80. A is informed that the connection is opened with success. 4. Data between A and B is reayed at the SOCKS server transparenty. However, there are two distinct TCP connections with their own, distinct ack and sequence numbers. Compared to an appication ayer gateway, the SOCKS server is simper because it is not invoved in appication ayer data units; after the connection setup phase, it acts on a packet by packet eve. Its performance is thus higher. However, it requires the cient side to be aware of the gateway: it is not transparent. Netscape and Microsoft browsers support SOCKS gateways.
Gateways and Firewas Typica Firewas Designs 6 o An appication / transport gateway aone can be used as firewa if it is the ony border between two networks Firewa = one dua homed gateway o A more genera design is one or more gateways isoated by fitering routers R1 R2 Firewa = gateways + sacrificia subnet The simpe firewa made of one host is an efficient soution, reativey simpe to monitor. It is typicay made of a Unix workstation with two interfaces (often: Linux). Care must be taken to disabe IP packet forwarding, otherwise, the station works as a router. This simpe soution is a singe point of faiure and a traffic botteneck. Large s need a mores eaborate soution, as shown on the figure. The fitering routers force a traffic to go through the coection of gateways, by forbidding any traffic not destined to one of the gateways. Attacks are sti possibe, but ony gateways need to be cosey monitored.
Gateways and Firewas Facts to Remember 7 o The simpe architectures can be combined to address various rea ife needs connection oriented networks such as Frame Reay, ATM and X.25 are used to interconnect routers or even hosts, in competition or by compementing the native IP method appication or transport gateways are introduced to satisfy security or interworking needs routers perform packet processing not ony based on destination address but aso other protoco information visibe in the packets.