1

Lecture 20: Firewalls• motivation• ingredients

– packet filters– application gateways– bastion hosts and DMZ

• example firewall design• using firewalls – virtual private networks• problems with firewalls

the pictures are from “Cryptography and Network Security” by William Stallings

2

Why Firewalls

• a firewall is a security located between the private network and the Internet regulating traffic between two networks

• reasons– eliminate unwanted traffic inside the private network – hard/expensive to enforce end-to-end security

• users on the inside do not have to concern with security• a number of “standard” programs are a potential security risk

and turned on by default:finger, telnet, rlogin/rsh, X Windows, ICMP

– convenient point to combine security with unrelated services like NAT (what’s that?)

3

Packet Filtering Router• router applies a set of rules on the fields of the header of (typically

incoming) IP packet and either lets it through or discards it• rules examine the fields and prescribe the action (allow or discard)• fields to use

– source/destination IP address– transport layer protocol: port number (which defines the application

telnet, ftp, web, etc)– interface (router has many)

• can be– stateless – examines each packet individually– stateful – takes communication context into account: some outside

packets are allowed to proceed if the inside and outside machine are in active communication

• attacks and countermeasures– IP address spoofing – attacker puts IP address of the internal host:

drop the packets with internal IP coming from external interface– source routing – origin is internal address: what’s the countermeasure?

4

Stateless Packet FilterTable Example

A and C : only mail allowed

B: everything blocked

D: outside ACKs allowed

5

Packet Filtering Router

• blah

6

Application Level Gateway

• (also called proxy server)– connections outside are allowed only through

proxy– internal host contact proxy, requests connection

with the outside, after authenticating the user and if it is configured to provide service for this type of connection (ftp, web, telnet, etc.) proxy relays packets to the outside

• adv: easy to monitor traffic and configure security, only allow allow traffic of specified kind

• disadv: additional processing time and connection delays

7

Bastion Host and DMZ

• bastion host – a secured machine that is allowed external access– must be made made secure: runs secure

versions of the OS, inessential services are disabled, authentication before initiating connection, logs auditing and traffic information

– implements application-level gateway• DMZ (demilitarized zone) – the portion of the

network where (partially screened) external traffic is allowed – usually contains the bastion host

8

FirewallSetup

Examples• the combination of

packet filtering and application layer gateway makes firewall more effective

• multiple layers of defense protect against the compromise of one router/gateway– multiple routers

allow NAT-based network hiding

9

Tunneling and VPNs• tunnel – a point-to-point connection over which the

communication takes of machines (not located at the endpoints of this connection) takes place

• secure tunnel can be used to connect several parts of network of the same organization over (insecure) internet– such configuration is called virtual private network

• Alice (in one portion of the network) sends an IP packet to Bob (in another), When the packet reaches Alice’s gateway, the gateway tunnels the packet to Bob’s gateway– IPsec is frequently used for this purpose, how?

10

Problems with Firewalls• firewalls without end-to-end security are not ideal

– they do not protect from the attack from the inside (what kind of attack?)

– once the security has been breached the network is vulnerable

– firewall usually lets email and web traffic through and a number of attacks can be launched through that (think which?)

– users are inconvenienced and think of ways of bypassing the security

• IP over HTTP (why is that a threat)?