426_fall06_lect24.ppt
TRANSCRIPT
Computer Security CS 426
Lecture 24
Firewalls (most slides taken from Prof. Peng Ning’s slides on Network Security at NCSU)
CS426 Fall 2006/Lecture 24 2
Outline
• What are firewalls?
• Types
  – Filtering
    • Packet filtering
    • Session filtering
  – Proxy
    • Circuit level
    • Application level
• Brief introduction to personal firewalls
What is a firewall?
• Device that provides secure connectivity between networks (internal/external; varying levels of trust)
• Used to implement and enforce a security policy for communication between networks
[Diagram: the firewall sits at the router between the trusted networks (intranet, trusted users) and the untrusted networks and servers (Internet, untrusted users); a DMZ holds the publicly accessible servers and networks]
Firewalls
• From Webster’s Dictionary: a wall constructed to prevent the spread of fire
• Internet firewalls are more the moat around a castle than a building firewall
• Controlled access point
Firewalls can:
• Restrict incoming and outgoing traffic by IP address, ports, or users
• Block invalid packets
Convenient (other things a firewall can do)
• Give insight into the traffic mix via logging
• Network Address Translation
• Encryption
Firewalls Cannot Protect…
• Traffic that does not cross it
  – Routing around it (any second path into the network that bypasses the firewall)
  – Internal traffic (host to host inside the protected network)
• When misconfigured
[Diagram: access control at the firewall between the Internet, a DMZ net holding the web server pool, and the corporate network; the firewall raises alerts on blocked attempts]
Security Requirements
• Control access to network information and resources
• Protect the network from attacks
Filtering
• Filtering firewalls typically route packets
• Each packet is checked against the policy, then passed (or dropped)
• Whether a packet is inbound or outbound affects when (on which interface) the policy is checked
[Diagram: client and server on either side of the filtering router]
Filtering
• Packet filtering
  – Access Control Lists
• Session filtering (several vendor names for the same idea)
  – Dynamic packet filtering
  – Stateful inspection
  – Smart packet filtering
  – Context Based Access Control
Packet Filtering
• Decisions made on a per-packet basis
• No state information saved
More about networking: port numbering
• TCP connection
  – Server port is normally a well-known number below 1024
  – Client port is an ephemeral number above 1023 (port numbers are 16 bits, so up to 65535)
• Permanent assignment
  – Ports < 1024 are assigned permanently (well-known ports)
    • 20, 21 for FTP; 23 for Telnet
    • 25 for SMTP servers; 80 for HTTP
• Variable use
  – Ports > 1023 must be available for a client to make a connection
  – This is the limitation of stateless packet filtering
    • If a client picks port 2048, the firewall must allow incoming traffic to port 2048, because without state it cannot tell the server’s reply from an unsolicited packet aimed at that port
Typical Configuration (packet filtering)
• Ports above 1023 left open
• If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work
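The high-port problem above, as an added example (not code from the lecture): a stateless first-match ACL in Python. The addresses, rule set and packets are constructed for illustration. The inbound rule uses the classic "established" trick of requiring the ACK flag, which blocks bare SYNs but, as the `ack_scan` packet shows, cannot distinguish a crafted ACK from a real reply to the client's ephemeral port.

```python
"""Stateless packet filter: an ordered ACL evaluated per packet, with no memory.

Added example, not from the lecture. Addresses, rules and packets are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (Internet -> intranet) or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    direction: str
    src: str              # CIDR or "any"
    sport: range
    dst: str              # CIDR or "any"
    dport: range
    ack_required: bool = False   # the classic "established" keyword

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if p.sport not in self.sport or p.dport not in self.dport:
            return False
        if self.ack_required and "ACK" not in p.flags:
            return False
        return True


def decide(acl, p: Packet, default: str = "deny") -> str:
    """First matching rule wins; fall through to the default (deny)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


HIGH_PORTS = range(1024, 65536)       # ephemeral client ports
INTRANET = "10.0.0.0/8"               # assumed internal address block

# Policy: inside clients may browse the web; replies must be let back in.
# Because nothing is remembered per connection, the inbound rule has to open
# every high port to every outside host claiming source port 80; requiring
# ACK only keeps out bare SYNs (connection attempts), not crafted packets.
ACL = [
    Rule("permit", "out", INTRANET, HIGH_PORTS, "any", range(80, 81)),
    Rule("permit", "in", "any", range(80, 81), INTRANET, HIGH_PORTS, ack_required=True),
]


def demo() -> dict:
    client = "10.1.2.3"
    web = "198.51.100.7"
    attacker = "203.0.113.9"
    pk = {
        # client picks ephemeral port 2048 and connects out to a web server
        "client_syn": Packet("out", client, 2048, web, 80, frozenset({"SYN"})),
        # the server's SYN/ACK back to port 2048 must be permitted
        "server_reply": Packet("in", web, 80, client, 2048, frozenset({"SYN", "ACK"})),
        # unsolicited SYN from outside to port 2048: stopped by ack_required
        "unsolicited_syn": Packet("in", attacker, 80, client, 2048, frozenset({"SYN"})),
        # an "ACK scan" sourced from port 80 with ACK set looks exactly like a
        # reply, so the stateless filter lets it through to port 2048
        "ack_scan": Packet("in", attacker, 80, client, 2048, frozenset({"ACK"})),
    }
    return {name: decide(ACL, p) for name, p in pk.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Run it and the `ack_scan` verdict is "permit": that is precisely the hole the lecture is pointing at, and the reason the next slides move to session filtering.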
[Diagram: the packet filter runs in the router at the network layer, between two endpoints that each have a full OSI stack (application, presentation, session, transport, network, data link, physical)]
Session Filtering
• Packet decision made in the context of a connection
• If packet is a new connection, check against security policy
• If packet is part of an existing connection, match it up in the state table & update table
Typical Configuration (session filtering)
• All traffic denied unless specifically allowed
• Dynamic protocols (FTP, H.323, RealAudio, etc.) allowed only if the firewall has support for that protocol
[Diagram: session filtering runs in the router between the two endpoints’ OSI stacks and keeps dynamic state tables]
Dynamic State Tables
• Screen ALL attempts, protect all applications
• Extract and maintain ‘state’ information
• Make an intelligent security / traffic decision
Session Filtering: FTP (active mode)
[Diagram: FTP client using ports 5150 (command) and 5151 (data); FTP server using ports 21 (command) and 20 (data)]
• Client opens the command channel from its port 5150 to server port 21 and tells the server its second port number: “PORT 5151”
• Server acknowledges: “OK”
• Server opens the data channel from its port 20 to the client’s second port, 5151
• Client acknowledges (TCP ACK)
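The exchange above, worked through as an added example (not code from the lecture): a session filter that keeps a connection table, admits only SYNs for new connections, and has an FTP helper that watches the command channel for PORT and opens a one-shot pinhole for the server’s inbound data connection. The PORT command is shown in its real wire form (`h1,h2,h3,h4,p1,p2`, port = p1·256 + p2, so 5151 is `20,31`); the slide’s “PORT 5151” is the same thing abbreviated. Addresses, packets and the policy are constructed; the helper also refuses a PORT naming a third-party host, which is how real helpers avoid opening holes to arbitrary addresses.

```python
"""Session (stateful) filter with a connection table and an FTP helper that
opens a one-shot pinhole for the active-mode data channel.

Added example, not from the lecture; packets and addresses are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    payload: bytes = b""


# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" where port = p1*256 + p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class SessionFilter:
    def __init__(self, allowed_new):
        # (direction, dport) pairs for which a NEW connection may be opened
        self.allowed_new = set(allowed_new)
        self.table = {}          # (src, sport, dst, dport) -> state
        self.pinholes = set()    # (expected src, expected dst, dport) for inbound data channels

    @staticmethod
    def _keys(p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd, rev

    def decide(self, p: Packet) -> str:
        fwd, rev = self._keys(p)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            # Part of a known connection: update state and let it through.
            if "ACK" in p.flags:
                self.table[key] = "ESTABLISHED"
            if "FIN" in p.flags or "RST" in p.flags:
                del self.table[key]
            self._inspect_ftp(p)
            return "permit"
        # Unknown 4-tuple: only a bare SYN can start a connection. A stray ACK
        # (e.g. an ACK scan) has no context and is dropped.
        if "SYN" not in p.flags or "ACK" in p.flags:
            return "deny"
        hole = (p.src, p.dst, p.dport)
        if (p.direction, p.dport) in self.allowed_new or hole in self.pinholes:
            self.pinholes.discard(hole)   # one-shot
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"

    def _inspect_ftp(self, p: Packet):
        # Only the client->server command channel (server port 21) carries PORT.
        if p.dport != 21:
            return
        m = PORT_RE.search(p.payload)
        if not m:
            return
        host = ".".join(m.group(i).decode() for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Refuse to open a hole to a third party: the address in PORT must be
        # the client that sent the command.
        if host != p.src:
            return
        # Expect the server (p.dst) to connect in to client host:port.
        self.pinholes.add((p.dst, host, port))


def demo() -> dict:
    client, server, attacker = "10.1.2.3", "198.51.100.7", "203.0.113.9"
    fw = SessionFilter(allowed_new={("out", 21), ("out", 80)})
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    r = {}
    # 1. client opens the command channel 5150 -> 21; server answers
    r["cmd_syn"] = fw.decide(Packet("out", client, 5150, server, 21, syn))
    r["cmd_synack"] = fw.decide(Packet("in", server, 21, client, 5150, synack))
    # 2. client announces data port 5151 = 20*256 + 31
    r["port_cmd"] = fw.decide(Packet("out", client, 5150, server, 21, ack, b"PORT 10,1,2,3,20,31\r\n"))
    # 3. server opens the data channel 20 -> 5151 (inbound 5151 is not in
    #    allowed_new, so this only passes because of the pinhole)
    r["data_syn"] = fw.decide(Packet("in", server, 20, client, 5151, syn))
    # Anyone else trying the same ports is a different 4-tuple with no pinhole
    r["attacker_data_syn"] = fw.decide(Packet("in", attacker, 20, client, 5151, syn))
    # The ACK scan that a stateless filter lets through is dropped here
    r["ack_scan"] = fw.decide(Packet("in", attacker, 80, client, 2048, ack))
    # PORT naming another host opens no hole
    r["bounce_port_cmd"] = fw.decide(Packet("out", client, 5150, server, 21, ack, b"PORT 192,0,2,10,0,25\r\n"))
    r["bounce_data_syn"] = fw.decide(Packet("in", server, 20, "192.0.2.10", 25, syn))
    return r
```

Real implementations add timeouts to both the table and the pinholes, track sequence numbers, and reassemble the command stream before matching (a PORT split across two segments would slip past this naive search); the structure, though, is the one the lecture describes: new connection versus known connection, with protocol-aware helpers for the dynamic cases.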
Proxy Firewalls
• Relay for connections: Client ↔ Proxy ↔ Server
• Two flavors
  – Application level
  – Circuit level (not application specific)
Application Gateways
• Understands specific applications
  – Limited set of proxies available
  – Proxy ‘impersonates’ both sides of the connection
• Resource intensive
  – One process per connection
• HTTP proxies may cache web pages
Application Gateways
• More appropriate to TCP; ICMP is difficult
• Block all unless specifically allowed
• Must write a new proxy application to support a new protocol
  – Not trivial!
Application Gateways
• Clients configured for proxy communication
• Transparent proxies (traffic is redirected to the proxy without client configuration)
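The difference between the two proxy flavours, as an added example (not code from the lecture): a circuit-level decision that sees only the requested endpoint, beside an application-level decision that parses the HTTP request, applies policy to method and host, and rebuilds the request it sends onward rather than relaying the client’s bytes. The requests, allowed host and policy are constructed; the parser is deliberately minimal and covers only what the example needs.

```python
"""Circuit-level vs application-level proxy decisions.

Added example, not from the lecture. The requests, hosts and policy below are
constructed for illustration.
"""


def circuit_level_decide(dst_port: int, allowed_ports=(80, 443)) -> str:
    """A circuit-level proxy (SOCKS-style) relays bytes between two TCP
    connections. It knows the endpoint the client asked for, not the
    application protocol, so it can only filter on address and port."""
    return "relay" if dst_port in allowed_ports else "refuse"


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def application_level_decide(raw: bytes, allowed_hosts, allowed_methods=(b"GET", b"HEAD")):
    """An application gateway terminates the client's connection, parses the
    protocol, applies policy to what it understands, then speaks to the server
    itself with a freshly built request ("impersonates both sides").
    Returns (verdict, request_to_send)."""
    try:
        method, target, version, headers, body = parse_http_request(raw)
    except ValueError:
        return "refuse", None          # anything the proxy cannot parse is not forwarded
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return "refuse", None
    host = headers.get(b"host")
    if host is None or host not in allowed_hosts or method not in allowed_methods:
        return "refuse", None
    if not target.startswith(b"/") or b".." in target:
        return "refuse", None
    # Rebuild rather than relay: only known-good headers reach the server, and
    # the server sees the proxy, not the client, as its peer.
    rebuilt = b"%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (method, target, host)
    return "forward", rebuilt


def demo() -> dict:
    allowed = {b"www.example.com"}
    get = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: secret=1\r\n\r\n"
    post = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n\r\ndata"
    other_host = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
    not_http = b"SSH-2.0-OpenSSH\r\n"        # something else tunnelled over port 80
    reqs = {"get": get, "post": post, "other_host": other_host, "not_http": not_http}
    return {
        name: {
            "circuit": circuit_level_decide(80),      # all four arrive on port 80
            "application": application_level_decide(r, allowed)[0],
        }
        for name, r in reqs.items()
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:11s} circuit={verdicts['circuit']:7s} application={verdicts['application']}")
```

All four requests arrive on port 80, so the circuit-level proxy relays every one of them; only the application gateway can refuse the POST, the request for a non-allowed host, and the non-HTTP stream. The price is exactly what the slides list: a parser and policy per protocol, and a process (here a function) that must understand each one.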
[Diagram: the application gateway has a full OSI stack of its own and runs a separate proxy per protocol (Telnet, FTP, HTTP) between the two endpoints’ stacks]
Personal Firewalls
• Running on one PC, controlling network access– Windows firewall, iptables (Linux), ZoneAlarm, etc.
• Typically determines network access based on application programs
• Typically block most incoming traffic, harder to define policies for outgoing traffic
• Can be bypassed/disabled if host is compromised
Coming Attractions …
• November 21: – Web Browser Security