Theory and Design of Network Security - PowerPoint PPT Presentation
Provided by: can73

1
Theory and Design of Network Security
  • Part II System Security
  • Unit 5 Firewalls

2
Reference
  • William Stallings. Cryptography and Network
    Security: Principles and Practice, 4th ed.
    Prentice Hall, 2005.
  • Eric Maiwald. Fundamentals of Network Security.
    McGraw-Hill Technology Education, 2004.

3
Firewall
  • Firewall characteristics
  • All traffic from inside to outside, and vice
    versa, must pass through the firewall
  • Only authorized traffic will be allowed to pass
  • The firewall itself is immune to penetration

4
General Techniques
  • Service control
  • Direction control
  • User control
  • Behavior control

5
Scope of a firewall
  • A single choke point
  • Keeps unauthorized users out of the protected
    network
  • Prohibits potentially vulnerable services from
    entering or leaving the network
  • Provides protection from various kinds of IP
    spoofing and routing attacks
  • Provides a location for monitoring
    security-related events
  • A convenient platform for several Internet
    functions that are not security related (e.g.
    NAT, logging of Internet usage)
  • Serves as a platform for IPsec

6
Limitations
  • The firewall cannot protect against attacks that
    bypass the firewall, e.g.
  • an internal host that dials out to connect to an
    ISP
  • a LAN that supports its own dial-in service
  • The firewall does not protect against internal
    threats (a disgruntled employee, or an insider
    cooperating with an outside attacker)
  • The firewall cannot protect against the transfer
    of virus-infected programs or files

7
Types of Firewalls
8
Packet-filtering router
  • Applies a set of rules to each incoming IP packet
    and then forwards or discards the packet
  • Typically configured to filter packets going in
    both directions
  • Filtering rules are based on fields in the IP and
    transport (TCP or UDP) headers:
  • Source and destination IP address
  • IP protocol field
  • Source and destination TCP or UDP port number

9
Packet-filtering router
10
Packet-filtering router
  • Rule examples
  • Assume that the default = discard policy is in
    force (anything not expressly permitted is
    prohibited)
  • Ex (A)

11
Packet-filtering router
  • EX (B)
  • EX (C)

12
Packet-filtering router
  • EX (D)
  • EX (E)

13
Packet-filtering router
  • Advantages
  • Transparent to users
  • Very fast
  • Disadvantages
  • Difficulty of setting up packet filter rules
    correctly
  • Lack of authentication (decisions are based on
    header fields only, not on who sent the packet)

14
Application-Level Gateway
  • Also called a proxy server
  • Acts as a relay of application-level traffic

15
Application-Level Gateway
  • Proxy Server
  • If the gateway does not implement the proxy code
    for a specific application, the service is not
    supported and cannot be forwarded across the
    firewall

16
Application-Level Gateway
  • Advantages
  • Tend to be more secure than packet filters:
    rather than dealing with the numerous possible
    combinations that are to be allowed and forbidden
    at the TCP and IP level, the gateway need only
    scrutinize a few allowable applications
  • Easy to log and audit all incoming traffic at the
    application level
  • Disadvantages
  • Additional processing overhead on each connection
  • Drawbacks to using a proxy client (users or
    applications must be configured to use the proxy)

17
Bastion Host
  • A bastion host is a system identified by the
    firewall administrator as a critical strong point
    in the network's security
  • Typically, the bastion host serves as a platform
    for an application-level or circuit-level gateway

18
Firewall Configurations
  • Dual homed host
  • Screened-host
  • Single-homed bastion
  • Dual-homed bastion
  • Screened-subnet

19
Dual homed host
  • Two network interfaces, one on each network
  • Complete block on IP traffic between the two
    networks (IP forwarding disabled)
  • All services are blocked except those for which
    proxies exist

20
Dual homed host
21
Screened Host
  • Single-homed bastion
  • The firewall consists of two systems: a
    packet-filtering router and a bastion host
  • The bastion host performs authentication and
    proxy functions
  • This configuration has greater security than
    simply a packet-filtering router or an
    application-level gateway alone
  • Router rules: only traffic from Internet sites
    destined for the bastion host is routed in
  • Reject all traffic from inside unless it came
    from the bastion host
  • Some "trusted" services may be allowed to go
    directly between the two networks

22
Screened Host
  • Single-homed bastion
  • If the packet-filtering router is completely
    compromised, traffic could flow directly through
    the router between the Internet and other hosts
    on the private network

23
Screened Host
  • Dual-homed bastion
  • The bastion host has two network interfaces, one
    on the router side and one on the internal LAN, so
    traffic between the Internet and the internal
    network has to pass through it; a compromised
    router no longer provides a direct path

24
Screened-subnet
  • Two packet-filtering routers are used
  • One between the bastion host and the Internet and
    one between the bastion host and the internal
    network, with the bastion host (and any public
    servers) on the isolated subnet between them

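The screened-subnet router policy above and the packet-filtering rule semantics of slides 8 to 13, as an added example in Python; it is not part of the original slides nor of the Stallings or Maiwald texts. It models a first-match packet filter under the default = discard policy, instantiates an outer and an inner router for a screened subnet, and contrasts a naive inner rule with one that checks the TCP ACK flag. The addresses (RFC 5737 documentation ranges), the services the bastion offers, and the rule sets themselves are assumptions constructed for the example.

```python
"""Toy packet filter with first-match rules and a default-discard policy,
used to express the two routers of a screened subnet. All addresses are
constructed from the RFC 5737 documentation ranges."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("192.0.2.0/24")         # protected LAN (assumed)
BASTION = ip_network("198.51.100.10/32")      # bastion host on the screened subnet (assumed)
HIGH_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = toward the protected LAN, "out" = away from it
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False         # TCP ACK flag; clear on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None    # None = either direction
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[range] = None      # None = any destination port
    ack: Optional[bool] = None         # None = don't care

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or p.dport in self.dport)
                and (self.ack is None or self.ack == p.ack))


def decide(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; if nothing matches, the default policy discards."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Outer router (Internet <-> screened subnet): only the bastion is reachable.
OUTER = [
    Rule("deny", "in", src=INTERNAL),                                         # anti-spoofing
    Rule("permit", "in", dst=BASTION, proto="tcp", dport=range(25, 26)),      # SMTP to the bastion
    Rule("permit", "in", dst=BASTION, proto="tcp", dport=HIGH_PORTS, ack=True),  # replies to its proxies
    Rule("permit", "out", src=BASTION),                                       # only the bastion talks out
]

# Inner router (screened subnet <-> LAN). LAN hosts may open connections to
# the bastion; the bastion may only send replies back in.
INNER_NAIVE = [
    Rule("permit", "out", src=INTERNAL, dst=BASTION),
    Rule("permit", "in", src=BASTION),        # too broad: a compromised bastion can initiate
]
INNER = [
    Rule("permit", "out", src=INTERNAL, dst=BASTION),
    Rule("permit", "in", src=BASTION, proto="tcp", dport=HIGH_PORTS, ack=True),
]


def demo() -> dict[str, str]:
    """Decisions for a set of constructed packets against each router."""
    attacker, lan_host, bastion = "203.0.113.5", "192.0.2.20", "198.51.100.10"
    cases = {
        "smtp to bastion":       (OUTER, Packet("in", attacker, bastion, "tcp", 40000, 25)),
        "ssh to lan host":       (OUTER, Packet("in", attacker, lan_host, "tcp", 40001, 22)),
        "spoofed internal src":  (OUTER, Packet("in", lan_host, bastion, "tcp", 40002, 25)),
        "reply to proxy":        (OUTER, Packet("in", "203.0.113.80", bastion, "tcp", 80, 50001, ack=True)),
        "syn from sport 80":     (OUTER, Packet("in", attacker, bastion, "tcp", 80, 50002)),
        "lan to proxy":          (INNER, Packet("out", lan_host, bastion, "tcp", 50003, 8080)),
        "bastion syn, naive":    (INNER_NAIVE, Packet("in", bastion, lan_host, "tcp", 44444, 445)),
        "bastion syn, strict":   (INNER, Packet("in", bastion, lan_host, "tcp", 44444, 445)),
        "bastion reply, strict": (INNER, Packet("in", bastion, lan_host, "tcp", 8080, 50003, ack=True)),
    }
    return {name: decide(rules, pkt) for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The naive inner rule permits a compromised bastion to open a connection into the LAN, which is exactly the bastion-compromise risk that motivates the inner router; the ACK-flag rule only lets replies back in. That ACK check is the stateless approximation that stateful packet filtering (slide 30) replaces with a real connection table.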
25
Enterprise Example
  • Case 1

26
Enterprise Example
  • Case 2

27
Enterprise Example
  • Case 3

28
Different Firewall Configuration Strategies
29
Screening Router
30
Stateful Packet Filtering
31
DMZ Screened Subnet (1)
  • A DMZ is a network that sits outside the internal
    network but that is connected to the firewall and
    that hosts publicly available servers, such as
    Web servers
  • The firewall in a DMZ screened subnet setup is
    sometimes described as a three-pronged firewall,
    with one interface on each of:
  • The external network
  • The DMZ screened subnet
  • The LAN being protected

32
DMZ Screened Subnet (2)
33
Two Firewalls, One DMZ (1)
  • Reasons for using two firewalls
  • One firewall can control traffic between the DMZ
    and the Internet, while the other can control
    traffic between the protected LAN and the DMZ
  • The second firewall can also serve as a failover
    firewall: a backup that can be configured to take
    over if the first one fails, providing
    uninterrupted service for the organization

34
Two Firewalls, One DMZ (2)
35
Two Firewalls with Two DMZs (1)
  • Balances the traffic load between parts of the
    organization
  • One of the DMZs contains publicly accessible
    servers for Web, e-mail and DNS. The other
    contains a VPN tunnel server that holds files
    needed by the accounting office
  • Putting the tunnel server in a DMZ makes it
    accessible to off-site workers that have a
    tunneling client, without giving them access to
    other servers on the internal LAN

36
Two Firewalls with Two DMZs (2)
37
Multiple Firewalls to Protect Branch Offices
38
Reverse Firewall
  • A device that monitors information going out of a
    network rather than trying to block what's coming
    in
  • Example: a DoS attack launched from inside
  • Traffic floods out of the network from the
    infected computer(s), overloading the network;
    egress monitoring detects it at the source

39
NAT (1)
  • Translates the private IP addresses of computers
    on the protected network to a publicly routable
    address and vice versa, thus shielding the real
    addresses of the internal computers from those on
    the outside

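The translation the slide describes, as an added example in Python that is not part of the original slides: a toy NAPT (port-overloading NAT) table. The public address, the port range and the two internal hosts are constructed; mappings are keyed on the private (ip, port) only, which simplifies what real NAT devices do.

```python
"""Toy NAPT table (constructed example): outbound connections from the
private LAN are rewritten to a single public address and a unique public
port; inbound packets are translated back only if a mapping exists."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.1"  # outside address of the NAT device (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Mappings are keyed on the private (ip, port) only, ignoring the remote
    endpoint; a simplification of real NAT behaviour."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict[tuple[str, int], int] = {}  # (priv ip, priv port) -> public port
        self.in_map: dict[int, tuple[str, int]] = {}   # public port -> (priv ip, priv port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source of a LAN->Internet packet, creating a mapping on first use."""
        key = (p.src, p.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite the destination of an Internet->LAN packet; return None
        (drop) when no mapping exists, so internal hosts cannot be reached
        unsolicited."""
        key = self.in_map.get(p.dport)
        if p.dst != self.public_ip or key is None:
            return None
        priv_ip, priv_port = key
        return replace(p, dst=priv_ip, dport=priv_port)


def demo() -> dict:
    """Two LAN hosts using the same private port, one reply, one unsolicited probe."""
    nat = Nat()
    a = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.7", 80))   # same port, other host
    reply = nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, b.sport))
    probe = nat.inbound(Packet("203.0.113.99", 40000, PUBLIC_IP, 22))  # unsolicited scan
    return {"a": a, "b": b, "reply": reply, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The `probe` returning None is the shielding claim in practice: with no mapping, an inbound packet has nowhere to go. The converse also holds, though: anything that does match a mapping is delivered without inspection, so NAT complements the packet filter rather than replacing it.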
40
NAT (2)
41
VPNs (1)
  • The advantage of a VPN over a conventional
    Internet-based connection is that VPN connections
    are encrypted and limited to machines with
    specific IP addresses (the VPN endpoints)
  • Caveat: because the tunnel is encrypted, a VPN
    gateway can bypass the firewall and connect
    directly to the internal LAN, so the firewall
    never inspects that traffic; place the gateway so
    that decrypted traffic still passes through the
    firewall

42
VPNs (2)
43
IDS (1)
  • An external router with IDS can notify you of
    intrusion attempts from the Internet.
  • An internal router with IDS can notify you when a
    host on the internal network attempts to access
    the Internet through a suspicious port or using
    an unusual service, which may be a sign of a
    Trojan horse that has entered the system.

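The reverse firewall (slide 38) and the internal-router IDS above both watch outbound traffic. As an added example that is not part of the original slides, the following Python script runs that kind of egress check over a constructed flow log: it flags internal hosts connecting out on ports the policy does not allow (the suspicious-port case) and hosts that emit a flood of outbound flows within one minute (the DoS-from-inside case). The log format, the allowed-port list, the internal prefix and the flood threshold are all assumptions.

```python
"""Egress monitor (constructed example) run over sample outbound flow
records: flags internal hosts connecting out on ports the policy does not
allow, and hosts emitting a flood of outbound flows within one minute."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")     # protected LAN (assumed)
ALLOWED_PORTS = {25, 53, 80, 443}       # outbound services the policy permits (assumed)
FLOOD_THRESHOLD = 5                     # outbound flows per host per minute (assumed)

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed flow log: timestamp src:port -> dst:port proto
FLOWS = """\
2024-05-01T10:00:01 10.0.0.5:51001 -> 198.51.100.7:80 tcp
2024-05-01T10:00:02 10.0.0.5:51002 -> 198.51.100.7:443 tcp
2024-05-01T10:00:03 10.0.0.9:51003 -> 203.0.113.44:6667 tcp
2024-05-01T10:00:04 198.51.100.7:80 -> 10.0.0.5:51001 tcp
2024-05-01T10:00:10 10.0.0.12:40000 -> 203.0.113.9:80 tcp
2024-05-01T10:00:10 10.0.0.12:40001 -> 203.0.113.9:80 tcp
2024-05-01T10:00:11 10.0.0.12:40002 -> 203.0.113.9:80 tcp
2024-05-01T10:00:11 10.0.0.12:40003 -> 203.0.113.9:80 tcp
2024-05-01T10:00:12 10.0.0.12:40004 -> 203.0.113.9:80 tcp
2024-05-01T10:00:12 10.0.0.12:40005 -> 203.0.113.9:80 tcp
2024-05-01T10:01:30 10.0.0.12:40006 -> 203.0.113.9:80 tcp
"""


def parse(line: str):
    """Return a dict of fields for one flow record, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def analyze(log: str) -> dict:
    """Scan outbound (LAN-sourced) flows for unusual ports and per-minute floods."""
    unusual, per_minute = [], defaultdict(int)
    for line in log.splitlines():
        f = parse(line)
        if f is None or ip_address(f["src"]) not in INTERNAL:
            continue                                   # inbound flows are not egress
        if f["dport"] not in ALLOWED_PORTS:
            unusual.append((f["src"], f["dst"], f["dport"]))
        per_minute[(f["src"], f["ts"][:16])] += 1      # bucket by YYYY-MM-DDTHH:MM
    flood = sorted({src for (src, _), n in per_minute.items() if n > FLOOD_THRESHOLD})
    return {"unusual_port": unusual, "flood": flood}


if __name__ == "__main__":
    for kind, hits in analyze(FLOWS).items():
        print(kind, hits)
```

In the sample, 10.0.0.9 talking to port 6667 is the unusual-service alert the slide attributes to a Trojan horse, and 10.0.0.12 opening six flows in a single minute is the outbound flood a reverse firewall is meant to catch; the return traffic from 198.51.100.7 is ignored because the monitor only looks at flows sourced inside the LAN.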
44
IDS (2)