CS459/559 - Network Security - Chapter 12: Firewalls
A firewall is typically a system used to enforce an access control policy between two networks. The firewall sits between the two networks, examines all traffic that passes between them, and only allows "authorized" traffic through. The firewall enforces an authentication system that allows only authorized individuals to gain access to the private network.
- Types of Firewalls
- Packet Filtering - can filter packets based on:
- source & destination IP addresses
- source & destination ports
- TCP or UDP
- ICMP
- whether a packet is the first packet of a new TCP/IP connection or subsequent packets
- whether the packet is destined for, or originated from, a local application
- whether the packet is inbound or outbound
- PACKET-FILTERING - limited functionality, difficult to configure & maintain; functions only at the lowest layers of the OSI model
- PROXY SERVICE - software application that forwards and filters connections
- Dual-homed gateway - 2 NICs on one host with IP forwarding disabled (internal IP addresses are not visible outside)
- Screened host - combines a packet-filtering router with an application gateway on the protected side of the router (only requires one NIC); uses logical separation of the internal network from the perimeter network (only allows traffic between the Internet and the gateway and public servers); requires both a router and an application gateway
- Screened subnet - similar to dual-homed and screened host firewall options.
- Firewall Pros and Cons
- Pro
- Protection for vulnerable services
- Protection against routing-based attacks
- Controlling access to systems
- Centralization of security software
- Privacy
- Statistic collection
- Policy enforcement
- Con
- complex to configure
- may block services that would be helpful as well
- back door attacks may still be possible (e.g., via modem access)
- cannot protect against viruses
- could cause performance problems (potential bottleneck)
- tends to concentrate security in a single spot
- Firewall Policy
- network service access policy - what is allowed and what is denied including use of internetwork services as well as dial-up and SLIP connections
- firewall design policy - technical details of how the firewall limits access (permit all services that are not expressly denied or deny all services that are not expressly permitted)
- can use advanced authentication techniques such as smart cards and authentication tokens (e.g., one-time passwords)
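As an added example (not from the lecture notes), the following Python models a small stateful packet filter that decides on the criteria listed under Packet Filtering (addresses, ports, protocol, direction, and first-packet vs. subsequent packets of a TCP connection) under the "deny all services that are not expressly permitted" design policy. The internal range 10.0.0.0/8, the rule set and the packets are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    direction: str        # "in" (from the Internet) or "out" (from the internal network)
    sport: int = 0
    dport: int = 0
    syn: bool = False     # True only for the first packet of a new TCP connection

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0        # 0 means any destination port
    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport))

class StatefulFilter:
    """First-match rule list; anything unmatched is denied (deny all not expressly permitted)."""
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # tracked TCP connections, keyed by the SYN's (src, sport, dst, dport)
    def decide(self, p: Packet) -> str:
        if p.proto == "tcp" and not p.syn:
            # Subsequent packets are judged by connection state, not by the rules:
            # they pass in either direction only if their connection was admitted by a SYN.
            fwd = (p.src, p.sport, p.dst, p.dport)
            rev = (p.dst, p.dport, p.src, p.sport)
            return "allow" if fwd in self.conns or rev in self.conns else "deny"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.proto == "tcp":
                    self.conns.add((p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"

# Constructed policy (assumed internal range 10.0.0.0/8): internal hosts may open HTTP
# connections outward and send ICMP; no inbound connection is expressly permitted.
POLICY = [
    Rule("allow", "out", "tcp", src="10.0.0.0/8", dport=80),
    Rule("allow", "out", "icmp", src="10.0.0.0/8"),
]
```

An inbound SYN to any port is dropped by the default deny, while the reply packets of an outbound HTTP connection pass only if their addresses and ports match a tracked connection.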
- Next-Generation Firewalls
- Second Generation - application and circuit gateways (proxies)
- circuit gateways - use the transport layer to set up a circuit; the gateway sits between the network router and the Internet, and its address is the only one transmitted to the outside world
- application gateways - 1-to-1 proxy for one specific application
- Third Generation - Stateful Multi-Layer Inspection (SMLI)
- examines all 7 layers of OSI
- uses a traffic screening algorithm optimized for high throughput
- examines the entire packet and compares it against known states of friendly packets
- CyberGuard - provides for application-level security without limitations of a proxy (users aren't restricted to certain applications); uses its own secure OS - Secure32OS
- CheckPoint's Firewall - uses the OPSEC (Open Platform for Secure Enterprise Computing) framework; uses stateful inspection which incorporates both communication-derived and application-derived state and context information (layers 3 - 7)
- Allowing Remote Access to Users - use a modem pool and locate it outside the firewall
- Demilitarized Zone (DMZ) - extra layer of protection with servers that exist between the protected network and the external network, attached at the firewall (3 NICs)
- Implementing Firewall Services
- Access control - prevents:
- IP spoofing
- Denial-of-service attack
- ping of death
- Authentication
- user authentication (access to various services controlled per user)
- client authentication (access based on IP address)
- transparent session authentication (authenticates a service on a per-session basis)
- Encryption
- Router security management
- Network Address Translation (NAT) - used to conceal ("stealth") internal network addresses from the Internet
- Content security - Java/ActiveX applets (e.g., Finjan's SurfinGate), viruses, screening access to specific URLs, shielding the From address of outgoing e-mail messages
- Connection control
- Auditing, logging, and alerting