This document discusses different types of firewalls, including packet filters, stateful packet filters, application proxies, and circuit-level gateways. It describes how firewalls can be implemented on bastion hosts, individual hosts, or for personal use. The document also covers firewall configurations including DMZ networks, virtual private networks, and distributed firewall topologies.


Cryptography and Network Security
Chapter 22
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 22: Firewalls
"The function of a strong position is to make the forces holding it practically unassailable."
On War, Carl von Clausewitz

Introduction
- we have seen the evolution of information systems
- now everyone wants to be on the Internet and to interconnect networks
  - this brings persistent security concerns
  - an organisation cannot easily secure every one of its systems
- so a Firewall is typically used
  - to provide perimeter defence
  - as part of a comprehensive security strategy

What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing levels of trust
- imposes restrictions on network services
  - only authorized traffic is allowed through
- audits and controls access
  - can raise alarms for abnormal behaviour
- provides NAT and usage monitoring
- can implement VPNs using IPsec
- must itself be immune to penetration (a hardened, trusted system)


Firewall Limitations
- cannot protect from attacks that bypass it
  - eg sneaker net, dial-up/utility modems, trusted organisations, trusted services (eg SSL/SSH channels whose contents the firewall cannot inspect)
- cannot protect against internal threats
  - eg disgruntled or colluding employees
- cannot protect against access via a WLAN
  - if the WLAN is improperly secured against external use
- cannot protect against malware imported via a laptop, PDA or storage device that was infected outside

Firewalls - Packet Filters
- simplest, fastest firewall component
- foundation of any firewall system
- examine each IP packet in isolation (no context) and permit or deny it according to a rule list
  - rules match on source/destination address, protocol, port numbers, TCP flags and the interface the packet arrived on
- hence restrict access to services (ports)
- possible default policies for a packet that matches no rule
  - that which is not expressly permitted is prohibited (default deny: more secure, more restrictive)
  - that which is not expressly prohibited is permitted (default permit: more convenient, less secure)


Attacks on Packet Filters
- IP address spoofing
  - attacker fakes a source address that the filter trusts (eg an internal address)
  - countermeasure: discard packets arriving on the external interface that carry an internal source address
- source routing attacks
  - attacker specifies a route other than the default, hoping to bypass security measures on the normal path
  - countermeasure: block all source-routed packets
- tiny fragment attacks
  - attacker splits the TCP header over several tiny IP fragments so the fields the filter checks are not in the first fragment
  - countermeasure: either discard the tiny fragments or reassemble before checking
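Added example (not from the slides): a stateless packet filter in Python that applies the three countermeasures above as header checks before consulting a first-match rule table with a default-deny policy. The internal range 10.0.0.0/8, the mail-relay address 10.1.1.25, the rule table and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    """Constructed packet model: only the header fields a stateless filter sees."""
    iface: str                # arrival interface: "ext" (Internet side) or "int"
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0      # IP fragment offset in 8-byte units (0 = first/only fragment)
    l4_bytes: int = 20        # transport-header bytes carried in this fragment
    src_routed: bool = False  # IP loose/strict source-route option present


INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
MIN_TCP_HDR = 20                      # bytes needed to see ports and flags

# Assumed rule table, first match wins:
# (action, arrival iface, src net, dst net, proto, dst port)
RULES = [
    ("permit", "ext", "0.0.0.0/0",  "10.1.1.25/32", "tcp", 25),   # inbound SMTP to the mail relay only
    ("permit", "int", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 80),   # outbound HTTP
    ("permit", "int", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 443),  # outbound HTTPS
    ("permit", "int", "10.0.0.0/8", "0.0.0.0/0",    "udp", 53),   # outbound DNS
]
DEFAULT_POLICY = "deny"   # that which is not expressly permitted is prohibited


def sanity_checks(pkt: Packet):
    """Header checks run before the rule table; they counter the three attacks above."""
    src = ip_address(pkt.src)
    # IP address spoofing: an internal source address cannot legitimately arrive
    # on the external interface, and an external one cannot arrive on the internal side.
    if pkt.iface == "ext" and src in INTERNAL:
        return "deny: spoofed internal source on external interface"
    if pkt.iface == "int" and src not in INTERNAL:
        return "deny: non-internal source on internal interface"
    # Source routing: the sender dictates the path, so refuse such packets outright.
    if pkt.src_routed:
        return "deny: source-routed packet"
    # Tiny fragments (RFC 1858): a first fragment too small to hold the TCP header
    # hides the ports and flags from the filter.
    if pkt.proto == "tcp" and pkt.frag_offset == 0 and pkt.l4_bytes < MIN_TCP_HDR:
        return "deny: tiny first fragment"
    # Later fragments carry no transport header at all; with no reassembly here,
    # the safe stateless choice is to discard them.
    if pkt.frag_offset > 0:
        return "deny: non-first fragment (reassemble before filtering or discard)"
    return None


def filter_packet(pkt: Packet) -> str:
    """Decide one packet in isolation: 'permit: ...' or 'deny: ...'."""
    problem = sanity_checks(pkt)
    if problem:
        return problem
    for action, iface, src_net, dst_net, proto, dport in RULES:
        if (pkt.iface == iface and pkt.proto == proto and pkt.dport == dport
                and ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)):
            return f"{action}: rule {proto}/{dport} {src_net} -> {dst_net}"
    return f"{DEFAULT_POLICY}: default policy"


if __name__ == "__main__":
    samples = [   # constructed sample packets
        Packet("ext", "203.0.113.9", "10.1.1.25", "tcp", 51000, 25),                # SMTP to relay
        Packet("ext", "203.0.113.9", "10.1.1.25", "tcp", 51000, 23),                # telnet: no rule
        Packet("ext", "10.2.3.4", "10.1.1.25", "tcp", 51000, 25),                   # spoofed source
        Packet("ext", "203.0.113.9", "10.1.1.25", "tcp", 51000, 25, l4_bytes=8),    # tiny fragment
    ]
    for p in samples:
        print(p.iface, p.src, "->", p.dst, p.proto, p.dport, ":", filter_packet(p))
```

Note that the spoofing and fragment checks run before the rule table: the tiny-fragment SMTP packet is dropped even though an SMTP rule would otherwise permit it, and a packet with no matching rule falls through to the default policy rather than being silently accepted.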

Firewalls - Stateful Packet Filters
- traditional packet filters do not examine higher-layer context
  - ie they cannot match return packets with the outgoing flow, so they must allow inbound packets to all high-numbered ports
- stateful packet filters address this need
  - they examine each IP packet in context
  - keep a table of client-server sessions (TCP connections, and similarly UDP exchanges)
  - check that each packet validly belongs to one
- hence are better able to reject bogus packets that are out of context
- may even inspect limited application data
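Added example (not from the slides): a minimal TCP connection tracker in Python. A session may only be opened from inside, with a clean SYN to an allowed port; an inbound segment is admitted only if it matches a tracked session and is plausible for that session's state, and a RST, or a FIN from both sides, removes the entry. The addresses, ports and the allowed-port policy are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Constructed TCP segment as seen by the firewall."""
    direction: str    # "out" = internal host -> Internet, "in" = Internet -> internal host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFilter:
    """Tracks TCP sessions opened from inside; admits inbound segments only if they belong to one."""

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        # key: (internal addr, internal port, external addr, external port) -> session state
        self.sessions = {}

    @staticmethod
    def _key(seg: Segment):
        # Normalise so both directions of one connection map to the same key.
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.sessions.get(key)
        if state is None:
            # Only an internal client may open a session, and only with a clean SYN
            # to an allowed port. An inbound ACK with no session (an "ACK scan") would
            # slip past a stateless "ACK set = established" rule; here it is refused.
            if (seg.direction == "out" and seg.syn and not seg.ack
                    and seg.dport in self.allowed):
                self.sessions[key] = {"state": "SYN_SENT", "fin_out": False, "fin_in": False}
                return "permit: new outbound session"
            return "deny: no matching session"
        # The segment belongs to a tracked session: check it fits the session's state.
        if seg.rst:
            del self.sessions[key]
            return "permit: RST, session closed"
        if state["state"] == "SYN_SENT":
            if seg.direction == "in" and seg.syn and seg.ack:
                state["state"] = "ESTABLISHED"
                return "permit: SYN/ACK completes handshake"
            if seg.direction == "out" and seg.syn and not seg.ack:
                return "permit: SYN retransmission"
            return "deny: unexpected segment in SYN_SENT"
        if seg.fin:
            state["fin_" + seg.direction] = True
            if state["fin_out"] and state["fin_in"]:
                del self.sessions[key]
                return "permit: FIN from both sides, session closed"
            return "permit: FIN"
        return "permit: established session"


if __name__ == "__main__":
    fw = StatefulFilter(allowed_outbound_ports=[80, 443])
    client, server = "10.0.0.5", "93.184.216.34"          # constructed addresses
    trace = [
        Segment("out", client, 40000, server, 443, syn=True),
        Segment("in", server, 443, client, 40000, syn=True, ack=True),
        Segment("out", client, 40000, server, 443, ack=True),
        Segment("in", "198.51.100.7", 443, client, 40001, ack=True),   # unsolicited ACK scan
        Segment("in", server, 443, client, 40000, rst=True),
        Segment("in", server, 443, client, 40000, ack=True),          # after teardown
    ]
    for seg in trace:
        print(seg.direction, f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}", fw.process(seg))
```

The table is keyed by the normalised 4-tuple, so the server's SYN/ACK is recognised as the return half of the client's SYN; the same ACK arriving for a port the client never opened has no entry and is dropped, which is exactly the case a stateless filter cannot distinguish.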

Firewalls - Application Level Gateway (or Proxy)
- an application-specific gateway / proxy
- has full access to the protocol
  - user requests the service from the proxy
  - proxy validates the request as legal
  - then performs the request itself and returns the result to the user
  - can log / audit traffic at the application level
- needs a separate proxy for each service
  - some services naturally support proxying
  - others are more problematic

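Added example (not from the slides): the validation step of an HTTP forward proxy, in Python. It parses the request a client sends to the proxy, enforces an assumed policy (allowed methods, destination hosts and port), and records every decision in an application-level audit trail. The checks for a mismatched Host header, an ambiguous message length and an encoded path-traversal sequence are decisions only a gateway that understands the protocol can make; a packet filter sees nothing more than port 80. The policy values, helper names and sample requests are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

# Assumed proxy policy for this example (not from the slides).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
ALLOWED_PORTS = {80}
MAX_REQUEST_LINE = 2048

audit_log = []   # application-level audit trail: who asked for what, and the decision


def _log(client, method, target, decision):
    audit_log.append(f"{client} {method} {target} -> {decision}")
    return decision


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, [(name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request head")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():   # no empty or space-padded names
            raise ValueError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers


def check_request(raw: bytes, client: str) -> str:
    """Gateway decision for one forward-proxy request: 'permit' or 'deny: <reason>'."""
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError as e:
        return _log(client, "?", "?", f"deny: {e}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return _log(client, method, target, "deny: unsupported version")
    if method not in ALLOWED_METHODS:        # CONNECT would give the client a blind tunnel
        return _log(client, method, target, "deny: method not allowed")
    url = urlsplit(target)                   # a proxy request names the origin server in full
    if url.scheme != "http" or not url.hostname:
        return _log(client, method, target, "deny: target must be an absolute http URL")
    try:
        port = url.port or 80
    except ValueError:
        return _log(client, method, target, "deny: invalid port")
    if url.hostname not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return _log(client, method, target, "deny: destination not in policy")
    hosts = [v for n, v in headers if n == "host"]   # exactly one Host, agreeing with the URL
    if len(hosts) != 1 or hosts[0].split(":")[0] != url.hostname:
        return _log(client, method, target, "deny: Host header does not match target")
    names = [n for n, _ in headers]
    if "transfer-encoding" in names and "content-length" in names:
        return _log(client, method, target, "deny: ambiguous message length (smuggling risk)")
    if ".." in unquote(url.path).split("/"):   # decode first, as the origin server would
        return _log(client, method, target, "deny: path traversal")
    return _log(client, method, target, "permit")


if __name__ == "__main__":
    samples = [   # constructed requests from an internal client
        b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
        b"GET http://www.example.com/a/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ]
    for raw in samples:
        check_request(raw, "10.0.0.5")
    print("\n".join(audit_log))
```

Once a request is permitted the proxy would open its own connection to the origin server and relay the response; the client never talks to the server directly, which is what makes the audit trail complete.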

Firewalls - Circuit Level Gateway
- relays two TCP connections (client to gateway, gateway to server) without an end-to-end connection
- imposes security by limiting which such connections are allowed
- once the circuit is created, usually relays traffic without examining its contents
- typically used where internal users are trusted, by allowing general outbound connections
- SOCKS is commonly used

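Added example (not from the slides): both sides of the SOCKS5 (RFC 1928) circuit setup in Python, the client's method greeting and CONNECT request and the gateway's replies. The gateway decides purely on command, destination and port, answering "connection not allowed by ruleset" (REP 0x02) for a refused circuit, and never looks at the bytes it would later relay. The allowed ports and the 10.0.0.0/8 internal range are assumed policy, the reply's bind address is left as 0.0.0.0:0, and the actual relaying of the two TCP connections is not shown.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

SOCKS_VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_GENERAL, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08

# Assumed gateway policy: internal users may open outbound circuits to these ports,
# but may not use the gateway to reach hosts inside the internal range.
ALLOWED_PORTS = {80, 443}
INTERNAL = ip_network("10.0.0.0/8")


def greeting_reply(data: bytes) -> bytes:
    """Client sends VER NMETHODS METHODS; gateway answers VER METHOD."""
    if len(data) < 2 or data[0] != SOCKS_VER or len(data) != 2 + data[1]:
        return bytes([SOCKS_VER, NO_ACCEPTABLE])
    methods = data[2:]
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    return bytes([SOCKS_VER, chosen])


def connect_request(host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT for an IP literal or a domain name."""
    try:
        addr = ip_address(host)
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    except ValueError:
        name = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_request(data: bytes):
    """Gateway side: decode the request into (cmd, host, port)."""
    if len(data) < 5 or data[0] != SOCKS_VER:
        raise ValueError("bad version or length")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + data[4]
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
    else:
        raise ValueError("unsupported address type")
    if len(data) != addr_end + 2:
        raise ValueError("bad length")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, data[4:addr_end])
    elif atyp == ATYP_DOMAIN:
        host = data[5:addr_end].decode("ascii")
    else:
        host = socket.inet_ntop(socket.AF_INET6, data[4:addr_end])
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return cmd, host, port


def build_reply(rep: int) -> bytes:
    """Gateway side: VER REP RSV ATYP BND.ADDR BND.PORT, bind address elided as 0.0.0.0:0."""
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00" + b"\x00\x00"


def handle_request(data: bytes) -> bytes:
    """Apply the circuit policy and build the reply; payload is never inspected."""
    try:
        cmd, host, port = parse_request(data)
    except ValueError as e:
        return build_reply(REP_ATYP_UNSUPPORTED if "address type" in str(e) else REP_GENERAL)
    if cmd != CMD_CONNECT:               # no BIND or UDP ASSOCIATE circuits through this gateway
        return build_reply(REP_CMD_UNSUPPORTED)
    try:
        dest_is_internal = ip_address(host) in INTERNAL
    except ValueError:
        dest_is_internal = False         # domain name: a real gateway resolves it and re-checks
    if dest_is_internal or port not in ALLOWED_PORTS:
        return build_reply(REP_NOT_ALLOWED)
    return build_reply(REP_OK)           # a real gateway now connects out and relays both ways


if __name__ == "__main__":
    print(greeting_reply(b"\x05\x02\x00\x02").hex())                       # constructed greeting
    for host, port in [("example.com", 443), ("10.0.0.5", 22), ("93.184.216.34", 25)]:
        print(host, port, "->", handle_request(connect_request(host, port)).hex())
```

The decision is made once, at circuit setup; after REP 0x00 the gateway copies bytes between the two connections in both directions, which is why a circuit-level gateway is cheaper than an application proxy and also why it cannot see what crosses it.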

Bastion Host
- a highly secure host system
- runs circuit / application level gateways, or provides externally accessible services
- potentially exposed to "hostile" elements, hence secured to withstand this
  - hardened O/S, only essential services installed, extra authentication
  - proxies are small, secure, independent and non-privileged
- may support 2 or more network connections
  - may be trusted to enforce a policy of trusted separation between these network connections

Host-Based Firewalls
- a software module used to secure an individual host
  - available in many operating systems, or provided as an add-on package
- often used on servers
- advantages:
  - filtering rules can be tailored to the host's environment
  - protection is provided independent of network topology
  - provides an additional layer of protection behind the perimeter firewall

Personal Firewalls
- controls traffic between a PC/workstation and the Internet or enterprise network
- a software module on the personal computer, or in the home/office DSL/cable/ISP router
- typically much less complex than other firewall types
- primary role is to deny unauthorized remote access to the computer
- may also monitor outgoing activity to detect malware

Firewall Configurations

DMZ Networks

Virtual Private Networks

Distributed Firewalls

Summary of Firewall Locations and Topologies
- host-resident firewall
- screening router
- single bastion inline
- single bastion T
- double bastion inline
- double bastion T
- distributed firewall configuration

Summary
have considered:
- firewalls
- types of firewalls: packet-filter, stateful inspection, application proxy, circuit-level
- basing: bastion, host, personal
- location and configurations: DMZ, VPN, distributed, topologies
