
Firewalls

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It protects private networks from unauthorized access while permitting legitimate communications. There are different types of firewalls including packet filtering, stateful inspection, and application-level gateways. While firewalls can block many threats, they cannot completely prevent attacks and must be used with other security measures.


Computer Security: Firewalls

What is a Firewall?

fire wall
1 : a wall constructed to prevent the spread of fire
2 usually firewall : a computer or computer software that prevents unauthorized access to private data (as on a company's local area network or intranet) by outside computer users (as of the Internet)

April 13, 2005 ©2004, Bryan J. Higgs

What is a Firewall?

• A firewall is a kind of filter or barrier that affects the message traffic passed between two networks
• Often used as a perimeter defense
  – Allows an organization to choose which protocols it will exchange with the outside world.
• Can also be used to block access to certain Internet sites
  – To prevent employees from downloading from blacklisted servers
  – To prevent employees from accessing porn sites, etc.
• Usually, blocks outsiders from accessing the internal network.
• Sometimes, protects against internal users connecting with the Internet.

What is a Firewall?

• It is important to realize that a network firewall shares something in common with its physical cousin:
  – A physical fire wall is designed to slow down the spread of a fire. It does not prevent the spread of a fire.
• A network firewall should be viewed in the same way:
  – It is not a complete solution
  – Other measures must also be employed.
What Firewalls Can Do*

• Can be a single "choke point" to:
  – keep unauthorized users out of the protected network
  – prohibit potentially vulnerable services from entering or leaving the network
  – provide protection from various kinds of IP spoofing and routing attacks
  – simplify security management by consolidating onto a single system
• Provides a location for monitoring security-related events
  – Audits and alarms can be implemented on the firewall
• Provides a convenient platform for several security-related Internet functions, including:
  – Network address translator, to map local addresses to Internet addresses
  – Network management to provide audits or logs of Internet usage
• Can serve as the platform for IPSec.
  – Can be used to implement virtual private networks (VPNs)

What Firewalls Cannot Do*

• Protect against attacks that bypass the firewall.
  – Dial-out / dial-in systems for employees and telecommuters
• Protect against internal threats
  – A disgruntled employee
  – An unwitting employee cooperating with an attacker
• Protect against the transfer of virus-infected programs or files.

*Cryptography and Network Security, by William Stallings, published by Prentice-Hall.

Types of Firewalls

• Hardware-based
  – Integrated "appliances" that include all of the hardware and software necessary to implement the firewall
  – Typically have much better performance than software-based firewalls
  – Vendors include Cisco, et al.
• Separate host
  – Operating System / Software combination
  – Often a Unix box with perhaps additional software
• Local software
  – Typically a personal firewall
  – Vendors: Symantec, Zone Labs, etc.

Types of Firewall

• Packet-Filtering Firewall
  – a.k.a. Screening Firewall
• Stateful Inspection Firewall
  – a.k.a. Stateful Packet Filter Firewall
• Application-Level Gateway
  – a.k.a. Application Proxy or Application-level Proxy
• Circuit-Level Gateway
Packet Filtering Firewall

• Basically a router with a set of filters to determine which packets are allowed to cross the boundary
  – Operates at the Network Layer (Layer 3) and Transport Layer (Layer 4)
  – Looks at the IP and TCP packet headers, and applies a set of configurable rules to either discard or forward the packet.

Packet Filtering Firewall

• The rule configurations include:
  – Source IP address
  – Destination IP address
  – Source and destination transport-level address
  – IP protocol fields
  – Router interface port (source or destination)
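The following is an added example, not code from the slides: a first-match packet filter over exactly the header fields listed above (source and destination address, transport-level port, IP protocol, arriving interface), with default deny. The addresses (192.0.2.0/24 as the protected network, 192.0.2.25 as the mail host) and the rule table are constructed for illustration. Two defensive checks a screening router typically adds are included: an anti-spoofing rule that rejects packets arriving on the external interface with an internal source address, and a minimum-size check on first fragments so that a TCP header cannot be pushed out of the fragment the filter examines.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MIN_TCP_HEADER = 20   # bytes; a first fragment shorter than this cannot carry the TCP ports
INTERNAL = "192.0.2.0/24"   # constructed: the protected network behind the "int" interface


@dataclass(frozen=True)
class Packet:
    """Constructed summary of the header fields a screening router inspects."""
    iface: str                    # interface the packet arrived on: "ext" or "int"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0          # 0 = first (or only) fragment
    length: int = 40              # bytes of IP payload carried in this fragment


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None matches any value
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR prefix
    dst: Optional[str] = None
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        return True


# First-match rule table (constructed). Anything matching no rule is denied.
RULES = [
    # anti-spoofing: a packet from outside may not claim an internal source address
    Rule("deny", iface="ext", src=INTERNAL),
    # outbound web from the protected network
    Rule("allow", iface="int", proto="tcp", src=INTERNAL, dport=range(80, 81)),
    Rule("allow", iface="int", proto="tcp", src=INTERNAL, dport=range(443, 444)),
    # inbound mail, but only to the designated mail host
    Rule("allow", iface="ext", proto="tcp", dst="192.0.2.25/32", dport=range(25, 26)),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    # A first fragment too small to hold the TCP header cannot be screened on
    # port numbers, so it is discarded before the rule table is consulted.
    if p.proto == "tcp" and p.frag_offset == 0 and p.length < MIN_TCP_HEADER:
        return "deny"
    # Non-first fragments carry no port fields (sport/dport None); they can only
    # match rules that do not test ports, and otherwise fall to the default deny.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
```

Rule order matters: the anti-spoofing deny sits first so that a forged internal source address can never reach a later allow rule.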

Packet Filtering Firewall

• Can be subject to the following attacks:
  – IP address spoofing
    • Falsifying the source IP address
  – Source Routing attacks
    • Attempts to bypass security measures that do not analyze the source routing information
  – Tiny fragment attacks
    • Uses the IP fragmentation option to create extremely small fragments and force TCP header information into a separate packet fragment.
    • Attempts to circumvent filtering based on TCP header information.

Stateful Inspection Firewalls

• Packet filtering firewalls analyze individual packets, and are not capable of maintaining connection state information.
• Stateful Inspection Firewalls maintain data about open connections to ensure that packets are part of a valid connection initiated by an authorized user.
  – Tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, one entry per connection.
  – Once a connection is in the directory, the packet filter will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the connections in the directory.
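Added example (not from the slides) of the connection directory just described: an outbound SYN to a permitted service creates one entry, an inbound segment is allowed only if it matches an entry in reverse, and anything inbound to a high-numbered port without a matching entry is dropped. The `Segment` shape, the permitted outbound ports and the addresses are constructed; a real implementation also tracks FIN/RST and idle timeouts to retire entries, which is omitted here.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    """Constructed view of one TCP segment as seen by the firewall."""
    direction: str    # "out" (protected network -> Internet) or "in"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Directory key: (internal address, internal port, remote address, remote port)
ConnKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Directory of outbound TCP connections, one entry per connection."""

    def __init__(self, allowed_outbound_ports=(25, 80, 443)):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.directory: Dict[ConnKey, str] = {}   # key -> "SYN_SENT" or "ESTABLISHED"

    def process(self, s: Segment) -> str:
        if s.direction == "out":
            key = (s.src, s.sport, s.dst, s.dport)
            if key in self.directory:
                return "allow"                         # part of a known connection
            if s.syn and not s.ack and s.dport in self.allowed_outbound_ports:
                self.directory[key] = "SYN_SENT"       # new outbound connection recorded
                return "allow"
            return "deny"                              # not a permitted new connection
        # Inbound: the segment must answer an entry in the directory (tuple reversed).
        key = (s.dst, s.dport, s.src, s.sport)
        state = self.directory.get(key)
        if state is None:
            return "deny"      # unsolicited inbound traffic, e.g. to a high-numbered port
        if state == "SYN_SENT" and s.syn and s.ack:
            self.directory[key] = "ESTABLISHED"        # handshake completed
        return "allow"

    def close(self, key: ConnKey) -> None:
        """Retire an entry (a real firewall does this on FIN/RST or timeout)."""
        self.directory.pop(key, None)
```

Contrast with the stateless filter: a stateless rule must open every high-numbered port to inbound traffic to let replies through, while the directory opens only the exact (address, port) pair the inside host asked for, and only for as long as the entry lives.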
Application-Level Gateway

• An Application-Level Gateway, also called a Proxy Server
  – Acts as a relay of application traffic
  – Conversation looks like:
    • The client contacts the gateway using a certain TCP/IP application protocol such as Telnet, FTP, etc.
    • The gateway asks the client for the name of the remote host to be contacted.
    • The user responds, and provides a valid user ID and authentication
    • The gateway then contacts the application on the remote host, and relays TCP segments containing the application data between the two end points
  – If the gateway does not implement the code for a specific protocol, then that protocol is not supported
  – The gateway can also be configured to support only specified features of a protocol that are considered acceptable.

Application-Level Gateway

• Pros:
  – Tend to be more secure than packet filters
  – User authentication allows for effective blocking of unwanted traffic
  – Easy to log and audit all incoming traffic at the protocol level.
• Cons:
  – Requires additional processing overhead for each connection
  – Effectively two connections between end users
  – Still susceptible to SYN floods and ping floods
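Added example (not from the slides) of the conversation above for an FTP gateway: the gateway first asks for the remote host, then for a user ID and credential, and only then relays commands, and even then relays only the protocol features it has been configured to accept, logging everything at the protocol level. The user table, permitted host list, accepted command set and the `AUTH <user> <password>` exchange are constructed for this illustration; the password check uses a plain SHA-256 digest to keep the example short, where a real gateway would use a salted password hash.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed user database: user id -> hex SHA-256 of the password (toy; unsalted).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# Constructed: remote hosts users may reach through this gateway.
PERMITTED_HOSTS = {"ftp.example.test"}

# The subset of FTP commands this gateway implements and considers acceptable.
# Anything else (uploads, site-specific commands, ...) is refused at the gateway.
ACCEPTED_COMMANDS = {"USER", "PASS", "PWD", "CWD", "LIST", "NLST", "RETR", "TYPE", "PASV", "QUIT"}


def _credential_ok(user: str, password: str) -> bool:
    expected = USERS.get(user)
    if expected is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)     # constant-time comparison


class FtpGatewaySession:
    """One client session on the gateway: host selection, authentication, then filtered relay."""

    def __init__(self):
        self.state = "AWAIT_HOST"
        self.remote_host = None
        self.user = None
        self.log: List[str] = []      # protocol-level audit trail

    def on_client_line(self, line: str) -> Tuple[str, str]:
        """Returns (action, text): action is "reply" (send text to the client),
        "relay" (forward text to the remote host) or "close" (refuse and disconnect)."""
        line = line.strip()
        if self.state == "AWAIT_HOST":
            if line not in PERMITTED_HOSTS:
                self.log.append(f"denied host {line!r}")
                return ("close", "421 host not permitted by gateway")
            self.remote_host = line
            self.state = "AWAIT_AUTH"
            return ("reply", "331 gateway: send AUTH <user> <password>")
        if self.state == "AWAIT_AUTH":
            parts = line.split(" ", 2)
            if len(parts) != 3 or parts[0] != "AUTH" or not _credential_ok(parts[1], parts[2]):
                self.log.append("authentication failure")
                return ("close", "530 gateway authentication failed")
            self.user = parts[1]
            self.state = "RELAY"
            self.log.append(f"{self.user} authenticated; connecting to {self.remote_host}")
            return ("reply", f"230 gateway: relaying to {self.remote_host}")
        # RELAY state: only accepted protocol features pass to the remote host.
        verb = line.split(" ", 1)[0].upper()
        if verb not in ACCEPTED_COMMANDS:
            self.log.append(f"{self.user} blocked command {verb}")
            return ("reply", f"502 {verb} not permitted by gateway")
        self.log.append(f"{self.user} -> {self.remote_host}: {verb}")
        return ("relay", line)
```

Because the gateway parses the protocol itself, it can both refuse features it does not implement and produce an audit log that names users and commands rather than just addresses and ports, which is exactly the pro listed above.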

Circuit-Level Gateway

• A Circuit-Level Gateway
  – Can be:
    • a stand-alone system, or
    • a specialized function performed by an Application-Level Gateway for certain applications
  – Does not permit an end-to-end TCP connection; instead, it sets up two TCP connections:
    • Between itself and a TCP user on an inner host
    • Between itself and a TCP user on an outside host
  – Before the connections are set up, the user must be authenticated
  – Once the connections have been established, TCP segments are conveyed between the two without examining the segment contents
  – The security consists of determining which connections are allowed.
  – Can be configured to support application-level services on inbound connections, and circuit-level functions for outbound connections

Circuit-Level Gateway

• Pros:
  – Relatively secure
• Cons:
  – May not be appropriate for some public situations
  – Typically does not support certain features, such as URL filtering
  – Often offers only limited auditing features.
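Added example (not from the slides) showing the circuit-level model end to end: the gateway authenticates the user and checks whether the requested destination is allowed, then holds two separate connections and copies bytes between them without looking at them. The two TCP connections are stood in for by `socket.socketpair()` so the example runs offline; the authorization table with user "bob" and the destinations are constructed. Notice that `relay` never parses anything, which is why this kind of gateway cannot offer URL filtering or a protocol-level audit trail.

```python
import select
import socket
import threading
from typing import Optional, Tuple

# Constructed authorization table: (user id, token) -> destinations that user may reach.
AUTHORIZED = {
    ("bob", "s3cret-token"): {"mail.example.test:25", "www.example.test:80"},
}


def authorize(user: str, token: str, dest: str) -> bool:
    """The gateway's only security decision: may this user open a circuit to this destination?"""
    return dest in AUTHORIZED.get((user, token), set())


def relay(inner: socket.socket, outer: socket.socket, bufsize: int = 4096) -> Tuple[int, int]:
    """Copy bytes between the inner and outer connections without examining them.
    Returns (bytes moved inner->outer, bytes moved outer->inner)."""
    peer = {inner: outer, outer: inner}
    moved = {inner: 0, outer: 0}
    live = [inner, outer]
    try:
        while live:
            readable, _, _ = select.select(live, [], [])
            for s in readable:
                data = s.recv(bufsize)
                if not data:                              # this side finished sending
                    live.remove(s)
                    try:
                        peer[s].shutdown(socket.SHUT_WR)  # pass the half-close along
                    except OSError:
                        pass
                    continue
                peer[s].sendall(data)                     # contents are never inspected
                moved[s] += len(data)
    except OSError:
        pass                                              # a side went away abruptly
    finally:
        inner.close()
        outer.close()
    return moved[inner], moved[outer]


def open_circuit(user: str, token: str, dest: str):
    """Stand-in for the two TCP connections using two socketpairs (constructed).
    Returns (client end, server end, relay thread), or None if not authorized."""
    if not authorize(user, token, dest):
        return None
    client_end, gw_inner = socket.socketpair()     # inner host <-> gateway
    gw_outer, server_end = socket.socketpair()     # gateway <-> outside host
    worker = threading.Thread(target=relay, args=(gw_inner, gw_outer), daemon=True)
    worker.start()
    return client_end, server_end, worker


def exchange(user: str, token: str, dest: str,
             request: bytes, response: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Drive one request/response through a circuit; returns what each side received."""
    circuit = open_circuit(user, token, dest)
    if circuit is None:
        return None
    client_end, server_end, worker = circuit
    client_end.sendall(request)
    seen_by_server = server_end.recv(4096)
    server_end.sendall(response)
    seen_by_client = client_end.recv(4096)
    client_end.close()
    server_end.close()
    worker.join(timeout=2)
    return seen_by_server, seen_by_client
```

Compared with the application-level gateway, the per-connection cost here is just the copy loop, which is the performance argument for circuit-level relays on outbound traffic; the price is that the bytes crossing the circuit are opaque to the gateway.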
Firewall Topologies

• Bastion Host
• Screened Subnet
  – a.k.a. Demilitarized Zone (DMZ)
• Dual Firewalls

Bastion Host

• Places the firewall at the perimeter of the network
  – The sole link between the protected network and the outside world
  – All traffic flowing in and out of the network must pass through the firewall
  – Easiest topology to implement, and the least expensive

bas·tion
1 : a projecting part of a fortification
2 : a fortified area or position
3 : something that is considered a stronghold

Screened Subnet (DMZ)

• Still uses a single firewall, but with three network interface cards:
  – One connected to the external network
  – One connected to the protected network
  – One connected to a Screened Subnet
• A Screened Subnet:
  – Provides a middle ground that serves as neutral territory between the external and protected networks (hence the term DMZ)
  – Will contain servers that provide services to external users:
    • Web servers, SMTP servers, etc.
  – Allows servers to be compromised without compromising the protected network.

Dual Firewalls

• Also provides a DMZ that may be used to house public services
  – Replaces a single firewall having three NICs with two firewalls each with two NICs
• Provides similar security benefits as the Screened Subnet approach, plus minimizes the likelihood that an attacker could compromise the firewall itself.
• To enhance this, can use two very different firewalls:
  – A hardware firewall + a software firewall
  – Firewalls from two different vendors
  – Firewalls with different levels of security certification
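Added example (not from the slides) of how the three-NIC screened subnet is expressed as policy: each packet is assigned a zone from the interface (here derived from the address prefix), and traffic is permitted per zone pair. The property the slide promises, that a compromised DMZ server cannot reach the protected network, is encoded simply by having no rule for the (dmz, internal) pair. Addresses and permitted ports are constructed; the `exposure` helper is an added audit aid, not something the slides describe.

```python
import ipaddress
from typing import Dict, Set, Tuple, Union

# Constructed addressing for one firewall with three NICs (documentation prefixes).
ZONES = {
    "internal": ipaddress.ip_network("192.0.2.0/24"),     # protected network
    "dmz": ipaddress.ip_network("198.51.100.0/24"),       # screened subnet
}


def zone_of(addr: str) -> str:
    """Traffic that is neither internal nor DMZ arrives on the external interface."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


Ports = Union[Set[int], str]   # a set of TCP destination ports, or "any"

# Inter-zone policy (constructed): (source zone, destination zone) -> permitted ports.
POLICY: Dict[Tuple[str, str], Ports] = {
    ("external", "dmz"): {25, 80, 443},        # public mail and web services
    ("internal", "dmz"): {22, 25, 80, 443},    # staff use and administer DMZ hosts
    ("internal", "external"): "any",           # outbound access for the protected network
    ("dmz", "external"): {25, 53},             # DMZ relays mail and resolves names
    # ("dmz", "internal") is deliberately absent: a compromised DMZ server
    # has no permitted path into the protected network.
}


def decide(src: str, dst: str, dport: int) -> str:
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "not-seen"          # same-zone traffic never crosses the firewall
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return "deny"              # no rule for this zone pair: default deny
    return "allow" if allowed == "any" or dport in allowed else "deny"


def exposure(zone: str) -> Dict[str, Ports]:
    """Audit helper: which zones can the given zone reach, and on which ports."""
    return {dst: ports for (src, dst), ports in POLICY.items() if src == zone}
```

Reviewing `exposure("dmz")` is the quick way to confirm the topology's promise: the protected network must not appear in it.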
Other Firewall Features

• Two features that are commonly supported by firewalls are:
  – Network Address Translation (NAT)
  – Virtual Private Networks (VPNs)

Network Address Translation (NAT)

• NAT is a kludge that has allowed the Internet to survive with only 32-bit addresses
• NAT allows you to allocate IP addresses to your own private network, and prevent the outside world from ever seeing them
• In RFC 1918, IETF set aside some address ranges for creating private networks:
  – 10.x.y.z
  – 172.16.y.z
  – 192.168.y.z
  These IP addresses are "unroutable", and will be dropped by any router on the Internet.

Network Address Translation (NAT)

• When you wish to communicate between a private network host, and the Internet, the internal IP address is translated to an IP address that is acceptable to the Internet, using a Network Address Translation (NAT) device
• Possibilities include:
  – Mapping to a single external IP address
    • All traffic appears to be coming from the NAT device's IP address
    • Commonly used to connect a large network to the Internet when a limited number of IP addresses is available
  – 1-to-1 mapping
    • Each machine in the internal network could have its own unique external IP address
  – Dynamically allocated address
    • The NAT device could multiplex a large number of unroutable IP addresses to a smaller number of valid external IP addresses

NAT Security Benefits

• Firewalls often implement NAT
• Helps to hide the internal network's internal IP address usage
• By itself, NAT offers few security benefits, so NAT must be combined with a secure firewall implementation to maintain adequate security
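Added example (not from the slides) of the first NAT variant above, mapping a whole private network onto a single external address by rewriting source ports. It also shows where the "few security benefits" remark comes from: an inbound packet is admitted only if it reverses an existing outbound mapping, which is a side effect of the translation table rather than a policy the administrator controls, and it stops nothing that rides on an established mapping. The RFC 1918 check uses the full prefixes (10/8, 172.16/12, 192.168/16); the external address 203.0.113.1 and the port range are constructed.

```python
import ipaddress
import itertools
from typing import Dict, Optional, Tuple

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# A flow as seen from the private side: (private addr, private port, remote addr, remote port)
Flow = Tuple[str, int, str, int]


class PortMultiplexingNat:
    """Maps many private hosts onto one external address by rewriting source ports."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._next_port = itertools.count(first_port)        # constructed port pool
        self.outbound: Dict[Flow, int] = {}                  # private flow -> external port
        self.inbound: Dict[Tuple[int, str, int], Flow] = {}  # (ext port, remote, rport) -> flow

    def translate_out(self, src: str, sport: int, dst: str, dport: int) -> Tuple[str, int, str, int]:
        """Rewrite an outbound packet's source; returns the (src, sport, dst, dport) sent to the Internet."""
        if not is_private(src):
            raise ValueError("only RFC 1918 sources are translated")
        flow = (src, sport, dst, dport)
        if flow not in self.outbound:                        # first packet of this flow
            ext_port = next(self._next_port)
            self.outbound[flow] = ext_port
            self.inbound[(ext_port, dst, dport)] = flow
        return (self.external_ip, self.outbound[flow], dst, dport)

    def translate_in(self, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[str, int, str, int]]:
        """Rewrite an inbound packet's destination back to the private host, or None to drop it."""
        if dst != self.external_ip:
            return None
        flow = self.inbound.get((dport, src, sport))
        if flow is None:
            return None   # no mapping: unsolicited inbound traffic has nowhere to go
        private_ip, private_port, _, _ = flow
        return (src, sport, private_ip, private_port)
```

The 1-to-1 variant is the same structure with a fixed address map instead of an allocated port, and it has even less of the incidental inbound protection, since every inbound packet to a mapped address has a private host to land on; that is the case where a separate firewall rule set is indispensable.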
Virtual Private Networks (VPN)

• Many firewalls support Virtual Private Networks (VPNs)
• A VPN allows a user access from outside a firewall via a "tunnel", and as a result appear to actually be inside the internal network.
  – A tunnel is a point-to-point connection where the actual communication occurs across a network.
• Used to allow users who work from home or on the road to access their work systems in a secure fashion.
• VPN typically uses IPSec to encrypt the communications, using a modern block cipher, and thereby make eavesdropping extremely difficult

Summary

• We've discussed:
  – The principles of firewalls, what they can do, and cannot do
  – The different kinds of firewalls
  – The various firewall topologies
  – Additional functionality often supported by firewalls
• This was not a complete, comprehensive treatment of firewalls. To learn lots more detail about firewalls, see:
  Building Internet Firewalls (2nd Edition), by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman. Publisher: O'Reilly (January 15, 2000). ISBN: 1565928717
