Stephen S. Yau, CSE 465-591, Fall 2006
DMZ
The DMZ (stands for Demilitarized Zone) is a portion of a network that separates a purely internal network from an external network.
The DMZ is the place where public servers and proxies should be located.
A proxy is an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.
T1: ch23.3  T2: ch26.3
Firewalls
A firewall is a host that mediates access to a network, allowing and disallowing certain types of access on the basis of a configured security policy.
- Protects a network from external networks
- Blocks unwanted traffic and passes desirable traffic to and from both sides of the network
Examples:
- Allows: HTTP, mail
- Keeps out: suspected users, denial-of-service attacks, spam, viruses
T1: ch23.3.1  T2: ch26.3.1
Firewalls in Different Layers
Network layer: Packet-Filtering Firewalls
- Concerned with routing of packets to their destinations.
- Determine if a packet is from a permitted source to a permitted destination.
Transport layer: Circuit-Level Firewalls
- Concerned with the session of packets.
- Need more knowledge of the packet header to make decisions on accepting or denying packets.
Application layer: Application-Level Firewalls
- Concerned with the contents of packets.
- Need information about the data to make decisions on accepting or denying packets.
Further reading: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm
Packet Filtering Firewalls
A packet filtering firewall performs access control on the basis of attributes of the packet headers, such as destination address, source address, and options.
Whenever the network receives a packet, there are three possible actions:
- forward it to its destination
- block it
- return it to the sender
One of these actions is chosen according to a set of rules, usually in the form of "access control lists".
T1: ch23.3.1  T2: ch26.3.1
Rule  Source Address    Destination Address   Action
1     149.59.0.0/16     123.45.6.0/24         permit
2     149.59.34.0/24    123.45.0.0/16         deny
3     0.0.0.0/0         0.0.0.0/0             deny (default)
Packet Filtering Firewalls (cont.)
Factors which determine the actions:
- Source address
- Destination address
- Direction of traffic
Rules are applied top to bottom, ordered from least restrictive to most restrictive.
Packets are not scrutinized.
Auditing is possible.
An Example of Packet Filtering Firewall
[Figure: a network server implementing a packet-filtering firewall with the rule list
 Rule 1: 24.128.0.0/16, 4.0.0.0/8 deny
 Rule 2: 64.248.128.0/24, 8.16.192.0/24 permit
 ...
 Rule N: 34.128.0.0/16, 14.16.128.0/20 permit
 An incoming packet [source 24.128.34.8, destination 4.16.128.3] bound for the local network (4.0.0.0/8) is denied.
 An incoming packet [source 64.248.128.5, destination 8.16.192.7] bound for another network (8.16.192.0/24) is permitted.]
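The access-control-list table above and the diagram's rule list both use first-match, top-to-bottom evaluation with a default deny. The following Python is an added example (not from the slides or the textbooks) that implements that evaluation over both rule sets and adds an audit check for the ordering pitfall the slides mention: in the table, rule 1 permits any 149.59.0.0/16 source to 123.45.6.0/24 before the more specific rule 2 deny is ever consulted. The rules elided between Rule 2 and Rule N in the diagram are not invented; only the three shown are used.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: str           # rule label as it appears in the list ("1", "2", "N", ...)
    source: str           # source network in CIDR notation
    destination: str      # destination network in CIDR notation
    action: str           # "permit" or "deny"

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def matches(rule, src_ip, dst_ip):
    """True when the packet's source and destination both fall inside the rule's networks."""
    return (ipaddress.ip_address(src_ip) in _net(rule.source)
            and ipaddress.ip_address(dst_ip) in _net(rule.destination))

def filter_packet(rules, src_ip, dst_ip):
    """First-match evaluation, top to bottom. Returns (action, rule label).
    If no rule matches, the packet is dropped under an implicit default deny (label None)."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action, rule.number
    return "deny", None

def conflicting_overlaps(rules):
    """Audit helper: pairs (earlier, later) where the later rule's address ranges overlap
    an earlier rule that takes the opposite action. Under first-match evaluation the
    earlier rule wins on the overlap, so part of the later rule can never fire. The
    catch-all 0.0.0.0/0 default is skipped because it overlaps everything by design."""
    conflicts = []
    for i, later in enumerate(rules):
        if later.source == "0.0.0.0/0" and later.destination == "0.0.0.0/0":
            continue
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and _net(earlier.source).overlaps(_net(later.source))
                    and _net(earlier.destination).overlaps(_net(later.destination))):
                conflicts.append((earlier.number, later.number))
    return conflicts

# Access control list copied from the slide's table.
SLIDE_TABLE = [
    Rule("1", "149.59.0.0/16", "123.45.6.0/24", "permit"),
    Rule("2", "149.59.34.0/24", "123.45.0.0/16", "deny"),
    Rule("3", "0.0.0.0/0", "0.0.0.0/0", "deny"),          # explicit default
]

# Rules shown in the example diagram; the rules between 2 and N are elided on the slide.
DIAGRAM_RULES = [
    Rule("1", "24.128.0.0/16", "4.0.0.0/8", "deny"),
    Rule("2", "64.248.128.0/24", "8.16.192.0/24", "permit"),
    Rule("N", "34.128.0.0/16", "14.16.128.0/20", "permit"),
]

if __name__ == "__main__":
    for src, dst in [("24.128.34.8", "4.16.128.3"), ("64.248.128.5", "8.16.192.7")]:
        print(src, "->", dst, filter_packet(DIAGRAM_RULES, src, dst))
    # Permitted by rule 1 before rule 2 is reached, even though rule 2 names this source.
    print(filter_packet(SLIDE_TABLE, "149.59.34.5", "123.45.6.9"))
    print("ordering conflicts (earlier, later):", conflicting_overlaps(SLIDE_TABLE))
```

`conflicting_overlaps` reports `("1", "2")` for the table: whether that is intended depends on the policy, but a packet filter cannot tell, which is why the slides stress rule order.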
Circuit-Level Firewalls
- Validates sessions before opening connections (handshakes)
- Once a connection is made, all packets related to that connection pass
- Packets are not scrutinized
- No direct connections with other networks without validation
Circuit-Level Firewalls (cont.)
Establishes two connections:
- Between client and firewall
- Between firewall and server
Implemented using sockets (a socket is an IP address + port number).
Manipulating an established connection is easy.
Packets are not scrutinized.
Auditing is possible.
An Example of Circuit-Level Firewall
Network News Transfer Protocol (NNTP):
- The NNTP server connects to the firewall.
- Internal systems' NNTP clients connect to the firewall.
- The circuit-level firewall simply passes bytes between the systems.
[Figure: Internal Systems (NNTP clients) <-> Circuit-Level Firewall (Choke Point) <-> External Servers (NNTP news providers)]
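The two preceding slides describe the circuit-level model: validate the session during a handshake, then hold two connections (client to firewall, firewall to server) and relay bytes without inspecting them. The following Python is an added example, not code from the slides, of that choke point on loopback. The handshake line `CONNECT host:port` is a toy protocol invented for the example, the policy is a plain allow-list of destination sockets, and the echo server stands in for the external NNTP server; the audit log shows why the slides say auditing is possible even though packets are not scrutinized.

```python
import socket
import threading

def _read_line(conn):
    """Read one newline-terminated line (the toy handshake) byte by byte so
    nothing after the newline is consumed from the stream."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace").strip()

def _pump(src, dst):
    """Copy bytes unchanged from src to dst until src closes; the firewall
    never looks at the payload (packets are not scrutinized, only relayed)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate end-of-stream to the other side
        except OSError:
            pass

class CircuitLevelFirewall:
    """Validates the requested session during the handshake, then keeps two
    connections (client<->firewall, firewall<->server) and relays between them."""

    def __init__(self, allowed_destinations):
        self.allowed = set(allowed_destinations)   # {(host, port)} sessions the policy permits
        self.audit_log = []                         # (client address, requested destination, decision)
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))       # ephemeral loopback port
        self._listener.listen(5)

    @property
    def address(self):
        return self._listener.getsockname()

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def _accept_loop(self):
        while True:
            client, client_addr = self._listener.accept()
            threading.Thread(target=self._handle, args=(client, client_addr), daemon=True).start()

    def _handle(self, client, client_addr):
        client.settimeout(5.0)
        request = _read_line(client)                 # handshake line: "CONNECT host:port"
        try:
            verb, target = request.split(" ", 1)
            host, port = target.rsplit(":", 1)
            dest, valid = (host, int(port)), verb == "CONNECT"
        except ValueError:
            dest, valid = None, False
        if not valid or dest not in self.allowed:
            self.audit_log.append((client_addr, dest, "deny"))
            client.sendall(b"DENIED\n")
            client.close()
            return
        upstream = socket.create_connection(dest, timeout=5.0)   # second connection: firewall -> server
        self.audit_log.append((client_addr, dest, "permit"))
        client.sendall(b"OK\n")
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

def start_echo_server():
    """Stand-in for the external server (constructed for this example): echoes bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def through_firewall(firewall_addr, dest, payload):
    """Client side: request a session to dest, send payload, collect the reply.
    Returns (handshake reply, bytes received)."""
    with socket.create_connection(firewall_addr, timeout=5.0) as c:
        c.sendall(f"CONNECT {dest[0]}:{dest[1]}\n".encode())
        reply = _read_line(c)
        if reply != "OK":
            return reply, b""
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)                   # done sending; wait for the echo to drain
        received = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
        return reply, received

if __name__ == "__main__":
    echo = start_echo_server()
    fw = CircuitLevelFirewall(allowed_destinations=[echo]).start()
    print(through_firewall(fw.address, echo, b"hello through the choke point"))
    print(through_firewall(fw.address, ("127.0.0.1", 9), b"not a validated session"))
    print(fw.audit_log)
```

The only policy decision happens before the second connection is opened; once the session is up, `_pump` is the whole firewall, which is exactly the "bytes pass, packets not scrutinized" behaviour the slides describe.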
Application-Level Firewalls
An application-level firewall (also called a proxy firewall) uses proxies to perform access control.
- Acts as a proxy server; evaluates requests and decides according to security concerns
- Two connections per session
- All packets are scrutinized
- Auditing is possible
T1: ch23.3.1  T2: ch26.3.1
Application-Level Firewalls (cont.)
Access control is based on the contents of packets and messages, as well as on attributes of packet headers.
Direct connections between two endpoints through a proxy firewall are not allowed.
[Figure: incoming and outgoing packets pass from the network layer up to the application-level proxy, where accept/deny rules are applied before anything reaches the applications.]
An Example of Application-Level Firewall
Simple Mail Transfer Protocol (SMTP) Proxies
- SMTP application proxies are configured to allow only necessary SMTP commands, such as helo, mail from: and rcpt to:, to pass through the firewall.
- Stop the "expn" command, which tries to expand a list.
- Stop the "vrfy" command, which tries to verify that an account exists.
- The above are used by attackers and spammers to enumerate e-mail accounts.
- MIME type and message size can be used to filter traffic.
An Example of Application-Level Firewall (cont.)
[Figure: a network server implementing an application firewall for SMTP/POP/IMAP sits between the local network's mail clients and the outside. Deny: expn, vrfy. Allow: helo, mail from:.
 An incoming/outgoing request for SMTP <expn> is denied.
 Incoming/outgoing mail using <helo>; <mail from:> is permitted.]
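The SMTP proxy slides above give the policy in prose: pass only the commands a mail session needs, refuse expn and vrfy, and optionally filter on message size and MIME type. The following Python is an added example, not code from the slides, that applies that policy to a constructed client transcript. The slides name helo, mail from: and rcpt to:; EHLO, DATA, RSET, NOOP and QUIT are added on the assumption that a session cannot complete without them, and the reply codes (502 for a refused command, 552 for an oversized message, 550 for a blocked content type) are the author's choice of standard SMTP-style replies, not something the slides specify.

```python
# Commands the proxy lets through. The slides name helo, mail from: and rcpt to:;
# the others are assumed necessary for a mail session to complete.
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# Account-enumeration commands the slides say to stop.
BLOCKED_COMMANDS = {"EXPN", "VRFY"}

def check_message(lines, max_bytes, blocked_mime_types):
    """Content checks on a collected message (header lines, blank line, body lines).
    Returns an SMTP-style reply string."""
    size = sum(len(line.encode()) + 2 for line in lines)      # +2 for the CRLF on the wire
    if size > max_bytes:
        return "552 message size exceeds the proxy limit"
    for line in lines:
        if line == "":                                          # blank line ends the headers
            break
        if line.lower().startswith("content-type:"):
            mime = line.split(":", 1)[1].split(";", 1)[0].strip().lower()
            if mime in blocked_mime_types:
                return "550 content type not permitted by policy"
    return "250 OK"

def proxy_session(client_lines, max_bytes=10_000_000, blocked_mime_types=frozenset()):
    """Feed a client transcript (one command per line; a message follows DATA and ends
    with a lone '.') through the proxy policy. Returns (replies, audit): replies is a
    list of (client line, proxy reply); audit records what the proxy refused."""
    replies, audit = [], []
    i = 0
    while i < len(client_lines):
        line = client_lines[i]
        i += 1
        verb = line.split(" ", 1)[0].upper()
        if verb in BLOCKED_COMMANDS:
            replies.append((line, "502 command not implemented"))   # refused; session continues
            audit.append(("blocked", line))
        elif verb not in ALLOWED_COMMANDS:
            replies.append((line, "500 command not recognized"))
            audit.append(("unknown", line))
        elif verb == "DATA":
            replies.append((line, "354 start mail input"))
            message = []
            while i < len(client_lines) and client_lines[i] != ".":
                message.append(client_lines[i])
                i += 1
            i += 1                                                  # consume the terminating "."
            verdict = check_message(message, max_bytes, blocked_mime_types)
            replies.append((".", verdict))
            if not verdict.startswith("250"):
                audit.append(("message rejected", verdict))
        else:
            replies.append((line, "250 OK"))
    return replies, audit

# Constructed transcript: a legitimate session with two enumeration attempts mixed in.
SAMPLE_SESSION = [
    "HELO mail.example.com",
    "VRFY postmaster",
    "EXPN all-staff",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "From: alice@example.com",
    "To: bob@example.net",
    "Subject: status",
    "Content-Type: text/plain",
    "",
    "All quiet on the mail gateway.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, audit = proxy_session(SAMPLE_SESSION, blocked_mime_types={"application/x-msdownload"})
    for client_line, reply in replies:
        print(f"C: {client_line:<32} S: {reply}")
    print("audit:", audit)
```

Because the proxy answers the refused commands itself, the client never learns whether the account or list exists, which is the point of stopping expn and vrfy at the firewall; the audit entries give the log record the slides say an application-level firewall makes possible.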
An Example of Using Firewalls
Requirements of the Drib Corporation:
- The Drib wants the public to be able to access its web server and mail server, and no other services.
- The Drib wishes to check all incoming e-mail for computer viruses, and all web connections for attacks.
- The Drib has sensitive data which it does not want outsiders to see.
- The Drib allows file sharing among its systems. It does not want the packets containing sensitive information to leak to the Internet.
T1: ch23.3  T2: ch26.3
An Example of Using Firewalls (cont.)
Desirable Network Infrastructure
- The public entities should be confined to the DMZ area.
- The outer firewall presents an interface between the DMZ and the Internet that allows connections to the WWW service (HTTP and HTTPS) and to the electronic mail (SMTP) service.
- Proxies with virus and attack scanning programs should be implemented at the outer firewall.
- The Drib's most sensitive data and systems should reside in the internal network.
- The inner firewall, sitting between the DMZ and the internal network, will block all traffic except that specifically authorized to enter the internal network.
An Example of Using Firewalls (cont.)
[Figure: network designed for the Dribble Corporation. The Internet connects through the Outer Firewall to the DMZ, which holds the Mail server, Web Server and DNS server. The Inner Firewall separates the DMZ from the INTERNAL network, which holds the Internal DNS server, Internal mail server, Corporate data subnet, Customer data subnet and Development subnet.]
An Example of Using Firewalls (cont.)
Outer firewall configuration
The outer firewall is a proxy-based firewall.
- When an e-mail connection is initiated, the mail proxy on the firewall collects the mail and analyzes it for computer viruses and other forms of malicious logic. If none is found, it forwards the mail to the DMZ mail server.
- Similarly, when a web connection arrives, the web proxy scans the message for any suspicious components; if none is found, it forwards the messages to the DMZ web server.
[Figure: Internet <-> Outer Firewall <-> DMZ (Mail server, Web Server)]
An Example of Using Firewalls (cont.)
Inner firewall configuration
The inner firewall is also a proxy-based firewall.
- Mail connections through the inner firewall are allowed, and all e-mail is sent to the DMZ mail server for disposition.
- Packets containing sensitive information (detected by the proxies in the inner firewall) are not allowed to reach the DMZ.
- All other traffic, including web access, is blocked.
[Figure: DMZ <-> Inner Firewall <-> INTERNAL network (Internal DNS server, Internal mail server, Corporate data subnet, Customer data subnet, Development subnet)]
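The Drib slides (requirements, desirable infrastructure, and the outer and inner firewall configurations) together define a two-firewall, three-zone policy. The following Python is an added example, not code from the slides or the textbooks, that models that policy so each requirement can be checked as a flow. Assumptions: the zones are named internet, dmz and internal; a flow between the Internet and the DMZ crosses the outer firewall, between the DMZ and the internal network the inner one, and between the Internet and the internal network both; the outer firewall's HTTP/HTTPS/SMTP rule is applied to both directions between the Internet and the DMZ (the slides describe the inbound case); the `sensitive` flag stands in for the inner firewall's proxies having detected sensitive content, and the virus and attack scanning at the outer firewall is outside the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str            # "internet", "dmz" or "internal" (assumed zone names)
    dst_zone: str
    service: str             # "http", "https", "smtp", ...
    sensitive: bool = False  # would the inner firewall's proxies flag the content as sensitive?

OUTER_SERVICES = {"http", "https", "smtp"}   # the public WWW and e-mail services

def outer_firewall(flow):
    """Outer firewall between the Internet and the DMZ: only the public web and mail
    services, and only between those two zones, so nothing reaches the internal
    network directly from the Internet. Proxy scanning is not modelled here."""
    if {flow.src_zone, flow.dst_zone} == {"internet", "dmz"} and flow.service in OUTER_SERVICES:
        return "permit"
    return "deny"

def inner_firewall(flow):
    """Inner firewall between the DMZ and the internal network: mail only, never packets
    the proxies flag as sensitive; everything else, including web access, is blocked."""
    if flow.service == "smtp" and not flow.sensitive:
        return "permit"
    return "deny"

def firewalls_on_path(src_zone, dst_zone):
    """Firewalls a flow crosses, in the order it meets them. Internet<->DMZ crosses the
    outer one, DMZ<->internal the inner one, Internet<->internal both; a flow that stays
    inside one zone (e.g. internal file sharing) crosses none."""
    position = {"internet": 0, "dmz": 1, "internal": 2}
    a, b = position[src_zone], position[dst_zone]
    step = 1 if b > a else -1
    boundary = {(0, 1): ("outer", outer_firewall), (1, 2): ("inner", inner_firewall)}
    return [boundary[tuple(sorted((z, z + step)))] for z in range(a, b, step)]

def evaluate(flow):
    """Walk the flow through every firewall on its path, stopping at the first deny.
    Returns (permitted, [(firewall name, decision), ...])."""
    decisions = []
    for name, check in firewalls_on_path(flow.src_zone, flow.dst_zone):
        decision = check(flow)
        decisions.append((name, decision))
        if decision == "deny":
            return False, decisions
    return True, decisions

if __name__ == "__main__":
    # Constructed flows, one per Drib requirement.
    for flow in [
        Flow("internet", "dmz", "https"),                    # public web access: permitted
        Flow("internet", "dmz", "ssh"),                      # no other services: denied at outer
        Flow("internet", "internal", "smtp"),                # no direct path inward: denied at outer
        Flow("internal", "dmz", "smtp"),                     # outbound mail via DMZ server: permitted
        Flow("internal", "dmz", "smtp", sensitive=True),     # sensitive data must not leak: denied at inner
        Flow("internal", "internet", "http"),                # web access from inside: denied at inner
        Flow("internal", "internal", "smb"),                 # file sharing among internal systems: no firewall
    ]:
        print(flow, "->", evaluate(flow))
```

Walking the flow hop by hop is what makes the design's defence in depth visible: a mistake in the inner firewall still leaves the outer one refusing every non-DMZ destination, and vice versa.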
Choosing a Firewall
- What OS is required, and what other OSs are supported?
- How much CPU/RAM/disk space does it need?
- What is the authentication scheme?
- Does it support logging?
- What hardware is provided?
- What software is provided?
- What is the cost of installing and operating the firewall?
- What other features are there?
Firewall Design Criteria
Organizations deciding to use firewalls must analyze their security needs. Potential risks and threats must be contemplated.
The following considerations may affect the design and extensiveness of implementation of firewalls:
- Organizational policies
- What level of access control does management want?
- The desired level of monitoring and access must be determined.
- What level of risk is the organization willing to accept?
Firewall Design Criteria (cont.)
- A checklist of what messages should be monitored, permitted and denied must be established.
- The cost of various firewall programs, including ongoing maintenance, must be considered against the potential threat. What would be the potential cost/damage of attacks on the system from outside?
- The number, placement, and types of firewalls to be used must be determined.
- Firewalls should have packet filtering, circuit-level controls, and application-level proxies in order to provide effective security.
- What is the estimated overhead in using the selected firewalls?
Some Commercially Available Firewalls
- Hardware: Linksys Etherfast Cable/DSL Firewall Router, Microsoft MN-100, D-Link Express EtherNetwork
- Mac OS X servers: DoorStop Server Firewall, Firewall X2, Impasse, IPNetSentry, Net Barrier
- Linux: IP tables, SINUS, ipchains
- Windows: BlackICE, Kerio, McAfee, Norton Personal Firewall, Outpost, Sygate, Terminet, and ZoneAlarm
References
- Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997
- M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN 0131547291
- J. G. Boyce, D. W. Jennings, Information Assurance: Managing Organizational IT Security Risks, Butterworth-Heinemann, 2002, ISBN 0-7506-7327-3
- http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html