Security Firewall

Firewall design principle.

Firewall Characteristics.
Types of Firewalls.
Firewall Components & Configurations.

Firewall Design Principles .

Information System undergo a steady
evolution( from small LANs to Internet
connectivity).
Strong security features for all
workstations and servers not established.

Firewalls
Effective means of protection a local
system or network of systems from
network_based security threats while
affording access to the outside world via
WANs or the Internet.

Firewall Design Principles

The firewall is interested between the

permission network and internet.
Aims :
1. Establish a controlled link.
2. Protect the premises network from
internet_based attacks.
3. Provide a single choke point.

Firewalls Characteristics
Design goals:
1. All traffic form the inside to outside must
pass through the firewall (physically
blocking all access to the local network
except via firewall).
2. Only Authorized traffic ( defined by the
local security policy) will be allowed to
pass.

Firewall Characteristics
Design goals:
3. The firewall itself is immune to penetration
( use of trusted systems with secure
operating systems).

Firewall Characteristics
Four General Technologies:
1. Service Control: determines the types of
the internet services that can be
accessed, in bounded or out bounded.
2. Direction Control: determines the
direction in which particular services
requests are allowed to flow.

Firewall Characteristics
3. User Control: controls access to a service
according to which user is attempting to
access it.
4. Behavior Control: controls how particular
service are used (e.g. filter e-mail)

Types of Firewalls

1.
2.
3.
4.

Three common types of firewalls:

Packet-filtering-router.
Application-level-Gateways.
Circuit-level-Gateways.
(Bastion Host).

Packet-Filtering-Router
Packet Filtering Router firewalls.
Internet

Private Network

Packet
Filtering
Router
Figure ( Packet Filtering Router Firewall).

Packet-Filtering-Router
Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet.
Filter packets going in both directions.
The packet filter is typically set up as a list
of rule based on matches to fields in the IP
or TCP header.
Two default polices( discards or forwards).

Packet-Filtering-Router

1.
2.
3.

1.
2.

Advantages:
Simplicity.
Transparency to users.
High speed
Disadvantages:
Difficulty of setting up packet filter walls.
Lack of Authentication.

Application-Level-Gateway
Application Level
Gateway Firewall.

Inside Host
TELNET

Outside Host

FTP
SMTP
Outside
Connection

HTTP

Inside
Connection

Figure (Application Level Gateway).

Application-Level-Gateway
Also called (Proxy Server).
Acts as relay of application level traffic.

Application-Level-Gateway
Advantages:
1. Higher security than packet filter
2. Only need securitize a few allowable
applications.
3. Easy to log and audit all incoming traffic.
Disadvantages:
Additional processing overhead on each
connection (Gateway as splice point).

Circuit Level Gateway

Circuit Level
Gateway.
OUT

Outside host &

outside
connection

IN

OUT

IN

OUT

IN

OUT

IN

Inside host &

inside
connection

Circuit Level Gateway

Stand-alone system or specialized
function performed by Application level
gateway.
Sets up two TCP connections.
The gateway typically relays TCP
segments from one connection to the
other without examining the contents.

Circuit Level Gateway

The security function consists of which
connections to be allowed.
Typically use is a situation in which the
system administrators trusts the internal
users.
An example is the SOCKS package.

Bastion Host
A system identified by the firewall
administrator as critical strong point in the
networks security.
The Bastion host serves as a platform for
an application-level or circuit-level
gateway.

Bastion Host
In addition to the use of simple
configuration of single system ( single
packet filtering router or single gateway),
more complex configurations are possible.
Three common configurations

Screened host firewall system

Also called single
homed bastion host
Internet

Information
Server

Bastion
Host

Private
Network

Screened host firewall (1)

Configuration:
- Consists of two systems which are:
1. Packet filtering router.
-Only packets from and to the bastion host
are allowed to pass through server.
2. Bastion Host.
- Authentication and Proxy functions.

Screened host firewall (2)

Greater security that the single

configuration because of two reasons:
1. This configuration implements both
packet level and application level filtering
( allowing for flexibility in defining security
policy).
2. An intruder must generally penetrate two
separate systems.

Screened host firewall (3)

This configuration also affords flexibility in
providing direct internet access ( public
information server, e.g. web server).

Dual Homed Bastion Host

Dual Homed Bastion Host.

INTERNET

Information
Server

Bastion
Host

Private
Network

Dual Homed Bastion Host

The packet filtering router is not
completely compromised.
Traffic between the internet and other
hosts on the private network has to flow
through the Bastion host.

Screened Subnet Firewall System

See Figure.

Information
Server
Modem

Private
Network

INTERNET

Bastion
Host

Screened Subnet Firewall System

Most secured configuration of all the three
known techniques in the bastion host.
Two packet filtering routers are used.
Creation of an isolated sub-network.

Screened Subnet Firewall System

Advantages:
- Three levels of defense to thwart intruders.
- The outside router advertises only the
existence of the screened sub-net to the
internet ( Internal network is invisible to the
internet).

Screened Subnet Firewall System

Advantages:
- The inside router advertises only the
existence of the screened sub-net to the
internal network ( the systems on the
inside cannot construct direct routes to the
internet.