DREXEL ECES 490 - Lec41e

Telecommunications Networking II
Lecture 41e: Firewalls
Ref: Firewalls and Internet Security, W.R. Cheswick and S.M. Bellovin

Outline
Slide 1: Firewalls (Ref: Firewalls and Internet Security, W.R. Cheswick and S.M. Bellovin)
Firewall
Firewalls
Slide 5: Packet Filter (ref: Firewalls and Internet Security)
Packet Filters
Slides 8-11
Where to put the filters
Slide 13
Comments
Application Level Gateways
Circuit Level Gateways

Firewall
• A firewall is a mechanism through which we can attempt to protect a collection of computers and networks within an enclave from attacks launched from outside of the protected enclave
• Firewalls can also be used to provide barriers between subsets of computers and networks within an enclave

Firewalls
[Figure: an ENCLAVE separated from "the rest of cyberspace" by a gateway computer]

Firewalls
[Figure: Subnet 1 and Subnet 2 inside the enclave, with the rest of cyberspace outside]

Packet Filter
ref: Firewalls and Internet Security

action  ourhost  port  theirhost  port  comment
block   *        *     spigot     *     block these guys
allow   our GW   25    *          *     our GW's mail
allow   *        *     *          25    ???

Packet Filters
• In the previous slide, we filter packets on the basis of which of "our hosts" (inside the firewall) and which of "their hosts" (outside the firewall), and which ports, are involved in a TCP connection, independent of which end established the connection
• The first rule keeps spigot from participating in TCP connections with our hosts (we block packets to/from spigot)

Packet Filters
• The second rule allows any host to establish a connection to port 25 (SMTP = mail) on our gateway machine
• The last rule says that any of our hosts can participate in a port 25 (SMTP = mail) TCP connection with any other host. This is dangerous, because an exterior host could use its port 25 to initiate a connection to one of our hosts for a purpose other than mail

Packet Filter
ref: Firewalls and Internet Security

action  source      port  dest  port   flags
allow   {ourhosts}  *     *     *
allow   *           *     *     *      ACK
allow   *           *     *     >1023

Packet Filters
• In the previous slide, we implement filtering based on which host has originated the TCP session
• In particular, if a packet is an initial request to open up a TCP session, it does not have the TCP "ACK" bit set. All other packets have the "ACK" bit set. Therefore, we can block TCP connections that are initiated by "their host" (outside of the firewall)

Packet Filters
• We assume that our hosts will reject packets with the ACK bit set if the corresponding TCP connection has not been initiated
• Thus a host that is not one of our hosts cannot establish a TCP connection under either of the first two rules
• The last rule allows external hosts to establish a TCP connection to our hosts if the target port number is higher than 1023

Where to put the filters
[Figure: Subnet 1 and Subnet 2 inside the enclave, with the rest of cyberspace outside]

Where to put the filters
• The location of the filters is critical for
  - catching problems as close to the source as possible
  - identifying the link on which a packet has arrived

Comments
• The lack of authentication of packet sources and of routes taken by packets, as well as opportunities to modify packets in transit, make the packet filtering problem much harder

Application Level Gateways
• This type of gateway acts as an intermediary between outside hosts and inside hosts (their hosts and our hosts) by accepting packets associated with a specific application (e.g., Email) and scrutinizing the contents of those packets (or sets of related packets) at the application level.
• An application level gateway can also provide useful functions, such as mail forwarding and reformatting

Circuit Level Gateways
• A circuit level gateway acts as an intermediary between two hosts that wish to establish a TCP connection between them. The TCP connection is established host-to-gateway-to-host. Since the gateway is in the middle of the TCP connection (not just looking at isolated packets) it can monitor and control some aspects of the connection (e.g., the number of bytes that are transferred, and how fast bytes can move through the
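As an added example (not code from the lecture or from the Cheswick and Bellovin text), here is a minimal stateless packet filter in Python that evaluates the second rule set above (source, port, dest, port, flags) with first-match-wins semantics. It assumes a default deny for packets no rule matches, a constructed set of inside addresses standing in for {ourhosts}, and a constructed external address; the sample packets walk through the cases the slides discuss, including the ">1023" rule that lets an outside host open a connection to a high port.

```python
from dataclasses import dataclass

# Constructed sample of "our hosts" (inside the enclave); not from the lecture.
OUR_HOSTS = {"10.0.0.5", "10.0.0.6"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # TCP ACK flag: clear only on the initial connection request


def match_host(pattern, host):
    if pattern == "*":
        return True
    if pattern == "{ourhosts}":
        return host in OUR_HOSTS
    return pattern == host


def match_port(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


# The slide's rows: (action, source, port, dest, port, flags); "" = no flag test.
RULES = [
    ("allow", "{ourhosts}", "*", "*", "*", ""),
    ("allow", "*", "*", "*", "*", "ACK"),
    ("allow", "*", "*", "*", ">1023", ""),
]


def filter_packet(pkt, rules=RULES):
    """Return the action of the first matching rule; block if none matches."""
    for action, src, sport, dst, dport, flags in rules:
        if (match_host(src, pkt.src) and match_port(sport, pkt.sport)
                and match_host(dst, pkt.dst) and match_port(dport, pkt.dport)
                and (flags == "" or (flags == "ACK" and pkt.ack))):
            return action
    return "block"  # assumed default: anything unmatched is dropped


if __name__ == "__main__":
    outside = "203.0.113.9"  # constructed external host
    print(filter_packet(Packet("10.0.0.5", 40000, outside, 80, False)))  # allow: we open
    print(filter_packet(Packet(outside, 80, "10.0.0.5", 40000, True)))   # allow: reply to us
    print(filter_packet(Packet(outside, 40000, "10.0.0.5", 25, False)))  # block: they open
    print(filter_packet(Packet(outside, 40000, "10.0.0.5", 6000, False)))  # allow: port > 1023
```

The third packet is an outside host's initial request (no ACK) to a low port and is dropped, while the fourth shows that the same request to a port above 1023 passes under the last rule, which is the weakness the slide points out.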

