Firewalls

First notions

Types of outsider attacks
- Intrusions
- Data compromise (confidentiality, integrity)
- Web defacement (availability, reputation)
- Zombie recruitment (DoS, liability risk)
- Denial-of-service attacks
- Sniffing / information theft

Why firewalls?
Arguments against firewalls:
- Host security measures are effective
- Firewalls increase Internet latency and impose arbitrary limitations on legitimate Internet usage
Arguments against host-based security only:
- Consistency is administratively hard to enforce across many hosts
- Firewalls may actually increase the internally available bandwidth by blocking bad traffic
- Scalability: network vs. host security model

Internet Firewalls
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Firewalls can:
- Enforce security policies that decide which traffic to allow and which to block on the firewalled channel
- Log security-related information
- Reduce the visibility of the network

Firewalls cannot:
- Protect against previously unknown attack types
- Protect against insiders, or against connections that do not go through the firewall
- Provide full protection against viruses

Services typically protected
- HTTP/HTTPS
- FTP
- SSH
- SMTP
- DNS

Firewall Configurations

Single-Box Architectures
- Simple to manage; available from vendors
- Single point of failure; no defense in depth
- Types: screening router, dual-homed host

Screening Router
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Dual-Homed Host
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Screened Host Architecture
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Screened Subnet Architectures
- Adds an extra layer of security to the screened host architecture
- A perimeter network isolates the internal network from the Internet
- Components: perimeter network, bastion host, internal router, external router

Screened network
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Services on the Bastion Host
- Incoming connections from the Internet: DNS queries, FTP download requests, incoming mail (SMTP) sessions
- Outgoing connections are protected by either:
  - Packet filtering (direct access to the Internet via the screening routers)
  - Proxy services on the bastion host(s)

Split-screened subnet
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Multiple Internet Connections
(Picture from textbook: Building Internet Firewalls, by Zwicky et al.)

Variations
- For high performance, use multiple bastion hosts
- OK to merge a bastion host with an external router
- Not OK to merge a bastion host with an internal router
- Bad to have multiple interior routers on the same perimeter network

Internal Firewalls
(Picture from textbook: Building Internet Firewalls, by Zwicky et
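As an added example (not from the slides or from the textbook), the following Python models the inbound policy of the external screening router in a screened-subnet architecture: a first-match packet filter that admits only the services the bastion host offers (DNS, FTP control, SMTP), refuses anything addressed to the internal network, drops packets that spoof an inside source, logs every decision, and denies by default. It illustrates both the "enforce policy and log" role of a firewall and the bastion-host service list above. The topology, addresses (documentation ranges), rule set, and the names `Packet`, `Rule` and `filter_packet` are assumptions made for the example.

```python
"""First-match packet filter modelling the inbound policy of the external
(screening) router in a screened-subnet firewall.  Added example: the
topology, addresses and rule set below are assumptions, not the slides'."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed topology: internal network behind the interior router, perimeter
# network holding the bastion host (RFC 5737 documentation ranges).
ANY = ip_network("0.0.0.0/0")
INTERNAL_NET = ip_network("10.0.0.0/8")
PERIMETER_NET = ip_network("192.0.2.0/24")
BASTION = ip_network("192.0.2.10/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    new_conn: bool = True  # TCP SYN without ACK, i.e. a new inbound connection


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    new_conn: Optional[bool] = None  # None matches both new and established
    why: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.new_conn is None or p.new_conn == self.new_conn))


# Rules evaluated top to bottom for packets arriving on the Internet-facing
# interface; the first match wins and anything unmatched is denied.
EXTERNAL_ROUTER_INBOUND = [
    # Anti-spoofing: a packet from the Internet can never carry an inside source.
    Rule("deny", INTERNAL_NET, ANY, why="spoofed internal source address"),
    Rule("deny", PERIMETER_NET, ANY, why="spoofed perimeter source address"),
    # Services the bastion host offers to the Internet (DNS, FTP, SMTP).
    Rule("allow", ANY, BASTION, "udp", 53, why="DNS query to bastion"),
    Rule("allow", ANY, BASTION, "tcp", 53, why="DNS over TCP to bastion"),
    Rule("allow", ANY, BASTION, "tcp", 21, why="FTP control channel to bastion"),
    Rule("allow", ANY, BASTION, "tcp", 25, why="incoming SMTP to bastion"),
    # The Internet must never reach the internal network directly.
    Rule("deny", ANY, INTERNAL_NET, why="internal network not reachable from the Internet"),
    # Return traffic for connections the bastion opened outwards (not SYN-only).
    Rule("allow", ANY, PERIMETER_NET, "tcp", new_conn=False,
         why="reply to an outgoing connection from the perimeter"),
]


def filter_packet(p: Packet, rules=EXTERNAL_ROUTER_INBOUND, log=None) -> str:
    """Return "allow" or "deny" for p and append a one-line audit record to log."""
    action, why = "deny", "default deny"
    for r in rules:
        if r.matches(p):
            action, why = r.action, r.why
            break
    if log is not None:
        log.append(f"{action.upper()} {p.proto} {p.src} -> {p.dst}:{p.dport} "
                   f"{'new' if p.new_conn else 'established'} ({why})")
    return action


if __name__ == "__main__":
    audit = []
    # Constructed sample traffic: an Internet host (198.51.100.7) probes the site.
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 25),   # SMTP to bastion
        Packet("198.51.100.7", "192.0.2.10", "udp", 53),   # DNS to bastion
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22),   # SSH to bastion: not offered
        Packet("198.51.100.7", "10.1.2.3", "tcp", 25),     # SMTP straight to an internal host
        Packet("10.9.9.9", "192.0.2.10", "tcp", 25),       # spoofed internal source
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443, new_conn=False),  # reply to bastion's fetch
    ]
    for pkt in samples:
        filter_packet(pkt, log=audit)
    print("\n".join(audit))
```

Two practitioner caveats the rule set makes visible. First, it only admits the FTP control channel on port 21; passive-mode data connections arrive on ephemeral ports of the bastion and need either a stateful FTP helper or an explicit passive port range, which is one reason the slides' "proxy services on the bastion host" option exists. Second, the "reply" rule trusts the absence of a SYN-only flag rather than real connection state, so a stateless screening router still lets an attacker send non-SYN segments to any perimeter port; a stateful filter that tracks the bastion's outgoing connections closes that gap.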