UAB CS 434 - Internet Security and Firewall Design


Chapter 30 – Internet Security and Firewall Design

30.13 Firewalls and Internet Access
(Figure: "Intranet")

30.13 Firewalls and Internet Access - continued
Successful access control and content protection requires a careful combination of:
► restrictions on network topology
► intermediate information staging
► packet filters

30.14 Multiple Connections and Weakest Links
Refers to the first item above.
In general, an organization's intranet has multiple connections to the Internet.
Must form a security perimeter by installing a firewall at each connection.
All firewalls must be configured to have the same access restrictions, else entry is possible through the "weakest link."

30.15 Firewall Implementation and Packet Filters
Refers to the 3rd item.
We have previously seen an additional capability added to a router – NAT.
Now we add another capability – a packet filter.
Recall:
► restrictions on network topology
► intermediate information staging
► packet filters
Usually, a packet filter allows a manager to identify classes of datagrams by specifying arbitrary combinations of:
► source IP address
► destination IP address
► protocol
► source port
► destination port
► arrival interface

30.15 Firewall Implementation and Packet Filters - continued
A packet filter is stateless: it treats each datagram in isolation, neither "remembering" datagrams that arrived earlier nor keeping any record of the current one, apart from possibly writing to a log.
We hope that the packet filter will operate at wire speed, not delaying incoming IP datagram traffic.

Figure 7.2
Recall row-by-row table search in routing.

30.15 Firewall Implementation and Packet Filters - continued
When an IP datagram arrives, the packet filter will work through this table, row by row. If the datagram matches the specification on any row, the datagram will be filtered/blocked/discarded.
(Figure: filter table, example address 128.5.0.0)
The ports are not in the IP datagram header, so the modified router must "drill down" into the data.

Like NAPT, packet filtering gets the router involved in layer 4! (looking inside the "data" of the IP datagram, not just the header)
(Figure: Transport layer)

30.16 Security and Packet Filter Specification
This packet filter has specified a small list of services to be blocked.
This does not work well, because:
► the number of well-known (i.e. server) ports is large and growing
► some Internet traffic does not travel to or from the well-known ports (e.g. an organization can run a WWW server on port 8080 instead of 80)
► listing ports of well-known services leaves the firewall vulnerable to tunneling (needs an inside accomplice).
This suggests reversing the idea of the filter: instead of specifying the types of datagram that should be filtered, specify the types that should be forwarded. Everything else is filtered.

30.17 Consequences of Restricted Access for Clients
Problem with this scheme: it prevents a client inside the firewall from receiving a reply from a server outside the firewall.
Why? Because the client chooses a source port at random, in the range 1024 to 65,536. In the server's reply the client's source port becomes the destination port. The packet filter would have to be configured to forward all of these possibilities.

30.18 Stateful Firewalls
Recall that basic packet filters are stateless. They treat each IP datagram separately and keep no record of datagrams received.
Stateful firewalls watch outgoing requests and adapt the filter rules to accommodate the replies.
Example:
An internal client sends a TCP connection request to an external WWW server.
The stateful firewall records this as the two endpoints of the requested connection:
( IPsource, Portsource, IPdest, 80 )
When the server returns a connection accept, the firewall will recognize this as a response to the request and forward it to the client.
This is additional to the packet filter, so actions can still be prohibited, as determined by the administrator.

30.18 Stateful Firewalls – continued
In the previous example, what if no reply is received to the connection request after a reasonable time?
The record of the connection must be purged – "soft state".
How does the stateful firewall know when a TCP connection is terminated, so that the record can be deleted?
The firewall must watch for the two FIN segments ("connection monitoring").

Figure 12.15
Basically, the firewall must be following this state-transition diagram for each of the active connections!

30.19 Content Protection and Proxies
Recall that successful access control requires a careful combination of:
► restrictions on network topology
► intermediate information staging
► packet filters
Proxies refer to the second item.
We have been concentrating on access, but we may also have to protect content.
This is almost impossible at the packet-filter level, since content can be divided among many datagrams, which can arrive in any order and may be fragmented.
This is going far beyond the original idea of a wire-speed firewall!
The firewall must mimic the ultimate destination host by assembling the entire message for inspection – an application proxy.

30.19 Content Protection and Proxies - continued
"Transparent" proxy – apart from delay, the client/user is unaware that there is a proxy.
"Non-transparent" proxy – the client is configured to access the proxy when it tries to access the external server.
(Figure: PROXY)

30.20 Monitoring and Logging
If you're the network administrator, do it! Or else you don't know what's happening.

7.11 Establishing Routing Tables
For now, assume routing tables are loaded manually; in chapters 13 and 15 we'll see protocols that allow routers to learn routes from each other.
End of Chapter 7.

Background to Chapters 13 - 15
(Figure labels: BHM, ATL)

8.11 Route Change Requests from Routers – continued
This is not a general mechanism for route changes. It is restricted to routers sending to directly-connected hosts.
Figure 8.7 – R5 cannot redirect R1 to use the shorter path from S to D
But R1 could tell S
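The forward-only packet filter of 30.16, the reply problem for random client ports in 30.17, and the stateful firewall's connection record with soft state and FIN monitoring in 30.18 are illustrated by the following added Python simulation; it is not part of the original slides, and the Packet tuple, the "inside" address prefix, the timeout value and the sample addresses are constructed assumptions.

```python
from collections import namedtuple

# Constructed datagram header: the five filter fields plus TCP flags ("F" = FIN).
Packet = namedtuple("Packet", "src sport dst dport proto flags", defaults=("",))

class PacketFilter:
    """Stateless filter (30.16): forward only datagrams that match an allow row."""
    def __init__(self, allow_rows):
        self.rows = allow_rows      # each row: (src, sport, dst, dport, proto); "*" = any

    def allowed(self, p):
        for row in self.rows:       # row-by-row table search, first match forwards
            if all(r == "*" or r == v for r, v in zip(row, p[:5])):
                return True
        return False                # everything else is filtered

class StatefulFirewall(PacketFilter):
    """Adds a connection table (30.18) so replies to random client ports get through."""
    def __init__(self, allow_rows, inside_prefix, timeout=30):
        super().__init__(allow_rows)
        self.inside, self.timeout = inside_prefix, timeout
        self.conns = {}             # (IPsrc, Portsrc, IPdst, Portdst) -> [expiry, fins_seen]

    def allowed(self, p, now):
        self._purge(now)            # soft state: drop records that saw no traffic in time
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.conns else rev if rev in self.conns else None
        if key is not None:         # request, reply or later segment of a known connection
            self._track(key, p, now)
            return True
        if p.src.startswith(self.inside) and super().allowed(p):
            self.conns[fwd] = [now + self.timeout, 0]   # record the outbound request
            return True
        return False                # unsolicited inbound, or not permitted by the table

    def _track(self, key, p, now):
        entry = self.conns[key]
        entry[0] = now + self.timeout
        if "F" in p.flags:          # connection monitoring: count the two FIN segments
            entry[1] += 1
        if entry[1] >= 2:           # both sides have closed, delete the record
            del self.conns[key]

    def _purge(self, now):
        for k in [k for k, (expiry, _) in self.conns.items() if expiry <= now]:
            del self.conns[k]
```

Feed it an internal client's request to port 80 and the server's reply to the client's random port: the stateless filter drops the reply, while the stateful one forwards it until the record expires or both FINs have been seen.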

