
Lecture On safety and security of information systems: Firewall

Pages: 26      File type: pdf      Size: 685.43 KB

Document information:

The lecture "On safety and security of information systems: Firewall" provides students with knowledge about: the firewall concept; commercial firewalls; selecting a firewall system; ... Please refer to the detailed content of the lecture.

Content extracted from the document:
FIREWALL

What is a firewall?
- Two goals:
  - To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
  - To erect a barrier between an untrusted piece of software (your organization's public Web server) and the sensitive information that resides on your private network.
- Basic idea:
  - Impose a specifically configured gateway machine between the outside world and the site's inner network.
  - All traffic must first go to the gateway, where software decides whether to allow or reject it.

What is a firewall? (2)
- A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private intranet.
- The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

Firewalls DO
- Implement security policies at a single point
- Monitor security-related events (audit, log)
- Provide strong authentication
- Allow virtual private networks
- Have a specially hardened/secured operating system

Firewalls DON'T
- Protect against attacks that bypass the firewall
  - e.g. a dial-out from an internal host to an ISP
- Protect against internal threats
  - a disgruntled employee
  - an insider who cooperates with an external attacker
- Protect against the transfer of virus-infected programs or files

Types of Firewalls
- Packet-Filtering Router
- Application-Level Gateway
- Circuit-Level Gateway
- Hybrid Firewalls

Packet Filtering Routers
- Forward or discard IP packets according to a set of rules
- Filtering rules are based on fields in the IP and transport headers

What information is used for the filtering decision?
- Source IP address (IP header)
- Destination IP address (IP header)
- Protocol type (IP header)
- Source port (TCP or UDP header)
- Destination port (TCP or UDP header)
- ACK bit (TCP header)

Web Access Through a Packet Filter Firewall
(figure only)

Application Level Gateways (Proxy Server)
(figure only)

A Telnet Proxy
(figure only)

A sample telnet session
(figure only)

Application Level Gateways (Proxy Server)
- Advantages:
  - complete control over each service (FTP/HTTP, ...)
  - complete control over which services are permitted
  - strong user authentication (smart cards etc.)
  - easy to log and audit at the application level
  - filtering rules are easy to configure and test
- Disadvantages:
  - a separate proxy must be installed for each application-level service
  - not transparent to users

Circuit Level Gateways
(figure only)

Circuit Level Gateways (2)
- Often used for outgoing connections where the system administrator trusts the internal users
- The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections

Hybrid Firewalls
- In practice, many of today's commercial firewalls use a combination of these techniques.
- Examples:
  - A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.
  - Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.

Firewall Configurations
- Bastion host
  - a system identified by the firewall administrator as a critical strong point in the network's security
  - typically serves as a platform for an application-level or circuit-level gateway
  - extra-secure OS, tougher to break into
- Dual-homed gateway
  - two network interface cards: one to the outer network and the other to the inner one
  - a proxy selectively forwards packets
- Screened host firewall system
  - uses a network router to forward all traffic from the outer and inner networks to the gateway machine
- Screened-subnet firewall system

Dual-homed gateway
(figure only)

EMTM 553, 5/4/01

Screened-host gateway
(figure only)

Screened Host Firewall
(figure only)
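The packet-filtering slides above list the header fields a filtering router looks at (addresses, protocol, ports, ACK bit) and illustrate them with web access through a packet filter. The following is an added example, not code from the lecture: a small stateless packet filter in Python that evaluates a first-match rule table over those fields. The addresses (10.0.0.0/8 as the intranet, 10.0.0.80 as the public web server, 203.0.113.5 and 198.51.100.9 as outside hosts), the rule table and the sample packets are all constructed for illustration. The ACK-bit rules are the point: replies are allowed only when ACK is set, so an outside host cannot open a new connection to an internal machine through the "reply" rules, but the last case in `main` shows the weakness of doing this statelessly.

```python
"""Stateless packet filter over the header fields named on the slides.

Added example, not from the lecture; all addresses, rules and packets below
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = range(0, 65536)
HIGH = range(1024, 65536)      # unprivileged client ports

ANYWHERE = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"        # assumed private intranet
WEB_SERVER = "10.0.0.80/32"    # assumed public web server inside it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False     # TCP ACK flag (meaningless for UDP)


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = ANYWHERE
    dst: str = ANYWHERE
    proto: Optional[str] = None    # None = any protocol
    sport: range = ANY
    dport: range = ANY
    ack: Optional[bool] = None     # None = do not care about the flag

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and p.sport in self.sport
                and p.dport in self.dport
                and (self.ack is None or self.ack == p.ack))


# Rule table for the web-access scenario. First match wins; the last rule is the default deny.
RULES = [
    # 1. anyone may open a connection to our public web server
    Rule("allow", dst=WEB_SERVER, proto="tcp", sport=HIGH, dport=range(80, 81)),
    # 2. the web server may answer, but only with ACK set (a reply, never a new connection)
    Rule("allow", src=WEB_SERVER, proto="tcp", sport=range(80, 81), dport=HIGH, ack=True),
    # 3. internal users may browse the web
    Rule("allow", src=INTERNAL, proto="tcp", sport=HIGH, dport=range(80, 81)),
    # 4. ... and receive the replies, again only with ACK set
    Rule("allow", dst=INTERNAL, proto="tcp", sport=range(80, 81), dport=HIGH, ack=True),
    # 5. everything else is discarded
    Rule("deny"),
]


def filter_packet(p: Packet, rules=RULES) -> tuple:
    """Return (action, 1-based index of the deciding rule); first match wins."""
    for i, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return rule.action, i
    return "deny", 0      # only reached if the table has no default rule


if __name__ == "__main__":
    cases = [
        ("outside opens connection to web server",
         Packet("203.0.113.5", "10.0.0.80", "tcp", 40000, 80)),
        ("web server replies (ACK set)",
         Packet("10.0.0.80", "203.0.113.5", "tcp", 80, 40000, ack=True)),
        ("web server tries to start an outbound connection (no ACK)",
         Packet("10.0.0.80", "203.0.113.5", "tcp", 80, 40000)),
        ("internal user browses outside site",
         Packet("10.0.0.7", "198.51.100.9", "tcp", 51234, 80)),
        ("outside site replies to the user (ACK set)",
         Packet("198.51.100.9", "10.0.0.7", "tcp", 80, 51234, ack=True)),
        ("outside SYN from port 80 to an internal host",
         Packet("203.0.113.5", "10.0.0.7", "tcp", 80, 4444)),
        ("outside forged ACK from port 80 to an internal host (ACK scan)",
         Packet("203.0.113.5", "10.0.0.7", "tcp", 80, 4444, ack=True)),
    ]
    for label, pkt in cases:
        action, idx = filter_packet(pkt)
        print(f"{action:5s} (rule {idx})  {label}")
```

The last case is the caveat a practitioner should take from the slide: a stateless filter cannot tell a genuine reply from a packet an outsider simply marked with ACK, so rule 4 lets a forged ACK through to any high port on an internal host. The target's kernel answers such a packet with RST because no connection exists, but the attacker still learns which hosts are up and which ports the filter passes. Tracking connection state (allowing a reply only after the matching outbound SYN was seen) closes this gap, which is what later stateful-inspection firewalls do.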
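The application-level gateway slides above claim complete control over each service, strong user authentication and easy application-level logging. The following is an added example, not code from the lecture, showing the decision logic of an HTTP proxy in Python: it parses the request the client sent to the gateway, applies a per-service policy (permitted methods and destination hosts), and writes an audit record naming the user, the client and the request. Socket handling is omitted so the code runs offline; the policy values, user names and the five sample requests are constructed for illustration, and the `user` argument stands in for the identity established by the proxy's own authentication step (smart card, password, etc.), which is assumed to have happened before `decide()` is called.

```python
"""Decision logic of an application-level gateway (HTTP proxy).

Added example, not from the lecture; policy, users and requests below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class HttpPolicy:
    """Per-service policy the proxy enforces (assumed example values)."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD"})
    allowed_hosts: frozenset = frozenset({"www.example.com", "docs.example.com"})
    authenticated_users: frozenset = frozenset({"alice", "bob"})
    max_request_bytes: int = 8192


POLICY = HttpPolicy()


@dataclass
class Decision:
    allow: bool
    reason: str
    method: str = ""
    host: str = ""
    target: str = ""
    log: str = ""


def parse_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request.

    Raises ValueError or UnicodeDecodeError on anything that is not
    well-formed ASCII HTTP; the caller turns that into a deny.
    """
    head = raw.partition(b"\r\n\r\n")[0].decode("ascii")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")   # exactly three tokens, else ValueError
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def decide(raw: bytes, user: Optional[str], client_ip: str,
           policy: HttpPolicy = POLICY) -> Decision:
    """Allow or deny one proxied HTTP request and produce its audit record."""
    if user not in policy.authenticated_users:
        d = Decision(False, "user not authenticated")
    elif len(raw) > policy.max_request_bytes:
        d = Decision(False, "request too large")
    else:
        try:
            method, target, version, headers = parse_request(raw)
        except (ValueError, UnicodeDecodeError):
            d = Decision(False, "malformed request")
        else:
            host = headers.get("host", "")
            d = Decision(True, "ok", method, host, target)
            if version not in ("HTTP/1.0", "HTTP/1.1"):
                d.allow, d.reason = False, f"unsupported version {version}"
            elif method not in policy.allowed_methods:
                d.allow, d.reason = False, f"method {method} not permitted"
            elif host not in policy.allowed_hosts:
                d.allow, d.reason = False, f"host {host!r} not permitted"
    # application-level audit record: who, from where, what, and why
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    d.log = (f"{stamp} http-proxy user={user} client={client_ip} "
             f"{d.method or '-'} {d.host or '-'} {d.target or '-'} "
             f"{'ALLOW' if d.allow else 'DENY'} ({d.reason})")
    return d


# Constructed sample requests. To a packet filter all five are just "TCP to port 80".
REQ_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
REQ_POST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello"
REQ_BADHOST = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
REQ_CONNECT = b"CONNECT 10.0.0.7:22 HTTP/1.1\r\nHost: 10.0.0.7:22\r\n\r\n"
REQ_TLS = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"   # TLS record sent to a plain-HTTP proxy

if __name__ == "__main__":
    for user, raw in [("alice", REQ_OK), ("alice", REQ_POST), ("bob", REQ_BADHOST),
                      ("bob", REQ_CONNECT), ("alice", REQ_TLS), ("mallory", REQ_OK)]:
        print(decide(raw, user, "10.0.0.7").log)
```

The CONNECT case is worth noting: a proxy that honours CONNECT to arbitrary hosts turns itself into a circuit-level relay and gives up the application-level control the slide lists as the main advantage, so the method allowlist refuses it. Everything the proxy denies here (method, destination host, malformed protocol, unauthenticated user) is invisible to the packet filter of the previous example, and every decision lands in the log with the user's identity attached, which is what "easy to log and audit at the application level" buys you.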