Firewalls
Lehrstuhl für Informatik 4
Kommunikation und verteilte Systeme

Protection of Networks: Firewall
TCP/IP enables communication using the Internet.
But: everybody has access to the Internet:
• Snooping of confidential data
• Break-in to company computers
• Spreading of computer viruses
• ...
Security concepts for protecting both the own LAN and the own communication:
• Secure protocols (IPsec, SSL, ...)
• Additional cooperation concepts (Virtual Private Network, VPN)
• Additional components (Firewalls)

• A Firewall is a barrier between a private, protected network (Intranet) and all other networks (e.g. the Internet)
• Goal: unauthorized and unwanted communication between Intranet and Internet should be prevented
• Needed: Processing of information from layer 3 upwards
[Figure: the Firewall sits between the Internet and the Intranet]
Chapter 4.1: Firewalls, Page 1
Tasks of a Firewall
• User control
  Only authorized users have access to the other side of the firewall
• Access control
  Access over the firewall is restricted to certain services. A service is characterized e.g. by IP address and port number.
• Behavior control
  For an application, the allowed usage scenarios are known, e.g. filters for e-mail attachments (virus removal)
• Direction control
  Different rules for traffic into the Intranet and outgoing traffic to the Internet can be defined
• Logging
  Record access attempts
• Hiding of the internal network
  Topology, addresses, ... should be hidden from the outer world (NAPT)

Tasks of a Firewall: Example
Based on the IP address of a sender, the firewall can change the receiver address and deliver the packets. Thus, the concrete topology and IP addresses are hidden from the sender.
[Figure: the Internet host 131.107.2.200 sends to the firewall 200.200.20.1; the firewall delivers into the Intranet, which contains the hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3]
NAPT Mapping
  Source          Destination                     Port
  131.107.2.200   200.200.20.1 -> 192.168.10.3    80 -> 80
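The NAPT mapping of the example slide, modelled as an added example (this is not code from the lecture; the Packet and NaptFirewall names, the dynamic port range starting at 40000 and the external address 203.0.113.5 are constructed for the demonstration). It shows the slide's translation 200.200.20.1:80 -> 192.168.10.3:80 in both directions and, going beyond the slide, the dynamic mapping a NAPT device creates for a connection opened from the Intranet, so that only the answer to such a connection can come back in:

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptFirewall:
    """Hides the Intranet behind one public address (NAPT). Example model only."""

    def __init__(self, public_ip, static_forwardings, ephemeral_start=40000):
        self.public_ip = public_ip
        self.table = {}    # public_port -> (internal_ip, internal_port)
        self.reverse = {}  # (internal_ip, internal_port) -> public_port
        for public_port, internal in static_forwardings.items():
            self._bind(public_port, internal)
        self.next_port = ephemeral_start  # next free port for dynamic entries (assumption)

    def _bind(self, public_port, internal):
        self.table[public_port] = internal
        self.reverse[internal] = public_port

    def inbound(self, pkt):
        """Internet -> Intranet: rewrite the destination, or drop (None).

        Only the firewall's own address is reachable from outside, and only
        ports that have a table entry. A packet addressed directly to an
        internal address, or to an unmapped port, is not deliverable.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        internal = self.table.get(pkt.dst_port)
        if internal is None:
            return None
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])

    def outbound(self, pkt):
        """Intranet -> Internet: replace the internal source by the public one.

        A reply from the web server reuses its static entry (80 -> 80); any
        other internal host gets a fresh public port so that the answer can
        be routed back to it.
        """
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            self._bind(self.next_port, key)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.reverse[key])


def demo():
    """Walk through the slide's scenario with constructed packets."""
    fw = NaptFirewall("200.200.20.1", {80: ("192.168.10.3", 80)})

    # The Internet host from the slide asks the public address for the web server.
    delivered = fw.inbound(Packet("131.107.2.200", 51234, "200.200.20.1", 80))

    # The web server's reply leaves with the public address as source, so the
    # sender never sees 192.168.10.3.
    reply = fw.outbound(Packet("192.168.10.3", 80, "131.107.2.200", 51234))

    # An internal client browsing an external host (constructed address) gets a
    # dynamic mapping, and the answer to it is delivered back.
    out = fw.outbound(Packet("192.168.10.1", 33000, "203.0.113.5", 443))
    back = fw.inbound(Packet("203.0.113.5", 443, "200.200.20.1", out.src_port))

    # A packet addressed straight to an internal address from outside is dropped.
    probe = fw.inbound(Packet("131.107.2.200", 1, "192.168.10.2", 22))
    return delivered, reply, out, back, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The point to take from the run: nothing addressed to 192.168.10.x is accepted from the Internet at all, and an unmapped public port is equally undeliverable, which is exactly the "hiding of the internal network" task from the previous slide.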
Types of Firewalls
In principle, there are two general types of firewalls:
1. Packet Filter
• Analysis of network traffic and filtering according to certain rules. Filtering can use one or a combination of the following information: source address, destination address, used protocol, connection
• If the firewall is realized in combination with a router, it is also called Screening Router
• Cheap and simple (all types of connections can be controlled), but filtering rules are hard to define (correctly)
2. Proxy Server (Gateway)
• "Controlled access" to a service: the firewall intercepts a request and decides whether to forward it to the receiver
• The proxy is the only computer known to the outer world
• Access control can be based on user identity, used protocol, and content
• More possibilities (logging of detailed information, authentication, ...), but for each application protocol (HTTP, SMTP, FTP, ...) a separate proxy is needed

Packet Filter
Two possible principles:
• Everything that is not explicitly allowed is denied
• Everything that is not explicitly denied is allowed
• E.g. for your SMTP server with address 137.226.12.67 on port 25 you could define
  From (IP *), (port *)                To (IP 137.226.12.67), (port 25)    DENY
  From (IP 137.226.12.67), (port 25)   To (IP *), (port *)                 ALLOW
  (I.e.: your mail server can send mails to everybody, but nobody is allowed to send mails to your mail server)
Characteristics:
• Fast processing of packets, but only limited control on address level
• Static packet filter only has a fixed set of such rules
• Dynamic packet filter also considers a state:
  Deny all packets from the outer world
  Only after a connection establishment from inside (set SYN flag), response packets coming from outside are accepted
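The two rule principles and the static/dynamic distinction above, as an added example (not code from the lecture). The Rule and Packet names, the first-match evaluation order, the 192.168.10.0/24 inside network and the external address 203.0.113.9 are this example's own assumptions; the two SMTP rules are the slide's. The static filter is run once with each default principle, which also shows why the slide warns that rules are hard to define correctly:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag (connection establishment)
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One filter line; '*' in a field matches anything, as on the slide."""
    src_ip: str
    src_port: object
    dst_ip: str
    dst_port: object
    action: str  # "ALLOW" or "DENY"

    def matches(self, p):
        pairs = ((self.src_ip, p.src_ip), (self.src_port, p.src_port),
                 (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port))
        return all(pattern == "*" or pattern == value for pattern, value in pairs)


class StaticFilter:
    """Fixed rule set; first matching rule wins, otherwise the default principle."""

    def __init__(self, rules, default):
        self.rules = list(rules)
        self.default = default  # "DENY": not explicitly allowed -> denied

    def decide(self, p):
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


class DynamicFilter:
    """Deny all packets from the outer world unless an inside host opened the connection."""

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.state = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def decide(self, p):
        if self.is_inside(p.src_ip) and not self.is_inside(p.dst_ip):
            if p.syn and not p.ack:  # connection establishment from inside
                self.state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "ALLOW"
        # Anything else counts as coming from outside: accepted only as the
        # response on a connection that an inside host has established.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return "ALLOW" if key in self.state else "DENY"


MAIL_SERVER = "137.226.12.67"
SLIDE_RULES = [
    Rule("*", "*", MAIL_SERVER, 25, "DENY"),
    Rule(MAIL_SERVER, 25, "*", "*", "ALLOW"),
]


def static_demo():
    """The slide's two SMTP rules under each of the two default principles."""
    # Constructed packets; 203.0.113.9 is a documentation address.
    inbound_mail = Packet("203.0.113.9", 40001, MAIL_SERVER, 25, syn=True)
    outbound_mail = Packet(MAIL_SERVER, 25, "203.0.113.9", 25, syn=True)
    remote_reply = Packet("203.0.113.9", 25, MAIL_SERVER, 50000, syn=True, ack=True)
    results = {}
    for default in ("DENY", "ALLOW"):
        fw = StaticFilter(SLIDE_RULES, default)
        results[default] = tuple(fw.decide(p) for p in (inbound_mail, outbound_mail, remote_reply))
    return results


def dynamic_demo():
    """Stateful filtering: responses are accepted only after an inside SYN."""
    fw = DynamicFilter("192.168.10.0/24")
    unsolicited = fw.decide(Packet("203.0.113.9", 4444, "192.168.10.3", 80, syn=True))
    fw.decide(Packet("192.168.10.3", 50000, "203.0.113.9", 443, syn=True))  # inside opens
    syn_ack = fw.decide(Packet("203.0.113.9", 443, "192.168.10.3", 50000, syn=True, ack=True))
    wrong_host = fw.decide(Packet("203.0.113.9", 443, "192.168.10.2", 50000, syn=True, ack=True))
    return unsolicited, syn_ack, wrong_host


if __name__ == "__main__":
    print(static_demo())
    print(dynamic_demo())
```

Under "not explicitly allowed is denied", the remote SMTP server's answer to a connection our mail server opened (remote port 25 to an ephemeral port on 137.226.12.67) matches neither slide rule and is dropped, so the server cannot actually send mail; under "not explicitly denied is allowed" it passes, but so does every other unlisted packet. The dynamic filter resolves this without extra rules: the response is accepted because it belongs to a connection established from inside, while the same response aimed at another inside host is still denied.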
Proxy Server
Again two possible types:
Circuit-Level Proxy
• Works on layer 3/4 only (e.g. port numbers)
• Proxy which can be used for each type of application
• The firewall intercepts all connections, thus the network structure is hidden
Application-Level Proxy
• Also checks information on layer 7
• A separate proxy is needed for each application protocol (SMTP, FTP, HTTP, ...)
• A user has to authenticate before usage
• Most possibilities, but most expensive
[Figure: two sequence diagrams between Source, Application, Proxy and Destination. Circuit-level proxy: the connection establishment is relayed by the proxy. Application-level proxy: user authentication, connection establishment, data transfer and connection termination all pass through the proxy]

Usual Firewall Implementation: DMZ
[Figure: Internet, Screening Router, DMZ (Mail server, Web server), Proxy Server, Intranet]
• All resources which have to be contacted from outside (without restrictions) are placed in a separate network segment (DMZ, Demilitarized Zone).
• This segment is protected against the Internet only by a simple firewall (usually a screening router for packet filtering of uncritical systems, e.g. web server)
• The private network is protected by a more powerful firewall (dynamic packet filter and/or application-level proxy)
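The proxy server slide above, as an added example (not code from the lecture) contrasting what the two proxy types can decide on: a circuit-level proxy only sees layer 3/4 information, here the destination port, while an application-level SMTP proxy authenticates the user and then inspects the message itself, which also realizes the "behavior control" task (filtering e-mail attachments) from the tasks slide. The class and function names, the blocked-suffix and relayed-port policies, the demo credentials and the sample message are all constructed for this example:

```python
import email
import hmac
from email import policy
from email.message import EmailMessage

# Constructed policy for the example: attachment name suffixes the proxy removes.
BLOCKED_SUFFIXES = (".exe", ".scr", ".bat")
# Constructed port policy: the only information a circuit-level proxy can judge by.
RELAYED_PORTS = {25, 80, 443}


def circuit_level_decision(dst_port):
    """Circuit-level proxy: layer 3/4 information only, here the destination port."""
    return "ALLOW" if dst_port in RELAYED_PORTS else "DENY"


class ApplicationLevelMailProxy:
    """Application-level (SMTP) proxy: user authentication, then layer-7 inspection."""

    def __init__(self, users):
        self.users = dict(users)  # user -> password; constructed demo credentials
        self.last_forwarded = None  # the sanitized message that would reach the mail server

    def authenticate(self, user, password):
        return hmac.compare_digest(self.users.get(user, ""), password)

    def handle(self, user, password, raw_message):
        """Return (status, kept attachment names, removed attachment names)."""
        if not self.authenticate(user, password):
            return "AUTH_FAILED", [], []
        msg = email.message_from_bytes(raw_message, policy=policy.default)
        clean = EmailMessage()
        for name in ("From", "To", "Subject"):
            clean[name] = str(msg[name])
        clean.set_content(msg.get_body(preferencelist=("plain",)).get_content())
        kept, removed = [], []
        for part in msg.iter_attachments():
            filename = part.get_filename() or ""
            if filename.lower().endswith(BLOCKED_SUFFIXES):
                removed.append(filename)  # behavior control: drop the attachment
                continue
            clean.add_attachment(part.get_payload(decode=True),
                                 maintype=part.get_content_maintype(),
                                 subtype=part.get_content_subtype(),
                                 filename=filename)
            kept.append(filename)
        self.last_forwarded = clean
        return "DELIVERED", kept, removed


def build_sample_mail():
    """Constructed message with one harmless and one blocked attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.org"
    m["Subject"] = "Quarterly report"
    m.set_content("Report attached.")
    m.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ(constructed)", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


def demo():
    proxy = ApplicationLevelMailProxy({"alice": "constructed-secret"})
    raw = build_sample_mail()
    return {
        "wrong_password": proxy.handle("alice", "guess", raw),
        "authenticated": proxy.handle("alice", "constructed-secret", raw),
    }


if __name__ == "__main__":
    print(circuit_level_decision(25), circuit_level_decision(6667))
    print(demo())
```

The circuit-level decision would let the same message through on port 25 regardless of its content; only the application-level proxy, at the price of an SMTP-specific implementation, can remove the executable attachment and refuse unauthenticated users, which is the trade-off the slide summarizes as "most possibilities, but most expensive".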
Additional: Honeypot
[Figure: Internet, Screening Router, DMZ (Mail server, Web server, Honeypot), Proxy Server, Intranet]
• Also possible: provide a weak faked server in your DMZ to attract attackers
• The honeypot does heavy logging and provides alarm systems instead of the real application services
• Goal: get knowledge about the attackers