Applications
Firewall Basics
Screened Subnet Architecture
DMZ:
inbound -> permitted
outbound -> blocked
Screened:
outbound -> permitted
inbound -> blocked
Firewall Design
Firewall Strategies
- A packet filter
- Application proxy server
- Both
Firewall Architectures
- Packet-filtering router/host
- Single-homed gateway
- Dual-homed gateway
- A screened host
- A screened subnet
Firewall Architecture
• Hardware
  - Router with screening capabilities
  - Dual-homed host with filtering and proxy server capabilities
  - Firewall appliances
• Advantages:
  - Free
  - You only need one, at the network entrance point
  - Easy to use: no special training is required
• Disadvantages:
  - Managing a large number of rules becomes complex
  - Works on a small set of data (some TCP/IP header fields)
  - If it is misconfigured, the damage to your network is severe
Proxy Server Evaluation
• Advantages
  - Hides network information
  - Application/content-level filtering
  - Failover and load-balancing features
  - Single point of control (easy to control access)
  - Powerful logging features
• Disadvantages
  - Increases the communication latency/delay
  - One proxy per application, no generic one
  - Clients might need to be modified/reconfigured to use the proxy server
Firewall Rules
Firewall Rule Basics
- Interface name (a firewall may have more than one incoming/outgoing link)
- Interface or traffic direction
- Source and destination IP address: this includes broadcast and multicast addresses
- IP options: check these for source routing
- ICMP
- Transport protocols: UDP, TCP, IPX, ...
- Well-known TCP/UDP services: web, FTP, etc.
- More specific rules come first, to avoid rule conflict and shadowing:
  1. Permit ANY TCP incoming (more general)
  2. Deny DestPort=25 TCP incoming (will be shadowed by rule 1)
Recommendations for Firewall Selection
Firewall Rule Recommendations
In a stateless filter, you can use the TCP ACK bit to block connection-initiating TCP traffic from entering the network while allowing reply TCP traffic through (a SYN packet that opens a connection has the ACK bit clear). A stateful filter is more robust here, because the ACK-bit test is only a heuristic: it assumes the initiating SYN packet always has the ACK bit clear.
Rules #1 and #2 automatically create an entry for this stream in the firewall's state table, so the replies can go back without stating this as a separate rule. The entry uses the <IPSrc, IPDest, PortSrc, PortDest> tuple to match reply packets belonging to the same stream.
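To make the difference concrete, here is an added example (not from the slides) that models both approaches: a stateless filter that only inspects the ACK bit, and a stateful filter that records the <IPSrc, IPDest, PortSrc, PortDest> tuple of each outbound stream and admits inbound packets only when they match a recorded stream in reverse. The addresses and packet sequence are constructed for the demonstration.

```python
# Added example (not from the slides): a toy model of a stateless ACK-bit filter
# next to a stateful filter whose connection table is keyed on the
# <IPSrc, IPDest, PortSrc, PortDest> tuple. All addresses are constructed.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: the protected (inside) network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_inbound(pkt):
    """True when the packet arrives from outside the protected network."""
    return not pkt.src.startswith(INTERNAL_PREFIX)


def stateless_ack_filter(pkt):
    """Stateless rule: permit all outbound TCP; permit inbound TCP only if ACK is set.
    A pure SYN from outside (connection initiation) is dropped, but any inbound
    packet that carries ACK passes, whether or not a connection exists."""
    if not is_inbound(pkt):
        return True
    return pkt.ack


class StatefulFilter:
    """Outbound traffic is permitted and creates a table entry for the stream;
    inbound traffic is permitted only if it is a reply to a recorded stream."""

    def __init__(self):
        self.table = set()

    def process(self, pkt):
        if not is_inbound(pkt):
            self.table.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        # A reply carries the tuple of the original stream with the ends swapped.
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.table


def run_scenario():
    """Feed the same packet sequence to both filters.
    Returns {name: (stateless verdict, stateful verdict)}."""
    stateful = StatefulFilter()
    packets = {
        "outbound_syn": Packet("10.0.0.5", "203.0.113.7", 40000, 80, syn=True),
        "reply_syn_ack": Packet("203.0.113.7", "10.0.0.5", 80, 40000, syn=True, ack=True),
        "unsolicited_syn": Packet("203.0.113.9", "10.0.0.5", 1234, 22, syn=True),
        "unsolicited_ack": Packet("203.0.113.9", "10.0.0.5", 1234, 22, ack=True),
    }
    return {name: (stateless_ack_filter(p), stateful.process(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:16s} stateless={stateless!s:5s} stateful={stateful}")
```

The last scenario is the one that matters: an inbound packet with ACK set that belongs to no recorded stream is accepted by the ACK-bit rule but dropped by the state table, which is why the text prefers the stateful approach.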
Network Address Translators (NAT): Server Proxy Example
• Basic operation
  - Hides the information on your network
  - Increases the LAN address space
  - Uses valid (externally routable) IP addresses (EIP) for outside communication and internal IP addresses (IIP) for inside communication
  - A mapping/assignment has to be made between EIP and IIP such that the total number of simultaneous IIP sessions does not exceed the number of EIPs (static or dynamic assignment)
  - NAT substitutes the IIP with an EIP before sending
  - NAT is not recommended if a large number of active/simultaneous clients is expected
  - Solution: NAPT (network address and port translation): both the IP address and the port in the packet are replaced, so a single IP address can serve about 2**16 clients
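The two bullets on the EIP/IIP mapping and on NAPT can be seen side by side in the following added example (not from the slides): a basic dynamic NAT that borrows one whole external address per active internal host, so it fails once the EIP pool is used up, and a NAPT that keeps one EIP and distinguishes sessions by a translated port taken from the 16-bit port space. The addresses and port range are constructed for the demonstration.

```python
# Added example (not from the slides): toy models of basic NAT and NAPT.
# Addresses are constructed; the NAPT port range is an assumption of this demo.


class PoolExhausted(Exception):
    """Raised when no EIP (basic NAT) or no external port (NAPT) is left."""


class BasicNAT:
    """Dynamic NAT: each active internal address borrows one whole EIP, so the
    number of simultaneous sessions is capped by the size of the EIP pool."""

    def __init__(self, eip_pool):
        self.free = list(eip_pool)
        self.out_map = {}   # IIP -> EIP
        self.in_map = {}    # EIP -> IIP

    def outbound(self, iip):
        if iip not in self.out_map:
            if not self.free:
                raise PoolExhausted("no free EIP")
            eip = self.free.pop()
            self.out_map[iip], self.in_map[eip] = eip, iip
        return self.out_map[iip]

    def inbound(self, eip):
        return self.in_map.get(eip)   # None: no session, the packet is dropped


class NAPT:
    """NAPT: a single EIP; each (IIP, port) pair gets a distinct external port."""

    def __init__(self, eip, first_port=1024, last_port=65535):
        self.eip = eip
        self.free = list(range(first_port, last_port + 1))
        self.out_map = {}   # (IIP, IPort) -> EPort
        self.in_map = {}    # EPort -> (IIP, IPort)

    def outbound(self, iip, iport, dst_ip, dst_port):
        key = (iip, iport)
        if key not in self.out_map:
            if not self.free:
                raise PoolExhausted("port space exhausted")
            eport = self.free.pop()
            self.out_map[key], self.in_map[eport] = eport, key
        # Only the source address and port are rewritten; the destination is kept.
        return (self.eip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, eport):
        if eport not in self.in_map:
            return None   # no mapping: unsolicited inbound packet is dropped
        iip, iport = self.in_map[eport]
        return (src_ip, src_port, iip, iport)

    def close(self, iip, iport):
        """Release the mapping when the session ends so the port can be reused."""
        eport = self.out_map.pop((iip, iport))
        del self.in_map[eport]
        self.free.append(eport)


def demo():
    """Exercise both translators; returns the observations as a dict."""
    nat = BasicNAT(["198.51.100.1", "198.51.100.2"])   # constructed: two EIPs
    nat.outbound("10.0.0.10")
    nat.outbound("10.0.0.11")
    try:
        nat.outbound("10.0.0.12")
        third_session_ok = True
    except PoolExhausted:
        third_session_ok = False

    napt = NAPT("198.51.100.1")
    a = napt.outbound("10.0.0.10", 40000, "203.0.113.7", 80)
    b = napt.outbound("10.0.0.11", 40000, "203.0.113.7", 80)   # same IPort, other host
    reply = napt.inbound("203.0.113.7", 80, a[1])
    stray = napt.inbound("203.0.113.9", 1234, 5000)
    return {
        "nat_third_session": third_session_ok,
        "napt_distinct_eports": a[1] != b[1],
        "napt_reply": reply,
        "napt_unsolicited": stray,
        "napt_capacity": len(napt.free) + len(napt.out_map),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With two EIPs the basic NAT refuses the third simultaneous host, while the NAPT serves both hosts behind one address and still routes the reply to the right internal (IIP, port) pair; its capacity is bounded by the port range rather than by the number of addresses.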
Types and Examples of Inter-Firewall Conflicts
Topology (from the figure): FW 0 (R0) sits at the Internet link; FW 1 (R1) protects domains D1.1 and D1.2 (subnets 140.192.22.0 and 140.192.37.0); FW 2 (R2) protects domains D2.1 and D2.2 (subnets 161.120.24.0 and 161.120.33.0).
Rule format: number: protocol, source IP : source port, destination IP : destination port, action.

FW 2 rules:
1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
2: tcp, 161.120.*.* : any, 140.192.22.5 : 21, deny
3: tcp, 161.120.*.* : any, 140.192.*.* : 21, accept
4: tcp, 140.192.*.* : any, 161.120.33.* : 23, accept
5: tcp, 161.120.33.* : any, 140.192.*.* : 23, accept
6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
7: tcp, 161.120.24.* : any, 140.192.22.5 : 25, deny
8: tcp, 161.120.*.* : any, 140.192.37.* : 25, accept
9: tcp, *.*.*.* : any, *.*.*.* : any, deny

FW 1 rules:
1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
2: tcp, 140.192.*.* : any, 161.120.*.* : 80, accept
3: tcp, 161.120.*.* : any, 140.192.22.5 : 21, accept
4: tcp, 161.120.33.* : any, 140.192.37.* : 23, deny
5: tcp, 161.120.*.* : any, 140.192.*.* : 23, accept
6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
7: tcp, 161.120.24.* : any, 140.192.*.* : 25, accept
8: tcp, *.*.*.* : any, *.*.*.* : any, deny