Firewall and Its Types
1. FIREWALLS
E-Commerce
BBA 6th Semester,
Prime College
Hem Sagar Pokhrel
Faculty Member, Computer Science & IT department
Prime College, Kathmandu
geeksagar@prime.edu.np
9843410129
2. Firewall Design Principles
The firewall is inserted between the premises network and the Internet.
Aims:
Establish a controlled link
Protect the premises network from Internet-based attacks
3. Firewall Characteristics
• Design goals:
• All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
• Only authorized traffic (defined by the local security policy) will be allowed to pass.
• The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
4. Firewall Characteristics
Four general techniques:
1. Service control
Determines the types of Internet services that can be accessed, inbound or outbound
2. Direction control
Determines the direction in which particular service requests are allowed to flow
5. Firewall Characteristics
3. User control
Controls access to a service according to which user is attempting to access it
4. Behavior control
Controls how particular services are used (e.g. filter e-mail)
6. Types of Firewalls
Three common types of Firewalls:
1. Packet-filtering routers
2. Application-level gateways
3. Circuit-level gateways
(Bastion host)
7. Types of Firewalls
Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet
Filters packets going in both directions
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
Two default policies (discard or forward)
9. Types of Firewalls
Advantages:
Simplicity
Transparency to users
High speed
Disadvantages:
Difficulty of setting up packet filter rules
Lack of Authentication
10. Types of Firewalls
Possible attacks and appropriate countermeasures
IP address spoofing
Source routing attacks
Tiny fragment attacks
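Added example (not from the slides): a Python model of the packet-filtering router of slides 7 and 10. It matches header fields against an ordered rule list with a default policy, and before the rules applies header checks for the three attacks listed above (inbound packets carrying an internal source address, source-routed packets, and tiny fragments as described in RFC 1858). The premises network, the rule set and the Packet and Rule classes are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("192.168.1.0/24")  # constructed: the premises network behind the router

@dataclass
class Packet:            # the header fields a stateless filter looks at
    direction: str       # "in" (Internet -> premises) or "out"
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    frag_offset: int = 0          # IP fragment offset in 8-byte units; 0 = first/only fragment
    source_routed: bool = False   # IP source-route option present

@dataclass
class Rule:
    action: str          # "forward" or "discard"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0       # 0 matches any port

    def matches(self, p):
        return (self.direction in ("*", p.direction) and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src) and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport))

def header_checks(p):
    """Countermeasures for the three attacks on the slide, applied before the rule list."""
    if p.direction == "in" and ip_address(p.src) in INTERNAL:
        return "discard: internal source address arriving from the Internet (spoofing)"
    if p.source_routed:
        return "discard: source-routed packet"
    if p.proto == "tcp" and p.frag_offset == 1:  # RFC 1858: would overwrite the TCP port fields
        return "discard: tiny fragment"
    return None

def filter_packet(rules, p, default="discard"):
    """Evaluate rules in order; the first match wins, otherwise the default policy applies."""
    verdict = header_checks(p)
    if verdict:
        return verdict
    return next((r.action for r in rules if r.matches(p)), default)

RULES = [  # constructed policy: inbound mail to one host, outbound web only
    Rule("forward", direction="in", proto="tcp", dst="192.168.1.10/32", dport=25),
    Rule("forward", direction="out", proto="tcp", dport=80),
    Rule("forward", direction="out", proto="tcp", dport=443),
]
```

Note that the filter is stateless: it has no notion of which inbound packets belong to an outbound session, which is part of the "lack of authentication" weakness on slide 9.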
11. Types of Firewalls
Application-level Gateway
Also known as an application proxy or application-level proxy, an application gateway is an application program that runs on a firewall system between two networks.
When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy.
The client then negotiates with the proxy server in order to communicate with the destination service.
12. Application-level Gateway
In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall.
This creates two connections: one between the client and the proxy server and one between the proxy server and the destination.
Once connected, the proxy makes all packet-forwarding decisions.
Since all communication is conducted through the proxy server, computers behind the firewall are protected.
14. Application-level Gateway
Advantages:
Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic
Disadvantages:
Additional processing overhead on each connection (gateway as splice point)
15. Types of Firewalls
Circuit-level Gateway
Stand-alone system or specialized function performed by an Application-level Gateway
Sets up two TCP connections
The gateway typically relays TCP segments from one connection to the other without examining the contents
16. Circuit-level Gateway
The security function consists of determining which connections will be allowed
Typical use is a situation in which the system administrator trusts the internal users
Circuit-level gateways work at the session layer of the OSI model, or as a "shim-layer" between the application layer and the transport layer of the TCP/IP stack.
They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway.
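Added example (not from the slides): a minimal circuit-level gateway in Python illustrating the two TCP connections described on slides 12 and 15-16. The gateway reads one constructed "host:port" session request, decides whether that session is allowed, then relays bytes in both directions without examining them; the destination sees the gateway's own address as the source. The names relay, handle_session, start_server and connect_through, and the request/verdict line format, are chosen for this example.

```python
import socket
import threading

def relay(src, dst):
    # Copy bytes src -> dst until EOF; a circuit-level gateway never examines this payload.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)  # pass the peer's half-close through to the other side
    except OSError:
        pass

def handle_session(client, allowed):
    # The client sends one request line 'host:port\n' and waits for the verdict before sending data.
    host, _, port = client.recv(128).decode(errors="replace").strip().rpartition(":")
    if not port.isdigit() or (host, int(port)) not in allowed:
        client.sendall(b"DENIED\n")  # the security function: this session is not permitted
        client.close()
        return
    dest = socket.create_connection((host, int(port)))  # second connection; its source is the gateway
    client.sendall(b"OK\n")
    back = threading.Thread(target=relay, args=(dest, client))
    back.start()
    relay(client, dest)
    back.join()
    dest.close()
    client.close()

def start_server(handler):
    # Listen on an ephemeral loopback port, serve each connection in a thread, return the port.
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def connect_through(gw_port, host, port, payload):
    # Internal client: ask the gateway for a session and return (verdict, bytes received back).
    with socket.create_connection(("127.0.0.1", gw_port)) as s:
        s.sendall(f"{host}:{port}\n".encode())
        verdict = s.recv(16).strip()
        if verdict != b"OK":
            return verdict, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # done sending; wait for the reply and EOF
        return verdict, b"".join(iter(lambda: s.recv(4096), b""))
```

A destination service can be simulated with start_server(lambda c: (relay(c, c), c.close())), an echo server, and the gateway with start_server(lambda c: handle_session(c, {("127.0.0.1", echo_port)})).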
17. Circuit-level Gateway
Firewall technology supervises TCP handshaking among packets to confirm a session is genuine.
Firewall traffic is filtered according to particular session rules and may be restricted to recognized computers only.
But circuit-level firewalls do not filter individual packets. This is useful for hiding information about protected networks.
Circuit-level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.
19. Types of Firewalls
Bastion Host
A system identified by the firewall administrator as a critical strong point in the network's security
The bastion host serves as a platform for an application-level or circuit-level gateway
Editor's notes
IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.
Source routing is a method that can be used to specify the route that a packet should take through the network. In source routing the path through the network is set by the source or a device that tells the network source the desired path.