Chapter 10

Firewalls

Henric Johnson
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
+46-708-250375

Outline

• Firewall Design Principles
– Firewall Characteristics
– Types of Firewalls
– Firewall Configurations
• Trusted Systems
– Data Access Control
– The Concept of Trusted Systems
– Trojan Horse Defense

Firewalls

• Effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet

Firewall Design Principles

• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features for all workstations and servers not established

Firewall Design Principles

• The firewall is inserted between the premises network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based attacks
– Provide a single choke point

Firewall Characteristics

• Design goals:
– All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
– Only authorized traffic (defined by the local security policy) will be allowed to pass

Firewall Characteristics

• Design goals:
– The firewall itself is immune to penetration (use of trusted system with a secure operating system)

Firewall Characteristics

• Four general techniques:
• Service control
– Determines the types of Internet services that can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular service requests are allowed to flow

Firewall Characteristics

• User control
– Controls access to a service according to which user is attempting to access it
• Behavior control
– Controls how particular services are used (e.g. filter e-mail)

Types of Firewalls

• Three common types of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
– (Bastion host)

Types of Firewalls

• Packet-filtering Router
– Applies a set of rules to each incoming IP packet and then forwards or discards the packet
– Filters packets going in both directions
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
– Two default policies (discard or forward)

Types of Firewalls

• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of Authentication

Types of Firewalls

• Possible attacks and appropriate countermeasures
– IP address spoofing
– Source routing attacks
– Tiny fragment attacks

Types of Firewalls

• Application-level Gateway
– Also called proxy server
– Acts as a relay of application-level traffic

Types of Firewalls

• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)

Types of Firewalls

• Circuit-level Gateway
– Stand-alone system or
– Specialized function performed by an Application-level Gateway
– Sets up two TCP connections
– The gateway typically relays TCP segments from one connection to the other without examining the contents

Types of Firewalls

• Circuit-level Gateway
– The security function consists of determining which connections will be allowed
– Typical use is a situation in which the system administrator trusts the internal users
– An example is the SOCKS package

Types of Firewalls

• Bastion Host
– A system identified by the firewall administrator as a critical strong point in the network's security
– The bastion host serves as a platform for an application-level or circuit-level gateway

Firewall Configurations

• In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
• Three common configurations

Firewall Configurations

• Screened host firewall system (single-homed bastion host)

Firewall Configurations

• Screened host firewall, single-homed bastion configuration
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host

Firewall Configurations

• Configuration for the packet-filtering router:
– Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions

Firewall Configurations

• Greater security than single configurations because of two reasons:
– This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
– An intruder must generally penetrate two separate systems

Firewall Configurations

• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Firewall Configurations

• Screened host firewall system (dual-homed bastion host)

Firewall Configurations

• Screened host firewall, dual-homed bastion configuration
– The packet-filtering router is not completely compromised
– Traffic between the Internet and other hosts on the private network has to flow through the bastion host

Firewall Configurations

• Screened-subnet firewall system

Firewall Configurations

• Screened subnet firewall configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network

Firewall Configurations

• Advantages:
– Three levels of defense to thwart intruders
– The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)

Firewall Configurations

• Advantages:
– The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

Trusted Systems

• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology

Data Access Control

• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile

Data Access Control

• General models of access control:
– Access matrix
– Access control list
– Capability list

Data Access Control

• Access Matrix: Basic elements of the model
– Subject: An entity capable of accessing objects; the concept of subject equates with that of process
– Object: Anything to which access is controlled (e.g. files, programs)
– Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)

Data Access Control

• Access Control List: Decomposition of the matrix by columns

Data Access Control

• Access Control List
– An access control list lists users and their permitted access rights
– The list may contain a default or public entry

Data Access Control

• Capability list: Decomposition of the matrix by rows

Data Access Control

• Capability list
– A capability ticket specifies authorized objects and operations for a user
– Each user has a number of tickets
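The access matrix and its two decompositions, as an added example that is not part of the original slides: the same matrix is split by columns into access control lists and by rows into capability lists, and both answer an access check identically. The users, objects, the "*" name for the default/public entry and the revoke_object helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed access matrix: one cell per (subject, object) pair that has rights.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob", "report.txt"): {"read", "write"},
    ("backup", "payroll.db"): {"read"},
}

def access_control_lists(matrix):
    """Decompose by columns: for each object, the users and their rights."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)

def capability_lists(matrix):
    """Decompose by rows: for each user, one ticket per object."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)

def acl_allows(acls, subject, obj, right, public="*"):
    """Consult the object's list; a user without an entry of their own
    gets the default (public) entry if the list has one."""
    entries = acls.get(obj, {})
    rights = entries.get(subject, entries.get(public, set()))
    return right in rights

def capability_allows(caps, subject, obj, right):
    """Consult the user's tickets; no ticket for the object means no access."""
    return right in caps.get(subject, {}).get(obj, set())

def revoke_object(acls, caps, obj):
    """Withdraw all access to one object. With ACLs that is a single list;
    with capabilities every user's tickets have to be searched."""
    acls.pop(obj, None)
    touched = [s for s, tickets in caps.items() if tickets.pop(obj, None) is not None]
    return sorted(touched)
```

The revoke_object helper shows the practical difference between the two forms: an ACL keeps everything about one object in one place, while capability tickets for that object are spread across users.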

The Concept of Trusted Systems

• Trusted Systems
– Protection of data and resources on the basis of levels of security (e.g. military)
– Users can be granted clearances to access certain categories of data

The Concept of Trusted Systems

• Multilevel security
– Definition of multiple categories or levels of data
• A multilevel secure system must enforce:
– No read up: A subject can only read an object of less or equal security level (Simple Security Property)
– No write down: A subject can only write into an object of greater or equal security level (*-Property)

The Concept of Trusted Systems

• Reference Monitor Concept: Multilevel security for a data processing system

The Concept of Trusted Systems

• Reference Monitor
– Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters
– The monitor has access to a file (security kernel database)
– The monitor enforces the security rules (no read up, no write down)

The Concept of Trusted Systems

• Properties of the Reference Monitor
– Complete mediation: Security rules are enforced on every access
– Isolation: The reference monitor and database are protected from unauthorized modification
– Verifiability: The reference monitor’s correctness must be provable (mathematically)

The Concept of Trusted Systems

• A system that can provide such verifications (properties) is referred to as a trusted system

Trojan Horse Defense

• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
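The reference monitor's two rules, and why they limit what a Trojan horse can do, as an added example that is not part of the original slides: a program runs as a subject at the level of the user who started it, so it can read that user's data but cannot write it down to a lower-level file. The level names, subjects, files and the copy helper are constructed for illustration.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

class ReferenceMonitor:
    def __init__(self, subject_levels, object_levels):
        # Stand-in for the security kernel database: the security level
        # of every subject (process) and every object (file).
        self._subjects = dict(subject_levels)
        self._objects = dict(object_levels)

    def allowed(self, subject, op, obj):
        """Decide one access. Anything not in the database is denied."""
        s = LEVELS.get(self._subjects.get(subject))
        o = LEVELS.get(self._objects.get(obj))
        if s is None or o is None:
            return False
        if op == "read":
            return s >= o   # no read up (Simple Security Property)
        if op == "write":
            return s <= o   # no write down (*-Property)
        return False        # operations the rules do not cover are denied

def copy(monitor, subject, src, dst):
    """Copy src to dst on behalf of subject; both accesses are mediated."""
    return (monitor.allowed(subject, "read", src)
            and monitor.allowed(subject, "write", dst))

# Constructed scenario: a program started by a "secret" user runs as a
# subject at that user's level, whatever the program's author intended.
MONITOR = ReferenceMonitor(
    subject_levels={"bob-process": "secret", "alice-process": "unclassified"},
    object_levels={"plans.txt": "secret", "notes.txt": "unclassified",
                   "archive.txt": "top-secret"},
)

def trojan_copy_blocked():
    # The program may read plans.txt, but copying it into the lower-level
    # notes.txt is a write down and is refused.
    return (MONITOR.allowed("bob-process", "read", "plans.txt")
            and not copy(MONITOR, "bob-process", "plans.txt", "notes.txt"))
```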

Recommended Reading

• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997
