[Figure: a Firewall standing between the Intranet (Inside) and the Rest of Internet (Outside)]
So, whatever I provide for my security is called a Firewall. It is a mechanism, and not just a piece of hardware or software.
Terms associated:
1. Complacency: There are lots of attacks on the firewall from internal users and therefore its limitations should be understood.
2. Encapsulated packets: An encapsulated packet is an IP packet within another IP packet. If we ask the router to drop encapsulated packets, then it will drop the multicast packets also.
3. Throughput: In order to check which packets are allowed and which are not, we are doing some processing which can be an overhead and thus affects throughput.
We can use the following mechanisms:
1. Packet Filtering: Routers have information about some particular packets which should not be allowed.
2. Application gateways or proxy servers.
Many commercial routers offer a mechanism that augments normal routing and permits a manager to further control packet processing. Informally called a packet filter, the mechanism requires the manager to specify how the router should dispose of each datagram. For example, the manager might choose to filter (i.e., block) all datagrams that come from a particular source or those used by a particular application, while choosing to route other datagrams to their destination.
The term packet filter arises because the filtering mechanism does not keep a record of interaction or a history of previous datagrams. Instead, the filter considers each datagram separately. When a datagram first arrives, the router passes the datagram through its packet filter before performing any other processing. If the filter rejects the datagram, the router drops it immediately.
For example, normally I won't allow TFTP, openwin, RPC, rlogin or rsh packets to pass through the router, whether from inside or outside; the router just discards these packets. But I might put some restrictions on telnet, ftp, http and smtp packets in order for them to pass through the router, and therefore some processing has to be done before discarding or allowing these packets.
Because TCP/IP does not dictate a standard
for packet filters, each router vendor is free to choose the capabilities
of their packet filter as well as the interface the manager uses to configure
the filter. Some routers permit a manager to configure separate filter
actions for each interface, while others have a single configuration for
all interfaces. Usually, when specifying datagrams that the filter should
block, a manager can list any combination of source IP address, destination
IP address, protocol, source protocol port number, and destination protocol
port number.
So, these filtering rules may become more
tricky with complex network policies.
Since filtering rules are based on port
numbers, there is a problem with RPC applications. First, the number of
well-known ports is large and growing. Thus, a manager would need to update
such a list continually, because a simple error of omission could
leave the firewall vulnerable. Second, much of the traffic on an internet
does not travel to or from a well-known port. In addition to programmers
who can choose port numbers for their private client-server applications,
services like Remote Procedure Call (RPC) assign ports dynamically.
Third, listing ports of well-known services leaves the firewall vulnerable
to tunneling, a technique in which one datagram is temporarily encapsulated
in another for transfer across part of an internet.
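As an added illustration (not part of these notes or of any router's software), here is a first-match stateless filter carrying the policy sketched above: the well-known ports are the IANA assignments for the named services, while the hosts, addresses and interface names are constructed. Its last function shows the dynamic-port limitation just discussed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    iface: str   # interface the datagram arrived on: "inside" or "outside"

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    proto: Optional[str] = None   # None matches anything
    dport: Optional[int] = None
    iface: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, d: Datagram) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, d.proto), (self.dport, d.dport),
            (self.iface, d.iface), (self.dst, d.dst)))

MAIL_SERVER = "192.0.2.25"   # constructed: the one host reachable on SMTP
# Well-known ports for the services named in the notes. First match wins; a
# datagram matching no rule is routed ("block what is listed, route the rest").
POLICY = [
    Rule("block", proto="udp", dport=69),                   # TFTP, either side
    Rule("block", dport=111),                               # RPC portmapper, tcp and udp
    Rule("block", proto="tcp", dport=513),                  # rlogin
    Rule("block", proto="tcp", dport=514),                  # rsh
    Rule("block", proto="tcp", dport=23, iface="outside"),  # telnet only from inside
    Rule("block", proto="tcp", dport=21, iface="outside"),  # ftp only from inside
    Rule("block", proto="tcp", dport=80, iface="outside"),  # http only from inside
    Rule("allow", proto="tcp", dport=25, iface="outside", dst=MAIL_SERVER),
    Rule("block", proto="tcp", dport=25, iface="outside"),  # smtp to anything else
]

def filter_datagram(d: Datagram, policy=POLICY, default="allow") -> str:
    """Judge one datagram on its own fields alone; the filter keeps no history."""
    for rule in policy:
        if rule.matches(d):
            return rule.action
    return default

# The limitation from the text: an RPC service the portmapper placed on a dynamic
# port (32771, constructed) is not in the list, so a list-of-blocked-ports filter routes it.
def rpc_dynamic_port_leaks(default="allow") -> bool:
    d = Datagram("203.0.113.9", "10.0.0.5", "tcp", 32771, "outside")
    return filter_datagram(d, default=default) == "allow"
```

Passing default="block" turns the same rule list into a default-deny filter, which is how a manager closes the omission problem without enumerating every port.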
I can run multiple proxies on the same machine. They may detect misuse by keeping logs. For example, some machines give logins to Ph.D. students; in this case it is better to keep proxy servers than to give logins on those machines. But the disadvantage with this is that there are two connections for each process.
[Figure: User -> Proxy -> Outside. Connection 1 runs from the user to the proxy and connection 2 from the proxy to the outside.]
1. Packet Filtering Firewall
This is the simplest design, and it is considered when the network is small and users don't run many Intranet applications.
[Figure: Intranet ----| Router |---- Internet, with the Filter inside the router]
2. Dual-homed gateway
This gives the least amount of flexibility. Instead of a router, we have application gateways.
[Figure: Inside ----| Application level gateway (proxy) |---- Outside]
3. Screened host Firewall
It is the combination of the above two schemes. Some applications are allowed through uninterrupted while some have to be screened. For any reasonable size network, a screened host firewall can get overloaded.
[Figure: Inside ----| Router 1 |----| Router 2 |---- Outside, with a Proxy connected between Router 1 and Router 2]
The problem with this is that there is only one proxy and thus it may get overloaded. Therefore, to reduce the load, we can use multiple screened host firewalls, and this is what is normally used.
[Figure: as above, but with several proxies (Proxy 1, Proxy 2, ...) connected between Router 1 and Router 2]
Private IP (PIP address)
It is an extension of transparent proxy. Here we also change the IP address (source address) to one of the allocated IP addresses and send it. So, the client does not know that the IP address has been changed; only the proxy server knows it. The machine that changes the IP address is the Network Address Translator (NAT). NAT also changes other things like the CRC and the TCP header checksum (this is calculated using the pseudo IP header). NAT can also change the port number.
e.g., Port address translation: hosts X and Y sit behind the NAT, which uses the global address G1 (IP address, port #):
X1, P1 ----> G1, Pa
X1, P2 ----> G1, Pb
Y, P3 ----> G1, Pc
I may not like to have a global IP address because then anybody can contact me in spite of these security measures. So, I work with Private IP. In that case, there has to be a one-to-one mapping between private IP and global IP.
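To make the translation concrete, here is an added example (not from these notes) of a port address translator: it keeps the (X, P) -> (G1, Px) table from the figure above, reverses it for replies, drops inbound segments that have no table entry, and recomputes the TCP checksum over the pseudo IP header as the text describes. The addresses and ports used in the comments and checks are constructed, and the checksum routine is the standard Internet checksum.

```python
import socket
import struct
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Segment:              # only the fields the NAT reads or rewrites
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by IP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(seg: Segment) -> int:
    """Covers the pseudo IP header, so rewriting the source IP or port changes it."""
    pseudo = struct.pack("!4s4sxBH", socket.inet_aton(seg.src),
                         socket.inet_aton(seg.dst), 6, 20 + len(seg.payload))
    # minimal 20-byte TCP header: seq/ack 0, data offset 5, no flags, checksum field 0
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, 0, 0, 5 << 4, 0, 0, 0, 0)
    return internet_checksum(pseudo + header + seg.payload)

class PAT:
    def __init__(self, global_ip: str, first_port: int = 5000):
        self.g = global_ip       # G1: the single global address (constructed in use)
        self.next_port = first_port
        self.out = {}    # (private ip, private port) -> global port
        self.back = {}   # global port -> (private ip, private port)

    def outbound(self, seg: Segment) -> Segment:
        key = (seg.src, seg.sport)
        if key not in self.out:            # allocate Pa, Pb, Pc ... on first use
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(seg, src=self.g, sport=self.out[key])

    def inbound(self, seg: Segment):
        # No table entry means nobody inside asked for this: drop it (return None).
        if seg.dst != self.g or seg.dport not in self.back:
            return None
        priv_ip, priv_port = self.back[seg.dport]
        return replace(seg, dst=priv_ip, dport=priv_port)
```

The drop in inbound() is the property the text is after: an outside host cannot reach a private address unless an inside host created the mapping first.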