In computer networking, a firewall is a barrier that individuals, organizations, businesses and government agencies set up to block unwanted access from outside into the internal network, and to stop confidential information held inside the internal network from leaving for the Internet without authorization. A firewall is a hardware device and/or a piece of software operating in a networked computing environment that blocks certain communications forbidden by the security policy of the individual or organization; this works much like the fire walls in buildings. A firewall is also called a Border Protection Device (BPD), particularly in NATO contexts, or a packet filter in the BSD operating system, a version of Unix from the University of California, Berkeley. The basic task of a firewall is to control data traffic between two zones with different levels of trust. Typical zones of trust are the Internet (an untrusted zone) and the internal network (a highly trusted zone). The ultimate goal is to provide controlled connectivity between zones of differing trust by applying a security policy and a connectivity model based on the principle of least privilege.
Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
Introduction
Capabilities and Limits
Firewall types
Firewall basing
Security: Defense in Depth
Firewall locations
Packet Filter Rules
Capabilities and limits:
• Can be an effective means of protecting LANs from threats
• Internet connectivity is essential
o for organizations and individuals
o but creates a threat when the outside is enabled to reach the local network
• could secure workstations and servers
• also use the firewall as perimeter defence
o single block point to impose security
o defines a single choke point
o provides a location for monitoring security events
o convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
• limits:
o cannot protect against attacks bypassing the firewall
o may not protect fully against internal threats
o improperly secured wireless LAN
o laptop, PDA or portable storage device infected outside, then used inside
Firewall types: a firewall may act
• as a positive filter:
o allowing to pass only packets that meet specific criteria, or
• as a negative filter:
o rejecting any packet that meets certain criteria
Depending on the type of firewall, it may examine:
• one or more protocol headers in each packet,
• the payload of each packet, or
• the pattern generated by a sequence of packets
[Figure: "The good, the bad & the ugly": a filter passes the good and stops the bad and the ugly; shown for a route filter, a packet filter and a content filter]
The principal types of firewalls:
• Packet Filtering Firewall
• Stateful Inspection Firewall
• Application-Level Gateway
• Circuit-Level Gateway
[Figure: packet filtering between a terminal, the firewall and a host; the traffic shown includes Web, Ping, FTP, Email, Telnet, SSH and DNS requests and responses, packets with an illegal source or destination IP address, and Microsoft NetBIOS Name Service traffic]
Packet Filtering:
• Packet header is inspected
• Single-packet attacks caught
• Very little overhead in firewall: very quick
• High-volume filter
weaknesses:
o cannot prevent attacks on application bugs (do not examine upper-layer data)
o limited logging functionality
o do not support advanced user authentication
o vulnerable to attacks on TCP/IP protocol bugs
o improper configuration can lead to breaches
attacks:
o IP address spoofing
o source route attacks
o tiny fragment attacks
[Figure: terminal, firewall and host A]
Stateful Inspection
• State retained in firewall memory
• Most multi-packet attacks caught
• More fields in packet header inspected
• Little overhead in firewall: quick
Stateful inspection firewall:
• reviews packet header information but also
o typically have low, "known" port numbers for the server
o and high, dynamically assigned client port numbers
o a simple packet filter must allow all return high-numbered port packets back in
o a stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
o only allows incoming traffic to high-numbered ports for packets matching an entry in this directory
o may also track TCP sequence numbers
[Figure: terminal, firewall and hosts A and B]
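As an added example (not part of the lecture slides), the following Python simulation contrasts the simple packet filter, which has to let every return packet to a high-numbered port back in, with a stateful inspection filter that keeps a directory of TCP connections; it also applies the anti-spoofing and tiny-fragment checks that the attacks listed for packet filters call for. The internal prefix 10.0.0., the interface names "ext"/"int" and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
INTERNAL_NET = "10.0.0."   # assumed internal address prefix (constructed)
TCP_HEADER_MIN = 20        # bytes a first fragment must carry to hold a TCP header

@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" = arrived from the Internet, "int" = from the LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # IP fragment offset in 8-byte units
    frag_len: int = 0     # fragment payload length in bytes; 0 = not fragmented

def anti_spoof_ok(p: Packet) -> bool:
    """Reject IP spoofing: an external packet must not claim an internal source."""
    return not (p.iface == "ext" and p.src.startswith(INTERNAL_NET))

def fragment_ok(p: Packet) -> bool:
    """Reject tiny fragments: first fragment too short for a TCP header, or offset 1."""
    if p.frag_offset == 0:   # unfragmented packet or first fragment
        return p.frag_len == 0 or p.frag_len >= TCP_HEADER_MIN
    return p.frag_offset != 1   # offset 1 would overwrite the TCP ports and flags

def stateless_decide(p: Packet) -> str:
    """Simple packet filter: must allow inbound traffic to every high-numbered port."""
    if not (anti_spoof_ok(p) and fragment_ok(p)):
        return "DROP"
    if p.iface == "int":
        return "ALLOW"
    return "ALLOW" if p.dport > 1023 else "DROP"

class StatefulFilter:
    """Keeps a directory of outbound TCP connections and admits only their replies."""
    def __init__(self) -> None:
        self.connections = set()   # entries: (src, sport, dst, dport)
    def decide(self, p: Packet) -> str:
        if not (anti_spoof_ok(p) and fragment_ok(p)):
            return "DROP"
        if p.iface == "int":
            if p.syn and not p.ack:   # inside client opening a new connection
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # inbound: the reversed 4-tuple must match a directory entry
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "ALLOW"
        return "DROP"
```

An unsolicited inbound packet to a high port is accepted by `stateless_decide` but dropped by `StatefulFilter`, which is the tightening the slide describes.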
Circuit-Level Firewall:
• Packet session terminated and recreated via a Proxy Server
• All multi-packet attacks caught
• Packet header completely inspected
• High overhead in firewall: slow
Circuit-level gateway:
• sets up two TCP connections, to an inside user and to an outside host
• relays TCP segments from one connection to the other without examining contents
o hence independent of application logic
o just determines whether relay is permitted
• typically used when inside users are trusted
o may use an application-level gateway inbound and a circuit-level gateway outbound
o hence lower overheads
• SOCKS: lets TCP/UDP applications use the firewall
o SOCKS server on firewall
o SOCKS client library on all internal hosts
o SOCKS-ified client applications
o client authenticates, sends relay request
15/11/2016
Application-Level Firewall:
• Packet session terminated and recreated via a Proxy Server
• Packet header completely inspected
• Most or all of application inspected
• Highest overhead: slow & low volume
[Figure: terminal, firewall and hosts A and B]
Application-level gateway:
• acts as a relay of application-level traffic
o user contacts gateway with remote host name
o authenticates themselves
o gateway contacts application on remote host and relays TCP segments between server and user
• must have proxy code for each application
o may restrict application features supported
• more secure than packet filters
• but has higher overheads
Firewall basing: several options for locating the firewall:
o bastion host
o individual host-based firewall
o personal firewall
Bastion host: a computer fortified against attackers
o applications turned off
o operating system patched
o security configuration tightened
Bastion host:
• critical strongpoint in network
• hosts application/circuit-level gateways
• common characteristics of a bastion host:
o runs secure O/S, only essential services
o may require user auth to access proxy or host
o each proxy can restrict features, hosts accessed
o each proxy small, simple, checked for security
o each proxy is independent, non-privileged
o limited disk use, hence read-only code
Host-based firewall:
• used to secure an individual host
• available in/add-on for many O/S
• filters packet flows
• often used on servers
• advantages:
o tailored filter rules for specific host needs
o protection from both internal / external attacks
o additional layer of protection to org firewall
Personal firewall:
• controls traffic flow to/from PC/workstation
• for both home and corporate use
• may be a software module on the PC or in a home cable/DSL router/gateway
• typically much less complex
• primary role to deny unauthorized access
• may also monitor outgoing traffic to detect/block worm/malware activity
Security: Defense in Depth
• Border Router
• Perimeter firewall
• Internal firewall
• Intrusion Detection System
• Policies & Procedures & Audits
• Authentication
• Access Controls
Firewall locations
[Figure: The Internet, Border Router/Firewall, De-Militarized Zone (External DNS Server, E-Commerce, VPN Server), Private Network / Protected Internal Network Zone (Database/File Servers, IDS), Commercial Network, WLAN Router]
[Figure: Demilitarized Zone with proxy interface]
[Figure: Screened host: screening device, firewall, IDS]
The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.
[Figure: rule development cycle with the stages Policies, Network Filter Capabilities, Write Rules, Protected Network, Audit, Failures, Corrections]
[Figure: The Internet, Border Router/Firewall, De-Militarized Zone, Private Network, Router/Firewall, WLAN]
[Figure: The Internet, Border Router as packet filter, De-Militarized Zone with bastion hosts and proxy server firewall, Private Network, WLAN]
Packet Filter Rules:
• Set up a firewall
o On Windows: ISA, TMG
o On Linux: iptables, pfSense, Endian, ClearOS…
• Configure rules in the firewall
Reference: William Stallings, Cryptography and Network Security: Principles and Practice, Sixth Edition, Prentice Hall, 2013.