In computer networking, a firewall is a barrier that individuals, organizations, businesses and government agencies set up to block unwanted access from the outside into the internal network, and to stop confidential information held inside the internal network from leaving for the Internet without authorization. A firewall is a hardware device and/or a piece of software operating in a networked computer environment to block certain communications forbidden by the security policy of the individual or organization; this is analogous to the function of fire walls in buildings. A firewall is also called a Border Protection Device (BPD), especially in NATO contexts, or a packet filter in the BSD operating system, a version of Unix from the University of California, Berkeley. The basic task of a firewall is to control data traffic between two zones of differing trust. Typical zones of trust are the Internet (an untrusted zone) and the internal network (a zone of high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust by applying a security policy and a connectivity model based on the principle of least privilege.
15/11/2016 Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

Outline:
• Introduction
• Capabilities and Limits
• Firewall types
• Firewall basing
• Security: Defense in Depth
• Firewall locations
• Packet Filter Rules

Introduction
• Can be an effective means of protecting LANs from threats
• Internet connectivity is essential
  o for organizations and individuals
  o but creates a threat when the outside is enabled to reach the local network
• could secure workstations and servers
• also use a firewall as perimeter defence
  o single block point to impose security

Capabilities:
  o defines a single choke point
  o provides a location for monitoring security events
  o convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
Limitations:
  o cannot protect against attacks bypassing the firewall
  o may not protect fully against internal threats
  o improperly secured wireless LAN
  o laptop, PDA or portable storage device infected outside, then used inside

Firewall types
A firewall acts
  o as a positive filter: allowing to pass only packets that meet specific criteria, or
  o as a negative filter: rejecting any packet that meets certain criteria
Depending on the type of firewall, it may examine:
• one or more protocol headers in each packet,
• the payload of each packet, or
• the pattern generated by a sequence of packets
[Figure: filter levels: Route Filter, Packet Filter, Content Filter]

The good, the bad & the ugly…
[Figure: mixed traffic arriving at the firewall: Web Request, Web Response, Email Connect Request, Email Response, SSH Connect Request, DNS Request, Ping Request, FTP request, Telnet Request, Microsoft NetBIOS Name Service, and packets with an illegal source or destination IP address; the firewall separates "The Good" from "The bad & the ugly"]

The principal types of firewalls:
• Packet Filtering Firewall
• Stateful Inspection Firewall
• Application-Level Gateway
• Circuit-Level Gateway

Packet Filtering:
• Packet header is inspected
• Single-packet attacks caught
• Very little overhead in firewall: very quick
• High-volume filter
[Figure: terminal – firewall – host; packet A passes through the filter]
Packet filter weaknesses:
  o cannot prevent attacks on application bugs (do not examine upper-layer data)
  o limited logging functionality
  o no support for advanced user authentication
  o vulnerable to attacks on TCP/IP protocol bugs
  o improper configuration can lead to breaches
Attacks:
  o IP address spoofing
  o source route attacks
  o tiny fragment attacks

Stateful Inspection:
• State retained in firewall memory
• Most multi-packet attacks caught
• More fields in packet header inspected
• Little overhead in firewall: quick
[Figure: terminal – firewall – host; the packets A of one session pass the filter]
• reviews packet header information but also keeps information on TCP connections
  o servers typically have a low, "known" port number
  o and clients a high, dynamically assigned port number
  o a simple packet filter must allow all return packets to high port numbers back in
  o a stateful inspection packet firewall tightens the rules for TCP traffic using a directory of TCP connections
  o it only allows incoming traffic to high-numbered ports for packets matching an entry in this directory
  o it may also track TCP sequence numbers

Circuit-Level Firewall:
• Packet session terminated and recreated via a Proxy Server
• All multi-packet attacks caught
• Packet header completely inspected
• High overhead in firewall: slow
[Figure: terminal – firewall – host; session A on the inside is relayed as session B on the outside]
• sets up two TCP connections, to an inside user and to an outside host
• relays TCP segments from one connection to the other without examining contents
  o hence independent of application logic
  o just determines whether the relay is permitted
• typically used when inside users are trusted
  o may use an application-level gateway inbound and a circuit-level gateway outbound
  o hence lower overheads
• SOCKS v5 is defined in RFC 1928 to allow TCP/UDP applications to use a firewall; components:
  o SOCKS server on the firewall
  o SOCKS client library on all internal hosts
  o SOCKS-ified client applications
• the client app contacts the SOCKS server, authenticates, and sends a relay request; the server evaluates it and establishes the
relay connection; UDP is handled with a parallel TCP control channel

Application-Level Firewall:
• Packet session terminated and recreated via a Proxy Server
• Packet header completely inspected
• Most or all of the application inspected
• Highest overhead: slow & low volume
[Figure: terminal – firewall – host; session A on the inside is relayed as session B on the outside]
• acts as a relay of application-level traffic
  o the user contacts the gateway with the remote host name
  o authenticates themselves
  o the gateway contacts the application on the remote host and relays TCP segments between server and user
• must have proxy code for each application
• more secure than packet filters but has higher overheads
  o may restrict the application features supported

Firewall basing
Several options for locating a firewall:
  o bastion host
  o individual host-based firewall
  o personal firewall

Bastion host
• Computer fortified against attackers: applications turned off, operating system patched, security configuration tightened
• critical strongpoint in the network
• hosts application-level / circuit-level gateways
• Common characteristics of a bastion host:
  o runs a secure O/S, only essential services
  o may require user authentication to access proxy or host
  o each proxy can restrict features and hosts accessed
  o each proxy is small, simple, checked for security
  o each proxy is independent, non-privileged
  o limited disk use, hence read-only code

Host-based firewall
• used to secure an individual host
• available in, or as an add-on for, many O/S
• filters packet flows
• often used on servers
• advantages:
  o tailored filter rules for specific host needs
  o protection from both internal and external attacks
  o additional layer of protection to the organizational firewall

Personal firewall
• controls traffic flow to/from a PC/workstation
• for both home and corporate use
• may be a software module on the PC or in the home cable/DSL router/gateway
• typically much less complex
• primary role is to deny unauthorized access
• may also monitor outgoing traffic to detect/block worm/malware activity

Security: Defense in Depth
• Border Router
• Perimeter firewall
• Internal firewall
• Intrusion Detection System
• Policies & Procedures &
Audits
• Authentication
• Access Controls

Firewall locations
[Figure: Border Router/Firewall between the Internet and a De-Militarized Zone, with Commercial Network, WLAN and Private Network segments behind it; a screening router in front of the firewall and a screened host with proxy interface guarding the protected internal network zone; IDS sensors in the DMZ and the internal zone; DMZ hosts: External DNS, Web Server, E-Commerce, VPN Server; internal hosts: Database/File Servers. The router serves as a screen for the firewall, preventing Denial of Service attacks on the firewall.]
[Figure: policy cycle with the elements Policies, Write Rules, Network Filter Capabilities, Protected Network, Audit, Failures, Corrections]
[Figure: Border Router/Firewall between the Internet and the De-Militarized Zone; a second Router/Firewall separating the WLAN and the Private Network]
[Figure: Border Router acting as packet filter towards the Internet; Bastion Hosts in the De-Militarized Zone; proxy server firewall in front of the WLAN and the Private Network]

Packet Filter Rules
• Set up a firewall
  o On Windows: ISA, TMG
  o On Linux: iptables, pfSense, Endian, ClearOS…
• Configure rules in the firewall

Reference: Cryptography and Network Security: Principles and Practice, William Stallings, Prentice Hall, Sixth Edition, 2013
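As an added illustration of the difference the slides draw between a simple packet filter (which must admit every return packet to a high port) and stateful inspection (which consults a directory of TCP connections), the following Python simulates both filters over the same constructed traffic; it is example code written for this page, not the lecturer's or Stallings' material. The policy (only outbound web traffic permitted), the addresses and the Packet fields are assumptions, and the stateful filter does not track TCP sequence numbers or connection teardown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out": LAN -> Internet, "in": Internet -> LAN

# Constructed sample traffic in arrival order (documentation addresses, not real hosts).
PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "out"),   # LAN client opens a web connection
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, "in"),    # the web server's legitimate reply
    Packet("198.51.100.7", 80, "10.0.0.5", 51000, "in"),    # other host, same client port: unsolicited
    Packet("198.51.100.7", 4444, "10.0.0.9", 60000, "in"),  # unsolicited inbound to a high port
    Packet("10.0.0.5", 51001, "203.0.113.10", 23, "out"),   # outbound telnet, not in the policy
]

ALLOWED_SERVER_PORTS = {80, 443}  # hypothetical policy: only outbound web traffic is permitted

def simple_packet_filter(p: Packet) -> str:
    # Static rules, no memory of earlier packets, default deny.
    if p.direction == "out" and p.dst_port in ALLOWED_SERVER_PORTS:
        return "allow"
    # Without state the filter must let every reply to a client's high port back in.
    if p.direction == "in" and p.dst_port >= 1024:
        return "allow"
    return "deny"

class StatefulFilter:
    # Same policy, plus a directory of TCP connections opened from the inside.
    def __init__(self):
        self.directory = set()  # entries: (client_ip, client_port, server_ip, server_port)

    def filter(self, p: Packet) -> str:
        if p.direction == "out" and p.dst_port in ALLOWED_SERVER_PORTS:
            self.directory.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        # Inbound traffic to a high port is admitted only if it matches a directory entry.
        if p.direction == "in" and (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.directory:
            return "allow"
        return "deny"

def decisions() -> dict:
    # Run both filters over the same traffic; the third and fourth packets show the difference.
    stateful = StatefulFilter()
    return {"simple": [simple_packet_filter(p) for p in PACKETS],
            "stateful": [stateful.filter(p) for p in PACKETS]}
```

The simple filter admits the two unsolicited inbound packets because they target high ports, while the stateful filter denies them since no inside client opened those connections.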