Chapter 5 Firewall and Proxy Server


CHAPTER 6

Firewall and Proxy Server

Securing Private Networks

Outline
• Firewall
• Proxy Server
• Types of Firewalls
• Packet Filtering Firewalls
• Application level gateway
• Circuit level gateway
• Firewall configuration/topology
• Proxy server
• How Proxy Servers Work
• Proxy Servers and Packet Filters
• Goals of Proxy Servers

Overview of Firewall
• A firewall is a router or other communications device which filters access to a protected network.
• A firewall is also a program that screens all incoming traffic and protects the network from unwelcome intruders.
• It is a means of protecting a local system or network of systems from network-based security threats,
– while affording access to the outside world via WANs or the Internet.

Firewall features
• General firewall features
- Port control
- Network Address Translation
- Application monitoring
- Packet filtering
- Access control

• Additional features
- Data encryption
- Authentication
- Connection relay (hide internal network)
- Reporting/logging
- E-mail virus protection

Types of Firewalls
• Packet Filtering Firewalls
• Proxy Server Firewalls

Packet Filtering Firewalls/Routers
• A packet filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
– A filtering firewall works at the network level.
• The router is typically configured to filter packets going in both directions (from and to the internal network).
• Filtering rules are based on information contained in a network packet:
– Source IP address: the IP address of the system that originated the IP packet (e.g., 192.178.1.1)
– Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
– Source and destination port address: the transport-level (e.g., TCP or UDP) port number, which identifies applications such as SNMP or TELNET
• Packet filtering is generally accomplished using Access Control Lists (ACLs) on routers.

• Stateful Packet Filtering Firewalls
• Stateful inspection provides for the analysis of packets at the network layer and at other layers (typically the transport layer).
• By combining information from various layers, the firewall is better able to understand the protocol it is inspecting.
• Deep Packet Inspection (DPI) Firewall
– Has the ability to look inside packets and read the payload of any packet, whether encrypted or not.
– DPI firewalls decrypt encrypted packet content, inspect it, and then re-encrypt and forward it. This adds latency.
– DPI is a tool that allows ISPs to scan packets traveling through their networks.
– DPI systems would typically be installed only at Tier 1 Internet Service Providers (ISPs).
– If Ethio Telecom needs to install a DPI firewall, it will be installed on the country gateway.
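The difference between a plain packet filter and stateful inspection, as an added example that is not part of the slides: the stateless rules judge each header on its own, so to let web replies in they must admit any inbound packet with source port 80; the stateful filter admits a reply only if an internal host opened the connection. Addresses and ports are constructed.

```python
# Added example (not from the slides): stateless vs. stateful filtering of the
# same constructed packets. The 192.168.1.0/24 internal range is an assumption.
from dataclasses import dataclass

INTERNAL_NET = "192.168.1."          # constructed internal address prefix

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool      # True for the first packet of a TCP connection

def is_internal(ip):
    return ip.startswith(INTERNAL_NET)

def stateless_filter(pkt):
    """Network-layer rules only: each packet is judged on its own header.
    To let web replies back in, any inbound packet from port 80 is admitted,
    whether or not an internal host ever asked for it."""
    if is_internal(pkt.src_ip) and pkt.dst_port == 80:
        return "allow"            # outbound web request
    if not is_internal(pkt.src_ip) and pkt.src_port == 80:
        return "allow"            # looks like a web reply
    return "deny"

class StatefulFilter:
    """Remembers connections opened from inside; inbound packets are admitted
    only when they belong to a tracked connection."""
    def __init__(self):
        self.table = set()        # (int_ip, int_port, ext_ip, ext_port)
    def check(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if is_internal(pkt.src_ip):
            if pkt.dst_port == 80 and pkt.syn:
                self.table.add(flow)   # new outbound connection is recorded
                return "allow"
            return "allow" if flow in self.table else "deny"
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.table else "deny"

def compare():
    """Returns {name: (stateless decision, stateful decision)} for three packets."""
    fw = StatefulFilter()
    samples = [("request", Packet("192.168.1.2", 51000, "203.0.113.10", 80, True)),
               ("reply", Packet("203.0.113.10", 80, "192.168.1.2", 51000, False)),
               ("unsolicited", Packet("198.51.100.7", 80, "192.168.1.5", 22, False))]
    return {name: (stateless_filter(p), fw.check(p)) for name, p in samples}
```

The unsolicited packet, which merely carries source port 80, passes the stateless rules but is dropped by the stateful filter because no internal host opened that connection.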
Firewall Configuration

Bastion Host
• A special-purpose computer on a network specifically designed and configured to withstand attacks.
• The bastion host serves as a platform for an application-level gateway.
• A system identified by the firewall administrator as a critical strong point in the network's security.
• The bastion host hardware platform executes a secure version of its operating system, making it a trusted system.
• Only the services that the network administrator considers essential are installed on the bastion host.
– These include proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication.

Bastion Host
• Three common configurations:
– Screened host firewall system (single-homed bastion host)
– Dual-homed bastion host
– Screened subnet firewall system

Screened host firewall system
• Also called single-homed bastion host
Configuration:
• The firewall consists of two systems:
1. Packet filtering router: the router is configured so that:
a. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
b. For traffic from the internal network, only IP packets from the bastion host are allowed out.
2. Bastion host
- performs authentication and proxy functions.

Screened host firewall system…
• This configuration has greater security than simply a packet-filtering router or an application-level gateway alone, for two reasons:
– This configuration implements both packet-level and application-level filtering.
– An intruder must generally penetrate two separate systems before the security of the internal network is compromised.

• This configuration also affords flexibility in providing direct Internet access.
– For example, the internal network may include a public information server, such as a Web server, for which a high level of security is not required.
– In that case, the router can be configured to allow direct traffic between the information server and the Internet.
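The screening router's two rules (inbound only to the bastion host, outbound only from it) together with the optional direct-access exception for a public Web server, as an added example that is not part of the slides. The bastion, Web server and client addresses are constructed.

```python
# Added example (not from the slides): decisions of the screened host router.
# All addresses are constructed for illustration.
BASTION = "192.168.1.10"       # constructed: the single-homed bastion host
PUBLIC_WEB = "192.168.1.20"    # constructed: public information server
INTERNAL_PREFIX = "192.168.1."

def from_internet(ip):
    return not ip.startswith(INTERNAL_PREFIX)

def router_decision(pkt, allow_direct_web=False):
    """pkt: dict with src_ip, src_port, dst_ip, dst_port.
    Returns 'forward' or 'drop' for one packet crossing the router."""
    if from_internet(pkt["src_ip"]):
        # Rule a: inbound packets may only be destined for the bastion host ...
        if pkt["dst_ip"] == BASTION:
            return "forward"
        # ... unless direct access to the public Web server is deliberately opened.
        if allow_direct_web and pkt["dst_ip"] == PUBLIC_WEB and pkt["dst_port"] == 80:
            return "forward"
        return "drop"
    # Rule b: outbound packets may only come from the bastion host ...
    if pkt["src_ip"] == BASTION:
        return "forward"
    # ... or, with the exception enabled, be replies from the Web service itself.
    if allow_direct_web and pkt["src_ip"] == PUBLIC_WEB and pkt["src_port"] == 80:
        return "forward"
    return "drop"

def audit(packets, allow_direct_web=False):
    """Apply the rules to a list of packets; returns the list of decisions."""
    return [router_decision(p, allow_direct_web) for p in packets]

# Constructed sample traffic: mail to the bastion, telnet to an inside host,
# a direct web request from an inside host, the same via the bastion, and a
# request to the public Web server.
SAMPLES = [
    {"src_ip": "198.51.100.5", "src_port": 40000, "dst_ip": BASTION, "dst_port": 25},
    {"src_ip": "198.51.100.5", "src_port": 40001, "dst_ip": "192.168.1.2", "dst_port": 23},
    {"src_ip": "192.168.1.2", "src_port": 51000, "dst_ip": "198.51.100.5", "dst_port": 80},
    {"src_ip": BASTION, "src_port": 51001, "dst_ip": "198.51.100.5", "dst_port": 80},
    {"src_ip": "198.51.100.5", "src_port": 40002, "dst_ip": PUBLIC_WEB, "dst_port": 80},
]

if __name__ == "__main__":
    print(audit(SAMPLES))                        # strict screened host
    print(audit(SAMPLES, allow_direct_web=True)) # with the Web server exception
```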
Dual Homed Bastion Host
• Screened host firewall system (dual-homed bastion host)
• Traffic between the Internet and other hosts on the private network has to flow through the bastion host.
• Uses two NICs for greater security.

Screened Subnet Firewall System
• The most secure of the three bastion host configurations.
• Two packet filtering routers are used.
• An isolated sub-network is created.

Screened Subnet Firewall System…
• Advantages:
- Three levels of defense to prevent intruders.
- The outside router advertises only the existence of the screened sub-net to the Internet,
• so the internal network is invisible to the Internet.
- The inside router advertises only the existence of the screened sub-net to the internal network,
• so the systems on the inside cannot construct direct routes to the Internet.

Overview of Proxy Server
• A proxy server is a computer program that acts as an intermediary between a web browser and a web server.
– To give users rapid access to popular web destinations.
• Internet Service Providers use proxy servers as "holding bins" to store frequently requested pages,
– rather than going out and fetching them repeatedly from the Net (e.g., www.google.com.et).
• A proxy server is also used to control and monitor outbound and inbound traffic.
Overview of Proxy Servers…
• Scan and act on the data portion of an IP packet
• Act primarily on behalf of internal hosts
– receiving, rebuilding, and forwarding outbound requests
• Go by many names
– Proxy services
– Application-level gateways
– Application proxies

How Proxy Servers Work
• Function as software, forwarding data between internal and external hosts
• Focus on the port each service uses
– Screen all traffic into and out of each port
– Decide whether to block or allow traffic based on rules
• Proxies add time to communications, but in return, they:
– Conceal clients
– Translate network addresses (NAT)
– Filter content
Steps Involved in a Proxy Transaction
1. Internal host makes request to access a
Web site
2. Request goes to proxy server, which
examines header and data of the packet
against rule base
3. Proxy server recreates packet in its entirety
with a different source IP address
4. Proxy server sends packet to destination;
packet appears to come from proxy server
5. Returned packet is sent to proxy server,
which inspects it again and compares it
against its rule base
6. Proxy server rebuilds returned packet and
sends it to originating computer; packet
appears to come from external host
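The six steps above walked through in code, as an added example that is not part of the slides: the proxy checks header and data against a small rule base, rebuilds the request with its own source address, inspects the reply, and rebuilds it so the client sees the external host as the sender. The proxy address, blocked host and blocked content pattern are constructed.

```python
# Added example (not from the slides): simulation of one proxy transaction.
# All addresses, the rule base and the packets are constructed.
from dataclasses import dataclass

PROXY_IP = "203.0.113.1"              # constructed external address of the proxy
BLOCKED_HOSTS = {"blocked.example"}   # constructed rule base: forbidden sites
BLOCKED_PAYLOAD = ("<applet",)        # constructed: content the proxy refuses

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    host: str      # HTTP Host header (the "header" part the proxy examines)
    data: str      # payload (the "data" part the proxy examines)

def check_rules(pkt):
    """Steps 2 and 5: examine header and data against the rule base."""
    if pkt.host in BLOCKED_HOSTS:
        return False
    return not any(tag in pkt.data.lower() for tag in BLOCKED_PAYLOAD)

def proxy_transaction(client_ip, server_ip, host, request_data, server_response):
    """Returns (packet the server sees, packet the client sees).
    Either element is None when the proxy refuses that direction."""
    # 1. internal host makes the request
    outbound = Packet(client_ip, server_ip, host, request_data)
    # 2. proxy examines it against the rule base
    if not check_rules(outbound):
        return None, None
    # 3 and 4. proxy recreates the packet; the server sees the proxy as source
    to_server = Packet(PROXY_IP, server_ip, host, request_data)
    # 5. the reply returns addressed to the proxy and is inspected again
    returned = Packet(server_ip, PROXY_IP, host, server_response)
    if not check_rules(returned):
        return to_server, None
    # 6. proxy rebuilds the reply; the client sees the external host as source
    to_client = Packet(server_ip, client_ip, host, server_response)
    return to_server, to_client
```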

Proxy Servers and Packet Filters
• Are used together in a firewall to provide multiple layers of security
• They inspect different parts of IP packets and act on them in different ways
– Proxy server works at the application layer,
– Packet filter at the network layer

How Proxy Servers Differ from Packet Filters
• Scan the entire data part of IP packets and create more detailed log file listings
• Rebuild packets with new source IP information
– hides internal users from outside users
• A server on the Internet and an internal host are never directly connected to one another
• Cache data
• More critical to network communications

Dual-Homed Host Proxy Server Configuration

Screened Host Proxy Server Configuration

Goals of Proxy Servers
• Conceal internal clients
• Block URLs
• Block and filter content
• Protect e-mail proxy
• Improve performance
• Ensure security
• Provide user authentication
• Redirect URLs

Concealing Internal Clients
• Network appears as a single machine
• If external users cannot detect hosts on your internal network, they cannot initiate an attack against these hosts
• Proxy server receives requests as though it were the destination server,
– then completely regenerates a new request, which is sent to its destination

Concealing Internal Clients…
Demilitarized zone
• A DMZ is part of a network on which you place servers that must be accessible by sources both outside and inside your network.
• However, the DMZ is not connected directly to either network, and it must always be accessed through the firewall.
• By using a DMZ, you can create an additional step that makes it more difficult for an intruder to

A proxy server makes all communication come from a single gateway

Blocking URLs
• An attempt to keep employees from visiting unsuitable Web sites
• An unreliable practice;
– users can use the IP address that corresponds to the URL

NetProxy lets you block URLs based on domain name

Blocking and Filtering Content
• Can block and strip out Java applets or ActiveX controls
• Can delete executable files attached to e-mail messages
• Can filter out content based on rules that contain a variety of parameters (e.g., time, IP address, port number)

E-Mail Proxy Protection
• External e-mail users never interact directly with internal hosts

E-mail protection with a proxy SMTP server

Improving Performance
• Speed up access to documents that have been requested repeatedly

Ensuring Security with Log Files
• Log file
– Text file set up to store information about access to networked resources
– Can ensure effectiveness of firewall
• Detect intrusions
• Uncover weaknesses
• Provide documentation

Select only the most critical services and events to log
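Using a proxy log file to detect intrusion attempts, as an added example that is not part of the slides: a handful of constructed log lines are parsed and clients with repeated denied requests are flagged for review. The log format, addresses and host names are constructed.

```python
# Added example (not from the slides): scanning constructed proxy log lines for
# repeated denials from one client. The "time client action host" format is an
# assumption, not any real proxy's log format.
import re
from collections import Counter

SAMPLE_LOG = """\
2024-03-01T09:00:01 192.168.1.2 ALLOW www.example.com
2024-03-01T09:00:02 192.168.1.7 DENY blocked.example
2024-03-01T09:00:03 192.168.1.7 DENY blocked.example
2024-03-01T09:00:04 192.168.1.7 DENY 203.0.113.9
2024-03-01T09:00:05 192.168.1.2 ALLOW www.example.com
2024-03-01T09:00:06 192.168.1.7 DENY blocked.example
this line is garbage and must be skipped
"""

LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (ALLOW|DENY) (\S+)$")

def parse(log_text):
    """Yield (time, client, action, host) tuples; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groups()

def denied_per_client(log_text):
    """Count denied requests per internal client address."""
    counts = Counter()
    for _time, client, action, _host in parse(log_text):
        if action == "DENY":
            counts[client] += 1
    return dict(counts)

def flag_clients(log_text, threshold=3):
    """Clients with at least `threshold` denials are worth a closer look."""
    return sorted(c for c, n in denied_per_client(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(denied_per_client(SAMPLE_LOG))
    print(flag_clients(SAMPLE_LOG))
```

The fourth line, a request to a bare IP address, is the pattern the "Blocking URLs" slide warns about: a domain-name block list never matches it, so the log is where it shows up.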


Providing User Authentication
• Enhances security
• Most proxy servers can prompt users for a username and password

Creating Filter Rules
• Allow certain hosts to bypass the proxy
• Filter out URLs
• Enable internal users to send outbound requests only at certain times
• Govern the length of time a session can last
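The four rule types listed above combined into one decision function, as an added example that is not part of the slides. The bypass host, blocked domain, working hours and session limit are constructed values.

```python
# Added example (not from the slides): a proxy filter rule set with bypass
# hosts, a URL filter, an allowed time window and a session length limit.
from datetime import datetime, timedelta
from urllib.parse import urlparse

BYPASS_HOSTS = {"192.168.1.10"}       # constructed: hosts that skip the proxy
BLOCKED_DOMAINS = {"blocked.example"} # constructed: filtered URLs (and subdomains)
WORK_HOURS = (8, 18)                  # constructed: outbound allowed 08:00-17:59
MAX_SESSION = timedelta(minutes=30)   # constructed: longest permitted session

def decide(client_ip, url, now, session_start=None):
    """Returns 'bypass', 'allow', or 'deny: <reason>' for one request."""
    if client_ip in BYPASS_HOSTS:
        return "bypass"
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "deny: url filtered"
    if not (WORK_HOURS[0] <= now.hour < WORK_HOURS[1]):
        return "deny: outside allowed hours"
    if session_start is not None and now - session_start > MAX_SESSION:
        return "deny: session too long"
    return "allow"
```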

Proxy Server Configuration Considerations
• Scalability issues
– Add multiple proxy servers to the same network connection
• Need to configure each piece of client software that will use the proxy server
• Need to have a separate proxy service available for each network protocol (HTTP, TELNET, SMTP, …)
• Need to create packet filter rules
• Security vulnerabilities
– Single point of failure
– Buffer overflow

Working with Client Configurations
Each client on the network must be configured to access the proxy server

Working with Service Configurations
Each service needs to be configured to use a proxy server

Choosing a Proxy Server
• Some are commercial products for home and small-business users
• Some are designed to protect one type of service and to serve Web pages stored in cache
• Most are part of a hybrid firewall (combining several different security technologies)
• Some are true standalone proxy servers

Proxy Server-Based Firewalls
• Firewalls based on proxy servers:
– TIS
– T.REX
– Squid
– SOCKS
– WinGate
– Symantec Enterprise Firewall
– Microsoft Internet Security & Acceleration Server
• Choice depends on your platform and the number of hosts and services you need to protect

END of CLASS

END of COURSE