Chapter 5 Firewall and Proxy Server

CHAPTER 6

Firewall and Proxy Server

Securing Private Networks

Outline
• Firewall
• Proxy Server
• Types of Firewalls
• Packet Filtering Firewalls
• Application level gateway
• Circuit level gateway
• Firewall configuration/topology
• Proxy server
• How Proxy Servers Work
• Proxy Servers and Packet Filters
• Goals of Proxy Servers

Securing Private Networks
• Minimize external access to LAN

• Done by means of firewalls and proxy servers

• Firewalls provide a secure interface between an “inner” trusted network and an “outer” untrusted network
• every packet to and from the inner and outer network is “processed”
• Firewalls require hardware and software to implement
• The software used consists of proxies and filters that allow or deny network traffic access to either network

Overview of Firewall
• A firewall is a router or other communications device which filters access to a protected network.
• A firewall is also a program that screens all incoming traffic and protects the network from unwelcome intruders.
• It is a means of protecting a local system or network of systems from network-based security threats,
– while affording access to the outside world via WANs or the Internet

Overview of Firewall…
Firewall Objectives
• Keep intruders, malicious code and unwanted traffic or information out
• Keep private and sensitive information in

[Figure: a security wall between the private (protected) network and the external network, with private data kept inside and external attacks kept outside]
Overview of Firewall…

• Two primary types of firewalls are:
- Packet filtering firewalls
- Proxy-server firewalls

• Sometimes both are employed to protect a network.

• Firewalls can be designed to operate at any of the following three layers in the TCP/IP protocol stack:
- The application layer (e.g., HTTP proxy)
- The network and transport layer (e.g., packet filtering)
- The layer between the application layer and the transport layer (e.g., SOCKS proxy)

Firewall features
• General Firewall Features
- Port Control
- Network Address Translation
- Application Monitoring
- Packet Filtering
- Access control

• Additional features
- Data encryption
- Authentication
- Connection relay (hide internal network)
- Reporting/logging
- E-mail virus protection
- Spyware protection
Firewall features…
• Use one or both methods
- Packet filtering
- Proxy service

• It protects from
- Remote logins
- IP spoofing
- Source addressing
- SMTP session hijacking
- Spam
- Denial of service
- E-mail bombs…

Types of Firewalls

• Packet Filtering Firewalls
• Proxy Server Firewalls

Packet Filtering Firewalls/Routers
• A packet filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
– A filtering firewall works at the network level.

• The router is typically configured to filter packets going in both directions (from and to the internal network).
• Filtering rules are based on information contained in a network packet:
– Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
– Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
– Source and destination port address: The transport level (e.g., TCP or UDP) port number, which identifies applications such as SNMP or TELNET
• Packet filtering is generally accomplished using Access Control Lists (ACLs) on routers
Stateful Packet Filtering Firewalls
• Stateful inspection provides for the analysis of packets at the network layer and other layers (typically the transport layer).
• By combining information from various layers, the firewall is better able to understand the protocol it is inspecting.
• Deep Packet Inspection (DPI) Firewall
– has the ability to look inside packets and read the payload of any packet, whether encrypted or not.
– DPI firewalls decrypt encrypted packet content, inspect it, then re-encrypt and forward it. DPI firewalls add latency.
– DPI is a tool that allows ISPs to scan packets traveling through their networks.
– DPI systems would typically be installed only at Tier 1 Internet Service Providers (ISPs).
– If Ethio Telecom were to install a DPI firewall, it would be installed at the country gateway.
Packet Filtering Firewalls
• Packet-filtering Router…
• Many network routers have the ability to perform some firewall services.
• Filtering firewalls can be thought of as a type of router

Firewalls - Application Level Gateway (or Proxy)
– Also called proxy server
– Acts as a relay of application-level traffic
- Proxy Services
• Application that mediates traffic between a protected network and the Internet
• Able to understand the application protocol being utilized and implement protocol-specific security
• Protocols include: FTP, HTTP, Telnet etc.
– They decide based on TCP/IP information
• e.g. source and destination ports and IP addresses
– They decide based on the content of the message
• e.g. do not forward any message containing a VB executable or ActiveX components

Firewalls - Application Level Gateway (or Proxy)

• Can use an application-specific gateway / proxy
• has full access to the protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
• May need separate proxies for each service
Firewall Configuration

Bastion Host
• Is a special purpose computer on a network specifically designed and configured to withstand attacks.
• The bastion host serves as a platform for an application-level gateway.
• A system identified by the firewall administrator as a critical strong point in the network's security.
• The bastion host hardware platform executes a secure version of its operating system, making it a trusted system.
• Only the services that the network administrator considers essential are installed on the bastion host.
– These include proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication.

Bastion Host
• Three common configurations:
– Screened host firewall system (Single homed bastion host)
– Dual Homed Bastion Host
– Screened Subnet Firewall System

Screened host firewall system
• Also called single homed bastion host
Configuration:
• The firewall consists of two systems:
1. Packet filtering router: The router is configured so that:
a. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
b. For traffic from the internal network, only IP packets from the bastion host are allowed out.
2. Bastion Host
- performs authentication and proxy functions.

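Added example, not from the slides: a small Python packet filter that encodes the screened-host policy above (Internet traffic only to the bastion host, outbound traffic only from it) as an ordered, default-deny rule list, and keeps a flow table so that replies to connections it has already permitted are accepted, which is the stateful inspection idea from the packet filtering slides. The bastion address reuses the slides' 192.168.1.2; the proxy ports and all packet values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

BASTION = "192.168.1.2"   # bastion host address, taken from the slides' example

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> internal network, "out" = the reverse
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    src: Optional[str]    # None = any address
    dst: Optional[str]
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"

# Screened-host rule base: from the Internet, only packets destined for the
# bastion (and only its proxy ports) get in; from the inside, only the bastion
# may send out.  Rules are consulted top to bottom, first match wins.
SCREENED_HOST_RULES = [
    Rule("in",  None,    BASTION, 25,   "allow"),  # SMTP to the bastion's mail proxy
    Rule("in",  None,    BASTION, 80,   "allow"),  # HTTP to the bastion's web proxy
    Rule("in",  None,    None,    None, "deny"),   # everything else from outside
    Rule("out", BASTION, None,    None, "allow"),  # bastion may reach the Internet
    Rule("out", None,    None,    None, "deny"),   # internal hosts must use the proxy
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # (src, sport, dst, dport) of flows already allowed

    def decide(self, p: Packet) -> str:
        # Stateful inspection: a reply belonging to a flow we already permitted
        # is let through without re-evaluating the rule base.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        for r in self.rules:
            if (r.direction == p.direction
                    and r.src in (None, p.src)
                    and r.dst in (None, p.dst)
                    and r.dport in (None, p.dport)):
                if r.action == "allow":
                    self.flows.add((p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"   # default deny when no rule matches
```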
Screened host firewall system…
• This configuration has greater security than simply a packet-filtering router or an application-level gateway alone, for two reasons.
– This configuration implements both packet-level and application-level filtering.
– An intruder must generally penetrate two separate systems before the security of the internal network is compromised.

• This configuration also affords flexibility in providing direct Internet access.
– For example, the internal network may include a public information server, such as a Web server, for which a high level of security is not required.
– In that case, the router can be configured to allow direct traffic between the information server and the Internet.
Dual Homed Bastion Host
• Screened host firewall system (dual-homed bastion host)
• Traffic between the Internet and other hosts on the private network has to flow through the bastion host
• Uses two NICs for greater security.

Screened Subnet Firewall System
• Most secure of the three bastion host configurations.
• Two packet filtering routers are used.
• Creation of an isolated sub-network.

Screened Subnet Firewall System…

• Advantages:
- Three levels of defense to prevent intruders.
- The outside router advertises only the existence of the screened sub-net to the Internet
• Internal network is invisible to the Internet.
- The inside router advertises only the existence of the screened sub-net to the internal network
• the systems on the inside cannot construct direct routes to the Internet.

Overview of Proxy Server
• A proxy server is a computer program that acts as an intermediary between a web browser and a web server.
– To give users rapid access to popular web destinations.

• Internet Service Providers use proxy servers as “holding bins” to store frequently requested pages,
– rather than going out and fetching them repeatedly from the Net (e.g., www.google.com.et)

• A proxy server is also used to control and monitor outbound and inbound traffic.
Overview of Proxy Servers…

• Scan and act on the data portion of an IP packet
• Act primarily on behalf of internal hosts
– receiving, rebuilding, and forwarding outbound requests

• Go by many names
– Proxy services
– Application-level gateways
– Application proxies

Web caches (proxy server)
Goal: satisfy client request without involving origin server

• user sets browser: Web accesses via cache
• browser sends all HTTP requests to cache
– object in cache: cache returns object
– else cache requests object from origin server, then returns object to client

[Figure: clients send HTTP requests to the proxy server, which returns an HTTP response from its cache or forwards the request to the origin server and relays the origin's HTTP response back to the client]

More about Web caching
• cache acts as both client and server
• typically cache is installed by ISP (university, company, residential ISP)

Why Web caching?
• reduce response time for client request
• reduce traffic on an institution’s access link.
• reduce costs to use access link.

Caching scenario
Assumptions
• average object size = 1Mb
• average request rate from institution’s browsers to origin servers = 15/sec
• delay from the router on the Internet side of the access link to any origin server and back = 2 sec (Internet delay)

[Figure: institutional network (100 Mbps LAN) connected to origin servers on the public Internet through a 1.5 Mbps access link]

Consequences
• total delay = Internet delay + access delay + LAN delay
= 2 sec + >20 sec + milliseconds

Caching scenario…
possible solution (expensive)
• increase bandwidth of access link to, say, 10 Mbps

[Figure: same institutional network, with the access link to the public Internet upgraded to 10 Mbps]

Consequence
• Total delay = Internet delay + access delay + LAN delay
= 2 sec + 2 sec + msecs

• often a costly upgrade

Caching scenario…
possible solution: install cache
• suppose hit rate is 0.5 (up to 0.7)

[Figure: institutional cache placed on the 100 Mbps LAN, in front of the 1.5 Mbps access link to the origin servers on the public Internet]

consequence
• 50% of requests satisfied almost immediately
• 50% of requests satisfied by origin server
• utilization of access link reduced to 50%, resulting in lower delay
• Caches may not have an up-to-date version of the resource!
Conditional GET
• Goal: don’t send object if cache has up-to-date cached version
• cache: specify date of cached copy in HTTP request
If-modified-since: <date>
• server: response contains no object if cached copy is up-to-date:
HTTP/1.0 304 Not Modified

[Figure: two exchanges between cache and server. Object not modified: HTTP request msg with If-modified-since: <date>, HTTP response HTTP/1.0 304 Not Modified. Object modified: HTTP request msg with If-modified-since: <date>, HTTP response HTTP/1.0 200 OK followed by <data>]
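Added example, not from the slides: a simulated origin server and caching proxy in Python that carry out the Conditional GET exchange shown above, with the cache acting as server toward the browser and as client toward the origin (the web caching slides). The resource table, dates and bodies are constructed, and HTTP messages are represented as dicts rather than wire bytes.

```python
from datetime import datetime, timezone

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"

def to_http_date(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime(HTTP_DATE)

def from_http_date(s: str) -> int:
    return int(datetime.strptime(s, HTTP_DATE).replace(tzinfo=timezone.utc).timestamp())

class OriginServer:
    def __init__(self):
        # constructed resource table: path -> (last-modified epoch seconds, body)
        self.resources = {"/index.html": (1_700_000_000, b"<h1>v1</h1>")}

    def handle(self, request: dict) -> dict:
        ts, body = self.resources[request["path"]]
        ims = request.get("If-Modified-Since")
        if ims is not None and from_http_date(ims) >= ts:
            # the cache's copy is current: status line only, no object
            return {"status": "HTTP/1.0 304 Not Modified"}
        return {"status": "HTTP/1.0 200 OK",
                "Last-Modified": to_http_date(ts), "body": body}

class CachingProxy:
    """Server toward the browser, client toward the origin."""
    def __init__(self, origin: OriginServer):
        self.origin = origin
        self.cache = {}   # path -> (Last-Modified header value, body)
        self.stats = {"miss": 0, "not_modified": 0, "updated": 0}

    def get(self, path: str) -> bytes:
        request = {"method": "GET", "path": path}
        cached = self.cache.get(path)
        if cached is not None:
            # Conditional GET: only ask whether the copy we hold has changed
            request["If-Modified-Since"] = cached[0]
        response = self.origin.handle(request)
        if response["status"] == "HTTP/1.0 304 Not Modified":
            self.stats["not_modified"] += 1
            return cached[1]            # serve the validated cached object
        self.stats["updated" if cached is not None else "miss"] += 1
        self.cache[path] = (response["Last-Modified"], response["body"])
        return response["body"]
```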
How Proxy Servers Work
• Function as software, forwarding data between internal and external hosts
• Focus on the port each service uses
– Screen all traffic into and out of each port
– Decide whether to block or allow traffic based on rules

• Proxies add time to communications, but in return, they:
– Conceal clients
– Translate network addresses (NAT)
– Filter content
Steps Involved in a Proxy Transaction
1. Internal host makes request to access a Web site
2. Request goes to proxy server, which examines header and data of the packet against rule base
3. Proxy server recreates packet in its entirety with a different source IP address
4. Proxy server sends packet to destination; packet appears to come from proxy server
5. Returned packet is sent to proxy server, which inspects it again and compares it against its rule base
6. Proxy server rebuilds returned packet and sends it to originating computer; packet appears to come from external host
Proxy Servers and Packet Filters
• Are used together in a firewall to provide multiple layers of security
• They inspect different parts of IP packets and act on them in different ways
– Proxy server works at the Application layer,
– Packet filter at network layer

How Proxy Servers Differ from Packet Filters

• Scan the entire data part of IP packets and create more detailed log file listings
• Rebuild packet with new source IP information
– hides internal users from outside users
• Server on the Internet and an internal host are never directly connected to one another
• Caches data
• More critical to network communications

Dual-Homed Host Proxy Server Configuration

Screened Host Proxy Server Configuration

Goals of Proxy Servers
• Conceal internal clients
• Block URLs
• Block and filter content
• Protect e-mail proxy
• Improve performance
• Ensure security
• Provide user authentication
• Redirect URLs

Concealing Internal Clients
• Network appears as a single machine
• If external users cannot detect hosts on your internal network, they cannot initiate an attack against these hosts
• Proxy server receives requests as though it were the destination server,
– then completely regenerates a new request, which is sent to its destination

Concealing Internal Clients
Demilitarized zone
• A DMZ is part of a network on which you place servers that must be accessible by sources both outside and inside your network.
• However, the DMZ is not connected directly to either network, and it must always be accessed through the firewall.
• By using a DMZ, you can create an additional step that makes it more difficult for an intruder to

[Figure: a proxy server makes all communication come from a single gateway]

Blocking URLs
• An attempt to keep employees from visiting unsuitable Web sites
• An unreliable practice;
– users can use the IP address that corresponds to the URL

NetProxy lets you block URLs based on domain name

Blocking and Filtering Content
• Can block and strip out Java applets or ActiveX controls
• Can delete executable files attached to e-mail messages
• Can filter out content based on rules that contain a variety of parameters (e.g., time, IP address, port number)

E-Mail Proxy Protection
• External e-mail users never interact directly with internal hosts

E-mail protection with a proxy SMTP server

Improving Performance

• Speed up access to documents that have been requested repeatedly

Ensuring Security with Log Files
• Log file
– Text file set up to store information about access to networked resources
– Can ensure effectiveness of firewall
• Detect intrusions
• Uncover weaknesses
• Provide documentation

Select only the most critical services and events to log

Providing User Authentication

• Enhances security
• Most proxy servers can prompt users for a username and password

Creating Filter Rules
• Allow certain hosts to bypass the proxy
• Filter out URLs
• Enable internal users to send outbound requests only at certain times
• Govern length of time a session can last

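Added example, not from the slides: a Python policy check for the four filter rules listed above, which also writes one log line per decision in the spirit of the log-file slide, so denied requests can be reviewed. The bypass host, blocked domains, time window, session limit, log format and sample requests are all constructed. A request made by raw IP address rather than by host name is not caught by the domain list, which is exactly the weakness the Blocking URLs slide points out.

```python
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed policy values (not from the slides)
BYPASS_HOSTS = {"192.168.1.50"}                     # hosts allowed to skip the rules
BLOCKED_DOMAINS = {"games.example", "ads.example"}  # matched as exact name or subdomain
WORK_HOURS = (time(8, 0), time(18, 0))              # outbound requests only in this window
MAX_SESSION_SECONDS = 3600                          # longest permitted session

def domain_blocked(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def evaluate(client_ip: str, url: str, now: datetime, session_start: datetime):
    """Apply the filter rules in order; the first one that fires decides."""
    if client_ip in BYPASS_HOSTS:
        return "allow", "bypass host"
    if domain_blocked(urlsplit(url).hostname or ""):
        return "deny", "blocked URL"
    start, end = WORK_HOURS
    if not (start <= now.time() < end):
        return "deny", "outside permitted hours"
    if (now - session_start).total_seconds() > MAX_SESSION_SECONDS:
        return "deny", "session limit exceeded"
    return "allow", "default"

def log_line(client_ip, url, now, action, reason) -> str:
    # one line per decision; denies are the events a log reviewer looks at first
    return f'{now.isoformat()} {client_ip} {action.upper()} "{url}" reason={reason}'

# Constructed sample requests: (client, url, time of request, session start)
T = datetime(2024, 1, 15, 10, 0)
SAMPLE_REQUESTS = [
    ("192.168.1.10", "http://www.games.example/play", T, datetime(2024, 1, 15, 9, 30)),
    ("192.168.1.50", "http://www.games.example/play", T, datetime(2024, 1, 15, 9, 30)),
    ("192.168.1.10", "http://news.example/", datetime(2024, 1, 15, 19, 5), T),
    ("192.168.1.10", "http://news.example/", T, datetime(2024, 1, 15, 8, 0)),
    ("192.168.1.10", "http://news.example/", T, datetime(2024, 1, 15, 9, 30)),
]

def check_samples() -> list:
    """Return (action, reason, log line) for every sample request."""
    results = []
    for client, url, now, started in SAMPLE_REQUESTS:
        action, reason = evaluate(client, url, now, started)
        results.append((action, reason, log_line(client, url, now, action, reason)))
    return results
```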
Proxy Server Configuration Considerations
• Scalability issues
– Add multiple proxy servers to the same network connection
• Need to configure each piece of client software that will use the proxy server
• Need to have a separate proxy service available for each network protocol (HTTP, TELNET, SMTP, …)
• Need to create packet filter rules
• Security vulnerabilities
– Single point of failure
– Buffer overflow
Working with Client Configurations

Each client on the network must be configured to access the proxy server

Working with Service Configurations

Each service needs to be configured to use a proxy server

Choosing a Proxy Server
• Some are commercial products for home and small-
business users
• Some are designed to protect one type of service and
to serve Web pages stored in cache
• Most are part of a hybrid firewall (combining several
different security technologies)
• Some are true standalone proxy servers

Proxy Server-Based Firewalls
• Firewalls based on proxy servers:
– TIS
– T.REX
– Squid
– SOCKS
– WinGate
– Symantec Enterprise Firewall
– Microsoft Internet Security & Acceleration Server
• Choice depends on your platform and the number of
hosts and services you need to protect
END of CLASS

END of COURSE
