Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg.

Published bySusan French Modified over 9 years ago

Similar presentations

Presentation on theme: "A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg."— Presentation transcript:

1 A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg

2 Agenda Introduction The Pattern Language The Basic Firewall Pattern The Proxy-Based Firewall Pattern

3 Introduction Firewall: A choke point of entry (and exit) into a local network Allows access to approved traffic to and from the local network Denies access to unauthorized traffic to and from the local network Can enforce security policies

4 The Pattern Language Stateful Firewall Address Filter Firewall (static packet filter) Proxy-Based Firewall (application level) Content-Based Firewall Address Filtering

5 The Basic Firewall Pattern Intent To filter incoming and outgoing network traffic in a computer system, based on network addresses. Context Computer systems on a local network connected to the Internet and to external networks. Problem A local network is usually attacked from the outside The local network may be partitioned and attacks may come from other local networks The private information should be maintained within the local network.

6 The Basic Firewall Pattern Forces Need for filtering in a user-transparent form Need to have a clear model of what is being filtered and how The configuration of the firewalls must reflect the institution policies The configuration of the firewalls must be easy to change Logging is necessary for auditing or defense purposes

7 * Communicates Through The Basic Firewall Pattern Solution Firewall RuleBase 1 Network Level Implementation Level * * requestService * LocalNetwork address Rule in/out ExplicitRuleDefaultRule * 1 {ordered}

8 The Basic Firewall Pattern Dynamics Filtering a Local Network ’ s Request Use Case. LN1 : Local Network LN2 : Local Network : Firewall : RuleBase requestService filterRequest verify checkRule requestAccepted : Rule

9 The Basic Firewall Pattern Dynamics Defining a Rule Use Case. : Firewall : RuleBase : Administrator addRule(rule, location) addRule(rule) ruleAdded >

10 The Basic Firewall Pattern Consequences Advantages: A firewall filters all the traffic that passes through it based on network addresses and transparently to applications It is possible to express the filtering policies of the institutions through its rules. A firewall facilitates the detection of possible attacks and to hold regular users responsible of their actions. A firewall lends to a systematic logging of incoming and outgoing messages. Low cost, it is included as part of many operating systems. Good performance. It only needs to look at packets headers.

11 The Basic Firewall Pattern Consequences Liabilities: A firewall ’ s effectiveness may be limited due to its rule set (order of precedence). A firewall ’ s effectiveness is limited to the point of entry into the local network, and once a potential attacker has passed through the firewall the security of the system may be breached. A firewall can only enforce security policies on traffic that goes through the firewall. A (basic) firewall cannot stop higher level attacks (email, FTP).

12 The Basic Firewall Pattern Consequences Liabilities: A firewall generally tends to adversely affect the usability, performance, and cost of the protected system. The security policies that a firewall enforces are different for different sites, networks, and systems. Addition of new rules may interfere with existing rules in the rule set; hence, a careful approach should be taken in adding and updating access rules. Not state aware A packet filter cannot recognize forged addresses from traffic coming from outside.

13 The Basic Firewall Pattern Known Uses This model is a basic firewall architecture that is seen in commercial firewall products. The basic firewall model is used as an underlying architecture for other types of firewalls that include more advanced features.

14 The Basic Firewall Pattern Related Patterns: The authorization Pattern can be considered as a higher level pattern of the proposed Basic Firewall Pattern. The role-based access control pattern, a specialization of the authorization pattern, is applicable if the networks and their access rules are respectively defined in terms of roles and rights. The Firewall Pattern is also a special case of the Single-Point-of-Access

15 The Proxy-Based Firewall Pattern Intent To filter incoming and outgoing network traffic in a computer system based on application data inspection. To virtually separate the local network from the external network and its clients. Context Computer systems on a local network connected to the Internet and to external networks. A higher level of network traffic security is needed compared to the Basic Firewall context.

16 The Proxy-Based Firewall Pattern Problem The Basic Filtering Firewall does not provide security at the application level It does not provide security against IP spoofing.

17 The Proxy-Based Firewall Pattern Forces Forces of the Basic Firewall Pattern The user of the internal network may be required to configure the network

18 1 1 represents Proxy * * request Service 1 The Proxy-Based Firewall Pattern Solution RuleBase 1 Application Level Network Level * Rule in/out ExplicitRuleDefaultRule * 1 {ordered} LocalNetwork address service Service * port ApplicationLevel Firewall * * accessService

19 The Proxy-Based Firewall Pattern LocalNetwork1 :LocalNetwork2 :: Application Level Firewall : Proxy: Rule Base requestService filterRequest verifyRequest requestAccepted requestService provideService > Dynamics Providing Service to Client ’ s Request Use Case.

20 Consequences Advantages: The firewall inspects, modifies (if needed), and filters all access requests based on predefined application proxies that are transparent to the client It is possible to express the institution ’ s filtering policies through its application proxies and their rules It is possible to modify certain portions of the information in cases where suspicious commands are included in/or the data segment of packets A firewall facilitates the detection of possible attacks and to hold regular users responsible of their actions. The Proxy-Based Firewall Pattern

21 Consequences Advantages: It protects against possible implementation faults in the protocol stacks of the internal systems [Sch03]. The IP (Internet protocol) address of the internal network is always hidden to the external networks. A firewall lends to a systematic logging and tracking of all service requests going through it. High security performance since it inspects the complete packet including the headers and data segments. The Proxy-Based Firewall Pattern

22 Consequences Liabilities: High implementation cost due to the rebuilding of different protocols for each application. Delay due to the application proxy overhead and the inspection of the data segment of packets. Increased complexity of the firewall. Application Proxy Firewalls may require change in applications and/or the user ’ s interaction with the system. A firewall generally tends to adversely affect the usability, performance, and cost of the protected system. The Proxy-Based Firewall Pattern

23 Consequences Liabilities: A firewall ’ s effectiveness is limited to the point of entry into the local network, and once a potential attacker has passed through the firewall the security of the system may be breached. A firewall can only enforce security policies on traffic that goes through the firewall. The security policies that a firewall enforces are different for different sites, networks, and systems. Addition of new rules for a given application proxy may interfere with existing rules in the rule set; hence, a careful approach should be taken in adding and updating access rules. Not state aware. The Proxy-Based Firewall Pattern

24 Known Uses ARGuE Guard. Some specific firewall products that use application proxies are Pipex Security Firewalls and InterGate Firewall. The Proxy-Based Firewall Pattern

25 Related Pattern: The basic Address Filtering Firewall Pattern defines the packet filtering firewall model. The Authorization pattern defines the security model for the Basic Firewall Pattern. The Role-Based Access Control pattern, a specialization of the authorization pattern, is applicable if the networks and their access rules are respectively defined in terms of roles and rights. The Firewall pattern is also a special case of the Single-Point-of-Access. The Proxy Pattern The Proxy-Based Firewall Pattern

Download ppt "A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg."

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Network and Security Patterns

Network and Security Patterns
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Similar presentations

Ads by Google