hagana-lecture10 - firewalls.pdf
TRANSCRIPT

Slide 10-1: Firewalls (236350)
Reading:
Chapman, Zwicky. Building Internet Firewalls, 2nd edition. O'Reilly, 2000.
Cheswick, Bellovin, Rubin. Firewalls and Internet Security, 2nd edition. Addison-Wesley, 2003.
-
Slide 10-3: Firewalls
-
Slide 10-4: Firewalls; the firewall as a choke point
-
Slide 10-5: Firewall
-
Slide 10-6: Firewall?
-
Slide 10-7: Firewall? (multi-homed host)
-
Slide 10-8: Firewalls; the FW as a choke point; fail safe
-
Slide 10-9: Firewalls
-
Slide 10-10: Firewalls
-
Slide 10-11: Bastion Host (BH); Bastion Hosts
-
Slide 10-12: Non-routing dual-homed host as a Bastion Host (BH); the BH and the firewall
-
Slide 10-13: DMZ (Demilitarized Zone, Perimeter Network); bastion hosts in the DMZ; proxies
-
Slide 10-14: DMZ
-
Slide 10-16: sessions; DMZ; proxy servers
-
Slide 10-17: Firewall types (firewalls):
Stateless packet filter
Stateful packet filter (stateful inspection)
Proxy server (a.k.a. application level relay)
-
Slide 10-18: IP datagram (diagram)
Host A (Application, TCP/UDP, IP, MAC) - Gateway G1 (IP, MAC) - Gateway G2 (IP, MAC) - Host B (Application, TCP/UDP, IP, MAC)
-
Slide 10-19: Stateless Packet Filtering (diagram)
Host A (Application, TCP/UDP, IP, MAC) - Stateless packet filtering firewall (IP, MAC) - Host B (Application, TCP/UDP, IP, MAC)
-
Slide 10-20: Packet filter; per-packet forward decision; fields used: protocol (TCP, UDP), ACK bit, direction (in/out)
Diagram: IP Header, TCP/UDP Header, TCP Header
-
Slide 10-21: Stateless Packet Filter; the packet filter looks only at the TCP/IP headers
-
Slide 10-22: ACK bit; TCP session; ack=0 only in the first packet of a session; ack=1 in every later packet of the session
-
Slide 10-23: Stateless Packet Filter: telnet (example rule set)

Rule     Direction  Source Addr  Dest. Addr  Protocol  Source Port  Dest. Port  Ack   Action
spoof    in         Internal     any         any       any          any         any   Deny
telnet   out        Internal     any         TCP       >1023        23          any   Permit
telnet   in         any          Internal    TCP       23           >1023       yes   Permit
default  any        any          any         any       any          any         any   Deny
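As an added example (not from the lecture slides), the rule table above evaluated by a small stateless filter in Python; the Internal network 10.0.0.0/8, first-match rule order and the sample packets are assumptions constructed here. It shows why the Ack column matters: with no session memory, the ACK flag is the only evidence the filter has that an inbound packet from port 23 answers a connection the inside opened.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed "Internal" network of the rule table
# direction is "in"/"out" relative to the protected network; ack is the TCP ACK flag
Packet = namedtuple("Packet", "direction src dst proto sport dport ack")

# Slide 10-23 rule table: name, direction, src addr, dst addr, proto, src port, dst port, ack, action.
# Rules are checked top to bottom and the first match decides (ordering is an assumption).
RULES = [
    ("spoof",   "in",  "Internal", "any",      "any", "any",   "any",   "any", "Deny"),
    ("telnet",  "out", "Internal", "any",      "TCP", ">1023", 23,      "any", "Permit"),
    ("telnet",  "in",  "any",      "Internal", "TCP", 23,      ">1023", "yes", "Permit"),
    ("default", "any", "any",      "any",      "any", "any",   "any",   "any", "Deny"),
]

def _addr_ok(spec, addr):
    return spec == "any" or (spec == "Internal" and ip_address(addr) in INTERNAL)

def _port_ok(spec, port):
    if spec == "any":
        return True
    return port > int(spec[1:]) if isinstance(spec, str) else port == spec  # ">1023" or exact

def filter_packet(p):
    """Stateless decision: each packet is judged on its own, with no memory of earlier packets."""
    for name, d, sa, da, proto, sp, dp, ack, action in RULES:
        if (d in ("any", p.direction) and _addr_ok(sa, p.src) and _addr_ok(da, p.dst)
                and proto in ("any", p.proto) and _port_ok(sp, p.sport)
                and _port_ok(dp, p.dport) and (ack == "any" or p.ack == (ack == "yes"))):
            return name, action

# Constructed sample traffic: an inside host telnets out, the server replies (ACK set),
# then an outside host tries to open its own connection *from* port 23 (no ACK), then a spoof.
SAMPLES = [
    Packet("out", "10.1.2.3",    "203.0.113.5", "TCP", 1778, 23,   False),
    Packet("in",  "203.0.113.5", "10.1.2.3",    "TCP", 23,   1778, True),
    Packet("in",  "203.0.113.5", "10.1.2.3",    "TCP", 23,   1778, False),
    Packet("in",  "10.9.9.9",    "10.1.2.3",    "TCP", 4444, 23,   False),
]

def verdicts():
    return [filter_packet(p) for p in SAMPLES]
```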
-
Slide 10-24: FTP; FTP runs over TCP and uses two ports: port 21 (command port) and port 20 (data port); the FTP client opens the command session; the data session is opened by the server from port 20 to the client's port
-
Slide 10-25: FTP and the firewall: the data session; firewalls; PASV (passive) mode client; command session; port (>1023); client session port; server; firewalls and sessions
-
Slide 10-26: Other protocols with the same problem as FTP (RTP, H.323): ports; TCP; UDP
-
Slide 10-27: Stateful Packet Filters; compared with stateless packet filters; FTP
-
Slide 10-28: Stateful Packet Filtering (diagram)
Host A (Application, TCP/UDP, IP, MAC) - Stateful packet filtering firewall (IP, MAC) - Host B (Application, TCP/UDP, IP, MAC)
-
Slide 10-29: Session Context: a session is identified by protocol, source address, source port, destination address, destination port; the session context
-
Slide 10-30: Stateful Inspection vs. stateless packet filter; the packet filter; the session; stateful inspection
-
Slide 10-31: Stateful Inspection: session context; FTP with packet filters; the command session is inspected so the data session can be allowed; stateful inspection
-
Slide 10-32: Stateful Inspection, Application Based; firewall; (spyware)
-
Slide 10-33: Proxy Servers (diagram)
Host A (Application, TCP/UDP, IP, MAC) - Proxy server (Application, TCP/UDP, IP, MAC) - Host B (Application, TCP/UDP, IP, MAC)
-
Slide 10-34: Proxy Servers; firewall; the proxy server as a Man in the Middle; Client - Proxy Server - Server
-
Slide 10-35: Proxy Servers; the proxy server and applications (vs. packet filters); the proxy server and TCP; packet filter
-
Slide 10-36: Telnet (proxy): sara_pc.corp.com:1778 <-> tx.technion.ac.il:23
-
Slide 10-37: Telnet (proxy): sara_pc.corp.com:1778 <-> proxy.corp.com:8023; proxy.corp.com:1889 <-> tx.technion.ac.il:23
-
Slide 10-38: Proxy Servers: SMTP; mail gateway (port 25); (spam); mail gateway
-
Slide 10-39: Proxy Servers: access control (telnet, ftp); TCP client/server; proxy
-
Slide 10-40: Packet Filters: routers; (stateful inspection)
-
Slide 10-41: Proxy server; Stateless packet filter (packet filter, IP); Stateful packet filter (firewall, packet filter, IP)
-
Slide 10-42: Firewall; FTP active mode; ''firewall-friendly protocols''
-
Slide 10-43: Firewall types (comparison table): Packet filtering (stateless); Stateful inspection; Proxy
-
Slide 10-44: Firewalls; firewalls and port 80; (Carriers); HTTP over TCP (port 80); HTTPS (port 443); firewalls
-
Slide 10-45: Firewalls; Firewall; Intrusion Detection (IDS)