up

2020-02-12

Guest Professor today while H.B. goes to court over his car crash

Simplest firewall architecture: Screening Router. The path to the internet goes through the router, which has a firewall running.

A firewall is easy to build on a router, because routers are already looking at the packet headers.

A screening router is:

• Simple and fast
• not flexible
  • permits or denies an entire protocol
• no depth of defense
• Appropriate only in high-performance networks with hardened hosts.

Dual Homed Host:

• A computer with two network interfaces
• Can behave exactly like a router
• More powerful than a router - can look beyond the headers
• High level of control
• Could be a bottleneck - lots of work
• Single point of failure
• not great for proxying inbound services
• no separation between high and low trust services

Screened Host:

• A host within the internal network becomes a bastion host
  • Still does proxying
  • only needs one interface
• And there’s a packet-filtering router
• packet filter blocks all inbound traffic except to bastion
• Internal hosts may create outbound connections
• bastion host is still a single point of failure and open to attack

Screened Subnet:

• There is an external router, internet → DMZ
  • ‘access router’
• There is a bastion host in the DMZ
• There is an internal router, DMZ → internal network
  • ‘choke router’
• Internal hosts are still not separated from each other
• Compromising the bastion host does not gain much
• if own router is compromised, the other will keep filtering.
• ISPs will do this, DMZ between internet and customers
• Exterior router
  • lightweight
  • filters spoofed packets

Split-Screened Subnet:

• External router
• dual-homed Host
• Internal router
• All the fun of a dual-homed host in a delicious DMZ package.