Firewall

A firewall is a software program or device that monitors, and sometimes controls, all transmissions between an organization's internal network and the Internet. However large the network, a firewall is typically deployed on the network's edge to prevent inappropriate access to data behind the firewall. A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust)

Common properties of firewalls: The firewall is resistant to attacks The firewall is the only transit point between networks The firewall enforces the access control policy

What firewall protects us from

!emote login Application backdoors "perating system bugs #enial of service $ mail bombs %iruses &'A(s Tro)ans I*(' bombing

 +T' brute force 'hishing

Firewall By Deployment
ost !ased Firewall ("n a #ingle #ystem(Window Firewall)) $etwork !ased Firewall(For Whole $etwork)

Firewall could !e: #oftware !ased (I#% #er&er('ro(y))Checkpoint) ardware !ased (Cisco 'i() $etgear Firewall)

Firewall *ypes %ccording to *echnology

+irewalls can be categorized into roughly three types, 'acket filter (Filtering %ccording to I' i+e+ %ccess list) %pplication,le&el pro(y (I#% #er&er for application le&el) #tateful packet filtering(-onitor all .ayers including connection states)

Firewall *ypes %ccording to Design

*wo .eg Firewall *hree .eg Firewall Four .eg Firewall

Two Legged Firewall

Three Legged Firewall

Packet Filters

A packet filtering firewall represents the first generation of firewalls. The most basic packet filter firewall inspects traffic based on -ayer . parameters /such as source or destination I' address0. 'acket filtering rules determine the types of traffic that are permitted access or denied access based on these 'arameters. Traffic types can be defined by the following, -ayer . parameters such as source1destination I' address and I' protocol type /e.g., T*', 2#', or I*('0

A packet filtering firewall is essentially a router with access control rules configured. !outers are normally configured via a command line interface that is comple3 to configure, with the configuration being stored as a list of configuration commands, which makes it difficult to visualize and manage your security policies. !outers also typically do not support logging locally as they do not possess sufficient file storage space, so logging is re4uired to an e3ternal system, which makes it more comple3 to maintain logs for auditing and reporting purposes.

'acket,Filtering Firewall %d&antages

A packet filtering firewall only operates up to -ayer . /some can inspect -ayer 5 parameters as well0 of the "&I model. It does not understand the

Higher layer levels such as the application layer /-ayer 60 7 7 7 7 7 7 Are based on simple permit or deny rule set Have a low impact on network performance Are easy to implement Are supported by most routers Afford an initial degree of security at a low network layer 'erform 89: of what higher end firewalls do, at a much lower cost

'acket,Filtering Firewall Disad&antages

7 7 'acket filtering is susceptible to I' spoofing. Hackers send arbitrary packets that fit A*- criteria and pass through the filter. 'acket filters do not filter fragmented packets well. ;ecause fragmented I' packets carry the T*' header in the first fragment and packet filters filter on T*' header information, all fragments after the first fragment are passed unconditionally. *omple3 A*-s are difficult to implement and maintain correctly. 'acket filters cannot dynamically filter certain services. 'acket filters are stateless.

7 7 7

Application-Layer Gateways

An application layer gateway firewall is commonly referred to as a pro3y based firewall, because it pro3ies application layer connections on behalf of other clients The application layer gateway is vastly different from a packet filtering firewall in approach<all access is controlled at the application layer /-ayer 6 of the "&I model0, and no client system ever communicates directly with a server system.

=. The initial connection re4uest packet from the web client is sent to the Application layer gateway<in essence the client is establishing a connection with the application layer gateway. >. The application layer gateway accepts or re)ects the connection re4uest based on the security policy configured. If the connection re4uest is permitted, the application layer gateway then establishes a new connection to the web server on behalf of the client

.. The web server receives the connection re4uest and sends back a connection acknowledgment to the application layer gateway. The application layer gateway sends an acknowledgment on behalf of the web server to the web client. 5. The web client sends an acknowledgment packet /known as a T*' A*?0 to the application layer gateway, which indicates the connection setup is complete. The application layer gateway sends an acknowledgment packet to the web server on behalf of the web client. @. The client starts sending data to the application layer gateway /e.g., an

HTT' A$T re4uest0. The data is forwarded to a pro3y web daemon/or service0, which is essentially a web server running on the application layer gateway. ;ecause the application layer gateway is running a web server, it understands the HTT' re4uests from the client and can ensure the traffic sent from the client is proper web traffic that conforms to the HTT' protocol standard. Assuming the traffic from the web client is legitimate, the application layer gateway then sends the data to the web server on behalf of the client. B. The web server processes the data received and responds to the data appropriately /in +igure =.6, the client sends an HTT' A$T re4uest, and the server returns the web content associated with the 2!-0. !eturn data is sent to the application layer gateway, which ensures the traffic is legitimate. This data is then sent to the web client on behalf of the web server. The application layer gateway introduces a greater level of security than a packet filtering firewall, because all connections to the outside world are made by the application layer gateway and the application layer gateway ensures all received traffic from either client or server at the application layer is legitimate. Cith a packet filtering firewall, although the firewall may understand that traffic is from a particular application, it does not understand the application protocol and what is considered legitimate traffic.
An application-layer gateway also becomes a target for attackers because the gateway is directly accepting connections from the outside world. The operating system on the application-layer gateway must be very secure however! it is still vulnerable to buffer overflow attacks and other unknown software bugs that might give attackers access to the gateway. "f an attacker manages to compromise an application-layer gateway! the security of the entire network has been breached as the attacker now has direct access to the internal network.

-ain purpose of using pro(ies Improve 'erformance Act as *ache server ;andwidth control +ilter !e4uests 'revent access to some web sitesDDD 'revent access to some protocols Time division

&urfing Anonymously ;rowsing the CCC without any identificationDDD !educe latency !educe Eetwork Traffic

*aching can greatly speed up Internet access. If one or more Internet sites are fre4uently re4uested, they are kept in the pro3y's cache, so that when a user re4uests them, they are delivered directly from the pro3y's cache instead of from the original Internet site. *aches diminish the need for network bandwidth, typically by .@: or more, by reducing the traffic from browsers to content servers. ;andwidth control 'olicy based ;andwidth -imits #eny by content type Filter /e0uests 'revent access to some web sitesDDD *ategories web sites Adult1&e3ually $3plicit Advertisements F 'op 2ps *hat Aambling Aames Hacking

Check !y content type .$3e 1 .*om .(id 1 .('. 1 .Cav .Avi 1 .(peg 1 .!m
#tateful "nspection Technology

&o whatGs the alternative to packet filtering firewalls and application levelH gatewaysH &tateful inspection operates in a manner similar to a packet filtering firewall, e3cept that it possesses much more sophisticated access control algorithms. ;oth stateful inspection firewalls and packet filtering firewalls essentially provide security by making control decisions+ %n e(ample of a control decision is whether to accept or re1ect a connection+ Another

e3ample might be to encrypt a packet. *heck 'oint +ireCall = uses a patented and innovative stateful inspection technology, which is designed to provide the speed and efficiency of a packet filtering firewall and the application state awareness and high security provided by an application layer gateway. "n a packet filtering firewall, control decisions are made purely on the -ayer . and1or -ayer 5 parameters of each packet received. $ach packet is either permitted or denied, and is processed independently of any other packet, with no logical relationship being established between packets that belong to the same connection. If the parameters match an allowed traffic type, a control decision is made to permit the traffic. A stateful inspection firewall on the other hand can make control decisions based on much more that )ust the information contained within each packet received. The following lists the types of information on which a stateful inspection firewall can make control decisions,
$ommunication information

Information from the -ayer . and -ayer 5 parameters of a packet /this is the only type of information a packet filtering firewall makes decisions on0.
$ommunication-derived state

Information derived from that passed within a connection. This can include -ayer .15 information /such as T*' ports, se4uence numbers, and so on0 through to -ayer 6 information /such as dynamic port allocations for new connections).
Application-derived state

Information derived from other applications. +or e3ample, *heck 'oint +irewall possesses a user authentication service that allows users to be identified. "nce a user has been successfully authenticated, this information can be passed to the stateful inspection engine, which allows access to authorized services for the users. This feature allows for access rules to be defined based on users or groups, !ather than I' hosts or networks.

A &tateful inspection firewall provides the speed and fle3ibility of a packet filter firewall, as well as the high security of an application layer gateway. This means that you gain the best of both worlds in a single, high performance 'latform.

#tateful Firewalls %d&antages

7 7 7 7 7 "ften used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic. &trengthens packet filtering by providing more stringent control over security than packet filtering Improves performance over packet filters or pro3y servers. #efends against spoofing and #o& attacks Allows for more log information than a packet filtering firewall

Disad&antages

7 7 7

*annot prevent application layer attacks because it does not e3amine the actual contents of the HTT' connection. Eot all protocols are stateful, such 2#' and I*(' &ome applications open multiple connections re4uiring a whole new range of ports opened to allow this second connection

2nderstands application,layer protocols+ (aintains a dynamic connection table that is continuously updated with the state of each connection. This ensures the firewall enables the return traffic of allowed connections only as long as the connection is active, and also ensures that only legitimate traffic consistent with the e3pected state of the connection is permitted. +ragment reassembly allows the firewall to reassemble fragmented packets and inspect them, defeating a common method used by attackers to bypass firewall security+(as in 'acket filter) The underlying operating system of the firewall is protected, because the &tateful inspection engine processes packets before they reach the T*'1I' stack of the operating system.

Firewall 'ractice
7 7 7 7 7 7 7 'osition firewalls at security boundaries. +irewalls are the primary security device. It is unwise to rely e3clusively on a firewall for security. #eny all traffic by default. 'ermit only services that are needed. $nsure that physical access to the firewall is controlled. !egularly monitor firewall logs. 'ractice change management for firewall configuration changes. !emember that firewalls primarily protect from technical attacks originating from the outside.