Slide 1
Firewall
Slide 2
           What is a firewall?
          A firewall is a device (or software feature) designed to control the flow
          of traffic into and out of a network.
          In general, firewalls are installed to prevent attacks from the outside world
          or the Internet (it creates a perimeter of defence).
          It provides protection for machines lacking security of their own.
          A firewall is well isolated, making it immune to modification
          (tamperproof).
          It is therefore implemented on a separate computer with direct connections only to
          the outside and the inside of the network.
          Functionality is kept simple.
Slide 3
                   Firewall Goals and Idea
          • Two goals:
            – To provide the people in your organization with access to the
              WWW without allowing the entire world to peek in;
            – To erect a barrier between an untrusted piece of software, your
              organization’s public Web server, and the sensitive information
              that resides on your private network.
          • Basic idea:
            – Impose a specifically configured gateway machine between the
              outside world and the site’s inner network.
            – All traffic must first go to the gateway, where software decides
              whether to allow or reject it.
Slide 4
                                  Introduction
              – Firewall’s main goal is to protect TCP/IP networks
              – Functions:
                 •   Blocking traffic
                 •   Permitting traffic
                 •   Enabling secure remote connections (VPN)
                 •   Logging traffic
                 •   Content filtering (blocking): viruses, attacks
                 •   Network management purposes (screening the traffic etc.)
Slide 5
                                 Main goals
          The main goal of firewalling is
          – to control unnecessary services, traffic
          – to hide our internal network topology and services
          – to protect against protocol errors (e.g. invalid SMTP commands can be
            filtered)
          – to enable logging
          – to control the activity of internal users
          – every accessible point is a possible security hole: with firewalling we
            minimize the accessible points and make it more difficult to
            mount an attack
          – we can make it more difficult to exploit the vulnerability: E.g. with tftp
            denied it is more difficult to send files to the internet after an attack
          – we can separate the network to subnetworks: an intrusion will not
            compromise our whole system, just a subnetwork/server
Slide 6
                   A firewall is not good for…
              - Stopping information flow/leakage:
                Data can be leaked out even through DNS applications or
                e.g. HTTP tunnels. It is very hard to protect against covert
                channels.
              - Complete protection against intrusions:
                A single open port can be used to gain privileged access
                An application proxy might not stop attacking through
                badly formed parameters, etc.
                An industry spy can use the telefax to transport secrets…
Slide 7
                           Firewall Placement
          • The firewall is inserted between the premises network
            and the Internet
          • Aims:
             – Establish a controlled link
             – Protect the premises network from Internet-based attacks
             – Provide a single choke point
Slide 8
                        Benefits of Using Firewall
          – Protect your network or PC
          – Prevent viruses and worms on your network
          – Prevent malicious attackers from getting into your network
          – Prevent loss of sensitive or valuable company information
          – Prevent Denial of Service (DoS) attacks
          – Act as a forensics tool
          – Authenticate users, log users (accounting), and authorize users only for certain
             content or applications
          – Provide strong authentication
          – Allow virtual private networks
          – Have a specially hardened/secured operating system
Slide 9
                           Firewalls DON’T
          • Protect against attacks that bypass the firewall
             – Dial-out from internal host to an ISP
          • Protect against internal threats
             – disgruntled employee
             – Insider cooperates with an external attacker
          • Protect against the transfer of virus-infected
            programs or files
Slide 10
                          Edge Firewall
           An edge firewall is usually software running on a
           server or workstation.
           An edge firewall protects a single computer from
           attacks directed against it.
           Examples of these firewalls are:
                     ZoneAlarm
                     BlackIce
                     IPFW on OSX
Slide 11
                       Firewall Appliance
           It is a device whose sole function is to act as a
           firewall.
           Examples of these firewalls are:
                        Cisco PIX.
                        Netscreen series.
Slide 12
                                Network Firewall
           • Router/Bridge based Firewall
                – A firewall running on a bridge or a router protects anywhere from a group of
                  devices to an entire network.
           • Computer-based Network Firewall
                – A network firewall runs on a computer (such as a PC or Unix
                  computer).
                  Products include Checkpoint Firewall-1 and the firewall built into Apple OS X.
Slide 13
                        Types of Firewalls
           • Three common types of Firewalls based on
             methodology:
             – Packet-filtering gateways or screening routers
             – Stateful inspection firewalls
             – Application gateways/proxies (bastion host)
             – Adaptive proxy
             – Circuit level gateway
             – Guard
             – Personal Firewall
Slide 15
                       Types of Firewalls
           Packet-filtering gateways (or screening routers)
           [Figure: a filtering router placed between the untrusted network and the trusted network]
Slide 16
                         Types of Firewalls
           • Packet-filtering Router
             – Simplest and most effective in some situations
             – Applies a set of rules to each incoming IP packet
               and then forwards or discards the packet
             – Controls access to packets on the basis of packet
               address (source or destination) or specific transport
               protocol type (e.g. HTTP web traffic)
             – Filters packets going in both directions
             – Works at network and transport layer
Slide 17
           Fig. Packet Filter Blocking Addresses and Protocols
           a) Here N/W-1 is blocked by the firewall.
           b) N/W-2 is accepted.
           c) The filter allows HTTP traffic but blocks traffic that uses the Telnet protocol.
           Hypertext Transfer Protocol (HTTP) is the underlying protocol used by the World Wide Web; it defines
           how messages are formatted and transmitted.
           Telnet is a protocol used as a simple way to communicate with devices over a network.
Slide 18
                     How does a firewall work?
           Blocks packets based on:
                Source IP address or range of addresses
                Source port (TCP/UDP)
                Destination IP address or range of addresses
                Destination port (TCP/UDP)
                Some firewalls also filter at higher layers of the OSI model
                Other protocols (how would you filter DECnet anyway?)
           Common ports:
                80          HTTP
                443         HTTPS
                20 & 21     FTP
                23          Telnet
                22          SSH
                25          SMTP
Slide 19
           Fig. Three Connected LANs.
           - The screening router on the LAN at 100.24.4.0 is allowing
             communication to the host at 100.24.4.0
           - It also allows out only communications addressed to either 144.27.5.3 or
             192.19.33.0
Slide 20
           Fig. Filter Screening Outside Addresses.
           - Blocks all packets from outside that claim their source address is
             an inside address
           - i.e. blocks all packets arriving from outside with a source address of 100.50.25.x
           - But of course permits in any packet with destination 100.50.25.x
Slide 21
                                Packet Filters
           • Data Available
              –   IP source and destination addresses
              –   Transport protocol (TCP, UDP, or ICMP)
              –   TCP/UDP source and destination ports
              –   ICMP message type
              –   Packet options (Fragment Size etc.)
           • Actions Available
              –   Allow the packet to go through
              –   Drop the packet (Notify Sender/Drop Silently)
              –   Alter the packet (NAT?)
              –   Log information about the packet
Slide 22
                     Packet Filters Contd.
           • Example filters
             – Block all packets from outside except for SMTP
               (Simple Mail Transfer Protocol) servers
             – Block all traffic to a list of domains
             – Block all connections from a specified domain
Slide 23
                    Example Firewall Rules
           • Stateless packet filtering firewall
           • Rule = (Condition, Action)
           • Rules are processed in top-down order
             – If a condition is satisfied, the corresponding action is taken
Slide 24
                                               Packet Filtering
               Strengths:
           •     Packet filtering is typically faster than other packet screening methods. Because packet
                 filtering is done at the lower levels of the OSI model, the time it takes to process a packet is
                 much shorter.
           •     Packet filtering firewalls can be implemented transparently. They typically require no
                 additional configuration for clients.
           •     Packet filtering firewalls are typically less expensive. Many hardware devices and software
                 packages have packet filtering features included as part of their standard package.
Slide 25
                                              Packet Filtering
               Weaknesses
           •   Packet filtering firewalls allow a direct connection to be made between the two endpoints.
               Although this type of packet screening is configured to allow or deny traffic between two
               networks, the client/server model is never broken.
           •   Packet filtering firewalls are fast and typically have no impact on network performance, but
               it's usually an all-or-nothing approach. If ports are open, they are open to all traffic passing
               through that port, which in effect leaves a security hole in your network.
           •   Defining rules and filters on a packet filtering firewall can be a complex task.
Slide 26
                             Packet Filtering (Weaknesses)
      •    Packet filtering firewalls are prone to certain types of attacks. Since packet
           inspection goes no deeper than the packet header information, there are three
           common exploits to which packet filtering firewalls are susceptible.
            – IP spoofing:
              sending data with a faked source address that the firewall will trust
            – ICMP (Internet Control Message Protocol) tunneling:
              ICMP tunneling allows an attacker to insert data into a legitimate ICMP packet.
              The Internet Control Message Protocol (ICMP) provides background support for
              the IP protocol.
Slide 27
                         Stateful Packet Inspection firewall
           •   Keeps track of the state of network connections (such as TCP streams) traveling across it.
           •   Some attackers break an attack into multiple short packets so that the firewall cannot detect the
               signature.
           •   Stateful inspection tracks the condition of state from one packet to another to foil the attack
           •   Stateful packet inspection uses the same fundamental packet screening technique that
               packet filtering does.
           •   In addition, it examines the packet header information from the network layer of the OSI
               model to the application layer
           •   This examination is to verify that the packet is part of a legitimate connection and the
               protocols are behaving as expected.
Slide 28
                         Stateful Packet Inspection Firewall
           •   As packets pass through the firewall, packet header information is examined and fed into a
               dynamic state table where it is stored.
           •   The packets are compared to pre-configured rules or filters and allow or deny decisions are
               made based on the results of the comparison.
           •   The connection state is derived from information gathered in previous packets.
           •   It is an essential factor in making the decision for new communication attempts.
           •   State consists of details such as the IP addresses and ports involved in the connection and the
               sequence numbers of the packets traversing the connection.
           •   Stateful packet inspection compares the packets against the rules or filters and then checks
               the dynamic state table to verify that the packets are part of a valid, established connection.
           •   By having the ability to "remember" the status of a connection, this method of packet
               screening is better equipped to guard against attacks than standard packet filtering.
Slide 29
                         Stateful Packet Inspection Firewall
           This method can make decisions based on one or more of the following:
           •   Source IP address
           •   Destination IP address
           •   Protocol type (TCP/UDP)
           •   Source port
           •   Destination port
           •   Connection state
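The stateless rule list of slide 23 (condition, action pairs processed top-down) and the dynamic state table of slide 28, as an added example that is not from the slides. The inside network reuses the 100.50.25.x addressing of slide 20; the mail relay, the outside addresses and the sample packets are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inside network, in the style of the 100.50.25.x example on slide 20.
INSIDE = ip_network("100.50.25.0/24")
MAIL_RELAY = "100.50.25.3"   # constructed: the only inside host allowed to receive SMTP

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

# Stateless rules as (condition, action) pairs, processed top-down; first match wins.
RULES = [
    # Anti-spoofing: an inbound packet must not claim an inside source address.
    (lambda p: p.direction == "in" and ip_address(p.src) in INSIDE, "drop"),
    # Inbound SMTP is permitted only to the mail relay.
    (lambda p: p.direction == "in" and p.proto == "tcp"
               and p.dst == MAIL_RELAY and p.dport == 25, "allow"),
    # Inside hosts may open web connections.
    (lambda p: p.direction == "out" and p.proto == "tcp" and p.dport in (80, 443), "allow"),
    # Replies to those web connections: a stateless filter has no memory of the outbound
    # request, so it must leave every high port open to packets from port 80/443.
    (lambda p: p.direction == "in" and p.proto == "tcp"
               and p.sport in (80, 443) and p.dport >= 1024, "allow"),
]

def stateless_decide(p):
    """Apply the rules top-down and return the action of the first matching rule."""
    for condition, action in RULES:
        if condition(p):
            return action
    return "drop"   # default deny when no rule matches

class StatefulFirewall:
    """Same rules, plus a dynamic state table keyed by the connection 5-tuple."""

    def __init__(self):
        self.table = set()

    def decide(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "allow"   # belongs to a connection the firewall has already seen
        if p.syn and not p.ack and stateless_decide(p) == "allow":
            self.table.add(key)   # a new connection the rules permit: remember it
            return "allow"
        return "drop"   # neither an established connection nor a permitted new one

def demo():
    """Constructed traffic; returns {name: (stateless_decision, stateful_decision)}."""
    fw = StatefulFirewall()
    traffic = [
        ("spoofed", Packet("in", "tcp", "100.50.25.7", 1234, MAIL_RELAY, 25, syn=True)),
        ("smtp_to_relay", Packet("in", "tcp", "198.51.100.4", 5555, MAIL_RELAY, 25, syn=True)),
        # Unsolicited inbound packet from source port 80 to a high port: slide 25's
        # "open to all traffic" weakness; only the state table can tell it was never requested.
        ("unsolicited_probe", Packet("in", "tcp", "203.0.113.9", 80, "100.50.25.10", 40000, ack=True)),
        ("web_request", Packet("out", "tcp", "100.50.25.10", 40000, "203.0.113.9", 443, syn=True)),
        ("web_reply", Packet("in", "tcp", "203.0.113.9", 443, "100.50.25.10", 40000, syn=True, ack=True)),
    ]
    return {name: (stateless_decide(p), fw.decide(p)) for name, p in traffic}
```

The unsolicited probe is the one packet on which the two methods differ: the stateless filter must accept it because the reply rule leaves the high ports open, while the stateful firewall drops it because no connection in its table matches.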
Slide 30
                                  Stateful Packet Inspection
               Strengths:
           •   Like packet filtering firewalls, they have very little impact on network performance.
           •   More secure than basic packet filtering firewalls, because stateful packet inspection digs
               deeper into the packet header information to determine the connection state between
               endpoints.
           •   Usually has some logging capabilities. Logging can help identify and track the different
               types of traffic that pass through the firewall.
Slide 31
                                  Stateful Packet Inspection
               Weaknesses
           •   Like packet filtering, stateful packet inspection does not break the client/server model and
               therefore allows a direct connection to be made between the two endpoints
           •   Rules and filters in this packet screening method can become complex, hard to manage,
               prone to error and difficult to test.
Slide 32
                         Application Gateways/Proxies
           This type of firewall operates at the application level of the OSI model.
Slide 33
           • Application-level Gateway
Slide 34
                         Application Gateways/Proxies
       •   The proxy plays middleman in all connection attempts (dummy sender and destination)
       •   The application gateway/proxy acts as an intermediary between the two endpoints.
       •   For source and destination endpoints to be able to communicate with each other, a proxy
           service must be implemented for each application protocol.
       •   Each endpoint can only communicate with the other by going through the gateway/proxy.
       •   The gateways/proxies are carefully designed to be reliable and secure because they are the
           only connection point between the two networks.
Slide 35
                     Application Gateways/Proxies Firewall
           •   The response is sent back to the application gateway/proxy, which determines if it is valid and
               then sends it on to the client.
           •   By breaking the client/server model, this type of firewall can effectively hide the trusted
               network from the untrusted network.
           •   Unlike packet filtering and stateful packet inspection, an application gateway/proxy can see
               all aspects of the application layer, so it can look for more specific pieces of information.
Slide 36
           Fig. Actions of Firewall Proxies.
           - Prevents login attacks from remote non-employees (in the instances when
             a company wants to allow dial-in access by its employees)
           - Checks on the activities of the outsider
           - The company's online price list cannot be changed by an outsider, and
             sensitive files cannot be accessed (the proxy would monitor FTP data so that
             files are read only, not modified)
           - A proxy on the firewall can be tailored to specific requirements, such as logging details
             about accesses
Slide 37
      •    Advantages:
            – Higher security than packet filters
            – Only need to scrutinize a few allowable applications
            – Easy to log and audit all incoming traffic
      •    Disadvantages:
            – Additional processing overhead on each connection (gateway as splice point)
Slide 38
                          Application Gateways/Proxies
           Strengths
      •    Application gateways/proxies do not allow a direct connection to be made between
           endpoints. They actually break the client/server model.
      •    Typically have the best content filtering capabilities. Since they have the ability to examine
           the payload of the packet, they are capable of making decisions based on content.
      •    Allow the network administrator to have more control over traffic passing through the
           firewall. They can permit or deny specific applications or specific features of an application.
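The payload inspection that slides 5 and 35 describe (filtering invalid SMTP commands, checking that a request is valid before forwarding it), as an added example that is not from the slides: a minimal SMTP command filter of the kind an application proxy applies to each client line, which a packet filter that stops at the header cannot do. The command grammar, the denied-verb policy and the session lines are constructed for the demo.

```python
import re

# Commands the proxy understands, each with the argument shape it accepts.
GRAMMAR = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-]+$"),
    "EHLO": re.compile(r"^[A-Za-z0-9.\-]+$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]*>$", re.I),
    "RCPT": re.compile(r"^TO:<[^<>\s]+>$", re.I),
    "DATA": re.compile(r"^$"),
    "RSET": re.compile(r"^$"),
    "NOOP": re.compile(r"^$"),
    "QUIT": re.compile(r"^$"),
}
# Constructed site policy: valid SMTP verbs the site chooses not to expose
# (address-enumeration verbs that many sites disable on exposed relays).
DENIED = {"VRFY", "EXPN"}
MAX_LINE = 512   # RFC 5321 limit for a command line including CRLF

def check_command(line):
    """Return ('forward', verb) or ('reject', reason) for one client line."""
    if len(line) > MAX_LINE:
        return ("reject", "500 line too long")
    if not line.endswith("\r\n"):
        return ("reject", "500 missing CRLF")
    body = line[:-2]
    if not body.isascii() or any(ord(c) < 32 for c in body):
        return ("reject", "500 control characters")
    verb, _, arg = body.partition(" ")
    verb = verb.upper()
    if verb in DENIED:
        return ("reject", "502 command not permitted by policy")
    pattern = GRAMMAR.get(verb)
    if pattern is None:
        return ("reject", "500 unknown command")   # proxy-unknown verbs are never relayed
    if not pattern.match(arg):
        return ("reject", "501 malformed argument")
    return ("forward", verb)   # well-formed and permitted: relay to the real server

# Constructed client session: mostly legitimate, with a few lines a proxy should stop.
SESSION = [
    "EHLO mail.example.org\r\n",
    "MAIL FROM:<alice@example.org>\r\n",
    "RCPT TO:<bob@example.com>\r\n",
    "VRFY bob\r\n",                         # valid SMTP, but denied by site policy
    "RCPT TO:<bob@example.com> extra\r\n",  # malformed argument
    "XEXCH50 1\r\n",                        # verb the proxy does not implement
    "DATA\r\n",
]

def filter_session(lines=SESSION):
    """Run every line of a session through the proxy check, in order."""
    return [check_command(line) for line in lines]
```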
Slide 39
                              Application Gateways/Proxies
               Weaknesses
           •   The most significant weakness is the impact they can have on performance.
               They require more processing power and have the potential to become a bottleneck for the
               network.
           •   Typically require additional client configuration. Clients on the network may require
               specialized software or configuration changes to be able to connect to the application
               gateway/proxy.
Slide 40
                                      Adaptive Proxies
      •    Known as dynamic proxies
      •    Developed as an enhanced form of application gateways/proxies. Combining the merits of
           both application gateways/proxies and packet filtering
Slide 41
                                       Circuit-level Gateway
           •   Unlike a packet filtering firewall, a circuit-level gateway does not examine individual packets.
               Instead, circuit-level gateways monitor TCP or UDP sessions.
               Once a session has been established, it leaves the port open to allow all other packets
               belonging to that session to pass. The port is closed when the session is terminated.
               Circuit-level gateways operate at the transport layer (layer 4) of the OSI model.
Slide 42
                            Personal firewalls
                – Every single host on the Internet is a target
                – Most users do not use tight security (no updates, bad
                  passwords, no security settings)
                – Attacked clients might become zombies for a DoS attack or
                  a relay for spam and other attacks
                – They need some protection
                – Personal firewalls are mostly simple packet filters
                – Drop incoming service requests (my Windows PC is not a
                  file server)
                – Alert on (anomalous) outgoing requests
                – Can protect against trojans / information leakage / privacy
                  problems too
                – Can be integrated with virus protection
Slide 43
                                  Selecting a Firewall Solution
               In order to pick the best architecture and packet screening method for a firewall solution,
               the following questions should be considered:
           •   What does the firewall need to do?
           •   What additional services would be desirable?
           •   How will it fit in the existing network?
           •   How will it affect existing services and users?
Slide 44
                                                 Security Policy
           The success of any firewall solution's implementation is directly related to the existence of a
               well-thought-out and consistently implemented security policy.
               Some of the topics a security policy may address are:
           •   Administrative Issues
                –   User access - Which users will be allowed access to and from the network?
                –   Access to services - Which services will be allowed in and out of the network?
                –   Access to resources - Which resources will be available to users?
                –   User authentication - Will the organization require user authentication?
                –   Logging and auditing - Will the organization want to keep log and audit files?
                –   Policy violation consequences - What will be the consequences of policy violation?
                –   Responsibilities - Who will oversee and administer the security policy? Who has final authority on
                    decisions?
Slide 45
               Selecting a firewall system
       •   Operating system
       •   Protocols handled
       •   Filter types
       •   Logging
       •   Administration
       •   Simplicity
       •   Tunneling
Slide 46
            Widely used commercial firewalls
           • AltaVista
           • BorderWare (Secure Computing Corporation)
           • CyberGuard Firewall (CyberGuard Corporation)
           • Eagle (Raptor Systems)
           • Firewall-1 (Checkpoint Software Technologies)
           • Gauntlet (Trusted Information Systems)
           • ON Guard (ON Technology Corporation)