
A SEMINAR REPORT ON FIREWALL
INTRODUCTION
Computer networks are generally designed to do one thing above all others: allow any computer
connected to the network to freely exchange information with any other computer also connected
to the same network. In an ideal world, this is a perfect way for a network to operate, facilitating
universal communications between connected systems. Individual computers are then free to
decide who they want to communicate with, what information they want to allow access to and
which services they will make available. This way of operating is called "host based security",
because individual computers, or hosts, implement the security mechanisms. In practice, individual
computers on, say, an office network are not terribly good at defining and securely enforcing a
consistent security policy. They run very complex, and therefore by definition error-prone,
software systems, and it is very difficult to ensure that they are consistently kept secure, much
less that their users obey basic advice like choosing difficult-to-guess passwords.

This situation may be adequate where individual users on a network have a similar level of trust,
such that there is little chance or motive for a user to subvert host security, for example a small
company network where everyone with physical access is trusted (e.g. employees). Once that
network is connected to other networks where the trust relationships simply do not exist in the
same way, other mechanisms need to be put in place to provide adequate security by
protecting resources on the trusted network from potential access by attackers on the un-trusted
part of the network.

The way this is done is by partially breaking connectivity at the network level so that nodes on
the trusted and untrusted parts of the network can no longer freely exchange information in an
unfettered way. The device which does this is called a "Firewall", by reference to the analogue in
American automobile engineering, where the Firewall is a thick steel plate barrier between engine
and passenger compartments which prevents a fire in the former spreading to the latter. I suppose
that if this particular piece of technology had been invented on the English side of the Atlantic, it
would have been called a "bulkhead" instead!

A firewall is a system or group of systems that enforces an access control policy between two
networks. The actual means by which this is accomplished varies widely, but in principle, the
firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the
other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic,
while others emphasize permitting traffic. Probably the most important thing to recognize about a
firewall is that it implements an access control policy. If you don't have a good idea of what kind
of access you want to allow or to deny, a firewall really won't help you. It's also important to
recognize that the firewall's configuration, because it is a mechanism for enforcing policy,
imposes its policy on everything behind it. Administrators of firewalls managing the
connectivity for a large number of hosts therefore have a heavy responsibility.
WHAT EXACTLY ARE FIREWALLS?

Firewalls are software programs or hardware devices that filter the traffic that flows into your PC
or your network through an internet connection. They sift through the data flow and block that
which they deem (based on how and for what you have tuned the firewall) harmful to your
network or computer system.

When connected to the internet, even a standalone PC or a network of interconnected computers
makes an easy target for malicious software and unscrupulous hackers. A firewall can offer the
security that makes you less vulnerable and also protects your data from being compromised or
your computers from being taken hostage.

HOW DO THEY WORK?

Firewalls are set up at every connection to the Internet, therefore subjecting all data flow to
careful monitoring. Firewalls can also be tuned to follow "rules". These rules are simply
security rules that can be set up by yourself or by the network administrators to allow traffic to
their web servers, FTP servers or Telnet servers, thereby giving the computer
owners/administrators immense control over the traffic that flows in and out of their systems or
networks.

Rules decide who can connect to the internet, what kind of connections can be made, and which
or what kind of files can be transmitted in or out. Basically all traffic in and out can be watched and
controlled, thus giving the firewall installer a high level of security and protection.

FIREWALL LOGIC

Firewalls use 3 types of filtering mechanisms:

• Packet filtering or packet purity

Data flow consists of packets of information, and firewalls analyze these packets to sniff
out offensive or unwanted packets, depending on what you have defined as unwanted
packets.

• Proxy

Firewalls in this case assume the role of the recipient and in turn send the information on to the
node that requested it, and vice versa.

• Inspection

In this case firewalls, instead of sifting through all of the information in the packets, mark
key features in all outgoing requests and check for the same matching characteristics in the
inflow to decide whether the information coming through is a legitimate reply.

FIREWALL RULES

Firewall rules can be customized as per your needs, requirements and security threat levels. You
can create or disable firewall filter rules based on such conditions as:

• IP Addresses

Blocking off a certain IP address or a range of IP addresses, which you think are
predatory.

• Domain names

You can only allow certain specific domain names to access your systems/servers or
allow access to only some specified types of domain names or domain name extension
like .edu or .mil.

• Protocols

A firewall can decide which of the systems can allow or have access to common
protocols like IP, SMTP, FTP, UDP, ICMP, Telnet or SNMP.

• Ports

Blocking or disabling ports of servers that are connected to the internet will help maintain
the kind of data flow you want to see it used for & also close down possible entry points
for hackers or malignant software.

• Keywords

Firewalls also can sift through the data flow for a match of the keywords or phrases to
block out offensive or unwanted data from flowing in.
WHAT FIREWALL DOES

A firewall is simply a program or hardware device that filters the information coming through
the Internet connection into your private network or computer system. If an incoming packet of
information is flagged by the filters, it is not allowed through. A Firewall disrupts free
communication between trusted and un-trusted networks, attempting to manage the information
flow and restrict dangerous free access. There are numerous mechanisms employed to do this,
each one being somewhere between completely preventing packets flowing, which would be
equivalent to completely disconnected networks, and allowing free exchange of data, which
would be equivalent to having no Firewall.

In order to understand how each of these works, it is first necessary to understand the basics of
how data moves across the Internet.

PROTOCOLS: TCP/IP

The underlying way that data moves across the Internet is in individual packets called Internet
Protocol (IP) datagrams. Each packet is completely self contained, and has the unique address of
the originating computer (source address) and the intended recipient computer (destination address).
On its journey between the source and destination, the packet is forwarded by routers which
simply forward it on, one hop at a time, to its destination. In a non-Firewall environment these
packets flow freely between the two machines. To have a complete conversation in order to, e.g.,
send an e-mail or view a web page, a sequence of packets is grouped together using something
called Transmission Control Protocol (the TCP bit of TCP/IP). Under TCP, a complete
conversation looks something like this:

The data part above would contain the higher level protocol which actually sends an e-mail, or
requests and gets the contents of a web page. In order to connect to the right service on a
particular host, a special identifier called a "port number" is used which routes the exchange
through to the correct application program on the server end of the connection. For example, by
convention, web requests are directed at port 80, and incoming e-mails involve a connection to
port 25.

SIMPLER REQUESTS: UDP

TCP is a bit cumbersome for simple requests, so a streamlined protocol called User Datagram
Protocol also exists. This doesn't have the same connection setup overhead and tends to be used
for simpler conversations which perhaps only involve a simple information exchange, which
may be repeated if packets are lost and things go wrong.
HOW DOES A FIREWALL PROTECT?

A Firewall normally includes mechanisms for protection at the:

· Network Layer: IP packets are sanitized (source routing disabled, only packets with valid
external addresses allowed), and routed according to predefined rules. Some firewalls allow
translation of internal IP addresses to valid Internet IP addresses (NAT or Network Address
Translation), and others replace all internal addresses with the firewall address.

· Transport Layer: Access to TCP and UDP ports can be granted/blocked, depending on the IP
address of both sender and receiver. This allows access control for many TCP services, but
doesn't work at all for others (e.g. X11, FTP, portmapper services, which use dynamically assigned ports).

· Application Layer:
o Proxy servers (also called application gateways) accept requests for a particular
application and either further the request to the final destination, or block the request.
Ideally proxies should be transparent to the end user. Proxies are stripped-down, reliable
versions of standard applications with access control and forwarding built-in.

o Typical proxies include HTTP (for WWW), telnet, ftp etc. Certain applications such as
Internet Email (SMTP) are designed for the use of relays or forwarders.

o The DNS application provides IP address to hostname (or vice versa) lookup. DNS
does not really check where information comes from, so it may be possible for an attacker
to spoof the DNS service into giving false information, e.g. that the hostname of an
attacker's machine is that of a trusted host.

o Applications such as rlogin and NFS use host-names for access control and are
hence vulnerable to DNS spoofing.

o IP addresses should be used on proxy access control lists instead of DNS names (to
minimize the risk of DNS spoofing). But even IP addresses can be spoofed if routers are
not configured properly and switches are not used.

· Encryption: A firewall may use encryption to provide confidentiality, authentication or
integrity. When encryption is used for confidentiality (often called VPNs, Virtual Private
Networks), there are two general cases:

1. Encryption is performed by the firewall, i.e. it is the endpoint of a VPN. The firewall can then
understand and filter the actual protocol used within the VPN and provide intelligent logging.

2. Encryption is performed by a host inside the firewall (end-to-end encryption). The firewall
sees an encrypted stream but cannot understand it. This is useful if you don't trust the firewall
administrator, but not so useful if you want to filter the protocols within the VPN. The VPN
becomes a point of entry for an attacker that the Firewall administrator cannot detect.
Therefore, the VPN end-point inside the firewall must be VERY well configured and monitored
and use firewall mechanisms such as strong authentication.

· Depth of defence: A Firewall should also include redundant security barriers, so that a single
point of failure cannot compromise the network. The Firewall should be as invisible as possible
to users (who could weaken security) and to the network (so that it is difficult to attack).

· Reliability: Redundant routing, clusters, RAID, cold standbys etc. can all be used to provide
varying levels of availability. The reliability of service required should be specified before a
firewall is designed.
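
The network-layer sanitization described in the Network Layer bullet above (refusing source-routed packets and packets whose source address could not legitimately arrive from outside) is easy to see in code. The following Python is an added example written for this report, not code from the original; it assumes a constructed internal network of 192.168.1.0/24, a hypothetical `sanitize_inbound` function applied to packets arriving on the external interface, a deliberately incomplete list of reserved source ranges, and builds its own sample packets with a small `build_ipv4` helper.

```python
import ipaddress
import struct

# Constructed sample value: the network behind the firewall's internal interface.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Address ranges that must never appear as the source of a packet arriving on the
# external interface (RFC 1918 private space, loopback, link-local, "this" network,
# multicast). Constructed, deliberately incomplete list for the example.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]

# IPv4 option type codes (RFC 791): end-of-list, no-op, loose and strict source route.
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header and return the fields the filter needs."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4          # header length in bytes, options included
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or header length")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "options": pkt[20:ihl]}


def option_types(options: bytes):
    """Walk the IPv4 options area and yield each option's type code."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        yield kind
        if i + 1 >= len(options) or options[i + 1] < 2:
            return                   # truncated or malformed option: stop walking
        i += options[i + 1]


def sanitize_inbound(pkt: bytes) -> tuple:
    """Network-layer checks for a packet arriving on the external interface.

    Returns (accepted, reason)."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as exc:
        return False, f"drop: malformed header ({exc})"
    if set(option_types(hdr["options"])) & {IPOPT_LSRR, IPOPT_SSRR}:
        return False, "drop: source-routed packet"
    src = hdr["src"]
    if src in INTERNAL_NET:
        return False, "drop: internal source address arriving from outside (spoofed)"
    if any(src in net for net in BOGON_NETS):
        return False, "drop: source is not a valid external address"
    if hdr["dst"] not in INTERNAL_NET:
        return False, "drop: destination is not on the internal network"
    return True, "accept"


def build_ipv4(src: str, dst: str, proto: int = 6, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left zero) for constructed test packets."""
    options += bytes([IPOPT_EOL]) * ((-len(options)) % 4)   # pad options to 32-bit words
    ihl = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64,
                        proto, 0, ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


if __name__ == "__main__":
    # Constructed packets: a normal one, a loose-source-routed one, and a spoofed one.
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.ip_address("198.51.100.1").packed
    for pkt in (build_ipv4("203.0.113.5", "192.168.1.10"),
                build_ipv4("203.0.113.5", "192.168.1.10", options=lsrr),
                build_ipv4("192.168.1.20", "192.168.1.10")):
        print(sanitize_inbound(pkt))
```

The option walker stops at the first truncated or zero-length option rather than looping forever, which is the kind of malformed input a filter placed in front of the whole network must tolerate; a real implementation would also verify the header checksum and total length, which this example leaves out.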

FIREWALL DESIGN ISSUES

1. Define goals: What services do you want? How much can it cost? Provide a business
justification for services.

2. Who/what are you trying to protect, from whom / against what (threats)?

3. What known weaknesses need to be addressed?

4. What risks (likelihood and consequences or impact) do the above threats entail?

5. Develop a strategy to counter the unacceptable threats: policy, organisation, processes and
specific technical mechanisms.

6. Select the appropriate technical solution: What tools can provide access to the required
services with the specified budget at an acceptable risk? Choose a stable well known
technical architecture, test the solution, and install it securely.
7. Define a support organisation with roles, processes. You need a well organised team to
manage firewalls. Make sure that processes exist for handling a security breach swiftly. Plan for
an attack!

8. Submit the firewall to regular monitoring and independent audits.

9. Running an Internet firewall is an endless operation, so it makes sense to follow the technical
and social evolution of the Internet.

TYPES OF FIREWALL

There are a number of different kinds of technique which may be employed by a Firewall in
order to correctly identify a conversation and act on it. The techniques used by a particular
Firewall have an impact on the accuracy with which it can identify traffic, the level of
sophistication of the checks it can implement, but also its complexity and therefore cost and
likelihood that it incorporates bugs.

PACKET FILTER

Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through
the filters are sent to the requesting system and all others are discarded. The network level
operations corresponding to the security policy above were actually an example of a simple
packet filter. A Firewall implementing a packet filter looks at one packet at a time, and considers
it in isolation in order to make a forwarding decision. Because of the way that a packet filtering
Firewall works, it can implement a restricted range of filtering decisions. The principal
limitations of packet filtering are:

· TCP connections can be filtered on port and direction in order to implement simple directional
traffic rules keyed on port number only.

· It is not possible to completely filter TCP packets which aren't valid, or don't form part of an
active connection. It is not possible to fully filter UDP connections to ensure that they are part
of a valid conversation. The latter restriction is a fairly serious drawback of packet filtering. It
means the Firewall implementor is left with the choice of either completely blocking UDP
transactions, or accepting that packets may traverse the Firewall which should not be allowed
through. In the face of this, the only safe option is to block external to internal UDP transactions
when using a packet filtering Firewall.

Although the above drawbacks may seem significant, there are also some quite strong advantages
to a basic packet filtering Firewall:

· It is simple to implement, which means that it is much more unlikely that exploitable bugs exist
in the Firewall code.

· The same simplicity means that rule sets tend to be less complex, and again are less likely to
contain unintentional access routes.

· It can be implemented on relatively inexpensive hardware, meaning that simple, cheap boxes
can do packet filtering for very large numbers of user connections.

APPLICATION PROXIES

Another mechanism for controlling risks when Internal servers must allow connections from the
Internet is to use a technique called Application Proxies on a single external firewall.
Information from the Internet is retrieved by the firewall and then sent to the requesting system
and vice versa. These work by terminating the external connection at a special service within the
firewall. As the name suggests, this service acts as a proxy for the real server, implementing the
application protocol in the same way as the real server running on the internal network. It forms
a connection to the internal server, only passing on application protocol elements that pass its
strict checks of correctness.

This way, most mechanisms for subverting the internal application server are blocked.
Using an application proxy is not without difficulty, as their complexity tends to mean that they
need to be implemented on firewalls which are significantly more powerful than the relatively
simple systems used for basic packet filters. This, and the fact that such firewalls are typically
sold to "Enterprise" customers, means that their cost is often uneconomic for small businesses.

Application proxy firewalls also tend to require frequent software updating to ensure that they
are running the latest versions of the proxy code. This occurs both when new exploits are identified
which need to be blocked, and also when problems occur in interactions between the proxy and
widely deployed applications (in other words when the proxy is actually breaking an otherwise
working connection due to over-strict or even erroneous checking).

STATEFUL INSPECTION

A newer method that doesn't examine the contents of each packet but instead compares certain
key parts of the packet to a database of trusted information. Information traveling from inside the
firewall to the outside is monitored for specific defining characteristics, and then incoming
information is compared to these characteristics. If the comparison yields a reasonable match, the
information is allowed through. Otherwise it is discarded. Stateful inspection takes the basic
principles of packet filtering and adds the concept of history, so that the Firewall considers the
packets in the context of previous packets.
This has a number of advantages over simpler packet filtering:

· It is possible to build up Firewall rules for protocols which cannot be properly controlled by
packet filtering (e.g. UDP based protocols).

· More complete control of traffic is possible.

Equally, there are some disadvantages to a stateful inspection solution, in that the
implementation is necessarily more complex and therefore more likely to be buggy. It also
requires a device with more memory and a more powerful CPU etc for a given traffic load, as
information has to be stored about each and every traffic flow seen over a period of time.
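
To make the difference between the packet filter and stateful inspection concrete, the following added Python example (written for this report, not code from the original) runs one constructed packet trace through both a stateless rule set and a small stateful tracker. The `Packet` class, the rule set, the `StatefulFirewall` class and the trace are all assumptions made for the example. It shows the two limitations described under PACKET FILTER: a stateless filter that wants DNS replies back must accept any inbound UDP from source port 53, and its "inbound web replies carry ACK" rule admits an unsolicited ACK packet from source port 80, whereas the stateful version admits inbound packets only for flows an internal host started.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it (constructed, header fields only)."""
    direction: str            # "out": internal -> external, "in": external -> internal
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}


# Constructed stateless rule set: outbound web and DNS; inbound web replies recognised
# only by source port 80 plus the ACK flag; inbound DNS replies recognised only by
# source port 53 (the permissive choice for UDP). Anything unmatched is dropped.
STATELESS_RULES = [
    dict(direction="out", proto="tcp", dport=80, action="accept"),
    dict(direction="out", proto="udp", dport=53, action="accept"),
    dict(direction="in", proto="tcp", sport=80, ack=True, action="accept"),
    dict(direction="in", proto="udp", sport=53, action="accept"),
]


def stateless_filter(p: Packet) -> str:
    """Packet filter: each packet is judged in isolation against the rules."""
    for r in STATELESS_RULES:
        if r["direction"] != p.direction or r["proto"] != p.proto:
            continue
        if "dport" in r and r["dport"] != p.dport:
            continue
        if "sport" in r and r["sport"] != p.sport:
            continue
        if r.get("ack") and "ACK" not in p.flags:
            continue
        return r["action"]
    return "drop"


class StatefulFirewall:
    """Stateful inspection: inbound packets pass only if they belong to a flow that an
    internal host started, tracked per (proto, internal endpoint, external endpoint)."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def _key(p: Packet):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        k = self._key(p)
        if p.direction == "out":
            if stateless_filter(p) != "accept":     # outbound policy still applies
                return "drop"
            if p.proto == "udp":
                self.flows[k] = "udp-open"           # remember the query so its reply can return
            elif "SYN" in p.flags and "ACK" not in p.flags:
                self.flows[k] = "syn-sent"           # new connection attempt
            elif k not in self.flows:
                return "drop"                        # non-SYN packet for an unknown connection
            elif self.flows[k] == "syn-received" and "ACK" in p.flags:
                self.flows[k] = "established"        # handshake completed
            return "accept"
        state = self.flows.get(k)
        if state is None:
            return "drop"                            # nobody inside asked for this
        if p.proto == "udp":
            return "accept"
        if state == "syn-sent" and p.flags == frozenset({"SYN", "ACK"}):
            self.flows[k] = "syn-received"
            return "accept"
        if state == "established" and "ACK" in p.flags:
            return "accept"
        return "drop"                                # wrong packet for this connection state


# Constructed trace: a DNS lookup, then an HTTP handshake, each followed by an unsolicited
# inbound packet that merely looks like a reply (source port 53 or 80).
TRACE = [
    Packet("out", "udp", "192.168.1.10", 5353, "198.51.100.53", 53),
    Packet("in", "udp", "198.51.100.53", 53, "192.168.1.10", 5353),
    Packet("in", "udp", "203.0.113.7", 53, "192.168.1.10", 5353),
    Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.80", 80, frozenset({"SYN"})),
    Packet("in", "tcp", "203.0.113.80", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"})),
    Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.80", 80, frozenset({"ACK"})),
    Packet("in", "tcp", "203.0.113.9", 80, "192.168.1.10", 445, frozenset({"ACK"})),
]


def run_trace(trace=TRACE):
    """Return the decisions of both filters, in order, for each packet in the trace."""
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in trace], [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for p, s, f in zip(TRACE, *run_trace()):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  stateless={s:6} stateful={f}")
```

The stateless filter accepts all seven packets, including the third and the seventh, which no internal host asked for; the stateful tracker accepts the genuine replies and drops those two. The price is the `flows` table: one entry per conversation, which is the extra memory and CPU the paragraph above refers to, and a real implementation also has to expire idle entries.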

NETWORK ADDRESS TRANSLATION

This is not really a Firewall technology at all, but is often confused with one! NAT is a
pragmatic solution to the issue of IP address limitations.

When a network is connected to the Internet, the computers on that network need to be given
addresses so that other computers on the Internet can send packets to them. Because IP addresses
are a somewhat limited resource, and have to be unique across the globe, they are assigned
hierarchically by a central authority and passed down in blocks to service providers who then
make them available to their customers.

As an end customer this has some implications if you are to apply for and get sufficient IP
addresses for your network:

You need to be prepared to justify the need for all the IP addresses you will use in terms of the
number of computers you have, or will have - it is not possible to obtain 10 times as many IP
addresses as you need simply for administrative convenience. There is a bureaucratic overhead
that both you and your ISP need to be prepared to undertake.

Unless you are a very large organisation with thousands of computers who can justify a direct
allocation of addresses, you will need to do this all over again when you change providers.
Many organisations and ISPs choose to sidestep these issues by only allocating a single global IP
address to the customer, who then installs a NAT device at the end of the connection and uses
self allocated private addresses on their internal network.

The way that NAT works is very similar to stateful inspection firewalling, but with the added
twist that the Firewall modifies the address part of all packets on the way through. The NAT
gateway sees an outgoing packet from an internal private address to an external global Internet
address. It makes a note of the (internal, private) source address of the packet, and the destination
server address and port number. It then overwrites the source IP address with its own single
global Internet address and sends it on towards the Internet.

The remote server receives the packet with the NAT gateway's address as the originator, and
directs its replies at this address. When the reply packet arrives back at the NAT gateway, it
looks up the address and port number in its table, works out what the (internal) address of the
real originator was, substitutes this into the destination address and forwards it on through the
internal network.

LIMITATIONS OF NAT

Although NAT is an extremely convenient way to avoid IP address allocation issues, the
technique itself does have some limitations. Firstly most simple NAT gateways can only deal
with substituting addresses which occur at the start of the packet in an area called the header.

The designers of Internet application protocols never really envisaged the use of NAT, and some
applications themselves use the address of the computer they are talking to and bury it in the
application data part of the packet. Unless the NAT gateway knows about how to interpret the
application data as well as the Internet headers for these protocols, then they will not operate
properly in a NAT environment.

Examples of protocols that have this problem include FTP (File Transfer Protocol), and a protocol
called H.323 which is used extensively by Microsoft NetMeeting and similar audio/video
applications.

Problems with NAT and FTP are easily dealt with by using a protocol mode called passive FTP
which doesn't have the same issues with NAT. Unfortunately the H.323 protocol issues are more
fundamental, and you may well find that this protocol will not work with most NAT gateways.

SECURITY IMPLICATIONS OF NAT

It is a widely held belief that the presence of NAT and use of private internal addresses renders a
network immediately secure. This is a most dangerous notion!

The basis of this is that with outgoing only NAT, an attacker cannot connect directly to a
machine on the internal network, even if the Firewall rules are accidentally configured to allow
this. The reasoning then goes that seeing as the Firewall is now fail-safe, the network is
invulnerable.
The problem with this assertion is that its assumption that outgoing-only NAT will be the only
thing enabled is often false, and it ignores the possibility that an attacker will compromise the
network not by making a direct connection at the packet level with an internal host, but will instead
find another mechanism to make it call him.

OUTGOING ONLY SOLUTION

Many simple Firewall solutions are sold by ISPs and system resellers on a "fit and forget" basis
on the assumption that a simple, cheap packet filter or stateful inspection device is perfectly
secure so long as it incorporates NAT, and is configured to allow only outbound connections.

The problem with this approach is that in order to do anything useful, the first thing most users
need to do is open holes, or reverse NAT connections, to internal servers. Once this is done, the
Firewall's protection can be entirely sidestepped by an attacker and information on the internal
network is no longer particularly secure.
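
The translation table described under NETWORK ADDRESS TRANSLATION, and the effect of the "reverse NAT" holes discussed just above, can be modelled in a few dozen lines. The following Python is an added example written for this report, not code from the original; the `NatGateway` class, its `add_forward` method, the public address 203.0.113.1 and every packet are constructed for the example. Matching an inbound packet on the remembered remote endpoint as well as on the public port is a design choice of the example, not something the report specifies.

```python
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the fields a NAT gateway rewrites or looks up."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    """Outgoing-only NAT with one global address, plus optional static port forwards
    ("holes") to internal servers."""

    def __init__(self, public_ip: str, internal_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        # (proto, public port) -> (internal ip, internal port, remote ip, remote port);
        # a remote endpoint of (None, None) means "any remote host", i.e. a forward.
        self.table = {}
        self.reverse = {}                           # internal 5-tuple -> public port
        self._ports = itertools.count(first_port)   # next free public port (never reused here)

    def add_forward(self, proto: str, public_port: int, internal_ip: str, internal_port: int):
        """Open a hole: any external host reaching public_port is sent to the internal server."""
        self.table[(proto, public_port)] = (internal_ip, internal_port, None, None)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an internal -> Internet packet so it appears to come from the gateway."""
        if ipaddress.ip_address(p.src) not in self.internal_net:
            raise ValueError("outbound packet with a non-internal source")
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        public_port = self.reverse.get(key)
        if public_port is None:                     # first packet of this conversation
            public_port = next(self._ports)
            self.reverse[key] = public_port
            self.table[(p.proto, public_port)] = (p.src, p.sport, p.dst, p.dport)
        return Packet(self.public_ip, public_port, p.dst, p.dport, p.proto)

    def inbound(self, p: Packet):
        """Map an Internet -> gateway packet back to its real recipient; None means drop."""
        if p.dst != self.public_ip:
            return None
        entry = self.table.get((p.proto, p.dport))
        if entry is None:
            return None                             # no flow and no hole: unsolicited, dropped
        internal_ip, internal_port, remote_ip, remote_port = entry
        if remote_ip is not None and (p.src, p.sport) != (remote_ip, remote_port):
            return None                             # reply from a host we never talked to
        return Packet(p.src, p.sport, internal_ip, internal_port, p.proto)


def demo():
    """Two inside hosts reach the same web server; then the effect of opening an SMTP hole."""
    gw = NatGateway("203.0.113.1", "192.168.1.0/24")
    a = gw.outbound(Packet("192.168.1.10", 50001, "198.51.100.80", 80))
    b = gw.outbound(Packet("192.168.1.11", 50001, "198.51.100.80", 80))
    reply_a = gw.inbound(Packet("198.51.100.80", 80, "203.0.113.1", a.sport))
    reply_b = gw.inbound(Packet("198.51.100.80", 80, "203.0.113.1", b.sport))
    unsolicited = gw.inbound(Packet("203.0.113.66", 4444, "203.0.113.1", 22))
    before_hole = gw.inbound(Packet("203.0.113.66", 4444, "203.0.113.1", 25))
    gw.add_forward("tcp", 25, "192.168.1.25", 25)     # the mail-delivery hole
    after_hole = gw.inbound(Packet("203.0.113.66", 4444, "203.0.113.1", 25))
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b,
            "unsolicited": unsolicited, "before_hole": before_hole, "after_hole": after_hole}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

Both inside hosts used source port 50001, so the gateway has to hand out distinct public ports (40000 and 40001) to tell the replies apart. With no table entry, the unsolicited packets to ports 22 and 25 are dropped, which is the "fail-safe" behaviour the previous section describes; as soon as the SMTP forward exists, the same external host reaches the internal mail server directly, and from that point the mail server's own software is what stands between the attacker and the internal network.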

HOLES AND INCOMING TRAFFIC

An example of the kind of hole which is typically opened up in a Firewall is that necessary for
mail delivery.

On the Internet, a protocol called SMTP is used to deliver between mail servers. This works in
effect by the mail sender's machine connecting to the mail recipient's server and pushing the e-
mail. In order to accept mail from the Internet onto a local mail server it is usual to open up a
hole which allows any server to connect to the local mail server. This will often be justified using
logic which says that this is only a small hole to one specific service on one specific host, and the
rest of the internal network is still fully protected by the Firewall "outbound only" rule.

Unfortunately what this does is open up the internal mail server to any attack that is possible
against the software installed on it, and if this is at all complex, there will be lots of potential
attacks.

As an example, a search on Bugtraq (an industry source of application vulnerability data) against
a popular mail server, Microsoft Exchange, showed that 4 major vulnerabilities had been
discovered just between March and July 2002. Since then the number of such vulnerabilities has
grown much larger and continues to increase.

Many of these vulnerabilities would have allowed a remote hacker not only to gain unauthorized
access to the server itself, but also to then use it as a launch point to attack any other system on
the network, just as if the Firewall wasn't there.
NO HOLES: THE DEMILITARISED ZONE

The classic solution to the problem of opening up holes in the network perimeter to allow access
to services is the Demilitarised Zone or DMZ. Named after the buffer zone between opposing
forces in a military peacekeeping scenario, the DMZ is a special separate network of servers to
which external untrusted hosts have access, but which have no access to the Internal network.

Large enterprise Internet access and Firewall systems always incorporate at least one level of
DMZ as this is seen as essential to preventing the vulnerabilities described above which are
inherent in opening up holes in the Firewall onto the internal network.

The issue with this solution for the medium sized or smaller enterprise is one of cost. A typical
DMZ solution requires at least three devices: the external Firewall, the internal Firewall, and the
DMZ server machine. This means of course three times the cost, which may not be feasible or
proportionate for a small organisation wishing to secure its ADSL Internet connection.

MAKING THE FIREWALL FIT

Firewalls are customizable. This means that you can add or remove filters based on several
conditions. Some of these are:

· IP addresses - Each machine on the Internet is assigned a unique address called an IP
address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted
decimal number." A typical IP address looks like this: 216.27.61.137. For example, if a certain
IP address outside the company is reading too many files from a server, the firewall can block
all traffic to or from that IP address.

· Domain names - Because it is hard to remember the string of numbers that make up an IP
address, and because IP addresses sometimes need to change, all servers on the Internet
also have human-readable names, called domain names. For example, it is easier for most
of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company
might block all access to certain domain names, or allow access only to specific domain
names.

· Protocols - The protocol is the pre-defined way that someone who wants to use a service
talks with that service. The "someone" could be a person, but more often it is a computer
program like a Web browser. Protocols are often text, and simply describe how the client and
server will have their conversation. The "http" at the start of a Web address names the Web's
protocol. Some common protocols that you can set firewall filters for include:

o IP (Internet Protocol) - the main delivery system for information over the Internet

o TCP (Transmission Control Protocol) - used to break apart and rebuild information
that travels over the Internet

o HTTP (Hyper Text Transfer Protocol) - used for Web pages

o FTP (File Transfer Protocol) - used to download and upload files

o UDP (User Datagram Protocol) - used for information that requires no response, such
as streaming audio and video

o ICMP (Internet Control Message Protocol) - used by a router to exchange
information with other routers

o SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)

o SNMP (Simple Network Management Protocol) - used to collect system information
from a remote computer

o Telnet - used to perform commands on a remote computer


A company might set up only one or two machines to handle a specific protocol and ban that
protocol on all other machines.

· Ports - Any server machine makes its services available to the Internet using numbered
ports, one for each service that is available on the server. For example, if a server machine
is running a Web (HTTP) server and an FTP server, the Web server would typically be
available on port 80, and the FTP server would be available on port 21. A company might
block port 21 access on all machines but one inside the company.

· Specific words and phrases - This can be anything. The firewall will sniff (search
through) each packet of information for an exact match of the text listed in the filter. For
example, you could instruct the firewall to block any packet with the word "X-rated" in it. The
key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no
hyphen). But you can include as many words, phrases and variations of them as you need.

Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed
on the computer in your home that has an Internet connection. This computer is considered a
gateway because it provides the only point of access between your home network and the
Internet. With a hardware firewall, the firewall unit itself is normally the gateway. A good
example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in
your home network connect to the router, which in turn is connected to either a cable or DSL
modem. You configure the router via a Web-based interface that you reach through the browser
on your computer. You can then set any filters or additional information.

Hardware firewalls are incredibly secure and not very expensive. Home versions that include a
router, firewall and Ethernet hub for broadband connections can be found for well under $100.

WHAT FIREWALL PROTECTS US FROM

There are many creative ways that unscrupulous people use to access or abuse unprotected
computers:

· Remote login - When someone is able to connect to your computer and control it in some
form. This can range from being able to view or access your files to actually running programs
on your computer.

· Application backdoors - Some programs have special features that allow for remote
access. Others contain bugs that provide a backdoor, or hidden access, that provides some
level of control of the program.

· SMTP session hijacking - SMTP is the most common method of sending e-mail over the
Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk email
(spam) to thousands of users. This is done quite often by redirecting the e-mail through
the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to
trace.

· Operating system bugs - Like applications, some operating systems have backdoors.
Others provide remote access with insufficient security controls or have bugs that an
experienced hacker can take advantage of.

· Denial of service - This type of attack is nearly impossible to counter. What happens is that
the hacker sends a request to the server to connect to it. When the server responds with an
acknowledgement and tries to establish a session, it cannot find the system that made the
request. By inundating a server with these unanswerable session requests, a hacker causes
the server to slow to a crawl or eventually crash.

· E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same
e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

· Macros - To simplify complicated procedures, many applications allow you to create a script
of commands that the application can run. This script is known as a macro. Hackers have
taken advantage of this to create their own macros that, depending on the application, can
destroy your data or crash your computer.

· Viruses - Probably the most well-known threat is computer viruses. A virus is a small
program that can copy itself to other computers. This way it can spread quickly from one
system to the next. Viruses range from harmless messages to erasing all of your data.

· Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk
mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of
clicking on these because you may accidentally accept a cookie that provides a backdoor to
your computer.

· Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by
sending it to a different router. This is one of the ways that a denial of service attack is set up.

· Source routing - In most cases, the path a packet travels over the Internet (or any other
network) is determined by the routers along that path. But the source providing the packet can
arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage
of this to make information appear to come from a trusted source or even from inside the
network! Most firewall products disable source routing by default.

Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some
firewalls offer virus protection, it is worth the investment to install anti-virus software on each
computer. And, even though it is annoying, some spam is going to get through your firewall as
long as you accept e-mail.

FIREWALL ARCHITECTURE

There are many possible ways to set up a Firewall. Here the principal methods are shown. The
choice of Firewall depends on cost, performance, availability needs and the sensitivity of the
information being protected by the firewall. Highly secure, high performance, high availability
systems are not cheap. If high availability is important, it could double costs.
BASIC FILTER ARCHITECTURE (SCREENING ROUTER)
The cheapest (and least secure) setup involves using a router (which can filter inbound and
outbound packets on each interface) to screen access to one (or more) internal servers.
A router is normally needed anyway to connect to the Internet, so the filter comes for free. This
screened server is the starting point for all outside connections. Internal clients who wish to access the
outside do so via this screened server.

Advantages:

· Transparent, simple.

· Cheapest solution, lowest security.

· The router could be replaced by an intelligent filter, providing fine grained access control,
protection against IP spoofing and with logging (although such logging is at a low level,
making it difficult to interpret).

Disadvantages:

· Complex filtering rules (and hence error prone) are required on the router. Fine grained
access control is near impossible.

· Since most routers cannot do logging, little is known about possible attacks.

· The screening router can be easily modified to allow other internal hosts to access the
outside. This is a bad thing, as it can soon get out of hand (too many hosts, too many complex
rules, difficult to verify).

· Some (old) routers do not correctly screen source routed packets.

· Routers cannot add authentication.

· Difficult to hide internal structure.

· Only one barrier.

This architecture is not recommended, except where finance is a severe problem (even then, is it
really worth the risk?). As an improvement, an "intelligent filter" (see below) could be used to
replace the router filter.
DUAL HOMED FIREWALL ARCHITECTURE

In this classical firewall architecture, a host is set up with two network interfaces, one connected
to the outside, one to the inside. Packet forwarding is disabled on the gateway; information is
passed at the application level. The gateway can be reached from both sides, but traffic cannot
directly flow across it. Normally, a router is also needed for Internet connection.
ADVANTAGES:

· The simple architecture is also easy enough to verify, but requires careful configuration of
the gateway. Can hide internal network.

· Cheap, but depth of defence (2 barriers) and diversity of defence are weak. May be
enough for small sites using basic outgoing services (HTTP, telnet, ftp).

· As with the previous example, an intelligent filter as opposed to a router filtering can
improve security.

· Internet servers (WWW, ftp) would normally be placed on a third network.

DISADVANTAGES:

· Since the dual homed host cannot forward packets, a proxy must exist for all services that
traverse the gateway (unless the gateway also has a packet filter). Not all services can be
proxied and they require user input or configuration.

· Firewall performance is limited to the performance of one machine.


SCREENED HOST ARCHITECTURE

This variation of the Basic Filter involves the use of two filters, the additional filter being used
between the screened host and its clients. The "protected" host is known as a Bastion Host.
In Figure 1, a network layer firewall called a ``screened host firewall'' is represented. In a
screened host firewall, access to and from a single host is controlled by means of a router
operating at a network layer. The single host is a bastion host; a highly-defended and secured
strong-point that (hopefully) can resist attack.

Example Network layer firewall: In Figure 2, a network layer firewall called a ``screened subnet
firewall'' is represented. In a screened subnet firewall, access to and from a whole network is
controlled by means of a router operating at a network layer. It is similar to a screened host,
except that it is, effectively, a network of screened hosts.
ADVANTAGES

· Filtering rules are simpler than in the Basic Filter architecture: the external router only allows
traffic between the bastion host and the outside, and the internal router only allows traffic
between the bastion host and the inside.

· Security is also improved (more barriers, greater depth of defence).

· If two different routers are used, diversity of defence is improved, at the cost of
complexity.

· Internet servers (WWW, ftp) would normally be placed on the outside without any access
to the internal network.

· Relatively cheap solution.

DISADVANTAGES

· Costs are higher

· Routers cannot do logging, so little is known about possible attacks at the packet level.

· Routers can't do "intelligent" filtering of dual port protocols such as FTP.


This architecture may be a solution for small sites with tight finances, or simple outgoing
services.
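The external router's rules in a screened host setup ("only traffic between the bastion host and the outside"), together with the anti-spoofing and source-routing points made for the basic filter, can be written down as a short first-match, default-deny rule list. The following Python is an added illustration for this report, not code from the original page or from any firewall product; the inside network 192.0.2.0/24, the bastion address 192.0.2.10, the published services (SMTP and HTTP) and the packets fed through the filter are all constructed for the example.

```python
"""Toy stateless packet filter modelling the external screening router of a
screened host firewall.  Constructed example: addresses come from the
documentation ranges (TEST-NET-1/2), not from a real deployment."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed "inside" network
BASTION = ip_network("192.0.2.10/32")        # constructed bastion host address
ANY = ip_network("0.0.0.0/0")
INBOUND_SERVICES = {25, 80}                  # SMTP and HTTP offered by the bastion


@dataclass(frozen=True)
class Packet:
    in_iface: str                 # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    source_routed: bool = False   # IP source-route option present


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "accept" or "drop"
    in_iface: Optional[str] = None             # None matches any interface
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None
    dports: Optional[frozenset] = None         # None matches any destination port
    source_routed: Optional[bool] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must match the packet."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.source_routed is not None and rule.source_routed != pkt.source_routed:
        return False
    return True


def filter_packet(rules, pkt: Packet):
    """First matching rule wins; anything unmatched is dropped (default deny).
    Returns (action, rule_name) so every decision can be logged with its reason."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "default-deny"


# Ruleset for the *external* router: only bastion <-> outside is permitted.
EXTERNAL_ROUTER_RULES = [
    # Source-routed packets are dropped on any interface (the report notes most
    # firewall products disable source routing by default).
    Rule("no-source-route", "drop", source_routed=True),
    # Anti-spoofing: a packet arriving from the outside must not claim an inside address.
    Rule("anti-spoof", "drop", in_iface="outside", src=INTERNAL_NET),
    # The outside may reach only the services the bastion publishes.
    Rule("to-bastion-services", "accept", in_iface="outside", dst=BASTION,
         proto="tcp", dports=frozenset(INBOUND_SERVICES)),
    # The bastion may initiate anything towards the outside.
    Rule("bastion-outbound", "accept", in_iface="inside", src=BASTION),
    # A purely stateless filter would also need rules admitting the replies to
    # the bastion's outbound connections; omitted here to keep the list short.
]


def run_sample():
    """Feed constructed packets through the ruleset and return the decisions."""
    samples = [
        Packet("outside", "198.51.100.5", "192.0.2.10", "tcp", 25),                    # SMTP to bastion
        Packet("outside", "198.51.100.5", "192.0.2.20", "tcp", 25),                    # SMTP to internal host
        Packet("outside", "192.0.2.77", "192.0.2.10", "tcp", 25),                      # spoofed inside address
        Packet("outside", "198.51.100.5", "192.0.2.10", "tcp", 80, source_routed=True),
        Packet("inside", "192.0.2.10", "198.51.100.5", "tcp", 80),                     # bastion going out
        Packet("inside", "192.0.2.20", "198.51.100.5", "tcp", 80),                     # client bypassing bastion
    ]
    return [filter_packet(EXTERNAL_ROUTER_RULES, p) for p in samples]


if __name__ == "__main__":
    for action, why in run_sample():
        print(f"{action:6} ({why})")
```

The order of the rules is the point: the spoofing and source-routing checks come before any accept rule, and the final default deny is what turns "a router that happens to filter" into a policy. The internal router of the screened host design would use the mirror image of this list, with the bastion and the inside swapped.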

SCREENED SUBNET (OR DMZ) ARCHITECTURE

This architecture is an extension of the screened host architecture. The classical firewall setup is
a packet filter between the outside and a "semi-secure" or De-Militarised Zone (DMZ) subnet
where the proxies lie (this allows the outside only restricted access services in the DMZ Zone).
The DMZ is further separated from the internal network by another packet filter which only
allows connections to/from the proxies.

The filters specified above are "intelligent" with logging. All incoming and outgoing services
between the Internet and the Internal networks pass via proxy servers in the DMZ.

· The DMZ can be a switched LAN, or two switched LANs with dual homed bastion hosts
between them. The latter is more secure since only proxied connections will be allowed
through and protects against a software error in the filters. Direct inside <-> outside socket
connections are no longer possible, unless an extra filter is added on the default route in
place of a bastion.

· Modular & flexible.

· Depth and diversity of defence (but also cost and complexity) are higher than the previous
solution.

· For maximum diversity of defence, two different firewall products should be used for the
"packet filters" shown above.

· For very high availability, the DMZ with front & back end filters can be duplicated and hooked
together by routers (2 on the inside and 2 on the outside) that support redundant routing.

Recommended for large sites, or those protecting valuable assets.

INVISIBLE FILTER ARCHITECTURE

Some products act as bridges and are as such invisible to TCP/IP traffic. An example is the
SunScreen from Sun Microsystems. This offers a huge advantage, especially if the filter is
intelligent: it is very difficult to attack the packet filter.

ADVANTAGES

· Since the filter doesn't have an IP address, it is much more difficult to attack. Being invisible is
a major security advantage.

· Since it can bridge but not route, it can be inserted into a current network without changing
current addresses or subnet masks. But this also means that a router is still necessary!

· For high availability a duplicate filter should be available.


The filter above is a single point of failure. What if it dies or the wrong rule is added by
mistake?
So when this type of architecture is used, the firewall must be carefully designed, specified and
installed on the network.
ENCRYPTING FIREWALLS / TUNNELS
Where secure data communication over a public network (such as the Internet) is required, the
most transparent solution is encryption of TCP/IP traffic at the IP level.

In the above scenario, sites B & C can securely exchange information, but not with Site A. There
are many different encrypting Firewalls, using incompatible protocols. No clear standards exist,
although some companies are putting forward their solutions as proposed standards (e.g. Cisco's
PIX, Netscape's SSL, Sun's SKIP, Microsoft's PPTP, SSH). Some products offer firewall-to-firewall
encryption, while others offer end-to-end, or both. The IPsec standard (if it's ever finished)
should allow for better interoperation of VPNs.

WHAT IS A NETWORK FIREWALL?

A firewall is a system or group of systems that enforces an access control policy between two or
more networks. The actual means by which this is accomplished varies widely, but in principle,
the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the
other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic,
while others emphasize permitting traffic. Probably the most important thing to recognize about
a firewall is that it implements an access control policy. If you don't have a good idea of what
kind of access you want to allow or to deny, a firewall really won't help you. It's also important
to recognize that the firewall's configuration, because it is a mechanism for enforcing policy,
imposes its policy on everything behind it. Administrators for firewalls managing the
connectivity for a large number of hosts therefore have a heavy responsibility.

WHY WOULD I WANT A FIREWALL?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic
equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just
sitting in the street blowing their car horns. Some people try to get real work done over the
Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's
purpose is to keep the jerks out of your network while still letting you get your job done.

Many traditional-style corporations and data centers have computing security policies and
practices that must be followed. In a case where a company's policies dictate how data must be
protected, a firewall is very important, since it is the embodiment of the corporate policy.
Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying
the expense or effort, but convincing management that it's safe to do so. A firewall provides not
only real security--it often plays an important role as a security blanket for management.
Lastly, a firewall can act as your corporate ``ambassador'' to the Internet. Many corporations use
their firewall systems as a place to store public information about corporate products and
services, files to download, bug-fixes, and so forth. Several of these systems have become
important parts of the Internet service structure (e.g., UUnet.uu.net, whitehouse.gov,
gatekeeper.dec.com) and have reflected well on their organizational sponsors. Note that while
this is historically true, most organizations now place public information on a Web server, often
protected by a firewall, but not normally on the firewall itself.

WHAT CAN A FIREWALL PROTECT AGAINST?

Some firewalls permit only email traffic through them, thereby protecting the network against
any attacks other than attacks against the email service. Other firewalls provide less strict
protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the
``outside'' world. This, more than anything, helps prevent vandals from logging into machines on
your network. More elaborate firewalls block traffic from the outside to the inside, but permit
users on the inside to communicate freely with the outside. The firewall can protect you against
any type of network-borne attack if you unplug it.

Firewalls are also important since they can provide a single ``choke point'' where security and
audit can be imposed. Unlike in a situation where a computer system is being attacked by
someone dialing in with a modem, the firewall can act as an effective ``phone tap'' and tracing
tool. Firewalls provide an important logging and auditing function; often they provide summaries
to the administrator about what kinds and amount of traffic passed through it, how many
attempts there were to break into it, etc.

Because of this, firewall logs are critically important data. They can be used as evidence in a
court of law in most countries. You should safeguard, analyze and protect your firewall logs
accordingly.
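To make the logging and auditing function described above concrete, and to show how the "unanswerable session requests" of the denial-of-service attack described earlier look in a log, here is an added Python example. It is not part of the original report or of any firewall product; the log format, the addresses and the thresholds are constructed for the illustration, and a real detector would additionally bound the counting by a time window.

```python
"""Summarise constructed firewall log lines and flag two patterns: many denied
connection attempts from one source, and bursts of half-open (SYN-only)
session requests against one server."""
import re
from collections import Counter

# Constructed log lines in a simple made-up format (not any vendor's format).
# 198.51.100.5 and 198.51.100.7 complete normal connections; 203.0.113.9 probes
# several closed services and is dropped; 203.0.113.44 opens sessions to the
# web server and never completes the handshake.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ACCEPT tcp 198.51.100.5:51000 -> 192.0.2.10:25 flags=S
2024-03-01T09:00:00 ACCEPT tcp 198.51.100.5:51000 -> 192.0.2.10:25 flags=A
2024-03-01T09:00:01 DROP tcp 203.0.113.9:40001 -> 192.0.2.20:23 flags=S
2024-03-01T09:00:01 DROP tcp 203.0.113.9:40002 -> 192.0.2.20:22 flags=S
2024-03-01T09:00:02 DROP tcp 203.0.113.9:40003 -> 192.0.2.20:139 flags=S
2024-03-01T09:00:03 ACCEPT tcp 203.0.113.44:60001 -> 192.0.2.10:80 flags=S
2024-03-01T09:00:03 ACCEPT tcp 203.0.113.44:60002 -> 192.0.2.10:80 flags=S
2024-03-01T09:00:03 ACCEPT tcp 203.0.113.44:60003 -> 192.0.2.10:80 flags=S
2024-03-01T09:00:04 ACCEPT tcp 203.0.113.44:60004 -> 192.0.2.10:80 flags=S
2024-03-01T09:00:04 ACCEPT tcp 203.0.113.44:60005 -> 192.0.2.10:80 flags=S
2024-03-01T09:00:05 ACCEPT tcp 198.51.100.7:52000 -> 192.0.2.10:80 flags=S
2024-03-01T09:00:05 ACCEPT tcp 198.51.100.7:52000 -> 192.0.2.10:80 flags=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than trusted."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def traffic_summary(records):
    """Counts per (action, proto, dport): the 'kinds and amount of traffic' view."""
    return Counter((r["action"], r["proto"], r["dport"]) for r in records)


def denied_sources(records, threshold=3):
    """Sources with at least `threshold` dropped packets: attempts to break in."""
    drops = Counter(r["src"] for r in records if r["action"] == "DROP")
    return {src: n for src, n in drops.items() if n >= threshold}


def half_open_suspects(records, threshold=4):
    """Per (src, dst), count accepted SYNs whose connection never showed an ACK
    from the client.  Many half-open sessions from one source is the pattern of
    the denial-of-service attack described in the report."""
    syn_seen = set()
    ack_seen = set()
    for r in records:
        if r["action"] != "ACCEPT" or r["proto"] != "tcp":
            continue
        conn = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["flags"] == "S":
            syn_seen.add(conn)
        elif "A" in r["flags"]:
            ack_seen.add(conn)
    half_open = Counter((c[0], c[2]) for c in syn_seen - ack_seen)
    return {pair: n for pair, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(traffic_summary(recs).items()):
        print(key, n)
    print("denied sources:", denied_sources(recs))
    print("half-open suspects:", half_open_suspects(recs))
```

The summary is the routine report the text mentions; the two detectors are the kind of check that makes the logs useful as a "phone tap", and both depend on the logs being complete and untampered, which is why they should be shipped off the firewall and protected.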

This is an important point: providing this ``choke point'' can serve the same purpose on your
network as a guarded gate can for your site's physical premises. That means anytime you have a
change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A company rarely
has only an outside gate and no receptionist or security staff to check badges on the way in. If
there are layers of security on your site, it's reasonable to expect layers of security on your
network.
WHAT CAN’T A FIREWALL PROTECT AGAINST?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that
connect to the Internet are very concerned about proprietary data leaking out of the company
through that route. Unfortunately for those concerned, a magnetic tape, compact disc, DVD, or
USB flash drives can just as effectively be used to export data. Many organizations that are
terrified (at a management level) of Internet connections have no coherent policy about how dial-
in access via modems should be protected. It's silly to build a six-foot thick steel door when you
live in a wooden house, but there are a lot of organizations out there buying expensive firewalls
and neglecting the numerous other back-doors into their network. For a firewall to work, it must
be a part of a consistent overall organizational security architecture. Firewall policies must be
realistic and reflect the level of security in the entire network. For example, a site with top secret
or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the
first place, or the systems with the really secret data should be isolated from the rest of the
corporate network.

Lost or stolen PDAs, laptops, cell phones, USB keys, external hard drives, CDs, DVDs, etc. For
protection against this type of data loss, you will need a good policy, encryption, and some sort
of enterprise auditing/enforcement. Places that really care about Intellectual Property (IP) and data loss
prevention use USB firewalling technology on their desktops and systems in public areas. The
details are outside the scope of this FAQ.

Badly written, poorly thought out, or non-existent organizational policy. A firewall is the end
extension of an organization's security policy. If that policy is ill-informed, poorly formed, or not
formed at all, then the state of the firewall is likely to be similar. Executive buy-in is key to good
security practice, as is the complete and unbiased enforcement of your policies. Firewalls can't
protect against political exceptions to the policy, so these must be documented and kept at a minimum.

Another thing a firewall can't really protect you against is traitors or idiots inside your network.
While an industrial spy might export information through your firewall, he's just as likely to
export it through a telephone, FAX machine, or Compact Disc. CDs are a far more likely means
for information to leak from your organization than a firewall. Firewalls also cannot protect you
against stupidity. Users who reveal sensitive information over the telephone are good targets for
social engineering; an attacker may be able to break into your network by completely bypassing
your firewall, if he can find a ``helpful'' employee inside who can be fooled into giving access to
a modem pool or desktop through a "remote support" type portal. Before deciding this isn't a
problem in your organization, ask yourself how much trouble a contractor has getting logged into
the network or how much difficulty a user who forgot his password has getting it reset. If the
people on the help desk believe that every call is internal, you have a problem that can't be fixed
by tightening controls on the firewalls.

Firewalls can't protect against tunneling over most application protocols to trojaned or poorly
written clients. There are no magic bullets and a firewall is not an excuse to not implement
software controls on internal networks or ignore host security on servers. Tunneling ``bad'' things
over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't
``fire and forget''.

Lastly, firewalls can't protect against bad things being allowed through them. For instance, many
Trojan Horses use the Internet Relay Chat (IRC) protocol to allow an attacker to control a
compromised internal host from a public IRC server. If you allow any internal system to connect
to any external system, then your firewall will provide no protection from this vector of attack.

What are the critical resources in a firewall?

It's important to understand the critical resources of your firewall architecture, so when you do
capacity planning, performance optimizations, etc., you know exactly what you need to do, and
how much you need to do it in order to get the desired result.

What exactly the firewall's critical resources are tends to vary from site to site, depending on the
sort of traffic that loads the system. Some people think they'll automatically be able to increase
the data throughput of their firewall by putting in a box with a faster CPU, or another CPU, when
this isn't necessarily the case. Potentially, this could be a large waste of money that doesn't do
anything to solve the problem at hand or provide the expected scalability.

On busy systems, memory is extremely important. You have to have enough RAM to support
every instance of every program necessary to service the load placed on that machine. Otherwise,
the swapping will start and the productivity will stop. Light swapping isn't usually much of a
problem, but if a system's swap space begins to get busy, then it's usually time for more RAM. A
system that's heavily swapping is often relatively easy to push over the edge in a denial-of-
service attack, or simply fall behind in processing the load placed on it. This is where long email
delays start.

Beyond the system's requirement for memory, it's useful to understand that different services use
different system resources. So the configuration that you have for your system should be
indicative of the kind of load you plan to service. A 700 MHz processor isn't going to do you
much good if all you're doing is netnews and mail, and are trying to do it on an IDE disk with an
ISA controller.
SUMMARY

Firewalls are a must have for any kind of computer usage that goes online. They protect you from
all kinds of abuse & unauthorised access, like trojans that allow taking control of your computers
by remote logins or backdoors, viruses, or the use of your resources to launch DoS attacks.

Firewalls are worth installing. Be it a basic standalone system, a home network or an office
network, all face varying levels of risks & Firewalls do a good job in mitigating these risks. Tune
the firewall for your requirements & security levels and you have one less reason to worry.

Some of the firewall products that you may want to check out are:

• McAfee Internet Security
• Microsoft Windows Firewall
• Norton Personal Firewall
• Trend Micro PC-cillin
• ZoneAlarm Security Suite

CONCLUSION

The level of security you establish will determine how many of these threats can be stopped by
your firewall. The highest level of security would be to simply block everything. Obviously that
defeats the purpose of having an Internet connection. But a common rule of thumb is to block
everything, and then begin to select what types of traffic you will allow. You can also restrict
traffic that travels through the firewall so that only certain types of information, such as e-mail,
can get through. This is a good rule for businesses that have an experienced network
administrator that understands what the needs are and knows exactly what traffic to allow
through. For most of us, it is probably better to work with the defaults provided by the firewall
developer unless there is a specific reason to change it. One of the best things about a firewall
from a security standpoint is that it stops anyone on the outside from logging onto a computer in
your private network. While this is a big deal for businesses, most home networks will probably
not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.
REFERENCES
1. http://www.Howstuffworks.htm
2. firewalls-faq@interhack.net
3. http://www.ranum.com/pubs/fwfaq
4. http://sunsite.unc.edu/LDP/HOWTO/Firewall-HOWTO.html
5. ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists
6. http://www.ipcortex.co.uk/wp/fw.rhtm
