
CHAPTER 9

FIREWALLS
Introduction to firewalls

• A firewall is basically the first line of defense for your network.
• The basic purpose of a firewall is to keep uninvited guests from browsing your
network.
• A firewall can be a hardware device or a software application or a combination
of both and generally is placed at the perimeter (outer boundary) of the network
to act as the gatekeeper for all incoming and outgoing traffic.
• Firewalls are frequently used to prevent unauthorized Internet users from
accessing private networks connected to the Internet.
• All data entering or leaving the Intranet pass through the firewall, which
examines each packet and blocks those that do not meet the specified security
criteria.
• Firewalls are essential since they can provide a single block point where security
and auditing can be imposed.
• Firewalls provide an important logging and auditing function; often they provide
summaries to the administrator.
• Firewalls can be an effective means of protecting a local system or network of
systems from network-based security threats while at the same time affording
access to the outside world via WAN and Internet.
A firewall is a computer that sits between your internal network and the rest of the network
and attempts to prevent bad things from happening without preventing good things from
happening.

Design principles

Every organization, government agencies included, uses information systems and must protect
the vital data they hold. Internet connectivity is a basic requirement for most organizations,
because the information and services available from the Internet are essential. At the same
time it enables the outside world to reach and interact with local network assets, which
creates a threat to the organization. Firewalls have been used to provide security for the
organization's network.

General Characteristics (design goals)


• All traffic from inside to outside, and vice versa, must pass through the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to
pass.
• The firewall itself should be a trusted system running a secure operating system.

Firewall services:
There are four services.
Service Control: Determines the types of services that can be accessed, inbound or
outbound. The firewall may filter traffic on the basis of IP address and TCP port number.
Direction Control: Determines the direction in which particular service requests may
be initiated and allowed to flow through the firewall.
User Control: Controls access to a service according to which user is attempting
to access it.
Behavior Control: Controls how particular services are used.

Firewall limitations:

• The firewall cannot protect against attacks that bypass the firewall (for example,
through multiple entry points).
• The firewall does not protect against internal threats, such as an unhappy or frustrated
employee or an employee who unknowingly cooperates with an external attacker.
• The firewall cannot protect against the transfer of virus-infected programs or files.

Types of Firewalls:

The three common types of firewalls are:

1. Packet filters
2. Application-level gateways
3. Circuit-level gateways.

1. Packet Filters:

The simplest form of firewall selectively discards packets based on configurable
criteria, such as addresses in the IP header. For example, it might be
configured to allow only some systems on your network to communicate
outside.
Packet filtering inspects each packet passing through the network and
accepts or rejects it based on user-defined rules.
Packet filters usually permit or deny network traffic based on:
Packet filters usually permit or deny network traffic based on:

• Source and destination IP addresses
• Protocol, such as TCP, UDP, or ICMP
• Source and destination ports and ICMP types and codes
• Flags in the TCP header, such as whether the packet is a connect request
• Direction (inbound or outbound)
• Which physical interface the packet is traversing

Although difficult to configure, it is fairly effective and mostly transparent
to its users.
In addition, most IP packet filters are stateless, which means they do not
remember anything about the packets they previously processed. A packet
filter with state can keep some information about previous traffic, which
allows you to configure it so that only replies to requests from the
internal network are allowed in from the Internet. Stateless packet filters are
vulnerable to IP spoofing since the source IP address and ACK bit in the
packet's header can be easily forged by attackers.
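The following Python program is an added example, not code from the chapter. It implements the rule-matching a stateless packet filter performs on the header fields listed above (addresses, protocol, ports, TCP flags, direction, interface), applies first-match semantics with a default deny, and then shows why the "ACK bit means reply" heuristic is weak. The network 192.0.2.0/24, the interface names eth0/eth1, the three-rule policy and all packet addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology (not from the text): 192.0.2.0/24 is the internal
# network, eth0 is the interface facing the Internet, eth1 faces the inside.
INTERNAL_NET = "192.0.2.0/24"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at."""
    src: str
    dst: str
    proto: str                         # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"SYN", "ACK"}
    direction: str = "in"              # "in" = from the Internet, "out" = to it
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None means 'any'."""
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None          # CIDR the source address must fall in
    dst: Optional[str] = None          # CIDR the destination must fall in
    dport: Optional[int] = None
    flags_required: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return self.flags_required <= p.flags


# Constructed policy. Rules are tried in order; the first match decides and a
# packet that matches nothing is dropped (default deny).
RULES = [
    # 1. Anti-spoofing: a packet arriving from the Internet must not claim an
    #    internal source address.
    Rule("deny", direction="in", iface="eth0", src=INTERNAL_NET),
    # 2. Internal hosts may initiate TCP connections to the outside.
    Rule("permit", direction="out", proto="tcp", src=INTERNAL_NET),
    # 3. "Established" traffic: the only way a stateless filter can recognise a
    #    reply is the ACK bit, so inbound TCP with ACK set is let through.
    Rule("permit", direction="in", proto="tcp", dst=INTERNAL_NET,
         flags_required=frozenset({"ACK"})),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo() -> dict:
    """Run a few constructed packets through the filter and return the verdicts."""
    outside, inside = "198.51.100.7", "192.0.2.10"
    return {
        # Inside host opens a connection to a web server: allowed by rule 2.
        "outbound_syn": filter_packet(Packet(
            inside, outside, "tcp", 51000, 443, frozenset({"SYN"}), "out", "eth1")),
        # The server's SYN/ACK comes back: allowed by rule 3.
        "reply_syn_ack": filter_packet(Packet(
            outside, inside, "tcp", 443, 51000, frozenset({"SYN", "ACK"}), "in", "eth0")),
        # Unsolicited connection attempt from outside: no rule matches, dropped.
        "unsolicited_syn": filter_packet(Packet(
            outside, inside, "tcp", 12345, 22, frozenset({"SYN"}), "in", "eth0")),
        # Source address forged to look internal: caught by rule 1.
        "spoofed_source": filter_packet(Packet(
            "192.0.2.5", inside, "tcp", 12345, 22, frozenset({"ACK"}), "in", "eth0")),
        # The weakness the text describes: a packet with only the ACK bit set
        # that answers no real request still passes, because the filter keeps
        # no record of what was requested.
        "forged_ack": filter_packet(Packet(
            outside, inside, "tcp", 12345, 22, frozenset({"ACK"}), "in", "eth0")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

The last verdict is the point of the paragraph: rule 3 has to trust a bit the sender controls. A stateful filter would instead look the inbound segment up in a table of connections the inside opened, which is what the circuit-level gateway in section 3 does.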

2. Application-level Gateway:

Another way to protect your vulnerable network is by use of an application-level
gateway. The gateway could have two network adaptors and act as a
router, but more often it is placed between two packet filtering firewalls.
The two firewalls are routers that refuse to forward anything unless it's to
or from the gateway.

An application-level proxy server provides all the basic proxy features and
also provides extensive packet analysis.

When packets from the outside arrive at the gateway, they are examined
and evaluated to determine if the security policy allows the packet to enter
into the internal network. Not only does the server evaluate IP addresses, it
also looks at the data in the packets to stop hackers from hiding
information in the packets.
A typical application-level gateway can provide proxy services for
applications and protocols like Telnet, FTP (file transfers), HTTP (Web
services), and SMTP (e-mail).

3. Circuit-level gateway:

This type of proxy server provides a controlled network connection
between internal and external systems. A virtual "circuit" exists between
the internal client and the proxy server. Internet requests go through this
circuit to the proxy server, and the proxy server delivers those requests to
the Internet after changing the IP address. External users only see the IP
address of the proxy server. Responses are then received by the proxy
server and sent back through the circuit to the client. While traffic is
allowed through, external systems never see the internal systems. This
type of connection is often used to connect "trusted" internal users to the
Internet.

As an example of how circuit-level gateways work:
say computer A is in a network protected by a circuit-level gateway
firewall, and wants to view a web page on computer B which is outside
the firewall. Computer A sends the request for the web page to computer
B, which is intercepted and recorded by the firewall before being passed
on. Computer B receives the request, which as far as it is concerned came
from the address of the firewall, and starts sending the web-page data back
across the Internet. When it reaches the firewall, it is compared to
computer A's request to see if the IP address and the port match up, then
the data is either allowed or dropped.

A major advantage to using this method is that non-requested data from
outside the firewall is not allowed in, period. All ports are closed until the
firewall opens them. The main disadvantage is that unless it is combined
with some other form of filtering, any type of data requested from inside
the firewall will be allowed through.
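The computer A / computer B exchange above, worked through in Python as an added example (not from the chapter). A small gateway class records each outbound request in a circuit table, rewrites the source to its own address so that B only ever sees the gateway, and admits inbound data only when the source address and port match a recorded circuit. The last step in the demo shows the stated disadvantage: on an open circuit the content is relayed without inspection. All addresses (192.0.2.10, 198.51.100.7, 203.0.113.1), ports and payloads are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what the gateway looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


Endpoint = Tuple[str, int]
Circuit = Tuple[Endpoint, Endpoint]     # (internal client, external server)


class CircuitGateway:
    """Relays client connections and admits only data answering a recorded circuit."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # Circuit table keyed by the gateway-side port the server will answer to.
        self.circuits: Dict[int, Circuit] = {}
        self.log: List[str] = []

    def outbound(self, seg: Segment) -> Segment:
        """Record the client's request and forward it with the gateway's own address."""
        client, server = (seg.src_ip, seg.src_port), (seg.dst_ip, seg.dst_port)
        for gport, circ in self.circuits.items():
            if circ == (client, server):      # existing circuit: reuse its port
                break
        else:
            gport, self._next_port = self._next_port, self._next_port + 1
            self.circuits[gport] = (client, server)
            self.log.append(f"open {client} -> {server} via {self.external_ip}:{gport}")
        return Segment(self.external_ip, gport, seg.dst_ip, seg.dst_port, seg.payload)

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Return the segment readdressed to the client, or None if it is dropped."""
        circ = self.circuits.get(seg.dst_port) if seg.dst_ip == self.external_ip else None
        if circ is None:
            self.log.append(f"drop {seg.src_ip}:{seg.src_port}: no circuit on port {seg.dst_port}")
            return None
        client, server = circ
        if (seg.src_ip, seg.src_port) != server:
            self.log.append(f"drop {seg.src_ip}:{seg.src_port}: does not match circuit {server}")
            return None
        # Address and port match the recorded request: relay to the client.
        return Segment(seg.src_ip, seg.src_port, client[0], client[1], seg.payload)


def demo() -> dict:
    """Walk through the computer A / computer B exchange with constructed addresses."""
    gw = CircuitGateway("203.0.113.1")
    a, b = ("192.0.2.10", 51000), ("198.51.100.7", 80)

    # A asks B for a web page; B sees the gateway's address, not A's.
    relayed = gw.outbound(Segment(*a, *b, b"GET / HTTP/1.1"))
    # B answers to the address and port it saw; the gateway maps it back to A.
    reply = gw.inbound(Segment(*b, relayed.src_ip, relayed.src_port, b"HTTP/1.1 200 OK"))
    # Data nobody inside asked for is dropped: wrong source, or a port with no circuit.
    wrong_host = gw.inbound(Segment("198.51.100.9", 80, relayed.src_ip, relayed.src_port))
    no_circuit = gw.inbound(Segment(*b, relayed.src_ip, relayed.src_port + 1))
    # The limitation in the text: whatever the server sends on an open circuit is
    # relayed unexamined, because a circuit-level gateway does not look at content.
    anything = gw.inbound(Segment(*b, relayed.src_ip, relayed.src_port, b"<arbitrary content>"))
    return {"relayed": relayed, "reply": reply, "wrong_host": wrong_host,
            "no_circuit": no_circuit, "anything": anything, "log": list(gw.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Combining this circuit table with an application-level gateway that inspects the relayed payload is the "other form of filtering" the text refers to.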

Access control:

Access control mechanisms are a necessary and crucial design element to any
application's security.

In general, a web application should protect front-end and back-end data and system
resources by implementing access control restrictions on what users can do, which
resources they have access to, and what functions they are allowed to perform on the
data.

Ideally, an access control scheme should protect against the unauthorized viewing,
modification, or copying of data.

Additionally, access control mechanisms can also help limit malicious code execution, or
unauthorized actions through an attacker exploiting infrastructure dependencies.

A general model of access control is as follows:

Subject: An entity capable of accessing objects. For example, any user or application gains
access to an object by means of a process.
Object: Anything to which access is controlled. Examples: files, portions of files,
programs, and segments of memory.
Access right: The way in which an object is accessed by a subject. Examples: read, write,
and execute.
Fig: Access control list

Access control information can be viewed as a matrix with rows representing the
subjects, and columns representing the objects. The access that the subject is permitted to
the object is shown in the body of the matrix. For example, in the matrix, the letter at an
intersection of a row and a column indicates what type of access the subject may make to
the object. Because least privilege is a primary goal of access control, most cells of the
matrix will be empty, meaning that no access is allowed. When most of the cells are
empty, the matrix is said to be sparse.
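The access matrix described above, as an added Python example (not from the chapter). Only the occupied cells are stored, so the sparseness that least privilege produces translates directly into a small table; a missing cell is a denied access. The same stored cells can be read out by column (the access control list of one object, as in the figure) or by row (the capabilities of one subject). The subjects, objects and granted rights in build_example are constructed.

```python
from typing import Dict, Iterable, Set, Tuple


class AccessMatrix:
    """Subjects as rows, objects as columns, a set of rights in each occupied cell.

    Only occupied cells are stored, so the sparse matrix costs memory only for
    the access that is actually granted; an absent cell means no access.
    """

    def __init__(self, subjects: Iterable[str], objects: Iterable[str]) -> None:
        self.subjects = list(subjects)
        self.objects = list(objects)
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        if subject not in self.subjects or obj not in self.objects:
            raise KeyError(f"unknown subject or object: {subject!r}, {obj!r}")
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._cells.get((subject, obj))
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:                      # empty cell: drop it to keep the matrix sparse
            del self._cells[(subject, obj)]

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Default deny: a right is held only if it sits in the subject's cell for the object."""
        return right in self._cells.get((subject, obj), ())

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Column view: the access control list of one object."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        """Row view: everything one subject may do."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject}

    def sparsity(self) -> float:
        """Fraction of cells that are empty (1.0 would mean nobody can access anything)."""
        return 1 - len(self._cells) / (len(self.subjects) * len(self.objects))

    def render(self) -> str:
        """Text grid in the style of the figure: the initial letter of each right at an intersection."""
        width = max(len(s) for s in self.subjects) + 1
        lines = [" " * width + " ".join(f"{o:>12}" for o in self.objects)]
        for s in self.subjects:
            row = [f"{''.join(sorted(c[0] for c in self._cells.get((s, o), ()))) or '-':>12}"
                   for o in self.objects]
            lines.append(f"{s:<{width}}" + " ".join(row))
        return "\n".join(lines)


def build_example() -> AccessMatrix:
    """Constructed sample: three subjects, four objects, rights following least privilege."""
    m = AccessMatrix(["alice", "bob", "backup"],
                     ["payroll.db", "report.txt", "webapp", "memory:seg7"])
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("alice", "webapp", "execute")
    m.grant("bob", "report.txt", "read")
    m.grant("backup", "payroll.db", "read")
    return m


if __name__ == "__main__":
    m = build_example()
    print(m.render())
    print("sparsity:", round(m.sparsity(), 2))
    print("bob may write payroll.db:", m.check("bob", "payroll.db", "write"))
```

With four of twelve cells occupied the sample matrix is two-thirds empty; every check against an empty cell fails, which is the default-deny behaviour least privilege requires.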

Trusted systems:

Monitoring and Management
