Network Security Assignment

Explain what firewalls are, the different types and how they can protect your network against various threats including DoS, unauthorised access, etc. Discuss how firewalls are implemented and select the appropriate one for this network.

A firewall is a software or hardware that acts as a barrier between internal (trusted) network and the external (untrusted) network. A firewall is a set of related programs that enforce an access control policy between 2 or more networks.Fir ewalls consist of a pair of mechanisms that perform two separate functions, one blocks traffic and the other permits traffic. Emphasis on blocking and permitting traffic is determined on what specifications are chosen. Firewalls designs range from simple s ingle solutions for small networks to multiple firewall designs for large networks.

Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls. Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router. A router is a device that receives packets from one network and forwards them to another network. In a packet filtering firewall each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the route r

level affords an initial degree of security at a low network layer. This type of firewall only works at the network layer however and does not support sophisticated rule based models. Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit -based filtering.

Static packet filtering firewalls works by filtering traffic at the network layer of the OSI model (IP layer of TCP/IP). Acts as layer 3 devices, uses filtering rules and ACLs to determine whether to deny or permit traffic based on source and destination IP addresses and port numbers plus packet type. Packet filtering firewalls are similar to packet filtering routers but offer additional benefits. Packet filtering are very scalable and application independent and have high performance standards.

Circuit Level firewalls Also known as Transparent firewalls, operates as a layer 2 device and behaves like a stealth firewall meaning it is seen as a router hop to connected devices. The security appliance connects the network on its inside and outside ports, however each interface resides on a separate VLAN. The characteristics of this firewall mode are y Supports two interfaces, usually an inside and an outside interface y Can run in single or multiple context mode y Packets are bridged by the security appliance from one VLAN to the other instead of being routed. y MAC lookups are performed rather than routing tables lookups With this firewall you can configure it to allow any traffic using extended ACL (IP traffic) or an Ethertype ACL (non -IP traffic). Without a specific ACL the only traffic allowed to pass through is address resolution protocol (ARP).

Application Layer firewalls Sometimes known as a proxy firewall, allows the greatest level of control and works across all 7 layers of the OSI model. This firewall filters traffic at layers 3, 4, 5, and 7 of the OSI model. It determines whether to allow communication between internal network and the internet by serving as an intermediary between them and there is no direct connection between inside or outside. The proxy server provides the only visible IP address on the outside. Advantages y Authenticates individuals not devices y Difficult to spoof and implement DoS attacks y Can monitor and filter application data y Provides detailed logging

Dynamic packet filtering firewalls Also known as a Stateful packet filter, this firewall is the most common and the most versatile firewall that works at the network layer. These firewalls operate at layers 3, 4, and 5 of the OSI model. This firewall maintains a state table that is part of the firewalls internal structure. If a packet has properties matching whats list in the table the firewall allows the packet to pass. Depending on the traffic flow the state table changes dynamically.

Uses of Stateful packet filtering Firewall

y y

y y

Primary means of defense Filtering unwanted, unnecessary or undesirable network traffic Intelligent first line of defense Routing devices that support this function may be used as a primary line of defense or as an added layer of security on perimeter routers Strengthens packet filtering Provides cost effective means to gain greater control over security than does packet filtering Improves routing performance Does not require a large number of port numbers to allow returning traffic back into the network. B y using the state table it can quickly determine whether a packet is returning, if not the filter table filters the traffic Defend against spoofing and DoS attacks This firewall tracks the state of the connection in the state table listing every connectio n or connectionless transaction. Tracking whether a packet belongs to an existing connection or from an unauthorized source lets the firewall allow only traffic from connections listed in the table. After the connection is removed from the state table the firewall does not allow any more from that device. Stateful can log more information than packet filter firewall , allowing them to track when a connection was setup how long it was up and when it was torn down making connections harder to spoof.

Implementation y Determine the access denial method to use . It is recommended you begin with a method that denies all access by default. In other words, start with a gateway that routes no traffic and is effectively a brick wall with no doors in it. Determine inbound access policy . If all of your Internet traffic originates on the LAN this may be quite simple. A straightforward NAT router will block all inbound traffic that is not in response to requests originating from within the LAN. As previously mentioned, the true IP addresses of hosts behind the firewall are never revealed to the outside world, making intrusion extremely difficult. Indeed, local host IP addresses in this type of configuration are usually non-public addresses, making it impossible to route traffic to them from the Internet. Packets coming in from the Internet in response to requests from local hosts are addressed to dynamically allocated port numbers on the public side of the NAT router. These change rapidly making it difficult or impossibl e for an intruder to make assumptions about which port numbers to use.

If your requirements involve secure access to LAN based services from Internet based hosts, then you will need to determine the criteria to be used in deciding when a packet originatin g from the Internet may be allowed into the LAN. The stricter the criteria, the more secure your network will be. Ideally you will know which public IP addresses on the Internet may originate inbound traffic. By limiting inbound traffic to packets originat ing from these hosts, you decrease the likelihood of hostile intrusion. You may also want to limit inbound traffic to certain protocol sets such as ftp or http. All of these techniques can be achieved with packet filtering on a NAT router. If you cannot kn ow the IP addresses that may originate inbound traffic, and you cannot use protocol filtering then you will need more a more complex rule based model and this will involve a stateful multilayer inspection firewall.
y Determine outbound access policy . If you only need access to the web, a proxy server may give a high level of security with access granted selectively to appropriate users. Outbound protocol filtering can also be transparently achieved with packet filtering and no sacrifice in security. I