What is a Firewall ?

In addition to protecting individual computers and servers attached to the network, it is important to
control traffic traveling to and from the network.

A Firewall is one of the most effective security tools available for protecting internal network users from
external threats. A firewall resides between two or more networks and controls the traffic between
them as well as helps prevent unauthorized access. Firewall products use various techniques for
determining what is permitted or denied access to a network.

 Packet Filtering - Prevents or allows access based on IP or MAC addresses

 Application / Web Site Filtering - Prevents or allows access based on the application. Websites
can be blocked by specifying a website URL address or keywords.
 Stateful Packet Inspection (SPI) - Incoming packets must be legitimate responses to requests
from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also
include the capability to recognize and filter out specific types of attacks such as DoS.

Firewall products may support one or more of these filtering capabilities. Additionally, Firewalls often
perform Network Address Translation (NAT). NAT translates an internal address or group of addresses
into an outside, public address that is sent across the network. This allows internal IP addresses to be
concealed from outside users.

Firewall products come packaged in various forms:

 Appliance-based firewalls - An appliance-based firewall is a firewall that is built-in to a dedicated

hardware device known as a security appliance.
 Server-based firewalls - A server-based firewall consists of a firewall application that runs on a
network operating system (NOS) such as UNIX, Windows or Novell.
 Integrated Firewalls - An integrated firewall is implemented by adding firewall functionality to
an existing device, such as a router.
 Personal firewalls - Personal firewalls reside on host computers and are not designed for LAN
implementations. They may be available by default from the OS or may be installed from an
outside vendor.

Using a Firewall
By placing the firewall between the internal network (intranet) and the Internet as a border device, all
traffic to and from the Internet can be monitored and controlled. This creates a clear line of defense
between the internal and external network. However, there may be some external customers that
require access to internal resources. A demilitarized zone (DMZ) can be configured to accomplish this.

The term demilitarized zone is borrowed from the military, where a DMZ is a designated area between
two powers where military activity is not permitted. In computer networking, a DMZ refers to an area of
the network that is accessible to both internal and external users. It is more secure than the external
network but not as secure as the internal network. It is created by one or more firewalls to separate the
internal, DMZ and external networks. Web servers for public access are frequently placed in a DMZ.

Single firewall configuration

A single firewall has three areas, one for the external network, the internal network, and the DMZ. All
traffic is sent to the firewall from the external network. The firewall is then required to monitor the
traffic and determine what traffic should be passed to the DMZ, what traffic should be passed internally,
and what should be denied altogether.

Two firewall configuration

In a two firewall configuration, there is an internal and external firewall with the DMZ located between
them. The external firewall is less restrictive and allows Internet user access to the services in the DMZ
as well as allowing a traffic that any internal user requested to pass through. The internal firewall is
more restrictive and protects the internal network from unauthorized access.
A single firewall configuration is appropriate for smaller, less congested networks. However, a single
firewall configuration does have a single point of failure and can be overloaded. A two-firewall
configuration is more appropriate for larger, more complex networks that handle a lot more traffic.

Many home network devices, such as integrated routers, frequently include multi-function firewall
software. This firewall typically provides Network Address Translation (NAT), Stateful Packet Inspection
(SPI) and IP, Application and web site filtering capabilities. They also support DMZ capabilities.

With the integrated router, a simple DMZ can be set up that allows an internal server to be accessible by
outside hosts. To accomplish this, the server requires a static IP address that must be specified in the
DMZ configuration. The integrated router isolates traffic destined to the IP address specified. This traffic
is then forwarded only to the switch port where the server is connected. All other hosts are still
protected by the firewall.

When the DMZ is enabled, in its simplest form, outside hosts can access all ports on the server, such as
80 (HTTP), 21 (FTP), and 110 (Email POP3), etc.

A more restrictive DMZ can be set up using the port forwarding capability. With port forwarding, ports
that should be accessible on the server are specified. In this case, only traffic destined for those port(s) is
allowed, all other traffic is excluded.
The wireless access point within the integrated router is considered part of the internal network. It is
important to realize that if the wireless access point is unsecured, anyone who connects to it is within
the protected part of the internal network and is behind the firewall. Hackers can use this to gain access
to the internal network and completely bypass any security.

Security Practise

Authentication, Authorization, and Accounting (AAA) is a three-step process used by network

administrators to make it difficult for attackers to gain access to a network.

Authentication requires users to prove their identity using a username and password. Authentication
databases are typically stored on servers that use the RADIUS or TACACS protocols.

Authorization gives users rights to access specific resources and perform specific tasks.

Accounting tracks which applications are used and the length of time that they are used.
For example, authentication acknowledges that a user named "student" exists and is able to log on.
Authorization services specify that user student can access host server XYZ using Telnet. Accounting
tracks that user student accessed host server XYZ using Telnet on a specific day for 15 minutes.

AAA can be used on various types of network connections. AAA requires a database to keep track of
user credentials, permissions, and account statistics. Local authentication is the simplest form of AAA
and keeps a local database on the gateway router. If an organization has more than a handful of users
authenticating with AAA, the organization must use a database on a separate server.

Access Control List and Port Filtering

Even with the use of AAA and encryption, there are still many different types of attacks that an ISP must
protect against. ISPs are especially vulnerable to denial-of-service (DoS) attacks, because the ISP may
host sites for many different registered domain names that may or may not require authentication.
Currently, there are three key types of DoS attacks.

DoS

A standard DoS attack is when a server or service is attacked to prevent legitimate access to that service.
Some examples of standard DoS attacks are SYN floods, ping floods, LAND attacks, bandwidth
consumption attacks, and buffer overflow attacks.

DDoS

A distributed denial-of-service (DDoS) attack occurs when multiple computers are used to attack a
specific target. The attacker has access to many compromised computer systems, usually on the
Internet. Because of this, the attacker can remotely launch the attack. DDoS attacks are usually the
same kinds of attacks as standard DoS attacks, except that DDoS attacks are run from many computer
systems simultaneously.

DRDoS

A distributed reflected denial-of-service (DRDoS) attack occurs when an attacker sends a spoofed, or
mock, request to many computer systems on the Internet, with the source address modified to be the
targeted computer system. The computer systems that receive the request respond. When the
computer systems respond to the request, all the requests are directed at the target computer system.
Because the attack is reflected, it is very difficult to determine the originator of the attack.
ISPs must be able to filter out network traffic, such as DoS attacks, that can be harmful to the operation
of their network or servers. Port filtering and access control lists (ACL) can be used to control traffic to
servers and networking equipment.

Port Filtering

Port filtering controls the flow of traffic based on a specific TCP or UDP port. Many server operating
systems have options to restrict access using port filtering. Port filtering is also used by network routers
and switches to help control traffic flow and to secure access to the device.

Access Control Lists

ACLs define traffic that is permitted or denied through the network based on the source and destination
IP addresses. ACLs can also permit or deny traffic based on the source and destination ports of the
protocol being used. Additonally, ICMP and routing update traffic can be controlled using ACLs.
Administrators create ACLs on network devices, such as routers, to control whether or not traffic is
forwarded or blocked.

ACLs are only the first line of defense and are not enough to secure a network. ACLs only prevent access
to a network; they do not protect the network from all types of malicious attacks.

Firewall
A firewall is network hardware or software that defines which traffic can come into and go out of
sections of the network and how traffic is handled.

ACLs are one of the tools used by firewalls. ACLs control which type of traffic is allowed to pass through
the firewall. The direction the traffic is allowed to travel can also be controlled. In a medium-sized
network, the amount of traffic and networking protocols needing to be controlled is quite large, and
firewall ACLs can become very complicated.

Firewalls use ACLs to control which traffic is passed or blocked. They are constantly evolving as new
capabilities are developed and new threats are discovered.

Different firewalls offer different types of features. For example, a dynamic packet filter firewall or
stateful firewall keeps track of the actual communication process occurring between the source and
destination devices. It does this by using a state table. When a communication stream is approved, only
traffic that belongs to one of these communication streams is permitted through the firewall. The Cisco
IOS Firewall software is embedded in the Cisco IOS software and allows the user to turn a router into a
network layer firewall with dynamic or stateful inspection.

Firewalls are constantly evolving as new capabilities are developed and new threats are discovered. The
more functionality embedded in a firewall, the more time it takes for packets to be processed.

Firewalls can provide perimeter security for the entire network and for internal local network segments,
such as server farms.

Within an ISP network or a medium-sized business, firewalls are typically implemented in multiple
layers. Traffic that comes in from an untrusted network first encounters a packet filter on the border
router. Permitted traffic goes through the border router to an internal firewall to route traffic to a
demilitarized zone (DMZ). A DMZ is used to store servers that users from the Internet are allowed to
access. Only traffic that is permitted access to these servers is permitted into the DMZ. Firewalls also
control what kind of traffic is permitted into the protected, local network itself. The traffic that is
allowed into the internal network is usually traffic that is being sent due to a specific request by an
internal device. For example, if an internal device requests a web page from an external server, the
firewall permits the requested web page to enter the internal network.

Some organizations can choose to implement internal firewalls to protect sensitive areas. Internal
firewalls are used to restrict access to areas of the network that need to have additional protection.
Internal firewalls separate and protect business resources on servers from users inside the organization.
Internal firewalls prevent external and internal hackers, as well as unintentional internal attacks and
malware.
IDS dan IPS
ISPs also have a responsibility to prevent, when possible, intrusions into their networks and the
networks of customers who purchase managed services. There are two tools often utilized by ISPs to
accomplish this.

Intrusion Detection System (IDS)

An IDS is a software- or hardware-based solution that passively listens to network traffic. Network traffic
does not pass through an IDS device. Instead, the IDS device monitors traffic through a network
interface. When the IDS detects malicious traffic, it sends an alert to a preconfigured management
station.

Intrusion Prevention System (IPS)

An IPS is an active physical device or software feature. Traffic travels in one interface of the IPS and out
the other. The IPS examines the actual data packets that are in the network traffic and works in real
time to permit or deny packets that want access into the network

IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following:
Router configured with Cisco IOS version IPS

Appliance (hardware) specifically designed to provide dedicated IDS or IPS services

Network module installed in an adaptive security appliance (ASA), switch, or router

IDS and IPS sensors respond differently to incidences detected on the network, but both have roles
within a network.

IDS solutions are reactive when it comes to detecting intrusions. They detect intrusions based on a
signature for network traffic or computer activity. They do not stop the initial traffic from passing
through to the destination, but react to the detected activity.

When properly configured, the IDS can block further malicious traffic by actively reconfiguring network
devices, such as security appliances or routers, in response to malicious traffic detection. It is important
to realize that the original malicious traffic has already passed through the network to the intended
destination and cannot be blocked. Only subsequent traffic is blocked. In this regard, IDS devices cannot
prevent some intrusions from being successful.
IDS solutions are often used on the untrusted perimeter of a network, outside of the firewall. Here the
IDS can analyze the type of traffic that is hitting the firewall and determine how attacks are executed.
The firewall can be used to block most malicious traffic. An IDS can also be placed inside the firewall to
detect firewall misconfigurations. When the IDS sensor is placed here, any alarms that go off indicate
that malicious traffic has been allowed through the firewall. These alarms mean that the firewall has not
been configured correctly.

IPS

Unlike IDS solutions, which are reactive, IPS solutions are proactive. They block all suspicious activity in
real time. An IPS is able to examine almost the entire data packet from Layer 2 to Layer 7 of the OSI
model. When the IPS detects malicious traffic, it blocks the malicious traffic immediately. The IPS then
sends an alert to a management station about the intrusion. The original and subsequent malicious
traffic is blocked as the IPS proactively prevents attacks.

An IPS is an intrusion detection appliance, not software. The IPS is most often placed inside the firewall.
This is because it can examine most of the data packet and, therefore, be used to protect server
applications if malicious traffic is being sent. The firewall typically does not examine the entire data
packet, whereas the IPS does. The firewall drops most of the packets that are not allowed, but may still
allow some malicious packets through. The IPS has a smaller number of packets to examine, so it can
examine the entire packet. This allows the IPS to immediately stop new attacks that the firewall was not
originally configured to deny. IPS can also stop attacks that the firewall is unable to deny based on
limitations of the firewall.