Network Security Using Firewalls
* * **
Robert Györödi , Cornelia Györödi , George Pecherle
Radu Lucaciu***
*
Associate professor Phd. Eng.,** Phd student, *** Student
Department of Computer Science, Faculty of Electrotehnics and Informatics, University of Oradea, Str. Universitatii 1, 410087,
Oradea, Romania
Phone: +40 (0) 259 408-226, E-Mail: cgyorodi@uoradea.ro, rgyorodi@rdsor.ro, gpecherle@uoradea.ro
Abstract. As networks increase in size and complexity,
security products are growing in sophistication and
security threats are becoming more ingenious. The usage
of security solutions has become inevitable for all
modern organisations. There is no perfect security, but
the idea is to make a network so hard to access, that it
doesn’t worth trying. One of the crucial components that
contribute to this security are firewalls. It is important to
prevent undesired data before it ever gets into the target
system. This is the job of firewalls and the article covers
this topic.
1. Introduction
Due to the ever increasing request for connectivity
and inter-human communications, the Internet has known
a booming growth in the last years. Even though it started
as a way to connect Universities through expensive circuit
switching methods, the following breakthroughs in
networking protocols as well as physical technologies
meant that Internet connectivity has become widely
available even to home users. Computer interconnections
have provided us with the means for quick
communications and great ways for sharing information.
These advantages, however, do not come without their
downsides. One might think this new, easy way to have
access to any site in the world is great, but one might also
notice that it has enabled shady, uninvited characters to
pop up and stick their noses into other people’s business.
Thus the need for security devices, meant to keep intruders
out as well as classified information in, has been
acknowledged as a very important part of managing a
network or site. Even if a site or network doesn’t have any
classified information to keep secret, many times a little
effort invested in network security can save huge amounts
of time spend trying to repair a malevolent person’s
actions against the site. From another point of view, even
if a network doesn’t have any information it wants to
protect, trouble could still arise from the network’s usage
as a 3rd party attacking clone. After all, nobody wants the
Internet Service Provider to suspend the site’s Internet
connection because attacks seem to be initiated from the
site itself [7][9].
38
one, but instead they are both communicating with the
proxy server.
There are quite a few ways to defend an internal
network like using a bastion-host, setting up a perimeter
network or using a firewall. However none of these
methods are complete solutions for security, each suffering
from different flaws. The best bet against a security breach
is using a combination of these techniques. It must be said
that a 100% breach resistant system is impossible to build.
The goal is to make breaching the system hard enough so
that the effort isn’t worth it.
2. Firewall techniques
The whole philosophy of the Internet is based on the
TCP/IP protocol. This protocol was designed as a set of
overlaying layers, each with a complete and specific role.
The four layers that compose the TCP/IP protocol are the
Application Layer (consisting of applications and services
that use the network), Host-to-Host Transport Layer
(providing end-to-end data delivery services), the Internet
layer (handling the routing of the data) and the Network
Access Layer (consisting of routines for addressing
physical elements)[15].
The fundamental TCP/IP communication unit is the
packet. The data that needs to be transmitted between two
hosts is broken down into small fragments [5]. To these
fragments each of the composing layers attaches a header.
A TCP/IP packet usually contains the source IP address
and port number, the destination IP address and port
number, the original data and various TCP/IP options [4].
Two different approaches are to be considered when
building a firewall. The first one, packet filtering, relies on
monitoring the source and destination fields in the IP
packet to determine whether a packet should be forwarded
or dropped. The second method is implemented using
proxy services. A proxy server runs on a dual-homed host
(a host connected simultaneously to two networks) and
acts as a intermediary between two hosts that want to
communicate to each other. This way, to each of the hosts
it seems they are directly communicating with the other

There are two forms of packet filtering. The first one,
the simplest, is filtering by address. This kind of filtering
permits control over the flow of packets based on the
source and/or destination address. Filtering by address is
Figure 1: The representation of a proxy service
This paper will focus on packet filtering theory and
it’s practical implementation.
As a packet travels from its source to its destination it
will have to pass through different network nodes. Each of
these nodes has an equipment, called a router, that
determines which way a packet should go to reach it’s
destination. Since a packet usually only contains the
destination and not the way to it, the routers have to
communicate between them to determine a route. This
communication between routers is done through specific
protocols like Routing Information Protocol or Open
Shortest Path First. A router that implements the packet
filtering technique determines not only where a packet
should go but also if it should be allowed to go.
Packet filtering allows control over the packet stream
based on their source address, destination address and
application protocols used to send the data.
Packet filtering has the following advantages:
• It is available in both hardware and software
implementations
• It is built-in in many routers
• It offers great leverage over an entire network.
One filter placed in a strategic choke-point can
protect an entire network
• It is transparent to the end-user
However, packet filtering isn’t flawless. Following are a
few disadvantages:
• Packets cannot be filtered based on the data they
contain
• It cannot be used to fully back trace an attack.
The logs can tell you the address where an attack
came from but not the user.
• There are protocols that are not suited for packet
filtering, such as some Remote Control Protocols
because they use random ports to connect to a
host.
39
vulnerable to forgery attacks where the attacker’s machine
assumes the identity of a trusted machine. The second way
of filtering is filtering by service. Filtering by service takes
into account not only the source/destination addresses but
the source and destination ports too.
Figure 2: Packet filtering
Packet filtering should be implemented in as many
routers as possible without having a noticeable effect on
the performance of a host/network. Also one should take
into account the maintenance issue. Having a big number
of routers that have to be maintained could raise problems.
3. The application
The primary goal of the programmer when designing
this application was to create a modular, efficient program,
that occupies a minimum of resources when running.
The vast majority of firewalls available on the market
today have a negative impact on the resources of the
system where it runs. The firewall that we developed is
minimal and it offers only filtering based on the IP address,
port and protocol, and not based on the service.
However, no filtering method is perfect. If we suppose
that a certain port will always be used by a certain service,
all connections from that port will be accepted. However,
to an attacker with admin rights on the system, it would be
quite easy to use a program that runs on that port.
To build the application layout and the user interface,
we have used the features of the Microsoft Foundation
Class (MFC) [11][12][13]. Based on this, the rest of the
application has been developed. The graphical user
interface is below:
 The Rules button from the interface will display a
dialog box to view the security rules. Right clicking any
rule will allow the user to manage them. Adding a new rule
is done through a dialog box. The two windows are
presented in figure 5 below:

Figure 3: The Graphical User Interface

Because a firewall should always run when the

computer is working, we considered that its permanent
presence on the dektop and also on the taskbar would be
unpleasant and it would just waste useful space. This
determined us to implement a window minimize model
that reduces the interface to a simple icon in the System
Tray. This icon offers a menu with a minimum of possible
actions. To see a menu with the actions that can be done,
right click the system tray icon. Figure 5: The dialog boxes for managing the rules

The Logs button will display a window that allows the

real time monitoring of the traffic through all network
interfaces. This screen in presented in figure 6 below:

Figure 4: The System Tray icon

In order to keep the resource consumption to a

minimum, instead of dealing with the packets itself, the
application programs the network interface to reject or
allow packets from specific addresses and ports, letting the
interface to deal with the packets.

To accomplish this, the program will iterate through

all the active networking interfaces on the computer, and
will create a filter.

When setting up a rule, the user can set the source

address and port, the destination address and port, the
protocol (can be selected from TCP, UDP, ICMP, All) and
action (Allow/Drop). For example, the following rule:
Source IP: 192.168.0.3; Source Port:1025; Destination IP:
0.0.0.0; Destination Port:0; Protocol: UDP; Action: Drop,
would drop all packets originating from 192.168.0.3 port Figure 6: The dialog box that monitors the
1025 and going to all other IP addresses. network traffic

40
 Some of the main classes from the project are:
CAboutDlg (that implements the About dialog box of the
application); CFirewallApp (the base class of the
application; at run-time, an object from this class is created
and then it gets the control); CMainFrame (this class
processes the messages received from the operating system
and it is responsible with the creation and management of
the visualization and document classes).
The OnAppExit() takes care of the normal program
exit. Also, because MFC doesn’t implement functions that
handle the SystemTray icons, we had to create such a
function: TrayMessage() creates and registers, or removes
the icon.
The function that actually implements the packet
filtering routine is StartFirewall(). PIP_ADAPTER_INFO
is a data structure containing specific data about each
network interface, and IP_ADDR_STRING is a data
structure for keeping an IP address as a string of
characters.
The modularity is implemented through the use of
plug-ins. The plug-in can be a collection of classes and/or
methods with a completely different functionality than that
of the original application. The module will be compiled to
a DLL file (Dynamic Link Library) and copied to the
Plugins subfolder of the application.
At startup, the program will check to see which plug-
ins are currently available, but none of the plug-ins are
loaded unless specifically requested by the user. This is
done in order to prevent malicious plug-ins that could
cause harm without the user being aware. After installing a
new plug-in the application needs to be restarted in order
to correctly detect the newly installed module.
A plugin can have any number of classes, but it is
necessary to contain these three functions. The
LoadPlugin() function receives a string of characters as a
parameter containing the full path to a plugin that is first
checked and then loaded into the memory.
To load plugins, it is necessary they are identified.
This is done by the LoadPluginsIntoList() function. This
will scan all subfolders from \Plugins to identify all
plugins.
Running a plugin can be done on user request by
selecting the corresponding plugin and then the Run
button. This will execute the void
CPluginDlgBar::OnButtonRunPlugins() function.
41
4. Conclusion
Packet filtering by itself is not flawless, but when
combined with other protection techniques it can be very
efficient. A good compromise must be found between the
security level and the amount of effort needed to setup and
maintain a firewall or security policy.
The application was designed to provide a passive
protection, meaning it will not scan the ports for services
trying to connect to the Internet and will only block or
allow packets based on the rules specifically set up by the
user. It should not be considered a perfect protection tool
and should not be used as the only protection device.
5. References
[1] Leonard Kleinrock, Information Flow in Large
Communication Nets, 1961, MIT
[2] Michael Hauben, The untold history of the
ARPANET, 1995, Univeristy of Columbia
[3] Steve Crocker, The Documentation Conventions
RFC, 1969
[4] Andrew S. Tanenbaum, Reţele de calculatoare,
Compter Press Agora, 1998
[5] Andrew S. Tanenbaum, Modern Operating
Systems, Prentice Hall, 1992
[6] Peter L. Kantor, History: USENET, Hudson
Valley Community College, 2003
[7] D. Brent Chapman, Elizabet D. Zwicky, Building
Internet Firewalls, O’Reilly, 1995
[8] Robert Gyorodi, Sisteme de operare Teorie şi
Aplicaţii, Ed. Universităţii din Oradea. 2000
[9] S&C Enterprises, Hacking secrets revealed, 2000
[10] Anonim, Maximum Security: A hacker’s guide to
protecting your Internet Site and Network, Macmillan
Computer Publishing, 1997
[11] Kate Gregory, Using Visual C++ 6 Special
Edition, Que, 1998
[12] Marshall Brain, Lance Lovette, Developing
Professional Applications in Windows 95 and NT Using
MFC, Prentice Hall, 1996
[13] MSDN Library Visual Studio 6.0, Microsoft,
2000
[14] Anonymous, Hacking into computer systems – A
beginner’s guide, 1998
[15] Cisco, Understanding TCP/IP
[16] Terry Dawson, Philip Hazel, Linux Network
Administrator’s Guide, O’Reilly 1993