
Firewalls

Stephen S. Yau

CSE 465-591, Fall 2006

DMZ

The DMZ (Demilitarized Zone) is a portion of a network that separates a
purely internal network from an external network.
The DMZ is where public servers and proxies should be located.

A proxy is an intermediate agent or server that acts on behalf of an
endpoint without allowing a direct connection between the two endpoints.
T1: ch23.3
T2: ch26.3


Firewalls

A firewall is a host that mediates access to a network, allowing and
disallowing certain types of access on the basis of a configured security
policy.
- Protects a network from external networks
- Blocks unwanted traffic and passes desirable traffic to and from both
  sides of the network

Examples:
- Allows: HTTP, mail
- Keeps out: suspected users, denial-of-service attacks, spam, viruses


T1: ch23.3.1
T2: ch26.3.1

Operations of Firewall


Firewalls in Different Layers

Network layer: Packet-Filtering Firewalls
- Concerned with routing of packets to their destinations
- Determine if a packet is from a permitted source to a permitted
  destination
Transport layer: Circuit-Level Firewalls
- Concerned with sessions of packets
- Need more knowledge of the packet header to make decisions on accepting
  or denying packets
Application layer: Application-Level Firewalls
- Concerned with the contents of packets
- Need information about the data to make decisions on accepting or
  denying packets
Further reading:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm

Packet Filtering Firewalls

A packet filtering firewall performs access control on the basis of
attributes of the packet headers, such as destination address, source
address, and options.
T1: ch23.3.1 T2: ch26.3.1
Whenever the network receives a packet, there are three possible actions:
- forward it to its destination
- block it
- return it to the sender
One of these actions is chosen according to a set of rules, usually in the
form of access control lists.
Rule  Source Address   Destination Address  Action
1     149.59.0.0/16    123.45.6.0/24        permit
2     149.59.34.0/24   123.45.0.0/16        deny
3     0.0.0.0/0        0.0.0.0/0            deny (default)

Packet Filtering Firewalls (cont.)

Factors which determine the actions:
- Source address
- Destination address
- Direction of traffic
Rules are applied top to bottom
Ordered from least restrictive to most restrictive
Packets are not scrutinized
Auditing is possible


An Example of Packet Filtering Firewall

(Figure: a network server acting as a firewall sits between the Local Network
(4.0.0.0/8) and Another Network (8.16.192.0/24). Its rules are:
Rule 1: 24.128.0.0/16 -> 4.0.0.0/8         deny
Rule 2: 64.248.128.0/24 -> 8.16.192.0/24   permit
...
Rule N: 34.128.0.0/16 -> 14.16.128.0/20    permit
Incoming packet [64.248.128.5, 8.16.192.7] is permitted; incoming packet
[24.128.34.8, 4.16.128.3] is denied.)
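As an added example (not part of the lecture), the top-to-bottom, first-match evaluation the slides describe, run over the rules in the figure above and over the three-row table from the earlier slide; it also shows why rule order matters, which the slides state but do not illustrate. The rule networks come from the slides; the function names and the extra test address are this example's own.

```python
import ipaddress

# Ordered access control list from the slide's figure:
# (source network, destination network, action). Rules are applied top to
# bottom, the first match wins, and the last rule is the default deny.
FIGURE_RULES = [
    ("24.128.0.0/16", "4.0.0.0/8", "deny"),           # Rule 1
    ("64.248.128.0/24", "8.16.192.0/24", "permit"),  # Rule 2
    ("34.128.0.0/16", "14.16.128.0/20", "permit"),   # Rule N
    ("0.0.0.0/0", "0.0.0.0/0", "deny"),              # default
]

# The three-row table from the earlier slide, kept in the slide's order.
TABLE_RULES = [
    ("149.59.0.0/16", "123.45.6.0/24", "permit"),
    ("149.59.34.0/24", "123.45.0.0/16", "deny"),
    ("0.0.0.0/0", "0.0.0.0/0", "deny"),
]

def filter_packet(src, dst, rules):
    """Return (action, rule_number) for a packet with the given addresses.

    Only header fields are examined, which is all a packet-filtering
    firewall does: the payload is not scrutinized. rule_number is 1-based
    to match the slide's numbering.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (src_net, dst_net, action) in enumerate(rules, start=1):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, number
    return "deny", None  # fail closed if the list has no catch-all rule

def audit_line(src, dst, rules):
    """Packet filters can log their decisions; this builds one audit record."""
    action, number = filter_packet(src, dst, rules)
    return f"{src} -> {dst}: {action} (rule {number})"

if __name__ == "__main__":
    # The two incoming packets drawn in the figure.
    print(audit_line("64.248.128.5", "8.16.192.7", FIGURE_RULES))  # permit, rule 2
    print(audit_line("24.128.34.8", "4.16.128.3", FIGURE_RULES))   # deny, rule 1
    # Ordering matters: this source lies inside the table's deny range
    # 149.59.34.0/24, but the broader permit rule above it matches first.
    print(audit_line("149.59.34.5", "123.45.6.9", TABLE_RULES))   # permit, rule 1
    print(audit_line("149.59.34.5", "123.45.7.9", TABLE_RULES))   # deny, rule 2
```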

Circuit-Level Firewalls

- Validates sessions before opening connections (handshakes)
- Once a connection is made, all packets related to that connection pass
- Packets are not scrutinized
- No direct connections with other networks without validation


Circuit-Level Firewalls (cont.)

Establishes two connections:
- Between client and firewall
- Between firewall and server
Implemented using sockets (IP address + port number)
Manipulating an established connection is easy
Packets are not scrutinized
Auditing is possible


An Example of Circuit-Level Firewall

Network News Transfer Protocol (NNTP):
- The NNTP server connects to the firewall
- Internal systems' NNTP clients connect to the firewall
- The circuit-level firewall simply passes bytes between the systems

(Figure: Internal Systems (NNTP clients) -- Circuit-Level Firewall (Choke
Point) -- External Servers (NNTP news providers))



Application-Level Firewalls

An application-level firewall (also called a proxy firewall) uses proxies to
perform access control.
- Acts as a proxy server, evaluates requests and decides according to
  security concerns
- Two connections per session
- All packets are scrutinized
- Auditing is possible
T1: ch23.3.1
T2: ch26.3.1


Application-Level Firewalls (cont.)

Access control is based on the contents of packets and messages, as well as
on attributes of packet headers.
Does not allow direct connections between two endpoints through a proxy
firewall.

(Figure: incoming packets enter at the network layer, rise to the
application-level proxy, where applications and accept/deny rules are
applied, and leave as outgoing packets at the network layer.)

An Example of Application-Level Firewall

Simple Mail Transfer Protocol (SMTP) Proxies
- SMTP application proxies are configured to allow only necessary SMTP
  commands, such as helo, mail from: and rcpt to:, to pass through the
  firewall
- Stop the expn command, which tries to expand a mailing list
- Stop the vrfy command, which tries to verify that an account exists
- The above are used by attackers and spammers to enumerate e-mail
  accounts
- MIME type and message size can also be used to filter traffic


An Example of Application Level Firewall (cont.)

(Figure: a network server implements an application firewall for
SMTP/POP/IMAP in front of the local network's mail clients. Deny: expn,
vrfy. Allow: helo, mail from:. An incoming/outgoing SMTP request <expn> is
denied; incoming/outgoing mail <helo>;<mail from:> is permitted.)
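As an added example (not the lecture's or any product's code), a minimal command filter for the SMTP proxy described above: it forwards only allow-listed verbs, answers expn and vrfy itself so the real server never sees them, and applies the message-size and MIME-type checks the slide mentions. The DATA and QUIT verbs in the allow-list, the size limit and the blocked MIME types are assumptions chosen for this example.

```python
import re

# Allow-list of SMTP verbs the proxy relays to the real server. The slide names
# helo, mail from: and rcpt to: as necessary; DATA and QUIT are added here
# (assumption) so a message can be delivered and the session closed. Anything
# else, including the enumeration verbs EXPN and VRFY, is answered by the proxy
# itself and never reaches the server.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "QUIT"}

# Content checks the slide mentions: message size and MIME type. Both values are
# constructed for this example, not taken from the slides.
MAX_MESSAGE_BYTES = 10 * 1024 * 1024
BLOCKED_TYPES = {"application/x-msdownload", "application/hta"}

_VERB_RE = re.compile(r"^([A-Za-z]+)")

def filter_command(line):
    """Decide on one SMTP command line from the client.

    Returns (decision, reply): 'forward' relays the line to the server, while
    'reject' means the proxy sends the reply to the client itself.
    """
    match = _VERB_RE.match(line.strip())
    if not match:
        return "reject", "500 Syntax error, command unrecognized"
    verb = match.group(1).upper()
    if verb in ALLOWED_VERBS:
        return "forward", None
    return "reject", f"502 Command not implemented: {verb}"

def filter_message(headers, size):
    """Apply the size and MIME-type checks to a complete message."""
    if size > MAX_MESSAGE_BYTES:
        return "reject", "552 Message size exceeds fixed maximum message size"
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES:
        return "reject", f"554 Content type not permitted: {ctype}"
    return "forward", None

def proxy_log(lines):
    """Audit trail an application-level proxy could keep: one record per command."""
    return [(line, *filter_command(line)) for line in lines]

if __name__ == "__main__":
    # Constructed client transcript mixing permitted and enumeration commands.
    for record in proxy_log(["HELO mail.example", "VRFY root", "EXPN staff",
                             "mail from:<alice@example.com>", "QUIT"]):
        print(record)
```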

An Example of Using Firewalls

Requirements of the Drib Corporation:

- The Drib wants the public to be able to access its web server and mail
  server, and no other services.
- The Drib wishes to check all incoming e-mail for computer viruses and all
  incoming web connections for attacks.
- The Drib has sensitive data which it does not want outsiders to see.
- The Drib allows file sharing among its systems. It does not want the
  packets containing sensitive information to leak to the Internet.
T1: ch23.3 T2: ch26.3


An Example of Using Firewalls (cont.)

Desirable Network Infrastructure
- The public entities should be confined to the DMZ area.
- The outer firewall presents an interface between the DMZ and the
  Internet that allows connections to the WWW service (HTTP and HTTPS) and
  to the electronic mail (SMTP) service.
- Proxies with virus and attack scanning programs should be implemented
  at the outer firewall.
- The Drib's most sensitive data and systems should reside in the internal
  network.
- The inner firewall, sitting between the DMZ and the internal network,
  blocks all traffic except that specifically authorized to enter the
  internal network.


An Example of Using Firewalls (cont.)

(Figure: Network designed for the Dribble Corporation. The Internet connects
to the Outer Firewall; behind it the DMZ holds the mail server, web server
and DNS server; the Inner Firewall separates the DMZ from the INTERNAL
network, which holds the corporate data subnet, customer data subnet,
internal mail server, internal DNS server and development subnet.)

An Example of Using Firewalls (cont.)

Outer firewall configuration
(Figure: Internet -- Outer Firewall -- DMZ with mail server and web server)

The outer firewall is a proxy-based firewall.
When an e-mail connection is initiated, the mail proxy on the firewall
collects the mail and analyzes it for computer viruses and other forms of
malicious logic. If none is found, it forwards the mail to the DMZ mail
server.
Similarly, when a web connection arrives, the web proxy scans the message
for any suspicious components; if none is found, it forwards the message to
the DMZ web server.

An Example of Using Firewalls (cont.)

Inner firewall configuration
(Figure: DMZ -- Inner Firewall -- INTERNAL network with corporate data
subnet, customer data subnet, internal mail server, internal DNS server and
development subnet)

The inner firewall is also a proxy-based firewall.
Mail connections through the inner firewall are allowed, and all e-mail is
sent to the DMZ mail server for disposition.
Packets containing sensitive information (detected by the proxies in the
inner firewall) are not allowed to reach the DMZ.
All other traffic, including web access, is blocked.

Choosing a Firewall

- What OS is required, and what other OSs are supported?
- How much CPU/RAM/disk space does it need?
- What is the authentication scheme?
- Does it support logging?
- What hardware is provided?
- What software is provided?
- What is the cost of installing and operating the firewall?
- What other features are there?


Firewall Design Criteria

Organizations deciding to use firewalls must analyze their security needs.
Potential risks and threats must be contemplated.
The following considerations may affect the design and extensiveness of the
implementation of firewalls:
- Organizational policies
- What level of access control does management want?
- The desired level of monitoring and access must be determined.
- What level of risk is the organization willing to accept?


Firewall Design Criteria (cont.)

- A checklist of what messages should be monitored, permitted and denied
  must be established.
- The cost of various firewall programs, including on-going maintenance,
  must be considered against the potential threat. What would be the
  potential cost/damage of attacks on the system from outside?
- The number, placement, and types of firewalls to be used must be
  determined.
- Firewalls should have packet filtering, circuit-level controls, and
  application-level proxies in order to provide effective security.
- What is the estimated overhead of using the selected firewalls?


Some Commercially Available Firewalls

Hardware
  Linksys Etherfast Cable/DSL Firewall Router, Microsoft MN-100, D-Link
  Express EtherNetwork
Mac OS X servers
  DoorStop Server Firewall, Firewall X2, Impasse, IPNetSentry, Net Barrier
Linux
  IP tables, SINUS, ipchains
Windows
  BlackICE, Kerio, McAfee, Norton Personal Firewall, Outpost, Sygate,
  Terminet, and ZoneAlarm


References

Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004,
ISBN 0321247442
Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002,
ISBN 0201440997
M. Merkow, J. Breithaupt, Information Security: Principles and Practices,
Prentice Hall, August 2005, 448 pages, ISBN 0131547291
J. G. Boyce, D. W. Jennings, Information Assurance: Managing Organizational
IT Security Risks, Butterworth-Heinemann, 2002, ISBN 0-7506-7327-3
http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html
