CS 772
Fall 2011
Firewalls
• A software or hardware component that restricts network
communication between two computers or networks.
• In buildings, a firewall is a fireproof wall that restricts the
spread of a fire.
– A network firewall prevents threats from spreading from
one network to another.
• Prevents specific types of information from moving
between the outside world (untrusted networks) and the
inside world (trusted networks).
• The firewall may be a separate computer system, a software
service running on an existing router or server, or a separate
network containing a number of supporting devices.
Types of Firewall
• Software firewalls
New-generation operating systems come with built-in
firewalls, or you can buy firewall software for the
computer that accesses the internet or acts as the
gateway to your home network.
• Hardware firewalls
Hardware firewalls are usually routers with a built-in
Ethernet card and hub. The computer or computers on
your network connect to this router and access the web.
Internet Firewalls
What Firewalls Do
Protect the resources of an internal network.
- Restrict external access.
- Log network activities.
- Intrusion detection
- DoS
- Act as intermediary
- Centralized security management
• Carefully administer one firewall to control the internet
traffic of many machines.
• Internal machines can be administered with less
care.
Types of Firewalls (General)
Firewall Rules
• Firewall rules can be customized to your needs, requirements and
security threat levels. You can create or disable firewall filter rules based on
conditions such as:
• IP addresses
Blocking a certain IP address or a range of IP addresses that you consider
hostile.
• Domain names
You can allow only certain specific domain names to access your
systems/servers, or allow access only to some specified types of domain
names or domain name extensions such as .edu or .mil.
Firewall Rules
• Protocols
A firewall can decide which systems may use, or be reached over,
common protocols such as IP, SMTP, FTP, UDP, ICMP, Telnet or SNMP.
• Ports
Blocking or disabling ports on servers that are connected to the internet
helps maintain the kind of data flow you want the server used for and also
closes possible entry points for attackers or malicious software.
• Keywords
Firewalls can also sift through the data flow for matches on keywords
or phrases, blocking offensive or unwanted data from flowing in.
There are three subsets of packet filtering firewalls:
- static filtering
- dynamic filtering
- stateful inspection
Static filtering
- requires that the filtering rules governing which packets are allowed and
which are denied be fixed in advance.
- This type of filtering is common in network routers and gateways.
Dynamic filtering
- allows the firewall to create rules in reaction to an event.
- This reaction could be positive, as in allowing an internal user
to engage in a specific activity upon request, or negative, as in
dropping all packets from a particular address.
Stateful inspection
- keeps track of each network connection between internal
and external systems using a state table.
- A state table tracks the state and context of each packet in
the conversation by recording which station sent what
packet and when.
- More complex than their constituent component firewalls.
- Nearly all modern firewalls on the market today are stateful.
Stateful Inspection Firewalls
Basic Weaknesses Associated with Packet Filters / Stateful Inspection
• They cannot prevent attacks that employ application-
specific vulnerabilities or functions.
• Logging functionality present in packet filter firewalls
is limited
• Most packet filter firewalls do not support advanced
user authentication schemes.
• Vulnerable to attacks and exploits that take
advantage of problems within the TCP/IP specification
and protocol stack, such as network layer address
spoofing.
• Susceptible to security breaches caused by improper
configurations.
Packet Filtering Summary
Advantages:
– One packet filter can protect an entire network
– Efficient (requires little CPU)
– Supported by most routers
Disadvantages:
– Difficult to configure correctly
  • Must consider the rule set in its entirety
– Difficult to test completely
– Performance penalty for complex rule sets
  • Stateful packet filtering is much more expensive
– Enforces ACLs at layers 3 and 4, without knowing any application
details
Packet Filtering Firewalls
• The original firewall
• Works at the network level of the OSI model
• Applies packet filters based on access rules:
– Source IP address
– Destination IP address
– Application or protocol
– Source port number
– Destination port number
Types of Firewalls
1- packet filtering firewalls
2- application gateways:
Disadvantages:
• Complex configuration.
• Limited in terms of support for new network applications and
protocols.
• Speed!
3- circuit gateways:
– Stateful firewall
– Stateless firewall
Types of Firewalls ..cont
Stateful firewall
[Figure: example packet-filter rule table for FTP (port 21) between {our hosts}
and external hosts, including a rule for data traffic in passive mode]
Stateful Inspection
• Example E shows that >1024 ports need to be opened
– not only due to FTP; all services have such a structure
• <1024 ports are for servers; a client using a service should use a
local port number between 1024 and 16383
• So the firewall should keep track of the currently
opened >1024 ports
• A stateful inspection firewall keeps track of outbound
TCP connections with their local port numbers in a table
and allows inbound traffic to >1024 ports only if there is an
entry in that table (see next slide for an example
table)
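The table-driven rule in the last bullet, as an added Python example that is not code from the slides: an internal client's outbound SYN from an ephemeral port creates an entry keyed on both endpoints, inbound packets to ports above 1024 are accepted only when they match an entry, and the entry is removed when the connection closes. The 10.0.0.0/8 internal network, the published-port list, the reduced TCP state machine and all addresses are constructed assumptions.

```python
"""Stateful inspection of inbound traffic to ephemeral (>1024) client ports.

Added example, not code from the slides: the connection table, its states and
the addresses are assumptions/constructed. Ports below 1024 are treated as
server ports reachable only if published; ports above 1024 are allowed in only
when an internal host opened the connection.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 16383   # slide: client local ports are 1024..16383
ConnKey = Tuple[str, int, str, int]          # (local ip, local port, remote ip, remote port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # simplified TCP flags: "SYN", "SYN-ACK", "ACK" or "FIN"


class StatefulFirewall:
    def __init__(self, internal_net: str, published_services: Iterable[int]):
        self.internal = ipaddress.ip_network(internal_net)
        self.published = set(published_services)      # server ports reachable from outside
        self.table: Dict[ConnKey, str] = {}           # the state table of the slide

    def _is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def _advance(self, key: ConnKey, pkt: Packet, inbound: bool) -> None:
        """Move a tracked connection through a reduced TCP state machine."""
        state = self.table[key]
        if inbound and pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
        elif pkt.flags == "FIN":
            if state == "HALF_CLOSED":
                del self.table[key]       # second FIN: forget the connection (final ACK not modelled)
            else:
                self.table[key] = "HALF_CLOSED"

    def outbound(self, pkt: Packet) -> bool:
        """Internal host -> outside. A SYN from an ephemeral local port opens a table entry."""
        if not self._is_internal(pkt.src_ip):
            return False
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.flags == "SYN" and EPHEMERAL_MIN <= pkt.src_port <= EPHEMERAL_MAX:
            self.table[key] = "SYN_SENT"
            return True
        if key not in self.table:
            return False
        self._advance(key, pkt, inbound=False)
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> internal host. Ephemeral ports are open only for connections in the table."""
        if not self._is_internal(pkt.dst_ip):
            return False
        if pkt.dst_port < EPHEMERAL_MIN:
            return pkt.dst_port in self.published     # static rule for published server ports
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            return False                              # unsolicited: no internal host asked for it
        self._advance(key, pkt, inbound=True)
        return True


def ftp_control_demo() -> Tuple[bool, bool, bool, bool]:
    """The slide's FTP case: control connection to port 21 from local port 1500 (constructed)."""
    fw = StatefulFirewall("10.0.0.0/8", published_services=[25])
    client, server, other = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    opened = fw.outbound(Packet(client, 1500, server, 21, "SYN"))     # creates the table entry
    reply = fw.inbound(Packet(server, 21, client, 1500, "SYN-ACK"))   # matches the entry: allowed
    forged = fw.inbound(Packet(other, 21, client, 1500, "ACK"))       # same local port, other peer: dropped
    fw.outbound(Packet(client, 1500, server, 21, "FIN"))
    fw.inbound(Packet(server, 21, client, 1500, "FIN"))               # connection closed, entry removed
    after = fw.inbound(Packet(server, 21, client, 1500, "ACK"))       # nothing in the table: dropped
    return opened, reply, forged, after


if __name__ == "__main__":
    print(ftp_control_demo())   # (True, True, False, False)
```

Note what this logic does with FTP's active-mode data connection: the server opens it from its port 20 to an ephemeral port on the client, so there is no outbound SYN and no table entry, and the packet is dropped. A stateful firewall needs an FTP-aware helper that reads the PORT command to open that entry, which is why the slide's example table treats passive-mode data traffic (client-initiated, so it fits the rule above) separately.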
Stateful Inspection
Packet-filtering Router
• Advantages:
– Simplicity
– High speed
– Transparency to users
• Disadvantages:
– Difficulty of setting up packet filter rules
• configuration is error-prone
– a port is either open or closed; no application-layer
flexibility
– IP address spoofing
• attacker uses an internal IP address and hopes that the packet
penetrates into the system
• countermeasure: do not accept internal IPs from the external
interface
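A stateless filter of the kind described in the Packet Filtering Firewalls slides (rules on source and destination address, protocol and ports, first match wins, default deny) together with the anti-spoofing countermeasure from the last bullet, as an added Python example that is not code from the slides. It also illustrates the earlier point that the rule set must be considered in its entirety: moving a broad allow rule in front of the telnet deny reverses the decision. The 192.168.1.0/24 network, the interface names and the rule set are constructed assumptions.

```python
"""Stateless packet filter at layers 3/4: first-match rule list, default deny,
plus the slide's anti-spoofing check on the external interface.

Added example, not code from the slides: the rule format, interface names,
addresses and rule set are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]                    # inclusive range; None means any port
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed internal network


@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet arrived on: "ext" or "int"
    proto: str                       # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for protocols without ports (icmp)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_port: PortRange = None
    dst_port: PortRange = None

    def matches(self, pkt: Packet) -> bool:
        """Layer 3/4 match only: the filter knows nothing about the application."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        for want, have in ((self.src_port, pkt.src_port), (self.dst_port, pkt.dst_port)):
            if want is not None and (have is None or not want[0] <= have <= want[1]):
                return False
        return True


def is_spoofed(pkt: Packet) -> bool:
    """Slide's countermeasure: an internal source address must never arrive on the external interface."""
    return pkt.iface == "ext" and ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). The first matching rule decides; no match means deny."""
    if is_spoofed(pkt):
        return "deny", "anti-spoof"
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}"
    return "deny", "default"


# Constructed rule set: publish a web and a mail server on 192.168.1.10, forbid
# telnet everywhere, let internal hosts initiate anything else, deny the rest.
RULES = [
    Rule("allow", "tcp", dst="192.168.1.10/32", dst_port=(80, 80)),
    Rule("allow", "tcp", dst="192.168.1.10/32", dst_port=(25, 25)),
    Rule("deny", "tcp", dst_port=(23, 23)),
    Rule("allow", "tcp", src="192.168.1.0/24"),
]


def ordering_pitfall() -> Tuple[str, str]:
    """Same rules, but an allow for a new host inserted at the top without re-reading
    the whole set: the telnet deny never gets a chance to match."""
    telnet = Packet("ext", "tcp", "203.0.113.5", "192.168.1.20", 40000, 23)
    broad_first = [Rule("allow", "tcp", dst="192.168.1.20/32")] + RULES
    return filter_packet(RULES, telnet)[0], filter_packet(broad_first, telnet)[0]


if __name__ == "__main__":
    print(filter_packet(RULES, Packet("ext", "tcp", "203.0.113.5", "192.168.1.10", 40000, 80)))
    print(filter_packet(RULES, Packet("ext", "tcp", "192.168.1.7", "192.168.1.10", 40000, 80)))
    print(ordering_pitfall())   # ('deny', 'allow')
```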
Application-level Gateway
• Application-level Gateway (proxy server)
– Acts as a relay of application-level traffic
• Proxy obtains application-specific information from the
user and relays it to the server
– Optionally authenticates the users
• Only allowable applications can pass through
– Feature-based processing is possible
• Additional processing overhead on each connection
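An added Python example, not code from the slides, of the application-level checks a proxy can make precisely because it parses the protocol: method, Host header, user credentials and body size of an HTTP request are all invisible to a layer-3/4 packet filter. The allow-lists, the credential table, the Basic-auth handling and the sample requests are constructed assumptions.

```python
"""Application-level gateway (proxy) deciding whether to relay an HTTP request.

Added example, not code from the slides: unlike a layer-3/4 packet filter, the
proxy parses the application protocol, so it can enforce method, host and user
policy. The allow-lists, the credential table and the requests are constructed.
"""
import base64
import hmac
from typing import Dict, Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}  # constructed allow-list
VALID_USERS = {"alice": "s3cr3t"}                        # constructed; a real proxy would store hashes
MAX_BODY = 1_000_000                                     # bytes of request body the proxy will relay


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x request parser returning (method, target, headers).
    Raises ValueError on anything it does not understand."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")           # UnicodeDecodeError is a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("bad request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Check HTTP Basic credentials in Proxy-Authorization; return the user name or None."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(cred, validate=True).decode("utf-8").partition(":")
    except ValueError:                                   # covers binascii.Error and decode errors
        return None
    expected = VALID_USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def proxy_decision(raw: bytes) -> Tuple[bool, str]:
    """Return (relay, reason): relayed only if every application-level check passes."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return False, "malformed request"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowed"
    user = authenticate(headers)                         # slide: "optionally authenticates the users"
    if user is None:
        return False, "proxy authentication failed"
    try:
        if int(headers.get("content-length", "0")) > MAX_BODY:
            return False, "body too large"
    except ValueError:
        return False, "bad content-length"
    return True, f"relay {method} {target} to {host} for {user}"


def build_request(method: str, target: str, host: str, user: str, password: str,
                  body: bytes = b"") -> bytes:
    """Construct a sample request with Basic proxy credentials (test input, not a client)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    head = (f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
            f"Proxy-Authorization: Basic {cred}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


if __name__ == "__main__":
    for req in (build_request("GET", "/index.html", "www.example.com", "alice", "s3cr3t"),
                build_request("DELETE", "/index.html", "www.example.com", "alice", "s3cr3t"),
                build_request("GET", "/", "other.example.net", "alice", "s3cr3t")):
        print(proxy_decision(req))
```

The cost the slide mentions is visible in the code: every connection is parsed and checked before a single byte is relayed, and a new application protocol needs a new parser and policy before the gateway can carry it at all.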