
Firewalls

CS 772
Fall 2011
Firewalls
• A software or hardware component that restricts network
communication between two computers or networks.
• In buildings, a firewall is a fireproof wall that restricts the
spread of a fire.
– Network firewall prevents threats from spreading from
one network to another
• Prevent specific types of information from moving
between the outside world (untrusted networks) and the
inside world (trusted networks)
• The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices.
Types of Firewall
• Software firewalls
– New-generation operating systems come with built-in firewalls, or you can buy firewall software for the computer that accesses the internet or acts as the gateway to your home network.
• Hardware firewalls
– Hardware firewalls are usually routers with a built-in Ethernet card and hub. Your computer or computers on your network connect to this router & access the web.
Internet Firewalls
What Firewalls do
Protects the resources of an internal network.
- Restrict external access.
- Log network activities.
- Intrusion detection
- DoS
- Act as intermediary
- Centralized Security Management
• Carefully administer one firewall to control internet traffic of many machines.
• Internal machines can be administered with less care.
Types of Firewalls (General)
• Firewall types can be categorized depending on:
– The function or methodology the firewall uses
– Whether the communication is being done between a single node and the network, or between two or more networks.
– Whether the communication state is being tracked at the firewall or not.
Types of Firewalls
2. With regard to the scope of filtered communications, i.e. whether the communication is done between a single node and the network, or between two or more networks, there exist:
– Personal Firewalls, a software application which normally filters traffic entering or leaving a single computer.
– Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks.
Firewall categorization methods
1- The function or methodology the firewall uses
Five processing modes that firewalls can be categorized by are:
1. packet filtering
2. application gateways
3. circuit gateways
4. MAC layer firewalls
5. hybrids
1- packet filtering:
• Examines the header information of data packets that come into a network.
• A packet filtering firewall is installed on a TCP/IP based network and determines whether to drop a packet or forward it to the next network connection based on the rules programmed in the firewall.
• Packet filtering firewalls scan network data packets looking for violations of the rules in the firewall's database.
• Filtering firewalls inspect packets at the network layer.
• If the device finds a packet that matches a restriction, it stops the packet from traveling from one network to another.
Packet Filtering (cont)
• filters packet-by-packet, decides to Accept/Deny/Discard
packet based on certain/configurable criteria – Filter
Rule sets.
• Typically stateless: do not keep a table of the
connection state of the various traffic that flows through
them
• Not dynamic enough to be considered true firewalls.
• Usually located at the boundary of a network.
• Their main strength points: Speed and Flexibility.
Firewall Rules
• Firewall rules can be customized as per your needs, requirements & security threat levels. You can create or disable firewall filter rules based on such conditions as:
• IP Addresses
Blocking off a certain IP address or a range of IP addresses, which you think are predatory. What is my IP address? Where is an IP address located?
• Domain names
You can only allow certain specific domain names to access your systems/servers, or allow access to only some specified types of domain names or domain name extensions like .edu or .mil.
Firewall Rules
• Protocols
A firewall can decide which of the systems can allow or have access to common protocols like IP, SMTP, FTP, UDP, ICMP, Telnet or SNMP.
• Ports
Blocking or disabling ports of servers that are connected to the internet will help maintain the kind of data flow you want to see it used for & also close down possible entry points for hackers or malignant software.
• Keywords
Firewalls also can sift through the data flow for a match of the keywords or phrases to block out offensive or unwanted data from flowing in.
* There are three subsets of packet filtering firewalls:
- static filtering
- dynamic filtering
- stateful inspection
– Static filtering:
- requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied.
- This type of filtering is common in network routers and gateways.
– Dynamic filtering
- allows the firewall to create rules to deal with an event.
- This reaction could be positive, as in allowing an internal user to engage in a specific activity upon request, or negative, as in dropping all packets from a particular address.
– Stateful inspection
- keeps track of each network connection between internal and external systems using a state table.
- A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when.
- More complex than their constituent component firewalls
- Nearly all modern firewalls in the market today are stateful
Stateful Inspection Firewalls
Basic Weaknesses Associated with Packet Filters \ Stateful
• They cannot prevent attacks that employ application-
specific vulnerabilities or functions.
• Logging functionality present in packet filter firewalls
is limited
• Most packet filter firewalls do not support advanced
user authentication schemes.
• Vulnerable to attacks and exploits that take
advantage of problems within the TCP/IP specification
and protocol stack, such as network layer address
spoofing.
• Susceptible to security breaches caused by improper
configurations.
Packet Filtering Summary
Advantages:
– One packet filter can protect an entire network
– Efficient (requires little CPU)
– Supported by most routers
Disadvantages:
– Difficult to configure correctly
  Must consider rule set in its entirety
– Difficult to test completely
– Performance penalty for complex rulesets
  Stateful packet filtering much more expensive
– Enforces ACLs at layer 3 + 4, without knowing any application details
Packet Filtering Firewalls
• The original firewall
• Works at the network level of the OSI model
• Applies packet filters based on access rules:
– Source IP address
– Destination IP address
– Application or protocol
– Source port number
– Destination port number
Packet Filtering Firewalls
2- application gateways:
• Also known as a proxy server, since it runs special software that acts as a proxy for a service request.
• One common example of a proxy server is a firewall that blocks requests for, and responses to requests for, web pages and services from the internal computers of an organization.
• The primary disadvantage of application level firewalls is that they are designed for specific protocols and cannot easily be reconfigured to protect against attacks in other protocols.
• Application firewalls work at the application layer.
Application/Proxy Servers…cont
• Filters packets on application data as well as on IP/TCP/UDP fields.
• The interaction is controlled at the application layer
• A proxy server is an application that mediates traffic between two network segments.
• With the proxy acting as mediator, the source and destination systems never actually “connect”.
• Filtering Hostile Code: Proxies can analyze the payload of a packet of data and make a decision as to whether this packet should be passed or dropped.
Application/Proxy Servers…cont
• No proxy, no Internet application
• Typical proxies include:
• FTP
• SMTP, POP3
• Telnet
• DNS
• Http
Application/Proxy Servers…cont
Advantages:
• Extensive logging capability
• Allow security enforcement of user authentication.
• Less vulnerable to address spoofing attacks.
Disadvantages:
• Complex configuration.
• Limited in terms of support for new network applications and protocols.
• Speed!!
3- circuit gateways:
• Operates at the transport layer.
• Connections are authorized based on addresses; they prevent direct connections between one network and another.
• They accomplish this prevention by creating channels connecting specific systems on each side of the firewall and then allowing only authorized traffic.
circuit gateways ..cont
• relays two TCP connections (session layer)
• imposes security by limiting which such connections are allowed
• once created, usually relays traffic without examining contents
• Monitors handshaking between packets to decide whether the traffic is legitimate
• typically used when internal users are trusted, by allowing general outbound connections
• SOCKS commonly used for this
Circuit Level Firewalls Example
circuit gateways ..cont
Disadvantages
• Individual packets are not filtered.
• Access control mechanisms are needed, since logs can't catch all the abuses.
– Time limit on how long ports will last.
– List of permissible outside calls to the port.
• The other big problem is the need to provide new client programs.
• Code change issues include availability of application source code for various platforms, version control, distribution and more.
4- MAC layer firewalls:
• Designed to operate at the media access control layer.
• Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked.
5- Hybrid firewalls:
• Combine the elements of other types of firewalls, for example the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
• That means a hybrid firewall may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work together.
General Performance
Types of Firewalls
3. Finally, depending on whether the firewall keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:
– Stateful firewall
– Stateless firewall
Types of Firewalls ..cont
Stateful firewall
keeps track of the state of network connections (such as TCP streams) traveling across it.
A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection.
Types of Firewalls ..cont
Stateless firewall
Treats each network frame (packet) in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
The classic example is the File Transfer Protocol, because by design it opens new connections to random ports.
Advantages of a Firewall
• Stop incoming calls to insecure services
such as rlogin and NFS
• Control access to other services
• Control the spread of viruses
• Cost Effective
• More secure than securing every
system
Disadvantages of a Firewall
• Central point of attack
• Restrict legitimate use of the Internet
• Bottleneck for performance
• Does not protect the ‘back door’
• Cannot always protect against
smuggling
• Cannot prevent insider attacks
Firewalls have weaknesses
• Some security hackers boast there is not a single firewall that they cannot penetrate
• They cannot keep out data carried inside applications, such as viruses within email messages
• Although firewalls provide a high level of security in today's private networks to the outside world, we still need the assistance of other related security components in order to guarantee proper network security.
Firewalls categorized by development generation:
• First generation firewalls: are static packet filtering firewalls.
• Second generation firewalls: are application-level firewalls or proxy services.
• Third generation firewalls: are stateful inspection firewalls.
• Fourth generation firewalls: dynamic packet filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.
• Fifth generation firewalls: are kernel proxies.
Selecting the right firewall
The most important of these is the extent to which the firewall design provides the desired protection.
1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. How easy is it to set up and configure the firewall?
The second most important issue is cost.
Firewall Products Classification
• H/W – Platform
– Linux, Solaris, Windows, ….system.
– Proprietary (Nokia-Box, Cisco PIX)
• Perimeter Firewall
– Checkpoint
– PIX
– Sun SPF
• Software (Appliance)
– Checkpoint FireWall 1 (FW-1)
– NetGuard Guardian
• Stand Alone Box
– Satic Wall
– Watch Guard FireBox
– Netscreen
• Personal FireWall
– BlackICE
– Zone Alarm
THANK YOU
Introduction
• Any device, software, or arrangement that
limits network access.
• Categories:
– Packet filtering (Network level)
– Circuit gateways
– Application gateways
– Dynamic packet filter (Packet filter + circuit-
level gateway)
Packet Filters
• Runs at the network level
• Drop/permit packets based on their source or destination addresses or port#s
• No context is kept (memory less)---decision solely based on current packet contents
• Filtering may be done at the incoming interface, the outgoing interface, or both.
• Ingress filtering: refers to traffic coming into your organization
• Egress filtering: Outbound packet security is called egress filtering.
• Rules are applied from top to bottom. So the last rule should be to block all those that don't fit in the above rules.
Example rule table from the slide (columns as recoverable):
action src port dest port
block * * SPIGOT *
Allow OUR-GW *
Allow * * OUR-GW 25
Block * * * *
Example
• Intended policies:
– Limited connections are permitted through the router between GW and the outside world
– Very limited, but possibly different, connections are permitted between GW and anything on NET 2 or NET 3
– Anything can pass between NET 2 and NET 3
– Outgoing calls are allowed between NET 2 or NET 3 and the external link
[Figure: Outside world, Gateway Router, DMZ, Inside Net 1, Inside Net 2, Inside Net 3]
Example (cont.)
• Rule set for external interface at the router (that is, filtering packets coming in from the outside world)
Action Src Port Dest Port Flags comment
Block {NET 1} * * * Block forgeries
Block {NET 2} * * * Block forgeries
Block {NET 3} * * * Block forgeries
Allow * * GW 25 Legal calls
Allow * * {NET 2} * ACK Replies to our calls
Allow * * {NET 3} * ACK Replies to our calls
Example (cont.)
• Rule set on the router's interface to NET 1
Action Src Port Dest Port Flags comment
Allow GW * {partners} 25 Mail relay
Allow GW * {NET 2} * ACK Replies to inside calls
Allow GW * {NET 3} * ACK
Block GW * {NET 2} * Stop other calls from GW
Block GW * {NET 3} *
Allow GW * * * Let GW call the world
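The two rule sets above can be run as a small first-match filter, which makes the ordering point on the earlier slide concrete: the anti-spoofing rows have to sit above the "Legal calls" row, or a packet arriving from outside with an inside source address is accepted as mail. This is an added example written for this page, not code from the slides. The address plan is constructed (NET 1, NET 2 and NET 3 as 10.1/10.2/10.3.0.0/16, GW as 10.1.0.25, the partner mail hosts as 198.51.100.0/24), as are the Packet and Rule names; the two rows whose comment the slide leaves blank reuse the comment of the row above them.

```python
"""First-match packet filter over the slide's two example rule sets.

Added example, not from the deck. NETS is a constructed address plan:
the slides name the sets but give no prefixes."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETS = {
    "NET 1": ip_network("10.1.0.0/16"),
    "NET 2": ip_network("10.2.0.0/16"),
    "NET 3": ip_network("10.3.0.0/16"),
    "GW": ip_network("10.1.0.25/32"),
    "partners": ip_network("198.51.100.0/24"),   # documentation range
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    src: str = "*"           # "*" or a key of NETS
    sport: str = "*"         # "*" or a port number as text
    dst: str = "*"
    dport: str = "*"
    flags: str = "*"         # "*" or a TCP flag that must be set, e.g. "ACK"
    comment: str = ""


def _addr_match(name, addr):
    return name == "*" or ip_address(addr) in NETS[name]


def _port_match(spec, port):
    return spec == "*" or int(spec) == port


def matches(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport)
            and (rule.flags == "*" or rule.flags in pkt.flags))


def filter_packet(rules, pkt, default="block"):
    """Apply rules top to bottom; the first match decides, else the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return default, "default policy"


# External interface: packets arriving from the outside world.
EXTERNAL_RULES = [
    Rule("block", src="NET 1", comment="Block forgeries"),   # our own addresses
    Rule("block", src="NET 2", comment="Block forgeries"),   # never legitimately
    Rule("block", src="NET 3", comment="Block forgeries"),   # arrive from outside
    Rule("allow", dst="GW", dport="25", comment="Legal calls"),
    Rule("allow", dst="NET 2", flags="ACK", comment="Replies to our calls"),
    Rule("allow", dst="NET 3", flags="ACK", comment="Replies to our calls"),
]

# Router interface to NET 1: packets from GW heading inside or outside.
NET1_RULES = [
    Rule("allow", src="GW", dst="partners", dport="25", comment="Mail relay"),
    Rule("allow", src="GW", dst="NET 2", flags="ACK", comment="Replies to inside calls"),
    Rule("allow", src="GW", dst="NET 3", flags="ACK", comment="Replies to inside calls"),
    Rule("block", src="GW", dst="NET 2", comment="Stop other calls from GW"),
    Rule("block", src="GW", dst="NET 3", comment="Stop other calls from GW"),
    Rule("allow", src="GW", comment="Let GW call the world"),
]

if __name__ == "__main__":
    spoofed = Packet("10.2.5.5", 40000, "10.1.0.25", 25, frozenset({"SYN"}))
    print(filter_packet(EXTERNAL_RULES, spoofed))        # ('block', 'Block forgeries')
    # Swap the order and the same spoofed packet slips through as a legal call.
    print(filter_packet(EXTERNAL_RULES[3:] + EXTERNAL_RULES[:3], spoofed))
```

The flags column is only a "must be set" check, which is all the slide's ACK rule needs; a stateless filter accepting anything with ACK set is exactly the weakness the later stateful inspection slides address. The performance slide's advice also falls out of this loop: every packet walks the list until it hits a match, so fewer, network-wide rows with the common traffic near the top mean fewer comparisons per packet.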
Sample Configurations
Packet-filtering Performance
• Total degradation due to filtering depends on the number of rules applied at any point.
• It is better to have one rule specifying a network rather than several rules enumerating different hosts on that network.
• Also, speed things up by ordering the rules so that the most common types of traffic are processed first.
Application-level Filtering
• Deal with the details of the particular service
they are checking
• Special purpose code needed for each
application
• Easy to log and control all incoming and
outgoing traffic---e.g., checking mail message for
specific words.
• Web queries can be checked for conformance with organizational policies
• E-mail is generally passed through an
application-level filter
What Firewalls cannot do
• They are not a panacea
• Useless against attacks from insiders (legitimate
user with a bad intention)
• Firewalls act at a specific layer and are not
concerned about other layers
• Transitivity is a problem: If A trusts B, and B
trusts C, then A trusts C whether or not it wants.
• Errors in the rules or in the firewall itself are a serious threat.
Application-Level Filtering
• More complex than packet filters---look at the
details of the particular service they are checking
• Special code for each desired application
• Easy to control and log all incoming and outgoing
traffic
– Look for inappropriate or confidential words
– Check if web queries are in conformance with
company policies
– Strip dangerous attachments
– E-mail is usually passed through an application-level
gateway
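The two application-level filtering slides (and the "Keywords" item under Firewall Rules) describe decisions a packet filter cannot make, because they depend on message content rather than headers. The following mail gateway filter is an added example for this page, not code from the slides or from any product: it parses a message, blocks it on a keyword hit, and otherwise strips attachments whose extension is on a blocklist before relaying. BLOCKED_WORDS and DANGEROUS_EXT are constructed policy lists, the sample messages are built inline, and the function names are my own.

```python
"""Application-level mail filter: the gateway reads the message itself and
decides on content, something a header-only packet filter cannot do.

Added example, not from the deck. Policy lists and samples are constructed."""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_WORDS = {"confidential", "internal only"}          # constructed policy
DANGEROUS_EXT = {".exe", ".scr", ".vbs", ".js", ".bat"}     # constructed policy


def _extension(filename):
    name = (filename or "").lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def inspect_mail(raw):
    """Return (verdict, details, rewritten_message_or_None).

    verdict is "block" (keyword hit, message dropped), "strip" (dangerous
    attachments removed, rest relayed) or "allow" (relayed unchanged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = sorted(w for w in BLOCKED_WORDS if w in text)
    if hits:
        return "block", {"keywords": hits}, None

    stripped = []
    if msg.is_multipart():
        parts = msg.get_payload()          # the live list of sub-parts
        kept = []
        for part in parts:
            if _extension(part.get_filename()) in DANGEROUS_EXT:
                stripped.append(part.get_filename())
            else:
                kept.append(part)
        parts[:] = kept                    # rewrite the message without them
    verdict = "strip" if stripped else "allow"
    return verdict, {"stripped": stripped}, msg.as_string()


def build_sample(subject, body, attachment_name=None):
    """Constructed test message; addresses are documentation placeholders."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00 constructed payload", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    for sample in (build_sample("Invoice", "Please see attached.", "invoice.exe"),
                   build_sample("Hi", "This is CONFIDENTIAL material"),
                   build_sample("Report", "Quarterly numbers attached.", "report.pdf")):
        verdict, details, _ = inspect_mail(sample)
        print(verdict, details)
```

The cost the slides mention is visible here: the gateway has to understand MIME, reassemble the whole message and re-serialise it, and a second protocol would need its own parser, which is why each proxied application needs special code.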
Firewall Problems
(i) Inadvertent problems
• Example: Suppose a company has a policy to drop all e-mail coming through the gateway, to avoid exposure to mail-borne viruses. If port 80 is left open, Web mail services (e.g., gmail, hotmail) introduce a new avenue for malicious code to get in, via e-mail-over-Web tunnels.
• Example: Admin errors are the most common cause of trivial firewall problems. A large set of complex rules is a cause of such problems.
Firewall Problems
(ii) Intentional subversions
• Conscious subversion, by users who want more functionality or by malicious parties
• Firewalls often allow traffic for port 80 to pass; inbound HTTP traffic should be allowed only to a Web server, and should not reach other internal machines. The Web server should be on a DMZ network.
• Httptunnel is a publicly available tool for transporting IP packets over HTTP.
Why do we need Firewalls?
• Internet connectivity is a must for most people and
organizations
– especially for me 
• But a convenient Internet connectivity is an invitation for
intruders and hackers
– yet another example of tradeoff between convenience and
security
– Question: What do we mean by “convenient” Internet
connection?
• Firewall basically provides us an option to play within the
spectrum of this tradeoff
What is a Firewall?
• Effective means of protecting local
network of systems from network-based
security threats from outer world
– while providing (limited) access to the outside
world (the Internet)
Firewall Basics
• The firewall is inserted between the internal
network and the Internet (a choke point)
– Establish a controlled link and protect the network
from Internet-based attacks
• keeps unauthorized users away,
• imposes restrictions on network services; only authorized
traffic is allowed
– Location for monitoring security-related events
• auditing, alarms can be implemented
– some firewalls support IPSec, so VPNs can be implemented firewall-to-firewall
– some firewalls support NAT (not so security related)
• Open discussion: can’t we put one firewall for
each station within the local network? What
are pros and cons?
Firewall Characteristics - 1
• Design goals:
– All traffic from inside to outside, and from outside to inside, must pass through the firewall
– Only authorized traffic (defined by the local security
policy) will be allowed to pass
– The firewall itself should be immune to penetration
(use of trusted system with a secure operating
system)
Firewall Characteristics - 2
• General techniques for access control
– Service control
• Determines the types of Internet services that can be accessed
– Mostly using TCP/UDP port numbers
• Direction of traffic is important for the decision
– Some services are open for outbound, but not inbound (or vice versa)
– User control
• Controls access to a service according to which user is attempting to
access it
• need to authenticate users. This is easy for internal users, but what can be
done for external ones?
– Behavior control
• Controls how particular services are used (e.g. filter e-mail for spam control)
Firewall Limitations
• cannot protect from attacks bypassing it
– typical example: dial-in, dial-out
• cannot protect against internal threats
– e.g. fired sysadmin 
• cannot protect against transfer of all virus infected programs or files
– because of heavy traffic and huge range of O/S & file types
Types of Firewalls
• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways (not common, so
skipped)
Packet-filtering Router
• Foundation of any firewall system
• Applies a set of rules to each incoming IP packet and
then forwards or discards the packet (in both
directions)
• The packet filter is typically set up as a list of rules
based on matches to fields in the IP or TCP header
• context is not checked
• Two default policies (discard or forward)
Packet-filtering Router
• Filtering rules are based on
– Source and Destination IP addresses
– Source and destination ports (services) and transport protocols
(TCP or UDP)
– Router’s physical interface
• Rules are listed and a match is tried to be found starting
with the first rule
– Action is either forward or discard
– Generally first matching rule is applied
– If no match, then default policy is used
• Default is either discard or forward
Packet Filtering Examples
[Table of example packet filtering rule sets; only fragments survive: entries for {our hosts} with port 21 in both directions, and a {our hosts} rule annotated "For data traffic in passive mode"]
Stateful Inspection
• Example E shows that >1024 ports need to be opened
– not only due to FTP; all services have such a structure
• <1024 ports are for servers; a client using a service should use a local port number between 1024 and 16383
• So the firewall should keep track of the currently opened >1024 ports
• A stateful inspection firewall keeps track of outbound TCP connections with local port numbers in a table and allows inbound traffic for >1024 ports if there is an entry in that table (see next slide for an example table)
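The table described in the last bullet can be simulated directly, which also shows why the stateless alternative is so weak: to let replies reach client ports the stateless filter has to accept every inbound packet to a port above 1024, while the stateful one accepts only packets whose reversed 4-tuple matches a connection an inside host opened. This is an added example written for this page, not code from the slides; the inside prefix 10.0.0.0/8, the host addresses, the idle timeout and the StatefulInspector name are all assumptions, and the TCP state handling is simplified to the states the slide talks about.

```python
"""Stateful inspection of TCP: a connection table keyed on the outbound
4-tuple, consulted for every inbound packet.

Added example, not from the deck. Inside prefix and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulInspector:
    def __init__(self, inside_net, idle_timeout=300):
        self.inside = ip_network(inside_net)   # assumption: one inside prefix
        self.idle_timeout = idle_timeout
        # (local_ip, local_port, remote_ip, remote_port) -> [state, last_seen]
        self.table = {}

    def _expire(self, now):
        stale = [k for k, (_, seen) in self.table.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, pkt, now):
        """Return "allow" or "deny" and update the state table."""
        self._expire(now)
        if ip_address(pkt.src) in self.inside:            # outbound packet
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:                       # inside opens a connection
                self.table[key] = ["SYN_SENT", now]
                return "allow"
            entry = self.table.get(key)
            if entry is None:
                return "deny"                              # not a known connection
            entry[1] = now
            if "RST" in pkt.flags:
                del self.table[key]
            elif "FIN" in pkt.flags:
                entry[0] = "CLOSING"
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)    # inbound: reversed tuple
        entry = self.table.get(key)
        if entry is None:
            return "deny"                                  # nobody inside asked for it
        entry[1] = now
        if entry[0] == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
            entry[0] = "ESTABLISHED"
        if "RST" in pkt.flags:
            del self.table[key]
        elif "FIN" in pkt.flags:
            entry[0] = "CLOSING"
        return "allow"

    def state(self, local, remote):
        entry = self.table.get((*local, *remote))
        return entry[0] if entry else None


def stateless_high_port_rule(pkt):
    """What a stateless filter must do to let replies in: open every port >1024."""
    return "allow" if pkt.dport > 1024 else "deny"


if __name__ == "__main__":
    fw = StatefulInspector("10.0.0.0/8")
    fw.process(TcpPacket("10.2.0.9", 35000, "203.0.113.10", 80, frozenset({"SYN"})), now=0)
    rogue = TcpPacket("203.0.113.99", 1234, "10.2.0.9", 4444, frozenset({"SYN"}))
    print("stateful:", fw.process(rogue, now=1), "stateless:", stateless_high_port_rule(rogue))
```

The FTP case from the slide needs no special handling: in passive mode the client opens the data connection itself, so the tracker sees an outbound SYN, records the new high-port pair and lets only that server's reply through, while an unsolicited inbound SYN to a neighbouring high port is still denied.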
Stateful Inspection
Packet-filtering Router
• Advantages:
– Simplicity
– High speed
– Transparency to users
• Disadvantages
– Difficulty of setting up packet filter rules
• configuration is error-prone
– a port is either open or closed; no application layer flexibility
– IP address spoofing
• attacker uses an internal IP address and hopes that packet
penetrates into the system
• countermeasure: do not accept internal IPs from external
interface
Application-level Gateway
• Application-level Gateway (proxy server)
– Acts as a relay of application-level traffic
• Proxy obtains application specific information from the
user and relays to the server
– Optionally authenticates the users
• Only allowable applications can pass through
– Feature-based processing is possible
• Additional processing overhead on each connection
