CECS 410 Computers and Networks
COURSE NOTES -- Part 14
Security Through Isolation: Firewalls
Isolation has been a primary security tool for thousands of years.
Example: Castles with moats and drawbridges.
Security Issue: Who is controlling access to the drawbridge? Who decides
who gets in?
Dr. Tracy Bradley Maples (Fall 2006) 1
Isolation in Networks
One way to provide security is to isolate an organization's internal
network from the Internet, allowing some packets to pass while blocking
others (like using a moat and drawbridge).
This point of isolation in networks is called a firewall.
What can firewalls do for us?
• Prevent denial of service attacks.
o For example: SYN flooding, where an attacker establishes many
bogus TCP connections and no resources are left for "real"
• Prevent illegal modification/access of internal data.
o For example: An attacker replaces the CIA’s homepage with
• Allow only authorized access to inside network (to a set of
Two types of Firewalls
1) Packet-filtering Firewalls
2) Application-level gateways (or proxy servers)
It is possible to configure packet forwarding devices (especially routers) to
drop certain packets.
Example: Suppose 18.104.22.168 is a test network, and 22.214.171.124 has active
Install filter to allow packets only from 126.96.36.199 to
Keeps potentially bad packets away from remainder of the
Packet Filtering Firewalls
Defn: A packet filter placed at the edge of an intranet to exclude
unauthorized packets is called a firewall.
• A firewall restricts external packets to just a few carefully controlled
• Firewalls define a secure perimeter around a local network.
• Proxies forward packets through the firewall after authorization
The router (or firewall) filters on a packet-by-packet basis, making a
decision to forward/drop a packet based on:
• Source IP address
• Destination IP address
• TCP/UDP source and destination port numbers
• Message type (for example, ICMP messages)
• TCP datagram fields (for example, SYN and ACK bits)
• Other packet criteria
Application gateways (or proxy servers) can filter packets based on the
high-level application layer data, as well as the fields a firewall router can
Example: You can select which internal users can telnet outside the
[Figure: host telnet session passing through the application gateway and the router filter]
Example: Restrict Telnets
1. Require all telnet users to telnet through the application gateway.
2. For authorized users, the gateway sets up a telnet connection to the
destination host. The application gateway relays data between the two
3. The router filter is configured to block all telnet connections not
originating from the gateway.
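As an added example (not part of the notes), a toy first-match packet filter in Python that decides on the header fields listed earlier and encodes the "Restrict Telnets" rules above; the internal network 10.0.0.0/8, the gateway address 10.0.0.5 and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:                   # header fields a packet filter can see
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False           # TCP SYN bit
    ack: bool = False           # TCP ACK bit
    icmp_type: Optional[int] = None

@dataclass
class Rule:                     # a field left as None is a wildcard
    action: str                 # "allow" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR, e.g. "10.0.0.5/32"
    dst: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    ack: Optional[bool] = None
    icmp_type: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.dport is None or self.dport == p.dport,
            self.syn is None or self.syn == p.syn,
            self.ack is None or self.ack == p.ack,
            self.icmp_type is None or self.icmp_type == p.icmp_type,
        ])

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; an unmatched packet is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"

# Constructed rule set for the "Restrict Telnets" example: 10.0.0.0/8 is the
# assumed internal network and 10.0.0.5 the assumed application gateway.
RULES = [
    Rule("allow", proto="tcp", src="10.0.0.5/32", dport=23),           # telnet only from gateway (source is only claimed, see IP spoofing)
    Rule("drop", proto="tcp", dport=23),                               # any other telnet: blocked
    Rule("drop", proto="tcp", dst="10.0.0.0/8", syn=True, ack=False),  # no inbound connection setup
    Rule("drop", proto="icmp", icmp_type=8),                           # drop ICMP echo requests
    Rule("allow", proto="tcp"),                                        # outbound/established TCP
]
```

UDP never matches a rule here, so it is dropped wholesale, which is the all-or-nothing UDP policy the limitations list mentions.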
Application gateways (or proxy servers) are commonly used for mail and
Limitations of Firewalls
• IP spoofing: A router cannot know if data “really” comes from a
claimed source. (A big problem!)
• If multiple applications need special treatment, each must have its own
• The client software on each computer must know how to contact the
o For example, an administrator must set up the IP address of the
proxy in the Web browser.
• Filters often use an all-or-nothing policy for UDP packets.
• There are tradeoffs between the degree of communication with the outside
world and the level of security desired.
• Many highly protected sites still suffer from attacks.
Interesting Quote About Firewalls
Firewalls are "… a mechanism that most
security purists consider to be an
Networking Authors Peterson & Davie
Do you agree? Disagree?