Notes on Firewall – firstname.lastname@example.org (Skype: asokanchennai)

FIREWALL Notes by A.K.Asokan, CCNA, MBA(IT) (email@example.com)

What is a firewall? This is the question which welcomed me whenever I read something on firewalls! I understood the question perfectly, but, most of the time, unfortunately, not the rest of the text!

You must have read that a firewall is placed between your LAN and the Internet to allow, deny or filter the packets travelling from the LAN behind it to the Internet, and from the Internet to the LAN, through the firewall. True. What else can a firewall do? How does a firewall identify packets? Can a firewall understand which service a packet is destined for (whether it is http traffic or ftp traffic)? If so, which parameters tell the firewall that the packet is destined for that service? Is it software? Or hardware? Or a combination of both?

Suppose I am a hacker (excuse me, hackers, for using this beautiful word in a different perspective; it was stolen long ago by the so-called crackers. I do not normally use the word hacker this way, because a hacker is a respectable person who has tremendous technical knowledge. Unfortunately, it has been misunderstood to mean a bad person with malicious intentions!) and I insert a virus or a malicious script into the data (the payload) and then send the packet to the LAN through the firewall. Of course, the firewall can read the header information. But will it be able to look inside the packet and check whether a virus or malicious script is present? If so, what can the firewall do about such scripts?

Suppose I am the Managing Director of "Asokan Company" and I do not want my employees in the packing section to access the Internet. Secondly, I permit the accounts department personnel to access the Internet only for http traffic (only to browse the net) and not for any other service like ftp or telnet.
Can I implement this requirement in the firewall, so that when someone from the packing section tries to access the Internet, the firewall tells him, sorry yaar, you can't access the Internet! How can it be implemented on a firewall? Are there various types of firewalls? What is the difference between packet filtering firewalls and application gateway firewalls? Let us discuss these fundamental issues one by one.

Well. There are firewalls which are based on a Graphical User Interface (GUI) (for example the Checkpoint firewall) and there are firewalls where the administrator configures the policies at the console (for example the PIX firewall from Cisco Systems). The Checkpoint firewall has a large installation base in the world and, since it is GUI-based, it is considered less difficult for anyone to configure, provided he/she understands the various parameters which provide network security.

When you learn driving, you need a car to practise in. Though we say in general "I practised driving", we seldom say "I practised driving in a Toyota", even though you might have used a Toyota while practising. The reason for this (unnecessary!) intro is that although we say "firewall" in general, when we discuss certain in-depth concepts we need to refer to components of a specific firewall. I use the Checkpoint firewall to explain the following concepts, but I have no intention in using the name other than to make the point I am describing clearer to the target readers.

Let us discuss how a firewall identifies packets. Most firewalls identify packets by something called the packet parameters. What are packet parameters? They are the header information: the source and destination IP addresses, the destination port numbers, the transport layer parameters from the packet, and so on.

You might have heard terms like policy, rule, etc. What is a policy? A policy can be a decision taken by the management. Remember that the Managing Director of "Asokan Company" has taken a decision not to allow the packing section personnel to access the Internet? This can be one policy. The same can be implemented in the firewall by writing a rule. See the following table carefully.
Example of a rule base.

Source                                   Destination   Service   Action
10.0.0.10 (packing section system)       any           any       Drop
10.0.0.20 (Accounts department system)   any           http      Accept

In the above example, when someone from the packing section (IP address 10.0.0.10) tries to access any destination on the Internet for any service, the action is that the packets are dropped by the firewall. This means he will never be allowed to access the Internet. (The IP addresses of the corporate network are in the private addressing scheme and are not routable beyond the firewall. Hence it is assumed that we did the necessary NATing in the firewall. For understanding NAT concepts, please read my notes on Network Address Translation (NAT).)

In the second instance, when someone from the Accounts Department (IP address 10.0.0.20) tries to access any destination on the Internet for http traffic (only for browsing), the action is accept, meaning the firewall will allow the connection to be established. But for any service other than http, the packets will automatically be dropped. If you need to allow them to access ftp as well as http, then you have to add the ftp service to the service column as well, as in the following example.

Source                                   Destination   Service     Action
10.0.0.20 (Accounts department system)   any           http, ftp   Accept

A firewall can do a lot of functions: authentication, creating a VPN tunnel between the head office and branch offices, setting up secure remote connections, filtering, allowing or denying access to incoming or outgoing packets, integrating with third-party software (antivirus etc.), URL filtering, FTP, HTTP and SMTP content security, load balancing... waav, a host of such services. The firewall can also authenticate users, computers (clients) and a session (from login till you log out).
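To show what the rule base above actually does when a packet arrives, here is a small first-match evaluator. It is an added example written for these notes, not Checkpoint's or any firewall's code: the rules are matched top-down on the packet parameters (source, destination, protocol and destination port), and a packet that matches no rule is dropped, which is why the accounts host's ftp traffic is dropped until ftp is added to the Service column. The service-to-port table and the sample packets (including the external address 203.0.113.5) are constructed values.

```python
"""Toy first-match rule-base evaluator (added example, not any firewall's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service names mapped to (protocol, destination port): these are the
# "packet parameters" a packet filter actually compares.
SERVICES = {
    "http": ("tcp", 80),
    "ftp": ("tcp", 21),
    "telnet": ("tcp", 23),
    "smtp": ("tcp", 25),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    source: str        # CIDR, single IP, or "any"
    destination: str   # CIDR, single IP, or "any"
    services: tuple    # service names, or ("any",)
    action: str        # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (_addr_match(self.source, pkt.src)
                and _addr_match(self.destination, pkt.dst)
                and _service_match(self.services, pkt))


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def _service_match(services, pkt: Packet) -> bool:
    if "any" in services:
        return True
    return any(SERVICES[s] == (pkt.proto, pkt.dport) for s in services)


def evaluate(rulebase, pkt: Packet) -> str:
    """Action of the first matching rule; the implicit cleanup rule drops the rest."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# The rule base from the first table above.
RULEBASE_V1 = [
    Rule("10.0.0.10", "any", ("any",), "drop"),      # packing section
    Rule("10.0.0.20", "any", ("http",), "accept"),   # accounts: http only
]
# The same base after ftp is added to the accounts rule's Service column.
RULEBASE_V2 = [
    Rule("10.0.0.10", "any", ("any",), "drop"),
    Rule("10.0.0.20", "any", ("http", "ftp"), "accept"),
]


def demo() -> dict:
    # Constructed sample packets; 203.0.113.5 is a documentation address.
    packing_http = Packet("10.0.0.10", "203.0.113.5", "tcp", 80)
    accounts_http = Packet("10.0.0.20", "203.0.113.5", "tcp", 80)
    accounts_ftp = Packet("10.0.0.20", "203.0.113.5", "tcp", 21)
    return {
        "packing_http_v1": evaluate(RULEBASE_V1, packing_http),
        "accounts_http_v1": evaluate(RULEBASE_V1, accounts_http),
        "accounts_ftp_v1": evaluate(RULEBASE_V1, accounts_ftp),
        "accounts_ftp_v2": evaluate(RULEBASE_V2, accounts_ftp),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:18s} -> {action}")
```

Rule order matters in a first-match base: a broad accept placed above a narrower drop silently makes the drop unreachable, so a practitioner reviews the base top-down exactly as `evaluate` does.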
If we want a firewall to authenticate a user, the user profile must have been created. Where will you create the user profile? You have choices. You can create it in the firewall system itself, in an Active Directory, in a TACACS server, in a RADIUS server, in the Exchange Server or in the operating system. Wherever you create the user profile, the firewall has to be configured so that, when the user asks for authentication, the firewall looks in the appropriate place to check the user profile for the required permissions and either authenticates him or not. Example: there are two employees, Asokan and Steve. Asokan's profile is created in the operating system, and Steve's profile is created in the firewall itself. If we configure correctly, then both employees can be authenticated by the firewall, with the firewall referring to the respective user profile to check the credentials of each employee.

Why are there many types of authentication, like user authentication, client authentication, session authentication etc.? The reason is that in certain firewalls, user authentication is not available for all services. It is available only for certain services, say http, ftp, telnet and rlogin. Apart from these four services (known as the authenticated services), if someone wants to access other services like remote desktop or a NetBIOS session, then user authentication cannot be used. For this purpose, the firewall can authenticate a client (a system in the LAN), so that a user using that client is authenticated to access the services. (There are a lot of configurations and sign-on methods in client authentication, like manual sign on, partially automatic sign on, fully automatic sign on etc., which are not described here since the idea of this note is to give an overview of firewalls.)

The next concept is LDAP integration. LDAP stands for Lightweight Directory Access Protocol. If the users are created in the Active Directory, the user profiles created there can be integrated into the firewall so that the firewall can authenticate them to access services outside the corporate LAN. Suppose two new employees join the organization and the system administrator creates user profiles for them in the Active Directory; then they will automatically be reflected in the firewall once you have done the LDAP integration.
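The following is an added example, written for these notes and not taken from Checkpoint or any product, of the authentication model just described: a user's profile may live in one of several stores (here a "firewall" store and an "os" store standing in for the operating system, Active Directory, RADIUS or TACACS), user authentication is available only for the four authenticated services, and any other service falls back to client authentication of the host. The user names, passwords, the list of signed-on clients and the store layout are all constructed.

```python
"""User vs client authentication with profiles in different stores (added example)."""
import hashlib
import hmac
import os

# Services for which user authentication is available.
AUTHENTICATED_SERVICES = {"http", "ftp", "telnet", "rlogin"}


def make_record(password: str) -> dict:
    """A store keeps a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])


# As in the Asokan/Steve example: one profile in the OS, one in the firewall itself.
STORES = {
    "firewall": {"steve": make_record("steve-secret")},
    "os": {"asokan": make_record("asokan-secret")},
}
# Tells the firewall where to look for each user's profile.
PROFILE_LOCATION = {"steve": "firewall", "asokan": "os"}

# Hosts that have completed client authentication (sign-on), constructed.
AUTHENTICATED_CLIENTS = {"10.0.0.20"}


def user_auth(username: str, password: str) -> bool:
    """Look up the profile in the store configured for this user and check the credential."""
    store = PROFILE_LOCATION.get(username)
    if store is None:
        return False
    record = STORES[store].get(username)
    return record is not None and verify(record, password)


def authorize(service: str, client_ip: str, username=None, password=None) -> str:
    """Return 'accept:user-auth', 'accept:client-auth' or 'drop'."""
    if service in AUTHENTICATED_SERVICES:
        # User authentication: credentials are required and checked in the right store.
        if username is not None and password is not None and user_auth(username, password):
            return "accept:user-auth"
        return "drop"
    # Any other service (remote desktop, NetBIOS, ...): only client authentication applies.
    return "accept:client-auth" if client_ip in AUTHENTICATED_CLIENTS else "drop"


if __name__ == "__main__":
    print(authorize("http", "10.0.0.30", "asokan", "asokan-secret"))
    print(authorize("rdp", "10.0.0.20"))
    print(authorize("rdp", "10.0.0.30", "asokan", "asokan-secret"))
```

Note the last call: a valid user credential does not help for a non-authenticated service such as remote desktop; only the client's sign-on status decides, which is the distinction the note draws between user and client authentication.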
Thirdly, content security. The firewall provides content security. It can provide content security for FTP, HTTP and SMTP traffic. Ftp is for transferring files from client to server and/or from server to client. Suppose I have an ftp server, I have posted a lot of computer security notes there, and I wish to share the notes with anyone who wishes to read them. In that case, I can give a username and password to anyone (or allow anonymous login) to my ftp server, so that those who wish to download the files can enter the ftp server, see those files and download them. Good.

However, there is a threat: if someone coming to my ftp server is a cracker, then he may put a virus or other malicious code onto my ftp server so that he can destroy it! How can I protect against this situation? Simple: I should instruct my firewall that people can access the ftp server only for downloading the permitted contents, and not write or upload anything to the ftp server. ftp has a get command and a put command. ftp get means downloading from the ftp server; ftp put means uploading files TO the ftp server, which I do not allow, in order to protect the server.

Likewise for http traffic. Recall the above example: the M.D. of Asokan Company does not permit packing section employees to access the Internet at all, but he permits the accounts personnel to access http traffic. He often sees that employees in the accounts department are browsing naukri.com and posting their resumes in search of other jobs! Now he imposes one more restriction on them: employees can browse naukri.com but should not be able to go to the specific page where they can upload their resume. Yes. If you configure a URI resource (Uniform Resource Identifier) in the firewall, you can prevent your employees from visiting specific pages in a website, or you can even block a specific website. If you prefer a list of websites to be blocked, you can type all the URLs in a file in a specific format and import it into the firewall configuration, so that none of the websites mentioned in the file can be accessed by the employees! The firewall can also be configured to rip into the payload (data portion) and see whether the web page or the ftp content contains a virus or malicious scripts. If so, the firewall can remove such malicious code and send only the original content into the LAN. (However, the firewall may require third-party software for providing content security.)
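The two application-level controls described above, the ftp get-but-not-put restriction and the URI resource list, are shown below in an added example written for these notes; it is not Checkpoint's code and the blocklist file format is invented here rather than any product's import format. On the ftp control channel the user's "get" becomes the RETR command and "put" becomes STOR (or STOU/APPE), so the gate works on those verbs. The blocklist text and the naukri.com upload path in it are constructed sample values.

```python
"""FTP command gate and URI blocklist filter (added example, constructed data)."""
from urllib.parse import urlsplit

# Server-side ftp commands behind the user's "get" and "put".
FTP_DOWNLOAD_COMMANDS = {"RETR"}
FTP_UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}
# Commands needed to log in and navigate; anything not listed is denied.
FTP_HOUSEKEEPING = {"USER", "PASS", "CWD", "PWD", "LIST", "NLST",
                    "TYPE", "PASV", "PORT", "QUIT", "SIZE"}


def ftp_command_allowed(line: str, allow_upload: bool = False) -> bool:
    """Decide on one ftp control-channel line, e.g. 'STOR notes.txt'."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in FTP_UPLOAD_COMMANDS:
        return allow_upload
    return verb in FTP_DOWNLOAD_COMMANDS or verb in FTP_HOUSEKEEPING


# Constructed blocklist, one entry per line: "site host" blocks a whole site,
# "page host/path" blocks one page only. Blank lines and '#' comments are ignored.
BLOCKLIST_FILE = """
# block a whole site
site gambling.example
# allow naukri.com but block the (constructed) resume upload page
page naukri.com/mnjuser/profile/upload
"""


def load_blocklist(text: str):
    """Parse the file format above into (blocked_sites, blocked_pages)."""
    sites, pages = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, target = line.split(None, 1)
        if kind == "site":
            sites.add(target.lower())
        elif kind == "page":
            host, _, path = target.partition("/")
            pages.add((host.lower(), "/" + path))
        else:
            raise ValueError(f"unknown blocklist entry type: {kind}")
    return sites, pages


def _host_covered(host: str, entry: str) -> bool:
    # An entry also covers its subdomains (www.naukri.com matches naukri.com).
    return host == entry or host.endswith("." + entry)


def url_allowed(url: str, blocklist) -> bool:
    sites, pages = blocklist
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if any(_host_covered(host, s) for s in sites):
        return False
    return not any(_host_covered(host, h) and p == path for h, p in pages)


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_FILE)
    for u in ("http://www.naukri.com/", "http://naukri.com/mnjuser/profile/upload"):
        print(u, "->", "allow" if url_allowed(u, bl) else "block")
    for cmd in ("RETR notes.txt", "STOR upload.bin"):
        print(cmd, "->", "allow" if ftp_command_allowed(cmd) else "deny")
```

A URI filter like this only sees the request line, so a blocked page that is also reachable under another path or via https that the firewall cannot inspect is not covered; that is the gap the note's payload-inspection and third-party content security components are meant to fill.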
Asokan Company has 300 employees in various departments. Moreover, it has one branch office elsewhere in the country. The main medium of communication is e-mail. In order to have better security control, the M.D. has installed an Exchange Server in a demilitarized zone (DMZ) for the SMTP traffic. SMTP stands for Simple Mail Transfer Protocol. Now mails go out from the corporate office to the branch office, and people out there on the public Internet also write mail to the officers inside the LAN. When mails come from an untrusted network, there is a vulnerability: they may contain a virus, or someone may try to launch an attack towards the server to bring it down! To prevent this, the firewall can be suitably instructed to check the contents of the SMTP traffic as well, for whether the mails have any attachments containing virus files, scripts, ActiveX content or Java code. If present, the firewall can be instructed to remove them. Thereby we can provide content security for SMTP traffic also.

As discussed above, the company has a branch office. All the systems in the head office as well as the branch office are in the private IP range, and both networks are behind a firewall gateway. The head office belongs to the 10.0.0.0 network and the branch office to the 172.16.0.0 network. In order to communicate securely, one of the possibilities is to set up a Virtual Private Network (VPN), that is, to set up a VPN tunnel. Tunneling encrypts the entire original packet including the headers. Imagine you write a letter to your friend, put it in an envelope, and write the to-address and from-address on the cover. Then, if you enclose that cover in another cover, how can the postman read the to-address and from-address? Similarly, when a packet is tunneled, the entire packet (including the header and the payload) is enclosed in another packet. If so, how will it get routed? In order to understand how it gets routed, we need to understand the following concept.

When a VPN is established, the firewall establishes two phases between the participating gateways (HO and BO): Phase 1 and Phase 2. Phase 1 is for the key installation and Phase 2 is for the data exchange. Phase 1 is handled by the Internet Key Exchange (IKE) protocol and Phase 2 is handled by IPSec. Here something known as SA negotiation takes place. What is an SA? SA stands for Security Association. Once an SA is established, it means that what keys to use and what algorithm to use for data encryption and also for data integrity, all such details, have been agreed upon by the two participating gateways. That is what is known as a Security Association (SA). On what basis do the firewalls (BO and HO) authenticate each other? How does each identify whether the peer firewall is really contacting it, or someone is impersonating it? Well. It can be ascertained in two ways. A VPN can be established using either a 'shared secret key' or a 'certificate'. With the shared secret key, you set a secret word (like a password) in one of the participating gateways, and the same secret word must be set in the other participating gateway as well, while the VPN is being configured. This single secret word is shared between the participating gateways to identify the peer firewall. What is happening behind the scene? Let us see.

Phase 1 exchanges the public keys and uses the Diffie-Hellman key calculation to generate the shared secret key. This is accomplished by hashing and encrypting the firewall's identity with the shared secret key and exchanging the result between the firewalls. From there onwards, they identify each other. That is how each firewall identifies its peer. Phase 1 negotiation for key exchange is asymmetric and takes much computational power, whereas Phase 2 negotiation is symmetric and hence takes less computational power, and the re-negotiation intervals of Phase 1 and Phase 2 also vary accordingly.

The other method is based on a "certificate". You can create a certificate (the firewall acts as a Certifying Authority, CA) and the certificates can be exchanged between the participating gateways. From the certificate, each firewall can identify its peer.

Phase 2 uses the IKE SA negotiated in Phase 1 to negotiate an IPSec SA for encrypting the data traffic. In other words, the data transmission between the firewalls is encrypted and sent by the IPSec protocol. Phase 1 lays the road and Phase 2 runs the car on the road.
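What happens "behind the scene" in the shared-secret method, as an added simplified model written for these notes (it is not the IKE wire protocol and not any firewall's code): each gateway generates an ephemeral Diffie-Hellman pair and the two compute the same DH result (the costly, asymmetric part of Phase 1); each then proves it knows the shared secret word by sending an HMAC of its identity keyed by a value derived from both the secret word and the DH result, which a peer lacking the secret word cannot reproduce; finally the Phase 2 (IPSec SA) keys are derived symmetrically from the Phase 1 key, the cheap part that can be renegotiated more often. The DH group is a toy (a Mersenne prime with generator 2) chosen for brevity rather than one of IKE's standard MODP groups, and the identities, nonces and secret words are constructed.

```python
"""Simplified Phase 1 / Phase 2 model with a pre-shared secret (added example)."""
import hashlib
import hmac
import secrets

P = (1 << 521) - 1          # toy prime modulus (2^521 - 1); not an IKE group
G = 2
NBYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def skeyid(psk: bytes, dh_secret: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Phase 1 base key: binds the shared secret word to this exchange's DH result."""
    material = dh_secret.to_bytes(NBYTES, "big") + nonce_i + nonce_r
    return hmac.new(psk, material, hashlib.sha256).digest()


def identity_proof(key: bytes, identity: bytes, own_pub: int, peer_pub: int) -> bytes:
    """Hash of 'who I am' plus both public values; only a holder of the key can make it."""
    pubs = own_pub.to_bytes(NBYTES, "big") + peer_pub.to_bytes(NBYTES, "big")
    return hmac.new(key, identity + pubs, hashlib.sha256).digest()


def phase2_keys(key: bytes, spi: bytes) -> dict:
    """Derive the symmetric IPSec SA keys from the Phase 1 key; no new DH is needed."""
    return {
        "enc": hmac.new(key, b"enc" + spi, hashlib.sha256).digest(),
        "auth": hmac.new(key, b"auth" + spi, hashlib.sha256).digest(),
    }


def run_phase1(psk_ho: bytes, psk_bo: bytes):
    """Simulate both gateways; returns (peers_authenticated, ho_keys, bo_keys)."""
    ho_priv, ho_pub = dh_keypair()
    bo_priv, bo_pub = dh_keypair()
    nonce_ho, nonce_bo = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side combines its own private value with the peer's public value.
    ho_key = skeyid(psk_ho, dh_shared(ho_priv, bo_pub), nonce_ho, nonce_bo)
    bo_key = skeyid(psk_bo, dh_shared(bo_priv, ho_pub), nonce_ho, nonce_bo)
    # HO verifies BO's proof with HO's own key, and vice versa.
    proof_from_bo = identity_proof(bo_key, b"bo-firewall", bo_pub, ho_pub)
    expected_by_ho = identity_proof(ho_key, b"bo-firewall", bo_pub, ho_pub)
    proof_from_ho = identity_proof(ho_key, b"ho-firewall", ho_pub, bo_pub)
    expected_by_bo = identity_proof(bo_key, b"ho-firewall", ho_pub, bo_pub)
    ok = (hmac.compare_digest(proof_from_bo, expected_by_ho)
          and hmac.compare_digest(proof_from_ho, expected_by_bo))
    spi = b"\x00\x00\x10\x01"   # constructed SA identifier
    return ok, phase2_keys(ho_key, spi), phase2_keys(bo_key, spi)


if __name__ == "__main__":
    print("matching secret word:", run_phase1(b"asokan-vpn", b"asokan-vpn")[0])
    print("mismatched secret word:", run_phase1(b"asokan-vpn", b"typo")[0])
```

The second call shows the failure mode a practitioner checks first when a tunnel will not come up: with a mistyped secret word on one gateway the DH exchange still completes, but the identity proofs do not verify and the two sides would derive different Phase 2 keys, so Phase 1 fails before any data is sent.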
At the outset, Phase 2 negotiates the IPSec protocol combination that will be used. What is a protocol combination? What are the combinations? IPSec protocol? Yes. IPSec is a protocol stack like TCP/IP. We discuss two important headers of IPSec here briefly: AH and ESP. AH stands for Authentication Header and ESP stands for Encapsulating Security Payload. (I understand that I am going a bit deep into the subject, but unless you know something about these two headers, the VPN tunneling concepts will not be clear to you. Read on....) These can be used in combination, i.e. AH+ESP, or AH alone, or ESP alone. AH provides authentication and message integrity, not confidentiality. When confidentiality is not there, it means that if someone captures the data while in transit, he will be able to read it! However, if the data is tampered with on the way to the destination, it can be detected, as AH provides data integrity. For this purpose AH uses a message digest (read my cryptography notes to understand message digests). If you feel that it is ok with you if someone sees the data in between, then you can use AH as the authentication header of the IPSec protocol. In other words, AH does not encrypt the data and hence cannot provide confidentiality.

ESP, Encapsulating Security Payload, provides authentication, data integrity as well as confidentiality. The latest versions of some firewalls do not support AH at all; they support ESP. What is happening behind the scene?

There are two modes of transport to understand here: 1) Transport mode and 2) Tunnel mode. Imagine an IP packet. It has data as well as headers. If the data alone is encrypted, without the header part, it is known as transport mode encryption. If the entire IP packet is encrypted, including the header (put into another cover, as discussed above), it is known as tunnel mode. That's what we discussed above. Now the problem is, since the IP header itself is inside the tunnel, how does a tunnel mode encrypted packet get routed? It is simple: ESP adds its own IP header onto the tunneled packet.
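To make the two modes concrete, here is an added example written for these notes, not a real ESP implementation and not any firewall's code. It builds a genuine IPv4 header with `struct` (including the header checksum), then shows that in transport mode the original header with the private addresses stays in the clear while only the payload is encrypted, and that in tunnel mode the whole packet is encrypted and a new outer header addressed from the HO firewall to the BO firewall is added, which is what the Internet routes on. The inner hosts are the note's 10.0.0.10 and 172.16.0.10; the firewall addresses 203.0.113.1 and 198.51.100.1 are constructed documentation addresses, and "encryption" is a toy HMAC-derived keystream so that the block runs with the standard library alone.

```python
"""Transport mode vs tunnel mode encapsulation (added example; toy cipher)."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

IP_PROTO_TCP = 6
IP_PROTO_ESP = 50
IHL_BYTES = 20
HDR_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, length, id, flags/frag, TTL, proto, csum, src, dst


def checksum(hdr: bytes) -> int:
    """Standard IPv4 one's-complement header checksum; 0 when verifying a correct header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack(HDR_FMT, 0x45, 0, IHL_BYTES + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    _, _, length, _, _, _, proto, _, src, dst = struct.unpack(HDR_FMT, pkt[:IHL_BYTES])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "proto": proto, "payload": pkt[IHL_BYTES:length]}


def toy_stream_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream; symmetric, so it also decrypts. Toy only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_transport(key: bytes, pkt: bytes) -> bytes:
    """Transport mode: keep the original IP header, encrypt only its payload."""
    f = parse_ipv4(pkt)
    # ESP carries the original protocol number in a trailer so the receiver can restore it.
    esp_body = toy_stream_crypt(key, f["payload"] + bytes([f["proto"]]))
    return build_ipv4(f["src"], f["dst"], IP_PROTO_ESP, esp_body)


def esp_tunnel(key: bytes, pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: encrypt the whole packet, header included, under a new outer header."""
    return build_ipv4(gw_src, gw_dst, IP_PROTO_ESP, toy_stream_crypt(key, pkt))


def esp_tunnel_decap(key: bytes, outer: bytes) -> bytes:
    """At the BO firewall: strip the outer header and recover the original packet."""
    f = parse_ipv4(outer)
    if f["proto"] != IP_PROTO_ESP:
        raise ValueError("not an ESP packet")
    return toy_stream_crypt(key, f["payload"])


def demo() -> dict:
    key = b"phase-2-key-from-ike"   # in practice the IPSec SA key negotiated in Phase 2
    inner = build_ipv4("10.0.0.10", "172.16.0.10", IP_PROTO_TCP, b"hello branch office")
    transport = esp_transport(key, inner)
    tunnel = esp_tunnel(key, inner, "203.0.113.1", "198.51.100.1")  # HO fw -> BO fw
    recovered = esp_tunnel_decap(key, tunnel)
    return {
        "transport_dst": parse_ipv4(transport)["dst"],   # private address still visible
        "tunnel_dst": parse_ipv4(tunnel)["dst"],         # what the Internet routes on
        "recovered_dst": parse_ipv4(recovered)["dst"],
        "recovered_payload": parse_ipv4(recovered)["payload"],
        "tunnel": tunnel,
        "inner": inner,
    }


if __name__ == "__main__":
    d = demo()
    print("transport mode outer dst:", d["transport_dst"])
    print("tunnel mode outer dst:   ", d["tunnel_dst"])
    print("after decapsulation dst: ", d["recovered_dst"], d["recovered_payload"])
```

Two points a practitioner takes from running it: in transport mode the outer destination is still the private 172.16.0.10, which is not routable across the Internet, so tunnel mode between the two firewalls is what makes a site-to-site VPN work; and because the outer header carries the firewalls' public addresses, no NAT is needed for the inner private addresses, as the note says.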
Look at the figure above. Imagine that a packet is going from the head office to the branch office. At the HO, when a packet goes out, the source IP will be 10.0.0.10 and its target IP is 172.16.0.10. When it reaches the HO firewall, since VPN is configured on the firewall for secured communication between HO and BO, ESP takes the packet (with source IP 10.0.0.10 and destination IP 172.16.0.10) and puts it into a cover. This is known as tunneling. ESP also creates another IP header, with source IP the outbound interface of the HO firewall (126.96.36.199) and destination IP the outbound interface of the BO firewall (188.8.131.52). Now the secured tunnel communication will be between the HO firewall and the BO firewall (between 184.108.40.206 and 220.127.116.11). When the data reaches the destination, i.e. 18.104.22.168 (the BO firewall), it decrypts the encrypted tunnel and passes the data to the system 172.16.0.10 located in the branch office local network. Please note that the data in the head office up to the HO firewall, and the same data from the branch office firewall to the BO LAN, is NOT encrypted. Another important thing to remember is that when you set up a VPN, there is NO need to provide NAT, as no address translation takes place either at the HO firewall or at the BO firewall. This is how a VPN works. (A lot of configuration details have been omitted as they are beyond the scope of this simple note.)

Hope this note was useful to you. I would appreciate it if you could mail firstname.lastname@example.org with your opinion as to how well you were able to understand the topics and the way they are explained, whether any changes in the narration have to be incorporated, and your valuable suggestions. It will enable me to write future notes incorporating all your suggestions. – with love, Asokan (skype discussion: asokanchennai).