In a traditional LAN system, all workstations can access the Internet with a result of equal attack from the outside.
Just one of the weakest host will break the system.
The firewall addresses this problem by using a special configurable machine between the outside world and internal machines to control the traffic.
The location of a firewall
All traffic must go through the proxy server ( firewall as well ) which then decides to accept or reject the traffic.
Two basic Firewall Systems
There are two basic implementations for firewalls.
Dual home gateway firewall, the gateway machine has two network interface cards each of them is connected to the LAN (inter network) and the Internet (Outer network)
Screened-host gateway uses a router to forward all the traffic from/to the outer and inner networks.
Dual-home gateway firewall
By default, the two networks are isolated.
However, there is a need to communicate between the inner and outer networks through the specialised programs called proxy (or proxies, many programs with firewall features)
A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.
It ensures that the packets from the Internet can reach the well secured proxy which then examines the data.
In fact, there is no effective difference between dual-home and screen-host
Notes about firewall
Many companies use firewall systems that are not strictly firewalls. They are used to block dangerous traffic only.
The essence of a firewall system is to allow or deny passage to network traffic. They are application level for particular communications protocols, such as HTTP, e-mail, FTP (You need to configure the rule)
For example, if you decided to block all active X, you then program the proxy to check the contents of all HTML and block those that have active X.
Select a firewall system (1)
Because of the large number of competing firewall vendors, it can be difficult to choose. Below is a check list.
Operating system: Firewall products are available that run on both Unix (linux) or Windows XP systems. Neither has advantages over others. If you are familiar with Unix, Choose it.
Protocols used: All firewalls will handle FTP, e-mail, HTTP, NNTP telnet etc, but some might not handle SNMP or Real Audio etc. Choose those that can satisfy your need.
Select a firewall system (2)
Filter types:Network filters based on application level proxies gives the programmers control over what passes across the firewall. Network filters based on circuit-level proxies have better performance such as IP packet-filtering system.
Logging: A firewall performs exhaustive logging with tools to analyse the log and summarise the log.
Administration: Some firewalls are configured with graphical user interfaces, others use text only.
Select a firewall system (3)
Simplicity: Good firewall systems are simple. The proxies are small and easy to understand.
Tunneling: Some firewall systems provide the ability to setup up an encrypting tunnel across the Internet in order to securely connect two networks. ( Tunneling is the transmission of data intended for use only within a private, usually corporate network through the Internet in such a way that the routing node s in the Internet are unaware that the transmission is part of a private network. VPN is an example.)
Products No need to memorise Available a a software-only package or as a turnkey combination. Gauntlet Packet filtering an stateful inspection for NT and Unix Firewall-1 Uses application and circuit level proxy and is available for NT and Unix machines Eagle Unix to support packet filtering, application and circuit-level. CyberGuard A Unix-only system for both application-level and packet-level BorderWare Uses a combination of packet filters, application level proxies and circuit-level AltaVista Feature Product
How to configure a firewall?
As there are many commercial products with different commands and approaches, here, we would use a table for describing the routing information and is independent on any products.
Outgoing web access
How to allow people within your organisation to safely browse the Web;
How to make your organisation’s public web available to the rest of the world?
A simple example – packet filter – IE and FTP
Assume that you need to provide filter exceptions for outgoing connections to the HTTP (port 80) and FTP (port 21) and the data sent back in response to those connections. (RULE)
The first column indicates whether it is allowed or blocked that traffic.
The second and third columns indicate which traffic shows from the source. Here port number is specified as well.
The fourth and fifth columns indicate that outgoing (destination) traffic. Again, port number is specified as well.
Flags indicates whether it is an
Another simple example – block IE and allow FTP
Assume that you need to provide filter exceptions for outgoing connections to the FTP (port 21) and the data sent back in response to those connections. We simply block all traffic expect FTP.
important ftp - incoming ACK * * 21 * Allow ftp - outgoing * 21 * * [internal user] Allow Block all * * * * * Block Comment Flags Port Dest Port Src Action
Picture – Gopher protocol is blocked, the table is in the Proxy
A simple example – application level – outgoing, linux environment
If the firewall uses application level proxy to provide Internet access, we need to enable separate proxies for each of the protocols commonly used on the Web such as HTTP, FTP, SSL. Below is an example for FTP for a Class C network at 189.45.56
#rules for the FTP gateway
ftp-gw: denial-msg /usr/local/ect/ftp-deny.txt
ftp-gw: welcome-msg /us/local/ect/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
ftp-gw: deny-hosts unknown
ftp-gw: permit-hosts 189.45.56.*
#rules for the http/gopher gateway
http-gw: permit-hosts 189.45.56.*
No need to memorise , step by step, but have to understand
The first six lines of this file set up defaults for the FTP proxy.
The line containing deny-host prohibits the use of the proxy by any machine without a domain name system entry (here unknown)
The line containing permit-host allows any hosts in the internal network to use the proxy. Others are prohibited by default. (here, permit-hosts 193.49.189.*, any at this network.)
Incoming Web access
Once we solve the problem of outgoing Web services, we need to consider the incoming Web access.
There are many possibilities (web server with proxy, web server inside the LAN, web server outside the LAN.) Here, we introduce:
Judas server – Proxy and Web server
Sacrificial Lamb – Web server outside firewall
Private Affairs – Web server inside the firewall
Doubly Fortified Server - use multi-level of proxy to separate networks.
Judas – combine Proxy and Web server
It is not a good idea to combine proxy and web server together.
It is because Web server cannot be trusted to be bug free.
Any security holes will degrade the proxy.
Not a good idea
The Sacrificial Lamb
The safest place for a public web server is outside the firewall. It is intended to public use.
Because communication between LAN and the public web server is restricted, it is difficult to use file sharing or remote login to update the material in the web server.
Access by outsiders
The Private Affair Server
If the Web server is not intended to be publicly available, all best location is behind the firewall.
It maintains confidential or sensitive information.
Filter all first
The Doubly Fortified Server
If you consider your web server contains highly confidential information, you should place it out of the Internet with a multiple level firewalls. (You have to set up a private firewall system.)
Running a reverse Web proxy
The primary mission of firewall proxies is to allow people inside the organisation to make outgoing connections to servers on the Internet.
Their desk-top software connects to a proxy on the firewall; it relays the request to the Internet server and forwards the server's response back.
It is also possible to use application-level proxies in the reverse direction to grant people on the Internet controlled access to a Web server.
Flow of Information – Bastion (firewall) 1 2 3 4
The hybrid approach is to combine two together. One on an external scarified lamb server; one on the firewall.
In this configuration, an internal server is maintained behind the firewall and kept completely inaccessible from the outside world.
Hybrid approach – Bastion (firewall here)
Firewall is to filter the unwanted traffic
It is to limit the Incoming and outgoing traffic as well.
Criteria to select a firewall
Configure a firewall – application level (IE, e-mail) or packet level (IP or TCP)
Incoming web access – Judas server, Sacrificial lamb, Private affair, Doubly fortified server, reverse web proxy etc.