Nowak Aesthetics was founded in 1999 in Chula Vista, California by Dr. Eugene Nowak to provide dermatological, cosmetic surgery, and skin rejuvenation procedures to residents of San Diego County. Dr. Nowak is board certified in dermatology and aims to help patients regain confidence and achieve their desired look through both medical and cosmetic procedures. Nowak Aesthetics has consistently ranked in the top 5 dermatologists in San Diego County for customer service and innovative procedures.
Nowak Aesthetics, was founded by Dr. Eugene Nowak in 1999, in Ch.docx
1. Nowak Aesthetics, was founded by Dr. Eugene Nowak in 1999,
in Chula Vista, California; since then Nowak Aesthetic mission
has been to serve residents throughout San Diego County for
dermatological, cosmetic surgery and skin rejuvenation
procedures.
Dr. Nowak it is a Board Certified Dermatologist; with one
mission, to help their patients regain confidence in themselves
and achieve desired look, not being an issue if is a dermatology
or cosmetic procedure. To accomplish this, he has created his
own formula in skin care products for patients with acne, and
melisma conditions, also treats patients with eczema,
birthmarks, psoriasis, sun spots caused by sun damage, which
may cause cancer, rosacea, vitiligo or any other skin condition.
Dr. Nowak is conservative, and innovative on his cosmetics
procedure. His mission it is to help patients to look better, and
achieve their goals.
Overall he promotes, an exceptional customer service to each of
his patients, assuring every patient gets an extraordinary
experience at Nowak Aesthetics.
Nowak Aesthetics has 4 consecutive years, being in the top 5 in
all San Diego County dermatologists
In Aesthetics Nowak received daily about 80 patients of whom
20% are medical consultations, the other 80% is basically
cosmetic consultations or procedures. Each patient is offered a
free skin analysis, regardless of the reason why we visit.
Provides medical consultations for skin problems at very
reasonable and affordable cost to patients who do not have
medical insurance, I think these plans with the purpose of
benefiting patients who do not have the resources to treat their
skin problems; Nowak Aesthetics has a special program for the
community, which donates baskets with products from
Dr.Nowak’s skin care products, for schools in San Diego
2. County, for the auctioned in their events and raise funds.
In addition to patients, visiting Nowak Aesthetics, for cosmetic
consultations, first consultation is at no cost, given the
opportunity to meet patients Nowak Aesthetics facilities, meet
the staff, which always gets a smile every patient regardless of
their financial status, and furthermore every cosmetic
consultation, gives each patient a free evaluation with no
obligation, concerning the service for which the patient visited
Nowak Aesthetics.
Nowak Aesthetics has a protocol To receive each of our
patients, in a personalized way. Every time you register a new
patient was taking a photo, which is on file, on the other hand
there is also a section in the patient's file where is written to
any specification of the patient, what he likes, or do not like, as
he prefers to be called, among other concerns. As patients
continue to attend Nowak Aesthetics, certain patients are
considered VIP patients. The reasons why a patient becomes
VIP, may be, because they are people with positive attitude
when they reach Aesthetics Nowak sees them as family, others
may become VIP, because they are consistent in their cosmetic
procedures, and have spent hefty amounts of money. VIP
patients are given a gift card to spend at Nowak Aesthetics
when they refer their friends, or family. Being a VIP patient,
every birthday are given a $ 100 to spend on Nowak Aesthetics.
Patient’s, who do not have the benefit of being a VIP patient,
also awarded a $ 25, when referring to friends or family.
In Nowak Aesthetics, the biggest concern will always be the
patient, but yet there is also a sales goal, monthly, apart from
all the benefits offered to each patient, also offers a monthly
free seminars in each of these seminars are talking about a
specific procedure, and that day in particular there is a discount
for that procedure, which can range from 15% to 25% discount,
3. for coming. 2 times a year, offers an open house, where you can
get discounts of 50% to be in the different services on offer,
25% discount on the products of skin care. In services Botox
and fillers, patients may find BOGO promotions. In each of
these events either seminar or open house, offer free
refreshments, of excellent quality.
Nowak Aesthetics not only cares about providing the best
service to their patients, as an employer, is always rewarding
employees, in different ways, can be offering their services
employees at no cost, to each one of its employees was gives a
monthly, depending on the percentage of sales, and this is done
in a fair, depending on the time you have to work to Nowak
Aesthetics, and the hours each employee works, this is done in
the form of gratitude, for the performance of each employee, to
provide outstanding service to each patient. The motto of Dr.
Nowak is that each individual, working in an atmosphere of
peace and tranquility, without stress, so each individual offer
the best, to do their jobs in the best way possible. Likewise
offering excellent service, which has always promoted.
Nowak Aesthetics in search for longer be kept in the top 5 of all
San Diego County, has sought the best consultants in the United
States, to continually be improving in all aspects, and
innovating every day, to the last procedures thus technology to
help patients achieve their goals and objectives, without having
to take extra time on their jobs, or having to stand, all
innovative procedures offered, patients and out walking, having
thus ensuring a schedule filled continuously patients.
Figure 1 shows how an internal desktop (denoted as Proxy
Client) is protected by a proxy firewall. Let's assume that the
internal desktop is used by Alice and she wants to remotely log
into the external machine denoted as the Telnet server. Alice
runs a Telnet client program on her desktop.
4. 1. Let’s first assume that the Proxy Firewall does not exist. In
this case, when Alice needs to remotely login into the external
Telnet server, the Telnet client program that runs on her desktop
will send packet #1 of the TCP 3-way handshake protocol to the
Telnet Server. What is the source IP address put in the header of
packet #1 (4 points)?
2. After a while, packet #2 of the TCP 3-way handshake
protocol will be sent from the Telnet Server to the internal
Proxy client. What is the source port number put in the header
of packet #2 (4 points)?
3. After a while, packet #3 of the TCP 3-way handshake
protocol will be sent from the internal Telnet client program to
the Telnet Server program. What is the dest IP address put in
the header of packet #3? (4 points)
4. Based on your answers to Questions 1, 2, and 3, you will
notice that if the Telnet server is malicious, the Internal
Network will face a major security threat. What is it? (6 points)
1.5: To address this security threat, let’s deploy the Proxy
Firewall. To see why the proxy firewall is useful, let’s revisit
the same example. When Alice needs to remotely login into the
Telnet server, the Telnet client program will send packet #1 of
the TCP 3-way handshake protocol to the Telnet Server.
5. The destination IP address put in the header of packet #1
cannot be the IP address of the Proxy Firewall. Why? (6 points)
6. What is the dest IP address put in the header of packet #1? (4
points)
1.6: When Packet #1 arrives at the Proxy Firewall:
5. 7. The Proxy Firewall will not let the packet directly go through
the firewall. Why? (6 points)
8. When the packet leaves the Proxy Firewall, what is the
source IP address in the header? (4 points)
9. After a while, packet #2 of the TCP 3-way handshake
protocol will be sent from the Telnet Server to the Proxy
Firewall. What is the destination IP address put in the header of
packet #2? (4 points)
10. After a while, the Proxy Firewall will receive packet #2.
Then the firewall will modify the packet a bit. When this packet
leaves the Proxy Firewall, what is the source IP address in the
header? (4 points)
Figure 2 shows the screened subnet firewall architecture.
11. Let’s assume the PC next to the Email Coordinator is
Alice’s desktop. Let’s assume the IP address of this desktop is
130.3.20.2. Please give a concrete packet filtering firewall rule
for the Screening Router to block any outgoing TCP connection
requests from Alice’s desktop to a remote machine. The format
of a firewall rule is: || Rule ID || packet direction || source IP ||
dest IP || protocol name || source port || dest port || ACK ||
decision || (10 points)
6. 12. Please give a concrete filtering firewall rule for the
Screening Router to allow incoming TCP packets to reach the
Web server. (8 points)
2.3: Since the Email server in the Peripheral Network could be
broken, it is risky let the internal desktops to be directly
connected to the email server. To solve this problem, we will
set up the Email Coordinator in the Internal Network.
13. When Alice wants to send out an email. The Outlook
program that runs on Alice’s desktop will compose and send out
some packets. In the header of the first packet, denoted packet
#1, sent out from Outlook, what is the destination IP address? (6
points)
14. When packet #1 leaves the Email Coordinator, what is the
source IP address of its header? (6 points)
15. To make sure that the email server on the Peripheral
Network can only communicate with the Email Coordinator,
Firewall II needs to enforce 4 firewall rules if not less. What
are they? (14 points)
16. Tell three fundamental differences between packet filtering
firewalls and proxy server firewalls. (10 points)
Published on IST 554 (https://online.ist.psu.edu/ist554)
Topic 3: Firewalls
The Internet is revolutionary in its ability to publish
information and to provide access to information.
However, like any other society, the Internet is plagued with
7. bad guys who enjoy the electronic
equivalent of spying on other people, stealing their valuables,
destroying their property, or simply
disturbing the peace. This poses a great danger to those who try
to get real work done over the
Internet or who have sensitive or proprietary data and resources
on the Internet to protect.
Connecting a network to the Internet, while maintaining a
certain degree of security, has become a
major task for many corporations. It is therefore natural to think
about how to develop a system that
can act as a protective boundary between a private network and
the outside world. Like a guard in
front of a securely controlled building, a firewall is a security
system that restricts access between
the outside (i.e., the Internet) and the inside (your private
network).
Many corporations now have security policies and practices to
protect their networks. A firewall is a
very important component of those policies and practices. The
existence of a firewall has been
proven to greatly reduce the chances of internal systems and
networks getting penetrated and
compromised.
Topic objectives:
Explain the TCP/IP model and common Internet services.
Define a firewall and describe its capabilities.
Define packet filtering technology, describe how the technology
works, and identify the
capabilities of the technology when building a firewall.
Define stateful packet filtering technology and describe how the
technology works.
9. implications for distinct services.
Transport Control Protocol/Internet Protocol (TCP/IP)
The Internet is made up of a wide variety of computers, from
supercomputers to personal
computers. Each of these computers on the Internet has every
imaginable type of software and
applications running. How do all of these computers understand
each other and work together?
When computers communicate, there are sets of rules to govern
the communications so that each
computer understands how to act and how to interpret the
actions of others. In data
communications, these sets of rules are called protocols.
Transport Control Protocol/Internet Protocol
(TCP/IP) is the basic communication protocol that each
computer uses to talk with others for data
transmission. Anything that can speak TCP/IP can play on the
Internet.
When transferring information across a network, TCP breaks the
information into small pieces, called
packets, each of which are transmitted separately. While data
can be lost in the course of
transmission, TCP is capable of guaranteeing the correct
delivery of these data packets. TCP is able
to detect errors or lost data and to trigger retransmission until
the data is correctly and completely
received.
IP is responsible for carrying TCP packets from one computer to
another computer based on a four
byte destination address called the IP address. Each computer,
or host, is uniquely identified by a
specific IP address on the Internet. The IP address ensures that
11. Example
When a user wants to get a Telnet service, he/she interacts with
a Telnet client process running on
his/her computer, which initiates a connection with a Telnet
server. When the server receives the
connection request, it sends back its response. The client reads
the response and reports back to the
user. Thus, the bidirectional connection is built and can be used
for sending and receiving data.
Internet Services
Internet services usually refer to those higher-layer applications
and processes designed for end-
users that reside in the end-communicating system.
Such applications include:
electronic mail using Simple Mail Transfer Protocol (SMTP);
World Wide Web using Hyper Text Transfer Protocol (HTTP);
file transfer service using File Transfer Protocol (FTP); and
Telnet service using TELNET protocol.
In TCP/IP, in addition to the data sent by a host process, a port
number is used to distinguish among
various applications (services) running. In other words, the port
is the means for identifying a specific
service program on a computer in a network.
Example
Port 80 is the standard port used by HTTP to send and retrieve
Web pages. Most application level
protocols are associated with one or more port numbers in
TCP/IP.
12. Port numbers are specified by a 16-bit number and are
numbered from 0 to 65535. By convention,
port numbers within the range of 0-1023 are assigned to the
well-known applications mostly on the
server side and are called well-known ports. Ports within the
range of 1024-65535 are usually called
dynamic ports (i.e., open dynamically when you attempt to
connect to a server port) and can be
used by any client or server.
During a TCP/IP session, on the server side, a server
application would "listen" on a port for users'
connections to request some "well-known services," e.g., HTTP
(TCP port 80), Telnet (TCP port 21),
DNS (UDP and sometimes TCP port 53). On the client side, a
client application needs to "open" a
dynamic port in order to connect to a server application. This is
done by choosing a port above 1023
on the client machine that is not currently in use by another
application and using it as the "sender"
in the new connection.
In a TCP connection, both sides need to be identified by IP
addresses and port numbers. Therefore,
an end-to-end communication between two applications can be
uniquely identified on the Internet by
the four-tuple: source port, source address, destination port, and
destination address.
** Note that when two applications run on the same host, the
source address is the same as the
destination address, but the source port is different from the
destination port to distinguish these
14. 80 (HTTP) for new connections, and client 5.6.7.8 wants to surf
to 1.2.3.4, port 80.
First, the client browser issues a connect call. The connect call
goes to find an unused dynamic port,
usually somewhere above 1023, in this example, 1029. The local
port number is necessary so that
when the replies come back later from the server, the client host
will know to which client
application to pass the reply. The client host does this by
remembering what application uses which
local port number. The first packet is then sent from local IP
5.6.7.8, port 1029, to 1.2.3.4, port 80.
The server responds with a packet from 1.2.3.4, port 80, to
5.6.7.8, port 1029. Thus a connection is
built between 5.6.7.8 1029 and 1.2.3.4 80.
Table 2.1 lists some basic TCP applications and their
corresponding port numbers.
Table 2.1
TCP Application Port Number
FTP 20 (Data), 21 (Control, or Program)
Telnet 23
SMTP 25
HTTP 80
UDP Application Port Number
DNS 53
16. Electronic mail is one of the most basic network services. Most
systems on the Internet use Simple
Mail Transfer Protocol (SMTP) to send messages from a mail
client to a mail server and from one
server to another server. The messages can be retrieved from a
server with an e-mail client on each
user's machine. With this service, mail can be delivered to
individual users, and distributed to many
users (mailing lists) on different machines. Mail can include
simple text messages, file attachments,
images, video/audio files, or Web site links.
SMTP is an Internet standard for sending and receiving e-mail
between computers. SMTP server uses
port 25 to communicate. SMTP protocol is not usually a
security problem, but the SMTP server can
be.
!WARNING!
Common assaults associated with e-mail service are spamming
or unsolicited mails. An e-mail can
appear to be from a legitimate source (e.g., your bank) and ask
you to provide sensitive information
(e.g., your account information). A system that is open to
receive e-mails is vulnerable for DoS
attack. Additionally, electronic mails can contain malicious
programs, such as a Trojan horses or
computer viruses.
Remote Terminal Access (Telnet)
Remote Terminal Access provides users with the capability to
use a remote system over the Internet
as if it were a directly connected terminal. Telnet is the Internet
standard that offers such an
18. Page 5 of 34
mailto:[email protected]
http://ist.psu.edu
Published on IST 554 (https://online.ist.psu.edu/ist554)
Related Links
Hijack [1] - An example of how an attacker can hijack a telnet
session
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is the Internet standard protocol
used to transfer files between systems.
It allows users to bring files in to their system, rather than
waiting for a file to be sent as an
electronic mail, for example. To use FTP to contact a remote
machine, the remote computer requires
that the user log in with username and password; FTP logins are
usually recorded on the remote
machine. FTP uses port 21 and 20 (for data) to communicate.
FTP can be set up for anonymous access, which allows people
on the network who do not have an
account on a specific machine to deposit or retrieve files from a
special directory. Many institutions
use anonymous FTP as a low-cost method to distribute software
and general information to the
public.
!WARNING!
As with the Telnet command, the passwords typed to FTP are
transmitted unencrypted over
19. the network. Therefore, some sites may wish to disable the FTP
service, or modify it to use
alternative authentication protocols.
Another problem associated with FTP is that files that are
brought in to a computer may
contain undesirable programs and data. For example, users may
bring in games and pirated
software which can occupy huge amounts of CPU time and disk
space. Users may even bring
in Trojan horse software. By the same token, if outside users are
allowed to use FTP to
transfer files from your site, these files should be placed in a
separate, public area of the
system to ensure that users cannot gain access to other areas or
files that should be
protected or private.
World Wide Web Access (HTTP)
The World Wide Web is a collection of Internet resources in the
form of electronic documents, called
Web pages, which can be viewed on the computer through a
Web browser, such as Netscape
Navigator, Microsoft Internet Explorer, Mozilla Firefox, or
Apple Safari. Providing information on the
World Wide Web involves two parts: writing the World Wide
Web pages, and storing them on a World
Wide Web server connected to the Internet that distributes the
Web pages upon request.
Web pages include files that are in different formats such as
text, graphics, audio, video, etc., and
hypertext links to other documents or information systems.
Users can navigate from one document
to another on the Internet regardless of where the documents are
located. The most common format
21. Hostname/Address Lookup (DNS)
Hosts are identified using IP addresses. In the real world, each
host in a network is typically assigned
a unique name because IP addresses are not user-friendly.
Hostname/address lookup provides a
naming service to map user-friendly host names to IP addresses.
The Internet has a particular
naming system called the domain name system (DNS). Most
Internet services rely on DNS to work. If
DNS fails, Web sites cannot be located and e-mails cannot be
delivered. It is an essential Internet
application, but users generally only indirectly interact with it.
DNS works on port 53.
!WARNING!
DNS servers that don't have security systems built in are
vulnerable to spoofing attacks. For
instance, a DNS server could accept and use incorrect
information from an unauthorized host. Such
spoofing attacks can mislead users to wrong Web sites or
redirect e-mail to non-authorized mail
servers.
Related Links
Librenix [2] - An article that illustrates the nature of DNS
attacks, and proposes security measures to
counter such attacks
DNS Documentation [3] - This site collects a variety of DNS
documentation, which addresses several
DNS security scenarios.
Bitpipe [4] - A short summary on DNS attacks, in addition to a
22. listing of attacks and associated
software products.
Simple Network Management Protocol (SNMP)
SNMP is a protocol to centrally manage network equipment
such as routers, hosts, etc. SNMP can
configure or control certain functions of network equipment,
request information from network
equipment, or report the status of network equipment, such as
when a connection is down.
!WARNING!
The major risk with SNMP is the takeover or control of network
equipment. An attacker may
reconfigure network equipment for malicious purposes. For
example, an attacker can change
routings defined in a router and steal important information.
Lesson Wrap-Up
TCP and IP are two of the most important communication
protocols for linking different computer
systems together over the Internet. In this lesson, we discussed
how the Internet services are
provided in a client-server model via TCP/IP, as well as
reviewed six basic services available on the
Internet. We have learned that every network service carries
potential security problems; therefore,
it is essential to protect the services you are going to use or
provide over the network.
Now that you have completed this lesson, you should be able to:
Define TCP/IP and explain how TCP/IP works.
Describe TCP ports.
24. external networks, such as the Internet. It provides controlled
access between the inside and the
outside as it retains some level of isolation. Firewalls are the
most basic defense systems in an
overall organizational security plan. This lesson introduces
Internet firewalls and summarizes what
they can and cannot do for a site's overall security.
Lesson objectives:
Define a firewall and discuss its capabilities.
Describe three basic firewall technologies.
Discuss the benefits and limitations of a firewall.
What is a Firewall?
Similar to a firewall in building construction that is used to
prevent a fire from spreading, a firewall in
computer networking protects the internal network against the
dangers of external connections. It is
generally defined as a type of mechanism that implements
access control between two or more
networks.
Firewalls are a very effective type of network security solution
and are frequently used to prevent
unauthorized Internet users from accessing private networks
connected to the Internet. All traffic
entering or leaving the private network must pass through the
firewall, which examines each
message and blocks those that do not meet the specified security
criteria.
A firewall is usually a special computer running appropriate
security software. A router, a host
computer, or some combination of routers and computers can
work as a firewall with the appropriate
26. communicate freely with the outside. Or to be less strict, the
firewall can be set to block services
that are known to be problematic.
Although the areas in which a firewall is designed to focus vary
from organization to organization,
generally the firewall serves the following three main functions:
keeps outsiders from breaking in;
keeps insiders from exposing valuable data or services; and
enables secure communications between two networks, thus
each individual host can
communicate as it would normally do without worrying about
security methods, such as
encryption/decryption and key negotiation.
Scenario
Volume II of the Riptech Internet Security Threat Report was
published by Riptech, Inc. in July 2002.
Riptech's aim was to devise a set of quantitative security
measures that could categorize a variety of
Internet-based security threats targeted at hundreds of
organizations from January 1 through June
30, 2002. Due to the large number and wide variety of the
organizations studied, the trends and
other findings in this report provided a good overall indicator of
threats faced by the entire Internet
community.
A few highlights:
Overall attack activity for this six-month period was 28% higher
than for the six-month period
just prior. On average, companies experienced 32 attacks per
company per week (up from 25
28. Page 9 of 34
http://www.securitystats.com/reports/Riptech-
Internet_Security_Threat_Report_vII.20020708.pdf
mailto:[email protected]
http://ist.psu.edu
Published on IST 554 (https://online.ist.psu.edu/ist554)
Packet Filtering
Packet filtering determines whether a packet should be accepted
or rejected purely based upon
some basic information in the packet's header (e.g., source IP,
destination IP, in or out interface,
protocol type, port number).
If the header's information matches the rule set defined in the
firewall, the packet is allowed to pass;
otherwise the packet is denied.
!WARNING!
Packet filtering does not have detailed knowledge about what a
packet is actually talking to or where
it is actually coming from; therefore, it is susceptible to an IP
or a port spoofing attack because the
decision to block is based on the IP and port. However, packet
filtering tends to be faster than other
firewall technologies and is very transparent to users.
Proxying
Proxying handles all the communications between users and
Internet services and performs logging
29. and access control. It takes users' requests for Internet services
(i.e., FTP and Telnet) and forwards
them to the actual services or drops them as directed by the
site's security policy. Instead of talking
to each other directly, users and services each talk to the server
offering proxying--the proxy server.
Proxy servers permit no direct traffic between networks, thus
effectively hiding true network
addresses and better protecting the internal network. They are
able to provide more detailed audit
reports and tend to enforce more conservative security models
than packet filtering.
Stateful Packet Filtering
Stateful packet filtering attempts to track the state of each
network connection and makes the
forwarding decision on both the packet content and the
connection state when filtering packets.
When the first packet of a connection is inspected and
permitted, the firewall adds an entry to a
state table. A subsequent packet is allowed to pass through the
firewall when the packet matches an
established connection which has satisfied the implemented
rules on the firewall. This means that
only the initial connection needs to be specified; the return
packets are authorized because there is
a state associated with them (the connection has already been
authorized).
The capabilities of stateful packet filtering are a cross between
the functions of packet filtering and
proxying.
Each technology has its merits and flaws, and each performs
31. network. It is simple, efficient, and economically inexpensive to
implement.
separates the site's network from other networks, or one section
of the internal network from
another section.
A firewall limits the exposure of the protected parts of the
network and helps to
contain security problems.
helps to enforce unified security policies for an organization,
allowing only "approved" traffic
to pass through.
A firewall can limit Telnet requests to internal use and block
external Telnet
applications.
performs important logging and auditing functions.
A firewall summarizes and logs the type and amount of traffic
that passes through it
and how many attempts were made to break into it. Firewall
logs are critical and can
be analyzed to trace daily activities.
Firewall Limitations
A firewall:
is not the solution for every security problem.
A firewall provides effective protection against network threats;
however, certain
threats are beyond the control of the firewall.
cannot protect against malicious inside attacks.
32. A firewall cannot stop an insider from copying the company's
proprietary data onto a
magnetic tape, compact disc, or USB flash drive and using it
maliciously.
cannot handle attacks using connections that bypass it.
A firewall cannot prevent hackers from accessing internal
systems via such a modem
connection if a dial-up modem connection is allowed in a
network. Also, if any internal
system is allowed to connect to any external system, then the
firewall will provide no
protection from external attack via this connection.
cannot handle bogus connections, i.e., IP spoofing.
Attackers can spoof an authorized IP address and send out
traffics that are
considered valid by a firewall that uses source and destination
addresses and port
numbers to determine whether incoming traffic is allowed to
pass through to the
internal network.
cannot protect well against attacks such as Trojan horses,
viruses or malicious software.
A firewall is not the best mechanism to protect against data-
driven attacks in which
something is mailed or copied to an internal host where it is
then executed. This is
because firewalls cannot scan the details of all incoming data
traffic. A more effective
anti-virus solution is to make sure every vulnerable host has
virus scanning software
that runs each time the machine is rebooted.
cannot adequately handle attacks exploiting the inherent
34. Firewall technologies available in today's products include
packet filtering, proxy server, and stateful
packet filtering. Each of these technologies implies a certain
range of possible choices for deploying
firewall architectures. In the next two lessons, we will explore
these technologies in more detail.
Now that you have completed this lesson, you should be able to:
Define a firewall and discuss its capabilities.
Describe three basic firewall technologies.
Discuss the benefits and limitations of a firewall.
Lesson 3: Packet Filtering
There are different technologies to use when implementing
firewall systems. The packet filtering
firewall is the most common and easiest to employ for small,
uncomplicated networks. Basically, a
packet filtering router is installed at the point where the internal
network connects to the Internet
and the packet filtering rules are configured in the router to
block or filter traffic to and from the
internal network.
This lesson describes the concept and techniques involved in
building and configuring a packet
filtering firewall. It also discusses an advanced packet filtering
technology--stateful packet filtering,
and the advantages and disadvantages of packet filtering.
Lesson objectives:
Define packet filtering.
Define TCP/IP header, TCP 3-way handshake, and UDP.
36. layer and uses rules to determine which
packets are forwarded from one interface to another. It accepts
or blocks data transfer based on the
information at the header of each packet including the source
address of the packet, the destination
address of the packet, the protocol type of the packet (TCP,
UDP, ICMP, etc.), the source port of the
packet, the destination port of the packet and flags set on the
packet (e.g., ACK). Packet filtering
controls the flow of packets by looking at the information and
determining whether they match the
rule set.
The TCP and IP Header
Figure 3.2: The TCP and IP header
To better understand how the packet filtering rule set works,
let's take a look at the TCP and IP
header of a packet.
As shown in Figure 3.2, an IP header in a packet contains the
following main information:
Protocol (8 bits, whether the packet is TCP, UDP, or ICMP
packet)
Source IP address (32 bits) (e.g., 192.123.121.2)
Destination IP address (32 bits)
A TCP header contains the following main information:
Source Port (16 bits)
Destination Port
ACK flag (1 bit)
SYN flag
38. If a client program A (IP 5.6.7.8) wants to open a connection
with a server program B (IP 1.2.3.4) for
Web service (on port 80), program A begins the connection
attempt by dynamically opening a port,
for example, 1078, and sends the request:
5.6.7.8: 1078 -> 1.2.3.4: 80 SYN=1
Program B receives the packet and understands that a client
wants to form a new connection.
A response is sent:
1.2.3.4: 80 -> 5.6.7.8:1078 SYN=1 ACK=1
The client program A receives the response, and informs that
the response is received:
5.6.7.8: 1049 -> 1.2.3.4: 80 ACK=1
Here, the connection is opened and real data will begin
transferral. Note that the first packet in each
direction has the SYN flag set, and all subsequent packets
following the first packet from a client
have the ACK flag set.
Flag ACK: "Acknowledges" the receipt of a previous packet.
Flag SYN: Initiates a new TCP connection.
A packet containing only the SYN flag is the first part of the 3-
way handshake of TCP connection
initiation. The purpose is to verify that both hosts A and B have
a working connection. If the client
sends out the initial SYN without receiving a SYN+ACK within
a few seconds, it will resend the SYN. If
40. communications services (e.g., broadcasting
messages over a network) not available from TCP. UDP is
described as a connectionless service (as
opposed to TCP).
UDP packets are similar to TCP packets in structure. A UDP
header contains UDP source and
destination port numbers, just like TCP source and destination
port numbers. However, a UDP packet
DOES NOT contain anything resembling an ACK flag. The
ACK flag is how the TCP mechanism
ensures its reliable delivery of data. UDP makes no such
guarantees; therefore, there is no way for a
packet filtering router to determine, simply by examining the
header of an incoming UDP packet,
whether that packet is a first packet from an external client to
an internal server, or a response from
an external server back to an internal client. Thus all packets
must be blocked if the goal is to block
a UDP session.
Configuring a Packet Filtering Firewall
The fundamental function of a firewall is to restrict the flow of
information between two networks. To
set up a firewall using packet filtering technology, it is
necessary to define the types of data to pass
or block. This is called defining the firewall's policy. After a
policy is defined, then the actual packet
filtering rule set must be created on the firewall that reflects
this policy.
Example
Packet filtering implementations can enforce a policy that
allows internal clients to connect to
external servers, but prevents external clients from connecting
43. Published on IST 554 (https://online.ist.psu.edu/ist554)
required by Rule 3.
Rule C: denies any incoming packets from external Telnet
servers (port 23) to internal host
132.28.6.4. Note, that if rule B is enforced, Rule C is not
useful. Rule C is redundant because
132.28.6.4 will not be able to establish a connection with an
outside Telnet server, according to Rule
B. So we can remove Rule C from the firewall configuration.
Rule 2: is implemented by Rules D and E combined.
Rule D: allows any outbound Telnet connections.
Rule E: allows any incoming Telnet packets from external
Telnet servers to internal clients. Because
of this, internal clients are permitted to send a request to the
outside for Telnet service and the
response from external servers will pass through the firewall.
**Note that we must have a priority order for Rule B, Rule D
and Rule E because they are not
consistent. Rule B needs to be placed before Rule D and E in
this case. So if host 132.28.6.4 sends
out a Telnet request, the packet will pass Rule A, but will be
denied by Rule B. However, if another
internal host 5.6.7.8 sends out a Telnet request, it will not
match Rule A, B, and C, but it will pass
Rule D. When the external server responds to the Telnet request
from client 5.6.7.8, the response
packets will pass Rule E. If we put Rules D and E before B and
C, Telnet packets from 132.28.6.4 will
pass Rule D, and therefore are allowed to go out through the
44. firewall which will disobey Rule 3.**
Rule F: denies any incoming UDP packets.
Effective Packet Filtering: Example 2
When the security policy restricts connections to e-mail only, a
firewall can be programmed as
follows:
Firewall
Rule
Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action
A External Internal * 25 TCP * Permit
B Internal External 25 * TCP 1 Permit
C Internal External * 25 TCP * Permit
D External Internal 25 * TCP 1 Permit
E * * * * * * Deny
46. In summary, Rule A allows any external client to communicate
with an internal SMTP server for e-
mail service and Rule B allows responses from the internal
SMTP server to pass through to the
external client. Rules A and B are paired to allow
communications between external clients and
internal servers. Similarly, Rule C allows any internal client to
communicate with an external SMTP
server for e-mail service, and Rule D allows responses from an
external SMTP server to pass through
to the internal client. Rules C and D are paired to allow
communications between an external client
and an internal server.
Let's now consider some sample packets to see how the firewall
works in this example. As shown in
Figure 3.5, let's say that the host IP address is 1.2.3.4, in which
an SMTP server runs on port 25 and
an Oracle database server runs on port 1080 (there are some
services using ports above 1023 for
servers). A remote host with IP address 5.6.7.8 tries to send an
e-mail from port 1234 to your SMTP
server.
Figure 3.5: Example of Packet Filtering for Inbound and
Outbound SMTP Service
Here are the sample packets, filtered by the packet filtering
firewall:
Packet Source
Address
Dest.
Address
48. Published on IST 554 (https://online.ist.psu.edu/ist554)
The client uses port 1356.
Packet Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action
3 11.2.3.4 15.6.7.8 1356 25 TCP 0 Permit
(C)
4 15.6.7.8 11.2.3.4 25 1356 TCP 1 Permit
(D)
Again, the packet filtering rules permit your outgoing e-mail.
Rule C permits outgoing packets from
your SMTP client to an outside SMTP server (Packet 3), and
rule D permits responses from the server
back to your client (Packet 4).
What if the external client tries to open a connection from a
port 5550 on his end to your Oracle
database server on port 1080?
Packet Source
Address
49. Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action
5 5.6.7.8 1.2.3.4 5550 1080 TCP 0 Deny (E)
We can see that Packet 5 ends up being denied by the last rule.
Now, let's say a smart attacker controls this remote client, uses
port 25 by spoofing as the client port
on his end, and then attempts to open a connection to your
Oracle server.
Packet Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action
6 5.6.7.8 1.2.3.4 25 1080 TCP 0 Deny (E)
50. This connection won't succeed as Packet 6 will end up being
denied by the last rule, too. Note,
however, that Packet 6 will pass Rule D if we don't set the ACK
flag (ACK=1) in Rule D.
1. When we design the packet filtering rule set, we need to
consider several factors. Because
someone who is in control of the source machine can run any
client or server he or she
chooses to on a "source port" that the firewall allows through,
the local port numbers should
be restricted as much as possible. Rule A allows only inbound
connections to the SMTP server
on port 25. It doesn't matter whether the program that sends the
incoming request is a
genuine SMTP client or not. The concern is to limit inbound
connections to only ports running
trustworthy servers, and to be sure internal servers are
genuinely trustworthy.
Firewall
Rule
Source
Address
Dest.
Address
Source
Port
Dest.
Port
52. D External Internal 25 * TCP 1 Permit
E * * * * * * Deny
2. Because many clients use random ports above 1023 to
communicate, inbound packets for
ports above 1023 will frequently need to be accepted. Because
there are also some services
using ports above 1023 for servers, accepted inbound packets
might include those from ports
that might have untrustworthy servers on them. In TCP, inbound
packets can be accepted
without accepting inbound connections by requiring the ACK
flag to be set.
In this example, Rule B applies to outgoing connections from
the site, while Rule D controls incoming
connections to the private network. Rule D is more important
because private networks generally
want to have more control on incoming connections than
outgoing connections. Additionally,
because Rule D cannot specify an exact destination port because
the client uses a random port
above 1023, it is safer to have the ACK flag set. Thus, Rule D
accepts incoming packets from SMTP
servers as specified by port 25, only if the packets are part of a
connection started from the inside
(your client to a remote server).
3. Because the attacker can spoof a port number (port 25 in this
case), Rules C and D enable
the attacker to talk to any port inside the protected network. A
better idea is to change "*" to
"> 1023", which means that the host outside can only
communicate with the host inside on
53. ports greater than 1023, so the well-known service offered by
the internal network (ports
below 1023) will be better protected.
Question: If in Rule D, what will happen if ACK is set as "*"?
Both Examples 1 and 2 are samples of static packet filtering,
where the firewall does not
"remember" any outgoing packet it has seen. We will now
discuss stateful packet filtering, where the
firewall "remembers" the packets passing through.
To better understand this example, we have provided an
animation which will make the information
from the preceding screens much clearer and easier to follow.
Stateful Packet Filtering
Stateful packet filtering limits information coming into a
network based, not only on the packet
header content, such as the destination and source address, but
also on the packet data content and
connection state. This technology maintains a complete session
state table and provides more
security checks. Each time a TCP or UDP session is established
for inbound or outbound connection,
the stateful packet filtering intercepts incoming packets from
one interface and builds relevant
information, such as TCP sequence numbers, or connection start
time, in a session state table. It
collects information from every packet passing through and
updates the session state table until it
has enough information about each connection. Packets are
inspected according to the table to
determine the "state" of the connection of a packet. Those
considered to be a part of a valid,
55. Assume there are three outgoing UDP packets; if the firewall
can remember the packet, the firewall
can pass only the incoming UDP packets that:
have been directed to the hosts and ports that sent the outbound
packets; and
are from the hosts and ports that the outbound packets were sent
to.
Example 2
Stateful packet filtering can be configured to drop packets if the
packets belong to a connection that
has lasted too long, for example, three hours. Stateful packet
filtering can maintain statistics
information such as the duration of the session. The filtering
rule can be set to drop packets if they
are part of a connection that has lasted longer than a specified
time period.
The biggest difference between static packet filtering and
stateful packet filtering is that static
packet filtering examines only the header of a packet and allows
packets to pass if the information in
their headers meets the filtering rule sets. Every packet is
handled on an individual basis. Previously
forwarded packets belonging to a connection have no bearing on
the filter's decision to forward or
drop a new packet. Stateful packet filtering examines not just
the header information but also the
contents of the packet and passes only those packets which meet
the filtering rule sets and are part
of a valid, established connection.
Advantages and Disadvantages of Packet Filtering
57. done without the cooperation and often without the knowledge
of users.
Disadvantages
Packet filtering is simple and efficient, but not very powerful.
In other words, as long as the rule set
is passed, a connection is made directly from outside the
firewall to inside the firewall, which results
in reduced security. For example, an attack on the SMTP service
would pass through the firewall
without a problem if packet filtering were set to allow incoming
e-mail from the Internet. Because of
this, it cannot hide information on internal networks (e.g., the
IP addresses of internal clients can be
revealed).
Packet filtering rules tend to be hard to configure and maintain.
There are usually several hundred
rules (e.g., 600-1000 rules) to be set in packet filtering router.
Creating a rule set that correctly
reflects the security needs of a protected site, and managing it
can be very difficult. Packet filtering
rules are also often difficult to test thoroughly, which may leave
a site open to vulnerabilities. When
the security needs of a protected site become more complicated
and stringent, the packet filtering
rules also become more complicated and may become
unmanageable.
Additionally, some security policies are difficult to enforce by
packet filtering because it works on the
network layer. For example, security policies based on user
identities (e.g., allow Tom, but not Jason,
to use FTP); and security policies based on protocols (e.g.,
58. allow some files to be downloaded via
FTP, but not others).
Lastly, a packet filtering firewall has little or no logging
capability. It may not be easy to determine
whether the router has been compromised or is under attack.
Stateful packet filtering provides enhanced security over static
packet filtering. For example, static
packet filtering is limited for security policies based on
connection context (e.g., how long a
connection lasts), while stateful packet filtering has the
capabilities to address this. Also, static
packet filtering is vulnerable to IP spoofing attacks, unless it
has been specifically configured to
prevent this.
Lesson Wrap-Up
Packet filtering is the simplest type of firewall and almost the
easiest to employ for small,
uncomplicated sites. With a packet filtering firewall, direct
connections are allowed from the external
network to hosts on the internal network. Thus, a number of
disadvantages are introduced. Stateful
packet filtering adds more security, but does not necessarily
address all of the problems of static
packet filtering. It is, nonetheless, more desirable in practice.
In our next lesson, we will take a closer look at another firewall
technology--the proxying
firewall--and see how it works.
Now that you have completed this lesson, you should be able to:
Define packet filtering.
Define TCP/IP header, TCP 3-way handshake, and UDP.
60. Describe how a proxy firewall works.
Discuss two different types of proxy servers.
Describe the commercial proxy firewall package: SOCKS.
Identify the advantages and disadvantages of a proxy firewall.
What is a Proxy Firewall?
Before a typical proxy server accepts a connection from a user,
it first determines if the requested
connection between a computer on the internal network and one
on the outside is permitted. If the
connection is authorized, it then completes the connection on
behalf of the requesting software and
sets up the necessary communication links between the two
computers.
Proxy firewall technology runs a special proxy server program
on a firewall host to deal with external
servers on behalf of internal clients or vice versa. It provides a
single host with secured and
controlled Internet access, while giving users the illusion that
the interactions are directly linked to
the machines on the Internet with which they want to
communicate.
Figure 4.1 shows a proxy firewall that sits between a user
(client) on the internal network and a
service (server) on the external network (i.e., the Internet). The
proxy server program handles all the
communication between the user and the server on the Internet.
It takes users' requests for Internet
services (e.g., FTP and Telnet) and, if allowed by the site's
security policy, forwards them to the real
servers that offer the services and relays answers back to users.
Both the server and the client talk
to the proxy. The existence of the proxy server is transparent. It
is as if the client is dealing directly
63. a proxy server, the client is a proxy client. When the proxy
server forwards the request to the real
server, the proxy server becomes a proxy client. A proxy server
running on the firewall can protect
either a client on the internal network or a real server on the
internal network.
Figure 4.3:
Example
Client
Let us take a closer look at the proxy firewall that protects a
client, as shown in Figure 4.1, and
imagine that the internal host sends a request for Telnet service
directly to the proxy server rather
than to the "real" server on the Internet.
The proxy server evaluates the request from the proxy client
and decides what to approve and what
to deny.
If a request is approved, the proxy server contacts the real
server on behalf of the client and
proceeds to relay requests from the proxy client to the real
server and responses from the real
server to the proxy client.
Example
Real Server
65. Custom Client Software: The proxy client is a special version of
a normal client program. When a
user makes a request (e.g., for Telnet), the special client
program knows how to contact the proxy
server instead of the real server and tells the proxy server with
what real server to connect.
Custom User Procedures: The user uses a standard client
program to talk to the proxy server and
tells it to connect to the real server, instead of connecting to the
real server directly.
Sample Proxy Firewall
Solution
s
Figure 4.4 shows an example of a Telnet proxy server. In this
example, the proxy server is used to
protect two Telnet servers in the internal network.
Figure 4.4: A Telnet Proxy Server
Case 1
Contact Webmaster