Introduction

Our project, "Study Different Firewalls", studies how the different firewalls available to us function and compares their pros and cons. We have selected a few firewalls, such as Windows Firewall, ZoneAlarm Firewall, Comodo Firewall etc., for our project. In our project we are concerned only with software firewalls.

Objective

Microsoft Windows provides a variety of methods by which security software can perform network traffic filtering and other security-related tasks. However, these same capabilities can be used by malicious software, also known as malware, to tap into the operating system's network architecture in order to circumvent security software, open backdoors, and steal information. A number of articles have been published that discuss and compare the features of different software firewalls, but there are few resources that explore the filtering techniques that these firewalls use. Understanding these filtering techniques is not only useful for choosing a software firewall and troubleshooting problems with it, but it also helps to understand, detect, and prevent the malware threats that exploit inherent weaknesses in them.
Scope

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spray-paint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

Many traditional-style corporations and data centers have computing security policies and practices that must be followed. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security; it often plays an important role as a security blanket for management.

Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside world". This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.
What is a Firewall?

The Internet is a network of computer networks. It has evolved from the interconnection of networks around the globe. Interconnection is a good thing; it allows the free exchange of information via the Web, e-mail and file transfer. But it also carries a price, namely the risk that your Internet connection may be used by "hackers" (or as some would rather call them "crackers") to gain unauthorized access to your local network. Availability of computing facilities can also be targeted by Denial of Service (DoS) attacks.

A firewall is a system that implements and enforces an access control (or security) policy between two networks; it usually guards an internal private network from an external public one, isolating an intranet from the Internet. Essentially a firewall connects two or more networks but only allows specified forms of traffic to flow between them. The firewall is a means by which a security policy can be enforced.
Types of Firewall

There have historically been two main types of firewall: application layer and network layer.

1. Application layer firewalls implement a proxy server for each service required. A proxy is a server that enables connections between a client and server, such that the client talks to the proxy, and the proxy to the server on behalf of the client. They prevent traffic from passing directly between networks, and as the proxies are often implemented for a specific protocol they are able to perform sophisticated logging and auditing of the data passing through them. A disadvantage of application layer firewalls is that a proxy must exist for each protocol that you wish to pass through the firewall; if one does not exist then that protocol cannot be used. Some protocols, such as SMTP for e-mail, are natural proxies. Others, such as FTP for file transfer, are not.
2. Network layer firewalls make decisions on whether to allow or disallow individual Internet Protocol (IP) packets to pass between the networks. IP is the protocol by which almost all data is routed around the Internet. IP connections rely on a unique source and destination IP address for the communicating hosts. TCP layer port numbers (the "application layer endpoints") are also readily available to a network layer firewall. For example, port 25 is the agreed port number for SMTP e-mail transfer. The firewall can make filtering decisions based on the IP and port number values. This type of firewall can be very flexible. However, the added complexity increases the risk of security holes through misconfiguration. In Figure , a network layer firewall called a "screened host firewall" is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at a network layer. The single host is a bastion host: a highly-defended and secured strong-point that can resist attack.
Modes of operation

There are two very distinct and different modes for network firewalls to operate in.

1. Default allow firewalls allow all traffic in and out of a site. Some specified services may be blocked on the firewall, but all others can freely pass through.
2. Default deny firewalls block all traffic in or out of a site (though commonly they only block inbound, rather than outbound, traffic). Only named services are allowed to pass through the firewall.

All firewall systems which were tested were found to be susceptible to packet spoofing, which tricks the server into thinking packets have come from a trusted host, or into using its intrusion-detection countermeasures to cut connectivity to legitimate sites.

Detection is done mainly by sending packets (requests) and collecting responses from client machines about those packets, thereby getting a detailed report about the port to which each packet was sent across the network. When one machine sends its request, the request is encapsulated in an IP packet. The IP packet consists of two parts, i.e. a header and a data part. The header part consists of all information about the data, i.e. the source IP address and destination IP address, the send time and checksums. This can be used for analyzing data integrity.

The TCP/IP protocol suite is responsible for converting low-level network frames into packets and segments. TCP is an independent, general-purpose protocol. Since TCP makes very few assumptions about the underlying network, it is possible to use it over a single network like an Ethernet as well as over a complex Internet. It is a communication protocol.
A connection consists of a virtual circuit between two application programs. TCP defines an end point to be a pair of integers (host, port). The suite defines various protocols: TCP, UDP, ICMP and IGMP.

TCP
TCP is a connection-oriented, reliable protocol. Sniffing a packet based on the TCP protocol would list out the following details of the packet: Source IP, Destination IP, Source Port, Destination Port, Sequence, Acknowledgement.

UDP
UDP is a connectionless, unreliable protocol. Sniffing a packet based on the UDP protocol would list out the following details of the packet: Source IP, Destination IP, Source Port, Destination Port, Length.

ICMP
Sniffing a packet based on the ICMP protocol would list out the following details of the packet: Source IP, Destination IP, Source Port, Destination Port.

IGMP
Sniffing a packet based on the ICMP protocol would list out the following details of the packet: Source IP, Destination IP, Source Port, Destination Port.

Firewall policies must be realistic and reflect the level of security in the entire network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. A firewall cannot replace security-consciousness on the part of your users.

A firewall is software or hardware which functions in a networked environment to prevent unauthorized access. Its goal is to provide controlled connectivity between the Internet and the internal network. This is achieved by enforcing a security policy. A firewall implements an access control policy. A firewall is a system or group of systems that enforces an access control policy between two or more networks.

For firewalls where the emphasis is on security instead of connectivity, you should consider blocking everything by default, and only specifically allowing what services you need on a case-by-case basis. If you block everything except a specific set of services, then you've already made your job much easier. Instead of having to worry about every security problem with every product and service around, you only need to worry about every security problem with a specific set of services and products.
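The following added example (not part of the original report) parses the TCP and UDP header fields listed above out of raw IPv4 bytes and evaluates the same three packets under a default allow and a default deny rule set. The addresses, ports, rule tuples and function names are constructed for illustration, and the IP checksum is left at zero because the parser does not verify it.

```python
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def parse_ipv4(packet):
    """Extract the header fields a network layer firewall filters on."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto = packet[9]
    info = {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
    }
    payload = packet[ihl:]
    if proto == 6 and len(payload) >= 20:      # TCP: ports, sequence, ack
        sport, dport, seq, ack = struct.unpack("!HHII", payload[:12])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack)
    elif proto == 17 and len(payload) >= 8:    # UDP: ports and length
        sport, dport, length = struct.unpack("!HHH", payload[:6])
        info.update(sport=sport, dport=dport, length=length)
    return info

def decide(info, rules, default):
    """First matching rule wins; otherwise the mode's default applies."""
    dst = ipaddress.ip_address(info["dst"])
    for action, proto, dst_net, dport in rules:
        if (info["proto"] == proto
                and dst in ipaddress.ip_network(dst_net)
                and info.get("dport") == dport):
            return action
    return default

# --- constructed sample packets (documentation address ranges) ---
def build_ipv4(proto, src, dst, l4):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + l4

def tcp_segment(sport, dport, seq=1000, ack=0):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, 0x02, 65535, 0, 0)

def udp_datagram(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = {
    "smtp":   build_ipv4(6, "198.51.100.7", "192.0.2.25", tcp_segment(40000, 25)),
    "telnet": build_ipv4(6, "198.51.100.7", "192.0.2.10", tcp_segment(40001, 23)),
    "snmp":   build_ipv4(17, "198.51.100.7", "192.0.2.10", udp_datagram(40002, 161)),
}

# Default allow: one known-bad service is blocked, everything else passes.
DEFAULT_ALLOW = ([("deny", "TCP", "192.0.2.0/24", 23)], "allow")
# Default deny: only SMTP to the mail host is named, everything else is blocked.
DEFAULT_DENY = ([("allow", "TCP", "192.0.2.25/32", 25)], "deny")

def compare():
    """Return {sample: (verdict under default allow, verdict under default deny)}."""
    result = {}
    for name, raw in SAMPLES.items():
        info = parse_ipv4(raw)
        result[name] = (decide(info, *DEFAULT_ALLOW), decide(info, *DEFAULT_DENY))
    return result

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, parse_ipv4(SAMPLES[name]), verdicts)
```

The unlisted UDP service is the case that separates the two modes: it passes the default allow rule set because nobody thought to block it, and is dropped under default deny because nobody named it.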
Popular hardware & software firewalls

Software Firewall            Hardware Firewall
Windows Firewall             Cisco PIX
ZoneAlarm                    Fortiguard
Comodo Firewall              Cyberoam
Norton Internet Security     Check Point
Outpost                      NetScreen
BlackICE                     NetD
McAfee Internet Security     WatchGuard
Windows Firewall

Windows Firewall is a software component of Microsoft Windows that provides firewalling and packet filtering functions. It was first included in Windows XP and Windows Server 2003. Windows Firewall, previously known as Internet Connection Firewall or ICF, is a protective boundary that monitors and restricts information that travels between your computer and a network or the Internet. This provides a line of defense against someone who might try to access your computer from outside the Windows Firewall without your permission.

Windows Firewall was first introduced as part of Windows XP Service Pack 2. Every type of network connection, whether it is wired, wireless, VPN, or even FireWire, has the firewall enabled by default, with some built-in exceptions to allow connections from machines on the local network. It also fixed a problem whereby the firewall policies would not be enabled on a network connection until several seconds after the connection itself was created, thereby creating a window of vulnerability. XP's Windows Firewall cannot block outbound connections; it is only capable of blocking inbound ones.

Windows Firewall is turned on by default. However, some computer manufacturers and network administrators might turn it off.

To open Windows Firewall:
1. Click Start and then click Control Panel.
2. In the control panel, click Windows Security Center.
3. Click Windows Firewall.

Windows Firewall should always be turned on.
How Windows Firewall Works

When someone on the Internet or on a network tries to connect to your computer, we call that attempt an "unsolicited request." When your computer gets an unsolicited request, Windows Firewall blocks the connection. If you run a program such as an instant messaging program or a multiplayer network game that needs to receive information from the Internet or a network, the firewall asks if you want to block or unblock (allow) the connection. You should see a window like the one below.

If you choose to unblock the connection, Windows Firewall creates an exception so that the firewall won't bother you when that program needs to receive information in the future.

The Exceptions tab includes a list of programs and services that you can select or deselect to allow or remove access to the network. You can also add or delete ports (both TCP and UDP).

When adding programs or ports, you also have the following options to limit the scope of access: Any Computer (Including Those On The Internet), My Network (Subnet) Only, or Custom List, which allows you to choose a mix of IP addresses and subnets.

On the Advanced tab, you can choose which connections the firewall will apply to, and you can specify logging features. You can also control, with some granularity, how the firewall handles Internet Control Message Protocol (ICMP) packets.

Finally, if you get completely lost and make changes that prevent the computer from connecting to the Internet, you can click the Restore Defaults button. This removes all of your changes, returning Windows Firewall to the Microsoft default state.
What Windows Firewall Does and Does Not Do

It does: Help block computer viruses and worms from reaching your computer.
It does not: Detect or disable computer viruses and worms if they are already on your computer. For that reason, you should also install antivirus software and keep it updated to help prevent viruses, worms, and other security threats from damaging your computer or using your computer to spread viruses to others.

It does: Ask for your permission to block or unblock certain connection requests.
It does not: Stop you from opening e-mail with dangerous attachments. Don't open e-mail attachments from senders that you don't know. Even if you know and trust the source of the e-mail you should still be cautious. If someone you know sends you an e-mail attachment, look at the subject line carefully before opening it. If the subject line is gibberish or does not make any sense to you, check with the sender before opening it.

It does: Create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer. This can be useful as a troubleshooting tool.
It does not: Block spam or unsolicited e-mail from appearing in your inbox. However, some e-mail programs can help you do this.
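As an added example (not from the original report) of using the security log as a troubleshooting tool, the script below reads a Windows Firewall log and lists remote addresses whose dropped packets touched several different local ports. The sample lines are constructed, and their column layout is an assumption: the parser takes the field names from whatever "#Fields:" header line the log file itself carries.

```python
from collections import Counter

# Constructed sample; the column layout is assumed, not copied from a real host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-03-01 10:15:02 DROP TCP 198.51.100.7 192.0.2.10 40211 135 48 S 1234567 0 65535 - - - RECEIVE
2005-03-01 10:15:03 DROP TCP 198.51.100.7 192.0.2.10 40212 139 48 S 1234600 0 65535 - - - RECEIVE
2005-03-01 10:15:04 DROP TCP 198.51.100.7 192.0.2.10 40213 445 48 S 1234700 0 65535 - - - RECEIVE
2005-03-01 10:16:40 DROP UDP 203.0.113.9 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2005-03-01 10:17:05 OPEN TCP 192.0.2.10 198.51.100.80 1045 80 - - - - - - - - -
"""

def parse_log(text):
    """Turn each record into a dict keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or damaged lines
                records.append(dict(zip(fields, values)))
    return records

def dropped_ports_by_source(records):
    """Map each source address to the set of (protocol, port) it was dropped on."""
    seen = {}
    for rec in records:
        if rec["action"] == "DROP":
            key = (rec["protocol"], rec["dst-port"])
            seen.setdefault(rec["src-ip"], set()).add(key)
    return seen

def likely_sweeps(records, min_ports=3):
    """Sources whose dropped packets hit at least min_ports distinct ports."""
    hits = dropped_ports_by_source(records)
    return sorted(src for src, ports in hits.items() if len(ports) >= min_ports)

def action_counts(records):
    """Count successful (OPEN) and unsuccessful (DROP) entries."""
    return Counter(rec["action"] for rec in records)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(action_counts(recs)))
    print("several ports probed by:", likely_sweeps(recs))
```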
Pros and Cons of Windows Firewall

The Windows Firewall does a good job of proxying inbound responses to outbound connection requests, and it does a good job of blocking inbound connection requests for TCP or UDP conversations that you haven't initiated. It will block any connection attempts that you haven't specifically allowed in the settings. However, that's only half of what a firewall needs to do.

A firewall should also monitor, inspect, and proxy outbound communication, and this is where Windows Firewall fails. Any program on your computer can initiate any type of connection to any IP address on the Internet, and the Windows Firewall will sit by passively and let it happen!

Don't let any prompts fool you: even though it tells you a program has initiated a connection to the Internet and asks if you want to allow this connection, the connection has already occurred. What it's really asking is whether you want to allow the Internet to connect to this program.
ZoneAlarm Firewall

ZoneAlarm is a personal firewall software application originally developed by Zone Labs, which was acquired by Check Point. It includes an inbound intrusion detection system, as well as the ability to control which programs can create outbound connections.

In ZoneAlarm, program access is controlled by way of "zones", into which all network connections are divided. The "trusted zone" generally includes the user's local area network and can share resources such as files and printers, while the "Internet zone" includes everything not in the trusted zone. The user can specify which "permissions" (trusted zone client, trusted zone server, Internet zone client, Internet zone server) to give to a program before it attempts to access the Internet (e.g. before running it for the first time) or, alternatively, ZoneAlarm will ask the user to give the program permission on its first access attempt.
Features

Designed to be used in conjunction with an antivirus program, the strongest tool in ZoneAlarm's belt is the outbound firewall. Though Windows does offer some outbound protection, it's not activated by default. Most users tend to leave it off because they either don't know about it, or when they do turn it on it regularly interrupts their workflow with pop-up security warnings. Older versions of ZoneAlarm used to be noisy with pop-ups as well, but the new version has been set to be quieter without changing the level of protection. If you prefer, this can be changed in the program settings.

During the testing of the default ZoneAlarm Firewall settings, the only pop-ups encountered were those blocking new software installations. The pop-ups for the three programs tested went away and allowed the installation to proceed with one click. More than just a low rate of interference, only encountering pop-ups for program installations is precisely the kind of warning that keeps you aware of what's occurring on your computer without distracting you simply for surfing the Web.
The benefits of an outbound firewall might not be readily apparent. An inbound firewall blocks threats coming in from the outside, but an outbound firewall does more than prevent your computer from spreading viruses and malware to others. If your computer has been compromised by a botnet, for example, outbound protection will stop it from sending your data back to its host servers. It can also stop program spoofing, which is when a malicious program pretends to be a good one, and IP spoofing, which is when harmful network transmissions dress up as safe ones.
The ZoneAlarm toolbar has also been given more than a simple spit-shine. You can opt out of installing it when you run the main installer, and install it later if you wish, but ZoneAlarm was quick to point out that without it key security features are not activated. Hiding the toolbar after it's been installed won't disable its protections, which include the aforementioned signature and heuristic-based anti-phishing protections.
It also adds a site check option that can be used to reveal the date founded and physical location of the site, and has customizable safe site buttons for launching regularly visited sites such as Facebook or your banking site. The e-mail checker built into the toolbar is compatible with Hotmail, Gmail, Yahoo, RR, Univision, and POP3 accounts.
Performance

ZoneAlarm's performance was notable simply for how unnoticeable it was. Shutdown time did not appear to be affected at all, and neither did starting up cold nor rebooting. Changing the antivirus program that it was partnered with didn't affect the firewall's behavior, either.

Pros and Cons of ZoneAlarm

Pros: Free for non-commercial use, frequently updated, protects incoming and outgoing connections without additional configuration.
Cons: Did not automatically configure as many applications.
Outpost Firewall

Outpost Firewall Pro is a software-based personal firewall package developed by the Russian firm Agnitum. Outpost Firewall 2009 Free now includes full Windows Vista (32 and 64 bit) support and a completely revamped user interface.

Outpost Firewall Pro (personal firewall) is designed to monitor incoming and outgoing network traffic on Windows machines. Like most advanced PC firewalls (ZoneAlarm, Comodo, etc.), Outpost goes beyond monitoring Internet traffic and also monitors application behavior in an attempt to stop malicious software covertly infecting Windows systems. Agnitum calls this technology "Component Control" and "Anti-Leak Control" (included in the HIPS-based "Host Protection" module). The product also includes a spyware scanner and monitor, together with a pop-up blocker/spyware filter for Internet Explorer and Mozilla Firefox. Outpost's web surfing security tools include black-lists for IPs and URLs, unwanted web page element filters and ad-blocking. The technology altogether is known as "Web control".
Outpost Firewall Pro allows the user to specifically define how a PC application connects to the Internet. This is known as the "Rules Wizard" mode, or policy, and is the default behavior for the program. When in this mode, Outpost Firewall Pro displays a prompt each time a new process attempts network access or when a process requests a connection that is not covered by its pre-validated rules. The idea is that this lets the user decide whether an application should be allowed a network connection to a specific address, port or protocol.

In practice, prompting users can make the product seem overcomplicated to less experienced users. Agnitum engineers include pre-set rules for many popular applications. Users can optionally submit rules they have created through the Agnitum ImproveNet system, where Agnitum engineers validate them and share new rules via product updates.

Outpost is a very powerful and feature-rich firewall. Many users will barely scratch the surface of what can be done with the configuration manager.

We're happy to report that the instant nagging prompts pushing users to upgrade to the paid version, which plagued the previous version of Outpost Firewall, are gone. Gone too are the concerns about lack of support for the software. Agnitum seem fully committed to supporting this new free firewall and we had no concerns about the software being out of date this time. Configuring and working with Outpost may initially seem a bit daunting, although with the new interface it is much easier.

Pros and Cons of ZoneAlarm

Pros: Very powerful firewall, extensive configuration options, protects incoming and outgoing connections without additional configuration, automatic configuration for lots of popular software, full 64 bit operating system support.
Cons: Some users find ZoneAlarm easier to use, although thanks to the revamped interface Outpost Firewall is no longer as daunting to beginners.
Comodo Firewall

Comodo Internet Security is currently ranked number 1 in Matousec's Proactive Security Challenge, passing 100% of the 148 software firewall tests, and is the only firewall and host intrusion prevention system to consistently score number 1 or tie for number one (usually with Online Armor) in all independent tests.

Comodo Internet Security was designed around the concept of layered security, by integrating components designed to prevent intrusions upon a computer system (the Firewall, Defense+, and Memory Firewall) with components designed to resolve any intrusions which the other components miss.

This free software firewall, from a leading global security solutions provider and certification authority, uses the patent-pending "Clean PC Mode" to prohibit any application from being installed on your computer unless it meets one of two criteria. Those criteria are a) the user gives permission for the installation and b) the application is on an extensive list of approved applications provided by Comodo. With this feature, you don't have to worry about unauthorized programs installing on your computer without your knowledge.
Configuration

Comodo Firewall Pro is a freeware software package for Windows that controls the programs that can connect to the outside world and the types of connections that they can make. If Comodo Firewall isn't configured correctly, it can prevent Firefox from accessing the Internet, causing Firefox to give "Server not found" errors. This section describes how to configure Comodo Firewall Pro to give Firefox access to the Internet.

Open Comodo Firewall Pro: click the Windows Start button, then click All Programs > Comodo > Firewall > COMODO Firewall Pro.

In the Summary window, under the Security Monitoring heading, click the Application Monitor.
In the list of Application Control Rules, locate any mentions of Firefox or firefox.exe. Click on each one, then click Remove.

After removing each instance of Firefox in the Application Control Rules list, click the Tasks button.

In the Tasks window, click Define a new Trusted Application.
In the Trusted Application window, under the Specify Application heading, click Browse... Navigate to your Firefox program folder (usually C:\Program Files\Mozilla Firefox) and choose firefox.exe. Click OK at the bottom of the Trusted Application window.
Return to the Application Monitor by clicking its icon on the left side of the window. You should see Firefox listed, this time with full access rights.

Unless you have a whole lot of stuff to set up, or multiple users, or you are on a network machine, we would suggest you just install and enter the settings as the firewall detects new applications and activities.

In the message box that shows up:
1. Set the action to take (allow, block, ...).
2. Set the type of app that it is (installer, ...).
3. If you want to set this property for this app permanently, check the box (do this always).

As you add more apps to the "do always" list, the frequency of the message box will go down.
PROS of Comodo Firewall

1. Free means free!: Comodo Firewall is completely free software and they actually mean free. They don't give any nag screens, no promotional offers, nothing. They are giving away the software at zero cost. They just require you to supply your email address, so that they can send you the registration key at no cost. They send registration keys to keep track of how many people are using their software.

2. Great security: It delivers what it is supposed to and thus qualifies itself as one of the better security software packages available on the Internet. In various tests, it has proved its worth and helped in identifying the unwanted elements. It blocks attacks from the outside world and blocks malware-style leak tests. It lets you take control of the software or programs which will access the Internet connection. Watch out, bad guys: the firewall will not let you break into the computer so easily.

3. Simple interface: The interface of the software is also simple. It is good enough for any user, and most users will find it easy to use and to go through the options it has to offer. However, there is still scope for improvement, but I'm sure that most of the users will be fine with it.

4. Recognizes known programs: One of the good things about this software is that it lets you scan your computer first and then automatically puts the known programs in the safe list and doesn't give alerts for that software.

CONS of Comodo Firewall

1. Too many alerts: Somehow, it gave lots and lots of alerts and thus it can alarm any beginner at the start and can create problems in case a user clicks on the deny button for an important piece of software. Alerts can, however, be minimized by letting the program scan through the system for the known programs.

2. Starting problems in accessing web-based services: I did face some problems in accessing web-based services like GMail and Google Reader. However, once I restarted the computer, everything seemed normal. After using it for a few days, I started to face problems in connecting to the Internet, and it gave me errors too. However, just a simple restart and everything used to get back to normal.