Chapter 6: Firewall Systems
Introduction
Due to the rapid growth of interest in the Internet and the widespread availability
of the penetration testing tools, techniques, and methods discussed previously,
network security has become a major concern for organizations worldwide.
Attacks on an organization's computer networks can originate from outside the
organization (external attacks) or from within the organization itself (internal
attacks).
A firewall is the generic name for any security system that protects the
boundary of an internal network against external threats from the Internet.
This module describes various firewall technologies and architectures, with a
focus on external attacks.
The need for firewall
When organizations connect their private networks to the Internet, whether to
obtain useful external information or to share information, they are at the same
time exposing those networks to potential attacks from outsiders, for instance
probing attacks, denial-of-service (DoS) attacks, IP spoofing, and application
layer attacks (such as Trojan horses), to name a few.
Questions that may arise include: (1) How to protect confidential information from
those entities who do not explicitly need to access it? (2) How to protect the
private network and its resources from malicious users and accidents that
originate outside of your network?
The functional requirements of an organization's computer network are dictated
by its business goals and security policy. The level of security established
within the organization determines how effectively the attacks mentioned above
can be addressed and the above questions resolved.
Edge networks must be protected from the rest of the Internet. Firewalls can be
used to do so; this helps enforce some aspects of the security policy.
The reasons for using firewall technology include, but are not limited to, the
following:
• Encryption cannot stop malicious packets from getting into an edge
network.
• Authentication can determine whether an incoming IP packet comes from
a trusted user. However, not all host computers have the resources to run
authentication algorithms.
• Host computers are managed by different users with different skill levels.
It should be emphasized, however, that the rules governing a firewall define
what to do with some of the traffic, not all of it. Firewalls cannot protect
against attacks that originate inside the firewall, and there are attacks that
a firewall alone cannot prevent; firewalls alone are therefore not a solution to
the problem of securing a network. In an organization that has deployed firewalls,
it remains critical to inform and educate users so that they view security as a
vital part of their computer use.
A Firewall can be characterized as:
• A gateway between a trusted network and a less trusted one.
• An enforcer of security policy.
• A system designed to:
o Control external access to company data and resources (ingress).
o Control internal access to Internet systems and services (egress).
o Provide a security and monitoring choke point.
An example of firewall architecture is depicted in Figure 5-1.
Figure 5-1: Example of firewall architecture (Wang, 2009)
ALT TAG: Fig 5-1. Diagram showing an example firewall architecture made of
two blocks. The external network (left side) and the internal network composed of
four computers (right side) are two entities separated physically by a firewall,
whose goal is to filter the traffic coming from the external network and destined
to the internal network.
Functionality and Implementation:
Typical tasks of a firewall consist of:
• Access control based on sender or receiver addresses.
• Access control based on the service requested.
• Hiding the internal network (e.g. topology, addresses, traffic, etc.).
• Virus checking on incoming files and filtering of emails.
• Authentication based on the source of traffic.
• Logging of Internet activities.
Developing or selecting a firewall requires identifying the security requirements
and defining accordingly a security policy. To do so, one needs to:
• Understand the assets to be protected and the threats to those assets.
• Understand the user requirements.
• Understand the available resources: operating system, network
infrastructures and protocols.
• Design access policies and rules.
Firewall categories
Filtering routers
Packet inspection can take place at any of the seven Open Systems
Interconnection (OSI) reference layers (described in Module 2), as shown in
Figure 5-2.
Figure 5-2: The OSI reference layers
ALT TAG: Fig 5-2. Diagram showing the 7 layers of the OSI reference model.
However, it is commonly implemented at the application layer, the network
layer, or the transport layer.
• Application layer: inspection is performed by application layer
firewalls, also called application gateways or proxy servers (proxies).
• Network layer: inspection is performed by network layer firewalls,
also called filtering routers or screening routers.
• Transport layer: inspection is performed by transport layer firewalls,
also called circuit gateways.
Filtering routers:
• Perform ingress (incoming) and egress (outgoing) filtering on packets.
• Only inspect IP and TCP/UDP headers, not the payloads.
• Can perform either stateless or stateful filtering. Stateless filtering is
easy to implement but limited in what it can express; stateful filtering is
harder to implement but more powerful.
Before routing a packet, filtering routers perform a filtering of the received
packets based on the headers and Access Control List (ACL) associated with the
physical interface the packet came through. Each ACL entry specifies the values
for particular packet header fields as well as the action to be taken if the received
packet matches these values.
Access Control List (ACL):
An ACL entry for filtering is based on the IP and transport protocol (e.g. UDP,
TCP) headers. The following fields are used:
• Source IP address.
• Destination IP address.
• Protocol type (e.g. TCP, UDP or ICMP).
• Source port.
• Destination port.
• ACK bit (TCP header).
Rules are checked from top to bottom and the first matching rule is applied. If
no rule matches, the packet is blocked by default.
Sample rules:
• Source address: stops packets arriving from the Internet that claim to
originate from an internal source address.
• Destination address: for instance, limits incoming traffic to the bastion
host only.
• Protocol: for instance, allows FTP and blocks Telnet based on destination
port numbers.
• Connection: distinguishes, for instance, the packets that arrive in reply to
an internal FTP request from those that belong to a connection initiated
from the Internet.
The first three rules can be evaluated from the headers of each packet alone;
the connection rule requires stateful inspection.
Example of filtering router: protecting against spoofing of internal IP addresses
Many network services base their authentication on the source IP address of the
host requesting the service. A filtering router can be used in this case to prevent
spoofed IP packets that claim to originate from the local network from crossing
the border of the local network. An example is depicted in Figure 5-3.
Figure 5-3: example of filtering router.
ALT TAG: Fig. 5-3. Diagram showing an example of a filtering router sitting
between a local network (left side) and the Internet (right side), whose goal is to
filter the traffic originating from the Internet and destined to the local network.
Security Policy: Filter out all packets coming through an external interface and
whose source IP address belongs to the local network. The ACL for port #1 in
Figure 5-3 is shown in Table 5-1.
Table 5-1: ACL for port #1 in Figure 5-3.
ALT TAG: Table 5-1. Table displaying the ACL for port #1 in Figure 5-3, made of
the entry number, source and destination IP addresses and masks, and the action
to take.

Entry number | Source IP address/Mask | Destination IP address/Mask | Action
(1)          | 220.0.0.0/255.0.0.0    | any                         | deny
(2)          | any                    | any                         | permit

(The action column is truncated in the source; the actions above follow from the
stated policy: entry (1) drops packets arriving on the external interface whose
source address lies inside the local network 220.0.0.0/8, entry (2) permits
everything else.)

Advantages of Filtering Routers:
• Reliability: a filtering router is simple to implement, which makes it
much less likely that exploitable bugs exist in the firewall code.
• Performance: the same simplicity means that rule sets tend to be less
complex, so better communication performance can be achieved.
• Cost: a filtering router can be implemented on relatively inexpensive
hardware, meaning that simple, cheap boxes can do packet filtering for
very large numbers of user connections.
Limitations of Filtering Routers:
• Exposure of network topology information: it is important to hide
knowledge of the local network from outsiders, since such knowledge can
help in compromising the network. A filtering router forwards packets with
their internal addresses unchanged, so it hides nothing.
• It is not possible to completely filter TCP packets that are not valid, or
are not part of an active connection.
• It is not possible to fully filter UDP to ensure that datagrams are part
of a valid conversation. Hence one is left with the choice of either
blocking UDP completely or accepting that packets may traverse the firewall
which should not be allowed through.
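The following is an added example, not code from the original notes: a stateless ACL evaluator that implements the top-to-bottom, first-match, default-deny semantics of the ACL section and the anti-spoofing policy of Table 5-1, together with a tighter ACL of the kind actually deployed on an Internet-facing interface. The Packet and Rule layouts, the bastion host address 220.1.1.10 and the sample packets are assumptions made for this example.

```python
"""Stateless packet-filter ACL evaluator (added illustration, not from the text).

Implements the first-match, default-deny semantics described above and the
anti-spoofing policy of Table 5-1: a packet arriving on the external
interface (port #1) whose source address lies inside the local network
220.0.0.0/8 is denied; anything else is permitted by that ACL.
The Packet and Rule layouts, the bastion address and the sample packets are
assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOCAL_NET = ipaddress.ip_network("220.0.0.0/255.0.0.0")   # local network in Table 5-1
BASTION = "220.1.1.10"                                     # assumed bastion host address


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrived on ("port1" = external)
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False          # TCP ACK bit: clear only on the first SYN of a session


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str = "any"           # single address or prefix (CIDR or netmask form)
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None    # None: any destination port
    ack: Optional[bool] = None     # None: don't care about the ACK bit

    def matches(self, p: Packet) -> bool:
        return (_addr_match(self.src, p.src)
                and _addr_match(self.dst, p.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Scan top to bottom; the first matching rule decides. No match: deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# ACL for the external interface (port #1) exactly as in Table 5-1.
PORT1_ACL = [
    Rule("deny", src=str(LOCAL_NET)),   # (1) source claims to be internal: spoofed
    Rule("permit"),                     # (2) everything else
]

# A tighter ACL of the kind deployed on an Internet-facing interface: inbound
# TCP only to the bastion's SMTP port, or segments with ACK set (replies to
# sessions opened from inside); anything else falls through to default deny.
STRICT_ACL = [
    Rule("deny", src=str(LOCAL_NET)),
    Rule("permit", dst=BASTION, proto="tcp", dport=25),
    Rule("permit", proto="tcp", ack=True),
]

# Constructed sample traffic, all arriving on port #1 from the Internet side.
SAMPLES = [
    Packet("port1", "220.5.6.7", BASTION, "tcp", 40000, 25),            # spoofed internal source
    Packet("port1", "198.51.100.9", BASTION, "tcp", 40000, 25),         # SMTP to the bastion
    Packet("port1", "198.51.100.9", "220.1.1.20", "tcp", 40000, 23),    # Telnet to an inside host
    Packet("port1", "198.51.100.9", "220.1.1.20", "tcp", 80, 51000, ack=True),  # looks like a reply
]


def verdicts(acl: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for p, t, s in zip(SAMPLES, verdicts(PORT1_ACL, SAMPLES), verdicts(STRICT_ACL, SAMPLES)):
        print(f"{p.src:>13} -> {p.dst}:{p.dport:<5} table5-1={t:<6} strict={s}")
```

The last sample packet illustrates the limitation stated above: it carries the ACK bit but belongs to no session anyone inside opened, and a stateless ACL has no way to tell, so the strict ACL still permits it. Only stateful inspection, described next, can reject it.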
Stateful inspection:
Packet filtering is restricted to making its filtering decisions based only on the
header information of each individual packet, without considering any prior
packets.
Stateful inspection allows both complex combinations of payload (message
content) and the context established by prior packets to influence filtering
decisions.
Stateful inspection:
• Takes the basic principles of packet filtering and adds the concept of
history, so that the firewall considers each packet in the context of previous
packets. For example, it records in an internal table when it sees a TCP SYN
packet, and will only forward TCP packets that match an existing
conversation to the network.
• Keeps track of connection states between internal and external hosts.
• Accepts or rejects packets based on the connection state.
As with packet filtering, stateful inspection is implemented as an "add-on" to
routing, so the host on which the stateful inspection function executes must
also act as a router.
Limitations of stateful inspection:
• The implementation is necessarily more complex and therefore more likely
to be buggy.
• It also requires a device with more memory and a more powerful CPU for
a given traffic load since information has to be stored about each and
every traffic flow seen over a period of time.
Example of stateful inspection:
Linux iptables is a powerful tool for implementing firewall functionality in the
Linux operating system. It incorporates a packet-selection mechanism and a
mechanism for applying actions to the selected packets. Packets are selected
and filtered based on their IP source and destination addresses or other packet
features.
There is a wide variety of actions that can be applied to packets, called
targets in iptables terminology. Examples are captured in Table 5-2 and
Table 5-3.
Table 5-2: Examples of IPTables rules.
ALT TAG: Table 5-2. Table displaying five IPTables rules.
Table 5-3: Additional IPTables rules.
ALT TAG: Table 5-3. Table displaying two additional IPTables rules.
In Table 5-3, the first rule logs a message for every DNS query from host
192.168.0.10 to the DNS server 192.168.12.10. The second rule has an ACCEPT
target, allowing the packet to continue its journey.
Connection Tracking: iptables provides stateful inspection, referred to as
connection tracking in iptables terminology. This allows iptables to know the
state of the connection to which each processed packet belongs.
The connection tracking states used in building the rules are shown in Table 5-4.
Table 5-4: Connection tracking states.
ALT TAG: Table 5-4. Table displaying the connection tracking states used in
building the rules.
An example of a connection state table is shown in Table 5-5.

Client address | Client port | Server address | Server port | Connection state | Protocol
219.22.101.32  | 1030        | 129.63.24.84   | 25          | established      | TCP
219.22.101.54  | 1034        | 129.63.24.84   | 161         | established      | UDP
210.99.201.14  | 2001        | 129.63.24.87   | 80          | established      | TCP
24.102.129.21  | 3389        | 129.63.24.87   | 110         | established      | TCP

Table 5-5: An example of connection state table.
[Isaac Woungang Copyright 2012]
ALT TAG: Table 5-5. A table showing the state of the connection (in this case
"established") between four clients and two servers, each identified by its
address, the port numbers used for the connection, and the protocol followed
(TCP or UDP).
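The following is an added example, not code from the original notes: a small connection-tracking simulator that behaves as the stateful inspection section describes, keeping a state table of the shape shown in Table 5-5. The state names NEW, ESTABLISHED and INVALID are the ones iptables connection tracking uses; the Packet layout, the interface names "inside"/"outside", and the sample traffic are assumptions made for this example.

```python
"""Connection tracking (stateful inspection) simulator, an added illustration
that is not part of the original text.

A TCP SYN from the inside creates an entry in the state table; later packets
are forwarded only when they belong to an existing entry, and an unsolicited
packet from the outside is dropped even if it carries the ACK bit. The state
names NEW, ESTABLISHED and INVALID are those used by iptables connection
tracking; the Packet layout, interface names and sample traffic are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # "inside" or "outside": interface the packet arrived on
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# One row of the state table (compare Table 5-5): proto, client, cport, server, sport
Key = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Policy: sessions may only be opened from the inside; replies are let back in."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # key -> "new" (one direction seen) | "established"

    def _find(self, p: Packet) -> Tuple[Optional[Key], Optional[str]]:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, "original"
        if rev in self.table:
            return rev, "reply"
        return None, None

    def classify(self, p: Packet) -> str:
        key, direction = self._find(p)
        if key is None:
            # A TCP session must start with a bare SYN; any other segment that
            # matches no entry is INVALID (e.g. an ACK-only probe).
            if p.proto == "tcp" and not (p.syn and not p.ack):
                return "INVALID"
            return "NEW"
        if direction == "reply":
            self.table[key] = "established"   # traffic now seen in both directions
        return "ESTABLISHED" if self.table[key] == "established" else "NEW"

    def process(self, p: Packet) -> Tuple[str, str]:
        """Return (conntrack state, verdict) and update the table."""
        state = self.classify(p)
        if state == "INVALID":
            return state, "DROP"
        if state == "NEW":
            if p.iface != "inside":
                return state, "DROP"          # unsolicited inbound session
            self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = "new"
        return state, "ACCEPT"


# Constructed sample: one outbound HTTP session, two probes from outside, one DNS exchange.
SAMPLE = [
    Packet("inside",  "tcp", "192.168.0.10", 1030, "129.63.24.87", 80, syn=True),
    Packet("outside", "tcp", "129.63.24.87", 80, "192.168.0.10", 1030, syn=True, ack=True),
    Packet("inside",  "tcp", "192.168.0.10", 1030, "129.63.24.87", 80, ack=True),
    Packet("outside", "tcp", "203.0.113.5", 4444, "192.168.0.10", 445, ack=True),   # ACK-only probe
    Packet("outside", "tcp", "203.0.113.5", 4445, "192.168.0.10", 22, syn=True),    # inbound SYN
    Packet("inside",  "udp", "192.168.0.10", 5353, "192.168.12.10", 53),
    Packet("outside", "udp", "192.168.12.10", 53, "192.168.0.10", 5353),
]


def run(packets: List[Packet]) -> List[Tuple[str, str]]:
    fw = StatefulFilter()
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for p, (state, verdict) in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.iface:<7} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {state:<11} {verdict}")
```

The ACK-only probe that a stateless ACK-bit rule would have passed is classified INVALID and dropped here, because no SYN from the inside ever created an entry for it. The equivalent iptables policy is a rule accepting packets with conntrack state ESTABLISHED,RELATED (-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT), a rule dropping state INVALID, and a rule accepting state NEW only on the inside interface, with the chain's default policy set to DROP. Note also that UDP has no handshake, so the "established" UDP entry (as in the second row of Table 5-5) only means the gateway has seen a datagram in each direction.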
Circuit gateways
Circuit gateways operate at the transport layer. They examine the IP addresses
and port numbers in TCP/UDP headers to determine whether a connection is
allowed. Usually they are combined with a packet filter to form a dynamic packet
filter.
Typically, a circuit gateway is meant to:
• Relay a TCP connection between an internal and an external host.
• Disallow direct connections between the external and internal networks.
• Maintain a table of valid connections and check incoming packets against
that table.
Its basic structure is depicted in Figure 5-4.
Figure 5-4: Basic architecture of a circuit gateway (Wang, 2009)
ALT TAG: Fig 5-4. Diagram showing the basic architecture of a circuit gateway,
Chapter 7, pp. 256-257. The client host in an internal network made of a circuit
gateway and other hosts (right side) sends a service request to the client host in
the external network (left side) via the server host in the internal network. The
latter responds by exchanging a few messages with this server host and eventually
sends back the response to the server host; the response undergoes a filtering
process by the circuit gateway before reaching the client host in the internal
network.
Proxy servers
A proxy server prevents any direct connection between a host on an untrusted
network (such as the Internet) and a host on a trusted network (such as a
corporate virtual private network).
• The direct connection is broken into two connections, with the proxy
mediating between the two hosts.
• The function of the proxy is to protect the internal network by hiding
information and restricting access to users' information and services.
An example of proxy server deployment is depicted in Figure 5-5.
Figure 5-5: Example of proxy server deployment
ALT TAG: Fig 5-5. Diagram showing the deployment of a proxy server. The
external or untrusted network (left side) and the internal (or trusted) network
(right side) are two entities separated physically by a proxy server, whose goal is
to filter the traffic coming from the untrusted network and destined to the trusted
network.
Basic functionalities of a proxy program include:
• Accepting the client sessions and appearing to them as a server.
• Receiving from the client software the name of the actual server.
• Contacting the actual server and appearing to it as a client.
• Relaying all the data from the client to a server.
• Performing access control and enforcement functions by checking, and
accepting or rejecting the incoming and outgoing connections.
• Performing deep packet inspection on all packets, i.e.
– Inspecting the application program formats.
– Applying the rules based on the payload.
– Having the ability to detect malicious and suspicious packets.
Specific functionalities of a proxy may include:
• Hiding information about the internal network and user identities by
exposing only a specific service.
• Protecting a particular service or protocol.
• Providing an application-level extension of stateful packet filtering by:
o Supporting scanning of packet payloads.
o Dropping packets that do not match the expected connection state or
data type for the protocol.
Although more expensive, application proxies are, in some ways, inherently more
secure than packet filtering routers. An example of application proxy is shown in
Figure 5-6.
Figure 5-6: Example of application proxy (Wang, 2009).
ALT TAG: Fig 5-6. Diagram showing an example of application proxy, Chapter 7,
page 258. The external client (left side) and the internal network made of one
server and two computers (right side) are two entities separated physically by an
internal packet filtering router, an application gateway, and an external router
(placed in series), whose goal is to filter the traffic originating from the external
client and destined to any of the two clients in the internal network.
Application gateways are placed between the external and the internal networks.
As such, they are exposed to attacks from the external network. Therefore they
need strong security protection: a trusted operating system, i.e. an operating
system that meets a particular set of security requirements, and deployment on
bastion hosts, i.e. systems with strong defensive mechanisms.
Firewall configurations
Single-Homed Bastion System (SHBS)
Bastion hosts are systems with strong defensive mechanisms. Typically they
serve as the host computers on which application gateways, circuit gateways, and
other types of firewalls are implemented. They are designed to run a trusted
operating system. As such, they must not carry any unnecessary functionality, and
they must be kept simple to reduce the probability of errors.
A Single-Homed Bastion System (SHBS) consists of a packet-filtering router and
a bastion host. The router connects the internal network to the external one. The
bastion host resides inside the internal network.
The packet-filtering router forces all traffic through the bastion host: it blocks
each incoming packet unless its destination is the bastion host, and it blocks each
outgoing packet if its source address is not the IP address of the bastion host. If
the packet-filtering router is compromised, the attacker can modify the ACLs and
bypass the bastion host. An example of SHBS is depicted in Figure 5-7.
Figure 5-7: Example of Single-Homed Bastion System (SHBS) (Wang, 2009).
ALT TAG: Fig 5-7. Diagram showing an example of Single-Homed Bastion
System (SHBS), Chapter 7, page 262. The external network (left side) is
separated physically from the internal network made of three clients and a series
of server computers and devices (right side) by a SHBS (made of a packet-
filtering router and a bastion host). The role of the SHBS is to filter the incoming
traffic from the external network that is destined to any of the clients or servers
in the internal network.
Screened Subnets: when the SHBS architecture in the figure above is paired with
a second packet-filtering router for the internal network, the area between the
two packet-filtering routers is called a screened subnet. A screened subnet hides
the internal network structure from external hosts.
Dual-Homed Bastion System (DHBS)
The Dual-Homed Bastion System (DHBS) divides the internal network into two
zones:
– The inner zone, where hosts are unreachable from the external network.
– The outer zone, where hosts may be reached from the Internet.
• Hosts in the inner zone are protected by both the bastion host and the
packet-filtering router.
• Servers in the outer zone are protected by the packet-filtering router only.
Because the bastion host has two network interfaces and is the only path between
the two zones, the DHBS prevents access to the inner zone even if the packet-
filtering router is compromised. An example of such a system is illustrated in
Figure 5-8.
Figure 5-8: Example of Dual-Homed Bastion System (DHBS) (Wang, 2009).
ALT TAG: Fig 5-8. Diagram showing an example of Dual-Homed Bastion System
(DHBS), Chapter 7, page 263. The external network (left side) is separated
physically from the internal network made of three clients and a series of server
computers and devices (right side) by a DHBS (made of a packet-filtering router
and a dual-homed bastion host). The role of the DHBS is to filter the incoming
traffic from the external network that is destined to any of the clients or servers
in the internal network.
Demilitarized zone (DMZ)
A DMZ is a subnet lying between two firewalls, the internal firewall and the
external one. The external firewall protects the DMZ from external threats,
whereas the internal firewall protects the internal network from the DMZ. In
general, DMZs can be implemented in a hierarchical structure. An example of a
DMZ is shown in Figure 5-9.
Figure 5-9: Example of Demilitarized zone (DMZ) architecture (Wang, 2009).
ALT TAG: Fig 5-9. Diagram showing an example of Demilitarized zone (DMZ)
architecture, Chapter 7, page 264. The Internet (external network, left side) is
separated physically from the internal network made of two client computers
(right side) by a DMZ (made of a packet-filtering router, four servers
(Web/SMTP/Proxy), and two packet filters). The DMZ protects the internal
network by filtering the Internet traffic destined to it.
Network Address Translation (NAT)
Network address translation (NAT) is a pragmatic solution to the limited supply
of IP addresses. IP addresses are a somewhat limited resource and have to be
unique across the globe (IPv4 is limited to only 2^32 addresses). Hence they are
assigned hierarchically by a central authority and passed down in blocks to
service providers, who then make them available to their customers.
Many organizations and Internet Service Providers (ISPs) choose to allocate a
single global IP address to the customer, who then installs a NAT device at the
end of the connection and uses self-allocated private addresses on their internal
network.
NAT divides the IP addresses into public and private (non-routable) groups.
Many private IP addresses can connect to the Internet through a few public IP
addresses.
The NAT gateway works by modifying the address part of all packets on the way
through as shown in Figure 5-10.
Figure 5-10: Example of Network Address Translation (NAT) gateway
deployment.
ALT TAG: Fig 5-10. Diagram showing an example of Network Address
Translation (NAT) gateway deployment. Packets originating from a host on the
local (internal) network pass through the NAT gateway (middle), which rewrites
their addresses before forwarding them to the Internet; replies from the Internet
reach the NAT gateway, which rewrites them again and passes them back to the
originating host on the local network.
Outgoing packet: The NAT gateway makes a note of the (internal, private)
source address of the packet, as well as the destination server address and port
number. It then overwrites the source IP address with its own single global
Internet address and sends it on towards the Internet. The remote server
receives the packet with the NAT gateway's address as the originator, and
directs its replies at this address.
Reply packet: When the reply packet arrives back at the NAT gateway, it looks
up the address and port number in its table, works out what the (internal) address
of the real originator was, substitutes this into the destination address and
forwards on through the internal network.
Dynamic NAT: dynamically assigns a small number of public IPs to a large
number of private IPs. Port Address Translation (PAT) is a variant of NAT that:
– Allows one or more private networks to share a single public IP.
– Is commonly used for homes and small businesses.
– Works by remapping the source and destination addresses and ports of
packets.
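The following is an added example, not code from the original notes: a PAT gateway simulator that performs the outgoing-packet and reply-packet steps described above, allocating a distinct public port per private flow so that two internal hosts using the same source port do not collide, and dropping inbound packets that match no table entry. The public address 203.0.113.1, the port range and the sample packets are assumptions made for this example.

```python
"""Port Address Translation (PAT) gateway simulator, an added illustration that
is not part of the original text.

Outgoing packet: the gateway records the private source and the destination,
rewrites the source to its single public address, and picks a fresh public
port so that two internal hosts using the same source port do not collide.
Reply packet: it looks the public port up in its table and restores the
private destination. A packet from outside with no matching entry is dropped,
which is why PAT incidentally blocks unsolicited inbound traffic. Addresses,
the port range and sample packets are assumptions for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport), private side


class PATGateway:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        self.outbound: Dict[Flow, int] = {}                 # private flow -> public port
        self.inbound: Dict[Tuple[str, int], Flow] = {}      # (proto, public port) -> private flow

    def _allocate_port(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("translation table full")   # real gateways also expire idle entries
        port = self._next_port
        self._next_port += 1
        return port

    def translate_out(self, p: Packet) -> Packet:
        """Private -> public: rewrite source address and port, remembering the mapping."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow not in self.outbound:
            port = self._allocate_port()
            self.outbound[flow] = port
            self.inbound[(p.proto, port)] = flow
        return replace(p, src=self.public_ip, sport=self.outbound[flow])

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Public -> private: only a reply matching an existing mapping is forwarded."""
        if p.dst != self.public_ip:
            return None
        flow = self.inbound.get((p.proto, p.dport))
        if flow is None:
            return None                                     # unsolicited inbound: drop
        _, priv_src, priv_sport, server, server_port = flow
        if (p.src, p.sport) != (server, server_port):
            return None                                     # not the peer we talked to: drop
        return replace(p, dst=priv_src, dport=priv_sport)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two inside hosts share one public address; one reply comes back; one probe is dropped."""
    gw = PATGateway("203.0.113.1", first_port=40000)
    a = Packet("tcp", "192.168.0.10", 1030, "129.63.24.87", 80)   # constructed inside host A
    b = Packet("tcp", "192.168.0.11", 1030, "129.63.24.87", 80)   # host B, same source port
    out_a, out_b = gw.translate_out(a), gw.translate_out(b)
    reply_b = Packet("tcp", "129.63.24.87", 80, "203.0.113.1", out_b.sport)
    probe = Packet("tcp", "198.51.100.7", 4444, "203.0.113.1", 3389)   # nobody asked for this
    return out_a, out_b, gw.translate_in(reply_b), gw.translate_in(probe)


if __name__ == "__main__":
    for label, pkt in zip(("out A", "out B", "reply B", "probe"), demo()):
        print(f"{label:<8} {pkt}")
```

The table the gateway keeps is the same kind of per-flow state a stateful firewall keeps, which is why PAT is often mistaken for a firewall; it blocks unsolicited inbound packets only as a side effect of having nowhere to deliver them, and it does nothing to outbound traffic or to anything the inside host has invited in.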
Basic firewall architectures
Typical firewall architectures include the Basic Border Firewall architecture, the
Basic Border Firewall with Untrustworthy Architecture, the Basic Firewall with
DMZ Network Architecture, and the Dual Firewall with DMZ Network
Architecture.
Basic Border Firewall architecture: This is represented by a single host
interconnecting the (trusted) internal network and some untrusted network (e.g.:
Internet). In this configuration, the single host provides all firewall functions. An
example of such architecture is shown in Figure 5-11.
Figure 5-11: Basic Border Firewall architecture.
ALT TAG: Fig. 5-11. Diagram of a Basic Border Firewall architecture, showing a
firewall sitting between the Internet (left side) and a private network (right side),
with the role to filter the traffic originated from the Internet and destined to the
private network.
Basic Border Firewall with Untrustworthy Architecture: In this configuration,
a host with limited trust is added to the basic border architecture. The host is
minimally configured and carefully managed to be as secure as possible. The
firewall is configured to require incoming and outgoing traffic to go through the
untrustworthy host. The host is referred to as untrustworthy because it cannot be
protected by the firewall. An example of such architecture is shown in the figure
below:
Figure 5-12: Basic Border Firewall with Untrustworthy architecture.
ALT TAG: Fig. 5-12. Diagram of a Basic Border Firewall with Untrustworthy
architecture, showing an outer firewall sitting between the Internet (left side) and
a private network (right side). Traffic originating from the Internet passes through
the untrustworthy host (left side) before reaching the outer firewall, whose role is
to filter that traffic before passing it to the private network.
Basic Firewall with DMZ Network Architecture: In a DMZ network, the
untrusted host is brought "inside" the firewall, but placed on a network by itself
(the firewall host then interconnects three networks). This type of architecture
increases the security, reliability, and availability of the untrusted host, but it does
not increase the level of trust that other "inside" hosts can afford it. Other
untrustworthy hosts designed for other purposes (for example, a public web site or
FTP server) can easily be placed on the DMZ network, creating a public services
network. An example of such architecture is shown in Figure 5-13.
Figure 5-13: Basic Firewall with DMZ network architecture.
ALT TAG: Fig. 5-13. Diagram of a Basic Firewall with DMZ network architecture,
showing a firewall sitting between the Internet (left side) and a private network
(right side), with the untrustworthy host on a separate DMZ network attached to a
third interface of the firewall. Traffic originating from the Internet is filtered by
the firewall and, where it is addressed to the untrustworthy host, delivered to the
DMZ network rather than to the private network.
Dual Firewall with DMZ Network Architecture: The internal network is further
isolated from the untrustworthy network by adding a second firewall host. By
connecting the untrustworthy network to one firewall host, the internal network to
the other firewall host, and the DMZ in between, the traffic between the internal
network and the Internet must traverse two firewalls and the DMZ. The peripheral
network is a suitable location for non-sensitive hosts that should be accessible to
the outside world, like Web servers. An example of such architecture is shown in
Figure 5-14.
Figure 5-14: Dual Firewall with DMZ network architecture.
ALT TAG: Fig. 5-14. Diagram of a Dual Firewall with DMZ network architecture,
showing an outer firewall and an inner firewall sitting between the Internet (left
side) and a private network (right side). Traffic originating from the Internet
passes the outer firewall's filtering and is subject to a second level of filtering by
the inner firewall (middle) before reaching the private network; the untrustworthy
host sits on the DMZ network between the two firewalls.
Web application firewalls (WAF)
Network firewalls do not understand HTTP: they see addresses, ports and
connection state, not requests, so an attack carried inside a legitimately
established HTTP connection passes straight through them. Hence the need for a
WAF. WAF functionality includes:
• Full support for HTTP in terms of:
o Access to individual fields (field content, length, field count, etc).
o Entire transaction (both request and response).
o Uploaded files.
• Anti-evasion features (also known as normalisation, canonicalization, or
transformation features).
• Blocking features for: transaction, connection, IP address, session, user,
honeypot redirection, TCP/IP resets (connection), blocking via external
device.
• Detection:
o Using signatures, i.e. simple text strings or regular expression
patterns matched against the input data. This is not very flexible.
o Using rules that combine multiple operators, logical expressions, and
customized variables. This is flexible.
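The following is an added example, not code from the original notes: it shows what the anti-evasion (normalisation) feature is for and how a rule differs from a signature. The same injection payload is presented URL-encoded, double-encoded, mixed-case and padded with inline comments; a signature matched against the raw field misses all but the plain form, whereas rules evaluated over the canonicalised value catch each one. Field names, payloads and the rule set are assumptions made for this example, not those of any particular WAF product.

```python
"""WAF anti-evasion (normalisation) and detection, an added illustration that is
not part of the original text.

Shows why a WAF must canonicalise a field before matching: the same SQL
injection payload can be URL-encoded, double-encoded, mixed-case or padded
with inline comments, and a plain signature on the raw bytes sees none of
these. It also contrasts a signature (a fixed string) with a rule (a pattern
over the decoded value, or a length operator). Field names, payloads and
rules are assumptions for this example, not those of any particular WAF.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

# Signatures: fixed strings matched (case-insensitively) against the raw field.
SIGNATURES = ["union select", "' or 1=1", "../"]

# Rules: predicates over the normalised value and the raw length.
RULES: List[Tuple[str, Callable[[str, int], bool]]] = [
    ("sqli-union", lambda v, n: re.search(r"\bunion\b.*\bselect\b", v) is not None),
    ("sqli-tautology", lambda v, n: re.search(r"'\s*or\s+\S+\s*=\s*\S+", v) is not None),
    ("path-traversal", lambda v, n: "../" in v or "..\\" in v),
    ("oversized-field", lambda v, n: n > 256),
]


def normalise(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded, so nested %25 encodings cannot loop forever),
    fold case, turn inline SQL comments into whitespace, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = value.lower()
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip()


def signature_hits(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Naive engine: match signatures against the raw (undecoded) field values."""
    hits: Dict[str, List[str]] = {}
    for name, raw in fields.items():
        found = [s for s in SIGNATURES if s in raw.lower()]
        if found:
            hits[name] = found
    return hits


def rule_hits(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """WAF engine: normalise first, then evaluate every rule on the canonical value."""
    hits: Dict[str, List[str]] = {}
    for name, raw in fields.items():
        canonical = normalise(raw)
        fired = [rule for rule, pred in RULES if pred(canonical, len(raw))]
        if fired:
            hits[name] = fired
    return hits


# Constructed request fields: the same attack in several encodings, plus benign text.
SAMPLES = {
    "plain":      {"id": "1 UNION SELECT user,pass FROM users"},
    "urlencoded": {"id": "1%20UNION%20SELECT%20user%2Cpass%20FROM%20users"},
    "double":     {"id": "1%2520UnIoN%2520SeLeCt%2520user%2Cpass"},
    "comments":   {"id": "1'/**/OR/**/1=1--"},
    "traversal":  {"file": "..%2F..%2F..%2Fetc%2Fpasswd"},
    "benign":     {"q": "select a reunion venue"},
    "lookalike":  {"q": "union station select seating"},   # false positive for the word rule
}


if __name__ == "__main__":
    for label, fields in SAMPLES.items():
        print(f"{label:<11} signatures={signature_hits(fields)}  rules={rule_hits(fields)}")
```

Two caveats the output makes visible. The decode loop must be bounded, otherwise a field such as %2525... keeps the WAF busy indefinitely. And the "lookalike" field shows the other side of the flexibility remark above: a word-level pattern fires on ordinary English, which is why production rules add context (which field, what type of value, how many operators agree) before blocking.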
WAF deployment: Three deployment options are possible: a network-level device,
a reverse proxy, or a WAF embedded in the Web server.
Network-level devices are of two types, passive and in-line. A passive network
device does not affect performance, is easy to add, and is not a bottleneck or
point of failure; on the other hand it has limited prevention options (it can only
react to traffic it has already seen, e.g. by resetting the connection) and it must
hold copies of the SSL/TLS private keys to inspect encrypted traffic. An in-line
network device is likewise easy to add and must likewise hold copies of the
SSL/TLS keys, but it may be a bottleneck or point of failure.
Reverse proxy: this type of WAF deployment is a potential bottleneck or point of
failure. It requires changes to the network (unless it is a transparent reverse
proxy). It must terminate SSL/TLS, which can be a problem if the application
needs access to the client certificate data. On the other hand, it forms a
separate architecture and security layer.
Embedded WAF: this type of WAF deployment is easy to add (and usually much
cheaper). It is not a bottleneck or point of failure, but it consumes the Web
server's own resources.
Summary
This module has described different firewall technologies and architectures.
Several characteristics differentiating these technologies and architectures were
also highlighted.
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Cryptography Project by Aelsayed & Kyasser.pdf

2

Edge networks must be protected from the rest of the Internet. To do so, firewalls can be used. This helps enforce some aspects of the security policy. The reasons for using firewall technology include, but are not limited to, the following:

• Encryption cannot stop malicious packets from getting into an edge network.
• Authentication can determine whether an incoming IP packet comes from a trusted user. However, not all host computers have the resources to run authentication algorithms.
• Host computers are managed by different users with different skill levels.

However, it should be emphasized that the rules that govern the firewall define what to do with some of the traffic, not all of it. Firewalls cannot protect against attacks originating from inside the firewall itself, and there are attacks that a firewall alone cannot prevent, i.e. firewalls alone are not a solution to the problem of securing a network. In an organization that has implemented firewalls, it is critical to inform and educate the users to view security as a vital part of their computer use.

A firewall can be characterized as:
• A gateway between a trusted network and a less trusted one.
• An enforcer of security policy.
• A system designed to:
  o Control external access to company data and resources (ingress).
  o Control internal access to Internet systems and services (egress).
  o Provide a security and monitoring choke point.

An example of firewall architecture is depicted in Figure 5-1.

Figure 5-1: Example of firewall architecture (Wang, 2009)
ALT TAG: Fig 5-1. Diagram showing an example firewall architecture made of two blocks. The external network (left side) and the internal network composed of
four computers (right side) are two entities separated physically by a firewall, whose goal is to filter the traffic coming from the external network and destined to the internal network.

Functionality and Implementation:

Typical tasks of a firewall consist of:
• Access control based on sender or receiver addresses.
• Access control based on the service requested.
• Hiding the internal network (e.g. topology, addresses, traffic, etc.).
• Virus checking on incoming files and email filtering.
• Authentication based on the source of traffic.
• Logging of Internet activities.

Developing or selecting a firewall requires identifying the security requirements and defining a security policy accordingly. To do so, one needs to:
• Understand the assets to be protected and the threats to those assets.
• Understand the user requirements.
• Understand the available resources: operating system, network infrastructures and protocols.
• Design access policies and rules.

Firewall categories

Filtering routers

Packet inspection can take place at any of the seven Open Systems Interconnection (OSI) reference layers (described in Module 2), as shown in Figure 5-2.
4

Figure 5-2: The OSI reference layers
ALT TAG: Fig 5-2. Diagram showing the 7 layers of the OSI reference model.

However, it is commonly implemented at the application layer, at the network layer, or at the transport layer.
• Application layer: the inspection is implemented by application layer firewalls, also called application gateways or proxy servers (also called proxies).
• Network layer: the inspection is implemented by network layer firewalls, also called filtering routers or screening routers.
• Transport layer: the inspection is implemented by transport layer firewalls, also called circuit gateways.

Filtering routers:
• Perform ingress (incoming) and egress (outgoing) filtering on packets.
• Only inspect IP and TCP/UDP headers, not the payloads.
• Can perform either stateless or stateful filtering. Stateless filtering is easy to implement but very simple; stateful filtering, on the other hand, is harder to implement but more powerful.

Before routing a packet, a filtering router filters the received packet based on its headers and the Access Control List (ACL) associated with the physical interface the packet came through. Each ACL entry specifies the values for particular packet header fields as well as the action to be taken if the received packet matches these values.
5

Access Control List (ACL):

An ACL entry for filtering is based on the IP and transport protocol (e.g. UDP, TCP) headers. The following fields are used:
• Source IP address.
• Destination IP address.
• Protocol type (e.g. TCP, UDP or ICMP).
• Source port.
• Destination port.
• ACK bit (TCP header).

Rules are checked from top to bottom and the first matching rule is applied. If no rule matches, the packet is blocked by default.

Sample rules:
• Source address: stops packets arriving from the Internet that supposedly originate from an internal source address.
• Destination address: for instance, limits the incoming traffic to the bastion host only.
• Protocol: allows, for instance, FTP and blocks Telnet based on destination port numbers.
• Connection: distinguishes, for instance, the packets that arrive in connection with an internal FTP request from those that belong to a connection from the Internet. This is achieved using stateful inspection.

Example of filtering router: protecting against spoofing of internal IP addresses

Many network services base their authentication on the source IP address of the host requesting the service. A filtering router can be used in this case to prevent spoofed IP packets that claim to originate from the local network from crossing the borders of the local network. An example is depicted in Figure 5-3.
6

Figure 5-3: Example of filtering router.
ALT TAG: Fig. 5-3. Diagram showing an example of a filtering router sitting between a local network (left side) and the Internet (right side), with the goal of filtering the traffic originating from the Internet and destined to the local network.

Security policy: filter out all packets coming through an external interface whose source IP address belongs to the local network.

The ACL for port #1 in Figure 5-3 is shown in Table 5-1.

Table 5-1: ACL for port #1 in Figure 5-3.
ALT TAG: Table 5-1. Table displaying the ACL for port #1 in Figure 5-3, made of the port's entry number, source and destination IP addresses and masks, and recommended action.

Entry number   Source IP address/Mask   Destination IP address/Mask   Action
(1)            220.0.0.0/255.0.0.0      any                           block
(2)            any                      any                           pass

Advantages of filtering routers:
• Reliability: a filtering router is easy to implement, which means that it is much less likely that exploitable bugs exist in the firewall code.
• Performance: the same simplicity means that the rule sets tend to be less complex, and better communication performance can be achieved.
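The ACL evaluation described above (first matching rule wins, no match blocks), applied to Table 5-1 and to a constructed egress ACL, as an added example written for this page rather than code from the chapter. The interface names "port1" and "port2", the second ACL and the sample packets are assumptions.

```python
# Added example, not code from the chapter: a first-match packet filter that
# applies a per-interface ACL in the style of Table 5-1. Interface names, the
# second ACL and all sample packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a filtering router looks at; payloads are never read."""
    iface: str                    # physical interface the packet came through
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None
    ack: bool = False             # TCP ACK bit (always False for UDP/ICMP)


@dataclass(frozen=True)
class Rule:
    """One ACL entry: values to match, plus the action if the packet matches."""
    action: str                   # "pass" or "block"
    src: str = "any"              # address/mask, e.g. "220.0.0.0/255.0.0.0"
    dst: str = "any"
    proto: str = "any"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    ack: Optional[bool] = None    # None means the ACK bit is not examined

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.ack is not None and self.ack != pkt.ack:
            return False
        return True


# ACLs keyed by interface. "port1" reproduces Table 5-1 (external interface):
# entry (1) blocks packets that claim a source inside the local 220.0.0.0/8
# network, entry (2) passes everything else. "port2" is a constructed egress
# ACL on the internal interface that permits FTP control (21), DNS (53) and
# HTTP (80) only; Telnet (23) is not listed, so it falls to the default block.
ACLS: Dict[str, List[Rule]] = {
    "port1": [
        Rule("block", src="220.0.0.0/255.0.0.0"),
        Rule("pass"),
    ],
    "port2": [
        Rule("pass", proto="tcp", dport=21),
        Rule("pass", proto="udp", dport=53),
        Rule("pass", proto="tcp", dport=80),
    ],
}


def filter_packet(pkt: Packet, acls: Dict[str, List[Rule]] = ACLS) -> str:
    """Return "pass" or "block": rules are checked top to bottom, first match wins."""
    for rule in acls.get(pkt.iface, []):
        if rule.matches(pkt):
            return rule.action
    return "block"          # default deny, as the slide states


if __name__ == "__main__":
    samples = [
        Packet("port1", "220.1.2.3", "220.0.0.7", "tcp", 40000, 25),    # spoofed internal source
        Packet("port1", "203.0.113.5", "220.0.0.7", "tcp", 40000, 25),  # genuine external host
        Packet("port2", "220.0.0.7", "203.0.113.5", "tcp", 1030, 21),   # outbound FTP
        Packet("port2", "220.0.0.7", "203.0.113.5", "tcp", 1031, 23),   # outbound Telnet
        Packet("port3", "220.0.0.7", "203.0.113.5", "icmp"),            # interface with no ACL
    ]
    for p in samples:
        print(p.iface, p.src, "->", p.dst, p.proto, p.dport, filter_packet(p))
```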
7

• Cost: a filtering router can be implemented on relatively inexpensive hardware, meaning that simple, cheap boxes can do packet filtering for very large numbers of user connections.

Limitations of filtering routers:
• Exposure of network topology information: it is important to hide knowledge of the local network from outsiders. Such knowledge can help in compromising the network.
• It is not possible to completely filter TCP packets which aren't valid, or are not part of an active connection.
• It is not possible to fully filter UDP connections to ensure that they are part of a valid conversation. Hence, one is left with the choice of either completely blocking UDP transactions, or accepting that packets which should not be allowed through may traverse the firewall.

Stateful inspection:

Packet filtering is restricted to making its filtering decisions based only on the header information of each individual packet, without considering any prior packets. Stateful inspection filtering allows both complex combinations of payload (message content) and the context established by prior packets to influence filtering decisions. Stateful inspection:
• Takes the basic principles of packet filtering and adds the concept of history, so that the firewall considers packets in the context of previous packets. For example, it records in an internal table when it sees a TCP SYN packet, and will only allow TCP packets that match an existing conversation to be forwarded to the network.
• Keeps track of connection states between internal and external hosts.
• Only accepts/rejects packets based on the connection state.

As with packet filtering, stateful inspection is implemented as an "add-on" to routing, so the host on which the stateful inspection function is executed must also act as a router.

Limitations of stateful inspection:
• The implementation is necessarily more complex and therefore more likely to be buggy.
• It also requires a device with more memory and a more powerful CPU for a given traffic load, since information has to be stored about each and every traffic flow seen over a period of time.
8

Example of stateful inspection:

Linux IPTables is a powerful tool that enables implementing firewall functionality in the Linux operating system. It incorporates a packet-selection mechanism and a mechanism for applying actions to the selected packets. The selection and filtering of packets are carried out based on their IP source and destination addresses or other packet features. There is a wide variety of actions that can be applied to packets, called TARGETS in IPTables terminology. These are captured in Table 5-2 and Table 5-3.

Table 5-2: Examples of IPTables rules.
ALT TAG: Table 5-2. Table displaying five IPTables rules.
9

Table 5-3: Additional IPTables rules.
ALT TAG: Table 5-3. Table displaying two additional IPTables rules.

In Table 5-3, the first rule logs a message for every DNS query from host 192.168.0.10 to the DNS server 192.168.12.10. The second rule has an ACCEPT TARGET, allowing the packet to continue its journey.

Connection tracking:

IPTables provides stateful inspection, referred to as connection tracking in IPTables terminology. This allows IPTables to know the state of the connection for each packet that gets processed. The connection tracking states used in building the rules are shown in Table 5-4.

Table 5-4: Connection tracking states.
10

ALT TAG: Table 5-4. Table displaying the connection tracking states used in building the rules.

An example of a connection state table is shown in Table 5-5.

Client address   Client port   Server address   Server port   Connection state   Protocol
219.22.101.32    1030          129.63.24.84     25            established        TCP
219.22.101.54    1034          129.63.24.84     161           established        UDP
210.99.201.14    2001          129.63.24.87     80            established        TCP
24.102.129.21    3389          129.63.24.87     110           established        TCP

Table 5-5: An example of connection state table. [Isaac Woungang Copyright 2012]
ALT TAG: Table 5-5. A table showing the state of connection (in this case "established") between a series of five clients and a given server, both identified by their addresses, the port numbers that they used to connect to the server, and the protocol that is followed (TCP or UDP).

Circuit gateways

Circuit gateways operate at the transport layer. Their purpose is to examine the IP addresses and port numbers in TCP/UDP headers to determine if a connection is allowed. Usually, they are combined with a packet filter to form a dynamic packet filter. Typically, a circuit gateway is meant to:
• Relay a TCP connection between an internal and an external host.
• Disallow direct connections between the external and the internal networks.
• Maintain a table of valid connections and check incoming packets against that table.

Its basic structure is depicted in Figure 5-4.
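The stateful inspection described on slide 7 and the connection tracking of Tables 5-4 and 5-5, as an added example that is not code from the chapter: a small inspector that records a TCP SYN, forwards only packets matching an existing conversation, and reports its table in the layout of Table 5-5. The internal network 129.63.24.0/24, the list of externally reachable server ports and the packets are assumptions; the state names NEW, ESTABLISHED and INVALID are the ones iptables connection tracking uses.

```python
# Added example, not code from the chapter: a toy stateful inspector that keeps
# a connection table like Table 5-5 and classifies packets with the iptables
# connection-tracking states NEW, ESTABLISHED and INVALID. The internal network,
# the externally reachable server ports and the packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    syn: bool = False    # TCP flags; ignored for UDP
    ack: bool = False


# (proto, client address, client port, server address, server port)
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Packet filtering plus history: each packet is judged by the conversation it belongs to."""

    def __init__(self, internal_net: str, open_server_ports: Dict[str, List[int]]):
        self.internal = ip_network(internal_net)
        self.open_server_ports = open_server_ports   # proto -> ports outsiders may connect to
        self.table: Dict[FlowKey, str] = {}          # flow -> "syn_sent" or "established"

    def _lookup(self, pkt: Packet) -> Tuple[Optional[FlowKey], str]:
        fwd: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, "original"
        if rev in self.table:
            return rev, "reply"
        return None, ""

    def classify(self, pkt: Packet) -> str:
        """State of the packet relative to the connection table."""
        found, _ = self._lookup(pkt)
        if found is not None:
            return "ESTABLISHED"
        # A TCP conversation can only start with a bare SYN; any other TCP packet
        # without a table entry cannot belong to a conversation we have seen.
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "INVALID"
        return "NEW"

    def _new_allowed(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) in self.internal:
            return True                               # internal hosts may open connections out
        return pkt.dport in self.open_server_ports.get(pkt.proto, [])

    def process(self, pkt: Packet) -> str:
        """Return "ACCEPT" or "DROP" and update the connection table."""
        state = self.classify(pkt)
        if state == "INVALID":
            return "DROP"
        if state == "NEW":
            if not self._new_allowed(pkt):
                return "DROP"
            new_key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            # UDP has no handshake: the first datagram is treated as establishing the flow.
            self.table[new_key] = "syn_sent" if pkt.proto == "tcp" else "established"
            return "ACCEPT"
        found, direction = self._lookup(pkt)
        if found is not None and pkt.proto == "tcp" and direction == "reply" and pkt.syn and pkt.ack:
            self.table[found] = "established"         # the server answered the SYN
        return "ACCEPT"                               # teardown and timeouts are omitted here

    def state_table(self) -> List[Dict[str, object]]:
        """Rows in the layout of Table 5-5."""
        return [
            {"client": c, "client_port": cp, "server": s, "server_port": sp,
             "state": st, "protocol": proto.upper()}
            for (proto, c, cp, s, sp), st in self.table.items()
        ]


if __name__ == "__main__":
    fw = StatefulFilter("129.63.24.0/24", {"tcp": [25, 80, 110], "udp": [161]})
    # The SMTP conversation of the first row of Table 5-5: SYN, SYN/ACK, ACK.
    fw.process(Packet("219.22.101.32", 1030, "129.63.24.84", 25, "tcp", syn=True))
    fw.process(Packet("129.63.24.84", 25, "219.22.101.32", 1030, "tcp", syn=True, ack=True))
    fw.process(Packet("219.22.101.32", 1030, "129.63.24.84", 25, "tcp", ack=True))
    # A stray ACK with no prior SYN matches no conversation and is dropped.
    print(fw.process(Packet("219.22.101.99", 4444, "129.63.24.84", 25, "tcp", ack=True)))
    for row in fw.state_table():
        print(row)
```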
11

Figure 5-4: Basic architecture of a circuit gateway (Wang, 2009)
ALT TAG: Fig 5-4. Diagram showing the basic architecture of a circuit gateway, Chapter 7, pp. 256-257. The client host in an internal network made of a circuit gateway and other hosts (right side) sends a service request to the client host in the external network (left side) via the server host in the internal network. The latter responds by exchanging a few messages with this server host, and eventually sends back the response to the server host, which will undergo a filtering process by the circuit gateway before reaching the client host in the internal network.

Proxy servers

A proxy server prevents the direct connection between a host on an untrusted network (such as the Internet) and a host on a trusted network (such as a corporate virtual private network).
• The direct connection is broken into two connections, with the proxy mediating between the two hosts.
• The function of the proxy consists of protecting the internal network by hiding information and restricting access to users' information and services.
12

An example of proxy server deployment is depicted in Figure 5-5.

Figure 5-5: Example of proxy server deployment
ALT TAG: Fig 5-5. Diagram showing the deployment of a proxy server. The external or untrusted network (left side) and the internal (or trusted) network (right side) are two entities separated physically by a proxy server, whose goal is to filter the traffic coming from the untrusted network and destined to the trusted network.

Basic functionalities of a proxy program include:
• Accepting client sessions and appearing to them as a server.
• Receiving from the client software the name of the actual server.
• Contacting the actual server and appearing to it as a client.
• Relaying all the data from the client to the server.
• Performing access control and enforcement functions by checking, and accepting or rejecting, the incoming and outgoing connections.
• Performing deep packet inspection on all packets, i.e.:
  – Inspecting the application program formats.
  – Applying the rules based on the payload.
  – Having the ability to detect malicious and suspicious packets.

Specific functionalities of a proxy may include:
• Hiding the information about the internal network and user identities by exposing a specific service.
13

• Protecting a particular service or protocol.
• Providing an application-level extension of stateful packet filtering by:
  o Supporting the scanning of packet payloads.
  o Dropping the packets that do not match the expected connection state or data type for the protocol.

Although more expensive, application proxies are, in some ways, inherently more secure than packet filtering routers. An example of an application proxy is shown in Figure 5-6.

Figure 5-6: Example of application proxy (Wang, 2009).
ALT TAG: Fig 5-6. Diagram showing an example of application proxy, Chapter 7, page 258. The external client (left side) and the internal network made of one server and two computers (right side) are two entities separated physically by an internal packet filtering router, an application gateway, and an external router (placed in series), whose goal is to filter the traffic originating from the external client and destined to any of the two clients in the internal network.

Application gateways are placed between the external and the internal networks. As such, they are exposed to attacks from the external network. Therefore, they need strong security protections in terms of a trusted operating system, i.e. an operating system that meets a particular set of security requirements, and bastion hosts, i.e. systems with strong defensive mechanisms.

Firewall configurations

Single-Homed Bastion System (SHBS)
14

Bastion hosts are systems with strong defensive mechanisms. Typically, they serve as host computers for implementing gateways, circuit gateways, and other types of firewalls. They are designed to operate on a trusted operating system. As such, they must not have any unnecessary functionality, and they must keep the system simple to reduce error probabilities.

A Single-Homed Bastion System (SHBS) consists of a packet-filtering router and a bastion host. The router connects the internal network to the external one. The bastion host resides inside the internal network. The packet filtering firewall inspects each egress packet and blocks it if its source address is not the IP address of the bastion host. If the packet filtering router is compromised, the attacker can modify the ACLs and bypass the bastion host. An example of SHBS is depicted in Figure 5-7.

Figure 5-7: Example of Single-Homed Bastion System (SHBS) (Wang, 2009).
ALT TAG: Fig 5-7. Diagram showing an example of Single-Homed Bastion System (SHBS), Chapter 7, page 262. The external network (left side) is separated physically from the internal network made of three clients and a series of server computers and devices (right side) by a SHBS (made of a packet-filtering router and a SHBS host). The role of the SHBS is to filter the incoming traffic from the external network that is destined to any of the two clients or servers in the internal network.

Screened subnets:

In the SHBS architecture of the above figure, when the SHBS network is paired with a second packet filtering router for the internal network, the area between the two packet filtering routers is called a screened subnet. A screened subnet hides the internal network structure from external hosts.
15

Dual-Homed Bastion System (DHBS)

The Dual-Homed Bastion System (DHBS) includes:
• Two zones in the internal network:
  – The inner zone, where hosts are unreachable from the external network.
  – The outer zone, where hosts may be reached from the Internet.
• Hosts in the inner zone are protected by both the bastion host and the packet filtering router.
• Servers in the outer zone are protected by the packet filtering router.

The DHBS prevents access to the internal network even if the packet filtering router is compromised. An example of such a system is illustrated in Figure 5-8.

Figure 5-8: Example of Dual-Homed Bastion System (DHBS) (Wang, 2009).
ALT TAG: Fig 5-8. Diagram showing an example of Dual-Homed Bastion System (DHBS), Chapter 7, page 263. The external network (left side) is separated physically from the internal network made of three clients and a series of server computers and devices (right side) by a DHBS (made of a packet-filtering router and a DHBS host). The role of the DHBS is to filter the incoming traffic from the external network that is destined to any of the two clients or servers in the internal network.

Demilitarized zone (DMZ)

A DMZ is a subnet lying between two firewalls in an internal network: the internal firewall and the external one. The external firewall protects the DMZ from
external threats, whereas the internal firewall protects the internal network from the DMZ. In general, DMZs can be implemented in a hierarchical structure. An example of DMZ is shown in Figure 5-9.

Figure 5-9: Example of Demilitarized zone (DMZ) architecture (Wang, 2009).
ALT TAG: Fig 5-9. Diagram showing an example of Demilitarized zone (DMZ) architecture, Chapter 7, page 264. The Internet (external network, left side) is separated physically from the internal network made of two client computers (right side) by a DMZ (made of a packet-filtering router, four servers (Web/SMTP/Proxy), and two packet filters). The DMZ protects the internal network by filtering the Internet traffic destined to it.

Network Address Translation (NAT)

Network address translation (NAT) is a pragmatic solution to the issue of IP address limitations. IP addresses are a somewhat limited resource, and have to be unique across the globe (IPv4 is limited to only 2^32 addresses). Hence, they are assigned hierarchically by a central authority and passed down in blocks to service providers, who then make them available to their customers. Many organizations and Internet Service Providers (ISPs) choose to allocate a single global IP address to the customer, who then installs a NAT device at the end of the connection and uses self-allocated private addresses on their internal network.
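The outgoing-packet note-taking, source rewrite and reply lookup that the NAT slides below describe, as an added example that is not code from the chapter, implemented as the PAT variant that also remaps the source port so that several private hosts can share one public address. The public address 203.0.113.1, the private hosts, the port pool and the packets are assumptions.

```python
# Added example, not code from the chapter: a PAT-style NAT gateway that records
# each outgoing flow, rewrites the source to its single public address and a
# gateway-chosen port, and maps replies back to the private originator.
# The public address, private hosts, port pool and packets are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Outbound key: (proto, private source, private port, server, server port)
OutKey = Tuple[str, str, int, str, int]
# Inbound key: (proto, public port, server, server port)
InKey = Tuple[str, int, str, int]


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 10000, last_port: int = 60000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out: Dict[OutKey, int] = {}                  # outgoing flow -> public port
        self.back: Dict[InKey, Tuple[str, int]] = {}      # reply key -> (private src, port)

    def _allocate_port(self) -> int:
        """Hand out the next unused public port; the pool is finite."""
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Note the private originator, then rewrite the source address and port."""
        key: OutKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            pub_port = self._allocate_port()
            self.out[key] = pub_port
            self.back[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Look the reply up in the table and restore the private destination; None if unsolicited."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.back.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None            # no inside host asked for this, so there is nothing to forward to
        private_ip, private_port = entry
        return replace(pkt, dst=private_ip, dport=private_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1")
    # Two private hosts happen to use the same source port; PAT keeps them apart.
    a = gw.outbound(Packet("192.168.0.10", 1030, "198.51.100.7", 80))
    b = gw.outbound(Packet("192.168.0.11", 1030, "198.51.100.7", 80))
    print(a, b)
    print(gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b.sport)))
    print(gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 10002)))   # unsolicited -> None
```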
NAT divides the IP addresses into public and private (non-routable) groups. Many private IP addresses can connect to the Internet through a few public IP addresses. The NAT gateway works by modifying the address part of all packets on the way through, as shown in Figure 5-10.

Figure 5-10: Example of Network Address Translation (NAT) gateway deployment.
ALT TAG: Fig 5-10. Diagram showing an example of Network Address Translation (NAT) gateway deployment. The address of the packets originating from the host IP is passed through the Internet (right side) and forwarded to the NAT gateway (middle), which modifies it and passes it to the local (internal) network, from which it is then passed to the host IP (right side).

Outgoing packet: The NAT gateway makes a note of the (internal, private) source address of the packet, as well as the destination server address and port number. It then overwrites the source IP address with its own single global Internet address and sends it on towards the Internet. The remote server receives the packet with the NAT gateway's address as the originator, and directs its replies to this address.

Reply packet: When the reply packet arrives back at the NAT gateway, it looks up the address and port number in its table, works out what the (internal) address of the real originator was, substitutes this into the destination address, and forwards it on through the internal network.

Dynamic NAT: this dynamically assigns a small number of public IPs to a large number of private IPs.

Port Address Translation (PAT) is a variant of NAT that:
– Allows one or more private networks to share a single public IP.
– Is commonly used for homes and small businesses.
– Works by remapping the source and destination addresses and ports of packets.

Basic firewall architectures

Typical firewall architectures include the Basic Border Firewall architecture, the Basic Border Firewall with Untrustworthy Architecture, the Basic Firewall with DMZ Network Architecture, and the Dual Firewall with DMZ Network Architecture.

Basic Border Firewall architecture: This is represented by a single host interconnecting the (trusted) internal network and some untrusted network (e.g. the Internet). In this configuration, the single host provides all firewall functions. An example of such an architecture is shown in Figure 5-11.

Figure 5-11: Basic Border Firewall architecture.
ALT TAG: Fig. 5-11. Diagram of a Basic Border Firewall architecture, showing a firewall sitting between the Internet (left side) and a private network (right side), with the role of filtering the traffic originating from the Internet and destined to the private network.

Basic Border Firewall with Untrustworthy Architecture: In this configuration, a host with limited trust is added to the basic border architecture. The host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the
untrustworthy host. The host is referred to as untrustworthy because it cannot be protected by the firewall. An example of such an architecture is shown in the figure below.

Figure 5-12: Basic Border Firewall with Untrustworthy architecture. [Isaac Woungang Copyright 2012]
ALT TAG: Fig. 5-12. Diagram of a Basic Border Firewall with Untrustworthy architecture, showing an outer firewall sitting between the Internet (left side) and a private network (right side). The traffic originating from the Internet is passed along to an untrustworthy host (left side) before reaching the outer firewall, whose role is to filter that traffic before passing it to the private network.

Basic Firewall with DMZ Network Architecture: In a DMZ network, the untrusted host is brought “inside” the firewall, but placed on a network by itself (the firewall host then interconnects three networks). This type of architecture increases the security, reliability, and availability of the untrusted host, but it does not increase the level of trust that other “inside” hosts can afford it. Other untrustworthy hosts designed for other purposes (for example, a public web site or FTP server) can easily be placed on the DMZ network, creating a public services network. An example of such an architecture is shown in Figure 5-13.

Figure 5-13: Basic Firewall with DMZ network architecture.
ALT TAG: Fig. 5-13. Diagram of a Basic Firewall with DMZ network architecture, showing an outer firewall sitting between the Internet (left side) and a private network (right side). The traffic originating from the Internet is passed along to an untrustworthy host (placed on the DMZ network) before reaching the private network, after a filtering process by the DMZ network itself.

Dual Firewall with DMZ Network Architecture: The internal network is further isolated from the untrustworthy network by adding a second firewall host. By connecting the untrustworthy network to one firewall host, the internal network to the other firewall host, and the DMZ in between, the traffic between the internal network and the Internet must traverse two firewalls and the DMZ. The peripheral network is a suitable location for non-sensitive hosts that should be accessible to the outside world, like Web servers. An example of such an architecture is shown in Figure 5-14.
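As an added example (not code from the original module or from the figures' source), the following Python model evaluates sample flows against the Dual Firewall with DMZ architecture just described: the outer firewall sits between the Internet and the DMZ, the inner one between the DMZ and the internal network, and a flow between the internal network and the Internet has to pass both. It also shows what the second firewall buys: a host in the DMZ that has been compromised is stopped at the inner firewall even though it already sits behind the outer one. The zone prefixes, addresses, rule sets and sample flows are all constructed for illustration.

```python
"""Added example (not from the original module): rule evaluation for the
Dual Firewall with DMZ architecture.  Zones, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: the internal network and the DMZ are known prefixes;
# anything else is treated as the untrusted Internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
ORDER = {"internet": 0, "dmz": 1, "internal": 2}   # position along the path


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "any" matches every zone
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dports: Tuple[int, ...]  # empty tuple = any port
    action: str              # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ("any", zone_of(f.src))
                and self.dst_zone in ("any", zone_of(f.dst))
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


class Firewall:
    """First-match rule list with an implicit final deny."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name, self.rules = name, rules

    def decide(self, f: Flow) -> str:
        return next((r.action for r in self.rules if r.matches(f)), "deny")


# Outer firewall: faces the Internet and only publishes the DMZ web service.
OUTER = Firewall("outer", [
    Rule("internet", "dmz", "tcp", (80, 443), "allow"),
    Rule("dmz", "internet", "tcp", (25, 53, 443), "allow"),  # mail, DNS, updates out
    Rule("internal", "internet", "any", (), "allow"),         # outbound browsing
    # no rule admits Internet -> internal, so that falls to the implicit deny
])

# Inner firewall: faces the internal network and treats the DMZ as untrusted.
INNER = Firewall("inner", [
    Rule("internal", "dmz", "tcp", (443,), "allow"),
    Rule("internal", "internet", "any", (), "allow"),
    Rule("dmz", "internal", "any", (), "deny"),  # a compromised DMZ host gets no further
])


def firewalls_on_path(f: Flow) -> List[Firewall]:
    """Outer sits between Internet and DMZ, inner between DMZ and internal,
    so an internal <-> Internet flow crosses both, listed in path order."""
    s, d = ORDER[zone_of(f.src)], ORDER[zone_of(f.dst)]
    lo, hi = sorted((s, d))
    crossed = [OUTER, INNER][lo:hi]
    return crossed if s < d else crossed[::-1]


def evaluate(f: Flow) -> Tuple[str, Optional[str]]:
    """('allow', None) or ('deny', <name of the firewall that blocked it>)."""
    for fw in firewalls_on_path(f):
        if fw.decide(f) == "deny":
            return "deny", fw.name
    return "allow", None


SAMPLE_FLOWS = {   # constructed: 198.51.100.0/24 plays the Internet side
    "internet_to_dmz_web": Flow("198.51.100.7", "192.0.2.10", "tcp", 443),
    "internet_to_internal_smb": Flow("198.51.100.7", "10.0.5.20", "tcp", 445),
    "dmz_to_internal_db": Flow("192.0.2.10", "10.0.5.30", "tcp", 5432),
    "internal_to_internet_https": Flow("10.0.5.20", "198.51.100.7", "tcp", 443),
    "internal_to_dmz_ssh": Flow("10.0.5.20", "192.0.2.10", "tcp", 22),
}


def demo() -> dict:
    return {name: evaluate(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, blocker) in demo().items():
        print(f"{name:28} {action}" + (f" by {blocker}" if blocker else ""))
```

The model judges only the direction in which a flow is initiated; a real stateful firewall also admits the return packets of a flow it has allowed, which is why the inner rule set can deny everything the DMZ initiates towards the internal network without breaking the internal clients' own connections to the DMZ.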
Figure 5-14: Dual Firewall with DMZ network architecture.
ALT TAG: Fig. 5-14. Diagram of a Dual Firewall with DMZ network architecture, showing an outer firewall and an inner firewall sitting between the Internet (left side) and a private network (right side). The traffic originating from the Internet has passed the outer firewall's filtering, but is subject to a second level of filtering by the inner firewall (middle) before reaching the private network, since an untrustworthy host sits in between the two firewalls.

Web application firewalls (WAF)

Network firewalls do not understand HTTP application content, hence the need for a WAF. The WAF functionality includes:
• Full support for HTTP in terms of:
  o Access to individual fields (field content, length, field count, etc.).
  o The entire transaction (both request and response).
  o Uploaded files.
• Anti-evasion features (also known as normalisation, canonicalization, or transformation features).
• Blocking features for: transaction, connection, IP address, session, user, honeypot redirection, TCP/IP resets (connection), and blocking via an external device.
• Detection:
  o Using signatures, such as simple text strings or regular expression patterns matched against the input data. This is not very flexible.
  o Using rules, such as multiple operators, logical expressions, and customized variables. This is flexible.

WAF deployment: Three deployment options are possible, namely using a network-level device, a reverse proxy, or embedding the WAF in a Web server.

Network-level devices are of two types: network passive and network in-line. A network passive device has the following characteristics: it does not affect performance; it is easy to add; it is not a bottleneck or point of failure; it has limited prevention options; and it must have copies of the SSL keys. On the other hand, a network in-line device has the following characteristics: it may be a potential bottleneck or point of failure; it is easy to add; and it must have copies of the SSL keys.

Reverse proxy: This type of WAF deployment is a potential bottleneck or point of failure. It requires changes to the network (unless it is a transparent reverse proxy). It must terminate the SSL connection (in fact, this can be a problem if the application needs to access the client certificate data). Finally, it forms a separate architecture/security layer.

Embedded WAF: This type of WAF deployment is easy to add (and usually much cheaper). It is not a bottleneck or point of failure, and it uses the Web server's resources.

Summary

This module has described different firewall technologies and architectures. Several characteristics differentiating these technologies and architectures were also highlighted.
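The following Python toy WAF is an added example, not code from the original module. It illustrates the two detection styles listed in the WAF section above (flat signatures matched against each input field, versus rules that combine several transaction variables with logical operators) and why the anti-evasion step has to run first: the same signature that catches a plain script tag misses it when the field is percent-encoded, unless the field is canonicalised before matching. Request fields, signatures, the management prefix, the rules and the sample requests are all constructed for illustration; the example covers request inspection only, not the response side or uploaded files that the module also lists.

```python
"""Added example (not from the original module): a toy WAF contrasting
signature and rule detection, with normalisation run first.  All requests,
signatures, rules and the management prefix are constructed."""
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    args: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def normalise(value: str) -> str:
    """Anti-evasion: percent-decode until the value stops changing (so double
    encoding cannot hide a pattern), collapse whitespace and fold case."""
    prev = None
    while prev != value:
        prev, value = value, urllib.parse.unquote(value)
    return re.sub(r"\s+", " ", value).lower()


def fields(req: Request) -> Dict[str, str]:
    """Every individual input field the WAF can inspect."""
    out = {"path": req.path, "body": req.body}
    out.update({f"arg:{k}": v for k, v in req.args.items()})
    out.update({f"hdr:{k}": v for k, v in req.headers.items()})
    return out


# Signature detection: a flat pattern applied to each field in isolation.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("xss-script-tag", re.compile(r"<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

MGMT_PREFIX = "10.0.9."   # constructed: administrators connect from this prefix

# Rule detection: logical expressions over several transaction variables
# (path, headers, client address, field lengths) that one pattern cannot express.
RULES: List[Tuple[str, Callable[[Request], bool]]] = [
    ("admin-without-session",
     lambda r: r.path.lower().startswith("/admin")
     and "session=" not in r.headers.get("cookie", "")
     and not r.client_ip.startswith(MGMT_PREFIX)),
    ("oversized-argument",
     lambda r: any(len(v) > 512 for v in r.args.values())),
]


def inspect(req: Request, normalise_first: bool = True) -> List[str]:
    """Names of the signatures and rules that fire for this request."""
    hits = set()
    for value in fields(req).values():
        text = normalise(value) if normalise_first else value
        hits.update(name for name, pat in SIGNATURES if pat.search(text))
    hits.update(name for name, pred in RULES if pred(req))
    return sorted(hits)


SAMPLE_REQUESTS = {   # constructed traffic, mostly from a non-management address
    "encoded_script": Request("198.51.100.9", "GET", "/search",
                              args={"q": "%3Cscript%3Ex%3C%2Fscript%3E"}),
    "double_encoded_traversal": Request("198.51.100.9", "GET",
                                        "/files/..%252f..%252fapp.conf"),
    "admin_no_session": Request("198.51.100.9", "GET", "/admin/users"),
    "admin_from_mgmt": Request("10.0.9.4", "GET", "/admin/users",
                               headers={"cookie": "session=constructed"}),
    "huge_argument": Request("198.51.100.9", "POST", "/login",
                             args={"user": "a" * 600}),
    "clean": Request("198.51.100.9", "GET", "/index.html",
                     headers={"user-agent": "constructed/1.0"}),
}


def demo() -> Dict[str, List[str]]:
    results = {name: inspect(req) for name, req in SAMPLE_REQUESTS.items()}
    # The same signatures without the normalisation step miss the encoded input.
    results["encoded_script_unnormalised"] = inspect(
        SAMPLE_REQUESTS["encoded_script"], normalise_first=False)
    return results


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:30} {hits or 'no hits'}")
```

The decode loop in normalise is the part worth studying: a single decoding pass turns the doubly encoded path into a still-encoded one that no signature matches, so canonicalisation has to repeat until the value is stable. The rule entries show what signatures cannot express on their own, such as combining the path, the presence of a session cookie and the client address into one decision.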