Uploaded byahmeddeath6
45 views

Cryptography Project by Aelsayed & Kyasser.pdf

The document discusses firewall technologies and architectures. It begins by explaining the need for firewalls to protect internal networks from external threats. It then describes various firewall types including filtering routers, which inspect IP and TCP/UDP headers; stateful inspection, which tracks connection states; circuit gateways, which operate at the transport layer; and proxy servers, which break direct connections and mediate traffic. It provides examples of how each type of firewall works and their advantages and limitations. It also covers firewall configurations like the single-homed bastion system.

Embed presentation

Download to read offline
1 Chapter 6: Firewall Systems Introduction Due to the rapid growth of interest in the Internet and the widespread availability of penetration testing tools, techniques, and methods discussed previously, the network security has become a major concern for organizations worldwide. Attacks on computer networks within an organization can be originated from outside the organization (these are termed as external attacks) or within the organization itself (these are internal attacks). A firewall is a generic name to designate any security system protecting the boundary of an internal network against external threats from the Internet. This module will describe various firewall technologies and architectures, with focus on external attacks. The need for firewall When connecting their private network to the Internet to seek for external useful information or for information sharing purpose, organizations are at the same time exposing their private networks to potential attacks from outsiders, for instance, probing attacks, DoS attacks, IP spoofing, probing attacks, DoS attacks, application layer attacks (such as Trojan horses), to name a few. Questions that may arise include: (1) How to protect confidential information from those entities who do not explicitly need to access it? (2) How to protect the private network and its resources from malicious users and accidents that originate outside of your network? The functionality requirement of an organization’s computer network is dictated by its business goals and security policy. The level of security that is established within the organization determines how effective the above mentioned attacks can be addressed and the above questions resolved.
2 Edge networks must be protected from the rest of the Internet. To do so, firewalls can be used. This helps enforcing some aspects of the security policy. The reasons for using firewall technology include, but are not limited to the following: • Encryption cannot stop malicious packets from getting into an edge network. • Authentication can determine whether an incoming IP packet comes from a trusted user. However, not all host computers have resources to run authentication algorithms. • Host computers are managed by different users with different skill levels. However, it should be emphasized that the rules that govern the firewall define what to do with some of the traffic, not all the traffic. Firewalls cannot protect against attacks originated from inside the firewall itself, and there are attacks that a firewall alone cannot prevent, i.e. firewalls alone are not a solution to the problem of securing a network. In an organization that has implemented firewalls, it is critical to inform and educate the users to view security as vital part of their computer use. A Firewall can be characterized as: • A gateway between a trusted network and a less trusted one. • An enforcer of security policy. • A system designed to: o Control external access to company data and resources (ingress). o Control internal access to Internet systems and services (egress). o Provide a security and monitoring choke point. An example of firewall architecture is depicted in Figure 5-1. Figure 5-1: Example of firewall architecture (Wang, 2009) ALT TAG: Fig 5-1. Diagram showing an example firewall architecture made of two blocks. The external network (left side) and the internal network composed of
3 four computers (right side) are two entities separated physically by a firewall, whose goal is filter the traffic coming from the external network and destined to the internal network. Functionality and Implementation: Typical tasks of a firewall consist of: • Access control based on sender or receiver addresses. • Access control based on the service requested. • Hiding the internal network (e.g.: topology, addresses, traffic, etc.) • Virus checking on incoming files and emails filtering. • Authentication based on the source of traffic. • Logging of Internet activities. Developing or selecting a firewall requires identifying the security requirements and defining accordingly a security policy. To do so, one needs to: • Understand the assets to be protected and the threats to those assets. • Understand the user requirements. • Understand the available resources: operating system, network infrastructures and protocols. • Design access policies and rules. Firewall categories Filtering routers Packet inspection can take place at any of the seven Open System Interconnection (OSI) reference layer (described in Module 2) as shown in Figure 5-2.
4 Figure 5-2: The OSI reference layers ALT TAG: Fig 6-2. Diagram showing the 7 layers of the OSI reference model. However, it is commonly implemented at the application layer, at the network layer, or at the transport layer. • Application layer: the inspection is implemented by application layer firewalls, also called application gateways proxy servers (also called proxies). • Network layer: the inspection is implemented by network layer firewalls, also called filtering routers or screening routers. • Transport layer: the inspection is implemented by transport layer firewalls, also called circuit gateways. Filtering routers: • Perform ingress (incoming) and egress (outgoing) filtering on packets. • Only inspect IP and TCP/UDP headers, not the payloads. • Can perform either stateless or stateful filtering. Stateless filtering is easy to implement but very simple. On the other hand, stateful filtering: harder to implement but more powerful. Before routing a packet, filtering routers perform a filtering of the received packets based on the headers and Access Control List (ACL) associated with the physical interface the packet came through. Each ACL entry specifies the values for particular packet header fields as well as the action to be taken if the received packet matches these values.
5 Access Control List (ACL): An ACL entry for filtering is based on IP and transport protocols (e.g.: UDP, TCP) headers. The following fields are used: • Source IP addres • Destination IP address. • Protocol type (e.g. TCP, UDP or ICMP protocol). • Source port. • Destination port • ACK. bit (TCP header). Rules are checked from top to bottom and the first rule found is applied. If no rules match, the packet is blocked by default. Sample rules: • Source address: stops the packets arriving from the Internet supposedly originating from an internal source address. • Destination address: for instance, limits the incoming traffic only to the bastion host. • Protocol: allows for instance FTP and block Telnet based on destination port numbers. • Connection: distinguishes for instance the packets that arrive in connection to an internal FTP request from those that belong to a connection from the Internet. These are achieved using stateful inspection. Example of filtering router: Protecting against spoofing of internal IP addresses Many network services base their authentication on the source IP address of the host requesting the service. Filtering Router can be used in this case to prevent spoofed IP packets that claim to be originating from the local network to cross the borders of the local network. An example is depicted in Figure 5-3.
6 Figure 5-3: example of filtering router. ALT TAG: Fig. 5-3. Diagram showing an example of a filtering router sitting between a local network (left side) and the Internet (right side), with the goal to filter the traffic originated from the Internet and destined to the local network. Security Policy: Filter out all packets coming through an external interface and whose source IP address belongs to the local network. The ACL for port #1 in Figure 5-3 is shown in Table 5-1. Table 5-1: ACL for port #1 in Figure 5-3. ALT TAG: Table 5-1. Table displaying the ACL for port #1 in Figure 5-3, made of port’s entry number, source and destination IP addresses and masks, and recommended action. Advantages of Filtering Routers: • Reliability: a filtering router is easy to implement, which means that it is much more unlikely that exploitable bugs exist in the firewall code. • Performance: The same simplicity means that the rule sets tend to be less complex, and better communication performance can be achieved. Entry number Source IP address/Mask Destination IP address/Mask A (1) 220.0.0.0/255.0.0.0 any (2) any any p
7 • Cost: a filtering router can be implemented on relatively inexpensive hardware, meaning that simple, cheap boxes can do packet filtering for very large numbers of user connections. Limitations of Filtering Routers: • Exposure of network topology information: it is important to hide knowledge of the local network to outsiders. Such knowledge can help compromising the network. • It is not possible to completely filter TCP packets which aren't valid, or are not part of an active connection. • It is not possible to fully filter UDP connections to ensure that they are part of a valid conversation. Hence, one is left with the choice of either completely blocking UDP transactions, or accepting that packets may traverse the firewall which should not be allowed through. Stateful inspection: Packet filtering is restricted to making its filtering decisions based only on the header information on each individual packet without considering any prior packets. Stateful inspection filtering allows both complex combinations of payload (message content) and context established by prior packets to influence filtering decisions. For a stateful inspection: • Take the basic principles of packet filtering and adds the concept of history, so that the firewall considers the packets in the context of previous packets. For example, it records when it sees a TCP SYN packet in an internal table, and will only allow TCP packets that match an existing conversation to be forwarded to the network. • Keep track of connection states between internal and external hosts. • only accept/reject based packets on the connection state. As with packet filtering, stateful inspection is implemented as an “add-on” to routing, so the host on which the stateful inspection function is executed must also act as a router. Limitations of stateful inspection: • The implementation is necessarily more complex and therefore more likely to be buggy. • It also requires a device with more memory and a more powerful CPU for a given traffic load since information has to be stored about each and every traffic flow seen over a period of time.
8 Example of stateful inspection: Linux IP Tables are a powerful tool that enables implementing firewall functionality in the Linux operating system. They incorporate a packet-selection mechanism and a mechanism for applying actions to these selected packets. The selection and filtering of packets are carried out based on their IP source and destination address or other packet features. There is a wide variety of actions that can be applied to packets, called TARGETS in IPTables terminology. These are captured in the Table 5-2 and Table 5-3. Table 5-2: Examples of IPTables rules. ALT TAG: Table 5-2. Table displaying five IPTables rules.
9 Table 5-3: Additional IPTables rules. ALT TAG: Table 5-3. Table displaying two additional IPTables rules. In Table 5-3, the first rule logs a message for every DNS query from host 192.168.0.10 to the DNS server 192.168.12.10. The second rule has a ACCEPT TARGET,allowing the packet to continue its journey. Connection Tracking: IPTables provides stateful inspection referred to as connection tracking in the IPTables terminology. This allows IPTables to know the state of a connection for each packet that get processed. The connection tracking states used in building the rules are shown in Table 5-4. Table 5-4: Connection tracking states.
10 ALT TAG: Table 5-4. Table displaying the connection tracking states used in building the rules. An example of connection state table is shown in Table 5-5. Client address 219.22.101. 32 219.22.101. 54 210.99.201. 14 24.102.129. 21 Client port 1030 1034 2001 3389 Server address 129.63.24.8 4 129.63.24.8 4 129.63.24.8 7 129.63.24.8 7 Server port 25 161 80 110 Connectio n state established established established established Protocol TCP UDP TCP TCP Table 5-5: An example of connection state table. [Isaac Woungang Copyright 2012] ALT TAG: Table 5-5. A table showing the state of connection (in this case “established”) between a series of five clients and a given server, both identified by their addresses, port numbers that they used to connect to the server, and protocols that is followed (TCP or UDP). Circuit gateways Circuit gateways operate at the transport layer. Their purpose is to examine information of IP addresses and port numbers in TCP/UDP headers to determine if a connection is allowed. Usually, they are combined with a packet filter to form a dynamic packet filter. Typically, a circuit gateway is meant to: • Relay a TCP connection between an internal and external host. • Disallow the direct connection between the external and the internal networks. • Maintain a table for valid connection and check incoming packet against that table. Its basic structure is depicted in Figure 5-4.
11 Figure 5-4: Basic architecture of a circuit gateway (Wang, 2009) ALT TAG: Fig 5-4. Diagram showing the basic architecture of a circuit gateway, Chapter 7, pp. 256-257. The client host in an internal network made of a circuit gateway and other hosts (right side) sends a service request to the client host in the external network (left side) via the server host in the internal network. The later responds by exchanging few messages with this server host, eventually sends back the response to the server host, which will undergo a filtering process by the circuit gateway before reaching the client host in the internal network. Proxy servers A proxy server prevents the direct connection between a host on an untrusted network (such as Internet) and a host on a trusted network 9such as corporate virtual private networks). • The direct connection is broken in two connections with the proxy mediating between the two hosts. • The function of the proxy consists of protecting the internal network by hiding information and restricting the access to users’ information and services.
12 An example of proxy server deployment is depicted in Figure 5-5. Figure 5-5: Example of proxy server deployment ALT TAG: Fig 5-5. Diagram showing the deployment of a proxy server. The external or untrusted network (left side) and the internal (or trusted) network (right side) are two entities separated physically by a proxy server, whose goal is filter the traffic coming from the untrusted network and destined to the trusted network. Basic functionalities of a proxy program include: • Accepting the client sessions and appearing to them as a server. • Receiving from the client software the name of the actual server. • Contacting the actual server and appearing to it as a client. • Relaying all the data from the client to a server. • Performing access control and enforcement functions by checking, and accepting or rejecting the incoming and outgoing connections. • Performing deep packet inspection on all packets, i.e. – Inspecting the application program formats. – Applying the rules based on the payload. – Having the ability to detect malicious and suspicious packets. Specific functionalities of a proxy may include: • Hiding the information about the internal network and user identities by exposing a specific service.
13 • Protecting a particular service or protocol. • Providing application-level extension of stateful packet filtering by: o Supporting the scanning packet payloads. o Dropping the packets that do not match the expected connection state or data type for protocol. Although more expensive, application proxies are, in some ways, inherently more secure than packet filtering routers. An example of application proxy is shown in Figure 5-6. Figure 5-6: Example of application proxy (Wang, 2009). ALT TAG: Fig 5-6. Diagram showing an example of application proxy, Chapter 7, page 258 . The external client (left side) and the internal network made of one server and two computers (right side) are two entities separated physically by an internal packet filtering router, an application gateway, and an external router (placed in series), whose goal are to filter the traffic originated from the external client and destined to any of the two clients in the internal network. Application gateways are placed between the external and the internal networks. As such, they are exposed to attacks from the external network. Therefore, they need to have strong security protections in terms of trusted operating system i.e. operating systems that meets a particular set of security requirements, and Bastion hosts, i.e. systems with strong defensive mechanisms. Firewall configurations Single-Homed Bastion System (SHBS)
14 Bastion hosts are systems with strong defensive mechanisms. Typically, they serve as hosts computers for implementing gateways, circuit gateways, and other types of firewalls. They are designed to operate on a trusted operating systems. As such, they must not have any unnecessary functionality, and must they must keep the system simple to reduce error probabilities. A Single-Homed Bastion System (SHBS) consists of a packet-filtering router and a bastion host. The router connects the internal network to the external one. The Bastion host resides inside the internal network. The packet filtering firewall inspects each egress and blocks it if its source address is not the IP address of the bastion host. If the packet filtering router is compromised, the attacker can modify the ACLs and bypass the bastion host. An example of SHBS is depicted in Figure 5-7 Figure 5-7: Example of Single-Homed Bastion System (SHBS) (Wang, 2009). ALT TAG: Fig 5-7. Diagram showing an example of Single-Homed Bastion System (SHBS), Chapter 7, page 262 . The external network (left side) is separated physically from the internal network made of three clients and a series of server computers and devices (right side) by a SHBS (made of a packet- filtering router and a SHBS host). The role of the SHBS is to filter the incoming traffic from the external network that is destined to any of the two clients or servers in the internal network. Screened Subnets: In the above figure of a SHBH architecture, when a SHBH network paired with a second packet filtering router for the internal network, the area between the two packet filtering routers is called a screened subnet. A screened subnet hides the internal network structure from external hosts.
15 Dual-Homed Bastion System (DHBS) The Dual-home Bastion system (DHBS) includes: • Two zones in the internal network: – The inner zone – where hosts are unreachable from the external network. – The outer zone – where hosts may be reached from the Internet. • Hosts in the inner zone are protected by both the Bastion host and the packet filtering router. • Servers in the outer zone protected by the packet filtering router. The DHBS prevents access to the internal network even if the packet filtering router is compromised. An example of such system is illustrated in Figure 5-8. Figure 5-8: Example of Dual-Homed Bastion System (DHBS) (Wang, 2009). ALT TAG: Fig 5-8. Diagram showing an example of Dual-Homed Bastion System (DHBS), Chapter 7, page 263 . The external network (left side) is separated physically from the internal network made of three clients and a series of server computers and devices (right side) by a DHBS (made of a packet-filtering router and a DHBS host). The role of the DHBS is to filter the incoming traffic from the external network that is destined to any of the two clients or servers in the internal network. Demilitarized zone (DMZ) A DMZ is a subnet lying between two firewalls in an internal network: the internal firewall and the external one. The external firewall protects the DMZ from
16 external threats whereas the internal firewall protects the internal network from DMZ. In general, DMZs can be implemented in a hierarchal structure. An example of DMZ is shown in Figure 5-9. Figure 5-9: Example of Delimitarized zone (DZM) architecture (Wang, 2009). ALT TAG: Fig 5-9. Diagram showing an example of Delimitarized zone (DZM) architecture (DMZ), Chapter 7, page 264 . The Internet (External network in left side) is separated physically from the internal network made of two clients computers (right side) by a DMZ (made of a packet-filtering router, four servers (Web/SMTP/Proxy), and two packet filters). The DMZ protects the Internal network by filtering the Internet traffic destined to it. Network Address Translation (NAT) A network address translation (NAT) is a pragmatic solution to the issue of IP address limitations. IP addresses are a somewhat limited resource, and have to be unique across the globe (IPv4 is limited to only 232 addresses). Hence, they are assigned hierarchically by a central authority and passed down in blocks to service providers, who then make them available to their customers. Many organizations and Internet Service Providers (ISPs) choose to allocate a single global IP address to the customer, who then installs a NAT device at the end of the connection and uses self-allocated private addresses on their internal network.
17 NAT divides the IP addresses into public and private (non-routable) groups. Many private IP addresses can connect to the Internet through a few public IP addresses. The NAT gateway works by modifying the address part of all packets on the way through as shown in Figure 5-10. Figure 5-10: Example of Network Address Translation (NAT) gateway deployment. ALT TAG: Fig 5-10. Diagram showing an example of Network Address Translation (NAT) gateway deployment. The address of the packets originated from the Host IP is passed through the Internet (right side) and forwarded to the NAT gateway (middle), which modifies it and passes it to the local (Internal) network, which is then passed to the host IP (right side). Outgoing packet: The NAT gateway makes a note of the (internal, private) source address of the packet, as well as the destination server address and port number. It then overwrites the source IP address with its own single global Internet address and sends it on towards the Internet. The remote server receives the packet with the NAT gateway's address as the originator, and directs its replies at this address. Reply packet: When the reply packet arrives back at the NAT gateway, it looks up the address and port number in its table, works out what the (internal) address of the real originator was, substitutes this into the destination address and forwards on through the internal network. Dynamic NAT: this dynamically assigns a small number of public IPs to a large number of private IPs. Port Address Translation (PAT) is a variant of NAT that:
18 – Allows one or more private networks to share a single public IP. – Is commonly used for homes and small businesses. – Works by remapping the source and destination addresses and ports of packets. Basic firewall architectures Typical firewall architectures include the Basic Border Firewall architecture, the Basic Border Firewall with Untrustworthy Architecture, the Basic Firewall with DMZ Network Architecture, and the Dual Firewall with DMZ Network Architecture. Basic Border Firewall architecture: This is represented by a single host interconnecting the (trusted) internal network and some untrusted network (e.g.: Internet). In this configuration, the single host provides all firewall functions. An example of such architecture is shown in Figure 5-11. Figure 5-11: Basic Border Firewall architecture. ALT TAG: Fig. 5-11. Diagram of a Basic Border Firewall architecture, showing a firewall sitting between the Internet (left side) and a private network (right side), with the role to filter the traffic originated from the Internet and destined to the private network. Basic Border Firewall with Untrustworthy Architecture: In this configuration, a host with limited trust is added to the basic border architecture. The host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the
19 untrustworthy host. The host is referred to as untrustworthy because it cannot be protected by the firewall. An example of such architecture is shown in the figure below: Figure 5-12: Basic Border Firewall with Untrustworthy architecture. [Isaac Woungang Copyright 2012] ALT TAG: Fig. 5-12. Diagram of a Basic Border Firewall with Untrustworthy architecture, showing an outer firewall sitting between the Internet (left side) and a private network (right side). The traffic originated from the Internet is passed along to an untrustworthy host (left side), before reaching the outer firewall, whose role is to filter that traffic before passing it to the private network. Basic Firewall with DMZ Network Architecture: In a DMZ network, the untrusted host is brought “inside” the firewall, but placed on a network by itself (the firewall host then interconnects three networks). This type of architecture increases the security, reliability, and availability of the untrusted host, but it does not increase the level of trust that other “inside” hosts can afford it. Other untrustworthy hosts designed for other purpose (for example, a public web site or ftp server) can easily be placed on the DMZ network, creating a public services network. An example of such architecture is shown in Figure 5.13.
20 Figure 5-13: Basic Firewall with DMZ network architecture. ALT TAG: Fig. 5-13. Diagram of a Basic Firewall with DMZ network architecture, showing an outer firewall sitting between the Internet (left side) and a private network (right side). The traffic originated from the Internet is passed along to an untrustworthy host (that has infiltrated the DMZ network), before reaching the private network, after a filtering process by the DMZ network itself. Dual Firewall with DMZ Network Architecture: The internal network is further isolated from the untrustworthy network by adding a second firewall host. By connecting the untrustworthy network to one firewall host, the internal network to the other firewall host, and the DMZ in between, the traffic between the internal network and the Internet must traverse two firewalls and the DMZ. The peripheral network is a suitable location for non-sensitive hosts that should be accessible to the outside world, like Web servers. An example of such architecture is shown in Figure 5-14.
21 Figure 5-14: Dual Firewall with DMZ network architecture. ALT TAG: Fig. 5-14. Diagram of a Dual Firewall with DMZ network architecture, showing an outer firewall and an inner firewall sitting between the Internet (left side) and a private network (right side). The traffic originated from the Internet has passed the outer firewall filtering, but is subject to a second level filtering by the inner firewall (middle) before reaching the private network since an untrustworthy host has infiltrated himself in between the two firewalls. Web application firewalls (WAF) Network firewalls do not work for HTTP, thus the need for WAF. The WAF functionality includes: • Full support for HTTP in terms of: o Access to individual fields (field content, length, field count, etc). o Entire transaction (both request and response). o Uploaded files. • Anti-evasion features (also known as normalisation, or canonicalization, or transformation features). • Blocking features for: transaction, connection, IP address, session, user, honeypot redirection, TCP/IP resets (connection), blocking via external device. • Detection:
22 o Using signatures such as simple text strings or regular expression patterns matched against the input data. This is not very flexible. o Using rules such as multiple operators, logical expressions, and customized variables. This is flexible. WAF deployment: Three deployment options are possible, namely, using network-level device, reverse proxy, or embedded the WAF in a Web server. Network-level device are of two types: network passive and network in-line. Network passive has the following characteristics: it does not affect performance; it is easy to add; it is not a bottleneck or point of failure; it has limited prevention options, and it must have copies of SSL keys. On the other hand, network in-line has the following characteristics: it may be a potential bottleneck or point of failure; it is easy to add, and it must have copies of SSL keys. Reverse proxy: This type of WAF deployment has a potential bottleneck or point of failure. It requires changes to the network (unless it is a transparent reverse proxy). It must terminate the SSL (in fact, this can be a problem if the application needs to access the client certificate data). Finally, it has a separate architecture/security layer. Embedded WAF: This type of WAF deployment is easy to add (and usually much cheaper). It is not a bottleneck or point of failure, and it uses the Web server resources. Summary This module has described different firewall technologies and architectures. Several characteristics differentiating these technologies and architectures were also highlighted.

More Related Content

PPTX
Firewalls and packet filters
byMOHIT AGARWAL
 
PDF
UNIT 4 Firewalls Information Security Sharad Institute
bySatishPise4
 
PPTX
firewall firewall firewall firewall firewall firewall firewall firewall
byNagaraja465570
 
PPT
Firewalls (6)
byBhargu Bhargavi
 
PPT
Introduction to Firewalls and functions.ppt
bydalton6070
 
PPT
firewalls.ppt
byRaj Kumar
 
PPTX
Information Security (Firewall)
byZara Nawaz
 
PPTX
Firewall
bySaurabh Chauhan
 
Firewalls and packet filters
byMOHIT AGARWAL
 
UNIT 4 Firewalls Information Security Sharad Institute
bySatishPise4
 
firewall firewall firewall firewall firewall firewall firewall firewall
byNagaraja465570
 
Firewalls (6)
byBhargu Bhargavi
 
Introduction to Firewalls and functions.ppt
bydalton6070
 
firewalls.ppt
byRaj Kumar
 
Information Security (Firewall)
byZara Nawaz
 
Firewall
bySaurabh Chauhan
 

Similar to Cryptography Project by Aelsayed & Kyasser.pdf

PPTX
Firewalls by Puneet Bawa
byPuneet Bawa
 
PPT
Network security
byVikas Jagtap
 
PPTX
CSS (KNC-301) 4. Packet Filtering Firewall By Vivek Tripathi.pptx
byVivekTripathi684438
 
PDF
BAIT1103 Chapter 8
bylimsh
 
PDF
firewallproject-230706055059-f9b27eff (1).pdf
byheckerthakor
 
PDF
Network Security_Dr Shivashankar_Module 5.pdf
byDr. Shivashankar
 
PPT
Tech 101: Understanding Firewalls
byLikan Patra
 
PPTX
9780840024220 ppt ch04
byKristin Harrison
 
PPTX
Firewall and Types of firewall
byCoder Tech
 
PPTX
FIREWALL
byswati463221
 
PPTX
Lecture-13-Firewall_information_Security.pptx
byhomecooking511
 
PPTX
FIREWALLS BY SAIKIRAN PANJALA
bySaikiran Panjala
 
PPTX
Firewall Design and Implementation
byajeet singh
 
PPTX
Firewall Design and Implementation
byajeet singh
 
PPT
Firewall
bylmbriscoe
 
PPT
firewall.ppt
byssuser530a07
 
PPT
firewalls.ppt
byMohanLal141254
 
PPTX
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
bySakshiSolapure1
 
PPTX
Firewalls
byvaishnavi
 
PPTX
Firewall
byShivank Shah
 
Firewalls by Puneet Bawa
byPuneet Bawa
 
Network security
byVikas Jagtap
 
CSS (KNC-301) 4. Packet Filtering Firewall By Vivek Tripathi.pptx
byVivekTripathi684438
 
BAIT1103 Chapter 8
bylimsh
 
firewallproject-230706055059-f9b27eff (1).pdf
byheckerthakor
 
Network Security_Dr Shivashankar_Module 5.pdf
byDr. Shivashankar
 
Tech 101: Understanding Firewalls
byLikan Patra
 
9780840024220 ppt ch04
byKristin Harrison
 
Firewall and Types of firewall
byCoder Tech
 
FIREWALL
byswati463221
 
Lecture-13-Firewall_information_Security.pptx
byhomecooking511
 
FIREWALLS BY SAIKIRAN PANJALA
bySaikiran Panjala
 
Firewall Design and Implementation
byajeet singh
 
Firewall Design and Implementation
byajeet singh
 
Firewall
bylmbriscoe
 
firewall.ppt
byssuser530a07
 
firewalls.ppt
byMohanLal141254
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
bySakshiSolapure1
 
Firewalls
byvaishnavi
 
Firewall
byShivank Shah
 

Recently uploaded

PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 

Cryptography Project by Aelsayed & Kyasser.pdf

  • 1.
    1 Chapter 6: Firewall Systems Introduction Dueto the rapid growth of interest in the Internet and the widespread availability of penetration testing tools, techniques, and methods discussed previously, the network security has become a major concern for organizations worldwide. Attacks on computer networks within an organization can be originated from outside the organization (these are termed as external attacks) or within the organization itself (these are internal attacks). A firewall is a generic name to designate any security system protecting the boundary of an internal network against external threats from the Internet. This module will describe various firewall technologies and architectures, with focus on external attacks. The need for firewall When connecting their private network to the Internet to seek for external useful information or for information sharing purpose, organizations are at the same time exposing their private networks to potential attacks from outsiders, for instance, probing attacks, DoS attacks, IP spoofing, probing attacks, DoS attacks, application layer attacks (such as Trojan horses), to name a few. Questions that may arise include: (1) How to protect confidential information from those entities who do not explicitly need to access it? (2) How to protect the private network and its resources from malicious users and accidents that originate outside of your network? The functionality requirement of an organization’s computer network is dictated by its business goals and security policy. The level of security that is established within the organization determines how effective the above mentioned attacks can be addressed and the above questions resolved.
  • 2.
    2 Edge networks mustbe protected from the rest of the Internet. To do so, firewalls can be used. This helps enforcing some aspects of the security policy. The reasons for using firewall technology include, but are not limited to the following: • Encryption cannot stop malicious packets from getting into an edge network. • Authentication can determine whether an incoming IP packet comes from a trusted user. However, not all host computers have resources to run authentication algorithms. • Host computers are managed by different users with different skill levels. However, it should be emphasized that the rules that govern the firewall define what to do with some of the traffic, not all the traffic. Firewalls cannot protect against attacks originated from inside the firewall itself, and there are attacks that a firewall alone cannot prevent, i.e. firewalls alone are not a solution to the problem of securing a network. In an organization that has implemented firewalls, it is critical to inform and educate the users to view security as vital part of their computer use. A Firewall can be characterized as: • A gateway between a trusted network and a less trusted one. • An enforcer of security policy. • A system designed to: o Control external access to company data and resources (ingress). o Control internal access to Internet systems and services (egress). o Provide a security and monitoring choke point. An example of firewall architecture is depicted in Figure 5-1. Figure 5-1: Example of firewall architecture (Wang, 2009) ALT TAG: Fig 5-1. Diagram showing an example firewall architecture made of two blocks. The external network (left side) and the internal network composed of
  • 3.
    3 four computers (rightside) are two entities separated physically by a firewall, whose goal is filter the traffic coming from the external network and destined to the internal network. Functionality and Implementation: Typical tasks of a firewall consist of: • Access control based on sender or receiver addresses. • Access control based on the service requested. • Hiding the internal network (e.g.: topology, addresses, traffic, etc.) • Virus checking on incoming files and emails filtering. • Authentication based on the source of traffic. • Logging of Internet activities. Developing or selecting a firewall requires identifying the security requirements and defining accordingly a security policy. To do so, one needs to: • Understand the assets to be protected and the threats to those assets. • Understand the user requirements. • Understand the available resources: operating system, network infrastructures and protocols. • Design access policies and rules. Firewall categories Filtering routers Packet inspection can take place at any of the seven Open System Interconnection (OSI) reference layer (described in Module 2) as shown in Figure 5-2.
  • 4.
    4 Figure 5-2: TheOSI reference layers ALT TAG: Fig 6-2. Diagram showing the 7 layers of the OSI reference model. However, it is commonly implemented at the application layer, at the network layer, or at the transport layer. • Application layer: the inspection is implemented by application layer firewalls, also called application gateways proxy servers (also called proxies). • Network layer: the inspection is implemented by network layer firewalls, also called filtering routers or screening routers. • Transport layer: the inspection is implemented by transport layer firewalls, also called circuit gateways. Filtering routers: • Perform ingress (incoming) and egress (outgoing) filtering on packets. • Only inspect IP and TCP/UDP headers, not the payloads. • Can perform either stateless or stateful filtering. Stateless filtering is easy to implement but very simple. On the other hand, stateful filtering: harder to implement but more powerful. Before routing a packet, filtering routers perform a filtering of the received packets based on the headers and Access Control List (ACL) associated with the physical interface the packet came through. Each ACL entry specifies the values for particular packet header fields as well as the action to be taken if the received packet matches these values.
  • 5.
    5 Access Control List(ACL): An ACL entry for filtering is based on IP and transport protocols (e.g.: UDP, TCP) headers. The following fields are used: • Source IP addres • Destination IP address. • Protocol type (e.g. TCP, UDP or ICMP protocol). • Source port. • Destination port • ACK. bit (TCP header). Rules are checked from top to bottom and the first rule found is applied. If no rules match, the packet is blocked by default. Sample rules: • Source address: stops the packets arriving from the Internet supposedly originating from an internal source address. • Destination address: for instance, limits the incoming traffic only to the bastion host. • Protocol: allows for instance FTP and block Telnet based on destination port numbers. • Connection: distinguishes for instance the packets that arrive in connection to an internal FTP request from those that belong to a connection from the Internet. These are achieved using stateful inspection. Example of filtering router: Protecting against spoofing of internal IP addresses Many network services base their authentication on the source IP address of the host requesting the service. Filtering Router can be used in this case to prevent spoofed IP packets that claim to be originating from the local network to cross the borders of the local network. An example is depicted in Figure 5-3.
  • 6.
    6 Figure 5-3: exampleof filtering router. ALT TAG: Fig. 5-3. Diagram showing an example of a filtering router sitting between a local network (left side) and the Internet (right side), with the goal to filter the traffic originated from the Internet and destined to the local network. Security Policy: Filter out all packets coming through an external interface and whose source IP address belongs to the local network. The ACL for port #1 in Figure 5-3 is shown in Table 5-1. Table 5-1: ACL for port #1 in Figure 5-3. ALT TAG: Table 5-1. Table displaying the ACL for port #1 in Figure 5-3, made of port’s entry number, source and destination IP addresses and masks, and recommended action. Advantages of Filtering Routers: • Reliability: a filtering router is easy to implement, which means that it is much more unlikely that exploitable bugs exist in the firewall code. • Performance: The same simplicity means that the rule sets tend to be less complex, and better communication performance can be achieved. Entry number Source IP address/Mask Destination IP address/Mask A (1) 220.0.0.0/255.0.0.0 any (2) any any p
  • 7.
    7 • Cost: afiltering router can be implemented on relatively inexpensive hardware, meaning that simple, cheap boxes can do packet filtering for very large numbers of user connections. Limitations of Filtering Routers: • Exposure of network topology information: it is important to hide knowledge of the local network to outsiders. Such knowledge can help compromising the network. • It is not possible to completely filter TCP packets which aren't valid, or are not part of an active connection. • It is not possible to fully filter UDP connections to ensure that they are part of a valid conversation. Hence, one is left with the choice of either completely blocking UDP transactions, or accepting that packets may traverse the firewall which should not be allowed through. Stateful inspection: Packet filtering is restricted to making its filtering decisions based only on the header information on each individual packet without considering any prior packets. Stateful inspection filtering allows both complex combinations of payload (message content) and context established by prior packets to influence filtering decisions. For a stateful inspection: • Take the basic principles of packet filtering and adds the concept of history, so that the firewall considers the packets in the context of previous packets. For example, it records when it sees a TCP SYN packet in an internal table, and will only allow TCP packets that match an existing conversation to be forwarded to the network. • Keep track of connection states between internal and external hosts. • only accept/reject based packets on the connection state. As with packet filtering, stateful inspection is implemented as an “add-on” to routing, so the host on which the stateful inspection function is executed must also act as a router. Limitations of stateful inspection: • The implementation is necessarily more complex and therefore more likely to be buggy. • It also requires a device with more memory and a more powerful CPU for a given traffic load since information has to be stored about each and every traffic flow seen over a period of time.
  • 8.
    8 Example of statefulinspection: Linux IP Tables are a powerful tool that enables implementing firewall functionality in the Linux operating system. They incorporate a packet-selection mechanism and a mechanism for applying actions to these selected packets. The selection and filtering of packets are carried out based on their IP source and destination address or other packet features. There is a wide variety of actions that can be applied to packets, called TARGETS in IPTables terminology. These are captured in the Table 5-2 and Table 5-3. Table 5-2: Examples of IPTables rules. ALT TAG: Table 5-2. Table displaying five IPTables rules.
  • 9.
    9 Table 5-3: AdditionalIPTables rules. ALT TAG: Table 5-3. Table displaying two additional IPTables rules. In Table 5-3, the first rule logs a message for every DNS query from host 192.168.0.10 to the DNS server 192.168.12.10. The second rule has a ACCEPT TARGET,allowing the packet to continue its journey. Connection Tracking: IPTables provides stateful inspection referred to as connection tracking in the IPTables terminology. This allows IPTables to know the state of a connection for each packet that get processed. The connection tracking states used in building the rules are shown in Table 5-4. Table 5-4: Connection tracking states.
  • 10.
    10 ALT TAG: Table5-4. Table displaying the connection tracking states used in building the rules. An example of connection state table is shown in Table 5-5. Client address 219.22.101. 32 219.22.101. 54 210.99.201. 14 24.102.129. 21 Client port 1030 1034 2001 3389 Server address 129.63.24.8 4 129.63.24.8 4 129.63.24.8 7 129.63.24.8 7 Server port 25 161 80 110 Connectio n state established established established established Protocol TCP UDP TCP TCP Table 5-5: An example of connection state table. [Isaac Woungang Copyright 2012] ALT TAG: Table 5-5. A table showing the state of connection (in this case “established”) between a series of five clients and a given server, both identified by their addresses, port numbers that they used to connect to the server, and protocols that is followed (TCP or UDP). Circuit gateways Circuit gateways operate at the transport layer. Their purpose is to examine information of IP addresses and port numbers in TCP/UDP headers to determine if a connection is allowed. Usually, they are combined with a packet filter to form a dynamic packet filter. Typically, a circuit gateway is meant to: • Relay a TCP connection between an internal and external host. • Disallow the direct connection between the external and the internal networks. • Maintain a table for valid connection and check incoming packet against that table. Its basic structure is depicted in Figure 5-4.
  • 11.
    11 Figure 5-4: Basicarchitecture of a circuit gateway (Wang, 2009) ALT TAG: Fig 5-4. Diagram showing the basic architecture of a circuit gateway, Chapter 7, pp. 256-257. The client host in an internal network made of a circuit gateway and other hosts (right side) sends a service request to the client host in the external network (left side) via the server host in the internal network. The later responds by exchanging few messages with this server host, eventually sends back the response to the server host, which will undergo a filtering process by the circuit gateway before reaching the client host in the internal network. Proxy servers A proxy server prevents the direct connection between a host on an untrusted network (such as Internet) and a host on a trusted network 9such as corporate virtual private networks). • The direct connection is broken in two connections with the proxy mediating between the two hosts. • The function of the proxy consists of protecting the internal network by hiding information and restricting the access to users’ information and services.
  • 12.
    12 An example ofproxy server deployment is depicted in Figure 5-5. Figure 5-5: Example of proxy server deployment ALT TAG: Fig 5-5. Diagram showing the deployment of a proxy server. The external or untrusted network (left side) and the internal (or trusted) network (right side) are two entities separated physically by a proxy server, whose goal is filter the traffic coming from the untrusted network and destined to the trusted network. Basic functionalities of a proxy program include: • Accepting the client sessions and appearing to them as a server. • Receiving from the client software the name of the actual server. • Contacting the actual server and appearing to it as a client. • Relaying all the data from the client to a server. • Performing access control and enforcement functions by checking, and accepting or rejecting the incoming and outgoing connections. • Performing deep packet inspection on all packets, i.e. – Inspecting the application program formats. – Applying the rules based on the payload. – Having the ability to detect malicious and suspicious packets. Specific functionalities of a proxy may include: • Hiding the information about the internal network and user identities by exposing a specific service.
  • 13.
    13 • Protecting aparticular service or protocol. • Providing application-level extension of stateful packet filtering by: o Supporting the scanning packet payloads. o Dropping the packets that do not match the expected connection state or data type for protocol. Although more expensive, application proxies are, in some ways, inherently more secure than packet filtering routers. An example of application proxy is shown in Figure 5-6. Figure 5-6: Example of application proxy (Wang, 2009). ALT TAG: Fig 5-6. Diagram showing an example of application proxy, Chapter 7, page 258 . The external client (left side) and the internal network made of one server and two computers (right side) are two entities separated physically by an internal packet filtering router, an application gateway, and an external router (placed in series), whose goal are to filter the traffic originated from the external client and destined to any of the two clients in the internal network. Application gateways are placed between the external and the internal networks. As such, they are exposed to attacks from the external network. Therefore, they need to have strong security protections in terms of trusted operating system i.e. operating systems that meets a particular set of security requirements, and Bastion hosts, i.e. systems with strong defensive mechanisms. Firewall configurations Single-Homed Bastion System (SHBS)
  • 14.
    14 Bastion hosts aresystems with strong defensive mechanisms. Typically, they serve as hosts computers for implementing gateways, circuit gateways, and other types of firewalls. They are designed to operate on a trusted operating systems. As such, they must not have any unnecessary functionality, and must they must keep the system simple to reduce error probabilities. A Single-Homed Bastion System (SHBS) consists of a packet-filtering router and a bastion host. The router connects the internal network to the external one. The Bastion host resides inside the internal network. The packet filtering firewall inspects each egress and blocks it if its source address is not the IP address of the bastion host. If the packet filtering router is compromised, the attacker can modify the ACLs and bypass the bastion host. An example of SHBS is depicted in Figure 5-7 Figure 5-7: Example of Single-Homed Bastion System (SHBS) (Wang, 2009). ALT TAG: Fig 5-7. Diagram showing an example of Single-Homed Bastion System (SHBS), Chapter 7, page 262 . The external network (left side) is separated physically from the internal network made of three clients and a series of server computers and devices (right side) by a SHBS (made of a packet- filtering router and a SHBS host). The role of the SHBS is to filter the incoming traffic from the external network that is destined to any of the two clients or servers in the internal network. Screened Subnets: In the above figure of a SHBH architecture, when a SHBH network paired with a second packet filtering router for the internal network, the area between the two packet filtering routers is called a screened subnet. A screened subnet hides the internal network structure from external hosts.
  • 15.
    15 Dual-Homed Bastion System(DHBS) The Dual-home Bastion system (DHBS) includes: • Two zones in the internal network: – The inner zone – where hosts are unreachable from the external network. – The outer zone – where hosts may be reached from the Internet. • Hosts in the inner zone are protected by both the Bastion host and the packet filtering router. • Servers in the outer zone protected by the packet filtering router. The DHBS prevents access to the internal network even if the packet filtering router is compromised. An example of such system is illustrated in Figure 5-8. Figure 5-8: Example of Dual-Homed Bastion System (DHBS) (Wang, 2009). ALT TAG: Fig 5-8. Diagram showing an example of Dual-Homed Bastion System (DHBS), Chapter 7, page 263 . The external network (left side) is separated physically from the internal network made of three clients and a series of server computers and devices (right side) by a DHBS (made of a packet-filtering router and a DHBS host). The role of the DHBS is to filter the incoming traffic from the external network that is destined to any of the two clients or servers in the internal network. Demilitarized zone (DMZ) A DMZ is a subnet lying between two firewalls in an internal network: the internal firewall and the external one. The external firewall protects the DMZ from
  • 16.
    16 external threats whereasthe internal firewall protects the internal network from DMZ. In general, DMZs can be implemented in a hierarchal structure. An example of DMZ is shown in Figure 5-9. Figure 5-9: Example of Delimitarized zone (DZM) architecture (Wang, 2009). ALT TAG: Fig 5-9. Diagram showing an example of Delimitarized zone (DZM) architecture (DMZ), Chapter 7, page 264 . The Internet (External network in left side) is separated physically from the internal network made of two clients computers (right side) by a DMZ (made of a packet-filtering router, four servers (Web/SMTP/Proxy), and two packet filters). The DMZ protects the Internal network by filtering the Internet traffic destined to it. Network Address Translation (NAT) A network address translation (NAT) is a pragmatic solution to the issue of IP address limitations. IP addresses are a somewhat limited resource, and have to be unique across the globe (IPv4 is limited to only 232 addresses). Hence, they are assigned hierarchically by a central authority and passed down in blocks to service providers, who then make them available to their customers. Many organizations and Internet Service Providers (ISPs) choose to allocate a single global IP address to the customer, who then installs a NAT device at the end of the connection and uses self-allocated private addresses on their internal network.
  • 17.
    17 NAT divides theIP addresses into public and private (non-routable) groups. Many private IP addresses can connect to the Internet through a few public IP addresses. The NAT gateway works by modifying the address part of all packets on the way through as shown in Figure 5-10. Figure 5-10: Example of Network Address Translation (NAT) gateway deployment. ALT TAG: Fig 5-10. Diagram showing an example of Network Address Translation (NAT) gateway deployment. The address of the packets originated from the Host IP is passed through the Internet (right side) and forwarded to the NAT gateway (middle), which modifies it and passes it to the local (Internal) network, which is then passed to the host IP (right side). Outgoing packet: The NAT gateway makes a note of the (internal, private) source address of the packet, as well as the destination server address and port number. It then overwrites the source IP address with its own single global Internet address and sends it on towards the Internet. The remote server receives the packet with the NAT gateway's address as the originator, and directs its replies at this address. Reply packet: When the reply packet arrives back at the NAT gateway, it looks up the address and port number in its table, works out what the (internal) address of the real originator was, substitutes this into the destination address and forwards on through the internal network. Dynamic NAT: this dynamically assigns a small number of public IPs to a large number of private IPs. Port Address Translation (PAT) is a variant of NAT that:
  • 18.
    18 – Allows oneor more private networks to share a single public IP. – Is commonly used for homes and small businesses. – Works by remapping the source and destination addresses and ports of packets. Basic firewall architectures Typical firewall architectures include the Basic Border Firewall architecture, the Basic Border Firewall with Untrustworthy Architecture, the Basic Firewall with DMZ Network Architecture, and the Dual Firewall with DMZ Network Architecture. Basic Border Firewall architecture: This is represented by a single host interconnecting the (trusted) internal network and some untrusted network (e.g.: Internet). In this configuration, the single host provides all firewall functions. An example of such architecture is shown in Figure 5-11. Figure 5-11: Basic Border Firewall architecture. ALT TAG: Fig. 5-11. Diagram of a Basic Border Firewall architecture, showing a firewall sitting between the Internet (left side) and a private network (right side), with the role to filter the traffic originated from the Internet and destined to the private network. Basic Border Firewall with Untrustworthy Architecture: In this configuration, a host with limited trust is added to the basic border architecture. The host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the
  • 19.
    19 untrustworthy host. Thehost is referred to as untrustworthy because it cannot be protected by the firewall. An example of such architecture is shown in the figure below: Figure 5-12: Basic Border Firewall with Untrustworthy architecture. [Isaac Woungang Copyright 2012] ALT TAG: Fig. 5-12. Diagram of a Basic Border Firewall with Untrustworthy architecture, showing an outer firewall sitting between the Internet (left side) and a private network (right side). The traffic originated from the Internet is passed along to an untrustworthy host (left side), before reaching the outer firewall, whose role is to filter that traffic before passing it to the private network. Basic Firewall with DMZ Network Architecture: In a DMZ network, the untrusted host is brought “inside” the firewall, but placed on a network by itself (the firewall host then interconnects three networks). This type of architecture increases the security, reliability, and availability of the untrusted host, but it does not increase the level of trust that other “inside” hosts can afford it. Other untrustworthy hosts designed for other purpose (for example, a public web site or ftp server) can easily be placed on the DMZ network, creating a public services network. An example of such architecture is shown in Figure 5.13.
  • 20.
    20 Figure 5-13: BasicFirewall with DMZ network architecture. ALT TAG: Fig. 5-13. Diagram of a Basic Firewall with DMZ network architecture, showing an outer firewall sitting between the Internet (left side) and a private network (right side). The traffic originated from the Internet is passed along to an untrustworthy host (that has infiltrated the DMZ network), before reaching the private network, after a filtering process by the DMZ network itself. Dual Firewall with DMZ Network Architecture: The internal network is further isolated from the untrustworthy network by adding a second firewall host. By connecting the untrustworthy network to one firewall host, the internal network to the other firewall host, and the DMZ in between, the traffic between the internal network and the Internet must traverse two firewalls and the DMZ. The peripheral network is a suitable location for non-sensitive hosts that should be accessible to the outside world, like Web servers. An example of such architecture is shown in Figure 5-14.
  • 21.
    21 Figure 5-14: DualFirewall with DMZ network architecture. ALT TAG: Fig. 5-14. Diagram of a Dual Firewall with DMZ network architecture, showing an outer firewall and an inner firewall sitting between the Internet (left side) and a private network (right side). The traffic originated from the Internet has passed the outer firewall filtering, but is subject to a second level filtering by the inner firewall (middle) before reaching the private network since an untrustworthy host has infiltrated himself in between the two firewalls. Web application firewalls (WAF) Network firewalls do not work for HTTP, thus the need for WAF. The WAF functionality includes: • Full support for HTTP in terms of: o Access to individual fields (field content, length, field count, etc). o Entire transaction (both request and response). o Uploaded files. • Anti-evasion features (also known as normalisation, or canonicalization, or transformation features). • Blocking features for: transaction, connection, IP address, session, user, honeypot redirection, TCP/IP resets (connection), blocking via external device. • Detection:
  • 22.
    22 o Using signaturessuch as simple text strings or regular expression patterns matched against the input data. This is not very flexible. o Using rules such as multiple operators, logical expressions, and customized variables. This is flexible. WAF deployment: Three deployment options are possible, namely, using network-level device, reverse proxy, or embedded the WAF in a Web server. Network-level device are of two types: network passive and network in-line. Network passive has the following characteristics: it does not affect performance; it is easy to add; it is not a bottleneck or point of failure; it has limited prevention options, and it must have copies of SSL keys. On the other hand, network in-line has the following characteristics: it may be a potential bottleneck or point of failure; it is easy to add, and it must have copies of SSL keys. Reverse proxy: This type of WAF deployment has a potential bottleneck or point of failure. It requires changes to the network (unless it is a transparent reverse proxy). It must terminate the SSL (in fact, this can be a problem if the application needs to access the client certificate data). Finally, it has a separate architecture/security layer. Embedded WAF: This type of WAF deployment is easy to add (and usually much cheaper). It is not a bottleneck or point of failure, and it uses the Web server resources. Summary This module has described different firewall technologies and architectures. Several characteristics differentiating these technologies and architectures were also highlighted.