Lecture 5 
Firewall 
A firewall is a software program or device that monitors, and sometimes controls, all 
transmissions between an organization's internal network and the Internet. However 
large the network, a firewall is typically deployed on the network's edge to prevent 
inappropriate access to data behind the firewall. 
Types of Firewall 
· Host based Firewall (on a single system, e.g. Windows Firewall) 
· Network based Firewall (for the whole network) 
Firewall could be: 
· Software based (ISA Server (Proxy), Checkpoint) 
· Hardware based (Cisco PIX, Netgear Firewall) 
Firewall Types According to Mechanism 
Firewalls can be categorized into roughly three types: 
· Packet filter (filtering according to IP, i.e. an access list) 
· Application-level proxy (e.g. ISA Server at the application level) 
· Stateful packet filtering (monitors all layers, including connection states)
Packet Filters 
A packet filtering firewall represents the first generation of firewalls. The 
most basic packet filter firewall inspects traffic based on Layer 3 parameters 
(such as source or destination IP address). Packet filtering rules determine 
the types of traffic that are permitted access or denied access based on these 
parameters. Traffic types can be defined by the following: 
· Layer 3 parameters such as source/destination IP address and IP 
protocol type (e.g., TCP, UDP, or ICMP)
A packet filtering firewall is essentially a router with access control rules configured. 
Routers are normally configured via a command line interface that is complex to 
configure, with the configuration being stored as a list of configuration commands, which 
makes it difficult to visualize and manage your security policies. Routers also typically 
do not support logging locally as they do not possess sufficient file storage space, so 
logging is required to an external system, which makes it more complex to maintain logs 
for auditing and reporting purposes. 
A packet filtering firewall only operates up to Layer 3 of the OSI model (some can 
inspect Layer 4 parameters as well). It does not understand the higher layers, 
such as the application layer (Layer 7). 
Application-Layer Gateways 
An application-layer gateway firewall is commonly referred to as a proxy-based 
firewall, because it proxies application-layer connections on behalf of other clients. 
The application-layer gateway is vastly different from a packet filtering firewall 
in approach—all access is controlled at the application layer (Layer 7 of the OSI 
model), and no client system ever communicates directly with a server system.
1. The initial connection request packet from the web client is sent to the 
application-layer gateway—in essence the client is establishing a connection 
with the application-layer gateway. 
2. The application-layer gateway accepts or rejects the connection request 
based on the security policy configured. If the connection request is permitted, 
the application-layer gateway then establishes a new connection to the web 
server on behalf of the client. 
3. The web server receives the connection request and sends back a 
connection acknowledgment to the application-layer gateway. The 
application-layer gateway sends an acknowledgment on behalf of 
the web server to the web client. 
4. The web client sends an acknowledgment packet (known as a TCP ACK) 
to the application-layer gateway, which indicates the connection setup 
is complete. The application-layer gateway sends an acknowledgment 
packet to the web server on behalf of the web client. 
5. The client starts sending data to the application-layer gateway (e.g., an 
HTTP GET request). The data is forwarded to a proxy web daemon (or service), 
which is essentially a web server running on the application layer 
gateway. Because the application-layer gateway is running a web 
server, it understands the HTTP requests from the client and can ensure 
the traffic sent from the client is proper web traffic that conforms 
to the HTTP protocol standard. Assuming the traffic from the web client 
is legitimate, the application-layer gateway then sends the data to 
the web server on behalf of the client. 
6. The web server processes the data received and responds to the data 
appropriately (in Figure 1.7, the client sends an HTTP GET request, 
and the server returns the web content associated with the URL). 
Return data is sent to the application-layer gateway, which ensures the 
traffic is legitimate. This data is then sent to the web client on behalf 
of the web server.
The application-layer gateway introduces a greater level of security than 
a packet filtering firewall, because all connections to the outside world are 
made by the application-layer gateway and the application-layer gateway 
ensures all received traffic from either client or server at the application layer 
is legitimate. With a packet filtering firewall, although the firewall may 
understand that traffic is from a particular application, it does not understand 
the application protocol and what is considered legitimate traffic. 
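As an added example (not from the lecture), the check below contrasts the two decisions just described: a Layer 3/4 filter that permits anything sent to TCP port 80, and a proxy web daemon's Layer 7 check that relays only a well-formed HTTP/1.x request. The permitted-method list, the length bound and the sample payloads are constructed assumptions.

```python
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed relay policy, not from the lecture
MAX_LINE = 8192                              # assumed bound on request-line length


def packet_filter_decision(dst_port: int) -> str:
    """A Layer 3/4 filter sees only addresses and ports: anything to TCP/80 is 'web'."""
    return "permit" if dst_port == 80 else "deny"


def gateway_decision(raw: bytes) -> str:
    """Layer 7 check by the proxy web daemon: relay only a request that is
    syntactically valid HTTP/1.x and uses a permitted method."""
    head, sep, _body = raw.partition(b"\r\n\r\n")   # headers end at the blank line
    if not sep:
        return "deny: no end of headers"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_LINE:
        return "deny: request line too long"
    try:
        request_line = lines[0].decode("ascii")
    except UnicodeDecodeError:
        return "deny: request line not ASCII"
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "deny: malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return f"deny: method {method} not permitted"
    if not (target.startswith("/") or target.startswith("http://")):
        return "deny: bad request target"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "deny: unsupported version"
    for line in lines[1:]:
        name, colon, _value = line.partition(b":")
        # header field must be 'name: value'; the name is letters, digits and hyphens
        if not colon or not name.replace(b"-", b"").isalnum():
            return "deny: malformed header"
    return "permit"


# Constructed sample inputs: a legitimate GET and a non-HTTP byte stream sent to port 80.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"NOT-HTTP-DATA\x00\x01\x02\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("NOT_HTTP", NOT_HTTP)):
        print(f"{name}: filter={packet_filter_decision(80)} gateway={gateway_decision(payload)}")
```

Both payloads arrive on port 80, so the packet filter permits both; only the gateway, which parses the request, rejects the second.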
An application-layer gateway also becomes a target for attackers because the 
gateway is directly accepting connections from the outside world. The operating 
system on the application-layer gateway must be very secure; however, 
it is still vulnerable to buffer overflow attacks and other unknown software 
bugs that might give attackers access to the gateway. If an attacker manages 
to compromise an application-layer gateway, the security of the entire network 
has been breached as the attacker now has direct access to the internal 
network. 
Stateful Inspection Technology 
So what’s the alternative to packet filtering firewalls and application-level 
gateways? Stateful inspection operates in a manner similar to a packet 
filtering firewall, except that it possesses much more sophisticated access 
control algorithms. Both stateful inspection firewalls and packet filtering 
firewalls essentially provide security by making control decisions. An example 
of a control decision is whether to accept or reject a connection. Another 
example might be to encrypt a packet. Check Point FireWall-1 uses a 
patented and innovative stateful inspection technology, which is designed 
to provide the speed and efficiency of a packet filtering firewall and the 
application state awareness and high security provided by an application-layer 
gateway. 
On a packet filtering firewall, control decisions are made purely on the 
Layer 3 and/or Layer 4 parameters of each packet received. Each packet 
is either permitted or denied, and is processed independently of any other 
packet, with no logical relationship being established between packets that 
belong to the same connection. If the parameters match an allowed traffic 
type, a control decision is made to permit the traffic. A stateful inspection 
firewall on the other hand can make control decisions based on much more 
than just the information contained within each packet received. The following 
lists the types of information on which a stateful inspection firewall can 
make control decisions:
Communication information 
Information from the Layer 3 and Layer 4 parameters of a packet (this is the only type 
of information a packet filtering firewall makes decisions on). 
Communication-derived state 
Information derived from that passed within a connection. This can include 
Layer 3/4 information (such as TCP ports, sequence numbers, and so on) through to 
Layer 7 information (such as dynamic port allocations for new connections). 
Application-derived state 
Information derived from other applications. 
For example, Check Point FireWall-1 possesses a user authentication service 
that allows users to be identified. Once a user has been successfully 
authenticated, this information can be passed to the stateful inspection 
engine, which allows access to authorized services for the users. This 
feature allows for access rules to be defined based on users or groups, 
rather than IP hosts or networks.
A stateful inspection firewall provides the speed and flexibility of a packet 
filter firewall, as well as the high security of an application-layer gateway. 
This means that you gain the best of both worlds in a single, high-performance 
platform. The following summarizes the advantages of a stateful inspection 
firewall: 
· High performance. 
· Understands both transport-layer (e.g., TCP/UDP) and application-layer 
(e.g., FTP) connections rather than just packets. 
· Understands application-layer protocols. 
· Maintains a dynamic connection table that is continuously updated 
with the state of each connection. This ensures the firewall enables the 
return traffic of allowed connections only as long as the connection is 
active, and also ensures that only legitimate traffic consistent with the 
expected state of the connection is permitted. 
· Fragment reassembly allows the firewall to reassemble fragmented 
packets and inspect them, defeating a common method used by 
attackers to bypass firewall security. 
· The underlying operating system of the firewall is protected, because the 
stateful inspection engine processes packets before they reach the TCP/IP 
stack of the operating system.
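The following is an added example, not from the lecture, of the difference between the per-packet access list described earlier and the dynamic connection table: the stateless rules must admit every inbound packet from source port 80 to let web replies back in, while the stateful engine admits a reply only while a matching outbound connection is in its table and the TCP flags fit the recorded state. Addresses, ports, the rule set and the state names are constructed for illustration.

```python
from dataclasses import dataclass

INTERNAL = "10.0.0."   # constructed: sources with this prefix are the internal network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN, "R" RST

def stateless_filter(pkt: Packet) -> bool:
    """Per-packet rules. To let web replies in, the access list must permit
    every inbound packet whose source port is 80, solicited or not."""
    if pkt.src.startswith(INTERNAL):
        return pkt.dport == 80                 # outbound web allowed
    return pkt.sport == 80                     # 'return traffic' rule

class StatefulFilter:
    """Admits inbound packets only while a matching connection is in the
    table and the flags fit the state recorded for it."""
    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}      # (src, sport, dst, dport) -> state

    def decide(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src.startswith(INTERNAL) and pkt.dport == 80 and pkt.flags == "S":
            self.table[fwd] = "SYN_SENT"       # track a new outbound connection
            return True
        if self.table.get(rev) == "SYN_SENT" and pkt.flags == "SA":
            self.table[rev] = "ESTABLISHED"    # server answered the handshake
            return True
        for key in (fwd, rev):                 # either direction of an open flow
            if self.table.get(key) == "ESTABLISHED" and pkt.flags in ("A", "F", "R"):
                if pkt.flags != "A":
                    del self.table[key]        # closed: stop admitting its traffic
                return True
        return False                           # no matching connection: drop

def run_scenario() -> tuple[bool, bool, bool]:
    """Constructed traffic: a complete web handshake from inside, then an
    unsolicited inbound packet that merely looks like a web reply (source port 80)."""
    sf = StatefulFilter()
    handshake = [Packet("10.0.0.5", 51000, "198.51.100.7", 80, "S"),
                 Packet("198.51.100.7", 80, "10.0.0.5", 51000, "SA"),
                 Packet("10.0.0.5", 51000, "198.51.100.7", 80, "A")]
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 4444, "SA")
    legit_ok = all(stateless_filter(p) and sf.decide(p) for p in handshake)
    return legit_ok, stateless_filter(unsolicited), sf.decide(unsolicited)

if __name__ == "__main__":
    print(run_scenario())   # (True, True, False)
```

The result shows both filters passing the legitimate handshake, but only the stateless access list admitting the unsolicited packet; once the tracked connection closes with FIN or RST, the stateful engine stops admitting its return traffic as well.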