Firewall final (fire wall)
1. FIREWALL
ABSTRACT
The increasing complexity of networks, and the need to make them more open due to the growing
emphasis on and attractiveness of the internet as a medium for business transactions, mean that networks
are becoming more and more exposed to attacks, both from without and from within. The search is on for
mechanisms and techniques for the protection of internal networks from such attacks. One of the protective
mechanisms under serious consideration is the firewall. A firewall protects a network by guarding the points
of entry to it. Firewalls are becoming more sophisticated by the day, and new features are constantly being
added, so that, in spite of the criticisms made of them and developmental trends threatening them, they are
still a powerful protective mechanism. This article provides an overview of firewall technologies.
Firewalls are network devices that enforce an organization’s security policy. Since their development,
various methods have been used to implement firewalls. These methods filter network traffic at one or more
of the seven layers of the ISO network model, most commonly at the application, transport, network, and
data-link levels. Newer methods, which have not yet been widely adopted, include protocol normalization
and distributed firewalls. Firewalls involve more than the technology to implement them. Specifying a set of
filtering rules, known as a policy, is typically complicated and error-prone. High-level languages have been
developed to simplify the task of correctly defining a firewall’s policy. Once a policy has been specified,
testing is required to determine if the firewall correctly implements the policy. Because some data must be
able to pass in and out of a firewall, in order for the protected network to be useful, not all attacks can be
stopped by firewalls. Some emerging technologies, such as Virtual Private Networks (VPN) and peer-to-peer
networking, pose new challenges for existing firewall technology.
Sr. No.  Content                                                    Page No.
1.  Introduction                                                     4
    1.1 The Need for Firewalls
    1.2 Security problems in operating systems
    1.3 Preventing access to information
    1.4 Preventing Information Leaks
    1.5 Enforcing Policy
    1.6 Auditing
    1.7 Firewall architectures
    1.8 Packet filtering
    1.9 Improving Packet Filter Specification
2.  What are firewalls                                               11
    2.1 What does it do?
    2.2 Who needs a Firewall?
3.  Types of firewalls                                               13
    3.1 Application-filtering Firewall
    3.2 Packet-filtering Firewall
    3.3 Firewall components
    3.4 How a firewall works
    3.5 What a firewall can do to protect your network
    3.6 SOCKS
    3.7 What a firewall cannot do to protect your network
4.  Can firewalls scan viruses                                       16
    4.1 Understanding Internet security issues
    4.2 Types of Internet attacks
    4.3 Setup types of firewalls
    4.4 Differences between hardware and software firewalls
5.  Configuring the firewall                                         18
    5.1 IP addresses
    5.2 Domain names
    5.3 Protocols
    5.4 Ports
    5.5 Specific words and phrases
    5.6 Firewall Testing
6.  Advantages and Disadvantages                                     20
    6.1 Advantages
    6.2 Disadvantages
7.  Future challenges for firewalls                                  23
8.  Conclusion                                                       24
ACKNOWLEDGMENT
I take this opportunity to express my heartfelt gratitude towards the Department of
Computer, JIEMS, Akkalkuwa that gave me an opportunity for presentation of my seminar in their
esteemed organization.
It is a privilege for me to have been associated with Mr. Mohammad Asif, my guide during
this seminar work. I have greatly benefited from his valuable suggestions and ideas. It is with
great pleasure that I express my deep sense of gratitude to him for his valuable guidance, constant
encouragement and patience throughout this work.
I express my gratitude to Prof. Suhel Patel [CO HOD] for his constant encouragement, co-
operation and support, and I am also thankful to all the people who have contributed in their own way to
making this seminar a success.
I take this opportunity to thank all our classmates for their company during the course work
and for useful discussion I had with them.
Under these responsible and talented personalities I was able to complete the seminar efficiently
and in time with success.
Miss. Panwala Arsin.
(T.E CO)
CHAPTER 1
INTRODUCTION
The Internet has made a large amount of information available to the average computer user at home,
in business and in education. For many people, having access to this information is no longer just an
advantage; it is essential.
Connecting a private network to the Internet can expose critical or confidential data to
malicious attack from anywhere in the world. Intruders could gain access to your site's private
information or interfere with your use of your own systems.
Users who connect their computers to the Internet must be aware of these dangers, their implications
and how to protect their data and their critical systems. Network security is therefore the main concern
here, and firewalls provide this security.
Internet firewalls keep the flames of Internet hell out of your network, or keep the members of
your LAN pure by denying them access to all the evil Internet temptations.
Today’s networks change and develop on a regular basis to new business situations, such as
reorganizations, acquisitions, outsourcing, mergers, joint ventures, and strategic partnerships, and the
increasing degree to which internal networks are connected to the internet. The increased complexity and
openness of the network thus caused makes the question of security more complicated than hitherto, and
necessitates the development of sophisticated security technologies at the interface between networks of
different security domains, such as between intranet and internet or extranet. The best way of ensuring
interface security is the use of a firewall.
A firewall is a computer, router or other communication device that filters access to the protected
network. Cheswick and Bellovin define a firewall as a collection of components or a system that is placed
between two networks and possesses the following properties:
1. All traffic from inside to outside, and vice-versa, must pass through it.
2. Only authorized traffic, as defined by the local security policy, is allowed to pass through it.
3. The firewall itself is immune to penetration.
The idea of a wall to keep out intruders dates back thousands of years. Over two thousand years ago, the
Chinese built the Great Wall as protection from neighbouring northern tribes. European kings built castles
with high walls and moats to protect themselves and their subjects, both from invading armies and from
marauding bands intent on pillaging and looting. The term “firewall” was in use as early as 1764 to describe
walls which separated the parts of a building most likely to have a fire (e.g., a kitchen) from the rest of a
structure. These physical barriers prevented or slowed a fire’s spread throughout a building, saving both
lives and property.
A related use of the term is described by Schneier: Coal-powered trains had a large furnace in the engine
room, along with a pile of coal. The engineer would shovel coal into the engine. This process created coal
dust, which was highly flammable. Occasionally the coal dust would catch fire, causing an engine fire that
sometimes spread into the passenger cars. Since dead passengers reduced revenue, train engines were built
with iron walls right behind the engine compartment.
This stopped fires from spreading into the passenger cars, but didn’t protect the engineer between the
coal pile and the furnace.
1.1 The Need for Firewalls
In the early years, the Internet supported a small community of compatible users who valued
openness for sharing and collaboration. This view was challenged by the Morris Worm.
However, even without the Morris worm, the end of the open, trusting community would have come
soon through growth and diversification. Examples of successful or attempted intrusions around the same
time include: Clifford Stoll’s discovery of German spies tampering with his system, and Bill Cheswick’s
“Evening with Berferd” in which he set up a simple electronic “jail” for an attacker. In this jail, the attacker
was unable to affect the real system but was left with the impression that he or she had successfully broken
in. Cheswick was able to observe everything the attacker did, learning from these actions, and alerting
system administrators of the networks from where the attacks were originating. Such incidents clearly
signalled the end of an open and benign Internet. By 1992 Steve Bellovin described a collection of attacks
that he had noticed while monitoring the AT&T firewall and the networks around it. The result was clear—
there were many untrustworthy and even malicious users on the Internet. When networks are connected
together, a different level of trust often exists on the different sides of the connection. “Trust” in this sense
means that an organization believes that both the software and the users on its computers are not malicious.
Firewalls enforce trust boundaries, which are imposed for several reasons:
1.2 Security problems in operating systems:
Operating systems have a history of insecure configurations. For example, Windows 95 and
Windows 98 were widely distributed with Windows file sharing enabled by default; many viruses exploited
this vulnerability. A second example is Red Hat Linux versions 6.2 and 7.0, which were vulnerable to three
remote exploits when the operating system was installed using default options. It is an on-going and expensive
process to secure every user’s machine, and many organizations consciously decide not to secure the
machines inside their firewall. If a machine on the inside is ever compromised, the remaining machines are
likely also vulnerable, a situation that has been described as “a sort of crunchy shell around a soft, chewy
center”.
Individuals can protect a single machine connected to the Internet with a personal firewall. Rather
than trying to secure the underlying operating system, these firewalls simply prevent some types of
communication. Such firewalls are often used in homes and on laptops when they are outside their normal
firewall. In this case, the trust boundary is the network interface of the machine.
Organizations often use firewalls to prevent a compromised machine inside from attacking machines
outside. In this case, the firewall protects the organization from possible liability due to propagating an
attack.
1.3 Preventing access to information:
National firewalls (attempt to) limit the activities of their users on the Internet, for example China. A
similar idea in the US is the Children’s Internet Protection Act (CHIPA) which mandates that certain
information be filtered. This law requires that schools and libraries which receive federal funding block
certain classes of web content.
1.4 Preventing Information Leaks:
Because all traffic leaving a network must pass through the firewall, it can be used to reduce
information leaks, as in: The key criterion for success for the Digital corporate gateways is preventing an
unauthorized or unnoticed leak of data to the outside.
1.5 Enforcing Policy:
Firewalls are one part of an overall security policy; they enforce the rules about which network traffic
is allowed to enter or leave a network. These policies restrict the use of certain applications, restrict which
remote machines may be contacted, and/or limit the bandwidth.
1.6 Auditing:
If a security breach (which does not include the firewall) occurs, audit trails can be used to help
determine what happened. Audit trails have also been used to monitor employees, e.g., for using work
network resources for non-work purposes.
1.7 Firewall architectures:
Firewalls range from simple machines designed to be purchased “off-the-shelf” and installed by a
person unskilled in network security to complex, multiple-machine custom installations used in large
organizations. Regardless of their complexity, all firewalls have the concept of “inside” for the protected
network, and “outside” for the untrusted network. These terms are used even when a firewall protects the
outside world from potentially compromised machines inside.
Another common feature of firewalls is the existence of a DMZ (named for the demilitarized zone
separating North and South Korea) or “screened network.” Machines such as email and web servers are
often placed on the DMZ. These machines are not allowed to make connections to machines on the inside of
the firewall, but machines on the inside are allowed to make connections to the DMZ machines. Thus if a
server on the DMZ is compromised, the attacker cannot directly attack machines on the inside. Servers are
particularly vulnerable because they must be accessible in order to be useful, and current firewalls are largely
ineffective against attacks that arrive through these services. Examples of attacks on servers include
the “Code Red” and “Nimda” worms, which attacked Microsoft Windows machines running Microsoft’s web
server IIS, and in the case of Nimda, several additional routes. Firewall architectures are constrained by the
type of filtering (described shortly) and the presence or absence of a DMZ.
1.8 Packet filtering:
Packet filtering is looking at the headers in network packets and deciding whether or not to allow the
packet based on the policy enforced by the firewall. Packet filtering for network security began with
Mogul’s paper describing screend in 1989. Most early work on packet filtering for security emphasized
performance; later papers continued this trend. In addition to its efficiency, packet filtering is appealing
because it does not require the cooperation of users, nor does it require any special action on their part like
some proxies require. Packet filters use one or more of the following pieces of information to make their
decision on whether or not to forward the packet: source address; destination address; options in the network
header; transport-level protocol (i.e., TCP, UDP, ICMP, etc.); flags in the transport header; options in the
transport header; source port or equivalent if the protocol has such a construct; destination port or equivalent
if the protocol has such a construct; the interface on which the packet was received or will be sent; and
whether the packet is inbound or outbound. Although packet filtering is fast, it has some drawbacks, most
importantly the difficulty of writing correct filters. For example, Chapman compares packet filter languages
to assembly language. In 1995, Molitor proposed an improved commercial filter language. A second
drawback is that packet filtering cannot identify which user is causing which network traffic. It can inspect
the IP address of the host from which the traffic originates, but a host is not identical to a user. If an
organization with a packet-filtering firewall is trying to limit the services some users can access, it must
either implement an additional, separate protocol for authentication or use the IP address of the user’s
primary machine as a weak replacement for true user authentication. Also, because IP addresses can be
spoofed, using them for authentication can lead to other problems. If the router is running a properly
configured filter, remote attackers should not be able to spoof local addresses, but they could spoof other
remote addresses. Local machines can spoof other local machines easily. In spite of these problems, many
organizations still use IP addresses or DNS names for access control.
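As an added illustration of the packet-filtering decision described above (this is example code written for this section, not code from the report or from any of the filter implementations it cites), the following Python evaluates first-match rules over the header fields listed in the paragraph (addresses, protocol, destination port, direction, the TCP ACK flag) and applies the anti-spoofing check that a packet claiming a local source address must arrive on the inside interface. The network 192.0.2.0/24, the interface names, the FTP host 192.0.2.10 and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed topology (an assumption, not from the report): the protected
# network sits behind interface eth1; eth0 faces the untrusted network.
INSIDE_NET = ip_network("192.0.2.0/24")
INSIDE_IF = "eth1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    iface: str                 # interface the packet arrived on
    direction: str             # "in" = entering the protected network, "out" = leaving it
    ack: bool = False          # TCP ACK flag (False for non-TCP)


@dataclass(frozen=True)
class Rule:
    """One stateless filter rule; a None field matches anything."""
    action: str                # "pass" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (self.ack is None or self.ack == p.ack))


def spoofed_local_address(p: Packet) -> bool:
    """A packet with an inside source address is only credible on the inside interface."""
    claims_inside = ip_address(p.src) in INSIDE_NET
    return claims_inside and p.iface != INSIDE_IF


def filter_packet(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """First matching rule decides; the default applies when nothing matches."""
    if spoofed_local_address(p):
        return "block"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# The report's example policy (Chapter 2): only one host may receive public FTP.
FTP_HOST = "192.0.2.10/32"
RULES = [
    Rule("pass", dst=FTP_HOST, proto="tcp", dport=21, direction="in"),
    Rule("block", proto="tcp", dport=21, direction="in"),
    # A stateless filter cannot know which inbound segments are replies to
    # connections opened from inside, so a common compromise is to pass
    # inbound TCP segments that carry the ACK flag.
    Rule("pass", proto="tcp", direction="in", ack=True),
    Rule("pass", src=str(INSIDE_NET), direction="out"),
]

# Constructed sample traffic.
SAMPLE: Dict[str, Packet] = {
    "ftp to allowed host": Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 21, "eth0", "in"),
    "ftp to other host": Packet("198.51.100.7", "192.0.2.11", "tcp", 40001, 21, "eth0", "in"),
    "spoofed inside source": Packet("192.0.2.5", "192.0.2.10", "tcp", 40002, 21, "eth0", "in"),
    "outbound web": Packet("192.0.2.5", "198.51.100.7", "tcp", 50000, 80, "eth1", "out"),
    "inbound telnet": Packet("198.51.100.7", "192.0.2.10", "tcp", 40003, 23, "eth0", "in"),
    "unsolicited ack segment": Packet("198.51.100.7", "192.0.2.11", "tcp", 40004, 6000, "eth0", "in", ack=True),
}


def run_policy(rules: List[Rule] = RULES, packets: Dict[str, Packet] = SAMPLE) -> Dict[str, str]:
    """Apply the policy to every sample packet and return name -> verdict."""
    return {name: filter_packet(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_policy().items():
        print(f"{verdict:5}  {name}")
```

The "unsolicited ack segment" case is the weakness the next paragraph describes: because the filter keeps no connection state, an inbound segment that merely sets ACK reaches an internal host that never opened a connection, which is why the whole internal network remains reachable through a stateless filter.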
With packet filters, the local machine directly initiates the connection to the remote machine. A result
is that the entire internal network is potentially reachable from external connections; otherwise the reply
packets from the remote host would not be delivered properly. As a consequence, hostile remote computers
can potentially exploit weaknesses in the protocol implementation of the local computer. Protocols such as
FTP are difficult for packet filters. FTP uses a control channel opened from the client to the server for
commands. However, when getting a file, one method of using FTP (active FTP) has the server open a
connection back to the client, contrary to the communication patterns in other client-server protocols. FTP’s
lack of encryption protecting user authentication data has led to reduced usage, and eventually it may no
longer be used.
1.9 Improving Packet Filter Specification:
Firewalls were originally built and configured by experts. However, firewalls are now commodity
products which are sold with the intent that nearly anyone can be responsible for their network’s security.
Typically a graphical user interface (GUI) is used to configure packet filtering rules. Unfortunately, this GUI
requires the user to understand the complexities of packet filters, complexities originally pointed out by
Chapman in 1992. In many cases, the only advance since then is the GUI. The prevalence of transparent
proxies only increases the complexity of the administrator’s task because he or she must understand the
advantages and drawbacks of using proxies compared to packet filtering. Some researchers have therefore
developed higher-level languages for specifying packet filters.
Specific examples include using binary decision diagrams (BDDs) to specify the policy, a compiler for a
higher-level language that produces packet-filtering rules, a LISP-like language describing policy, and the
Common Open Policy Service (COPS) protocol standard. In 2000, Hazelhurst proposed BDDs for
visualizing router rule sets. Since BDDs represent boolean expressions, they are ideal for representing the
block/pass rules which occur in packet filters. BDDs also make automated analysis of packet filter rules
easier, as well as providing better performance than the table lookups used in many routers. The filter
language compiler, flc, allows the use of the C preprocessor, specification of a default block or pass policy
for various directions of traffic flow, and provides a simple if-then-else facility. flc also generates rules for
several different packet filters (IPF, ipfw, ipfwadm, ipfirewall, Cisco extended access lists, and screend).
Guttman described a LISP-like language for expressing access control policies for networks where more
than one firewall router is used to enforce the policy. The language is then used to compute a set of packet
filters which will properly implement the policy. He also describes an algorithm for comparing existing
filters to the policy to identify any policy breaches. However, the automatically generated filters are not
expressed in the language of any router; the network administrator must build them manually from the LISP-
like output.
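The automated analysis that BDD-based and compiler-based approaches make possible can be shown on a small scale. The following is an added Python example, not code from the report, from flc or from Guttman's tool: it models each rule as a set of packets (source and destination prefixes, a protocol set and a destination-port range) and finds rules that can never fire under first-match semantics. The rules and addresses are constructed for the example, and the check only detects coverage by a single earlier rule, not by a combination of several.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Tuple

ALL_PROTOS: FrozenSet[str] = frozenset({"tcp", "udp", "icmp"})
TCP: FrozenSet[str] = frozenset({"tcp"})


@dataclass(frozen=True)
class FilterRule:
    """A rule viewed as a set of packets: address prefixes, protocols, destination ports."""
    action: str                            # "pass" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protos: FrozenSet[str] = ALL_PROTOS
    dports: Tuple[int, int] = (0, 65535)   # inclusive destination port range


def covers(a: FilterRule, b: FilterRule) -> bool:
    """True when every packet that b matches is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and b.protos <= a.protos
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])


def analyse(rules: List[FilterRule]) -> List[Tuple[int, int, str]]:
    """Return (later_index, earlier_index, kind) for every rule that can never fire.

    Under first-match semantics a rule that is fully covered by an earlier rule is
    dead. Same action -> "redundant" (harmless clutter); different action ->
    "shadowed" (what the administrator wrote for those packets is not what runs).
    """
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                kind = "redundant" if rules[j].action == later.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


# Constructed rule set for a hypothetical 192.0.2.0/24 network.
SAMPLE_RULES = [
    FilterRule("pass", dst="192.0.2.10/32", protos=TCP, dports=(21, 21)),     # 0: FTP to one host
    FilterRule("block", dst="192.0.2.0/24", protos=TCP, dports=(0, 1023)),    # 1: no other privileged TCP ports
    FilterRule("pass", dst="192.0.2.20/32", protos=TCP, dports=(80, 80)),     # 2: web server, never reached
    FilterRule("block", dst="192.0.2.10/32", protos=TCP, dports=(21, 21)),    # 3: contradicts rule 0
    FilterRule("block", dst="192.0.2.0/25", protos=TCP, dports=(22, 22)),     # 4: already done by rule 1
    FilterRule("pass", dst="192.0.2.0/24", protos=frozenset({"udp"}), dports=(53, 53)),  # 5: fine
]


if __name__ == "__main__":
    for later, earlier, kind in analyse(SAMPLE_RULES):
        print(f"rule {later} is {kind} by rule {earlier}: {SAMPLE_RULES[later]}")
```

Rule 2 is the kind of error a GUI makes easy to commit: the administrator added a pass rule for a new web server below a broad block rule, so the server is unreachable even though the rule is visibly present in the list.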
Proxies: A proxy is a program that receives traffic destined for another computer. Proxies sometimes
require user authentication; they can verify that the user is allowed to connect to the destination, and then
connect to the destination service on behalf of the user. When a proxy is used, the connection to the remote
machine comes from the machine running the proxy instead of the original machine making the request.
Because the proxy generates the connection to the remote machine, it has no problems determining which
connections are real and which are spoofed; this is in contrast to stateless packet filtering firewalls. Proxies
appear in firewalls primarily at the Transport and Application ISO network levels. In the Internet, the
transport level consists of only two protocols, TCP and UDP. This small number of protocols makes writing
a proxy easy—one proxy suffices for all protocols that use TCP. Contrast this with the application-level
proxies (covered below), where a separate proxy is required for each service, e.g., Telnet, FTP, HTTP,
SMTP, etc. Transport-level proxies have the advantage that a machine outside of the firewall cannot send
packets through the firewall which claim to be a part of an established connection. Because the state of the
TCP connection is known by the firewall, only packets that are a legitimate part of a communication are
allowed inside the firewall. Proxies at the application level provide the benefits of transport-level proxies,
and additionally they can enforce the proper application-level protocol and prevent the abuses of the protocol
by either client or server. The result is excellent security and auditing. Unfortunately, application proxies are
not without their drawbacks:
• The proxy must be designed for a specific protocol. New protocols are developed frequently, requiring new
proxies; if there is no proxy, there is no access.
• To use an application proxy, the client program must be changed to accommodate the proxy. The client
needs to understand the proxy’s authentication method and it must communicate the actual packet
destination to the proxy. Because source code is not publicly available for some applications, in these cases
the required changes can be made only by the application’s vendor, a significant bottleneck.
• Each packet requires two trips through the complete network protocol stack which adversely affects
performance. This is in contrast to packet filtering, which handles packets at the network layer.
One of the most common proxies is SOCKS. SOCKS simplifies the changes needed to the source code of
the client application—A SOCKS call replaces a normal socket call, which results in all outbound traffic
using the proxy. This approach is a clean solution, and it works well if one has the source code for the
relevant operating system utilities. Some commercial applications (e.g., Netscape) were written to
accommodate SOCKS. A system using SOCKS and TCP connections is transparent to the user (assuming
the proxy allows access to the destination host). In 2000, Fung and Chang described an enhancement to
SOCKS for UDP streams, such as that used by RealNetworks’ RealPlayer. Ranum and Avolio developed the
Trusted Information Systems (TIS) Firewall Toolkit (FWTK), a collection of proxies for building firewalls.
This freely available toolkit provided SMTP, the Network News Transport Protocol (NNTP), FTP and
Telnet application proxies as well as a generic circuit-level proxy.
To improve security, the proxies used the UNIX system call chroot to limit how much of the system
is exposed; this way if a proxy were compromised, the rest of the firewall would more likely remain
trustworthy. The TIS FWTK had no proxies for UDP services; instead, the firewall machine ran DNS and
the Network Time Protocol (NTP). The internal machines used the firewall for those services. When Trusted
Information Systems and Network Associates, Inc. (NAI) merged in February 1998, the TIS firewall became
NAI’s Gauntlet Internet Firewall. A limitation of proxies is that client software must be modified and/or the
user must work differently when using the proxy. Transparent proxies address this limitation. With a
transparent proxy the client sends packets to the destination as usual. When the packets reach the firewall,
access control checks and logging are performed as in a classical proxy system. The “magic” is implemented
by the firewall, which notes the destination address and port, opens up a connection to it and then replies to
the client, as if the proxy were the remote machine. This relaying can take place at either the transport level
or the application level. RFC 1919 compares classical proxies with transparent proxies.
Transparent proxies are demanding because the firewall must operate both at the network and application
levels, affecting performance. One solution proposed by Spatscheck and Maltz and Bhagwat is that of
“splicing.” In splicing, after the proxy verifies that communication is allowed to proceed, the firewall
converts to a network-level packet filtering firewall for that communication. Splicing provides the extra
control of proxies but maintains performance closer to that of packet filters.
CHAPTER 2
2. What is a firewall?
A firewall is a piece of software or hardware that stands between two entities, such as a private
network on one side and a public network like the Internet on the other. It can control what kind of
traffic flows across and protect the network from hackers.
A firewall is designed to block unauthorized communications. A firewall will not protect a system from
viruses, spyware and adware. A properly configured firewall can minimize damage caused by spyware by
blocking unauthorized access, while antivirus is a software application used for the prevention, detection,
and removal of malicious software, including computer viruses, Trojan horses, spyware, and adware.
A firewall can be implemented in both software and hardware, while an antivirus program is a software
application.
A firewall can be thought of as a screen or sieve that categorically strains out potentially harmful
data. Firewall and antivirus software are two fundamentally different and complementary kinds of security
applications.
A firewall is also known as a ‘packet filter’: basically, software which monitors network traffic and
connection attempts into and out of a network or computer and determines whether or not to allow them to
pass. Depending on its sophistication, this can be limited to simple IP/port combinations or extend to full
content-aware scans.
(Fig: Firewall)
2.1 What does it do?
Let’s say that a company has 500 employees. The company will have hundreds of computers that
all have network cards connecting them together. In addition, the company will have one or more
connections to the Internet. Without a firewall in place, all of those hundreds of computers are directly
accessible to anyone on the Internet. A person who knows what he or she is doing can probe those
computers, try to make FTP connections to them, try to make Telnet connections to them and so on. If
one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit the
hole.
With a firewall in place, the landscape is much different. A company will place a firewall at every
connection to the Internet. The firewall can implement security rules. For example one of the security rules
inside the company might be
Out of the 500 computers inside this company only 1 of them is permitted to receive public FTP
traffic. Allow FTP connections only to that one computer and prevent them on all others.
A company can set rules like this for FTP servers, Web servers, Telnet servers and so on. In addition
the company can control how employees connect to Web sites, whether files are allowed to leave the
company over the network and so on. A firewall gives a company tremendous control over how people use
the network.
2.2 Who needs a Firewall?
We need a firewall if we have a network (called a trusted network) which is connected to any other
network (called an untrusted network) that does not belong to us (like the Internet). We also need a
firewall to set up controlled access between two or more networks owned by us. If we have a large WAN
which uses the Internet as its backbone, we want to protect its networks with firewalls.
We need a firewall even if we only browse the Internet from a single desktop computer at home.
This computer is considered a gateway because it provides the only point of access between the home
network and the Internet. If we use Internet applications like ICQ that have bugs, an anonymous person
can exploit them to bring our computer down or break our privacy. If we blindly accept files from
anonymous people (this generally happens when chatting), we may unknowingly accept a file that installs
a service that runs continuously on a port, through which the sender can connect to our computer and
issue commands to do whatever he wants on our machine. This is how a popular Trojan called Back
Orifice works. Examples of personal firewall software for home computers are Norton Personal
Firewall, BlackIce, ZoneAlarm, VirusMD and Conseal PC Firewall. These can be configured to deny any
foreign connection to our desktop computer.
CHAPTER 3
3. TYPES OF FIREWALLS
Firewalls use one or more of three methods to control traffic flowing in and out of the network.
They are:
Application-filtering Firewall
Packet-filtering Firewall
Stateful Inspection
3.1 Application-filtering Firewall:
An application-proxy firewall is implemented in proxy servers. Anyone who wants to access anything
outside the trusted network must go through the proxy server. This proxy firewall will grant or block access
depending on a set of rules. The rules can be based on the user login name, the source and destination
machines’ IP addresses, the protocol in use (TCP, UDP, ICMP), the port address, etc. An application proxy
can block or allow access to application-specific data. For example, you can block MP3 and video files.
3.2 Packet-filtering Firewall:
A packet-filtering firewall controls access based on information in the packet header. As we all
know, data that has to be transmitted across the network is broken into small chunks called packets.
Each packet has a header and a part of the original data, called its content. The header consists of
information like source, destination, port, and the number of the packet in the sequence. Packets that pass
the set of filters are sent to the requesting system and all others are discarded.
3.3 Firewall components
A firewall is a collection of hardware and software that, when used together, prevents unauthorized
access to a portion of a network.
A firewall consists of the following components:
Hardware: Firewall hardware usually consists of a separate computer dedicated to running the
firewall software functions.
Software: Firewall software can consist of some or all of these applications:
– Packet filters
– Proxy servers
– SOCKS servers
– Network address translation (NAT) services
– Logging and monitoring software
– Virtual private network (VPN) services.
3.4 How a firewall works
To understand how a firewall works, imagine that your network is a building to which you want to
control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to
welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge
readers to authenticate visitors who enter the building. These measures may work well to control access to
your building. But, if an unauthorized person succeeds in entering your building, you have no way to protect
the building against this intruder’s actions. If you monitor the intruder’s movements, however, you have a
chance to detect any suspicious activity from the intruder.
When you define your firewall strategy, you may think it is sufficient to prohibit everything that
presents a risk for the organization and allow everything else. However, because computer criminals
constantly create new attack methods, you must anticipate ways to prevent these attacks. As in the example
of the building, you also need to monitor for signs that, somehow, someone has breached your defenses.
Generally, it is much more damaging and costly to recover from a break-in than to prevent one.
In the case of a firewall, your best strategy is to permit only those applications that you have tested
and have confidence in. If you follow this strategy, you must exhaustively define the list of services you
must run on your firewall. You can characterize each service by the direction of the connection (from inside
to outside, or outside to inside). You should also list users who you will authorize to use each service and the
machines that can issue a connection for it.
3.5 What a firewall can do to protect your network
You install a firewall between your network and your connection point to the Internet (or other
untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall
provides a single point of contact (called a chokepoint) between your network and the Internet (see the figure
below). Because you have a single point of contact, you have more control over which traffic to allow into
and out of your network.
A firewall appears as a single address to the public. The firewall provides access to the untrusted
network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal
network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping
information about your network private is one way in which the firewall makes an impersonation attack
(spoofing) less likely.
A firewall allows you to control traffic into and out of your network to minimize the risk of attack to
your network. A firewall securely filters all traffic that enters your network so that only specific types of
traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or file
transfer protocol (FTP) to gain access to your internal systems.
3.6 SOCKS
SOCKS is a client/server protocol that relays TCP/IP connections through a gateway: the client asks the SOCKS server to open the connection on its behalf, and the server decides whether the policy allows it. A single SOCKS server can handle several TCP/IP applications, such as FTP and TELNET, because it does not need to understand each application protocol. To use SOCKS, your Web browser or TCP/IP stack must support it. Because SOCKS works at the session level rather than at the application level, it tends to be faster than an application proxy server. However, SOCKS does not provide caching, so a proxy server, which does, may offer faster performance if your users often access the same URLs.
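The SOCKS5 exchange described above, as an added example that is not code from the original report: the client encodes a CONNECT request (RFC 1928), the gateway parses it and answers according to an allowlist. The destination names, addresses, ports and the allowlist are constructed for illustration; a real gateway would also open the outbound socket and relay bytes, which is omitted here.

```python
"""SOCKS5 (RFC 1928) CONNECT exchange: client request, gateway policy decision, reply.
Added example, not code from the original report. The destinations, ports and
the gateway allowlist are constructed for illustration."""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def client_greeting():
    """Client -> gateway: version, number of methods, methods offered (here: no authentication)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def client_connect_request(host, port):
    """Client -> gateway: CONNECT host:port.

    A dotted IPv4 literal is sent as ATYP 1. Anything else is sent as a domain
    name (ATYP 3), so the gateway, not the client, resolves it: the client
    needs no DNS access to the outside and the gateway can apply policy by name."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Gateway side: decode a request into (command, host, port); reject malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]


# Constructed gateway policy: the only (host, port) pairs internal users may reach.
ALLOWED_DESTINATIONS = {("ftp.example.org", 21), ("www.example.org", 80), ("198.51.100.10", 23)}


def gateway_reply(data, allowed=ALLOWED_DESTINATIONS):
    """Gateway -> client: the 10-byte reply for one request.

    BND.ADDR/BND.PORT are zero here; a real gateway fills in the local end of
    the socket it opened toward the destination on success and then relays bytes."""
    cmd, host, port = parse_request(data)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif (host, port) in allowed:
        rep = REP_SUCCESS
    else:
        rep = REP_NOT_ALLOWED
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def reply_code(reply):
    """REP field of a gateway reply: 0 = succeeded, 2 = not allowed by ruleset, 7 = command not supported."""
    return reply[1]
```

The gateway applies its policy to the destination as the client named it; if the client sends a name (ATYP 3), the decision and the DNS lookup both happen on the gateway, which is what keeps the internal client from needing any direct path to the outside.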
3.7 What a firewall cannot do to protect your network
While a firewall provides a great deal of protection from certain kinds of attack, it is only part of your total security solution. For instance, a firewall cannot protect the contents of data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you encrypt this data, anyone on the path it travels can read it on its way to its destination.
CHAPTER 4
4. CAN FIREWALLS SCAN VIRUSES?
No, virus scanning is not the intended function of a firewall. A packet filter looks only at header information (addresses, protocols, ports) or at the file (application) type to allow or block access. To check for virus patterns, all the data packets must be reassembled into the original file, and the file must then be checked against the virus signatures. A basic firewall is not meant to look inside the file data for virus patterns. A network virus scanner behind the firewall, on the mail or Web gateway, together with anti-virus software on each host, does this best.
4.1 Understanding Internet security issues
When connecting to an untrusted network, you must ensure that your security policy provides you
with the best protection possible. A firewall certainly represents a large portion of your total security
solution. However, because a firewall is only the first line of defense for your network, you must ensure that
your security policy provides additional coverage.
To ensure that your firewall provides the protection that you need, review these security concepts:
Trusted networks
Security policies
Security services
Network security objectives
Types of Internet attacks
4.2 Types of Internet attacks
There are several kinds of passive or active attacks of which you should be aware.
These are among the most common:
Sniffing
Internet Protocol (IP) spoofing
Denial of service
4.3 SETUP TYPES OF FIREWALLS
The setup of a firewall largely depends on the physical and logical layout of the network. Broadly, there are two types of firewall setup:
a. Dual Homed firewall
b. De-Militarized Zone (DMZ)
a. Dual Homed Firewall Setup:
In a dual-homed setup, one firewall stands between the trusted and untrusted networks. It has two interfaces, an internal one for the trusted network and an external one for the untrusted network. These interfaces can be network cards on the same machine or ports on a router. All packets that travel between the two networks must pass through the firewall. A packet coming from the untrusted network first arrives at the external interface. The firewall compares it against the predefined access rules and, if access is allowed, routes the packet to the private network through the internal interface. The machine on which the firewall runs is called a bastion host. In this setup the bastion host is a single point of attack: anyone who can break into it can reach the private network. The bastion host must therefore be hardened, with a minimal set of services, a patched operating system, and a strict security policy.
b. De-Militarized Zone (DMZ):
The DMZ setup is used when we have a private network that must be shielded from the Internet, but at the same time we want to provide some services, such as Web access or e-mail, to the public through the Internet. In such a case, the Web, mail, and news servers must be allowed comparatively lenient access, but the machines on our private network must be protected by strict access-control rules. The public servers therefore reside in an area called the demilitarized zone. This area is bounded by two firewalls (as shown in the diagram). The first firewall, F1, applies lenient access-control rules so that people across the Internet can reach the public servers. The second firewall, F2, applies strict access-control rules. If anyone exploits a hole in F1 or in a public server and gains privileged access to the machines hosting the public services, that person is still stopped by the strong rules enforced by F2. For this to hold, F2 should allow the public servers to open only the specific connections into the private network that they actually need, such as a Web server reaching its database.
4.4 DIFFERENCES BETWEEN HARDWARE AND SOFTWARE FIREWALLS
A software firewall requires a machine, perhaps a PC, to run on. This machine needs an OS and typically has two network interfaces, so configuring it takes some effort: we have to install the OS, configure the two network interfaces for the firewall, and so on. An important point is that if the OS or any other service the machine runs has bugs, it may be an open invitation to an attacker. It therefore becomes important to patch the OS against vulnerabilities and to stop all services that are not required.
A hardware firewall, on the other hand, does not require a separate machine to run on. It is a small box that can simply be plugged into the network and is ready for customized configuration. Examples of hardware firewalls are the Linksys cable/DSL router and the SOHO2. Note that such an appliance still runs an embedded operating system of its own, so it must also be kept patched, and its management interface must not be reachable from the untrusted side.
CHAPTER 5
5. CONFIGURING THE FIREWALL
Firewalls are customizable. This means that you can add or remove filters based on several
conditions. Some of these are:
5.1 IP addresses:
Each machine on the Internet is assigned a unique address called an IP address. IPv4 addresses are 32-bit numbers, normally expressed as four "octets" in "dotted decimal" notation. A typical IP address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address. An address filter is only as trustworthy as the source address in the packet header, which an attacker can forge (see IP spoofing in 4.2), so it should be combined with the other conditions below rather than used alone.
5.2 Domain names:
Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names. Because packets carry addresses rather than names, a domain-name rule is enforced either by resolving the name when the rule is loaded, by filtering DNS, or by a proxy that sees the name in the request; a rule resolved only once will miss a server whose address later changes.
5.3 Protocols:
A protocol is the predefined way in which someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program such as a Web browser. Protocols are often text based, and simply describe how the client and server will conduct their conversation. HTTP, for instance, is the Web's protocol.
Some common protocols that firewall filters are set for include:
IP (Internet Protocol) - the main delivery system for information over the Internet
TCP (Transmission Control Protocol) - used to break information into segments and reassemble it reliably as it travels over the Internet
HTTP (Hyper Text Transfer Protocol) - used for Web pages
FTP (File Transfer Protocol) - used to download and upload files
UDP (User Datagram Protocol) - used for connectionless traffic that needs no delivery guarantee, such as streaming audio and video or DNS queries
ICMP (Internet Control Message Protocol) - used for error reporting and diagnostics between hosts and routers, such as "destination unreachable", ping, and redirect messages
SMTP (Simple Mail Transfer Protocol) - used to send e-mail
SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
Telnet - used to run commands on a remote computer over an unencrypted session
5.4 Ports:
Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server. For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company. Port numbers are only a convention, however: a service can be run on any port, so a port filter identifies a service reliably only when combined with inspection of the protocol itself.
5.5 Specific words and phrases:
This can be anything. The firewall will search through each packet of information for an exact match of the text listed in the filter. For example, we could instruct the firewall to block any packet containing the word "X-rated". The key here is that it has to be an exact match: the "X-rated" filter would not catch "X rated" (no hyphen). You can include as many words, phrases, and variations of them as you need. Two further limits apply: text split across two packets is not seen by a per-packet match, and encrypted traffic (such as HTTPS) cannot be inspected for content at all.
5.6 Firewall Testing
Since no two organizations' communication needs and patterns are identical, few if any will have identical firewalls. This leads to the problem of determining whether or not the firewall is correctly enforcing the policy. Firewall testing was originally an ad-hoc exercise, its thoroughness being determined by the skill of the person running the tests. A second phase of testing methodology used security scanners such as the Security Administrator Tool for Analyzing Networks (SATAN) and the Internet Security Systems (ISS) Internet Scanner. These scanners provided the basis for the National Computer Security Association (NCSA) certification for a period of time. Vigna extended this approach by defining a formal model of a network's topology. His model can also represent the TCP/IP protocol stack up through the transport level. Using this model, he was able to generate logical statements describing the requirements for the firewall. Given these requirements, he then generated a series of probe locations and packets to attempt to send when testing the real firewall. From a formal standpoint this work is promising, but it fails to address the common problem of how to develop a correct formal description.
Producing complete formal descriptions for realistic networks represents a significant amount of work and is difficult to do correctly. Additionally, the test generator must have a complete list of vulnerabilities for which to generate tests. Marcus Ranum took a different approach to firewall testing; he notes that firewalls are (or at least should be) different for different organizations. After a firewall is deployed, an expert can study the policy specification for the firewall and decide, top-down, which tests will verify that the firewall properly implements the policy. He emphasizes the importance of testing both the security of the firewall itself (that the firewall is secure from attack) and the correctness of the policy implementation. Unfortunately, such testing is both expensive and time-consuming. Some of the tools for firewall policy specification also provide testing or guidance for testing.
CHAPTER 6
6. ADVANTAGES AND DISADVANTAGES
6.1 ADVANTAGES
1. Concentration of security: all modified software and logging is located on the firewall system as opposed to being distributed across many hosts;
2. Protocol filtering: the firewall filters protocols and services that are either not necessary or that cannot be adequately secured from exploitation;
3. Information hiding: a firewall can "hide" the names of internal systems or electronic mail addresses, thereby revealing less information to outside hosts;
4. Application gateways: the firewall requires inside or outside users to connect first to the firewall before connecting further, thereby filtering the protocol;
5. Extended logging: a firewall can concentrate extended logging of network traffic on one system;
6. Centralized and simplified network services management: services such as ftp, electronic mail, gopher, and similar services are located on the firewall system(s) as opposed to being maintained on many systems.
6.2 DISADVANTAGES
1. The most obvious is that certain types of network access may be hampered or even blocked for some hosts, including telnet, ftp, X Windows, NFS, NIS, etc. However, this disadvantage is not unique to firewalls; network access could be restricted at the host level as well, depending on a site's security policy.
2. A second disadvantage of a firewall system is that it concentrates security in one spot as opposed to distributing it among systems, so a compromise of the firewall could be disastrous for other, less protected systems on the subnet. This weakness can be countered, however, with the argument that lapses and weaknesses in security are more likely to be found as the number of systems in a subnet increases, thereby multiplying the ways in which the subnet can be exploited.
Chapter 7
7. APPLICATIONS OF FIREWALLS
There are many creative ways in which unscrupulous people access or abuse unprotected computers:
Remote login:
When someone is able to connect to your computer and control it in some form. This can range from
being able to view or access your files to actually running programs on your computer.
Application backdoors:
Some programs have special features that allow for remote access. Others contain bugs that provide a
backdoor or hidden access that provides some level of control of the program.
SMTP session hijacking:
SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is quite often done by relaying the e-mail through the SMTP server of an unsuspecting host that accepts mail for any destination (an open relay), making the actual sender of the spam difficult to trace.
Operating system bugs:
Like applications, some operating systems have backdoors. Others provide remote access with
insufficient security controls or have bugs that an experienced hacker can take advantage of.
Denial of service:
You have probably heard this phrase in news reports about attacks on major Web sites. This type of attack is hard to counter completely. In the classic form, the attacker sends the server a request to open a connection (a TCP SYN) with a forged source address. When the server responds with an acknowledgement and tries to establish the session, it cannot reach the system that supposedly made the request, and the half-open connection occupies resources until it times out. By inundating a server with these unanswerable session requests, the attacker causes it to slow to a crawl or eventually crash. Firewalls and servers counter this with limits on half-open connections and with SYN cookies, which avoid keeping state until the handshake completes.
E-mail bombs:
An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or
thousands of times until your e-mail system cannot accept any more messages.
Macros:
To simplify complicated procedures, many applications allow you to create a script of commands
that the application can run. This script is known as a macro. Hackers have taken advantage of this to create
their own macros that, depending on the application, can destroy your data or crash your computer.
Viruses:
Probably the most well known threat is computer viruses. A virus is a small program that can copy
itself to other computers. This way it can spread quickly from one system to the next. Viruses range from
harmless messages to erasing all of your data.
Spam:
Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous, though. Quite often it contains links to Web sites. Be careful about clicking on these, because the link may lead to a site that tricks you into entering your credentials or downloads malicious software onto your computer.
Redirect bombs:
Attackers can use ICMP redirect messages to change the path information takes, by telling a host to send its traffic to a different router. This is one of the ways in which a denial of service or interception attack is set up; firewalls normally drop ICMP redirects arriving from the untrusted side.
7.1 Source routing:
In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source of a packet can also specify the route the packet should travel, using the IP source-route options. Attackers sometimes take advantage of this to make information appear to come from a trusted source, or even from inside the network, and to steer the replies back to themselves. Most firewall products drop source-routed packets by default; on Linux hosts the equivalent setting is net.ipv4.conf.all.accept_source_route = 0.
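The denial-of-service entry in the list above describes a SYN flood. As an added example that is not part of the original report, the following detection logic runs over a constructed connection log (the format, addresses and thresholds are invented) and separates a spoofed-source flood, where blocking addresses is useless, from a single-source flood, where an address block of the kind described in 5.1 does help.

```python
"""Half-open (SYN flood) detection over a constructed connection log.
Added example, not code from the original report. The log format, addresses
and thresholds are invented for illustration; adapt them to your own sensor."""
from collections import defaultdict


def constructed_log():
    """One line per TCP segment seen at the outside interface: <seconds> <src> <dst:port> <flags>.
    Legitimate clients send SYN then ACK; the two floods never complete the handshake."""
    legit = ["0.01 203.0.113.7 192.0.2.10:80 S", "0.05 203.0.113.7 192.0.2.10:80 A",
             "0.20 203.0.113.8 192.0.2.10:25 S", "0.24 203.0.113.8 192.0.2.10:25 A"]
    spoofed = [f"1.{i:03d} 198.51.100.{i + 1} 192.0.2.10:80 S" for i in range(60)]   # 60 forged sources
    single = [f"2.{i:03d} 203.0.113.99 192.0.2.10:25 S" for i in range(20)]         # one real source
    tail = ["5.00 203.0.113.7 192.0.2.10:80 A", "5.50 203.0.113.20 192.0.2.10:80 S"]  # data, and a handshake still in flight
    return "\n".join(legit + spoofed + single + tail)


SAMPLE_LOG = constructed_log()


def parse_log(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, flags = line.split()
            out.append((float(ts), src, dst, flags))
    return out


def stale_half_open(records, min_age=1.0):
    """(src, dst) -> SYN count for handshakes still incomplete `min_age` seconds after the first SYN.
    Recent SYNs are ignored so that handshakes that are merely in flight are not counted."""
    pending = {}          # (src, dst) -> [first SYN time, SYN count]
    last = 0.0
    for ts, src, dst, flags in records:
        last = max(last, ts)
        if flags == "S":
            entry = pending.setdefault((src, dst), [ts, 0])
            entry[1] += 1
        elif "A" in flags or "R" in flags:
            pending.pop((src, dst), None)   # handshake completed or aborted
    return {k: v[1] for k, v in pending.items() if last - v[0] >= min_age}


def flooded_targets(records, min_age=1.0, threshold=15):
    """{target: (stale half-open SYNs, distinct sources)} for targets at or over the threshold.
    Many distinct one-SYN sources for one target is the signature of a spoofed flood."""
    per_dst = defaultdict(lambda: [0, set()])
    for (src, dst), n in stale_half_open(records, min_age).items():
        per_dst[dst][0] += n
        per_dst[dst][1].add(src)
    return {dst: (n, len(srcs)) for dst, (n, srcs) in per_dst.items() if n >= threshold}


def block_candidates(records, min_age=1.0, per_source=10):
    """Sources that alone account for `per_source` or more stale SYNs: worth a 5.1-style address block.
    Spoofed sources never reach this count, which is why SYN cookies or rate limits are needed for them."""
    per_src = defaultdict(int)
    for (src, _dst), n in stale_half_open(records, min_age).items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= per_source)
```

On the sample, flooded_targets reports port 80 with 60 stale SYNs from 60 sources and port 25 with 20 stale SYNs from a single source; block_candidates names only 203.0.113.99. The spoofed flood against port 80 is visible only in the aggregate, so the response there has to be a limit on half-open connections or SYN cookies at the firewall, not a list of addresses.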
Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.
The level of security you establish determines how many of these threats your firewall can stop. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a sound rule of thumb is to block everything, then select the types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator who understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change them.
Future work and conclusion
All of the topics discussed in the prior section pose serious challenges for firewalls. In addition, two
emerging technologies will further complicate the job of a firewall, Virtual Private Networks (VPNs) and
peer-to-peer networking.
VPNs
Because firewalls are deployed at the network perimeter, if the network perimeter is expanded the
firewall must somehow protect this expanded territory. VPNs provide an example of how this can happen. A
laptop being used by a traveling employee in an Internet cafe or a home machine which is connected to an
ISP via a DSL line or cable modem must be inside the firewall. However, if the laptop or home machine’s
security is breached, the entire internal network becomes available to the attackers.
Remote access problems were first raised by Avolio and Ranum. Since VPNs had not yet been invented, it is easy to understand why they did not discuss the problem of a remote perimeter that includes hosts always connected to the Internet (via DSL or cable modems) and also allowed inside through a VPN tunnel.
Peer-to-peer networking
The music sharing system Napster was the most famous example of peer-to-peer networking.
However, several other peer-to-peer systems exist as well, including Gnutella and AIMster (file sharing over
AOL Instant Messenger). When not used for music sharing, peer-to-peer file sharing is used to support
collaboration between distant colleagues. However, as Bellovin points out, these systems raise serious
security concerns. These include the possibility of using Gnutella for attacks, buggy servents (server+client
programs), and the problems of web and email-based content in yet another form. Current firewalls are
unable to provide any protection against these types of attacks beyond simply blocking the peer-to-peer
networking.
HTTP as a “universal transport protocol”
The development of firewalls and the filtering that usually occurs at an organization's perimeter have affected the design of new protocols. Many new protocols are built on top of HTTP, since it is often allowed through firewalls. In some cases this piggybacking is a reasonable use of HTTP. In other cases, such as the Simple Object Access Protocol (SOAP), HTTP is used as a remote procedure call protocol. A good proxy is then required to determine which HTTP traffic is allowed with whom.
The need for firewalls has led to their ubiquity. Nearly every organization connected to the Internet
has installed some sort of firewall. The result of this is that most organizations have some level of protection
against threats from the outside. Attackers still probe for vulnerabilities that are likely to only apply to
machines inside of the firewall.
Because machines inside a firewall are often vulnerable to both attackers who breach the firewall as
well as hostile insiders, we will likely see increased use of the distributed firewall architecture. The
beginnings of a simple form of distributed firewalls are already here, with personal firewalls being installed
on individual machines. However, many organizations will require that these individual firewalls respond to
configuration directives from a central policy server. This architecture will simply serve as the next level in
an arms race, as the central server and the protocol(s) it uses become special targets for attackers.
Firewalls and the restrictions they commonly impose have affected how application-level protocols
have evolved. Because traffic initiated by an internal machine is often not as tightly controlled, newer
protocols typically begin with the client contacting the server; not the reverse as active FTP did. The
restrictions imposed by firewalls have also affected the attacks that are developed. The rise of email-based
attacks is one example of this change.
An even more interesting development is the expansion of HTTP and port 80 for new services. File
sharing and remote procedure calls can now be accomplished using HTTP. This overloading of HTTP
results in new security concerns, and as a result, more organizations are beginning to use a (possibly
transparent) web proxy so they can control the remote services used by the protected machines. The future is
likely to see more of this co-evolution between protocol developers and firewall designers until the protocol
designers consider security when the protocol is first developed.