The document discusses the functions and capabilities of firewalls. It explains that firewalls can identify packets based on header information like source/destination IP addresses and port numbers. Firewalls can implement security policies, like only allowing certain departments to access the internet for specific services. Rules can be created to drop or accept packets based on their source, destination, and the transport service. Firewall configurations can authenticate users and integrate with directories to authorize access based on user profiles. Firewalls also provide content security for protocols like FTP, HTTP, and SMTP.

1. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
FIREWALL
Notes by A.K.Asokan, CCNA, MBA(IT)
(asokanak@hotmail.com)
What is a firewall? This is the question which welcomed me, whenever I read
something on Firewall! And I understood the question perfectly but not the rest of the
text, most of the time, unfortunately!
You must have read that a firewall is placed in between your LAN and the Internet to
allow, deny or filter the packets which are traveling from the LAN behind it, to the
Internet and from the Internet to the LAN through the firewall. True. What else a
firewall can do? How a firewall identify the packets? Can a firewall understand what
services the packet in question is destined? (whether it is for http traffic or ftp traffic?).
If so, what are the parameters which tell the firewall that such is the service the packet
is destined to? Is it a software? Or hardware? Or a combination of both!
I am a 'hacker' (excuse me hackers, to use this beautiful word in a different perspective
which was also stolen by the so called 'crackers' long ago! I do not use the word hacker
because a hacker is a respectable person who has tremendous technical knowledge. But
unfortunately, it has been misunderstood that a hacker is a bad person with malicious
intention!) and I inserted a virus or a malicious script with the data (the payload) and
then send the packet to the LAN through the firewall. Of course, the firewall can read
the header information. But will it be able to go into the packet and check whether there
is any virus or malicious script present? If so what the firewall can do on such scripts?
I am the Managing Director of “Asokan Company” and I do not want my employees in
the packing section to access the internet. Secondly, I permit the accounts department
personnel to access the Internet only for http traffic (only to browse the net) and not for
any other services like ftp or telnet. Can I implement this requirement in the firewall?
So that when someone from the packing section tries to access the internet, the firewall
tells him, sorry yaar you can’t access the internet! How it can be implemented on a
firewall? Are there various types of firewalls? What is the difference between packet

2. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
filtering firewalls and Application gateway firewalls? Let us discuss these fundamental
issues one by one.
Well. There are firewalls which are based on Graphical User Interface (GUI) (example
Checkpoint Firewall) and there are Firewalls where the Administrator configures the
policies at the Console (Example PIX firewall from Cisco systems). Checkpoint firewall
has large installation base in the world and since it is based on GUI, it is considered less
difficult for anyone to configure, provided he/she understands as to what are the various
parameters which provide Network Security.
When you learn driving, you need a car to practice. Though we say in general that I
practiced driving, we seldom say that I practiced driving in a Toyota car, though you
might have used a Toyota car when you practice. The reason for this (unnecessary!)
intro is that though we say 'firewall' in general, when we discuss certain in-depth
concepts, we need to refer certain components of a specific firewall. I use the
checkpoint firewall to explain the following concepts but I have no other intention by
referring the name except to make the point, what I am describing, clearer to the target
readers.
Let us discuss as to how a firewall identify the packets. Most firewalls identify the
packets by something called the packet parameters. What are packet parameters? They
are the header information. The source and destination IP addresses, the destination port
numbers and transport layer parameters from the packet etc.
You might have heard terms like policy, rules etc. What is a policy? A policy can be a
decision taken by the Management. Remembering the Managing Director of “Asokan
company” has taken a decision not to allow the packing section personnel to access the
internet? This can be one policy. The same can be implemented in the firewall by
writing a rule. See the following table carefully.

3. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
Example of a rule base.
Source Destination Service Action
10.0.0.10 (packing section system) any Any Drop
10.0.0.20 (Accounts department system) any http accept
In the above example, when someone from the packing section (IP address 10.0.0.10)
trying to access 'any' destination in the internet for 'any' service, the action is that the
packets are dropped by the Firewall. Means that he will never be allowed to access the
internet. (The IP address of the Corporate is in the Private addressing scheme and it is
not routable beyond the firewall. Hence it is assumed that in the firewall, we did the
necessary NATing. For understanding NAT concepts, please read my notes on Network
Address Translation (NAT).
In the second instance, when someone from the Accounts Department (IP address
10.0.0.20) is trying to access 'any' destination in the internet for 'http' traffic (only for
browsing) the action is 'accept'ed means the firewall will allow the connectivity to be
established. But, for any other service other than http, the packets will get automatically
dropped. If you need to allow them to access http as well as ftp, then you have to add
'ftp' service also in the service column like the one in the following example.
Source Destination Service Action
10.0.0.20 (Accounts department system) any http accept
ftp
A firewall can do lot of functions like, authentication, create a VPN tunnel between the
head office and branch offices, Can set up secure remote connections, filter, allow or
deny access to incoming or outgoing packets, integrate with third party softwares
(antivirus etc.) URL filtering, FTP, HTTP and SMTP Content Security, Load
balancing…..waav, host of such services. The firewall can also authenticate users,
computers (clients) and a session (from login till you log out).

4. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
If we want a firewall to authenticate a user, the user profile must have created. Where
will you create the user profile? You have choices. You can create the same in the
firewall system itself, in any Active Directory, in TACACS server, in RADIUS server
or in the Exchange Server or in the Operating system. Wherever you create the user
profile, the firewall has to be configured in such a way so that when the user is asking
for authentication, the firewall can look into the appropriate place to check the user
profile for the required permissions to either authenticate him or otherwise. Example,
there are two employees, Asokan and Steve. Asokan's profile is created in the operating
system, and Steve's profile is created in the Firewall itself. If we configure correctly,
then both the employees can be authenticated by the firewall and the firewall is
referring the respective user profiles to check for the credentials of the respective
employees.
Why there are many types of authentication like user authentication, client
authentication, session authentication etc? The reason is that in certain firewalls, the
user authentication is not available for all the services. It is available only for certain
services say http, ftp, telnet, and rlogin. Apart from these four services (these are known
as authenticated services), if someone wants to access other services like remote
desktop, or a netbios session, then user authentication cannot be used. For this purpose,
the firewall can authenticate a client (a system in the LAN) so that a user using the
client is authenticated to access the services. (There are lot of configurations and sign
on methods in client authentication like, manual sign on, partially automatic sign on,
fully automatic sign on etc. which are not described here since the idea of this note is to
give an overview of firewall).
The next concept is the LDAP integration. LDAP stands for Light Weight Directory
Access Protocol. If the users are created in the Active Directory, the user profiles
created there can be integrated into the firewall so that the firewall can provide them
authentication to access services outside the Corporate LAN. Suppose two new
employees joined the organization, and the system administrator created user profiles
for them in the Active Directory, then it will automatically reflect in the firewall once
you did the LDAP integration.

5. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
Thirdly, the content security. The Firewall provides content security. It can provide
content security for FTP, HTTP and SMTP traffic. Ftp is for transferring files from
either client to server or/and server to client. Suppose I have an ftp server and I posted
lot of computer security notes there and I wish to share the notes between anyone who
wish to read the same. In that case, I can give the username and password to anyone or
(anonymous login) to my ftp server so that those who wish to download the files can
enter the ftp server and can see those files and download the same. Good.
However, I pose a threat that if, someone out there coming to my ftp server is a cracker,
and then he may put some virus or any malicious coding into my ftp server so that he
can destroy it! How can I protect the situation? Simple, I should instruct my firewall
that people can access the ftp server only for downloading the permitted contents and
not 'write' or upload anything to ftp server. ftp has 'get' command and 'put' command.
'ftp get' means enabling download from ftp server, 'ftp put' means uploading files TO ftp
server, which I do not allow in order to protect the server.
Likewise for http traffic also. Recall the above example, the M.D of 'Asokan Company'
does not permit packing section employees to access the internet at all. But he permits
the accounts personnel to access the http traffic. But he often sees that employees in the
accounts department is browsing naukri.com and post their resume in search of other
jobs! Now he impose one more restriction on them that employees can browse
naukri.com but should not be able to go to the specific page where they can upload their
resume! Yes. If you configure a URI resource (Uniform Resource Identifier) in the
firewall, you can prevent your employees from visiting specific pages in a website, or
you can even block a specific web site. If you prefer a list of websites to be blocked,
you can type all the URLs in a file in a specific format and import into the firewall
configuration so that none of the websites mentioned in the file will be accessed by their
employees! The firewall can be configured in such a way that it can rip into the payload
(data portion) and see whether the webpage or the ftp content contain a virus or
malicious scripts. If so, the firewall can remove such malicious codes and then send the
original content alone into the LAN. (However, the firewall may require third party
software for providing content security).

6. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
Asokan Company has 300 employees in various departments. More over it has one
branch office elsewhere in the country. The main medium of communication is through
e-mail. In order to have better security control, the M.D has installed an Exchange
Server in a De-militarized zone (DMZ) for the SMTP traffic. SMTP stands for Simple
Mail Transfer Protocol. Now that the mails are going out from the corporate office to
branch office and people out there in the public internet also write mail to the officers
inside the LAN. When mails are coming from untrusted network, there is a vulnerability
that it may contain a virus or someone may try to launch an attack towards the server to
bring it down! To prevent this, the firewall can be suitably instructed to check the
contents of the SMTP traffic also whether the mails have any attachment of virus files,
scripts, active X contents, or java coding. If it present, the firewall can be instructed to
remove the same. Thereby we can provide content security for SMTP traffic also.
As we discussed above, the company has a branch office also. All the systems in the
head office as well as branch office are in the private IP family and both the network is
behind the firewall gateway. The head office belongs to 10.0.0.0 network and the
branch office belongs to 172.16.0.0 network. In order to communicate securely, one of
the possibilities is to set up a Virtual Private Network (VPN). To set up a VPN tunnel.
Tunneling encrypts the entire original packet including the headers. Imagine you write a
letter to your friend and put it in an envelope and the to address and the from address are
written on the cover. Then, if you enclose the cover into another cover, how can the
postman read the to address and from address? Similarly, when a packet in tunneled, it
means that the entire packet (including the header and the payload) are enclosed in a
packet. If so, how will it get routed? In order to understand how it is getting routed, we
need to understand the following concept.
VPN when established, the firewall establishes two phases between the participating
gateways (HO and BO). Phase 1 and Phase 2. Phase 1 is for the key installation and
Phase 2 is for the data exchange. Phase 1 is handled by Internet Key Exchange (IKE)
protocol and Phase 2 is handled by IPSec. Here something known as SA negotiation
takes place. What is SA? SA stands for Security Association. Once an SA is

7. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
established, it means what keys to use, what algorithm to use for data encryption and
also for data integrity, all such details will be agreed upon by the two participating
gateways. That is what is known as Security Association (SA). What is the basis in
which the firewalls (bo and ho) authenticate each other? How it is identifying whether
really the peer firewall is contacting or someone is impersonating? Well. It can be
ascertained in two ways. VPN can be established by using either a ‘shared secret key’ or
a ‘certificate’. The shared secret key is, that you set a secret word (like password) in one
of the participating gateways and the same secret word should be set in the other
participating gateway as well while the VPN is being configured. This single secret
word is shared between the participating gateways to identify the peer firewall. What is
happening behind the scene? Let us see.
Phase 1 exchange the public keys and it use the Diffie-Hellman key calculation to
generate the shared secret key. This is accomplished by hashing and encrypting the
firewall’s identity with the shared secret key and exchanged between the firewalls.
From there onwards, they identify each other. That is how each firewall identifies its
peer. Phase 1 negotiation for key exchange is asymmetric and takes much
computational power whereas Phase 2 negotiation is symmetric and hence it takes less
computational power and the re-negotiation interval between phase 1 and phase 2 is
also varies accordingly.
The other method is based on “Certificate”. You can create a certificate (The firewall
acts as a Certifying Authority - CA) and the certificates can be exchanged between the
participating Gateways. From the certificate, each firewall can identify its peer.
Phase 2, uses the IKE SA negotiated in Phase 1, to negotiate an IPSec SA for
encrypting the data traffic. In other words, the data transmission between the firewalls
is encrypted and sent by IPSec protocol. Phase 1 lays the road and phase 2 runs the car
on the road.

8. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
At the outset, the phase 2 negotiates the IPSec protocol combination that will be used.
What is a protocol combination? What are the combinations? IPSec protocol? Yes.
IPSec is a protocol stack like TCP/IP. We discuss two important headers of IPSec here
briefly, the AH and ESP. AH stands for Authentication Header and ESP stands for
Encapsulating Security Payload. (I understand that I am going a bit deep into the
subject but unless you know something about these two headers, the VPN tunneling
concepts will not be clear to you. Read on….) These can be used as a combination i.e.
AH+ESP or AH alone or ESP alone. AH provides authentication and message
integrity. Not Confidentiality. When confidentiality is not there, it means that, if
someone catches the data while in transit, he will be able to read the data! However if
the data is tampered while reaching the destination, it can be found as AH provides data
integrity. For this purpose AH uses a message digest (Read my cryptography notes to
understand message digest). If you feel that, if someone sees the data in between, it is
ok with you, then you can use AH as an authentication header of the IPSec protocol. In
other words, AH does not encrypt the data hence it cannot provide confidentiality.
ESP, Encapsulating Security Payload provides, Authentication, Data integrity as well
as Confidentiality. The latest version of some firewalls does not support AH at all. They
support ESP. What is happening behind the scene?
There are two modes of transport to understand here 1) Transport mode and 2) Tunnel
mode. Imagine an IP packet. It has data as well as headers. If the data alone is encrypted
without the header part, it is known as Transport mode encryption. If the entire IP
packet is encrypted including the header (put it into another cover as discussed above) it
is known as Tunnel mode. That’s what we discussed above. Now the problem is since
the IP header itself is inside the tunnel, how a tunnel mode encrypted packet getting
routed. It is simple, that the ESP adds its own IP header onto the tunneled packet.

9. Notes on Firewall – asokanak@hotmail.com (Skype: asokanchennai)
Look at the figure above. Imagine that a packet is going from head office to branch
office. At the ho, when a packet goes out, the source IP will be 10.0.0.10. Its target IP
is 172.16.0.10. When it reach the ho Firewall, since VPN is configured on the firewall
for secured communication between ho and bo, the ESP takes the packets (with source
IP 10.0.0.10 and destination IP 172.16.0.10) and put it into a cover. This is known as
Tunneling. The ESP also creates another IP header, with source IP, the outbound
interface of the ho firewall (20.0.0.1) and destination IP, the outbound interface of the
bo firewall (30.0.0.1). Now the secured tunnel communication will be between ho
firewall and bo firewall (between 20.0.0.1 and 30.0.0.1). When the data reached the
destination i.e. at 30.0.0.1 (the bo firewall), it decrypts the encrypted tunnel and pass the
data to the system 172.16.0.10 located in the branch office local network. Please note
that the data in the head office till the ho firewall and the same data from the branch
office firewall to the bo LAN is NOT encrypted. Another important thing to remember
is that when you set up VPN, there is NO need to provide NAT as there is no Address
Translation taking place either at the ho firewall or at the bo firewall. This is how VPN
works. (Lot of configuration details have been omitted as it is beyond the scope of this
simple note.)
Hope this note was useful to you. I would appreciate if you could just mail me
asokanak@hotmail.com your opinion as to how well you were able to understand the topics,
the way it is explained and whether any changes in the narration have to be incorporated and
your valuable suggestions. It will enable me to write future notes incorporating all your
suggestion. – with love. Asokan (skype discussion: asokanchennai).
___________________________________