The document discusses firewalls as crucial network security systems that monitor traffic and have evolved to include various control techniques such as service, direction, user, and behavior control. It highlights the weaknesses of firewalls, including their inability to prevent internal attacks and the limitations in recognizing new threats without predefined rules. Additionally, it covers different types of firewalls like packet filtering, circuit level gateways, application level gateways, and stateful inspection, along with concepts like bastion hosts used to enhance security.

1. FIREWALLS
BY PUNEET BAWA
M.E. (CHITKARA UNIVERSITY, PUNJAB)

2. What is Firewall?
A firewall is a network security system that is
designed to monitor outgoing and incoming
network traffic. It can be either hardware based or
software based.

3. Design Goals of Firewall
The primary goals of a firewall are:
*Any traffic going outside the system and moving into the system must pass through the firewall.
*Only local security policy authorized traffic will be able to get into and out of the firewall.
*Internal threats are often at bay as the firewall provides alert of a possible malware threat.

4. Techniques in Firewall
Firewall provides an additional layer of defense, insulating the internal systems from external
networks. Originally, firewalls focused primarily on service control, but they have since evolved to
provide all four:
1) SERVICE CONTROL
2) DIRECTION CONTROL
3) USER CONTROL
4) BEHAVIOR CONTROL

5. Service Control
This Control determines the types of internet services that can be accessed, inbound or outbound.
Firewall may filter traffic on the basis of IP address, protocol or TCP port number
It may provide proxy software that receives and interprets each service request before passing it on. It
may host the server software itself such as a web or mail service.
For Example:
Incoming HTTP Requests – Rejected unless they are directed to an official web server host

6. Direction Control
This Control regulates the direction in which particular service request may be initiated and allowed to
flow through firewall

7. User Control
A User control manages or authorizes admission to a service according to which entity is trying to
access that specified service .This feature is applied to users inside the firewall perimeter (Internal
Users). It may also be applied to incoming traffic from external users. But it requires some form of
secure authentication technology.

8. Behavior Control
Controls how particular services are used.
For example, the firewall may filter email to eliminate spam or it may enable external access to
only a portion of the information on a Local web server.
Filtering of email spam attacks – may require examination of Sender’s email address in
message headers and message contents.

9. Firewall
Weakness

10. Weakness and Importance
It can't fend off internal attacks
As mentioned above, a firewall is created to protect a system from any harmful threats from another
network. It acts as a sort of barrier. However, it can't fend off attacks that are launched from within the
system that it is supposed to protect. This is quite a common issue.
Limited prevention
Firewalls are created to prevent intrusions from traffic that only passes through them. This means that
it only allows data to pass as long as it adheres to the applied set of rules. If a new virus, that has
been undiscovered as yet is not mentioned in the set of rules, the firewall won't even scan it and allow
it through.

11. Weakness and Importance(Contd.)
It makes communication insecure
If a company allows communication from an outside network, such as the internet, the firewall has no
ability to be able to scan and prevent viruses. For instance, if a company has allowed access to
receive emails from the outside world, the firewall will easily allow the emails to filter through. Anybody
could disguise a virus or a Trojan within the email attachments, and gain access to the network inside,
or even destroy the firewall.
These are some of the most blatant weaknesses of firewalls that affect day to day usage of the
network.

12. Packet Filtering
Firewall

13. Introduction
Packet filtering is a firewall technique used to control network access by monitoring outgoing and
incoming packets and allowing them to pass or halt based on the source and destination Internet
Protocol (IP) addresses, protocols and ports.
Network layer firewalls define packet filtering rule sets, which provide highly efficient security
mechanisms.
Packet filtering is also known as static filtering.

14. Information Used
Source IP address: The IP address of the system that originated the IP packet.
Destination IP address:The IP address of the system the IP packet is trying to reach.
Source and destination transport-level address: The transport level (e.g., TCP or UDP) port
number, which defines applications such as SNMP or TELNET.
IP protocol field: Defines the transport protocol.
Interface: For a router with three or more ports, which interface of the router the packet came from or
which interface of the router the packet is destined for.

15. Attacks
IP address spoofing:
IP address spoofing is the act of falsifying the content in the Source IP header, usually with
randomized numbers, either to mask the sender’s identity or to launch a reflected DDoS attack,IP
address spoofing is used for two reasons in DDoS attacks: to mask botnet device locations and to
stage a reflected assault.
Source routing attacks:
This means that someone can force their traffic to take a specific path through your network, possisbly
bypassing various security stuff. There are very few "legitimate" uses for source routing, the main one
being ensuring that people at exchange points are sticking to their agreements

16. Attacks and CounterMeasures(Contd)
Tiny fragment attacks:
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP
header information into a separate packet fragment. This attack is designed to circumvent filtering
rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on
the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the
basis that they are part of the packet whose first fragment was rejected. The attacker hopes that the
filtering router examines only the first fragment and that the remaining fragments are passed through.
A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must
contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter
can remember the packet and discard all subsequent fragments.

17. CIRCUIT LEVEL
GATEWAY
FIREWALLS

18. Circuit Level Gateway
The circuit level gateway firewalls work at the session layer of the OSI model. They monitor TCP
handshaking between the packets to determine if a requested session is legitimate. And the
information passed through a circuit level gateway, to the internet, appears to have come from the
circuit level gateway. So, there is no way for a remote computer or a host to determine the internal
private ip addresses of an organization, for example. This technique is also called Network Address
Translation where the private IP addresses originating from the different clients inside the network are
all mapped to the public IP address available through the internet service provider and then sent to the
outside world (Internet). This way, the packets are tagged with only the Public IP address (Firewall
level) and the internal private IP addresses are not exposed to potential intruders.

19. APPLICATION
LEVEL GATEWAY
FIREWALLS

20. Application Level Gateway
Application level firewalls decide whether to drop a packet or send them through based on the
application information (available in the packet). They do this by setting up various proxies on a single
firewall for different applications. Both the client and the server connect to these proxies instead of
connecting directly to each other. So, any suspicious data or connections are dropped by these
proxies. And since they are application aware, they can handle more complex protocols like H.323,
SIP, SQL Net etc.
Application level firewalls ensure protocol conformance. For example, attacks over http that violates
the protocol policies like sending Non-ASCII data in the header fields or overly long string along with
Non-ASCII characters in the host field would be dropped because they have been tampered with, by
the intruders.

21. Application Level Gateway(Cont)
Application level firewalls can look in to individual sessions and decide to drop a packet based on
information in the application protocol headers or in the application payload.
For example, SMTP application proxies can be configured to allow only certain commands like
helo, mail from:, rcpt to: etc. to pass through the firewall and block other commands like expn,
vrfy etc. which tries to expand a list or verify if that account exists, and are used by attackers
and spammers for their vested self interests.

22. STATEFUL
INSPECTION
FIREWALLS

23. Introduction
Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the
state of active connections and uses this information to determine which network packets to allow
through the firewall.
Stateful inspection has largely replaced an older technology, static packet filtering.

24. Static vs Dynamic
In static packet filtering, only the headers of packets are checked -- which means that an attacker
can sometimes get information through the firewall simply by indicating "reply" in the header.
Stateful inspection, on the other hand, analyzes packets down to the application layer. By recording
session information such as IP addresses and port numbers, a dynamic packet filter can implement a
much tighter security posture than a static packet filter can.

25. Advantage
In a firewall that uses stateful inspection, the network administrator can set the parameters to meet
specific needs. In a typical network, ports are closed unless an incoming packet requests connection
to a specific port and then only that port is opened.
This practice prevents port scanning, a well-known hacking technique.

26. Example

27. BASTION HOST

28. Introduction
A bastion host is a specialized computer that is deliberately exposed on a public network. From a
secured network perspective, it is the only node exposed to the outside world and is therefore very
prone to attack. It is placed outside the firewall in single firewall systems or, if a system has two
firewalls, it is often placed between the two firewalls or on the public side of a demilitarized zone
(DMZ).
The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering
the network, acting much like a gateway. The most common examples of bastion hosts are mail,
domain name system, Web and File Transfer Protocol (FTP) servers. Firewalls and routers can also
become bastion hosts.

29. Explanation
The bastion host node is usually a very powerful server with improved security measures and custom
software. It often hosts only a single application because it needs to be very good at what it does. The
software is usually customized, proprietary and not available to the public. This host is designed to be
the strong point in the network to protect the system behind it. Therefore, it often undergoes regular
maintenance and audit. Sometimes bastion hosts are used to draw attacks so that the source of the
attacks may be traced.
To maintain the security of bastion hosts, all unnecessary software, daemons and users are removed.
The operating system is continually updated with the latest security updates and an intrusion detection
system is installed.

30. THANK YOU