Firewall Architecture & Types

FIREWALL ARCHITECURE Netgear FVS318:Netgear's entry-level

& TYPES firewall is aimed at the professional
home user or small business and is a
feature-packed, yet user-friendly,
Abstract device. A simple Web interface allows
easy configuration of security policies
A firewall is a device (usually a router
and the included comprehensive help
or a computer) installed between the
files enable quick deployment. The
internal network of an organization and
FVS318 has URL filtering and
the rest of the Internet. It is designed to
keyword blocking and can detect
forward some packets and filter (not
harmful ActiveX and Java modules.
forward) others. Firewalls can be
The wall-mounted case comes with a
deployed as either network firewalls or
lockable security device to deal with
on application layers or can be a hybrid
real, as well as virtual, security threats.
one.Various architectures of firewall
are possible like Dual-Homed Host
Architecture, Screened Host 1.2) Software Based Firewalls
Architecture, Screened Subnet
Architecture and various variations in A firewall that runs on generic
architecture are possible like multiple operating systems such as Windows
external router, combination of and Linux is known as software
internal router and bastion host etc to firewall. Examples of software firewall
improve the performance and security are: Microsoft ISA Server (uses
of the firewall. Windows 2000/2003), CheckPoint
FW-1 and many personal firewalls
such as Zone Alarm. FW-1 runs on
1.1) Hardware based firewalls Windows NT/2000, Solaris, Linux, and
AIX, as well as proprietary appliance
Firewalls that run in a proprietary
operating systems. Software-based
hardware and software environment
firewalls provide a level of protection
are known as hardware based firewalls.
intended to keep cyber-criminal and
Examples of hardware firewalls
BotNets from gaining unauthorized
Hardware firewalls take the form of a
access to individual computers. In
physical device that sits between the
addition, software-based firewalls
computer and the internet. Unlike
block malicious code from contacting
software firewalls, hardware firewalls
out to the mother server. Although it is
require quite a bit of work to fully
common for the average computer user
configure. Firewalls such as these may
to download free firewalls, it is a best
range from a simple router to a proxy
practice to find an enterprise-grade
server that directs all traffic to a server
firewall that allows custom filtering
elsewhere on the internet before
rules that are best suited for the
sending or taking data from a computer
individual user's specific needs.
or a network. not created equal, and an
Software Firewalls.Software firewalls
inexpensive hardware-based or free
are firewalls that are installed directly
software-based firewall can give the
into the computer as programs. Once
computer owner a false sense of
installed, these firewalls activate
security and allow unauthorized traffic
themselves and set up with relative
to go undetected. Since the firewall is
ease.The free AVG Anti-Rootkit is
the first line of defense against cyber-
designed to protect you. It finds and
kills rootkits. Tiny Personal Firewall
helps you selectively receive data.

Roll No-C07348 1

2)FIREWALL
ARCHITECTURES
Various architectures of firewalls are
described in detail below.Also various
variations are shown to improve
performance and security of firewall.
2.1) DUAL-HOMED HOST
ARCHITECTURE
It is built around the dual-homed host
computer, a computer which has at
least two network interfaces. Such a
host could act as a router between the
networks. These interfaces are attached
to; it is capable of routing IP packets
from one network to another.
However, to implement a dual-homed
host type of firewalls architecture, you
disable this routing function. Thus, IP
packets from one network (e.g., the
Internet) are not directly routed to the
other network (e.g., the internal,
protected network). Systems inside the
firewall can communicate with the
dual-homed host, and systems outside
the firewall (on the Internet) can
communicate with the dual-homed
host, but these systems can't
communicate directly with each other.
IP traffic between them is completely
blocked. In the architecture, the dual
homed host sits between, and is
connected to, the Internet and the
internal network.
Dual-homed hosts can provide a very
high level of control. If you aren't
allowing packets to go between
external and internal networks at all,
you can be sure that any packet on the
internal network that has an external
source is evidence of some kind of
security problem. In some cases, a
dual-homed host will allow you to
reject connections that claim to be for a
particular service but that don't
actually contain the right kind of data.
Roll No-C07348
Firewall Architecture & Types
A dual-homed host can only provide
services by proxying them, or by
having users log into the dual-homed
host directly. Furthermore, most users
find it inconvenient to use a dual-
homed host by logging into it.
Fig: Dual Homed Host Architecture
2.2) SCREENED HOST
ARCHITECTURE
It provides services from a host that's
attached to only the internal network,
using a separate router. In this, the
primary security is provided by packet
filtering. (e.g. packet filtering is what
prevents people from going around
proxy servers to make direct
connections.) The bastion host sits on
the internal network. The packet
filtering on the screening router is set
up in such a way that the bastion host
is the only system on the internal
network that hosts on the Internet can
open connections to (e.g. to deliver
incoming email). Even then, only
certain types of connections are
allowed. Any external system trying to
access internal systems or services will
have to connect to this host. The
bastion host thus needs to maintain a
high level of host security. The packet
filtering configuration in the screening
router may do one of the following:
2

Allow other internal hosts to open
connections to hosts on the Internet for
certain services (allowing those
services via packet filtering).Disallow
all connections from internal hosts
(forcing those hosts to use proxy
services via the bastion host).
Because this architecture allows
packets to move from the Internet to
the internal networks, it may seem
more risky but in practice, however, it
is also prone to failures that let packets
actually cross from the external
network to the internal network.
Furthermore, it's easier to defend a
router, which provides a very limited
set of services, than it is to defend a
host. It provides both better security
and better usability than the former.
The disadvantage is that if an attacker
manages to break in to the bastion
host, there is nothing left in the way of
network security between the bastion
host and the rest of the internal hosts.
The router also presents a single point
of failure; if the router is compromised,
the entire network is available to an
attacker. Thus, it has become
increasingly popular.
Fig. Screened Host Architecture
Roll No-C07348
Firewall Architecture & Types
2.3) SCREENED SUBNET
ARCHITECTURE
It adds an extra layer of security to the
screened host architecture by adding a
perimeter network that further isolates
the internal network from the Internet.
By their nature, bastion hosts are the
most vulnerable machines on your
network. Despite your best efforts to
protect them, they are the machines
most likely to be attacked, because
they're the machines that can be
attacked. By isolating the bastion host
on a perimeter network, you can
reduce the impact of a break-in on the
bastion host, thus it gives an intruder
some access, but not all.With the
simplest type of screened subnet
architecture, there are two screening
routers, each connected to the
perimeter net. One sits between the
perimeter net and the internal network,
and the other sits between the
perimeter net and the external network
(usually the Internet). To break into the
internal network with this type of
architecture, an attacker would have to
get past both routers. Even if the
attacker somehow broke in to the
bastion host, he'd still have to get past
the interior router. There is no single
vulnerable point that will compromise
the internal network.
Fig. Screened Subnet Architecture
3

Perimeter Network:
If an attacker successfully breaks into
the outer reaches of your firewall, then
the perimeter net (network between the
external network and your protected
internal network) offers an additional
layer of protection between that
attacker and your internal systems.
Thus, if someone breaks into a bastion
host on the perimeter net, he'll be able
to snoop only on traffic on that net. All
the traffic on the perimeter net should
be either to or from the bastion host, or
to or from the Internet. Because no
strictly internal traffic (which is
presumably sensitive or proprietary)
passes over the perimeter net, internal
traffic will be safe from prying eyes if
the bastion host is compromised.
Bastion Host
With the screened subnet architecture,
you attach a bastion host (or hosts) to
the perimeter net; this host is the main
point of contact for incoming
connections from the outside world;
for example:
Interior Router
Interior (or choke router) protects the
internal network both from the Internet
and from the perimeter net. The
interior router does most of the packet
filtering for your firewall. It allows
selected services outbound from the
internal net to the Internet. These
services are the services your site can
safely support and safely provide using
packet filtering rather than proxies.
Exterior Router
Exterior (or access router) protects
both the perimeter net and the internal
net from the Internet. The only packet
filtering rules that are really special on
Roll No-C07348
Firewall Architecture & Types
the exterior router are those that
protect the machines on the perimeter
net (that is, the bastion hosts and the
internal router). One of the security
tasks that the exterior router can
usefully perform - a task that usually
can't easily be done anywhere else - is
the blocking of any incoming packets
from the Internet that have forged
source addresses. Such packets claim
to have come from within the internal
network, but actually are coming in
from the Internet.
2.4) Further variations that
can be made in this model are:
2.4.1) Use Multiple Bastion
Hosts
You might decide to have one bastion
host handle the services that are
important to your own users (such as
SMTP servers, proxy servers, and so
on), while another host handles the
services that you provide to the
Internet, but which your users don't
care about (for example, an
anonymous FTP server). In this
way,performance for your own users
won't be dragged down by the
activities of outside users.You may
have performance reasons to create
multiple bastion hosts even if you don't
provide services to the Internet.
2.4.2) Merge the Interior
Router and the Exterior
Router
You can merge the interior and
exterior routers into a single router, but
only if you have a router sufficiently
capable and flexible. In general, you
need a router that allows you to specify
both inbound and outbound filters on
each interface. In , we discuss what
this means, and we describe the packet
filtering problems that may arise with
4

routers that have more than two
interfaces and don't have this
capability.If you merge the interior and
exterior routers, as we how in you'll
still have a perimeter net .
2.4.3) Merge the Bastion Host
and the Exterior Router
There might be cases in which you use
a single dual-homed machine as both
your bastion host and your exterior
router.Unlike merging the interior and
exterior routers, merging the bastion
host with the exterior router, does not
open significant new vulnerabilities. It
does expose the bastion host further. In
this architecture, the bastion host is
more exposed to the Internet, protected
only by whatever filtering (if any) its
own interface package does, and you
will need to take extra care to protect
it.
3.1) FIREWALL TYPES
Security expert Michael Gregg says the
National Institute of Standards and
Technology 800-10 divides firewalls in
to five basic types: Packet filters
,Stateful Inspection ,Proxys ,Dynamic
and Kernel.These divisions, however,
are not quite well defined as most
modern firewalls have a mix of
abilities that place them in more than
one of the categories shown above.
3.1) NETWORK LAYER
FIREWALLS
Network layer firewalls generally
make their decisions based on the
source address, destination address and
ports in individual IP packets. A
simple router is the traditional network
layer firewall, since it is not able to
make particularly complicated
decisions about what a packet is
actually talking to or where it actually
Roll No-C07348
Firewall Architecture & Types
came from. Modern network layer
firewalls have become increasingly
more sophisticated, and now maintain
internal information about the state of
connections passing through them at
any time.
Network layer firewall is a type of
firewall that works as a packet filter by
deciding what packets will pass the
firewall according to rules defined by
the administrator. Filtering rules can
act on the basis of source and
destination address and on ports, in
addition to whatever higher-level
network protocols the packet contains.
Network layer firewalls tend to operate
very fast, and transparently to users.
Network layer firewalls generally fall
into two sub-categories, stateful and
non-stateful. Stateful firewalls hold
some information on the state of
connections as part of their rules.
Stateless firewalls have packet-filtering
capabilities but cannot make more
complex decisions on what stage
communications between hosts have
reached. Stateless firewalls therefore
offer less security.
3.2) APPLICATION LAYER
FIREWALLS
Application layer firewalls defined, are
hosts running proxy servers, which
permit no traffic directly between
networks, and they perform elaborate
logging and examination of traffic
passing through them. Since proxy
applications are simply software
running on the firewall, it is a good
place to do lots of logging and access
control. Application layer firewalls can
be used as network address translators,
since traffic goes in one side and out
the other.Application layer firewall is a
firewall operating at the application
layer of the networking
communication. Generally, it is a host
using various forms of proxy servers to
5

proxy traffic instead of routing it. As it
works on the application layer, it may
inspect the contents of the traffic,
blocking what the firewall
administrator views as inappropriate
content, such as certain websites,
viruses, attempts to exploit known
logical flaws in client software, and so
forth.
A network-based application layer
firewall is a computer networking
firewall operating at the application
layer of a protocol stack[1], and are also
known as a proxy-based or reverse-
proxy firewall. Application firewalls
specific to a particular kind of network
traffic may be titled with the service
name, such as a web application
firewall. They may be implemented
through software running on a host or a
stand-alone piece of network hardware.
Often, it is a host using various forms
of proxy servers to proxy traffic before
passing it on to the client or server.
Host-based application firewall can
monitor any application input, output,
and/or system service calls made from,
to, or by an application. This is done
by examining information passed
through system calls instead of or in
addition to a network stack. A host-
based application firewall can only
provide protection to the applications
running on the same host.An example
of a host-based application firewall
which controls system service calls by
an application is the Mac OS X
application firewall.Host-based
application firewalls may also provide
network-based application firewalling.
3.3) STATEFUL FIREWALL
A stateful firewall is able to hold
significant attributes of each
connection in memory, from start to
finish. These attributes, which are
collectively known as the state of the
connection, may include such details
Roll No-C07348
Firewall Architecture & Types
as the IP addresses and ports involved
in the connection and the sequence
numbers of the packets traversing the
connection. The most CPU intensive
checking is performed at the time of
setup of the connection. All packets
after that (for that session) are
processed rapidly because it is simple
and fast to determine whether it
belongs to an existing, pre-screened
session. Once the session has ended, its
entry in the state-table is discarded.
In order to prevent the state table from
filling up, sessions will time out if no
traffic has passed for a certain period.
These stale connections are removed
from the state table. Many applications
therefore send keepalive messages
periodically in order to stop a firewall
from dropping the connection during
periods of no user-activity, though
some firewalls can be instructed to
send these messages for applications. It
is worth noting that the most common
Denial of Service attack on the internet
these days is the SYN flood, where a
malicious user intentionally sends
large amounts of SYN packets to the
server in order to overflow its state
table, thus blocking the server from
accepting other connections.Many
stateful firewalls are able to track the
state of flows in connectionless
protocols, like UDP. Such sessions
usually get the ESTABLISHED state
immediately after the first packet is
seen by the firewall. Sessions in
connectionless protocols can only end
by time-out.
6