Robert Györödi*, Cornelia Györödi*, George Pecherle**, Radu Lucaciu***
* Associate professor PhD. Eng., ** PhD student, *** Student
Department of Computer Science, Faculty of Electrotehnics and Informatics, University of Oradea, Str. Universitatii 1, 410087, Oradea, Romania
Phone: +40 (0) 259 408-226, E-Mail: cgyorodi@uoradea.ro, rgyorodi@rdsor.ro, gpecherle@uoradea.ro
Abstract. As networks increase in size and complexity, security products are growing in sophistication and security threats are becoming more ingenious. The usage of security solutions has become inevitable for all modern organisations. There is no perfect security, but the idea is to make a network so hard to access that it isn't worth trying. One of the crucial components that contribute to this security are firewalls. It is important to block undesired data before it ever gets into the target system. This is the job of firewalls, and the article covers this topic.

There are quite a few ways to defend an internal network, like using a bastion host, setting up a perimeter network or using a firewall. However, none of these methods is a complete solution for security, each suffering from different flaws. The best bet against a security breach is using a combination of these techniques. It must be said that a 100% breach-resistant system is impossible to build. The goal is to make breaching the system hard enough that the effort isn't worth it.
one, but instead they are both communicating with the proxy server.

There are two forms of packet filtering. The first one, the simplest, is filtering by address. This kind of filtering permits control over the flow of packets based on the source and/or destination address. Filtering by address is vulnerable to forgery attacks where the attacker's machine assumes the identity of a trusted machine. The second way of filtering is filtering by service. Filtering by service takes into account not only the source/destination addresses but the source and destination ports too.

Packet filtering allows control over the packet stream based on their source address, destination address and application protocols used to send the data.

Packet filtering has the following advantages:
• It is available in both hardware and software implementations
• It is built in in many routers
• It offers great leverage over an entire network. One filter placed in a strategic choke-point can protect an entire network
• It is transparent to the end-user

However, packet filtering isn't flawless. Following are a few disadvantages:
• Packets cannot be filtered based on the data they contain
• It cannot be used to fully back-trace an attack. The logs can tell you the address where an attack came from but not the user.
• There are protocols that are not suited for packet filtering, such as some Remote Control Protocols, because they use random ports to connect to a host.

The primary goal of the programmer when designing this application was to create a modular, efficient program that occupies a minimum of resources when running. The vast majority of firewalls available on the market today have a negative impact on the resources of the system where they run. The firewall that we developed is minimal and it offers only filtering based on the IP address, port and protocol, and not based on the service.

However, no filtering method is perfect. If we suppose that a certain port will always be used by a certain service, all connections from that port will be accepted. However, to an attacker with admin rights on the system, it would be quite easy to use a program that runs on that port.

To build the application layout and the user interface, we have used the features of the Microsoft Foundation Class (MFC) [11][12][13]. Based on this, the rest of the application has been developed. The graphical user interface is below:
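As an added illustration (not code from the paper or its MFC application), the following C++ sketch evaluates rules on source/destination address, port and protocol with first-match semantics, the three fields the described firewall filters on; the Rule and Packet layouts, the ip() helper and the default-deny fallback are assumptions for this example. It shows both forms the text describes: the address-only rule trusts every service from the 10.0.0.0/8 range (the forgery weakness), while the service rule admits only TCP port 80 to one host.

```cpp
#include <cstdint>
#include <vector>

enum class Proto : uint8_t { Any = 0, TCP = 6, UDP = 17 };
enum class Action { Allow, Deny };

// Header fields the filter inspects (assumed layout, host byte order).
struct Packet { uint32_t src, dst; uint16_t sport, dport; Proto proto; };

// A port of 0 or Proto::Any is a wildcard; the mask selects the address bits compared.
struct Rule {
    uint32_t src, srcMask, dst, dstMask;
    uint16_t sport, dport;
    Proto proto;
    Action action;
};

// Builds a host-order IPv4 address from dotted octets (helper for this example).
constexpr uint32_t ip(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return (uint32_t(a) << 24) | (uint32_t(b) << 16) | (uint32_t(c) << 8) | d;
}

static bool matches(const Rule& r, const Packet& p) {
    return (p.src & r.srcMask) == (r.src & r.srcMask)
        && (p.dst & r.dstMask) == (r.dst & r.dstMask)
        && (r.sport == 0 || r.sport == p.sport)
        && (r.dport == 0 || r.dport == p.dport)
        && (r.proto == Proto::Any || r.proto == p.proto);
}

// First matching rule wins. A packet matching no rule is denied: default deny is
// an assumption here, the safer fallback for a passive, rule-driven filter.
Action filter(const std::vector<Rule>& rules, const Packet& p) {
    for (const Rule& r : rules)
        if (matches(r, p)) return r.action;
    return Action::Deny;
}

// Constructed rule set: rule 1 filters by address only (any port, any protocol
// from 10.0.0.0/8), so a forged 10.x source reaches every service; rule 2
// filters by service (TCP port 80 to 192.168.1.10 only).
std::vector<Rule> exampleRules() {
    return {
        { ip(10, 0, 0, 0), 0xFF000000u, 0, 0, 0, 0, Proto::Any, Action::Allow },
        { 0, 0, ip(192, 168, 1, 10), 0xFFFFFFFFu, 0, 80, Proto::TCP, Action::Allow },
    };
}
```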
The Rules button from the interface will display a dialog box to view the security rules. Right-clicking any rule will allow the user to manage them. Adding a new rule is done through a dialog box. The two windows are presented in figure 5 below:
Some of the main classes from the project are: CAboutDlg (implements the About dialog box of the application); CFirewallApp (the base class of the application; at run-time, an object of this class is created and then takes control); CMainFrame (this class processes the messages received from the operating system and is responsible for the creation and management of the view and document classes).

OnAppExit() takes care of the normal program exit. Also, because MFC doesn't implement functions that handle the system tray icons, we had to create such a function: TrayMessage() creates and registers, or removes, the icon.

4. Conclusion

Packet filtering by itself is not flawless, but when combined with other protection techniques it can be very efficient. A good compromise must be found between the security level and the amount of effort needed to set up and maintain a firewall or security policy.

The application was designed to provide passive protection, meaning it will not scan the ports for services trying to connect to the Internet and will only block or allow packets based on the rules specifically set up by the user. It should not be considered a perfect protection tool and should not be used as the only protection device.