OF CSE-356 (DATA COMMUNICATION & NETWORKING)
DOS: 21-11-2010
SUBMITTED TO:- MR. RAVI SHANKAR
SUBMITTED BY:-
What is a Firewall:-
A firewall is a part of a computer system or network that is designed to block
unauthorized access while permitting authorized communications. It is a device
or set of devices that is configured to permit or deny network transmissions
based upon a set of rules and other criteria.
1. Packet filter: Packet filtering inspects each packet passing through the
network and accepts or rejects it based on user-defined rules. Although
difficult to configure, it is fairly effective and mostly transparent to its
users. It is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific
applications, such as FTP and Telnet servers. This is very effective, but
can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets
can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network.
The proxy server effectively hides the true network addresses.
HISTORY:-
TYPES:-
There are several classifications of firewalls depending on where the
communication is taking place, where the communication is intercepted and the
state that is being tracked.
Network layer firewalls, also called packet filters, operate at a relatively low
level of the TCP/IP protocol stack, not allowing packets to pass through the
firewall unless they match the established rule set. The firewall administrator
may define the rules; or default rules may apply. The term "packet filter"
originated in the context of BSD operating systems.
Network layer firewalls generally fall into two sub-categories, stateful and
stateless. Stateful firewalls maintain context about active sessions, and use that
"state information" to speed packet processing. Any existing network
connection can be described by several properties, including source and
destination IP address, UDP or TCP ports, and the current stage of the
connection's lifetime (including session initiation, handshaking, data transfer, or
connection completion). If a packet does not match an existing connection, it
will be evaluated according to the ruleset for new connections. If a packet
matches an existing connection based on comparison with the firewall's state
table, it will be allowed to pass without further processing.
Stateless firewalls require less memory, and can be faster for simple filters that
require less time to filter than to look up a session. They may also be necessary
for filtering stateless network protocols that have no concept of a session.
However, they cannot make more complex decisions based on what stage
communications between hosts have reached.
Modern firewalls can filter traffic based on many packet attributes, such as source
IP address, source port, destination IP address or port, and destination service
such as WWW or FTP. They can also filter on protocol, TTL value, the netblock of
the originating source, and many other attributes.
Commonly used packet filters on various versions of Unix are ipf (various),
ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs),
iptables/ipchains (Linux).
Application-layer
By inspecting all packets for improper content, firewalls can restrict or prevent
outright the spread of networked computer worms and trojans. The additional
inspection criteria can add extra latency to the forwarding of packets to their
destination.
Proxies
Proxies make tampering with an internal system from the external network
more difficult and misuse of one internal system would not necessarily cause a
security breach exploitable from outside the firewall (as long as the application
proxy remains intact and properly configured). Conversely, intruders may
hijack a publicly-reachable system and use it as a proxy for their own purposes;
the proxy then masquerades as that system to other internal machines. While
use of internal address spaces enhances security, crackers may still employ
methods such as IP spoofing to attempt to pass packets to a target network.
Firewalls often have network address translation (NAT) functionality, and the
hosts protected behind a firewall commonly have addresses in the "private
address range", as defined in RFC 1918. Firewalls often have such functionality
to hide the true address of protected hosts. Originally, the NAT function was
developed to address the limited number of IPv4 routable addresses that could
be used or assigned to companies or individuals as well as reduce both the
amount and therefore cost of obtaining enough public addresses for every
computer in an organization. Hiding the addresses of protected devices has
become an increasingly important defense against network reconnaissance.
If you have been using the Internet for any length of time, and especially if you
work at a larger company and browse the Web while you are at work, you have
probably heard the term firewall used. For example, you often hear people in
companies say things like, "I can't use that site because they won't let it through
the firewall." If you have a fast Internet connection into your home (either a
DSL connection or a cable modem), you may have found yourself hearing about
firewalls for your home network as well. It turns out that a small home network
has many of the same security issues that a large corporate network does. You
can use a firewall to protect your home network and family from offensive Web
sites and potential hackers. Basically, a firewall is a barrier to keep destructive
forces away from your property. In fact, that's why it's called a firewall. Its job is
similar to a physical firewall that keeps a fire from spreading from one area to
the next. As you read through this article, you will learn more about firewalls,
how they work and what kinds of threats they can protect you from.
Firewall Configuration
Firewalls are customizable. This means that you can add or
remove filters based on several conditions. Some of these are:
Some operating systems come with a firewall built in. Otherwise, a software
firewall can be installed on the computer in your home that has an Internet
connection. This computer is considered a gateway because it provides the only
point of access between your home network and the Internet.
With a hardware firewall, the firewall unit itself is normally the gateway. A
good example is the Linksys Cable/DSL router. It has a built-in Ethernet card
and hub. Computers in your home network connect to the router, which in turn
is connected to either a cable or DSL modem. You configure the router via a
Web-based interface that you reach through the browser on your computer. You
can then set any filters or additional information.
Hardware firewalls are incredibly secure and not very expensive. Home
versions that include a router, firewall and Ethernet hub for broadband
connections can be found for well under $100.
Installation of firewall
Firewalls used to be only for large corporate networks—but then again, Internet
connections used to be only for large networks, too. Now that high-speed,
always-on Internet connectivity is becoming more and more common, so too are
attacks against connected computers. Firewalls help protect you against such
attacks by screening out many types of malicious traffic. In addition, firewalls
can help keep your computer from participating in attacks on others without
your knowledge. The good news is that consumer-level firewalls provide good
security without requiring that you be a computer security expert.
The router is generally a separate device from the cable or DSL modem—it’s
important to understand that most cable and DSL modems offer your small
office network no protection whatsoever. If you didn’t choose to pay extra for
security features, you probably don’t have any. If you’re unsure about your
modem, ask your ISP what level of protection your modem provides.
If you decide to use a hardware firewall, select one that has enough network
ports to allow you to connect all computers and other network devices directly
to it. As shown in Figure 8, wiring a firewall into your network is as simple as
adding an answering machine to your phone line. Simply unplug the Ethernet
connection between your cable/DSL modem and your PC, and plug it into the
firewall. Then connect your computer and other network devices into your
firewall.
The following are some of the popular hardware firewall products available:
Linksys Routers, NETGEAR Routers, and SMC Routers.
Home and small office computers that are directly connected to the Internet
require the added security of a firewall. The least expensive way to do this is to
enable both ICF (Internet Connection Firewall) and ICS (Internet Connection
Sharing) on a system, and allow all networked computers to connect through that
system. You can enable ICS on only one Internet connection on your network, and
you should protect this connection by enabling ICF. ICF can check only the
communications that cross the Internet connection on which it's enabled. The
following types of network topologies are safe and the most recommended:
You should avoid topologies with multiple Internet connections. If you must
have multiple direct Internet connections on your network, you should ensure
that ICF is enabled on each direct Internet connection in order to protect your
network. However, because ICF works on a per-connection basis, this topology
is still not a recommended topology because there’s no central point of
administration through which you can ensure the continuous protection of all
Internet connections.
A DMZ is an important element for securing a site. You need to take additional
security measures to protect data the back-end servers store. You can also store
extremely sensitive data or data that’s needed elsewhere in your enterprise
outside the DMZ, although doing so has negative performance implications and
runs the risk, however small, of opening your corporate network to hacking.
At the very least, a DMZ requires a router. A more sophisticated design would
include two routers and a firewall. How complex your configuration needs to be
depends on factors such as:
• How much security you need
• What sort of connectivity your system maintains to other networks
(internal—corporate network; external—Internet)
• How many servers you need to protect
After the DMZ topology is in place, the most important step in securing the
environment is controlling its traffic. You need to determine who's allowed to
connect and who isn't, and then enforce those rules, usually with routers and
firewalls. Routers can provide packet filtering, which controls traffic flow between
two nodes, but this tends to decrease router performance, so you have to be careful
not to overuse it. Check your router utilization before and after enabling filtering.
You must give particular attention to each server in the DMZ to ensure they’re
capable of withstanding malicious attacks. You can harden the exposed servers
by using the Security Tools and Checklists for your servers’ operating systems.
You can also implement low-level filtering policies and close selective ports.
For example, you should configure a host-based firewall on systems in a DMZ.
A function that is often combined with a firewall is a proxy server. The proxy
server is used to access Web pages by the other computers. When another
computer requests a Web page, it is retrieved by the proxy server and then sent
to the requesting computer. The net effect of this action is that the remote
computer hosting the Web page never comes into direct contact with anything
on your home network, other than the proxy server.
Proxy servers can also make your Internet access work more efficiently. If you
access a page on a Web site, it is cached (stored) on the proxy server. This
means that the next time you go back to that page, it normally doesn't have to
load again from the Web site. Instead it loads instantaneously from the proxy
server.
There are times that you may want remote users to have access to items on your
network. Some examples are:
• Web site
• Online business
• FTP download and upload area
In cases like this, you may want to create a DMZ (Demilitarized Zone).
Although this sounds pretty serious, it really is just an area that is outside the
firewall. Think of DMZ as the front yard of your house. It belongs to you and
you may put some things there, but you would put anything valuable inside the
house where it can be properly secured.
Setting up a DMZ is very easy. If you have multiple computers, you can choose
to simply place one of the computers between the Internet connection and the
firewall. Most of the software firewalls available will allow you to designate a
directory on the gateway computer as a DMZ.
Once you have a firewall in place, you should test it. A great way to do this is to
go to and try their free Shields Up! security test. You will get immediate
feedback on just how secure your system is.
Let's say that you work at a company with 500 employees. The company will
therefore have hundreds of computers that all have network cards connecting
them together. In addition, the company will have one or more connections to
the Internet through something like T1 or T3 lines. Without a firewall in place,
all of those hundreds of computers are directly accessible to anyone on the
Internet. A person who knows what he or she is doing can probe those
computers, try to make FTP connections to them, try to make telnet connections
to them and so on. If one employee makes a mistake and leaves a security hole,
hackers can get to the machine and exploit the hole.
With a firewall in place, the landscape is much different. A company will place
a firewall at every connection to the Internet (for example, at every T1 line
coming into the company). The firewall can implement security rules. For
example, one of the security rules inside the company might be:
Out of the 500 computers inside this company, only one of them is
permitted to receive public FTP traffic. Allow FTP connections only to
that one computer and prevent them on all others.
A company can set up rules like this for FTP servers, Web servers, Telnet
servers and so on. In addition, the company can control how employees connect
to Web sites, whether files are allowed to leave the company over the network
and so on. A firewall gives a company tremendous control over how people use
the network.
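The stateful packet filter described earlier (state-table lookup first, the ruleset only for new connections) combined with the "public FTP to one computer only" policy just stated, as an added example that is not part of the original document. The inside network 10.0.0.x, the FTP host 10.0.0.21 and the packet sequence are constructed sample values.

```python
"""Stateful packet filter (added example, not code from the page).

The ruleset is consulted only for packets that do not match an existing
connection in the state table; replies on a known connection pass without
rule processing.  The FTP rules implement the page's policy: of all inside
hosts, only one may receive public FTP connections.  Addresses and the
inside/outside split are constructed sample values.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."       # constructed: packets from 10.0.0.x are "inside"
FTP_SERVER = "10.0.0.21"     # constructed: the single host allowed to receive FTP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False        # True for a TCP connection-opening segment

    def is_inbound(self) -> bool:
        return not self.src_ip.startswith(INSIDE_NET)


# Rules for *new* connections only: (name, predicate, verdict).  First match
# wins; the last rule is "block everything, then select what you allow".
NEW_CONNECTION_RULES = [
    ("outbound web", lambda p: not p.is_inbound() and p.dst_port in (80, 443), "allow"),
    ("public ftp to one host",
     lambda p: p.is_inbound() and p.dst_port == 21 and p.dst_ip == FTP_SERVER, "allow"),
    ("no other public ftp", lambda p: p.is_inbound() and p.dst_port == 21, "deny"),
    ("default deny", lambda p: True, "deny"),
]


class StatefulFirewall:
    def __init__(self):
        # State table keyed by the 5-tuple as seen from the connection's initiator.
        self.state = set()
        self.log = []   # (rule or "state"/"stray", packet, verdict)

    def _key(self, p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _reverse_key(self, p: Packet):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        # 1. Packet belongs to a known connection (either direction): pass, no rules.
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            self.log.append(("state", p, "allow"))
            return "allow"
        # 2. Only a connection-opening segment may create new state ...
        if p.proto == "tcp" and not p.syn:
            self.log.append(("stray", p, "deny"))   # stale or forged mid-stream segment
            return "deny"
        # 3. ... and it must be permitted by the new-connection ruleset.
        for name, match, verdict in NEW_CONNECTION_RULES:
            if match(p):
                if verdict == "allow":
                    self.state.add(self._key(p))
                self.log.append((name, p, verdict))
                return verdict
        return "deny"   # unreachable because of the default rule; kept for safety


def demo() -> list:
    """Run a constructed packet sequence and return the verdicts in order."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True),  # inside opens web
        Packet("198.51.100.7", 80, "10.0.0.5", 40000),            # reply: state hit
        Packet("203.0.113.9", 5555, FTP_SERVER, 21, syn=True),    # public FTP, allowed host
        Packet("203.0.113.9", 5556, "10.0.0.5", 21, syn=True),    # public FTP, other host
        Packet("203.0.113.9", 6000, "10.0.0.5", 40000),           # no SYN, no state
        Packet("203.0.113.9", 7000, "10.0.0.5", 23, syn=True),    # telnet: default deny
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```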
Firewalls use one or more of three methods to control traffic flowing in and out
of the network:
Some of the items in the list above are hard, if not impossible, to filter using a
firewall. While some firewalls offer virus protection, it is worth the investment
to install anti-virus software on each computer. And, even though it is annoying,
some spam is going to get through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of these threats can
be stopped by your firewall. The highest level of security would be to simply
block everything. Obviously that defeats the purpose of having an Internet
connection. But a common rule of thumb is to block everything, then begin to
select what types of traffic you will allow. You can also restrict traffic that
travels through the firewall so that only certain types of information, such as e-
mail, can get through. This is a good rule for businesses that have an
experienced network administrator that understands what the needs are and
knows exactly what traffic to allow through. For most of us, it is probably better
to work with the defaults provided by the firewall developer unless there is a
specific reason to change it.
One of the best things about a firewall from a security standpoint is that it stops
anyone on the outside from logging onto a computer in your private network.
While this is a big deal for businesses, most home networks will probably not
be threatened in this manner. Still, putting a firewall in place provides some
peace of mind.
The private user’s computer then forwards this packet to the NAT server, which
translates the addresses of the outgoing packet to the following:
• Destination IP address: w2.x2.y2.z2
• Source IP address: w1.x1.y1.z1
• Destination port: TCP port 80
• Source port: TCP port 1025
The NAT server checks its translation table and maps the public addresses to
private addresses and forwards the packet to the computer at 192.168.0.10. The
forwarded packet contains the following address information:
• Destination IP address: 192.168.0.10
• Source IP address: w2.x2.y2.z2
• Destination port: TCP port 5000
• Source port: TCP port 80
For outgoing packets from the NAT server, the NAT server maps the source IP
address (a private address) to the ISP allocated address (a public address), and
maps the TCP/UDP port numbers to a different TCP/UDP port number.
For incoming packets to the NAT server, the NAT server maps the destination
IP address (a public address) to the original intranet address (a private address),
and maps the TCP/UDP port numbers back to their original TCP/UDP port
numbers.
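The address-and-port translation walked through above, as an added example that is not part of the original document. The page's public placeholders w1.x1.y1.z1 (the NAT server) and w2.x2.y2.z2 (the web server) are replaced by constructed documentation addresses; the private host 192.168.0.10, source port 5000 and the mapped port 1025 are the page's own values.

```python
"""Port-translating NAT server (added example, not code from the page).

Outgoing: the private source address and port are rewritten to the NAT's
public address and a mapped port, and the mapping is recorded.  Incoming:
the mapped destination port is looked up and translated back.  Two private
hosts may use the same source port, which is why the port must be mapped.
"""
from dataclasses import dataclass, replace

NAT_PUBLIC_IP = "203.0.113.1"    # constructed stand-in for the page's w1.x1.y1.z1
WEB_SERVER_IP = "198.51.100.80"  # constructed stand-in for the page's w2.x2.y2.z2


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatServer:
    def __init__(self, public_ip: str, first_port: int = 1025):
        self.public_ip = public_ip
        self.next_port = first_port
        # translation table: (proto, public_port) -> (private_ip, private_port)
        self.table = {}
        # reverse index so repeated packets of one flow reuse the same public port
        self.reverse = {}   # (proto, private_ip, private_port) -> public_port

    def outgoing(self, p: Packet) -> Packet:
        """Private -> public: rewrite source address and port, recording the mapping."""
        key = (p.proto, p.src_ip, p.src_port)
        if key not in self.reverse:
            public_port = self.next_port
            self.next_port += 1
            self.reverse[key] = public_port
            self.table[(p.proto, public_port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=self.public_ip, src_port=self.reverse[key])

    def incoming(self, p: Packet):
        """Public -> private: map the destination port back; None if no mapping exists."""
        if p.dst_ip != self.public_ip:
            return None
        entry = self.table.get((p.proto, p.dst_port))
        if entry is None:
            return None   # unsolicited inbound packet: nothing to map it to, so it is dropped
        private_ip, private_port = entry
        return replace(p, dst_ip=private_ip, dst_port=private_port)


def demo():
    """Replay the page's exchange; returns (packet on the wire, delivered reply, probe)."""
    nat = NatServer(NAT_PUBLIC_IP)
    request = Packet("192.168.0.10", 5000, WEB_SERVER_IP, 80)
    on_wire = nat.outgoing(request)
    # The web server replies to what it saw: the NAT's public address and mapped port.
    reply = Packet(WEB_SERVER_IP, 80, on_wire.src_ip, on_wire.src_port)
    delivered = nat.incoming(reply)
    # An outside host aiming at the private port directly finds no mapping.
    probe = Packet("203.0.113.99", 4444, NAT_PUBLIC_IP, 5000)
    return on_wire, delivered, nat.incoming(probe)


if __name__ == "__main__":
    for item in demo():
        print(item)
```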
Most proxy servers offer services beyond the standard functionality discussed
above. Reverse proxy enables the firewall to provide secure access to an
internal Web server (not exposing it to the outside) by redirecting external
HTTP (application proxy) requests to a single designated machine. This isn’t
suitable for multiserver Web hosting (reverse hosting—described next—takes
care of this), but it can be quite valuable when working with a single site.
Reverse hosting allows the firewall to redirect HTTP (application proxy)
requests to multiple internal Web servers. One method is to provide access
to multiple servers as subwebs of one large aggregate Web site or as multiple
independent Web servers. More flexible than reverse proxy but equally secure,
this method enables you to abstract the physical architecture of your Web sites
by mapping multiple servers to a single logical one. Both options allow the
firewall to offer caching functionality, which can improve responsiveness.
Reverse proxy can be very useful. For instance, suppose you need to allow a
Web server to query an internal database. There are several ways to do this. You
could replicate the database to the outside (if it’s not too large), but this puts the
contents’ integrity at risk. It might make more sense to move the Web and
database servers behind the firewall and use reverse proxy or reverse hosting to
get at the site. This option is very secure, although the overhead of running
multiple Web servers behind the proxy might tax the proxy’s ability to service
Web requests from internal clients.
A third alternative is better yet: Place the Web server in the demilitarized zone
(DMZ) and use the server proxy functionality of the firewall to query the
database. This option provides good security and performance. Before you
select any of these options, you should analyze your requirements so that you
can balance necessary security against performance/usability.
Figure: Network A (192.168.1.0-255) and Network B (192.168.2.0-255), a proxy
server (labelled 192.168.3.24), and the ISP (Internet).
Obviously, the fewer the entries in this table, the faster the router can decide
what to do with a datagram. (This was a big part of the motivation for classless
addressing, which aggregates routes into "supernets" to reduce router table size,
as we will see in the next topic.) Some routers only have connections to two
other devices, so they don't have much of a decision to make. Typically, the
router will simply take datagrams coming from one of its interfaces and, if
necessary, send them out on the other one. For example, consider a small
company's router acting as the interface between a network of three hosts and
the Internet. Any datagram sent to the router from a host on this network will
need to go over the router's connection to the router at the ISP.
When a router has connections to more than two devices, things become
considerably more complex. Some distant networks may be more easily
reachable if datagrams are sent using one of the routers than the other. The
routing table contains information not only about the networks directly
connected to the router, but also information that the router has “learned” about
more distant networks.
Conceptually, we can divide all IP datagram deliveries into two general types,
shown graphically in the figure below.
Direct and Indirect (Routed) Delivery of IP Datagrams
Indirect Datagram Deliveries: When two devices are not on the same physical
network, the delivery of a datagram from one to the other is indirect. Since the
source device can't see the destination on its local network, it must send the
datagram through one or more intermediate devices to deliver it. Indirect
delivery is analogous to mailing a letter to a friend in a different city. You don't
deliver it yourself—you put it into the postal system. The letter journeys
through postal system, possibly taking several intermediate steps, and ends up
in your friend's neighborhood, where a postal carrier puts it into his or her
mailbox.
To continue with our postal system analogy, I can send a letter from my home
in the United States to someone in, say, India, and the postal systems of both
countries will work to deliver the letter to its destination. However, when I drop
a letter in the mailbox, it's not like someone shows up, grabs the letter, and
hand-delivers it to the right address in India. The letter travels from the mailbox
to my local post office. From there, it probably goes to a regional distribution
center, and then from there, to a hub for international traffic. It goes to India,
perhaps (likely) via an intermediate country. When it gets to India, the Indian
postal system uses its own network of offices and facilities to route the letter to
its destination. The envelope “hops” from one location to the next until it
reaches its destination.
IP Datagram Next-Hop Routing
This is the same diagram as that shown in above figure except this time I have
explicitly shown the hops taken by each of the three sample transmissions. The
direct delivery of the first (green) transmission has only one hop (remember that
the switch doesn’t count because it is invisible at layer three). The local indirect
delivery passes through one router, so it has two hops. The Internet delivery in
this case has six hops; actual Internet routes can be much longer.
This diagram shows a small, simple internetwork consisting of four LANs each
served by a router. The routing table for each lists the router to which datagrams
for each destination network should be sent, and is color coded to match the
colors of the networks. Notice that due to the “triangle”, each of R1, R2 and R3
can send to each other. However, R2 and R3 must send through R1 to deliver to
R4, and R4 must use R1 to reach either of the others.
Let's suppose that R1 also connects to another router, R4, which has 14.0.0.0/8
as its local network. R1 will have an entry for this local network. However, R2
and R3 also need to know how to reach 14.0.0.0/8, even though they don't
connect to its router directly. Most likely, they will have an entry that says
that any datagram intended for 14.0.0.0/8 should be sent to R1. R1 will then
forward them to R4. Similarly, R4 will send any traffic intended for 12.0.0.0/8
or 13.0.0.0/8 through R1.
Route Determination
Determining what routes we should use for different networks turns out to be an
important but very complex job. Routers must plan routes and exchange
information about routes and networks, which can be done in a variety of ways.
This is accomplished in IP using special IP routing protocols. It is through these
protocols that R2 and R3 would find out that 14.0.0.0/8 exists and that it is
connected to them via R1.
The different nature of routing within an AS and between ASes can be seen in
the fact that distinct sets of TCP/IP routing protocols are used for each type:
Since autonomous systems are just sets of routers, this means that ASes are
connected by linking a router in one AS to a router in another AS.
Architecturally, an AS consists of a set of routers with two different types of
connectivity:
There are two routing protocol algorithms that are most commonly encountered:
distance-vector and link-state. There are also protocols that use a combination
of these methods, or others.
Routers using a distance-vector protocol maintain information about the distance to
all known networks in a table. They regularly send that table to each router they
immediately connect with (their neighbors or peers). These routers then update
their tables and send to their neighbors. This causes distance information to
propagate across the internetwork, so that eventually each router obtains
distance information about all networks on the internet.
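The distance-vector exchange just described, run over the page's own topology (R1, R2 and R3 in a triangle, R4 hanging off R1, with 12.0.0.0/8, 13.0.0.0/8 and 14.0.0.0/8 behind R2, R3 and R4), followed by the next-hop lookup a router performs against the resulting table. This is an added example, not code from the original document; R1's local network 11.0.0.0/8 and the unit link costs are constructed assumptions.

```python
"""Distance-vector route exchange and next-hop lookup (added example).

Each round every router sends its whole table to its neighbours, which adopt
any route that is cheaper via the sender.  After convergence R2 and R3 have
learned that 14.0.0.0/8 is reached through R1, and R4 reaches 12/8 and 13/8
through R1, as the page describes.  next_hop() then does the longest-prefix
match a router performs on a destination address.
"""
import ipaddress

LOCAL_NETS = {            # router -> directly connected network
    "R1": "11.0.0.0/8",   # constructed: the page does not name R1's own network
    "R2": "12.0.0.0/8",
    "R3": "13.0.0.0/8",
    "R4": "14.0.0.0/8",
}
LINKS = {                 # router -> {neighbour: link cost}; unit costs are constructed
    "R1": {"R2": 1, "R3": 1, "R4": 1},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R1": 1, "R2": 1},
    "R4": {"R1": 1},
}


def distance_vector(max_rounds: int = 16):
    """Return ({router: {network: (cost, next_hop)}}, rounds) once tables stop changing."""
    tables = {r: {net: (0, "direct")} for r, net in LOCAL_NETS.items()}
    for rounds in range(1, max_rounds + 1):
        changed = False
        # Snapshot so every advertisement in a round reflects the same state.
        advertised = {r: dict(t) for r, t in tables.items()}
        for sender, table in advertised.items():
            for neighbour, link_cost in LINKS[sender].items():
                for net, (cost, _) in table.items():
                    candidate = cost + link_cost
                    current = tables[neighbour].get(net)
                    if current is None or candidate < current[0]:
                        tables[neighbour][net] = (candidate, sender)
                        changed = True
        if not changed:
            return tables, rounds
    raise RuntimeError("routing tables did not converge")


def next_hop(table: dict, dst_ip: str):
    """Longest-prefix match of dst_ip against one router's table; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, (cost, via) in table.items():
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, cost, via)
    return None if best is None else (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    tables, rounds = distance_vector()
    print(f"converged after {rounds} rounds")
    for router, table in tables.items():
        print(router, table)
    print("R2 -> 14.1.2.3:", next_hop(tables["R2"], "14.1.2.3"))
```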
There are also hybrid protocols that combine features from both types of
algorithms, and other protocols that use completely different algorithms. For
example, the Border Gateway Protocol (BGP) is a path-vector algorithm, which
is somewhat similar to the distance-vector algorithm, but communicates much
more detailed route information. It includes some of the attributes of distance-
vector and link-state protocols, but is more than just a combination of the two.
You may also occasionally see routing protocols categorized by type as static
and dynamic, so this is the last concept I want to discuss in this overview. This
terminology is somewhat misleading. The term “static routing” simply refers to
a situation where the routing tables are manually set up, so they remain static. In
contrast, “dynamic routing” is the subject of this entire section: the use of
routing protocols to dynamically update routing tables. Thus, all routing
protocols are “dynamic”. There is no such thing as a “static routing protocol”
unless you consider a network administrator editing a routing table a “protocol”.
Let's start with a look at routing protocol architectures. In this context, the word
architecture refers to the way that an internetwork is structured. Once we have a
number of networks and routers we wish to connect together, there is any
number of ways that we can do this. The architecture we choose is based on the
way that routers are linked up, and this has an impact on the way that routing is
done, and how routing protocols operate.
Core Architecture
Eventually, the core became too large, so a two-level hierarchy was formed to
allow further expansion. Non-core routers were located on the periphery of the
core and contained only partial routing information; they relied on the core
routers for transmissions that went across the internetwork. A special routing
protocol called the Gateway-to-Gateway Protocol (GGP) was used within the
core of the internetwork, while another protocol called the Exterior Gateway
Protocol (EGP) was used between non-core and core routers. The non-core
routers were sometimes single, stand-alone routers that connected a single
network to the core, or they could be sets of routers for an organization.
This architecture served for a while, but itself did not scale very well as the
Internet grew. The problem was mainly due to the fact that there was only a
single level to the architecture: every router in the core had to communicate
with every other. Even with peripheral routers being kept outside the core, the
amount of traffic in the core kept growing.
To resolve the limitations of the early core system, a new architecture was
created that moved away from the centralized concept of a core towards an
architecture that was better suited to a larger and growing internetwork. This
decentralized architecture treats the Internet as a set of independent groups,
with each group called an autonomous system (AS). An AS consists of a set of
routers and networks controlled by a particular organization or administrative
entity, which uses a single consistent policy for internal routing.
The power of this system is that routing on the internetwork as a whole occurs
between ASes and not individual routers. Information is only shared between
one or maybe a couple of routers in each AS, not every router in each AS. The
details of routing within an AS are also hidden from the rest of the internetwork.
This provides both flexibility for each AS to do routing as it sees fit (thus the
name autonomous) and efficiency for the overall internetwork. Each AS has its
own number, and the numbers are globally managed to make sure they are
unique across an internetwork (such as the Internet).