
Firewalls

25/11/2019
With the rise of the Internet, any computer in the world can connect to any other computer.
Disadvantages
(i) Leakage of critical and confidential information to the outside world
(ii) Dangerous outside elements like worms and viruses entering the corporate network to create havoc.
Firewalls

• Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)
• May be a separate computer system; a software service running on an existing router or server; or a separate network containing supporting devices
• A standard corporate network topology has a hierarchy often referred to as the security perimeters.
• The external network perimeter and the internal network perimeter are separated by a DMZ (Demilitarized Zone).
• When information moves from the Internet to the internal world, integrity is a greater concern than confidentiality
• Suitable guards are enforced between the Internet and the DMZ and between the DMZ and the internal network.
• This ensures that messages which can cause servers to function incorrectly or crash are not accepted
Firewalls Categorized by Development Era

• First generation: static packet filtering firewalls
• Second generation: application-level firewalls or proxy servers
• Third generation: stateful inspection firewalls
• Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination and port addresses to enter
• Fifth generation: kernel proxies; specialized form working under the kernel of Windows NT

Packet Filtering
• Packet filtering firewalls examine header
information of data packets
• Most often based on combination of:
– Internet Protocol (IP) source and destination
address
– Direction (inbound or outbound)
– Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source and destination
port requests
• Simple firewall models enforce rules designed
to prohibit packets with certain addresses or
partial addresses

Factors
Factors that allow or deny data flow through the packet filters:
1. The physical network interface (network adapter) that the packet arrives on
2. The address the data is coming from
3. The address the data is going to
4. The type of transport layer, TCP, UDP
5. The transport layer source port
6. The transport layer destination port
E.g.: A packet filter might deny all traffic on ports 1024 and up, or it might block all incoming traffic using the TFTP protocol.
We can use incoming and outgoing filters to dictate what information passes into or out of the local network.
Principles of Information Security, 2nd Edition
The rules are kept in the TCP/IP kernel and applied to any packet.
The actions taken may be either deny or permit the packet.
For a network packet to be routed to its destination, it has to match a permit rule in the list maintained in the kernel.
If a packet matches a deny rule, then it is dropped.
However, if a packet matches neither an allow rule nor a deny rule, it is also dropped.
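The rule matching just described, as an added example that is not part of these slides: a small first-match packet filter in Python that tests the six factors from the list above and drops any packet no rule covers. The rule set, interface name and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str       # 1. physical interface the packet arrived on
    direction: str   # "in" or "out"
    src: str         # 2. source address
    dst: str         # 3. destination address
    proto: str       # 4. transport protocol: "tcp" or "udp"
    sport: int       # 5. transport source port
    dport: int       # 6. transport destination port

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    iface: Optional[str] = None    # None on any field means "match anything"
    direction: Optional[str] = None
    src: Optional[str] = None      # exact address, or a partial address ending in "."
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        def addr(want, have):  # a partial address such as "192.0.2." matches a whole block
            return want is None or have == want or (want.endswith(".") and have.startswith(want))
        return ((self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction)
                and addr(self.src, p.src) and addr(self.dst, p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))

def filter_packet(rules, p: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny, as the slide states

# Constructed rule set following the slide's examples: block incoming TFTP (UDP/69),
# deny traffic to ports 1024 and up, then permit inbound web traffic to a constructed
# web server address on the external interface.
RULES = [
    Rule("deny", direction="in", proto="udp", dport=range(69, 70)),
    Rule("deny", dport=range(1024, 65536)),
    Rule("permit", iface="eth0", direction="in", dst="192.0.2.10", proto="tcp", dport=range(80, 81)),
]
```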
• They do not inspect the application layer data in the packets.
• The packet filters do network address translation (NAT), so the topology and addressing scheme of the network are hidden from untrusted or external networks.
Advantages

(i) Faster than other technologies.
(ii) Easy to configure and inexpensive.
(iii) Less complicated (a single rule controls deny or allow of packets)
(iv) Do not require client computers to be configured specially
(v) Shield the internal IP addresses from the external world
Disadvantages
They do not examine the packet beyond its header or compare it to previous packets, so they are susceptible to SYN floods.
No user authentication is provided.
They are stateless and hence not suitable for application layer protocols like FTP.
They have no audit event generation or alerting mechanisms.
Application Gateways
Also called a proxy server.
The proxy services operate only in the application layer of the OS.
It is a program that runs on a firewall.
When a client program (e.g. a Web browser) establishes a connection to a destination service such as a Web server, it connects to an application gateway or proxy.
The client then negotiates with the proxy server in order to gain access to the destination service.
• In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall.
• This creates 2 connections: one between the client and the proxy server and another between the proxy server and the destination.
• Once a connection is established, the application gateway makes all decisions about which packets to forward.
• Since all communication is connected through the proxy server, computers behind the firewall are protected.
Advantages
• Can understand high level protocols like HTTP and FTP.
• Maintain information about the communication passing through the firewall server
• Used to deny access to certain network services, while allowing others.
• Capable of manipulating packet data.
• Transparent between the user and the external network
• Good at generating audit records, allowing admins to monitor threats to the firewall.
Disadvantages
Do not allow network servers to run on the firewall server, since the proxy server uses the same port to listen.
Slow, and thus lead to degradation in performance.
Rely on OS support and are vulnerable to bugs in the system.
How firewalls examine packets
• There are 2 main approaches to this task
• Stateful Packet Inspection: The SPI firewall will examine each packet, denying or permitting access based not only on the examination of the current packet, but also on data derived from previous packets in the conversation.
– i.e., the firewall is aware of the context in which a specific packet was sent. This makes these firewalls less susceptible to SYN floods.
– E.g.: If the firewall detects that the current packet is an ICMP packet and a stream of several thousand packets has been continuously coming from the same source IP, it is clearly a DoS attack and the packets will be blocked.
• SPI firewalls can also look at the actual contents of each packet
• This allows for some very advanced filtering capabilities.
• Stateless Packet Inspection: does not involve actual examination of the contents of each packet.
• Also it does not examine a packet within the context of an outgoing TCP conversation.
• It does not know what the preceding or subsequent packets are doing, thus making it vulnerable to DoS attacks.
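Added example (not from the slides) contrasting the two approaches: a toy stateful inspector that remembers conversations opened from inside, counts ICMP packets per source and tracks half-open inbound SYNs, beside a stateless check that judges each packet by its header alone. Thresholds, window and addresses are constructed values, and a real product would combine this with service rules that are omitted here.

```python
from collections import defaultdict, deque

WINDOW = 1.0       # seconds of history kept per source (constructed threshold)
ICMP_LIMIT = 100   # ICMP packets from one source per window before blocking
SYN_LIMIT = 50     # unanswered inbound SYNs from one source before blocking

class StatefulFirewall:
    """Decides on each packet using state derived from earlier packets."""
    def __init__(self):
        self.conversations = set()           # (src, sport, dst, dport) started from inside
        self.icmp_seen = defaultdict(deque)  # source -> timestamps inside WINDOW
        self.half_open = defaultdict(int)    # source -> inbound SYNs not yet answered

    def inspect(self, pkt: dict) -> str:
        src, dst, proto, now = pkt["src"], pkt["dst"], pkt["proto"], pkt["time"]
        if proto == "icmp":
            q = self.icmp_seen[src]
            q.append(now)
            while now - q[0] > WINDOW:       # forget packets older than the window
                q.popleft()
            # thousands of ICMP packets from one source in a short time: flood, block it
            return "deny" if len(q) > ICMP_LIMIT else "permit"
        if pkt["direction"] == "out":
            self.conversations.add((src, pkt["sport"], dst, pkt["dport"]))
            return "permit"
        flags = pkt.get("flags")
        if (dst, pkt["dport"], src, pkt["sport"]) in self.conversations:
            return "permit"                  # answer to a conversation opened from inside
        if proto == "tcp" and flags == "SYN":  # new inbound attempt (service rules omitted)
            self.half_open[src] += 1
            return "deny" if self.half_open[src] > SYN_LIMIT else "permit"
        if proto == "tcp" and flags == "ACK" and self.half_open[src] > 0:
            self.half_open[src] -= 1         # handshake completed, no longer half-open
            return "permit"
        return "deny"                        # no context for this packet: drop it

def stateless_inspect(pkt: dict) -> str:
    """Stateless counterpart: same header test for every packet, no memory of others."""
    if pkt["proto"] == "icmp":
        return "permit"
    if pkt["proto"] == "tcp" and pkt.get("flags") in ("SYN", "ACK"):
        return "permit"                      # cannot tell a real reply from a forged one
    return "deny"
```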
• Bastion Host
– A system identified by the firewall administrator as a critical strong point in the network's security
– The bastion host serves as a platform for an application-level or circuit-level gateway

Firewall Configurations

• In addition to the use of a simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
• Three common configurations
– Screened host firewall system (single-homed bastion host)
– Screened host firewall system (dual-homed bastion host)
– Screened subnet firewall configuration

Screened host firewall system (single-homed bastion host)

Contd..
• Here a firewall set up consists of 2 parts:
– A packet filtering router
– Application gateway

Their purposes are as follows

• The packet filter ensures that the incoming traffic (from the Internet to the corporate network) is allowed only if it is destined for the application gateway, by examining the destination address field of every incoming IP packet.
• It also ensures that the outgoing traffic (from the corporate network to the Internet) is allowed only if it originates from the application gateway, by examining the source address field of every outgoing IP packet.

The application gateway performs authentication and proxy functions.
The configuration increases the security of the network by performing checks at both the packet and application levels.
This gives the network administrator more flexibility to define a more granular security process.
Disadvantage
The internal users are connected to the application gateway as well as to the packet filter. So, if the packet filter is somehow compromised, the whole network is exposed to the attacker.
Screened host firewall system (dual-homed bastion host)

• To overcome the drawback of the single-homed configuration.
• An improvement over the earlier scheme.
• Here the direct connections between the internal hosts and the packet filter are avoided. Instead the packet filter connects only to the application gateway, which in turn has a separate connection with the internal hosts.
• So, even if the packet filter is compromised, only the application gateway is visible to the attacker. The internal hosts are protected.
Screened Subnet Firewall

Henric Johnson
• Offers the highest security among the possible firewall configurations.
• Here, 2 packet filters are used, one between the Internet and the application gateway and another between the application gateway and the internal network.
• Now, there are 3 levels of security for an attacker to break into.
• The attacker does not come to know about the internal network unless he breaks into both packet filters and the single application gateway standing between them.

Encrypted tunnel
• In tunnel mode, an encrypted tunnel is established between 2 hosts.
• Suppose X and Y are 2 hosts who want to communicate using IPSec tunnel mode.
• They identify their respective proxies, say P1 and P2, and a logical encrypted tunnel is established between P1 and P2.
• X sends its transmission to P1. The tunnel carries the transmission to P2.
• P2 forwards it to Y.
• Here, we will have 2 sets of IP headers, internal and external. The internal IP header (which is encrypted) contains the source and destination addresses X and Y.
• The external IP header contains the source and destination addresses P1 and P2. Thus X and Y are protected from potential attackers.
• A Virtual Private Network (VPN) is an encrypted tunnel built between private networks, typically built over an insecure or private network like the Internet.
• The VPN device on each end (router, firewall, and so forth) must know which networks on the near side are allowed to speak to which networks on the far side of the VPN. ACLs serve this function.
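The two-header layout of tunnel mode, as an added example that is not from the slides: a Python model in which P1 encrypts the whole X-to-Y packet and wraps it in a P1-to-P2 header, P2 reverses the process, and an observer on the path can parse only the outer header. Addresses and key are constructed, and the SHA-256 counter keystream is a stand-in for real ESP encryption, not an implementation of it.

```python
import hashlib
import struct

# Constructed addresses: X and Y are the end hosts, P1 and P2 their tunnel proxies.
X, Y, P1, P2 = "10.1.0.5", "10.2.0.9", "198.51.100.1", "203.0.113.1"
ESP = 50   # IP protocol number carried in the outer header for ESP

def ip_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left as zero)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, addr(src), addr(dst))

def parse_header(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])), "proto": f[6]}

def crypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for ESP encryption: XOR with a SHA-256 counter keystream (demo only)."""
    ks = b""
    for i in range((len(data) + 31) // 32):
        ks += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(inner_pkt: bytes, key: bytes) -> bytes:
    """P1 side: encrypt the whole inner packet, X->Y header included, behind an outer P1->P2 header."""
    enc = crypt(inner_pkt, key)
    return ip_header(P1, P2, len(enc), ESP) + enc

def decapsulate(outer_pkt: bytes, key: bytes) -> bytes:
    """P2 side: strip the outer header and decrypt to recover the original X->Y packet."""
    return crypt(outer_pkt[20:], key)

def observer_view(outer_pkt: bytes) -> dict:
    """Everything an on-path observer without the key can read about the endpoints."""
    return parse_header(outer_pkt)

def demo():
    key = b"constructed-shared-key"
    inner = ip_header(X, Y, 5, 6) + b"hello"       # X -> Y, protocol 6 = TCP
    wire = encapsulate(inner, key)
    return observer_view(wire), parse_header(decapsulate(wire, key))
```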
1. What are the characteristic features of a stateful inspection firewall?
2. Discuss different firewall configurations.
3. What are the requirements of encrypted tunnels?
4. Why is the attacker not able to recognize the actual sender of the message in encrypted tunnels?
5. Compare packet filters and Application Level Gateways.
