CS205 – Information Security

Week 11
Firewalls

• Prevent specific types of information from

moving between the outside world (untrusted
network) and the inside world (trusted network)
• May be:
– Separate computer system
– Software service running on existing router or server
– Separate network containing supporting devices

2
Firewalls Processing Modes

• Five processing modes by which firewalls can be

categorized:
– Packet filtering
– Application gateways
– Circuit gateways
– MAC layer firewalls
– Hybrids

3
Firewalls Processing Modes (cont’d.)

• Packet filtering firewalls examine header

information of data packets
• Most often based on combination of:
– Internet Protocol (IP) source and destination address
– Direction (inbound or outbound)
– Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source and destination port
requests
• Simple firewall models enforce rules designed to
prohibit packets with certain addresses or partial
addresses
4
Firewalls Processing Modes (cont’d.)

• Three subsets of packet filtering firewalls:

– Static filtering: requires that filtering rules governing
how the firewall decides which packets are allowed
and which are denied are developed and installed
– Dynamic filtering: allows firewall to react to emergent
event and update or create rules to deal with event
– Stateful inspection: firewalls that keep track of each
network connection between internal and external
systems using a state table

5
Firewalls Processing Modes (cont’d.)

• Application gateways
– Frequently installed on a dedicated computer; also
known as a proxy server
– Since proxy server is often placed in unsecured area
of the network (e.g., DMZ), it is exposed to higher
levels of risk from less trusted networks
– Additional filtering routers can be implemented behind
the proxy server, further protecting internal systems

6
Firewalls Processing Modes (cont’d.)

• Circuit gateway firewall

– Operates at transport layer
– Like filtering firewalls, do not usually look at data
traffic flowing between two networks, but prevent
direct connections between one network and another
– Accomplished by creating tunnels connecting specific
processes or systems on each side of the firewall,
and allow only authorized traffic in the tunnels

7
Firewalls Processing Modes (cont’d.)

• MAC layer firewalls

– Designed to operate at the media access control layer
of OSI network model
– Able to consider specific host computer’s identity in its
filtering decisions
– MAC addresses of specific host computers are linked
to access control list (ACL) entries that identify
specific types of packets that can be sent to each
host; all other traffic is blocked

8
Firewalls Processing Modes (cont’d.)

• Hybrid firewalls
– Combine elements of other types of firewalls; i.e.,
elements of packet filtering and proxy services, or of
packet filtering and circuit gateways
– Alternately, may consist of two separate firewall
devices; each a separate firewall system, but
connected to work in tandem

9
Firewalls Categorized by Generation

• First generation: static packet filtering firewalls

• Second generation: application-level firewalls or
proxy servers
• Third generation: stateful inspection firewalls
• Fourth generation: dynamic packet filtering
firewalls; allow only packets with particular
source, destination, and port addresses to enter
• Fifth generation: kernel proxies; specialized form
working under kernel of Windows NT

10
Firewalls Categorized by Structure

• Most firewalls are appliances: stand-alone,

self-contained systems
• Commercial-grade firewall system
• Small office/home office (SOHO) firewall
appliances
• Residential-grade firewall software

11
Firewall Architectures

• Firewall devices can be configured in a number

of network connection architectures
• Best configuration depends on three factors:
– Objectives of the network
– Organization’s ability to develop and implement
architectures
– Budget available for function
• Four common architectural implementations of
firewalls: packet filtering routers, screened host
firewalls, dual-homed firewalls, screened subnet
firewalls
12
Firewall Architectures (cont’d.)

• Packet filtering routers

– Most organizations with Internet connection have a
router serving as interface to Internet
– Many of these routers can be configured to reject
packets that organization does not allow into network
– Drawbacks include a lack of auditing and strong
authentication

13
Firewall Architectures (cont’d.)

• Screened host firewalls

– Combines packet filtering router with separate,
dedicated firewall such as an application proxy server
– Allows router to prescreen packets to minimize
traffic/load on internal proxy
– Separate host is often referred to as bastion host
• Can be rich target for external attacks and should be very
thoroughly secured
• Also known as a sacrificial host

14
Firewall Architectures (cont’d.)

• Dual-homed host firewalls

– Bastion host contains two network interface cards
(NICs): one connected to external network, one
connected to internal network
– Implementation of this architecture often makes use
of network address translation (NAT), creating
another barrier to intrusion from external attackers

15
Firewall Architectures (cont’d.)

• Screened subnet firewall is the dominant

architecture used today
• Commonly consists of two or more internal
bastion hosts behind packet filtering router, with
each host protecting trusted network:
– Connections from outside (untrusted network) routed
through external filtering router
– Connections from outside (untrusted network) are
routed into and out of routing firewall to separate
network segment known as DMZ
– Connections into trusted internal network allowed only
from DMZ bastion host servers
16
Firewall Architectures (cont’d.)

• Screened subnet performs two functions:

– Protects DMZ systems and information from outside
threats
– Protects the internal networks by limiting how external
connections can gain access to internal systems
• Another facet of DMZs: extranets

17
Firewall Architectures (cont’d.)

• SOCKS servers
– SOCKS is the protocol for handling TCP traffic via a
proxy server
– A proprietary circuit-level proxy server that places
special SOCKS client-side agents on each
workstation
– A SOCKS system can require support and
management resources beyond those of traditional
firewalls

18
Selecting the Right Firewall

• When selecting firewall, consider a number of

factors:
– What firewall offers right balance between protection
and cost for needs of organization?
– Which features are included in base price and which
are not?
– Ease of setup and configuration? How accessible are
staff technicians who can configure the firewall?
– Can firewall adapt to organization’s growing network?
• Second most important issue is cost

19
Configuring and Managing Firewalls

• Each firewall device must have own set of

configuration rules regulating its actions
• Firewall policy configuration is usually complex
and difficult
• Configuring firewall policies is both an art and a
science
• When security rules conflict with the
performance of business, security often loses

20
Configuring and Managing Firewalls
(cont’d.)
• Best practices for firewalls
– All traffic from trusted network is allowed out
– Firewall device never directly accessed from public
network
– Simple Mail Transport Protocol (SMTP) data allowed
to pass through firewall
– Internet Control Message Protocol (ICMP) data
denied
– Telnet access to internal servers should be blocked
– When Web services offered outside firewall, HTTP
traffic should be denied from reaching internal
networks
21
Configuring and Managing Firewalls
(cont’d.)
• Firewall rules
– Operate by examining data packets and performing
comparison with predetermined logical rules
– Logic based on set of guidelines most commonly
referred to as firewall rules, rule base, or firewall logic
– Most firewalls use packet header information to
determine whether specific packet should be allowed
or denied

22
Content Filters

• Software filter—not a firewall—that allows

administrators to restrict content access from
within network
• Essentially a set of scripts or programs
restricting user access to certain networking
protocols/Internet locations
• Primary focus to restrict internal access to
external material
• Most common content filters restrict users from
accessing non-business Web sites or deny
incoming span
23
Thanks