FireWalls(SIC)

Firewalls are essential for protecting local networks from external security threats while allowing necessary Internet access. They serve as a controlled point for traffic, implementing security policies and monitoring events, but have limitations such as inability to prevent internal threats and attacks that bypass the firewall. Various types of firewalls exist, including packet filtering firewalls, which operate based on predefined rules for incoming and outgoing traffic, but they may not effectively address application-specific vulnerabilities.

CHAPTER 9 / FIREWALLS AND INTRUSION PREVENTION SYSTEMS

Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet.

9.1 THE NEED FOR FIREWALLS

Information systems in corporations, government agencies, and other organizations have undergone a steady evolution. The following are notable developments:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN
Internet connectivity is no longer optional for organizations. The information and services available are essential to the organization. Moreover, individual users within the organization want and need Internet access, and if this is not provided via their LAN, they will use dial-up capability from their PC to an Internet service provider (ISP). However, while Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets. This creates a threat to the organization. While it is possible to equip each workstation and server on the premises network with strong security features, such as intrusion protection, this may not be sufficient and in some cases is not cost-effective. Consider a network with hundreds or even thousands of systems, running various operating systems, such as different versions of UNIX and Windows. When a security flaw is discovered, each potentially affected system must be upgraded to fix that flaw. This requires scaleable configuration management and aggressive patching to function effectively. While difficult, this is possible and is necessary if only host-based security is used. A widely accepted alternative or at least complement to host-based security services is the firewall.
The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function. The firewall, then, provides an additional layer of defense, insulating the internal systems from external networks. This follows the classic military doctrine of "defense in depth," which is just as applicable to IT security.

9.2 FIREWALL CHARACTERISTICS

[BELL94b] lists the following design goals for a firewall:
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this chapter.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this chapter.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and often required in government applications. This topic is discussed in Chapter 10.
[SMIT97] lists four general techniques that firewalls use to control access and enforce the site's security policy. Originally, firewalls focused primarily on service control, but they have since evolved to provide all four:
• Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
• Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec (Chapter 21).
• Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.
Before proceeding to the details of firewall types and configurations, it is best to summarize what one can expect from a firewall. The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPSec. Using the tunnel mode capability described in Chapter 21, the firewall can be used to implement virtual private networks.
Firewalls have their limitations, including the following:
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected outside the corporate network and then attached and used internally.

9.3 TYPES OF FIREWALLS

A firewall may act as a packet filter. It can operate as a positive filter, allowing to pass only packets that meet specific criteria, or as a negative filter, rejecting any packet that meets certain criteria. Depending on the type of firewall, it may examine one or more protocol headers in each packet, the payload of each packet, or the pattern generated by a sequence of packets. In this section, we look at the principal types of firewalls.

Packet Filtering Firewall

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet (Figure 9.1b). The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:
• Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
• Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
• Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
• IP protocol field: Defines the transport protocol
• Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for
[Figure 9.1 Types of Firewalls. (a) General model: internal (protected) network (e.g., enterprise network), firewall, external (untrusted) network (e.g., Internet). (b) Packet filtering firewall and (c) stateful inspection firewall: one end-to-end transport connection passes through the firewall, and the stateful firewall additionally keeps state information. (d) Application proxy firewall and (e) circuit-level proxy firewall: separate internal and external transport connections are spliced at the proxy. Protocol layers shown in each panel: application, transport, internet, network access, physical.]
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken. Two default policies are possible:
• Default = discard: That which is not expressly permitted is prohibited.
• Default = forward: That which is not expressly prohibited is permitted.
The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. However, this is the policy likely to be preferred by businesses and government organizations. Further, visibility to users diminishes as rules are created. The default forward policy increases ease of use for end users but provides reduced security; the security administrator must, in essence, react to each new security threat as it becomes known. This policy may be used by generally more open organizations, such as universities.
Table 9.1, from [BELL94b], gives some examples of packet filtering rule sets. In each set, the rules are applied top to bottom. The "*" in a field is a wildcard designator that matches everything. We assume that the default = discard policy is in force.
A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway host. However, packets from a particular external host, SPIGOT, are blocked because that host has a history of sending massive files in e-mail messages.
B. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.
Table 9.1 Packet Filtering Examples

Rule Set A
action  ourhost  port  theirhost  port  comment
block   *        *     SPIGOT     *     we don't trust these people
allow   OUR-GW   25    *          *     connection to our SMTP port

Rule Set B
action  ourhost  port  theirhost  port  comment
block   *        *     *          *     default

Rule Set C
action  ourhost  port  theirhost  port  comment
allow   *        *     *          25    connection to their SMTP port

Rule Set D
action  src          port  dest  port  flags  comment
allow   {our hosts}  *     *     25           our packets to their SMTP port
allow   *            25    *     *     ACK    their replies

Rule Set E
action  src          port  dest  port   flags  comment
allow   {our hosts}  *     *     *             our outgoing calls
allow   *            *     *     *      ACK    replies to our calls
allow   *            *     *     >1024         traffic to nonservers
C. This rule set is intended to specify that any inside host can send mail to the outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine. The problem with this rule is that the use of port 25 for SMTP receipt is only a default; an outside machine could be configured to have some other application linked to port 25. As this rule is written, an attacker could gain access to internal machines by sending packets with a TCP source port number of 25.
D. This rule set achieves the intended result that was not achieved in C. The rules take advantage of a feature of TCP connections. Once a connection is set up, the ACK flag of a TCP segment is set to acknowledge segments sent from the other side. Thus, this rule set states that it allows IP packets where the source IP address is one of a list of designated internal hosts and the destination TCP port number is 25. It also allows incoming packets with a source port number of 25 that include the ACK flag in the TCP segment. Note that we explicitly designate source and destination systems to define these rules explicitly.
E. This rule set is one approach to handling FTP connections. With FTP, two TCP connections are used: a control connection to set up the file transfer and a data connection for the actual file transfer. The data connection uses a different port number that is dynamically assigned for the transfer. Most servers, and hence most attack targets, use low-numbered ports; most outgoing calls tend to use a higher-numbered port, typically above 1023. Thus, this rule set allows
• Packets that originate internally
• Reply packets to a connection initiated by an internal machine
• Packets destined for a high-numbered port on an internal machine
This scheme requires that the systems be configured so that only the appropriate port numbers are in use.

Rule set E points out the difficulty in dealing with applications at the packet filtering level. Another way to deal with FTP and similar applications is either stateful packet filters or an application-level gateway, both described subsequently in this section.
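The following is an added example, not code from the textbook: a first-match packet filter, evaluated top to bottom under the default = discard policy, with rule sets in the style of Table 9.1. The internal host list and all packets are constructed. For rule set C the table shows only the outbound row; to let returning mail traffic in, the text describes the consequence of admitting packets by source port 25 alone, so a second rule of that shape is assumed here to make the flaw visible, and rule set D's ACK requirement is shown closing it. Rule set E shows the cost of supporting FTP data connections: an unsolicited connection to any high-numbered internal port is admitted.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed set of designated internal hosts ({our hosts} in Table 9.1).
OUR_HOSTS = {"192.168.1.10", "192.168.1.11"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False          # TCP ACK flag (set on every segment after the initial SYN)


@dataclass
class Rule:
    action: str                         # "allow" or "block"
    src: Optional[Set[str]] = None      # None stands for the "*" wildcard
    sport: Optional[int] = None
    dst: Optional[Set[str]] = None
    dport: Optional[int] = None
    dport_gt: Optional[int] = None      # matches destination ports greater than this (">1024")
    ack: Optional[bool] = None          # True means the ACK flag is required
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src not in self.src:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dst is not None and p.dst not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_gt is not None and p.dport <= self.dport_gt:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """First-match evaluation, top to bottom; no match means default = discard."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Rule set C plus the reply rule it needs in practice. The second rule is an
# assumption made for this example: it admits any packet with source port 25,
# which is exactly what the text warns about.
RULESET_C = [
    Rule("allow", dport=25, comment="connection to their SMTP port"),
    Rule("allow", sport=25, comment="their replies, no flag check (assumed)"),
]
RULESET_D = [
    Rule("allow", src=OUR_HOSTS, dport=25, comment="our packets to their SMTP port"),
    Rule("allow", sport=25, ack=True, comment="their replies"),
]
RULESET_E = [
    Rule("allow", src=OUR_HOSTS, comment="our outgoing calls"),
    Rule("allow", ack=True, comment="replies to our calls"),
    Rule("allow", dport_gt=1024, comment="traffic to nonservers"),
]

# Constructed packets (203.0.113.0/24 is documentation address space).
CASES = {
    "outbound_mail": Packet("192.168.1.10", 1030, "203.0.113.5", 25),
    "mail_reply": Packet("203.0.113.5", 25, "192.168.1.10", 1030, ack=True),
    # Outside host opening a connection to an internal telnet port while
    # using source port 25: no ACK, because it is the first segment.
    "forged_syn": Packet("203.0.113.9", 25, "192.168.1.10", 23),
    # Outside host opening a connection to an internal high-numbered port,
    # which rule set E has to admit for FTP data connections to work.
    "inbound_high_port": Packet("203.0.113.9", 4000, "192.168.1.10", 5000),
}


def decisions():
    """Return {(rule set name, case name): "allow" | "block"} for every combination."""
    sets = {"C": RULESET_C, "D": RULESET_D, "E": RULESET_E}
    return {(name, case): filter_packet(rules, pkt)
            for name, rules in sets.items() for case, pkt in CASES.items()}


if __name__ == "__main__":
    for (name, case), verdict in decisions().items():
        print(f"rule set {name}  {case:<18} {verdict}")
```

Running it shows rule set C admitting the forged source-port-25 segment, rule set D rejecting it (source port 25 without ACK matches nothing, so the default applies) while still passing the genuine reply, and rule set E admitting the unsolicited packet to port 5000 that neither C nor D would pass.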
One advantage of a packet filtering firewall is its simplicity. Also, packet filters typically are transparent to users and are very fast. [WACK02] lists the following weaknesses of packet filter firewalls:
• Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted.
• Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type).
• Most packet filter firewalls do not support advanced user authentication schemes. Once again, this limitation is mostly due to the lack of upper-layer functionality by the firewall.
• Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered. Spoofing attacks are generally employed by intruders to bypass the security controls implemented in a firewall platform.
• Finally, due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations. In other words, it is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based on an organization's information security policy.
Some of the attacks that can be made on packet filtering firewalls and the appropriate countermeasures are the following:
• IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The attacker hopes that the use of a spoofed address will allow penetration of systems that employ simple source address security, in which packets from specific trusted internal hosts are accepted. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.
• Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option.
• Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected. The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through. A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.
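The three countermeasures above, as an added example that is not part of the textbook: an ingress check run before any rule lookup that drops packets carrying an inside source address on the external interface, drops source-routed packets, and enforces a minimum transport-header size on the first fragment, remembering the IP Identification of a rejected datagram so its later fragments are dropped too. The internal prefix, the 16-byte minimum (enough of a TCP header to reach the flags) and all packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "192.168.1."           # assumption: the protected address block
MIN_FIRST_FRAGMENT_TRANSPORT_BYTES = 16  # assumption: covers TCP ports, seq/ack numbers, and flags


@dataclass
class Fragment:
    pkt_id: int            # IP Identification field, shared by all fragments of one datagram
    offset: int            # Fragment Offset field (in 8-byte units)
    more: bool             # More Fragments flag
    transport_bytes: int   # bytes of transport header and payload carried in this fragment


@dataclass
class Packet:
    src: str
    iface: str                           # "external" or "internal": interface it arrived on
    source_routed: bool = False          # IP source route option present
    fragment: Optional[Fragment] = None  # None for an unfragmented datagram


class IngressFilter:
    def __init__(self):
        self.rejected_ids = set()        # datagrams whose first fragment was dropped

    def check(self, p: Packet) -> str:
        # Anti-spoofing: an inside address can never legitimately arrive from outside.
        if p.iface == "external" and p.src.startswith(INTERNAL_PREFIX):
            return "drop: inside source address on external interface"
        # Source routing is simply not honoured.
        if p.source_routed:
            return "drop: source routing option"
        f = p.fragment
        if f is None:
            return "pass"
        # Later fragments of a datagram whose first fragment was rejected.
        if f.pkt_id in self.rejected_ids:
            return "drop: later fragment of a rejected datagram"
        # Tiny fragment rule: the first fragment must carry enough of the
        # transport header for the rule lookup to see the port numbers and flags.
        if f.offset == 0 and f.more and f.transport_bytes < MIN_FIRST_FRAGMENT_TRANSPORT_BYTES:
            self.rejected_ids.add(f.pkt_id)
            return "drop: first fragment too small to hold the transport header"
        return "pass"


def ingress_demo():
    """Run constructed packets through one filter instance, in order; return verdicts by name."""
    fw = IngressFilter()
    packets = [
        ("spoofed", Packet("192.168.1.20", "external")),
        ("source_routed", Packet("203.0.113.9", "external", source_routed=True)),
        # 8-byte first fragment with more to follow: the TCP flags are not in it.
        ("tiny_first", Packet("203.0.113.9", "external", fragment=Fragment(7, 0, True, 8))),
        ("tiny_rest", Packet("203.0.113.9", "external", fragment=Fragment(7, 1, False, 40))),
        ("normal_first", Packet("203.0.113.9", "external", fragment=Fragment(8, 0, True, 64))),
        ("normal_rest", Packet("203.0.113.9", "external", fragment=Fragment(8, 8, False, 40))),
        ("plain", Packet("203.0.113.9", "external")),
    ]
    return {name: fw.check(pkt) for name, pkt in packets}


if __name__ == "__main__":
    for name, verdict in ingress_demo().items():
        print(f"{name:<14} {verdict}")
```

The order matters: the "tiny_rest" fragment on its own looks harmless (offset 1, 40 bytes), and it is dropped only because the filter remembered that datagram 7's first fragment was rejected.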
Stateful Inspection Firewalls

A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher-layer context. To understand what is meant by context and why a traditional packet filter is limited with regard to context, a little background is needed. Most standardized applications that run on top of TCP follow a client/server model. For example, for the Simple Mail Transfer Protocol (SMTP), e-mail is transmitted from a client system to a server system. The client system generates new e-mail messages, typically from user input. The server system accepts incoming e-mail messages and places them in the appropriate user mailboxes. SMTP operates by setting up a TCP connection between client and server, in which the TCP server port number, which identifies the SMTP server application, is 25. The TCP port number for the SMTP client is a number between 1024 and 65535 that is generated by the SMTP client.

In general, when an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and 65535. The numbers less than 1024 are the "well-known" port numbers and are assigned permanently to particular applications (e.g., 25 for server SMTP). The numbers between 1024 and 65535 are generated dynamically and have temporary significance only for the lifetime of a TCP connection.

A simple packet filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users.

A stateful inspection packet firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 9.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.

A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections (Figure 9.1c). Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking. Some even inspect limited amounts of application data for some well-known protocols like FTP, IM, and SIPS commands, in order to identify and track related connections.

Table 9.2 Example Stateful Firewall Connection State Table [WACK02]

Source Address  Source Port  Destination Address  Destination Port  Connection State
192.168.1.100   1030         210.9.88.29          80                Established
192.168.1.102   1031         216.32.42.123        80                Established
192.168.1.101   1033         173.66.32.122        25                Established
192.168.1.106   1035         177.231.32.12        79                Established
223.43.21.231   1990         192.168.1.6          80                Established
219.22.123.32   2112         192.168.1.6          80                Established
210.99.212.18   3321         192.168.1.6          80                Established
24.102.32.23    1025         192.168.1.6          80                Established
223.21.22.12    1046         192.168.1.6          80                Established
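The following is an added example, not code from the textbook or from [WACK02]: a stateful inspection filter whose connection directory is seeded with the rows of Table 9.2. An inbound packet to a high-numbered port is admitted only if it belongs to a tracked connection; an outbound SYN from the protected network creates a new entry, and inbound SYNs are accepted only for a constructed list of public services (here 192.168.1.6 port 80, which the table shows outside hosts connecting to). The internal prefix, the public-service list, and the extra packets are assumptions for the example; handshake completion and entry expiry are not modelled, so the state string is recorded only on insertion.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.1."            # assumption: the protected address block
PUBLIC_SERVICES = {("192.168.1.6", 80)}   # assumption: internal service reachable from outside

# Rows of Table 9.2: (source address, source port, destination address, destination port, state)
TABLE_9_2 = [
    ("192.168.1.100", 1030, "210.9.88.29", 80, "Established"),
    ("192.168.1.102", 1031, "216.32.42.123", 80, "Established"),
    ("192.168.1.101", 1033, "173.66.32.122", 25, "Established"),
    ("192.168.1.106", 1035, "177.231.32.12", 79, "Established"),
    ("223.43.21.231", 1990, "192.168.1.6", 80, "Established"),
    ("219.22.123.32", 2112, "192.168.1.6", 80, "Established"),
    ("210.99.212.18", 3321, "192.168.1.6", 80, "Established"),
    ("24.102.32.23", 1025, "192.168.1.6", 80, "Established"),
    ("223.21.22.12", 1046, "192.168.1.6", 80, "Established"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self, rows=()):
        # Connection directory keyed by the initiator's (src, sport, dst, dport).
        self.table = {(s, sp, d, dp): state for s, sp, d, dp, state in rows}

    @staticmethod
    def inside(addr: str) -> bool:
        return addr.startswith(INTERNAL_PREFIX)

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Either direction of a tracked connection is allowed through.
        if fwd in self.table or rev in self.table:
            return "allow"
        # A bare SYN is a connection attempt: track it if the policy allows the call.
        if p.syn and not p.ack:
            if self.inside(p.src):
                self.table[fwd] = "SYN-SENT"       # outbound call from a protected host
                return "allow"
            if (p.dst, p.dport) in PUBLIC_SERVICES:
                self.table[fwd] = "SYN-RECEIVED"   # inbound call to a published service
                return "allow"
        # Everything else is dropped, including an inbound segment with ACK set to a
        # high-numbered port that matches no entry, which a stateless ACK rule would admit.
        return "block"


def stateful_demo():
    """Process constructed packets in order through one filter; return verdicts by name."""
    fw = StatefulFilter(TABLE_9_2)
    steps = [
        ("reply_to_tracked", Packet("210.9.88.29", 80, "192.168.1.100", 1030, ack=True)),
        ("unsolicited_ack", Packet("198.51.100.7", 80, "192.168.1.100", 1040, ack=True)),
        ("new_outbound_syn", Packet("192.168.1.100", 1050, "198.51.100.7", 443, syn=True)),
        ("reply_to_new", Packet("198.51.100.7", 443, "192.168.1.100", 1050, syn=True, ack=True)),
        ("inbound_to_web", Packet("198.51.100.7", 40000, "192.168.1.6", 80, syn=True)),
        ("inbound_to_ssh", Packet("198.51.100.7", 40001, "192.168.1.6", 22, syn=True)),
    ]
    return {name: fw.process(pkt) for name, pkt in steps}


if __name__ == "__main__":
    for name, verdict in stateful_demo().items():
        print(f"{name:<18} {verdict}")
```

The second and fourth packets look identical to a stateless filter (an outside server port replying to an inside high port with ACK set); only the directory distinguishes the reply to a connection the inside host actually opened from the unsolicited one.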

Application-Level Gateway

An application-level gateway, also called an application proxy, acts as a relay of application-level traffic (Figure 9.1d). The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.

Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.

A prime disadvantage of this type of gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

Circuit-Level Gateway

A fourth type of firewall is the circuit-level gateway or circuit-level proxy (Figure 9.1e). This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. As with an application gateway, a circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections. In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.

An example of a circuit-level gateway implementation is the SOCKS package [KOBL92]; version 5 of SOCKS is specified in RFC 1928. The RFC defines SOCKS in the following fashion:

The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a "shim-layer" between the application layer and the transport layer, and as such does not provide network-layer gateway services, such as forwarding of ICMP messages.
SOCKS consists of the following components:
• The SOCKS server, which often runs on a UNIX-based firewall. SOCKS is also implemented on Windows systems.
• The SOCKS client library, which runs on internal hosts protected by the firewall.
• SOCKS-ified versions of several standard client programs such as FTP and TELNET. The implementation of the SOCKS protocol typically involves either the recompilation or relinking of TCP-based client applications, or the use of alternate dynamically loaded libraries, to use the appropriate encapsulation routines in the SOCKS library.

When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall (such determination is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is located on TCP port 1080. If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, and then sends a relay request. The SOCKS server evaluates the request and either establishes the appropriate connection or denies it. UDP exchanges are handled in a similar fashion. In essence, a TCP connection is opened to authenticate a user to send and receive UDP segments, and the UDP segments are forwarded as long as the TCP connection is open.
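The negotiation just described, as an added example that is not the SOCKS package's own code: both sides' messages of the SOCKS5 exchange from RFC 1928 (method negotiation, then a CONNECT request and the server's reply), built and parsed as byte strings with no sockets involved. The gateway's decision, which is the circuit-level gateway's only security function, is a constructed policy that permits relays only to destination ports 25 and 80; the bind address it reports, the method it supports (no authentication), and the requests are also constructed for the example.

```python
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00            # NO AUTHENTICATION REQUIRED
METHOD_NONE_ACCEPTABLE = 0xFF    # server found none of the offered methods acceptable
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02           # "connection not allowed by ruleset"

# Assumed gateway policy for this example: relay outbound calls only to these ports.
ALLOWED_PORTS = {25, 80}
GATEWAY_BIND = ("203.0.113.1", 1080)   # constructed address/port the gateway relays from


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


# --- client side ---------------------------------------------------------------
def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    # VER | NMETHODS | METHODS
    return bytes([SOCKS_VERSION, len(methods), *methods])


def client_request(host: str, port: int, cmd=CMD_CONNECT) -> bytes:
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    return bytes([SOCKS_VERSION, cmd, 0x00, ATYP_IPV4]) + _ipv4(host) + struct.pack("!H", port)


# --- gateway side --------------------------------------------------------------
def server_method_selection(greeting: bytes, supported=(METHOD_NO_AUTH,)) -> bytes:
    # VER | METHOD; 0xFF tells the client to close the connection
    if greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:2 + greeting[1]]
    chosen = next((m for m in offered if m in supported), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])


def parse_request(req: bytes):
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or rsv != 0x00 or atyp != ATYP_IPV4 or len(req) != 10:
        raise ValueError("malformed or unsupported request")
    host = ".".join(str(b) for b in req[4:8])
    (port,) = struct.unpack("!H", req[8:10])
    return cmd, host, port


def server_reply(req: bytes) -> bytes:
    """Decide whether to set up the second connection; this is the gateway's security decision."""
    cmd, host, port = parse_request(req)
    rep = REP_SUCCEEDED if cmd == CMD_CONNECT and port in ALLOWED_PORTS else REP_NOT_ALLOWED
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + _ipv4(GATEWAY_BIND[0]) + struct.pack("!H", GATEWAY_BIND[1]))


def run_exchange(host: str, port: int):
    """Simulate the messages exchanged before any relaying; return the REP code (None if no method agreed)."""
    selection = server_method_selection(client_greeting())
    if selection[1] == METHOD_NONE_ACCEPTABLE:
        return None
    reply = server_reply(client_request(host, port))
    return reply[1]


if __name__ == "__main__":
    for port in (80, 23):
        print(f"CONNECT 203.0.113.5:{port} -> REP {run_exchange('203.0.113.5', port):#04x}")
```

Note what the gateway never looks at: nothing after the reply is parsed, so once a relay to port 80 is granted, the circuit carries whatever the two endpoints exchange.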

9.4 FIREWALL BASING

It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. Firewall functionality can also be implemented as a software module in a router or LAN switch. In this section, we look at some additional firewall basing considerations.

Bastion Host

A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Typically, the bastion host serves as a platform for an application-level or circuit-level gateway. Common characteristics of a bastion host are as follows:
• The bastion host hardware platform executes a secure version of its operating system, making it a hardened system.
• Only the services that the network administrator considers essential are installed on the bastion host. These could include proxy applications for DNS, FTP, HTTP, and SMTP.
• The bastion host may require additional authentication before a user is allowed access to the proxy services. In addition, each proxy service may require its own authentication before granting user access.
• Each proxy is configured to support only a subset of the standard application's command set.
• Each proxy is configured to allow access only to specific host systems. This means that the limited command/feature set may be applied only to a subset of systems on the protected network.
• Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection. The audit log is an essential tool for discovering and terminating intruder attacks.
• Each proxy module is a very small software package specifically designed for network security. Because of its relative simplicity, it is easier to check such modules for security flaws. For example, a typical UNIX mail application may contain over 20,000 lines of code, while a mail proxy may contain fewer than 1000.
• Each proxy is independent of other proxies on the bastion host. If there is a problem with the operation of any proxy, or if a future vulnerability is discovered, it can be uninstalled without affecting the operation of the other proxy applications. Also, if the user population requires support for a new service, the network administrator can easily install the required proxy on the bastion host.
• A proxy generally performs no disk access other than to read its initial configuration file. Hence, the portions of the file system containing executable code can be made read only. This makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host.
• Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.

Host-Based Firewalls

A host-based firewall is a software module used to secure an individual host. Such modules are available in many operating systems or can be provided as an add-on package. Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. A common location for such firewalls is a server. There are several advantages to the use of a server-based or workstation-based firewall:
• Filtering rules can be tailored to the host environment. Specific corporate security policies for servers can be implemented, with different filters for servers used for different applications.
• Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.
• Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration.

Personal Firewall

A personal firewall controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side. Personal firewall functionality can be used in the home environment and on corporate intranets. Typically, the personal firewall is a software module on the personal computer. In a home environment with multiple computers connected to the Internet, firewall functionality can also be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface.

Personal firewalls are typically much less complex than either server-based firewalls or stand-alone firewalls. The primary role of the personal firewall is to deny unauthorized remote access to the computer. The firewall can also monitor outgoing activity in an attempt to detect and block worms and other malware.

An example of a personal firewall is the capability built in to the Mac OS X operating system. When the user enables the personal firewall in Mac OS X, all inbound connections are denied except for those the user explicitly permits. Figure 9.2 shows this simple interface. The list of inbound services that can be selectively reenabled, with their port numbers, includes the following:
• Personal file sharing (548, 427)
• Windows sharing (139)
• Personal Web sharing (80, 427)
• Remote login - SSH (22)
• FTP access (20-21, 1024-64535 from 20-21)
• Remote Apple events (3031)
• Printer sharing (631, 515)
• iChat Rendezvous (5297, 5298)
• iTunes Music Sharing (3869)

[Figure 9.2 Example Personal Firewall Interface. The Firewall tab of the Sharing preference pane shows "Firewall On" with a Stop button ("Click Stop to allow incoming network communication to all services and ports") and an "Allow / On / Description (Ports)" list: Personal File Sharing (548, 427), Windows Sharing (139), Personal Web Sharing (80, 427), Remote Login - SSH (22), FTP Access (20-21, 1024-65535 from 20-21), Remote Apple Events (3031), Printer Sharing (631, 515); New..., Edit..., and Delete buttons; and the note "To use FTP to retrieve files while the firewall is on, enable passive FTP mode using the Proxies tab in Network Preferences."]
