16 Firewalls

A firewall is a network security device that controls traffic between a network and the Internet, aiming to protect against attacks and establish a controlled link. Firewalls can be classified into packet filters, stateful packet filters, and application gateways, each with different levels of security and functionality. Despite their protective capabilities, firewalls are not foolproof and cannot prevent attacks from within the network or fully protect against all types of threats.

Firewalls

Firewall

A firewall is a device (or software feature) designed to control the flow of traffic into and out of a network.
The firewall is inserted between the premises network and the Internet/WANs/outside network.

Aims:
- Establish a controlled link
- Protect the premises network from Internet-based attacks
- Provide a single choke point

Sample Firewall Design (diagram slide, not reproduced)

Firewall Characteristics
- There must be a single entry and exit point in the network.
- It assumes all internal hosts are trusted or authorized members.
- A firewall does not analyze packet content, so it cannot prevent viruses.

Why use a firewall?
- Protect a wide range of machines from general probes and many attacks:
  - Someone probing a network for computers.
  - Someone attempting to crash services on a computer.
  - Someone attempting to crash a computer (e.g., WinNuke).
  - Someone attempting to gain access to a computer to use its resources or information.
- Provides some protection for machines lacking in security.

Classification of Firewall
Characterized by the protocol level it controls:
- Packet filtering
- Circuit gateways
- Application gateways
- A combination of the above is the dynamic packet filter

Firewalls – Packet Filters
- Simplest of components
- Uses network/transport-layer header information only:
  - IP source address, destination address
  - Protocol/Next Header (TCP, UDP, ICMP, etc.)
  - TCP or UDP source and destination ports
  - TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  - ICMP message type
- Examples:
  - DNS uses port 53
  - No incoming port 53 packets except from known trusted servers

Firewalls – Packet Filters
Usage of Packet Filters
- Filtering on incoming or outgoing interfaces
  - E.g., ingress filtering of spoofed IP addresses
  - Egress filtering
- Permits or denies certain services
- Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
- Every ruleset is followed by an implicit final rule (shown on the slide as a rule table, not reproduced here).

Port Numbering
- TCP connection
  - Server port is a number less than 1024
  - Client port is a number between 1024 and 16383
- Permanent assignment
  - Ports <1024 are assigned permanently
  - 20, 21 for FTP; 23 for Telnet
  - 25 for server SMTP; 80 for HTTP
- Variable use
  - Ports >1024 must be available for a client to make any connection
  - This presents a limitation for stateless packet filtering
  - If a client wants to use port 2048, the firewall must allow incoming traffic on this port
  - Better: stateful filtering knows outgoing

Firewalls – Stateful Packet Filters
- Traditional packet filters do not examine higher-layer context
  - i.e., matching return packets with the outgoing flow
- Stateful packet filters address this need
  - They examine each IP packet in context
  - Keep track of client-server sessions
  - Check that each packet validly belongs to one
  - Hence are better able to detect bogus packets out of context

Firewalls – Stateful Packet Filters
Also known as a dynamic packet filter.
- Most common
- Provides good protection and full transparency for administrators
- Network given full control over traffic
- Captures the semantics of a connection
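The port-2048 problem from the Port Numbering slide and the session tracking described above, as an added example (not code from the slides): a stateless filter has to leave every port above 1024 open so that a client's replies can get back in, whereas a connection tracker admits an inbound packet only when it is the return half of an outgoing connection it has already seen. The addresses, ports and packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen by the firewall (constructed sample data)."""
    direction: str        # "out" = leaving the premises, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


class StatelessFilter:
    """Stateless rule: to let internal clients receive replies on their
    ephemeral ports, inbound traffic to every port > 1024 must be permitted."""

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        return pkt.dport > 1024          # the hole the slides describe


class StatefulFilter:
    """Tracks outbound client-server sessions and admits inbound packets only
    when they belong to a tracked session (simplified: no timeouts, no FIN
    handshake; a real tracker handles both)."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.sessions.add(key)       # new outgoing connection
            elif pkt.rst:
                self.sessions.discard(key)   # client aborted it
            return True
        # Inbound: look the packet up with the tuple reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False                     # unsolicited: no matching session
        if pkt.rst:
            self.sessions.discard(key)       # server aborted it; nothing more may follow
        return True


def demo() -> dict:
    """Run the same inbound packets through both filters (constructed data)."""
    client, server, outsider = "192.0.2.17", "203.0.113.80", "198.51.100.9"
    # 1. An internal client opens a connection from ephemeral port 2048 to a web server.
    out_syn = Packet("out", client, 2048, server, 80, syn=True)
    # 2. The server's SYN/ACK comes back to port 2048.
    reply = Packet("in", server, 80, client, 2048, syn=True, ack=True)
    # 3. An outsider sends an unsolicited SYN to that same port 2048.
    unsolicited = Packet("in", outsider, 4444, client, 2048, syn=True)
    results = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        fw.allows(out_syn)
        results[name] = {"reply": fw.allows(reply), "unsolicited": fw.allows(unsolicited)}
    # 4. Once the server resets the tracked session, later "replies" are bogus too.
    fw = StatefulFilter()
    fw.allows(out_syn)
    fw.allows(Packet("in", server, 80, client, 2048, rst=True))
    results["stateful_after_rst"] = fw.allows(reply)
    return results
```

The stateless filter passes both inbound packets to port 2048 because it cannot tell them apart; the stateful one passes the real reply, rejects the unsolicited SYN, and stops passing traffic for a session once it has been reset.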

Stateful Filtering (diagram slide, not reproduced)

Firewall Outlines
- Packet filtering
- Application gateways
- Circuit gateways
- A combination of the above is the dynamic packet filter

Firewall Gateways
- Firewall runs a set of proxy programs
  - Proxies filter incoming and outgoing packets
  - All incoming traffic is directed to the firewall
  - All outgoing traffic appears to come from the firewall
  - Policy is embedded in the proxy programs
- Two kinds of proxies
  - Application-level gateways/proxies: tailored to HTTP, FTP, SMTP, etc.
  - Circuit-level gateways/proxies: working at the TCP level

Firewalls – Application-Level Gateway (or Proxy)
Application-Level Filtering
- Has full access to the protocol
  - User requests the service from the proxy
  - Proxy validates the request as legal
  - Then actions the request and returns the result to the user
- Needs a separate proxy for each service
  - E.g., SMTP (e-mail)
  - NNTP (net news)
  - DNS (Domain Name System)
  - NTP (Network Time Protocol)
  - Custom services are generally not supported
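What "proxy validates the request as legal" looks like for the SMTP case, as an added example (not code from the slides): the proxy understands the protocol, so it can parse each client command and refuse anything outside the subset it is willing to relay before the real mail daemon ever sees it. The allowed-verb list, the local domain and the sample commands are policy choices constructed for this example, not anything the slides prescribe.

```python
import re

# Policy for this example (assumed): SMTP verbs the proxy relays, and the
# domains it accepts mail for when the sender is outside.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
LOCAL_DOMAINS = {"example.com"}          # constructed value
MAX_LINE = 512                           # RFC 5321 command-line limit including CRLF

# MAIL FROM:<path> / RCPT TO:<path>, optionally followed by ESMTP parameters.
_ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>\s]*)>(?:\s+\S+)*\s*$", re.IGNORECASE)


def check_command(line: str) -> tuple[bool, str]:
    """Validate one client command as an application-level proxy would.

    Returns (relay, reply): relay=True means pass it on to the mail daemon;
    otherwise the proxy answers the client itself with the given SMTP reply.
    """
    if len(line) > MAX_LINE:
        return False, "500 5.5.2 Line too long"
    text = line.rstrip("\r\n")
    if not text.strip():
        return False, "500 5.5.2 Syntax error"
    verb = text.split(None, 1)[0].upper()
    if verb not in ALLOWED_VERBS:
        # e.g. VRFY, EXPN, HELP: known to the protocol, but not something
        # this proxy is willing to relay to the daemon behind it.
        return False, "502 5.5.1 Command not implemented"
    if verb in ("MAIL", "RCPT"):
        m = _ADDR.match(text)
        if not m:
            return False, "501 5.5.4 Syntax error in parameters"
        address = m.group(2)
        if verb == "RCPT":
            domain = address.rpartition("@")[2].lower()
            if domain not in LOCAL_DOMAINS:
                return False, "550 5.7.1 Relaying denied"
        # MAIL FROM:<> (the null reverse path used for bounces) is legal and relayed.
    return True, ""


def proxy_session(client_lines: list[str]) -> list[tuple[str, str]]:
    """Walk a client's command sequence; each entry is (command, 'relayed' or the proxy's reply)."""
    out = []
    for line in client_lines:
        relay, reply = check_command(line)
        out.append((line.rstrip("\r\n"), "relayed" if relay else reply))
    return out


# Constructed sample session: a legitimate delivery with two probes mixed in.
SAMPLE_SESSION = [
    "EHLO client.test\r\n",
    "VRFY root\r\n",
    "MAIL FROM:<sender@remote.test> SIZE=1000\r\n",
    "RCPT TO:<alice@example.com>\r\n",
    "RCPT TO:<bob@attacker.test>\r\n",
    "DATA\r\n",
    "QUIT\r\n",
]
```

Running `proxy_session(SAMPLE_SESSION)` relays the EHLO, MAIL, the local RCPT, DATA and QUIT, and answers the VRFY and the relaying attempt itself; only validated commands reach the daemon.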



App-level Firewall Architecture (diagram slide): a Telnet proxy, an FTP proxy and an SMTP proxy sit between the network connection and the corresponding Telnet, FTP and SMTP daemons. A daemon spawns its proxy when communication is detected.

Firewall Outlines
- Packet filtering
- Application gateways
- Circuit gateways
- A combination of the above is the dynamic packet filter

Firewalls – Circuit-Level Gateway (diagram slide, not reproduced)

Bastion Host
- Highly secure host system
- Potentially exposed to "hostile" elements
  - Hence is secured to withstand this
  - Disable all non-required services; keep it simple
- Trusted to enforce trusted separation between network connections
- Runs circuit/application-level gateways
  - Install/modify the services you want
  - Or provides externally accessible services

Screened Host Architecture (diagram slide, not reproduced)

Screened Subnet Using Two Routers (diagram slide, not reproduced)

Firewalls Aren't Perfect?
- Useless against attacks from the inside
  - Evildoer exists on the inside
  - Malicious code is executed on an internal machine
- Organizations with greater insider threat
  - Banks and military
  - Protection must exist at each layer
  - Assess risks of threats at every layer
- Cannot protect against transfer of all virus-infected programs or files
  - Because of the huge range of OSes and file types

Firewalls – Circuit-Level Gateway
- Relays two TCP connections
- Imposes security by limiting which such connections are allowed
- Once created, usually relays traffic without examining contents
- Typically used when internal users are trusted, by allowing general outbound connections
- SOCKS is commonly used for this
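The "limit which connections are allowed, then relay without looking" behaviour, shown on the SOCKS request itself as an added example (not code from the slides): the gateway decodes a SOCKS5 CONNECT request (RFC 1928, VER CMD RSV ATYP DST.ADDR DST.PORT), applies its ruleset to the client address, destination and port, and answers with the protocol's REP code; what flows over the relayed circuit afterwards is not inspected. The internal network, allowed ports and sample requests are constructed for the example; the constants are the RFC's.

```python
import ipaddress
import struct

# SOCKS5 constants (RFC 1928)
VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08

# Policy for this example (assumed): inside clients may open outbound TCP to a
# few well-known ports, and never back into the internal network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # constructed
ALLOWED_PORTS = {25, 80, 443}


def parse_request(data: bytes) -> tuple[int, int, str, int]:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; returns (cmd, atyp, addr, port)."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, off = data[1], data[3], 4
    if atyp == ATYP_IPV4:
        addr, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == ATYP_DOMAIN:
        if len(data) <= off:
            raise ValueError("truncated request")
        n = data[off]
        addr, off = data[off + 1:off + 1 + n].decode("ascii"), off + 1 + n
    elif atyp == ATYP_IPV6:
        addr, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        raise ValueError("unsupported ATYP")
    if len(data) < off + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return cmd, atyp, addr, port


def decide(client_ip: str, data: bytes) -> int:
    """Return the REP code the circuit-level gateway answers with."""
    try:
        cmd, atyp, addr, port = parse_request(data)
    except ValueError:
        return REP_FAILURE                  # malformed: refuse, do not guess
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED          # BIND / UDP ASSOCIATE not relayed here
    if ipaddress.ip_address(client_ip) not in INTERNAL_NET:
        return REP_NOT_ALLOWED              # only inside users may use the gateway
    if port not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED
    if atyp != ATYP_DOMAIN and ipaddress.ip_address(addr) in INTERNAL_NET:
        return REP_NOT_ALLOWED              # no relaying back into the premises net
    # Domain targets: a real gateway resolves the name at connect time and must
    # re-check the resolved address against INTERNAL_NET before relaying.
    return REP_SUCCESS


def reply(rep: int) -> bytes:
    """Gateway's answer: VER REP RSV ATYP BND.ADDR BND.PORT (bind address zeroed)."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00"


def build_request(host: str, port: int) -> bytes:
    """Encode a client CONNECT request (constructed test input)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, body = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        name = host.encode("ascii")
        atyp, body = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + body + struct.pack("!H", port)
```

`decide("10.1.2.3", build_request("93.184.216.34", 443))` yields REP_SUCCESS, the same request to port 22 or to an address inside 10.0.0.0/8 yields REP_NOT_ALLOWED (0x02, "connection not allowed by ruleset"), and a request from outside the internal network is refused before any destination check.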

Firewall Outlines
- Packet filtering
- Application gateways
- Circuit gateways
- A combination of the above is the dynamic packet filter

External Interface Ruleset
Allow outgoing calls; permit incoming calls only for mail and only to the gateway GW.

Note: Specify GW as the destination host instead of Net 1 to prevent open access to Net 1.

Net 1 Router Interface Ruleset
- The gateway machine speaks directly only to other machines running trusted mail server software
- Relay machines are used to call out to GW to pick up waiting mail

Note: Spoofing is avoided with the specification of G
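The two rulesets just described (external interface: outgoing calls allowed, incoming mail only to GW; Net 1 interface: GW talks only to trusted mail servers), together with the packet-filter examples from earlier slides (ingress filtering of spoofed source addresses, port-53 traffic only from trusted servers, and the implicit final rule that closes every ruleset), as one added example that is not code from the slides. It is a first-match stateless filter: the addresses, the trusted-host sets and the sample packets are constructed for the example, and "Net 1" and "GW" are the slides' names given constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed addressing for the example (not from the slides).
NET1 = ipaddress.ip_network("192.0.2.0/24")                   # the premises network
GW = ipaddress.ip_address("192.0.2.25")                        # the mail gateway
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}          # trusted mail servers inside Net 1
TRUSTED_DNS = {ipaddress.ip_address("198.51.100.53")}          # outside DNS servers we accept port 53 from

Selector = Union[None, ipaddress.IPv4Network, ipaddress.IPv4Address, set]


@dataclass(frozen=True)
class Packet:
    iface: str        # "ext" (Internet side) or "net1" (premises side)
    direction: str    # "in" = enters the router on iface, "out" = leaves the router on iface
    src: str
    dst: str
    proto: str        # "tcp" / "udp"
    dport: int


def _addr_in(addr: str, sel: Selector) -> bool:
    a = ipaddress.ip_address(addr)
    if sel is None:
        return True                      # wildcard
    if isinstance(sel, (ipaddress.IPv4Network, set)):
        return a in sel
    return a == sel


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" / "deny"
    iface: str
    direction: str
    src: Selector = None
    dst: Selector = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.direction == p.direction
                and _addr_in(p.src, self.src) and _addr_in(p.dst, self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def decide(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; an implicit 'deny' closes every ruleset."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


EXTERNAL_INTERFACE = [
    Rule("deny", "ext", "in", src=NET1),                        # ingress anti-spoofing: our own addresses never arrive from outside
    Rule("allow", "ext", "out"),                                # outgoing calls
    Rule("allow", "ext", "in", dst=GW, proto="tcp", dport=25),  # incoming mail: GW as destination host, not Net 1
    Rule("allow", "ext", "in", src=TRUSTED_DNS, proto="udp", dport=53),  # port 53 only from known trusted servers
    # Replies to outgoing calls are not covered: a stateless filter would need a
    # rule opening ports > 1024, the limitation that stateful filtering removes.
]

NET1_INTERFACE = [
    Rule("allow", "net1", "out", src=GW, dst=TRUSTED_RELAYS),  # GW speaks only to trusted mail servers
    Rule("deny", "net1", "out", src=GW),                       # a compromised GW reaches nothing else in Net 1
    Rule("allow", "net1", "out"),
    Rule("allow", "net1", "in", src=NET1),                     # egress: only Net 1 addresses originate inside
]


def evaluate() -> dict[str, str]:
    """Sample packets (constructed) against both rulesets."""
    outside, other_host = "203.0.113.7", "192.0.2.40"
    cases = {
        "outgoing_call":    (EXTERNAL_INTERFACE, Packet("ext", "out", other_host, outside, "tcp", 80)),
        "mail_to_gw":       (EXTERNAL_INTERFACE, Packet("ext", "in", outside, str(GW), "tcp", 25)),
        "mail_to_other":    (EXTERNAL_INTERFACE, Packet("ext", "in", outside, other_host, "tcp", 25)),
        "spoofed_net1_src": (EXTERNAL_INTERFACE, Packet("ext", "in", "192.0.2.9", str(GW), "tcp", 25)),
        "ssh_to_gw":        (EXTERNAL_INTERFACE, Packet("ext", "in", outside, str(GW), "tcp", 22)),
        "dns_from_trusted": (EXTERNAL_INTERFACE, Packet("ext", "in", "198.51.100.53", other_host, "udp", 53)),
        "dns_from_unknown": (EXTERNAL_INTERFACE, Packet("ext", "in", outside, other_host, "udp", 53)),
        "gw_to_relay":      (NET1_INTERFACE, Packet("net1", "out", str(GW), "192.0.2.10", "tcp", 25)),
        "gw_to_other":      (NET1_INTERFACE, Packet("net1", "out", str(GW), other_host, "tcp", 25)),
    }
    return {name: decide(rules, pkt) for name, (rules, pkt) in cases.items()}
```

Nothing that fails to match an explicit allow gets through: mail to any Net 1 host other than GW, SSH to GW, and port-53 traffic from an unknown server all fall through to the implicit deny, and the spoofed packet is stopped by the first rule even though it would otherwise match the mail rule.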


How Many Routers Do We Need?
- If routers only support outgoing filtering, we need two:
  - One to use a ruleset that protects against compromised gateways
  - One to use a ruleset that guards against address forgery and restricts access to the gateway machine
- An input filter on one port is exactly equivalent to an output filter on the other port
- If you trust the network provider, you can go without input filters
  - Filtering can be done on the output side of the router

Routing Filters
- All nodes are somehow reachable from the Internet
- Routers need to be able to control what routes they advertise over various interfaces
- Clients who employ IP source routing make it possible to reach 'unreachable' hosts
  - Enables address spoofing
  - Block source routing at the borders, not at the backbone
Routing Filters (cont.)
- Packet filters obviate the need for route filters
- Route filtering becomes difficult or impossible in the presence of complex technologies
- Route squatting: using unofficial IP addresses inside firewalls that belong to someone else
  - Difficult to choose non-addressed address space

Dual Homed Host Architecture (diagram slide, not reproduced)
