
w6 Firewalls


Firewall

Outline of Presentation
• The Nature of Today’s Attacker
• Firewall Definition and History
• What Firewalls Do and Cannot Do
• Types of Firewalls
• Firewall Architecture
• Do You Need a Firewall
• Selecting Firewall
• Implementations
• Conclusion
The Nature of Today’s Attackers

Who are these “hackers” who are trying to break into your computer?

Most people imagine someone at a keyboard late at night, guessing
passwords to steal confidential data from a computer system.
This type of attack does happen, but it makes up a very small portion of
the total network attacks that occur.

Today, worms and viruses initiate the vast majority of attacks. Worms and
viruses generally find their targets randomly.

As a result, even organizations with little or no confidential
information need firewalls to protect their networks from these automated
attackers.
What Is a Firewall?
The term firewall has been around for quite some time and originally was used to
define a barrier constructed to prevent the spread of fire from one part of a building
or structure to another. Network firewalls provide a barrier between networks that
prevents or denies unwanted or unauthorized traffic.

Definition: A Network Firewall is a system or group of systems used to control access
between two networks -- a trusted network and an untrusted network -- using pre-
configured rules or filters.
What Is a Firewall?
• Firewalls can be hardware based, software based, or both.
– Ex. Some routers come with firewall functionality
– ipfw, ipchains and pf on Unix systems; Windows XP and Mac OS X have
built-in firewalls
• Firewalls can be composed of a single router, multiple routers, a single
host system or multiple hosts running firewall software, hardware
appliances specifically designed to provide firewall services. They vary
greatly in design, functionality, architecture, and cost.
• A firewall is also called a Border Protection Device (BPD) in certain military
contexts where a firewall separates networks by creating perimeter
networks in a DMZ “Demilitarized Zone”.
Firewalls History

The first firewalls were developed by the Digital Equipment Corporation (DEC) back in
the late 1980s.
First generation - packet filters
Packet Filtering mechanisms work in the network layer of the OSI model. In packet
filtering, each packet passing through a firewall is compared to a set of rules before it
is allowed to pass through. For example, if a certain destination IP address is found in
a packet, it could be dropped, or if the packet conforms to a certain protocol (e.g. HTTP),
it could be dropped for companies which do not allow internet access to their
employees. This system was published in 1988 by Jeff Mogul from Digital Equipment
Corporation (DEC).

Second generation - circuit level

From 1980-1990 two colleagues from AT&T Company developed the second
generation of firewalls, known as circuit level firewalls. Circuit level gateway
firewalls work at the session layer of the OSI model. They monitor the TCP handshaking
between the packets to determine if a requested session is legitimate. The
information passed through a circuit level gateway to the internet appears to have
come from the circuit level gateway, so there is no way for a remote computer or
host to determine the internal private IP addresses of an organization.
Firewalls History
Third generation - application layer
Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T
Laboratories described a third generation firewall, also known as the proxy based
firewall. Application level firewalls decide whether to drop a packet or send it
through based on the application information (available in the packet). They do this by
setting up various proxies on a single firewall for different applications. Both the client
and the server connect to these proxies instead of connecting directly to each other.

Next generations (DPI)

• In 1992, Bob Braden and Annette DeSchon at the University of Southern California
(USC) were developing their own fourth generation packet filter firewall system.
• Cisco, one of the largest internet security companies in the world, released its PIX
(“Private Internet EXchange”) product to the public in 1997.
• Since 1999, IBM’s intrusion prevention products have been using deep packet
inspection to protect networks. The core IPS protection engine is the IBM Protocol
Analysis Module (PAM), developed by IBM X-Force.
What Firewalls Do (Positive Effects)
Positive Effects

User authentication.
Firewalls can be configured to require user authentication. This allows network
administrators to control and track specific user activity.

Auditing and logging.
By configuring a firewall to log and audit activity, information may be kept
and analyzed at a later date.
What Firewalls Do (Positive Effects)

Anti-Spoofing - Detecting when the source of the network traffic is being "spoofed",
i.e., when an individual attempting to access a blocked service alters the source
address in the message so that the traffic is allowed.

Network Address Translation (NAT) - Changing the network addresses of devices on
any side of the firewall to hide their true addresses from devices on other sides. There
are two ways NAT is performed:

– One-to-One - where each true address is translated to a unique translated
address.
– Many-to-One - where all true addresses are translated to a single address,
usually that of the firewall.
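The two NAT modes just listed, as an added example that is not part of the original slides. Many-to-one NAT cannot tell inside hosts apart by address alone once they share the firewall's public address, so it also rewrites the source port and keeps a table mapping each translated port back to the (private address, private port) it stands for; the addresses, ports and table layout here are constructed for the demonstration.

```python
"""Constructed example: one-to-one and many-to-one (port-overloading) NAT.

Added illustration, not code from the original slides. Addresses, ports
and the translation tables are all made up for the demonstration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class OneToOneNAT:
    """Each private address maps to its own public address; ports are untouched."""

    def __init__(self, mapping):
        self.private_to_public = dict(mapping)
        self.public_to_private = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, pkt):
        pub = self.private_to_public.get(pkt.src_ip)
        if pub is None:
            return None  # no mapping: drop rather than leak a private address
        return replace(pkt, src_ip=pub)

    def inbound(self, pkt):
        priv = self.public_to_private.get(pkt.dst_ip)
        if priv is None:
            return None
        return replace(pkt, dst_ip=priv)


class ManyToOneNAT:
    """All private addresses share the firewall's single public address.

    Because the address alone cannot distinguish inside hosts, the translation
    also rewrites the source port and remembers which inside (ip, port) each
    public port stands for. Inbound packets with no table entry are dropped.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (proto, public_port) -> (private_ip, private_port)
        self.reverse = {}  # (proto, private_ip, private_port) -> public_port

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited inbound packet: no inside host to deliver it to
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    nat = ManyToOneNAT("203.0.113.1")
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    print(out)
    print(nat.inbound(Packet("198.51.100.7", 443, "203.0.113.1", out.src_port)))
```

Note that the `inbound` lookup in `ManyToOneNAT` is what gives many-to-one NAT its side effect of blocking unsolicited inbound traffic: a packet aimed at a public port that no inside host has used simply has nowhere to go.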
What Firewalls Do (Positive Effects)
Virtual Private Networks

VPNs are communications sessions traversing public networks that have been made
virtually private through the use of encryption technology. VPN sessions are defined
by creating a firewall rule that requires encryption for any session that meets specific
criteria.
What Firewalls Do (Negative Effects)

Negative Effects

Although firewall solutions provide many benefits, negative effects may also be
experienced.

– Traffic bottlenecks. By forcing all network traffic to pass through the firewall,
there is a greater chance that the network will become congested.

– Single point of failure. In most configurations where firewalls are the only link
between networks, if they are not configured correctly or are unavailable, no
traffic will be allowed through.
What Firewalls Do (Negative Effects)

– Increased management responsibilities. A firewall often adds to network
management responsibilities and makes network troubleshooting more
complex.
What Firewalls Cannot Do
The most common misconception about firewalls is that they guarantee security for
your network.

A firewall cannot and does not guarantee that your network is 100% secure.

Firewalls cannot offer any protection against inside attacks. A high percentage of
security incidents today come from inside the trusted network.

In most implementations, firewalls cannot provide protection against viruses or
malicious code. Since most firewalls do not inspect the payload or content of the
packet, they are not aware of any threat that may be contained inside.

Finally, no firewall can protect against inadequate or mismanaged policies.


How Firewalls Work

Firewall rule sets are consolidated into two commonly
used firewall security policies:
– Deny-everything-not-specifically-allowed, which sets
the firewall in such a way that it denies all traffic and
services except a few that are added as the
organization's needs develop.
– Allow-everything-not-specifically-denied, which lets in
all the traffic and services except those on the
“forbidden” list, which is developed as the
organization’s dislikes grow.
Types of Firewalls
Firewall types can be categorized depending on:
– The function or methodology the firewall uses
– Whether the communication is being done between a single node and the
network, or between two or more networks.
– Whether the communication state is being tracked at the firewall or not.
Types of Firewalls

1. By the firewall's methodology:

– Packet Filtering
– Stateful Packet Inspection
– Application Gateways/Proxies
– Adaptive Proxies
– Circuit Level Gateway
Packet Filtering Firewall

A packet filtering firewall does exactly what its name implies -- it filters packets.

As each packet passes through the firewall, it is examined and information
contained in the header is compared to a pre-configured set of rules or filters. An
allow or deny decision is made based on the results of the comparison. Each packet is
examined individually without regard to other packets that are part of the same
connection.
Packet Filtering Firewall

Figure: a trusted network and an untrusted network separated by a firewall applying a
rule set; a packet that fails the rule set is blocked or discarded.
Packet Filtering Firewall
A packet filtering firewall is often called a network layer firewall because the filtering is
primarily done at the network layer (layer three) or the transport layer (layer four) of
the OSI reference model.
Packet Filtering Firewall
You use packet filters to instruct a firewall to drop traffic that meets certain criteria.

For example, you could create a filter that would drop all ping requests. You can
also configure filters with more complex exceptions to a rule.

Packet filtering rules or filters can be configured to allow or deny traffic based on one
or more of the following variables:

– Source IP address
– Destination IP address
– Protocol type (TCP/UDP)
– Source port
– Destination port
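The two security policies described under “How Firewalls Work” and the five header fields listed above, as an added example that is not part of the original slides. The rule engine, rule set, network ranges and sample packets are constructed for the demonstration; it evaluates the same four packets under a deny-everything-not-specifically-allowed rule set and an allow-everything-not-specifically-denied one, so the difference in what slips through (the last packet, to a service nobody thought to list) is visible.

```python
"""Constructed example: a stateless packet filter evaluated over the 5-tuple.

Added illustration, not code from the original slides. The rule sets and
sample packets are made up; addresses come from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int = 0   # 0 for protocols without ports (ICMP)
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # CIDR; any source by default
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any protocol
    dst_port: Optional[int] = None    # None matches any destination port

    def matches(self, pkt):
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class PacketFilter:
    """First matching rule wins; the default policy applies when none matches.
    Each packet is judged on its own header, with no memory of earlier packets."""

    def __init__(self, rules, default):
        assert default in ("allow", "deny")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


TRUSTED = "192.0.2.0/24"   # constructed "trusted network" range

# Deny-everything-not-specifically-allowed: only the listed services pass.
default_deny = PacketFilter(
    [Rule("allow", dst=TRUSTED, proto="tcp", dst_port=80),
     Rule("allow", dst=TRUSTED, proto="tcp", dst_port=443)],
    default="deny")

# Allow-everything-not-specifically-denied: only the "forbidden list" is blocked.
default_allow = PacketFilter(
    [Rule("deny", dst=TRUSTED, proto="icmp"),                 # drop all pings
     Rule("deny", dst=TRUSTED, proto="tcp", dst_port=23)],    # no telnet
    default="allow")

# Constructed sample traffic arriving from the untrusted side.
SAMPLE = [
    Packet("198.51.100.9", "192.0.2.10", "tcp", 40001, 443),   # HTTPS to a web server
    Packet("198.51.100.9", "192.0.2.10", "icmp"),              # ping
    Packet("198.51.100.9", "192.0.2.10", "tcp", 40002, 23),    # telnet
    Packet("198.51.100.9", "192.0.2.10", "tcp", 40003, 3389),  # a service nobody listed
]


def evaluate(fw, packets):
    """Return the allow/deny verdict for each packet in order."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("deny-by-default :", evaluate(default_deny, SAMPLE))
    print("allow-by-default:", evaluate(default_allow, SAMPLE))
```

The fourth packet is the point: under the forbidden-list policy it is allowed simply because nobody wrote a rule for it, which is why the deck's later warning that an open port is open to all traffic applies with extra force to allow-by-default rule sets.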
Example Packet Filtering Firewall
Packet Filtering
Strengths :

Packet filtering is typically faster than other packet screening methods. Because packet
filtering is done at the lower levels of the OSI model, the time it takes to process a
packet is much quicker.

Packet filtering firewalls can be implemented transparently. They typically require no
additional configuration for clients.

Packet filtering firewalls are typically less expensive. Many hardware devices and
software packages have packet filtering features included as part of their standard
package.
Packet Filtering
Weaknesses

Packet filtering firewalls allow a direct connection to be made between the two
endpoints. Although this type of packet screening is configured to allow or deny traffic
between two networks, the client/server model is never broken.

Packet filtering firewalls are fast and typically have no impact on network
performance, but it's usually an all-or-nothing approach. If ports are open, they are
open to all traffic passing through that port, which in effect leaves a security hole in
your network.

Defining rules and filters on a packet filtering firewall can be a complex task.
Packet Filtering (Weaknesses)

Packet filtering firewalls are prone to certain types of attacks. Since packet inspection
goes no deeper than the packet header information, there are three common exploits
to which packet filtering firewalls are susceptible.

– IP spoofing: sending your data while faking a source address that the firewall will
trust.

– ICMP (Internet Control Message Protocol) tunneling: ICMP tunneling allows a hacker
to insert data into a legitimate ICMP packet.
Stateful Packet Inspection
Stateful packet inspection uses the same fundamental packet screening technique that
packet filtering does. In addition, it examines the packet header information from the
network layer of the OSI model to the application layer to verify that the packet is part
of a legitimate connection and the protocols are behaving as expected.
Stateful Packet Inspection Firewall
As packets pass through the firewall, packet header information is examined and
fed into a dynamic state table where it is stored. The packets are compared to pre-
configured rules or filters and allow or deny decisions are made based on the results of the
comparison.

The data in the state table is then used to evaluate subsequent packets to verify
that they are part of the same connection.

The connection state is derived from information gathered in previous packets.
It is an essential factor in making the decision for new communication attempts.
Stateful packet inspection compares the packets against the rules or filters and then checks
the dynamic state table to verify that the packets are part of a valid, established
connection.
By having the ability to "remember" the status of a connection, this method of packet
screening is better equipped to guard against attacks than standard packet filtering.
Stateful Packet Inspection Firewall

This method can make decisions based on one or more of the following:

Source IP address
Destination IP address
Protocol type (TCP/UDP)
Source port
Destination port
Connection state
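The state table described above, as an added example that is not part of the original slides. It puts a stateless rule set next to a simplified stateful tracker and runs the same constructed packet sequence through both. The stateless set must leave source port 443 open inbound so that replies get back to inside hosts, so any inbound packet bearing that source port is accepted; the stateful tracker only accepts inbound packets that belong to a connection it saw an inside host open, and forgets the connection once it is torn down. Addresses, ports, flags and the state machine are constructed and simplified (real TCP tracking handles timeouts, sequence numbers and half-closed connections).

```python
"""Constructed example: stateful inspection versus stateless filtering of
return traffic.

Added illustration, not code from the original slides. Packets, flags and
addresses are made up; the tracker is a deliberately small TCP state machine.
"""
from dataclasses import dataclass

TRUSTED_NET = "192.0.2."   # constructed trusted range, matched by prefix


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def from_trusted(pkt):
    return pkt.src_ip.startswith(TRUSTED_NET)


def stateless_decide(pkt):
    """Stateless rule set: inside hosts may reach port 443; replies whose
    source port is 443 are let back in. That port is now open to all traffic."""
    if from_trusted(pkt) and pkt.dst_port == 443:
        return "allow"
    if not from_trusted(pkt) and pkt.src_port == 443:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Allows outbound connections to 443 and only those inbound packets that
    belong to a connection the state table saw being opened from inside."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) -> state
        self.table = {}

    @staticmethod
    def key(pkt):
        if from_trusted(pkt):
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt):
        k = self.key(pkt)
        state = self.table.get(k)
        if state is None:
            # Only an inside host sending a bare SYN to a permitted service opens an entry.
            if from_trusted(pkt) and pkt.flags == frozenset({"SYN"}) and pkt.dst_port == 443:
                self.table[k] = "SYN_SENT"
                return "allow"
            return "deny"   # unsolicited, whichever direction it comes from
        if state == "SYN_SENT":
            if not from_trusted(pkt) and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[k] = "ESTABLISHED"
                return "allow"
            if from_trusted(pkt) and pkt.flags == frozenset({"SYN"}):
                return "allow"   # SYN retransmission
            return "deny"        # anything else is out of sequence for this connection
        # ESTABLISHED: traffic flows both ways until either side tears it down.
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            del self.table[k]    # simplification: forget the entry at the first FIN/RST
        return "allow"


# Constructed traffic: one legitimate HTTPS session plus two packets that
# merely happen to carry source port 443.
INSIDE, OUTSIDE, OTHER = "192.0.2.10", "198.51.100.7", "203.0.113.66"
SEQUENCE = [
    TcpPacket(INSIDE, 51000, OUTSIDE, 443, frozenset({"SYN"})),          # inside opens
    TcpPacket(OUTSIDE, 443, INSIDE, 51000, frozenset({"SYN", "ACK"})),   # server replies
    TcpPacket(OUTSIDE, 443, INSIDE, 51000, frozenset({"ACK"})),          # data back
    TcpPacket(OTHER, 443, INSIDE, 22, frozenset({"SYN"})),               # unrelated host, src port 443
    TcpPacket(INSIDE, 51000, OUTSIDE, 443, frozenset({"FIN", "ACK"})),   # inside closes
    TcpPacket(OUTSIDE, 443, INSIDE, 51000, frozenset({"ACK"})),          # arrives after teardown
]


def run_stateless(packets):
    return [stateless_decide(p) for p in packets]


def run_stateful(packets):
    fw = StatefulFirewall()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run_stateless(SEQUENCE))
    print("stateful :", run_stateful(SEQUENCE))
```

The fourth and sixth packets are the ones that separate the two approaches: the stateless filter admits both because the header matches an open port, while the stateful tracker denies them because no entry in its table says an inside host asked for them.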
Stateful Packet Inspection Firewall

Figure: a trusted network and an untrusted network separated by a stateful inspection
firewall; a packet that fails inspection is blocked or discarded.
Example Stateful Packet Inspection Firewall
Stateful Packet Inspection
Strengths :

Like packet filtering firewalls, they have very little impact on network performance.

They are more secure than basic packet filtering firewalls, because stateful packet
inspection digs deeper into the packet header information to determine the connection
state between endpoints.

They usually have some logging capabilities. Logging can help identify and track the
different types of traffic that pass through the firewall.
Stateful Packet Inspection
Weaknesses

Like packet filtering, stateful packet inspection does not break the client/server model
and therefore allows a direct connection to be made between the two endpoints.

Rules and filters in this packet screening method can become complex, hard to
manage, prone to error and difficult to test.
Application Gateways/Proxies

The proxy plays middleman in all connection attempts.

The application gateway/proxy acts as an intermediary between the two endpoints.
This packet screening method actually breaks the client/server model in that two
connections are required: one from the source to the gateway/proxy and one from the
gateway/proxy to the destination. Each endpoint can only communicate with the
other by going through the gateway/proxy.
Application Gateways/Proxies
This type of firewall operates at the application level of the OSI model. For source and
destination endpoints to be able to communicate with each other, a proxy service
must be implemented for each application protocol.

The gateways/proxies are carefully designed to be reliable and secure because they
are the only connection point between the two networks.
Application Gateways/Proxies
Application Gateways/Proxies Firewall
When a client issues a request from the untrusted network, a connection is
established with the application gateway/proxy. The proxy determines if the request is
valid (by comparing it to any rules or filters) and then sends a new request on behalf
of the client to the destination. By using this method, a direct connection is never
made from the trusted network to the untrusted network and the request appears to
have originated from the application gateway/proxy.

Figure: a workstation on the untrusted network, the application gateway (proxy
service), and the trusted network; each side connects only to the proxy.
Application Gateways/Proxies Firewall
The response is sent back to the application gateway/proxy, which determines if it is
valid and then sends it on to the client.

By breaking the client/server model, this type of firewall can effectively hide the
trusted network from the untrusted network.

It is important to note that the application gateway/proxy actually builds a new
request, only copying known acceptable commands before sending it on to the
destination.

Unlike packet filtering and stateful packet inspection, an application gateway/proxy
can see all aspects of the application layer, so it can look for more specific pieces of
information.
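The “builds a new request, only copying known acceptable commands” behaviour just described, as an added example that is not part of the original slides. It is a gateway for one application protocol (HTTP/1.1) that parses the client's request, refuses anything outside a small allow-list of methods, hosts and headers, and then serialises a fresh request of its own rather than forwarding the client's bytes, so unknown headers, duplicate Host headers or a request body never reach the server. The allow-lists, host names and sample requests are constructed; the network side (accepting the client and opening the upstream connection) is left out so the decision logic can run offline.

```python
"""Constructed example: an application gateway that rebuilds an HTTP request
instead of relaying the client's bytes.

Added illustration, not code from the original slides. The allow-lists,
sample requests and host names are made up for the demonstration.
"""

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HEADERS = {"host", "accept", "user-agent", "accept-language"}
ALLOWED_HOSTS = {"www.example.com"}


class ProxyReject(ValueError):
    """Raised when the request is not something the proxy is willing to rebuild."""


def parse_request(raw: bytes):
    """Split a request into (method, target, version, headers, body).
    Anything that is not a well-formed request head is rejected outright."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ProxyReject("non-ASCII bytes in request head")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ProxyReject("malformed request line")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ProxyReject("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers, body


def rebuild_request(raw: bytes) -> bytes:
    """Validate the client's request and return a freshly built one."""
    method, target, version, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method {method} not permitted")
    if version != "HTTP/1.1":
        raise ProxyReject(f"version {version} not permitted")
    if not target.startswith("/") or ".." in target.split("/"):
        raise ProxyReject("request target must be an absolute path without '..'")
    if body:
        raise ProxyReject("body not permitted for allowed methods")
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1 or hosts[0] not in ALLOWED_HOSTS:
        raise ProxyReject("exactly one Host header naming a permitted host is required")
    # Build a new request: only allow-listed headers are copied, in the order
    # seen, so unknown or duplicated headers never reach the server.
    kept = [(n, v) for n, v in headers if n in ALLOWED_HEADERS]
    out = [f"{method} {target} HTTP/1.1"]
    out += [f"{n.title()}: {v}" for n, v in kept]
    out.append("Connection: close")  # the proxy owns the upstream connection
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")


def proxy_decision(raw: bytes):
    """Return ("forward", rebuilt_bytes) or ("reject", reason)."""
    try:
        return "forward", rebuild_request(raw)
    except ProxyReject as e:
        return "reject", str(e)


# Constructed sample requests as a client on the untrusted side might send them.
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: demo\r\nX-Debug: 1\r\n\r\n")
POST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\ndata"
BAD_HOST = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, POST, BAD_HOST):
        print(proxy_decision(req))
```

The rebuilt request for `GOOD` keeps `Host` and `User-Agent`, silently drops the unknown `X-Debug` header, and adds the proxy's own `Connection: close`; this is the practical meaning of the proxy "only copying known acceptable commands" rather than passing the client's bytes through.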
Application Gateways/Proxies
Strengths

Application gateways/proxies do not allow a direct connection to be made between
endpoints. They actually break the client/server model.

Typically have the best content filtering capabilities. Since they have the ability to
examine the payload of the packet, they are capable of making decisions based on
content.

Allow the network administrator to have more control over traffic passing through the
firewall. They can permit or deny specific applications or specific features of an
application.
Application Gateways/Proxies

Weaknesses

The most significant weakness is the impact they can have on performance:
proxying requires more processing power and has the potential to become a
bottleneck for the network.

Typically require additional client configuration. Clients on the network may require
specialized software or configuration changes to be able to connect to the application
gateway/proxy.
Adaptive Proxies / Hybrid Proxy
Also known as dynamic proxies.

Developed as an enhanced form of application gateways/proxies, combining the
merits of both application gateways/proxies and packet filtering.
Circuit-level Gateway
• Unlike a packet filtering firewall, a circuit-level gateway does not examine individual
packets. Instead, circuit-level gateways monitor TCP or UDP sessions.
• Once a session has been established, it leaves the port open to allow all other
packets belonging to that session to pass. The port is closed when the session is
terminated.
• Circuit-level gateways operate at the transport layer (layer 4) of the OSI model.
Types of Firewalls

2. With regard to the scope of the filtered communication, whether it is between a single
node and the network or between two or more networks, there exist:

– Personal Firewalls, a software application which normally filters traffic
entering or leaving a single computer.
– Network firewalls, normally running on a dedicated network device or
computer positioned on the boundary of two or more networks.
Types of Firewalls

3. Finally, depending on whether the firewall keeps track of the state of
network connections or treats each packet in isolation, two additional categories of
firewalls exist:

– Stateful firewall
– Stateless firewall
Types of Firewalls
Stateful firewall

Keeps track of the state of network connections (such as TCP streams)
traveling across it.

A stateful firewall is able to hold in memory significant attributes of each
connection, from start to finish. These attributes, which are collectively known
as the state of the connection, may include such details as the IP addresses
and ports involved in the connection and the sequence numbers of the
packets traversing the connection.
Types of Firewalls
Stateless firewall

Treats each network frame (Packet) in isolation. Such a firewall has no way of
knowing if any given packet is part of an existing connection, is trying to
establish a new connection, or is just a rogue packet.

The classic example of a protocol that a stateless firewall cannot handle well is the
File Transfer Protocol, because by design it opens new connections to random ports.
Firewall Architecture
Since firewall solutions can be configured using a single system or multiple
systems, the architecture used to implement the solution can be simple or
complex.

– Packet Filtering Router
– Screened Host (Bastion Host)
– Dual-homed Gateway
– Screened Subnet or Demilitarized Zone (DMZ)
– Firewall Appliance
Packet Filtering Router
A packet filtering router is a router configured to screen packets between two
networks. It routes traffic between the two networks and uses packet filtering rules to
permit or deny traffic.

Figure: a filtering router placed between the trusted network and the untrusted network.
Screened Host (Bastion Host)
• The firewall consists of two systems:
– A packet filtering router
– A bastion host
• The router provides packet filters for
some basic services
• The bastion host proxies more risky
services
• Not suitable for exporting
services
Bastion Host
• A system identified by the firewall administrator as a critical strong point in the
network’s security
• Hardware with its own secured version of the OS
• Only allowable services are installed
• May require additional authentication from users for accessing services
• The bastion host serves as a platform for an application-level or circuit-level
gateway
• A bastion host has the following characteristics:
• Traffic from the Internet can only reach the bastion host; it cannot reach
the internal network.
• Only traffic bearing the IP address of the bastion host can go to the Internet.
No traffic from the internal network can go to the Internet.
Dual-homed Gateway
• A dual-homed gateway firewall
consists of a highly secured host
system running proxy software
• It has two network interfaces, one on
each side of the firewall .
• Only gateways or proxies for the
services that are considered essential
are installed on the system.
• In this case, even if the router is
compromised, the internal network
will remain unaffected since it is in
a separate network zone.
Screened Subnet or Demilitarized Zone (DMZ)
• Created between two packet filtering
routers.
• The exterior router is the only
connection between the enterprise
network and the outside world
• The interior router does the bulk of
the access control work. It filters
packets
• The bastion host is a secure server. It
provides an interconnection point
between the enterprise network and
the outside world for the restricted
services
• The perimeter network connects the
servers together and connects the
exterior router to the interior router
Do you need a firewall?
The decision to implement a firewall solution should not be made without doing some
research and analysis.

What does the firewall need to control or protect?

In order to make a sound decision, first identify what functions the firewall
would need to perform. Will it control access to and from the network, or will it
protect services and users?

– What would the firewall control?
• Access into the network
• Access out of the network
• Access between internal networks, departments, or buildings
• Access for specific groups, users or addresses
• Access to specific resources or services
Do you need a firewall?
What would it need to protect?

– Specific machines or networks
– Specific services
– Information - private or public
– Users
Do you need a firewall?
What impact will a firewall have on your organization, network and users?

– What resources will be required to implement and maintain a firewall
solution?
– Who will do the work? Are experienced technical personnel available for the
job or will someone need to be hired from outside your organization?
– Is hardware available that meets the requirements to support a firewall
solution?
– Will existing services be able to function through a firewall?
– What will the financial impact be on the organization? (Financial impact
should include initial implementation costs, ongoing maintenance and
upgrades, hardware and software costs, and technical support costs, whether
the support is provided in-house or from an outside source.)
Selecting Firewall Solution
In order to pick the best architecture and packet screening method for a
firewall solution, the following questions should be considered:

What does the firewall need to do?

What additional services would be desirable?

How will it fit in the existing network?

How will it affect existing services and users?


Security Policy
The success of any firewall solution's implementation is directly related to the
existence of a well-thought-out and consistently-implemented security policy.

Some of the topics a security policy may address are:

Administrative Issues

– User access - Which users will be allowed access to and from the network?
– Access to services - Which services will be allowed in and out of the network?
– Access to resources - Which resources will be available to users?
– User authentication - Will the organization require user authentication?
– Logging and auditing - Will the organization want to keep log and audit files?
– Policy violation consequences - What will be the consequences of policy violation?
– Responsibilities - Who will oversee and administer the security policy? Who has final authority on
decisions?
Security Policy
Technical Issues

– Remote access - Will the organization allow remote access to the network?

– Physical security - How will physical security of machines, one of the most
obvious security elements that is often overlooked, be achieved?

– Virus protection - How will the organization handle virus protection?


Implementations
Software
– Devil-Linux
– Dotdefender
– ipfirewall
– PAN-OS
– Symantec …

Hardware
– Cisco Firepower NGFW & ASA
– DataPower
– SofaWare Technologies
Source gartner.com
Conclusion
Don’t make the mistake of thinking that no one will attack your network, because with
the rise in automated attack tools, your network is as much at risk as every other
network on the Internet.

The need for firewalls has led to their ubiquity. Nearly every organization connected to
the Internet has installed some sort of firewall.

When choosing and implementing a firewall solution, make a decision based on the
organization's needs, security policy, technical analysis, and financial resources.
Solutions available today utilize different types of equipment, network configurations,
and software.
HAPPY LEARNING!!
