Cybersecurity technology and best practices protect critical systems and sensitive information from an ever-growing volume of continually evolving threats
Cyber Security III
Server Management and Firewalls
Dr. Smita Kachole
Firewalls
• Before the advent of computers and networking, the term “Firewall” referred to a feature of buildings: “a fireproof wall used as a barrier to prevent the spread of fire”.
• As the Internet developed from an academic resource to an open community, the need to stop unwanted attacks on computer networks arose.
• A firewall is a piece of software or hardware that filters all network traffic between your computer, home network, or company network and the Internet.

What Firewalls Do
• Block incoming network traffic based on source or destination.
• Block outgoing network traffic based on source or destination. For example, you may want to prevent employees from accessing inappropriate Web sites.
• Block network traffic based on content. More advanced firewalls can screen network traffic for unacceptable content. For example, a firewall that is integrated with a virus scanner can prevent files that contain viruses from entering your network. Other firewalls integrate with e-mail services to screen out unacceptable e-mail.
• Make internal resources available. Although the primary purpose of a firewall is to prevent unwanted network traffic from passing through it, you can also configure many firewalls to allow selective access to internal resources, such as a public Web server, while still preventing other access from the Internet to your internal network.
• Allow connections to the internal network. A common method for employees to connect to a network is using virtual private networks (VPNs). VPNs allow secure connections from the Internet to a corporate network. For example, telecommuters and traveling salespeople can use a VPN to connect to the corporate network. VPNs are also used to connect branch offices to each other. Some firewalls include VPN functionality and make it easy to establish such connections.
What Firewalls Do
• Report on network traffic and firewall activities: When screening network traffic to and from the Internet, it’s also important to know what your firewall is doing, who tried to break into your network, and who tried to access inappropriate material on the Internet. Most firewalls include a reporting mechanism of some kind or another.

Basic Functions of a Firewall
• Packet filtering: The headers of all network packets going through the firewall are inspected. The firewall makes an explicit decision to allow or block each packet.
• Network Address Translation (NAT): The outside world sees only one or more outside IP addresses of the firewall. The internal network can use any address in the private IP address range. Source and destination addresses in network packets are automatically changed (or “translated”) back and forth by the firewall.
• Application proxy: The firewall is capable of inspecting more than just the header of the network packets. This capability requires the firewall to understand the specific application protocol.
• Monitoring and logging: Even with a solid set of rules, logging what happens at the firewall is important. Doing so can help you analyze a possible security breach later and gives feedback on the performance and actual filtering done by the firewall.

Advanced Functions
• Data caching: Because the same data or the contents of the same Web site may pass the firewall repeatedly in response to requests from different users, the firewall can cache that data and answer more quickly without fetching the data anew from the actual Web site every time.
• Content filtering: Firewall rules may be used to restrict access to certain inappropriate Web sites based on URLs, keywords, or content type (video streams, for example, or executable e-mail attachments).
• Intrusion detection: Certain patterns of network traffic may indicate an intrusion attempt in progress. Instead of just blocking the suspicious network packets, the firewall may take active steps to further limit the attempt, for example by disallowing the sender IP address altogether or alerting an administrator.
• Load balancing: From a security standpoint, a single point of entry is good. But from an availability standpoint, this single point of entry may lead to a single point of failure as well. Most firewalls allow incoming and outgoing network requests to be distributed among two or more cooperating firewalls.

Security threats that a firewall can’t protect you from
• Inside attack: Users on the internal network have already passed the firewall. The firewall can do nothing to stop internal network snooping or intrusion attempts from within.
• Other security measures, such as configuring restricted permissions on workstations and servers, and enabling the auditing of network access, should be implemented to protect against these kinds of attacks.
• Social engineering: This is the term used to describe attacks in which hackers obtain information by calling employees and pretending to be a colleague at the front desk, a member of the security staff, or just somebody from the firm doing routine checks.
• This person asks for privileged information, such as server names, IP addresses, or passwords. Employees should be aware of these tactics and know that certain information should never be given.

Security threats that a firewall can’t protect you from
• Viruses and Trojan horse programs: Firewalls attempt to scan for viruses in all network traffic, but these programs change constantly. Distinguishing between acceptable e-mail attachments and malicious content continues to be a problem for computer users.
• Trojan horse programs are perhaps even harder to spot, because they don’t attempt to spread to other files or computers like their virus sisters. A very small Trojan horse program that is run once by an unsuspecting user can open up a back door to his computer.

Security threats that a firewall can’t protect you from
• Poorly trained firewall administrators: The firewall doesn’t know what is acceptable and what is not unless an administrator tells it. Competent firewall administrators should correctly specify which network traffic should be blocked.
• Most firewalls, however, can easily be confused by fragmented IP packets and should be explicitly configured to handle such fragments.

Types of firewalls
• Packet Filter Firewalls-
• The first firewalls used Internet Protocol (IP) router technology, the network layer, and filtering rules to determine whether network traffic was allowed access to the network.
• Packet filter firewalls could only allow or deny network communication. The filtering rules had to be manually altered by the firewall administrator.
• The filtering rules examined incoming or outgoing packets, allowing or disallowing their transmission. The basis for these rules was often the source IP address, the destination port and the protocol used.

Types of firewalls
• One problem of the first packet filter firewall was that, because it used IP router technology that passed traffic through the connection, it allowed direct connections between networks through address authorisation.
• To correct this problem, a further series of firewalls was developed between 1989 and 1990 using circuit level firewall gateways.

Types of firewalls
• Circuit Level Firewalls-
• Circuit level firewall gateways were used for Transmission Control Protocol (TCP) connections.
• They examined each connection setup to ensure it followed a legitimate TCP “handshake”.
• The circuit level firewall then checks its records to make sure that the sender is allowed to send to the receiver and the receiver is allowed to receive from the sender.
• If the answer is “yes” to both conditions, the connection and all associated packets are routed through with no further security checks.

Types of firewalls
• Application Layer Firewalls-
• This new generation of firewalls uses filters and application gateways or proxies to control traffic entering or leaving their networks. The application layer firewall is an intermediary between the internal network and the Internet.
• An application layer firewall has two primary functions: to act as a proxy server or as a proxy client.
• This means that the firewall is the go-between for any communication that crosses between the two networks (internal network and Internet).
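The following is an added example, not part of the slides or any product they mention: a toy application-layer proxy filter in Python. It shows what "the go-between for any communication" can do that a packet filter cannot: it reads the application data before relaying it, keeps one inspector per service (so a service with no proxy is simply refused), and produces an audit line for every decision. The host names, ports, method list and traffic samples are all constructed for the demonstration.

```python
"""Added example (not from the slides): a toy application-layer proxy filter.

The application layer firewall terminates the client's connection and looks at
the application data before deciding whether to relay it. One inspector is
registered per application-level service, so traffic for a service that has no
proxy is refused. Host names, ports and policy values are constructed for the
demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    log: str          # one audit line; the proxy sees all traffic, so it can log all of it

# Constructed policy: sites not related to the business, and the HTTP methods the proxy relays.
BLOCKED_HOSTS = {"webmail.example", "p2p-tracker.example"}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

def inspect_http(payload: bytes, client: str) -> Decision:
    """Parse the request line and Host header of an HTTP/1.x request and apply policy."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return Decision(False, "request head is not ASCII", f"{client} http DENY non-ascii")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    # Anything sent to the web port that is not an HTTP request line (for example a
    # peer-to-peer handshake trying to hide on port 80) fails here.
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return Decision(False, "not an HTTP request line", f"{client} http DENY malformed")
    method, target, _ = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    if method not in ALLOWED_METHODS:
        return Decision(False, f"method {method} not relayed", f"{client} http DENY method={method}")
    if not host:
        return Decision(False, "missing Host header", f"{client} http DENY no-host")
    if host in BLOCKED_HOSTS:
        return Decision(False, f"{host} is blocked by policy", f"{client} http DENY host={host}")
    return Decision(True, "HTTP request accepted", f"{client} http ALLOW {method} {host}{target}")

def inspect_smtp(payload: bytes, client: str) -> Decision:
    """Minimal SMTP proxy check: the client's first command must be HELO or EHLO."""
    words = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").upper().split()
    if len(words) >= 2 and words[0] in ("HELO", "EHLO"):
        return Decision(True, "SMTP session opened correctly", f"{client} smtp ALLOW {words[1]}")
    return Decision(False, "SMTP session did not start with HELO/EHLO", f"{client} smtp DENY bad-greeting")

# One proxy (inspector) per application-level service, keyed by the service's usual port.
INSPECTORS: Dict[int, Callable[[bytes, str], Decision]] = {80: inspect_http, 25: inspect_smtp}

def proxy_decide(dst_port: int, payload: bytes, client: str) -> Decision:
    """Hand the connection to the inspector for its service, or refuse it if none is installed."""
    inspector = INSPECTORS.get(dst_port)
    if inspector is None:
        return Decision(False, f"no proxy installed for port {dst_port}", f"{client} port={dst_port} DENY no-proxy")
    return inspector(payload, client)

if __name__ == "__main__":
    samples = [  # constructed traffic from an internal client
        (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        (80, b"GET /inbox HTTP/1.1\r\nHost: webmail.example\r\n\r\n"),
        (80, b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x00\x00\x00"),
        (25, b"EHLO mail.example\r\n"),
        (6881, b"\x13BitTorrent protocol"),
    ]
    for port, data in samples:
        print(proxy_decide(port, data, "10.0.0.5").log)
```

The two inspectors deliberately understand only their own protocol, which is the point the slides make about needing a separate proxy for each service: the cost is that every new protocol requires new code, the benefit is that a non-HTTP payload on port 80 is rejected instead of being passed through.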
Types of firewalls
• When Computer A wants to communicate with Computer B, which is connected to the World Wide Web, Firewall C acts as an intermediary between Computers A and B.
• Firewall C takes the intended communication from Computer A and directs it to Computer B; when Computer B replies, it replies to Firewall C, thinking it is Computer A.
• When Computer A communicates back to Computer B, it is actually only passing data to Firewall C, as represented in the figure.

Types of firewalls
• Inbound connections are always made with the proxy client, while outbound connections are always made with the proxy server.
• There is no direct connection between the internal network and an insecure network.
• A typical application layer firewall can provide proxy services for applications and protocols like Telnet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Simple Mail Transfer Protocol (SMTP).
• Note that a separate proxy must be installed for each application-level service.

Types of firewalls
• When the application layer firewall is passing the traffic from network to network, the firewall has the opportunity to analyse the data and headers within the traffic.
• When traffic arrives at the external connection, the firewall evaluates IP addresses; it looks at the data within the packet to stop an outside source hiding information, and it uses any filters or policies in place to determine whether the traffic is legitimate and whether it is allowed to enter the internal network.

Types of firewalls
• Advantages-
• All communication passes through the firewall.
• It can also control what protocols are used, such as HTTP and FTP.
• It can disallow Peer To Peer (P2P) and other unused protocols.
• It can restrict access to certain network services and websites not related to the business, such as web-based email sites or pornography.
• The application layer firewall can also use HTTP object caching and user authentication.
• As all traffic flows through it, the application layer firewall has all the information required to generate comprehensive audit reports.

Types of firewalls
• Drawbacks-
• As all traffic flows through it, the proxy server introduces delays in communication.
• A new proxy has to be written for each new protocol that has to pass through the firewall, often causing delays.
• As the firewall runs on a third-party operating system architecture, it is vulnerable to Operating System (OS) and application layer bugs, meaning the OS has to be hardened against attack.
• Cost and performance.

Types of firewalls
• Stateful Inspection Firewalls-
• Instead of examining the contents of each packet, the header information of the packet is compared to packets that are known to be trusted.
• Stateful inspection used packet filtering technology: it evaluated the IP header information such as source, source port, destination and destination port.
• A new feature of the stateful inspection firewall was a state table. This table kept a list of open connections.

Types of firewalls
• Stateful packet filtering blocks all traffic on ports greater than 1023 and allows only network traffic that matches the response port of a previously sent IP packet. The firewall internally maintains a table of information on which ports it may expect traffic.
• If the firewall determines that a communication exchange is finished, it removes that information from the table. In cases where the firewall is unable to detect that the communication has ended, it automatically removes that information after a short time period.

Types of firewalls
• When a user accessed an outside service, the stateful inspection firewall remembered details about the original request, such as port number, source and destination address.
• This "remembering" is called “saving the state”.
When the outside system responded to a request, the firewall compared the received packets with the saved state to determine whether they were allowed in.

Types of firewalls
• The effect of the state table: suppose a packet is generated by a third party to look like a typical legitimate response, say a web page.
• When the firewall checks the state table, there is no connection entry for that response, so access to the internal network is denied.

Types of firewalls
• A stateful inspection firewall could read all seven Open Systems Interconnection (OSI) layers, allowing it to filter packets at the header level as well as analyse applications, overcoming the weaknesses of IP filtering devices.
• Stateful inspection itself has proven to be a very effective and efficient mechanism for access control.

Types of firewalls
• Disadvantages-
• When a service used User Datagram Protocol (UDP), it did so insecurely.
• UDP sends one packet out and gets one packet back. UDP does not have error correction or integrity checks.
• If a UDP packet is sent, a single packet response can potentially allow a hacker in.

Types of firewalls
• Disadvantages-
• A stateful inspection firewall was not a proxy; it let internal packets make their way to the outside network, thus exposing internal IP addresses to potential hackers.
• Some firewall vendors use stateful inspection and proxies together for added security.

Types of firewalls
• Advantage-
• TCP maintains state. This means sequence numbers have to be used. In order to subvert TCP security, not only do you need to forge the source IP address but you also need to be able to determine what sequence number you need to use.
• An example of a stateful inspection implementation is the freeware firewall IPTables, which is standard with many Linux distributions. IPTables checks and filters each packet individually.
• It also uses filtering.

Types of firewalls
• This technology has its strengths and weaknesses.
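The following is an added example, not part of the slides or of IPTables: a toy state table in Python that carries the stateful inspection behaviour described above through a full exchange. An outbound request saves state; an inbound packet is admitted only if it matches saved state, so a packet forged to look like a response with no matching entry is dropped; an entry is removed when both sides are seen to finish (FIN from each side), and an entry whose end the firewall never sees is removed after an idle timeout, with the short-lived UDP case given a shorter timeout than TCP. The address prefix, ports, timeouts and timestamps are constructed for the demonstration.

```python
"""Added example (not from the slides): a toy stateful inspection table.

An outbound request from the internal network creates an entry in the state
table; an inbound packet is admitted only when it matches a saved entry, so a
packet forged to look like a response is dropped. Entries are removed when
both sides have sent FIN, or when idle longer than a timeout (UDP, which has
no handshake, gets a short one). Addresses, ports and timings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"FIN", "ACK"}

@dataclass
class Entry:
    last_seen: float
    fin_out: bool = False   # internal side has sent FIN
    fin_in: bool = False    # external side has sent FIN

# key: (proto, internal ip, internal port, external ip, external port)
Key = Tuple[str, str, int, str, int]

class StatefulFirewall:
    IDLE_TIMEOUT = {"tcp": 300.0, "udp": 30.0}   # constructed values, in seconds

    def __init__(self, internal_prefix: str) -> None:
        self.internal_prefix = internal_prefix
        self.table: Dict[Key, Entry] = {}

    def _internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def expire(self, now: float) -> int:
        """Drop entries whose exchange was never seen to finish but went idle; return how many."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.IDLE_TIMEOUT[k[0]]]
        for k in stale:
            del self.table[k]
        return len(stale)

    def process(self, pkt: Packet, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason) for one packet crossing the firewall at time `now`."""
        self.expire(now)
        if self._internal(pkt.src) and not self._internal(pkt.dst):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            entry = self.table.get(key)
            if entry is None:
                # A TCP connection must begin with a SYN; anything else with no state is refused.
                if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
                    return False, "outbound tcp without SYN and without saved state"
                self.table[key] = Entry(last_seen=now)
                return True, "outbound request, state saved"
            entry.last_seen = now
            if "FIN" in pkt.flags:
                entry.fin_out = True
            self._close_if_finished(key, entry)
            return True, "outbound packet matches saved state"
        if not self._internal(pkt.src) and self._internal(pkt.dst):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed: look up the request
            entry = self.table.get(key)
            if entry is None:
                return False, "inbound packet has no saved state (no request was sent)"
            entry.last_seen = now
            if "FIN" in pkt.flags:
                entry.fin_in = True
            self._close_if_finished(key, entry)
            return True, "inbound response matches saved state"
        return False, "packet does not cross the firewall boundary"

    def _close_if_finished(self, key: Key, entry: Entry) -> None:
        if entry.fin_out and entry.fin_in:
            del self.table[key]   # exchange finished: forget the state
```

The UDP weakness the slides describe is visible in the code: a UDP entry is created by one outbound datagram with no handshake to validate, so the only thing limiting the window for a spoofed reply is the short idle timeout.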
• To choose between application layer and stateful inspection firewalls, an organisation’s policy and requirements must be taken into account.
• Application gateways provide better control and logging, while stateful inspection has both the edge in performance and much greater flexibility, but at the risk of incorrect configuration.

Types of firewalls
• Dynamic Packet Filtering Firewalls-
• Closely related to stateful inspection firewalls.
• It looks at each packet as opposed to the connection as a whole.
• Increased security, but a negative effect on performance.
• 1994: Firewall-1 released by Check Point Technologies.

Types of firewalls
• Kernel Proxy Firewalls- the current firewall technology.
• This technology evaluates packets at multiple layers of the protocol stack in the proxy server.
• Centri Firewall- by Cisco.
• Uses the Windows NT Executive, which is the kernel of Windows NT, 2000 and 2003.

Types of firewalls
• Kernel Proxy Firewalls- comprised of three components.
• The first component captures packets arriving at the firewall server. The packet is then analysed by reading the header information and the signature data. Both the data about the packet and the packet itself are passed to the second stage.
• The second stage receives the data about the packet and decides whether to drop the packet, map it to an existing session, or create a new session using the received data about the packet.

Types of firewalls
• If a current session exists, the packet is passed through a custom-built protocol stack created specifically for that session, which is a customised implementation of the approach widely known as network address translation.
This last stage, the kernel proxy, enforces the security policy as configured into the device as it inspects each packet.

Types of firewalls
• The kernel proxy comprises proxy servers for application layer protocols such as HTTP, FTP, Telnet and SMTP; transport layer protocols such as Internet Control Message Protocol (ICMP), TCP and UDP; and network layer protocols such as IP. These proxy servers are configurable, so the second stage determines what decision to make about the packet.

Types of firewalls
• Personal firewall-
• A personal firewall is most often installed as a piece of software on a single computer and protects just that computer.
• Personal firewalls also come as separate hardware components, or they may be built into other network devices, but they all protect a single computer or a very small number of computers.
• Personal firewalls also normally have very limited reporting and management features.

Types of firewalls
• Departmental or small organization firewall:
• These firewalls are designed to protect all the computers in an office of limited size that is in a single location.
• Firewalls in this category have the capacity to screen network traffic for a limited number of computers, and the reporting and management capabilities are adequate for this function.

Types of firewalls
• Enterprise firewall:
• Enterprise firewalls are appropriate for larger organizations, including organizations with thousands of users that are geographically dispersed.
• The reporting capabilities include consolidated reports for multiple firewalls; the management tools enable you to configure multiple firewalls in a single step.

A network router
• Some router manufacturers have enhanced the functions of their products by including firewall features.
• A router that connects your network to the Internet may perform packet filtering or other firewall functions.
• Most likely, the router provides some rudimentary firewall capabilities but doesn’t give any advanced features.

Appliance
• Some firewalls consist of a piece of hardware with integrated software that provides a number of firewall functions. Such a device is often referred to as a firewall appliance.
• Just like a refrigerator that simply works when you plug it into an outlet, a firewall appliance starts working the moment you plug it in — there’s no separate software to install. However, you still may have to do some configuration.
• If you use such a firewall, the device is fairly simple to administer. You don’t have to worry about configuring a separate operating system, and most often the device has no other functions that may interfere with the firewall’s operations.

Software-only firewalls
• Software-only firewalls run on a computer that can also perform other functions. Most personal firewalls that protect a single computer fall into this category.
• After all, the reason you get a personal firewall is to protect your computer while you are using the Internet — not to make your computer a dedicated firewall.
• Some enterprise firewalls are also software-based.

All-in-one tools
• An increasingly popular type of network device is the all-in-one tool. One vendor, for example, offers a small box that promises to act as a cable modem, router, network hub, wireless networking base station, and firewall.
• The manufacturer may exclude some functions that are considered important.
• The quality and functions built in vary from manufacturer to manufacturer.

Rules and firewall configuration
• A firewall enforces rules about what network traffic is allowed to enter or leave your personal computer or network.
• Most firewalls come with some preconfigured rules, but most likely you will have to add more rules.
• After the rules are in place, a firewall examines all network traffic and drops the traffic if the rules prohibit it.

Rules and firewall configuration
• A large part of administering a firewall consists of configuring rules, such as the following:
– Allow everyone to access all Web sites.
– Allow outgoing e-mail from the internal mail server.
– Drop all outgoing network traffic unless it matches the first two rules.
– Allow incoming Web requests to the public Web server.
– Drop all incoming network traffic except for connections to the public Web server.
– Log all connection attempts that were rejected by the firewall.
– Log all access to external Web sites.

Rules and firewall configuration
• Configuring rules for a home network can be very easy. You may merely have to define a rule that allows all outgoing network traffic and another one that allows no connections to be established from the outside.
• Setting up the rules for a large corporation with many Web servers, thousands of users, and many departments (each with different needs for accessing the Internet) can be much more complicated.

DMZ-Demilitarized Zone
• The hosting of services on the Internet requires that you expose a portion of your network to the Internet while preventing access to your private network.
• Many larger businesses require that a dedicated segment of the network be established for protecting Internet-accessible resources. The common term for this segment of the network is a demilitarized zone, or DMZ.
• A network DMZ resides between a public network, typically the Internet, and a company’s private network.

DMZ-Demilitarized Zone
• All traffic that enters and exits is inspected-
• In a network, the DMZ is probably the most secured segment of the network, because all data that enters or exits the DMZ is inspected against a firewall’s rule listing to determine whether the traffic is approved to enter or exit the DMZ.

DMZ-Demilitarized Zone
• Resources in the DMZ are inspected to ensure that security is not compromised.
• Many companies use intrusion detection software in the DMZ, both on the network itself and at each network device located in the DMZ, to identify attacks launched against the resources. The intrusion detection software immediately informs the firewall administrator that a suspected attack is taking place.

Level 1 DMZ

DMZ-Demilitarized Zone
• DMZs act as a protective boundary to the private network.
• By placing Internet-accessible resources in the DMZ, a firewall can be configured to prevent all access attempts to the private network from the Internet. Only access attempts directed to the DMZ are permitted by the firewall, as long as the attempts use only approved protocols.

DMZ-Demilitarized Zone
• Also called a screened subnet or perimeter network.
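The following is an added example, not part of the slides: a first-match rule engine in Python that implements the rule list from the "Rules and firewall configuration" slide together with the DMZ policy just described. Traffic is classified into three zones (internet, dmz, internal), rules are evaluated top to bottom, the first match decides, rejected attempts and external web access are logged, and the list ends with a catch-all drop. The address plan, the public web server and mail server addresses, and the sample connections are constructed for the demonstration.

```python
"""Added example (not from the slides): a first-match rule engine for a firewall
that separates three zones (internet, dmz, internal). The rule list follows the
"Rules and firewall configuration" slide and adds the DMZ policy: only approved
protocols from the Internet may reach the public web server in the DMZ, nothing
from the Internet may reach the private network, and rejections are logged.
Networks, hosts and ports are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: private network and DMZ; every other address is "internet".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
PUBLIC_WEB = "192.0.2.10"    # public web server placed in the DMZ
MAIL_SERVER = "10.0.0.25"    # internal mail server

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "drop"
    name: str
    src_zone: Optional[str] = None     # None means "any"
    dst_zone: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        wanted = [
            (self.src_zone, zone_of(src)), (self.dst_zone, zone_of(dst)),
            (self.src_ip, src), (self.dst_ip, dst),
            (self.proto, proto), (self.dport, dport),
        ]
        return all(want is None or want == got for want, got in wanted)

# Evaluated top to bottom; the first matching rule decides.
RULES: List[Rule] = [
    Rule("allow", "everyone to external web sites", src_zone="internal", dst_zone="internet", proto="tcp", dport=80, log=True),
    Rule("allow", "everyone to external web sites (https)", src_zone="internal", dst_zone="internet", proto="tcp", dport=443, log=True),
    Rule("allow", "outgoing e-mail from the mail server", src_ip=MAIL_SERVER, dst_zone="internet", proto="tcp", dport=25),
    Rule("allow", "incoming web requests to the public web server", src_zone="internet", dst_ip=PUBLIC_WEB, proto="tcp", dport=80),
    Rule("drop", "internet to private network", src_zone="internet", dst_zone="internal", log=True),
    Rule("drop", "default drop", log=True),
]

def evaluate(src: str, dst: str, proto: str, dport: int, log_lines: List[str]) -> Tuple[bool, str]:
    """Return (allowed, name of the deciding rule); append an audit line when that rule logs."""
    for rule in RULES:
        if rule.matches(src, dst, proto, dport):
            if rule.log:
                log_lines.append(f"{rule.action.upper()} {proto} {src}->{dst}:{dport} [{rule.name}]")
            return rule.action == "allow", rule.name
    raise AssertionError("rule list must end with a catch-all")

if __name__ == "__main__":
    audit: List[str] = []
    for conn in [  # constructed connection attempts: (src, dst, proto, dport)
        ("10.0.5.1", "203.0.113.9", "tcp", 80),
        ("10.0.5.1", "203.0.113.9", "tcp", 25),
        ("198.51.100.4", PUBLIC_WEB, "tcp", 80),
        ("198.51.100.4", PUBLIC_WEB, "tcp", 22),
        ("198.51.100.4", MAIL_SERVER, "tcp", 25),
    ]:
        print(conn, evaluate(*conn, audit))
    print("\n".join(audit))
```

Note that the order matters: the explicit "internet to private network" drop sits above the catch-all so that its rejections are labelled distinctly in the audit log, and a non-approved protocol to the DMZ web server (port 22 in the sample) falls through to the default drop rather than being admitted merely because the destination is in the DMZ.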