Ethical Hacking. 
Firewall. 
Case Study by: Sonali Parab.
Ethical Hacking: Firewall. 
Firewall 
Objective 
A firewall is a system designed to prevent unauthorized access to or from a private network. 
Firewalls are frequently used to prevent unauthorized Internet users from accessing private 
networks connected to the Internet, especially intranets. All messages entering or leaving the 
intranet pass through the firewall, which examines each message and blocks those that do not 
meet the specified security criteria. 
Abstract 
In computing, a firewall is a software- or hardware-based network security system that 
controls incoming and outgoing network traffic based on an applied rule set. A firewall 
establishes a barrier between a trusted, secure internal network and another network (e.g., the 
Internet) that is not assumed to be secure and trusted. 
Many personal computer operating systems include software-based firewalls to protect 
against threats from the public Internet. Many routers that pass data between networks 
contain firewall components and, conversely, many firewalls can perform basic routing 
functions. 
Figure 1: Illustration of Firewall.
Introduction 
What is a Firewall? 
A firewall is a secure Internet gateway that is used to interconnect a private network to the 
Internet (see Figure 1). There are a number of components that make up a firewall: 
i) The Internet access security policy of the organisation. This states, at a high level, what 
degree of security the organisation expects when connecting to the Internet. The 
security policy is independent of technology and techniques, and should have a lifetime 
independent of the equipment used. An example of statements from such a security 
policy might be: external users will not be allowed to access the corporate network 
without a strong level of authentication; any corporate information not in the public 
domain must be transferred across the Internet in a confidential manner, and 
corporate users will only be allowed to send electronic mail to the Internet - all other 
services will be banned. 
ii) The mapping of the security policy onto technical designs and procedures that are 
to be followed when connecting to the Internet. This information will be updated as 
new technology is announced, and as system configurations change etc. For 
example, regarding authentication, the technical design might specify the use of one-time 
passwords. Technical designs are usually based on one of two security policies, 
permit any service unless it is expressly denied, or deny any service unless it is expressly 
permitted. The latter is clearly the more secure of the two. 
iii) The firewall system, which is the hardware and software that implements the 
firewall. Typical firewall systems comprise an IP packet filtering router and a host 
computer (sometimes called a bastion host or application gateway) running application 
filtering and authentication software. 
Why Firewalls? 
• Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP 
connections, no resources left for "real" connections. 
• Prevent illegal modification/access of internal data, e.g., attacker replaces CIA's 
homepage with something else. 
• Allow only authorized access to inside network (set of authenticated users/hosts). 
There are three types of firewalls. 
Packet Filter: An IP packet filter firewall is a firewall that decides to forward or drop a certain 
packet according to the information in the packet's header. Packet filters act by inspecting the 
"packets" which transfer between computers on the Internet. If a packet matches the packet 
filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard 
it, and send "error responses" to the source). 
This type of packet filtering pays no attention to whether a packet is part of an existing 
stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each 
packet based only on information contained in the packet itself.
Packet filtering firewalls work mainly on the first three layers of the OSI reference model, 
which means most of the work is done between the network and physical layers, with a little 
bit of peeking into the transport layer to figure out source and destination port numbers. 
Figure 2: Packet Filtering Firewall. 
Stateful Filters 
Stateful filters introduce a technology of stateful inspection packet filtering. These firewalls 
perform the work of their first-generation predecessors but operate up to layer 4 (transport 
layer) of the OSI model. This is achieved by retaining packets until enough are available to 
make a judgment about its state. Known as stateful packet inspection, it records all 
connections passing through it and determines whether a packet is the start of a new 
connection, a part of an existing connection, or not part of any connection. Though static 
rules are still used, these rules can now contain connection state as one of their test criteria. 
Certain DoS attacks bombard the firewall with thousands of fake connection packets to 
overwhelm it by filling its connection state memory. 
Figure 3: Stateful Inspection Firewall.
Application Layer 
Application layer filtering can "understand" certain applications and protocols (such as File 
Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol 
(HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass 
the firewall on an allowed port, or detect if a protocol is being abused in any harmful way. 
The existing deep packet inspection functionality of modern firewalls can be shared by 
Intrusion prevention systems (IPS). 
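As an added example (not code from the case study), the following Python sketch shows the kind of check an application-layer filter performs on a TCP stream that a port-based filter has already admitted on port 80: it classifies the first bytes the client sends and blocks anything that is not a well-formed HTTP request, so a non-HTTP protocol carried over the "allowed" port, or a request using a method the site's policy does not permit, is caught. The protocol signatures and the allowed-method list are assumptions for illustration, and the sample payloads are constructed, not captured traffic.

```python
import re

# Signatures used for classification (assumed for this example).
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r\n"
)
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # site policy, assumed for the example


def identify_protocol(payload: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):                       # SSH identification string
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                                      # TLS handshake record header
    return "unknown"


def inspect_port80(payload: bytes):
    """Decide on a client-to-server stream the packet filter admitted on TCP/80.

    Returns (verdict, reason).  The port says "HTTP", so anything that does not
    look like HTTP is treated as a protocol trying to pass the firewall on an
    allowed port, and a genuine HTTP request is still checked against policy.
    """
    proto = identify_protocol(payload)
    if proto != "http":
        return "BLOCK", f"non-HTTP protocol '{proto}' on port 80"
    method = payload.split(b" ", 1)[0]
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"HTTP method {method.decode('ascii')} not permitted"
    return "ALLOW", f"well-formed HTTP {method.decode('ascii')} request"


# Constructed sample streams (not real captures).
SAMPLES = {
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "proxy_abuse": b"CONNECT mail.example.com:25 HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = inspect_port80(data)
        print(f"{name:12s} {verdict:5s} {reason}")
```

A stateless filter that only looks at port numbers accepts all four sample streams, because each is addressed to TCP port 80; only the first survives the application-layer check.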
Figure 4: Application level gateway Firewall. 
Bastion Host Firewall: 
A Bastion host is a special purpose computer on a network specifically designed and 
configured to withstand attacks. A firewall at layer 5 of the Internet model (layer 7 of the ISO 
model) is sometimes called a bastion host, application gateway, proxy server or guardian system. Its purpose is to filter 
the service provided by the application. The computer generally hosts a single application, 
for example a proxy server, and all other services are removed or limited to reduce the threat 
to the computer. It is hardened in this manner primarily due to its location and purpose, 
which is either on the outside of the firewall or in the DMZ and usually involves access from 
untrusted networks or computers. 
Figure 5: Bastion Host Firewall.
Literature Review 
The term firewall originally referred to a wall intended to confine a fire or potential fire 
within a building. Later uses refer to similar structures, such as the metal sheet separating the 
engine compartment of a vehicle or aircraft from the passenger compartment. 
Firewall technology emerged in the late 1980s when the Internet was a fairly new technology 
in terms of its global use and connectivity. The predecessors to firewalls for network security 
were the routers used in the late 1980s. 
• Clifford Stoll's discovery of German spies tampering with his system 
• Bill Cheswick's "Evening with Berferd" 1992 in which he set up a simple electronic "jail" 
to observe an attacker 
• In 1988, an employee at the NASA Ames Research Center in California sent a memo 
by email to his colleagues that read, "We are currently under attack from an Internet 
VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA 
Ames." 
• The Morris Worm spread itself through multiple vulnerabilities in the machines of the 
time. Although it was not malicious in intent, the Morris Worm was the first large scale 
attack on Internet security; the online community was neither expecting an attack nor 
prepared to deal with one. 
First generation: Packet filters 
The first paper published on firewall technology was in 1988, when engineers from Digital 
Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This 
fairly basic system was the first generation of what is now a highly involved and technical 
internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were 
continuing their research in packet filtering and developed a working model for their own 
company based on their original first generation architecture. 
Packet filters act by inspecting the "packets" which are transferred between computers on the 
Internet. If a packet matches the packet filter's set of filtering rules, the packet filter will drop 
(silently discard) the packet or reject it (discard it, and send "error responses" to the source). 
This type of packet filtering pays no attention to whether a packet is part of an existing 
stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each 
packet based only on information contained in the packet itself (most commonly using a 
combination of the packet's source and destination address, its protocol, and, for TCP and 
UDP traffic, the port number). 
TCP and UDP protocols constitute most communication over the Internet, and because TCP 
and UDP traffic by convention uses well known ports for particular types of traffic, a 
"stateless" packet filter can distinguish between, and thus control, those types of traffic (such 
as web browsing, remote printing, email transmission, file transfer), unless the machines on 
each side of the packet filter are both using the same non-standard ports. 
Packet filtering firewalls work mainly on the first three layers of the OSI reference model, 
which means most of the work is done between the network and physical layers, with a little 
bit of peeking into the transport layer to figure out source and destination port numbers. 
When a packet originates from the sender and filters through a firewall, the device checks for 
matches to any of the packet filtering rules that are configured in the firewall and drops or 
rejects the packet accordingly. When the packet passes through the firewall, it filters the 
packet on a protocol/port number basis (GSS). For example, if a rule in the firewall exists to 
block telnet access, then the firewall will block the TCP protocol for port number 23. 
Second generation: "Stateful" filters 
From 1989–1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan 
Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling 
them circuit-level gateways. 
Second-generation firewalls perform the work of their first-generation predecessors but 
operate up to layer 4 (transport layer) of the OSI model. This is achieved by retaining packets 
until enough information is available to make a judgement about its state. Known as stateful 
packet inspection, it records all connections passing through it and determines whether a 
packet is the start of a new connection, a part of an existing connection, or not part of any 
connection. Though static rules are still used, these rules can now contain connection state as 
one of their test criteria. Certain denial-of-service attacks bombard the firewall with 
thousands of fake connection packets in an attempt to overwhelm it by filling its connection 
state memory. 
Third generation: application layer 
Marcus Ranum, Wei Xu, and Peter Churchyard developed an Application Firewall known as 
Firewall Toolkit (FWTK). In June 1994, Wei Xu extended the FWTK with the Kernel 
enhancement of IP filter and socket transparent. This was known as the first transparent 
Application firewall, released as a commercial product of Gauntlet firewall at Trusted 
Information Systems. Gauntlet firewall was rated one of the number 1 firewalls during 1995– 
1998. 
The key benefit of application layer filtering is that it can "understand" certain applications 
and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), 
or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted 
protocol is attempting to bypass the firewall on an allowed port, or detect if a protocol is 
being abused in any harmful way. As of 2012, the so-called next-generation firewall (NGFW) 
is nothing more than a widening or deepening of inspection at the application stack. For example, 
the existing deep packet inspection functionality of modern firewalls can be extended to 
include i) Intrusion prevention systems (IPS); 
ii) User identity integration (by binding user IDs to IP or MAC addresses for 
"reputation"); and/or 
iii) Web Application Firewall (WAF). WAF attacks may be implemented in the tool 
"WAF Fingerprinting utilizing timing side channels" (WAFFle). 
Study 
Penetration of Firewall 
Attacking Packet Filtering Firewall 
• IP Address Spoofing Attack 
• Denial-of-service Attack 
• Tiny Fragment Attack 
• Trojan Attack 
Attacking Stateful Inspection Firewall 
• Protocol Tunneling 
• Trojans Rebound 
Attacking Proxy 
• Unauthorized Web Access 
• Unauthorized Socks Access 
• Unauthorized Telnet Access 
Penetration of Firewall using WinGate. 
WinGate is Integrated Gateway Management Software for Microsoft Windows, 
providing web caching, firewall and NAT services, along with a number of integrated proxy 
servers and also email services (SMTP, POP3 and IMAP servers). 
WinGate 1.0 was first released on 5 October 1995, and was a re-write of a product that had 
been previously released in prototype form by Adrien de Croy under the name SocketSet 
earlier that year. 
WinGate proved very popular, and by the mid to late 1990s, WinGate was almost ubiquitous 
in homes and small businesses that needed to share a single Internet connection between 
multiple networked computers. The introduction of Internet Connection Sharing in Windows 
98, however, combined with the increasing availability of cheap NAT-enabled routers, forced 
WinGate to evolve to provide more than just internet connection sharing features. Today, the 
focus for WinGate is primarily access control, email server, caching, reporting, bandwidth 
management and content filtering. 
WinGate comes in three versions, Standard, Professional and Enterprise. The Enterprise 
edition also provides an easily configured virtual private network system, which is also 
available separately as WinGate VPN. Licensing is based on the number of concurrently 
connected users, and a range of license sizes are available. Multiple licenses can also be 
aggregated. 
The current version of WinGate is version 8.0.5 (released 5 December 2013). 
Figure 6: WinGate. 
Hardware Firewall vs Software Firewall 
• Hardware firewalls are specifically built within hardware devices like routers whereas 
software firewalls are software programs installed on computers. 
• Hardware firewalls protect a whole network while software firewalls protect individual 
computers on which they are installed. 
• By default, hardware firewalls filter web packets while software firewalls may not filter 
web packets unless web traffic filtering controls are enabled. 
• A hardware firewall can be configured to use a proxy service for filtering packets while a 
software firewall does not use a proxy service to filter.
Firewall Analysis 
Understanding the deployed firewall policy can be a daunting task. Administrators today 
have no easy way of answering questions such as "can I telnet from here to there?", "from 
which machines can our DMZ be reached, and with which services?", or "what will be the 
effect of adding this rule to the firewall?". These are basic questions that administrators need 
to answer regularly in order to perform their jobs, and sometimes more importantly, in order 
to explain the policy and its consequences to their management. There are several reasons 
why this task is difficult, including: 
1. Firewall configuration languages tend to be arcane, very low level, and highly vendor 
specific. 
2. Vendor-supplied GUIs require their users to click through several windows in order 
to fully understand even a single rule: at a minimum, the user needs to check the IP 
addresses of the source and destination fields, and the protocols and ports underlying 
the service field. 
3. Firewall rule-bases are sensitive to rule order. Several rules may match a particular 
packet, and usually the first matching rule is applied, so changing the rule order, or 
inserting a correct rule in the wrong place, may lead to unexpected behavior and 
possible security breaches. 
4. Alternating PASS and DROP rules create rule-bases that have complex interactions 
between different rules. What policy such a rule-base is enforcing is hard for humans 
to comprehend when there are more than a handful of rules. 
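The rule-order and shadowing problems listed above are exactly what a rule-base analyser checks mechanically. As an added example (not code from the case study or from any vendor's tool), the following Python program models a first-match rule-base, answers the "can A reach B on this service?" question together with the rule that decides it, and flags rules that can never fire because an earlier rule with the opposite action already covers everything they would match (as well as rules that are merely redundant). The rule base and its addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "PASS" or "DROP"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    proto: Optional[str]        # "tcp", "udp", or None for any protocol
    ports: Tuple[int, int]      # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.proto is None or outer.proto == inner.proto)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def rule_matches(r: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    """Does a single packet (src, dst, proto, dport) match this rule?"""
    return (ip_address(src) in ip_network(r.src)
            and ip_address(dst) in ip_network(r.dst)
            and (r.proto is None or r.proto == proto)
            and r.ports[0] <= port <= r.ports[1])


def query(rules, src, dst, proto, port, default="DROP"):
    """'Can src reach dst on proto/port?'  The first matching rule wins;
    returns (action, rule_index), or (default, None) if nothing matched."""
    for i, r in enumerate(rules):
        if rule_matches(r, src, dst, proto, port):
            return r.action, i
    return default, None


def shadowed_rules(rules) -> List[Tuple[int, int]]:
    """(j, i) pairs where rule j can never fire: the earlier rule i covers
    everything j would match and takes the opposite action."""
    found = []
    for j, rj in enumerate(rules):
        for i in range(j):
            if covers(rules[i], rj) and rules[i].action != rj.action:
                found.append((j, i))
                break
    return found


def redundant_rules(rules) -> List[Tuple[int, int]]:
    """(j, i) pairs where rule j is covered by an earlier rule i with the same
    action, so removing j changes nothing."""
    found = []
    for j, rj in enumerate(rules):
        for i in range(j):
            if covers(rules[i], rj) and rules[i].action == rj.action:
                found.append((j, i))
                break
    return found


# Constructed rule base for illustration (documentation address ranges).
RULES = [
    Rule("DROP", "0.0.0.0/0",      "10.0.0.0/8",   "tcp", (23, 23)),   # 0: no telnet inbound
    Rule("PASS", "203.0.113.0/24", "10.1.0.0/16",  "tcp", (1, 1023)),  # 1: partner net to DMZ
    Rule("PASS", "0.0.0.0/0",      "10.1.1.10/32", "tcp", (80, 80)),   # 2: public web server
    Rule("DROP", "203.0.113.5/32", "10.1.1.10/32", "tcp", (80, 80)),   # 3: meant to block, never fires
    Rule("PASS", "10.1.1.0/24",    "10.1.1.10/32", "tcp", (80, 80)),   # 4: redundant with rule 2
]

if __name__ == "__main__":
    print("203.0.113.5 -> 10.1.1.10 tcp/80:", query(RULES, "203.0.113.5", "10.1.1.10", "tcp", 80))
    print("shadowed:", shadowed_rules(RULES))
    print("redundant:", redundant_rules(RULES))
```

Rule 3 was written to block one partner host from the web server, but rule 1 already passes that traffic, so the block never takes effect; moving rule 3 above rule 1 fixes it, which is the "right rule in the wrong place" problem from point 3 above.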
Firewall Policies: 
To protect private networks and individual machines from the dangers of the greater Internet, 
a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of 
rules called firewall policies. 
Policy Actions: 
• Packets flowing through a firewall can have one of three outcomes: 
– Accepted: permitted through the firewall 
– Dropped: not allowed through with no indication of failure 
– Rejected: not allowed through, accompanied by an attempt to inform the source that 
the packet was rejected. 
Blacklists and Whitelists: 
There are two fundamental approaches to creating firewall policies (or rulesets) to 
effectively minimize vulnerability to the outside world while maintaining the desired 
functionality for the machines in the trusted internal network (or individual computer).
• Blacklist approach 
– All packets are allowed through except those that fit the rules defined specifically in a 
blacklist. This type of configuration is more flexible in ensuring that service to the 
internal network is not disrupted by the firewall. 
Figure 7: Black list firewall approach. 
• Whitelist approach 
– A safer approach to defining a firewall ruleset is the default-deny policy, in which 
packets are dropped or rejected unless they are specifically allowed by the firewall. 
Figure 8: Whitelist firewall approach. 
Methodology 
Design Principles of Firewall 
i. Packet Filtering Firewall: 
Allow packets which match the established rule set to pass and deny packets which 
violate the established rule set; at the same time, it will record a log message and alarm the 
administrator when a policy has been violated. 
Working of Packet Filtering Firewall. 
• A packet filter has a set of rules with accept or deny actions 
• Based on the information contained in the packet itself 
• Using different fields in the packet header to filter, including the packet's source and 
destination address, its protocol, port number, and so on 
• When the packet filter receives a packet of information, the filter compares the packet to 
your pre-configured rule set 
• At the first match, the packet filter either accepts or denies the packet of information 
Figure 9: Working of Packet Filtering Firewall.
A packet filtering router should be able to filter IP packets and decide whether to forward or drop 
packets based on the following four fields: 
• source IP address, destination IP address 
• TCP/UDP source and destination port numbers 
• ICMP message type 
• TCP SYN and ACK bits 
Filtering  is used to: 
 block connections from specific hosts or networks 
 block connections to specific hosts or networks 
 block connections to specific ports 
 block connections from specific ports 
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with 
either source or dest port = 23. 
All incoming and outgoing UDP flows and telnet connections are blocked. 
Example 2: Block inbound TCP segments with ACK=0. 
Prevents external clients from making TCP connections with internal clients, but allows 
internal clients to connect to outside. 
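As an added example (not the case study's own code), the following Python model implements the working described above: rules over the listed header fields (addresses, protocol, ports, the TCP ACK bit and direction), first-match evaluation with the three policy outcomes (accept, drop, reject), and a configurable default that gives either the blacklist (default-accept) or whitelist (default-deny) approach. The two rule sets encode Examples 1 and 2 from the text; Example 1 is written as two rules (all UDP, and TCP with either port 23), which is how its explanation reads. Addresses and ports in the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"   # the three policy outcomes
TCP, UDP, ICMP = 6, 17, 1                            # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    inbound: bool = True        # True when arriving from the external interface


@dataclass
class Rule:
    action: str
    proto: Optional[int] = None       # None = any protocol
    src: Optional[str] = None         # CIDR, None = any source
    dst: Optional[str] = None         # CIDR, None = any destination
    sport: Optional[int] = None
    dport: Optional[int] = None
    any_port: Optional[int] = None    # matches if source OR destination port equals
    ack: Optional[bool] = None        # None = don't care about the ACK bit
    inbound: Optional[bool] = None    # None = either direction

    def matches(self, p: Packet) -> bool:
        """Stateless match: only the fields of this one packet are consulted."""
        checks = [
            self.proto is None or p.proto == self.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            self.any_port is None or self.any_port in (p.sport, p.dport),
            self.ack is None or p.ack == self.ack,
            self.inbound is None or p.inbound == self.inbound,
        ]
        return all(checks)


class PacketFilter:
    def __init__(self, rules, default=DROP):
        self.rules = list(rules)
        self.default = default    # DROP = whitelist/default-deny, ACCEPT = blacklist/default-allow

    def decide(self, p: Packet):
        """Return (action, index of the first matching rule); index None = default policy."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, i
        return self.default, None


# Example 1 from the text: block all UDP (protocol 17) and any telnet (port 23) traffic.
EXAMPLE1 = PacketFilter(
    [Rule(DROP, proto=UDP), Rule(DROP, proto=TCP, any_port=23)],
    default=ACCEPT,
)

# Example 2 from the text: reject inbound TCP segments with ACK=0.  Outsiders cannot open
# connections (their SYN has ACK=0) while replies to inside-initiated connections carry ACK=1.
EXAMPLE2 = PacketFilter(
    [Rule(REJECT, proto=TCP, inbound=True, ack=False)],
    default=ACCEPT,
)

if __name__ == "__main__":
    probe = Packet("203.0.113.9", "10.0.0.5", TCP, sport=40000, dport=22, syn=True)
    print("Example 2, inbound SYN:", EXAMPLE2.decide(probe))
```

The cost of statelessness is visible in Example 2: any inbound TCP segment with the ACK bit set is accepted by the default policy whether or not an inside host ever started that connection, because the filter has no connection table to consult.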
Advantages 
• High speed 
• Transparent for the users 
Disadvantages 
• Cannot filter a packet according to its contents 
• Only offers brief log messages 
• Every port that may be used must be open to the external network, which increases the risk 
of attack 
• Very difficult to configure the ACL (Access Control List). 
ii. Stateful Inspection Firewall: 
A stateful inspection firewall is a firewall that monitors the state of the connection and 
compiles the information in a state table. 
Working of Stateful Inspection Firewall 
Stateful packet inspection (SPI) or stateful inspection is a firewall that keeps track of the state 
of network connections (such as TCP streams, UDP communication) traveling across it. The 
firewall is programmed to distinguish legitimate packets for different types of connections. 
Only packets matching a known active connection will be allowed by the firewall; others will 
be rejected. 
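As an added example (not the case study's code), the following Python model shows what "keeping track of the state of connections" means for TCP: an outbound SYN from an inside host creates an entry in the state table, every other packet is accepted only when it belongs to an entry, and the table is bounded and ages out half-open entries, which is the failure mode the text describes when a flood of bogus connection packets tries to fill the connection state memory. The table size, timeout and addresses are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    inbound: bool = True    # arriving on the external interface
    ts: float = 0.0         # seconds, used for ageing entries


@dataclass
class Conn:
    state: str              # SYN_SENT, ESTABLISHED or CLOSING
    last_seen: float


class StatefulFirewall:
    """Inside hosts may open TCP connections; outside hosts may only answer them."""

    def __init__(self, max_entries: int = 1000, half_open_timeout: float = 30.0):
        self.table: Dict[FlowKey, Conn] = {}
        self.max_entries = max_entries            # the connection state memory
        self.half_open_timeout = half_open_timeout
        self.stats = {"accept": 0, "drop": 0, "table_full": 0}

    def _expire(self, now: float) -> None:
        """Forget half-open entries nobody completed, so a SYN flood cannot pin the table."""
        stale = [k for k, c in self.table.items()
                 if c.state == "SYN_SENT" and now - c.last_seen > self.half_open_timeout]
        for k in stale:
            del self.table[k]

    def _verdict(self, v: str) -> str:
        self.stats[v.lower()] += 1
        return v

    def process(self, p: TcpPacket) -> str:
        self._expire(p.ts)
        key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        rkey: FlowKey = (p.dst, p.dport, p.src, p.sport)   # same flow seen from the other side

        if p.syn and not p.ack:                        # a new connection attempt
            if p.inbound:
                return self._verdict("DROP")           # outsiders may not initiate
            if len(self.table) >= self.max_entries:
                self.stats["table_full"] += 1
                return self._verdict("DROP")           # state memory exhausted
            self.table[key] = Conn("SYN_SENT", p.ts)
            return self._verdict("ACCEPT")

        # Every other packet must belong to a connection already in the table.
        conn_key = key if key in self.table else rkey if rkey in self.table else None
        if conn_key is None:
            return self._verdict("DROP")               # e.g. a bare inbound ACK with no connection
        conn = self.table[conn_key]
        conn.last_seen = p.ts
        if p.syn and p.ack and conn.state == "SYN_SENT" and conn_key == rkey:
            conn.state = "ESTABLISHED"                 # the server's SYN/ACK completes the handshake
        if p.rst or (p.fin and conn.state == "CLOSING"):
            del self.table[conn_key]                   # reset, or second FIN: connection is gone
        elif p.fin:
            conn.state = "CLOSING"                     # first FIN: wait for the other side's FIN
        return self._verdict("ACCEPT")
```

Compare this with the stateless ACK=0 rule of the packet-filter section: a bare inbound segment with ACK set passes that rule, but here it is dropped because no entry in the table claims it, and the bounded table plus half-open timeout is what keeps a flood of SYNs from consuming the state memory indefinitely.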
Figure 10: Working of Stateful Inspection Firewall. 
Advantages 
• Safer than static packet filtering 
• Better performance than static packet filtering 
Disadvantages 
• Security is not high enough due to fewer checks on packet data 
• More checks demand higher performance from the firewall 
iii. Application Layer Gateway (ALG, or Proxy Server) 
The gateway is responsible for communication between the external network and the internal network. When 
users intend to communicate, they do not communicate directly; the proxy forwards on their 
behalf instead. 
Working of Application Layer Gateway (ALG, or Proxy Server) 
Figure 11: Working of ALG Firewall. 
Functions Offered by a Proxy 
• Authentication mechanism 
• Content filtering 
• Mature logging 
Advantages 
• Accelerates the network through its cache 
• Prevents direct probing of the internal network 
• Filters the content of packets effectively 
• Reduces direct attacks on the internal network 
• No IP address spoofing attack 
• Mature logging 
Disadvantages 
• Each service needs its own dedicated proxy 
• Too much access delay when the proxy server is busy 
• Opaque (not transparent) to the users 
• Slower than a packet filtering firewall 
iv. Bastion Host Firewall. 
A Bastion host is a special purpose computer on a network specifically designed and 
configured to withstand attacks. The computer generally hosts a single application, for 
example a proxy server, and all other services are removed or limited to reduce the threat to 
the computer. It is hardened in this manner primarily due to its location and purpose, which is 
either on the outside of the firewall or in the DMZ and usually involves access from untrusted 
networks or computers. 
Figure 12: Working of Bastion host Firewall. 
Placement of Bastion hosts 
There are two common network configurations that include bastion hosts and their 
placement. The first requires two firewalls, with bastion hosts sitting between the first 
"outside world" firewall, and an inside firewall, in a demilitarized zone (DMZ). Often smaller 
networks do not have multiple firewalls, so if only one firewall exists in a network, bastion 
hosts are commonly placed outside the firewall. 
Bastion hosts are related to multi-homed hosts and screened hosts. While a dual-homed host 
often contains a firewall it is also used to host other services as well. A screened host is a 
dual-homed host that is dedicated to running the firewall. 
Figure 13: Internal Bastion host. Figure 14: External Bastion host.
Firewall Configurations 
i. The Dual Homed Gateway 
This is a secure firewall design comprising an application gateway and a packet filtering 
router. It is called “dual homed” because the gateway has two network interfaces, one 
attached to the Internet, the other to the organisation's network. Only applications with proxy 
services on the application gateway are able to operate through the firewall. Since IP 
forwarding is disabled in the host, IP packets must be directed to one of the proxy servers on 
the host, or be rejected. Some manufacturers build the packet filtering capability and the 
application proxies into one box, thereby simplifying the design (but removing the possibility 
of having an optional info server and modems attached to the screened subnet, see Figure 10). 
The disadvantages of the dual homed gateway are that it may be a bottleneck to performance, 
and it may be too secure for some sites (!) since it is not possible to let trusted applications 
bypass the firewall and communicate directly with peers on the Internet. They must have a 
proxy service in the firewall. 
Figure 15: Dual Homed Gateway Firewall. 
ii. The Screened Host Gateway 
The screened host gateway is similar to the above, but more flexible and less secure, since 
trusted traffic may pass directly from the Internet into the private network, thereby bypassing 
the application gateway. In this design the application gateway only needs a single network 
connection. 
The IP router will normally be configured to pass Internet traffic to the application gateway 
or to reject it. Traffic from the corporate network to the Internet will also be rejected, unless 
it originates from the application gateway. The only exception to these rules will be for 
trusted traffic that will be allowed straight through. 
Figure 16: The screened host gateway Firewall.
iii. The Screened Subnet Gateway 
This configuration creates a small isolated network between the Internet and the corporate 
network, which is sometimes referred to as the demilitarised zone (DMZ), see Figure 12. The 
advantages of this configuration are that multiple hosts and gateways can be stationed in the 
DMZ, thereby achieving a much greater throughput to the Internet than the other 
configurations; plus the configuration is very secure, as two packet filtering routers are there 
to protect the corporate network. 
The IP router on the Internet side will only let through Internet traffic that is destined for a 
host in the DMZ (and vice versa). The IP router on the corporate network side will only let 
site traffic pass to a host in the DMZ (and vice versa). 
This system is as secure as the dual homed gateway, but it is also possible to allow trusted 
traffic to pass straight through the DMZ if required. This configuration is of course more 
expensive to implement! 
Figure 17: The Screened Subnet Gateway Firewall. 
iv. Double Proxying and a DMZ 
The configuration shown in Figure 13 is even more secure than the screened subnet seen in 
the previous section. It is used by a bank to protect its internal network from direct access 
from the Internet. Users from the Internet have to pass through two application proxies 
before they can access the bank's intranet. 
This shows that there really is no limit to how complex a firewall configuration can be. The 
only limitations are the cost and performance implications of building ultra-secure firewall 
configurations. 
Figure 18: Double Proxying and a DMZ Firewall.
Reviews 
In short, firewalls are necessary. Without a firewall, your internet-connected PC would not 
last for many minutes before succumbing to an attack. Ever since Vista, Windows operating 
systems have included an excellent two-way firewall, which means it can protect against 
things trying to attack from the outside and things trying to connect with their senders once 
they make it inside the firewall to your computer. Many people are content to run the 
Windows firewall, and there is nothing wrong with that. However, some people prefer a 
firewall from the same publisher who sells their security software. 
Figure 17: The firewall.
Conclusions 
What Can a Firewall Do: 
• Packet Inspection 
• Connections and State 
• Stateful Packet Inspection 
• Protect internal hosts from the risk of direct interaction 
• Insulate the protected host from threats by ensuring that an external host can never directly 
communicate with the protected host 
Protect resources 
• To protect resources from threat 
• Protected resources should always be kept patched and up-to-date 
• Record all communications especially access policy violations 
• Through system log or proprietary logging format 
• Alarm when a policy has been violated 
References 
1. David W. Chadwick, Network Firewall Technologies, IS Institute, University of Salford, Salford, M5 4WT, England. 
2. Avishai Wool, Ph.D., Packet Filtering and Stateful Firewalls, School of Electrical Engineering. 
3. KAIST, Dept. of EECS. 
4. http://en.wikipedia.org/wiki/Firewall_(computing) 
5. http://my.ss.sysu.edu.cn/WebSec/download/chap6.pdf 
6. http://en.wikipedia.org/wiki/WinGate
Embedded System
Advance Database Management Systems -Object Oriented Principles In Database
Cloud and Ubiquitous Computing manual
Advance Database Management Systems -Object Oriented Principles In Database
Default and On demand routing - Advance Computer Networks
Cloud Computing And Virtualization
Protocols in Bluetooth
Protols used in bluetooth
Public Cloud Provider
Public Cloud Provider
Minning www
Remote Method Invocation
Agile testing
Minning WWW
Remote Method Invocation (Java RMI)

Recently uploaded (20)

PDF
Myanmar Dental Journal, The Journal of the Myanmar Dental Association (2013).pdf
PDF
MICROENCAPSULATION_NDDS_BPHARMACY__SEM VII_PCI Syllabus.pdf
PDF
Disorder of Endocrine system (1).pdfyyhyyyy
PDF
faiz-khans about Radiotherapy Physics-02.pdf
PPTX
Macbeth play - analysis .pptx english lit
PPTX
2025 High Blood Pressure Guideline Slide Set.pptx
PDF
Journal of Dental Science - UDMY (2020).pdf
PDF
Horaris_Grups_25-26_Definitiu_15_07_25.pdf
PPTX
What’s under the hood: Parsing standardized learning content for AI
PPTX
Integrated Management of Neonatal and Childhood Illnesses (IMNCI) – Unit IV |...
PDF
Nurlina - Urban Planner Portfolio (english ver)
PDF
Journal of Dental Science - UDMY (2022).pdf
PDF
M.Tech in Aerospace Engineering | BIT Mesra
PDF
0520_Scheme_of_Work_(for_examination_from_2021).pdf
PDF
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
PDF
Controlled Drug Delivery System-NDDS UNIT-1 B.Pharm 7th sem
PDF
semiconductor packaging in vlsi design fab
PPTX
UNIT_2-__LIPIDS[1].pptx.................
PPTX
PLASMA AND ITS CONSTITUENTS 123.pptx
PDF
Literature_Review_methods_ BRACU_MKT426 course material
Myanmar Dental Journal, The Journal of the Myanmar Dental Association (2013).pdf
MICROENCAPSULATION_NDDS_BPHARMACY__SEM VII_PCI Syllabus.pdf
Disorder of Endocrine system (1).pdfyyhyyyy
faiz-khans about Radiotherapy Physics-02.pdf
Macbeth play - analysis .pptx english lit
2025 High Blood Pressure Guideline Slide Set.pptx
Journal of Dental Science - UDMY (2020).pdf
Horaris_Grups_25-26_Definitiu_15_07_25.pdf
What’s under the hood: Parsing standardized learning content for AI
Integrated Management of Neonatal and Childhood Illnesses (IMNCI) – Unit IV |...
Nurlina - Urban Planner Portfolio (english ver)
Journal of Dental Science - UDMY (2022).pdf
M.Tech in Aerospace Engineering | BIT Mesra
0520_Scheme_of_Work_(for_examination_from_2021).pdf
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
Controlled Drug Delivery System-NDDS UNIT-1 B.Pharm 7th sem
semiconductor packaging in vlsi design fab
UNIT_2-__LIPIDS[1].pptx.................
PLASMA AND ITS CONSTITUENTS 123.pptx
Literature_Review_methods_ BRACU_MKT426 course material

Firewalls

Introduction

What is a Firewall?

A firewall is a secure Internet gateway that is used to interconnect a private network to the Internet (see Figure 1). There are a number of components that make up a firewall:

i) The Internet access security policy of the organisation. This states, at a high level, what degree of security the organisation expects when connecting to the Internet. The security policy is independent of technology and techniques, and should have a lifetime independent of the equipment used. Examples of statements from such a security policy: external users will not be allowed to access the corporate network without a strong level of authentication; any corporate information not in the public domain must be transferred across the Internet in a confidential manner; and corporate users will only be allowed to send electronic mail to the Internet, with all other services banned.

ii) The mapping of the security policy onto technical designs and procedures that are to be followed when connecting to the Internet. This information is updated as new technology is announced and as system configurations change. For example, regarding authentication, the technical design might specify the use of one-time passwords. Technical designs are usually based on one of two stances: permit any service unless it is expressly denied, or deny any service unless it is expressly permitted. The latter is clearly the more secure of the two.

iii) The firewall system, which is the hardware and software that implements the firewall. Typical firewall systems comprise an IP packet filtering router and a host computer (sometimes called a bastion host or application gateway) running application filtering and authentication software.

Why Firewalls?

• Prevent denial of service attacks. Example: SYN flooding, in which an attacker opens many bogus half-open TCP connections so that no resources are left for real connections.
• Prevent illegal modification of or access to internal data. Example: an attacker replaces an organisation's public homepage with something else.
• Allow only authorised access to the inside network (a set of authenticated users and hosts).

There are three types of firewall: packet filters, stateful filters and application layer gateways. A bastion host, described afterwards, is the hardened machine on which an application layer gateway is usually run.

Packet Filter

An IP packet filter firewall decides whether to forward or drop each packet according to the information in the packet's headers. Packet filters act by inspecting the packets transferred between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it and send an error response to the source). This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection state). Instead, it filters each packet based only on information contained in the packet itself.
Packet filtering firewalls work mainly at layer 3 (network) of the OSI reference model, with a small amount of peeking into layer 4 (transport) to read the source and destination port numbers.

Figure 2: Packet Filtering Firewall.

Stateful Filters

Stateful filters introduce stateful inspection packet filtering. These firewalls perform the work of their first-generation predecessors but operate up to layer 4 (transport layer) of the OSI model. This is achieved by retaining enough information about the packets seen so far to make a judgement about a connection's state. Known as stateful packet inspection, it records all connections passing through it and determines whether a packet is the start of a new connection, part of an existing connection, or not part of any connection. Static rules are still used, but these rules can now contain connection state as one of their test criteria. The state table is itself a target: certain DoS attacks bombard the firewall with thousands of fake connection packets to overwhelm it by filling its connection state memory.

Figure 3: Stateful Inspection Firewall.
Application Layer

Application layer filtering can "understand" certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS) or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect whether an unwanted protocol is attempting to bypass the firewall on an allowed port, or whether a protocol is being abused in a harmful way. The deep packet inspection functionality of modern firewalls can be shared with intrusion prevention systems (IPS).

Figure 4: Application level gateway Firewall.

Bastion Host Firewall

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. A firewall operating at the application layer (layer 5 of the Internet model, layer 7 of the ISO model) is sometimes called a bastion host, application gateway, proxy server or guardian system. Its purpose is to filter the service provided by the application. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily because of its location and purpose, which is either outside the firewall or in the DMZ, and usually involves access from untrusted networks or computers.

Figure 5: Bastion Host Firewall.
Literature Review

The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s. Events of that period that shaped the field:

• Clifford Stoll's discovery of German spies tampering with his system.
• Bill Cheswick's "An Evening with Berferd" (1992), in which he set up a simple electronic "jail" to observe an attacker.
• In 1988, an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read, "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames."
• The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large-scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

First generation: Packet filters

The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what is now a highly involved and technical Internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based on their original first-generation architecture.

Packet filters act by inspecting the packets which are transferred between computers on the Internet.
If a packet matches the packet filter's set of filtering rules, the packet filter drops or rejects it, as described in the Introduction; it decides on each packet alone, most commonly using a combination of the packet's source and destination address, its protocol and, for TCP and UDP traffic, the port number. TCP and UDP constitute most communication over the Internet, and because TCP and UDP traffic by convention uses well-known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission and file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

When a packet passes through a packet filtering firewall, the device checks it against the configured filtering rules and drops or rejects it accordingly, filtering on a protocol/port-number basis. For example, if a rule exists to block telnet access, the firewall blocks TCP traffic to port number 23.

Second generation: "Stateful" filters

From 1989 to 1990 three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level gateways. Second-generation firewalls perform the work of their first-generation predecessors but operate up to layer 4 (transport layer) of the OSI model: they record the connections passing through them, classify each packet as the start of a new connection, part of an existing connection or part of no connection, and let static rules use that connection state as a test criterion. Certain denial-of-service attacks bombard the firewall with thousands of fake connection packets in an attempt to overwhelm it by filling its connection state memory.
Third generation: application layer

Marcus Ranum, Wei Xu and Peter Churchyard developed an application firewall known as the Firewall Toolkit (FWTK). In June 1994, Wei Xu extended the FWTK with a kernel enhancement for IP filtering and socket transparency. This was known as the first transparent application firewall, released as the commercial Gauntlet firewall at Trusted Information Systems. The Gauntlet firewall was rated among the top firewalls during 1995–1998. The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as FTP, DNS or HTTP), so it can detect whether an unwanted protocol is attempting to bypass the firewall on an allowed port, or whether a protocol is being abused in a harmful way. As of 2012, the so-called next-generation firewall (NGFW) is essentially a wider or deeper inspection of the application stack. For example,
the existing deep packet inspection functionality of modern firewalls can be extended to include i) intrusion prevention systems (IPS); ii) user identity integration (binding user IDs to IP or MAC addresses for "reputation"); and/or iii) a web application firewall (WAF). WAFs can in turn be fingerprinted by an attacker, for example with the tool WAFFle ("WAF Fingerprinting utilizing timing side channels").

Study

Penetration of Firewall

Attacking a packet filtering firewall:
• IP address spoofing attack
• Denial-of-service attack
• Tiny fragment attack
• Trojan attack

Attacking a stateful inspection firewall:
• Protocol tunneling
• Trojan rebound (a Trojan inside the network initiates the connection outward, so the replies look like established traffic)

Attacking a proxy:
• Unauthorised web access
• Unauthorised SOCKS access
• Unauthorised telnet access

Penetration of Firewall using WinGate

WinGate is integrated gateway management software for Microsoft Windows, providing web caching, firewall and NAT services, along with a number of integrated proxy servers and also email services (SMTP, POP3 and IMAP servers). WinGate 1.0 was first released on 5 October 1995, and was a rewrite of a product that had been previously released in prototype form by Adrien de Croy under the name SocketSet earlier that year. WinGate proved very popular, and by the mid to late 1990s it was almost ubiquitous in homes and small businesses that needed to share a single Internet connection between multiple networked computers. The introduction of Internet Connection Sharing in Windows 98, combined with the increasing availability of cheap NAT-enabled routers, forced WinGate to evolve to provide more than just Internet connection sharing. Today the focus of WinGate is primarily access control, email server, caching, reporting, bandwidth management and content filtering. WinGate comes in three versions: Standard, Professional and Enterprise. The Enterprise edition also provides an easily configured virtual private network system, which is also available separately as WinGate VPN.
Licensing is based on the number of concurrently connected users, and a range of licence sizes is available. Multiple licences can also be aggregated. The current version of WinGate at the time of writing is version 8.0.5 (released 5 December 2013).

Figure 6: WinGate.

Hardware Firewall vs Software Firewall

• Hardware firewalls are built into dedicated devices such as routers, whereas software firewalls are programs installed on individual computers.
• Hardware firewalls protect a whole network, while software firewalls protect only the computers on which they are installed.
• Hardware firewalls typically filter web traffic by default, while software firewalls may not filter web traffic unless web filtering controls are enabled.
• A hardware firewall can be configured to use a proxy service for filtering, while a software (host) firewall typically filters without a proxy.
Firewall Analysis

Understanding the deployed firewall policy can be a daunting task. Administrators today have no easy way of answering questions such as "can I telnet from here to there?", "from which machines can our DMZ be reached, and with which services?", or "what will be the effect of adding this rule to the firewall?". These are basic questions that administrators need to answer regularly in order to perform their jobs and, sometimes more importantly, in order to explain the policy and its consequences to their management. There are several reasons why this task is difficult:

1. Firewall configuration languages tend to be arcane, very low level and highly vendor specific.
2. Vendor-supplied GUIs require their users to click through several windows in order to fully understand even a single rule: at a minimum, the user needs to check the IP addresses of the source and destination fields, and the protocols and ports underlying the service field.
3. Firewall rule-bases are sensitive to rule order. Several rules may match a particular packet, and usually the first matching rule is applied, so changing the rule order, or inserting a correct rule in the wrong place, may lead to unexpected behaviour and possible security breaches.
4. Alternating PASS and DROP rules create rule-bases with complex interactions between different rules. What policy such a rule-base is enforcing is hard for humans to comprehend when there are more than a handful of rules.

Firewall Policies

To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.
Policy Actions

Packets flowing through a firewall can have one of three outcomes:
• Accepted: permitted through the firewall.
• Dropped: not allowed through, with no indication of failure sent to the source.
• Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected.

Blacklists and Whitelists

There are two fundamental approaches to creating firewall policies (or rulesets) to minimise exposure to the outside world while maintaining the desired functionality for the machines in the trusted internal network (or an individual computer).
• Blacklist approach: all packets are allowed through except those that match the rules defined in a blacklist (default-allow). This configuration is more flexible in ensuring that service to the internal network is not disrupted by the firewall, but every threat the list does not name gets through.

Figure 7: Black list firewall approach.

• Whitelist approach: the safer approach to defining a firewall ruleset is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.

Figure 8: White list firewall approach.
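As an added example (not part of the original case study), the following Python script performs the kind of rule-base analysis that points 3 and 4 under Firewall Analysis call for: it reports rules that can never be the first match under first-match semantics, and predicts the effect of inserting a rule at a given position. The rule fields, the sample rule-base and its subnet addresses are assumptions made for this illustration.

```python
# Added example, not code from the case study: a small rule-base analyser for
# the two difficulties named under Firewall Analysis, rule-order sensitivity and
# the interaction of alternating PASS and DROP rules. It finds rules that can
# never fire because an earlier rule already covers every packet they describe,
# and answers "what is the effect of adding this rule here?". The rule fields
# and the sample rule-base are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "accept" or "drop"
    src: str           # CIDR prefix
    dst: str           # CIDR prefix
    proto: str         # "tcp", "udp" or "any"
    ports: tuple       # inclusive destination port range (low, high)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def analyse(rules):
    """Return (index, earlier_index, kind) for every rule that can never be the
    first match. kind is "shadowed" when the earlier rule takes the opposite
    action (the policy silently differs from what the rule's author intended)
    and "redundant" when it takes the same action. The earliest covering rule
    is reported, since with first-match semantics that is the one that fires."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j].covers(rule):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


def insert_effect(rules, pos, new):
    """Findings that involve `new` if it is inserted at position `pos`: later
    rules it would shadow or make redundant, or the earlier rule that kills it."""
    trial = rules[:pos] + [new] + rules[pos:]
    return [f for f in analyse(trial) if pos in (f[0], f[1])]


ALL = "0.0.0.0/0"
# Constructed rule-base for a site with an admin subnet 10.1.0.0/16 and a DMZ
# 192.0.2.0/24. The last rule is the default-deny of the whitelist approach.
RULES = [
    Rule("accept", "10.0.0.0/8", ALL, "tcp", (80, 80)),                 # 0: web out
    Rule("drop", ALL, ALL, "tcp", (23, 23)),                             # 1: no telnet
    Rule("accept", "10.1.0.0/16", "192.0.2.0/24", "tcp", (1, 65535)),   # 2: admins to DMZ
    Rule("accept", "10.1.2.0/24", "192.0.2.10/32", "tcp", (23, 23)),    # 3: dead: rule 1 wins
    Rule("accept", "10.1.3.0/24", "192.0.2.0/24", "tcp", (443, 443)),   # 4: already in rule 2
    Rule("drop", ALL, ALL, "any", (0, 65535)),                           # 5: default deny
]

if __name__ == "__main__":
    for i, j, kind in analyse(RULES):
        print(f"rule {i} is {kind} by rule {j}: {RULES[i]} / {RULES[j]}")
    fix = Rule("accept", "10.1.2.0/24", "192.0.2.10/32", "tcp", (23, 23))
    print("insert after the telnet drop: ", insert_effect(RULES, 2, fix))
    print("insert before the telnet drop:", insert_effect(RULES, 1, fix))
```

Running it reports rule 3 as shadowed by rule 1 (the accept for telnet to the DMZ host sits after the global telnet drop, so it never fires) and rule 4 as redundant with rule 2. Inserting the same telnet rule before the drop instead makes the old rule 3 redundant and, more importantly, changes the enforced policy to permit that telnet path, which is exactly the "correct rule in the wrong place" problem. The analyser only detects full coverage; a complete tool must also examine rules that merely partly overlap an earlier rule.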
Methodology

Design Principles of Firewall

i. Packet Filtering Firewall

Allow packets that match the established rule set to pass and deny packets that violate it; at the same time, record a log message and alert the administrator when a policy has been violated.

Working of Packet Filtering Firewall

• A packet filter has a set of rules with accept or deny actions.
• Decisions are based on the information contained in the packet itself.
• Different fields in the packet header are used to filter, including the packet's source and destination address, its protocol, port numbers and so on.
• When the packet filter receives a packet, it compares the packet to the pre-configured rule set.
• At the first match, the packet filter either accepts or denies the packet.

Figure 9: Working of Packet Filtering Firewall.
A packet filtering router should be able to filter IP packets and decide to forward or drop them based on the following fields:

• source IP address, destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits

Filtering is used to:

• block connections from specific hosts or networks
• block connections to specific hosts or networks
• block connections to specific ports
• block connections from specific ports

Example 1: block incoming and outgoing datagrams whose IP protocol field is 17 (UDP), and block incoming and outgoing datagrams with either source or destination port 23. Result: all incoming and outgoing UDP flows and all telnet connections are blocked.

Example 2: block inbound TCP segments with ACK=0. This prevents external clients from making TCP connections to internal hosts (a connection request is a segment with SYN=1 and ACK=0), but allows internal clients to connect to the outside, because every segment returning to them has ACK=1.

Advantages
• High speed
• Transparent to the users

Disadvantages
• Cannot filter on the content (payload) of the packet
• Offers only brief log messages
• Every port that may be used must be open to the external network, which increases the risk of attack
• Access control lists (ACLs) are difficult to configure correctly
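The following Python script is an added example, not code from the case study: it implements a stateless packet filter over the header fields listed above, first match wins, and encodes Example 1 and Example 2 as rules. The Packet and Rule field names and the sample traffic (an inside host 10.0.0.5 and an outside host 203.0.113.7) are assumptions made for this illustration.

```python
# Added example, not code from the case study: a stateless packet filter that
# applies an ordered rule set (first match wins) to the header fields the text
# lists, and a rule set encoding Example 1 and Example 2 above. The Packet and
# Rule field names and the sample packets are this example's own assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard: the rule does not test this field


@dataclass
class Packet:
    direction: str           # "in" = arriving from the Internet, "out" = leaving
    proto: int               # IP protocol field: 1 = ICMP, 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False        # TCP flag bits; meaningless for non-TCP
    ack: bool = False
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str              # "accept", "drop" or "reject"
    direction: Optional[str] = ANY
    proto: Optional[int] = ANY
    src: Optional[str] = ANY          # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY
    syn: Optional[bool] = ANY
    ack: Optional[bool] = ANY
    icmp_type: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        """True when every field the rule specifies agrees with the packet."""
        if self.src is not ANY and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not ANY and ip_address(p.dst) not in ip_network(self.dst):
            return False
        for name in ("direction", "proto", "sport", "dport", "syn", "ack", "icmp_type"):
            wanted = getattr(self, name)
            if wanted is not ANY and getattr(p, name) != wanted:
                return False
        return True


def filter_packet(rules, p: Packet, default: str = "drop") -> str:
    """Stateless decision: the first matching rule decides; with no match the
    default policy applies ("drop" = the whitelist / default-deny approach)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Example 1: block all UDP, and block telnet (port 23) in either direction.
# Example 2: block inbound TCP segments with ACK=0, i.e. connection requests
# from outside; replies to inside-initiated connections carry ACK=1 and pass.
RULES = [
    Rule("drop", proto=17),
    Rule("drop", proto=6, sport=23),
    Rule("drop", proto=6, dport=23),
    Rule("drop", direction="in", proto=6, ack=False),
    Rule("accept"),                      # everything else (a blacklist stance)
]

# Constructed sample traffic: inside host 10.0.0.5, outside host 203.0.113.7.
dns_out = Packet("out", 17, "10.0.0.5", "203.0.113.7", 51000, 53)
telnet_out = Packet("out", 6, "10.0.0.5", "203.0.113.7", 51001, 23, syn=True)
web_out = Packet("out", 6, "10.0.0.5", "203.0.113.7", 51002, 80, syn=True)
web_reply = Packet("in", 6, "203.0.113.7", "10.0.0.5", 80, 51002, syn=True, ack=True)
ssh_in = Packet("in", 6, "203.0.113.7", "10.0.0.5", 51003, 22, syn=True)
# Weakness of Example 2: a crafted packet with ACK set but belonging to no
# connection (an "ACK scan") is indistinguishable from a genuine reply.
ack_scan = Packet("in", 6, "203.0.113.7", "10.0.0.5", 51004, 22, ack=True)

SAMPLE_NAMES = ["dns_out", "telnet_out", "web_out", "web_reply", "ssh_in", "ack_scan"]


def decisions():
    """Decision for each sample packet, in the order of SAMPLE_NAMES."""
    samples = [dns_out, telnet_out, web_out, web_reply, ssh_in, ack_scan]
    return [filter_packet(RULES, p) for p in samples]


if __name__ == "__main__":
    for name, verdict in zip(SAMPLE_NAMES, decisions()):
        print(f"{name:12s} -> {verdict}")
```

The last sample shows the limit of Example 2: a stateless filter cannot tell a genuine reply from a crafted packet that merely has the ACK bit set, which is the gap the stateful inspection firewall described next closes.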
ii. Stateful Inspection Firewall

A stateful inspection firewall is a firewall that monitors the state of each connection and compiles the information in a state table.

Working of Stateful Inspection Firewall

Stateful packet inspection (SPI), or stateful inspection, keeps track of the state of the network connections (such as TCP streams and UDP exchanges) travelling across the firewall. The firewall is programmed to distinguish legitimate packets for different types of connection. Only packets matching a known active connection, or explicitly permitted to open a new one, are allowed by the firewall; others are rejected.

Figure 10: Working of Stateful Inspection Firewall.

Advantages
• Safer than static packet filtering
• Better performance than static packet filtering

Disadvantages
• Security is still limited, because packet payloads are not inspected
• Tracking more state demands more memory and processing from the firewall
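The following Python script is an added example, not the case study's own code: a minimal stateful inspection engine that creates a table entry from the TCP handshake, admits inbound packets only when they belong to a tracked connection (or open a published service), and caps half-open entries to show how a SYN flood aimed at the state table causes collateral denial of service. Packet fields, state names, the published-service list and the traffic in demo() are assumptions made for this illustration; a production tracker also expires entries by timer and handles UDP and ICMP pseudo-connections.

```python
# Added example, not code from the case study: a minimal stateful inspection
# engine. It keeps a table of TCP connections, admits inbound packets only
# when they belong to a tracked connection (or open a published service), and
# caps half-open entries to show why the state table is a denial-of-service
# target. Packet fields, state names and the sample traffic are this example's
# own assumptions; a real tracker also ages entries out by timer.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" = inside -> Internet, "in" = Internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    def __init__(self, published=frozenset(), max_half_open=1000):
        self.published = set(published)   # {(inside_ip, port)} reachable from outside
        self.max_half_open = max_half_open
        self.table = {}                   # key -> (state, initiating direction)

    @staticmethod
    def key(p: Pkt):
        """Canonical key (inside endpoint, outside endpoint) for both directions."""
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def half_open(self) -> int:
        return sum(1 for state, _ in self.table.values() if state == "SYN_SENT")

    def _open(self, p: Pkt, k) -> str:
        # Only a bare SYN may create state; anything else without a matching
        # entry (stray ACK, SYN-ACK, data, the ACK-scan trick) is dropped.
        if not (p.syn and not p.ack):
            return "drop"
        if p.direction == "in" and (k[0], k[1]) not in self.published:
            return "drop"                 # default-deny for unsolicited inbound
        if self.half_open() >= self.max_half_open:
            return "drop"                 # table full: new connections fail
        self.table[k] = ("SYN_SENT", p.direction)
        return "accept"

    def process(self, p: Pkt) -> str:
        k = self.key(p)
        if k not in self.table:
            return self._open(p, k)
        state, initiator = self.table[k]
        if state == "SYN_SENT":
            if p.syn and p.ack and p.direction != initiator:
                self.table[k] = ("ESTABLISHED", initiator)
                return "accept"
            # a retransmitted SYN from the initiator is fine; anything else is not
            return "accept" if (p.direction == initiator and p.syn) else "drop"
        if p.rst:
            del self.table[k]
            return "accept"
        if p.fin:
            if state == "CLOSING":
                del self.table[k]         # second FIN: both sides are done
            else:
                self.table[k] = ("CLOSING", initiator)
        return "accept"


def demo():
    """Constructed scenario: an ACK scan, one legitimate outbound web session,
    and a spoofed SYN flood against a published web server that exhausts a
    deliberately tiny state table. Returns the verdict sequence."""
    fw = StatefulFirewall(published={("10.0.0.80", 80)}, max_half_open=2)
    inside, outside, server = "10.0.0.5", "203.0.113.7", "10.0.0.80"
    verdicts = []
    # ACK scan before any connection exists: no state, so it is dropped here,
    # unlike under a stateless "inbound ACK=0" rule.
    verdicts.append(fw.process(Pkt("in", outside, 4000, inside, 22, ack=True)))
    # Inside client opens a connection; the handshake builds the table entry.
    verdicts.append(fw.process(Pkt("out", inside, 5000, outside, 80, syn=True)))
    verdicts.append(fw.process(Pkt("in", outside, 80, inside, 5000, syn=True, ack=True)))
    verdicts.append(fw.process(Pkt("out", inside, 5000, outside, 80, ack=True)))
    verdicts.append(fw.process(Pkt("in", outside, 80, inside, 5000, ack=True)))
    # SYN flood from spoofed sources fills the half-open budget ...
    for i in range(3):
        verdicts.append(fw.process(Pkt("in", f"198.51.100.{i}", 6000, server, 80, syn=True)))
    # ... after which even a legitimate new outbound connection is refused.
    verdicts.append(fw.process(Pkt("out", inside, 5001, outside, 443, syn=True)))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Compare the first verdict with the stateless packet filter: the same ACK scan that slipped past an "inbound ACK=0" rule is dropped here because no connection entry exists. The last two verdicts show the disadvantage named above in action: once spoofed SYNs fill the (deliberately tiny) half-open budget, a legitimate inside client is refused as well, which is why real implementations combine a large table with aggressive timeouts for half-open entries.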
iii. Application Layer Gateway (ALG, or Proxy Server)

Responsible for the communication between the external network and the internal network. When users intend to communicate, they do not communicate directly; the proxy forwards on their behalf.

Working of Application Layer Gateway (ALG, or Proxy Server)

Figure 11: Working of ALG Firewall.

Functions offered by a proxy
• Authentication mechanism
• Content filtering
• Detailed logging

Advantages
• Accelerates the network through its cache
• Hides the internal network from outside probing
• Filters the content of packets effectively
• Reduces direct attacks on the internal network
• No IP address spoofing attack, since external hosts only ever talk to the proxy
• Detailed logging

Disadvantages
• Each service needs its own proxy
• Too much access delay when the proxy server is busy
• Opaque (not transparent) to users
• Slower than a packet filtering firewall
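As an added example (not the case study's code), the following Python function performs the kind of check an application layer gateway makes that a packet filter cannot: it parses the start of a client's HTTP request, rejects any other protocol arriving on the web port, refuses CONNECT tunnels to anything but the TLS port, and enforces an allowed-host list. The request samples, the allowed-host list and the permitted-method set are assumptions made for this illustration.

```python
# Added example, not code from the case study: the kind of check an application
# layer gateway performs that a packet filter cannot. It looks at the start of a
# client's TCP stream arriving on the allowed web port and rejects protocols
# that are not HTTP riding on that port, CONNECT tunnels to anything but the
# TLS port, disallowed methods and hosts outside the allowed list. The sample
# payloads and the allowed-host list are constructed for this example.
import re

REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
PERMITTED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def parse_headers(raw: bytes) -> dict:
    """Header block -> {lower-cased name: value}; later duplicates win."""
    headers = {}
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_http(payload: bytes, allowed_hosts) -> tuple:
    """Verdict for the first bytes of a stream: ("accept", why) or ("reject", why)."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return ("reject", "not an HTTP request line: another protocol on port 80")
    method, target = m.group(1), m.group(2)
    head_end = payload.find(b"\r\n\r\n")
    if head_end == -1:
        return ("reject", "header block not terminated")  # a real proxy would buffer more
    headers = parse_headers(payload[m.end():head_end])
    if method == b"CONNECT":
        # CONNECT opens an opaque tunnel; only allow it towards the TLS port,
        # otherwise any protocol could be smuggled through the proxy.
        host, _, port = target.rpartition(b":")
        if port != b"443":
            return ("reject", "CONNECT tunnel to non-TLS port " + port.decode(errors="replace"))
    elif method not in PERMITTED_METHODS:
        return ("reject", "method not permitted: " + method.decode())
    else:
        host = headers.get(b"host", b"").split(b":")[0]
    host_name = host.decode(errors="replace").lower()
    if host_name not in allowed_hosts:
        return ("reject", "host not on the allowed list: " + (host_name or "<missing>"))
    return ("accept", method.decode() + " to " + host_name)


ALLOWED_HOSTS = {"www.example.com"}

# Constructed stream openings as they would arrive on TCP port 80.
SAMPLES = {
    "plain web request": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh on port 80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "tunnel to ssh": b"CONNECT 203.0.113.5:22 HTTP/1.1\r\nHost: 203.0.113.5:22\r\n\r\n",
    "tls to allowed host": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "unlisted host": b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
    "odd method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def verdicts() -> dict:
    """Verdict ("accept" or "reject") per sample name."""
    return {name: inspect_http(data, ALLOWED_HOSTS)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = inspect_http(data, ALLOWED_HOSTS)
        print(f"{name:22s} {verdict:7s} {why}")
```

The SSH banner on port 80 and the CONNECT to port 22 are the "unwanted protocol on an allowed port" and "protocol being abused" cases from the Application Layer section; a packet filter, seeing only destination port 80, would have accepted both.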
iv. Bastion Host Firewall

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily because of its location and purpose, which is either outside the firewall or in the DMZ, and usually involves access from untrusted networks or computers.

Figure 12: Working of Bastion host Firewall.

Placement of Bastion hosts

There are two common network configurations that include bastion hosts. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall and an inside firewall, in a demilitarised zone (DMZ). Smaller networks often do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.

Bastion hosts are related to multi-homed hosts and screened hosts. While a dual-homed host often contains a firewall, it is also used to host other services. A screened host is a dual-homed host that is dedicated to running the firewall.

Figure 13: Internal Bastion host.
Figure 14: External Bastion host.
Firewall Configurations

i. The Dual Homed Gateway

This is a secure firewall design comprising an application gateway and a packet filtering router. It is called "dual homed" because the gateway has two network interfaces, one attached to the Internet, the other to the organisation's network. Only applications with proxy services on the application gateway are able to operate through the firewall. Since IP forwarding is disabled in the host, IP packets must be directed to one of the proxy servers on the host, or be rejected. Some manufacturers build the packet filtering capability and the application proxies into one box, thereby simplifying the design (but removing the possibility of having an optional information server and modems attached to the screened subnet; see Figure 15). The disadvantages of the dual homed gateway are that it may be a bottleneck to performance, and it may be too secure for some sites (!), since it is not possible to let trusted applications bypass the firewall and communicate directly with peers on the Internet: they must have a proxy service in the firewall.

Figure 15: Dual Homed Gateway Firewall.

ii. The Screened Host Gateway

The screened host gateway is similar to the above, but more flexible and less secure, since trusted traffic may pass directly from the Internet into the private network, thereby bypassing the application gateway. In this design the application gateway only needs a single network connection. The IP router will normally be configured to pass Internet traffic to the application gateway or to reject it. Traffic from the corporate network to the Internet will also be rejected, unless it originates from the application gateway. The only exception to these rules will be for trusted traffic that is allowed straight through.

Figure 16: The screened host gateway Firewall.
iii. The Screened Subnet Gateway

This configuration creates a small isolated network between the Internet and the corporate network, which is sometimes referred to as the demilitarised zone (DMZ); see Figure 17. The advantages of this configuration are that multiple hosts and gateways can be stationed in the DMZ, thereby achieving a much greater throughput to the Internet than the other configurations, and that the configuration is very secure, as two packet filtering routers protect the corporate network. The IP router on the Internet side will only let through Internet traffic that is destined for a host in the DMZ (and vice versa). The IP router on the corporate network side will only let site traffic pass to a host in the DMZ (and vice versa). This system is as secure as the dual homed gateway, but it is also possible to allow trusted traffic to pass straight through the DMZ if required. This configuration is of course more expensive to implement!

Figure 17: The Screened Subnet Gateway Firewall.

iv. Double Proxying and a DMZ

The configuration shown in Figure 18 is even more secure than the screened subnet seen in the previous section. It is used by a bank to protect its internal network from direct access from the Internet. Users from the Internet have to pass through two application proxies before they can access the bank's intranet. This shows that there really is no limit to how complex a firewall configuration can be. The only limitations are the cost and performance implications of building ultra-secure firewall configurations.

Figure 18: Double Proxying and a DMZ Firewall.
Reviews

In short, firewalls are necessary. Without a firewall, an Internet-connected PC would not last many minutes before succumbing to an attack. Ever since Vista, Windows operating systems have included a capable two-way firewall, which means it can protect against things trying to attack from the outside and against things already inside trying to connect back out to their senders. Many people are content to run the Windows firewall, and there is nothing wrong with that. However, some people prefer a firewall from the same publisher that sells their security software.

Figure 19: The firewall.
Conclusions

What a firewall can do:
• Packet inspection
• Connection and state tracking (stateful packet inspection)
• Protect internal hosts from the risk of direct interaction, insulating a protected host from threats by ensuring that an external host can never directly communicate with it
• Protect resources from threats; protected resources should nevertheless always be kept patched and up to date, because a firewall is not a substitute for that
• Record all communications, especially access policy violations, through the system log or a proprietary logging format
• Raise an alarm when a policy has been violated

References

1. David W. Chadwick, Network Firewall Technologies. IS Institute, University of Salford, Salford, M5 4WT, England.
2. Avishai Wool, Packet Filtering and Stateful Firewalls. School of Electrical Engineering.
3. KAIST, Dept. of EECS.
4. http://en.wikipedia.org/wiki/Firewall_(computing)
5. http://my.ss.sysu.edu.cn/WebSec/download/chap6.pdf
6. http://en.wikipedia.org/wiki/WinGate