FIREWALL
BY
Dinah Dennis, Lakshmi Shetty & Haider Naqvi
Firewall
Firewalls are systems that establish access control policies among networks. They can
block information from entering a network or from leaving it, and they can permit
different users to perform different kinds of operations, according to each user's
authorizations.
What is an Internet firewall?
Firewalls are a very effective type of network security. A firewall prevents the dangers
of the Internet from spreading to your internal network; this is achieved by physically
blocking all access to the local network except via the firewall. Firewalls are systems
that establish access control policies among networks. Various types of firewalls are
used, and they implement various types of security policies.
[Figure: Internal Network - Firewall - Internet - External Network]
An Internet firewall is most often installed at the point where your protected internal
network connects to the Internet.
All traffic coming from the Internet or going out from your internal network passes
through the firewall. Since the traffic passes through it, the firewall has the opportunity
to make sure that this traffic is acceptable.
What does "acceptable" mean to the firewall? It means that whatever is being done
(email, file transfers, remote logins, or any kind of specific interaction between specific
systems) conforms to the security policy of the site.
Logically, a firewall is a separator and an analyzer. The physical implementation of the
firewall varies from site to site. Most often, a firewall is a set of hardware components: a
router, a host computer, or some combination of routers, computers and networks with
appropriate software.
Characteristics of a Firewall
There are four general techniques that firewalls use to control access:
Service control – determines the types of Internet services that can be accessed
inbound and outbound. The firewall filters traffic on the basis of IP address and TCP
port number.
Direction control – determines the direction in which particular services requests may be
initiated and allowed to flow through the firewall.
User Control – controls access to a service according to which user is attempting to
access it. This is applied to users inside the firewall and to incoming traffic from
external users.
Behavior Control – controls how particular services are used, for example filtering
email to eliminate spam, or enabling external access to information on a local Web server.
What can a Firewall do?
A firewall is a focus for security decisions
Think of a firewall as a choke point. A firewall gives you enormous leverage for network
security because it lets you concentrate your security measures on this choke point – the
point where your network connects to the Internet.
A firewall can enforce a security policy
Many of the services that people want from the Internet are inherently insecure. The
firewall is the traffic cop for these services. It enforces the site’s security policy, allowing
only “approved” services to pass through and those only within the rules set up for them.
A firewall can log Internet activity efficiently
Because all traffic passes through the firewall, the firewall provides a good place to
collect information about system and network use, and misuse. As a single point of
access, the firewall can record what occurs between the protected network and the
external network.
A firewall limits your exposure
A firewall can be used to keep one section of your site’s network separate from another
section. By doing this, you keep problems that impact one section from spreading
through the entire network.
Information systems have evolved from mainframes to LANs of PCs, to WANs, and now
to the Internet. Internet access was first a privilege for employees; now it is essential. It
enables an organization to interact with the outside world, and at the same time it allows
the outside world to interact with the organization. No one can deny the Internet's
usefulness, but it also presents threats.
There are two choices for protecting an organization from Internet threats. The first is to
equip each computer on the network with the latest operating system patches and make
sure each computer on the network is secure, in other words that file security and other
security settings are set up correctly. This is not feasible in large organizations.
The other alternative is to create border security. In the literature, network security is
compared with a country's border security. The famous Chinese general Sun Tzu said, “On
the day that you take up your command block the frontier passes, destroy the official
tallies, stop the passage of emissaries”. So if you are a network administrator, on the day
you get the responsibility, install a firewall if one is not already installed. Just as nations
without a controlled border cannot ensure the security and safety of their citizens, nor
prevent piracy and theft, networks without controlled access cannot ensure the security or
privacy of stored data, nor can they keep network resources from being exploited by hackers.
How do firewalls provide border security? Firewalls inspect, and approve or reject, each
connection attempt made between the organization's network and the Internet. By their
nature, firewalls create a bottleneck, but given the speed of modern computers compared
to the speed of leased lines, the latency caused by a firewall can be completely transparent.
There are hundreds of firewall products, ranging from software to hardware solutions.
Strong firewalls protect networks at all software layers, from the data link layer up through
the application layer. All firewalls should provide the following three fundamental services:
Packet Filtering – rejects TCP/IP packets from unauthorized hosts and rejects
connection attempts to unauthorized services.
Network Address Translation (NAT) – Translates the IP address of internal hosts
to hide them from outside monitoring. NAT is also called IP masquerading.
Proxy services – Makes application-level connections on behalf of internal hosts.
Types of Firewall:
A firewall, which acts as an intermediary between your users and the Internet, comes in
three varieties: packet-level (packet filter, or network-level) firewalls, circuit-level
gateways, and proxy-based (application-level) gateways.
There are also hybrid firewalls, which can be combinations of all three, and the newest
type of firewall, called stateful inspection.
Packet-level Firewalls :
These examine all data traveling between your local LAN and the Internet. Using a
preprogrammed set of rules, a packet-filtering router applies the rules to each incoming
IP packet and then forwards or discards the packet. The router is typically configured to
filter packets going in both directions. Filtering rules are based on fields in the IP and
transport headers, including source and destination IP address, the IP protocol field and
the TCP or UDP port number. If there is a match to one of the rules, that rule is invoked
to determine whether to forward or discard the packet. If there is no match to any rule,
then a default action is taken. Two default policies are possible:
Default = discard: that which is not expressly permitted is prohibited.
Default = forward: that which is not expressly prohibited is permitted.
A simple router is the "traditional" network level firewall, since it is not able to make
particularly sophisticated decisions about what a packet is actually talking to or where it
actually came from. Modern network level firewalls have become increasingly
sophisticated, and now maintain internal information about the state of connections
passing through them, the contents of some of the data streams, and so on. One thing
that's an important distinction about many network level firewalls is that they route traffic
directly through them, so to use one you usually need to have a validly assigned IP
address block.
Advantage:
Network level firewalls tend to be very fast and simple, and tend to be very transparent to
users.
Disadvantage:
Difficulty of setting up packet filter rules correctly, and lack of authentication.
Attacks that can be made on packet-filtering routers, and the countermeasures, are:
IP address spoofing: the intruder transmits packets from the outside with a source
IP address field containing an address of an internal host. The attacker hopes that the
use of a spoofed address will allow penetration of systems that employ simple source
address security, in which packets from specific trusted internal hosts are accepted.
The countermeasure is to discard packets with an inside source address if the
packet arrives on an external interface.
Source routing attacks
Tiny fragment attacks
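As an added illustration of the filtering rules and of the anti-spoofing countermeasure above (this is not code from the paper), the following Python implements a first-match packet filter with both default policies. The protected network 192.168.1.0/24, the rule set and the sample packets are assumptions constructed for the example; it goes slightly beyond the text in that a rule may also match on the arrival interface and on a CIDR range rather than a single address.

```python
"""Packet-filter rule engine (added example, not code from the paper).

First-match rules are evaluated over the header fields the text names
(protocol, source/destination address, destination port) plus the arrival
interface. The anti-spoofing countermeasure runs before the rule walk:
a packet arriving on the external interface with an internal source
address is discarded whatever the rules say. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed protected network


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface it arrived on: "external" or "internal"
    proto: str                   # IP protocol field: "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # TCP/UDP destination port (None for ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    iface: Optional[str] = None  # any field left as None matches everything
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "203.0.113.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet,
                  default: str = "discard") -> Tuple[str, str]:
    """Return (action, reason) for one packet.

    Spoof check first, then the rules in order (first match wins), then the
    default policy: "discard" = not expressly permitted is prohibited,
    "forward" = not expressly prohibited is permitted.
    """
    if pkt.iface == "external" and ip_address(pkt.src) in INTERNAL_NET:
        return "discard", "spoofed internal source address on external interface"
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {index}"
    return default, f"default={default}"


# Constructed policy: the only inbound service is a web server on
# 192.168.1.10; internal hosts may open outbound HTTP and SMTP connections.
RULES = [
    Rule("forward", iface="external", proto="tcp", dst="192.168.1.10/32", dport=80),
    Rule("forward", iface="internal", proto="tcp", src="192.168.1.0/24", dport=80),
    Rule("forward", iface="internal", proto="tcp", src="192.168.1.0/24", dport=25),
]

if __name__ == "__main__":
    samples = [
        Packet("external", "tcp", "203.0.113.5", "192.168.1.10", 80),   # allowed web
        Packet("external", "tcp", "203.0.113.5", "192.168.1.10", 23),   # telnet, no rule
        Packet("external", "tcp", "192.168.1.7", "192.168.1.10", 80),   # spoofed source
        Packet("internal", "tcp", "192.168.1.7", "198.51.100.20", 25),  # outbound mail
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(RULES, pkt))
```

The spoof check is deliberately placed before the rule walk: if it were an ordinary rule, a later or misordered "forward" rule could still let the packet through, which is the rule-ordering difficulty the Disadvantage paragraph alludes to.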
Circuit-level gateways :
This can be a standalone system, or it can be a specialized function performed by an
application-level gateway for certain applications. It does not permit an end-to-end TCP
connection; rather, the gateway sets up two TCP connections, one between itself and a
TCP user on an inner host and one between itself and a TCP user on an outside
host. Once the two connections are established, the gateway typically relays TCP segments
from one connection to the other without examining the contents. Unlike most packet filters,
connections passing through a circuit-level gateway appear to the remote machine as if
they originated from the firewall. This is very useful to hide information about protected
networks. Socks is a popular de-facto standard for automatic circuit-level gateways.
Brimstone supports both Socks and a manual circuit-level gateway.
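The two-connection relay described above, as an added example (not code from the paper, nor from Socks or Brimstone): a small Python circuit-level relay that accepts a client connection, opens its own TCP connection to the destination and copies bytes in both directions without inspecting them. The destination is a constructed echo server on 127.0.0.1 that reports the peer port it saw, which is the relay's rather than the client's, illustrating how the remote machine sees the connection as originating from the firewall.

```python
"""Circuit-level relay (added example, not the paper's or any product's code).

Two TCP connections per session: client <-> relay and relay <-> destination.
The relay only copies bytes; it never parses the application protocol.
A constructed echo server on 127.0.0.1 stands in for the outside host.
"""
import socket
import threading


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target) -> tuple:
    """Listen on an ephemeral port; for each client open the second
    connection to target and relay both directions. Returns (port, listener)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed
            try:
                server = socket.create_connection(target, timeout=5)
                server.settimeout(None)
            except OSError:
                client.close()  # destination unreachable: drop the client
                continue
            threading.Thread(target=pump, args=(client, server), daemon=True).start()
            threading.Thread(target=pump, args=(server, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], listener


def start_echo_server() -> tuple:
    """Constructed stand-in for the outside host: reads until EOF, then
    replies with the peer port it saw, a '|', and the bytes it received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, peer = listener.accept()
            except OSError:
                return
            with conn:
                data = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                conn.sendall(b"%d|" % peer[1] + data)

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], listener


def relay_roundtrip(message: bytes) -> tuple:
    """Send message through the relay to the echo server.
    Returns (echoed_payload, peer_port_seen_by_server, client_port)."""
    echo_port, echo_listener = start_echo_server()
    relay_port, relay_listener = start_relay(("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            client_port = c.getsockname()[1]
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)  # EOF propagates hop by hop to the server
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        relay_listener.close()
        echo_listener.close()
    seen, _, payload = reply.partition(b"|")
    return payload, int(seen), client_port


if __name__ == "__main__":
    payload, seen, mine = relay_roundtrip(b"hello through the relay")
    print("echoed:", payload, "| server saw port", seen, "| client used port", mine)
```

Because the relay half-closes each side when the other reaches EOF, a client that finishes sending still receives the full reply, which is the edge case a naive "close both on first EOF" relay gets wrong.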
Application gateways:
represent a totally different concept for firewalls. Instead of a list of simple rules which
control which packets or sessions should be allowed through, a program accepts the
connection, typically performs strong authentication on the user which often requires
one-time passwords, and then often prompts the user for information on what host to
connect to. This is, in some senses, more limited than packet filters and circuit-level
gateways, since you must have a gateway program for each application (e.g. telnet, ftp,
X11, etc). However, for most environments it provides much higher security because
unlike the other types of gateways, it can perform strong user authentication to ensure
that the person on the other end of the IP connection is really who they say they are.
Additionally, once you know who you are talking to, you can perform other types of
access checks on a per-user basis such as what times they can connect, what hosts
they can connect to, what services they can use, etc. Many people consider only
application gateways to be true firewalls, because of the lack of user authentication in the
other two types.
Application level firewalls generally are hosts running proxy servers, which permit no
traffic directly between networks, and which perform elaborate logging and auditing of
traffic passing through them. Since the proxy applications are software components
running on the firewall, it is a good place to do lots of logging and access control.
Application level firewalls can be used as network address translators, since traffic goes
in one "side" and out the other, after having passed through an application that
effectively masks the origin of the initiating connection. Having an application in the way
in some cases may impact performance and may make the firewall less transparent.
Early application level firewalls such as those built using the TIS firewall toolkit [10], are
not particularly transparent to end users and may require some training. Modern
application level firewalls are often fully transparent. Application level firewalls tend to
provide more detailed audit reports and tend to enforce more conservative security
models than network level firewalls.
Hybrid gateways :
are ones where the above types are combined. Quite frequently one finds an
application gateway combined with a circuit-level gateway or packet filter, since this can
allow internal hosts unencumbered access to unsecured networks while forcing strong
security on connections from unsecured networks into the secured internal network.
The recommended Brimstone configuration is a hybrid firewall.
The newest type of firewall is based on a technology called stateful inspection,
developed by Checkpoint Software Technologies. This firewall type remembers
information, such as source and destination addresses and port number, in a packet
known to be legitimate. It uses this information to compare the "friendly" packet to the
packet in question.
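Added example of the idea just described (not code from the paper or from Checkpoint): a stateful-inspection table in Python. An outbound packet from the protected network creates a connection entry keyed by protocol, addresses and ports; an inbound packet is forwarded only if it is the reply half of a recorded connection, and entries idle longer than a timeout are expired so a stale entry cannot be reused. The network 192.168.1.0/24, the timeout and the packets are constructed.

```python
"""Stateful-inspection state table (added example, not the paper's code).

A "friendly" outbound packet records its 5-tuple; later packets are compared
against the table in either direction. Unsolicited inbound packets and
packets matching only an expired entry are discarded.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


class StatefulFirewall:
    def __init__(self, internal_net: str, idle_timeout: float = 300.0):
        self.internal = ip_network(internal_net)
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, float] = {}  # connection key -> last time seen

    @staticmethod
    def _key(pkt: Packet) -> Key:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> Key:
        # The same connection as seen from the other end.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, pkt: Packet, now: float) -> str:
        """Decide one packet at time `now`; returns 'forward:...' or 'discard:...'."""
        self._expire(now)
        key, rev = self._key(pkt), self._reverse(pkt)
        if key in self.table:
            self.table[key] = now
            return "forward:established"
        if rev in self.table:
            self.table[rev] = now
            return "forward:established"
        src_inside = ip_address(pkt.src) in self.internal
        dst_inside = ip_address(pkt.dst) in self.internal
        if src_inside and not dst_inside:
            self.table[key] = now  # new outbound connection: remember it
            return "forward:new-outbound"
        return "discard:unsolicited"


if __name__ == "__main__":
    fw = StatefulFirewall("192.168.1.0/24", idle_timeout=60)
    out = Packet("tcp", "192.168.1.5", 40000, "203.0.113.9", 80)
    back = Packet("tcp", "203.0.113.9", 80, "192.168.1.5", 40000)
    for t, p in [(0, back), (1, out), (2, back), (100, back)]:
        print(t, p, "->", fw.process(p, t))
```

Only the reverse 5-tuple is accepted as a reply: a packet from the same outside host to a different internal port does not match, which is the distinction a plain port-based packet filter cannot make.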
Each firewall type has its advantages and disadvantages; it's debatable which is the
most secure. Packet-filtering and stateful-inspection firewalls require each system be
assigned a separate IP address; application-level firewalls let a single Internet address
speak for all its users. The downside is only the client application that supports proxies
can communicate with the Internet. The firewall must have a proxy for every application
or service for which clients require Internet access. Fortunately, many proxy servers
allow you to create your own proxies.
In addition to the three fundamental services, most firewalls also perform two other
important services:
Encrypted Authentication – allows users on the public network to prove their
identity to the firewall.
Encrypted Tunnels – establish a secure connection between two private
networks over the Internet. Tunneling is also called Virtual Private Networking (VPN).
Most firewall products provide packet filtering, NAT, proxy services and security
services. How do they differ? They differ in four categories:
Security Flaws – some firewalls rely heavily on the host operating system,
contain bugs that can be exploited, or have a flaw in the authentication
protocol.
Interface – some firewalls require learning a cryptic interface.
Enterprise Functionality – large organizations might have a number of firewalls.
The ability to store firewall policies centrally is a plus for them.
Service Features – some firewalls provide services such as FTP, Telnet and
HTTP. These services are convenient, but are usually obsolete in functionality and
can reduce the security of the firewall.
The primary criterion for firewall selection should be security. The next most important
feature is the interface: for ease of use, one must be able to configure the firewall correctly.
Many administrators assume that once their firewall is online their security problems are
gone. They are wrong. No network attached to the Internet can be made completely
secure. There are security problems that firewalls can't solve; forged email and hidden
border crossings are examples. Forging an email is easy: if the organization's network
allows port 25 (SMTP) traffic through, then a hacker can easily forge an email. A hidden
border crossing occurs if employees dial out to their own ISP. Modem PPP connections to
the Internet are bi-directional, just like leased lines, and there is a good chance that the
client has file sharing turned on, so the computer can be exploited directly from the Internet.
Another type of attack can occur if your operating system does not have the latest patches.
One example of such an attack is the ping of death. A hacker can bring down a
server by just issuing this command:
ping IP address –L 65510 –n1000
A network can only be protected from this by installing the latest patches for the operating
system.
When configuring firewalls, decisions are required about the interface to the Internet, in
other words which applications will be opened up to the Internet. To make these decisions
one has to know which ports these applications listen on.
TCP/IP services usually listen on the following ports:

    Port   TCP/IP Service
    7      Echo
    9      Discard
    13     Daytime
    17     Quote of the Day
    19     Character Generator
    20

Internet servers listen on the following ports:

    Port   Server
    21     File Transfer Protocol (FTP)
    23     Telnet
    70     Gopher
    80     World Wide Web (HTTP)
    119    Net News (NNTP)

File servers usually listen on the following ports:

    Port   Service
    53     DNS service
    135    RPC Locator Service (Windows NT)
    137    NetBIOS Name Service (WINS servers)
    139    NetBIOS Session Service (Windows networks)

Mail servers usually listen on the following ports:

    Port   Mail Server
    25     SMTP (mail server to server exchanges)
    110    POP version 3 (server to client mail exchanges)
    143    IMAP (client access to mail server)

If an organization only wants to interface with the Internet through HTTP, it only needs to
open port 80; the firewall's packet filtering should disallow all other packets.
There are several free firewall products out there. Free firewalls all suffer from a few of
the same class of problems: they have weak or missing logging and alerting features,
they don't provide any real-time firewall monitoring capability, and their graphical user
interface is cryptic or there is no GUI at all, with a new command language provided for
configuration instead. Here is a list of free firewall products:
Linux and IPChains
The Trusted Information Systems Firewall Toolkit (TIS FWTK)
FreeBSD and Drawbridge
The logging and alerting features missing from free firewalls can be compensated for by
some of the system utilities NT 4.0 comes with. Event Viewer can be used to list security
violations. NT Network Monitor can be used to capture network packets and display
information about them. Another useful tool provided with NT is CACLS, which provides
fine control over the assignment of permissions to files and directories.
Another breed of security tools is called security analysis tools. These tools are very
useful and should be used even if you bought the best firewall there is. Security analysis
tools scan a target host for various known security vulnerabilities from another machine on
the Internet. In essence, these tools provide one-stop shopping to determine which
known bugs or vulnerabilities your network security is open to.
The only drawback of security analysis tools is that they operate from databases of known
problems. The databases can't find vulnerabilities that hackers don't already know about.
The only solution to that problem is to subscribe to email vulnerability reports such as
SANS (www.sans.com)
Microsoft Security Advisor (www.microsoft.com/security).
Here are some examples of Security Analysis Tools.
SATAN
o http://www.fish.com/~zen/satan/satan.html
WS-Ping
o "best of breed" TCP/IP administration tool
o http://www.keyscreen.com/KeyScreen(s)/WS-Ping.htm
Kane Security Analyst
o www.securitydynamics.com
Here is a list of firewall vendors
www.nai.com
www.cisco.com/security
www.lucent.com/security
www.sonicwall.com
www.netscreen.com
www.elronsoftware.com
www.gnatbox.com
www.altavista.software.digital.com
www.milkyway.com
www.watchguard.com
www.checkpoint.com
# best selling Firewall-1
www.netguard.com
www.axent.com
www.sun.com/security
www.microsoft.com/proxy
www.fwtk.org
drawbridge.tamu.edu
www.wingate.net
Here is a list of security organizations.
www.sans.org
www.cert.org
www.icsa.net
www.ntsecurity.net
www.microsoft.com/security
www.trustedsystems.com