firewall by kashish4u




           PACKET FILTER


Computer networks are generally designed to do one thing above all others:
allow any computer connected to the network to freely exchange information
with any other computer also connected to the same network. In an ideal world,
this is a perfect way for a network to operate facilitating universal
communications between connected systems. Individual computers are then free
to decide who they want to communicate with, what information they want to
allow access to and which services they will make available. This way of
operating is called "host based security", because individual computers or hosts
implement security mechanisms. In practice, individual computers on, say, an
office network are not terribly good at defining and securely enforcing a
consistent security policy. They run very complex, and therefore inevitably
error-prone, software, and it is very difficult to ensure that they are
consistently kept secure, much less that their users follow basic advice such
as choosing hard-to-guess passwords.

This situation may be adequate where the individual users on a network share a
similar level of trust, so that there is little opportunity or motive for a
user to subvert host security, as on a small company network where everyone
with physical access is trusted (e.g. employees). Once that network is
connected to other networks where the same trust relationships simply do not
exist, other mechanisms need to be put in place to provide adequate security by
protecting resources on the trusted network from access by attackers on the
untrusted part of the network.

The way this is done is by partially breaking connectivity at the network level
so that nodes on the trusted and untrusted parts of the network can no longer
freely exchange information in an unfettered way. The device which does this is
called a "Firewall", by reference to the analogue in American automobile
engineering, where the Firewall is a thick steel plate barrier between engine and
passenger compartments which prevents a fire in the former spreading to the
latter. I suppose that if this particular piece of technology had been invented on
the English side of the Atlantic, it would have been called a "bulkhead" instead!

A firewall is a system or group of systems that enforces an access control policy
between two networks. The actual means by which this is accomplished varies
widely, but in principle, the firewall can be thought of as a pair of mechanisms:
one which exists to block traffic, and the other which exists to permit traffic.
Some firewalls place a greater emphasis on blocking traffic, while others
emphasize permitting traffic. Probably the most important thing to recognize
about a firewall is that it implements an access control policy. If you don't have
a good idea of what kind of access you want to allow or to deny, a firewall
really won't help you. It's also important to recognize that the firewall's
configuration, because it is a mechanism for enforcing policy, imposes its policy
on everything behind it. Administrators for firewalls managing the connectivity
for a large number of hosts therefore have a heavy responsibility.

A firewall is simply a program or hardware device that filters the information
coming through the Internet connection into your private network or computer
system. If an incoming packet of information is flagged by the filters, it is not
allowed through. A Firewall disrupts free communication between trusted and
un-trusted networks, attempting to manage the information flow and restrict
dangerous free access. There are numerous mechanisms employed to do this,
each one being somewhere between completely preventing packets flowing,
which would be equivalent to completely disconnected networks, and allowing
free exchange of data, which would be equivalent to having no Firewall.

A Firewall normally includes mechanisms for protection at the:

- Network Layer: IP packets are sanitised (source routing disabled, only
  packets with valid external source addresses accepted on the outside
  interface) and routed according to predefined rules. Some firewalls
  translate internal IP addresses to valid Internet IP addresses (NAT,
  Network Address Translation); others replace all internal addresses with
  the firewall's own address, so that internal hosts cannot be addressed
  from outside at all.
- Transport Layer: access to TCP and UDP ports can be granted or blocked
  depending on the IP addresses of both sender and receiver. This allows
  access control for many TCP services, but works badly for others whose
  connections are made in the reverse direction or on dynamically assigned
  ports (e.g. X11, FTP data connections, portmapper based RPC services).
- Application Layer: proxy servers (also called application gateways)
  accept requests for a particular application and either forward the
  request to the final destination or block it. Ideally proxies should be
  transparent to the end user. Proxies are stripped-down, reliable versions
  of standard applications with access control and forwarding built in.
- Encryption: a firewall may use encryption to provide confidentiality,
  authentication or integrity. When encryption is used for confidentiality
  (often called a VPN, Virtual Private Network), there are two general
  cases:
  1. Encryption is performed by the firewall, i.e. it is the endpoint of
     the VPN. The firewall can then understand and filter the actual
     protocol used within the VPN and provide intelligent logging.
  2. Encryption is performed by a host inside the firewall (end-to-end
     encryption). The firewall sees an encrypted stream but cannot
     understand it. This is useful if you don't trust the firewall
     administrator, but not so useful if you want to filter the protocols
     within the VPN. The VPN becomes a point of entry for an attacker that
     the Firewall administrator cannot detect. Therefore the VPN end-point
     inside the firewall must be VERY well configured and monitored and use
     firewall mechanisms such as strong
- Depth of defence: a Firewall should also include redundant security
  barriers, so that a single point of failure cannot compromise the network.
  The Firewall should be as invisible as possible to users (who could weaken
  security) and to the network (making it difficult to attack).
- Reliability: redundant routing, clusters, RAID, cold standbys etc. can all
  be used to provide varying levels of availability. The reliability of
  service required should be specified before a firewall is designed.
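As an added illustration of the network-layer sanitising described above (example code written for this page, not taken from any firewall product), the following Python models the checks a filter applies on its outside and inside interfaces: source-routed packets are dropped, packets arriving from the Internet with an internal or otherwise impossible source address are dropped as spoofed, and packets leaving the site with a foreign source address are dropped too. The internal range 192.0.2.0/24, the bogon list and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example: the site's internal range, and the
# address blocks that can never legitimately be the source of a packet
# arriving from the Internet (unallocated, loopback, private, multicast).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
INVALID_EXTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class IPPacket:
    iface: str            # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    options: tuple = ()   # IPv4 option names present, e.g. ("LSRR",)


def sanitize(pkt):
    """Network-layer sanity checks; returns (accept, reason)."""
    src = ipaddress.ip_address(pkt.src)
    # Loose/strict source routing lets the sender dictate the path, so drop it.
    if "LSRR" in pkt.options or "SSRR" in pkt.options:
        return False, "source-routed"
    if pkt.iface == "ext":
        # Anti-spoofing: a packet from the Internet can never come from inside.
        if any(src in net for net in INTERNAL_NETS):
            return False, "spoofed-internal-source"
        if any(src in net for net in INVALID_EXTERNAL_SOURCES):
            return False, "invalid-external-source"
    else:
        # Egress check: an inside host must not forge a foreign source address.
        if not any(src in net for net in INTERNAL_NETS):
            return False, "egress-spoof"
    return True, "ok"


# Constructed sample traffic, one packet per case the checks cover.
SAMPLE = [
    IPPacket("ext", "203.0.113.7", "192.0.2.25"),             # normal inbound
    IPPacket("ext", "192.0.2.25", "192.0.2.1"),               # spoofed as internal
    IPPacket("ext", "10.1.2.3", "192.0.2.25"),                # private source from outside
    IPPacket("ext", "203.0.113.7", "192.0.2.25", ("LSRR",)),  # source routed
    IPPacket("int", "203.0.113.99", "198.51.100.1"),          # inside host spoofing
    IPPacket("int", "192.0.2.10", "198.51.100.1"),            # normal outbound
]


def run_sample():
    """Reason given for each sample packet, in order."""
    return [sanitize(p)[1] for p in SAMPLE]


if __name__ == "__main__":
    for pkt, reason in zip(SAMPLE, run_sample()):
        print(f"{pkt.iface:3} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
```

The egress check is as important as the inbound one: without it a compromised inside host can launder attacks on third parties through your connection, and its forged packets are then attributed to the forged address rather than to you.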

There are a number of different techniques which may be employed by a Firewall
in order to correctly identify a conversation and act on it. The techniques
used by a particular Firewall determine the accuracy with which it can identify
traffic and the sophistication of the checks it can implement, but also its
complexity, and therefore its cost and the likelihood that it incorporates
bugs.


Packets (small chunks of data) are analysed against a set of filters. Packets
that make it through the filters are forwarded to the requesting system and all
others are discarded. The network level operations corresponding to the
security policy above were actually an example of a simple packet filter. A
Firewall implementing a packet filter looks at one packet at a time and
considers it in isolation, using only what is in the packet's headers (source
and destination addresses, protocol, port numbers and TCP flags), in order to
make a forwarding decision. Because of the way that a packet filtering Firewall
works, it can implement a restricted range of filtering


Another mechanism for controlling risk when internal servers must accept
connections from the Internet is to use a technique called Application Proxies
on a single external firewall. Information from the Internet is retrieved by
the firewall and then sent to the requesting system, and vice versa.

These work by terminating the external connection at a special service within
the firewall. As the name suggests, this service acts as a proxy for the real
server, implementing the application protocol in the same way as the real
server running on the internal network. It forms a connection to the internal
server, only passing on application protocol elements that pass its strict
checks of

This way, most mechanisms for subverting the internal application server are
Using an application proxy is not without difficulty as their complexity tends to
mean that they need to be implemented on firewalls which are significantly
more powerful than the relatively simple systems used for basic packet filters.
This, and the fact that such firewalls are typically sold to "Enterprise" customers
mean that their cost is often uneconomic for small businesses.

Application proxy firewalls also tend to require frequent software updates to
ensure that they are running the latest versions of the proxy code. This is
needed both when new exploits are identified which must be blocked, and when
problems occur in interactions between the proxy and widely deployed
applications (in other words, when the proxy is actually breaking an otherwise
working connection because of over-strict or even erroneous checking).


Stateful inspection is a newer method that does not examine the full contents
of each packet but instead compares certain key parts of the packet (addresses,
ports, sequence numbers and TCP flags) against a table of connections the
firewall has already seen. Information travelling from inside the firewall to
the outside is monitored for these defining characteristics, and incoming
information is then compared with them. If the comparison yields a match, the
information is allowed through; otherwise it is discarded. Stateful inspection
thus takes the basic principles of packet filtering and adds the concept of
history, so that the Firewall considers each packet in the context of the
packets that came before it.

This has a number of advantages over simpler packet filtering:

- It is possible to build Firewall rules for protocols which cannot be
  properly controlled by packet filtering (for example, an inbound packet is
  accepted only if it belongs to a connection an inside host actually opened,
  rather than merely because it carries the ACK flag).
- More complete control of traffic is possible.

Equally, there are some disadvantages to a stateful inspection solution, in
that the implementation is necessarily more complex and therefore more likely
to be

It also requires a device with more memory and a more powerful CPU for a given
traffic load, as information has to be stored about each and every traffic
flow seen over a period of time. The state table is itself a finite resource:
its size and entry timeouts must be chosen so that a flood of half-open
connections cannot fill it and block legitimate traffic.
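The difference between the packet filter described earlier and stateful inspection is easiest to see side by side. The following Python is an added example written for this page (not code from any firewall product): a stateless filter that applies the traditional "allow inbound TCP only if ACK is set" rule, and a stateful filter that only admits inbound packets matching a connection an inside host opened. The addresses, ports and packets are constructed; the TCP packets carry just the fields the filters look at.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TCPPacket:
    direction: str      # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def stateless_filter(pkt):
    """Packet filter: each packet is judged on its own header, nothing else.
    Policy: allow everything outbound; allow inbound TCP only when ACK is
    set, the classic approximation of 'replies to connections we started'."""
    if pkt.direction == "out":
        return True
    return pkt.ack


class StatefulFilter:
    """Stateful inspection: an inbound packet passes only if it matches a
    connection that was recorded when an inside host sent the opening SYN."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.table = {}

    def process(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:          # inside host opens a connection
                self.table[key] = "SYN_SENT"
                return True
            if key not in self.table:            # outbound packet with no session
                return False
            if pkt.fin:
                self.table[key] = "CLOSING"      # real firewalls then expire the entry
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # normalise to inside-first
        state = self.table.get(key)
        if state is None:
            return False                         # unsolicited: nobody inside asked for it
        if state == "SYN_SENT":
            if pkt.syn and pkt.ack:              # the expected SYN/ACK reply
                self.table[key] = "ESTABLISHED"
                return True
            return False                         # wrong flags for this state
        if pkt.fin:
            self.table[key] = "CLOSING"
        return pkt.ack


# Constructed addresses: an inside client, a legitimate web server and an attacker.
INSIDE, WEB, ATTACKER = "192.0.2.10", "203.0.113.5", "198.51.100.9"

SCENARIOS = [
    ("client opens connection",    TCPPacket("out", INSIDE, 40000, WEB, 80, syn=True)),
    ("server SYN/ACK reply",       TCPPacket("in", WEB, 80, INSIDE, 40000, syn=True, ack=True)),
    ("client completes handshake", TCPPacket("out", INSIDE, 40000, WEB, 80, ack=True)),
    ("unsolicited ACK probe",      TCPPacket("in", ATTACKER, 80, INSIDE, 40001, ack=True)),
    ("unsolicited SYN to ssh",     TCPPacket("in", ATTACKER, 4444, INSIDE, 22, syn=True)),
]


def run_scenarios():
    """(name, stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(name, stateless_filter(p), stateful.process(p)) for name, p in SCENARIOS]


if __name__ == "__main__":
    for name, a, b in run_scenarios():
        print(f"{name:28} stateless={'PASS' if a else 'DROP':4} stateful={'PASS' if b else 'DROP'}")
```

The fourth scenario is the point of the comparison: an attacker's packet with the ACK flag set and no preceding connection sails through the stateless filter (this is exactly how an ACK scan maps which ports a filter leaves open), while the stateful filter drops it because there is no table entry for it.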


An example of the kind of hole which is typically opened up in a Firewall is that
necessary for mail delivery.

On the Internet, a protocol called SMTP is used to deliver mail between mail
servers. This works, in effect, by the sending server connecting to the
recipient's server and pushing the e-mail to it. In order to accept mail from
the Internet onto a local mail server it is usual to open up a hole which
allows any server on the Internet to connect to the local mail server's SMTP
port. This is often justified with the argument that it is only a small hole
to one specific service on one specific host, and the rest of the internal
network is still fully protected by the Firewall's "outbound only" rule.

Unfortunately what this does is open up the internal mail server to any attack
that is possible against the software installed on it, and if this is at all complex,
there will be lots of potential attacks.

As an example, a search on Bugtraq (an industry source of application
vulnerability data) against a popular mail server, Microsoft Exchange, showed
that 4 major vulnerabilities had been discovered just between March and July
2002. Since then the number of such vulnerabilities has grown considerably and
continues to grow.

Many of these vulnerabilities would have allowed a remote hacker not only to
gain unauthorized access to the server itself, but also to then use it as a launch
point to attack any other system on the network, just as if the Firewall wasn't


The classic solution to the problem of opening up holes in the network
perimeter to allow access to services is the Demilitarised Zone or DMZ. Named
after the buffer zone between opposing forces in a military peacekeeping
scenario, the DMZ is a special separate network of servers to which external
untrusted hosts have access, but which have no access to the Internal network.

Large enterprise Internet access and Firewall systems always incorporate at
least one level of DMZ as this is seen as essential to preventing the
vulnerabilities described above which are inherent in opening up holes in the
Firewall onto the internal network.
The issue with this solution for the medium sized or smaller enterprise is one
of cost. A typical DMZ solution requires at least three devices: the external
Firewall, the internal Firewall and the DMZ server machine. This means, of
course, roughly three times the cost, which may not be feasible or
proportionate for a small organisation wishing to secure its ADSL Internet
connection.


There are many possible ways to set up a Firewall. Here the principal methods
are shown. The choice of Firewall depends on cost, performance, availability
needs and the sensitivity of the information being protected by the firewall.
Highly secure, high performance, high availability systems are not cheap. If
high availability is important, it can double the cost.

BASIC FILTER ARCHITECTURE (SCREENING ROUTER)

The cheapest (and least secure) setup uses a router (which can filter inbound
and outbound packets on each interface) to screen access to one (or more)
internal servers. A router is normally needed anyway to connect to the
Internet, so the filter comes for free. This server is the starting point for
all outside connections. Internal clients who wish to access the outside do so
via this screened server.

Advantages:

- Transparent, simple.
- Cheapest solution, lowest security.
- The router could be replaced by an intelligent filter, providing fine
  grained access control, protection against IP spoofing and logging
  (although such logging is at a low level, making it difficult to
  interpret).

Disadvantages:

- Complex (and hence error-prone) filtering rules are required on the
  router. Fine grained access control is near impossible.
- Since most routers cannot do logging, little is known about possible
- The screening router can easily be modified to allow other internal hosts
  to access the outside. This is a bad thing, as it can soon get out of hand
  (too many hosts, too many complex rules, difficult to verify).
- Some (old) routers do not correctly screen source routed packets.
- Routers cannot add authentication.
- Difficult to hide internal structure.
- Only one barrier.

This architecture is not recommended, except where finance is a severe problem
(even then, is it really worth the risk?). As an improvement, an "intelligent
filter" (see below) could be used to replace the router filter.


In this classical firewall architecture, a host is set up with two network
interfaces, one connected to the outside, one to the inside. Packet forwarding
is disabled on the gateway; information is passed at the application level.
The gateway can be reached from both sides, but traffic cannot flow directly
across it. Normally, a router is also needed for the Internet connection.

This simple architecture is also easy enough to verify, but requires careful
configuration of the gateway. It can hide the internal network.

Advantages:

- Cheap, but depth of defence (2 barriers) and diversity of defence are weak.
  May be enough for small sites using basic outgoing services (HTTP,
  telnet, ftp).
- As with the previous example, an intelligent filter rather than a
  filtering router can improve security.
- Internet servers (WWW, ftp) would normally be placed on a third

Disadvantages:

- Since the dual homed host cannot forward packets, a proxy must exist for
  all services that traverse the gateway (unless the gateway also has a
  packet filter). Not all services can be proxied, and proxies require user
  input or client configuration.
- Firewall performance is limited to the performance of one machine.

This variation of the Basic Filter involves the use of two filters, the
additional filter being placed between the screened host and its clients. The
"protected" host is known as a Bastion Host.

Advantages:

- Filtering rules are simpler than in the Basic Filter architecture: the
  external router only allows traffic between the bastion host and the
  outside, and the internal router only allows traffic between the bastion
  host and the inside.
- Security is also improved (more barriers, greater depth of defence).
- If two different routers are used, diversity of defence is improved, at
  the cost of complexity.
- Internet servers (WWW, ftp) would normally be placed on the outside
  without any access to the internal network.
- Relatively cheap solution.

Disadvantages:

- Costs are higher.
- Routers cannot do logging, so little is known about possible attacks at
  the packet level.
- Routers can't do "intelligent" filtering of dual port protocols such as
  FTP.

This architecture may be a solution for small sites with tight finances, or
simple outgoing services.


This architecture is an extension of the screened host architecture. The
classical firewall setup is a packet filter between the outside and a
"semi-secure" or De-Militarised Zone (DMZ) subnet where the proxies lie (this
gives the outside only restricted access to services in the DMZ). The DMZ is
further separated from the internal network by another packet filter which
only allows connections to and from the proxies. The filters are "intelligent"
filters with logging. All incoming and outgoing services between the Internet
and the internal network pass via proxy servers in the DMZ.

- The DMZ can be a single switched LAN, or two switched LANs with dual
  homed bastion hosts between them. The latter is more secure since only
  proxied connections will be allowed through, which also protects against
  a software error in the filters. Direct inside <-> outside socket
  connections are no longer possible, unless an extra filter is added on the
  default route in place of a bastion.
- Modular and flexible.
- Depth and diversity of defence (but also cost and complexity) are higher
  than in the previous solution.
- For maximum diversity of defence, two different firewall products should
  be used for the two packet filters.
- For very high availability, the DMZ with front and back end filters can
  be duplicated and hooked together by routers (2 on the inside and 2 on the
  outside) that support redundant routing.

Recommended for large sites, or those protecting valuable assets.
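The value of the screened subnet over the "one small hole" mail setup described earlier is that the hole now ends at a bastion host in the DMZ, and a second filter decides what that host may reach inside. The following Python is an added example written for this page (not code from any firewall product) that models the two filters as default-deny rule lists and asks which zone-to-zone connections survive both. The host names, the rule set and the proxy port 3128 are assumptions made for the example; the mail relay, web server and proxy in the DMZ and the mail server, file server and client inside are all constructed.

```python
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    dport: int


# Constructed host names for the example.
MAIL_RELAY, WEB, PROXY = "relay.dmz", "www.dmz", "proxy.dmz"           # bastion hosts in the DMZ
MAIL_SERVER, FILE_SERVER, CLIENT = "mail.int", "files.int", "pc1.int"  # internal hosts

# External packet filter: sits between the Internet and the DMZ.
EXTERNAL_FILTER = [
    Rule("internet", ANY, "dmz", MAIL_RELAY, 25),   # inbound mail stops at the relay
    Rule("internet", ANY, "dmz", WEB, 80),
    Rule("dmz", MAIL_RELAY, "internet", ANY, 25),   # relay delivers outbound mail
    Rule("dmz", PROXY, "internet", ANY, 80),        # only the proxy browses the Internet
    Rule("dmz", PROXY, "internet", ANY, 443),
]

# Internal packet filter: sits between the DMZ and the internal network.
INTERNAL_FILTER = [
    Rule("dmz", MAIL_RELAY, "internal", MAIL_SERVER, 25),   # relay -> real mail server only
    Rule("internal", MAIL_SERVER, "dmz", MAIL_RELAY, 25),   # outbound mail goes via the relay
    Rule("internal", ANY, "dmz", PROXY, 3128),              # clients reach the web proxy
]

ZONE_ORDER = ["internet", "dmz", "internal"]


def filters_on_path(src_zone, dst_zone):
    """The filters a packet must cross to get from src_zone to dst_zone."""
    lo, hi = sorted((ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)))
    crossed = []
    if lo <= 0 < hi:
        crossed.append(EXTERNAL_FILTER)
    if lo <= 1 < hi:
        crossed.append(INTERNAL_FILTER)
    return crossed


def matches(rule, src_zone, src_host, dst_zone, dst_host, dport):
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and rule.dport == dport
            and rule.src_host in (ANY, src_host)
            and rule.dst_host in (ANY, dst_host))


def allowed(src_zone, src_host, dst_zone, dst_host, dport):
    """Default deny: the connection is permitted only if every filter on its
    path has an explicit rule for it. Traffic within one zone crosses no filter."""
    for rules in filters_on_path(src_zone, dst_zone):
        if not any(matches(r, src_zone, src_host, dst_zone, dst_host, dport) for r in rules):
            return False
    return True


if __name__ == "__main__":
    checks = [
        ("internet", "any", "dmz", MAIL_RELAY, 25),
        ("internet", "any", "internal", MAIL_SERVER, 25),
        ("dmz", MAIL_RELAY, "internal", MAIL_SERVER, 25),
        ("dmz", MAIL_RELAY, "internal", FILE_SERVER, 445),
        ("internal", CLIENT, "internet", "any", 80),
        ("internal", CLIENT, "dmz", PROXY, 3128),
    ]
    for c in checks:
        print("ALLOW" if allowed(*c) else "DENY ", c)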


Some products act as bridges and as such are invisible to TCP/IP traffic. An
example is SunScreen from Sun Microsystems. This offers a huge advantage,
especially if the filter is intelligent: it is very difficult to attack the
packet filter itself.

- Since the filter doesn't have an IP address, it is much more difficult to
  attack. Being invisible is a major security advantage.
- Since it can bridge but not route, it can be inserted into an existing
  network without changing current addresses or subnet masks. But this also
  means that a router is still necessary!
- For high availability a duplicate filter should be available.

A single filter of this kind is a single point of failure: what if it dies, or
the wrong rule is added by mistake?

So a firewall using this type of architecture must be carefully designed,
specified, installed and monitored before the network is made to depend on it.

The level of security you establish will determine how many of these threats can
be stopped by your firewall. The highest level of security would be to simply
block everything. Obviously that defeats the purpose of having an Internet
connection. But a common rule of thumb is to block everything, and then begin
to select what types of traffic you will allow. You can also restrict traffic that
travels through the firewall so that only certain types of information, such as e-
mail, can get through. This is a good rule for businesses that have an
experienced network administrator that understands what the needs are and
knows exactly what traffic to allow through. For most of us, it is probably better
to work with the defaults provided by the firewall developer unless there is a
specific reason to change it.

One of the best things about a firewall from a security standpoint is that it stops
anyone on the outside from logging onto a computer in your private network.
While this is a big deal for businesses, most home networks will probably not be
threatened in this manner. Still, putting a firewall in place provides some peace
of mind.
