Firewall Concepts in Network Security

V.Ramalinga Raju

Gokaraju Rangaraju Institute of Engineering & Technology
Bachupally, Hyderabad

A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer. A firewall is like the gate man at a person's house: when the gate man has any doubt, he checks incoming persons, and in the same way a firewall checks all incoming and outgoing packets. Unauthorized packets are discarded; only authorized packets are allowed. The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security. Attackers leak information from the Internet to the private network and add content to the Internet from the private network.

1. Why Firewalls Came Into Existence
A network has a large number of users and computers. When computers in the network communicate, some problems arise:
1. Leaking of information from the Internet to the private network.
2. Adding of information from the private network to the Internet.

1.1 Solutions
These two problems in networks can be solved using two approaches:
1. Encryption
2. Firewall
Encryption can't solve all the problems; the best solution is the firewall. A firewall is like the gate man at a person's house: when the gate man has any doubt he checks incoming persons, and in the same way a firewall checks all incoming and outgoing packets.


2. Introduction to Firewalls
A firewall helps protect your computer by preventing unauthorized users from gaining access to it through a network or the Internet. It is a security system that acts as a protective boundary between a network and the outside world. In computer networking, the term firewall is not merely descriptive of a general idea; it has come to mean some very precise things. A firewall:
- isolates a computer or network from the "outside" based on a defined set of rules;
- inspects each individual "packet" of data as it arrives at either side of the firewall;
- determines whether traffic should be allowed to pass or be blocked;
- maintains a state table.

2.1 What Is a Firewall
A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer. A firewall is like the gate man at a person's house: when the gate man has any doubt he checks incoming persons, and in the same way a firewall checks all incoming and outgoing packets. Unauthorized packets are discarded; only authorized packets are allowed. The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security. The firewall sits between the Internet and the private network: all traffic incoming from the Internet and all traffic outgoing from the private network must pass through the firewall.

2.2 Firewall Goals
1. All traffic from outside to inside, and vice versa, passes through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration.

2.3 Firewall Rules
1. Allow: traffic that flows automatically because it has been deemed "safe" (e.g. Meeting Maker, Eudora, etc.).
2. Block: traffic that is blocked because it has been deemed dangerous to your computer.
3. Ask: asks the user whether or not the traffic is allowed to pass through.

2.4 Firewall Limitations
1. Configuration: a firewall can't tell you if it has been incorrectly configured. Only professionals have the experience to minimize security risks.
2. Attacks: firewalls can't protect against attacks that don't go through the firewall. For example, your firewall may restrict access from the Internet, but may not protect your equipment from dial-in access to your computer systems.
3. Monitoring: firewalls can't notify you if someone has hacked into your network. Many organizations need additional security monitoring tools.
4. Viruses: not all firewalls offer protection against computer viruses, as there are many ways to encode files and transfer them over the Internet.
5. Architecture: an architecture that depends upon one method of security or one security mechanism has a single point of failure and may open the organization to intruders.

2.5 Need for a Firewall
What happens if we don't use a firewall:
1. Systems on the subnet expose inherently insecure services such as NFS or NIS to probes and attacks from hosts elsewhere on the network.
2. The larger the subnet, the less manageable it is to maintain all hosts at the same level of security.
3. Network security relies totally on host security, and all hosts must cooperate to achieve a uniformly high level of security.
In a sense, firewalls reflect the overall level of security.

3. Firewall Types
There are two types of firewalls:
1. Hardware firewall (router firewall)
2. Software firewall (Windows firewall)

3.1 Hardware vs. Software Firewalls
Hardware firewalls (router firewall):
- protect an entire network;
- are implemented at the router level;
- are usually more expensive and harder to configure.
Software firewalls (Windows firewall):
- protect a single computer;
- are implemented in a single system;
- are usually less expensive and easier to configure.

3.2 Hardware Firewall or Router Firewall
1. A hardware firewall is implemented for the entire network.
2. Implementation can be done at the router level.
3. A hardware firewall includes both the Internet and the private network: the firewall sits between the Internet and the private network.
4. Authorized requests must pass through the firewall; unauthorized requests don't pass through the firewall.
5. The cost of a hardware firewall is high, and the configuration effort is very high.

3.3 Software Firewall or Windows Firewall
1. A software firewall is implemented in a single system.
2. The software firewall sits between the single system and the Internet.
3. A software firewall is low cost.
4. A software firewall is implemented in AVG antivirus, for example.

4. Classification of Firewalls
Firewalls are classified into three types:
1. Packet filtering
2. Application gateways
3. Circuit gateways

4.1 Packet Filter Firewall
1. The simplest of components.
2. Uses transport-layer information only:
- IP source address and destination address
- Protocol/next header (TCP, UDP, ICMP, etc.)
- TCP or UDP source and destination ports
- TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
- ICMP message type
3. Works at the network level.
4. Each packet is compared to a set of criteria before it is forwarded.
5. Example: DNS uses port 53, so a rule might read "no incoming port 53 packets except from known trusted servers".

Usage of Packet Filters
1. Permits or denies certain services.
2. Filtering with incoming or outgoing interfaces, e.g. ingress filtering of spoofed IP addresses and egress filtering.
3. Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems.
4. Can also be used to log user activity and logins.

Security and Performance of Packet Filters
1. IP address spoofing: a fake source address is used in order to be trusted. Add filters on the router to block such packets.
2. Tiny fragment attacks: the TCP header information is split over several tiny packets. Either discard such fragments or reassemble them before the check.
3. Degradation depends on the number of rules applied at any point.
4. Order rules so that the most common traffic is dealt with first.
5. Correctness is more important than speed.

How to Configure a Packet Filter
1. Start with a security policy.
2. Specify allowable packets in terms of logical expressions on packet fields.
3. Rewrite the expressions in the syntax supported by your filtering device.
4. General rule: least privilege. All that is not expressly permitted is prohibited; if you do not need it, eliminate it.

Advantages and Disadvantages of Traditional Packet Filters
Advantages:
- One screening router can protect an entire network.
- Can be efficient if the filtering rules are kept simple.
- Widely available: almost any router, even Linux boxes.
Disadvantages:
- Can possibly be penetrated.
- Cannot enforce some policies, for example "permit certain users".
- Rules can get complicated and difficult to test.
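As an added illustration (not code from this paper), the following Python model applies the packet filter ideas above: it matches packets on the transport-layer fields of section 4.1, orders the rules with anti-spoofing checks first, discards tiny TCP fragments that hide the header, and denies anything not expressly permitted. The private network 192.168.1.0/24, the trusted DNS server 198.51.100.53 and the interface names "ext"/"int" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
INTERNAL = "192.168.1.0/24"        # assumed private network behind the filter
TRUSTED_DNS = "198.51.100.53/32"   # assumed "known trusted" external DNS server

@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter sees (constructed model, section 4.1)."""
    iface: str                       # "ext" = arrived from the Internet, "int" = from the private net
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN", "ACK"})
    frag_offset: int = 0             # IP fragment offset, in 8-byte units
    length: int = 1500               # transport-layer bytes carried by this fragment

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: Optional[str] = None      # None means "any", for every field below too
    src: Optional[str] = None        # CIDR
    dst: Optional[str] = None        # CIDR
    proto: Optional[str] = None
    port: Optional[int] = None       # matches either source or destination port
    new_conn: Optional[bool] = None  # True = SYN without ACK (opening); False = any other TCP

    def matches(self, p: Packet) -> bool:
        opening = "SYN" in p.flags and "ACK" not in p.flags
        return ((self.iface is None or p.iface == self.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.port is None or self.port in (p.sport, p.dport))
                and (self.new_conn is None or opening == self.new_conn))

def tiny_fragment(p: Packet) -> bool:
    """TCP fragment too short for the 20-byte header, or overlapping it, hides ports/flags: discard."""
    return p.proto == "tcp" and ((p.frag_offset == 0 and p.length < 20)
                                 or 0 < p.frag_offset * 8 < 20)

# Ordered rule set: anti-spoofing first, then the most common traffic.
RULES = [
    Rule("deny", iface="ext", src=INTERNAL),              # ingress filter: internal source seen from outside
    Rule("allow", iface="int", src=INTERNAL),             # egress filter: only genuine internal sources leave
    Rule("allow", iface="ext", dst=INTERNAL, proto="tcp", new_conn=False),  # replies to inside-opened connections
    Rule("allow", iface="ext", src=TRUSTED_DNS, proto="udp", port=53),     # port 53 only from the trusted server
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """First matching rule decides; anything not expressly permitted is denied."""
    if tiny_fragment(p):
        return "deny"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"
```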

4.2 Application Gateway
1. Filters application-specific commands at the application layer.
2. Incoming or outgoing packets cannot access services for which there is no proxy.
3. The gateway sits between the user on the inside and the server on the outside. Instead of talking directly, the user and the server talk through the proxy.
4. There are two TCP connections: user to proxy, and proxy to server.
5. Allows more fine-grained and sophisticated control than packet filtering.
6. Application-level filtering has full access to the protocol:
- the user requests a service from the proxy;
- the proxy validates the request as legal;
- the proxy then actions the request and returns the result to the user.
Separate proxies are needed for each service: SMTP (e-mail), NNTP (net news), DNS (Domain Name System), NTP (Network Time Protocol); custom services are generally not supported.
7. A mail server is an example of an application gateway: mail can't be deposited in the recipient's mail server without passing through the sender's mail server. As another example, an FTP server may not allow files greater than a set size.

Advantages and Disadvantages of Proxy Gateways
Advantages:
- The proxy can log all connections and the activity within connections.
- The proxy can provide caching.
- The proxy can do intelligent filtering based on content.
- The proxy can perform user-level authentication.
Disadvantages:
- Not all services have proxied versions.
- A different proxy server may be needed for each service.
- Requires modification of the client.
- Performance.

4.3 Circuit Gateway
1. Works at the session layer.
2. Monitors the TCP handshaking between packets to determine whether a requested session is legitimate.
3. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway.
4. Imposes security by limiting which such connections are allowed.
5. Once a connection is created, it usually relays traffic without examining its contents.
6. Typically used when internal users are trusted, by allowing general outbound connections.
7. SOCKS is commonly used for this.

Advantages and Disadvantages of Circuit Gateways
Advantages:
- Relatively inexpensive.
- Hides information about the private network.
Disadvantages:
- They do not filter individual packets.
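An added example (not from this paper) of the state table a circuit gateway keeps: it follows the three-way handshake of each circuit, lets only internal hosts open circuits (the "trust internal users" policy), and relays established circuits without examining their contents. The internal address prefix 192.168.1. and the segment model are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Segment:
    """A TCP segment as seen by the gateway (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                 # e.g. frozenset({"SYN"})
    payload: bytes = b""

Circuit = Tuple[str, int, str, int]  # (initiator, port, responder, port)

class CircuitGateway:
    """Session-layer gateway: decides per segment whether to relay or drop it."""
    def __init__(self, internal_prefix: str = "192.168.1."):
        self.internal_prefix = internal_prefix   # assumed private address block
        self.table: Dict[Circuit, str] = {}      # state table: circuit -> handshake state

    def _lookup(self, s: Segment) -> Tuple[Optional[Circuit], Optional[str]]:
        fwd = (s.src, s.sport, s.dst, s.dport)   # initiator -> responder direction
        rev = (s.dst, s.dport, s.src, s.sport)   # responder -> initiator direction
        if fwd in self.table:
            return fwd, "fwd"
        if rev in self.table:
            return rev, "rev"
        return None, None

    def handle(self, s: Segment) -> str:
        """Return 'relay' or 'drop' for one segment."""
        syn, ack = "SYN" in s.flags, "ACK" in s.flags
        key, direction = self._lookup(s)
        if syn and not ack:
            # Policy: only internal hosts may open circuits; a duplicate SYN
            # for a circuit already in the table is dropped in this model.
            if not s.src.startswith(self.internal_prefix) or key is not None:
                return "drop"
            self.table[(s.src, s.sport, s.dst, s.dport)] = "SYN_SENT"
            return "relay"
        if key is None:
            return "drop"                        # no circuit: unsolicited traffic
        if s.flags & {"FIN", "RST"}:
            del self.table[key]                  # circuit torn down
            return "relay"
        state = self.table[key]
        if state == "SYN_SENT" and syn and ack and direction == "rev":
            self.table[key] = "SYN_RECEIVED"
            return "relay"
        if state == "SYN_RECEIVED" and ack and direction == "fwd":
            self.table[key] = "ESTABLISHED"
            return "relay"
        if state == "ESTABLISHED":
            return "relay"                       # contents are not examined
        return "drop"                            # out-of-order handshake
```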

Bastion Host
- A highly secure host system.
- Potentially exposed to "hostile" elements, hence secured to withstand this: disable all non-required services and keep it simple.
- Trusted to enforce trusted separation between network connections.
- Runs circuit-level or application-level gateways; install or modify the services you want, or provides externally accessible services.

5. Firewall Topology
There are three types of firewall topology:
1) Screened host firewall
2) Dual-homed host firewall
3) Screened subnet firewall

5.1 Screened Host Firewall
This topology uses one packet filter firewall and one bastion host (application gateway). Information coming from the Internet to the private network first passes through the screening router (packet filter), which applies its rules to each IP packet. After the IP packet passes through the bastion host, which checks authentication, it finally passes into the private network.
- Provides services from a host attached to the internal network.
- Security is provided by packet filtering: only certain operations are allowed (e.g. deliver e-mail).
- Outside connections can only go to the bastion host.
- Internal hosts are allowed to originate connections over the Internet.
- If the bastion host is compromised
One drawback is that attackers on the Internet can easily access the private network because there is no bastion host between the Internet and the private network.

5.2 Dual-Homed Host Firewall
- Built around a dual-homed host computer.
- The ability to route between networks is disabled: packets from the Internet are not routed directly to the internal network, and services are provided by proxy.
- Users log into the dual-homed host to access the Internet; these user accounts present security problems.
Advantage: security is greater than with the screened host firewall, because all traffic must compulsorily pass through the bastion host before entering the private network.

5.3 Screened Subnet Firewall
This topology uses two packet filter firewalls and one bastion host (application gateway). One packet filter firewall is between the Internet and the bastion host; the second packet filter firewall is between the bastion host and the private network. Information coming from the Internet to the private network first passes through the screening router (packet filter), which applies its rules to each IP packet; after the IP packet passes through the bastion host, which checks authentication, it finally passes into the private network. The first packet filter firewall is known as the exterior router and the second as the interior router.
- Exterior router (access router): protects the DMZ and the internal network from the Internet.
- Interior router (choke router): protects the internal network from the Internet and the DMZ; does most of the packet filtering for the firewall; allows selected outbound services from the internal network; limits services between the bastion host and the internal network.
Advantage: security is greater than in the other two topologies because of the two packet filter firewalls.

6. Future Scope
Firewall technology has evolved significantly since the days of basic packet filters and network address translation. We now have not just firewalls but "intrusion detection devices", which do far more complex things to the traffic they see in an attempt to prevent the network from being attacked. Many of today's firewalls don't just filter packets but also do clever stuff like checking whether incoming Java applets contain dangerous code, or decoding e-mail messages and passing their attachments to an AV package for analysis.

So where are firewalls going? The main problem with today's firewall technology is that it's doing so much work that, as the capacity of the average Internet connection grows, the firewall becomes a bottleneck. This is hardly surprising. The other problem with doing loads of different functions within a single firewall is that no one product will manage to be the "best of breed". Generally, you find that a multifunction device does all things averagely, instead of doing any one function brilliantly. This is addressed by some firewall manufacturers, who instead of doing advanced work such as AV protection internally, pass the task to an external system running a mainstream application with a reputation for excellence in its field. Strangely, though, the current penchant for bundling firewalls as all-in-one "appliances" goes against this idea, and security can only suffer as a consequence.

Sharing the Load
So how do we address these issues of bottlenecking and fitness for purpose? It seems to us that the obvious way is to move away from having a firewall device, toward having an "edge network" of smaller devices. Each of these would perform its own particular function under the supervision of a "master" device, possibly the firewall itself, but not necessarily relying on the firewall for intercommunication. Some machines would be dedicated to one task (e.g. AV processing) while others could handle two or three lesser tasks. Transmissions have to negotiate their way through all relevant components of this "edge network" before being allowed into the corporate network.

Imagine an e-mail arrives in the network. The firewall checks that it's destined for the right server, on the right port, and verifies that it has passed the basic entry criteria. It then passes it on to an e-mail decoder for the attachments to be extracted. The e-mail decoder knows that before it can do anything with the message, it needs to examine the attachments for viruses, so it unbundles them and passes them to an AV package. The AV package verifies that the files are clean and notifies this fact to the e-mail decoder, which knows it can now pass the original message on to the e-mail server for delivery. For each type of incoming and outgoing traffic, a similar type of workflow arrangement is implemented, with each device in the network knowing (a) how to do its own job and (b) what to do with the results should the test it's performing pass or fail.

Learn from ERP
This kind of workflow implementation is commonplace in corporate ERP systems. Since network protection is no longer a basic filtering exercise but a vast pile of intricate logic with some nasty, nondeterministic heuristics thrown in for good measure, it's not unreasonable to think that ERP-style workflow management might be a useful addition. Because there's a large amount of processing to be done to analyse the traffic, it's also sensible to think that there would be several separate machines sharing the load and passing messages between each other.

Taking the Concept to Extremes
So far, we've mentioned the concept of having (say) an AV machine that does AV processing on request, and an e-mail decoder for extracting attachments. Imagine for a moment that we simply have a cluster of general-purpose machines, with no specific purpose, with the data that needs processing being passed in by external devices. Instead of passing data in for processing, the external device passes in both the data and the code it wants to run on the data. So one minute a machine is receiving a message that says "Here's some data to check for viruses and here's the code you need to use to do the check", and the next it's hearing "Please decode these e-mails and pull out the attachments; here's a lump of code you can use to do it". One can imagine the "edge network" as comprising a collection of general-purpose machines that simply do the jobs they're asked to do by a central scheduler.

7. Conclusion
In conclusion, the Internet is a dangerous place. Hackers, crackers and viruses are harmful to personal data. A firewall protects private files from outsiders and provides the necessary security against such illegal access. Without a firewall, do not connect to the Internet.
